CSCI284 Spring 2009 GWU Sections 5.1, 5.2.2, 5.3


Public Key Crypto: RSA

How does Alice send Bob the decryption key in private key crypto?
If Alice wants anyone to be able to decrypt her messages, but to know that they came from her:
Suppose she could make the decryption key available in a public place.
This would require that the decryption key give no information on the encryption key; in particular, it should not be equal to it.
4/29/2019 CS284-162/Spring09/GWU/Vora/RSA

How does Alice send Bob the decryption key in private key crypto? (contd.)
If she wants only Bob to be able to read her messages, and Bob is OK with anyone sending him messages in this way:
Suppose Bob makes his encryption key available publicly.
No one should be able to compute the decryption key from the encryption key.
This is the dual of the previous case.

Public Key Cryptography
Two injective functions $f$ and $g$ such that $fg = I$, i.e. messages encrypted with one can be decrypted with the other; the functions include the association with a key.
$f$ cannot be used to find $g$ and vice versa.
One is made public, the other kept private.
Encryption with the public function provides confidential transmission; decryption with the public function provides authentication.

One-way function
A one-way function is easy in the forward direction, difficult in the reverse direction.
Example: $f(x) = x^a \bmod m$

Trapdoor One-way Function
A trapdoor one-way function is easy in the reverse direction for someone with access to a trapdoor (secret information enabling easy inversion).
Example: if $f(x) = x^a \bmod m$ where $\gcd(a, \varphi(m)) = 1$ and $m = pq$ for primes $p$ and $q$, knowledge of $p$ or $q$ is a trapdoor.

RSA
Cocks ('73), Rivest, Shamir, Adleman ('76)
$n = pq$, $p$ and $q$ (large) primes
$P = C = \mathbb{Z}_n$
$K = \{(n, p, q, a, b) : ab \equiv 1 \pmod{\varphi(n)}\}$
$f_K(m) = m^a \bmod n$
$g_K(m) = m^b \bmod n$

RSA: Key generation
Find $p$ and $q$ (two large random primes).
$n = pq$
$\varphi(n) = (p-1)(q-1)$
Choose a random $a$ invertible mod $\varphi(n)$ such that $1 < a < \varphi(n)$, i.e. $a$ such that $\gcd(a, \varphi(n)) = 1$.
Use the Euclidean algorithm to find $b = a^{-1} \bmod \varphi(n)$.
It is not known how to determine $\varphi(n)$ without $p$ and $q$.
One key: $(n, a)$; the other key: $(n, b)$.

Example

A Trapdoor One-way Function?
RSA encryption is believed to be a one-way function with the factorization of $n$ as the trapdoor.
It is not known if encryption really is one-way.
It is not known if there are other trapdoors.
However, for security, it is certainly required that it not be possible to factor $n$.

Security of RSA
Is it based on hardness of factoring $n$?
It is not known if:
  factoring a product of two primes into its prime components is
    solvable in polynomial time
    NP-complete
  there are other trapdoors to RSA, i.e. other ways of breaking it in general
Factoring is an easy problem in the quantum computing model.

RSA: Computational complexity
512-bit primes, $n$ is 1024 bits
Encryption: $b^3$, where a plaintext character is $b$ bits
Decryption by brute force: $2^b b^3$
Key generation: Primes? $O(b^2)$, $O(b^3)$

Encryption of blocks of symbols
Block ABCD…, each symbol is base $N$ (e.g. $N = 2, 16$)
Convert a block of a few symbols to an integer mod $n$
RSA encrypt
Convert back to base $N$
Example.

RSA Decryption
Show that $f_K$ and $g_K$ are inverses:
$f(g(x)) = x^{ba} \bmod n = x^{t\varphi(n)+1} \bmod n = x \cdot x^{t\varphi(n)} \bmod n$
What do we do now?

We will need
Chinese Remainder Theorem (CRT)
Lagrange's Theorem

CRT: Solve congruences
What is $x$?
$17x \equiv 3 \pmod{101}$
$5x \equiv 2 \pmod{7}$

Chinese Remainder Theorem
There is exactly one number modulo $xy$ which is $b \bmod x$ and $B \bmod y$ if $x$ and $y$ are relatively prime.
Proof: Suppose not. Then:
First number $= ax + b = Ay + B$
Second number $= cx + b = Cy + B$
$(a-c)x = (A-C)y$
$y \mid (a-c)x \Rightarrow y \mid (a-c)$ because $x$ and $y$ are relatively prime
$a = my + c$
first number $= mxy + cx + b =$ second number modulo $xy$

Determine a number $x$ given
$x = a_i \bmod m_i$ for $i = 1, \ldots, n$
$\gcd(m_i, m_j) = 1$ for $i \neq j$
Let $M = \prod_i m_i$
and $M_i = M/m_i$
Find $y_i$ such that $y_i M_i = 1 \bmod m_i$
Then $x = \left(\sum_i a_i y_i M_i\right) \bmod M$
Example.

So we have shown that:
There is exactly one number that satisfies the congruences, and it can be determined using the formula provided.
Define the map $\mathbb{Z}_M \to \mathbb{Z}_{m_1} \times \mathbb{Z}_{m_2} \times \cdots \times \mathbb{Z}_{m_r}$ by $x \mapsto (x \bmod m_1, x \bmod m_2, \ldots, x \bmod m_r)$
Example.
CRT is equivalent to saying that this map is bijective (one-to-one, i.e. injective; and onto, i.e. surjective).
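The construction above as a Python sketch, applied to the two congruences from the "CRT: Solve congruences" slide and followed by an exhaustive bijectivity check. This is an added example, not part of the original slides; the function names are illustrative, and `pow(x, -1, m)` and `math.prod` assume Python 3.8 or later.

```python
from math import gcd, prod

def solve_linear(c, a, m):
    """Reduce c*x = a (mod m) to x = a * c^-1 (mod m); needs gcd(c, m) = 1."""
    if gcd(c, m) != 1:
        raise ValueError("c is not invertible modulo m")
    return (a * pow(c, -1, m)) % m

def crt(residues, moduli):
    """Return (x, M): the unique x mod M with x = a_i (mod m_i)."""
    for i, m_i in enumerate(moduli):
        if any(gcd(m_i, m_j) != 1 for m_j in moduli[i + 1:]):
            raise ValueError("moduli must be pairwise relatively prime")
    M = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        y_i = pow(M_i, -1, m_i)          # y_i * M_i = 1 (mod m_i)
        x += a_i * y_i * M_i
    return x % M, M

def residue_map(x, moduli):
    """x -> (x mod m_1, ..., x mod m_r), the map the slides define on Z_M."""
    return tuple(x % m for m in moduli)

def is_bijective(moduli):
    """Exhaustively check that residue_map hits each tuple exactly once."""
    M = prod(moduli)
    return len({residue_map(x, moduli) for x in range(M)}) == M

def slide_example():
    """17x = 3 (mod 101) and 5x = 2 (mod 7), the congruences on the slide."""
    a1 = solve_linear(17, 3, 101)        # x = 18 (mod 101)
    a2 = solve_linear(5, 2, 7)           # x = 6 (mod 7)
    return crt([a1, a2], [101, 7])

if __name__ == "__main__":
    print(slide_example())               # (321, 707)
    # Relatively prime moduli give a bijection; 4 and 6 do not.
    print(is_bijective([101, 7]), is_bijective([4, 6]))
```

The second call shows why the theorem requires relatively prime moduli: with 4 and 6 only 12 of the 24 residue pairs are reached.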

Order of an element
Smallest number such that repeated group operation on the element gives the identity.
That is, for any $g \in G$, a group with operation $\circ$, $i$ is the smallest number such that
$o(g) = i \Leftrightarrow \underbrace{g \circ g \circ \cdots \circ g}_{i \text{ times}} =$ group identity
Example

Lagrange's theorem on the order of a group element
Theorem: Suppose $G$ is a multiplicative group of order $n$ (i.e. the group operation is multiplication) and $g \in G$. Then the order of $g$ divides $n$.
Example: multiplicative group.
True also of additive groups.
Example: additive group.

Lagrange's theorem on the order of a group element - II
Proof: Consider the following relation: $a \sim b$ iff $a x^i = b$ for some $i$.
It is an equivalence relation because:
$a x^{o(x)} = a$
If $a \sim b$ then $b = a x^i$ and $a = b x^{-i}$ and $b \sim a$
If $a \sim b$ and $b \sim c$, then $b = a x^i$ and $c = b x^j = a x^{i+j}$ and $a \sim c$
Hence, the cosets of this relation partition the group and are of equal size.
Example: the relation for some $x$ and composite $n$

Lagrange's theorem on the order of a group element - III
Hence, the size of any coset divides the size of the group if it is finite.
$\{e, x^1, x^2, \ldots, x^{o(x)}\}$ is a coset of size $o(x)$,
because any coset that contains $x$ $= \{a \text{ s.t. } a x^i = x \text{ for some } i\} = \{a = x^{1-i} \text{ for some } i\} = \{x^j \text{ for some } j\}$
Hence $o(x) \mid n$
Example, composite $n$

RSA Decryption
Show that $f_K$ and $g_K$ are inverses:
$f(g(x)) = x^{ba} \bmod n = x^{t\varphi(n)+1} \bmod n = x \cdot x^{t\varphi(n)} \bmod n = x \bmod n$ if $x \in \mathbb{Z}_n^*$ (by Lagrange's Theorem)
What if $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?

$x \cdot x^{t\varphi(n)} \bmod n = ?$
For $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$
Write $\mathbb{Z}_n = \mathbb{Z}_p \times \mathbb{Z}_q$
Use CRT: $x \mapsto (x \bmod p, x \bmod q) =$ wlog $(0, d)$ (because $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$)
$x^{\varphi(n)} = (0, d^{\varphi(n)}) = (0, 1)$
$x \cdot x^{\varphi(n)} = (0, d)(0, d^{\varphi(n)}) = x$
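The key generation steps from the "RSA: Key generation" slide and the inverse property argued on the two "RSA Decryption" slides, as a Python sketch that checks every element of Z_n, including the non-invertible ones. This is an added example, not part of the original slides; the primes 11 and 13 and the exponent a = 7 are constructed toy values, and the function names are illustrative.

```python
from math import gcd

def extended_gcd(a, m):
    """Return (d, s, t) with s*a + t*m = d = gcd(a, m) (Euclidean algorithm)."""
    old_r, r = a, m
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        k = old_r // r
        old_r, r = r, old_r - k * r
        old_s, s = s, old_s - k * s
        old_t, t = t, old_t - k * t
    return old_r, old_s, old_t

def keygen(p, q, a):
    """Build (n, a, b) with a*b = 1 (mod phi(n)), phi(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d, s, _ = extended_gcd(a, phi)
    if not (1 < a < phi) or d != 1:
        raise ValueError("need 1 < a < phi(n) and gcd(a, phi(n)) = 1")
    return n, a, s % phi                 # s is a^-1 mod phi(n)

def f(x, n, a):
    return pow(x, a, n)                  # f_K(x) = x^a mod n

def g(x, n, b):
    return pow(x, b, n)                  # g_K(x) = x^b mod n

def round_trip_report(p, q, a):
    """Check g(f(x)) = x for every x in Z_n, units and non-units alike."""
    n, a, b = keygen(p, q, a)
    non_units = [x for x in range(n) if gcd(x, n) != 1]   # Z_n \ Z_n*
    failures = [x for x in range(n) if g(f(x, n, a), n, b) != x]
    return {"n": n, "b": b, "non_units": len(non_units), "failures": failures}

if __name__ == "__main__":
    # Constructed toy parameters; real keys use large random primes.
    print(round_trip_report(11, 13, 7))
```

With these values b = 103, and the 23 elements sharing a factor with n = 143 round-trip as well, which is the case the CRT argument covers.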

A simple inefficient algorithm for generating a prime
Generate a $b$-bit random number.
It is prime with probability $1/\ln 2^b = 1/(b \ln 2) = O(1/b)$.
Generate enough of them and you will be done, in $O(b)$ complexity.
How do you check if it is prime?

Eratosthenes Sieve
If you want a prime of length $b$ bits, list the numbers 2 to $2^{b/2}$.
Starting from the beginning, delete all multiples of each prime: delete 4, 6, 8, …; 6, 9, …
At the end you will be left with the primes.
Check if these primes divide your randomly generated number.
If not, it is prime.
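The two slides above combined into one Python sketch: sieve the primes up to $2^{b/2}$, then draw random $b$-bit candidates until one survives trial division. This is an added example, not part of the original slides; the function names are illustrative, and forcing the top bit so that each candidate has exactly $b$ bits is an assumption of this sketch.

```python
import random
from math import isqrt

def sieve(limit):
    """Eratosthenes sieve: return all primes <= limit (limit >= 2)."""
    is_p = [True] * (limit + 1)
    is_p[0] = is_p[1] = False
    for i in range(2, isqrt(limit) + 1):
        if is_p[i]:
            for multiple in range(i * i, limit + 1, i):
                is_p[multiple] = False   # delete the multiples of prime i
    return [i for i, flag in enumerate(is_p) if flag]

def is_prime(candidate, small_primes):
    """Trial division; small_primes must reach sqrt(candidate)."""
    if candidate < 2:
        return False
    for p in small_primes:
        if p * p > candidate:
            break
        if candidate % p == 0:
            return False
    return True

def random_prime(bits, rng):
    """Return (prime, attempts): draw b-bit numbers until one is prime."""
    small_primes = sieve(1 << ((bits + 1) // 2))   # primes up to 2^(b/2)
    attempts = 0
    while True:
        attempts += 1
        # Assumption of this sketch: set the top bit so the number has b bits.
        candidate = rng.getrandbits(bits) | (1 << (bits - 1))
        if is_prime(candidate, small_primes):
            return candidate, attempts

if __name__ == "__main__":
    # Seeded generator so the demo is repeatable; it is not a source of
    # key-quality randomness.
    prime, attempts = random_prime(16, random.Random(2009))
    print(prime, attempts)
```

The sieve holds about $2^{b/2}$ entries, so this only runs for small $b$, which is the inefficiency the slide title refers to.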

Euler Phi function (number of invertible elements in $\mathbb{Z}_m$)
If $m = pq$:
$1, 2, 3, \ldots, p, \ldots, 2p, \ldots, 3p, \ldots, qp \Rightarrow q$ numbers divisible by $p$
$1, 2, 3, \ldots, q, \ldots, 2q, \ldots, 3q, \ldots, pq \Rightarrow p$ numbers divisible by $q$
$pq$ is the only number counted twice. No other numbers.
$pq - p - q + 1 = (p-1)(q-1)$ invertible elements

Can also show previous result using CRT