Upload
kenneth-fraser
View
219
Download
0
Embed Size (px)
Citation preview
RSA and Public Key Cryptography
Oct. 2002
Nathanael Paul
Some quick things to fill in some holes…
(P,C,K,E,D)– P: plaintext– C: ciphertext– K: keyspace– E: encryption function– D: decryption function
Someone recently asked me (and something for you to think about for next time):– Can cryptography and math be separated? Why or
why not?
What is public key cryptography?Why is there a need?
Asymmetric vs. Symmetric Problems solved by public key
– Shared secret not needed– Authentication
Trapdoor one-way function– Factoring integers– Discrete logs
Slow, power hungry
Where did public key cryptography come from?
Diffie and Hellman– Credited with invention (circa 1976)– One year later, RSA is invented– April 2002, ACM communications
1970 James Ellis (British Gov’t)– “The possibility of non-secret encryption”– NSA claims
Overview
RSA– Rivest, Shamir, Adleman, 1977
Zn
– Modular operations (the expensive part)– A sender looks up the public key of the receiver,
and encrypts the message with that key– The receiver decrypts the message with his private
key– Although, public key is public information, private
key is secret but related to the public key in a special way
Essence of RSA
P, C are in Zn
n = p * q, where p and q are primes y = Ek(m) = mb mod n m = Dk(y) = ya mod n
– D(y) = D(E(m)) = D(mb) = (mb)a = m– Factoring not necessary for decryption
The public key is (b,n), everything else is private
private key is (a,n)
Some relationships
a is relatively prime to (p-1)(q-1) ab 1 (mod (p-1)(q-1)) (n) = (p-1)(q-1). ??? (n) = { x < n : gcd(x, n) = 1 }
– “all integers less than n that are relatively prime to n”
Let’s check to see if encryption and decryption really are inverse operations.
Checking RSA
ab 1 (mod (n))– “ab is some multiple of ((n) + 1)
ab = t((n) + 1), t >= 1 (mb)a mt((n) + 1) (mod n)
(m (n))tm (mod n) (1)tm (mod n) by Euler’s Thm. m (mod n)
DONE
How to pick a public key
Pick 2 primes, p and q Compute n = pq and (n) = (p-1)(q-1) Choose a random b (1 < b < (n))
– gcd (b, (n)) = 1 Compute a = b-1 mod (n)
– Extended euclidean algorithm Publish the public key
– (b, n) is a person’s public key now(i.e., people may now send encrypted text using this public key)
Bob chooses his public key
He randomly chooses 17th and 19th primes, 59 and 67, respectively (p = 59, q = 67)
(n) = (58)(66) = 3828 Pick a random b, less than 3828 but > 1
– Let’s try 2669. Will that work? gcd(2669, 3828) = 1
Now, ab 1 (mod (n))– a * 2669 1 mod 3828– a will exist iff gcd(a, (n)) = 1
Bob finishes his calculations in making his public key…
a = b-1 in Zn, recall a is the decryption exponent a = 1625 (b-1 = 1625 modd 3828) Bob’s private key (a, n) is (1625,3953), so now
Bob publishes his public key (b,n) as (2669, 3953)
Alice wants to send Bob a message, m…
Alice has plaintext 3128 to send. She will send E(m):– Alice encrypts with public key (b,n) or (2669,3953)– E(m) = 31282669 mod 3953 = 3541
Bob receives the ciphertext 3541:– Bob decrypts with private key (a,n) or (1625,3953)– 35411625 mod 3953 = 3128
Some notes about a,b, p, and q
p and q must be large for security b, the encryption exponent, does not have to
be that large (216 – 1 = 65535 is good) a, the decryption exponent, needs to be
sufficiently large (512 to 2048 bits) Having to work with such large numbers, we
need to look at some other elements of RSA.
