RSA Cryptography
Taravat Moshtagh
Department of Mathematics and Statistics
York University
January 19th 2006
RSA Crptography 2
Outline
Part I
  Introduction to RSA cryptography
  Basic terminology
  Mathematics behind the RSA
  How the algorithm works
  How secure the algorithm is
  Conclusion
Part II
  Introduction to Maple; Maple worksheet for RSA
What is meant by cryptography?
Cryptography comes from the Greek words kryptós, meaning "hidden", and gráphein, meaning "to write". So cryptography is "secret" or "hidden" writing.
Cryptology is as old as writing itself, and has been used for thousands of years to safeguard military and diplomatic communications.
Cryptography is the art of keeping information secret from all but those who are authorized to see it.
Basic terminology
Plaintext: Data that can be read and understood without any special measures. It is also the message.
Encryption: Encoding the contents of the message in such a way that hides its contents from outsiders.
Ciphertext: The encrypted message.
Decryption: The process of retrieving the plaintext from the ciphertext.
Key: A key is a value that works with a cryptographic algorithm to produce a specific ciphertext. Keys are basically really, really, really big numbers. Key size is measured in bits; the number representing a 1024-bit key is darn huge.
Public Key: The user releases a copy of this key to the public to allow anyone to use it for encrypting messages to be sent to the user and for decrypting messages received from the user.
Private Key: The user keeps the private key secret and uses it to encrypt outgoing messages and decrypt incoming messages.
For our scenarios we suppose that Alice and Bob are two users. Now we would like to know how Bob can send a private message to Alice in a cryptosystem.
[Figure: Bob sends the message "Hi Alice" to Alice.]
Simple example
Suppose Bob wants to encode the words "Hi Alice" using the "shift by 3" rule, that is, he offsets the alphabet so that the 3rd letter down (D) begins the alphabet. So starting with
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
and sliding everything up by 3, he gets
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
where D=A, E=B, F=C, and so on. Using this scheme, the plaintext "Hi Alice" encrypts as "Kl Dolfh". To allow Alice to read the ciphertext, Bob tells her that the key is "shift by 3".
Encryption and Decryption
[Figure: Bob: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext: Alice; the key is shown with the encryption and decryption steps.]
Symmetric key cryptography
[Figure: Bob: Plaintext -> Encryption -> Ciphertext -> Decryption -> Original plaintext: Alice]
Encryption and decryption rely on having a key (a word, number, or phrase to encrypt and decrypt). Encryption and decryption use the same key. The problem is the difficulty of secure key distribution.
Question: How could the key be transferred between Bob and Alice without being intercepted?
One might argue that we could simply encrypt the key, but this would require another key that tells how to encrypt the first key... and we would just run in circles!
A public-key cryptosystem needs no private couriers; the keys can be distributed over the insecure communications channel. (Retrieved from http://theory.lcs.mit.edu/~rivest/rsapaper.pdf)
Public-key Cryptography
[Figure: Bob: Plaintext -> Encryption (encryption key) -> Ciphertext -> Decryption (decryption key) -> Original plaintext: Alice]
The problems of key distribution are solved by public key cryptography, the concept of which was introduced by Diffie, Hellman and Merkle in 1976.
The big idea is to use a pair of keys for encryption: a public key, which encrypts data, and a corresponding private key for decryption. This algorithm provided an implementation for secure public key distribution, but didn't implement digital signatures.
RSA public key cryptography
The RSA Public Key Cryptography was invented in 1978 by three researchers at MIT named Rivest, Shamir and Adleman. RSA stands for the first letter in each of its inventors' last names.
RSA is an elegant algorithm based on the product of two large prime numbers that exactly fits the requirement for a practical public key cryptography implementation.
RSA Public-key cryptography
[Figure: Bob: Plaintext -> Encryption (Alice public key) -> Ciphertext -> Decryption (Alice private key) -> Original plaintext: Alice]
Bob encrypts the message using Alice's public key. Alice decrypts using her private key.
When Bob wants to send a secure message to Alice, Bob uses Alice's public key (for example her email address) to encrypt the message. Alice then uses her private key (for example her password) to decrypt it.
The background number theory required to understand how RSA works
Basics:
A number is prime if the only numbers that exactly divide it are 1 and itself.
A pair of numbers are relatively prime if the greatest common divisor of them is 1.
Note: If p and q are distinct prime numbers, they are certainly relatively prime to each other.
Multiplicative Inverses
Theorem. A number "e" has a multiplicative inverse mod n if and only if gcd(e, n) = 1.
If "e" has a multiplicative inverse mod n, it is unique.
Further, there is an efficient algorithm to test whether "e" and "n" are relatively prime, and if so, calculate the inverse of "e".
Fermat's Little Theorem
If "p" is a prime number and "a" is any integer between 1 and p-1 inclusive, then
$a^{p-1} = 1 \pmod{p}$
Euler's theorem
For any number "a" relatively prime to "n" there exists the congruence
$a^{\Phi(n)} = 1 \pmod{n}$
Phi(n) is the number of positive integers less than "n" and relatively prime to "n".
The Chinese Remainder Theorem
Suppose "a" and "b" are relatively prime. If
x = y (mod a) and x = y (mod b)
then
x = y (mod a × b)
Solving a problem
Suppose I have
• a prime number p;
• a number M between 1 and p-1 inclusive;
• another number "e" also between 1 and p-1;
And I compute
• $C = M^e \pmod{p}$
If I give you C, e and p, can you find M?
Yes you can if you take the following steps:
1. Find a number "d" such that e × d = 1 (mod p-1)
2. Compute $C^d \bmod p$
Why does that work?
1. We found "d" such that e × d = 1 mod p-1. That means that e × d - 1 = k(p-1) for some integer k, or
ed = k(p-1) + 1
2. We computed $C^d \bmod p$. Since $C = M^e \pmod{p}$, then
$C^d = (M^e)^d \pmod{p}$
$= M^{ed} \pmod{p}$
$= M^{k(p-1)+1} \pmod{p}$ (since ed = k(p-1) + 1)
$= M^{k(p-1)} \times M \pmod{p}$
$= (M^{p-1})^k \times M \pmod{p}$
$= 1 \times M \pmod{p}$ (by Fermat's little theorem)
$= M \pmod{p}$
Fact!
If the modulus is not a prime number then the method doesn't work.
Why doesn't it work?
In general $a^{n-1} \neq 1 \bmod n$ if n is not prime.
We could make the method for finding M work if we knew the number "r" such that
$M^r = 1 \pmod{n}$
If gcd(M, n) = 1 then there will be such a number "r" and there is a way to find it.
Finding r
In order to find "r" such that $M^r = 1 \pmod{n}$, we have to be able to factorize "n" and find all of its prime factors.
Suppose n = p × q where p and q are primes; then
r = Phi(n) = (p-1) × (q-1)
Important notes:
1. It is easy to compute the product of two large primes n = p × q.
2. Setting Phi(n) = (p-1) × (q-1) we have $M^{\Phi(n)} = 1 \pmod{n}$ for all M co-prime with n.
3. Given "e" (co-prime with Phi(n)), it is easy to determine "d" such that e × d = 1 mod (p-1)(q-1).
4. It is easy to compute $M^e \bmod n$.
5. If $C = M^e \pmod{n}$ then $M = C^d \pmod{n}$, and it is easy to compute $C^d \bmod n$ if you know "d".
6. You can find "d" if you can find Phi(n) and you can find Phi(n) if you can factorise "n".
7. Factorizing "n" is hard.
8. This is the basis of the RSA public key cryptosystem. The holder of the public key knows "p" and "q" and therefore he/she can find Phi(n) and therefore "d" and can compute $C^d \bmod n$ to find M.
9. No-one else knows "p" and "q", so they cannot find Phi(n) or "d" and so they cannot recover M.
RSA – Key Generation
1. Alice generates two large primes p and q (each with at least 100 decimal digits).
2. She computes n = p × q.
3. She computes Phi(n) = (p-1) × (q-1).
4. She chooses a random number "e" for which gcd(e, Phi(n)) = 1.
5. She computes the private key "d" by solving the equation e × d = 1 mod Phi(n).
6. She can now carefully dispose of the values of p, q and Phi(n).
7. Alice keeps "d" private but publishes the value of the pair (e, n) (this is her public key).
RSA - Encryption
We distinguish Bob's and Alice's encryption and decryption procedures with subscripts: $E_A$, $D_A$ and $E_B$, $D_B$.
Bob wishes to send Alice a message M. He takes the following steps:
1. He looks up Alice's public key pair (e, n).
2. He computes the ciphertext C and sends it to Alice:
$C = E_A(M) = M^e \pmod{n}$
RSA - Decryption
Alice receives the value C from Bob. She decrypts it since she knows the key $D_A$. The decoding M′ is
$M' = D_A(E_A(M)) = D_A(M^e) = (M^e)^d \pmod{n}$
We have to prove that this works! Namely that M′ will be equal to the original M.
Why does the RSA algorithm work?
For any integer (message) M which is relatively prime to n, due to Euler and Fermat theorem:
$M^{\Phi(n)} = 1 \pmod{n}$   (1)
Since $e \cdot d = 1 \pmod{\Phi(n)}$, for some integer k, $e \cdot d - 1 = k\,\Phi(n)$, or $e \cdot d = 1 + k\,\Phi(n)$.
Then
$M^{ed} = M^{1 + k\Phi(n)} = M \pmod{n}$
From (1) we see that for all M such that p does not divide M:
$M^{p-1} = 1 \pmod{p}$
and since (p-1) divides $\Phi(n) = (p-1)(q-1)$,
$M^{ed} = M^{1 + k\Phi(n)} \pmod{p} = M \cdot M^{k\Phi(n)} \pmod{p}$
$= M \cdot (M^{\Phi(n)})^k = M \cdot (1)^k = M \pmod{p}$
And then $p \mid M^{ed} - M$.
Arguing similarly for q yields $q \mid M^{ed} - M$.
Together these last two equations imply that for all M,
$M^{ed} = M^{1 + k\Phi(n)} = M \pmod{n}$
Since p and q are distinct primes, it follows that their product p·q is also a divisor of $M^{ed} - M$.
RSA Public Key System
Choose prime numbers p and q.
Find their product n = pq.
Calculate Phi(n) = (p-1)(q-1).
Select an integer e, in which the gcd( e, Phi(n))= 1.
Calculate d such that e*d = 1 mod Phi(n).
The public key is (e, n). The private key is (d, n).
Plaintext can be any number M, where M < n, and neither p nor q divides M.
The ciphertext is $C = M^e \pmod{n}$.
The plaintext is $M^{ed} \pmod{n}$.
Example
Choose 11 and 13.
Calculate n = 11*13 = 143
Calculate Phi(n) = (11-1)*(13-1) = 120.
Let e = 7.
We want 7*d = 1 mod 120. Thus d = 103, as 7*103 = 721 = 1 mod 120.
The public key is (7, 143).
The private key is (103, 143).
Let the numerical representation of M be M = 5, for example.
The ciphertext is $C = 5^7 \pmod{143} = 47$.
The plaintext is $47^{103} \pmod{143} = 5$.
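The multiplicative-inverse theorem, the key generation steps and the worked example above (p = 11, q = 13, e = 7, M = 5), put together as an added Python example; it is not part of the original slides or the Maple worksheet, and the function names are assumptions chosen for illustration. It is textbook RSA with caller-supplied primes and no padding, so it shows the arithmetic only.

```python
# Added example: textbook RSA with the slides' toy numbers (p=11, q=13, e=7).
# Function names are illustrative assumptions; no padding, so teaching use only.

def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_x, x = x, old_x - quotient * x
        old_y, y = y, old_y - quotient * y
    return old_r, old_x, old_y


def mod_inverse(e, n):
    """Inverse of e mod n; it exists if and only if gcd(e, n) == 1."""
    g, x, _ = extended_gcd(e, n)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {n} (gcd = {g})")
    return x % n


def generate_keys(p, q, e):
    """Key generation steps 2-5 for caller-supplied primes p, q and exponent e."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)  # fails unless gcd(e, Phi(n)) == 1
    return (e, n), (d, n)


def encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)  # C = M^e mod n


def decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)  # M = C^d mod n


if __name__ == "__main__":
    public, private = generate_keys(11, 13, 7)
    print(public, private, encrypt(5, public), decrypt(47, private))
```

Choosing an exponent that shares a factor with Phi(n), such as e = 6 here, makes mod_inverse raise, which is the "if and only if gcd(e, n) = 1" condition from the theorem.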
Is RSA secure?
The security of the RSA cryptosystem depends on the difficulty of factoring n. It is currently difficult to obtain the private key d from the public key (n, e). However if one could factor n into p and q, then one could obtain the private key d. Thus the security of the RSA system is based on the assumption that factoring is difficult. The discovery of an easy method of factoring would "break" RSA.
Is RSA Secure? (Cont.)
How might we "break" RSA?
Factoring n
Computing Phi(n)
Compute d given e and n
  Still need to know n or Phi(n)
Computing e-th roots modulo n ($C = M^e \pmod{n}$; then $M = C^{1/e} \pmod{n}$)
  It is computationally intractable
Factoring n:
The fastest known factoring algorithm, developed by Pollard, is the General Number Field Sieve, which has running time, for factoring a large number of size n, of order
$\exp\left(\sqrt[3]{\frac{64}{9}}\,(\log n)^{1/3}(\log\log n)^{2/3}\right)$
The method relies upon the observation that if integers x and y are such that x ≠ y (mod n) and $x^2 = y^2 \pmod{n}$ then gcd(x − y, n) and gcd(x + y, n) are non-trivial factors of n.
(Retrieved from http://mathworld.wolfram.com/NumberFieldSieve.html)
The following table gives the number of operations needed to factor n with the GNFS method, and the time required if each operation uses one microsecond, for various lengths of the number n (in decimal digits).

Digits   Number of operations   Time
100      9.6 × 10^8             16 minutes
200      3.3 × 10^12            38 days
300      1.3 × 10^15            41 years
400      1.7 × 10^17            5313 years
500      1.1 × 10^19            3.5 × 10^5 years
1024     1.3 × 10^26            4.2 × 10^12 years
2048     1.5 × 10^35            4.9 × 10^21 years
Computing Phi(n) without Factoring n
Assume that n = p × q, p < q. Since $(p + q)^2 - (q - p)^2 = 4pq = 4n$, then $(p + q)^2 = 4n + (q - p)^2$, so $q + p = \sqrt{4n + (q - p)^2}$ and then Phi(n) = n - (p + q) + 1.

Example: n = 221 (4n = 884)

q - p   (q - p)^2 + 4n   q + p = √(4n + (q - p)^2)
1       885              29.7489...
2       888              29.7993...
3       893              29.8831...
4       900              30

So q − p = 4 and q + p = 30, then Phi(n) = 221 - 30 + 1 = 192 and p = 13, q = 17, n = 13 × 17.
Therefore breaking RSA system by computing Phi(n) is not easier than breaking RSA system by factoring n. (This is why n must be composite; Phi(n) is easy to compute if n is prime.)
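The n = 221 table above as a short search, together with the converse step (a known Phi(n) gives back p and q), which is why computing Phi(n) is no easier than factoring. This is an added Python example, not part of the original slides; the function names and the max_diff parameter are assumptions chosen for illustration.

```python
# Added example: the "Phi(n) without factoring n" search from the n = 221 table,
# and the converse direction. Function names and max_diff are illustrative.
from math import isqrt


def phi_by_difference_search(n, max_diff):
    """Try q - p = 1, 2, ... until 4n + (q - p)^2 is a perfect square.

    Returns (q - p, q + p, Phi(n)), or None if no difference up to max_diff
    works. The number of iterations equals the gap q - p, so for large,
    well-separated primes this is no shortcut around factoring.
    """
    for diff in range(1, max_diff + 1):
        square = 4 * n + diff * diff
        root = isqrt(square)
        if root * root == square:
            return diff, root, n - root + 1  # Phi(n) = n - (p + q) + 1
    return None


def factors_from_phi(n, phi):
    """Recover p <= q from n = p*q and Phi(n) = (p-1)(q-1)."""
    total = n - phi + 1               # p + q
    disc = total * total - 4 * n      # (q - p)^2
    if disc < 0:
        raise ValueError("phi is too large to be Phi(n)")
    diff = isqrt(disc)
    p, q = (total - diff) // 2, (total + diff) // 2
    if diff * diff != disc or p * q != n:
        raise ValueError("phi is not Phi(n) for a product of two primes")
    return p, q


if __name__ == "__main__":
    print(phi_by_difference_search(221, 10))  # row 4 of the table
    print(factors_from_phi(221, 192))
```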
Idea: if we had a fast algorithm which can factor large numbers in a reasonable amount of time, we could break RSA!!!
On May 9th 2005 a team at the German Federal Agency for Information Technology Security announced the factorization of the 200-digit number known as RSA-200 by the General Number Field Sieve algorithm (GNFS).
RSA-200 is:
27,997,833,911,221,327,870,829,467,638,722,601,621,070,446,786,955,428,537,560,009,929,326,128,400,107,609,345,671,052,955,360,856,061,822,351,910,951,365,788,637,105,954,482,006,576,775,098,580,557,613,579,098,734,950,144,178,863,178,946,295,187,237,869,221,823,983
The two 100-digit factors are:
3,532,461,934,402,770,121,272,604,978,198,464,368,671,197,400,197,625,023,649,303,468,776,121,253,679,423,200,058,547,956,528,088,349
and
7,925,869,954,478,333,033,347,085,841,480,059,687,737,975,857,364,219,960,734,330,341,455,767,872,818,152,135,381,409,304,740,185,467
The effort took approximately 80 2.2 GHz Opteron CPUs over 3 months of calendar time. The same team later announced the factorization of RSA-640, a smaller number containing 193 decimal digits (640 bits), on November 4th 2005.
RSA-2048
Prize: $200,000
Status: Not Factored
Decimal Digits: 617
25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357
Decimal Digit Sum: 2738
Conclusion
Prime numbers play an essential role in the art of Public Key Cryptography.
Public Key Cryptosystem is secure and strong.
Factorization is a fast-moving field. If no new methods are developed, then 2048-bit RSA keys will always be safe from factorization, but one can't predict the future.
Enjoy 15 minutes break time!
Examples
Please go to http://garsia.math.yorku.ca/~zabrocki/math5020f05/ and click on the "Maple" worksheet.