Download presentation
Presentation is loading. Please wait.
1
CSCI284 Spring 2009 GWU Sections 5.1, 5.2.2, 5.3
Public Key Crypto RSA RSA CSCI284 Spring 2009 GWU Sections 5.1, 5.2.2, 5.3
2
How does Alice send Bob the decryption key in private key crypto?
If Alice wants it such that anyone can decrypt her messages, but know that they came from her Suppose she could make the decryption key available in a public place This would require that the decryption key should not give any information on the encryption key, in particular it should not be equal to it 4/29/2019 CS /Spring09/GWU/Vora/RSA
3
CS284-162/Spring09/GWU/Vora/RSA
How does Alice send Bob the decryption key in private key crypto? contd If she wants it so that only Bob can read her messages, and Bob is ok with anyone sending him messages in this way Suppose Bob makes his encryption key available publicly No one should be able to compute the decryption key from the encryption key This is the dual of the previous case 4/29/2019 CS /Spring09/GWU/Vora/RSA
4
Public Key Cryptography
Two injective functions f and g such that fg=I i.e. messages encrypted with one can be decrypted with the other; functions include association with key f cannot be used to find g and vice versa One is made public, the other kept private Encryption with public function provides confidential transmission, decryption with public function provides authentication 4/29/2019 CS /Spring09/GWU/Vora/RSA
5
CS284-162/Spring09/GWU/Vora/RSA
One-way function A one-way function is easy in the forward direction, difficult in the reverse direction. Example: f(x) = xa mod m 4/29/2019 CS /Spring09/GWU/Vora/RSA
6
Trapdoor One-way Function
A trapdoor one-way function is easy in the reverse direction for someone with access to a trapdoor (secret information enabling easy inversion). Example: if f(x) = xa mod m where gcd(a, (m)) = 1, and (m) = pq for primes p and q, knowledge of p or q is a trapdoor 4/29/2019 CS /Spring09/GWU/Vora/RSA
7
RSA Cocks (’73), Rivest, Shamir, Adleman (’76)
n = pq, p and q (large) primes P = C = Zn K = {(n, p, q, a, b}: ab 1 mod (n)} fK(m) = ma mod n gK(m) = mb mod n 4/29/2019 CS /Spring09/GWU/Vora/RSA
8
CS284-162/Spring09/GWU/Vora/RSA
RSA: Key generation Find p and q (two large random primes) n pq (n) (p-1)(q-1) Choose random a invertible mod (n) s.t 1 < a < (n) i.e. a s.t gcd(a, (n)) = 1 Use Euclidean algorithm to find b=a-1mod (n) Not known how to determine (n) without p and q One key: (n, a) other key (n, b) 4/29/2019 CS /Spring09/GWU/Vora/RSA
9
CS284-162/Spring09/GWU/Vora/RSA
Example 4/29/2019 CS /Spring09/GWU/Vora/RSA
10
A Trapdoor One-way Function?
RSA encryption is believed to be a one-way function with the factorization of n as the trapdoor. It is not known if encryption really is one-way It is not known if there are other trapdoors However, for security, it is certainly required that it not be possible to factor n 4/29/2019 CS /Spring09/GWU/Vora/RSA
11
Security of RSA Is it based on hardness of factoring n?
It is not known if: factoring a product of two primes into its prime components is solvable in polynomial time NP-complete there are other trapdoors to RSA, i.e. other ways of breaking it in general Factoring is an easy problem in the quantum computing model. 4/29/2019 CS /Spring09/GWU/Vora/RSA
12
RSA: Computational complexity
512 bit primes, n is 1024 bits Encryption: b3 where a plaintext character is b-bits Decryption by brute force: 2bb3 Key generation: Primes? O(b2), O(b3) 4/29/2019 CS /Spring09/GWU/Vora/RSA
13
Encryption of blocks of symbols
Block ABCD…, each symbol is base N (e.g. N=2, 16) Convert a block of a few symbols to an integer mod n RSA encrypt Convert back to base N Example. 4/29/2019 CS /Spring09/GWU/Vora/RSA
14
CS284-162/Spring09/GWU/Vora/RSA
RSA Decryption Show that fK and gK are inverses f(g(x)) = xba mod n = xt(n)+1 mod n = x xt (n) mod n What do we do now? 4/29/2019 CS /Spring09/GWU/Vora/RSA
15
CS284-162/Spring09/GWU/Vora/RSA
We will need Chinese Remainder Theorem (CRT) Lagrange’s Theorem 4/29/2019 CS /Spring09/GWU/Vora/RSA
