RSA


Public Key Crypto

  • RSA

RSA

CSCI284 Spring 2004

GWU

Advanced Cryptography CSCI 297/later 381
  • Theory of secrecy: hard problems and crypto
  • Elliptic curves
  • Electronic Cash and Anonymous Credentials
  • PRNGs
  • Not much Cryptanalysis, Shannon secrecy

CS284/Spring04/GWU/Vora/RSA

Advanced Crypto: Grading
  • HWs, presentations, class participation, project
  • Half lecture, half seminar style course. Each student reads and presents about 3 papers during the course.

CS297: Electronic Voting
  • Crypto, Security, Systems, Political requirements of e-voting
  • Part lecture, part seminar, with project and participation through volunteering in 2004 election.
  • Students can register only through instructor permission: instructor is Jonathan Stanton.

Projects?
  • Presentations on:
    • 27th April, Tuesday, 6:10-7:40 (make-up day) and
    • 28th April, Wednesday, 6:10-7:40 (another make-up day)
  • Presentations consist of 10 mins demos/presentations + 5 mins. questions
  • Schedule will be given next week
  • Make sure you have tested the PC in the room and loaded your software before class starts.

Project evaluations: 25%
  • 5%: proposal (those who have not submitted should do so asap, their marks will be multiplied by 0.6, i.e. maximum mark will be 3%)
  • 5% presentation
  • 5% questions
  • 5% if working demo (this goes for questions for theory projects)
  • 5% how interesting/difficult it is

How does Alice send Bob the decryption key in private key crypto?
  • If Alice wants it such that anyone can decrypt her messages, but know that they came from her
    • Suppose she could make the decryption key available in a public place
    • This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it

How does Alice send Bob the decryption key in private key crypto? contd
  • If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way
    • Suppose Bob makes his encryption key available publicly
    • No one should be able to compute the decryption key from the encryption key
    • This is the dual of the previous case

Public Key Cryptography

Two injective functions f and g such that fg=I

i.e. messages encrypted with one can be decrypted with the other; functions include association with key

f cannot be used to find g and vice versa

One is made public, the other kept private

Encryption with public function provides confidential transmission, decryption with public function provides authentication

Consider: given c = f(m), f public. Should be decrypted only by owner of this “public key”.

Is the secrecy of this encryption perfect? i.e. given infinite computing power, can someone find m?

PKC from another pov
  • f(m) is a one-way function, because f(m) is computationally easy, but finding m from f(m) should be difficult without the key
  • However, finding m with the key, or on knowing g, should be easy too.
  • f(m) is a one-way function with a trapdoor – the private key

Aside: Computational Complexity
  • NP problems are those in which one can check a given solution in polynomial time
  • An NP-complete problem is one which, if solved in polynomial time, can be used to solve all other NP problems in polynomial time.
  • Thus, if an NP-complete problem is solved in polynomial-time, P (set of all problems solvable in polynomial time) = NP (set of all problems for which solutions can be checked in polynomial time)

Aside: Computational Complexity

There are problems not known to have polynomial-time solutions which are also not known to be NP-complete: i.e. they are difficult, but perhaps not among the most difficult

Aside: different grades of difficulty
  • If m can be found from f(m) in polynomial time, i.e. the number of operations required is a polynomial in the size of the input (the number of bits in the keys), f(m) is not one-way in the most popular computational model: probabilistic polynomial-time.
  • If an algorithm for finding m from f(m) in polynomial time is not known to the public, f(m) might be one-way, and might be usable for crypto

Aside: different grades of difficulty contd
  • If other very difficult problems (NP-complete problems) in computer science can be solved if m can be found from f(m), i.e. the problem is NP-hard, f(m) is most likely to be one-way.
  • It is not known if one-way functions exist. They exist only if P ≠ NP

RSA: Cocks (’73), Rivest, Shamir, Adleman (’76)

$n = pq$, p and q (large) primes

$P = C = Z_n$

$K = \{(n, p, q, a, b) : ab \equiv 1 \bmod \phi(n)\}$

$f_K(m) = m^a \bmod n$

$g_K(m) = m^b \bmod n$

Show that $f_K$ and $g_K$ are inverses

Need: Some group theory

What is a group?

  • A set of elements G with
  • An additive operation $\bullet$ such that
    • G is closed under the operation, i.e. if $a, b \in G$, so does $a \bullet b$
    • The operation is associative, i.e. $(a \bullet b) \bullet c = a \bullet (b \bullet c)$
    • An identity exists and is in G, i.e. $\exists\, e \in G$ s.t. $e \bullet g = g \bullet e = g$
    • Every element has an inverse in G, i.e. $\forall g \in G\ \exists\, g^{-1} \in G$ s.t. $g \bullet g^{-1} = e$

Multiplicative and additive groups
  • The group operation can be addition or multiplication
  • Consider $Z_n$
  • Is it a multiplicative group? Additive?

Fact: $Z_p^*$ for prime p is cyclic, generated by a primitive element $\alpha$

$\{1, \alpha, \alpha^2, \ldots, \alpha^{p-1}\}$

Examples of $Z_n$ - multiplicative and additive groups, prime and composite n, primitive elements

Lagrange’s theorem on the order of a group element

Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and $g \in G$. Then the order of g divides n.

Example: multiplicative group. True also of additive groups. Example: additive group.

Lagrange’s theorem on the order of a group element - II

Proof: Consider the following relation:

$a \sim b$ iff $a x^i = b$ for some i

  • $\sim$ is an equivalence relation because:
    • $a x^{o(x)} = a$
    • If $a \sim b$ then $b = a x^i$ and $a = b x^{-i}$ and $b \sim a$
    • If $a \sim b$ and $b \sim c$, then $b = a x^i$ and $c = b x^j = a x^{i+j}$ and $a \sim c$

Hence, the cosets of this relation partition the group and are of equal size.

Example: the relation for some x and composite n

Lagrange’s theorem on the order of a group element - III

Hence, the size of any coset divides the size of the group if it is finite

$\{e, x^1, x^2, \ldots, x^{o(x)}\}$ is a coset of size o(x)

Because any coset that contains x

$= \{a \text{ s.t. } a x^i = x,\ \exists i\}$

$= \{a = x^{1-i},\ \exists i\}$

$= \{x^j,\ \exists j\}$

Hence $o(x) \mid n$

Example, composite n

Back to RSA

$f(g(x)) = x^{ba} \bmod n = x^{t\phi(n)+1} \bmod n = x \cdot x^{t\phi(n)} \bmod n$

$= x \bmod n$ if $x \in Z_n^*$

What if $x \in Z_n \setminus Z_n^*$? Need much more math.

$x^{t\phi(n)} \bmod n = ?$

Write $Z_n = Z_p \times Z_q$

True by Chinese Remainder Theorem:

There is exactly one number modulo xy which is b mod x and B mod y if x and y are relatively prime.

$x \leftrightarrow (x \bmod p, x \bmod q) =$ wlog $(0, d) = (0, \alpha^j)$

$x^{\phi(n)} = (0, \alpha^{\phi(n) j}) = (0, 1)$

$x \cdot x^{\phi(n)} = (0, 1)(0, \alpha^j) = x$

CRT isomorphism examples, by hand, small composite n

Back to RSA: Key generation

Find p and q (two large random primes)

$n \leftarrow pq$

$\phi(n) \leftarrow (p-1)(q-1)$

Choose random a invertible mod $\phi(n)$ s.t. $1 < a < \phi(n)$

i.e. a s.t. $\gcd(a, \phi(n)) = 1$

Use Euclidean algorithm to find $a^{-1} \bmod \phi(n)$

Without p and q cannot determine $\phi(n)$

One key: (n, a) other key (n, b); Example
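
Added example (not part of the original slides): the key-generation steps above in the slides' notation (n, a, b), with b found by the extended Euclidean algorithm, followed by an exhaustive check that the two key functions invert each other on all of Z_n, including the non-units from the CRT slide. The toy primes and the seeded generator are assumptions for reproducibility; this is textbook RSA without padding and not a usable cipher.

```python
# Added example: textbook RSA with toy primes, in the slides' notation.
# Constructed sample values; real keys need large random primes and padding.
import random
from math import gcd

def ext_euclid(x, y):
    """Return (g, s, t) with s*x + t*y == g == gcd(x, y)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while y:
        q = x // y
        x, y = y, x - q * y
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return x, s0, t0

def keygen(p, q, rng):
    """Return ((n, a), (n, b)) with a*b == 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    while True:
        a = rng.randrange(2, phi)        # 1 < a < phi(n)
        if gcd(a, phi) == 1:             # a must be invertible mod phi(n)
            break
    _, s, _ = ext_euclid(a, phi)         # s*a + t*phi == 1
    b = s % phi                          # b = a^-1 mod phi(n)
    return (n, a), (n, b)

def apply_key(key, m):
    """f_K or g_K: raise m to the key's exponent mod n."""
    n, e = key
    return pow(m, e, n)

def check_inverses(p, q, seed=1):
    """Check g(f(x)) == x == f(g(x)) for every x in Z_n, units or not."""
    key1, key2 = keygen(p, q, random.Random(seed))   # seeded only for the demo
    n = key1[0]
    non_units = sum(1 for x in range(n) if gcd(x, n) != 1)
    ok = all(apply_key(key2, apply_key(key1, x)) == x and
             apply_key(key1, apply_key(key2, x)) == x for x in range(n))
    return ok, non_units, key1, key2

if __name__ == "__main__":
    print(check_inverses(11, 13))
```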

Security of RSA: Is it based on hardness of factoring n?
  • It is not known if:
    • factoring a product of two primes into its prime components is
      • solvable in polynomial time
      • NP-complete
    • there are other trapdoors to RSA, i.e. other ways of breaking it in general
  • Factoring is an easy problem in the quantum computing model.

Computational Complexity

Computational complexity of the following operations on x (k bit) and y (l bit), $k \geq l$:

  • x + y
  • x – y
  • xy
  • Floor(x/y): $O(l(k-l))$
  • gcd(x, y): $O(k^3)$

Euclidean Algorithm

gcd(m, n) /* m > n */

(a, b) := (m, n) /* Initialize */

while (b ≠ 0) (a, b) := (b, a – b*q) /* where q = floor(a/b) */

return(a)

Complexity?

Computational Complexity mod n

Computational complexity of the following operations mod n, where n is a k-bit integer:

  • x + y
  • x – y
  • xy
  • $x^{-1}$
  • $x^c$, $c < n$: $O(k^2 \log c) = O(k^3)$

Efficient exponentiation (from Memon notes)

Usual approach to computing $x^c \bmod n$ is inefficient when c is large.

Example: $5^{51}$ involves 51 multiplications mod n

Instead, represent c as bit string $b_{k-1} \ldots b_0$ and use the following algorithm:

z = 1
for i = k-1 downto 0 do
    z = z^2 mod n
    if b_i = 1 then z = z * x mod n

How many multiplications? $k = 2\lceil \log_2 c \rceil$

Example

Calculate $5^{51} \bmod 7$ efficiently

$51 = 110011_2 = 2^5 + 2^4 + 2^1 + 2^0$

$5^{51} = ((((5^2)^2)^2)^2)^2 \cdot (((5^2)^2)^2)^2 \cdot 5^2 \cdot 5^1$

How many multiplications did you need?

$5^{51} \bmod 7$
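
Added example (not from the original slides): the square-and-multiply loop from the "Efficient exponentiation" slide, instrumented to record z after each exponent bit and to count modular multiplications, run on the slides' own case 5^51 mod 7. The function names are hypothetical.

```python
# Added example: the slide's left-to-right square-and-multiply loop,
# instrumented to count modular multiplications (squarings included).
def modexp_trace(x, c, n):
    """Return (x**c mod n, multiplication count, [(bit, z) after each bit])."""
    z, mults, rows = 1, 0, []
    for bit in bin(c)[2:]:            # b_{k-1} ... b_0, most significant first
        z = (z * z) % n               # z = z^2 mod n
        mults += 1
        if bit == "1":
            z = (z * x) % n           # z = z * x mod n
            mults += 1
        rows.append((bit, z))
    return z, mults, rows

def expected_mults(c):
    """k squarings plus one multiply per 1-bit: k + popcount(c) <= 2k."""
    return c.bit_length() + bin(c).count("1")

if __name__ == "__main__":
    result, mults, rows = modexp_trace(5, 51, 7)
    for bit, z in rows:
        print(bit, z)
    print("5^51 mod 7 =", result, "using", mults, "multiplications")
```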

RSA: Computational complexity
  • 512 bit primes, n 1024 bits
  • Encryption: $b^3$ where a plaintext character is b-bits
  • Decryption by brute force: $2^b b^3$
  • Key generation: Primes? $O(b^2)$, $O(b^3)$

PRIME
  • The book presents probabilistic algorithms for determining if a number is prime.
  • Two years ago, undergraduate students and their adviser showed that determining if a number is prime can be done in deterministic polynomial time
  • We will not discuss any of these in class.

A simple inefficient algorithm
  • Generate a b-bit random number
  • It is prime with probability $1/\ln 2^b = 1/(\ln 2 \times b) = O(1/b)$
  • Generate enough and will be done, in O(b) complexity.

Factoring: Pollard p-1 algorithm
  • Suppose we know that:
    • for p a prime dividing n
    • every prime power that divides p-1 is $\leq B$
    • $(p-1) \mid B!$
  • Further: $2^{p-1} \equiv 1 \pmod p$ (Why?)
  • Hence $2^{B!} \pmod n \equiv 2^{B!} \pmod p \equiv 1 \pmod p$
  • And $p \mid 2^{B!} - 1$
  • Hence $p \mid \gcd(2^{B!} - 1, n)$, which divides n
  • $\gcd(2^{B!} - 1, n)$ non-trivial factor of n

Pollard p-1 contd.

POLLARD p-1 FACTORING (n, B)

a ← 2
for j ← 2 to B
    a ← a^j mod n
d ← gcd(a-1, n)
if 1 < d < n
    return(d)
else
    return(failure)

Example

Complexity: Pollard p-1
  • B-1 modular exponentiations, each requiring $(\log n)^2 \log B$ operations
  • $(\log n)^3$ for Euclidean
  • If B is $O(\log n)$, polynomial, but probability of success low.
  • For good RSA security, p-1 should not have small factors.
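
Added example (not from the original slides): the Pollard p-1 pseudocode above run on two constructed toy moduli, one with a smooth p-1 and one built from primes of the form 2r+1 with r prime, to show how the bound B needed for success tracks the largest prime power dividing p-1. The moduli and the helper names are assumptions chosen for illustration.

```python
# Added example: Pollard p-1 as in the slides' pseudocode, run on two
# constructed toy moduli (not real key sizes).
from math import gcd

def pollard_p_minus_1(n, B):
    """Return a non-trivial factor of n, or None on failure."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)              # after the loop, a = 2^(B!) mod n
    d = gcd(a - 1, n)
    return d if 1 < d < n else None

def largest_prime_power(m):
    """Largest prime power dividing m (trial division, small m only)."""
    best, p = 1, 2
    while p * p <= m:
        pk = 1
        while m % p == 0:
            m //= p
            pk *= p
        best = max(best, pk)
        p += 1
    return max(best, m)               # leftover m is 1 or a prime

def sufficient_bound(p):
    """Smallest B meeting the slides' condition for prime p: every prime
    power dividing p-1 is <= B, hence (p-1) | B!."""
    return largest_prime_power(p - 1)

# Constructed sample moduli.
WEAK_N = 2521 * 2027      # 2521 - 1 = 2^3 * 3^2 * 5 * 7, all prime powers <= 9
STRONG_N = 2027 * 2039    # 2027 - 1 = 2 * 1013 and 2039 - 1 = 2 * 1019

if __name__ == "__main__":
    print(pollard_p_minus_1(WEAK_N, 9))        # small B already succeeds
    print(pollard_p_minus_1(STRONG_N, 1000))   # fails: B is below 1013
    print(pollard_p_minus_1(STRONG_N, sufficient_bound(2027)))
```

For primes of RSA size with p-1 = 2r and r prime, the sufficient bound is r itself, so the loop length is on the order of p rather than log n.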