RSA: Component Operations
Exponentiation– We need to do it fast
Factorization– Believed to be difficult (security is here)
Finding prime numbers and testing primality– Rabin Miller test– New polynomial time algorithm
http://mathworld.wolfram.com/news/2002-08-07_primetest/ http://www.cse.iitk.ac.in/primality.pdf
Fast Exponentiation
a ^ 256 mod 7– Don’t do (a*a*a…*a) 256 times and mod by 7
(a * b) mod p = (a mod p * b mod p) mod p– Shortcut: Look at binary representation of 256– 256 = 28, (((((((a2) 2) 2) 2) 2) 2) 2) 2 and mod 7 each
time you perform a square– 25 = 11001 = 24 + 23 + 20
a ^ 25 mod n = (a * a8 * a16) mod n= (a * (((a2) 2) 2) * ((((a2) 2) 2) 2)) mod n
(((((((a2 mod n)*a) mod n)2 mod n)2 mod n)2 mod n) * a) mod n
Factorization
Brute force is stupid and slow– d = 1,2,3,4,… Does d divide n?– Factoring n = pq. If p <= q, n >= p2, so n >= p– d can go high as n in worst case– For n ~ 1040, 1020 number of divisions
Use structure of Zn
– p –1 method (not really used, but a good speedup)– Pollard’s rho method– Quadratic sieve, Number Field Sieve (NFS)– Is there a better method out there?
Finding some prime numbers
Easy to generate a number, but how do you know if it’s prime?
Rabin Miller– If n is prime, output is always “could be”– If n is composite, output is “composite” or “could be”– If n is composite and “could be” is returned, the
probability of a wrong answer is <= ¼
New polynomial algorithm that can say yes/no!
Using RSA: What can go wrong?
Computing (n) is no easier than factoring n From n = pq and (n) = (p-1)(q-1), we obtain:
– p2 – (n - (n) + 1)p + n = 0– The roots of the above equation will be p and q
If the decryption exponent, a is known, Bob needs to choose a new decryption exponent.– That isn’t enough! Bob must also choose a new
modulus.
DES vs. RSA
RSA is about 1500 times slower than DES– Exponentiation and modulus
Generation of numbers used in RSA can take time
Test n against known methods of factoring– http://www.rsasecurity.com/rsalabs/challenges/factoring/numbers.html
Key Distribution
Then hard problem for symmetric (secret) key ciphers
Transmitting a private key on an insecure channel– Asymmetric system solves problem
Primitive roots
is a pritimitive root of Fp you can get all elements of Fp from – There exists an m such that:
m = n mod p, for 1 <= n < p
m is unique Can you solve for m? Yes, but it’s hard by
currently known methods (Discrete log) All primes have primitive roots
Example of primitive root
Consider the element 2x mod 1320 1 mod 13 28 9 mod 13 21 2 mod 13 29 5 mod 13 22 4 mod 13 210 10 mod 13 23 8 mod 13 211 7 mod 13 24 3 mod 1325 6 mod 13 Primitive roots are not26 12 mod 13 found this way in Fp, but 27 11 mod 13 this is an example of a
primitive root.
Key distribution: Alice and Bob need to talk
Insecure channel of communication First, set up our field that our numbers will
operate within:– p, a large prime (sets up something called our field) is called a primitive root of Fp
Alice and Bob obtain a private key using public keys
a b
Bob Alice
ko = (a )b
k1 = (b )a
So, k1 = ko, and a secret key is shared between Alice and Bob.
What does the adversary know, and what can he do?
Knows a, b, , and p So we want to find the key, k
– k = ab
– This is believed to be hard.
If one knows how to compute discrete logs efficiently, then one can break this scheme (and other schemes based on public key cryptography)
Public Key Cryptographic Use
Secure RPC SSL Cisco encrypting routers
Key distribution
Key freshness Predistribution Agreement protocols
Trusted Authority – Alice and Bob need to talk (again)
How about a TA issuing a certificate?– TA shares a secret key with each person that may
ever want to communicate with TA– Alice asks for Bob’s public key, so TA issues a
certificate: E (K, ID(Bob), T, L)– E is done with Alice and TA’s shared key– K is random, T is timestamp, L is lifetime– Alice can verify certificate is from TA– Ex. Kerberos
Reading
“New Directions in Cryptography”– http://www.cs.rutgers.edu/~tdnguyen/classes/cs671/
presentations/Arvind-NEWDIRS.pdf
"A Method for Obtaining Digital Signatures and Public-Key Cryptosystems"– http://theory.lcs.mit.edu/~cis/pubs/rivest/rsapaper.ps