1
RSA – Genesis, operation &security
ECE 646 - Lecture 9
Public Key (Asymmetric) Cryptosystems
Public key of Bob - KBPrivate key of Bob - kB
Alice Bob
Network
Encryption Decryption
2
Trap-door one-way function
X f(X) Y
f-1(Y)
Whitfield Diffie and Martin Hellman“New directions in cryptography,” 1976
PUBLIC KEY
PRIVATE KEY
Professional (NSA) vs. amateur (academic)approach to designing ciphers
1. Know how to break Russian
ciphers
2. Use only well-established
proven methods
3. Hire 50,000 mathematicians
4. Cooperate with an industry
giant
5. Keep as much as possible
secret
1. Know nothing about
cryptology
2. Think of revolutionary
ideas
3. Go for skiing
4. Publish in “Scientific
American”
5. Offer a $100 award for
breaking the cipher
4
Challenge published in Scientific American
9686 9613 7546 2206 1477 1409 2225 43558829 0575 9991 1245 7431 9874 6951 20930816 2982 2514 5708 3569 3147 6622 88398962 8013 3919 9055 1829 9451 5781 5145
Ciphertext:
Public key:
N = 114381625757 888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541
(129 decimal digits)e = 9007
Award $100
1977
5
RSA as a trap-door one-way function
M C = f(M) = Me mod N C
M = f-1(C) = Cd mod N
PUBLIC KEY
PRIVATE KEY
N = P Q P, Q - large prime numbers
e d 1 mod ((P-1)(Q-1))
RSA keys
PUBLIC KEY PRIVATE KEY
{ e, N } { d, P, Q }
N = P Q
e d 1 mod ((P-1)(Q-1))
P, Q - large prime numbers
6
Why does RSA work? (1)
M’ = Cd mod N = (Me mod N)d mod N = M
decryptedmessage
originalmessage
?
e d 1 mod ((P-1)(Q-1))
e d 1 mod (N)
Euler’s totientfunction
Euler’s totient (phi) function (1)
(N) - number of integers in the range from 1 to N-1that are relatively prime with N
Special cases:
1. P is prime
Relatively prime with P: 1, 2, 3, …, P-1
2. N = P Q P, Q are prime
(N) = (P-1) (Q-1)
Relatively prime with N: {1, 2, 3, …, PQ-1} – {P, 2P, 3P, …, (Q-1)P}– {Q, 2Q, 3Q, …, (P-1)Q}
(P) = P-1
7
Euler’s totient (phi) function (2)
Special cases:
3. N = P2 P is prime
(N) = P (P-1)
Relatively prime with N: {1, 2, 3, …, P2-1} – {P, 2P, 3P, …, (P-1)P}
In general
If N = P1e1 P2
e2 P3e3 … Pt
et
(N) = Piei-1 (Pi-1)
i=1
t
Euler’s TheoremLeonard Euler, 1707-1783
a: gcd(a, N) = 1
a(N) 1 (mod N)
8
Euler’s Theorem - Justification (1)
For N=10 For arbitrary N
R = {1, 3, 7, 9} R = {x1, x2, …, x (N)}
Let a=3 Let us choose arbitrary a, such thatgcd(a, N) = 1
S = {ax1 mod N, ax2 mod N, …,ax (N)mod N}
S = { 31 mod 10,33 mod 10, 37 mod 10,
39 mod 10 }= {3, 9, 1, 7} = rearranged set R
Euler’s Theorem - Justification (2)
For N=10 For arbitrary N
R = S R = S
x1x2 x3 x4(ax1) (ax2)(ax3 )(ax4) mod N
x1x2 x3 x4a4 x1x2 x3 x4 mod N
a4 1 (mod N)
i=1
(N)
xi
i=1
(N)
a xi (mod N)
i=1
(N)
xi a(N)
i=1
(N)
xi (mod N)
a (N) 1 (mod N)
9
Why does RSA work? (2)
M’ = Cd mod N = (Me mod N)d mod N =
= Me d mod N =
= M1+k(N) mod N = M (M(N))k mod N =
= M (M(N) mod N)k mod N =
= M 1k mod N = M
e d 1 mod (N)e d = 1 + k(N)
=
Rivest estimation - 1977
The best known algorithm for factoring a129-digit number requires:
40 000 trilion years= 40 · 1015 years
assuming the use of a supercomputerbeing able to perform
1 multiplication of 129 decimal digit numbers in 1 ns
Rivest’s assumption translates to the delay of a single logic gate 10 ps
Estimated age of the universe: 100 bln years = 1011 years
10
Lehmer SieveBicycle chain sieve [D. H. Lehmer, 1928]
Computer Museum, Mountain View, CA
Machine à Congruences [E. O. Carissan, 1919]Machine à Congruences [E. O. Carissan, 1919]
11
Supercomputer Cray
Computer Museum, Mountain View, CA
Early records in factoring large numbers
YearsNumber of
decimaldigits
Numberof bits
Requiredcomputational
power(in MIPS-years)
1974
1984
1991
1992
1993
45
71
