Applied Cryptography and Network Security

Similar documents
Public Key Algorithms

! Addition! Multiplication! Bigger Example - RSA cryptography

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

Overview. Public Key Algorithms I

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

CS669 Network Security

Applied Cryptography and Computer Security CSE 664 Spring 2018

Chapter 3 Public Key Cryptography

CPSC 467b: Cryptography and Computer Security

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

ASYMMETRIC CRYPTOGRAPHY

UCT Algorithm Circle: Number Theory

CS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.

Lecture Notes, CSE 232, Fall 2014 Semester

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Lecture 3 Algorithms with numbers (cont.)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Algorithms (III) Yijia Chen Shanghai Jiaotong University

CS/COE 1501 cs.pitt.edu/~bill/1501/ More Math

Algorithms (III) Yu Yu. Shanghai Jiaotong University

COP 4516: Math for Programming Contest Notes

Lecture 6: Overview of Public-Key Cryptography and RSA

RSA System setup and test

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Davenport University ITS Lunch and Learn February 2, 2012 Sneden Center Meeting Hall Presented by: Scott Radtke

- 0 - CryptoLib: Cryptography in Software John B. Lacy 1 Donald P. Mitchell 2 William M. Schell 3 AT&T Bell Laboratories ABSTRACT

RSA. Public Key CryptoSystem

Lecture 2 Applied Cryptography (Part 2)

Admin ENCRYPTION. Admin. Encryption 10/29/15. Assignment 6. 4 more assignments: Midterm next Thursday. What is it and why do we need it?

Activity Guide - Public Key Cryptography

What did we talk about last time? Public key cryptography A little number theory

CS 161 Computer Security

Public Key Cryptography and the RSA Cryptosystem

4 PKI Public Key Infrastructure

RSA (algorithm) History

Public Key Algorithms

31.6 Powers of an element

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS

Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck

1 Extended Euclidean Algorithm

Study Guide to Mideterm Exam

1 Elementary number theory

RSA Public Key Encryption 1. Ivor Page 2

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Assignment 9 / Cryptography

Public Key Cryptography and RSA

Channel Coding and Cryptography Part II: Introduction to Cryptography

3/22/17. Admin. Assignment 6 ENCRYPTION. David Kauchak CS52 Spring Survey: How is the class going? Survey: respondents. 24 total respondents

Cryptography and Network Security

Cryptography: More Primitives

Chapter 9 Public Key Cryptography. WANG YANG

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Chapter 9. Public Key Cryptography, RSA And Key Management

CPSC 467: Cryptography and Computer Security

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Euclid's Algorithm. MA/CSSE 473 Day 06. Student Questions Odd Pie Fight Euclid's algorithm (if there is time) extended Euclid's algorithm

CPSC 467: Cryptography and Computer Security

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Primitive Elements. Samuel Slocum, Evan Wall April 27, a p 1 1(modp)

COMPSCI 230 Discrete Math Prime Numbers January 24, / 15

Algorithmic number theory Cryptographic hardness assumptions. Table of contents

Public Key Cryptography

Public-key encipherment concept

Public Key Encryption

Cryptography and Network Security. Sixth Edition by William Stallings

Primality Testing! 1

1 Extended Euclidean Algorithm

Parallel Quadratic Number Field Sieve

RSA: PUBLIC KEY ALGORITHMS

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Math From Scratch Lesson 22: The RSA Encryption Algorithm

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Provable Partial Key Escrow

What we still don t know about addition and multiplication

VHDL for RSA Public Key System

Congruence Arithmetic

Number Theory and RSA Public-Key Encryption

Introduction to Cryptography Lecture 7

Modular Arithmetic. Marizza Bailey. December 14, 2015

Goals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010

Side-Channel Attack against RSA Key Generation Algorithms

Public Key Cryptography

Discrete Math in CS Problem Set 3 CS 280 Fall 2005 Due September 23, 2005

Senior Math Circles Cryptography and Number Theory Week 1

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

ECE 646 Fall 2009 Final Exam December 15, Multiple-choice test

Midterm Exam. CS381-Cryptography. October 30, 2014

A Tour of Classical and Modern Cryptography

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

Public Key Cryptography 2. c Eli Biham - December 19, Public Key Cryptography 2

Chapter 4. Number Theory. 4.1 Factors and multiples

An effective Method for Attack RSA Strategy

CPSC 467b: Cryptography and Computer Security

Public-Key Cryptanalysis

Applications of The Montgomery Exponent

What we still don t know about addition and multiplication

Lab 1: Cipher Fundamentals

Transcription:

