
The RSA Algorithmppt.ppt

Date post: 19-Feb-2018
Upload: rohan

Transcript
  • 7/23/2019 The RSA Algorithmppt.ppt

    1/64

    The RSA Algorithm

    JooSeok Song

    2007. 11. 13. Tue

  • 7/23/2019 The RSA Algorithmppt.ppt

    2/64

    CCLAB

    Private-Key Cryptography

    traditional private/secret/single key cryptography uses one key

    shared by both sender and receiver

    if this key is disclosed communications are compromised

    also is symmetric, parties are equal

    hence does not protect sender from receiver forging a message & claiming is sent by sender

  • 7/23/2019 The RSA Algorithmppt.ppt

    3/64

    Public-Key Cryptography

    probably most significant advance in the 3000 year history of cryptography

    uses two keys: a public & a private key

    asymmetric since parties are not equal

    uses clever application of number theoretic concepts to function

    complements rather than replaces private key crypto

  • 7/23/2019 The RSA Algorithmppt.ppt

    4/64

    Public-Key Cryptography

    public-key/two-key/asymmetric cryptography involves the use of two keys:

    a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures

    a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

    is asymmetric because

    those who encrypt messages or verify signatures cannot decrypt messages or create signatures

  • 7/23/2019 The RSA Algorithmppt.ppt

    5/64

    Public-Key Cryptography

  • 7/23/2019 The RSA Algorithmppt.ppt

    6/64

    Why Public-Key Cryptography?

    developed to address two key issues:

    key distribution: how to have secure communications in general without having to trust a KDC with your key

    digital signatures: how to verify a message comes intact from the claimed sender

    public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976

    known earlier in classified community

  • 7/23/2019 The RSA Algorithmppt.ppt

    7/64

    Public-Key Characteristics

    Public-Key algorithms rely on two keys with the characteristics that it is:

    computationally infeasible to find decryption key knowing only algorithm & encryption key

    computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known

    either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)

  • 7/23/2019 The RSA Algorithmppt.ppt

    8/64

    Public-Key Cryptosystems

  • 7/23/2019 The RSA Algorithmppt.ppt

    9/64

    Public-Key Applications

    can classify uses into 3 categories:

    encryption/decryption (provide secrecy)

    digital signatures (provide authentication)

    key exchange (of session keys)

    some algorithms are suitable for all uses, others are specific to one

  • 7/23/2019 The RSA Algorithmppt.ppt

    10/64

    Security of Public Key Schemes

    like private key schemes brute force exhaustive search attack is always theoretically possible

    but keys used are too large (512 bits)

    security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems

    more generally the hard problem is known, its just made too hard to do in practise

    requires the use of very large numbers

    hence is slow compared to private key schemes

  • 7/23/2019 The RSA Algorithmppt.ppt

    11/64

    Cryptography Outline

    Introduction: terminology, cryptanalysis, security

    Primitives:

    one-way functions

    one-way trapdoor functions

    one-way hash functions

    Protocols: digital signatures, key exchange, ..

    Private-Key Algorithms: Rijndael, DES

    Public-Key Algorithms: Knapsack, RSA, El-Gamal,

    Case Studies: Kerberos, Digital Cash

  • 7/23/2019 The RSA Algorithmppt.ppt

    12/64

    Primitives: One-Way Functions

    (Informally): A function Y = f(x)

    is one-way if it is easy to compute y from x but hard to compute x from y

    Building block of most cryptographic protocols

    And, the security of most protocols rely on their existence.

    Unfortunately, not known to exist.

  • 7/23/2019 The RSA Algorithmppt.ppt

    13/64

    One-way functions: possible definition

    1. F(x) is polynomial time

    2. F^-1(x) is NP-hard

    What is wrong with this definition?

  • 7/23/2019 The RSA Algorithmppt.ppt

    14/64

    One-way functions: better definition

    For most x no single PPT (probabilistic polynomial time) algorithm can compute x given y

    Roughly: at most a 1/|x|^k fraction of instances x are easy for any k and as |x| .

  • 7/23/2019 The RSA Algorithmppt.ppt

    15/64

    Some examples (conjectures)

    Factoring: x = (u,v)

    y = f(u,v) = u*v

    If u and v are prime it is hard to recover them from y.

    Discrete Log: y = g^x mod p where p is prime and g is a "generator" (i.e., g^1, g^2, g^3, ... generates all values < p).

    DES with known message m: y = DES_x(m)

  • 7/23/2019 The RSA Algorithmppt.ppt

    16/64

    One-way functions in public-key protocols

    y = ciphertext, m = plaintext, k = public key

    Consider: y = E_k(m) (i.e., f = E_k)

    Everyone knows k and thus f

    E_k(m) needs to be easy

    E_k^-1(y) should be hard

    Otherwise eavesdropper could decrypt y.

    But what about the intended recipient, who should be able to decrypt y?

  • 7/23/2019 The RSA Algorithmppt.ppt

    17/64

    One-way functions in private-key protocols

    y = ciphertext, m = plaintext, k = key

    Is

    y = E_k(m) (i.e. f = E_k)

    a one-way function with respect to y and m?

    f is not easy to compute unless k is known

    So what do one-way functions have to do with private-key protocols?

  • 7/23/2019 The RSA Algorithmppt.ppt

    18/64

    One-way functions in private-key protocols

    y = ciphertext, m = plaintext, k = key

    How about

    y = E_k(m) = E(k,m) = E_m(k) (i.e. f = E_m)

    should this be a one-way function?

    In a known-plaintext attack we know a (y,m) pair.

    The m along with E defines f

    E_m(k) needs to be easy

    E_m^-1(y) should be hard

    Otherwise we could extract the key k.

  • 7/23/2019 The RSA Algorithmppt.ppt

    19/64

    One-Way Trapdoor Functions

    A one-way function with a "trapdoor"

    The trapdoor is a key that makes it easy to invert the function y = f(x)

    Example: RSA (conjecture)

    y = x^e mod n

    Where n = pq (p, q, prime, p, q, e random)

    p or q or d (where ed = 1 mod (p-1)(q-1)) can be used as trapdoors

    In public-key algorithms f(x) = public key (e.g., e and n in RSA)

  • 7/23/2019 The RSA Algorithmppt.ppt

    20/64

    One-way Hash Functions

    Y = h(x) where y is a fixed length independent of the size of x. In general this means h is not invertible since it is many to one.

    Calculating y from x is easy

    Calculating any x such that y = h(x) given y is hard

    Used in digital signatures and other protocols.

  • 7/23/2019 The RSA Algorithmppt.ppt

    21/64

    RSA

    by Rivest, Shamir & Adleman of MIT in 1977

    best known & widely used public-key scheme

    based on exponentiation in a finite (Galois) field over integers modulo a prime

    nb. exponentiation takes O((log n)^3) operations (easy)

    uses large integers (eg. 1024 bits)

    security due to cost of factoring large numbers

    nb. factorization takes O(e^(log n log log n)) operations (hard)

  • 7/23/2019 The RSA Algorithmppt.ppt

    22/64

    RSA Key Setup

    each user generates a public/private key pair by:

    selecting two large primes at random - p, q

    computing their system modulus N=p.q

    note ø(N)=(p-1)(q-1)

    selecting at random the encryption key e where 1<e

    keep secret private decryption key: KR={d,p,q}

  • 7/23/2019 The RSA Algorithmppt.ppt

    23/64

    RSA Use

    to encrypt a message M the sender:

    obtains public key of recipient KU={e,N}

    computes: C=M^e mod N, where 0M (block if needed

  • 7/23/2019 The RSA Algorithmppt.ppt

    24/64

    Prime Numbers

    prime numbers only have divisors of 1 and self

    they cannot be written as a product of other numbers

    note: 1 is prime, but is generally not of interest

    eg. 2,3,5,7 are prime, 4,6,8,9,10 are not

    prime numbers are central to number theory

    list of prime number less than 200 is:

    2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

  • 7/23/2019 The RSA Algorithmppt.ppt

    25/64

    Prime Factorisation

    to factor a number n is to write it as a product of other numbers: n=a × b × c

    note that factoring a number is relatively hard compared to multiplying the factors together to generate the number

    the prime factorisation of a number n is when its written as a product of primes

    eg. 91=7×13 ; 3600=2^4×3^2×5^2

  • 7/23/2019 The RSA Algorithmppt.ppt

    26/64

    Relatively Prime Numbers & GCD

    two numbers a, b are relatively prime if have no common divisors apart from 1

    eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor

    conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers

    eg. 300=2^2×3^1×5^2 18=2^1×3^2 hence GCD(18,300)=2^1×3^1×5^0=6

  • 7/23/2019 The RSA Algorithmppt.ppt

    27/64

    Fermat's Theorem

    a^(p-1) mod p = 1

    where p is prime and gcd(a,p)=1

    also known as Fermat's Little

  • 7/23/2019 The RSA Algorithmppt.ppt

    28/64

    Euler Totient Function ø(n)

    when doing arithmetic modulo n

    complete set of residues is: 0..n-1

    reduced set of residues is those numbers (residues) which are relatively prime to n

    eg for n=10,

    complete set of residues is {0,1,2,3,4,5,6,7,8,9}

    reduced set of residues is {1,3,7,9}

    number of elements in reduced set of residues is called the Euler Totient Function ø(n)

  • 7/23/2019 The RSA Algorithmppt.ppt

    29/64

    Euler Totient Function ø(n)

    to compute ø(n) need to count number of elements to be excluded

    in general need prime factorization, but

    for p (p prime) ø(p) = p-1

    for p.q (p,q prime) ø(p.q) = (p-1)(q-1)

    eg. ø(37) = 36

    ø(21) = (3-1)×(7-1) = 2×6 = 12

  • 7/23/2019 The RSA Algorithmppt.ppt

    30/64

    Euler's Theorem

    a generalisation of Fermat's

  • 7/23/2019 The RSA Algorithmppt.ppt

    31/64

    Why RSA Works

    because of Euler's

  • 7/23/2019 The RSA Algorithmppt.ppt

    32/64

    RSA Example

    1. Select primes: p=17 q=11

    2. Compute n = pq = 17×11 = 187

    3. Compute ø(n)=(p-1)(q-1)=16×10=160

    4. Select e: gcd(e,160)=1; choose e=7

    5. Determine d: de=1 mod 160 and d < 160

    Value is d=23 since 23×7=161= 1×160+1

    6. Publish public key KU={7,187}

    7. Keep secret private key KR={23,17,11}

  • 7/23/2019 The RSA Algorithmppt.ppt

    33/64

    RSA Example cont

    sample RSA encryption/decryption is:

    given message M = 88 (nb. 88

  • 7/23/2019 The RSA Algorithmppt.ppt

    34/64

    Exponentiation

    can use the Square and Multiply Algorithm

    a fast, efficient algorithm for exponentiation

    concept is based on repeatedly squaring base

    and multiplying in the ones that are needed to compute the result

    look at binary representation of exponent

    only takes O(log2 n) multiples for number n

    eg. 7^5 = 7^4.7^1 = 3.7 = 10 mod 11

    eg. 3^129 = 3^128.3^1 = 5.3 = 4 mod 11
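The key setup, the worked RSA example (p=17, q=11, e=7, M=88) and the square-and-multiply slide can be followed end to end in code. This is an added example, not part of the original slides; the function names are chosen here, and the extended Euclidean algorithm stands in for the "Inverse algorithm" the slides mention without detail.

```python
# Added illustration: textbook RSA with the slides' toy numbers.
# No padding and tiny primes, so this is for study only.
from math import gcd


def square_and_multiply(base, exponent, modulus):
    """Scan the exponent's bits from the most significant end: square at
    every step, multiply by the base only where the bit is 1."""
    if exponent < 0 or modulus < 1:
        raise ValueError("need exponent >= 0 and modulus >= 1")
    result = 1 % modulus
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        if bit == "1":
            result = (result * base) % modulus
    return result


def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return old_r, old_s, old_t


def rsa_key_setup(p, q, e):
    """N = p*q, phi(N) = (p-1)(q-1), d = e^-1 mod phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(N) and gcd(e, phi(N)) = 1")
    _, s, _ = extended_gcd(e, phi)
    d = s % phi                      # bring the Bezout coefficient into [0, phi)
    return (e, n), (d, p, q)         # KU = {e, N}, KR = {d, p, q}


def rsa_encrypt(message, public_key):
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus (block if needed)")
    return square_and_multiply(message, e, n)


def rsa_decrypt(ciphertext, private_key):
    d, p, q = private_key
    return square_and_multiply(ciphertext, d, p * q)


if __name__ == "__main__":
    public, private = rsa_key_setup(17, 11, 7)
    c = rsa_encrypt(88, public)
    print("KU =", public, "KR =", private)
    print("C =", c, "M =", rsa_decrypt(c, private))
```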

  • 7/23/2019 The RSA Algorithmppt.ppt

    35/64

    Exponentiation

  • 7/23/2019 The RSA Algorithmppt.ppt

    36/64

    RSA Key Generation

    users of RSA must:

    determine two primes at random - p, q

    select either e or d and compute the other

    primes p,q must not be easily derived from modulus N=p.q

    means must be sufficiently large

    typically guess and use probabilistic test

    exponents e, d are inverses, so use Inverse algorithm to compute the other

  • 7/23/2019 The RSA Algorithmppt.ppt

    37/64

    RSA Security

    three approaches to attacking RSA:

    brute force key search (infeasible given size of numbers)

    mathematical attacks (based on difficulty of computing ø(N), by factoring modulus N)

    timing attacks (on running of decryption)

  • 7/23/2019 The RSA Algorithmppt.ppt

    38/64

    Factoring Problem

    mathematical approach takes 3 forms:

    factor N=p.q, hence find ø(N) and then d

    determine ø(N) directly and find d

    find d directly

    currently believe all equivalent to factoring

    have seen slow improvements over the years

    as of Aug-99 best is 130 decimal digits (512) bit with GNFS

    biggest improvement comes from improved algorithm

    cf "Quadratic Sieve" to "Generalized Number Field Sieve"

    barring dramatic breakthrough 1024+ bit RSA secure

    ensure p, q of similar size and matching other constraints

  • 7/23/2019 The RSA Algorithmppt.ppt

    39/64

    Timing Attacks

    developed in mid-1990's

    exploit timing variations in operations

    eg. multiplying by small vs large number

    or IF's varying which instructions executed

    infer operand size based on time taken

    RSA exploits time taken in exponentiation

    countermeasures

    use constant exponentiation time

    add random delays

    blind values used in calculations
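The last countermeasure, blinding, can be shown with the toy key from the RSA example (n=187, e=7, d=23). This is an added example, not part of the original slides; the function names and the optional `r` parameter (there only so the result can be reproduced) are assumptions of this sketch.

```python
# Added illustration of the "blind values" countermeasure.
import secrets
from math import gcd

# Toy key from the slides' RSA example.
N, E, D = 187, 7, 23


def fresh_blinding_factor(n):
    """Random r in [2, n-1] that is invertible modulo n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def blinded_rsa_decrypt(ciphertext, d=D, e=E, n=N, r=None):
    """Return (plaintext, blinded_operand).

    blind:    c' = c * r^e mod n
    decrypt:  m' = (c')^d mod n     which equals m * r mod n
    unblind:  m  = m' * r^-1 mod n
    The secret exponent d is only ever applied to c', which the sender of c
    cannot predict, so the time taken no longer tracks the chosen input.
    """
    if not 0 <= ciphertext < n:
        raise ValueError("ciphertext out of range")
    if r is None:
        r = fresh_blinding_factor(n)      # fresh value for every decryption
    elif gcd(r, n) != 1:
        raise ValueError("blinding factor must be invertible modulo n")
    blinded = (ciphertext * pow(r, e, n)) % n
    blinded_plain = pow(blinded, d, n)
    plain = (blinded_plain * pow(r, -1, n)) % n
    return plain, blinded


if __name__ == "__main__":
    for _ in range(3):
        print(blinded_rsa_decrypt(11))    # same plaintext, different operand
```

Python's built-in `pow` is not constant-time, so blinding here complements the other countermeasures on the slide and does not replace them.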

  • 7/23/2019 The RSA Algorithmppt.ppt

    40/64

    Summary

    have considered:

    prime numbers

    Fermat's and Euler's

  • 7/23/2019 The RSA Algorithmppt.ppt

    41/64

    Assignments

    1. Perform encryption and decryption using RSA algorithm, as in Figure 1, for the following:

    p = 3; q = 11, e = 7; M = 5

    p = 5; q = 11, e = 3; M = 9

    2. In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n = 35. What is the plaintext M?

    Figure 1. Example of RSA Algorithm. Encryption: plaintext 88, 88^7 mod 187 = 11, ciphertext 11. Decryption: ciphertext 11, 11^23 mod 187 = 88, plaintext 88. KU = 7, 187; KR = 23, 187.

  • 7/23/2019 The RSA Algorithmppt.ppt

    42/64

    Introduction

    Discovered by Whitfield Diffie and Martin Hellman

    "New Directions in Cryptography"

    Diffie-Hellman key agreement protocol

    Exponential key agreement

    Allows two users to exchange a secret key

    Requires no prior secrets

    Real-time over an untrusted network

  • 7/23/2019 The RSA Algorithmppt.ppt

    43/64

    Introduction

    Based on the difficulty of computing discrete logarithms of large numbers.

    No known successful attack strategies*

    Requires two large numbers, one prime (P), and (G), a primitive root of P

  • 7/23/2019 The RSA Algorithmppt.ppt

    44/64

    Implementation

    P and G are both publicly available numbers

    P is at least 512 bits

    Users pick private values a and b

    Compute public values

    x = g^a mod p

    y = g^b mod p

    Public values x and y are exchanged

  • 7/23/2019 The RSA Algorithmppt.ppt

    45/64

    Implementation

    Copyright, 2001 by NetIP, Inc. and Keith Palmgren, CISSP.

  • 7/23/2019 The RSA Algorithmppt.ppt

    46/64

    Implementation

    Compute shared, private key

    ka = y^a mod p

    kb = x^b mod p

    Algebraically it can be shown that ka = kb

    Users now have a symmetric secret key to encrypt

  • 7/23/2019 The RSA Algorithmppt.ppt

    47/64

    Implementation

  • 7/23/2019 The RSA Algorithmppt.ppt

    48/64

    Example

  • 7/23/2019 The RSA Algorithmppt.ppt

    49/64

    Example

    Alice and Bob get public numbers

    P = 23, G = 9

    Alice and Bob compute public values

    X = 9^4 mod 23 = 6561 mod 23 = 6

    Y = 9^3 mod 23 = 729 mod 23 = 16

    Alice and Bob exchange public numbers
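The exchange with P = 23 and G = 9 can be carried through to the shared key, together with the checks a receiver should make on the value it is sent. This is an added example, not part of the original slides; the private values a = 4 and b = 3 are read off the exponents in the slide, and the function names are chosen here. It also reports the order of G: 9 has order 11 modulo 23, so it generates a prime-order subgroup and is not a primitive root of 23.

```python
# Added illustration: Diffie-Hellman with the slides' toy numbers.
P, G = 23, 9


def element_order(g, p):
    """Multiplicative order of g modulo prime p (brute force, toy sizes only)."""
    value, order = g % p, 1
    while value != 1:
        value = (value * g) % p
        order += 1
    return order


def is_primitive_root(g, p):
    """True when g generates every non-zero value below the prime p."""
    return element_order(g, p) == p - 1


def dh_public_value(private, g=G, p=P):
    """x = g^a mod p, the value sent over the untrusted network."""
    return pow(g, private, p)


def dh_shared_key(peer_public, private, p=P, subgroup_order=None):
    """k = (peer value)^private mod p, after validating the peer value.

    0, 1 and p-1 would force the key into a set of at most two values, so
    they are rejected. When the order of G is known, the peer value must
    also lie in the subgroup that G generates.
    """
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value outside [2, p-2]")
    if subgroup_order is not None and pow(peer_public, subgroup_order, p) != 1:
        raise ValueError("peer public value is not in the subgroup generated by G")
    return pow(peer_public, private, p)


def run_exchange(a, b):
    """Both sides of the exchange; returns (x, y, ka, kb)."""
    order = element_order(G, P)
    x = dh_public_value(a)                 # Alice -> Bob
    y = dh_public_value(b)                 # Bob -> Alice
    ka = dh_shared_key(y, a, subgroup_order=order)
    kb = dh_shared_key(x, b, subgroup_order=order)
    return x, y, ka, kb


if __name__ == "__main__":
    print("order of G:", element_order(G, P))
    print("x, y, ka, kb =", run_exchange(4, 3))
```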


  • 7/23/2019 The RSA Algorithmppt.ppt

    50/64

    Applications

    Diffie-Hellman is currently used in many protocols, namely:

    Secure Sockets Layer (SSL)/

  • 7/23/2019 The RSA Algorithmppt.ppt

    51/64

    Digital Signature Model

  • 7/23/2019 The RSA Algorithmppt.ppt

    52/64

    Digital Signature Model

  • 7/23/2019 The RSA Algorithmppt.ppt

    53/64

    Digital Signature Requirements

    must depend on the message signed

    must use information unique to sender

    to prevent both forgery and denial

    must be relatively easy to produce

    must be relatively easy to recognize & verify

    be computationally infeasible to forge

    with new message for existing digital signature

    with fraudulent digital signature for given message

    be practical save digital signature in storage

  • 7/23/2019 The RSA Algorithmppt.ppt

    54/64

    Direct Digital Signatures

    involve only sender & receiver

    assumed receiver has sender's public-key

    digital signature made by sender signing entire message or hash with private-key

    can encrypt using receivers public-key

    important that sign first then encrypt message & signature

    security depends on sender's private-key

  • 7/23/2019 The RSA Algorithmppt.ppt

    55/64

    ElGamal Digital Signatures

    signature variant of ElGamal, related to D-H

    so uses exponentiation in a finite (Galois)

    with security based difficulty of computing discrete logarithms, as in D-H

    use private key for encryption (signing)

    uses public key for decryption (verification)

    each user (eg. A) generates their key

    chooses a secret key (number): 1 < xA < q-1

    compute their public key: yA = a^xA mod q

  • 7/23/2019 The RSA Algorithmppt.ppt

    56/64

    ElGamal Digital Signature

    Alice signs a message M to Bob by computing

    the hash m = H(M), 0

  • 7/23/2019 The RSA Algorithmppt.ppt

    57/64

    ElGamal Signature Example

    use field GF(19) q=19 and a=10

    Alice computes her key:

    A chooses xA=16 & computes yA=10^16 mod 19 = 4

    Alice signs message with hash m=14 as (3,4):

    choosing random K=5 which has gcd(18,5)=1

    computing S1 = 10^5 mod 19 = 3

    finding K^-1 mod (q-1) = 5^-1 mod 18 = 11

    computing S2 = 11(14-16.3) mod 18 = 4

    any user B can verify the signature by computing

    V1 = 10^14 mod 19 = 16

    V2 = 4^3.3^4 = 5184 = 16 mod 19

    since 16 = 16 signature is valid

  • 7/23/2019 The RSA Algorithmppt.ppt

    58/64

    Digital Signature Standard (DSS)

    US Govt approved signature scheme

    designed by NIST & NSA in early 90's

    published as FIPS-186 in 1991

    revised in 1993, 1996 & then 2000

    uses the SHA hash algorithm

    DSS is the standard, DSA is the algorithm

    FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants

    DSA is digital signature only unlike RSA

    is a public-key technique

  • 7/23/2019 The RSA Algorithmppt.ppt

    59/64

    DSS vs RSA Signatures

  • 7/23/2019 The RSA Algorithmppt.ppt

    60/64

    Digital Signature Algorithm (DSA)

    creates a 320 bit signature

    with 512-1024 bit security

    smaller and faster than RSA

    a digital signature scheme only

    security depends on difficulty of computing discrete logarithms

    variant of ElGamal & Schnorr schemes

  • 7/23/2019 The RSA Algorithmppt.ppt

    61/64

    DSA Key Generation

    have shared global public key values (p,q,g):

    choose 160-bit prime number q

    choose a large prime p with 6-1

  • 7/23/2019 The RSA Algorithmppt.ppt

    62/64

    DSA Signature Creation

    to sign a message M the sender:

    generates a random signature key /, /

  • 7/23/2019 The RSA Algorithmppt.ppt

    63/64

    DSA Signature Verification

    having received M & signature (r,s)

    to verify a signature, recipient computes:

    w = s^-1 mod q

    u1 = [H(M)w] mod q

    u2 = (rw) mod q

    v = [(g^u1 y^u2) mod p] mod q

    if v=r then signature is verified

    see Appendix A for details of proof why

    DSS Overview

  • 7/23/2019 The RSA Algorithmppt.ppt

    64/64