100
110
120
149
235
332
365
398
0.001
0.1
7
75
830
12
How to factor for free?A. Lenstra & M. Manasse, 1989
• Using the spare time of computers,(otherwise unused)
• Program and results sent by e-mail(later using WWW)
Practical implementations of attacks
Factorization, RSA
Year
Numberof bitsof N
Number ofdecimal digits
of N
Estimated amountof computations
1994
1996
1998
129
130
140
430
433
467 2000 MIPS-years
5000 MIPS-years
750 MIPS-years
Method
QS
GNFS
GNFS
1999 140467 8000 MIPS-yearsGNFS
13
Breaking RSA-129
When: August 1993 - 1 April 1994, 8 months
Who: D. Atkins, M. Graff, A. K. Lenstra, P. Leyland+ 600 volunteers from the entire world
How: 1600 computersfrom Cray C90, through 16 MHz PC,
to fax machines
Only 0.03% computational power of the Internet
Results of cryptanalysis:
“The magic words are squeamish ossifrage”
An award of $100 donated to Free Software Foundation
Elements affecting the progressin factoring large numbers
computational power
computer networks
better algorithms
1977-1993 increase of about 1500 times
Internet
14
Factoring methods
General purpose Special purpose
QS - Quadratic Sieve
GNFS - General NumberField Sieve
ECM - Elliptic Curve Method
Time of factoring dependsonly on the size of N
Time of factoring is muchshorter if N or factors of N
are of the special form
Pollard’s p-1 method
Cyclotomic polynomial method
SNFS - Special Number FieldSieve
Continued Fraction Method(historical)
Running time of factoring algorithms
Lq[, c] = exp ((c+o(1))·(ln q)·(ln ln q)1- )
For =0
Lq[0, c] = (ln q)(c+o(1))
Algorithm polynomialas a function of the numberof bits of q
For =1
Lq[1, c] = exp((c+o(1))·(ln q))
Algorithm exponentialas a function of the numberof bits of q
For 0 < < 1 Algorithm subexponentialas a function of the number
of bits of q
f(n) = o(1) if for any positive constant c>0 there exist a constantn0>0, such that 0 f(n) < c, for all n n0
15
General purpose factoring methods
size of the factored numberN in decimal digits (D)
100D 130D
QS moreefficient
NFS moreefficient
Expected running time
QS NFS
LN[1/2, 1] = exp((1 + o(1))·(ln N)1/2 ))·(ln ln N)1/2)
LN[1/3, 1.92] = exp((1.92 + o(1))·(ln N)1/3 ))·(ln ln N)2/3)
110D 120D
First RSA Challenge
RSA-100RSA-110RSA-120RSA-130RSA-140RSA-150RSA-160RSA-170RSA-180RSA-190RSA-200RSA-210..............RSA-450RSA-460RSA-470RSA-480RSA-490RSA-500
Largest number factored to date
RSA-200 May 2005
16
Second RSA Challange
Lentgh of Nin bits
Length of Nin decimal digits
Award forfactorization
576
640
704
768
896
1024
1536
2048
174
193
212
232
270
309
463
617
$10,000
$20,000
$30,000
$50,000
$75,000
$100,000
$150,000
$200,000
Number of bits vs. number of decimal digits
10#digits = 2#bits
#digits = (log10 2) · #bits 0.30 · #bits
256 bits = 77 D384 bits = 116 D512 bits = 154 D768 bits = 231 D1024 bits = 308 D2048 bits = 616 D
17
Factoring 512-bit number
512 bits = 155 decimal digitsold standard for key sizes in RSA
17 March - 22 August 1999
168 workstations SGI and Sun, 175-400 MHz
First stage
Second stage
Cray C916 - 10 days, 2.3 GB RAM
Group of Herman te RieleCentre for Mathematics and Computer Science(CWI), Amsterdam
120 Pentium PC, 300-450 MHz, 64 MB RAM4 stations Digital/Compaq, 500 MHz
2 months
March 2002, Financial Cryptography Conference
Nicko van Someren, CTO nCipher Inc.announced that his company developed software
capable of breaking 512-bit RSA keywithin 6 weeks
using computers available in a single office
Practical progress in factorization
18
Number of operations in the best known attack
512-bit RSADES(56-bit key)
1/50
NDES
NDES
RSA vs. DES: Resistance to attack
Factoring RSA-576512 bits = 155 decimal digits
When?