Applied Cryptography and Network Security William Garrison bill@cs.pitt.edu 6311 Sennott Square Lecture #8: RSA

Didn t we learn about RSA last time? During the last lecture, we saw what RSA does and learned a little bit about how we can use those features Our goal today will be to explore Why RSA actually works Why RSA is efficient* to use Why it is reasonably safe to use RSA In short, it's a details day Note: Efficiency is a relative term J

RSA Overview / Roadmap How do we choose large, pseudo-random primes?! Key generation: Choose two large prime numbers! and ", compute # =!" Compute %(#) = (! 1)(" 1) Choose an integer * such that gcd *, % # = 1 Calculate d such that */ 1 (mod %(#)) Public key: #, * Private key:!, ", / This seems tricky, too Why is %(#) = (! 1)(" 1) How can we do this? Usage: Encryption: 3 * (mod #) Isn t this expensive? Decryption: 4 / mod # = 3 56 (mod #) = 3 78 9 :; (mod #) = 3 1 (mod #) = 3 Why does this work?

Before we can do anything, we need a few large, pseudo-random primes If our numbers are small, primality testing is pretty easy Try to divide n by all numbers less than! The Sieve of Eratosthenes is a general extension of this principle RSA requires big primes, so brute force testing is not an option (Why?) To choose the types of numbers that RSA needs, we instead use a probabilistic primality testing method test : Z Z {T, F} test(n, a) = F means that n is composite based on the witness a test(n, a) = T means that n is probably prime based on the witness a To test a number n for primality: 1. Randomly choose a witness a Often with probability 1/2 2. if test(n, a) = F, n is composite 3. if test(n, a) = T, loop until we're reasonably certain that n is prime k repetitions means P[n composite] = 2 -k

Fermat s little theorem can help us! Fermat's little theorem: Given a prime number! and a natural number " such that 1 " <!, then a '() 1 mod! How does this help with primality testing? If a '() 1 mod!, then! is definitely composite If a '() 1 mod!, then! is probably prime Note: Some composite numbers will always pass this test (Yikes!) These are called Carmichael numbers Carmichael numbers are rare, but may still be found Other primality tests (e.g., Miller-Rabin) avoid detecting these numbers This helps us test whether some number is prime. But how exactly does this help us generate RSA keys?

Putting it all together foundprime = false while (!foundprime) return r let r = some large, odd, random number foundprime = true for (iters = 0; iters < k; iters++) let a = random number less than r if (a r-1 1 mod r) foundprime = false break The prime number theorem tells us that, on average, the number of primes less than n is approximately n/ln(n) That is, P[n prime] 1/ln(n) Searching for a prime is hard, but not ridiculously so

RSA Overview / Roadmap How do we choose large, pseudo-random primes?! Key generation: Choose two large prime numbers! and ", compute # =!" Compute %(#) = (! 1)(" 1) Choose an integer * such that gcd *, % # = 1 Calculate d such that */ 1 (mod %(#)) Public key: #, * Private key:!, ", / Usage: Encryption: 3 * (mod #) This seems tricky, too Isn t this expensive? Why is %(#) = (! 1)(" 1) How can we do this? Decryption: 4 / mod # = 3 56 (mod #) = 3 78 9 :; (mod #) = 3 1 (mod #) = 3 Why does this work?

!(#) is called Euler's totient function Definition: The totient function,!(#), counts the number of elements less than n that are relatively prime to n For an RSA modulus # = &', calculating!(#) is actually pretty simple Consider each of the &' numbers # All multiples of & share a common factor with # There are ' such numbers {&, 2&, 3&,, '&} Similarly, all multiples of ' share a common factor with # There are & such numbers {', 2', 3',, &'} So, we have that! # = &' & ' + 1 As a result,! # = &' & ' + 1 = (& 1)(' 1) The +1 controls for subtracting pq twice Note: Calculating!(#) is easy because we know how to factor #!

