Title: RSA Cryptosystem 1977
Slide 1: RSA Cryptosystem (1977)
de facto standard of public-key cryptosystems
p, q primes, n = pq, ed ≡ 1 mod (p-1)(q-1),
(e, n) public key, d secret key (factoring; n 1024 bits),
M message, M ∈ {0, 1, 2, ..., n-1}.
Encryption: C = M^e mod n, e small (2^16 + 1)
Decryption: M = C^d mod n, d large (d > n^{1/2})
Slide 2: Ronald Rivest, Adi Shamir, Leonard Adleman
Slide 4: Fast Exponentiation
The binary representation of d: d = d_{k-1} 2^{k-1} + d_{k-2} 2^{k-2} + ... + d_1 2^1 + d_0 2^0, where d_{k-1} = 1.
Left-to-right binary method
Input: C, n, d
Output: C^d mod n
  X ← C
  For i = k-2 down to 0:
    X ← X^2 mod n
    if d_i = 1, then X ← X·C mod n
  Return X
Cubic complexity O((log n)^3): we need about 1500 modular multiplications for 1024-bit n, d on average.
Slide 5: left-to-right vs. right-to-left
345 = (1 0 1 0 1 1 0 0 1)_2
left-to-right:
  squarings:            a, a^2, a^4, a^10, a^20, a^42, a^86, a^172, a^344
  multiplications by a: a^5, a^21, a^43, a^345
right-to-left:
  accumulator:  1, a, a^9, a^25, a^89, a^345
  squared base: a, a^2, a^4, a^8, a^16, a^32, a^64, a^128, a^256
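The two binary methods of slides 4 and 5 as an added example (not code from the slides): each function returns the result together with the chain of exponents it passes through, so the a^345 trace above can be reproduced, and len(chain)-1 is the number of modular multiplications the left-to-right method spends.

```python
# Added example, not from the slides: square-and-multiply in both scan
# directions, instrumented with the exponent currently held in each register.

def left_to_right(C, d, n):
    """Slide 4 algorithm: scan d from the top bit. Returns (C^d mod n, chain)."""
    if d == 0:
        return 1 % n, [0]
    bits = bin(d)[2:]                  # d_{k-1} ... d_0, with d_{k-1} = 1
    X, e, chain = C % n, 1, [1]        # e = exponent currently held in X
    for bit in bits[1:]:               # i = k-2 down to 0
        X, e = X * X % n, 2 * e        # squaring
        chain.append(e)
        if bit == "1":
            X, e = X * C % n, e + 1    # multiply by the base
            chain.append(e)
    return X, chain                    # len(chain) - 1 modular multiplications

def right_to_left(a, d, n):
    """Scan d from the low bit: square the base, multiply set bits into an
    accumulator. Returns (a^d mod n, accumulator chain, squared-base chain)."""
    acc, base, e_acc, e_base = 1 % n, a % n, 0, 1
    acc_chain, base_chain = [0], [1]
    while d:
        if d & 1:                      # this bit of d is set: fold base in
            acc, e_acc = acc * base % n, e_acc + e_base
            acc_chain.append(e_acc)
        d >>= 1
        if d:                          # square the base for the next bit
            base, e_base = base * base % n, 2 * e_base
            base_chain.append(e_base)
    return acc, acc_chain, base_chain
```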
Slide 6: Main Components of Smartcards
- Central Processing Unit (CPU),
- Read Only Memory (ROM),
- Electrically Erasable Programmable Read Only Memory (EEPROM),
- Random Access Memory (RAM),
- Arithmetic Unit (AU).
(block diagram: CPU connected to ROM, EEPROM, RAM, the AU and an I/O port)
Slide 7:
- Central Processing Unit (CPU)
  - 8 or 16 bit controller
  - Motorola 6805, Intel 8051, Hitachi, etc.
  - The programming for the CPU is done in assembler.
- Read Only Memory (ROM)
  - non-volatile memory
  - it contains the operating system, the transmission protocol and commands, the security algorithms, several applications
  - photographic mask programmed (several months for changing the ROM code)
  - size 8-16 kBytes (max. 48 kBytes)
Slide 8:
- Random Access Memory (RAM)
  - It is a volatile memory.
  - The contents are lost when the power supply is switched off.
  - It is used as a buffer for storing transmission data and as a very fast access memory for workspace.
  - Reading and writing a byte takes a few microseconds.
  - Size 128-256 Bytes (max. 3 kBytes)
  - Much more expensive than ROM
Slide 9:
- EEPROM
  - It is a non-volatile programmable memory.
  - It allows about 100,000 update (i.e. erase/write) cycles.
  - Writing is about 1,000 times slower than writing into RAM.
  - Size 2-8 kBytes (max. 12 kBytes)
  - The secret key and the cryptographic parameters are stored here.
- Arithmetic Unit (AU)
  - It is the cryptographic co-processor, which computes the integer arithmetic (addition, multiplication, modular exponentiation).
  - The data transfer between the AU and memory is not negligible.
  - The development cost is very high.
Slide 10: Cryptographic Coprocessor
- It usually has the capability to compute
  - the multiplication (a·b),
  - the integer addition (a + b),
  - the integer subtraction (a - b),
  - the modular exponentiation (a^d mod n),
  - and no division or inversion.
- In general the division and inversion are slow and require a lot of memory.
Slide 11: µ-chip from Hitachi
Contact-less chip card, 0.4 mm^2, radio frequency 2.45 GHz, 128-bit ROM.
RFID (Radio Frequency Identification), Ubiquitous Computing, Pervasive Computing
Slide 12: Basic Integer Arithmetic
Z: the integer ring
Z/mZ = {0, 1, 2, ..., m-1}: residue ring
(Z/mZ)* = {g ∈ Z/mZ : gcd(g, m) = 1}: the multiplicative group of residues mod m
gcd(a, b): the greatest common divisor of a and b
- The basic operations of Z/mZ are as follows (X, Y ∈ Z/mZ):
  - X + Y mod m (modular addition)
  - X - Y mod m (modular subtraction)
  - X·Y mod m (modular multiplication)
  - Y^{-1} mod m (inversion), where Y ∈ (Z/mZ)*.
Modular addition and modular subtraction mod m are fast: O(log m).
Slide 13: Multiplication, Inversion
Straightforward modular multiplication requires a division with remainder of integers, which is O((log m)^2).
Input: m, X, Y ∈ Z/mZ
Output: XY mod m
  1. T ← XY in Z
  2. Find q, r such that T = qm + r, 0 ≤ r < m
  3. Return r
Inversion is a very expensive operation, O((log m)^2) (the extended Euclidean algorithm, Fermat's theorem). It is about 20-30 times slower than modular multiplication.
Slide 14: Montgomery Multiplication
Question: can we avoid a division for modular multiplication (XY mod m)?
Yes: Montgomery Multiplication
Input: m, X, Y ∈ Z/mZ, R = 2^r where r is the bit-length of m (m' = -m^{-1} mod R, pre-computed)
Output: XYR^{-1} mod m
  1. T ← XY in Z
  2. U ← T·m' mod R
  3. T ← (T + U·m)/R in Z
  4. If T ≥ m, then T ← T - m
  5. Return T
In Step 2, the reduction mod R is very fast:
  (1·2^5 + 0·2^4 + 0·2^3 + 1·2^2 + 1·2^1 + 0·2^0) mod 2^2 = 1·2^1 + 0·2^0.
In Step 3, the division by R is very fast:
  (1·2^5 + 0·2^4 + 1·2^3 + 0·2^2 + 0·2^1 + 0·2^0)/2^3 = 1·2^2 + 0·2^1 + 1·2^0.
Slide 15: Correctness of the algorithm
Claim 1: T + Um is divisible by R, i.e. R | (T + Um).
  U = Tm' + kR and mm' = -1 + lR for some k, l ∈ Z, so
  T + Um = T + (Tm' + kR)m = T + Tm'm + kmR = T + T(-1 + lR) + kmR = R(Tl + km).
Claim 2: (T + Um)/R ≡ TR^{-1} mod m.
  T ≡ T + Um mod m, hence TR^{-1} ≡ (T + Um)R^{-1} ≡ (T + Um)/R mod m.
Claim 3: (T + Um)/R < 2m.
  T + Um = XY + Um < mm + Rm < 2Rm, due to U < R, X, Y < m, and m < 2^r = R.
Slide 16: Explicit Algorithm
Input: m, X, Y ∈ Z/mZ, R = b^r where r is the digit-length of m w.r.t. base b (m' = -m^{-1} mod b, pre-computed)
Output: XYR^{-1} mod m
  1. T ← XY
  2. A ← T (Notation: A = (a_{2r-1}, ..., a_1, a_0))
  3. For i = 0 to r-1 do the following:
     3.1. u_i ← a_i·m' mod b
     3.2. A ← A + u_i·m·b^i
  4. A ← A/R
  5. If A ≥ m, then A ← A - m
  6. Return A
Slide 17: Example
Example: m = 72639, b = 10, R = 10^5, r = 5
XY = T = 7118368, m' = -m^{-1} mod b = 1

  i | u_i = a_i·m' mod 10 | u_i·m·10^i  | A
 ---|---------------------|-------------|------------
    |                     |             | 7118368
  0 | u_0 = 8             | 581112      | 7699480
  1 | u_1 = 8             | 5811120     | 13510600
  2 | u_2 = 6             | 43583400    | 57094000
  3 | u_3 = 4             | 290556000   | 347650000
  4 | u_4 = 5             | 3631950000  | 3979600000

A/R = 3979600000/100000 = 39796 < m ⇒ TR^{-1} mod m = 39796
Slide 18: Final Subtraction is Conditional (p307, R512)
Slide 19: Exponentiation using MM
We denote by Mont(X, Y) the Montgomery multiplication for X, Y ∈ Z/mZ, namely Mont(X, Y) = XYR^{-1} mod m.
We can apply Montgomery multiplication to the efficient computation of the modular exponentiation X^d mod m.
Input: d, m, X ∈ Z/mZ, R^2 mod m
Output: X^d mod m
  1. T ← Mont(X, R^2)
  2. S ← T
  3. For i = k-2 down to 0 (d = (d_{k-1} ... d_0)_2 as on slide 4):
       S ← Mont(S, S)
       if d_i = 1, then S ← Mont(S, T)
  4. S ← Mont(S, 1)
  5. Return S
T = (X)R mod m
S = (ZR)(ZR)R^{-1} = (Z^2)R mod m
S = (ZR)(XR)R^{-1} = (ZX)R mod m
S = (ZR)R^{-1} = Z mod m
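The digit-serial algorithm of slide 16, the worked numbers of slide 17 and the exponentiation of slide 19, as one added Python example (not code from the slides). It assumes, as the slides do, that gcd(m, b) = 1 and that the operands are already reduced mod m; the test operands 5792 and 1229 are constructed so that their product is the slide's T = 7118368.

```python
# Added example, not from the slides: digit-serial Montgomery multiplication
# (slide 16) and Montgomery exponentiation (slide 19) on Python big integers.
# Needs Python 3.8+ for pow(m, -1, b).  Assumes gcd(m, b) = 1 and 0 <= X, Y < m.

def digit_length(m, b):
    """r = number of base-b digits of m, so that R = b^r > m (needed by claim 3)."""
    r = 0
    while m:
        m, r = m // b, r + 1
    return r

def mont_mul(X, Y, m, b=10, r=None):
    """Return (X*Y*R^-1 mod m, [u_0, ..., u_{r-1}]) with R = b^r (slide 16)."""
    if r is None:
        r = digit_length(m, b)
    R = b ** r
    m_prime = (-pow(m, -1, b)) % b      # m' = -m^-1 mod b, precomputed once per m
    A = X * Y                           # steps 1-2: A = (a_{2r-1}, ..., a_0)
    us = []
    for i in range(r):                  # step 3
        a_i = (A // b ** i) % b         # current i-th base-b digit of A
        u_i = (a_i * m_prime) % b       # 3.1: chosen so that digit i becomes 0
        A += u_i * m * b ** i           # 3.2: adding a multiple of m keeps A mod m
        us.append(u_i)
    A //= R                             # step 4: exact, the low r digits are zero
    if A >= m:                          # step 5: one conditional subtraction
        A -= m                          #         suffices, since A/R < 2m (claim 3)
    return A, us

def mont_exp(X, d, m, b=10):
    """X^d mod m via Mont(), scanning the bits of d left to right (slide 19)."""
    if d == 0:
        return 1 % m
    r = digit_length(m, b)
    R2 = (b ** r) ** 2 % m              # R^2 mod m, the precomputed input
    T, _ = mont_mul(X % m, R2, m, b, r) # T = X*R mod m: X in Montgomery form
    S = T
    for bit in bin(d)[3:]:              # d_{k-2} ... d_0
        S, _ = mont_mul(S, S, m, b, r)  # Z*R -> (Z^2)*R
        if bit == "1":
            S, _ = mont_mul(S, T, m, b, r)  # Z*R -> (Z*X)*R
    return mont_mul(S, 1, m, b, r)[0]   # Z*R -> Z: leave Montgomery form
```

Running mont_mul(5792, 1229, 72639) reproduces the slide-17 table: u = [8, 8, 6, 4, 5] and result 39796; b=2 gives the bit-serial variant of slide 14.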