Who?
Announced: December 3, 2003
J. Franke and T. KleinjungBonn UniversityMax Planck Institute for Mathematics in BonnExperimental Mathematics Institute in Essen
P. Montgomery and H. te Riele - CWIF. Bahr, D. Leclair, P. Leyland and R. Wackerbarth
German Federal Agency for InformationTechnology Security (BIS)
19
Factoring RSA-200200 decimal digits = 664 bits
When?
Who?
Dec 2003 - May 2005
CWI (Netherlands), Bonn University,Max Planck Institute for Mathematics in BonnExperimental Mathematics Institute in EssenGerman Federal Agency for InformationTechnology Security (BIS)
First stage
Second stage
Effort?
About 1 year on various machines, equivalent to55 years on Opteron 2.2 GHz CPU
3 months on a cluster of 80 2.2 GHz Opteronsconnected via a Gigabit network
Factoring RSA-640640 bits = 193 decimal digitsWhen?
Who?
June 2005 - Nov 2005
CWI (Netherlands), Bonn University,Max Planck Institute for Mathematics in BonnExperimental Mathematics Institute in EssenGerman Federal Agency for InformationTechnology Security (BIS)
First stage
Second stage
Effort?
3 months on 80 Opteron 2.2 GHz CPUs
1.5 months on a cluster of 80 2.2 GHz Opteronsconnected via a Gigabit network
20
numberdecimaldigits
date time (phase 1) algorithm
C116 116 1990 275 MIPS years mpqs
RSA-120 120 VI. 1993 830 MIPS years mpqs
RSA-129 129 IV. 1994 5000 MIPS years mpqs
RSA-130 130 IV. 1996 1000 MIPS years gnfs
RSA-140 140 II. 1999 2000 MIPS years gnfs
RSA-155 155 VIII. 1999 8000 MIPS years gnfs
C158 158 I. 2002 3.4 Pentium 1GHz CPU years gnfs
RSA-160 160 III. 2003 2.7 Pentium 1GHz CPU years gnfs
RSA-576 174 XII. 2003 13.2 Pentium 1GHz CPU years gnfs
C176 176 V. 2005 48.6 Pentium 1GHz CPU years gnfs
RSA-200 200 V. 2005 121 Pentium 1GHz CPU years gnfs
Factorization records
Factorization records
He who has absolute confidence in linear regression willexpect a 1024-bit RSA number to be factored on
December 17, 2028
21
For the most recent records see
Factorization Announcements at
http://www.crypto-world.com/FactorAnnouncements.html
Estimation of RSA Security Inc. regardingthe number and memory of PCs
necessary to break RSA-1024
Attack time: 1 year
Single machine: PC, 500 MHz, 170 GB RAM
Number of machines: 342,000,000
22
Best Algorithm to Factor Large Numbers
NUMBER FIELD SIEVE
Complexity: Sub-exponential time and memory
N = Number to factor,k = Number of bits of N
Polynomialfunction, a·km
Exponential function, ek
Sub-exponential function,
e k1/3
(ln k)2/3
k = Number of bits of N
Executiontime
Factoring 1024-bit RSA keysusing Number Field Sieve (NFS)
Polynomial Selection
Linear Algebra
Square Root
Relation Collection
Sieving
Minifactoring (Cofactoring,Norm Factoring)200 bit
smooth numbers
& 350 bit
ECM, p-1 method, rho method
23
TWINKLE“The Weizmann INstitute Key Locating Engine”
Adi Shamir, Eurocrypt, May 1999CHES, August 1999
Electrooptical device capable to speed-upthe first phase of factorization from 100 to 1000 times
If ever built it would increase the size of the keythat can be broken from 100 to 200 bits
Cost of the device (assuming that the prototype wasearlier built) - $5000
Bernstein’s Machine (1)
Fall 2001
Daniel Bernstein, professor of mathematicsat University of Illinois in Chicagosubmits a grant application to NSF
and publishes fragments of this applicationas an article on the web
D. Bernstein, Circuits for Integer Factorization: A Proposal
http://cr.yp.to/papers.html#nfscircuit
24
March 2002
• Bernstein’s article “discovered” duringFinancial Cryptography Conference
• Informal panel devoted to analysis of consequencesof the Bernstein’s discovery
• Nicko Van Someren (nCipher) estimates that machinecosting $ 1 bilion is able to break 1024-bit RSAwithin several minuts
Bernstein’s Machine (2)
March 2002
• alarming voices on e-mailing discussion listscalling for revocation of all currently used
1024-bit keys
• sensational articles in newspapers aboutBernstein’s discovery
Bernstein’s Machine (3)
25
April 2002
Response of the RSA Security Inc.:
Error in the estimation presented at the conference;according to formulas from the Bernstein’s article
machine costing$ 1 billion is able to break
1024-bit RSA within10 billion x several minuts = tens of years
According to estimations of Lenstra i Verheul, machinebreaking 1024-bit RSA within one day
would cost $ 160 billion in 2002
Bernstein’s Machine (4)
Arjen Lenstra, Citibank & U. Eindhoven:
„…I have no idea what is this all fuss about...”
