Skip this Video
Download Presentation

Loading in 2 Seconds...

play fullscreen
1 / 38

RSA - PowerPoint PPT Presentation

  • Uploaded on

Public Key Crypto RSA. RSA. CSCI284 Spring 2004 GWU. Advanced Cryptography CSCI 297/later 381. Theory of secrecy: hard problems and crypto Elliptic curves Electronic Cash and Anonymous Credentials PRNGs Not much Cryptanalysis, Shannon secrecy. Advanced Crypto: Grading.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' RSA' - cooper-beard

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Public Key Crypto

  • RSA


CSCI284 Spring 2004


advanced cryptography csci 297 later 381
Advanced CryptographyCSCI 297/later 381
  • Theory of secrecy: hard problems and crypto
  • Elliptic curves
  • Electronic Cash and Anonymous Credentials
  • PRNGs
  • Not much Cryptanalysis, Shannon secrecy


advanced crypto grading
Advanced Crypto: Grading
  • HWs, presentations, class participation, project
  • Half lecture, half seminar style course. Each student reads and presents about 3 papers during the course.


cs297 electronic voting
CS297: Electronic Voting
  • Crypto, Security, Systems, Political requirements of e-voting
  • Part lecture, part seminar, with project and participation through volunteering in 2004 election.
  • Students can register only through instructor permission: instructor is Jonathan Stanton.


  • Presentations on:
    • 27th April, Tuesday, 6:10-7:40 (make-up day) and
    • 28th April, Wednesday, 6:10-7:40 (another make-up day)
  • Presentations consist of 10 mins demos/presentations + 5 mins. questions
  • Schedule will be given next week
  • Make sure you have tested the PC in the room and loaded your software before class starts.


project evaluations 25
Project evaluations: 25%
  • 5%: proposal (those who have not submitted should do so asap, their marks will be multiplied by 0.6, i.e. maximum mark will be 3%)
  • 5% presentation
  • 5% questions
  • 5% if working demo (this goes for questions for theory projects)
  • 5% how interesting/difficult it is


how does alice send bob the decryption key in private key crypto
How does Alice send Bob the decryption key in private key crypto?
  • If Alice wants it such that anyone can decrypt her messages, but know that they came from her
    • Suppose she could make the decryption key available in a public place
    • This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it


how does alice send bob the decryption key in private key crypto contd
How does Alice send Bob the decryption key in private key crypto? contd
  • If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way
    • Suppose Bob makes his encryption key available publicly
    • No one should be able to compute the decryption key from the encryption key
    • This is the dual of the previous case


public key cryptography
Public Key Cryptography

Two injective functions f and g such that fg=I

i.e. messages encrypted with one can be decrypted with the other; functions include association with key

f cannot be used to find g and vice versa

One is made public, the other kept private

Encryption with public function provides confidential transmission, decryption with public function provides authentication


Consider: given c = f(m), f public. Should be decrypted only by owner of this “public key” Is the secrecy of this encryption perfect? i.e. given infinite computing power, can someone find m?


pkc from another pov
PKC from another pov
  • f(m) is a one-way function, because f(m) is computationally easy, but finding m from f(m) should be difficult without the key
  • However, finding m with the key, or on knowing g, should be easy too.
  • f(m) is a one-way function with a trapdoor – the private key


aside computational complexity
Aside: Computational Complexity
  • NP problems are those in which one can check a given solution in polynomial time
  • An NP-complete problem is one which, if solved in polynomial time, can be used to solve all other NP problems in polynomial time.
  • Thus, if an NP-complete problem is solved in polynomial-time, P (set of all problems solvable in polynomial time) = NP (set of all problems for which solutions can be checked in polynomial time)


aside computational complexity1
Aside: Computational Complexity

There are problems not known to have polynomial-time solutions which are also not known to be NP-complete: i.e. they are difficult, but perhaps not among the most difficult


aside different grades of difficulty
Aside: different grades of difficulty
  • If m can be found from f(m) in polynomial time, i.e. the number of operations required are a polynomial in the size of the input (the number of bits in the keys), f(m) is not one-way in the most popular computational model: probabilistic polynomial-time.
  • If an algorithm for finding f(m) in polynomial time is not known to the public, f(m) might be one-way, and might be usable for crypto


aside different grades of difficulty contd
Aside: different grades of difficulty contd
  • If other very difficult problems (NP-complete problems) in computer science can be solved if m can be found from f(m), i.e. the problem is NP-hard, f(m) is most likely to be one-way.
  • It is not known if one-way functions exist. They exist only if P ≠ NP


rsa cocks 73 rivest shamir adleman 76
RSACocks (’73), Rivest, Shamir, Adleman (’76)

n = pq, p and q (large) primes

P = C = Zn

K = {(n, p, q, a, b}: ab  1 mod (n)}

fK(m) = ma mod n

gK(m) = mb mod n

Show that fK and gK are inverses


need some group theory
Need: Some group theory

What is a group?

  • A set of elements G with
  • An additive operation  such that
    • G is closed under the operation, i.e. if a, b G, so does a b
    • The operation is associative, i.e. (a b) c = a (b c)
    • An identity exists and is in G, i.e.
    • e  G, s.t. e  g = g e = g
    • Every element has an inverse in G, i.e.

 g  G  g-1  G s.t g  g-1 = e


multiplicative and additive groups
Multiplicative and additive groups
  • The group operation can be addition or multiplication
  • Consider Zn
  • Is it a multiplicative group? Additive?

