Your SlideShare is downloading. ×
Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing100@Persistent
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing100@Persistent


Published on

Dr. Pandurang Kamat, Ph.D., Principal Architect, Persistent Systems talks about the Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman

Dr. Pandurang Kamat, Ph.D., Principal Architect, Persistent Systems talks about the Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Differential Cryptanalysis of DES was know and kept secret by IBM and NASA. With minor modifications the algorithm was vulnerable to ke recovery.
  • Military driven. All entities under one roof so sharing secret was not a problem
  • ViolatesKerchoff’s principle that only key should be secretThere is no key thereEnigma had to be broken again and again as the cipher changed.
  • Invulenrable to computational advances.. Quantum computing etc.Does not depend on computational hardness
  • No references to related prior work was also cited as reason for rejection.
  • 20-bit cipher as the puzzle 1 minute to solve and another 1 to verify.Average 500K minutes (1 Year) for Eve to brute-force the right key.
  • Talk about how problems were being solved for militaryRadar-plane challenge response : realization that “What if Alice could pose challenges whose answers she didn’t know (and couldn’t feasibly compute) but could feasibly verify ?”
  • Talk about how problems were being solved for militaryRadar-plane challenge response : realization that “What if Alice could pose challenges whose answers she didn’t know (and couldn’t feasibly compute) but could feasibly verify ?”
  • (private key) Easy and Hard (public key) Knapsack + multiplier and modulus used to convert hard to easy and vice versa
  • Fermat’s Little thm used in probabilistic primality testing. Fermat’s witness and Fermat’s liars and pseudoprime.Little only in deference to last thm.
  • Fermat’s Little thm used in probabilistic primality testing. Fermat’s witness and Fermat’s liars and pseudoprime.Little only in deference to last thm.
  • BB’04: Boneh-Brumley
  • Transcript

    • 1. © 2013 Persistent Systems Ltdwww.persistentsys.comRSA : The Inventors and the AlgorithmPandurang KamatTuring100 Lecture series @ Persistent Systems11 May 2013
    • 2. © 2013 Persistent Systems Ltd2Dr. Ronald Rivest, Dr. Adi Shamir and Dr. Leonard AdlemanCitation :“… for their ingenious contribution to making public-keycryptography useful in practice.”“A method for obtaining digital signatures and public-keycryptosystems,” Communications of the ACM, Feb. 1978.ACM A. M. Turing Award
    • 3. © 2013 Persistent Systems Ltd3RSA used in the Public Key Certificates
    • 4. © 2013 Persistent Systems Ltdwww.persistentsys.comRSA : The Inventors
    • 5. © 2013 Persistent Systems Ltd5Time Magazine 1977P = NP
    • 6. © 2013 Persistent Systems Ltd6 Born : 1947, Schenectady, New York, USA Education : BA (Mathematics, Yale University, 1969) Ph.D. (Computer Science, Stanford University, 1973) Professional Career : MIT (Viterbi Professor of Computer Science in the EECS Department) Leader of MITs Cryptography and Information Security Group, from 1974) Member of MITs Computer Science and Artificial Intelligence Laboratory, CSAIL,and of their Theory of Computation Group. Co-founder of RSA Data Security (now owned by EMC as RSA Security), Verisignand PeppercoinRonald (Ron) Linn Rivest
