Embed Size (px)
Citation preview
A Method for Obtaining Digital Signatures and Public-key
Cryptosystems
R.L Rivest, A. Shamir, L. Adleman
Presented by Wesley Varela
Ronald L. Rivest, Adi Shamir, and Leonard Adleman
Inventers of RSA
OUTLINE
• Introduction
• The Basic Idea of RSA
• A Small Example (Simple)
• The Big Hairy Math Stuff
• A Better Example
• Known Weaknesses
Introduction
“The era of “electronic mail” [10] may soon be upon us”
Why Encryption ??
What uses ??
So Bad People Don’t Do Bad Things
• Public vs. Private Key Cryptosystems– Private Key
• Encryption and decryption keys can be derived from each other
• The key must be securely delivered to the person(s) who need to decrypt or encrypt messages
• Person(s) receiving the key must be trustworthy• More useable in single-user enviroments
– Public Key• More secure and easier to use• Encryption keys are publicly available • Digital signatures
RSA – The Basic Idea• Properties of RSA
– Encrypting a plaintext message M gives the ciphertext. Deciphering the ciphertext returns M.
D(E(M)) = M– The inverse is also true (digital signatures).
E(D(M)) = M– The encryption key (E) and decryption key (D)
are easily computed– E is publicly available but does not compromise
the cryptosystem.
Basic Definitions you can’t live without
• Trap-door one-way functions: easily computed in one direction but not the other, unless the decryption key is known
• Trap-door one-way permutations: Every message is ciphertext from some message and every ciphertext is a permissible message.
A Small Example
• Assume we have two people– Oliver
• Encryption Key Eo
• Decryption Key Do
– Katie• Encryption Key Ek
• Decryption Key Dk
• Oliver sends a message to Katie– Ek(M) = ciphertext
• Sends the ciphertext to Katie
• Katie receives the message and response– Dk(C) = plaintext– Eo(M2) = ciphertext
• Sends the ciphertext to Oliver
• Oliver receives the return ciphertext– Do(C2) = plaintext
Signatures• Oliver sends a message to Katie
– Do(M) = Signature
• Ek(Signature) = Ciphertext
• Sends the ciphertext to Katie
• Katie receives the message– Dk(C) = Signature
– Eo(Signature) = plaintext
– Has the pair (Signature, Plaintext)
Big Hairy Math Stuff
• Eo = (E(e, m) mod n ) + some algorithm
• Do = (D(d, m) mod n ) + some algorithm
• d and e are exponents.
• m is the message
• n is the product of 2 very large primes
Why Use Primes for p & q?
• They have no non-trivial factors• It makes it even harder to find Ф(n)• No algorithm to easily factor large
numbers• Everything that’s cool has the word prime
attached to it. – Prime rib– Prime time– Optimus Prime
– Prime Directive
Eulers totient function Ф
• Ф(n) - gives the number of positive integers less then n which are relatively prime to n.
Computing Ф(n)
• Ф(n) = Ф(p*q)
= Ф(p)* Ф(q)
= (p-1)*(q-1)
= pq – p – q + 1
= n – (p + q) + 1
Selecting “d”
• d should be relatively prime to Ф(n)
• Select d to be a prime larger than max(p,q)
“since d is relatively prime to Ф(n), it has a multiplicative inverse e in the ring of integers modulo Ф(n)”
Multiplicative Inverse Example
• Two relatively prime numbers 5 and 7 1 * 5 = 5 ≡ 5 (Mod 7)
2 * 5 = 10 ≡ 3 (Mod 7) 3 * 5 = 15 ≡ 1 (Mod 7) 4 * 5 = 20 ≡ 6 (Mod 7) 5 * 5 = 25 ≡ 4 (Mod 7) 6 * 5 = 30 ≡ 2 (Mod 7) 7 * 5 = 35 ≡ 0 (Mod 7)
Z7 is a cyclic group
Computing e from d
• Using the Extended Euclidian Algorithm– We find e such that e*d ≡ 1 (modФ(n))
Theorem
The following theorem from Euler and Fermat will be useful
MФ(n) ≡ 1 (mod n)
“since d is relatively prime to Ф(n), it has a multiplicative inverse e in the ring of integers modulo Ф(n)”
e*d ≡ 1 (mod Ф(n))
MФ(n) ≡ 1 (mod n)
(Me)d = Med = MkФ(n) +1
= MkФ(n) * M1
= (MФ(n))k * M≡ 1K * M
= M
ALL about M
• Choosing how to represent your message M is very important.
• One method (ASCII)
• hello world 1101000 1100101 1101100 1101100 1101111 0100000 1110111 1101111 1110010 1101100 1100100
• m < n
Computing Me mod n• Represent e as a binary number
• ekek-1…e1e0 = 5 = 101
C = 1
For(i=k, i>=0; i--){
C = (C*C) mod n
if(ei = 1)
C = (C * M) mod n
}
• At most 2*log2(e) + 2*log2(e)
Primarily Testing
• How to find a really big prime– Randomly generate a large odd number b of
the size you want– Use Solovay and Strassen’s probabilistic
algorithm• Select some number a from {0, …, b-1}• gcd(a,b) = 1 and J(a,b) = a(b-1)/2
– If false b is composite. – If true b is prime with a probability of at least ½
Factoring
• Factoring (n) • Computing (Ф(n))• Computing d
Faster Computers?Pick a bigger prime.
“RSA Laboratories currently recommends key sizes of 1024 bits for corporate use and 2048 bits for extremely valuable keys like the root key pair used by a certifying authority. Several recent standards specify a 1024-bit minimum for corporate use. Less valuable information may well be encrypted using a
768-bit key”
“512-bit number RSA-155 was factored in seven months during 1999 ”
Known Weaknesses
• d<N.5 Lattice Attack
• Low public exponent (Coppersmith)
• Broadcast Attack (Hastad)
• Related message Attack (Franklin-Reiter)
Provable
• Is RSA provably secure?
Physical Security
• Don’t let anyone copy your key or your primes
