Efficient encryption and decryption

Transcription

1 ECE646 Lctur RSA Implmntation: Efficint ncryption, dcryption & ky gnration Rquird Rading W. Stallings, "Cryptography and twork-scurity, Chaptr 9. Th RSA Algorithm Chaptr 8. Tsting for Primality A. Mnzs, P. van Oorschot, and S. Vanston, Handbook of Applid Cryptography Chaptr 4 Public-Ky Paramtrs 4. Introduction 4. Probabilistic primality tsts (you can skip 4.. Solvay-Strassn tst) 4.4 Prim numbr gnration (you can skip 4.4. and 4.4.4) umbr of bits vs. numbr of dcimal digits #digits = #bits Efficint ncryption and dcryption #digits = (log ) #bits. #bits 56 bits = 77 D 84 bits = 6 D 5 bits = 54 D 768 bits = D 4 bits = 8 D 48 bits = 66 D How to prform xponntiation fficintly? Exponntiation: Y = X E mod Y = X E mod = X X X X X X X mod Right-to-lft binary xponntiation Lft-to-right binary xponntiation E-tims E = ( L-, L-,,, ) Problms: Solutions: E may b in th rang of 4 8. hug storag ncssary to stor X E bfor rduction. amount of computations infasibl to prform. modulo rduction aftr ach multiplication. clvr algorithms BC, India, Chandah-Sûtra Y = ; S = X; for i= to L- { if ( i == ) Y = Y S mod ; S = S mod ; } Y = ; for i=l- downto { Y = Y mod ; if ( i == ) Y = Y X mod ; }

2 Right-to-lft binary xponntiation E = ( L-, L-,,, ) S: X X mod X 4 mod X 8 mod X L- mod E: L- Y = X (X mod ) (X 4 mod ) (X 8 mod ) (X L- mod ) L- (X a ) b = X ab X a X b = X a+b Y = X L- L- mod = L- i i i= = X = X E mod Y = X E mod Right-to-lft binary xponntiation: Exampl E = 9 = = () S: X X mod X 4 mod X 8 mod X 6 mod E: 4 Y = X X mod X 6 mod = = X 9 mod Y = 9 mod mod =9 9 mod = 4 4 mod = 5 5 mod = 9 mod (7 mod ) mod = 5 mod = 4 Lft-to-right binary xponntiation Y = X E mod E = ( L-, L-,,, ) E: L- L- L- Y = ((...((( X L- ) X L- ) X L- ). ) X ) X mod (X a ) b = X ab X a X b = X a+b Y = X ( L- + L- ) + L- ) +. + ) + mod = i i = X L- L- + L- L- + L- L i= mod = X = = X E mod L- Lft-to-right binary xponntiation: Exampl Y = 9 mod E = 9 = = () E: 4 Y = ((...((( X ) ) ) X) X mod = ((( mod ) ) mod ) mod ) mod mod = (8 mod ) mod ) mod mod = = (5 ) mod mod = = 4 mod mod = = 5 mod = 4 Y = (X 8 X ) X mod = X 9 mod Exponntiation Exampl: Y = 7 mod Right-to-lft binary xponntiation = = ( ) Lft-to-right binary xponntiation Right-to-Lft Binary Exponntiation in Hardwar X E nabl Y S MUL SQR output

3 Lft-to-Right Binary Exponntiation in Hardwar Y X Basic Oprations of RSA Encryption L < k public ky xponnt C = M mod ciphrtxt plaintxt public ky modulus k-bits k-bits k-bits Control Logic E Dcryption L=k d privat ky xponnt MUL M plaintxt = C mod ciphrtxt privat ky modulus output k-bits k-bits k-bits Tim of Exponntiation in Softwar Tim of Exponntiation in Hardwar t EXP (, L, k) = #modular_multiplications(, L) t MULMOD (k), L = 4 = F 4 = + #modular_multiplications 7 larg random L-bit L + #ons() L t EXP (L, k) = L t MULMOD (k) t MULMOD (k) - tim of a singl modular multiplication of two k-bit numbrs modulo a k-bit numbr t MULMOD (k) = c hm k t MULMOD (k) - tim of a singl modular multiplication of two k-bit numbrs modulo a k-bit numbr t MULMOD (k) = c sm k Algorithms for Modular Multiplication Papr-and-Pncil Algorithm of Multiplication word = l byts = λ bits A n- A n-... A A A Multiplication Papr-and-pncil θ(k ) Karatsuba θ(k / ) Schönhag-Strassn (FFT) Modular Rduction θ(k ln(k)) Multiplication combind with modular rduction Montgomry algorithm θ(k ) classical Barrtt θ(k ) th sam complxity as undrlying multiplication Slby-Mitchll θ(k ) + + Assrtion: + lg n λ D n- words D n- C n- C n- words D n-4 D = A B D = A B + A B D = A B + A B + A B C n+ C n B n- B n- C n- C n-... B B D words D n-4 = A n- B n- + A n- B n- + A n- B n- D n- = A n- B n- + A n- B n- D n- = A n- B n- x + + D words D... C C B C