Bruce Schneier, Counterpane:
Carl Pomerance, Bell Labs:
„…fresh and fascinating idea...”
„ ... enormous improvements claimed are more a resultof redefining efficiency than anything else...”
Bernstein’s Machine (5)
26
RSA keylength that can be brokenusing Bernstein’s machine
Computational cost = time [days] * memory [$]
RSA key lengths that can be brokenusing classical computers
3
2
1?
? ?
infinity
?
$ 1 bln*1 day $ 1000 bln*1 day
Bernstein’s Machine (6)
TWIRLFebruary 2003
Adi Shamir & Eran Tromer, Weizmann Institute of Science
Hardware implementation of the sieving phase ofNumber Field Sieve (NFS)
Assumed technology:
CMOS, 0.13 mclock 1 GHz
30 cm semiconductor wafers at the cost of $5,000 each
27
TWIRL
Tentative estimations(no experimental data):
512-bit RSA:
1024-bit RSA:
< 10 minutes$ 10 k
< 1 year$ 10 million
A. Shamir, E. TromerCrypto 2003
Theoretical Designs for Sieving (1)
1999-2000
TWINKLE ( Shamir, CHES 1999;
Shamir & Lenstra, Eurocrypt 2000)
- based on optoelectronic devices (fast LEDs)
- not even a small prototype built in practice
- not suitable for 1024 bit numbers
2003
TWIRL (Shamir & Tromer, Crypto 2003)
- semiconductor wafer design
- requires fast communication between chips located
on the same 30 cm diameter wafer
- difficult to realize using current fabrication technology
28
Theoretical Designs for Sieving (2)
2003-2004
Mesh Based Sieving / YASD
(Geiselmann & Steinwandt, PKC 2003
Geiselmann & Steinwandt, CT-RSA 2004)
- not suitable for 1024 bit numbers
2005
SHARK (Franke et al., SHARCS & CHES 2005)
- relies on an elaborate butterfly switch
connecting large number of chips
- difficult to realize using current technology
Theoretical Designs for Sieving (3)
2007
Non-Wafer-Scale Sieving Hardware(Geiselmann & Steinwandt, Eurocrypt 2007)
- based on moderate size chips (2.2 x 2.2 cm)
- communication among chips seems to be realistic
- 2 to 3.5 times slower than TWIRL
- supports only linear sieving, and not more optimal
lattice sieving
29
Estimated recurring costs withcurrent technology (US$year)
768-bit 1024-bit
TraditionalPC-based
1.3107 1012
TWINKLE 8106
TWIRL 5103 10106
Mesh-based 3104
SHARK 230106
But: non-recurring costs, chip size, chip transport networks…
by Eran Tromer, May 2005
However…
Just analytical estimations, no realimplementations, no concrete numbers
None of the theoretical designs ever built.