Fact: Zp* for prime p is cyclic, generated by a primitive element 

{1, , 2, … p-1}

Examples of Zn - multiplicative and additive groups, prime and composite n, primitive elements


lagrange s theorem on the order of a group element
Lagrange’s theorem on the order of a group element

Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and g G. Then the order of g divides n.

Example: multiplicative group. True also of additive groups. Example: additive group.


lagrange s theorem on the order of a group element ii
Lagrange’s theorem on the order of a group element - II

Proof: Consider the following relation:

a  b iff axi = b for some i

  • is an equivalence relation because:
    • axo(x) = a
    • If a  bthen b = axi and a = bx-I and b  a
    • If a  b and b  c, then b = axi and c = bxj = axi+j and a  c

Hence, the cosets of this relation partition the group and are of equal size.

Example: the relation for some x and composite n


lagrange s theorem on the order of a group element iii
Lagrange’s theorem on the order of a group element - III

Hence, the size of any coset divides the size of the group if it is finite

{e, x1, x2, …xo(x)} is a coset of size o(x)

Because any coset that contains x

= {a s.t axi = x  i}

= {a = x1-i  i}

= {xj  j }

Hence o(x) | n

Example, composite n


back to rsa
Back to RSA

f(g(x)) = xba mod n = xt(n)+1 mod n = x xt (n) mod n

= x mod n if x Zn*

What if x  Zn\Zn*? Need much more math.


x t n mod n
xt (n) mod n = ?

Write Zn = ZpX Zq

True by Chinese Remainder Theorem:

There is exactly one number modulo xy which is bmodx and Bmody if x and y are relatively prime.

x  (x mod p, x mod q) = wlog (0, d) = (0, j)

x(n) = (0,  (n)j) = (0, 1)

x. x(n) = (0, 1) (0, j) = x

CRT isomorphism examples, by hand, small composite n


back to rsa key generation
Back to RSA: Key generation

Find p and q (two large random primes)

n pq

(n)  (p-1)(q-1)

Choose random a invertible mod (n) s.t 1 < a < (n)

i.e. a s.t gcd(a, (n)) = 1

Use Euclidean algorithm to find a-1mod (n)

Without p and q cannot determine (n)

One key: (n, a) other key (n, b); Example


security of rsa is it based on hardness of factoring n
Security of RSAIs it based on hardness of factoring n?
  • It is not known if:
    • factoring a product of two primes into its prime components is
      • solvable in polynomial time
      • NP-complete
    • there are other trapdoors to RSA, i.e. other ways of breaking it in general
  • Factoring is an easy problem in the quantum computing model.


computational complexity
Computational Complexity

Computational complexity of the following operations on x (k bit) and y (l bit), k  l:

  • x + y
  • x – y
  • xy
  • Floor(x/y) O(l(k-l))
  • gcd(x, y) O(k3)


euclidean algorithm
Euclidean Algorithm

gcd(m, n) /* m > n */

(a, b) := (m, n) /* Initialize */

while (b0) (a, b) := (b, a – b*q) /*Where q = a/b */




computational complexity mod n
Computational Complexity mod n

Computational complexity of the following operations on mod n, where n is a k-bit integer:

  • x + y
  • x – y
  • xy
  • x-1
  • xc c< n O(k2log c) = O(k3)


efficient exponentiation from memon notes
Efficient exponentiation(from Memon notes)

Usual approach to computing xc mod n is inefficient when c is large.

Example: 551 involves 51 multiplications mod n

Instead, represent c as bit string bk-1 … b0 and use the following algorithm:

z = 1

For i = k-1 downto 0 do

z = z2 mod n

if bi = 1 then z = z x mod n

How many multiplications? k = 2ceiling(log2c)



Calculate 551 mod 7 efficiently

51 = 110011 = 25 + 24 + 21 + 20

551 = ((((52)2)2)2)2 (((52)2)2)2 52 51

How many multiplications did you need?


5 51 mod 7
551 mod 7


rsa computational complexity
RSA: Computational complexity
  • 512 bit primes, n 1024 bits
  • Encryption: b3 where a plaintext character is b-bits
  • Decryption by brute force: 2bb3
  • Key generation: Primes? O(b2), O(b3)


  • The book presents probabilistic algorithms for determining if a number is prime.
  • Two years ago, undergraduate students and their adviser showed that determining if a number is prime can be done in deterministic polynomial time
  • We will not discuss any of these in class.


a simple inefficient algorithm
A simple inefficient algorithm
  • Generate a b-bit random number
  • It is prime with probability 1/ln 2b = 1/(ln2  b) = O(1/b)
  • Generate enough and will be done, in O(b) complexity.


factoring pollard p 1 algorithm
Factoring: Pollard p-1 algorithm
  • Suppose we know that:
    • for p a prime dividing n
    • every prime power that divides p-1 is  B
    • (p-1) | B!
  • Further: 2p-1  1 (mod p) (Why?)
  • Hence 2B! (mod n)  2B! (mod p)  1 (mod p)
  • And p | 2B! -1
  • Hence p | gcd(2B! -1, n), which divides n
  • gcd(2B! -1, n) non-trivial factor of n


pollard p 1 contd
Pollard p-1 contd.


a  2

for j  2 to B

a  aj mod n

d  gcd(a-1, n)

if 1 < d < n







complexity pollard p 1
Complexity: Pollard p-1
  • B-1 modular exponentiations, each requiring (logn)2logB operations
  • (logn)3 for Euclidean
  • If B of O(log n), polynomial, but probbaility of success low.
  • For good RSA security, p-1 should not have small factors.