RSA and Public Key Cryptography Oct. 2002 Nathanael Paul

Some quick things to fill in some holes…
• (P,C,K,E,D)
• P: plaintext
• C: ciphertext
• K: keyspace
• E: encryption function
• D: decryption function
• Someone recently asked me (and something for you to think about for next time):
• Can cryptography and math be separated? Why or why not?

What is public key cryptography? Why is there a need?
• Asymmetric vs. Symmetric
• Problems solved by public key
• Shared secret not needed
• Authentication
• Trapdoor one-way function
• Factoring integers
• Discrete logs
• Slow, power hungry

Where did public key cryptography come from?
• Diffie and Hellman
• Credited with invention (circa 1976)
• One year later, RSA is invented
• April 2002, ACM communications
• 1970 James Ellis (British Gov’t)
• “The possibility of non-secret encryption”
• NSA claims

Overview
• RSA
• Rivest, Shamir, Adleman, 1977
• Z_n
• Modular operations (the expensive part)
• A sender looks up the public key of the receiver, and encrypts the message with that key
• The receiver decrypts the message with his private key
• Although the public key is public information, the private key is secret but related to the public key in a special way

Essence of RSA
• P, C are in Z_n
• n = p * q, where p and q are primes
• y = E_k(m) = m^b mod n
• m = D_k(y) = y^a mod n
• D(y) = D(E(m)) = D(m^b) = (m^b)^a = m
• Factoring not necessary for decryption
• The public key is (b, n), everything else is private
• private key is (a, n)

Some relationships
• a is relatively prime to (p-1)(q-1)
• ab ≡ 1 (mod (p-1)(q-1))
• φ(n) = (p-1)(q-1). ???
• φ(n) = |{ x < n : gcd(x, n) = 1 }|
• “all integers less than n that are relatively prime to n”
• Let’s check to see if encryption and decryption really are inverse operations.

Checking RSA
• ab ≡ 1 (mod φ(n))
• “ab is some multiple of φ(n), plus 1”
• ab = tφ(n) + 1, t >= 1
• (m^b)^a ≡ m^(tφ(n) + 1) (mod n)
  ≡ (m^φ(n))^t m (mod n)
  ≡ (1)^t m (mod n) by Euler’s Thm.
  ≡ m (mod n) DONE

How to pick a public key
• Pick 2 primes, p and q
• Compute n = pq and φ(n) = (p-1)(q-1)
• Choose a random b (1 < b < φ(n))
• gcd(b, φ(n)) = 1
• Compute a = b^-1 mod φ(n)
• Extended Euclidean algorithm
• Publish the public key
• (b, n) is a person’s public key now (i.e., people may now send encrypted text using this public key)

Bob chooses his public key
• He randomly chooses the 17th and 19th primes, 59 and 67, respectively (p = 59, q = 67)
• φ(n) = (58)(66) = 3828
• Pick a random b, less than 3828 but > 1
• Let’s try 2669. Will that work? gcd(2669, 3828) = 1
• Now, ab ≡ 1 (mod φ(n))
• a * 2669 ≡ 1 mod 3828
• a will exist iff gcd(b, φ(n)) = 1

Bob finishes his calculations in making his public key…
• a = b^-1 in Z_φ(n), recall a is the decryption exponent
• a = 1625 (b^-1 = 1625 mod 3828)
• Bob’s private key (a, n) is (1625, 3953), so now Bob publishes his public key (b, n) as (2669, 3953)

Alice wants to send Bob a message, m…
• Alice has plaintext 3128 to send. She will send E(m):
• Alice encrypts with public key (b, n) or (2669, 3953)
• E(m) = 3128^2669 mod 3953 = 3541
• Bob receives the ciphertext 3541:
• Bob decrypts with private key (a, n) or (1625, 3953)
• 3541^1625 mod 3953 = 3128
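
Bob's key generation and the Alice-to-Bob exchange above, as a runnable sketch. This is an added example, not code from the slides; the function names are assumptions, and it is textbook RSA with no padding, suitable only for checking the arithmetic.

```python
def egcd(x, y):
    """Extended Euclid: return (g, s, t) with s*x + t*y == g == gcd(x, y)."""
    old_r, r, old_s, s, old_t, t = x, y, 1, 0, 0, 1
    while r:
        k = old_r // r
        old_r, r = r, old_r - k * r
        old_s, s = s, old_s - k * s
        old_t, t = t, old_t - k * t
    return old_r, old_s, old_t


def make_keys(p, q, b):
    """Return (public, private) = ((b, n), (a, n)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < b < phi:
        raise ValueError("need 1 < b < phi(n)")
    g, s, _ = egcd(b, phi)
    if g != 1:
        raise ValueError("b has no inverse: gcd(b, phi(n)) != 1")
    return (b, n), (s % phi, n)   # s % phi is a = b^-1 mod phi(n)


def encrypt(m, public):
    b, n = public
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_n")
    return pow(m, b, n)           # y = m^b mod n


def decrypt(y, private):
    a, n = private
    return pow(y, a, n)           # m = y^a mod n


# Bob's key from the slides: p = 59, q = 67, b = 2669.
BOB_PUBLIC, BOB_PRIVATE = make_keys(59, 67, 2669)

if __name__ == "__main__":
    y = encrypt(3128, BOB_PUBLIC)
    print(BOB_PUBLIC, BOB_PRIVATE, y, decrypt(y, BOB_PRIVATE))
```
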

Some notes about a, b, p, and q
• p and q must be large for security
• b, the encryption exponent, does not have to be that large (2^16 – 1 = 65535 is good)
• a, the decryption exponent, needs to be sufficiently large (512 to 2048 bits)
• Having to work with such large numbers, we need to look at some other elements of RSA.

RSA: Component Operations
• Exponentiation
• We need to do it fast
• Factorization
• Believed to be difficult (security is here)
• Finding prime numbers and testing primality
• Rabin Miller test
• New polynomial time algorithm
• http://mathworld.wolfram.com/news/2002-08-07_primetest/
• http://www.cse.iitk.ac.in/primality.pdf

Fast Exponentiation
• a ^ 256 mod 7
• Don’t do (a*a*a…*a) 256 times and mod by 7
• (a * b) mod p = (a mod p * b mod p) mod p
• Shortcut: Look at binary representation of 256
• 256 = 2^8, (((((((a^2)^2)^2)^2)^2)^2)^2)^2 and mod 7 each time you perform a square
• 25 = 11001 = 2^4 + 2^3 + 2^0
  a ^ 25 mod n = (a * a^8 * a^16) mod n
  = (a * (((a^2)^2)^2) * ((((a^2)^2)^2)^2)) mod n
  = (((((((a^2 mod n)*a) mod n)^2 mod n)^2 mod n)^2 mod n) * a) mod n
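
The binary shortcut above as code that also counts modular multiplications, so the cost can be compared with the naive product. This is an added example, not from the slides; the function name is an assumption. It scans the exponent's bits left to right, which reproduces the last expression on the slide for 25 = 11001.

```python
def square_and_multiply(base, exponent, modulus):
    """Return (base**exponent % modulus, number of modular multiplications)."""
    if exponent < 0 or modulus < 1:
        raise ValueError("need exponent >= 0 and modulus >= 1")
    if exponent == 0:
        return 1 % modulus, 0
    bits = bin(exponent)[2:]          # e.g. 25 -> "11001"
    result = base % modulus           # accounts for the leading 1 bit
    mults = 0
    for bit in bits[1:]:
        result = (result * result) % modulus      # always square
        mults += 1
        if bit == "1":
            result = (result * base) % modulus    # multiply only on 1 bits
            mults += 1
    return result, mults


if __name__ == "__main__":
    # 25 = 11001: four squarings and two multiplications instead of 24 products.
    print(square_and_multiply(3, 25, 1000))
    # 256 = 2^8: eight squarings, no extra multiplications.
    print(square_and_multiply(3, 256, 7))
    # Alice's encryption from the earlier slide.
    print(square_and_multiply(3128, 2669, 3953))
```

The multiply step runs only for 1 bits, so running time depends on the exponent; when the exponent is a private key, production libraries use constant-time variants to avoid leaking it through timing.
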

Factorization
• Brute force is stupid and slow
• d = 1,2,3,4,… Does d divide n?
• Factoring n = pq. If p <= q, n >= p^2, so √n >= p
• d can go as high as √n in worst case
• For n ~ 10^40, 10^20 number of divisions
• Use structure of Z_n
• p – 1 method (not really used, but a good speedup)
• Pollard’s rho method
• Quadratic sieve, Number Field Sieve (NFS)
• Is there a better method out there?

Finding some prime numbers
• Easy to generate a number, but how do you know if it’s prime?
• Rabin Miller
• If n is prime, output is always “could be”
• If n is composite, output is “composite” or “could be”
• If n is composite and “could be” is returned, the probability of a wrong answer is <= ¼
• New polynomial algorithm that can say yes/no!
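
One Rabin Miller round with the two outputs named above, plus a repeated test. This is an added example, not from the slides; the function names are assumptions, and the witnesses are fixed (2 through 17) so the output is reproducible, whereas key generation would draw them at random. With these seven witnesses the answer is exact for every n below 341,550,071,728,321.

```python
def rabin_miller_round(n, w):
    """One round for odd n > 2 with witness w: "composite" or "could be"."""
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(w, d, n)
    if x == 1 or x == n - 1:
        return "could be"
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return "could be"
    return "composite"                # a "composite" answer is never wrong


def probably_prime(n, witnesses=(2, 3, 5, 7, 11, 13, 17)):
    """Trial-divide by the witnesses, then require every round to pass."""
    if n < 2:
        return False
    for w in witnesses:
        if n == w:
            return True
        if n % w == 0:
            return False
    return all(rabin_miller_round(n, w) == "could be" for w in witnesses)


if __name__ == "__main__":
    # 2047 = 23 * 89 is composite, yet witness 2 answers "could be":
    # this is the wrong-answer case that a single round can produce.
    print(rabin_miller_round(2047, 2), rabin_miller_round(2047, 3))
    # Bob's primes pass; his modulus 3953 = 59 * 67 does not.
    print(probably_prime(59), probably_prime(67), probably_prime(3953))
```
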

Using RSA: What can go wrong?
• Computing φ(n) is no easier than factoring n
• From n = pq and φ(n) = (p-1)(q-1), we obtain:
• p^2 – (n - φ(n) + 1)p + n = 0
• The roots of the above equation will be p and q
• If the decryption exponent, a, is known, Bob needs to choose a new decryption exponent.
• That isn’t enough! Bob must also choose a new modulus.
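
The quadratic above solved for Bob's toy modulus, showing why φ(n) has to be protected exactly like p and q. This is an added example, not from the slides; the function name is an assumption.

```python
from math import isqrt


def factor_from_phi(n, phi):
    """Solve p^2 - (n - phi + 1)p + n = 0 and return its roots (p, q), p <= q."""
    s = n - phi + 1                   # p + q, since phi = n - (p + q) + 1
    disc = s * s - 4 * n              # (q - p)^2 when phi really is phi(n)
    if disc < 0:
        raise ValueError("phi is not consistent with n = p*q")
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi is not consistent with n = p*q")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("phi is not consistent with n = p*q")
    return p, q


if __name__ == "__main__":
    # Bob's values from the earlier slides: n = 3953, phi(n) = 3828.
    # p + q = 126 and (q - p)^2 = 64, so the roots are 59 and 67.
    print(factor_from_phi(3953, 3828))
```
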

DES vs. RSA
• RSA is about 1500 times slower than DES
• Exponentiation and modulus
• Generation of numbers used in RSA can take time
• Test n against known methods of factoring
• http://www.rsasecurity.com/rsalabs/challenges/factoring/numbers.html

Key Distribution
• The hard problem for symmetric (secret) key ciphers
• Transmitting a private key on an insecure channel
• Asymmetric system solves problem

Primitive roots
• is a primitive root of F_p you can get all elements of F_p from
• There exists an m such that: m = n mod p, for 1 <= n < p
• m is unique
• Can you solve for m? Yes, but it’s hard by currently known methods (Discrete log)
• All primes have primitive roots

Example of primitive root
• Consider the element 2: 2^x mod 13
  2^0 ≡ 1 mod 13     2^6 ≡ 12 mod 13
  2^1 ≡ 2 mod 13     2^7 ≡ 11 mod 13
  2^2 ≡ 4 mod 13     2^8 ≡ 9 mod 13
  2^3 ≡ 8 mod 13     2^9 ≡ 5 mod 13
  2^4 ≡ 3 mod 13     2^10 ≡ 10 mod 13
  2^5 ≡ 6 mod 13     2^11 ≡ 7 mod 13
• Primitive roots are not found this way in F_p, but this is an example of a primitive root.

Key distribution: Alice and Bob need to talk
• Insecure channel of communication
• First, set up our field that our numbers will operate within:
• p, a large prime (sets up something called our field)
• is called a primitive root of F_p

Alice and Bob obtain a private key using public keys
Bob Alice a b ko = (a )b k1 = (b )a
So, k1 = ko, and a secret key is shared between Alice and Bob.

What does the adversary know, and what can he do?
• Knows a, b, , and p
• So we want to find the key, k
• k = ab
• This is believed to be hard.
• If one knows how to compute discrete logs efficiently, then one can break this scheme (and other schemes based on public key cryptography)
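
The key agreement from the last few slides with both sides' messages, run over the toy field F_13 and the primitive root 2 from the example slide. This is an added example, not from the slides; the symbol for the primitive root did not survive in the extracted text, so the code calls it g, and the class, function names and the secrets 5 and 8 are constructed for illustration.

```python
def is_primitive_root(g, p):
    """True when g has order p - 1 modulo the prime p."""
    m, factors, d = p - 1, set(), 2
    while d * d <= m:                 # prime factors of p - 1
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return all(pow(g, (p - 1) // f, p) != 1 for f in factors)


class Party:
    def __init__(self, p, g, secret):
        if not 1 < secret < p - 1:
            raise ValueError("secret exponent out of range")
        self.p, self.g, self._secret = p, g, secret

    def public_value(self):
        return pow(self.g, self._secret, self.p)      # sent in the clear

    def shared_key(self, peer_public):
        if not 1 < peer_public < self.p - 1:          # reject 0, 1 and p - 1
            raise ValueError("degenerate public value")
        return pow(peer_public, self._secret, self.p)


def exchange(p, g, a, b):
    """Run the exchange; return what crosses the wire and each side's key."""
    if not is_primitive_root(g, p):
        raise ValueError("g is not a primitive root of F_p")
    alice, bob = Party(p, g, a), Party(p, g, b)
    from_alice, from_bob = alice.public_value(), bob.public_value()
    return {
        "wire": (p, g, from_alice, from_bob),          # all the adversary sees
        "alice_key": alice.shared_key(from_bob),
        "bob_key": bob.shared_key(from_alice),
    }


if __name__ == "__main__":
    print(exchange(13, 2, 5, 8))
```
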

Public Key Cryptographic Use
• Secure RPC
• SSL
• Cisco encrypting routers

Key distribution
• Key freshness
• Predistribution
• Agreement protocols

Trusted Authority – Alice and Bob need to talk (again)
• How about a TA issuing a certificate?
• TA shares a secret key with each person that may ever want to communicate with TA
• Alice asks for Bob’s public key, so TA issues a certificate: E(K, ID(Bob), T, L)
• E is done with Alice and TA’s shared key
• K is random, T is timestamp, L is lifetime
• Alice can verify certificate is from TA
• Ex. Kerberos

Reading
• “New Directions in Cryptography”
• http://www.cs.rutgers.edu/~tdnguyen/classes/cs671/presentations/Arvind-NEWDIRS.pdf
• “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”
• http://theory.lcs.mit.edu/~cis/pubs/rivest/rsapaper.ps