The Early Days of RSA -- History and Lessons Ronald L. Rivest MIT Lab for Computer Science ACM Turing Award Lecture.

Slides:



Advertisements
Similar presentations
CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.
Advertisements

Great Theoretical Ideas in Computer Science.
Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.
OOP/Java1 Public Key Crytography From: Introduction to Algorithms Cormen, Leiserson and Rivest.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.
Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:
Public Key Cryptography
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
1 Introduction to Information Security , Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.
Public Key Cryptography Bryan Pearsaul. Outline What is Cryptology? Symmetric Ciphers Asymmetric Ciphers Diffie-Hellman RSA (Rivest/Shamir/Adleman) Moral.
Lecture 6: Public Key Cryptography
Introduction to Public Key Cryptography
Public Key Model 8. Cryptography part 2.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Lecture 11: Key Distribution
Network and Communications Network Security Department of Computer Science Virginia Commonwealth University.
1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz
Great Theoretical Ideas in Computer Science.
RSA Ramki Thurimella.
Cryptography: RSA & DES Marcia Noel Ken Roe Jaime Buccheri.
Cryptography Dec 29. This Lecture In this last lecture for number theory, we will see probably the most important application of number theory in computer.
1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS CIS 5357 Network Security.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Chapter 21 Public-Key Cryptography and Message Authentication.
Private-Key Cryptography  traditional private/secret/single key cryptography uses one key  shared by both sender and receiver  if this key is disclosed.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
1 Public-Key Cryptography and Message Authentication.
Cryptography and Network Security Chapter 9 - Public-Key Cryptography
CS461/ECE422 Spring 2012 Nikita Borisov — UIUC1.  Text Chapters 2 and 21  Handbook of Applied Cryptography, Chapter 8 
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
PUBLIC-KEY CRYPTOGRAPH IT 352 : Lecture 2- part3 Najwa AlGhamdi, MSc – 2012 /1433.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Information Security CS 526
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
Scott CH Huang COM 5336 Cryptography Lecture 6 Public Key Cryptography & RSA Scott CH Huang COM 5336 Cryptography Lecture 6.
Chapter 9 Public Key Cryptography and RSA. Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender.
Fall 2002CS 395: Computer Security1 Chapter 9: Public Key Cryptography.
Public Key Algorithms Lesson Introduction ●Modular arithmetic ●RSA ●Diffie-Hellman.
Public Key Cryptosystem Introduced in 1976 by Diffie and Hellman [2] In PKC different keys are used for encryption and decryption 1978: First Two Implementations.
Cryptography issues – elliptic curves Presented by Tom Nykiel.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Introduction to Pubic Key Encryption CSCI 5857: Encoding and Encryption.
Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts – note:
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
CSEN 1001 Computer and Network Security Amr El Mougy Mouaz ElAbsawi.
1 Introduction to Information Security , Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer.
Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.
Lecture 5 Asymmetric Cryptography. Private-Key Cryptography Traditional private/secret/single key cryptography uses one key Shared by both sender and.
@Yuan Xue CS 285 Network Security Public-Key Cryptography Yuan Xue Fall 2012.
Public Key Cryptosystem
Network Security Design Fundamentals Lecture-13
Public Key Encryption and Digital Signatures
RSA and El Gamal Cryptosystems
Real-world Security of Public Key Crypto
Chapter -5 PUBLIC-KEY CRYPTOGRAPHY AND RSA
Presentation transcript:

The Early Days of RSA -- History and Lessons Ronald L. Rivest MIT Lab for Computer Science ACM Turing Award Lecture

Lessons Learned u Try to solve “real-world” problems u … using computer science theory u … and number theory. u Be optimistic: do the “impossible”. u Invention of RSA. u Moore’s Law matters. u Do cryptography in public. u Crypto theory matters. u Organizations matter: ACM, IACR, RSA

Try to solve real-world problems u Diffie and Hellman published “New Directions in Cryptography” Nov ’76: “We stand today at the brink of a revolution in cryptography.” u Proposed “Public-Key Cryptosystem”. (This remarkable idea developed jointly with Merkle.) u Introduced even more remarkable notion of digital signatures. u Good cryptography is motivated by applications. (e-commerce, mental poker, voting, auctions, …)

… using computer science theory u In 1976 “complexity theory” and “algorithms” were just beginning… u Cryptography is a “theory consumer”: it needs –easy problems (such as multiplication or prime-finding, for the “good guys”) and –hard problems (such as factorization, to defeat an adversary).