RSA Overview / Roadmap Key generation: Choose two large prime numbers! and ", compute # =!" Compute %(#) = (! 1)(" 1) Choose an integer * such that gcd *, % # = 1 Calculate d such that */ 1 (mod %(#)) Public key: #, * Private key:!, ", / Usage: Encryption: 3 * (mod #) This seems tricky, too Isn t this expensive? Why is %(#) = (! 1)(" 1) How can we do this? Decryption: 4 / mod # = 3 56 (mod #) = 3 78 9 :; (mod #) = 3 1 (mod #) = 3 Why does this work?

Review of greatest common divisors Definition: Let! and " be integers, not both zero. The largest integer # such that d! and # " is called the greatest common divisor of! and ", and is denoted by gcd(!, ") Note: We can (naively) find GCDs by comparing the common divisors of two numbers. Example: What is the GCD of 24 and 36? Factors of 24: 1, 2, 3, 4, 6, 12 Factors of 36: 1, 2, 3, 4, 6, 9, 12, 18 gcd(24, 36) = 12 Wait. Aren't we dealing with numbers that are hard to factor?

Luckily, computing GCDs is not all that hard Intuition: Rather than computing the GCD of two big numbers, we can instead compute the GCD of smaller numbers that have the same GCD! Interesting observation: gcd(%, ') is the same as gcd % ', ' Wait, what? Divides First, we must show that * % * ' * (% ') If * % and * ', then % = /* and ' = 0* Then % ' = /* 0* = / 0 * So, * % * ' * (% ') Ok, so * is a divisor of (% '), but is it the greatest divisor? The divisors of (% ') are a subset of of the divisors of % and the divisors of ' Since * = gcd(%, '), it is the greatest of the remaining divisors

Euclid s algorithm optimizes this process! Euclid's algorithm finds gcd(%, ') as follows: Set ) *+ = %, ) *- = ',. = 0 While ) 0*+ 0 divide ) 0*- by ) 0*+ to find 2 0 and ) 0 such that ) 0*- = 2 0 ) 0*+ + ) 0. =. + 1 gcd %, ' = ) 0*- Example: Computing gcd(414, 662) 5 6 5 7 5-2 - 662-1 - 414 0 1 248 1 1 166 2 1 82 3 2 2 4 41 0

That's all fine and good, but how does this help us compute! 1 mod '())? Method 1: Use Euclid s algorithm Choose a random! Use Euclid s algorithm to determine whether gcd!,. ) = 1 Repeat as needed Method 2: We can just choose a large prime number, 0 > max(4, 5) Why does method 2 work? 0 is a prime number, so it has no divisors other than itself and 1 0 is larger than 4 and 5, so 0 4 and 0 5

RSA Overview / Roadmap Key generation: Choose two large prime numbers! and ", compute # =!" Compute %(#) = (! 1)(" 1) Choose an integer * such that gcd *, % # = 1 Calculate d such that */ 1 (mod %(#)) Public key: #, * Private key:!, ", / Usage: Encryption: 3 * (mod #) This seems tricky, too How can we do this? Isn t this expensive? Decryption: 4 / mod # = 3 56 (mod #) = 3 78 9 :; (mod #) = 3 1 (mod #) = 3 Why does this work?

It turns out that Euclid s algorithm can help us compute! # $%, too If we maintain a little extra state, we can figure out numbers & ' and ( ' such that ) ' = & ' + + ( ' - when calculating gcd(+, -) If + and - are relatively prime, this will allow us to calculate + $% 1 = & ' + + ( ' - // If + and - are relatively prime, ) 5 = 1 & ' + = 1 ( ' - // Subtract ( 5 - from both sides & ' + 1 mod - // Definition of congruence So & ' = + $% // Definition of inverse The extended Euclid's algorithm works as follows: Set ) $% = -, ) $9 = +, 5 = 0, & $9 = 1, ( $9 = 0, & $% = 0, ( $% = 1 While ) '$% 0 divide ) '$9 by ) '$% to find < ' and ) ' such that ) '$9 = < ' ) '$% + ) ' & ' = & '$9 < ' & '$% ( ' = ( '$9 < ' ( '$% 5 = 5 + 1 gcd +, - = ) '$9 = & '$9 + + ( '$9 - This makes ) ' = & ' + + ( ' - for 5 = 1 and 5 = 2

