RSA

    • RSA Cryptosystem 6/8/2002 2:20 PM

      Outline
        • Euler’s theorem (§10.1.3)
        • RSA cryptosystem (§10.2.3)
          • Definition
          • Example
          • Security
          • Correctness
        • Algorithms for RSA
          • Modular power (§10.1.4)
          • Modular inverse (§10.1.5)
          • Randomized primality testing (§10.1.6)

      Euler’s Theorem
        • The multiplicative group for $Z_n$, denoted with $Z^*_n$, is the subset of elements of $Z_n$ relatively prime with $n$
        • The totient function of $n$, denoted with $\phi(n)$, is the size of $Z^*_n$
        • Example: $Z^*_{10} = \{1, 3, 7, 9\}$, $\phi(10) = 4$
        • If $p$ is prime, we have $Z^*_p = \{1, 2, \ldots, (p - 1)\}$ and $\phi(p) = p - 1$
        • Euler’s Theorem: for each element $x$ of $Z^*_n$, we have $x^{\phi(n)} \bmod n = 1$
        • Example ($n = 10$):
            $3^{\phi(10)} \bmod 10 = 3^4 \bmod 10 = 81 \bmod 10 = 1$
            $7^{\phi(10)} \bmod 10 = 7^4 \bmod 10 = 2401 \bmod 10 = 1$
            $9^{\phi(10)} \bmod 10 = 9^4 \bmod 10 = 6561 \bmod 10 = 1$

      RSA Cryptosystem
        • Setup:
          • $n = pq$, with $p$ and $q$ primes
          • $e$ relatively prime to $\phi(n) = (p - 1)(q - 1)$
          • $d$ inverse of $e$ in $Z_{\phi(n)}$
        • Keys:
          • Public key: $K_E = (n, e)$
          • Private key: $K_D = d$
        • Encryption:
          • Plaintext $M$ in $Z_n$
          • $C = M^e \bmod n$
        • Decryption:
          • $M = C^d \bmod n$
        • Example
          • Setup:
            • $p = 7$, $q = 17$
            • $n = 7 \cdot 17 = 119$
            • $\phi(n) = 6 \cdot 16 = 96$
            • $e = 5$
            • $d = 77$
          • Keys:
            • public key: $(119, 5)$
            • private key: $77$
          • Encryption:
            • $M = 19$
            • $C = 19^5 \bmod 119 = 66$
          • Decryption:
            • $M = 66^{77} \bmod 119 = 19$

      Complete RSA Example
        • Setup:
          • $p = 5$, $q = 11$
          • $n = 5 \cdot 11 = 55$
          • $\phi(n) = 4 \cdot 10 = 40$
          • $e = 3$
          • $d = 27$ ($3 \cdot 27 = 81 = 2 \cdot 40 + 1$)
        • Encryption: $C = M^3 \bmod 55$
        • Decryption: $M = C^{27} \bmod 55$

          M    1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18
          C    1   8  27   9  15  51  13  17  14  10  11  23  52  49  20  26  18   2

          M   19  20  21  22  23  24  25  26  27  28  29  30  31  32  33  34  35  36
          C   39  25  21  33  12  19   5  31  48   7  24  50  36  43  22  34  30  16

          M   37  38  39  40  41  42  43  44  45  46  47  48  49  50  51  52  53  54
          C   53  37  29  35   6   3  32  44  45  41  38  42   4  40  46  28  47  54

      Security
        • The security of the RSA cryptosystem is based on the widely believed difficulty of factoring large numbers
          • The best known factoring algorithm (general number field sieve) takes time exponential in the number of bits of the number to be factored
        • The RSA challenge, sponsored by RSA Security, offers cash prizes for the factorization of given large numbers
        • In April 2002, prizes ranged from $10,000 (576 bits) to $200,000 (2048 bits)
        • In 1999, a 512-bit number was factored in 4 months using the following computers:
          • 160 175-400 MHz SGI and Sun
          • 8 250 MHz SGI Origin
          • 120 300-450 MHz Pentium II
          • 4 500 MHz Digital/Compaq
        • Estimated resources needed to factor a number within one year:

          Bits     PCs                     Memory
          430      1                       128MB
          760      215,000                 4GB
          1,020    $342 \times 10^{6}$     170GB
          1,620    $1.6 \times 10^{15}$    120TB
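The setup, encryption and decryption steps above can be checked against both worked examples (n = 119 and n = 55). The Python below is an added example, not part of the original slides; the function names are chosen here, d is computed with the extended Euclid's algorithm, and the built-in `pow` is used for the modular power.

```python
def extended_euclid(a, b):
    """Return (d, i, j) such that d = gcd(a, b) = i*a + j*b."""
    if b == 0:
        return a, 1, 0
    d, i, j = extended_euclid(b, a % b)
    return d, j, i - (a // b) * j


def rsa_setup(p, q, e):
    """Setup step: return the public key (n, e) and the private key d."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, i, _ = extended_euclid(e, phi)
    if g != 1:
        # e has no inverse in Z_phi(n), so no decryption exponent exists
        raise ValueError(f"e={e} is not relatively prime to phi(n)={phi}")
    return (n, e), i % phi


def encrypt(M, public_key):
    """C = M^e mod n for a plaintext M in Z_n."""
    n, e = public_key
    if not 0 <= M < n:
        raise ValueError("plaintext must be an element of Z_n")
    return pow(M, e, n)


def decrypt(C, n, d):
    """M = C^d mod n."""
    return pow(C, d, n)


def cipher_table(p, q, e):
    """Map every M in 1..n-1 to its ciphertext, like the n = 55 table."""
    public_key, _ = rsa_setup(p, q, e)
    return {M: encrypt(M, public_key) for M in range(1, public_key[0])}


def round_trip_holds(p, q, e):
    """True if decryption undoes encryption for every M in Z_n."""
    (n, _), d = rsa_setup(p, q, e)
    return all(decrypt(encrypt(M, (n, e)), n, d) == M for M in range(n))


if __name__ == "__main__":
    print(rsa_setup(7, 17, 5))      # p, q, e taken from the slide's example
    print(cipher_table(5, 11, 3))
```

`round_trip_holds` runs over all of Z_n, so it also exercises plaintexts that share a factor with n.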
      Correctness
        • We show the correctness of the RSA cryptosystem for the case when the plaintext $M$ does not divide $n$
        • Namely, we show that $(M^e)^d \bmod n = M$
        • Since $ed \bmod \phi(n) = 1$, there is an integer $k$ such that $ed = k\phi(n) + 1$
        • Since $M$ does not divide $n$, by Euler’s theorem we have $M^{\phi(n)} \bmod n = 1$
        • Thus, we obtain
            $(M^e)^d \bmod n$
            $= M^{ed} \bmod n$
            $= M^{k\phi(n) + 1} \bmod n$
            $= M M^{k\phi(n)} \bmod n$
            $= M (M^{\phi(n)})^k \bmod n$
            $= M (M^{\phi(n)} \bmod n)^k \bmod n$
            $= M (1)^k \bmod n$
            $= M \bmod n$
            $= M$
        • See the book for the proof of correctness in the case when the plaintext $M$ divides $n$

      Algorithmic Issues
        • The implementation of the RSA cryptosystem requires various algorithms
        • Overall
          • Representation of integers of arbitrarily large size and arithmetic operations on them
        • Encryption
          • Modular power
        • Decryption
          • Modular power
        • Setup
          • Generation of random numbers with a given number of bits (to generate candidates $p$ and $q$)
          • Primality testing (to check that candidates $p$ and $q$ are prime)
          • Computation of the GCD (to verify that $e$ and $\phi(n)$ are relatively prime)
          • Computation of the multiplicative inverse (to compute $d$ from $e$)

      Modular Power
        • The repeated squaring algorithm speeds up the computation of a modular power $a^p \bmod n$
        • Write the exponent $p$ in binary: $p = p_{b-1} p_{b-2} \ldots p_1 p_0$
        • Start with $Q_1 = a^{p_{b-1}} \bmod n$
        • Repeatedly compute $Q_i = ((Q_{i-1})^2 \bmod n)\, a^{p_{b-i}} \bmod n$
        • We obtain $Q_b = a^p \bmod n$
        • The repeated squaring algorithm performs $O(\log p)$ arithmetic operations
        • Example: $3^{18} \bmod 19$ (18 = 10010 in binary)
            $Q_1 = 3^1 \bmod 19 = 3$
            $Q_2 = (3^2 \bmod 19)\, 3^0 \bmod 19 = 9$
            $Q_3 = (9^2 \bmod 19)\, 3^0 \bmod 19 = 81 \bmod 19 = 5$
            $Q_4 = (5^2 \bmod 19)\, 3^1 \bmod 19 = (25 \bmod 19)\, 3 \bmod 19 = 18 \bmod 19 = 18$
            $Q_5 = (18^2 \bmod 19)\, 3^0 \bmod 19 = (324 \bmod 19) \bmod 19 = (17 \cdot 19 + 1) \bmod 19 = 1$

          $p_{5-i}$        1   0   0   1   0
          $3^{p_{5-i}}$    3   1   1   3   1
          $Q_i$            3   9   5  18   1

      Modular Inverse
        • Theorem: given positive integers $a$ and $b$, let $d$ be the smallest positive integer such that $d = ia + jb$ for some integers $i$ and $j$. We have $d = \gcd(a, b)$
        • Example
          • $a = 21$, $b = 15$
          • $d = 3$
          • $i = 3$, $j = -4$
          • $3 = 3 \cdot 21 + (-4) \cdot 15 = 63 - 60 = 3$
        • Given positive integers $a$ and $b$, the extended Euclid’s algorithm computes a triplet $(d, i, j)$ such that
          • $d = \gcd(a, b)$
          • $d = ia + jb$
        • To test the existence of and compute the inverse of $x \in Z_n$, we execute the extended Euclid’s algorithm on the input pair $(x, n)$
        • Let $(d, i, j)$ be the triplet returned, so that $d = ix + jn$
          • Case 1: $d = 1$. $i$ is the inverse of $x$ in $Z_n$
          • Case 2: $d > 1$. $x$ has no inverse in $Z_n$

      Pseudoprimality Testing
        • The number of primes less than or equal to $n$ is about $n / \ln n$
        • Thus, we expect to find a prime among $O(b)$ randomly generated numbers with $b$ bits each
        • Testing whether a number is prime (primality testing) is believed to be a hard problem
        • An integer $n \ge 2$ is said to be a base-$x$ pseudoprime if $x^{n-1} \bmod n = 1$ (Fermat’s little theorem)
        • Composite base-$x$ pseudoprimes are rare:
          • A random 100-bit integer is a composite base-2 pseudoprime with probability less than $10^{-13}$
          • The smallest composite base-2 pseudoprime is 341
        • Base-$x$ pseudoprimality testing for an integer $n$:
          • Check whether $x^{n-1} \bmod n = 1$
          • Can be performed efficiently with the repeated squaring algorithm

      Randomized Primality Testing
        • Compositeness witness function witness(x, n) with error probability $q$ for a random variable $x$
          • Case 1: $n$ is prime. witness(x, n) = false
          • Case 2: $n$ is composite. witness(x, n) = false with probability $q < 1$
        • Algorithm RandPrimeTest tests whether $n$ is prime by repeatedly evaluating witness(x, n)
        • A variation of base-$x$ pseudoprimality provides a suitable compositeness witness function for randomized primality testing (Rabin-Miller algorithm)

          Algorithm RandPrimeTest(n, k)
            Input integer n, confidence parameter k and composite witness function witness(x, n) with error probability q
            Output an indication of whether n is composite or prime with probability 2^(−k)
            t ← k / log2(1/q)
            for i ← 1 to t
              x ← random()
              if witness(x, n) = true
                return “n is composite”
            return “n is prime”
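The repeated squaring recurrence, the base-x pseudoprimality check and RandPrimeTest described above, as one added Python example that is not part of the original slides. The function names are chosen here; the witness function is the standard Rabin-Miller test, and q = 1/4 is its known error bound, which the slides do not state.

```python
import math
import random


def modular_power(a, p, n):
    """Repeated squaring: return (a^p mod n, [Q_1, ..., Q_b])."""
    bits = bin(p)[2:]                        # p_{b-1} ... p_1 p_0
    q = a ** int(bits[0]) % n                # Q_1 = a^{p_{b-1}} mod n
    trace = [q]
    for bit in bits[1:]:                     # Q_i = (Q_{i-1}^2 mod n) a^{p_{b-i}} mod n
        q = (q * q % n) * (a if bit == "1" else 1) % n
        trace.append(q)
    return q, trace


def is_base_x_pseudoprime(n, x):
    """Fermat check from the slides: x^(n-1) mod n == 1."""
    return modular_power(x, n - 1, n)[0] == 1


def witness(x, n):
    """Rabin-Miller compositeness witness: True means n is not prime."""
    if n < 3 or n % 2 == 0:
        return n != 2
    s, d = 0, n - 1
    while d % 2 == 0:                        # write n - 1 = 2^s * d with d odd
        s, d = s + 1, d // 2
    y = modular_power(x, d, n)[0]
    if y in (1, n - 1):
        return False
    for _ in range(s - 1):
        y = y * y % n
        if y == n - 1:
            return False
    return True


def rand_prime_test(n, k, q=0.25, rng=random):
    """RandPrimeTest(n, k); q = 1/4 is the Rabin-Miller error bound (assumed)."""
    if n < 4:
        return n in (2, 3)
    t = math.ceil(k / math.log2(1 / q))
    for _ in range(t):
        x = rng.randrange(2, n - 1)          # random base in [2, n - 2]
        if witness(x, n):
            return False                     # "n is composite"
    return True                              # "n is prime" (error <= 2^-k)
```

The trace returned by `modular_power(3, 18, 19)` reproduces the Q row of the slide's table, and 341 passes the base-2 Fermat check while `witness(2, 341)` still reports it as composite.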