…and number theory u Diffie/Hellman used number theory for “key agreement” (two parties agree on a secret key, using exponentiation modulo a prime number). u Some algebraic structure seemed essential for a PKC; we kept returning to number theory and modular arithmetic… u Difficulty of factoring not well studied then, but seemed hard…

Be optimistic: do the “impossible” u Diffie and Hellman left open the problem of realizing a PKC: D(E(M)) = E(D(M)) = M where E is public, D is private. u At times, we thought it impossible… u Since then, we have learned “Meta-theorem of Cryptography”: Any apparently contradictory set of requirements can be met using right mathematical approach…

Invention of RSA u Tried and discarded many approaches, including some “knapsack-based” ones. (Len was great at killing off bad ideas.) u “Group of unknown size” seemed useful idea… as did “permutation polynomials”… u After a “seder” at a student’s… u “RSA” uses n = pq product of primes: C = M e (mod n) [public key (e,n)] M = C d (mod n) [private key (d,n)]

$100 RSA SciAm Challenge u Martin Gardner publishes Scientific American column about RSA in August ’77, including our $100 challenge (129 digit n) and our infamous “40 quadrillion years” estimate required to factor RSA-129 = 114,381,625,757,888,867,669,235,779,976,146,61 2,010,218,296,721,242,362,562,561,842,935,706, 935,245,733,897,830,597,123,563,958,705,058,9 89,075,147,599,290,026,879,543,541 (129 digits) or to decode encrypted message.

TM-82 4/77; CACM 2/78 (4000 mailed)

S, R, and A in ‘78

The wonderful Zn* u Zn* = multiplicative group modulo n = pq u Factoring makes it hard for adversary –to compute size of group –to compute discrete logs u Taking e-th roots modulo n is hard (“RSA Assumption”) u Taking e-th roots is hard, where the adversary can pick e>1. (“Strong RSA Assumption”)

Moore’s Law matters. u Time to do RSA decryption on a 1 MIPS VAX was around 30 seconds (VERY SLOW…) u IBM PC debuts in 1981 u Still, we worked on efficient special-purpose implementation (e.g. special circuit board, and then the “RSA chip”, which did RSA in 0.4 seconds) to prove practicality of RSA. u Moore’s Law to the rescue---software now runs 2000x faster… u Now software and the Web rule…

Photo of RSA chip

Do cryptography in public. u Confidence in cryptographic schemes derives from intensive public review. u Public standards (e.g. PKCS series) u Vigorous public research effort results in many new cryptographic proposals, definitions, and attacks

Other PKC proposals u 1978: Merkle/Hellman (knapsack) u 1979: Rabin/Williams (factoring) u 1984: Goldwasser/Micali (QR) u 1985: El Gamal (DLP) u 1985: Miller/Koblitz (elliptic curves) u 1998: Cramer/Shoup u … many others, too

$100 RSA Challenge Met ‘94 u RSA-129 was factored in 1994, using thousands of computers on Internet. “The magic words are squeamish ossifrage.” u Cheapest purchase of computing time ever! u Gives credibility to difficulty of factoring, and helps establish key sizes needed for security.

Factoring milestones u ’84: 69D (D = “digits”) (Sandia; Time magazine) u ’91: 100D (Quadratic sieve) u ’94: 129D ($100 challenge number) (Distributed QS) u ’99: 155D (512-bits; Number field sieve) u ’01: 15 = 3 * 5 (4 bits; IBM quantum computer!)

Other attacks on RSA u Cycling attacks (?) u Attacks based on “weak keys” (?) u Attacks based on lack of randomization or improper “padding” (use e.g. Bellare/Rogaway’s OAEP ’94) u Timing analysis, power analysis, fault attacks, … u See Boneh’s “Twenty Years of Attacks on the RSA Cryptosystem”.

Crypto theory matters u probabilistic encryption, u chosen-ciphertext attacks u GMR digital signatures, u zero-knowledge protocols, u concrete complexity of cryptographic reductions; practice-oriented provable security u …

Organizations matter u ACM – e.g. CACM published RSA paper u IACR (David Chaum) – sponsors CRYPTO conferences u RSA (Jim Bidzos) –sponsors RSA conferences –leader in many policy debates –helped to set crypto standards

(The End)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.