    • 7. © 2013 Persistent Systems Ltd7 Research : cryptography, computer and network security, voting systems Inventor of MD2, MD4, MD5 & MD6 (co-inventor) cryptographic hash functions Inventor of RC2, RC4, RC5 and co-inventor of RC6 ciphers Book : Popularly known as CLRS Co-author (with Professors Cormen, Leiserson, and Stein)of “Introduction to Algorithms”, published by MIT Press Awards and Recognition : ACM Paris Kanellakis Theory and Practice Award (1997) ACM Turing Award, with A. Shamir and L. Adleman (2002) Marconi Prize (2007) National Cyber Security Hall of Fame Award (2012)Ronald Rivest : Research and Recognition
    • 8. © 2013 Persistent Systems Ltd8 Born : 1952, Tel Aviv, Israel Education : BSc (Mathematics, Tel Aviv University, 1973) PhD (Computer Science, Weizmann Institute, Israel, 1977) Professional Career : Assistant Professor Department of Mathematics, MIT (1978-1980) Associate Professor at Department of Applied Mathematics, Weizmann Institute ofScience, Rehovot, Israel (1980-1984) Paul and Marlene Borman Professor, Department of Applied Mathematics, TheWeizmann Institute of Science, Rehovot, Israel(1984 onward) Co-founder of RSA Data Security (now owned by EMC as RSA Security)Adi Shamir
    • 9. © 2013 Persistent Systems Ltd9 Research : Cryptography Broadcast encryption, ring signatures and T-functions Cryptanalytic attacks against block ciphers, stream ciphers Protective techniques against side channel attacks such aspower analysis. Awards and Recognition : IEEE WRG Baker Award (1986) Israel Mathematical Society Erdos Prize (1983) ACM Paris Kanellakis Theory and Practice Award (1997) ACM Turing Award, with A. Shamir and L. Adleman (2002) Fellow, International Association of CryptographicResearch (2004)Adi Shamir : Research and Recognition
    • 10. © 2013 Persistent Systems Ltd10 Shamir’s secret sharing k points enough to define polynomial of degree k-1 Differential Cryptanalysis -- New Field Co-wrote a book with his graduate student Eli Biham :“Differential Cryptanalysis of the DES” Identity Based Cryptography (1984) – New Field Proposed Identity based Encryption (1984) First practical implementations came in 2001 via 2 differenttechniques : Weil Pairing (Boneh & Franklin ) and QuadraticResidue (Cocks) Visual Cryptography (1994) – New Field Decryption is a visual processAdi Shamir : Other Major Contributions
    • 11. © 2013 Persistent Systems Ltd11 Born : 1945, San Francisco, California Education : BA, Mathematics (University of California, Berkley, 1968) PhD, Computer Science (UC, Berkley, 1976) Professional Career : MIT, Department of Mathematics (1979-1980 Associate Professor, 1977-1979Assistant Professor) University of Southern California (1980 Associate Professor, 1983 Professor, 1985Henry Salvatori Professor) Co-founder of RSA Data Security (now owned by EMC as RSA Security)Leonard (Len) Max Adleman
    • 12. © 2013 Persistent Systems Ltd12 Research : “Adleman-Pomerance-Rumely primality test” Almost polynomial time, deterministic primality testing algorithm. “Recognizing Primes in random polynomial time” (1987) only topped in 2002 by “PRIMES in P” (IITK) Proved “first case of Fermat’s last theorem holds for infinitely many primes” (1986) Andrew Wiles proved Fermat’s last theorem (conjectured 1637) in 1995. Father of DNA computing : Solved Hamiltonian Path Problem using DNA (1994) Awards and Recognition : ACM Paris Kanellakis Theory and Practice Award (1997) ACM Turing Award, with A. Shamir and L. Adleman (2002) Distinguished Professor title University of Southern California (2000)Len Adleman: Research and Recognition
    • 13. © 2013 Persistent Systems Ltdwww.persistentsys.comVideo snippet from Adleman’s Turing lecture
    • 14. © 2013 Persistent Systems Ltdwww.persistentsys.comHistory of Cryptography
