RSA: Understanding Public Key Cryptosystems and the RSA Algorithm - Prof. Krzysztof Gaj, Study notes of Cryptography and System Security

An in-depth exploration of rsa, a public key cryptosystem used for secure data transmission. Topics include the rsa algorithm's genesis, operation, and security, the concept of a trap-door one-way function, and the differences between professional and amateur approaches to designing ciphers. The document also includes the original rsa challenge and discussions on euler's totient function and euler's theorem.

Typology: Study notes

Pre 2010

Uploaded on 02/10/2009

koofers-user-koh-1
koofers-user-koh-1 🇺🇸

8 documents

1 / 20

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
1
RSA Genesis, operation &
security
ECE 646 - Lecture 9
Public Key (Asymmetric) Cryptosystems
Public key of Bob - KBPrivate key of Bob - kB
Alice Bob
Network
Encryption Decryption
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14

Partial preview of the text

Download RSA: Understanding Public Key Cryptosystems and the RSA Algorithm - Prof. Krzysztof Gaj and more Study notes Cryptography and System Security in PDF only on Docsity!

RSA – Genesis, operation &

security

ECE 646 - Lecture 9

Public Key (Asymmetric) Cryptosystems

Public key of Bob - KB Private key of Bob -^ kB

Alice Bob

Network

Encryption Decryption

Trap-door one-way function

X f(X) Y

f-1(Y)

Whitfield Diffie and Martin Hellman

“ New directions in cryptography ,” 1976

PUBLIC KEY

PRIVATE KEY

Professional (NSA) vs. amateur (academic) approach to designing ciphers

1. Know how to break Russian

ciphers

2. Use only well-established

proven methods

3. Hire 50,000 mathematicians

4. Cooperate with an industry

giant

5. Keep as much as possible

secret

1. Know nothing about

cryptology

2. Think of revolutionary

ideas

3. Go for skiing

4. Publish in “Scientific

American”

5. Offer a $100 award for

breaking the cipher

RSA keys

PUBLIC KEY PRIVATE KEY

{ e, N } (^) { d, P, Q }

N = P ⋅ Q

e ⋅ d ≡ 1 mod ((P-1)(Q-1))

P, Q - large prime numbers

Why does RSA work? (1)

M’ = Cd^ mod N = (Me^ mod N)d^ mod N = M

decrypted

message

original

message

e ⋅ d ≡ 1 mod ((P-1)(Q-1))

e ⋅ d ≡ 1 mod ϕ(N)

Euler’s totient

function

Euler’s totient (phi) function (1)

M (N) - number of integers in the range from 1 to N-

that are relatively prime with N

Special cases:

1. P is prime

Relatively prime with P: 1, 2, 3, …, P-

2. N = P ⋅ Q P, Q are prime

ϕ(N) = (P-1) ⋅(Q-1)

Relatively prime with N: {1, 2, 3, …, P⋅Q-1} – {P, 2P, 3P, …, (Q-1)P}

  • {Q, 2Q, 3Q, …, (P-1)Q}

ϕ(P) = P-

Euler’s totient (phi) function (2)

Special cases:

3. N = P^2 P is prime

ϕ(N) = P ⋅(P-1)

Relatively prime with N: {1, 2, 3, … , P^2 -1} – {P, 2P, 3P, … , (P-1)P}

In general

If N = P 1 e1⋅ P 2 e2^ ⋅ P 3 e3^ ⋅ … ⋅ Ptet

ϕ(N) = ∏ Piei-1^ ⋅ (Pi-1) i=

t

Euler’s Theorem - Justification (2)

For N=10 For arbitrary N

R = S R = S

x 1 ⋅x 2 ⋅x 3 ⋅x 4 ≡ (a⋅x 1 )⋅ (a⋅x 2 )⋅(a⋅x 3 )⋅(a⋅x 4 ) mod N

x 1 ⋅x 2 ⋅x 3 ⋅x 4 ≡ a^4 ⋅ x 1 ⋅x 2 ⋅x 3 ⋅x 4 mod N

a^4 ≡ 1 (mod N)

∏ i=

ϕ(N) xi ≡^ ∏ i=

ϕ(N) a ⋅ xi (mod N)

∏ i=

ϕ(N) xi ≡^ aϕ(N)^ ⋅^ ∏ i=

ϕ(N) xi (mod N)

a ϕ(N)^ ≡ 1 (mod N)

Why does RSA work? (2)

M’ = Cd^ mod N = (Me^ mod N)d^ mod N =

= Me^ ⋅d^ mod N =

= M1+k⋅ϕ(N)^ mod N = M ⋅ (Mϕ(N))k^ mod N =

= M ⋅ (Mϕ(N)^ mod N)k^ mod N =

= M ⋅ 1 k^ mod N = M

e ⋅ d ≡ 1 mod ϕ(N) e ⋅ d = 1 + k⋅ϕ(N)

Rivest estimation - 1977

The best known algorithm for factoring a 129-digit number requires:

40 000 trilion years = 40 · 10^15 years

assuming the use of a supercomputer being able to perform

1 multiplication of 129 decimal digit numbers in 1 ns

Rivest’s assumption translates to the delay of a single logic gate ≈ 10 ps

Estimated age of the universe: 100 bln years = 10^11 years

Early records in factoring large numbers

Years

Number of decimal digits

Number of bits

Required computational power (in MIPS-years)

