RSA – Genesis, operation & security
ECE 646 - Lecture 9

Public Key (Asymmetric) Cryptosystems

[Figure: Alice and Bob connected by a network. Encryption uses the public key of Bob, $K_B$; decryption uses the private key of Bob, $k_B$.]

Trap-door one-way function

[Figure: $X \to f(X)$ using the PUBLIC KEY; $Y \to f^{-1}(Y)$ using the PRIVATE KEY.]

Whitfield Diffie and Martin Hellman, “New directions in cryptography,” 1976

Professional (NSA) vs. amateur (academic) approach to designing ciphers

Professional (NSA):
1. Know how to break Russian ciphers
2. Use only well-established proven methods
3. Hire 50,000 mathematicians
4. Cooperate with an industry giant
5. Keep as much as possible secret

Amateur (academic):
1. Know nothing about cryptology
2. Think of revolutionary ideas
3. Go skiing
4. Publish in “Scientific American”
5. Offer a $100 award for breaking the cipher

Challenge published in Scientific American

Ciphertext:
9686 9613 7546 2206 1477 1409 2225 4355
8829 0575 9991 1245 7431 9874 6951 2093
0816 2982 2514 5708 3569 3147 6622 8839
8962 8013 3919 9055 1829 9451 5781 5145

Public key:
N = 114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541 (129 decimal digits)
e = 9007

Award $100
1977

RSA as a trap-door one-way function

PUBLIC KEY: $M \to C = f(M) = M^e \bmod N$
PRIVATE KEY: $C \to M = f^{-1}(C) = C^d \bmod N$

$N = P \cdot Q$, where P, Q are large prime numbers
$e \cdot d \equiv 1 \pmod{(P-1)(Q-1)}$

RSA keys

PUBLIC KEY: { e, N }
PRIVATE KEY: { d, P, Q }

$N = P \cdot Q$, where P, Q are large prime numbers
$e \cdot d \equiv 1 \pmod{(P-1)(Q-1)}$

Why does RSA work? (1)

Is the decrypted message M’ equal to the original message M?

$M' = C^d \bmod N = (M^e \bmod N)^d \bmod N \stackrel{?}{=} M$

$e \cdot d \equiv 1 \pmod{(P-1)(Q-1)}$
$e \cdot d \equiv 1 \pmod{\varphi(N)}$, where $\varphi$ is Euler’s totient function

Euler’s totient (phi) function (1)

$\varphi(N)$ - number of integers in the range from 1 to N-1 that are relatively prime with N

Special cases:

1. P is prime
   $\varphi(P) = P-1$
   Relatively prime with P: 1, 2, 3, …, P-1

2. $N = P \cdot Q$, where P, Q are prime
   $\varphi(N) = (P-1)(Q-1)$
   Relatively prime with N: $\{1, 2, 3, \ldots, PQ-1\} \setminus \{P, 2P, 3P, \ldots, (Q-1)P\} \setminus \{Q, 2Q, 3Q, \ldots, (P-1)Q\}$

Euler’s totient (phi) function (2)

Special cases:

3. $N = P^2$, where P is prime
   $\varphi(N) = P(P-1)$
   Relatively prime with N: $\{1, 2, 3, \ldots, P^2-1\} \setminus \{P, 2P, 3P, \ldots, (P-1)P\}$

In general:
If $N = P_1^{e_1} P_2^{e_2} P_3^{e_3} \cdots P_t^{e_t}$, then $\varphi(N) = \prod_{i=1}^{t} P_i^{e_i-1}(P_i-1)$

Euler’s Theorem
Leonhard Euler, 1707-1783

For all a such that gcd(a, N) = 1:
$a^{\varphi(N)} \equiv 1 \pmod{N}$

Euler’s Theorem - Justification (1)

For N = 10:
$R = \{1, 3, 7, 9\}$
Let a = 3
$S = \{3 \cdot 1 \bmod 10,\ 3 \cdot 3 \bmod 10,\ 3 \cdot 7 \bmod 10,\ 3 \cdot 9 \bmod 10\} = \{3, 9, 1, 7\}$ = rearranged set R

For arbitrary N:
$R = \{x_1, x_2, \ldots, x_{\varphi(N)}\}$
Let us choose arbitrary a, such that gcd(a, N) = 1
$S = \{a x_1 \bmod N,\ a x_2 \bmod N,\ \ldots,\ a x_{\varphi(N)} \bmod N\}$ = rearranged set R

Euler’s Theorem - Justification (2)

For N = 10:
R = S
$x_1 x_2 x_3 x_4 \equiv (a x_1)(a x_2)(a x_3)(a x_4) \pmod{N}$
$x_1 x_2 x_3 x_4 \equiv a^4 x_1 x_2 x_3 x_4 \pmod{N}$
$a^4 \equiv 1 \pmod{N}$

For arbitrary N:
R = S
$\prod_{i=1}^{\varphi(N)} x_i \equiv \prod_{i=1}^{\varphi(N)} a x_i \pmod{N}$
$\prod_{i=1}^{\varphi(N)} x_i \equiv a^{\varphi(N)} \prod_{i=1}^{\varphi(N)} x_i \pmod{N}$
$a^{\varphi(N)} \equiv 1 \pmod{N}$

Why does RSA work? (2)

$e \cdot d \equiv 1 \pmod{\varphi(N)}$, so $e \cdot d = 1 + k\varphi(N)$

$M' = C^d \bmod N = (M^e \bmod N)^d \bmod N$
$= M^{e d} \bmod N$
$= M^{1+k\varphi(N)} \bmod N = M \cdot (M^{\varphi(N)})^k \bmod N$
$= M \cdot (M^{\varphi(N)} \bmod N)^k \bmod N$
$= M \cdot 1^k \bmod N = M$

Rivest estimation - 1977

The best known algorithm for factoring a 129-digit number requires:
40 000 trillion years = $40 \cdot 10^{15}$ years
assuming the use of a supercomputer being able to perform 1 multiplication of 129 decimal digit numbers in 1 ns.

Rivest’s assumption translates to the delay of a single logic gate of 10 ps.

Estimated age of the universe: 100 bln years = $10^{11}$ years

Lehmer Sieve

[Figure: Bicycle chain sieve [D. H. Lehmer, 1928], Computer Museum, Mountain View, CA]
[Figure: Machine à Congruences [E. O. Carissan, 1919]]

Supercomputer Cray

[Figure: Computer Museum, Mountain View, CA]

Early records in factoring large numbers

Year    Number of decimal digits    Number of bits    Required computational power (in MIPS-years)
1974    45                          149               0.001
1984    71                          235               0.1
1991    100                         332               7
1992    110                         365               75
1993    120                         398               830

How to factor for free?
A. Lenstra & M. Manasse, 1989

- Using the spare time of computers (otherwise unused)
- Program and results sent by e-mail (later using WWW)

Practical implementations of attacks
Factorization, RSA

Year: 1994, 1996, 1998
Number of decimal digits of N: 129, 130, 140
Number of bits of N: 430, 433, 467
Estimated amount of computations: 2000 MIPS-years, 5000 MIPS-years, 750 MIPS-years
Method: QS, GNFS, GNFS

1999: 140 decimal digits, 467 bits, 8000 MIPS-years, GNFS

Breaking RSA-129

When: August 1993 - 1 April 1994, 8 months
Who: D. Atkins, M. Graff, A. K. Lenstra, P. Leyland + 600 volunteers from the entire world
How: 1600 computers, from Cray C90, through 16 MHz PC, to fax machines
Only 0.03% of the computational power of the Internet

Results of cryptanalysis:
“The magic words are squeamish ossifrage”
An award of $100 donated to Free Software Foundation

Elements affecting the progress in factoring large numbers

- computational power: 1977-1993 increase of about 1500 times
- computer networks: Internet
- better algorithms

Factoring methods

General purpose (time of factoring depends only on the size of N):
- QS - Quadratic Sieve
- GNFS - General Number Field Sieve
- Continued Fraction Method (historical)

Special purpose (time of factoring is much shorter if N or factors of N are of the special form):
- ECM - Elliptic Curve Method
- Pollard’s p-1 method
- Cyclotomic polynomial method
- SNFS - Special Number Field Sieve

Running time of factoring algorithms

$L_q[\alpha, c] = \exp\left((c+o(1)) \cdot (\ln q)^{\alpha} \cdot (\ln \ln q)^{1-\alpha}\right)$

For $\alpha = 0$: $L_q[0, c] = (\ln q)^{c+o(1)}$
Algorithm polynomial as a function of the number of bits of q

For $\alpha = 1$: $L_q[1, c] = \exp\left((c+o(1)) \cdot \ln q\right)$
Algorithm exponential as a function of the number of bits of q

For $0 < \alpha < 1$:
Algorithm subexponential as a function of the number of bits of q

$f(n) = o(1)$ if for any positive constant $c > 0$ there exists a constant $n_0 > 0$, such that $0 \le f(n) < c$ for all $n \ge n_0$

General purpose factoring methods

Expected running time:
QS: $L_N[1/2, 1] = \exp\left((1+o(1)) \cdot (\ln N)^{1/2} \cdot (\ln \ln N)^{1/2}\right)$
NFS: $L_N[1/3, 1.92] = \exp\left((1.92+o(1)) \cdot (\ln N)^{1/3} \cdot (\ln \ln N)^{2/3}\right)$

[Figure: axis of the size of the factored number N in decimal digits (D), marked 100D, 110D, 120D, 130D; QS more efficient at the lower end, NFS more efficient at the upper end.]

First RSA Challenge

RSA-100, RSA-110, RSA-120, RSA-130, RSA-140, RSA-150, RSA-160, RSA-170, RSA-180, RSA-190, RSA-200, RSA-210, ..., RSA-450, RSA-460, RSA-470, RSA-480, RSA-490, RSA-500

Largest number factored to date: RSA-200, May 2005

Second RSA Challenge

Length of N in bits    Length of N in decimal digits    Award for factorization
576                    174                              $10,000
640                    193                              $20,000
704                    212                              $30,000
768                    232                              $50,000
896                    270                              $75,000
1024                   309                              $100,000
1536                   463                              $150,000
2048                   617                              $200,000

Number of bits vs. number of decimal digits

$10^{\#\text{digits}} = 2^{\#\text{bits}}$
$\#\text{digits} = (\log_{10} 2) \cdot \#\text{bits} \approx 0.30 \cdot \#\text{bits}$

256 bits = 77 D
384 bits = 116
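The totient formula, Euler's theorem and the decryption identity from the "Why does RSA work?" slides, checked numerically. This is an added example, not part of the lecture; the toy primes 61 and 53, the exponent 17 and all function names are assumptions chosen for illustration. It goes one step beyond the slides by also testing messages that share a factor with N, which Euler's theorem does not cover but which still decrypt correctly when N is a product of two distinct primes.

```python
from math import gcd

def factorize(n):
    """Trial division; returns {prime: exponent}. Fine for toy N only."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = 1
    return factors

def phi_formula(n):
    """phi(N) = product of P_i^(e_i - 1) * (P_i - 1) over the prime powers of N."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result

def phi_count(n):
    """phi(N) by definition: how many x in 1..N-1 are relatively prime with N."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)

def euler_holds(n):
    """True if a^phi(N) = 1 (mod N) for every a with gcd(a, N) = 1."""
    phi = phi_formula(n)
    return all(pow(a, phi, n) == 1 for a in range(1, n) if gcd(a, n) == 1)

def rsa_keypair(p, q, e):
    """Public key {e, N} and private key {d, P, Q} with e*d = 1 mod (P-1)(Q-1)."""
    d = pow(e, -1, (p - 1) * (q - 1))  # ValueError if e has no inverse
    return (e, p * q), (d, p, q)

def roundtrip_failures(p, q, e):
    """All M in [0, N) for which (M^e mod N)^d mod N != M."""
    (e, n), (d, _, _) = rsa_keypair(p, q, e)
    return [m for m in range(n) if pow(pow(m, e, n), d, n) != m]

if __name__ == "__main__":
    P, Q, E = 61, 53, 17  # constructed toy values, far too small for real keys
    (e, n), (d, _, _) = rsa_keypair(P, Q, E)
    print("N =", n, "phi(N) =", phi_formula(n), "d =", d)
    print("formula matches count:", phi_formula(n) == phi_count(n))
    print("Euler's theorem holds for N = 10:", euler_holds(10))
    # Includes the P + Q - 1 messages sharing a factor with N (0 among them),
    # which Euler's theorem does not cover.
    print("messages that fail to decrypt:", roundtrip_failures(P, Q, E))
```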
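Pollard's p-1 method from the special-purpose column of the "Factoring methods" slide, as an added example (not part of the lecture) of why factoring time drops when a factor of N has a special form, and of the check a key-generation audit can run on P-1 and Q-1. The moduli are constructed toy values; the function names, the base 2 and the bounds are assumptions.

```python
from math import gcd

def pollard_p_minus_1(n, bound, base=2):
    """Pollard's p-1: return a nontrivial factor of n, or None.

    Succeeds when some prime factor p of n has ord_p(base) dividing k! for
    a k <= bound, which is guaranteed when p-1 divides bound!.
    """
    a = base
    for k in range(2, bound + 1):
        a = pow(a, k, n)        # a = base^(k!) mod n
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g
    return None

def largest_prime_factor(m):
    """Largest prime factor of m by trial division (toy sizes only)."""
    largest, p = 1, 2
    while p * p <= m:
        while m % p == 0:
            largest, m = p, m // p
        p += 1
    return max(largest, m) if m > 1 else largest

if __name__ == "__main__":
    # Constructed toy primes: 2521 - 1 = 2^3 * 3^2 * 5 * 7 is smooth;
    # 2579 - 1 = 2 * 1289 and 2879 - 1 = 2 * 1439 each contain a large prime.
    weak_n, strong_n = 2521 * 2579, 2579 * 2879
    print(pollard_p_minus_1(weak_n, 10))      # smooth P-1: factor found at bound 10
    print(pollard_p_minus_1(strong_n, 1000))  # no factor even at bound 1000
    print(pollard_p_minus_1(strong_n, 1300))  # succeeds once the bound passes 1289
    print([largest_prime_factor(p - 1) for p in (2521, 2579, 2879)])
```

The work needed grows with the largest prime factor of P-1, so the audit value to look at is `largest_prime_factor(p - 1)` for each prime of the key.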