    • 15. © 2013 Persistent Systems Ltd15Cryptography is derived from Greek words Krypto (hidden)+ grafo (writing)Used as early as 1900 BC – as inferred from archeologicalfinds.Until the 1970s, encryption was Symmetric.Sender and Receiver use the same key to encrypt anddecrypt.A separate, secure (and usually offline) channel was used toexchange a shared secretEncryption through history
    • 16. © 2013 Persistent Systems Ltd16Transposition CipherUsed by ancient Greeks and SpartansScytale
    • 17. © 2013 Persistent Systems Ltd17Shift CipherUsed by RomansCaesar Cipher
    • 18. © 2013 Persistent Systems Ltd18Inventor: Arthur ScherbiusPolyalphabetic substitution cipherUsed by Nazi military in WWIIPolish Cipher Bureau first broke enigmaciphersAlan Turing played a major role in Britishefforts to break enigmaEnigma Machine
    • 19. © 2013 Persistent Systems Ltdwww.persistentsys.comPublic Key Cryptography
    • 20. © 2013 Persistent Systems Ltd20Private and Public Key CryptographyPrivate Key Cryptography (Symmetric)Uses a single key to encrypt and decryptKey shared by both sender and receiverCannot be used as a signaturePublic Key Cryptography (Asymmetric)Uses two keys – one private and the other publicOperations are slower than private key cryptographyIn communication, typically used to establish asymmetric session key
    • 21. © 2013 Persistent Systems Ltd21Public key encryptionE DAlice BobPK SKm c c mBob: generates (PK, SK) and gives PK to AliceNon-secureChannel
    • 22. © 2013 Persistent Systems Ltd22Challenge - Response
    • 23. © 2013 Persistent Systems Ltd23Claude Shanon : Information Theoretic SecurityA code is unbreakable when the adversary does not haveenough information. E.g. One Time PadComputational Complexity introduced new ideasA code could be unbreakable because the adversary doesnot have enough computational power or timeCryptology meets Computational Complexity
    • 24. © 2013 Persistent Systems Ltd24 1974, CS244 (Computer Security) course by Lance Hoffman Establishing secure communications between separatesecure sites over insecure communication lines. “… your description of project 1 is muddled terribly.” 1975 : Paper submited to CACM --- Rejected “… not in the main stream of present cryptography thinking … “ Finally a revised version is published in April 1978 "Secure Communications over Insecure Channels". Communicationsof the ACMRalph Merkle
    • 25. © 2013 Persistent Systems Ltd25Merkle’s Puzzles (1974)Million Puzzles --complexity O(N)eachBobAliceEveHas to solve 500Kpuzzles on averageO(N2)
    • 26. © 2013 Persistent Systems Ltd26“PKC was born in the spring of 1975, a child of two problemsand a misunderstanding” *Diffie, 1988] Problem 1: Key distribution How do two parties establish a common cryptographic key(symmetric) without any prior secret sharing ? Problem 2: Signatures Is there a way for the recipient of a digital message to verifythat the message came from a particular sender ? Misunderstanding : Key Distribution Center used in conventionalsymmetric key cryptography was insecure.The birth of PKC
    • 27. © 2013 Persistent Systems Ltd27One-way functionsGiven x => easy to compute f(x) ;but given f(x) => hard to compute xTrapdoor functionsone way functions where a secret “trapdoor” y,allows one to compute x from f(x)Trapdoor Functions
    • 28. © 2013 Persistent Systems Ltd28What if Alice could pose challenges whose answers shedidn’t know (and couldn’t feasibly compute) but couldfeasibly verify ? Bob creates a function ‘f’ (public info) for which only he knows thetrapdoor ‘y’. Alice sends a value from the f(x) space and asks Bob to solve it for x. Bob can only solve it if he knows the secret ‘y’ --- SIGNATUREverification If ‘x’ is the message Alice wants to send Bob -- ENCRYPTION. “Multiuser Cryptographic Techniques” : Diffie and Hellman (1976)Verifiable Challenges