30
First Practical Implementation ofthe Relation Collection Step in Hardware
Tetsuya Izu and Jun Kogureand Takeshi Shimoyama (Fujitsu)
CHES 2007 - CAIRN 2 machine, September 2007SHARCS 2007 – CAIRN 3 machine, September 2007
2007
Japan
First large number factoredusing FPGA support
Factored number:
N = P · Q423-bits 205 bits 218 bits
Time of computations:
One month of computations using a PC supported by CAIRN 2for a 423-bit number
Problems:
- Speed up vs. one PC (AMD Opteron): only about 4 times- Limited scalability
CAIRN 3 about 40 times faster than CAIRN 2
Time of sieving with CAIRN 3 for a 768-bit keyestimated at 270 years
31
SHARCS - Special-purpose Hardwarefor Attacking Cryptographic Systems
1st edition: Paris, Feb. 24-25, 20052nd edition: Cologne, Apr. 3-4, 20063rd edition: Vienna, Sep. 9-10, 2007
Workshop Series
Seehttp://www.ruhr-uni-bochum.de/itsc/tanja/SHARCS/
Keylengths in public key cryptosystemsthat provide the same level of security as AES
and other secret-key ciphers
Arjen K. Lenstra, Eric R. Verheul„Selecting Cryptographic Key Sizes”Journal of Cryptology
Arjen K. Lenstra„Unbelievable Security: Matching AES SecurityUsing Public Key Systems”ASIACRYPT’ 2001
32
0
2000
4000
6000
8000
10000
12000
14000
16000
18000
Keylengths in RSA providing the same levelof security as selected secret-key cryptosystems
DES 3 DES(2 keys)
3 DES(3 keys)
AES-128 AES-192 AES-256
The same number of operations
The same cost
416620 1333
1723 19412426 2644
3224
68977918
13840
15387
0
2000
4000
6000
8000
10000
12000
14000
16000
18000
2001 2010 2020 2030DES3 DES (2K)3 DES (3K)
AES-128
AES-192
AES-256
year
Keylengths in RSA providing the same levelof security as selected secret-key cryptosystems
33
Recommended key sizes for RSARSA Laboratories, 1996
Old standard:
New standard:
Individual users
Individual users
Organizations (short term)
Organizations (long term)
512 bits(155 decimal digits)
768 bits(231 decimal digits)
1024 bits(308 decimal digits)
2048 bits(616 decimal digits)
Recommendations of RSA Security Inc.
May 6, 2003
2003-2010
2010-2030
2030-
Validity period
MinimalRSA key length
(bits)
Equivalent symmetrickey length
(bits)
80
112
128
1024
2048
3072
34
Five security levelsallowed by American government
NIST SP 800-56
RSA / DH ECCSymmetric
ciphersLevel
I
II
III
IV
V
80
112
128
192
256
160
224
256
384
512
1024
2048
3072
8192
15360
68
Discovery of public key cryptographyby British Intelligence
CESG - Communications-Electronics Security GroupBritish intelligence agency existing
for over 80 yers
Employees of CESG discovered the idea ofpublic key cryptography, the RSA cryptosystem and
the Diffie-Hellman key agreement schemeseveral years before their discovery in open research
Story disclosed only in December 1997
35
69
General concept ofpublic key cryptography
Secret research Open research
James H. Ellis
“The possibility of SecureNon-Secret DigitalEncryption”
January 1970
Whit Diffie, Martin Hellman
November 1976
“New Directions inCryptography”
• proof of a possibility ofconstructing non-secret-keycryptography
• example of a public-keyagreement scheme
• concept of a digital signature
70
RSA cryptosystem
Secret research Open research
Clifford Cocks Ron Rivest, Adi Shamir,Martin Hellman
November 1973 January 1978
C = MN mod N C = Me mod N
Decryption always based onthe Chinese RemainderTheorem
Decryption based onthe Chinese RemainderTheorem optional
36
71
Diffie-Hellman Key Agreement Scheme
Secret Research Open Research
Whit Diffie, Martin HellmanMalcolm Williamson
1974 June 1976
72
Discovery of the public key cryptographyby British Intelligence
• Discovery in the secret research had onlyhistorical significance
• Discovery in the open research initiatedthe revolution in cryptography
• It is still unclear whether and if so whenpublic key cryptography was discovered by NSA.
• British Intelligence never considered applyingpublic key cryptography for digital signatures
37
ACM A.M. Turing Award2002
R. RivestA. ShamirL. Adleman
“For Seminal Contributionsto the Theory and Practical Applications of
Public Key Cryptography”
Turing Award Lectures
Dr. Leonard M. AdlemanUniversity of Southern CaliforniaPre RSA Days
Dr. Ronald L. RivestMassachusetts Institute of TechnologyEarly RSA Days
Dr. Adi ShamirThe Weizmann InstituteCryptology: A Status Report