Math236 Discrete Maths with Applications

Transcription

1 Math236 Discrete Maths with Applications P. Ittmann UKZN, Pietermaritzburg Semester 1, 2012 Ittmann (UKZN PMB) Math / 33

2 Key size in RSA The security of the RSA system is dependent on the diculty of factoring large numbers Suppose an opponent Oscar can factor the public modulus n (i.e., determine the two primes p and q) Then he can easily nd the private key d and hence decrypt all of Alice's encrypted messages The larger n is, the more dicult this is to do Ittmann (UKZN PMB) Math / 33

3 Key size in RSA (cont.) The key size of an RSA cryptosystem is the size of the public modulus n We have only considered small values of n (e.g., a four digit number like 2773 can be factored in a fraction of a second) In the real world the key size is usually a lot larger Of course, the larger n is, the more time encryption and decryption takes Ittmann (UKZN PMB) Math / 33

4 Key size in RSA (cont.) The desire for computational security must be weighed against the need for ecient encryption and decryption The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce NIST keeps track of recent developments, like new algorithms and faster computers, that aect how easy it is to factor a number of a given size Based on their observations, they make recommendations to other federal agencies on how large the public modulus n should be to ensure security Ittmann (UKZN PMB) Math / 33

5 Key size in RSA (cont.) As of May 2006, NIST suggests a minimum key size of 1024 bits, though they recommend increasing this to 2048 bits for data that must remain secure through 2030 and to 3072 bits for data that must remain impregnable beyond 2030 Another authority on the RSA cryptosystem is the company that administered the RSA patent (now expired) RSA Laboratories currently recommends key sizes of 1024 bits for corporate use and 2048 bits for extremely valuable keys like the root key pair used by a certifying authority Ittmann (UKZN PMB) Math / 33

6 Key size in RSA (cont.) Several recent standards specify a 1024-bit minimum for corporate use Less valuable information may well be encrypted using a 768-bit key, as such a key is still beyond the reach of all known key breaking algorithms RSA Laboratories also recommends that the two primes p and q that comprise the modulus n should be of roughly the same length So for a 1024 bit modulus n, p and q should be about 512 bits each They also recommend that p and q should not be extremely close to one another Ittmann (UKZN PMB) Math / 33

7 RSA digital signatures Besides being capable of encryption and decryption of messages, RSA can also be used to create digital signatures A digital signature is analogous to a handwritten signature It is a way of signing a message so that someone reading the message will know with certainty that the message was created by the signer Ittmann (UKZN PMB) Math / 33

8 RSA digital signatures (cont.) Before we explain the mechanics, we introduce some new terminology To concatenate means to place end to end If we concatenate message A with message B, we denote the result A B For example, if A = cat and B = dog, then A B = catdog and B A = dogcat Ittmann (UKZN PMB) Math / 33

9 RSA digital signatures (cont.) Suppose that Alice wants to send Bob a message M in such a fashion that he is certain that she is the one who sent it For example, she might be sending her bank manager instructions to transfer money out of one of her accounts She uses an RSA key pair pub(alice) = (n, e) and pri(alice) = d She begins by representing the message M as an integer in the interval [0, n 1] (or breaks it into blocks if it is too long) Ittmann (UKZN PMB) Math / 33

10 RSA digital signatures (cont.) Using her private key she computes the message signature, M pri(alice) = M d mod n That is, she encrypts the message M with her private key Alice concatenates M with M pri(alice) to produce M M pri(alice) Assuming that the message M is condential, she encrypts M M pri(alice) with Bob's public key, pub(bob) She then sends (M M pri(alice)) pub(bob) to Bob Ittmann (UKZN PMB) Math / 33

11 RSA digital signatures (cont.) We now examine events from Bob's perspective Bob receives a message (M M ) pub(bob) from someone claiming to be Alice He begins by using his private key, pri(bob), to remove the outer layer of encryption, recovering M M He separates this into M and M Bob now encrypts M with Alice's public key, pub(alice) That is, he nds M pub(alice) = (M ) e mod n Ittmann (UKZN PMB) Math / 33

12 RSA digital signatures (cont.) He compares this with M, the rst half of the concatenated message he received There are two possibilities: If M pub(alice) = M, then Bob knows that M was encrypted with Alice's private key Since Alice is the only one who knows Alice's private key, this proves that the message M is from Alice If M pub(alice) M, then either the message M was not encrypted with Alice's private key, or some malicious third party altered the text M after Alice added her signature In either case, Bob knows that the message was not authorized by Alice Ittmann (UKZN PMB) Math / 33

13 RSA digital signatures (cont.) Example Suppose that Alice wishes to send the signed and encrypted message give henda money to Bob, and that pub(alice) = (2773, 17) pri(alice) = 157 and pub(bob) = (3233, 19) pri(bob) = 2299 She encodes the message as M = Ittmann (UKZN PMB) Math / 33

14 RSA digital signatures (cont.) Example She then encrypts each block B of length 4 by the rule C = B 157 mod 2773 to produce the message signature M pri(alice) = So, M M pri(alice) = Since each of the numbers in these blocks is in the range [0, 3232], blocks of length 4 will work nicely with Bob's public modulus Ittmann (UKZN PMB) Math / 33

15 RSA digital signatures (cont.) Example Alice now encrypts each block B with Bob's public key, using the rule C = B 19 mod 3233 to obtain (M M pri(alice)) pub(bob) = This is the message that she sends to Bob Suppose Bob receives the ciphertext Y = Ittmann (UKZN PMB) Math / 33

16 RSA digital signatures (cont.) Example He sets to work decrypting it, rst using his private key d = 2299 with the rule C = B 2299 mod 3233 He discovers that the underlying message is X = He now decodes as give henda money Bob must now verify the signature Ittmann (UKZN PMB) Math / 33

