
The RSA Algorithm Rocky K. C. Chang, March 2014 1.


1 The RSA Algorithm
Rocky K. C. Chang, March 2014

2 Outline
- Trapdoor one-way function
- The RSA algorithm
- Some practical considerations
- RSA's security
- Some pitfalls of RSA

3 Trapdoor one-way function
- Suppose $n = p \times q$, where $p$ and $q$ are large primes.
- Consider $f(m) = m^e \bmod n$.
- For certain values of $e$, and provided that $n$ is large enough, $f(m)$ is a one-way function.
  - It is computationally infeasible to obtain $m$ based on the knowledge of $n$, $e$, and $f(m)$.
- However, with the knowledge of a certain trapdoor, the inversion is easy to do.
- The trapdoor for RSA is the factorization of $n$ (i.e., the knowledge of $p$ and $q$).

4 The RSA algorithm
- Let $n = p \times q$, where $p$ and $q$ are primes. Note that $n$ is a composite number.
- Let $M = C = \mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$.
- $K = \{(n, p, q, d, e) : e \times d \equiv 1 \pmod{\phi(n)}\}$.
  - We will see that $\phi(n) = (p-1)(q-1)$.
- For $K = (n, p, q, d, e)$, define
  - $E_K(m) = m^e \bmod n$, and
  - $D_K(c) = c^d \bmod n$, where $m, c \in \mathbb{Z}_n$.
- The $(n, e)$ comprise the "public key."
- The $(p, q, \phi(n), d)$ comprise the "private key."

5 To probe further
- Both encryption and decryption involve modulo multiplications.
- Since $n$ is a composite, $\mathbb{Z}_n$ is not a group under modulo multiplication, i.e., the inverse may not exist.
  - $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$.
  - $\mathbb{Z}_n \setminus \mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) > 1\}$.
- How many elements are in $\mathbb{Z}_n^*$?
  - We denote the number of elements by $\phi(n)$.
  - Recall that $\phi(n)$ is used in determining $d$ and $e$.

6 The value of $\phi(n)$
- Note that $\gcd(a, n) = 1$ iff $\gcd(a, p) = 1$ and $\gcd(a, q) = 1$.
- There are $q$ numbers in $\mathbb{Z}_n$ that satisfy $a \bmod p = 0$: $\{0, p, 2p, \ldots, (q-1)p\}$.
- There are $p$ numbers in $\mathbb{Z}_n$ that satisfy $a \bmod q = 0$: $\{0, q, 2q, \ldots, (p-1)q\}$.
- Therefore, the total number of elements $a$ in $\mathbb{Z}_n$ with $\gcd(a, n) > 1$ is $p + q - 1$ (0 appears in both lists).
- Thus, $\phi(n) = p \times q - (p + q - 1) = (p-1)(q-1)$.
- Use the well-known result (in slide 28 of the prelude slides) that if $b \in \mathbb{Z}_n^*$, then $b^{\phi(n)} \equiv 1 \pmod{n}$.
  - Therefore, $a^{(p-1)(q-1)} \equiv 1 \pmod{n}$, for $a \in \mathbb{Z}_n^*$.

7 For example,
- Let $p = 3$, $q = 5$. Therefore, $n = 15$ and $(p-1)(q-1) = 8$.
- For any $a \in \{0, 3, 5, 6, 9, 10, 12\}$, $a^8 \not\equiv 1 \pmod{15}$.
- For any $a \in \{1, 2, 4, 7, 8, 11, 13, 14\}$, $a^8 \equiv 1 \pmod{15}$, e.g.,
  - $2^4 \equiv 1 \pmod{15}$.
  - $4^2 \equiv 1 \pmod{15}$.
  - $7^4 \equiv 1 \pmod{15}$.
  - ……
- Note that primitive elements may not exist in $\mathbb{Z}_n^*$, because $n$ is not a prime.

8 The relationship between e and d
- The values of $e$ and $d$ have to satisfy
  - $e \times d \equiv 1 \pmod{(p-1)(q-1)}$.
  - Recall that $d$ exists iff $\gcd(e, (p-1)(q-1)) = 1$ (slide 17 of the prelude slides).
- For example, $p = 101$ and $q = 113$.
  - $n = p \times q = 11413$.
  - $\phi(n) = (p-1)(q-1) = 11200 = 2^6 \times 5^2 \times 7$.
  - Pick $e = 3533$, which is not divisible by 2, 5, or 7.
  - Use the extended Euclidean algorithm to compute $d = e^{-1} \bmod 11200 = 6597$.
- To encrypt $m = 9726$, compute $9726^{3533} \bmod 11413 = 5761$.
- To decrypt $c = 5761$, compute $5761^{6597} \bmod 11413 = 9726$.

9 $D_K(E_K(m)) = m$?
- Recall that $e \times d \equiv 1 \pmod{\phi(n)}$.
- In other words, $e \times d = t\,\phi(n) + 1$, where $t$ is a nonnegative integer.
- Part I: Let's consider an $m \in \mathbb{Z}_n^*$.
  - $(m^e)^d \equiv m^{t\phi(n)+1} \pmod{n}$.
  - $(m^e)^d \equiv (m^{\phi(n)})^t\, m \pmod{n}$.
  - $(m^e)^d \equiv (1)^t\, m \pmod{n}$.
  - $(m^e)^d \equiv m \pmod{n}$.

10 $D_K(E_K(m)) = m$?
- Part II: Let's consider an $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$.
- Using the Chinese Remainder Theorem, $m \bmod n$ can be uniquely represented by $(m \bmod p, m \bmod q)$.
- Note that one of the following is true:
  - $m \bmod p = 0$ and $m \bmod q = 0$, or
  - $m \bmod p = 0$ and $m \bmod q \neq 0$, or
  - $m \bmod p \neq 0$ and $m \bmod q = 0$.
- For $m \bmod p = 0$ and $m \bmod q = 0$,
  - $m^{ed} \bmod p = 0$ and $m^{ed} \bmod q = 0$.
  - Therefore, $m^{ed} \equiv m \equiv 0 \pmod{p}$ and $m^{ed} \equiv m \equiv 0 \pmod{q}$.
- For those cases where exactly one of $m \bmod p$ and $m \bmod q$ is 0,
  - Say $m \bmod p = 0$ and $m \bmod q \neq 0$.
  - By the CRT, $m^{ed} \bmod n$ can be represented by $(0, m^{ed} \bmod q)$.
  - Using the previous two results, $(0, m^{ed} \bmod q)$ is equal to $(0, m \bmod q)$.

11 Digital signing using RSA
- To sign a message $m$, Alice computes $s = m^d \bmod n$.
- The pair $(m, s)$ is a signed message.
- To verify the signature, anyone who knows the public key can verify that $s^e \bmod n$ equals $m$, the message itself.

12 Some practical considerations

13 Generating the RSA parameters
1. Generate 2 large primes, $p$ and $q$ (each with size $k/2$ bits).
2. $n$ ($k \geq 2048$ bits) $\leftarrow p \times q$ and $\phi(n) \leftarrow (p-1)(q-1)$.
3. Choose a random $e$ ($1 < e < \phi(n)$) such that $\gcd(e, \phi(n)) = 1$.
4. $d = e^{-1} \bmod \phi(n)$.
5. Publish $(n, e)$ and safeguard the secret $(p, q, \phi(n), d)$.

14 Generating the RSA parameters
1. Need an efficient algorithm to generate a large prime.
   - The Rabin-Miller test determines whether an odd integer $n$ is prime.
2. Find 2 large primes.
3. Use the Euclidean algorithm to make sure that $\gcd(e, \phi(n)) = 1$.
4. Use the extended Euclidean algorithm to compute $d = e^{-1} \bmod \phi(n)$.

15 Practical considerations
- Usually fix the value of $e$, e.g., $e = 3$ for signatures and $e = 5$ for encryption.
  - There are pitfalls when one is using the same exponent for both encryption and signatures.
  - Therefore, $p - 1$ and $q - 1$ cannot be multiples of 3 or 5.
  - Smaller exponent for signatures (why?)
  - Some problems with small exponents (to be discussed shortly).
- Other common values for $e$ are 17 and 65537.

16 RSA's (in)security

17 The RSA's security
- An obvious attack against RSA is to factor $n$.
  - If this can be done, then obtain $p$ and $q$.
  - Compute $(p-1)(q-1)$.
  - Compute $e^{-1} \bmod (p-1)(q-1) = d$.
- Roughly speaking, breaking the RSA algorithm is as difficult as factoring $n$.
- The "current" factoring algorithms are able to factor numbers having up to 512 bits.
- On the safe side, $n \geq 2048$ bits to make the factoring problem computationally infeasible to solve.

18 The RSA's security
- Moreover, if one can obtain $\phi(n)$, one can obtain other elements in the private key.
- First of all, one can obtain $p$ and $q$ by solving
  - $n = p \times q$ and
  - $\phi(n) = (p-1)(q-1)$.
- The solution for $p$ is given by
  - $p^2 - (n - \phi(n) + 1)p + n = 0$.
- In other words, if one can compute $\phi(n)$, one can factor $n$ into $p$ and $q$.
- Lastly, what happens if one can obtain the value of $d$?
  - $n$ can be factored in polynomial time using a randomized algorithm.
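
Why every element of the private key must be protected, shown as an added Python example that is not part of the original slides: the quadratic from slide 18 recovers $p$ and $q$ from $\phi(n)$, and a standard randomized procedure (the slide names no specific algorithm, so this choice is an assumption) does the same from $d$. Function names are hypothetical; the key is the toy key from slide 8.

```python
import math
import secrets

def factor_from_phi(n, phi):
    """Solve p^2 - (n - phi + 1) p + n = 0 for the two prime factors."""
    s = n - phi + 1                 # s = p + q
    disc = s * s - 4 * n            # equals (p - q)^2 for a genuine phi
    if disc < 0:
        raise ValueError("phi is not consistent with n")
    root = math.isqrt(disc)
    if root * root != disc:
        raise ValueError("phi is not consistent with n")
    return (s - root) // 2, (s + root) // 2

def factor_from_d(n, e, d):
    """Randomized factoring of n given a matching pair (e, d)."""
    k = e * d - 1                   # a multiple of phi(n), hence even
    r, t = 0, k
    while t % 2 == 0:               # write k = 2^r * t with t odd
        r, t = r + 1, t // 2
    while True:
        a = 2 + secrets.randbelow(n - 3)
        g = math.gcd(a, n)
        if g > 1:                   # the random base already shares a factor
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        for _ in range(r):
            y = pow(x, 2, n)
            # x is a square root of 1 other than +1 or -1: it splits n
            if y == 1 and x not in (1, n - 1):
                g = math.gcd(x - 1, n)
                return tuple(sorted((g, n // g)))
            x = y
        # this base revealed nothing; try another one

# Slide 8 toy key: n = 11413, e = 3533, d = 6597, phi(n) = 11200
if __name__ == "__main__":
    print(factor_from_phi(11413, 11200))
    print(factor_from_d(11413, 3533, 6597))
```
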

19 Pitfalls using RSA
- Problem 1: If Alice signs 2 messages $m_1$ and $m_2$, Eve can compute Alice's signature on $m_3 = m_1 m_2 \bmod n$.
  - Original signatures: $m_1^d$ and $m_2^d$.
  - Eve can produce the signature for $m_3$ by multiplying $m_1^d$ and $m_2^d$.

20 Pitfalls using RSA
- Problem 2: When RSA is used to encrypt a very small message $m$.
  - E.g., if $e = 5$ and $m < n^{1/5}$, then $m^e = m^5 < n$. Therefore, no mod $n$ operation is needed.
  - Simply take a fifth root of $c$ to recover $m$!
  - For example, if encrypting a 256-bit key using RSA, the encrypted key is less than $2^{256 \times 5} = 2^{1280} \ll 2^{2048}$ if $n$ is a 2048-bit integer.
- The main problem is the existence of a structure in the numbers that RSA operates on.
- A possible approach is to use an encoding function to destroy the structure as much as possible.

21 Message encryption using RSA
- Using RSA to encrypt a message is almost never practiced.
  - The size of the message is limited by the size of $n$.
- Instead, choose a random secret key $K$, and encrypt $K$ with the RSA key.
- The message encryption is based on a secret-key cryptosystem.
- Sending $K^e \bmod n$, $E_K(m)$.

22 Message encryption using RSA
- A better approach is:
  - Choose a suitable random number $r \in \{0, 1, \ldots, n-1\}$.
  - Set $K = h(r)$, where $h()$ is some hash function.
  - Send $r^e \bmod n$ and $E_K(m)$.
- Advantages:
  - There is no structure in $r$.
  - The hash function ensures that no structure between $r$'s propagates to structure in the $K$'s.
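
The small-message pitfall from slide 20 next to the approach on slide 22, as an added Python example that is not part of the original slides. The key is a constructed demo key built from two Mersenne primes so that $e = 5$ is valid; SHA-256 stands in for $h()$, the symmetric step $E_K(m)$ is left out, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed demo key (Mersenne primes; not a secure way to choose p and q).
P, Q = 2**1279 - 1, 2**2203 - 1
N, E = P * Q, 5
D = pow(E, -1, (P - 1) * (Q - 1))       # Python 3.8+ modular inverse

def iroot(c, k):
    """Largest integer x with x**k <= c, by binary search."""
    lo, hi = 0, 1 << (c.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo

def raw_encrypt(m):
    """Slide 21 as written: the short key itself is the RSA input."""
    return pow(m, E, N)

def recover_small_message(c):
    """Succeeds without the private key whenever m**E < N (no reduction)."""
    x = iroot(c, E)
    return x if x ** E == c else None

def kdf(r):
    """K = h(r), with r encoded at the full byte length of n."""
    return hashlib.sha256(r.to_bytes((N.bit_length() + 7) // 8, "big")).digest()

def encapsulate():
    """Slide 22: uniform r in Z_n, send r^e mod n, use K = h(r)."""
    r = secrets.randbelow(N)
    return pow(r, E, N), kdf(r)

def decapsulate(c0):
    return kdf(pow(c0, D, N))

if __name__ == "__main__":
    key = secrets.randbits(256)
    print(recover_small_message(raw_encrypt(key)) == key)   # root recovers it
    c0, k = encapsulate()
    print(recover_small_message(c0), decapsulate(c0) == k)  # root fails, K agrees
```
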

23 Digital signatures using RSA
- Problem: remove the structures of the messages that are signed.
- Use a hash function to hash the messages.
- The hash function's output (e.g., 256 bits) is small compared with the size of $n$ (e.g., 2048 bits).
- Cannot use the hash function output directly in RSA.

24 Digital signatures using RSA
- A solution is to use a pseudorandom mapping to expand $h(m)$ to a random number $s \in \{0, 1, \ldots, n-1\}$.
- If you ask Alice to sign a number of messages $m_1, m_2, \ldots, m_i$,
  - Eve can get hold of the $(m, s)$, but the values of $s$ are effectively random.
  - Thus, the information does not help forge Alice's signature.
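
Problem 1 from slide 19 beside the hash-and-expand remedy of slides 23 and 24, as an added Python example that is not part of the original slides. The key is a constructed demo key from two Mersenne primes, the expansion (SHA-256 in counter mode, reduced mod $n$) is one illustrative choice of pseudorandom mapping and not the PKCS #1 encoding, and all function names are hypothetical.

```python
import hashlib

# Constructed demo key (Mersenne primes; not a secure way to choose p and q).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # Python 3.8+ modular inverse
NBYTES = (N.bit_length() + 7) // 8

def expand(msg: bytes) -> int:
    """Pseudorandom mapping of the message hash into {0, ..., n-1}."""
    need = NBYTES + 16                  # extra bytes keep the mod-n bias negligible
    stream, ctr = b"", 0
    while len(stream) < need:
        stream += hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        ctr += 1
    return int.from_bytes(stream[:need], "big") % N

def sign_textbook(m: int) -> int:
    return pow(m, D, N)                 # slide 11: s = m^d mod n

def verify_textbook(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N

def sign_hashed(msg: bytes) -> int:
    return pow(expand(msg), D, N)       # sign the expanded hash, not m itself

def verify_hashed(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == expand(msg)

def product_forgery(m1: int, m2: int):
    """Multiply two of Alice's signatures and test the result on m3 = m1*m2 mod n.

    Returns (textbook_accepts, hashed_accepts)."""
    m3 = m1 * m2 % N
    enc = lambda x: x.to_bytes(NBYTES, "big")
    s3_text = sign_textbook(m1) * sign_textbook(m2) % N
    s3_hash = sign_hashed(enc(m1)) * sign_hashed(enc(m2)) % N
    return verify_textbook(m3, s3_text), verify_hashed(enc(m3), s3_hash)

if __name__ == "__main__":
    # Constructed sample messages.
    print(product_forgery(1234567, 7654321))
```
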

25 The RSA Lab's public-key cryptography standard
- PKCS #1 for RSA or RFC 3447 covers
  - Data conversion primitives: a text ↔ a non-negative integer
  - Cryptographic primitives
  - Encryption schemes
    - RSAES-OAEP (for new applications): cryptographic primitives + Bellare and Rogaway's Optimal Asymmetric Encryption scheme
    - RSAES-PKCS1-v1_5 (for existing applications): cryptographic primitives + a PKCS1-v1_5 encoding method
  - Digital signature schemes
    - RSASSA-PSS (for new applications): cryptographic primitives + a probabilistic signature scheme-based encoding method
    - RSASSA-PKCS1-v1_5 (for existing applications): cryptographic primitives + a PKCS1-v1_5 encoding method

26 Conclusions
- RSA can be used for encryption as well as digital signatures.
- The security of RSA rests on the difficulty of factoring a large number into 2 primes.
- RSA encryption and decryption require expensive exponentiation operations.
  - The CRT helps accelerate the operations.
- In practice, RSA is used to encrypt a secret key with an encoding function.
- In practice, the messages to be signed have to go through a hash function to destroy the message structures.

27 Acknowledgments
- The notes are prepared mostly based on
  - D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.
  - N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003.
  - http://www.rsa.com/rsalabs/pkcs/files/h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf

