Public Key Cryptography and RSA

Major topics
- Principles of public key cryptosystems
- The RSA algorithm
- The Security of RSA

Motivations
- A public key system is asymmetric; there does not have to be an exchange of private keys before communicating
- A public key system does not make a symmetric system obsolete; in fact it can be used to exchange private keys
- Key distribution remains an important issue
- Number theory forms the mathematical foundation of public key cryptography

Primary Needs
- Generate two keys
  - A public key that can be accessed by anyone
  - A private key that is kept secret
- Two primary needs
  - Be able to send messages securely to a recipient with no knowledge of a shared secret key
  - Be able to verify a message actually came from a particular person; this is called authentication
- Uses of a public key system
  - Encryption/decryption of messages
  - Digital signatures
  - Key exchange for using symmetric encryption
Encryption/Decryption
Authentication
Requirements for a Public Key System
1. Party B can easily generate a pair of keys: public key $KU_b$ and private key $KR_b$
2. Sender A can access public key $KU_b$ and can encrypt message $M$: $C = E_{KU_b}(M)$
3. Receiver B can easily decrypt the message: $M = D_{KR_b}(C) = D_{KR_b}(E_{KU_b}(M))$
4. It is computationally infeasible for someone intercepting message $C$ and knowing public key $KU_b$ to determine private key $KR_b$
5. It is computationally infeasible for someone intercepting message $C$ and knowing public key $KU_b$ to recover message $M$
6. The encryption and decryption functions can be applied in any order: $M = D_{KR_b}(E_{KU_b}(M)) = E_{KU_b}(D_{KR_b}(M))$. This makes digital signatures possible
Public Key Secrecy
Public Key Authentication
Public Key Algorithms
- Approaches to public key cryptography
  - We first cover RSA, perhaps the best known and most widely used approach
  - In chapter 10 we cover elliptic curve methods, which are growing in popularity
  - In the same chapter we cover Diffie-Hellman for the exchange of secret keys
  - DSS (Digital Signature Standard) is covered in chapter 13
Conventional and Public Key Encryption
The RSA Algorithm
A Sample Calculation
1. Select two primes, $p = 17$ and $q = 11$
2. Calculate $n = pq = 17 \times 11 = 187$
3. Calculate $\phi(n) = (p - 1)(q - 1) = 160$
4. Select $e < \phi(n)$ relatively prime to $\phi(n)$; we use $e = 7$
5. Determine $d$ so that $de \equiv 1 \bmod \phi(n)$; in other words, $d$ and $e$ are multiplicative inverses

Group Work
- Consider the prime numbers p = 11, q = 29. What is n? What is φ(n)?
- Suppose we select e = 3, what is d?
- Suppose we want to encrypt the message M = 100 using the public key (3, 319), what is the resultant value for the cipher text C?
- What is the formula to decrypt C using the private key (187, 319)?
- It is clear we need to find an easy way to solve this modular exponentiation problem

Group Work
- Suppose ciphertext C = 10 is sent to a user with public key e = 5 and n = 35.
- How could you decode this ciphertext?
- What is the decoding?
Fast Modular Exponentiation
- The algorithm for computing $a^b \bmod n$
- $b_i$ is the $i$th bit of $b$ when $b$ is written in binary
- These bits are processed from the most significant bit to the least significant bit
A Sample Calculation
- We want to solve $7^{560} \bmod 561$
- $a = 7$, $b = 560$, $n = 561$
- In binary $b$ is 1000110000
- So the result is $7^{560} \bmod 561 = 1$
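An added example, not the slide's own listing: the left-to-right square-and-multiply method the bullets describe, returning one row of (i, b_i, c, d) per exponent bit. The function name `mod_exp_trace` is hypothetical; the columns c and d and the bit numbering from the top bit down to 1 follow the group-work table.

```python
def mod_exp_trace(a, b, n):
    """Compute a**b mod n, scanning the bits of b from most to least significant.

    Returns (result, rows) where each row is (i, b_i, c, d):
      c is the part of the exponent consumed so far,
      d is a**c mod n (the loop invariant).
    """
    bits = bin(b)[2:]              # binary expansion, most significant bit first
    c, d = 0, 1
    rows = []
    for pos, ch in enumerate(bits):
        i = len(bits) - pos        # bit index, counted down to 1
        bit = int(ch)
        c = 2 * c                  # shifting the exponent left ...
        d = (d * d) % n            # ... corresponds to squaring d
        if bit:
            c += 1                 # setting the low bit ...
            d = (d * a) % n        # ... corresponds to one extra multiply by a
        rows.append((i, bit, c, d))
    return d, rows


if __name__ == "__main__":
    # Values from the sample calculation: a = 7, b = 560, n = 561.
    result, rows = mod_exp_trace(7, 560, 561)
    print(" i  b_i    c    d")
    for i, bit, c, d in rows:
        print(f"{i:2d}  {bit:3d}  {c:3d}  {d:3d}")
    print("result:", result)
```

The extra multiply happens only for 1 bits, so the amount of work depends on the exponent; that data-dependent step is what the timing-attack discussion later in the deck is about.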
Group Work
- We now can decode the message from our prior example (hint: the result should be 100)
- Find $a^b \pmod n$ when a = 254, b = 187, and n = 319 by completing the following table

i     8    7    6    5    4    3    2    1
b_i   1    0    1    1    1    0    1    1
c     1
d     254

- Did you get 100?
How Secure is RSA?
- Algorithms Used to Break RSA
  - Pollard's Rho, a probabilistic approach
  - Sieve techniques
  - Successful efforts
- Choice of values
- Timing Attacks and Fixes
  - Constant exponential time
  - Random delay
  - Blinding

How Easy is it to Factor p*q?
- The problems
  - It is easy to find two large primes p and q, so in the public key algorithm we set n = p*q
  - The encryption can be broken if n can be factored
- Some techniques for finding factors
  - Pollard Rho and Pollard p-1
  - General number field sieve
  - Special number field sieve
- We will only look at Pollard Rho in detail
- We will use the Chinese Remainder Theorem
Pollard's rho heuristic
- Neither the running time nor success is guaranteed
- Any divisor it finds will be correct, but it may never report any results
- In practice, it is one of the most effective means of factorization currently known
- It will print the factor $p$ after approximately $\sqrt{p}$ iterations; thus it finds small factors quickly

Pollard's rho heuristic
- The while loop searches indefinitely for factors, generating a new $x_i$ each time
- Lines 1-4 are for initialization
- The $x_i$ values saved in $y$ are those for $i = 1, 2, 4, 8, 16, \ldots$
- $d$ is the gcd of $y - x_i$ and $n$; if it is nontrivial then it is printed as a factor of $n$
- If $n$ is composite, we expect to find enough divisors to factor $n$ after approximately $n^{1/4}$ updates
The rho diagrams - 1
The rho diagrams - 2
- (a) is generated by the $x_i$ starting at 2 for n = 1387
- The factor 19 (since 1387 = 19 * 73) is discovered when the $x_i$ is 177; this is before the value 1186 is repeated
- (b) shows the recurrence for mod 19; every $x_i$ in part (a) is equivalent to the $x_i$ mod 19
- (c) shows the recurrence for mod 73; again every $x_i$ in part (a) is equivalent to the $x_i$ mod 73
- By the Chinese remainder theorem, each node in (a) corresponds to a pair of nodes in (b) and (c)

Group Work
- Keep tracing the rho diagrams and find out when the factor 73 is discovered
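An added example, not the slide's own listing: the rho heuristic as the bullets describe it, run on the diagram's n = 1387 with the sequence started at 2. The recurrence x_i = (x_{i-1}^2 - 1) mod n is an assumption (the usual textbook choice; the slides do not state it), and the function name and the `max_iter` bound are hypothetical, replacing the endless while loop so the trace terminates.

```python
from math import gcd


def pollard_rho_trace(n, x1=2, max_iter=100):
    """Run the rho heuristic for max_iter steps.

    Returns a list of (i, x_i, d) for every step where
    d = gcd(y - x_i, n) is a nontrivial divisor of n.
    """
    i, x = 1, x1
    y, k = x, 2                    # y holds the saved x_i; k is the next save point
    found = []
    while i < max_iter:
        i += 1
        x = (x * x - 1) % n        # assumed recurrence: x_i = x_{i-1}^2 - 1 mod n
        d = gcd(y - x, n)          # math.gcd ignores the sign of y - x
        if d != 1 and d != n:      # 1 and n itself are the trivial cases
            found.append((i, x, d))
        if i == k:                 # save x_i when i = 2, 4, 8, 16, ...
            y, k = x, 2 * k
    return found


if __name__ == "__main__":
    # n = 1387 and the starting value 2 come from rho diagram (a).
    for i, x, d in pollard_rho_trace(1387, x1=2, max_iter=8):
        print(f"i = {i}: x_i = {x}, gcd = {d}")
```

Raising `max_iter` continues the trace past the first hit; for a prime n the list stays empty, since the gcd can only be 1 or n.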
The Sieve Approaches
- Sieve techniques have become increasingly effective
- The generalized number field sieve (GNFS) has replaced quadratic sieve as being most effective
- An even faster approach, specialized number field sieve (SNFS), works for some numbers (see next slide)
- Computers will keep getting faster and factoring techniques improved, but keys of size 1024 through 2048 seem to be adequate for the future
Performance Comparison
Choice of p and q
- Ways to avoid values for $n$ that can be more easily factored
  - The length of $p$ and $q$ should differ by only a few digits
  - Both $(p - 1)$ and $(q - 1)$ should contain a large prime factor
  - $\gcd(p - 1, q - 1)$ should be small
- If $e < n$ and $d < n^{1/4}$ then it is easy to determine $d$

What is a Timing Attack?
- The timing of the modular exponentiation algorithm is critical
- If the bit $b_i$ is set, then the assignment $d \leftarrow (d \times a) \bmod n$ is performed; for some known values of $a$ and $d$ this can be very slow, thus revealing a 1 bit
- Countermeasures attempt to hide these extreme time differences
- Some countermeasures
  - Ensure all exponentiations take the same time (but this does degrade performance)
  - Add a random delay time; this noise must be large enough to confuse the attacking algorithm

Use of Blinding
- Multiply by a random number before performing exponentiation; this prevents bit-by-bit analysis
- Here is RSA's approach using blinding
  1. Generate a random $r$ between 0 and $n - 1$
  2. Compute $C' = C(r^e) \bmod n$
  3. Compute $M' = (C')^d \bmod n$
  4. Compute $M = M' r^{-1}$, where $r^{-1}$ is the multiplicative inverse of $r \bmod n$
- This only introduces a 2% to 10% penalty
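An added example, not code from the slides: the four blinding steps above applied to the toy key from the sample calculation (p = 17, q = 11, e = 7), with d derived as the inverse of e mod φ(n). The function names are hypothetical, and rejecting r values that are 0, 1 or not coprime to n is an added assumption so that r^{-1} exists and the ciphertext is actually masked.

```python
import secrets
from math import gcd


def make_key(p, q, e):
    """Return (n, e, d) with d * e = 1 mod phi(n), as in the sample calculation."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return n, e, pow(e, -1, phi)          # modular inverse (Python 3.8+)


def decrypt_blinded(c, d, e, n):
    """RSA private-key operation on c with a fresh random blinding factor."""
    # Step 1: random r in [0, n - 1]; retry until r is usable (assumption above).
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            break
    c_blind = (c * pow(r, e, n)) % n      # Step 2: C' = C * r^e mod n
    m_blind = pow(c_blind, d, n)          # Step 3: M' = (C')^d mod n = M * r mod n
    return (m_blind * pow(r, -1, n)) % n  # Step 4: M = M' * r^-1 mod n


if __name__ == "__main__":
    n, e, d = make_key(17, 11, 7)         # toy primes from the slide, not a real key size
    m = 88                                # constructed sample message
    c = pow(m, e, n)
    print("n, e, d =", n, e, d)
    print("ciphertext:", c)
    print("blinded decryption:", decrypt_blinded(c, d, e, n))
```

The exponentiation in step 3 runs on C', which changes with every call, so its timing no longer correlates with a ciphertext the observer knows.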