Turing100@Persistent | Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman
© 2013 Persistent Systems Ltd
www.persistentsys.com

RSA : The Inventors and the Algorithm
Pandurang Kamat
Turing100 Lecture series @ Persistent Systems
11 May 2013

ACM A. M. Turing Award
Dr. Ronald Rivest, Dr. Adi Shamir and Dr. Leonard Adleman
Citation :
“… for their ingenious contribution to making public-key cryptography useful in practice.”
“A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, Feb. 1978.

Ronald (Ron) Linn Rivest
Born : 1947, Schenectady, New York, USA
Education :
BA (Mathematics, Yale University, 1969)
Ph.D. (Computer Science, Stanford University, 1973)
Professional Career :
MIT (Viterbi Professor of Computer Science in the EECS Department)
Leader of MIT's Cryptography and Information Security Group (from 1974)
Member of MIT's Computer Science and Artificial Intelligence Laboratory, CSAIL, and of their Theory of Computation Group.
Co-founder of RSA Data Security (now owned by EMC as RSA Security), Verisign and Peppercoin

Ronald Rivest : Research and Recognition
Research : cryptography, computer and network security, voting systems
Inventor of MD2, MD4, MD5 & MD6 (co-inventor) cryptographic hash functions
Inventor of RC2, RC4, RC5 and co-inventor of RC6 ciphers
Book : Popularly known as CLRS
Co-author (with Professors Cormen, Leiserson, and Stein) of “Introduction to Algorithms”, published by MIT Press
Awards and Recognition :
ACM Paris Kanellakis Theory and Practice Award (1997)
ACM Turing Award, with A. Shamir and L. Adleman (2002)
Marconi Prize (2007)
National Cyber Security Hall of Fame Award (2012)

Adi Shamir
Born : 1952, Tel Aviv, Israel
Education :
BSc (Mathematics, Tel Aviv University, 1973)
PhD (Computer Science, Weizmann Institute, Israel, 1977)
Professional Career :
Assistant Professor, Department of Mathematics, MIT (1978-1980)
Associate Professor, Department of Applied Mathematics, Weizmann Institute of Science, Rehovot, Israel (1980-1984)
Paul and Marlene Borman Professor, Department of Applied Mathematics, The Weizmann Institute of Science, Rehovot, Israel (1984 onward)
Co-founder of RSA Data Security (now owned by EMC as RSA Security)

Adi Shamir : Research and Recognition
Research : Cryptography
Broadcast encryption, ring signatures and T-functions
Cryptanalytic attacks against block ciphers, stream ciphers
Protective techniques against side channel attacks such as power analysis.
Awards and Recognition :
IEEE WRG Baker Award (1986)
Israel Mathematical Society Erdos Prize (1983)
ACM Paris Kanellakis Theory and Practice Award (1997)
ACM Turing Award, with A. Shamir and L. Adleman (2002)
Fellow, International Association of Cryptographic Research (2004)

Adi Shamir : Other Major Contributions
Shamir’s secret sharing
k points enough to define a polynomial of degree k-1
Differential Cryptanalysis -- New Field
Co-wrote a book with his graduate student Eli Biham : “Differential Cryptanalysis of the DES”
Identity Based Cryptography (1984) – New Field
Proposed Identity based Encryption (1984)
First practical implementations came in 2001 via 2 different techniques : Weil Pairing (Boneh & Franklin) and Quadratic Residue (Cocks)
Visual Cryptography (1994) – New Field
Decryption is a visual process

Leonard (Len) Max Adleman
Born : 1945, San Francisco, California
Education :
BA, Mathematics (University of California, Berkeley, 1968)
PhD, Computer Science (UC Berkeley, 1976)
Professional Career :
MIT, Department of Mathematics (1977-1979 Assistant Professor, 1979-1980 Associate Professor)
University of Southern California (1980 Associate Professor, 1983 Professor, 1985 Henry Salvatori Professor)
Co-founder of RSA Data Security (now owned by EMC as RSA Security)

Len Adleman : Research and Recognition
Research :
“Adleman-Pomerance-Rumely primality test”
Almost polynomial time, deterministic primality testing algorithm.
“Recognizing Primes in random polynomial time” (1987)
only topped in 2002 by “PRIMES in P” (IITK)
Proved “first case of Fermat’s last theorem holds for infinitely many primes” (1986)
Andrew Wiles proved Fermat’s last theorem (conjectured 1637) in 1995.
Father of DNA computing : Solved Hamiltonian Path Problem using DNA (1994)
Awards and Recognition :
ACM Paris Kanellakis Theory and Practice Award (1997)
ACM Turing Award, with A. Shamir and L. Adleman (2002)
Distinguished Professor title, University of Southern California (2000)

Video snippet from Adleman’s Turing lecture

Encryption through history
Cryptography is derived from the Greek words Krypto (hidden) + grafo (writing)
Used as early as 1900 BC – as inferred from archeological finds.
Until the 1970s, encryption was Symmetric.
Sender and Receiver use the same key to encrypt and decrypt.
A separate, secure (and usually offline) channel was used to exchange a shared secret

Scytale
Transposition Cipher
Used by ancient Greeks and Spartans

Enigma Machine
Inventor: Arthur Scherbius
Polyalphabetic substitution cipher
Used by Nazi military in WWII
Polish Cipher Bureau first broke Enigma ciphers
Alan Turing played a major role in British efforts to break Enigma

Private and Public Key Cryptography
Private Key Cryptography (Symmetric)
Uses a single key to encrypt and decrypt
Key shared by both sender and receiver
Cannot be used as a signature
Public Key Cryptography (Asymmetric)
Uses two keys – one private and the other public
Operations are slower than private key cryptography
In communication, typically used to establish a symmetric session key

Public key encryption
(figure: Alice --c--> Bob over a non-secure channel)
Bob: generates (PK, SK) and gives PK to Alice
Alice: c = E(PK, m), sends c to Bob over the non-secure channel
Bob: m = D(SK, c)

Cryptology meets Computational Complexity
Claude Shannon : Information Theoretic Security
A code is unbreakable when the adversary does not have enough information. E.g. One Time Pad
Computational Complexity introduced new ideas
A code could be unbreakable because the adversary does not have enough computational power or time

Ralph Merkle
1974, CS244 (Computer Security) course by Lance Hoffman
Establishing secure communications between separate secure sites over insecure communication lines.
“… your description of project 1 is muddled terribly.”
1975 : Paper submitted to CACM --- Rejected
“… not in the main stream of present cryptography thinking …”
Finally a revised version is published in April 1978
"Secure Communications over Insecure Channels", Communications of the ACM

Merkle’s Puzzles (1974)
(figure: Alice, Bob and Eve)
Alice → Bob : a million puzzles, complexity O(N) each
Eve : has to solve 500K puzzles on average, O(N²)

The birth of PKC
“PKC was born in the spring of 1975, a child of two problems and a misunderstanding” [Diffie, 1988]
Problem 1: Key distribution
How do two parties establish a common cryptographic key (symmetric) without any prior secret sharing?
Problem 2: Signatures
Is there a way for the recipient of a digital message to verify that the message came from a particular sender?
Misunderstanding : Key Distribution Center used in conventional symmetric key cryptography was insecure.

Trapdoor Functions
One-way functions
Given x => easy to compute f(x); but given f(x) => hard to compute x
Trapdoor functions
one-way functions where a secret “trapdoor” y allows one to compute x from f(x)

Verifiable Challenges
What if Alice could pose challenges whose answers she didn’t know (and couldn’t feasibly compute) but could feasibly verify?
Bob creates a function ‘f’ (public info) for which only he knows the trapdoor ‘y’.
Alice sends a value from the f(x) space and asks Bob to solve it for x.
Bob can only solve it if he knows the secret ‘y’ --- SIGNATURE verification
If ‘x’ is the message Alice wants to send Bob -- ENCRYPTION.
“Multiuser Cryptographic Techniques” : Diffie and Hellman (1976)

Three possible tracks to find trapdoor functions
John Gill : Discrete exponentiation, because the inverse, discrete logarithm, is hard.
DH chose this for the DH scheme
Knapsack or Subset-sum problem
Merkle-Hellman (first) and others
Can’t be used for signing. Now considered broken.
Donald Knuth : Prime multiplication, because factorization is hard.
RSA chose this.

The Diffie Hellman Paper – inspired RSA
Whitfield Diffie and Martin E. Hellman, “New Directions in Cryptography,” IEEE Transactions On Information Theory, 1976.
“We stand today on the brink of a revolution in cryptography …”

Diffie-Hellman Key Exchange
Finite cyclic group G of order n
Generator g in G ( G = {1, g, g^2, g^3, … , g^(n-1)} )
Alice : picks random a in {1,…,n}, sends K_A = g^a
Bob : picks random b in {1,…,n}, sends K_B = g^b
k_AB = g^(ab) = (g^a)^b = K_A^b = K_B^a = (g^b)^a

Video snippet of Rivest Turing Lecture

Number Theory and Modular Arithmetic
Greatest Common Divisor, gcd(a, b) – of a and b is the largest positive integer dividing both a and b.
e.g. gcd(24, 60) = 12
a and b are called relatively prime if gcd(a, b) = 1
Congruence : Given integers a, b and n (s.t. n ≠ 0), a is congruent to b mod n if (a - b) is a positive or negative multiple of n.
e.g. 17 ≡ 2 mod 5

Multiplicative Inverse
Given gcd(a, n) = 1
Let s and t be integers s.t. as + nt = 1
Then as ≡ 1 (mod n) and
s is the multiplicative inverse of a (mod n)

Chinese Remainder Theorem (CRT)
Due to Sun Tzu.
Suppose gcd(p, q) = 1.
Given a and b, there exists exactly one solution x (mod pq) to the simultaneous congruences
x ≡ a (mod p) and x ≡ b (mod q)
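The two preceding slides in working code, as an added example that is not part of the deck: the extended Euclidean algorithm produces the s and t with as + nt = gcd(a, n), the inverse falls out of it when the gcd is 1, and the same routine drives a two-modulus CRT solver. The function names are my own.

```python
# Added example: extended Euclid, modular inverse and CRT as on the slides.

def extended_gcd(a, b):
    """Return (g, s, t) with a*s + b*t = g = gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return old_r, old_s, old_t


def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n; fails unless gcd(a, n) = 1."""
    g, s, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return s % n


def crt(a, p, b, q):
    """The unique x mod p*q with x ≡ a (mod p) and x ≡ b (mod q), gcd(p, q) = 1."""
    g, _, _ = extended_gcd(p, q)
    if g != 1:
        raise ValueError("moduli must be relatively prime")
    # x = a + p*h, and h is chosen so that a + p*h ≡ b (mod q)
    h = ((b - a) * mod_inverse(p, q)) % q
    return a + p * h


if __name__ == "__main__":
    print(extended_gcd(24, 60))   # gcd(24, 60) = 12, as on the slide
    print(mod_inverse(3, 20))     # 7, since 3 * 7 = 21 ≡ 1 (mod 20)
    print(crt(2, 5, 3, 7))        # 17: 17 ≡ 2 (mod 5) and 17 ≡ 3 (mod 7)
```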

Fermat’s Little Theorem
If p is prime and p does not divide a, then
a^(p – 1) ≡ 1 (mod p)

Euler’s theorem
Euler’s phi (Φ) function : For a composite n, Φ(n) is the number of integers 1 <= a <= n such that gcd(a, n) = 1.
If n = pq (where p and q are primes) then using the Chinese Remainder Theorem we get
Φ(n) = (p – 1)(q – 1)
Euler’s Theorem : For a composite n, if gcd(a, n) = 1, then
a^Φ(n) ≡ 1 (mod n)

RSA Key Generation
Large random primes, p and q, s.t. n = pq
Φ = (p-1)(q-1)
Choose an integer e, 1 < e < Φ, such that gcd(e, Φ) = 1
Compute d, such that ed ≡ 1 (mod Φ)
Public key is (n, e) and the private key (d, p, q)
n : modulus
e : public/encryption exponent
d : secret/private exponent

RSA Trapdoor Functions
M = Message, H(m) = Cryptographic Hash of m
Encrypt : c ≡ m^e mod n
Decrypt : m ≡ c^d mod n
Sign : s ≡ (H(m))^d mod n
Verify : H(m) ≡ s^e mod n
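Key generation and the four trapdoor operations from the last two slides, as an added example (my code, not the deck's): the primes 61 and 53 and the exponent 17 are constructed so that every intermediate value fits in a few digits, and H(m) is SHA-256 reduced mod n only because n is tiny. This is textbook RSA with no padding, which the next slides explain is not safe to deploy as-is.

```python
import hashlib
import math

# Added example: textbook RSA on constructed toy primes (61, 53).

def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (d, p, q)); e defaults to the recommended 2^16 + 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or math.gcd(e, phi) != 1:
        raise ValueError("need 1 < e < Φ and gcd(e, Φ) = 1")
    d = pow(e, -1, phi)          # e*d ≡ 1 (mod Φ); pow(..., -1, m) needs Python 3.8+
    return (n, e), (d, p, q)


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)          # c ≡ m^e mod n


def decrypt(priv, pub, c):
    d, n = priv[0], pub[0]
    return pow(c, d, n)          # m ≡ c^d mod n


def hash_to_int(msg, n):
    """H(m) as an integer below n (reduction is only needed for a toy n)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, pub, msg):
    d, n = priv[0], pub[0]
    return pow(hash_to_int(msg, n), d, n)          # s ≡ H(m)^d mod n


def verify(pub, msg, s):
    n, e = pub
    return pow(s, e, n) == hash_to_int(msg, n)    # H(m) ≡ s^e mod n


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)          # n = 3233, Φ = 3120, d = 2753
    c = encrypt(pub, 65)
    print(pub, priv[0], c, decrypt(priv, pub, c))  # (3233, 17) 2753 2790 65
    s = sign(priv, pub, b"pay 100")
    print(verify(pub, b"pay 100", s), verify(pub, b"pay 100", (s + 1) % pub[0]))
```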

Proof of Correctness
ed ≡ 1 (mod (p – 1)(q – 1))
ed – 1 = h (p – 1)(q – 1), for some non-negative integer h
If (m^e)^d ≡ 0 (mod p) : (m^e)^d is a multiple of p, so (m^e)^d ≡ 0 ≡ m (mod p)
If (m^e)^d !≡ 0 (mod p) :
(m^e)^d = m^(ed – 1) · m = m^(h(p-1)(q-1)) · m = (m^(p-1))^(h(q-1)) · m ≡ 1^(h(q-1)) · m ≡ m (mod p)
using Fermat’s Little Thm.
Similarly (m^e)^d ≡ m (mod q)
(m^e)^d ≡ m (mod pq) using the Chinese Remainder Thm

RSA algorithm by itself is vulnerable in practice
Plain RSA is a Deterministic encryption algorithm (no random aspect)
Open to chosen plaintext attacks
Not semantically secure
Chosen Ciphertext attacks exist
Solution: random padding – Optimal Asymmetric Encryption Padding (OAEP)

PKCS #1
Public Key Cryptography Standard #1 (current version 2.2)
Specifies RSA encryption, decryption, signature and verification primitives
I2OSP, OS2IP: Convert non-negative integers to octet strings and vice versa.
RSAEP, RSADP: Basic encryption and decryption algorithms.
RSASP1, RSAVP1: Algorithms for producing and verifying signatures.
Specifies RSA encryption and signature schemes
Specifies encoding methods for these schemes
Other signature scheme standards
ANSI X9.31, Bellare-Rogaway PSS

EME-OAEP from PKCS#1 v2.2
(figure: EME-OAEP encoding)
DB = lHash || PS || 01 || M
maskedDB = DB xor MGF(seed)
maskedSeed = seed xor MGF(maskedDB)
EM = 00 || maskedSeed || maskedDB
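The EME-OAEP figure above at byte level, as an added example that is my code and not the PKCS#1 text: SHA-256 with MGF1 as the mask generation function, a constructed 128-byte (1024-bit) modulus size k, and a decoder that reports every consistency failure as the same generic error, since PKCS#1 warns that distinguishing them leaks information to a chosen-ciphertext attacker.

```python
import hashlib
import os

# Added example: EME-OAEP encode/decode with SHA-256 and MGF1 (PKCS#1 v2.2 layout).
HASH = hashlib.sha256
H_LEN = HASH().digest_size            # 32 bytes


def mgf1(seed, length):
    """MGF1: Hash(seed || counter) for counter = 0, 1, ... until length bytes."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m, k, label=b"", seed=None):
    """EM = 00 || maskedSeed || maskedDB, k = length of the RSA modulus in bytes."""
    if len(m) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (k - len(m) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + m                     # DB = lHash || PS || 01 || M
    seed = os.urandom(H_LEN) if seed is None else seed # fresh seed: randomised encryption
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))     # maskedDB = DB xor MGF(seed)
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))    # maskedSeed = seed xor MGF(maskedDB)
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k, label=b""):
    """Invert oaep_encode; all integrity checks collapse into one generic error."""
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    l_hash = HASH(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    l_hash2, rest = db[:H_LEN], db[H_LEN:]
    sep = rest.find(b"\x01")                           # first 01 ends the zero PS
    # Y must be 00, lHash must match, and PS must be all zeros up to the separator.
    bad = (y != 0) | (l_hash2 != l_hash) | (sep < 0) | any(rest[:max(sep, 0)])
    if bad:
        raise ValueError("decryption error")           # same message for every cause
    return rest[sep + 1:]


if __name__ == "__main__":
    em = oaep_encode(b"attack at dawn", 128)
    print(em.hex())                                    # differs on every run
    print(oaep_decode(em, 128))
```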

Practical choices with RSA
To speed up RSA encryption use a small e:
c = m^e (mod N)
Minimum value: e = 3
Recommended value: e = 65537 = 2^16 + 1

RSA Key Lengths
Strength compared with symmetric cipher key sizes
Symmetric (AES) key size in bits    RSA key size in bits
128                                 3072
192                                 7680
256                                 15360

RSA and the US Export Regulations
“Illegal” Perl prior to 1999
    #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
    $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
    lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
Reference: Adam Back
http://www.cypherspace.org/adam/rsa/

The Pre-RSA PKC algorithm (1973)
Unknown to the RSA team, British mathematician Clifford Cocks, while working at the Government Communications Headquarters (GCHQ), had built upon the work of James Ellis and developed a similar method.
It was however classified as a secret by the British Government and not made public until 1997.
Used N = e

Video snippet of Shamir Turing Lecture

RSA Attack Approaches
Brute forcing the Key
Not feasible given the sizes of numbers
Factorization
Mathematical attacks for factoring modulus N
Implementation Attacks
Timing attacks
Power attacks
Fault attacks

Factorization
Mathematical approach takes 3 forms:
factor N = p.q, hence find Φ(N) and then d
determine Φ(N) directly and find d
find d directly
Considered equally hard == factoring
Factoring algorithms have gotten better over the years
Best algorithms use “Quadratic Sieve” or “Generalized Number Field Sieve”
1024+ bit RSA currently considered secure for most uses and 2048 bit recommended for high-security.

The RSA Challenge
RSA-768 factored in 2009 by Thorsten Kleinjung et al.
The largest RSA challenge modulus factored till date
232 decimal digits, 768 bits
RSA-768 = 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
RSA-768 = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 ×

Implementation attacks
Timing attack: [Kocher et al. 1997]
The time it takes to compute c^d (mod N) can expose d
countermeasures
use constant exponentiation time
add random delays
Power attack: [Kocher et al. 1999]
The power consumption of a smartcard while it is computing c^d (mod N) can expose d.
Fault attack: [Boneh et al. 1997]
A computer error during c^d (mod N) can expose d.

An Example Fault Attack on RSA
A common optimization of RSA decryption
decrypt mod p: mp ≡ c^d (mod p)
decrypt mod q: mq ≡ c^d (mod q)
combine to get m ≡ c^d (mod n)
If an error occurs when computing mq, but not with mp
Then: output is m’ where
m’ ≡ c^d (mod p) but m’ !≡ c^d (mod q)
(m’)^e ≡ c (mod p) but (m’)^e !≡ c (mod q)
gcd((m’)^e – c, n) = p

Problems with RSA Key Generation
[Heninger et al./Lenstra et al.] :
0.4% of publicly available https keys were factored. Mostly devices like routers
Random number generation is a critical cog; must ensure a good source of entropy.
    prng.seed(seed)
    p = prng.generate_random_prime()
    prng.add_randomness(bits)
    q = prng.generate_random_prime()
    N = p*q
Poor initial entropy : same p on multiple devices
N1, N2 : 2 different keys s.t. gcd(N1, N2) = p
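Finding the shared-prime keys this slide describes across a key inventory, as an added example that is my code and not the papers' tooling: the slide states the pairwise gcd(N1, N2) = p test; this block goes further and implements the product-tree / remainder-tree batch GCD that Heninger et al. used to make the check scale to millions of moduli, run over a constructed inventory of toy moduli. A modulus that shares a different prime with two other keys comes back with gcd equal to itself, so the scan falls back to pairwise gcd to split it.

```python
import math

# Added example: batch GCD over an RSA key inventory (constructed toy moduli).

def batch_gcd(moduli):
    """Return gcd(N_i, product of all other N_j) for every N_i, via product and
    remainder trees instead of O(n^2) pairwise gcds."""
    tree = [list(moduli)]                      # level 0: the moduli themselves
    while len(tree[-1]) > 1:                   # each level multiplies adjacent pairs
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    rems = [tree[-1][0]]                       # root: product Z of all moduli
    for level in reversed(tree[:-1]):          # walk down, reducing Z mod N_i^2
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # (Z mod N^2) / N equals the product of the other moduli reduced mod N.
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_shared_primes(moduli):
    """Map every factorable modulus to (p, q); untouched moduli are not listed."""
    weak = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if 1 < g < n:
            weak[n] = (g, n // g)
        elif g == n:
            # Both primes of n occur elsewhere, so the batch gcd is n itself;
            # one pairwise gcd against the other keys still splits it.
            for other in moduli:
                p = math.gcd(n, other)
                if other != n and 1 < p < n:
                    weak[n] = (p, n // p)
                    break
    return weak


# Constructed inventory: 61 is reused by the first two keys, 71 and 67 by
# the second/fourth and third/fourth, and the last key shares nothing.
INVENTORY = [61 * 53, 61 * 71, 67 * 83, 71 * 67, 89 * 97]

if __name__ == "__main__":
    for n, (p, q) in find_shared_primes(INVENTORY).items():
        print(f"N = {n} is factorable: {p} * {q}")
```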

Low Private Exponent
M. Wiener (1987) - a linear time algorithm for recovering d if d < N^0.25
Boneh and Durfee (1998) - RSA is insecure if d < N^0.292
This is a problem for low-power devices like smartcards.
Workaround :
dp = d mod (p – 1) and dq = d mod (q – 1) are small, while d is still large.
Also Qinv = q^-1 (mod p); then
mp = c^dp (mod p) and mq = c^dq (mod q)
h = Qinv * (mp – mq) (mod p)
m = mq + (h * q)
dp and dq can’t be too small though.
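The CRT workaround above and the fault attack slide before it, in one added example (my code, not the deck's): decryption with dp, dq and Qinv on the constructed primes 61 and 53, plus the check a careful implementation makes before releasing a result, re-encrypting with the public exponent and comparing against c. The `fault` parameter only simulates an error in the mod-q half so the test can show the check withholding the faulty value that the gcd attack would otherwise use.

```python
from dataclasses import dataclass

# Added example: CRT-RSA decryption with a verify-before-output countermeasure.

@dataclass
class CrtKey:
    n: int
    e: int
    p: int
    q: int
    dp: int      # d mod (p - 1)
    dq: int      # d mod (q - 1)
    qinv: int    # q^-1 mod p


def make_crt_key(p, q, e):
    """Derive the CRT form of the private key from primes p, q and exponent e."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return CrtKey(p * q, e, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def crt_decrypt_unchecked(key, c, fault=None):
    """m = c^d mod n from two half-size exponentiations and Garner recombination.
    `fault` (simulation only) replaces m_q with a wrong value."""
    mp = pow(c, key.dp, key.p)                 # mp = c^dp (mod p)
    mq = pow(c, key.dq, key.q)                 # mq = c^dq (mod q)
    if fault is not None:
        mq = fault % key.q                     # an error in the mod-q half
    h = (key.qinv * (mp - mq)) % key.p         # h = Qinv * (mp - mq) (mod p)
    return mq + h * key.q                      # m = mq + h*q


def crt_decrypt(key, c, fault=None):
    """Countermeasure: never output a result that does not re-encrypt to c."""
    m = crt_decrypt_unchecked(key, c, fault)
    if pow(m, key.e, key.n) != c:
        raise RuntimeError("computation error detected; result withheld")
    return m


if __name__ == "__main__":
    key = make_crt_key(61, 53, 17)             # n = 3233, dp = 53, dq = 49, Qinv = 38
    print(crt_decrypt(key, 2790))              # 65
    print(crt_decrypt_unchecked(key, 2790, fault=7))   # wrong value, 431
```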

Quantum Computing and Factoring
Quantum computing
Based on the qubit
Can be 1, 0 or a superposition of both at the same time
Quantum parallelism allows for exponentially many computations
Shor’s Algorithm (1994)
Can factor large numbers in polynomial time -- O((log n)^3) for factoring an n-bit number. Probabilistic.
Thankfully quantum computers are a long way from reality
Best implementation so far
Bristol University researchers (1999) – computed the “order finding routine” part of Shor
IBM (2011) and UCSB researchers (2012) could factor 15 = 3 * 5 (48% of the time)

Other PKC Systems
Merkle-Hellman (1978) – Knapsack
Rabin-Williams (1979) – Factoring
Goldwasser-Micali (1984) – Quadratic Residue
Blum-Goldwasser (1984) – Factoring
ElGamal (1985) – Discrete Log Problem
Miller-Koblitz (1985) – Elliptic Curves
Cramer-Shoup (1998) – Discrete Log Problem
Boneh-Franklin (2001) – Bilinear Diffie-Hellman Problem
Cocks IBE (2001) – Quadratic Residue
…

Summary
RSA (1977) was the first (publicly known) public key encryption and signature algorithm
Based on number theory and core security derived from the hardness of factoring
Widely deployed and used in modern communication
Most effective attacks have been on implementation
Slow and steady progress on factoring attacks

References and acknowledgements
This presentation has referenced and borrowed material from the following sources.
ACM’s Turing Award website
RSA inventors’ own web pages
10 years of public key cryptography – Whitfield Diffie
Wikipedia
Dan Boneh’s Crypto course on Coursera.org
Introduction to Cryptography and Coding Theory – Trappe and Washington

Learn More
Prof. Dan Boneh
https://www.coursera.org/course/crypto

Editor's Notes
Differential Cryptanalysis of DES was known and kept secret by IBM and NASA. With minor modifications the algorithm was vulnerable to key recovery.
Military driven. All entities under one roof, so sharing the secret was not a problem.
Violates Kerckhoff’s principle that only the key should be secret. There is no key there.
Enigma had to be broken again and again as the cipher changed.
Invulnerable to computational advances, quantum computing etc. Does not depend on computational hardness.
No references to related prior work was also cited as a reason for rejection.
20-bit cipher as the puzzle: 1 minute to solve and another 1 to verify. Average 500K minutes (1 year) for Eve to brute-force the right key.
Talk about how problems were being solved for the military. Radar-plane challenge response: realization that “What if Alice could pose challenges whose answers she didn’t know (and couldn’t feasibly compute) but could feasibly verify?”
(private key) Easy and Hard (public key). Knapsack + multiplier and modulus used to convert hard to easy and vice versa.
Fermat’s Little thm used in probabilistic primality testing. Fermat’s witnesses and Fermat’s liars and pseudoprimes. “Little” only in deference to the last thm.
BB’04: Boneh-Brumley