Slide 1: Lecture 13: Security of RSA
David Evans, http://www.cs.virginia.edu/evans
CS588: Security and Privacy, University of Virginia Computer Science
THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE.
Slide 2: Menu (CS588 Spring 2005)
Legality of discussing RSA
Properties of RSA
–Correct (last Thursday)
–Easy to compute if you know the key
–Hard to break if you don't know the key
Slide 3: Properties of E and D
Trap-door one way function:
1. D(E(M)) = M
2. E and D are easy to compute.
3. Revealing E doesn't reveal an easy way to compute D
Trap-door one way permutation: also
4. E(D(M)) = M
Slide 4: Property 4: E(D(M)) = M
D(M) = M^d mod n
E(D(M)) = (M^d mod n)^e mod n = M^(de) mod n = M^(ed) mod n = M (from the property 1 proof)
Slide 5: Properties of E and D
Trap-door one way function:
1. D(E(M)) = M
2. E and D are easy to compute.
3. Revealing E doesn't reveal an easy way to compute D
Trap-door one way permutation: also
4. E(D(M)) = M
Before going on… is it legal to talk about 2?
Slide 6: RSA in Perl
print pack"C*", split/\D+/, `echo "16iII*o\U@{$/=$z; [(pop,pop,unpack"H*",<>)]} \EsMsKsN0[lN*1lK[d2%Sa2/d0 <X+d*lMLa^*lN%0]dsXx++lMlN /dsM0<J]dsJxp"|dc`
(by Adam Back)
Until 1997 – Illegal to show this slide to non-US citizens!
Until Jan 2000: can export RSA, but only with 512 bit keys
Now: can export RSA except to embargoed destinations
Slide 7: First Amendment
"Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment."
Sixth Circuit Court of Appeals, April 4, 2000
Ruling that Peter Junger could post RSA source code on his web site
Slide 8: Property 2: Easy to Compute
E(M) = M^e mod n
Easy – every 4th grader can do exponents, every kindergartner can do mod n.
How big are M, e, and n?
–M: 2^n where n is the number of bits in M
–M and n must be big (~10^200) for security
Slide 9: Fast Exponentiation
a^(m + n) = a^m * a^n
a^b = a^(b/2) * a^(b/2) (if 2 divides b)
So, can compute M^e in about log2 e multiplies
10^150 < 2^512, so 512 multiplies is doable (by a computer, not a kindergartner)
Faster bitwise algorithms known
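An added worked example (not from the lecture) of the square-and-multiply exponentiation this slide describes, counting the modular multiplications it actually uses, and a check of properties 1 and 4 on a constructed textbook key (p = 61, q = 53, e = 17 are constructed values, not from the slides):

```python
def mod_exp(base, exp, mod):
    """Square-and-multiply (right-to-left binary exponentiation).

    Returns (base**exp % mod, number of modular multiplications used).
    One squaring per bit of exp below the top bit, plus one extra multiply
    per set bit, so the count lies between log2(exp) and 2*log2(exp).
    """
    result, mults = 1, 0
    base %= mod
    while exp > 0:
        if exp & 1:                      # this bit contributes base^(2^i)
            result = (result * base) % mod
            mults += 1
        exp >>= 1
        if exp:                          # square for the next bit
            base = (base * base) % mod
            mults += 1
    return result, mults


def textbook_rsa_roundtrip(message, e=17, p=61, q=53):
    """Properties 1 and 4 on a constructed textbook key (no padding).

    Returns (ciphertext E(M), D(E(M)), whether E(D(M)) == M).
    """
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # d = e^-1 mod (p-1)(q-1), Python 3.8+
    c, _ = mod_exp(message, e, n)        # E(M)
    m, _ = mod_exp(c, d, n)              # D(E(M))
    s, _ = mod_exp(message, d, n)        # D(M)
    return c, m, mod_exp(s, e, n)[0] == message
```

With a 512-bit exponent the multiplication count stays in the hundreds, which is the slide's point: the exponentiation costs about log2 e steps, not e of them.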
Slide 10: Anything else hard to compute?
We need to find large prime numbers p and q
Obvious way:
  Pick big number x
  for i = 2 to x – 1 (only need to test up to sqrt(x))
    if i divides x: it's not prime, start over with x + 1
  done – x is prime
Slide 11: How many prime numbers?
Infinite number (proved by Euclid, 300BC)
Slide 12: Infinite Primes Proof
Suppose that there exist only finitely many primes p_1 < p_2 < ... < p_r.
Let N = (p_1)(p_2)...(p_r) + 1
N > p_r so it is composite, N = p * M
If p = p_i for some i in 1 … r, then
N = p_i * M = p_i * (p_1)(p_2)...(p_{i-1})(p_{i+1})...(p_r) + 1
p_i (M – (p_1)(p_2)...(p_{i-1})(p_{i+1})...(p_r)) = 1
Contradiction: p_i > 1
Hence, there must be infinitely many primes.
Slide 13: Density of Primes
From http://www.utm.edu/research/primes/howmany.shtml
π(x) is the number of primes ≤ x
Slide 14: Finding Primes
The Prime Number Theorem: π(x) ~ x/ln x
So, to find a prime bigger than x, we need to make about ln x/2 guesses
Naïve prime test
–Each guess requires Θ(√x) work
–Expect to need Θ(ln x/2 * √x) work
–For 200 digits = 230 * 10^100
–More work than breaking 3DES!
Slide 15: Need a faster prime test
There are several fast probabilistic prime tests
Can quickly test a prime with high probability, with a small amount of work
If we pick a non-prime, it's not a disaster (left as PS4 exercise to figure out what happens)
Slide 16: Fermat Test
Recall Fermat's Little Theorem:
–If n is prime and a is not divisible by n then a^(n-1) ≡ 1 mod n
Prove n is composite by finding a^(n-1) ≢ 1 mod n
Showing a^(n-1) ≡ 1 mod n does not prove n is prime
But if it holds for many a's it is likely that n is prime
–Holds for all a's for some non-primes known as Carmichael Numbers: 561, 645, 1105, …
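The Fermat test from this slide, as an added example that is not part of the lecture: a base coprime to n with a^(n-1) ≢ 1 (mod n) proves n composite, while passing many bases only makes n a probable prime, and a Carmichael number such as 561 = 3 · 11 · 17 passes for every coprime base. The second function measures how often the test lies for a given n.

```python
import math


def fermat_test(n, bases):
    """Fermat probable-prime test as on the slide.

    n fails if some base a with gcd(a, n) = 1 has a^(n-1) != 1 (mod n)
    (a Fermat witness), or if a base shares a factor with n.  Passing every
    base only says "probably prime": Carmichael numbers pass for every
    coprime base.
    """
    if n < 4:
        return n in (2, 3)
    for a in bases:
        if math.gcd(a, n) != 1:
            return False                 # a shares a factor with n: composite
        if pow(a, n - 1, n) != 1:
            return False                 # Fermat witness for compositeness
    return True


def fermat_liar_fraction(n):
    """Fraction of bases 1 < a < n-1 coprime to n for which the test wrongly
    says 'probably prime'.  Exactly 1.0 for a Carmichael number; for other
    composites the liars form a proper subgroup, so at most about 1/2."""
    coprime = [a for a in range(2, n - 1) if math.gcd(a, n) == 1]
    liars = [a for a in coprime if pow(a, n - 1, n) == 1]
    return len(liars) / len(coprime)
```

Only a base that shares a factor with 561 exposes it, which is why Fermat alone is not a safe primality test and the stronger probabilistic tests are used in practice.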
Slide 17: Primality Test
PRIMES Problem
–Input: a number n
–Output: TRUE if n is prime, otherwise FALSE
Is PRIMES in P?
Slide 18: Quiz Time
Slide 19: PRIMES
PRIMES Problem
–Input: a number n
–Output: TRUE if n is prime, otherwise FALSE
Until 2002: believed there was no polynomial algorithm for PRIMES
–Lots of effort on this over 1000s of years
Slide 20: Gauss on PRIMES
"The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length... Further, the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated."
Karl Friedrich Gauss, Disquisitiones Arithmeticae, 1801
Slide 21: PRIMES is in P
Manindra Agrawal, Neeraj Kayal and Nitin Saxena, PRIMES is in P. Indian Institute of Technology Kanpur, 2002
–Neeraj Kayal and Nitin Saxena were 4th year undergraduates at IIT Kanpur
–http://www.cse.iitk.ac.in/news/primality.html
–7 pages long + references
Slide 22: Paper Excerpt
Key insight based on generalization of Fermat's little theorem
Slide 23: Properties of E and D
Trap-door one way function:
1. D(E(M)) = M
2. E and D are easy to compute.
3. Revealing E doesn't reveal an easy way to compute D ??
Trap-door one way permutation: also
4. E(D(M)) = M
Slide 24: RSA
E(M) = M^e mod n
D(C) = C^d mod n
n = pq, where p, q are prime
d is relatively prime to (p – 1)(q – 1)
ed ≡ 1 (mod (p – 1)(q – 1))
Slide 25: Strategy
Revealing E: e, n. Can attacker find D?
If attacker factors n = p * q:
ed ≡ 1 mod (p – 1)(q – 1)
Easy to find d ≡ e^-1 mod (p – 1)(q – 1)
Use experience to argue factoring is hard.
–This should make us somewhat nervous
Argue all other attacks are at least as hard as factoring n.
Slide 26: Gardner's Column: Original RSA challenge ($100)
n (RSA-129) = 1 1438 1625 7578 8886 7669 2357 7997 6146 6120 1021 8296 7212 4236 2562 5618 4293 5706 9352 4573 3897 8305 9712 3563 9587 0505 8989 0751 4759 9290 0268 7954 3541
e = 9007
C = 9686 9613 7546 2206 1477 1409 2225 4355 8829 0575 9991 1245 7431 9874 6951 2093 0816 2982 2514 5708 3569 3147 6622 8839 8962 8013 3919 9055 1829 9451 5781 5154
Scientific American, August 1977
Slide 27: 40000000000000000 (17 digits)
Ron Rivest (1977): factoring n (129 digits) would require at least 40 quadrillion years if you could do a * b mod c in one nanosecond.
Derek Atkins (April 1994): "We are happy to announce that RSA-129 = 3490 5295 1084 7650 9491 4784 9619 9038 9813 3417 7646 3849 3387 8439 9082 0577 * 3 2769 1329 9326 6709 5499 6198 8190 8344 6141 3177 6429 6799 2942 5397 9828 8533"
Slide 28: Trial and Error Factoring
Guess x; if 1 < gcd(x, n) < n then x is an interesting factor
If p and q are similar size, lowest factor is around √n.
–Requires O(√n) divisions.
–For RSA-129 = 1.1 * 10^64 divisions, 1 per nanosecond = 3.4 * 10^47 years
Slide 29: Pollard's Rho Method
Fastest known in 1977 [Pollard75]
To find factor p, requires about 4√p modular multiplies
Worst case: lowest p is √n, so we need 4 n^(1/4) multiplies
For RSA-129 = 1.3 * 10^32 multiplies = 4 * 10^15 years
Rivest probably used this, but made a math error (4 quadrillion → 40 quadrillion)
Slide 30: How so Fast
Better factoring algorithms
Distributed computation
Still can't do a * b mod c in one nanosecond (not faster processors)
–1ns = 10^-9 s
–Best Pentium 4 today: 4 GHz (cycle = .25ns)
–But, multiplying 100 digit numbers takes many cycles
Slide 31: Factoring Pragmatics
Conjectured to take e^sqrt(2 log n log log n) steps to factor n.
Quadratic Sieve Factoring
–Improved Kraitchik's algorithm to choose likely good values for x's
–Complexity: e^sqrt(log n log log n)
–How much bigger numbers can it factor? Twice as many digits in same time!
Slide 32: Breaking RSA-129
Organized by Derek Atkins and others, 1994
Quadratic Sieve algorithm
Memory-limited (1994 – most workstations 16MB RAM), used 10M to hold 0.5M primes
Recruited volunteers from Internet
1600 machines
Used 5000 MIPS years over 8 months
Slide 33:
"To factor r [RSA-129] we assembled the largest collaboration yet seen in computational number theory and, possibly, performed the largest single computation ever completed. In several important respects, the resources we had available were barely adequate for the task. Consequently, ingenuity and diplomacy were required for the successful completion of the project."
Derek Atkins, Michael Graff, et al., The Magic Words Are Squeamish Ossifrage, AsiaCrypt 1994.
Slide 34: Recent Factoring Algorithms
Team from CWI (Amsterdam) factored RSA-155 (512 bits), August 1999
~8000 MIPS years (36 CPU years)
7 months on ~300 machines
Lecture 1: factor 300 digit number for automatic A. How much harder is this?
Slide 35: Faster Factoring Algorithm
Function Field Sieve [Adelman & Lasker, 1992]
O(log^10.5 n)
"Breakthrough of Gaussian Proportions"
One serious limitation:
–Only works in Hollywood: this is what the movie "Sneakers" is about!
Slide 36: RSA Security
Factoring is hard (except in Sneakers)
Is this enough to know RSA is secure?
Can you compute D without factoring n?
–Probably not, but can't prove it.
–But, can prove other obvious mathematical attacks are equivalent to factoring.
Slide 37: φ(n) without factoring
Calculate φ(n) without factoring n.
ed ≡ 1 mod φ(n)
Equivalent to factoring:
φ(n) = (p – 1)(q – 1) = n – (p + q) + 1
p + q = n – φ(n) + 1
p – q = sqrt((p + q)^2 – 4n) [next slide]
2p = sqrt((n – φ(n) + 1)^2 – 4n) + n – φ(n) + 1
If we know φ(n) we can calculate p and q easily.
Slide 38: p – q = sqrt((p + q)^2 – 4n)
(p – q)^2 = p^2 – 2pq + q^2 = p^2 + q^2 – 2n
(p + q)^2 = p^2 + q^2 + 2n
(p – q)^2 = (p + q)^2 – 4n
p – q = sqrt((p + q)^2 – 4n)
Slide 39: Determine d without φ(n)
Brute force: m digits long, amount of work is 10^m.
–Try 1T/second (special purpose hardware)
–Will take 3*10^30 years for m = 50.
–For factoring difficulty, m > 100. (Bigger than AES key)
Non-brute force: knowing d enables factoring.
Slide 40: Determining d ⇒ factoring
ed ≡ 1 mod φ(n)
k * φ(n) = ed – 1
Already showed finding φ(n) is the same as factoring.
Also true for a multiple of φ(n).
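The two reductions from slides 37 and 40 carried through in code, as an added example that is not part of the lecture: the first recovers p and q from φ(n) with the p + q and p – q formulas; the second factors n from any multiple of φ(n), such as ed – 1, by finding a square root of 1 mod n other than ±1 (the standard argument, with a constructed key n = 3233 = 61 · 53, e = 17, d = 2753 used only in the checks).

```python
import math
import random


def factor_from_phi(n, phi):
    """Slide 37: given n = p*q and phi = (p-1)(q-1), recover p and q.
    p + q = n - phi + 1 and (p - q)^2 = (p + q)^2 - 4n, so p and q follow."""
    s = n - phi + 1                      # p + q
    disc = s * s - 4 * n                 # (p - q)^2
    d = math.isqrt(disc)
    if d * d != disc:
        raise ValueError("phi is not (p-1)(q-1) for a two-prime n")
    return (s + d) // 2, (s - d) // 2    # (p, q) with p >= q


def factor_from_multiple_of_phi(n, m, seed=588):
    """Slide 40: factor n from any multiple m of phi(n), e.g. m = e*d - 1.
    Write m = 2^s * t.  For any a coprime to n, a^m = 1 (mod n), so along
    a^t, a^(2t), a^(4t), ... the value just before the first 1 is a square
    root of 1 mod n.  A root other than +-1 gives gcd(x - 1, n) = p or q.
    """
    rng = random.Random(seed)            # seeded so the run is reproducible
    t, s = m, 0
    while t % 2 == 0:
        t //= 2
        s += 1
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g > 1:                        # lucky: a itself shares a factor
            return max(g, n // g), min(g, n // g)
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                     # this base yields only trivial roots
        for _ in range(s):
            y = x * x % n
            if y == 1:                   # x is a nontrivial square root of 1
                g = math.gcd(x - 1, n)
                return max(g, n // g), min(g, n // g)
            if y == n - 1:
                break                    # chain hits -1 first: try another a
            x = y
```

Each random base succeeds with probability at least 1/2, so recovering p and q from a leaked d takes only a handful of modular exponentiations; this is why a compromised private exponent means the whole modulus, not just that key pair, must be retired.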
Slide 41: Properties of RSA's E and D
Trap-door one way function:
D(E(M)) = M
E and D are easy to compute.
Revealing E doesn't reveal an easy way to compute D
Trap-door one way permutation: also
E(D(M)) = M
Slide 42: Applications of RSA
Privacy:
–Bob encrypts message to Alice using E_A
–Only Alice knows D_A
Signatures:
–Alice encrypts a message using D_A
–Bob decrypts using E_A
–Knows it was from Alice, since only Alice knows D_A
Things you use every day: ssh, SSL, DNS, etc.
More than 400,000,000 copies of the RSA algorithm are currently installed
Slide 43: Faculty Candidate Talks
Wednesday, 3:30: Cliff Zou – modeling and detecting Internet worms
Monday, 3:30 (Olsson 009)
–Kevin Fu, MIT (PhD student of Ron Rivest and Frank Kaashoek)
–Secure content distribution using untrusted servers
Slide 44: Charge
Thursday: Doug Szajda
Monday: Kevin Fu, 3:30
Tuesday: what to do about all those couriers
Thursday: guest lecture, Daniel Mellen, Jennifer Combs and Trab Farrales from Accenture
–Implementing a public-key infrastructure in industry
Work on your projects