    • 29. © 2013 Persistent Systems Ltd29John Gill : Discrete exponentiation because the inverse,discrete logarithm, is hard. DH chose this for the DH schemeKnapsack Or Subset-sum problem Merkle-Hellman (first) and others Can’t be used for signing. Now considered broken.Donald Knuth : Prime multiplication , becausefactorization is hard. RSA chose this.Three possible tracks to find trapdoor functions
    • 30. © 2013 Persistent Systems Ltd30Whitfield Diffie and Martin E. Hellman,“New Directions in Cryptography,”IEEE Transactions On Information Theory, 1976.“We stand today on the brink of a revolution incryptography …”The Diffie Hellman Paper – inspired RSA
    • 31. © 2013 Persistent Systems Ltd31Diffie-Hellman Key ExchangeFinite cyclic group G of order nGenerator g in G ( G = {1, g, g2, g3, … , gn-1 } )Alice BobPicks random a in {1,…,n} Picks random b in {1,…,n}kAB = gab = (ga)b= KAbKBa = (gb)a=KA = gaKB = gb
    • 32. © 2013 Persistent Systems Ltdwww.persistentsys.comVideo snippet of Rivest Turing Lecture
    • 33. © 2013 Persistent Systems Ltdwww.persistentsys.comRSA : The Algorithm
    • 34. © 2013 Persistent Systems Ltd34Greatest Common Divisor, gcd (a,b) – of a and b is thelargest positive integer dividing both a and b. e.g. gcd (24, 60) = 12 a and b are called relatively prime if gcd (a,b) = 1Congruence : Given integers a, b and n (s.t. n ≠ 0), a iscongruent to b mod n if (a - b) is a positive or negativemultiple of n. e.g. 17 ≡ 2 mod 5Number Theory and Modular Arithmetic
    • 35. © 2013 Persistent Systems Ltd35Given gcd (a,n) = 1Let s and t be integers s.t. as+nt=1Then as ≡ 1 (mod n) ands is the multiplicative inverse of a (mod n)Multiplicative Inverse
    • 36. © 2013 Persistent Systems Ltd36Due to Sun Tzu.Suppose gcd (p, q) = 1.Given a and b, there exists exactly one solutionx (mod pq) to the simultaneous congruencesx ≡ a (mod p) and x ≡ b (mod q)Chinese Remainder Theorem (CRT)
    • 37. © 2013 Persistent Systems Ltd37If p is prime and p does not divide a, thenap – 1 ≡ 1 (mod p)Fermat’s Little Theorem
    • 38. © 2013 Persistent Systems Ltd38Euler’s phi ( Φ ) function : For a compositen, Φ (n) is the number of integers 1 <= a <=n such that gcd (a,n) = 1. If n = pq (where p and q are primes) then usingChinese Remainder Theorem we getΦ(n) = (p – 1) (q – 1)Euler’s Theorem : For a composite n, Ifgcd(a, n) = 1, thenaΦ(n) ≡ 1 (mod n)Euler’s theorem
    • 39. © 2013 Persistent Systems Ltd39Large random primes, p and q, s.t. n = pqΦ = (p-1)(q-1)Choose an integer e, 1 < e < Φ, such that gcd(e, Φ) = 1Compute d, such that ed ≡ 1 (mod Φ)Public key is (n, e) and the private key (d, p, q)n  modulus e  public/encryption exponentd  secret/private exponent .RSA Key Generation
    • 40. © 2013 Persistent Systems Ltd40M=Message H(m)= Cryptographic Hash of m Encrypt c ≡ me mod n Decrypt m ≡ cd mod n Sign s ≡ (H(m))d mod n Verify H(m) ≡ se mod nRSA Trapdoor Functions
    • 41. © 2013 Persistent Systems Ltdwww.persistentsys.comRSA Explained Video
    • 42. © 2013 Persistent Systems Ltd42ed ≡ 1 (mod (p - 1)(q - 1))ed – 1 = h (p – 1) (q – 1) , for some non-negative integer hIf (me)d ≡ 0 (mod p)  (me)d is a multiple of p  (me)d ≡ 0 ≡ m (modp) If (me)d !≡ 0 (mod p) (me)d = m(ed – 1)m = mh(p-1)(q-1)m = (mp-1)h(q-1)m ≡ 1h(q-1)m ≡ m (mod p)using Fermat’s Little Thm.Similarly (me)d ≡ m (mod q) (me)d ≡ m (mod pq) using Chinese Remainder ThmProof of Correctness
