1 / 38

Outline

This article provides an overview of RSA algorithm and discrete logarithms, including their applications in key management and primality testing. It also discusses the computational issues in RSA and techniques to resist timing attacks. Additionally, it explores the selection of large primes and introduces the Miller-Rabin algorithm for primality testing.

kraymond
Download Presentation

Outline

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Outline • Review of RSA • Discrete logarithms • Testing for primality • Key management in public-key cryptosystem • Diffie-Hellman Key exchange

  2. Revisit proof of RSA • If (a×b)≡(a×c) mod n then b≡c mod n True if a is relatively prime to n Suppose b > c b-c = qn ab – ac = kn a(b-c) = kn kn b-c = gcd(a,n)=1 a Ex. 2x1 mod 8 = 2 1 ≡ 5 mod 8 2x5 mod 8 = 2

  3. Proof of Fermat’s law • Recall: p is a prime, Zp is a Galois Field Any a multiplied by {1,2,…,p-1} will span {1,2,…,p-1} in some order {a mod p, 2a mod p,…, (p-1)a mod p} 等於 {1,2,…,p-1} 的重排 左邊集合內元素都與 p 互質 1 ax ≡ ay mod p => x ≡ y mod p 2 • 左邊集合內的元素都不同

  4. Proof for Euler’s theorem • aø(n)≡ 1 mod n, gcd(a,n)=1 • n is a prime => Fermat’s theorem • Arbitrary n: ø(n) means the number of integers that is relatively prime to n, denote the set of integers as Multiply each by a, modulo n: S is a permutation of R !!! * a is relatively prime to n, and xi is relative prime to n => so does axi * There is no duplicate in S

  5. RSA concept • n=pq, p and q are primes a … a a2 a3 af(n)-1 af(n) Euler’s formula: 1 2 3 4 . . . pq-2 pq-1 1 1 1 1 . . . 1 1 1. af(n) 2. 3. a af(n) … akf(n)+1 af(n) af(n) (ae)d af(n) ae a

  6. RSA algorithm : key generation and encryption/decryption Example: 1. Select primes p and q (pq). 2. Calculate n=pq. 3. Calculate f(n)=(p-1)(q-1) 4. Select e that is relative prime to and less than f(n) 5. Determine d such that de ≡ 1 mod f(n), and d< f(n) (d is the multiplicative inverse of e, find it using Extended Euclid’s algorithm) p=17, q=11 n= 17x11 = 187 f(n)= 16x10 = 160 e = 7 d = 23

  7. RSA encryption/decryption example • Public key: KU={e,n}={7,187} • Private key: KR={d,n}={23,187}

  8. Computational issues in RSA • Select primes p and q (pq) • How to select a large prime? (Chap. 8.3) • Calculate d such that d ≡ e-1 mod f(n) • How to compute multiplicative inverse? => Extended Euclid’s algorithm (Chap. 4.4) • Encryption: M = Cd mod n • How to compute exponentiation fast?

  9. Computation issues – encryption/decryption • Modular exponentiation: • Fast algorithm use the property: • Write exponential d as binary number: bkbk-1…b1b0 • ex. 2310 = 101112 = 24+22+21+20 M = Cd mod n (a x b) mod n = (a mod n) x (b mod n) mod n 1123 mod 187 =(1116×114×112×111) mod 187 =[(1116 mod 187)×(114 mod 187)×(112 mod 187)×(111 mod 187)] mod 187 =…=88

  10. Pseudo-code for fast exponentiation: ab mod n Timing attacks c=0; /* c will be the exponent at last */ d=1; /* d will be the ab mod n at last */ for(i=k; i>=0; i--){ /* k+1 bits for b */ c = 2*c; d = (d*d) mod n; if ( bi== 1 ){ c = c+1; d = (d*a) mod n } } If this bit is 1, exec. time will be slower

  11. Resist to timing attacks • Constant exponentiation time • return the results of exponentiation after a fixed time • Random delay • Add random delay to the exp. execution time • Blinding • Multiply ciphertext by a random number

  12. Outline • Review of RSA • Discrete logarithms • Testing for primality • Key management in public-key cryptosystem • Diffie-Hellman Key exchange

  13. The power of an integer, modulo n • Euler’s formula (1):aø(n)≡ 1 mod n, gcd(a,n)=1 • General form (2): am ≡ 1 mod n, gcd(a,n)=1 • There is at least one m(m=f(n))satisfies (2) • For any 0<a<n, the least positive m satisfies (2) is referred as • The order of a (mod n) • The exponent to which a belongs (mod n) • The length of the period generated by a

  14. Example: modulo 19 Euler’s formula • Primitive root of 19: • period = 18 • Span {1,…,18} 4? ≡ 17 mod 19 period = 9 period = 3

  15. Discrete logarithms • For real numbers: y = xr • For prime integer p, and its primitive root a • There is a unique i such that => logx y = r b ≡ ai mod p where 0 ≤ i ≤ (p-1) Given b, a, and p, we can find a uniquei => inda,p (b) = i • Unique discrete logarithm mod m to some base a exist • only if a is a primitive root of m

  16. Example: discrete log, mod 19

  17. Calculation of discrete log Calculation of power is straightforward • Equation: b = ai mod p Calculation of discrete log (if exists) is hard !!! => The same complexity of factoring primes Not feasible for large primes

  18. Outline • Review of RSA • Discrete logarithms • Testing for primality • Key management in public-key cryptosystem • Diffie-Hellman Key exchange

