
RSA



Presentation Transcript


  1. Public Key Crypto: RSA. CSCI284 Spring 2004 GWU

  2. Advanced Cryptography, CSCI 297/later 381 • Theory of secrecy: hard problems and crypto • Elliptic curves • Electronic Cash and Anonymous Credentials • PRNGs • Not much Cryptanalysis, Shannon secrecy CS284/Spring04/GWU/Vora/RSA

  3. Advanced Crypto: Grading • HWs, presentations, class participation, project • Half lecture, half seminar style course. Each student reads and presents about 3 papers during the course.

  4. CS297: Electronic Voting • Crypto, Security, Systems, Political requirements of e-voting • Part lecture, part seminar, with a project and participation through volunteering in the 2004 election. • Students can register only through instructor permission: the instructor is Jonathan Stanton.

  5. Projects? • Presentations on: 27th April, Tuesday, 6:10-7:40 (make-up day) and 28th April, Wednesday, 6:10-7:40 (another make-up day) • Presentations consist of 10 mins demos/presentations + 5 mins questions • Schedule will be given next week • Make sure you have tested the PC in the room and loaded your software before class starts.

  6. Project evaluations: 25% • 5%: proposal (those who have not submitted should do so asap; their marks will be multiplied by 0.6, i.e. maximum mark will be 3%) • 5% presentation • 5% questions • 5% if working demo (this goes for questions for theory projects) • 5% how interesting/difficult it is

  7. How does Alice send Bob the decryption key in private key crypto? • If Alice wants it such that anyone can decrypt her messages, but know that they came from her • Suppose she could make the decryption key available in a public place • This would require that the decryption key should not give any information on the encryption key; in particular it should not be equal to it

  8. How does Alice send Bob the decryption key in private key crypto? contd • If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way • Suppose Bob makes his encryption key available publicly • No one should be able to compute the decryption key from the encryption key • This is the dual of the previous case

  9. Public Key Cryptography • Two injective functions f and g such that f∘g = I, i.e. messages encrypted with one can be decrypted with the other; the functions include association with a key • f cannot be used to find g and vice versa • One is made public, the other kept private • Encryption with the public function provides confidential transmission; decryption with the public function provides authentication

  10. Consider: given c = f(m), f public. Should be decrypted only by the owner of this “public key”. Is the secrecy of this encryption perfect? i.e. given infinite computing power, can someone find m?

  11. PKC from another pov • f(m) is a one-way function, because computing f(m) is computationally easy, but finding m from f(m) should be difficult without the key • However, finding m with the key, or on knowing g, should be easy too. • f(m) is a one-way function with a trapdoor – the private key

  12. Aside: Computational Complexity • NP problems are those in which one can check a given solution in polynomial time • An NP-complete problem is one which, if solved in polynomial time, can be used to solve all other NP problems in polynomial time. • Thus, if an NP-complete problem is solved in polynomial time, P (the set of all problems solvable in polynomial time) = NP (the set of all problems for which solutions can be checked in polynomial time)

  13. Aside: Computational Complexity • There are problems not known to have polynomial-time solutions which are also not known to be NP-complete: i.e. they are difficult, but perhaps not among the most difficult

  14. Aside: different grades of difficulty • If m can be found from f(m) in polynomial time, i.e. the number of operations required is a polynomial in the size of the input (the number of bits in the keys), f(m) is not one-way in the most popular computational model: probabilistic polynomial time. • If an algorithm for finding m from f(m) in polynomial time is not known to the public, f(m) might be one-way, and might be usable for crypto

  15. Aside: different grades of difficulty contd • If other very difficult problems (NP-complete problems) in computer science can be solved if m can be found from f(m), i.e. the problem is NP-hard, f(m) is most likely to be one-way. • It is not known if one-way functions exist. They exist only if P ≠ NP

  16. RSA. Cocks (’73), Rivest, Shamir, Adleman (’76) • n = pq, p and q (large) primes • P = C = Z_n • K = {(n, p, q, a, b) : ab ≡ 1 mod φ(n)} • f_K(m) = m^a mod n • g_K(m) = m^b mod n • Show that f_K and g_K are inverses

  17. Need: Some group theory. What is a group? • A set of elements G with • An additive operation ∘ such that • G is closed under the operation, i.e. if a, b ∈ G, so does a ∘ b • The operation is associative, i.e. (a ∘ b) ∘ c = a ∘ (b ∘ c) • An identity exists and is in G, i.e. ∃ e ∈ G s.t. e ∘ g = g ∘ e = g • Every element has an inverse in G, i.e. ∀ g ∈ G ∃ g^(-1) ∈ G s.t. g ∘ g^(-1) = e

  18. Multiplicative and additive groups • The group operation can be addition or multiplication • Consider Z_n • Is it a multiplicative group? Additive? • Fact: Z_p* for prime p is cyclic, generated by a primitive element α: {1, α, α^2, …, α^(p-1)} • Examples of Z_n – multiplicative and additive groups, prime and composite n, primitive elements

  19. Lagrange’s theorem on the order of a group element • Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and g ∈ G. Then the order of g divides n. • Example: multiplicative group. • True also of additive groups. Example: additive group.

  20. Lagrange’s theorem on the order of a group element - II • Proof: Consider the following relation: a ~ b iff a·x^i = b for some i • ~ is an equivalence relation because: • a·x^o(x) = a • If a ~ b then b = a·x^i and a = b·x^(-i), and so b ~ a • If a ~ b and b ~ c, then b = a·x^i and c = b·x^j = a·x^(i+j), and so a ~ c • Hence, the cosets of this relation partition the group and are of equal size. • Example: the relation for some x and composite n

  21. Lagrange’s theorem on the order of a group element - III • Hence, the size of any coset divides the size of the group if it is finite • {e, x^1, x^2, …, x^o(x)} is a coset of size o(x) • Because any coset that contains x = {a s.t. a·x^i = x for some i} = {a = x^(1-i) for some i} = {x^j for some j} • Hence o(x) | n • Example, composite n

  22. Back to RSA • f(g(x)) = x^(ba) mod n = x^(tφ(n)+1) mod n = x · x^(tφ(n)) mod n = x mod n if x ∈ Z_n* • What if x ∈ Z_n \ Z_n*? Need much more math.

  23. xt (n) mod n = ? Write Zn = ZpX Zq True by Chinese Remainder Theorem: There is exactly one number modulo xy which is bmodx and Bmody if x and y are relatively prime. x  (x mod p, x mod q) = wlog (0, d) = (0, j) x(n) = (0,  (n)j) = (0, 1) x. x(n) = (0, 1) (0, j) = x CRT isomorphism examples, by hand, small composite n CS284/Spring04/GWU/Vora/RSA

  24. Back to RSA: Key generation • Find p and q (two large random primes) • n ← pq • φ(n) ← (p-1)(q-1) • Choose random a invertible mod φ(n) s.t. 1 < a < φ(n), i.e. a s.t. gcd(a, φ(n)) = 1 • Use the Euclidean algorithm to find a^(-1) mod φ(n) • Without p and q one cannot determine φ(n) • One key: (n, a), other key: (n, b) • Example
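The key generation of slide 24 carried out in code, as an added example that is not part of the original deck: the extended Euclidean algorithm supplies a^(-1) mod φ(n), and the round-trip is checked for every x in Z_n, non-units included, which is the point slides 22 and 23 make via the CRT. The primes p = 11, q = 13 and exponent a = 7 are constructed toy values, far too small for real use.

```python
# Added example (not from the slides): toy RSA key generation per slide 24.
from math import gcd

def ext_gcd(a, b):
    """Extended Euclid: return (g, s, t) with g = gcd(a, b) and s*a + t*b = g."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:                      # same loop as slide 27, carrying s and t
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def inverse_mod(a, m):
    """a^-1 mod m, which exists only when gcd(a, m) = 1 (slide 24)."""
    g, s, _ = ext_gcd(a, m)
    if g != 1:
        raise ValueError(f"{a} is not invertible mod {m}")
    return s % m

def rsa_keygen(p, q, a):
    """n = pq, phi(n) = (p-1)(q-1), b = a^-1 mod phi(n); returns (n, a), (n, b)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    b = inverse_mod(a, phi)
    return (n, a), (n, b)

def rsa_apply(key, m):
    """f_K or g_K from slide 16: m^e mod n (pow uses square-and-multiply)."""
    n, e = key
    return pow(m, e, n)

def roundtrip_all(p, q, a):
    """Check g_K(f_K(x)) = x for every x in Z_n, including the non-units
    (slides 22-23: the CRT argument says it holds even when gcd(x, n) > 1).
    Returns (all_ok, number_of_non_units)."""
    pub, priv = rsa_keygen(p, q, a)
    n = pub[0]
    non_units = sum(1 for x in range(n) if gcd(x, n) > 1)
    all_ok = all(rsa_apply(priv, rsa_apply(pub, x)) == x for x in range(n))
    return all_ok, non_units

if __name__ == "__main__":
    # Constructed toy parameters: p = 11, q = 13, a = 7 (so phi(n) = 120).
    print(rsa_keygen(11, 13, 7), roundtrip_all(11, 13, 7))
```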

  25. Security of RSA: is it based on the hardness of factoring n? • It is not known if: • factoring a product of two primes into its prime components is solvable in polynomial time, or is NP-complete • there are other trapdoors to RSA, i.e. other ways of breaking it in general • Factoring is an easy problem in the quantum computing model.

  26. Computational Complexity • Computational complexity of the following operations on x (k bits) and y (l bits), k ≥ l: • x + y • x – y • xy • Floor(x/y): O(l(k-l)) • gcd(x, y): O(k^3)

  27. Euclidean Algorithm
  gcd(m, n) /* m > n */
    (a, b) := (m, n) /* Initialize */
    while (b ≠ 0)
      (a, b) := (b, a – b*q) /* where q = ⌊a/b⌋ */
    return(a)
  Complexity?

  28. Computational Complexity mod n • Computational complexity of the following operations mod n, where n is a k-bit integer: • x + y • x – y • xy • x^(-1) • x^c, c < n: O(k^2 log c) = O(k^3)

  29. Efficient exponentiation (from Memon notes) • The usual approach to computing x^c mod n is inefficient when c is large. Example: 5^51 involves 51 multiplications mod n • Instead, represent c as the bit string b_(k-1) … b_0 and use the following algorithm:
    z = 1
    for i = k-1 downto 0 do
      z = z^2 mod n
      if b_i = 1 then z = z·x mod n
  How many multiplications? k = 2⌈log_2 c⌉

  30. Example • Calculate 5^51 mod 7 efficiently • 51 = 110011 (binary) = 2^5 + 2^4 + 2^1 + 2^0 • 5^51 = ((((5^2)^2)^2)^2)^2 · (((5^2)^2)^2)^2 · 5^2 · 5^1 • How many multiplications did you need?

  31. 5^51 mod 7
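The square-and-multiply loop of slide 29, instrumented to count the squarings and multiplications it performs, beside the naive c - 1 multiplication method; this is an added example, not code from the deck, and it is run on the 5^51 mod 7 exercise of slides 30 and 31. The counts include the first iteration's trivial operations on z = 1, exactly as the slide's loop performs them.

```python
# Added example (not from the slides): slide 29's square-and-multiply loop,
# instrumented to count modular multiplications, next to the naive method.

def modexp_counted(x, c, n):
    """Return (x^c mod n, squarings, multiplies), scanning the bits of c from
    b_{k-1} down to b_0 exactly as the slide's loop does. The first iteration
    squares z = 1 and (since b_{k-1} = 1) multiplies 1 by x, so the counts
    include those two trivial operations."""
    bits = bin(c)[2:]                 # b_{k-1} ... b_0 with no leading zeros
    z = 1
    squarings = multiplies = 0
    for bit in bits:
        z = z * z % n                 # z = z^2 mod n
        squarings += 1
        if bit == "1":
            z = z * x % n             # z = z * x mod n
            multiplies += 1
    return z, squarings, multiplies

def modexp_naive(x, c, n):
    """The 'usual approach' of slide 29: c - 1 multiplications mod n (c >= 1)."""
    z = x % n
    for _ in range(c - 1):
        z = z * x % n
    return z, c - 1

def power_of_two_terms(c):
    """The 2^i terms of c's binary expansion, largest first (slide 30)."""
    k = c.bit_length()
    return [1 << i for i in range(k - 1, -1, -1) if (c >> i) & 1]

if __name__ == "__main__":
    # Constructed check against slide 30's exercise: 5^51 mod 7.
    print(power_of_two_terms(51), modexp_counted(5, 51, 7), modexp_naive(5, 51, 7))
```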

  32. RSA: Computational complexity • 512-bit primes, n 1024 bits • Encryption: b^3 where a plaintext character is b bits • Decryption by brute force: 2^b · b^3 • Key generation: Primes? O(b^2), O(b^3)

  33. PRIME • The book presents probabilistic algorithms for determining if a number is prime. • Two years ago, undergraduate students and their adviser showed that determining if a number is prime can be done in deterministic polynomial time. • We will not discuss any of these in class.

  34. A simple inefficient algorithm • Generate a b-bit random number • It is prime with probability 1/ln 2^b = 1/(ln 2 · b) = O(1/b) • Generate enough of them and you will be done, in O(b) complexity.

  35. Factoring: Pollard p-1 algorithm • Suppose we know that: • for p a prime dividing n • every prime power that divides p-1 is ≤ B • then (p-1) | B! • Further: 2^(p-1) ≡ 1 (mod p) (Why?) • Hence 2^(B!) (mod n) ≡ 2^(B!) (mod p) ≡ 1 (mod p) • And p | 2^(B!) - 1 • Hence p | gcd(2^(B!) - 1, n), which divides n • gcd(2^(B!) - 1, n) is a non-trivial factor of n

  36. Pollard p-1 contd.
  POLLARD p-1 FACTORING (n, B)
    a ← 2
    for j ← 2 to B
      a ← a^j mod n
    d ← gcd(a-1, n)
    if 1 < d < n return(d)
    else return(failure)

  37. Example CS284/Spring04/GWU/Vora/RSA

  38. Complexity: Pollard p-1 • B-1 modular exponentiations, each requiring (log n)^2 log B operations • (log n)^3 for the Euclidean algorithm • If B is O(log n), polynomial, but the probability of success is low. • For good RSA security, p-1 should not have small factors.
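Slide 36's POLLARD p-1 FACTORING written out in Python, together with the smoothness check on p-1 that slide 38's last bullet asks of an RSA prime; this is an added example, not code from the deck. The moduli are constructed from the small primes p = 2311 (p-1 = 2·3·5·7·11, so B = 11 suffices), q = 2027 and r = 2039 (q-1 = 2·1013 and r-1 = 2·1019, both with a large prime factor).

```python
# Added example (not from the slides): slide 36's Pollard p-1 in Python,
# plus the "p-1 should not have small factors" check of slide 38.
from math import gcd

def pollard_p_minus_1(n, B):
    """Return a non-trivial factor of n, or None on failure (slide 36)."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)          # after the loop, a = 2^(B!) mod n
    d = gcd(a - 1, n)
    return d if 1 < d < n else None

def prime_power_factors(m):
    """Trial-division factorisation of m as {prime: exponent}."""
    factors, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors

def max_prime_power(m):
    """Largest prime power dividing m. By slide 35's sufficient condition,
    any B >= this value guarantees m | B!, so for m = p-1 it is the bound at
    which Pollard p-1 is certain to succeed on p."""
    return max(p ** e for p, e in prime_power_factors(m).items())

# Constructed test moduli (see lead-in): p = 2311 has an 11-smooth p-1;
# q = 2027 and r = 2039 have q-1 = 2*1013 and r-1 = 2*1019.
WEAK_N = 2311 * 2027      # one factor is found with B = 11
SAFE_N = 2027 * 2039      # no factor is found with B = 11

if __name__ == "__main__":
    print(pollard_p_minus_1(WEAK_N, 11), pollard_p_minus_1(SAFE_N, 11))
    print(max_prime_power(2310), max_prime_power(2026))
```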
