1RSA – Genesis, operation &securityECE 646 - Lecture 9Public Key (Asymmetric) CryptosystemsPublickey of Bob - KBPrivate key of Bob - kBAliceBobNetworkEncryptionDecryptionTrap-door one-way functionXf(X) Yf-1(Y)Whitfield Diffie and Martin Hellman“New directions in cryptography,” 1976PUBLIC KEYPRIVATE KEY2Professional (NSA) vs. amateur (academic)approach to designing ciphers1. Know how to break Russianciphers2. Use only well-establishedproven methods3. Hire 50,000 mathematicians4. Cooperate with an industrygiant5. Keep as much as possiblesecret1. Know nothing aboutcryptology2. Think of revolutionaryideas3. Go for skiing4. Publish in “ScientificAmerican”5. Offer a $100 award forbreaking the cipher3Challenge published in Scientific American9686 9613 7546 2206 1477 1409 2225 43558829 0575 9991 1245 7431 9874 6951 20930816 2982 2514 5708 3569 3147 6622 88398962 8013 3919 9055 1829 9451 5781 5145Ciphertext:Publickey:N = 114381625757 888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541(129 decimal digits)e = 9007Award $1001977RSAas a trap-door one-way functionMC = f(M) = Memod NCM = f-1(C) = Cdmod NPUBLIC KEYPRIVATE KEYN = P Q P, Q - large prime numberse d 1 mod ((P-1)(Q-1))4RSAkeysPUBLIC KEYPRIVATE KEY{ e, N }{ d, P, Q }N = P Qe d 1 mod ((P-1)(Q-1))P, Q - large prime numbersWhy does RSA work? (1)M’ = Cdmod N = (Memod N)dmod N = Mdecryptedmessageoriginalmessage?e d 1 mod ((P-1)(Q-1))e d 1 mod (N)Euler’s totientfunctionEuler’s totient (phi) function (1)(N) - number of integers in the range from 1 to N-1that are relatively prime with NSpecial cases:1. P is primeRelatively prime with P: 1, 2, 3, …, P-12. N = P Q P, Q are prime(N) = (P-1) (Q-1)Relatively prime with N: {1, 2, 3, …, PQ-1} – {P, 2P, 3P, …, (Q-1)P}– {Q, 2Q, 3Q, …, (P-1)Q}(P) = P-15Euler’s totient (phi) function (2)Special cases:3. N = P2P is prime(N) = P (P-1)Relatively prime with N: {1, 2, 3, …, P2-1} – {P, 2P, 3P, …, (P-1)P}In generalIf N = P1e1 P2e2 P3e3 … Ptet(N) = Piei-1 (Pi-1)i=1tEuler’s TheoremLeonard Euler, 1707-1783a: gcd(a, N) = 1a(N) 1 (mod N)Euler’s Theorem - Justification (1)For N=10 For arbitrary NR = {1, 3, 7, 9}R = {x1, x2, …, x(N)}Let a=3 Let us choose arbitrary a, such thatgcd(a, N) = 1S = {ax1mod N, ax2mod N, …,ax(N)mod N}S = { 31 mod 10,33mod 10, 37 mod 10,39 mod 10 }= {3, 9, 1, 7}= rearranged set R6Euler’s Theorem - Justification (2)For N=10 For arbitrary NR = SR = Sx1x2x3x4(ax1) (ax2)(ax3)(ax4) mod Nx1x2x3x4a4 x1x2x3x4mod Na4 1 (mod N)i=1(N)xii=1(N)a xi(mod N)i=1(N)xia(N) i=1(N)xi(mod N)a(N) 1 (mod N)Why does RSA work? (2)M’ = Cdmod N = (Memod N)dmod N == Me dmod N == M1+k(N)mod N = M (M(N))kmod N == M (M(N)mod N)kmod N == M 1kmod N = Me d 1 mod (N)e d = 1 + k(N)=Rivest estimation - 1977The best known algorithm for factoring a129-digit number requires:40 000 trilion years= 40 · 1015yearsassuming the use of a supercomputerbeing able to perform1 multiplication of 129 decimal digit numbers in 1 nsRivest’s assumption translates to the delay of a single logic gate10 psEstimated age of the universe: 100 bln years = 1011years7Lehmer SieveBicycle chain sieve [D. H. Lehmer, 1928]Computer Museum, Mountain View, CAMachine à Congruences [E. O. Carissan, 1919]Machine à Congruences [E. O. Carissan, 1919]Supercomputer CrayComputer Museum, Mountain View, CA8Early records in factoring large numbersYearsNumber ofdecimaldigitsNumberof bitsRequiredcomputationalpower(in MIPS-years)1974198419911992199345711001101201492353323653980.0010.1775830How to factor for free?A. Lenstra & M. Manasse, 1989• Using the spare time of computers,(otherwise unused)• Program and results sent by e-mail(later using WWW)Practical implementations of attacksFactorization, RSAYearNumberof bitsof NNumber ofdecimal digitsof NEstimated amountof computations1994199619981291301404304334672000 MIPS-years5000 MIPS-years750 MIPS-yearsMethodQSGNFSGNFS1999 1404678000 MIPS-yearsGNFS9Breaking RSA-129When: August 1993 - 1 April 1994, 8 monthsWho: D. Atkins, M. Graff, A. K. Lenstra, P. Leyland+ 600 volunteers from the entire worldHow: 1600 computersfrom Cray C90, through 16 MHz PC,to fax machinesOnly 0.03% computational power of the InternetResults of cryptanalysis:“The magic words are squeamish ossifrage”An award of $100 donated to Free Software FoundationElements affecting the progressin factoring large numbers- computational power- computer networks- better algorithms1977-1993 increase of about 1500 timesInternetFactoring methodsGeneral purpose Special purposeQS - Quadratic SieveGNFS - General NumberField SieveECM - Elliptic Curve MethodTime of factoring dependsonly on the size of NTime of factoring is muchshorter if N or factors of Nare of the special formPollard’s p-1 methodCyclotomic polynomial methodSNFS - Special Number FieldSieveContinued Fraction Method(historical)10Running time of factoring algorithmsLq[, c] = exp ((c+o(1))·(ln q)·(ln ln q)1- )For =0Lq[0, c] = (ln q)(c+o(1))Algorithm polynomialas a function of the numberof bits of qFor =1Lq[1, c] = exp((c+o(1))·(ln q))Algorithm exponentialas a function of the numberof bits of qFor 0 < < 1Algorithm subexponentialas a function of the numberof bits of qf(n) = o(1) if for any positive constant c>0 there exist a constantn0>0, such that 0 f(n) < c, for all n n0General purpose factoring methodssize of the factored numberN in decimal digits (D)100D 130DQS moreefficientNFS moreefficientExpected running timeQS NFSLN[1/2, 1] = exp((1 + o(1))·(ln N)1/2))·(ln ln N)1/2)LN[1/3, 1.92] = exp((1.92 + o(1))·(ln N)1/3))·(ln ln N)2/3)110D 120DFirst RSA ChallengeRSA-100RSA-110RSA-120RSA-130RSA-140RSA-150RSA-160RSA-170RSA-180RSA-190RSA-200RSA-210..............RSA-450RSA-460RSA-470RSA-480RSA-490RSA-500Largest number factored to dateRSA-200May 200511Second RSA ChallangeLentgh of Nin bitsLength of Nin decimal digitsAward forfactorization576640704768896102415362048174193212232270309463617$10,000$20,000$30,000$50,000$75,000$100,000$150,000$200,000Number of bits vs. number of decimal digits10#digits= 2#bits#digits = (log102) · #bits 0.30 · #bits256 bits = 77 D384 bits = 116 D512 bits =
View Full Document
Unlocking...