  19. How to select a large prime? • In RSA, we have to • select two primes p and q (pq) • select e or d (that is relatively prime to f(n)) • p, q, e, d must be sufficiently large to avoid exhaustive search attack • However, no useful method to generate arbitrarily large primes • Sol: pick at random an odd number of the desired order of magnitude, and test whether it is a prime

  20. Test for primality k k-1 generate aq,a2q,…,a2 q,a2 q mod n • Miller-Rabin algorithm: decide whether a number is a prime with a bounded error probability • Given an odd integer n for test • Factor (n-1) as • Choose an integer a, 1<a<n-1 Ex. n = 29 28 = 22 (7) n-1 = 2kq, k > 0, q odd Recall Fermat’s theorem:an-1≡1 mod n if n is a prime a = 10 107,102x7,104x7 mod 29 =17, 28, 1 See next page

  21. Test for primality (cont.) … If n is a prime, square k a2q=an-1≡1 mod n k However, we don’t have to test until a2q k k-1 generate aq,a2q,…,a2 q,a2 q mod n • For a given integer a If this number aq mod n = 1 or -1 Then (aq)2 mod n = 1 If this number a2q mod n = -1=(n-1) Then (aq)2 mod n = 1 k (aq)4 mod n = 1 … k (aq)2 mod n = 1

  22. Repeated use of Miller-Rabin Algorithm Fermat’s theorem:an-1≡1 mod n , for all 0<a<n, if n is a prime • It has been shown that, for one random chosen integer a, • the probability of false positive is less than 1/4 (n 非質數,但是偵測為質數) Run M-R test 2 times with different a => Prob = (1/4)2 Run M-R test t times with different a => Prob = (1/4)t

  23. How many integers to test to find a prime? • Prime number theory: the primes near n are spaced on the average one every ln (n) integers • Discard even integers, and ending with digit 5 => test about 0.4ln (n) numbers • Ex. prime on the order of magnitude of 2200 (200 bits) => 0.4ln (2200) = 55 trails to find a prime Density of prime? no. of primes = ln (n) n 1 n

  24. How to generate public/private keys? • Q: select e or d that is relatively prime to f(n)? • A: Extended Euclid’s algorithm • Test gcd(e, f(n)) = 1? • Calculate the multiplicative inverse at the same time if they are relatively prime • Procedure: Generate a series of random numbers, test each against f(n) • How many random numbers to test? • The prob. that two random numbers are relatively prime is about 0.6 (problem 8.1)

  25. Outline • Review of RSA • Discrete logarithms • Testing for primality • Key management in public-key cryptosystem • Diffie-Hellman Key exchange

  26. Key management (Ch 10.1) • Two issues for public-key cryptosystem • Distribution of public keys • The use of public-key encryption to distribute secret keys (keys for symm. cipher) • Distribution of public keys • Public announcement • Public available directory • Public-key authority • Public-key certificates

  27. 1. Public announcement • Drawback: the opponent can pretend to be another user Ex. post public keys to public forums, such as USENET newsgroup and Internet mailing list

  28. 2. Public available directory • Some trusted entity maintains a publicly available dynamic directory of public keys {A, KUa } {B, KUb } … Register the public key Register the public key Attack: an opponent invades the public-key directory, and counterfeit public keys

  29. 3. Public-key authority A can confirm the message from the authority Central authority: 1. Maintain directory of public keys 2. Each participant knows the public key for the authority N1 :認證B的身份 N2 :認證A的身份

  30. 4. Public-key certificates 憑證 Certificate: contain public key and other information, generate from the certificate authority 1. Anyone can read, verify 2. Only CA can create Application must be in person or by secure channel Time: verify currency of certificate

  31. Simple secret key distribution E KUe[ Ks ] • Public-key scheme has slow data rate • use public key to distribute secret key • use secret key scheme for data encryption session key (secret key) intercept KUe || IDA E KUa[ Ks ] Ks

  32. Secret key distribution with confidentiality and authentication • Against active and passive attacks Authenticate B Authenticate A authentication (only A can create it) Confidentiality (only B can read)

  33. A hybrid and hierarchical scheme MKA Use public-key scheme to distribute master key KDC MKB A C B MKA MKB Ks Ks Use master keys with KDC to distribute session key • Advantage: • Use master key to distribute session keys, instead of using public-key scheme => faster ! • Backward compatible to old KDC scheme (master + session key)

  34. Outline • Review of RSA • Discrete logarithms • Testing for primality • Key management in public-key cryptosystem • Diffie-Hellman Key exchange

  35. Diffie-Hellman key exchange • Purpose: enable two users to exchange a key securely that can then be used for subsequent encryption of message • Diffie-Hellman algorithm: take advantage of the hard problem –discrete logarithm Setup up a secret key K • The issue of distribution • of secret keys A B

  36. Protocol of D-H key exchange Discrete log ? Public: q, a (q is a prime; a<q, is a primitive root of q)

  37. Verify D-H algorithm • Both users get the same secret key K User A gets: Eq: the same User B gets:

  38. Other issues about D-H E [Message] K • Brute-force attack: Ex. 3a mod 353 = 40 • Try all 3x mod 353, 0<x<353, until it equal 40 • Use D-H algorithm as public-key system {User, Public Key} KDC {A, YA(=aX )} A {B, YB(=aX )} B YB A B

More Related