    • 43. © 2013 Persistent Systems Ltd43Plain RSA is a Deterministic encryption algorithm (norandom aspect) Open to chosen plaintext attacksNot semantically secureChosen Ciphertext attacks existSolution: random padding – Optimal AsymmetricEncryption Padding (OAEP)RSA algorithm by itself is vulnerable in practice
    • 44. © 2013 Persistent Systems Ltd44 Public Key Cryptography Standard #1 (current version 2.2) Specifies RSA encryption, decryption, signature and verificationprimitives I2OSP, OS2IP: Convert non-negative integers to Octet strings and vice versa. RSAEP, RSADP: Basic encryption and decryption algorithms. RSASP1, RSAVP1: Algorithms for producing and verifying signatures. Specifies RSA encryption and signature schemes Specifies encoding methods for these schemes Other signature scheme standards ANSI X9.31, Bellare-Rogaway PSSPKCS #1
    • 45. © 2013 Persistent Systems Ltd45EME-OAEP from PKCS#1 v2.2lHash PS 01 MDB =MGFseedMGF00 maskedSeed maskedDBEM =00
    • 46. © 2013 Persistent Systems Ltd46Practical choices with RSATo speed up RSA encryption use a small e:c = me (mod N)Minimum value: e=3Recommended value: e=65537=216+1
    • 47. © 2013 Persistent Systems Ltd47RSA Key LengthsStrength compared with symmetric cipher key sizesSymmetric (AES) key size in bits RSA Key size in bits128 3072192 7680256 15360
    • 48. © 2013 Persistent Systems Ltd48Illegal” Perl prior to 1999 #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj$/=unpack(H*,$_);$_=`echo16dioU$k"SK$/SM$nEsN0p[lN*1lK[d2%Sa2/d0$^Ixp"|dc`;s/W//g;$_=pack(H*,/((..)*)$/)Reference: Adam Back and the US Export Regulations
    • 49. © 2013 Persistent Systems Ltd49Unknown to the RSA team, British mathematicianClifford Cocks, while working at the GovernmentCommunications Headquarters (GCHQ), had built uponthe work of James Ellis and developed a similarmethod.It was however classified as a secret by the BritishGovernment and not made public until 1997.Used N=eThe Pre-RSA PKC algorithm (1973)
    • 50. © 2013 Persistent Systems Ltdwww.persistentsys.comVideo snippet of Shamir Turing Lecture
    • 51. © 2013 Persistent Systems Ltd51Source : xkcd comic
    • 52. © 2013 Persistent Systems Ltdwww.persistentsys.comAttacks on RSA
    • 53. © 2013 Persistent Systems Ltd53RSA Attack ApproachesBrute forcing the Key Not feasible given the sizes of numbersFactorization Mathematical attacks for factoring modulus NImplementation Attacks Timing attacks Power attacks Fault attacks
    • 54. © 2013 Persistent Systems Ltd54Mathematical approach takes 3 forms: factor N=p.q, hence find ø(N) and then d determine ø(N) directly and find d find d directly Considered equally hard == factoringFactoring algorithms have gotten better over the years Best algorithms use “Quadratic Sieve” or “Generalized NumberField Sieve” 1024+ bit RSA currently considered secure for most uses and2048 bit recommended for high-security.Factorization
    • 55. © 2013 Persistent Systems Ltd55Factoring Complexity
    • 56. © 2013 Persistent Systems Ltd56 RSA-768 factored in 2009 by Thorsten Kleinjung et al. The largest RSA challenge modulus factored till date 232 decimal digits, 768 bits RSA-768 =1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413 RSA-768 =33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 ×The RSA Challenge
    • 57. © 2013 Persistent Systems Ltd57Implementation attacks Timing attack: [Kocher et al. 1997] The time it takes to compute cd (mod N) can expose d countermeasures use constant exponentiation time add random delays Power attack: [Kocher et al. 1999) The power consumption of a smartcard while it is computingcd (mod N) can expose d. Faults attack: [Boneh et al. 1997] A computer error during cd(mod N) can expose d.
