Page 1: David Evans cs.virginia/evans

David Evans, http://www.cs.virginia.edu/evans

CS588: Security and Privacy, University of Virginia, Computer Science

Lecture 13: Security of RSA

THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE.

Page 2:

Menu

• Legality of discussing RSA

• Properties of RSA

– Correct (last Thursday)

– Easy to compute if you know the key

– Hard to break if you don’t know the key

Page 3:

Properties of E and D

Trap-door one way function:

1. D (E (M)) = M

2. E and D are easy to compute.

3. Revealing E doesn’t reveal an easy way to compute D

Trap-door one way permutation: also

4. E (D (M)) = M

Page 4:

Property 4: E (D (M)) = M

D(M) = M^d mod n

E(D(M)) = (M^d mod n)^e mod n

= M^{de} mod n

= M^{ed} mod n

= M

(from the property 1 proof)

Page 5:

Properties of E and D

Trap-door one way function:

1. D (E (M)) = M

2. E and D are easy to compute.

3. Revealing E doesn’t reveal an easy way to compute D

Trap-door one way permutation: also

4. E (D (M)) = M

Before going on…is it legal to talk about 2?

Page 6:

RSA in Perl

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

(by Adam Back)

Until 1997 – Illegal to show this slide to non-US citizens!

Until Jan 2000: can export RSA, but only with 512 bit keys

Now: can export RSA except to embargoed destinations

Page 7:

First Amendment

Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment.

Sixth Circuit Court of Appeals, April 4, 2000

Ruling that Peter Junger could post RSA source code on his web site

Page 8:

Property 2: Easy to Compute

• E(M) = M^e mod n

• Easy – every 4th grader can do exponents, every kindergartner can do mod n.

• How big are M, e, and n?

– M: 2^n where n is the number of bits in M

– M and n must be big (~10^200) for security

Page 9:

Fast Exponentiation

• a^{m + n} = a^m * a^n

• a^b = a^{b/2} * a^{b/2} (if 2 divides b)

• So, can compute M^e in about log_2 e multiplies

• 10^150 < 2^512, 512 multiplies is doable (by a computer, not a kindergartner)

• Faster bitwise algorithms known
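Square-and-multiply as the slide describes it, with a multiply counter, plus a round trip through RSA's E and D that checks properties 1 and 4 from the earlier slides. This is an added example, not code from the lecture; the primes, exponent and message are constructed toy values.

```python
def mod_pow(base, exp, mod):
    """Square-and-multiply: base^exp mod mod, using a^(m+n) = a^m * a^n and
    a^(2k) = (a^k)^2 from the slide.  Returns (result, modular multiplies);
    the count stays between log2(exp) and 2*log2(exp)."""
    result, base, mults = 1, base % mod, 0
    while exp > 0:
        if exp & 1:                      # this bit of the exponent is set
            result = result * base % mod
            mults += 1
        exp >>= 1
        if exp:                          # more bits remain: one squaring per bit
            base = base * base % mod
            mults += 1
    return result, mults


def rsa_keypair(p, q, e):
    """n = pq and d = e^-1 mod (p-1)(q-1), so that ed = 1 (mod (p-1)(q-1))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # ValueError if e is not coprime to phi
    return n, d


def encrypt(m, e, n):
    """E(M) = M^e mod n; the message must be smaller than the modulus (slide 8)."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return mod_pow(m, e, n)[0]


def decrypt(c, d, n):
    """D(C) = C^d mod n."""
    return mod_pow(c, d, n)[0]


def trapdoor_permutation_check(p, q, e, m):
    """Return (D(E(M)) == M, E(D(M)) == M): properties 1 and 4 of the slides."""
    n, d = rsa_keypair(p, q, e)
    return (decrypt(encrypt(m, e, n), d, n) == m,
            encrypt(decrypt(m, d, n), e, n) == m)
```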

Page 10:

Anything else hard to compute?

• We need to find large prime numbers p and q

• Obvious way: Pick big number x

for i = 2 to x – 1 (it suffices to stop at sqrt (x))
    if i divides x it's not prime, start over with x + 1
done – x is prime

Page 11:

How many prime numbers?

• Infinite number (proved by Euclid, 300BC)

Page 12:

Infinite Primes Proof

Suppose that there exist only finitely many primes p_1 < p_2 < ... < p_r.

Let N = (p_1)(p_2)...(p_r) + 1

N > p_r so it is composite, N = p * M

If p = p_i for some i in 1…r, then

N = p_i * M = p_i * (p_1)(p_2)...(p_{i-1})(p_{i+1})...(p_r) + 1

p_i (M – (p_1)(p_2)...(p_{i-1})(p_{i+1})...(p_r)) = 1

Contradiction: p_i > 1

Hence, there must be infinitely many primes.

Page 13:

Density of Primes

From http://www.utm.edu/research/primes/howmany.shtml

π(x) is the number of primes ≤ x

Page 14:

Finding Primes

• The Prime Number Theorem: π(x) ~ x/ln x

• So, to find a prime bigger than x, we need to make about ln x/2 guesses

• Naïve prime test

– Each guess requires O(√x) work

– Expect to need O(ln x/2 * √x) work

– For 200 digits = 230 * 10^100

– More work than breaking 3DES!

Page 15:

Need a faster prime test

• There are several fast probabilistic prime tests

• Can quickly test a prime with high probability, with a small amount of work

• If we pick a non-prime, it's not a disaster (left as PS4 exercise to figure out what happens)

Page 16:

Fermat Test

• Recall Fermat’s Little Theorem:

– If n is prime and a is not divisible by n then a^{n-1} ≡ 1 (mod n)

• Prove n is composite by finding a^{n-1} ≢ 1 (mod n)

• Showing a^{n-1} ≡ 1 (mod n) does not prove n is prime

• But if it holds for many a’s it is likely that n is prime

– Holds for all a’s for some non-primes known as Carmichael Numbers: 561, 645, 1105, …
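The naive test from slide 10 and the Fermat test from this slide, with an exhaustive check for the Carmichael property, beside a strong (Miller-Rabin) probable-prime test that Carmichael numbers do not fool. This is an added example, not code from the lecture; the bases 2 and 7 used in the checks are constructed choices. Of the three numbers listed on the slide, only 561 and 1105 pass Fermat for every coprime base; 645 passes base 2 but fails base 7.

```python
import math
import random


def naive_is_prime(x):
    """Slide 10's obvious way: trial division up to sqrt(x), O(sqrt x) per candidate."""
    return x >= 2 and all(x % i for i in range(2, math.isqrt(x) + 1))


def fermat_witness(n, a):
    """True when base a proves n composite: a^(n-1) != 1 (mod n)."""
    return pow(a, n - 1, n) != 1


def fermat_probable_prime(n, rounds=20, rng=random):
    """Fermat test with random bases.  False is a proof of compositeness; True
    only means 'probably prime': a Carmichael number passes for every coprime a."""
    if n < 4:
        return n in (2, 3)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if math.gcd(a, n) != 1 or fermat_witness(n, a):
            return False
    return True


def fools_fermat_for_all_bases(n):
    """Exhaustively check that composite n passes Fermat for every coprime base
    (the Carmichael property); only practical for small n."""
    if n < 4 or naive_is_prime(n):
        return False
    return all(not fermat_witness(n, a) for a in range(2, n) if math.gcd(a, n) == 1)


def miller_rabin(n, rounds=20, rng=random):
    """Strong test: write n-1 = 2^s * d and follow a^d, a^(2d), ..., a^(2^s d).
    A prime can only reach 1 through -1; any other square root of 1 proves n
    composite, which is what a Carmichael number cannot hide."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # never hit -1 before 1: composite
    return True
```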

Page 17:

Primality Test

• PRIMES Problem

– Input: a number n

– Output: TRUE if n is prime, otherwise FALSE

• Is PRIMES in P?

Page 18:

Quiz Time

Page 19:

PRIMES

• PRIMES Problem

– Input: a number n

– Output: TRUE if n is prime, otherwise FALSE

• Until 2002: believed there was no polynomial algorithm for PRIMES

– Lots of effort on this over 1000s of years

Page 20:

Gauss on PRIMES

The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length... Further, the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated.

Karl Friedrich Gauss, Disquisitiones Arithmeticae, 1801

Page 21:

PRIMES is in P

• Manindra Agrawal, Neeraj Kayal and Nitin Saxena, PRIMES is in P. Indian Institute of Technology Kanpur, 2002

– Neeraj Kayal and Nitin Saxena were 4th year undergraduates at IIT Kanpur

– http://www.cse.iitk.ac.in/news/primality.html

– 7 pages long + references

Page 22:

Paper Excerpt

Key insight based on generalization of Fermat’s little theorem

Page 23:

Properties of E and D

Trap-door one way function:

1. D (E (M)) = M

2. E and D are easy to compute.

3. Revealing E doesn’t reveal an easy way to compute D

Trap-door one way permutation: also

4. E (D (M)) = M

??

Page 24:

RSA

E(M) = M^e mod n

D(C) = C^d mod n

n = pq, where p, q are prime

d is relatively prime to (p – 1)(q – 1)

ed ≡ 1 (mod (p – 1)(q – 1))

Page 25:

Strategy

• Revealing E: e, n. Can attacker find D?

• If attacker factors n = p * q: ed ≡ 1 mod (p – 1)(q – 1)

Easy to find d ≡ e^{-1} mod (p – 1)(q – 1)

• Use experience to argue factoring is hard.

– This should make us somewhat nervous

• Argue all other attacks are at least as hard as factoring n.

Page 26:

Gardner’s Column: Original RSA challenge ($100)

n (RSA-129) = 1 1438 1625 7578 8886 7669 2357 7997 6146 6120 1021 8296 7212 4236 2562 5618 4293 5706 9352 4573 3897 8305 9712 3563 9587 0505 8989 0751 4759 9290 0268 7954 3541

e = 9007

C = 9686 9613 7546 2206 1477 1409 2225 4355 8829 0575 9991 1245 7431 9874 6951 2093 0816 2982 2514 5708 3569 3147 6622 8839 8962 8013 3919 9055 1829 9451 5781 5154

Scientific American, August 1977

Page 27:

40,000,000,000,000,000 (17 digits)

Ron Rivest (1977): factoring n (129 digits) would require at least 40 quadrillion years if you could do a * b mod c in one nanosecond.

Derek Atkins (April 1994): We are happy to announce that RSA-129 = 3490 5295 1084 7650 9491 4784 9619 9038 9813 3417 7646 3849 3387 8439 9082 0577 * 3 2769 1329 9326 6709 5499 6198 8190 8344 6141 3177 6429 6799 2942 5397 9828 8533

Page 28:

Trial and Error Factoring

• Guess x, if 1 < gcd (x, n) < n then x is an interesting factor

• If p and q are similar size, lowest factor is around √n.

– Requires O(√n) divisions.

– For RSA-129 = 1.1 * 10^64 divisions, 1 per nanosecond = 3.4 * 10^47 years

Page 29:

Pollard’s Rho Method

• Fastest known in 1977 [Pollard75]

• To find factor p, requires 4√p modular multiplies

• Worst case: lowest p is √n, we need 4 n^{1/4} multiplies

• For RSA-129 = 1.3 * 10^32 = 4 * 10^15 years

• Rivest probably used this, but made a math error (4 quadrillion vs. 40 quadrillion)
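Pollard's rho on a toy two-prime modulus, counting modular multiplies so the ~4√p cost claimed on the slide can be checked directly. This is an added example, not code from the lecture; the start value x0 = 2, the map f(x) = x^2 + c and the primes in the test are constructed choices.

```python
import math


def pollard_rho(n, c=1, x0=2):
    """Pollard's rho with Floyd cycle-finding on f(x) = x^2 + c mod n.
    Returns (factor or None, modular multiplies used).  Reduced mod the
    smallest prime p, the sequence repeats after about 1.25*sqrt(p) steps, and
    each step below costs three squarings: hence the slide's ~4*sqrt(p)."""
    def f(v):
        return (v * v + c) % n

    x = y = x0
    mults, d = 0, 1
    while d == 1:
        x = f(x)                          # tortoise moves one step
        y = f(f(y))                       # hare moves two steps
        mults += 3
        d = math.gcd(abs(x - y), n)
    return (None if d == n else d), mults   # d == n: both factors collided at once


def factor_two_primes(n, max_c=20):
    """Split n = p*q, retrying with a new constant c when the rho collapses to n.
    Returns (p, q, total multiplies) with p <= q."""
    total = 0
    for c in range(1, max_c + 1):
        d, mults = pollard_rho(n, c)
        total += mults
        if d is not None:
            return min(d, n // d), max(d, n // d), total
    raise RuntimeError("no factor found; increase max_c or change x0")


def multiplies_per_sqrt_p(n):
    """Multiplies actually spent divided by sqrt(smallest factor), to compare with 4."""
    p, _, mults = factor_two_primes(n)
    return mults / math.sqrt(p)
```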

Page 30:

How so Fast

• Better factoring algorithms

• Distributed computation

• Still can’t do a * b mod c in one nanosecond (not faster processors)

– 1ns = 10^-9 s

– Best Pentium 4 today: 4 GHz (cycle = .25ns)

– But, multiplying 100 digit numbers takes many cycles

Page 31:

Factoring Pragmatics

• Conjectured to take e^{sqrt(2 log n log log n)} steps to factor n.

• Quadratic Sieve Factoring

– Improved Kraitchik’s algorithm to choose likely good values for x’s

– Complexity: e^{sqrt(log n log log n)}

– How much bigger numbers can it factor? Twice as many digits in same time!

Page 32:

Breaking RSA-129

• Organized by Derek Atkins and others, 1994

• Quadratic Sieve algorithm

• Memory-limited (1994 – most workstations 16MB RAM), used 10M to hold .5M primes

• Recruited volunteers from Internet

• 1600 machines

• Used 5000 MIPS years over 8 months

Page 33:

To factor r [RSA-129] we assembled the largest collaboration yet seen in computational number theory and, possibly, performed the largest single computation ever completed. In several important respects, the resources we had available were barely adequate for the task. Consequently, ingenuity and diplomacy were required for the successful completion of the project.

Derek Atkins, Michael Graff, et al., The Magic Words Are Squeamish Ossifrage, AsiaCrypt 1994.

Page 34:

Recent Factoring Algorithms

• Team from CWI (Amsterdam) factored RSA-155 (512 bits), August 1999

• ~8000 MIPS years (36 CPU years)

• 7 months on ~300 machines

• Lecture 1: factor 300 digit number for automatic A. How much harder is this?

Page 35:

Faster Factoring Algorithm

• Function Field Sieve [Adelman & Lasker, 1992]

• O(log^{10.5} n)

“Breakthrough of Gaussian Proportions”

• One serious limitation:

– Only works in Hollywood: this is what the movie “Sneakers” is about!

Page 36:

RSA Security

• Factoring is hard (except in Sneakers)

• Is this enough to know RSA is secure?

• Can you compute D without factoring n?

– Probably not, but can’t prove it.

– But, can prove other obvious mathematical attacks are equivalent to factoring.

Page 37:

φ(n) without factoring

• Calculate φ(n) without factoring n.

ed ≡ 1 mod φ(n)

• Equivalent to factoring:

φ(n) = (p – 1)(q – 1) = n – (p + q) + 1

p + q = n – φ(n) + 1

p – q = sqrt ((p + q)^2 – 4n) [next slide]

2p = sqrt ((n – φ(n) + 1)^2 – 4n) + n – φ(n) + 1

If we know φ(n) we can calculate p and q easily.

Page 38:

p – q = sqrt ((p + q)^2 – 4n)

(p – q)^2 = p^2 – 2pq + q^2

= p^2 + q^2 – 2n

(p + q)^2 = p^2 + q^2 + 2n

(p – q)^2 = (p + q)^2 – 4n

p – q = sqrt ((p + q)^2 – 4n)

Page 39:

Determine d without φ(n)

• Brute force: m digits long, amount of work is 10^m.

– Try 1T/second (special purpose hardware)

– Will take 3*10^30 years for m = 50.

– For factoring difficulty, m > 100. (Bigger than AES key)

• Non-brute force: knowing d enables factoring.

Page 40:

Determining d ⇒ factoring

ed ≡ 1 mod φ(n)

k * φ(n) = ed – 1

Already showed, finding φ(n) is same as factoring.

Also true for multiple of φ(n).
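Both reductions from slides 37, 38 and 40 carried out in code: recovering p and q from φ(n) with the sum-and-difference formulas, and splitting n from any multiple of φ(n), such as ed − 1, which is why knowing d is as good as factoring. This is an added example, not code from the lecture; the moduli in the test are constructed toy values.

```python
import math
import random


def factor_from_phi(n, phi):
    """Slides 37/38: phi(n) = n - (p+q) + 1 gives p + q = n - phi + 1, and
    p - q = sqrt((p+q)^2 - 4n); p and q are half the sum and difference."""
    s = n - phi + 1                       # p + q
    disc = s * s - 4 * n                  # (p + q)^2 - 4n = (p - q)^2
    if disc < 0 or math.isqrt(disc) ** 2 != disc:
        raise ValueError("phi is not phi(n) for a two-prime modulus")
    t = math.isqrt(disc)                  # p - q
    p, q = (s + t) // 2, (s - t) // 2
    if p * q != n:
        raise ValueError("recovered factors do not multiply to n")
    return p, q


def factor_from_multiple_of_phi(n, m, rng=random, tries=100):
    """Slide 40: any multiple m = 2^k * t (t odd) of phi(n) splits n.  For a
    coprime to n, a^m = 1 (mod n), so the chain a^t, a^(2t), ..., a^(2^k t)
    reaches 1; if it gets there from an x other than -1, gcd(x - 1, n) is a
    proper factor, because x^2 = 1 (mod n) with x != +-1."""
    if m <= 0 or m % 2:
        raise ValueError("m must be a positive even multiple of phi(n)")
    k, t = 0, m
    while t % 2 == 0:
        k, t = k + 1, t // 2
    for _ in range(tries):
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if 1 < g < n:                     # a itself shares a factor with n
            return max(g, n // g), min(g, n // g)
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                      # this base gives no information
        for _ in range(k):
            y = x * x % n
            if y == 1:                    # x is a nontrivial square root of 1
                g = math.gcd(x - 1, n)
                return max(g, n // g), min(g, n // g)
            if y == n - 1:
                break
            x = y
    raise RuntimeError("no factor found; m is probably not a multiple of phi(n)")


def factor_from_d(n, e, d, rng=random):
    """Knowing the private exponent is as good as factoring: ed - 1 = k * phi(n)."""
    return factor_from_multiple_of_phi(n, e * d - 1, rng)
```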

Page 41:

Properties of RSA’s E and D

• Trap-door one way function:

D (E (M)) = M

E and D are easy to compute.

Revealing E doesn’t reveal an easy way to compute D

• Trap-door one way permutation: also E (D (M)) = M

Page 42:

Applications of RSA

• Privacy:

– Bob encrypts message to Alice using E_A

– Only Alice knows D_A

• Signatures:

– Alice encrypts a message using D_A

– Bob decrypts using E_A

– Knows it was from Alice, since only Alice knows D_A

• Things you use every day: ssh, SSL, DNS, etc.

• More than 400,000,000 copies of the RSA algorithm are currently installed

Page 43:

Faculty Candidate Talks

• Wednesday, 3:30: Cliff Zou – modeling and detecting Internet worms

• Monday, 3:30 (Olsson 009)

– Kevin Fu, MIT (PhD student of Ron Rivest and Frank Kaashoek)

– Secure content distribution using untrusted servers

Page 44:

Charge

• Thursday: Doug Szajda

• Monday: Kevin Fu, 3:30

• Tuesday: what to do about all those couriers

• Thursday: guest lecture, Daniel Mellen, Jennifer Combs and Trab Farrales from Accenture

– Implementing a public-key infrastructure in industry

• Work on your projects