Foundations of Network and Computer SecurityAnnouncementsHistogram (also on website)Multiplicative GroupsMultiplicative Groups (cont)The Group Zm*Examples of Zm*Euler’s Phi FunctionEvaluating the Phi FunctionExamplesLaGrange’s TheoremBasic RSA CryptosystemSlide 13Key GenerationKey Generation NotesRSA EncryptionRSA ExampleRSA Example (cont)RSA ProofSecurity of RSAFactoring TechnologyThe Number Field SieveNFS (cont)The RecordOn the ForefrontImplementation NotesImplementation Notes (cont)Note on Primality TestingPrime Number Theorem(n) versus n/ln(n)Sample CalculationFoundations of Network and Foundations of Network and Computer SecurityComputer SecurityJJohn BlackLecture #10Sep 29th 2005CSCI 6268/TLEN 5831, Fall 2005Announcements•Reading: Groups and RSA–Get from the schedule page•Midterm Results–High: 91–Median: 70–Mostly happy with results•The more straightforward questions were gotten by most everyone in the classHistogram (also on website)ABCMultiplicative Groups•Is {0, 1, …, m-1} a group under multiplication mod m?–No, 0 has no inverse•Ok, toss out 0; is {1, …, m-1} a group under multiplication mod m?–Hmm, try some examples…•m = 2, so G = {1} X•m = 3, so G = {1,2} X•m = 4, so G = {1,2,3} oops!•m = 5, so G = {1,2,3,4} XMultiplicative Groups (cont)•What was the problem?–2,3,5 all prime–4 is composite (meaning “not prime”)•Theorem: G = {1, 2, …, m-1} is a group under multiplication mod m iff m is prime Proof: Ã: suppose m is composite, then m = ab where a,b 2 G and a, b  1. Then ab = m = 0 and G is not closed !: follows from a more general theorem we state in a momentThe Group Zm*•a,b 2 N are relatively prime iff gcd(a,b) = 1–Often we’ll write (a,b) instead of gcd(a,b)•Theorem: G = {a : 1 · a · m-1, (a,m) = 1} and operation is multiplication mod m yields a group–We name this group Zm*–We won’t prove this (though not too hard)–If m is prime, we recover our first theoremExamples of Zm*•Let m = 15–What elements are in Z15*?•{1,2,4,7,8,11,13,14}–What is 2-1 in Z15*?•First you should check that 2 2 Z15*•It is since (2,15) = 1–Trial and error:•1, 2, 4, 7, 8 X–There is a more efficient way to do this called “Euclid’s Extended Algorithm”•Trust meEuler’s Phi Function•Definition: The number of elements of a group G is called the order of G and is written |G|–For infinite groups we say |G| = 1–All groups we deal with in cryptography are finite•Definition: The number of integers i < m such that (i,m) = 1 is denoted (m) and is called the “Euler Phi Function”–Note that |Zm*| = (m)–This follows immediately from the definition of ()Evaluating the Phi Function•What is (p) if p is prime?–p-1•What is (pq) if p and q are distinct primes?–If p, q distinct primes, (pq) = (p)(q)–Not true if p=q–We won’t prove this, though it’s not hardExamples•What is (3)?–|Z3*| = |{1,2}| = 2•What is (5)?•What is (15)?– (15) = (3)(5) = 2 £ 4 = 8–Recall, Z15* = {1,2,4,7,8,11,13,14}LaGrange’s Theorem•Last bit of math we’ll need for RSA•Theorem: if G is any finite group of order n, then 8 a 2 G, an = 1–Examples:•6 2 Z22, 6+6+…+6, 22 times = 0 mod 22•2 2 Z15*, 28 = 256 = 1 mod 15•Consider {0,1}5 under ©–01011 2 {0,1}5, 0101132 = 0000016 =00000–It always works (proof requires some work)Basic RSA Cryptosystem•Basic Setup:–Alice and Bob do not share a key to start with–Alice will be the sender, Bob the receiver•Reverse what follows for Bob to reply–Bob first does key generation•He goes off in a corner and computes two keys•One key is pk, the “public key”•Other key is sk, the “secret key” or “private key”–After this, Alice can encrypt with pk and Bob decrypts with skBasic RSA Cryptosystem•Note that after Alice encrypts with pk, she cannot even decrypt what she encrypted–Only the holder of sk can decrypt–The adversary can have a copy of pk; we don’t careAdversaryAliceBob’s Public Key Bob’s Private KeyBobBob’s Public KeyKey Generation•Bob generates his keys as follows–Choose two large distinct random primes p, q–Set n = pq (in Z… no finite groups yet)–Compute (n) = (pq) = (p)(q) = (p-1)(q-1)–Choose some e 2 Z(n)*–Compute d = e-1 in Z(n)*–Set pk = (e,n) and sk = (d,n)•Here (e,n) is the ordered pair (e,n) and does not mean gcdKey Generation Notes•Note that pk and sk share n–Ok, so only d is secret•Note that d is the inverse in the group Z(n)* and not in Zn*–Kind of hard to grasp, but we’ll see why•Note that factoring n would leak d•And knowing (n) would leak d–Bob has no further use for p, q, and (n) so he shouldn’t leave them lying aroundRSA Encryption•For any message M 2 Zn*–Alice has pk = (e,n)–Alice computes C = Me mod n–That’s it•To decrypt–Bob has sk = (d,n)–He computes Cd mod n = M•We need to prove thisRSA Example•Let p = 19, q = 23–These aren’t large primes, but they’re primes!–n = 437– (n) = 396–Clearly 5 2 Z*396, so set e=5–Then d=317•ed = 5 £ 317 = 1585 = 1 + 4 £ 396 X–pk = (5, 437)–sk = (396, 437)RSA Example (cont)•Suppose M = 100 is Alice’s message–Ensure (100,437) = 1 X–Compute C = 1005 mod 437 = 85–Send 85 to Bob•Bob receives C = 85–Computes 85317 mod 437 = 100 X•We’ll discuss implementation issues laterRSA Proof•Need to show that for any M 2 Zn*, Med = M mod n–ed = 1 mod (n) [by def of d]–So ed = k(n) + 1 [by def of modulus]–So working in Zn*, Med = Mk(n) + 1 = Mk(n) M1 = (M(n))k M = 1k M = M•Do you see LaGrange’s Theorem there?•This doesn’t say anything about the security of RSA, just that we can decryptSecurity of RSA•Clearly if we can factor efficiently, RSA breaks–It’s unknown if breaking RSA implies we can factor•Basic RSA is not good encryption–There are problems with using RSA as I’ve just described; don’t do it–Use a method like OAEP•We won’t go into thisFactoring Technology•Factoring Algorithms–Try everything up to sqrt(n)•Good if n is small–Sieving•Ditto–Quadratic Sieve, Elliptic Curves, Pollard’s Rho Algorithm•Good up to about 40 bits–Number Field Sieve•State of the Art for large compositesThe Number Field Sieve•Running time is estimated as•This is super-polynomial, but sub-exponential–It’s unknown what the