Public Key Cryptography and RSA
• Major topics
– Principles of public key cryptosystems
– The RSA algorithm
– The Security of RSA
• Motivations
– A public key system is asymmetric; there does not have to be an exchange of private keys before communicating
– A public key system does not make a symmetric system obsolete; in fact it can be used to exchange private keys
– Key distribution remains an important issue
– Number theory forms the mathematical foundation of public key cryptography
Primary Needs
• Generate two keys
– A public key that can be accessed by anyone
– A private key that is kept secret
• Two primary needs
– Be able to send messages securely to a recipient with no knowledge of a shared secret key
– Be able to verify a message actually came from a particular person; this is called authentication
• Uses of a public key system
– Encryption/decryption of messages
– Digital signatures
– Key exchange for using symmetric encryption
Encryption/Decryption
Authentication
Requirements for a Public Key System
1. Party B can easily generate a pair of keys: public key $KU_b$ and private key $KR_b$
2. Sender A can access public key $KU_b$ and can encrypt message M: $C = E_{KU_b}(M)$
3. Receiver B can easily decrypt the message: $M = D_{KR_b}(C) = D_{KR_b}(E_{KU_b}(M))$
4. It is computationally infeasible for someone intercepting message C and knowing public key $KU_b$ to determine private key $KR_b$
5. It is computationally infeasible for someone intercepting message C and knowing public key $KU_b$ to recover message M
6. The encryption and decryption functions can be applied in any order: $M = D_{KR_b}(E_{KU_b}(M)) = E_{KU_b}(D_{KR_b}(M))$. This makes digital signatures possible
Public Key Secrecy
Public Key Authentication
Public Key Algorithms
• Approaches to public key cryptography
– We first cover RSA, perhaps the best known and most widely used approach
– In chapter 10 we cover elliptic curve methods, which are growing in popularity
– In the same chapter we cover Diffie-Hellman for the exchange of secret keys
– DSS (Digital Signature Standard) is covered in chapter 13
Conventional and Public Key Encryption
The RSA Algorithm
A Sample Calculation
1. Select two primes, p = 17 and q = 11
2. Calculate n = pq = 17 * 11 = 187
3. Calculate φ(n) = (p – 1)(q – 1) = 160
4. Select e < φ(n) and relatively prime to φ(n); we use e = 7
5. Determine d so that de ≡ 1 mod φ(n); in other words, d and e are multiplicative inverses
Group Work
• Consider the prime numbers p = 11, q = 29.
– What is n?
– What is φ(n)?
– Suppose we select e = 3, what is d?
– Suppose we want to encrypt the message M = 100 using the public key (3, 319), what is the resultant value for the cipher text C?
– What is the formula to decrypt C using the private key (187, 319)?
• It is clear we need to find an easy way to solve this modular exponentiation problem
Group Work
• Suppose ciphertext C = 10 is sent to a user with public key e = 5 and n = 35. How could you decode this ciphertext? What is the decoding?
Fast Modular Exponentiation
• The algorithm for computing $a^b \bmod n$
• $b_i$ is the ith bit of b when b is written in binary
• These bits are processed from the most significant bit to the least significant bit
A Sample Calculation
• We want to solve $7^{560} \bmod 561$
• a = 7, b = 560, n = 561
• In binary b is 1000110000
• So the result is $7^{560} \bmod 561 = 1$
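One way to write the bit-scanning algorithm described on the two slides above, as an added example rather than the slides' own listing. The function name, the `trace` parameter and the choice of i = 0 for the least significant bit are assumptions made for this example; the variables c and d follow the names used in the slides' tables.

```python
def modular_exponentiation(a, b, n, trace=None):
    """Compute a**b mod n by scanning the bits of b from most to least significant.

    c tracks the exponent built so far, and d == a**c mod n after each bit.
    If trace is a list, one row (i, b_i, c, d) is appended per bit, with i = 0
    for the least significant bit (an indexing choice made for this example).
    """
    if b < 0 or n < 1:
        raise ValueError("need b >= 0 and n >= 1")
    c, d = 0, 1 % n
    for i in range(b.bit_length() - 1, -1, -1):
        bit = (b >> i) & 1
        c, d = 2 * c, (d * d) % n          # always square: the exponent doubles
        if bit:
            c, d = c + 1, (d * a) % n      # extra multiply only when b_i = 1
        if trace is not None:
            trace.append((i, bit, c, d))
    return d

if __name__ == "__main__":
    rows = []
    result = modular_exponentiation(7, 560, 561, rows)
    for row in rows:                       # one line per bit of b = 1000110000
        print("i=%d b_i=%d c=%d d=%d" % row)
    print("7^560 mod 561 =", result)
```

The multiply in the `if bit:` branch runs only for 1 bits of the exponent, which is the data-dependent step the later timing-attack slides refer to.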
Group Work
• We now can decode the message from our prior example (hint: the result should be 100)
• Find $a^b \pmod n$ when a = 254, b = 187, and n = 319 by completing the following table

i     8    7  6  5  4  3  2  1
b_i   1    0  1  1  1  0  1  1
c     1
d     254

• Did you get 100?
How Secure is RSA?
• Algorithms Used to Break RSA
– Pollard’s Rho, a probabilistic approach
– Sieve techniques
– Successful efforts
– Choice of values
• Timing Attacks and “Fixes”
– Constant exponentiation time
– Random delay
– Blinding
How Easy is it to Factor p*q?
• The problems
– It is easy to find two large primes p and q, so in the public key algorithm we set n = p*q
– The encryption can be broken if n can be factored
• Some techniques for finding factors
– Pollard Rho and Pollard p-1
– General number field sieve
– Special number field sieve
• We will only look at Pollard Rho in detail
• We will use the Chinese Remainder Theorem
Pollard’s rho heuristic
• neither the running time nor success is guaranteed
• any divisor it finds will be correct, but it may never report any results
• in practice, it is one of the most effective means of factorization currently known
• it will print the factor p after approximately √p iterations; thus it finds small factors quickly
Pollard’s rho heuristic
• The while loop searches indefinitely for factors, generating a new $x_i$ each time
• Lines 1-4 are for initialization
• The $x_i$ values saved in y are when i = 1, 2, 4, 8, 16, …
• d is the gcd of $y - x_i$ and n; if it is nontrivial then it is printed as a factor of n
• If n is composite, we expect to find enough divisors to factor n after approximately $n^{1/4}$ updates
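The loop described in the bullets above, as an added example and not the slides' own pseudocode. It assumes the recurrence $x_{i+1} = (x_i^2 - 1) \bmod n$ and start value 2, which reproduce the n = 1387 values quoted on the rho-diagram slide; unlike the indefinite loop described, it stops at the first nontrivial factor or after an assumed `max_iter` bound.

```python
from math import gcd

def pollard_rho(n, x1=2, max_iter=100_000):
    """Return (factor, x_i, i) for the first nontrivial divisor found, else None.

    Assumed recurrence: x_{i+1} = (x_i**2 - 1) mod n, starting from x1.
    y holds the x_i saved at i = 1, 2, 4, 8, ... as on the slide.
    """
    i, x, y, k = 1, x1, x1, 2
    while i < max_iter:
        i += 1
        x = (x * x - 1) % n
        d = gcd(y - x, n)          # math.gcd ignores the sign of y - x
        if d != 1 and d != n:
            return d, x, i         # nontrivial divisor of n
        if i == k:                 # save x_i at i = 2, 4, 8, ... and double k
            y, k = x, 2 * k
    return None                    # no guarantee of success, e.g. when n is prime

if __name__ == "__main__":
    factor, x_i, i = pollard_rho(1387)
    print("n = 1387: factor", factor, "found at x_%d = %d" % (i, x_i))
    print("cofactor:", 1387 // factor)
    # The toy RSA modulus from the earlier group work falls just as quickly.
    print("n = 319:", pollard_rho(319))
```

Once n is factored, φ(n) and therefore d follow directly, which is why the later slides on key size and the choice of p and q matter.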
The rho diagrams - 1
The rho diagrams - 2
• (a) is generated by the $x_i$ starting at 2 for n = 1387
• The factor 19 (since 1387 = 19 * 73) is discovered when the $x_i$ is 177; this is before the value 1186 is repeated
• (b) shows the recurrence for mod 19; every $x_i$ in part (a) is equivalent to the $x_i'$ mod 19
• (c) shows the recurrence for mod 73; again every $x_i$ in part (a) is equivalent to the $x_i''$ mod 73
• By the Chinese remainder theorem, each node in (a) corresponds to a pair of nodes in (b) and (c)
Group Work
• Keep tracing the rho diagrams and find out when the factor 73 is discovered
The Sieve Approaches
• Sieve techniques have become increasingly effective
– The generalized number field sieve (GNFS) has replaced quadratic sieve as being most effective
– An even faster approach, specialized number field sieve (SNFS), works for some numbers (see next slide)
• Computers will keep getting faster and factoring techniques will keep improving, but keys of size 1024 through 2048 seem to be adequate for the future
Performance Comparison
Choice of p and q
• Ways to avoid values for n that can be more easily factored
– The length of p and q should differ by only a few digits
– Both (p – 1) and (q – 1) should contain a large prime factor
– gcd(p – 1, q – 1) should be small
– If e < n and d < $n^{1/4}$ then it is easy to determine d
What is a Timing Attack?
• The timing of the modular exponentiation algorithm is critical
– If the $b_i$ is set, then the assignment $d \leftarrow (d \times a) \bmod n$ is performed; for some known values of a and d this can be very slow, thus revealing a 1 bit
– Countermeasures attempt to hide these extreme time differences
• Some countermeasures
– Ensure all exponentiations take the same time (but this does degrade performance)
– Add a random delay time; this noise must be large enough to confuse the attacking algorithm
Use of Blinding
• Multiply by a random number before performing exponentiation; this prevents bit-by-bit analysis
• Here is RSA’s approach using blinding
1. Generate a random r between 0 and n-1
2. Compute $C' = C(r^e) \bmod n$
3. Compute $M' = (C')^d \bmod n$
4. Compute $M = M' r^{-1}$ where $r^{-1}$ is the multiplicative inverse of r mod n
• This only introduces a 2% to 10% penalty
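The four blinding steps above applied to the toy key from the earlier group work (e = 3, d = 187, n = 319), as an added example that is not RSA's or the slides' own code. The function names are assumptions, and the check that r is invertible mod n is an added precondition that step 4 needs; it requires Python 3.8 or later for `pow(r, -1, n)`.

```python
import secrets
from math import gcd

def pick_blinding_factor(n):
    """Step 1: random r in 2..n-1 that has an inverse mod n (added check)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def blind(c, r, e, n):
    """Step 2: C' = C * r^e mod n. This is the value the private exponentiation sees."""
    return (c * pow(r, e, n)) % n

def blinded_decrypt(c, d, e, n, r=None):
    """Steps 1-4: decrypt c without exponentiating the attacker-visible c directly."""
    if r is None:
        r = pick_blinding_factor(n)
    elif gcd(r, n) != 1:
        raise ValueError("r must be invertible mod n")
    c_blind = blind(c, r, e, n)
    m_blind = pow(c_blind, d, n)             # step 3: M' = (C')^d mod n = M * r mod n
    return (m_blind * pow(r, -1, n)) % n     # step 4: strip r with its inverse

if __name__ == "__main__":
    E, D, N = 3, 187, 319                    # toy key from the group work slide
    C = 254                                  # ciphertext of M = 100 under (3, 319)
    for _ in range(3):
        r = pick_blinding_factor(N)
        print("r =", r, "C' =", blind(C, r, E, N),
              "M =", blinded_decrypt(C, D, E, N, r))
```

Each run exponentiates a different C' yet returns the same M, so timing measurements can no longer be correlated with a ciphertext the observer knows.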