RSA and El Gamal Cryptosystems
RSA Cryptosystem
7/29/2018 8:31 AM

Outline

Euler's theorem (§10.1.3)
RSA cryptosystem (§10.2.3)
    Definition
    Example
    Security
    Correctness
Algorithms for RSA
    Modular power (§10.1.4)
    Modular inverse (§10.1.5)
    Randomized primality testing (§10.1.6)

Euler's Theorem

The multiplicative group for $Z_n$, denoted $Z^*_n$, is the subset of elements of $Z_n$ relatively prime with $n$.
The totient function of $n$, denoted $\phi(n)$, is the size of $Z^*_n$.

Example:
    $Z^*_{10} = \{1, 3, 7, 9\}$
    $\phi(10) = 4$

If $p$ is prime, we have
    $Z^*_p = \{1, 2, \ldots, (p - 1)\}$
    $\phi(p) = p - 1$

Euler's Theorem: For each element $x$ of $Z^*_n$, we have $x^{\phi(n)} \bmod n = 1$.

Example ($n = 10$):
    $3^{\phi(10)} \bmod 10 = 3^4 \bmod 10 = 81 \bmod 10 = 1$
    $7^{\phi(10)} \bmod 10 = 7^4 \bmod 10 = 2401 \bmod 10 = 1$
    $9^{\phi(10)} \bmod 10 = 9^4 \bmod 10 = 6561 \bmod 10 = 1$

The RSA Cryptosystem (1)

Theorem: Let $p$ and $q$ be two odd primes, and $n = pq$. Let $e$ be relatively prime with $\phi(n)$ and let $d$ be the multiplicative inverse of $e$ modulo $\phi(n)$. For each integer $x$ such that $0 < x < n$,
    $x^{ed} \equiv x \bmod n$

The RSA Cryptosystem (2)

Setup:
    $n = pq$, with $p$ and $q$ primes
    $e$ relatively prime to $\phi(n) = (p - 1)(q - 1)$
    $d$ inverse of $e$ in $Z_{\phi(n)}$
Keys:
    Public key: $K_E = (n, e)$
    Private key: $K_D = d$
Encryption:
    Plaintext $M$ in $Z_n$
    $C = M^e \bmod n$
Decryption:
    $M = C^d \bmod n$

Example
Setup:
    $p = 7$, $q = 17$
    $n = 7 \cdot 17 = 119$
    $\phi(n) = 6 \cdot 16 = 96$
    $e = 5$
    $d = 77$
Keys:
    public key: (119, 5)
    private key: 77
Encryption:
    $M = 19$
    $C = 19^5 \bmod 119 = 66$
Decryption:
    $M = 66^{77} \bmod 119 = 19$

Complete RSA Example

Setup:
    $p = 5$, $q = 11$
    $\phi(n) = 4 \cdot 10 = 40$
    $e = 3$
    $d = 27$ ($3 \cdot 27 = 81 = 2 \cdot 40 + 1$)
Encryption:
    $C = M^3 \bmod 55$
Decryption:
    $M = C^{27} \bmod 55$

Security of RSA Algorithm (1)

The security of the RSA cryptosystem is based on the widely believed difficulty of factoring large numbers.
The best known factoring algorithm (general number field sieve) takes time exponential in the number of bits of the number to be factored.
The RSA challenge, sponsored by RSA Security, offers cash prizes for the factorization of given large numbers.
In April 2002, prizes ranged from $10,000 (576 bits) to $200,000 (2048 bits).

Security of RSA Algorithm (2)

In 1999, a 512-bit number was factored in 4 months using the following computers:
    160 175-400 MHz SGI and Sun
    8 250 MHz SGI Origin
    120 300-450 MHz Pentium II
    4 500 MHz Digital/Compaq

Estimated resources needed to factor a number within one year:

    Bits     PCs                     Memory
    430      1                       128MB
    760      215,000                 4GB
    1,020    $342 \times 10^6$       170GB
    1,620    $1.6 \times 10^{15}$    120TB

Correctness of RSA Algorithm (1)

We show the correctness of the RSA cryptosystem for the case when the plaintext $M$ does not divide $n$.
Namely, we show that
    $(M^e)^d \bmod n = M$
Since $ed \bmod \phi(n) = 1$, there is an integer $k$ such that
    $ed = k\phi(n) + 1$
Since $M$ does not divide $n$, by Euler's theorem we have
    $M^{\phi(n)} \bmod n = 1$

Correctness of RSA Algorithm (2)

Thus, we obtain
    $(M^e)^d \bmod n$
    $= M^{ed} \bmod n$
    $= M^{k\phi(n) + 1} \bmod n$
    $= M \cdot M^{k\phi(n)} \bmod n$
    $= M \cdot (M^{\phi(n)})^k \bmod n$
    $= M \cdot (M^{\phi(n)} \bmod n)^k \bmod n$
    $= M \cdot (1)^k \bmod n$
    $= M \bmod n$
    $= M$
See the book for the proof of correctness in the case when the plaintext $M$ divides $n$.

Algorithmic Issues

The implementation of the RSA cryptosystem requires various algorithms.
Overall
    Representation of integers of arbitrarily large size and arithmetic operations on them
Encryption
    Modular power
Decryption
    Modular power
Setup
    Generation of random numbers with a given number of bits (to generate candidates $p$ and $q$)
    Primality testing (to check that candidates $p$ and $q$ are prime)
    Computation of the GCD (to verify that $e$ and $\phi(n)$ are relatively prime)
    Computation of the multiplicative inverse (to compute $d$ from $e$)

Using RSA for Digital Signatures

The digital signature $S$ for message $M$ is obtained by applying the decryption function (with the private key) to $M$:
    $S \leftarrow M^d \bmod n$    (RSA signature)
The verification of the digital signature $S$ is performed with the encryption function (with the public key) by checking that
    $M \equiv S^e \pmod n$    (RSA verification)

Analysis for RSA Encryption

Theorem: Let $n$ be the modulus used in the RSA cryptosystem. RSA encryption, decryption, signature, and verification each take $O(\log n)$ arithmetic operations.

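The algorithms listed under Algorithmic Issues (modular power, GCD check, multiplicative inverse), applied to the two numeric examples and the signature rule above. This is an added example, not code from the slides; the function names are chosen here, and it is textbook RSA on toy primes with no padding.

```python
# Added example (not from the slides): textbook RSA on the slides' toy numbers.
from math import gcd

def mod_pow(base, exp, mod):
    """Square-and-multiply: O(log exp) modular multiplications."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:                       # current low bit of the exponent is 1
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result

def mod_inverse(a, m):
    """Extended Euclid: return a^-1 mod m, or raise if gcd(a, m) != 1."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not relatively prime")
    return old_s % m

def rsa_setup(p, q, e):
    """Return (public key (n, e), private exponent d) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (n, e), mod_inverse(e, phi)

def encrypt(m, pub):
    return mod_pow(m, pub[1], pub[0])     # C = M^e mod n

def decrypt(c, pub, d):
    return mod_pow(c, d, pub[0])          # M = C^d mod n

def sign(m, pub, d):
    return mod_pow(m, d, pub[0])          # S = M^d mod n

def verify(m, s, pub):
    return mod_pow(s, pub[1], pub[0]) == m % pub[0]   # M == S^e (mod n)

if __name__ == "__main__":
    pub, d = rsa_setup(7, 17, 5)
    print(pub, d, encrypt(19, pub), decrypt(66, pub, d))
```
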
The El Gamal Cryptosystem (1)

The ElGamal algorithm is an asymmetric key encryption algorithm for public key cryptography which is based on Diffie-Hellman key agreement.
It was described by Taher Elgamal in 1984.
The ElGamal algorithm is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems.

The El Gamal Cryptosystem (2)

The Digital Signature Algorithm is a variant of the ElGamal signature scheme, which should not be confused with the ElGamal algorithm.
ElGamal can be defined over any cyclic group $G$. Its security depends upon the difficulty of a certain problem in $G$ related to computing discrete logarithms.

The El Gamal Cryptosystem (3)

Definition: Given integers $b$ and $n$, with $b < n$, the discrete logarithm of an integer $y$ to the base $b$ is an integer $x$ such that
    $b^x \equiv y \bmod n$
The discrete logarithm is also called the index, and we write $x = \mathrm{ind}_{b,n}\, y$.

The El Gamal Cryptosystem (4)

Let $p$ be a prime, and $g$ be a generator of $Z_p$. The private key $x$ is an integer between 1 and $p - 2$.
Let $y = g^x \bmod p$. The public key is a triplet $(p, g, y)$.
To encrypt a plaintext $M$, a random integer $k$ relatively prime to $p - 1$ is selected, and the following computation is performed:
    $a \leftarrow g^k \bmod p$
    $b \leftarrow M y^k \bmod p$
The ciphertext $C$ consists of the pair $(a, b)$.

The El Gamal Cryptosystem (5)

Decryption of the ciphertext $C = (a, b)$ is performed by the calculation:
    $M \leftarrow b / a^x \bmod p$
The security of El Gamal's algorithm relies on the difficulty of computing the discrete logarithm.
Theorem: Let $n$ be the modulus used in the El Gamal cryptosystem. El Gamal encryption, decryption, signature, and verification each take $O(\log n)$ arithmetic operations.

Security of El Gamal Cryptosystem (1)

ElGamal is a simple example of a semantically secure asymmetric key encryption algorithm (under reasonable assumptions).
It is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext.

Security of El Gamal Cryptosystem (2)

ElGamal's security rests, in part, on the difficulty of solving the discrete logarithm problem in $G$. Specifically, if the discrete logarithm problem could be solved efficiently, then ElGamal would be broken.
However, the security of ElGamal actually relies on the so-called Decisional Diffie-Hellman (DDH) assumption. This assumption is often stronger than the discrete log assumption, but is still believed to be true for many classes of groups.

Security of El Gamal Cryptosystem (3)

As described above, ElGamal can be defined over any cyclic group $G$, and is secure if a certain computational assumption (the "DDH Assumption") about that group is true.
Unfortunately, the straightforward use of $G = Z_p$ for a prime $p$ is insecure, because the DDH Assumption is false in this group.

Security of El Gamal Cryptosystem (4)

In contrast, computing discrete logs is believed to be hard in $Z_p$, but this is not enough for the security of El Gamal.
The two most popular types of groups used in El Gamal are subgroups of $Z_p$ and groups defined over certain elliptic curves.

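The encryption and decryption rules from El Gamal Cryptosystem (4) and (5), together with the reason the DDH assumption fails when $G = Z_p$: whether the plaintext is a square modulo $p$ can be read from the public values alone. This is an added example, not code from the slides; $p = 23$, $g = 5$ and all function names are constructed for illustration, and Python's built-in `pow` does the modular power and inverse.

```python
# Added example, not from the slides. Toy values: p = 23, generator g = 5.
import secrets
from math import gcd

P, G = 23, 5                      # constructed parameters; 5 generates Z_23*

def keygen(p=P, g=G):
    x = secrets.randbelow(p - 2) + 1              # private key, 1 <= x <= p-2
    return x, pow(g, x, p)                        # (x, y = g^x mod p)

def encrypt(m, y, p=P, g=G, k=None):
    if k is None:                                 # fresh random k per message
        k = secrets.randbelow(p - 2) + 1
        while gcd(k, p - 1) != 1:                 # k relatively prime to p-1
            k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), (m * pow(y, k, p)) % p   # ciphertext (a, b)

def decrypt(a, b, x, p=P):
    # M = b / a^x mod p; the division is multiplication by a modular inverse
    return (b * pow(pow(a, x, p), -1, p)) % p

def is_qr(v, p=P):
    """Euler's criterion: v is a square mod p iff v^((p-1)/2) mod p == 1."""
    return pow(v, (p - 1) // 2, p) == 1

def plaintext_is_qr(a, b, y, p=P):
    """From public values only: g^(xk) is a square iff y or a is a square,
    so comparing that with b reveals whether M is a square mod p."""
    return is_qr(b, p) == (is_qr(y, p) or is_qr(a, p))

if __name__ == "__main__":
    x, y = keygen()
    for m in (3, 5):                              # 3 is a square mod 23, 5 is not
        a, b = encrypt(m, y)
        print(m, (a, b), decrypt(a, b, x), plaintext_is_qr(a, b, y))
```

With $g = 4$, which generates the order-11 subgroup of squares modulo 23, and messages restricted to that subgroup, the same test returns the same answer for every ciphertext and so distinguishes nothing.
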
Efficiency of El Gamal

Encryption under El Gamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if need be.
Decryption only requires one exponentiation (plus one division, which is typically much faster).
Unlike in the RSA cryptosystem, El Gamal decryption cannot be sped up via the Chinese remainder theorem.

Diffie-Hellman Secret Key Exchange

1. Parties A and B publicly agree on a large prime $n$ and a generator $g$ in $Z_n$.
2. A chooses a random number $x$ and sends B the number $X = g^x \bmod n$.
3. B chooses a random number $y$ and sends A the number $Y = g^y \bmod n$.
4. A computes $K = Y^x \bmod n$.
5. B computes $K' = X^y \bmod n$.
6. $K = K'$ and A and B can use $K$ to communicate securely using a symmetric cryptosystem.

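The six steps above with both parties' computations, as an added example that is not from the slides. The toy values $n = 23$, $g = 5$, the `Party` class, the range check on the received value and the SHA-256 step that turns $K$ into a symmetric key are assumptions made here for illustration.

```python
# Added example, not from the slides. Toy values: n = 23, g = 5.
import hashlib
import secrets

N, G = 23, 5                                  # step 1: public prime n, generator g

def valid_public(v, n=N):
    """Values 0, 1 and n-1 would confine K to a set of at most two elements."""
    return 2 <= v <= n - 2

class Party:
    def __init__(self, n=N, g=G, secret=None):
        self.n = n
        while secret is None:                 # steps 2/3: random private exponent
            cand = secrets.randbelow(n - 3) + 2
            if valid_public(pow(g, cand, n), n):
                secret = cand                 # never emit a value a peer must reject
        self._secret = secret
        self.public = pow(g, secret, n)       # X = g^x mod n, sent in the clear

    def raw_secret(self, peer_public):
        if not valid_public(peer_public, self.n):
            raise ValueError("peer value outside [2, n-2]")
        return pow(peer_public, self._secret, self.n)   # steps 4/5: K = Y^x mod n

    def symmetric_key(self, peer_public):
        # step 6: hash K to a fixed-length key for a symmetric cipher
        k = self.raw_secret(peer_public)
        size = (self.n.bit_length() + 7) // 8
        return hashlib.sha256(k.to_bytes(size, "big")).digest()

if __name__ == "__main__":
    a, b = Party(), Party()
    print(a.public, b.public, a.symmetric_key(b.public) == b.symmetric_key(a.public))
```
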