16
CRT: Solve congruences
What is x? 17x 3 mod 101 5x 2 mod 7 4/29/2019 CS /Spring09/GWU/Vora/RSA
17
Chinese Remainder Theorem
There is exactly one number modulo xy which is bmodx and Bmody if x and y are relatively prime. Proof: Suppose not. Then: First number = ax + b = Ay + B Second number = cx + b = Cy + B (a-c)x = (A-C)y y | (a-c)x y | (a-c) because x and y rel. prime a = my + c first number = mxy + cx + b = second number modulo xy 4/29/2019 CS /Spring09/GWU/Vora/RSA
18
Determine a number x given x = ai mod mi for i = 1 … n
gcd(mi mj ) = 1 ij Let M = i mi And Mi = M/mi Find yi such that yiMi = 1 mod mi Then x = (I aiyiMi) mod M Example. 4/29/2019 CS /Spring09/GWU/Vora/RSA
19
CS284-162/Spring09/GWU/Vora/RSA
So we have shown that: There is exactly one number that satisfies the congruences, and that it can be determined using the formula provided. Define : ZM Zm1 Zm2 …. Zmr (x) = (x mod m1 x mod m2 ...… x mod mr) Example. CRT is equivalent to saying that is bijective (one-to-one, i.e. injective; and onto, i.e. surjective) 4/29/2019 CS /Spring09/GWU/Vora/RSA
20
CS284-162/Spring09/GWU/Vora/RSA
Order of an element Smallest number such that repeated group operation on the element gives the identity That is, for any g group G with operation ○, i is the smallest number such that o(g) = i g○ g ○...○g = group identity Example { i times 4/29/2019 CS /Spring09/GWU/Vora/RSA
21
Lagrange’s theorem on the order of a group element
Theorem: Suppose G is a multiplicative group of order n (i.e. the group operation is multiplication) and g G. Then the order of g divides n. Example: multiplicative group. True also of additive groups. Example: additive group. 4/29/2019 CS /Spring09/GWU/Vora/RSA
22
Lagrange’s theorem on the order of a group element - II
Proof: Consider the following relation: a b iff axi = b for some i is an equivalence relation because: axo(x) = a If a b then b = axi and a = bx-i and b a If a b and b c, then b = axi and c = bxj = axi+j and a c Hence, the cosets of this relation partition the group and are of equal size. Example: the relation for some x and composite n 4/29/2019 CS /Spring09/GWU/Vora/RSA
23
Lagrange’s theorem on the order of a group element - III
Hence, the size of any coset divides the size of the group if it is finite {e, x1, x2, …xo(x)} is a coset of size o(x) Because any coset that contains x = {a s.t axi = x i} = {a = x1-i i} = {xj j } Hence o(x) | n Example, composite n 4/29/2019 CS /Spring09/GWU/Vora/RSA
24
CS284-162/Spring09/GWU/Vora/RSA
RSA Decryption Show that fK and gK are inverses f(g(x)) = xba mod n = xt(n)+1 mod n = x xt (n) mod n = x mod n if x Zn* (By Lagrange’s Theorem) What if x Zn\Zn*? 4/29/2019 CS /Spring09/GWU/Vora/RSA
25
CS284-162/Spring09/GWU/Vora/RSA
x xt (n) mod n = ? For x Zn\Zn* Write Zn = Zp X Zq Use CRT: x (x mod p, x mod q) = wlog (0, d) (because x Zn\Zn*) x(n) = (0, d(n)) = (0, 1) x. x(n) = (0, 1) (0, d(n)) = x 4/29/2019 CS /Spring09/GWU/Vora/RSA
26
A simple inefficient algorithm for generating a prime
Generate a b-bit random number It is prime with probability 1/ln 2b = 1/(ln2 b) = O(1/b) Generate enough and will be done, in O(b) complexity. How do you check if it is prime? 4/29/2019 CS /Spring09/GWU/Vora/RSA
27
CS284-162/Spring09/GWU/Vora/RSA
Eratosthenes Sieve If want a prime of length b bits, list the numbers 2 to 2b/2 Starting from the beginning, delete all multiples of each prime: delete 4, 6, 8, …; 6, 9, …… At the end will be left with the primes Check if these primes divide your randomly generated number If not, it is prime. 4/29/2019 CS /Spring09/GWU/Vora/RSA
28
Euler Phi function (number of invertible elements in Zm)
If m = pq, 1, 2, 3, …p, ..2p, ..3p, …qp q numbers divisible by p 1, 2, 3, …q, ..2q, ..3q, …pq p numbers divisible by q pq only number counted twice. No other numbers. pq – p – q + 1 = (p-1)(q-1) invertible elements 4/29/2019 CS /Spring09/GWU/Vora/RSA
29
Can also show previous result using CRT
4/29/2019 CS /Spring09/GWU/Vora/RSA
Similar presentations
