David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 13: Security of RSA THE MAGIC.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 13: Security of RSA THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE.

CS588 Spring Menu
Legality of discussing RSA
Properties of RSA
– Correct (last Thursday)
– Easy to compute if you know the key
– Hard to break if you don’t know the key

Properties of E and D
Trap-door one way function:
1. D(E(M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
4. E(D(M)) = M

Property 4: E(D(M)) = M
$D(M) = M^d \bmod n$
$E(D(M)) = (M^d \bmod n)^e \bmod n = M^{de} \bmod n = M^{ed} \bmod n = M$ (from the property 1 proof)

Properties of E and D
Trap-door one way function:
1. D(E(M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
4. E(D(M)) = M
Before going on… is it legal to talk about 2?

RSA in Perl
print pack"C*", split/\D+/, `echo [(pop,pop,unpack"H*",<>)]} \EsMsKsN0[lN*1lK[d2%Sa2/d0 <X+d*lMLa^*lN%0]dsXx++lMlN /dsM0<J]dsJxp"|dc`
(by Adam Back)
Until 1997 – Illegal to show this slide to non-US citizens!
Until Jan 2000: can export RSA, but only with 512 bit keys
Now: can export RSA except to embargoed destinations

First Amendment
Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment.
Sixth Circuit Court of Appeals, April 4, 2000
Ruling that Peter Junger could post RSA source code on his web site

Property 2: Easy to Compute
$E(M) = M^e \bmod n$
Easy – every 4th grader can do exponents, every kindergartner can do mod n.
How big are M, e, and n?
– M: $2^n$ where n is the number of bits in M
– M and n must be big (~ ) for security

Fast Exponentiation
$a^{m+n} = a^m \cdot a^n$
$a^b = a^{b/2} \cdot a^{b/2}$ (if 2 divides b)
So, can compute $M^e$ in about $\log_2 e$ multiplies
< $2^{512}$, 512 multiplies is doable (by a computer, not a kindergartner)
Faster bitwise algorithms known
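
Added example (not part of the original slides): the repeated-squaring identity above as an iterative Python function that also counts modular multiplications, so the "about log2 e multiplies" claim can be checked. The name `mod_exp` and the toy key (n = 3233, e = 17, d = 2753) are constructed for this illustration.

```python
def mod_exp(base, exponent, modulus):
    """Square-and-multiply: return (base**exponent mod modulus, multiplies used)."""
    if exponent < 0 or modulus <= 0:
        raise ValueError("need exponent >= 0 and modulus > 0")
    result = 1 % modulus
    base %= modulus
    multiplies = 0
    while exponent > 0:
        if exponent & 1:                      # low bit set: fold this power in
            result = (result * base) % modulus
            multiplies += 1
        exponent >>= 1
        if exponent:                          # a^b = a^(b/2) * a^(b/2)
            base = (base * base) % modulus
            multiplies += 1
    return result, multiplies


# Constructed toy key (far too small for real use): n = 53 * 61.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def toy_round_trip(message):
    """Encrypt then decrypt with the toy key; returns (ciphertext, recovered)."""
    ciphertext, _ = mod_exp(message, TOY_E, TOY_N)
    recovered, _ = mod_exp(ciphertext, TOY_D, TOY_N)
    return ciphertext, recovered


def worst_case_multiplies(bits):
    """Multiplies needed when every bit of a `bits`-bit exponent is set."""
    modulus = (1 << (2 * bits - 1)) | 1       # arbitrary odd modulus, constructed
    _, count = mod_exp(3, (1 << bits) - 1, modulus)
    return count


if __name__ == "__main__":
    print("round trip of 65:", toy_round_trip(65))
    print("multiplies for a 512-bit exponent:", worst_case_multiplies(512))
```

The count stays below twice the bit length of the exponent: one squaring per bit plus one multiply per set bit.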

Anything else hard to compute?
We need to find large prime numbers p and q
Obvious way:
  Pick big number x
  for i = 2 to x - 1   (sqrt(x) is enough)
    if i divides x
      it's not prime, start over with x + 1
  done – x is prime

How many prime numbers?
Infinite number (proved by Euclid, 300BC)

Infinite Primes Proof
Suppose that there exist only finitely many primes $p_1 < p_2 < \dots < p_r$.
Let $N = (p_1)(p_2)\cdots(p_r) + 1$
$N > p_r$ so it is composite, $N = p \cdot M$
If $p = p_i$ for some 1 … r, then,
$N = p_i \cdot M = p_i \cdot (p_1)(p_2)\cdots(p_{i-1})(p_{i+1})\cdots(p_r) + 1$
$p_i \, (M - (p_1)(p_2)\cdots(p_{i-1})(p_{i+1})\cdots(p_r)) = 1$
Contradiction: $p_i > 1$
Hence, there must be infinitely many primes.

Density of Primes
$\pi(x)$ is the number of primes $\le x$

Finding Primes
The Prime Number Theorem: $\pi(x) \sim x / \ln x$
So, to find a prime bigger than x, we need to make about $\ln x / 2$ guesses
Naïve prime test
– Each guess requires $\Theta(\sqrt{x})$ work
– Expect to need $\Theta(\ln x / 2 \cdot \sqrt{x})$ work
– For 200 digits = 230 *
– More work than breaking 3DES!

Need a faster prime test
There are several fast probabilistic prime tests
Can quickly test a prime with high probability, with a small amount of work
If we pick a non-prime, it's not a disaster (left as PS4 exercise to figure out what happens)

Fermat Test
Recall Fermat’s Little Theorem:
– If n is prime and a is not divisible by n then $a^{n-1} \equiv 1 \pmod n$
Prove n is composite by finding $a^{n-1} \not\equiv 1 \pmod n$
Showing $a^{n-1} \equiv 1 \pmod n$ does not prove n is prime
But if it holds for many a’s it is likely that n is prime
– Holds for all a’s for some non-primes known as Carmichael Numbers: 561, 645, 1105, …
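
Added example (not from the original slides): the Fermat test above run over the slide's three numbers, reporting whether each passes for base 2 and for every base coprime to it, next to a Miller-Rabin strong test as one of the fast probabilistic tests without this blind spot. Function names are this example's own, and Miller-Rabin is not named in the lecture.

```python
import math
import random


def fermat_passes(n, a):
    """True if a^(n-1) = 1 (mod n), i.e. base a does not expose n."""
    return pow(a, n - 1, n) == 1


def passes_for_every_coprime_base(n):
    """True if no base coprime to n proves n composite via the Fermat test."""
    return all(fermat_passes(n, a)
               for a in range(2, n - 1) if math.gcd(a, n) == 1)


def miller_rabin(n, rounds=20, rng=None):
    """Strong probable-prime test (added here; not named in the lecture)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    rng = rng or random.Random(0)        # fixed seed keeps the demo repeatable
    d, s = n - 1, 0
    while d % 2 == 0:                    # n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # this base is a witness: composite
    return True


def classify(n):
    """Summarise how n fares under each test."""
    return {
        "fermat_base_2": fermat_passes(n, 2),
        "fermat_every_coprime_base": passes_for_every_coprime_base(n),
        "miller_rabin": miller_rabin(n),
    }


if __name__ == "__main__":
    # The slide's three numbers plus one prime (7919) for comparison.
    for n in (561, 645, 1105, 7919):
        print(n, classify(n))
```

Running it shows 561 and 1105 passing the Fermat test for every coprime base, while 645 passes for base 2 but not for every base; Miller-Rabin rejects all three.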

Primality Test
PRIMES Problem
– Input: a number n
– Output: TRUE if n is prime, otherwise FALSE
Is PRIMES in P?

Quiz Time

PRIMES
PRIMES Problem
– Input: a number n
– Output: TRUE if n is prime, otherwise FALSE
Until 2002: believed there was no polynomial algorithm for PRIMES
– Lots of effort on this over 1000s of years

Gauss on PRIMES
The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length... Further, the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated.
Karl Friedrich Gauss, Disquisitiones Arithmeticae, 1801

PRIMES is in P
Manindra Agrawal, Neeraj Kayal and Nitin Saxena, PRIMES is in P. Indian Institute of Technology Kanpur, 2002
– Neeraj Kayal and Nitin Saxena were 4th year undergraduates at IIT Kanpur
– 7 pages long + references

Paper Excerpt
Key insight based on generalization of Fermat’s little theorem

Properties of E and D
Trap-door one way function:
1. D(E(M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way to compute D ??
Trap-door one way permutation: also
4. E(D(M)) = M

RSA
$E(M) = M^e \bmod n$
$D(C) = C^d \bmod n$
$n = pq$; p, q are prime
d is relatively prime to $(p - 1)(q - 1)$
$ed \equiv 1 \pmod{(p - 1)(q - 1)}$

Strategy
Revealing E: e, n. Can attacker find D?
If attacker factors $n = p \cdot q$
$ed \equiv 1 \bmod (p - 1)(q - 1)$
Easy to find $d \equiv e^{-1} \bmod (p - 1)(q - 1)$
Use experience to argue factoring is hard.
– This should make us somewhat nervous
Argue all other attacks are at least as hard as factoring n.

Gardner’s Column: Original RSA challenge ($100)
n (RSA-129) =
e = 9007
C =
Scientific American, August 1977

CS588 Spring  17 Ron Rivest (1977): factoring n (129 digits) would require at least 40 quadrillion years if you could do a * b mod c in one nanosecond. Derek Atkins (April 1994): We are happy to announce that RSA-129 = *

Trial and Error Factoring
Guess x, if $1 < \gcd(x, n) < n$ then x is an interesting factor
If p and q are similar size, lowest factor is around $\sqrt{n}$.
– Requires $O(\sqrt{n})$ divisions.
– For RSA-129 = 1.1 * divisions, 1 per nanosecond = 3.4 * years

Pollard’s Rho Method
Fastest known in 1977 [Pollard75]
To find factor p, requires 4  p modular multiplies
Worst case: lowest p is $\sqrt{n}$, we need 4  n multiplies
For RSA-129 = 1.3 * = 4 * years
Rivest probably used this, but made a math error (4 quadrillion  40 quadrillion)

How so Fast
Better factoring algorithms
Distributed computation
Still can’t do a * b mod c in one nanosecond (not faster processors)
– 1 ns = $10^{-9}$ s
– Best Pentium 4 today: 4 GHz (cycle = .25 ns)
– But, multiplying 100 digit numbers takes many cycles

Factoring Pragmatics
Conjectured to take $e^{\sqrt{2 \log n \log\log n}}$ steps to factor n.
Quadratic Sieve Factoring
– Improved Kraitchik’s algorithm to choose likely good values for x’s
– Complexity: $e^{\sqrt{\log n \log\log n}}$
– How much bigger numbers can it factor? Twice as many digits in same time!

Breaking RSA-129
Organized by Derek Atkins and others, 1994
Quadratic Sieve algorithm
Memory-limited (1994 – most workstations 16MB RAM), used 10M to hold .5M primes
Recruited volunteers from Internet
1600 machines
Used 5000 MIPS years over 8 months

To factor r [RSA-129] we assembled the largest collaboration yet seen in computational number theory and, possibly, performed the largest single computation ever completed. In several important respects, the resources we had available were barely adequate for the task. Consequently, ingenuity and diplomacy were required for the successful completion of the project.
Derek Atkins, Michael Graff, et. al., The Magic Words Are Squeamish Ossifrage, AsiaCrypt 1994.

Recent Factoring Algorithms
Team from CWI (Amsterdam) factored RSA-155 (512 bits), August 1999
~8000 MIPS years (36 CPU years)
7 months on ~300 machines
Lecture 1: factor 300 digit number for automatic A. How much harder is this?

Faster Factoring Algorithm
Function Field Sieve [Adelman & Lasker, 1992]
$O(\log^{10.5} n)$
“Breakthrough of Gaussian Proportions”
One serious limitation:
– Only works in Hollywood: this is what the movie “Sneakers” is about!

RSA Security
Factoring is hard (except in Sneakers)
Is this enough to know RSA is secure?
Can you compute D without factoring n?
– Probably not, but can’t prove it.
– But, can prove other obvious mathematical attacks are equivalent to factoring.

$\varphi(n)$ without factoring
Calculate $\varphi(n)$ without factoring n.
$ed \equiv 1 \bmod \varphi(n)$
Equivalent to factoring:
$\varphi(n) = (p - 1)(q - 1) = n - (p + q) + 1$
$p + q = n - \varphi(n) + 1$
$p - q = \sqrt{(p + q)^2 - 4n}$ [next slide]
$2p = \sqrt{(n - \varphi(n) + 1)^2 - 4n} + n - \varphi(n) + 1$
If we know $\varphi(n)$ we can calculate p and q easily.

$p - q = \sqrt{(p + q)^2 - 4n}$
$(p - q)^2 = p^2 - 2pq + q^2 = p^2 + q^2 - 2n$
$(p + q)^2 = p^2 + q^2 + 2n$
$(p - q)^2 = (p + q)^2 - 4n$
$p - q = \sqrt{(p + q)^2 - 4n}$

Determine d without $\varphi(n)$
Brute force: m digits long, amount of work is $10^m$.
– Try 1T/second (special purpose hardware)
– Will take $3 \cdot 10^{30}$ years for m = 50.
– For factoring difficulty, m > 100. (Bigger than AES key)
Non-brute force: knowing d enables factoring.

Determining d  factoring
$ed = 1 \bmod \varphi(n)$
$k \cdot \varphi(n) = ed - 1$
Already showed, finding $\varphi(n)$ is same as factoring.
Also true for multiple of $\varphi(n)$.
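
Added example (not from the original slides): both reductions from the last three slides on a constructed key, recovering p and q from φ(n) with the sum and difference formulas, and from d alone using ed − 1 as a multiple of φ(n). The second routine is the standard randomized search for a non-trivial square root of 1, which the slides assert but do not spell out; all names and the toy key are this example's own.

```python
import math
import random


def factor_from_phi(n, phi):
    """Recover (p, q) from n and phi(n) = (p - 1)(q - 1)."""
    total = n - phi + 1                  # p + q
    disc = total * total - 4 * n         # (p - q)^2
    diff = math.isqrt(disc) if disc >= 0 else -1
    if diff < 0 or diff * diff != disc:
        raise ValueError("phi is not consistent with n = p*q")
    p, q = (total + diff) // 2, (total - diff) // 2
    if p * q != n:
        raise ValueError("phi is not consistent with n = p*q")
    return q, p                          # smaller factor first


def factor_from_d(n, e, d, tries=100, rng=None):
    """Recover (p, q) from a key pair, using k = ed - 1 (a multiple of phi(n))."""
    rng = rng or random.Random(0)        # fixed seed keeps the demo repeatable
    odd, twos = e * d - 1, 0
    while odd % 2 == 0:                  # k = 2^twos * odd
        odd //= 2
        twos += 1
    for _ in range(tries):               # each base succeeds with prob >= 1/2
        g = rng.randrange(2, n - 1)
        shared = math.gcd(g, n)
        if shared > 1:                   # the guess itself shares a factor
            return tuple(sorted((shared, n // shared)))
        x = pow(g, odd, n)
        for _ in range(twos):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                p = math.gcd(x - 1, n)   # x is a non-trivial square root of 1
                return tuple(sorted((p, n // p)))
            x = y
    raise RuntimeError("no factor found; is d really e^-1 mod phi(n)?")


# Constructed toy key (far too small for real use).
P, Q, E = 53, 61, 17
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                      # 2753

if __name__ == "__main__":
    print("from phi(n):", factor_from_phi(N, PHI))
    print("from d:     ", factor_from_d(N, E, D))
```

This is why a leaked private exponent or φ(n) means the modulus itself must be retired, not just the exponent pair.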

Properties of RSA’s E and D
Trap-door one way function:
– D(E(M)) = M
– E and D are easy to compute.
– Revealing E doesn’t reveal an easy way to compute D
Trap-door one way permutation: also
– E(D(M)) = M

Applications of RSA
Privacy:
– Bob encrypts message to Alice using $E_A$
– Only Alice knows $D_A$
Signatures:
– Alice encrypts a message to Alice using $D_A$
– Bob decrypts using $E_A$
– Knows it was from Alice, since only Alice knows $D_A$
Things you use every day: ssh, SSL, DNS, etc.
More than 400,000,000 copies of the RSA algorithm are currently installed

Faculty Candidate Talks
Wednesday, 3:30: Cliff Zou – modeling and detecting Internet worms
Monday, 3:30 (Olsson 009)
– Kevin Fu, MIT (PhD student of Ron Rivest and Frank Kaashoek)
– Secure content distribution using untrusted servers

Charge
Thursday: Doug Szajda
Monday: Kevin Fu, 3:30
Tuesday: what to do about all those couriers
Thursday: guest lecture, Daniel Mellen, Jennifer Combs and Trab Farrales from Accenture
– Implementing a public-key infrastructure in industry
Work on your projects