1974

1984

1991

1992

1993

45

71

100

110

120

149

235

332

365

398

7

75

830

Breaking RSA-

When: August 1993 - 1 April 1994, 8 months

Who: D. Atkins, M. Graff, A. K. Lenstra, P. Leyland

+ 600 volunteers from the entire world

How: 1600 computers

from Cray C90, through 16 MHz PC, to fax machines

Only 0.03% computational power of the Internet

Results of cryptanalysis:

“The magic words are squeamish ossifrage”

An award of 100 $ donated to Free Software Foundation

Elements affecting the progress

in factoring large numbers

  • computational power
  • computer networks

x better algorithms

1977-1993 increase of about 1500 times

Internet

Factoring methods

General purpose Special purpose

QS - Quadratic Sieve

GNFS - General Number Field Sieve

ECM - Elliptic Curve Method

Time of factoring depends only on the size of N

Time of factoring is much shorter if N or factors of N are of the special form

Pollard’ s p-1 method

Cyclotomic polynomial method

SNFS - Special Number Field Sieve

Continued Fraction Method (historical)

Running time of factoring algorithms

Lq[α, c] = exp ((c+ o (1))·(ln q)α·(ln ln q)1-^ α)

For D = Lq[0, c] = (ln q)(c+o(1))

Algorithm polynomial as a function of the number of bits of q

For D = Lq[1, c] = exp((c+ o (1))·(ln q))

Algorithm exponential as a function of the number of bits of q

For 0 < D < 1 Algorithm^ subexponential as a function of the number of bits of q

f (n) = o (1) if for any positive constant c >0 there exist a constant n 0 >0, such that 0 ≤ f (n) < c, for all n ≥ n 0

Factoring 512-bit number

512 bits = 155 decimal digits

old standard for key sizes in RSA

17 March - 22 August 1999

168 workstations SGI and Sun, 175-400 MHz

First stage

Second stage

Cray C916 - 10 days, 2.3 GB RAM

Group of Herman te Riele

Centre for Mathematics and Computer Science

(CWI), Amsterdam

120 Pentium PC, 300-450 MHz, 64 MB RAM

4 stations Digital/Compaq, 500 MHz

2 months

TWINKLE

“The Weizmann INstitute Key Locating Engine”

Adi Shamir , Eurocrypt, May 1999

CHES, August 1999

Electrooptical device capable to speed-up

the first phase of factorization from 100 to 1000 times

If ever built it would increase the size of the key

that can be broken from 100 to 200 bits

Cost of the device (assuming that the prototype was

earlier built) - $

Recommended key sizes for RSA

Old standard:

New standard:

Individual users

Individual users

Organizations (short term)

Organizations (long term)

512 bits (155 decimal digits)

768 bits (231 decimal digits)

1024 bits (308 decimal digits)

2048 bits (616 decimal digits)

Keylengths in public key cryptosystems that provide the same level of security as AES and other secret-key ciphers

Arjen K. Lenstra, Eric R. Verheul

Selecting Cryptographic Key Sizes

Journal of Cryptology

Arjen K. Lenstra „Unbelievable Security: Matching AES Security Using Public Key Systems ASIACRYPT’ 2001

DES

3 DES (2K)

3 DES (3K)

AES-

AES-

AES-

year

Keylengths in RSA providing the same level of security as selected secret-key cryptosystems

March 2002, Financial Cryptography Conference

Nicko van Someren, CTO nCipher Inc. announced that his company developed software capable of breaking 512-bit RSA key within 6 weeks using computers available in a single office

Practical progress in factorization

Bernstein’s Machine (1)

Fall 2001

Daniel Bernstein , professor of mathematics

at University of Illinois in Chicago

submits a grant application to NSF

and publishes fragments of this application

as an article on the web

D. Bernstein, Circuits for Integer Factorization: A Proposal

http://cr.yp.to/papers.html#nfscircuit

March 2002

  • Bernstein’ s article “ discovered” during

Financial Cryptography Conference

  • Informal panel devoted to analysis of consequences

of the Bernstein’ s discovery

  • Nicko Van Someren (nCipher) estimates that machine

costing $ 1 bilion is able to break 1024-bit RSA within several minuts

Bernstein’s Machine (2)

Arjen Lenstra, Citibank & U. Eindhoven:

„… I have no idea what is this all fuss about...”

Bruce Schneier, Counterpane:

Carl Pomerance, Bell Labs:

„… fresh and fascinating idea...”

„ ... enormous improvements claimed are more a result

of redefining efficiency than anything else...”

Bernstein’s Machine (5)

RSA keylength that can be broken using Bernstein’s machine

Computational cost = time [days] * memory [$]

RSA key lengths that can be broken using classical computers

3

infinity

$ 1 bln1 day $ 1000 bln1 day**

Bernstein’s Machine (6)

RSA Challange

Lentgh of N

in bits

Length of N

in decimal digits

Award for

factorization

Estimation of RSA Security Inc. regarding

the number and memory of PCs

necessary to break RSA-

Attack time: 1 year

Single machine: PC, 500 MHz, 170 GB RAM

Number of machines: 342,000,