
Advanced Cryptography: CSCI 297 / later 381

- Theory of secrecy: hard problems and crypto
- Elliptic curves
- Electronic Cash and Anonymous Credentials
- PRNGs
- Not much Cryptanalysis, Shannon secrecy

CS284/Spring04/GWU/Vora/RSA

Advanced Crypto: Grading

- HWs, presentations, class participation, project
- Half lecture, half seminar style course. Each student reads and presents about 3 papers during the course.


CS297: Electronic Voting

- Crypto, Security, Systems, Political requirements of e-voting
- Part lecture, part seminar, with project and participation through volunteering in 2004 election.
- Students can register only through instructor permission: instructor is Jonathan Stanton.


Projects?

- Presentations on:
- 27th April, Tuesday, 6:10-7:40 (make-up day) and
- 28th April, Wednesday, 6:10-7:40 (another make-up day)
- Presentations consist of 10 mins demos/presentations + 5 mins. questions
- Schedule will be given next week
- Make sure you have tested the PC in the room and loaded your software before class starts.


Project evaluations: 25%

- 5%: proposal (those who have not submitted should do so asap, their marks will be multiplied by 0.6, i.e. maximum mark will be 3%)
- 5% presentation
- 5% questions
- 5% if working demo (this goes for questions for theory projects)
- 5% how interesting/difficult it is


How does Alice send Bob the decryption key in private key crypto?

- If Alice wants it such that anyone can decrypt her messages, but know that they came from her
- Suppose she could make the decryption key available in a public place
- This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it


How does Alice send Bob the decryption key in private key crypto? (contd.)

- If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way
- Suppose Bob makes his encryption key available publicly
- No one should be able to compute the decryption key from the encryption key
- This is the dual of the previous case


Public Key Cryptography

Two injective functions f and g such that f ∘ g = I

i.e. messages encrypted with one can be decrypted with the other; functions include association with key

f cannot be used to find g and vice versa

One is made public, the other kept private

Encryption with public function provides confidential transmission, decryption with public function provides authentication


Consider: given c = f(m), f public. c should be decryptable only by the owner of this “public key”. Is the secrecy of this encryption perfect? i.e. given infinite computing power, can someone find m?

PKC from another pov

- f(m) is a one-way function, because f(m) is computationally easy, but finding m from f(m) should be difficult without the key
- However, finding m with the key, or on knowing g, should be easy too.
- f(m) is a one-way function with a trapdoor – the private key


Aside: Computational Complexity

- NP problems are those in which one can check a given solution in polynomial time
- An NP-complete problem is one which, if solved in polynomial time, can be used to solve all other NP problems in polynomial time.
- Thus, if an NP-complete problem is solved in polynomial-time, P (set of all problems solvable in polynomial time) = NP (set of all problems for which solutions can be checked in polynomial time)


Aside: Computational Complexity

There are problems not known to have polynomial-time solutions which are also not known to be NP-complete: i.e. they are difficult, but perhaps not among the most difficult


Aside: different grades of difficulty

- If m can be found from f(m) in polynomial time, i.e. the number of operations required are a polynomial in the size of the input (the number of bits in the keys), f(m) is not one-way in the most popular computational model: probabilistic polynomial-time.
- If an algorithm for finding m from f(m) in polynomial time is not known to the public, f(m) might be one-way, and might be usable for crypto

Aside: different grades of difficulty contd

- If other very difficult problems (NP-complete problems) in computer science can be solved if m can be found from f(m), i.e. the problem is NP-hard, f(m) is most likely to be one-way.
- It is not known if one-way functions exist. They exist only if P ≠ NP


RSA: Cocks (’73), Rivest, Shamir, Adleman (’76)

n = pq, p and q (large) primes

P = C = Z_n

K = {(n, p, q, a, b) : ab ≡ 1 (mod φ(n))}

f_K(m) = m^a mod n

g_K(m) = m^b mod n

Show that f_K and g_K are inverses

Need: Some group theory

What is a group?

- A set of elements G with
- An additive operation ∘ such that
- G is closed under the operation, i.e. if a, b ∈ G, so does a ∘ b
- The operation is associative, i.e. (a ∘ b) ∘ c = a ∘ (b ∘ c)
- An identity exists and is in G, i.e.
- ∃ e ∈ G, s.t. e ∘ g = g ∘ e = g
- Every element has an inverse in G, i.e.

∀ g ∈ G ∃ g^-1 ∈ G s.t. g ∘ g^-1 = e

Multiplicative and additive groups

- The group operation can be addition or multiplication
- Consider Zn
- Is it a multiplicative group? Additive?

Fact: Z_p* for prime p is cyclic, generated by a primitive element α:

{1, α, α^2, …, α^(p-1)}

Examples of Z_n: multiplicative and additive groups, prime and composite n, primitive elements

Lagrange’s theorem on the order of a group element

Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and g ∈ G. Then the order of g divides n.

Example: multiplicative group. True also of additive groups. Example: additive group.

Lagrange’s theorem on the order of a group element - II

Proof: Consider the following relation:

a ~ b iff a·x^i = b for some i

- ~ is an equivalence relation because:
- a·x^o(x) = a (reflexive)
- If a ~ b then b = a·x^i and a = b·x^-i, so b ~ a (symmetric)
- If a ~ b and b ~ c, then b = a·x^i and c = b·x^j = a·x^(i+j), so a ~ c (transitive)

Hence, the cosets (equivalence classes) of this relation partition the group and are of equal size.

Example: the relation for some x and composite n

Lagrange’s theorem on the order of a group element - III

Hence, the size of any coset divides the size of the group if it is finite

{e, x^1, x^2, …, x^o(x)} is a coset of size o(x)

Because any coset that contains x

= {a s.t. a·x^i = x for some i}

= {a = x^(1-i) for some i}

= {x^j for some j}

Hence o(x) | n

Example, composite n

Back to RSA

f(g(x)) = x^(ba) mod n = x^(tφ(n)+1) mod n = x · x^(tφ(n)) mod n

= x mod n if x ∈ Z_n* (Z_n* has order φ(n), so x^φ(n) = 1 by Lagrange)

What if x ∈ Z_n \ Z_n*? Need much more math.

x^(tφ(n)) mod n = ?

Write Z_n = Z_p × Z_q

True by Chinese Remainder Theorem:

There is exactly one number modulo xy which is ≡ b (mod x) and ≡ B (mod y), if x and y are relatively prime.

x ↔ (x mod p, x mod q) = wlog (0, d) = (0, α^j), α a primitive element of Z_q*

x^(tφ(n)) ↔ (0, α^(tφ(n)·j)) = (0, 1), since (q-1) | φ(n)

x · x^(tφ(n)) ↔ (0, 1) · (0, α^j) = (0, α^j) ↔ x

CRT isomorphism examples, by hand, small composite n

Back to RSA: Key generation

Find p and q (two large random primes)

n ← pq

φ(n) ← (p-1)(q-1)

Choose random a invertible mod φ(n) s.t. 1 < a < φ(n)

i.e. a s.t. gcd(a, φ(n)) = 1

Use the Euclidean algorithm to find b = a^-1 mod φ(n)

Without p and q, cannot determine φ(n)

One key: (n, a); other key: (n, b). Example
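The key generation above, worked in code as an added example (not from the slides): toy primes p = 61, q = 53 and a = 17 are constructed values, b is found with the extended Euclidean algorithm, and one function serves both f_K and g_K since they have the same form. The last check exercises the CRT point from the previous slides: decryption also recovers x when gcd(x, n) > 1.

```python
# Added example, not from the slides: toy RSA key generation and the
# f_K / g_K round trip over all of Z_n (including x outside Z_n*).
from math import gcd

def ext_gcd(a, b):
    """Extended Euclid: return (g, s, t) with g = gcd(a, b) and s*a + t*b = g."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t

def inv_mod(a, m):
    """a^-1 mod m via extended Euclid; requires gcd(a, m) == 1."""
    g, s, _ = ext_gcd(a, m)
    if g != 1:
        raise ValueError("a is not invertible mod m")
    return s % m

def keygen(p, q, a):
    """n <- pq, phi <- (p-1)(q-1), b <- a^-1 mod phi; p and q assumed prime."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < a < phi or gcd(a, phi) != 1:
        raise ValueError("need 1 < a < phi(n) and gcd(a, phi(n)) = 1")
    return (n, a), (n, inv_mod(a, phi))      # public (n, a), private (n, b)

def apply_key(key, m):
    """f_K(m) = m^a mod n, or g_K(m) = m^b mod n, depending on the key given."""
    n, exp = key
    return pow(m, exp, n)

def crt_split(x, p, q):
    """The CRT isomorphism Z_n -> Z_p x Z_q used to handle x not in Z_n*."""
    return (x % p, x % q)

def roundtrip_all(p, q, a):
    """True iff g_K(f_K(x)) == x for every x in Z_n, not only for x in Z_n*."""
    pub, priv = keygen(p, q, a)
    return all(apply_key(priv, apply_key(pub, x)) == x for x in range(pub[0]))

if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)        # constructed toy parameters
    print(pub, priv)                       # (3233, 17) (3233, 2753)
    c = apply_key(pub, 65)
    print(c, apply_key(priv, c))           # 2790 65
    print(crt_split(61, 61, 53), roundtrip_all(61, 53, 17))   # (0, 8) True
```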

Security of RSA: Is it based on hardness of factoring n?

- It is not known if:
- factoring a product of two primes into its prime components is
- solvable in polynomial time
- NP-complete
- there are other trapdoors to RSA, i.e. other ways of breaking it in general
- Factoring is an easy problem in the quantum computing model.


Computational Complexity

Computational complexity of the following operations on x (k bits) and y (l bits), k ≥ l:

- x + y
- x – y
- xy
- ⌊x/y⌋: O(l(k-l))
- gcd(x, y): O(k^3)

Euclidean Algorithm

gcd(m, n)                          /* m > n */
  (a, b) := (m, n)                 /* initialize */
  while (b ≠ 0) (a, b) := (b, a – b*q)   /* where q = ⌊a/b⌋ */
  return(a)

Complexity?

Computational Complexity mod n

Computational complexity of the following operations on mod n, where n is a k-bit integer:

- x + y
- x – y
- xy
- x-1
- x^c, c < n: O(k^2 log c) = O(k^3)

Efficient exponentiation (from Memon notes)

Usual approach to computing x^c mod n is inefficient when c is large.

Example: 5^51 involves 51 multiplications mod n

Instead, represent c as bit string b_(k-1) … b_0 and use the following algorithm:

z = 1
for i = k-1 downto 0 do
  z = z^2 mod n
  if b_i = 1 then z = z·x mod n

How many multiplications? At most 2⌈log2 c⌉ (k squarings plus at most k multiplications by x)

Example

Calculate 5^51 mod 7 efficiently

51 = 110011 (binary) = 2^5 + 2^4 + 2^1 + 2^0

5^51 = ((((5^2)^2)^2)^2)^2 · (((5^2)^2)^2)^2 · 5^2 · 5^1

How many multiplications did you need?

5^51 mod 7
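The square-and-multiply loop and the 5^51 mod 7 exercise, as an added example (not from the slides or the Memon notes): the function follows the slide's loop bit by bit and also counts squarings and multiplications by x, so the 2⌈log2 c⌉ bound can be checked against the count the exercise asks for.

```python
# Added example, not from the slides: square-and-multiply for x^c mod n,
# scanning the bits b_(k-1) ... b_0 of c and counting modular multiplications.
def modexp(x, c, n):
    """Return (x^c mod n, squarings, multiplications by x) for c >= 1."""
    bits = bin(c)[2:]                  # b_(k-1) ... b_0, most significant first
    z, squarings, multiplies = 1, 0, 0
    for bit in bits:
        z = z * z % n                  # z = z^2 mod n (the first one only squares 1)
        squarings += 1
        if bit == "1":
            z = z * x % n              # z = z*x mod n
            multiplies += 1
    return z, squarings, multiplies

def powers_of_two(c):
    """c as a sum of powers of two, as on the slide: 51 -> [32, 16, 2, 1]."""
    return [1 << i for i in range(c.bit_length() - 1, -1, -1) if c >> i & 1]

def ceil_log2(c):
    """ceil(log2 c) for c >= 1, computed exactly on integers."""
    return c.bit_length() - 1 if c & (c - 1) == 0 else c.bit_length()

def bound(c):
    """The slide's bound on the multiplication count: 2*ceil(log2 c)."""
    return 2 * ceil_log2(c)

if __name__ == "__main__":
    result, sq, mul = modexp(5, 51, 7)
    print(powers_of_two(51))                   # [32, 16, 2, 1]
    print(result, sq, mul, bound(51))          # 6 6 4 12 (the naive method: 51)
```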

RSA: Computational complexity

- 512-bit primes, n ≈ 1024 bits
- Encryption: b^3 where a plaintext character is b bits
- Decryption by brute force: 2^b · b^3
- Key generation: Primes? O(b^2), O(b^3)

PRIME

- The book presents probabilistic algorithms for determining if a number is prime.
- Two years ago, undergraduate students and their adviser showed that determining if a number is prime can be done in deterministic polynomial time
- We will not discuss any of these in class.


A simple inefficient algorithm

- Generate a b-bit random number
- It is prime with probability 1/ln 2^b = 1/(b ln 2) = O(1/b)
- Generate enough candidates and one will be prime, after O(b) expected trials.

Factoring: Pollard p-1 algorithm

- Suppose we know that:
- for p a prime dividing n
- every prime power that divides p-1 is ≤ B
- so (p-1) | B!
- Further: 2^(p-1) ≡ 1 (mod p) (Why?)
- Hence 2^(B!) (mod n) ≡ 2^(B!) (mod p) ≡ 1 (mod p)
- And p | 2^(B!) - 1
- Hence p | gcd(2^(B!) - 1, n), which divides n
- gcd(2^(B!) - 1, n) is a non-trivial factor of n

Pollard p-1 contd.

POLLARD p-1 FACTORING (n, B)
  a ← 2
  for j ← 2 to B
    a ← a^j mod n
  d ← gcd(a - 1, n)
  if 1 < d < n
    return(d)
  else
    return(failure)


Complexity: Pollard p-1

- B-1 modular exponentiations, each requiring (log n)^2 log B operations
- (log n)^3 for the Euclidean algorithm
- If B is O(log n), polynomial, but probability of success low.
- For good RSA security, p-1 should not have small factors.
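The POLLARD p-1 loop from the previous slide and the key-generation caveat above, as an added example (not from the slides): two constructed toy moduli show that a prime p whose p-1 has only small prime-power factors is recovered with a small B, while safe primes (q = 2r+1, r prime) are not, and a check a key generator could run on candidate primes is included. Values 211, 1019 and 107 are constructed; 1019 and 107 are safe primes.

```python
# Added example, not from the slides: the slide's Pollard p-1 loop on toy
# moduli, plus the smoothness check on p-1 that the last bullet motivates.
from math import gcd

def pollard_p_minus_1(n, B):
    """Slide's algorithm: a = 2^(B!) mod n, d = gcd(a - 1, n).
    Returns a non-trivial factor d with 1 < d < n, or None on failure."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)          # a <- a^j mod n; after the loop a = 2^(B!) mod n
    d = gcd(a - 1, n)
    return d if 1 < d < n else None

def largest_prime_power(m):
    """Largest prime power q^e dividing m (trial division, toy sizes only).
    If this is <= B then m | B!, the condition the slide relies on."""
    f, best = 2, 1
    while f * f <= m:
        pp = 1
        while m % f == 0:
            pp, m = pp * f, m // f
        best = max(best, pp)
        f += 1
    return max(best, m)           # leftover m > 1 is a prime with exponent 1

def weak_for_pollard(p, B):
    """True if (p-1) | B!, i.e. p-1 has no prime-power factor above B."""
    return largest_prime_power(p - 1) <= B

if __name__ == "__main__":
    # Constructed: 211 - 1 = 2*3*5*7, so B = 7 already suffices;
    # 1019 - 1 = 2*509 and 107 - 1 = 2*53 each have a large prime factor.
    print(pollard_p_minus_1(211 * 1019, 7))                     # 211
    print(pollard_p_minus_1(1019 * 107, 50))                    # None
    print(weak_for_pollard(211, 7), weak_for_pollard(1019, 50))  # True False
```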
