RSA and PublicKey Cryptosystems - PowerPoint PPT Presentation

Provided by: Kian6
1
RSA and Public-Key Cryptosystems
  • Presenter: Kianoosh Mokhtarian
  • Computer Engineering Department, Sharif University of Technology, 7/14/2005
2
Types of Cryptosystems
  • Symmetric (secret key cryptosystems)
  • Use the same key to encrypt and decrypt a message
    (or one key is easily derivable from the other)
  • A problem: how to transport the secret key
    securely?
  • Trusted couriers are used to do so, but it is not
    feasible if a system is to be rapid and
    inexpensive
  • Asymmetric (public key cryptosystems)
  • Use one key (the public key) to encrypt a message
    and a different key (the private key) to decrypt
    it

3
Public-Key Cryptosystems
  • Each user places an encryption procedure in a
    public file and keeps his decryption procedure
    secret
  • $D(E(M)) = M$
  • Both E and D are easy to compute
  • By publicly revealing E the user does not reveal
    an easy way to compute D, in practice only he can
    decrypt E(M)
  • $E(D(M)) = M$
  • An encryption (decryption) procedure consists of
    a general method and an encryption key

4
Signatures
  • Sometimes the recipient must be sure that the
    message is originated from the sender
  • The signature must be message-dependent, as well
    as signer-dependent
  • Bob wants to send Alice a signed message
  • He computes his signature $S$ for the message $M$,
    $S = D_B(M)$, and sends $E_A(S)$ to Alice
  • Bob cannot deny having sent Alice this message
  • Alice cannot modify M (use Bob's signature for M)

5
RSA
  • Ron Rivest, Adi Shamir and Leonard Adleman
  • Very vulnerable to chosen plaintext attack (also
    a new timing attack can break many
    implementations of RSA)
  • Represent the message as integers between 0 and
    n-1
  • $C \equiv E(M) \equiv M^e \pmod{n}$, for a message M
  • $M \equiv D(C) \equiv C^d \pmod{n}$, for a ciphertext C
  • Encryption does not increase the size of a
    message
  • Encryption key is (e, n), Decryption key is (d, n)

6
The Keys
  • $n = pq$ where p and q are very large random
    primes (to be hidden due to the difficulty of
    factoring n)
  • Pick d, a large random integer, relatively prime
    to $(p-1)(q-1)$
  • e is the multiplicative inverse of d mod
    $(p-1)(q-1)$
  • $e \cdot d \equiv 1 \pmod{(p-1)(q-1)}$
  • A high-speed computer can encrypt a 200-digit
    message in a few seconds, special-purpose
    hardware would be much faster

7
The Underlying Mathematics
  • $\Phi(n)$: the Euler totient function, giving the number
    of positive integers less than n and relatively
    prime to n
  • $\Phi(p) = p - 1$ for prime numbers
  • By elementary properties of the totient function:
  • $\Phi(n) = \Phi(p) \cdot \Phi(q) = (p-1)(q-1)$
  • $D(E(M)) \equiv (E(M))^d \equiv (M^e)^d \equiv M^{e \cdot d} \pmod{n}$
  • $E(D(M)) \equiv (D(M))^e \equiv (M^d)^e \equiv M^{e \cdot d} \pmod{n}$

8
Underlying Mathematics (contd)
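  • $M^{e \cdot d} \equiv M^{k \cdot \Phi(n) + 1} \pmod{n}$
  • $M^{p-1} \equiv 1 \pmod{p} \Rightarrow M^{k \cdot \Phi(n) + 1} \equiv M \pmod{p}$
  • $M^{q-1} \equiv 1 \pmod{q} \Rightarrow M^{k \cdot \Phi(n) + 1} \equiv M \pmod{q}$
  • thus $M^{e \cdot d} \equiv M^{k \cdot \Phi(n) + 1} \equiv M \pmod{n}$
  • Computing $M^e \pmod{n}$ requires at most $2 \cdot \log(e)$
    multiplications and $2 \cdot \log(e)$ divisions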
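
An added example (not part of the original slides): the key setup from the slides on toy numbers, with a square-and-multiply routine that counts its multiplications and an exhaustive check that D(E(M)) = M and E(D(M)) = M for every M in 0..n-1, including values of M that share a factor with n. The primes 47 and 59 and the exponent d = 157 are constructed sample values; logarithms in the bound are taken base 2.

```python
# Added example: textbook RSA on toy numbers (no padding, not for real use).
from math import gcd

def modexp(base, exp, mod):
    """Square-and-multiply. Returns (base**exp % mod, multiplications used)."""
    if exp == 0:
        return 1 % mod, 0
    result, mults = base % mod, 0
    for bit in bin(exp)[3:]:                 # exponent bits after the leading 1
        result = result * result % mod       # one squaring per remaining bit
        mults += 1
        if bit == "1":
            result = result * base % mod     # extra multiply when the bit is set
            mults += 1
    return result, mults

def make_keys(p, q, d):
    """Order used on the slides: choose d coprime to (p-1)(q-1), then derive e."""
    phi = (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be relatively prime to (p-1)(q-1)")
    e = pow(d, -1, phi)                      # e*d = 1 (mod phi); Python 3.8+
    return (e, p * q), (d, p * q)

def encrypt(m, public_key):
    e, n = public_key
    return modexp(m, e, n)[0]

def decrypt(c, private_key):
    d, n = private_key
    return modexp(c, d, n)[0]

def inverse_property_holds(public_key, private_key):
    """Check D(E(M)) = M and E(D(M)) = M for every M in 0..n-1."""
    n = public_key[1]
    return all(decrypt(encrypt(m, public_key), private_key) == m
               and encrypt(decrypt(m, private_key), public_key) == m
               for m in range(n))

# Constructed toy parameters: p = 47, q = 59, d = 157 give e = 17, n = 2773.
PUBLIC, PRIVATE = make_keys(47, 59, 157)

if __name__ == "__main__":
    print(PUBLIC, PRIVATE, inverse_property_holds(PUBLIC, PRIVATE))
    print("multiplications for e and d:",
          modexp(2, 17, 2773)[1], modexp(2, 157, 2773)[1])
```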

9
How to find Large Prime Numbers?
  • Generate odd 100-digit random numbers, about
    $\ln(10^{100})/2 = 115$ numbers will be tested
    before a prime is found (by the prime number
    theorem)
  • A probabilistic algorithm (by Solovay and
    Strassen) to test large number b for primality
  • Pick a random number a from $\{1, \ldots, b - 1\}$ and
    test whether $\gcd(a, b) = 1$ and $J(a, b) = a^{(b-1)/2} \pmod{b}$
  • It is always true if b is prime, and false with
    probability at least ½ if b is composite

10
Large Prime Numbers (contd)
  • Test b with 100 randomly chosen values of a
  • A negligible chance of $2^{-100}$ for b to be
    composite, also the receiver would probably
    detect this
  • For odd b, $a < b$, $\gcd(a, b) = 1$, $J(a, b) \in \{-1, 1\}$
  • (Jacobi) $J(a, b) =$ if $a = 1$ then 1, else
    if a is even then $J(a/2, b) \cdot (-1)^{(b^2 - 1)/8}$,
    else $J(b \bmod a, a) \cdot (-1)^{(a-1)(b-1)/4}$

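An added example (not code from the presentation): the Solovay-Strassen test and the Jacobi rule from the two slides above, written iteratively, plus an exhaustive count showing that every a passes for a prime while at most half pass for a composite, here the Carmichael number 561. The function names and the use of `secrets.SystemRandom` as the default random source are choices made for this example.

```python
# Added example: Solovay-Strassen primality test with the Jacobi symbol.
import secrets
from math import gcd

def jacobi(a, b):
    """J(a, b) for odd b and 1 <= a < b; iterative form of the recursive rule.
    Returns 0 if gcd(a, b) != 1 (the test checks gcd first; this is a guard)."""
    sign = 1
    while a != 1:
        if a == 0:
            return 0
        if a % 2 == 0:
            if b % 8 in (3, 5):              # (-1)^((b^2 - 1)/8) is -1
                sign = -sign
            a //= 2
        else:
            if a % 4 == 3 and b % 4 == 3:    # (-1)^((a-1)(b-1)/4) is -1
                sign = -sign
            a, b = b % a, a
    return sign

def passes_round(a, b):
    """One round: gcd(a, b) = 1 and J(a, b) = a^((b-1)/2) (mod b)."""
    return gcd(a, b) == 1 and jacobi(a, b) % b == pow(a, (b - 1) // 2, b)

def is_probable_prime(b, rounds=100, rng=None):
    rng = rng or secrets.SystemRandom()      # OS CSPRNG unless a test rng is given
    if b < 3 or b % 2 == 0:
        return b == 2
    return all(passes_round(rng.randrange(1, b), b) for _ in range(rounds))

def passing_fraction(b):
    """Share of a in 1..b-1 that pass one round (exhaustive, small b only)."""
    return sum(passes_round(a, b) for a in range(1, b)) / (b - 1)

def random_prime(digits, rng=None):
    """Draw odd numbers of the given decimal length until one passes."""
    rng = rng or secrets.SystemRandom()
    while True:
        candidate = rng.randrange(10 ** (digits - 1), 10 ** digits) | 1
        if is_probable_prime(candidate, rng=rng):
            return candidate

if __name__ == "__main__":
    print(passing_fraction(13), passing_fraction(561))  # prime vs. Carmichael number
    print(random_prime(100))
```
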
11
Large Prime Numbers (contd)
  • For more protection against factoring algorithms
  • p and q should differ in length by a few digits
  • gcd (p - 1, q - 1) should be small
  • both (p - 1) and (q - 1) should contain large
    prime factors, to do so, generate a large prime u
    and let p be the first prime in the sequence
    $k \cdot u + 1$ for $k = 2, 4, 6, \ldots$
  • A high-speed computer can test a 100-digit number
    for primality in several seconds, and can find the
    first prime after a given point in one or two
    minutes

12
Factoring n
  • Factoring n would enable cryptanalysts to break
    this method
  • No polynomial-time factoring algorithm is known
    for Turing machines
  • A quantum computer algorithm (by Shor) is able to factor
    integers in polynomial time, but
    physicists have so far been unable to build a
    quantum computer that can handle more than a
    half-dozen bits

13
Factoring n (contd)
  • An algorithm (by Pollard) factors n in time $O(n^{1/4})$
  • The fastest algorithm known (until the RSA paper
    release date) by Richard Schroeppel, can factor n
    in approximately $n^{\sqrt{\ln\ln(n) / \ln(n)}}$
    steps
  • If each operation uses 1 microsecond, factoring a
    50-digit number with this method takes 3.9 hours
    and a 100-digit number takes 74 years

14
Factoring n (contd)
  • If P = NP, breaking such systems is easy
  • An NP decision problem with complexity equivalent
    to that of integer factoring:
  • $L_{fact} = \{\langle a, b \rangle : \text{there exists } d\ (1 < d < a \text{ and } d \mid b)\}$
  • The complement of $L_{fact}$ is also in NP (use the
    prime factorization of b as the certificate)
  • Factoring $\in$ NP $\cap$ co-NP
  • If Factoring is NP-hard then NP = co-NP

15
Security (Cryptanalytic Approaches)
  • Obvious approaches for breaking this system are
    at least as difficult as factoring n
  • Computing $\Phi(n)$ without factoring n
  • Not easier than factoring n, n can be factored
    using $\Phi(n)$
  • $\Phi(n) = (p-1)(q-1) = n - (p + q) + 1 \Rightarrow$ compute
    $(p + q)$
  • $(p - q)^2 = (p + q)^2 - 4n \Rightarrow$ compute p and q
  • Determining d without factoring n or computing
    $\Phi(n)$
  • $d \Rightarrow (e \cdot d - 1)$ is a multiple of $\Phi(n)$
  • n can be factored using any multiple of $\Phi(n)$
    (Miller)

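An added example (not from the slides) of the two reductions on this slide: recovering p and q from Φ(n) by the algebra above, and from any multiple of Φ(n) such as e·d − 1 by a randomized search for a nontrivial square root of 1 modulo n, which is one standard way to carry out the reduction credited to Miller. Function names are chosen for this example; the toy values 47, 59, 17 and 157 are constructed.

```python
# Added example: knowing phi(n), or d, is as good as knowing p and q.
import random
from math import gcd, isqrt

def factor_from_phi(n, phi):
    """p + q = n - phi + 1 and (p - q)^2 = (p + q)^2 - 4n."""
    s = n - phi + 1                          # p + q
    disc = s * s - 4 * n                     # (p - q)^2
    r = isqrt(disc) if disc >= 0 else -1
    if r < 0 or r * r != disc:
        raise ValueError("phi is not (p-1)(q-1) for this n")
    return (s - r) // 2, (s + r) // 2

def factor_from_multiple(n, m, rng=None, tries=64):
    """Factor n = p*q from any positive multiple m of phi(n), e.g. m = e*d - 1.
    Randomized; each try succeeds with probability at least 1/2."""
    rng = rng or random.Random()
    t, s = m, 0
    while t % 2 == 0:                        # write m = 2^s * t with t odd
        t, s = t // 2, s + 1
    for _ in range(tries):
        a = rng.randrange(2, n - 1)
        if gcd(a, n) > 1:                    # the draw itself shares a factor with n
            p = gcd(a, n)
            return tuple(sorted((p, n // p)))
        x = pow(a, t, n)
        for _ in range(s):
            y = x * x % n
            if y == 1:
                if x not in (1, n - 1):      # nontrivial square root of 1 mod n
                    p = gcd(x - 1, n)
                    return tuple(sorted((p, n // p)))
                break
            x = y
    raise ValueError("no factor found; is m really a multiple of phi(n)?")

if __name__ == "__main__":
    n, e, d = 47 * 59, 17, 157               # constructed toy key
    print(factor_from_phi(n, 46 * 58))       # uses phi(n) directly
    print(factor_from_multiple(n, e * d - 1))  # uses only (e, d, n)
```

For a key owner this means a leaked d compromises the modulus itself: choosing a new (e, d) pair for the same n does not help, and new primes must be generated.
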
16
References
  • A Method for Obtaining Digital Signatures and
    Public-Key Cryptosystems, R.L. Rivest, A. Shamir,
    and L. Adleman
    (http://theory.lcs.mit.edu/cis/pubs/rivest/rsapaper.ps)
  • The P versus NP problem, Stephen Cook
    (http://www.claymath.org/millennium/P_vs_NP/Official_Problem_Description.pdf)
  • Introduction to Quantum Information Processing,
    Richard Cleve
    (http://www.iqc.ca/qipcourse/introqip/fall04/f04lecture19.ppt)
  • Cryptographic Algorithms
    (http://www.eskimo.com/weidai/algorithms.html)
  • Introducing Public Key Cryptosystems
    (http://www.math.nmsu.edu/crypto/public_html/PublicKey.html)