7/23/2019 The RSA Algorithmppt.ppt
The RSA Algorithm
JooSeok Song
2007. 11. 13. Tue
-
CCLAB
Private-Key Cryptography
traditional private/secret/single key cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are compromised
also is symmetric, parties are equal
hence does not protect sender from receiver forging a message & claiming is sent by sender
-
Public-Key Cryptography
probably most significant advance in the 3000 year history of cryptography
uses two keys: a public & a private key
asymmetric since parties are not equal
uses clever application of number theoretic concepts to function
complements rather than replaces private key crypto
-
Public-Key Cryptography
public-key/two-key/asymmetric cryptography involves the use of two keys:
a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
is asymmetric because
those who encrypt messages or verify signatures cannot decrypt messages or create signatures
-
Public-Key Cryptography
-
Why Public-Key Cryptography?
developed to address two key issues:
key distribution: how to have secure communications in general without having to trust a KDC with your key
digital signatures: how to verify a message comes intact from the claimed sender
public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
known earlier in classified community
-
Public-Key Characteristics
Public-Key algorithms rely on two keys with the characteristics that it is:
computationally infeasible to find decryption key knowing only algorithm & encryption key
computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)
-
Public-Key Cryptosystems
-
Public-Key Applications
can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one
-
Security of Public Key Schemes
like private key schemes brute force exhaustive search attack is always theoretically possible
but keys used are too large (>512 bits)
security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
more generally the hard problem is known, it's just made too hard to do in practise
requires the use of very large numbers
hence is slow compared to private key schemes
-
Cryptography Outline
Introduction: terminology, cryptanalysis, security
Primitives: one-way functions, one-way trapdoor functions, one-way hash functions
Protocols: digital signatures, key exchange, ..
Private-Key Algorithms: Rijndael, DES
Public-Key Algorithms: Knapsack, RSA, El-Gamal,
Case Studies: Kerberos, Digital Cash
-
Primitives: One-Way Functions
(Informally): A function Y = f(x) is one-way if it is easy to compute y from x but hard to compute x from y
Building block of most cryptographic protocols
And, the security of most protocols rely on their existence.
Unfortunately, not known to exist.
-
One-way functions: possible definition
1. F(x) is polynomial time
2. F^-1(x) is NP-hard
What is wrong with this definition?
-
One-way functions: better definition
For most x no single PPT (probabilistic polynomial time) algorithm can compute x given y
Roughly: at most a 1/|x|^k fraction of instances x are easy for any k and as |x| → ∞
-
Some examples (conjectures)
Factoring: x = (u,v), y = f(u,v) = u*v
If u and v are prime it is hard to recover them from y.
Discrete Log: y = g^x mod p where p is prime and g is a "generator" (i.e., g^1, g^2, g^3, ... generates all values < p).
DES with known message m: y = DES_x(m)
-
One-way functions in public-key protocols
y = ciphertext, m = plaintext, k = public key
Consider: y = E_k(m) (i.e., f = E_k)
Everyone knows k and thus f
E_k(m) needs to be easy
E_k^-1(y) should be hard
Otherwise eavesdropper could decrypt y.
But what about the intended recipient, who should be able to decrypt y?
-
One-way functions in private-key protocols
y = ciphertext, m = plaintext, k = key
Is y = E_k(m) (i.e. f = E_k) a one-way function with respect to y and m?
f is not easy to compute unless k is known
So what do one-way functions have to do with private-key protocols?
-
One-way functions in private-key protocols
y = ciphertext, m = plaintext, k = key
How about y = E_k(m) = E(k,m) = E_m(k) (i.e. f = E_m)
should this be a one-way function?
In a known-plaintext attack we know a (y,m) pair.
The m along with E defines f
E_m(k) needs to be easy
E_m^-1(y) should be hard
Otherwise we could extract the key k.
-
One-Way Trapdoor Functions
A one-way function with a "trapdoor"
The trapdoor is a key that makes it easy to invert the function y = f(x)
Example: RSA (conjecture)
y = x^e mod n
where n = pq (p, q prime; p, q, e random)
p or q or d (where ed = 1 mod (p-1)(q-1)) can be used as trapdoors
In public-key algorithms f(x) = public key (e.g., e and n in RSA)
-
One-way Hash Functions
Y = h(x) where y is a fixed length independent of the size of x. In general this means h is not invertible since it is many to one.
Calculating y from x is easy
Calculating any x such that y = h(x) given y is hard
Used in digital signatures and other protocols.
-
RSA
by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
based on exponentiation in a finite (Galois) field over integers modulo a prime
nb. exponentiation takes O((log n)^3) operations (easy)
uses large integers (eg. 1024 bits)
security due to cost of factoring large numbers
nb. factorization takes O(e^(log n log log n)) operations (hard)
-
RSA Key Setup
each user generates a public/private key pair by:
selecting two large primes at random - p, q
computing their system modulus N=p.q
note ø(N)=(p-1)(q-1)
selecting at random the encryption key e where 1<e
keep secret private decryption key: KR={d,p,q}
-
RSA Use
to encrypt a message M the sender:
obtains public key of recipient KU={e,N}
computes: C=M^e mod N, where 0≤M<N (block if needed)
-
Prime Numbers
prime numbers only have divisors of 1 and self
they cannot be written as a product of other numbers
note: 1 is prime, but is generally not of interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
prime numbers are central to number theory
list of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
-
Prime Factorisation
to factor a number n is to write it as a product of other numbers: n = a × b × c
note that factoring a number is relatively hard compared to multiplying the factors together to generate the number
the prime factorisation of a number n is when its written as a product of primes
eg. 91 = 7×13 ; 3600 = 2^4×3^2×5^2
-
Relatively Prime Numbers & GCD
two numbers a, b are relatively prime if have no common divisors apart from 1
eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor
conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers
eg. 300 = 2^1×3^1×5^2, 18 = 2^1×3^2 hence GCD(18,300) = 2^1×3^1×5^0 = 6
-
Fermat's Theorem
a^(p-1) mod p = 1
where p is prime and gcd(a,p)=1
also known as Fermat's Little Theorem
-
Euler Totient Function ø(n)
when doing arithmetic modulo n
complete set of residues is: 0..n-1
reduced set of residues is those numbers (residues) which are relatively prime to n
eg for n=10,
complete set of residues is {0,1,2,3,4,5,6,7,8,9}
reduced set of residues is {1,3,7,9}
number of elements in reduced set of residues is called the Euler Totient Function ø(n)
-
Euler Totient Function ø(n)
to compute ø(n) need to count number of elements to be excluded
in general need prime factorization, but
for p (p prime) ø(p) = p-1
for p.q (p,q prime) ø(p.q) = (p-1)(q-1)
eg. ø(37) = 36
ø(21) = (3-1)×(7-1) = 2×6 = 12
-
Euler's Theorem
a generalisation of Fermat's Theorem
-
Why RSA Works
because of Euler's Theorem
-
RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq = 17×11 = 187
3. Compute ø(n) = (p-1)(q-1) = 16×10 = 160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23×7 = 161 = 1×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}
-
RSA Example cont
sample RSA encryption/decryption is:
given message M = 88 (nb. 88
-
Exponentiation
can use the Square and Multiply Algorithm
a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base and multiplying in the ones that are needed to compute the result
look at binary representation of exponent
only takes O(log2 n) multiples for number n
eg. 7^5 = 7^4.7^1 = 3.7 = 10 mod 11
eg. 3^129 = 3^128.3^1 = 5.3 = 4 mod 11
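The RSA Example and Exponentiation slides, worked end to end as an added example (not code from the original slides). It uses the deck's toy values p=17, q=11, e=7, M=88; the function names are chosen here for illustration, and the extended Euclidean algorithm stands in for the "Inverse algorithm" the slides mention.

```python
# Added example, not from the original slides: textbook RSA on the deck's toy numbers.
# No padding and tiny primes, so this illustrates the arithmetic only.


def square_and_multiply(base, exponent, modulus):
    """Scan the exponent's bits left to right: square every step, multiply on 1-bits."""
    result = 1
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        if bit == "1":
            result = (result * base) % modulus
    return result


def extended_gcd(a, b):
    """Return (g, s, t) such that g = gcd(a, b) = s*a + t*b."""
    if b == 0:
        return a, 1, 0
    g, s, t = extended_gcd(b, a % b)
    return g, t, s - (a // b) * t


def rsa_key_setup(p, q, e):
    """Derive KU = (e, n) and KR = (d, p, q) from two primes and a chosen e."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = extended_gcd(e, phi)
    if not 1 < e < phi or g != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (e, n), (s % phi, p, q)  # d = e^-1 mod phi(n)


def rsa_encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus (block if needed)")
    return square_and_multiply(m, e, n)


def rsa_decrypt(c, private_key):
    d, p, q = private_key
    return square_and_multiply(c, d, p * q)


if __name__ == "__main__":
    ku, kr = rsa_key_setup(17, 11, 7)  # slide values: p=17, q=11, e=7
    c = rsa_encrypt(88, ku)
    print("KU =", ku, "KR =", kr)
    print("C =", c, "M =", rsa_decrypt(c, kr))
```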
-
Exponentiation
-
RSA Key Generation
users of RSA must:
determine two primes at random - p, q
select either e or d and compute the other
primes p,q must not be easily derived from modulus N=p.q
means must be sufficiently large
typically guess and use probabilistic test
exponents e, d are inverses, so use Inverse algorithm to compute the other
-
RSA Security
three approaches to attacking RSA:
brute force key search (infeasible given size of numbers)
mathematical attacks (based on difficulty of computing ø(N), by factoring modulus N)
timing attacks (on running of decryption)
-
Factoring Problem
mathematical approach takes 3 forms:
factor N=p.q, hence find ø(N) and then d
determine ø(N) directly and find d
find d directly
currently believe all equivalent to factoring
have seen slow improvements over the years
as of Aug-99 best is 130 decimal digits (512 bit) with GNFS
biggest improvement comes from improved algorithm
cf "Quadratic Sieve" to "Generalized Number Field Sieve"
barring dramatic breakthrough 1024+ bit RSA secure
ensure p, q of similar size and matching other constraints
-
Timing Attacks
developed in mid-1990's
exploit timing variations in operations
eg. multiplying by small vs large number
or IF's varying which instructions executed
infer operand size based on time taken
RSA exploits time taken in exponentiation
countermeasures
use constant exponentiation time
add random delays
blind values used in calculations
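The "blind values" countermeasure, sketched as an added example (not code from the original slides). It reuses the toy key N=187, e=7, d=23 from the RSA Example slide; `blinded_decrypt` is a name chosen here, and the optional `r` argument exists only so the arithmetic can be checked deterministically.

```python
# Added example, not from the original slides: RSA blinding on the deck's toy key.
import secrets
from math import gcd

N, E, D = 187, 7, 23  # toy key from the RSA Example slide


def blinded_decrypt(c, n=N, e=E, d=D, r=None):
    """Decrypt c so that the private exponentiation never runs on c itself.

    Returns (plaintext, blinded_ciphertext). The blinded value is what the
    private-key exponentiation actually processes; it changes on every call,
    so timing measurements no longer correlate with the submitted ciphertext.
    """
    # Pick a fresh blinding factor r that is invertible modulo n.
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2       # uniform in [2, n-1]
    c_blind = (c * pow(r, e, n)) % n           # C' = C * r^e mod n
    m_blind = pow(c_blind, d, n)               # (C')^d = M * r mod n
    m = (m_blind * pow(r, -1, n)) % n          # strip r: M = M*r * r^-1 mod n
    return m, c_blind


if __name__ == "__main__":
    for _ in range(3):
        m, seen = blinded_decrypt(11)
        print("plaintext", m, "value actually exponentiated", seen)
```

Blinding hides the operand from the timing channel; it complements, rather than replaces, constant-time exponentiation.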
-
Summary
have considered:
prime numbers
Fermat's and Euler's Theorems
-
Assignments
1. Perform encryption and decryption using RSA algorithm, as in Figure 1, for the following:
p = 3; q = 11, e = 7; M = 5
p = 5; q = 11, e = 3; M = 9
2. In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n = 35. What is the plaintext M?
Figure 1. Example of RSA Algorithm
Encryption: plaintext 88, 88^7 mod 187 = 11, ciphertext 11 (KU = 7, 187)
Decryption: ciphertext 11, 11^23 mod 187 = 88, plaintext 88 (KR = 23, 187)
-
Introduction
Discovered by Whitfield Diffie and Martin Hellman
"New Directions in Cryptography"
Diffie-Hellman key agreement protocol
Exponential key agreement
Allows two users to exchange a secret key
Requires no prior secrets
Real-time over an untrusted network
-
Introduction
Based on the difficulty of computing discrete logarithms of large numbers.
No known successful attack strategies*
Requires two large numbers, one prime (P), and (G), a primitive root of P
-
Implementation
P and G are both publicly available numbers
P is at least 512 bits
Users pick private values a and b
Compute public values
x = g^a mod p
y = g^b mod p
Public values x and y are exchanged
-
Implementation
Copyright, 2001 by NetIP, Inc. and Keith Palmgren, CISSP.
-
Implementation
Compute shared, private key
ka = y^a mod p
kb = x^b mod p
Algebraically it can be shown that ka = kb
Users now have a symmetric secret key to encrypt
-
Implementation
-
Example
-
Example
Alice and Bob get public numbers P = 23, G = 9
Alice and Bob compute public values
X = 9^4 mod 23 = 6561 mod 23 = 6
Y = 9^3 mod 23 = 729 mod 23 = 16
Alice and Bob exchange public numbers
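The Diffie-Hellman exchange from the Implementation and Example slides, as an added example (not code from the original slides). It uses P = 23, G = 9 and the private exponents 4 and 3 that appear in the slide's public-value computations, and it also checks the earlier requirement that G be a primitive root of P; the function names are chosen here.

```python
# Added example, not from the original slides: toy Diffie-Hellman with a generator check.


def element_order(g, p):
    """Smallest k >= 1 with g^k = 1 (mod p). Brute force, fine for a toy prime."""
    value, k = g % p, 1
    while value != 1:
        value = (value * g) % p
        k += 1
    return k


def is_primitive_root(g, p):
    """G is a primitive root of prime P exactly when its order is P - 1."""
    return element_order(g, p) == p - 1


def dh_exchange(p, g, a, b):
    """Run both sides of the exchange and return everything each side computes."""
    x = pow(g, a, p)        # Alice's public value, sent to Bob
    y = pow(g, b, p)        # Bob's public value, sent to Alice
    ka = pow(y, a, p)       # Alice: (g^b)^a mod p
    kb = pow(x, b, p)       # Bob:   (g^a)^b mod p
    return {"x": x, "y": y, "ka": ka, "kb": kb}


def reachable_secrets(p, g):
    """Number of distinct values the shared key can take for this (P, G)."""
    return len({pow(g, k, p) for k in range(1, p)})


if __name__ == "__main__":
    print(dh_exchange(23, 9, 4, 3))
    # G = 9 has order 11 modulo 23, so only 11 of the 22 nonzero residues
    # can ever appear as a shared key; G = 5 is a primitive root and reaches all 22.
    for g in (9, 5):
        print(g, element_order(g, 23), is_primitive_root(g, 23), reachable_secrets(23, g))
```

A parameter check like `is_primitive_root` (or, for real sizes, a check against the known subgroup order) belongs wherever P and G are accepted from a peer or a config file.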
-
Applications
Diffie-Hellman is currently used in many protocols, namely:
Secure Sockets Layer (SSL)/
-
Digital Signature Model
-
Digital Signature Model
-
Digital Signature Requirements
must depend on the message signed
must use information unique to sender
to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize & verify
be computationally infeasible to forge
with new message for existing digital signature
with fraudulent digital signature for given message
be practical save digital signature in storage
-
Direct Digital Signatures
involve only sender & receiver
assumed receiver has sender's public-key
digital signature made by sender signing entire message or hash with private-key
can encrypt using receivers public-key
important that sign first then encrypt message & signature
security depends on sender's private-key
-
ElGamal Digital Signatures
signature variant of ElGamal, related to D-H
so uses exponentiation in a finite (Galois) field
with security based difficulty of computing discrete logarithms, as in D-H
use private key for encryption (signing)
uses public key for decryption (verification)
each user (eg. A) generates their key
chooses a secret key (number): 1 < xA < q-1
compute their public key: yA = a^xA mod q
-
ElGamal Digital Signature
Alice signs a message M to Bob by computing the hash m = H(M), 0
-
ElGamal Signature Example
use field GF(19) q=19 and a=10
Alice computes her key:
A chooses xA=16 & computes yA = 10^16 mod 19 = 4
Alice signs message with hash m=14 as (3,4):
choosing random K=5 which has gcd(18,5)=1
computing S1 = 10^5 mod 19 = 3
finding K^-1 mod (q-1) = 5^-1 mod 18 = 11
computing S2 = 11(14-16.3) mod 18 = 4
any user B can verify the signature by computing
V1 = 10^14 mod 19 = 16
V2 = 4^3.3^4 = 5184 = 16 mod 19
since 16 = 16 signature is valid
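The ElGamal signature example above, as an added example (not code from the original slides). It uses the slide's values q=19, a=10, xA=16, K=5, m=14; the function names are chosen here, and the range check in the verifier is an addition that the slide's worked numbers do not show.

```python
# Added example, not from the original slides: toy ElGamal sign/verify over GF(19).
from math import gcd


def elgamal_public_key(q, a, x_a):
    """yA = a^xA mod q for a secret key with 1 < xA < q-1."""
    if not 1 < x_a < q - 1:
        raise ValueError("secret key must satisfy 1 < xA < q-1")
    return pow(a, x_a, q)


def elgamal_sign(m, q, a, x_a, k):
    """Sign hash value m with per-message secret K; returns (S1, S2)."""
    if gcd(k, q - 1) != 1:
        raise ValueError("K must be relatively prime to q-1")
    s1 = pow(a, k, q)                          # S1 = a^K mod q
    k_inv = pow(k, -1, q - 1)                  # K^-1 mod (q-1)
    s2 = (k_inv * (m - x_a * s1)) % (q - 1)    # S2 = K^-1 (m - xA*S1) mod (q-1)
    return s1, s2


def elgamal_verify(m, signature, q, a, y_a):
    """Accept iff a^m = yA^S1 * S1^S2 (mod q) and both components are in range."""
    s1, s2 = signature
    if not (0 < s1 < q and 0 <= s2 < q - 1):   # reject out-of-range components
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y_a, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2


if __name__ == "__main__":
    q, a, x_a = 19, 10, 16                     # slide values
    y_a = elgamal_public_key(q, a, x_a)
    sig = elgamal_sign(14, q, a, x_a, k=5)
    print("yA =", y_a, "signature =", sig)
    print("valid for m=14:", elgamal_verify(14, sig, q, a, y_a))
    print("valid for m=15:", elgamal_verify(15, sig, q, a, y_a))
```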
-
Digital Signature Standard (DSS)
US Govt approved signature scheme
designed by NIST & NSA in early 90's
published as FIPS-186 in 1991
revised in 1993, 1996 & then 2000
uses the SHA hash algorithm
DSS is the standard, DSA is the algorithm
FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
DSA is digital signature only unlike RSA
is a public-key technique
-
DSS vs RSA Signatures
-
Digital Signature Algorithm (DSA)
creates a 320 bit signature
with 512-1024 bit security
smaller and faster than RSA
a digital signature scheme only
security depends on difficulty of computing discrete logarithms
variant of ElGamal & Schnorr schemes
-
DSA Key Generation
have shared global public key values (p,q,g):
choose 160-bit prime number q
choose a large prime p with 2^(L-1)
-
DSA Signature Creation
to sign a message M the sender:
generates a random signature key k, k
-
DSA Signature Verification
having received M & signature (r,s)
to verify a signature, recipient computes:
w = s^-1 mod q
u1 = [H(M)w] mod q
u2 = (rw) mod q
v = [(g^u1 y^u2) mod p] mod q
if v=r then signature is verified
see Appendix A for details of proof why
-
DSS Overview