
Chapter 8

RSA
1. Most popular public-key cryptosystem.
2. Invented by Rivest/Shamir/Adleman in 1977 at MIT.
3. Patented until 2000.

8.1 Cryptosystem
Set-up Stage
1. Choose two large primes $p$ and $q$.

2. Compute $n = p \cdot q$.

3. Compute $\Phi(n) = (p - 1)(q - 1)$.

4. Choose random $b$; $0 < b < \Phi(n)$, with $\gcd(b, \Phi(n)) = 1$.

Note that $b$ has an inverse in $Z_{\Phi(n)}$.

5. Compute inverse $a = b^{-1} \bmod \Phi(n)$:

$b \cdot a \equiv 1 \bmod \Phi(n)$.

6. Public key: $k_{pub} = (n, b)$.

Private key: $k_{pr} = (p, q, a)$.

Encryption: done using public key, $k_{pub}$.

$y = e_{k_{pub}}(x) = x^b \bmod n$.

$x \in Z_n = \{0, 1, \ldots, n - 1\}$.

Decryption: done using private key, $k_{pr}$.

$x = d_{k_{pr}}(y) = y^a \bmod n$.

Example:
Alice sends encrypted message ($x = 4$) to Bob after Bob sends her the public key.

| Alice | Bob |
|---|---|
| | (1) choose $p = 3$; $q = 11$ |
| | (2) $n = p \cdot q = 33$ |
| | (3) $\Phi(n) = (3 - 1)(11 - 1) = 2 \cdot 10 = 20$ |
| | (4) choose $b = 3$; $\gcd(20, 3) = 1$ |
| $x = 4$ | $\leftarrow k_{pub} = (3, 33)$ |
| | (5) $a = b^{-1} = 7 \bmod 20$ |
| $y = x^b \bmod n = 4^3 = 64 \equiv 31 \bmod 33$ | |
| $y = 31 \rightarrow$ | $x = y^a = 31^7 \equiv 4 \bmod 33$ |

Why does RSA work?

We have to show that: $d_{k_{pr}}(y) = d_{k_{pr}}(e_{k_{pub}}(x)) = x$.

$d_{k_{pr}}(y) = y^a = x^{ba} = x^{ab} \bmod n$.

$a \cdot b \equiv 1 \bmod \Phi(n) \iff a \cdot b = 1 + t \cdot \Phi(n)$; $t$ is an integer.

$d_{k_{pr}} = x^{ab} = x^{t \cdot \Phi(n)} \cdot x^1 = (x^{\Phi(n)})^t \cdot x \bmod n$.

if $x^{\Phi(n)} \equiv 1 \bmod n$ then $d_{k_{pr}} = (x^{\Phi(n)})^t \cdot x = 1^t \cdot x = 1 \cdot x = x \bmod n$.

1. Case: $\gcd(x, n) = \gcd(x, p \cdot q) = 1$

Euler's Theorem: $x^{\Phi(n)} \equiv 1 \bmod n$, q.e.d.

2. Case: $\gcd(x, n) = \gcd(x, p \cdot q) \neq 1$

either $x = r \cdot p$ or $x = s \cdot q$; $r, s$ are integers such that $r < q$, $s < p$.

assume $x = r \cdot p \Rightarrow \gcd(x, q) = 1$

$x^{\Phi(n)} = x^{(q-1)(p-1)} = x^{\Phi(q)(p-1)} = (x^{\Phi(q)})^{p-1} = 1 \bmod q$

$x^{\Phi(n)} = 1 + c \cdot q$; where $c$ is an integer

$x \cdot x^{\Phi(n)} = x + x \cdot c \cdot q = x + r \cdot p \cdot c \cdot q = x + r \cdot c \cdot p \cdot q = x + r \cdot c \cdot n$

$x \cdot x^{\Phi(n)} \equiv x \bmod n$

$x^{\Phi(n)} \equiv 1 \bmod n$, q.e.d.

8.2 Computational Aspects


8.2.1 Choosing p and q

Problem: Finding two large primes $p$, $q$ (each $> 250$ bits).

Principle:
Pick a large integer and apply a primality test. In practice, a "Monte Carlo" test
developed by Miller-Rabin (pg. 136 in [Sti95]) is used. Note that a primality
test does NOT require factorization.

Miller-Rabin Algorithm:
Input: $p$ or $q$ and arbitrary number $r < p, q$.

Output 1: Statement "$p, q$ is composite" → always true.

Output 2: Statement "$p, q$ is prime" → true with probability $> 0.75$.

In practice, the above algorithm is run 3 times (for a 1000 bit prime) and up to 12 times (for
a 150 bit prime) [AM97, Table 4.4 page 148] with different parameters $r$. If the answer is
always "$p$ is prime", then $p$ is with very high probability a prime.

$P(p \text{ is composite}) \le 0.25^t$ where $t$ = number of tries.

Question: What is the likelihood that a randomly picked integer $p$ or $q$ is prime?

Answer: $P(p \text{ is prime}) \approx \frac{1}{\ln(p)}$.

Example: $p \approx 2^{250}$ (250 bits).

$P(p \text{ is prime}) = \frac{1}{\ln(2^{250})} \approx \frac{1}{173}$.
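The test-and-retry procedure above, written out as an added Python example (not code from the original notes). The function names, the small-prime pre-check and the choice to test only odd candidates are assumptions of this sketch.

```python
import secrets

_SYSTEM_RNG = secrets.SystemRandom()  # OS randomness; tests may pass a seeded RNG

def miller_rabin_round(p, r):
    """One round for odd p > 3 and base r with 1 < r < p - 1.
    False: p is certainly composite. True: p is 'probably prime'."""
    k, m = 0, p - 1
    while m % 2 == 0:              # write p - 1 = 2^k * m with m odd
        k, m = k + 1, m // 2
    z = pow(r, m, p)
    if z == 1 or z == p - 1:
        return True
    for _ in range(k - 1):
        z = pow(z, 2, p)
        if z == p - 1:
            return True
    return False

def is_probable_prime(p, t=12, rng=_SYSTEM_RNG):
    """t rounds with different random r; P(composite passes) <= 0.25**t."""
    if p < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if p % small == 0:
            return p == small
    return all(miller_rabin_round(p, rng.randrange(2, p - 1)) for _ in range(t))

def find_prime(bits, t=12, rng=_SYSTEM_RNG):
    """Draw random odd integers with the top bit set until one passes.
    Returns (prime, candidates_tested); since only odd numbers are drawn,
    about ln(2**bits) / 2 candidates are expected."""
    tested = 0
    while True:
        tested += 1
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, t, rng):
            return cand, tested
```

The composite 2047 = 23 * 89 passes a single round with r = 2 but fails with r = 3, which is why the rounds use different parameters r.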

8.2.2 Choosing a and b

$k_{pub} = b$; condition: $\gcd(b, \Phi(n)) = 1$; where $\Phi(n) = (p - 1) \cdot (q - 1)$.

$k_{pr} = a$; where $a = b^{-1} \bmod \Phi(n)$.

Pick arbitrary (large!) $b$ and compute:

1. Euclidean Algorithm: $s \cdot \Phi(n) + t \cdot b = \gcd(b, \Phi(n))$

2. Test if $\gcd(b, \Phi(n)) = 1$

3. Calculate $a$:

Question: What is $t \cdot b \bmod \Phi(n)$?

$t \cdot b = (-s) \Phi(n) + 1$

$\Rightarrow t \cdot b \equiv 1 \bmod \Phi(n)$

$\Rightarrow t = b^{-1} = a \bmod \Phi(n)$

Remark:
It is not necessary to find $s$ for the computation of $a$.
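The key set-up of Section 8.1 with the inverse computed as in the remark above, as an added Python example (not code from the original notes). The function names are assumptions of this sketch; the toy key $p = 3$, $q = 11$, $b = 3$ is the one from the Alice/Bob example, and the round-trip check covers every $x \in Z_n$, including those with $\gcd(x, n) \neq 1$.

```python
from math import gcd

def inverse_mod(b, phi):
    """a = b^-1 mod phi via the Euclidean algorithm, tracking only t
    (the coefficient of b); the coefficient s of phi is never computed."""
    r0, r1 = phi, b
    t0, t1 = 0, 1
    while r1 != 0:
        quot = r0 // r1
        r0, r1 = r1, r0 - quot * r1
        t0, t1 = t1, t0 - quot * t1
    if r0 != 1:                       # step 2: gcd(b, phi) must be 1
        raise ValueError("gcd(b, phi) != 1, b has no inverse")
    return t0 % phi

def rsa_setup(p, q, b):
    """Return (k_pub, k_pr) = ((n, b), (p, q, a)) as in the set-up stage."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, b), (p, q, inverse_mod(b, phi))

def encrypt(k_pub, x):
    n, b = k_pub
    return pow(x, b, n)

def decrypt(k_pr, y):
    p, q, a = k_pr
    return pow(y, a, p * q)

def roundtrip_failures(k_pub, k_pr):
    """Every x in Z_n with d(e(x)) != x (expected: none)."""
    return [x for x in range(k_pub[0])
            if decrypt(k_pr, encrypt(k_pub, x)) != x]

def shared_factor_plaintexts(n):
    """The x in Z_n with gcd(x, n) != 1, i.e. case 2 of the proof."""
    return [x for x in range(n) if gcd(x, n) != 1]

if __name__ == "__main__":
    k_pub, k_pr = rsa_setup(3, 11, 3)
    print(k_pub, k_pr, encrypt(k_pub, 4), roundtrip_failures(k_pub, k_pr))
```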

8.2.3 Encryption/Decryption

encryption: $e_{k_{pub}}(x) = x^b \bmod n = y$.

decryption: $d_{k_{pr}}(y) = y^a \bmod n = x$.

Question: How many multiplications are required for computing $x^8$?

Answer: $\underbrace{x \cdot x = x^2}_{1}$; $\underbrace{x^2 \cdot x^2 = x^4}_{2}$; $\underbrace{x^4 \cdot x^4 = x^8}_{3}$.

if $0 < b < \Phi(n)$ then $O(\Phi(n)) \approx O(n)$.

Question: How many multiplications are required for computing $x^{13}$?

Answer: $\underbrace{x \cdot x = x^2}_{SQ}$; $\underbrace{x^2 \cdot x = x^3}_{MUL}$; $\underbrace{x^3 \cdot x^3 = x^6}_{SQ}$; $\underbrace{x^6 \cdot x^6 = x^{12}}_{SQ}$; $\underbrace{x^{12} \cdot x = x^{13}}_{MUL}$.

Square-and-multiply algorithm
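First: binary representation of the exponent → $x^B$; $B \le 15$

$B = b_3 \cdot 2^3 + b_2 \cdot 2^2 + b_1 \cdot 2^1 + b_0$

$B = (b_3 \cdot 2 + b_2) 2^2 + b_1 \cdot 2 + b_0 = ((b_3 \cdot 2 + b_2) 2 + b_1) 2 + b_0$

$x^B = x^{((b_3 \cdot 2 + b_2) 2 + b_1) 2 + b_0}$

| Step | $x^B$ |
|---|---|
| #1 | $x^{b_3 \cdot 2}$ |
| #2 | $x^{b_3 \cdot 2} \cdot x^{b_2}$ |
| #3 | $(x^{b_3 \cdot 2} \cdot x^{b_2})^2$ |
| #4 | $(x^{b_3 \cdot 2} \cdot x^{b_2})^2 \cdot x^{b_1}$ |
| #5 | $((x^{b_3 \cdot 2} \cdot x^{b_2})^2 \cdot x^{b_1})^2$ |
| #6 | $((x^{b_3 \cdot 2} \cdot x^{b_2})^2 \cdot x^{b_1})^2 \cdot x^{b_0}$ |

Example: $x^{13} = x^{1101_2} = x^{(b_3, b_2, b_1, b_0)_2}$

| Step | Computation | Operation |
|---|---|---|
| #1 | $x^{b_3 \cdot 2} = x^2$ | SQ |
| #2 | $x^2 \cdot x^{b_2} = x^2 \cdot x = x^3$ | MUL |
| #3 | $(x^3)^2 = x^6$ | SQ |
| #4 | $x^6 \cdot x^0 = x^6 \cdot 1 = x^6$ | |
| #5 | $(x^6)^2 = x^{12}$ | SQ |
| #6 | $x^{12} \cdot x^{b_0} = x^{12} \cdot x = x^{13}$ | MUL |

Complexity: $[\log_2 n] \cdot$ SQ $+ [\frac{1}{2} \log_2 n] \cdot$ MUL.

Comparison: $B = 2^{1000}$

Straightforward exponentiation: $2^{1000} \approx 10^{300}$ multiplications
→ computationally impossible.

Square-and-multiply: $1.5 \cdot \log_2(2^{1000}) = 1500$ multiplications and squarings
→ relatively easy.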

Remark: Remember to apply modulo reduction after every multiplication and squaring
operation.
Algorithm [Sti95]: computes $x^B$, where $B = \sum_{i=0}^{l-1} b_i 2^i$

1. $z = x$

2. for $i = l - 2$ downto 0 do:

(a) $z = z^2 \bmod n$

(b) if ($b_i = 1$) then $z = z \cdot x \bmod n$
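The algorithm above as an added Python example (not code from the original notes), with a log of the SQ and MUL operations so the $x^{13}$ trace and the complexity estimate can be checked. The function names and the handling of $B = 0$ are assumptions of this sketch.

```python
def square_and_multiply(x, B, n):
    """Compute x^B mod n, scanning the bits of B from b_{l-2} down to b_0.
    Returns (result, ops) where ops lists 'SQ' and 'MUL' in execution order."""
    if B < 0:
        raise ValueError("exponent must be non-negative")
    if B == 0:
        return 1 % n, []
    ops = []
    z = x % n                          # z = x covers the leading bit b_{l-1} = 1
    for i in range(B.bit_length() - 2, -1, -1):
        z = (z * z) % n                # reduce after every squaring
        ops.append("SQ")
        if (B >> i) & 1:
            z = (z * x) % n            # reduce after every multiplication
            ops.append("MUL")
    return z, ops

def op_counts(B):
    """(squarings, multiplications) predicted from the bits of B >= 1:
    one SQ per bit below the top bit, one MUL per 1-bit below the top bit."""
    return B.bit_length() - 1, bin(B).count("1") - 1

if __name__ == "__main__":
    result, ops = square_and_multiply(31, 7, 33)   # Bob's decryption, toy key
    print(result, ops)
    print(square_and_multiply(5, 13, 33)[1])       # trace for exponent 13
```

The operation sequence mirrors the bits of the exponent, so implementations that handle a private exponent use constant-time variants instead of this data-dependent branch.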

8.3 Attacks
8.3.1 Brute Force

Given $y = x^b \bmod n$, try all possible keys $a$; $0 \le a < \Phi(n)$ to obtain $x = y^a \bmod n$. In
practice $|K| = \Phi(n) \approx n > 2^{500}$ ⇒ impossible.

8.3.2 Finding $\Phi(n)$


Given $n, b, y = x^b \bmod n$, find $\Phi(n)$ and compute $a = b^{-1} \bmod \Phi(n)$.

⇒ computing $\Phi(n)$ is believed to be as difficult as factoring $n$.
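One direction of that equivalence can be shown directly: anyone who holds $\Phi(n)$ can factor $n$, which is why $\Phi(n)$ has to be protected like $p$ and $q$. The following is an added Python example (not from the original notes) using the identity $p + q = n - \Phi(n) + 1$; the function names are assumptions of this sketch.

```python
from math import isqrt

def factor_from_phi(n, phi):
    """Recover (p, q), p <= q, from n = p*q and phi = (p-1)(q-1).
    Since phi = n - (p + q) + 1, the sum s = p + q is known, and p, q are
    the roots of z^2 - s*z + n = 0."""
    s = n - phi + 1                    # p + q
    disc = s * s - 4 * n               # equals (q - p)^2 for a consistent phi
    if disc < 0:
        raise ValueError("phi is inconsistent with n")
    root = isqrt(disc)
    if root * root != disc or (s - root) % 2:
        raise ValueError("phi is inconsistent with n")
    return (s - root) // 2, (s + root) // 2

def private_exponent_from_phi(b, phi):
    """a = b^-1 mod phi, as in the attack description (Python 3.8+)."""
    return pow(b, -1, phi)

if __name__ == "__main__":
    # Toy key from the Alice/Bob example: n = 33, phi = 20, b = 3.
    print(factor_from_phi(33, 20), private_exponent_from_phi(3, 20))
```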

8.3.3 Finding a directly

Given $n, b, y = x^b \bmod n$, find $a$ directly and compute $x = y^a \bmod n$.

⇒ computing $a$ directly is believed to be as difficult as factoring $n$.

8.3.4 Factorization of n

Given $n, b, y = x^b \bmod n$, find $p \cdot q = n$ and compute:

$\Phi(n) = (p - 1)(q - 1)$

$a = b^{-1} \bmod \Phi(n)$

$x = y^a \bmod n$

→ This approach is the only attack believed to be practical.

Factoring Algorithms:
1. Quadratic Sieve (QS): speed depends on the size of $n$; record: in 1994 factoring of
$n$ = RSA129, $\log_{10} n = 129$ digits, $\log_2 n = 426$ bits.

2. Elliptic Curve: similar to QS; speed depends on the size of the smallest prime factor
of $n$, i.e., on $p$ and $q$.

3. Number Field Sieve: asymptotically better than QS; record: in 1996 factoring of
$n$ = RSA140; $\log_{10} n = 140$ digits; $\log_2 n = 466$ bits.

| Algorithm | Complexity |
|---|---|
| Quadratic Sieve | $O(e^{(1 + o(1)) \sqrt{\ln(n) \ln(\ln(n))}})$ |
| Elliptic Curve | $O(e^{(1 + o(1)) \sqrt{2 \ln(p) \ln(\ln(p))}})$ |
| Number Field Sieve | $O(e^{(1.92 + o(1)) (\ln(n))^{1/3} (\ln(\ln(n)))^{2/3}})$ |

| number | month | MIPS-years | algorithm |
|---|---|---|---|
| RSA-100 | April 1991 | 7 | quadratic sieve |
| RSA-110 | April 1992 | 75 | quadratic sieve |
| RSA-120 | June 1993 | 830 | quadratic sieve |
| RSA-129 | April 1994 | 5000 | quadratic sieve |
| RSA-130 | April 1996 | 500 | generalized number field sieve |
| RSA-140 | February 1999 | 1500 | generalized number field sieve |
| RSA-155 | August 1999 | 8000 | generalized number field sieve |

8.4 Implementation
- Hardware: 1024 bit decryption in less than 5 ms.
- Software: 1024 bit decryption in 43 ms; 1024 bit encryption in 0.65 ms
- hybrid systems, consisting of public-key and private-key algorithms: most commonly
used in practice
1. key exchange and authentication with (slow) public-key algorithm
2. bulk data encryption with (fast) block ciphers