How about an example? Example: Find the inverse of 797 mod 1047 " # " $ " % " & " -2 797 1 0-1 1047 0 1 0 0 797 1 0 1 1 250-1 1 2 3 47 4-3 3 5 15-21 16 4 3 2 67-51 5 7 1-490 373 So, 1 = -490*797 + 373*1047-490*797 = 1 + (-373)1047-490*797 1 mod 1047 In other words, -490 is the inverse of 797 mod 1047

RSA Overview / Roadmap Key generation: Choose two large prime numbers! and ", compute # =!" Compute %(#) = (! 1)(" 1) Choose an integer * such that gcd *, % # = 1 Calculate d such that */ 1 (mod %(#)) Public key: #, * Private key:!, ", / Usage: Encryption: 3 * (mod #) This seems tricky, too Isn t this expensive? Decryption: 4 / mod # = 3 56 (mod #) = 3 78 9 :; (mod #) = 3 1 (mod #) = 3 Why does this work?

Isn't exponentiation really expensive? Exponentiation can be sped up using a trick called successive squaring int pow(int m, int e) if(e is even) return pow(m*m, e/2) else return m * pow(m, e 1) For example, consider computing 2 15 Naive method: 2 * 2 * 2 * * 2 = 32,768 Fast method: 2 15 = 2 * 4 7 = 2 * 4 * 16 3 = 2 * 4 * 16 * 16 2 = 2 * 4 * 16 * 256 = 32,768 = 2 * 4 * 4 6 O(e) multiplications O(log(e)) multiplications This only gets us partway there. Various other algorithmic tricks enable modulo exponentiation to be efficient!

RSA Overview / Roadmap Key generation: Usage: Choose two large prime numbers! and ", compute # =!" Compute %(#) = (! 1)(" 1) Choose an integer * such that gcd *, % # = 1 Calculate d such that */ 1 (mod %(#)) Public key: #, * Private key:!, ", / Encryption: 3 * (mod #) Isn t this expensive? Decryption: 4 / mod # = 3 56 (mod #) = 3 78 9 :; (mod #) = 3 1 (mod #) = 3 Why does this work?

Why does decryption work? Note: Decryption will work if and only if! " mod & = (! " mod & = ( )" mod & //! = ( ) mod & = ( *+, -. mod &// /0 1 mod 3(&), so /0 = 63 & + 1 = (. mod & //?!? = ( mod & // (. = ( The only hitch in showing the correctness of the decryption process is proving that ( *+, -. mod & = (. mod & Fortunately, two smart guys can help us out with this Pierre de Fermat 160? - 1665 Leonhard Euler 1707-1783

First, we need to learn about the set! " Definition:! " is the set of all integers relatively prime to n Example:! $% 1 3 7 9 1 1 3 7 9 3 3 9 1 7 7 7 1 9 3 9 9 7 3 1 Interesting note: ', )! " : ')! " ' relatively prime to, means that. $, / $ :. $ ' + / $, = 1 ) relatively prime to n means that. 3, / 3 :. 3 ) + / 3, = 1 Multiplying gives us. $. 3 ') +. $ / 3 ' + / $. 3 ) + / $ / 3,, = 1 The above states that! " is closed under multiplication

This leads us to something called Euler's theorem Theorem: " $ % : " ( % 1 mod. Proof: Multiply all /. elements of $ % together, calling the product 0 Note that 0 $ %, and has an inverse 0 12 Now, multiply each element of $ % by " and multiply each of the resulting elements together. This will give us " ( % 0 Multiplying each element of $ % actually just rearranges these elements. As a result, we have that " ( % 0 = 0 If we divide both sides of the equation by 0, we get that " ( % = 1 Ok, so what does Euler s theorem have to do with RSA?