    • 58. © 2013 Persistent Systems Ltd58An Example Fault Attack on RSAA common optimization of RSA decryptiondecrypt mod p: mp ≡ cd (mod p)decrypt mod q: mq ≡ cd (mod q)If an error occurs when computing mq , but not with mpThen: output is m’ wherem’ ≡ cd (mod p) but m’ ! ≡ cd (mod q)(m’)e ≡ c (mod p) but (m’)e ! ≡ c in (mod q) gcd((m’)e- c, n) = pcombine to get m ≡ cd (mod n)
    • 59. © 2013 Persistent Systems Ltd59Problems with RSA Key Generation[Heninger et al./Lenstra et al.]: 0.4% of publicly available https keys were factored. Mostlydevices like routers Random number generation is a critical cog; must ensure goodsource of entropy.prng.seed(seed)p = prng.generate_random_prime()prng.add_randomness(bits)q = prng.generate_random_prime()N = p*qPoor initial entropy  same pon multiple devicesN1 , N2 : 2 different keys s.t.gcd(N1,N2) = p
    • 60. © 2013 Persistent Systems Ltd60 Low Private Exponent M. Wiener (1987) - a linear time algorithm for recovering d if d < N 0.25 Boneh and Durfee (1998) - d < N 0.292 RSA is insecure This is a problem for low-power devices like smartcards. Workaround : dp = d mod (p – 1) and dq = d mod (q – 1) are small, while d is still large. Also Qinv = q -1 (mod p) then mp = cdp (mod p) and mq = cdq (mod q) h = Qinv * (mp – mq) (mod p) m = mq + (h * q) dp and dq can’t be too small though.Low Private Exponent
    • 61. © 2013 Persistent Systems Ltd61 Quantum computing Based on qubit Can be 1 , 0 or a superposition of both at the same time Quantum parallelism allows for exponentially many computations Shor ‘s Algorithm (1994) Can factor large numbers in polynomial time -- O ( (log n)3 ) for factoring n bitnumber. Probabilistic. Thankfully quantum computers are long way from reality Best implementation so far Bristol University researchers (1999) – computed the “order finding routine” part of Shor IBM (2011) and UCSB researchers (2012) could factor 15 = 3 * 5 (48% of the time)Quantum Computing and Factoring
    • 62. © 2013 Persistent Systems Ltd62 Merkle-Hellman (1978) – Knapsack Rabin-Williams (1979) – Factoring Goldwasser-Micali (1984) – Quadratic Residue Blum-Goldwasser (1984) – Factoring ElGamal (1985) – Discrete Log Problem Miller-Koblitz (1985) – Elliptic Curves Cramer-Shoup (1998) – Discrete Log Problem Boneh-Franklin (2001) – Bilinear Diffie-Hellman Problem Cocks IBE (2001) – Quadratic Residue …Other PKC Systems
    • 63. © 2013 Persistent Systems Ltd63RSA (1977) was the first (publicly known) public keyencryption and signature algorithmBased on number theory and core security derivedfrom hardness of factoringWidely deployed and used in modern communicationMost effective attacks have been on implementation Slow and steady progress on factoring attacksSummary
    • 64. © 2013 Persistent Systems Ltd64This presentation has referenced and borrowed material from thefollowing sources. ACM’s Turing Award website RSA inventor’s own web pages 10 years of public key cryptography – Whitfield Diffie Wikipedia Dan Boneh’s Crypto course on Introduction to Cryptography and Coding Theory – Trappe andWashingtonReferences and acknowledgements
    • 65. © 2013 Persistent Systems Ltd65Prof. Dan Boneh More
    • 66. © 2013 Persistent Systems Ltd6666© 2012 Persistent Systems LtdThank You !