17 RSA digital signatures (cont.) Example If when decrypted with Alice's public key (2773, 17) and the rule C = B 17 mod 2773 equals give henda money, then he knows that the message came from Alice So he decrypts and, indeed, it yields the text give henda money He is thus assured that the message give henda money was authorized by Alice Ittmann (UKZN PMB) Math / 33

18 Digital signatures There are a number of dierent ways to produce digital signatures We have described one of them A digital signature scheme should have the following properties The signature can be appended to any message the signatory wants to identify as hers To prevent someone from appending a signature to a message the signatory did not authorize, or altering the message, the signature must be message dependent Ittmann (UKZN PMB) Math / 33

19 Digital signatures (cont.) That is, if the message is altered after being signed, the signature should not correspond to the altered message It should be computationally infeasible to forge the signature Signatures should be easy to check by anybody wishing to do so, e.g., with the RSA digital signature scheme, anyone wishing to verify Alice's signature M on a message M can quickly look up pub(alice) and then calculate M pub(alice) Ittmann (UKZN PMB) Math / 33

20 The mathematics of RSA To complete our study of RSA, we shall prove that it works That is: If we follow the instructions for generating a key and encrypting a message with that key Then, when we attempt to decrypt the ciphertext, we will recover the original message Ittmann (UKZN PMB) Math / 33

21 The mathematics of RSA (cont.) Theorem Let p and q be distinct prime numbers and let a and b be non-negative integers. If a b (mod p) and a b (mod q), then a b (mod pq) Proof. Recall that if gcd(x, y) = 1 and x z and y z, then xy z (from Tut 2) Now, a b is divisible by both p and q Since, p and q are distinct primes, gcd(p, q) = 1 Thus, a b must be divisible by pq Hence a b (mod pq) Ittmann (UKZN PMB) Math / 33

22 The mathematics of RSA (cont.) We now prove that RSA works Our proof is more or less the same as the one given in the original RSA paper Ittmann (UKZN PMB) Math / 33

23 The mathematics of RSA (cont.) Theorem Let (n, e) be a public key for the RSA cryptosystem and (n, d) the corresponding private key, and let E(M) = M e mod n and D(C) = C d mod n be the encryption and decryption rules, respectively. Then D(E(M)) M (mod n) Ittmann (UKZN PMB) Math / 33

24 The mathematics of RSA (cont.) Proof. Since ed 1 (mod φ(n)), there is some integer k such that ed = 1 + kφ(n) Hence, D(E(M)) (M e ) d (mod n) M ed (mod n) M kφ(n)+1 (mod n) Ittmann (UKZN PMB) Math / 33

25 The mathematics of RSA (cont.) Proof. Let p and q be the prime numbers that comprise the public modulus That is, n = pq From Fermat's Little Theorem, if p does not divide M, then M p 1 1 (mod p) Ittmann (UKZN PMB) Math / 33

26 The mathematics of RSA (cont.) Proof. Raising both sides to the power k(q 1), we have M k(p 1)(q 1) 1 k(q 1) (mod p) 1 (mod p) So that M kφ(n) M 1 M (mod p) Ittmann (UKZN PMB) Math / 33

27 The mathematics of RSA (cont.) Proof. Finally, M kφ(n)+1 M (mod p). (1) Notice that if p M, then (1) is trivially true Hence (1) is true for all M Similarly, M kφ(n)+1 M (mod q) (2) holds for all M Ittmann (UKZN PMB) Math / 33

28 The mathematics of RSA (cont.) Proof. We combine (1) and (2) using the previous theorem we get that M kφ(n)+1 M (mod n) Therefore, D(E(M)) M kφ(n)+1 (mod n) M (mod n) as required Ittmann (UKZN PMB) Math / 33

29 The Discrete Logarithm Problem The security of the RSA cryptosystem is based on the diculty of factoring large integers There are many other mathematical problems that are believed to be inherently dicult, and some of these have been used to construct other kinds of public-key cryptosystems One example is the Discrete Logarithm Problem Given a, b Z n, nd a number x Z n (if one exists) such that a x b (mod n) Ittmann (UKZN PMB) Math / 33

30 The Discrete Logarithm Problem (cont.) Consider an equivalent problem in the reals We are given c, d R, and we wish to nd x R such that c x = d The solution (if there is one) is simply x = log c d However, when we restrict ourselves to Z n for a large value of n, the problem becomes very dicult Partially, this is because of the apparently random behaviour of the function a x when reduced modulo n Ittmann (UKZN PMB) Math / 33

31 Notice the lack of any perceivable pattern in the values of f (x) Ittmann (UKZN PMB) Math / 33 The Discrete Logarithm Problem (cont.) Example Consider the function in Z 2773 f (x) = 17 x We tabulate f (x) for a few consecutive values of x x f (x)

32 The Discrete Logarithm Problem (cont.) We have already noted that the security of the D-H key exchange system rests on the diculty of the Discrete Logarithm Problem Suppose that an opponent has discovered a method by which he can eciently compute discrete logarithms That is, given a, b Z n, the opponent can quickly nd x such that a x b (mod n) Ittmann (UKZN PMB) Math / 33

33 The Discrete Logarithm Problem (cont.) By listening in to the conversation between Alice and Bob in the D-H key exchange example, he discovers that Y = 13, P = 29, 13 A 23 (mod 29), and 13 B 22 (mod 29) Using his ecient algorithm for discrete logarithms, he quickly determines that A = 12 and B = 17 He then computes Y AB 16 He has found Alice and Bob's shared secret key and can now decrypt any messages they exchange Ittmann (UKZN PMB) Math / 33