We can restate Euler's theorem so that it more clearly connects to RSA math Theorem: " $ %, ( $ ) : " +, % )- " mod 2 Proof: " +, % )- = " +, % " = ", % + " = 1 + " = " From Euler s theorem! Now, in RSA All of our math is done mod 2 Our message space is chosen from elements of $ % 56 1 mod 7 2, so 56 = (7 2 + 1 for some ( : ;< mod 2 = : +, % )- mod 2 = : - mod 2 = : Decryption works!

RSA Overview / Roadmap Key generation: Usage: Choose two large prime numbers! and ", compute # =!" Compute %(#) = (! 1)(" 1) Choose an integer * such that gcd *, % # = 1 Calculate d such that */ 1 (mod %(#)) Public key: #, * Private key:!, ", / Encryption: 3 * (mod #) Decryption: 4 / mod # = 3 56 (mod #) = 3 78 9 :; (mod #) = 3 1 (mod #) = 3 But why is RSA safe Why does to this use? work?

Now, why exactly is RSA safe to use? In the original RSA paper*, the authors identify four avenues for attacking the mathematics behind RSA 1.Factoring! to find " and # 2.Determining $! without factoring! 3.Determining % without factoring! or learning $! 4.Learning to take & '( roots modulo! As it turns out, all of these attacks are thought to be hard to do But you shouldn't take my word for it Let s see why! *R.L. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM 21(2): 120-126, Feb. 1978.

It turns out that factoring is a hard* problem First of all, why is factoring an issue?! is the public modulus of the RSA algorithm If we can factor! to find " and #, we can compute $(!) Given $(!) and ', we can easily compute the decryption exponent ( Fortunately, mathematicians believe that factoring numbers is a very difficult problem. History backs up this belief. The fastest general-purpose algorithm for integer factorization is called the general number field sieve. This algorithm has running time: O(e (c+o(1))(log n) 1 3 (log log n) 2 3 ) Note: This running time is sub-exponential i.e., Factoring can be done faster than brute force This explains why RSA keys are larger than AES keys RSA: Typically 1024-2048 bits AES: Typically 128 bits

What about computing!(#) without factoring? Question: Why would the ability to compute! # be a bad thing? It would allow us to easily compute %, since &% 1 mod!(#) Good news: If we can compute! #, it will allow us to factor n Note 1:! # = #. / + 1 = #. + / + 1 Rewriting gives us. + / = #! # + 1 Note 2:. / =. + / 1 4# Note 3:. + /. / = 2/ Finally, given / and #, we can easily compute.. + 2 1 4# =. 1 + 2./ + / 1 4# =. 1 + 2./ + / 1 4./ =. 1 2./ + / 1 =. / 1 What does this mean? If factoring is actually hard, then so is computing! # without factoring (Recall the concept of reduction)

What about computing! without factoring " or knowing # "? As it turns out, if we can figure out! without knowing #(") and without factoring ",! can be used to help us factor " Given!, we can compute &! 1, since we know & Note: &! 1 is a multiple of #(") &! 1 mod #(") &! = 1 + /#(") &! 1 = /#(") It has been shown that " can be efficiently factored using any multiple of #("). As such, if we know & and!, we can efficiently factor ".

Are there any other attacks that we need to worry about? Recall:! = # $ mod ( ) is part of the public key, so the adversary knows this If we could compute ) *+ roots mod (, we could decrypt without, It is not known whether breaking RSA yields an efficient factoring algorithm, but the inventors conjecture that this is the case This conjecture was made in 1978 To date, it has either been proved or disproved Conclusion: Odds are that breaking RSA efficiently implies that factoring can be done efficiently. Since factoring is hard, RSA is probably safe to use.

RSA Wrap Up Hopefully you now have a better understanding of RSA How each step of the process works How these steps can be made reasonably efficient Why RSA is safe to use Unfortunately, this is not the end of the story Although theoretically secure, implementations can be broken We ll revisit this in a later lecture Next time: Secret sharing and threshold cryptography

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback