MASON ECE 646 - Lecture 9 RSA – Genesis, operation & security

This preview shows page 1-2-14-15-29-30 out of 30 pages.


RSA – Genesis, operation & security
ECE 646 - Lecture 9

Public Key (Asymmetric) Cryptosystems

[Diagram: Alice (Encryption, using the public key of Bob, $K_B$) -> Network -> Bob (Decryption, using the private key of Bob, $k_B$)]

Trap-door one-way function

Whitfield Diffie and Martin Hellman, "New directions in cryptography," 1976

$X \to f(X) = Y$ (PUBLIC KEY)
$Y \to f^{-1}(Y) = X$ (PRIVATE KEY)

Professional (NSA) vs. amateur (academic) approach to designing ciphers

Professional (NSA):
1. Know how to break Russian ciphers
2. Use only well-established proven methods
3. Hire 50,000 mathematicians
4. Cooperate with an industry giant
5. Keep as much as possible secret

Amateur (academic):
1. Know nothing about cryptology
2. Think of revolutionary ideas
3. Go for skiing
4. Publish in "Scientific American"
5. Offer a $100 award for breaking the cipher

Challenge published in Scientific American (1977)

Ciphertext:
9686 9613 7546 2206 1477 1409 2225 4355
8829 0575 9991 1245 7431 9874 6951 2093
0816 2982 2514 5708 3569 3147 6622 8839
8962 8013 3919 9055 1829 9451 5781 5145

Public key:
N = 114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541 (129 decimal digits)
e = 9007

Award: $100

RSA as a trap-door one-way function

PUBLIC KEY: $C = f(M) = M^e \bmod N$
PRIVATE KEY: $M = f^{-1}(C) = C^d \bmod N$

$N = P \cdot Q$, where P, Q are large prime numbers
$e \cdot d \equiv 1 \pmod{(P-1)(Q-1)}$

RSA keys

PUBLIC KEY: { e, N }
PRIVATE KEY: { d, P, Q }

$N = P \cdot Q$, where P, Q are large prime numbers
$e \cdot d \equiv 1 \pmod{(P-1)(Q-1)}$

Why does RSA work? (1)

Is the decrypted message M' equal to the original message M?

$M' = C^d \bmod N = (M^e \bmod N)^d \bmod N \stackrel{?}{=} M$

$e \cdot d \equiv 1 \pmod{(P-1)(Q-1)}$
$e \cdot d \equiv 1 \pmod{\varphi(N)}$, where $\varphi$ is Euler's totient function

Euler's totient (phi) function (1)

$\varphi(N)$ - number of integers in the range from 1 to N-1 that are relatively prime with N

Special cases:

1. P is prime: $\varphi(P) = P-1$
   Relatively prime with P: 1, 2, 3, …, P-1

2. $N = P \cdot Q$, P, Q are prime: $\varphi(N) = (P-1) \cdot (Q-1)$
   Relatively prime with N: $\{1, 2, 3, \dots, P \cdot Q - 1\} - \{P, 2P, 3P, \dots, (Q-1)P\} - \{Q, 2Q, 3Q, \dots, (P-1)Q\}$

Euler's totient (phi) function (2)

Special cases:

3. $N = P^2$, P is prime: $\varphi(N) = P \cdot (P-1)$
   Relatively prime with N: $\{1, 2, 3, \dots, P^2 - 1\} - \{P, 2P, 3P, \dots, (P-1)P\}$

In general:

If $N = P_1^{e_1} \cdot P_2^{e_2} \cdot P_3^{e_3} \cdot \ldots \cdot P_t^{e_t}$, then

$\varphi(N) = \prod_{i=1}^{t} P_i^{e_i - 1} \cdot (P_i - 1)$

Euler's Theorem

Leonhard Euler, 1707-1783

$\forall a:\ \gcd(a, N) = 1 \Rightarrow a^{\varphi(N)} \equiv 1 \pmod{N}$

Euler's Theorem - Justification (1)

For N = 10:
R = {1, 3, 7, 9}
Let a = 3
S = { 3⋅1 mod 10, 3⋅3 mod 10, 3⋅7 mod 10, 3⋅9 mod 10 } = {3, 9, 1, 7} = rearranged set R

For arbitrary N:
$R = \{x_1, x_2, \dots, x_{\varphi(N)}\}$
Let us choose arbitrary a, such that gcd(a, N) = 1
$S = \{a \cdot x_1 \bmod N,\ a \cdot x_2 \bmod N,\ \dots,\ a \cdot x_{\varphi(N)} \bmod N\}$ = rearranged set R

Euler's Theorem - Justification (2)

For N = 10:
R = S
$x_1 \cdot x_2 \cdot x_3 \cdot x_4 \equiv (a \cdot x_1) \cdot (a \cdot x_2) \cdot (a \cdot x_3) \cdot (a \cdot x_4) \pmod{N}$
$x_1 \cdot x_2 \cdot x_3 \cdot x_4 \equiv a^4 \cdot x_1 \cdot x_2 \cdot x_3 \cdot x_4 \pmod{N}$
$a^4 \equiv 1 \pmod{N}$

For arbitrary N:
R = S
$\prod_{i=1}^{\varphi(N)} x_i \equiv \prod_{i=1}^{\varphi(N)} a \cdot x_i \pmod{N}$
$\prod_{i=1}^{\varphi(N)} x_i \equiv a^{\varphi(N)} \cdot \prod_{i=1}^{\varphi(N)} x_i \pmod{N}$
$a^{\varphi(N)} \equiv 1 \pmod{N}$

Why does RSA work? (2)

Since $e \cdot d \equiv 1 \pmod{\varphi(N)}$, we have $e \cdot d = 1 + k \cdot \varphi(N)$, and

$M' = C^d \bmod N = (M^e \bmod N)^d \bmod N$
$= M^{e \cdot d} \bmod N$
$= M^{1 + k \cdot \varphi(N)} \bmod N$
$= M \cdot (M^{\varphi(N)})^k \bmod N$
$= M \cdot (M^{\varphi(N)} \bmod N)^k \bmod N$
$= M \cdot 1^k \bmod N = M$

Rivest estimation - 1977

The best known algorithm for factoring a 129-digit number requires:

40 000 trillion years = $40 \cdot 10^{15}$ years

assuming the use of a supercomputer being able to perform 1 multiplication of 129 decimal digit numbers in 1 ns.

Rivest's assumption translates to the delay of a single logic gate ≈ 10 ps.

Estimated age of the universe: 100 bln years = $10^{11}$ years

Lehmer Sieve

[Photo: Bicycle chain sieve [D. H. Lehmer, 1928], Computer Museum, Mountain View, CA]
[Photo: Machine à Congruences [E. O. Carissan, 1919]]

Supercomputer Cray

[Photo: Computer Museum, Mountain View, CA]

Early records in factoring large numbers

Year    Number of decimal digits    Number of bits    Required computational power (in MIPS-years)
1974    45                          149               0.001
1984    71                          235               0.1
1991    100                         332               7
1992    110                         365               75
1993    120                         398               830

How to factor for free?

A. Lenstra & M. Manasse, 1989

• Using the spare time of computers (otherwise unused)
• Program and results sent by e-mail (later using WWW)

Practical implementations of attacks: Factorization, RSA

Year    Number of decimal digits of N    Number of bits of N    Method    Estimated amount of computations
1994    129                              430                    QS        5000 MIPS-years
1996    130                              433                    GNFS      750 MIPS-years
1998    140                              467                    GNFS      2000 MIPS-years
1999    140                              467                    GNFS      8000 MIPS-years

Breaking RSA-129

When: August 1993 - 1 April 1994, 8 months
Who: D. Atkins, M. Graff, A. K. Lenstra, P. Leyland + 600 volunteers from the entire world
How: 1600 computers, from Cray C90, through 16 MHz PC, to fax machines

Only 0.03% computational power of the Internet

Results of cryptanalysis: "The magic words are squeamish ossifrage"

An award of $100 donated to Free Software Foundation

Elements affecting the progress in factoring large numbers

• computational power: 1977-1993 increase of about 1500 times
• computer networks: Internet
• better algorithms

Factoring methods

General purpose (time of factoring depends only on the size of N):
• QS - Quadratic Sieve
• GNFS - General Number Field Sieve
• Continued Fraction Method (historical)

Special purpose (time of factoring is much shorter if N or factors of N are of the special form):
• ECM - Elliptic Curve Method
• Pollard's p-1 method
• Cyclotomic polynomial method
• SNFS - Special Number Field Sieve

Running time of factoring algorithms

$L_q[\alpha, c] = \exp\left((c + o(1)) \cdot (\ln q)^{\alpha} \cdot (\ln \ln q)^{1-\alpha}\right)$

For $\alpha = 0$: $L_q[0, c] = (\ln q)^{c + o(1)}$
Algorithm polynomial as a function of the number of bits of q

For $\alpha = 1$: $L_q[1, c] = \exp\left((c + o(1)) \cdot \ln q\right)$
Algorithm exponential as a function of the number of bits of q

For $0 < \alpha < 1$:
Algorithm subexponential as a function of the number of bits of q

f(n) = o(1) if for any positive constant c > 0 there exists a constant $n_0 > 0$, such that $0 \le f(n) < c$, for all $n \ge n_0$

General purpose factoring methods

[Chart: size of the factored number N in decimal digits (D), marked at 100D, 110D, 120D, 130D; QS more efficient for smaller N, NFS more efficient for larger N]

Expected running time:

QS: $L_N[1/2, 1] = \exp\left((1 + o(1)) \cdot (\ln N)^{1/2} \cdot (\ln \ln N)^{1/2}\right)$
NFS: $L_N[1/3, 1.92] = \exp\left((1.92 + o(1)) \cdot (\ln N)^{1/3} \cdot (\ln \ln N)^{2/3}\right)$

First RSA Challenge

RSA-100, RSA-110, RSA-120, RSA-130, RSA-140, RSA-150, RSA-160, RSA-170, RSA-180, RSA-190, RSA-200, RSA-210, ..., RSA-450, RSA-460, RSA-470, RSA-480, RSA-490, RSA-500

Largest number factored to date: RSA-200, May 2005

Second RSA Challenge

Length of N in bits    Length of N in decimal digits    Award
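The key relations, the totient formula and the Euler's-theorem argument from the slides above, checked on a toy modulus. This is an added example, not part of the lecture: P = 61, Q = 53, e = 17 and M = 65 are constructed values, and the function names are this example's own. It also covers a case the gcd(M, N) = 1 argument leaves out, messages that share a factor with N.

```python
from math import gcd

def reduced_residues(n):
    """R: the integers in 1..N-1 that are relatively prime with N."""
    return [x for x in range(1, n) if gcd(x, n) == 1]

def phi_from_factors(factors):
    """General formula from the slides: phi(N) = prod P_i^(e_i-1) * (P_i - 1)."""
    result = 1
    for p, e in factors.items():
        result *= p ** (e - 1) * (p - 1)
    return result

def permuted_residues(a, n):
    """S = {a*x mod N}: a rearrangement of R whenever gcd(a, N) = 1."""
    return [a * x % n for x in reduced_residues(n)]

def make_keys(p, q, e):
    """Public key {e, N} and private key {d, P, Q}, e*d = 1 mod (P-1)(Q-1)."""
    d = pow(e, -1, (p - 1) * (q - 1))  # ValueError if e has no inverse
    return (e, p * q), (d, p, q)

def decrypts_every_message(public, private):
    """Round-trip all M in 0..N-1, including M that share a factor with N,
    which the Euler's-theorem argument (gcd(M, N) = 1) does not cover."""
    (e, n), d = public, private[0]
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))

def recover_private_exponent(public):
    """Anyone who factors N can recompute d. Trial division is enough here
    only because the toy N is tiny."""
    e, n = public
    p = next(f for f in range(3, n, 2) if n % f == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))

if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)   # constructed toy parameters
    e, n = public
    c = pow(65, e, n)                         # C = M^e mod N
    print("N =", n, "d =", private[0], "C =", c)
    print("M' =", pow(c, private[0], n))      # M' = C^d mod N
    print("S for N=10, a=3:", permuted_residues(3, 10))
    print("all messages round-trip:", decrypts_every_message(public, private))
    print("d from factoring N:", recover_private_exponent(public))
```

The round-trip holds for every M because N = P ⋅ Q is square-free; the security of the scheme rests entirely on the last function being infeasible at real key sizes.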
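The QS and NFS running-time formulas above, evaluated numerically to locate where NFS overtakes QS. This is an added example, not part of the lecture; it sets the o(1) term to zero, which is an assumption, so the output shows relative trends rather than operation counts.

```python
import math

def log_cost(digits, alpha, c):
    """ln of L_N[alpha, c] for N = 10**digits, with the o(1) term set to 0
    (an assumption: results are relative trends, not operation counts)."""
    ln_n = digits * math.log(10)
    return c * ln_n ** alpha * math.log(ln_n) ** (1 - alpha)

def qs_log_cost(digits):
    return log_cost(digits, 1 / 2, 1.0)      # L_N[1/2, 1]

def nfs_log_cost(digits):
    return log_cost(digits, 1 / 3, 1.92)     # L_N[1/3, 1.92]

def crossover_digits(lo=50, hi=300):
    """Smallest size in decimal digits at which NFS is cheaper than QS."""
    for d in range(lo, hi + 1):
        if nfs_log_cost(d) < qs_log_cost(d):
            return d
    return None

def relative_effort(digits, baseline_digits, log_cost_fn=nfs_log_cost):
    """How many times more work than the baseline size, same algorithm."""
    return math.exp(log_cost_fn(digits) - log_cost_fn(baseline_digits))

if __name__ == "__main__":
    for d in (100, 110, 120, 130, 200):
        better = "QS" if qs_log_cost(d) < nfs_log_cost(d) else "NFS"
        print(f"{d:>3} digits: ln QS = {qs_log_cost(d):5.1f}, "
              f"ln NFS = {nfs_log_cost(d):5.1f}, cheaper: {better}")
    print("crossover at", crossover_digits(), "digits")
    print(f"RSA-200 vs RSA-129 under NFS: {relative_effort(200, 129):.0f}x")
```

Because the growth is subexponential, adding digits to N raises the attacker's cost far more slowly than brute-force intuition suggests, which is why RSA moduli must be much longer than symmetric keys.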

