1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.


2 Outline
• Trapdoor one-way function
• The RSA algorithm
• Some practical considerations
• RSA's security
• Some pitfalls of RSA

3 Trapdoor one-way function
• Suppose $n = pq$, where $p$ and $q$ are large primes.
• Consider $f(m) = m^e \bmod n$.
• For certain values of $e$, and provided that $n$ is large enough, $f(m)$ is a one-way function.
  - It is computationally infeasible to obtain $m$ based on the knowledge of $n$, $e$, and $f(m)$.
• However, with the knowledge of a certain trapdoor, the inversion is easy to do.
  - The trapdoor for RSA is the factorization of $n$ (i.e., the knowledge of $p$ and $q$).

4 The RSA algorithm
• Let $n = pq$, where $p$ and $q$ are primes. Note that $n$ is a composite number.
• Let $M = C = \mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$.
• $\mathcal{K} = \{(n, p, q, d, e) : ed \equiv 1 \pmod{\phi(n)}\}$.
  - We will see that $\phi(n) = (p-1)(q-1)$.
• For $K = (n, p, q, d, e)$, define $E_K(m) = m^e \bmod n$ and $D_K(c) = c^d \bmod n$, where $m, c \in \mathbb{Z}_n$.
• The $(n, e)$ comprise the "public key".
• The $(p, q, \phi(n), d)$ comprise the "private key".

5 To probe further
• Both encryption and decryption involve modulo multiplications.
• Since $n$ is composite, $\mathbb{Z}_n$ is not a group under modulo multiplication, i.e., the inverse may not exist.
  - $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$.
  - $\mathbb{Z}_n \setminus \mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) > 1\}$.
• How many elements are in $\mathbb{Z}_n^*$?
  - We denote the number of elements by $\phi(n)$.
  - Recall that $\phi(n)$ is used in determining $d$ and $e$.

6 The value of $\phi(n)$
• Note that $\gcd(a, n) = 1$ iff $\gcd(a, p) = 1$ and $\gcd(a, q) = 1$.
• There are $q$ numbers in $\mathbb{Z}_n$ that satisfy $a \bmod p = 0$: $\{0, p, 2p, \ldots, (q-1)p\}$.
• There are $p$ numbers in $\mathbb{Z}_n$ that satisfy $a \bmod q = 0$: $\{0, q, 2q, \ldots, (p-1)q\}$.
• Therefore, the total number of integers $a$ in $\mathbb{Z}_n$ with $\gcd(a, n) > 1$ is $p + q - 1$.
• Thus, $\phi(n) = pq - (p + q - 1) = (p-1)(q-1)$.
• Use the well-known result that if $b \in \mathbb{Z}_n^*$, then $b^{\phi(n)} \equiv 1 \pmod{n}$.
  - Therefore, $a^{(p-1)(q-1)} \equiv 1 \pmod{n}$, for $a \in \mathbb{Z}_n^*$.

7 For example,
• Let $p = 3$, $q = 5$. Therefore, $n = 15$ and $(p-1)(q-1) = 8$.
• For any $a \in \{0, 3, 5, 6, 9, 10, 12, 15\}$, $a^8 \not\equiv 1 \pmod{15}$.
• For any $a \in \{1, 2, 4, 7, 8, 11, 13, 14\}$, $a^8 \equiv 1 \pmod{15}$, e.g.,
  - $2^4 \equiv 1 \pmod{15}$.
  - $4^2 \equiv 1 \pmod{15}$.
  - $7^4 \equiv 1 \pmod{15}$.
  - …
• Note that primitive elements may not exist in $\mathbb{Z}_n^*$, because $n$ is not a prime.

8 The relationship between e and d
• The values of $e$ and $d$ have to satisfy $ed \equiv 1 \pmod{(p-1)(q-1)}$.
  - Recall that $d$ exists iff $\gcd(e, (p-1)(q-1)) = 1$.
• For example, $p = 101$ and $q = 113$.
  - $n = pq = 11413$.
  - $\phi(n) = (p-1)(q-1) = 11200 = 2^6 \cdot 5^2 \cdot 7$.
  - Pick $e = 3533$, which is not divisible by 2, 5, or 7.
  - Use the extended Euclidean algorithm to compute $d = e^{-1} \bmod 11200 = 6597$.
  - To encrypt $m = 9726$, compute $9726^{3533} \bmod 11413 = 5761$.
  - To decrypt $c = 5761$, compute $5761^{6597} \bmod 11413 = 9726$.

9 $D_K(E_K(m)) = m$?
• Recall that $ed \equiv 1 \pmod{\phi(n)}$.
• In other words, $ed = t\phi(n) + 1$, where $t$ is a nonnegative integer.
• Let's consider an $m \in \mathbb{Z}_n^*$.
  - $(m^e)^d \equiv m^{t\phi(n)+1} \pmod{n}$.
  - $(m^e)^d \equiv (m^{\phi(n)})^t \, m \pmod{n}$.
  - $(m^e)^d \equiv (1)^t \, m \pmod{n}$.
  - $(m^e)^d \equiv m \pmod{n}$.

10 $D_K(E_K(m)) = m$?
• Let's consider an $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$.
• Using the Chinese Remainder Theorem, $m \bmod n$ can be represented by $(m \bmod p, m \bmod q)$.
• Note that one of the following is true:
  - $m \bmod p = 0$ and $m \bmod q = 0$, or
  - $m \bmod p = 0$ and $m \bmod q \neq 0$, or
  - $m \bmod p \neq 0$ and $m \bmod q = 0$.
• For those cases where $m \bmod p = 0$ or $m \bmod q = 0$, $m^{ed} \bmod p = 0$ or $m^{ed} \bmod q = 0$.
  - Therefore, $m^{ed} \equiv m \equiv 0 \pmod{p}$, or $m^{ed} \equiv m \equiv 0 \pmod{q}$.

11 Digital signing using RSA
• To sign a message $m$, Alice computes $s = m^d \bmod n$.
• The pair $(m, s)$ is a signed message.
• To verify the signature, anyone who knows the public key can verify that $s^e \equiv m \pmod{n}$, the message itself.

12 Some practical considerations

13 Generating the RSA parameters
1. Generate 2 large primes, $p$ and $q$ (each with size $k/2$ bits).
2. $n = pq$ ($k \geq 2048$ bits) and $\phi(n) = (p-1)(q-1)$.
3. Choose a random $e$ ($1 < e < \phi(n)$) such that $\gcd(e, \phi(n)) = 1$.
4. $d = e^{-1} \bmod \phi(n)$.
5. Publish $(n, e)$ and safeguard the secret $(p, q, \phi(n), d)$.

14 Generating the RSA parameters
1. Need an efficient algorithm to generate a large prime.
   - The Rabin-Miller test determines whether an odd integer $n$ is prime.
2. Find 2 large primes.
3. Use the Euclidean algorithm to make sure that $\gcd(e, \phi(n)) = 1$.
4. Use the extended Euclidean algorithm to compute $d = e^{-1} \bmod \phi(n)$.
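The five generation steps, as an added Python example that is not part of the original slides. The function names, the 40 Rabin-Miller rounds and the default $e = 65537$ are choices made for this sketch; `mod_inverse(3533, 11200)` reproduces the slide's $d = 6597$.

```python
# Added example (not from the slides): RSA parameter generation, steps 1-5.
import math
import secrets

def is_probable_prime(n, rounds=40):
    """Rabin-Miller test: False means composite, True means prime with high probability."""
    if n < 2: return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    s, t = 0, n - 1
    while t % 2 == 0:                      # n - 1 = 2^s * t with t odd
        s, t = s + 1, t // 2
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                   # a is a witness that n is composite
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if is_probable_prime(c):
            return c

def mod_inverse(e, phi):
    """Extended Euclidean algorithm: d with e*d = 1 (mod phi)."""
    r0, r1, t0, t1 = phi, e % phi, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("gcd(e, phi) != 1, no inverse exists")
    return t0 % phi

def generate_key(k=2048, e=65537):
    """Return ((n, e), (p, q, phi, d)); retries until gcd(e, phi) = 1."""
    while True:
        p, q = random_prime(k // 2), random_prime(k // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p, q, phi, mod_inverse(e, phi))
```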

15 Practical considerations
• Usually fix the value of $e$, e.g., $e = 3$ for signatures and $e = 5$ for encryption.
  - There are pitfalls when one uses the same exponent for both encryption and signatures.
  - Therefore, $p - 1$ and $q - 1$ cannot be multiples of 3 or 5.
  - Smaller exponent for signatures (why?)
  - Some problems with small exponents (to be discussed shortly).
• Other common values for $e$ are 17 and 65537.

16 RSA's (in)security

17 The RSA's security
• An obvious attack against RSA is to factor $n$. If this can be done, then
  - Obtain $p$ and $q$.
  - Compute $(p-1)(q-1)$.
  - Compute $e^{-1} \bmod (p-1)(q-1) = d$.
• Roughly speaking, breaking the RSA algorithm is as difficult as factoring $n$.
  - The "current" factoring algorithms are able to factor numbers having up to 512 bits.
  - On the safe side, $n \geq 2048$ bits to make the factoring problem computationally infeasible to solve.

18 The RSA's security
• Moreover, if one can obtain $\phi(n)$, one can obtain the other elements of the private key.
• First of all, one can obtain $p$ and $q$ by solving $n = pq$ and $\phi(n) = (p-1)(q-1)$.
• The solution for $p$ is given by $p^2 - (n - \phi(n) + 1)p + n = 0$.
• In other words, if one can compute $\phi(n)$, one can factor $n$ into $p$ and $q$.
• Lastly, what happens if one can obtain the value of $d$?
  - $n$ can be factored in polynomial time using a randomized algorithm.

19 Pitfalls using RSA
• Problem 1: If Alice signs 2 messages $m_1$ and $m_2$, Eve can compute Alice's signature on $m_3 = m_1 m_2 \bmod n$.
  - Original signatures: $m_1^d$ and $m_2^d$.
  - Eve can produce the signature for $m_3$ by multiplying $m_1^d$ and $m_2^d$.

20 Pitfalls using RSA
• Problem 2: When RSA is used to encrypt a very small message $m$.
  - E.g., if $e = 5$ and $m < n^{1/5}$, then $m^e = m^5 < n$.
  - Therefore, no mod $n$ operation is needed.
  - Simply take a fifth root of $c$ to recover $m$!
  - For example, if encrypting a 256-bit key using RSA, the encrypted key is less than $2^{256 \cdot 5} = 2^{1280} \ll 2^{2048}$ if $n$ is a 2048-bit integer.
• The main problem is the existence of a structure in the numbers that RSA operates on.

21 Resolving the pitfalls
• A possible approach is to use an encoding function to destroy the structure as much as possible.
• The Public-Key Cryptography Standard (PKCS #1 for RSA) covering
  - cryptographic primitives;
  - encryption schemes;
  - signature schemes with appendix;
  - ASN.1 syntax for representing keys and for identifying the schemes.

22 Message encryption using RSA
• Using RSA to encrypt a message is almost never practiced.
  - The size of the message is limited by the size of $n$.
• Instead, choose a random secret key $K$, and encrypt $K$ with the RSA key.
  - The message encryption is based on a secret-key cryptosystem.
  - Send $K^e \bmod n$ and $E_K(m)$.

23 Message encryption using RSA
• A better approach is:
  - Choose a suitable random number $r \in \{0, 1, \ldots, n-1\}$.
  - Set $K = h(r)$, where $h()$ is some hash function.
  - Send $r^e \bmod n$ and $E_K(m)$.
• Advantages:
  - There is no structure in $r$.
  - The hash function ensures that no structure between $r$'s propagates to structure in the $K$'s.
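Problem 2 next to the $r$ / $h(r)$ approach, as an added Python example that is not part of the original slides. Assumptions: the modulus is a constructed one built from the Mersenne primes $2^{607}-1$ and $2^{1279}-1$ (about 1886 bits, unsuitable for real use), $h$ is SHA-256, and all function names are chosen here.

```python
# Added example (not from the slides): a small message under e = 5 versus r and K = h(r).
import hashlib
import secrets

# Constructed key with e = 5; the Mersenne-prime factors are for illustration only.
P, Q, E = 2**607 - 1, 2**1279 - 1, 5
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
N_BYTES = (N.bit_length() + 7) // 8

def integer_root(c, k):
    """Largest x with x**k <= c, by binary search."""
    lo, hi = 0, 1 << (c.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo

def wraps_modulus(m):
    """True when m^e >= n, i.e. the reduction mod n actually takes place."""
    return m ** E >= N

def small_message_demo():
    key = secrets.randbits(256)        # a 256-bit secret key encrypted directly
    c = pow(key, E, N)                 # key^5 < 2^1280 < n, so c equals key**5
    return integer_root(c, E) == key   # the key falls out without d

def encapsulate():
    """Pick random r in Z_n, derive K = h(r), return (r^e mod n, K)."""
    r = secrets.randbelow(N)
    return pow(r, E, N), hashlib.sha256(r.to_bytes(N_BYTES, "big")).digest()

def decapsulate(c):
    """Holder of d recovers r and recomputes K = h(r)."""
    r = pow(c, D, N)
    return hashlib.sha256(r.to_bytes(N_BYTES, "big")).digest()
```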

24 Digital signatures using RSA
• Problem: remove the structures of the messages that are signed.
  - Use a hash function to hash the messages.
• The hash function's output (e.g., 256 bits) is small compared with the size of $n$ (e.g., 2048 bits).
  - Cannot use the hash function output directly in RSA.

25 Digital signatures using RSA
• A solution is to use a pseudorandom mapping to expand $h(m)$ to a random number $s \in \{0, 1, \ldots, n-1\}$.
• If you ask Alice to sign a number of messages $m_1, m_2, \ldots, m_i$:
  - Eve can get hold of the $(m, s)$, but the values of $s$ are effectively random.
  - Thus, the information does not help forge Alice's signature.
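Problem 1 on raw RSA signatures compared with the hash-and-expand signing described on the last two slides, as an added Python example that is not part of the original slides. Assumptions: the key is a constructed toy built from the Mersenne primes $2^{89}-1$ and $2^{107}-1$, and the counter-mode SHA-256 expansion in `encode` is a hypothetical stand-in for the pseudorandom mapping, not the PKCS #1 encoding.

```python
# Added example (not from the slides): raw RSA signatures versus hash-and-expand signing.
import hashlib

# Constructed demo key; far too small and too structured for real use.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def sign_raw(m):
    return pow(m, D, N)                # s = m^d mod n

def verify_raw(m, s):
    return pow(s, E, N) == m % N       # s^e = m (mod n)

def encode(msg: bytes) -> int:
    """Expand h(msg) to a number in {0, ..., n-1} (hypothetical counter-mode mapping)."""
    seed = hashlib.sha256(msg).digest()
    out, counter = b"", 0
    # at least 64 bits more than the modulus, so the final mod-n bias is small
    while len(out) < (N.bit_length() + 7) // 8 + 8:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") % N

def sign_encoded(msg: bytes) -> int:
    return pow(encode(msg), D, N)

def verify_encoded(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == encode(msg)

def product_demo():
    """Return (raw_ok, encoded_ok) for a signature built by multiplying two others."""
    m1, m2 = 1234567, 7654321          # constructed sample messages
    m3 = m1 * m2 % N
    # Raw RSA: the product of two signatures verifies as a signature on m3.
    raw_ok = verify_raw(m3, sign_raw(m1) * sign_raw(m2) % N)
    # Encoded RSA: the same product does not match the encoding of m3.
    b1, b2, b3 = (str(m).encode() for m in (m1, m2, m3))
    encoded_ok = verify_encoded(b3, sign_encoded(b1) * sign_encoded(b2) % N)
    return raw_ok, encoded_ok
```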

26 Conclusions
• RSA can be used for encryption as well as digital signatures.
• The security of RSA lies in the difficulty of factoring a large number into 2 primes.
• RSA encryption and decryption require expensive exponentiation operations.
  - The CRT helps accelerate the operations.
• In practice, RSA is used to encrypt a secret key with an encoding function.
• In practice, the messages to be signed have to go through a hash function to destroy the message structures.

27 Acknowledgments
• The notes are prepared mostly based on
  - D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.
  - N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.

