Public Key Crypto

RSA

CSCI284 Spring 2004

GWU


Advanced Cryptography CSCI 297/later 381

  • Theory of secrecy: hard problems and crypto

  • Elliptic curves

  • Electronic Cash and Anonymous Credentials

  • PRNGs

  • Not much Cryptanalysis, Shannon secrecy

CS284/Spring04/GWU/Vora/RSA


Advanced Crypto: Grading

  • HWs, presentations, class participation, project

  • Half lecture, half seminar style course. Each student reads and presents about 3 papers during the course.

CS297: Electronic Voting

  • Crypto, Security, Systems, Political requirements of e-voting

  • Part lecture, part seminar, with project and participation through volunteering in 2004 election.

  • Students can register only through instructor permission: instructor is Jonathan Stanton.

Projects?

  • Presentations on:

    • 27th April, Tuesday, 6:10-7:40 (make-up day) and

    • 28th April, Wednesday, 6:10-7:40 (another make-up day)

  • Presentations consist of 10 mins demos/presentations + 5 mins. questions

  • Schedule will be given next week

  • Make sure you have tested the PC in the room and loaded your software before class starts.

Project evaluations: 25%

  • 5%: proposal (those who have not submitted should do so asap, their marks will be multiplied by 0.6, i.e. maximum mark will be 3%)

  • 5% presentation

  • 5% questions

  • 5% if working demo (this goes for questions for theory projects)

  • 5% how interesting/difficult it is

How does Alice send Bob the decryption key in private key crypto?

  • If Alice wants it such that anyone can decrypt her messages, but know that they came from her

    • Suppose she could make the decryption key available in a public place

    • This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it

How does Alice send Bob the decryption key in private key crypto? contd

  • If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way

    • Suppose Bob makes his encryption key available publicly

    • No one should be able to compute the decryption key from the encryption key

    • This is the dual of the previous case

Public Key Cryptography

Two injective functions f and g such that fg=I

i.e. messages encrypted with one can be decrypted with the other; functions include association with key

f cannot be used to find g and vice versa

One is made public, the other kept private

Encryption with public function provides confidential transmission, decryption with public function provides authentication

Consider: given c = f(m), f public. Should be decrypted only by owner of this “public key”. Is the secrecy of this encryption perfect? i.e. given infinite computing power, can someone find m?

PKC from another pov

  • f(m) is a one-way function, because f(m) is computationally easy, but finding m from f(m) should be difficult without the key

  • However, finding m with the key, or on knowing g, should be easy too.

  • f(m) is a one-way function with a trapdoor – the private key

Aside: Computational Complexity

  • NP problems are those in which one can check a given solution in polynomial time

  • An NP-complete problem is one which, if solved in polynomial time, can be used to solve all other NP problems in polynomial time.

  • Thus, if an NP-complete problem is solved in polynomial-time, P (set of all problems solvable in polynomial time) = NP (set of all problems for which solutions can be checked in polynomial time)

Aside: Computational Complexity

There are problems not known to have polynomial-time solutions which are also not known to be NP-complete: i.e. they are difficult, but perhaps not among the most difficult

Aside: different grades of difficulty

  • If m can be found from f(m) in polynomial time, i.e. the number of operations required are a polynomial in the size of the input (the number of bits in the keys), f(m) is not one-way in the most popular computational model: probabilistic polynomial-time.

  • If an algorithm for finding f(m) in polynomial time is not known to the public, f(m) might be one-way, and might be usable for crypto

Aside: different grades of difficulty contd

  • If other very difficult problems (NP-complete problems) in computer science can be solved if m can be found from f(m), i.e. the problem is NP-hard, f(m) is most likely to be one-way.

  • It is not known if one-way functions exist. They exist only if P ≠ NP

RSA: Cocks (’73), Rivest, Shamir, Adleman (’76)

$n = pq$, p and q (large) primes

$P = C = Z_n$

$K = \{(n, p, q, a, b) : ab \equiv 1 \bmod \phi(n)\}$

$f_K(m) = m^a \bmod n$

$g_K(m) = m^b \bmod n$

Show that fK and gK are inverses

Need: Some group theory

What is a group?

  • A set of elements G with

  • An additive operation $\circ$ such that

    • G is closed under the operation, i.e. if $a, b \in G$, so is $a \circ b$

    • The operation is associative, i.e. $(a \circ b) \circ c = a \circ (b \circ c)$

    • An identity exists and is in G, i.e. $\exists\, e \in G$ s.t. $e \circ g = g \circ e = g$

    • Every element has an inverse in G, i.e. $\forall g \in G \ \exists\, g^{-1} \in G$ s.t. $g \circ g^{-1} = e$

Multiplicative and additive groups

  • The group operation can be addition or multiplication

  • Consider $Z_n$

  • Is it a multiplicative group? Additive?

    Fact: $Z_p^*$ for prime p is cyclic, generated by a primitive element $\alpha$

    $\{1, \alpha, \alpha^2, \ldots, \alpha^{p-1}\}$

    Examples of $Z_n$ - multiplicative and additive groups, prime and composite n, primitive elements

Lagrange’s theorem on the order of a group element

Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and $g \in G$. Then the order of g divides n.

Example: multiplicative group. True also of additive groups. Example: additive group.

Lagrange’s theorem on the order of a group element - II

Proof: Consider the following relation:

a  b iff axi = b for some i

  • is an equivalence relation because:

    • axo(x) = a

    • If a  bthen b = axi and a = bx-I and b  a

    • If a  b and b  c, then b = axi and c = bxj = axi+j and a  c

      Hence, the cosets of this relation partition the group and are of equal size.

      Example: the relation for some x and composite n

Lagrange’s theorem on the order of a group element - III

Hence, the size of any coset divides the size of the group if it is finite

$\{e, x^1, x^2, \ldots, x^{o(x)}\}$ is a coset of size $o(x)$

Because any coset that contains x

$= \{a \text{ s.t. } a x^i = x \text{ for some } i\}$

$= \{a = x^{1-i} \text{ for some } i\}$

$= \{x^j \text{ for some } j\}$

Hence o(x) | n

Example, composite n

Back to RSA

$f(g(x)) = x^{ba} \bmod n = x^{t\phi(n)+1} \bmod n = x \cdot x^{t\phi(n)} \bmod n$

$= x \bmod n$ if $x \in Z_n^*$

What if $x \in Z_n \setminus Z_n^*$? Need much more math.

$x^{t\phi(n)} \bmod n = ?$

Write $Z_n = Z_p \times Z_q$

True by Chinese Remainder Theorem:

There is exactly one number modulo xy which is b mod x and B mod y if x and y are relatively prime.

$x \leftrightarrow (x \bmod p, x \bmod q)$ = wlog $(0, d) = (0, \alpha^j)$

$x^{\phi(n)} = (0, \alpha^{\phi(n) j}) = (0, 1)$

$x \cdot x^{\phi(n)} = (0, 1)(0, \alpha^j) = x$

CRT isomorphism examples, by hand, small composite n

Back to RSA: Key generation

Find p and q (two large random primes)

n pq

(n)  (p-1)(q-1)

Choose random a invertible mod (n) s.t 1 < a < (n)

i.e. a s.t gcd(a, (n)) = 1

Use Euclidean algorithm to find a-1mod (n)

Without p and q cannot determine (n)

One key: (n, a) other key (n, b); Example
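
The key generation steps above, and the earlier question of whether the two key functions are inverses on all of Z_n (including elements outside Z_n*), can be checked exhaustively on a toy modulus. This is an added example, not part of the original slides; the primes 61 and 53 and all function names are constructed for illustration.

```python
import math
import random

def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b != 0:
        q = a // b
        a, b = b, a - q * b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def keygen(p, q, rng):
    """Slide's steps: n = pq, phi = (p-1)(q-1), random invertible a, b = a^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        a = rng.randrange(2, phi)            # 1 < a < phi(n)
        g, s, _ = egcd(a, phi)
        if g == 1:                           # a is invertible mod phi(n)
            return (n, a), (n, s % phi)      # one key (n, a), other key (n, b)

def apply_key(key, m):
    """f_K or g_K, depending on which key is passed: m^exponent mod n."""
    n, exponent = key
    return pow(m, exponent, n)

def check_inverses(p, q, seed=1):
    """True if g_K(f_K(x)) == x for every x in Z_n, units and non-units alike."""
    key_a, key_b = keygen(p, q, random.Random(seed))
    n = key_a[0]
    assert (key_a[1] * key_b[1]) % ((p - 1) * (q - 1)) == 1
    return all(apply_key(key_b, apply_key(key_a, x)) == x for x in range(n))

def non_units(p, q):
    """Elements of Z_n \\ Z_n*: the x that share a factor with n."""
    n = p * q
    return [x for x in range(n) if math.gcd(x, n) != 1]

if __name__ == "__main__":
    p, q = 61, 53                            # constructed toy primes, far too small for real use
    print("inverse on all of Z_n:", check_inverses(p, q))
    print("elements outside Z_n*:", len(non_units(p, q)))
```
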

Security of RSA: Is it based on hardness of factoring n?

  • It is not known if:

    • factoring a product of two primes into its prime components is

      • solvable in polynomial time

      • NP-complete

    • there are other trapdoors to RSA, i.e. other ways of breaking it in general

  • Factoring is an easy problem in the quantum computing model.

Computational Complexity

Computational complexity of the following operations on x (k bit) and y (l bit), $k \ge l$:

  • x + y

  • x – y

  • xy

  • Floor(x/y): $O(l(k-l))$

  • gcd(x, y): $O(k^3)$

Euclidean Algorithm

gcd(m, n) /* m > n */

(a, b) := (m, n) /* Initialize */

while (b ≠ 0) (a, b) := (b, a – b*q) /* where q = floor(a/b) */

return(a)

Complexity?

Computational Complexity mod n

Computational complexity of the following operations mod n, where n is a k-bit integer:

  • x + y

  • x – y

  • xy

  • $x^{-1}$

  • $x^c$, $c < n$: $O(k^2 \log c) = O(k^3)$

Efficient exponentiation (from Memon notes)

Usual approach to computing $x^c \bmod n$ is inefficient when c is large.

Example: $5^{51}$ involves 51 multiplications mod n

Instead, represent c as bit string $b_{k-1} \ldots b_0$ and use the following algorithm:

z = 1

for i = k-1 downto 0 do

    z = z^2 mod n

    if b_i = 1 then z = z * x mod n

How many multiplications? k = 2 ceiling($\log_2 c$)

Example

Calculate $5^{51} \bmod 7$ efficiently

$51 = 110011_2 = 2^5 + 2^4 + 2^1 + 2^0$

$5^{51} = ((((5^2)^2)^2)^2)^2 \cdot (((5^2)^2)^2)^2 \cdot 5^2 \cdot 5^1$

How many multiplications did you need?

$5^{51} \bmod 7$
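
The square-and-multiply algorithm from the efficient exponentiation slide, run on this example with a count of modular multiplications, next to the repeated-multiplication approach it replaces. This is an added example, not part of the original slides; the function names are chosen here for illustration.

```python
def square_and_multiply(x, c, n):
    """Left-to-right binary exponentiation as on the slide.

    Returns (x**c mod n, multiplications), counting every squaring and
    every multiply-by-x as one modular multiplication.
    """
    z, mults = 1, 0
    for bit in bin(c)[2:]:                   # b_{k-1} ... b_0
        z = (z * z) % n
        mults += 1
        if bit == "1":                       # branch depends on the exponent bits
            z = (z * x) % n
            mults += 1
    return z, mults

def naive_power(x, c, n):
    """Repeated multiplication: the 'usual approach' with c multiplications."""
    z, mults = 1, 0
    for _ in range(c):
        z = (z * x) % n
        mults += 1
    return z, mults

def trace(x, c, n):
    """Value of z after each exponent bit, i.e. the table filled in by hand."""
    z, rows = 1, []
    for bit in bin(c)[2:]:
        z = (z * z) % n
        if bit == "1":
            z = (z * x) % n
        rows.append((bit, z))
    return rows

if __name__ == "__main__":
    print("square-and-multiply:", square_and_multiply(5, 51, 7))
    print("naive:", naive_power(5, 51, 7))
    for bit, z in trace(5, 51, 7):
        print(f"bit {bit} -> z = {z}")
```

The extra multiplication happens only for 1 bits, so running time depends on the exponent; with a private exponent that is a timing side channel, which is why production RSA code uses constant-time exponentiation.
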

RSA: Computational complexity

  • 512 bit primes, n 1024 bits

  • Encryption: $b^3$ where a plaintext character is b-bits

  • Decryption by brute force: $2^b b^3$

  • Key generation: Primes? $O(b^2)$, $O(b^3)$

PRIME

  • The book presents probabilistic algorithms for determining if a number is prime.

  • Two years ago, undergraduate students and their adviser showed that determining if a number is prime can be done in deterministic polynomial time

  • We will not discuss any of these in class.

A simple inefficient algorithm

  • Generate a b-bit random number

  • It is prime with probability $1/\ln 2^b = 1/(\ln 2 \cdot b) = O(1/b)$

  • Generate enough and will be done, in O(b) complexity.

Factoring: Pollard p-1 algorithm

  • Suppose we know that:

    • for p a prime dividing n

    • every prime power that divides p-1 is $\le B$

    • $(p-1) \mid B!$

  • Further: $2^{p-1} \equiv 1 \pmod p$ (Why?)

  • Hence $2^{B!} \pmod n \equiv 2^{B!} \pmod p \equiv 1 \pmod p$

  • And $p \mid 2^{B!} - 1$

  • Hence $p \mid \gcd(2^{B!} - 1, n)$, which divides n

  • $\gcd(2^{B!} - 1, n)$ non-trivial factor of n

Pollard p-1 contd.

POLLARD p-1 FACTORING (n, B)

a ← 2

for j ← 2 to B

    a ← a^j mod n

d ← gcd(a-1, n)

if 1 < d < n

    return(d)

else

    return(failure)

Example

Complexity: Pollard p-1

  • B-1 modular exponentiations, each requiring $(\log n)^2 \log B$ operations

  • $(\log n)^3$ for Euclidean

  • If B of O(log n), polynomial, but probability of success low.

  • For good RSA security, p-1 should not have small factors.
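
Why p-1 must not be built only from small factors can be seen by running the slide's POLLARD p-1 FACTORING on two toy moduli. This is an added example, not part of the original slides; the moduli 47897 = 211 · 227 and 59701 = 227 · 263 and the helper names are constructed for illustration.

```python
import math

def pollard_p_minus_1(n, B):
    """Slide's algorithm: return a factor d with 1 < d < n, or None on failure."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)                     # after the loop a = 2^(B!) mod n
    d = math.gcd(a - 1, n)
    return d if 1 < d < n else None

def largest_prime_power(m):
    """Largest prime power dividing m (trial division, toy sizes only)."""
    best, f = 1, 2
    while f * f <= m:
        pk = 1
        while m % f == 0:
            m //= f
            pk *= f
        best = max(best, pk)
        f += 1
    return max(best, m)                      # leftover m is 1 or a prime

def smallest_working_bound(n, limit):
    """Smallest B <= limit for which the algorithm returns a factor, else None."""
    for B in range(2, limit + 1):
        if pollard_p_minus_1(n, B):
            return B
    return None

if __name__ == "__main__":
    weak = 211 * 227                         # 211 - 1 = 2*3*5*7, all small factors
    strong = 227 * 263                       # 226 = 2*113 and 262 = 2*131
    print("weak n:", smallest_working_bound(weak, 200), pollard_p_minus_1(weak, 7))
    print("strong n, B <= 100:", smallest_working_bound(strong, 100))
    print("largest prime powers:", largest_prime_power(210), largest_prime_power(226))
    # B too large also fails on the weak n: both p-1 and q-1 divide B!, so d = n
    print("weak n, B = 113:", pollard_p_minus_1(weak, 113))
```
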