4 Classical Algorithm of Modular Rduction x m Effct of th incras in th computr spd on th spd of ncryption and dcryption in RSA x n- x n- x n-... x n-... x x : m n- m n-... m x n- x n-... x n-... x q n- m x x n- b+ x n- q n- = m n- : m n- m n-... m q n- = q n- + ε ε =,, computr spd to kp th sam scurity oprand siz x n-... x n-... x x q n- = x n- b+ x n- m n- q n- = q n- + ε ε =,, ncryption/dcryption spd x n-... x x Dcryption using Chins Rmaindr Thorm M C P = C mod P d P = d mod (P-) d P = C mod C Q = C mod Q d Q = d mod (Q-) M P = C P mod P M Q = C Q mod Q whr M = M P R Q + M Q R P mod R P = (P - mod Q) P = P Q- mod R Q = (Q - mod P) Q= Q P- mod d d Q SOFTWARE Without CRT Tim of dcryption without and with Chins Rmaindr Thorm HARDWARE t DEC (k) = t EXP (random, k, L=k) = c s k With CRT k t DEC-CRT (k) t EXP (random, k/, L=k/) = c s ( ) = t DEC (k) 4 Without CRT t DEC (k) = t EXP (random, k, L=k) = c h k With CRT t DEC-CRT (k) t EXP (random, k/, L=k/) = c h ( k ) = t DEC (k) 4 Lt and Chins Rmaindr Thorm = n n n... n M for any i, j gcd(n i, n j ) = Thn, any numbr A - can b rprsntd uniquly by A (a = A mod n, a = A mod n,, a M = A mod n M ) A can b rconstructd from (a, a,, a M ) using quation M A = (a i i - i mod n i ) mod i= whr i = = n i = n n... n i- n i+... n M M = M P P Chins Rmaindr Thorm for =P Q = P Q gcd(p, Q) = M (M p = M mod P, M Q = M mod Q) P - mod P + MQ Q Q - mod Q = M P Q ((Q - ) mod P) + M Q P ((P - ) mod Q) mod = = M P R Q + M Q R P mod mod

5 Concalmnt of mssags in th RSA cryptosystm Blakly, Borosh, 979 Thr xist mssags that ar not changd by th RSA ncryption! For xampl: M= C = mod = M= C = mod = M=- - mod C = (-) mod = - Evry M such that M P = M mod P {,, -} M Q = M mod Q {,, -} C P = C mod P = (M mod ) mod P = M mod P = M P mod P = M P C Q = C mod Q = (M mod ) mod Q = M mod Q = M Q mod Q = M Q Concalmnt of mssags in th RSA cryptosystm Blakly, Borosh, 979 At last 9 mssags not concald by RSA! umbr of mssags not concald by RSA: σ = ( + gcd(-, P-)) ( + gcd(-, Q-)) A. = σ = 9 B. gcd(-, P-) = and gcd(-, Q-) = σ = 9 C. gcd(-, P-) = P- and gcd(-, Q-) = Q- σ = P Q= It is possibl that all mssags rmain unconcald by RSA! Efficint ky gnration prim numbr gnration Gnration of th RSA kys P, Q Typically = 6 + gcd(, P-) = gcd(, Q-) = gcd(-, P-) = gcd(-, Q-) = Extndd Euclid s algorithm = P Q d = - mod (P-) (Q-) Random sarch Random vs. Incrmntal Sarch Is thr a sufficnt amount of prim numbrs to choos from? π(x) - th amount of prim numbrs smallr than x x prims numbrs tstd for primality Incrmntal sarch starting point chosn at random π(x) = x ln(x) π(x) prim numbrs x π(x)

6 Is thr a sufficnt amount of prim numbrs of th givn bit lngth to choos from? π k - th amount of prim numbrs of th siz of k-bits k- π k prim numbrs k Avrag distanc btwn prims of th givn bit lngth () prims k- k Avrag distanc btwn two conscutiv prims π k = π( k ) - π( k- ).5 π( k ) π( k- ) k π k Avrag distanc (k) k - k- π k.69 (k-) k- π( k- ) ln k- Avrag distanc btwn prims of th givn bit lngth () Eulr s Thorm Lonard Eulr, umbr of bits k Avrag distanc btwn prims Avrag amount of odd numbrs to tst a: gcd(a, ) = a ϕ() (mod ) Frmat s Thorm Pirr d Frmat, 6?-665 Frmat primality tst prim a: gcd(a, ) = a - (mod )

7 Frmat primality tst Carmichal umbrs n composit Carmichal numbr n composit L(n) Liars to W(n) Witnsss to L(n) Liars to W(n) Witnsss to a W(n) iff a n- mod n {..n-} W(n) = {a: a n, gcd(a, n)>} L(n) = ϕ(n) W(n) = n-ϕ(n) {..n-} Carmichal umbrs A composit intgr is a Carmichal numbr iff k n= p p p p k p i ar distinct prims, p i p j for i j p i (p i -) (n-) Smallst Carmichal numbr n = 56 = 7 Among all numbrs smallr or qual to 5 Thr ar about prim numbrs 5 Carmichal numbrs Good probabilistic primality tst n composit L(n) Liars to W(n) Witnsss to n composit W(n) L(n) {..n-} If a W(n) tst rturns n composit ls tst rturns n probably prim or n psudoprim to th bas a n composit n composit L(n) Strong liars to W(n) Strong witnsss to L(n), n- Strong liars to W(n) Strong witnsss to n composit {..n-} L(n) ϕ(n)/4 < (n-)/4 For crtain composit numbrs, such as n = (k+) thr ar only two strong liars: and n- {..n-}

8 Mathmatical Basis Algorithm () If n is prim thn has only two squar roots modulo n i.., thr ar only two numbrs, y and y, such that y mod n = and y mod n = y = and y =n- - mod n If n is composit thn has at last four squar roots modulo n i.., thr xist numbrs, y, y, y, y 4, such that y mod n =, y mod n =, y mod n =, y 4 mod n =, y =, y =n- - mod n, y ± mod n, y 4 ± mod n Find s and r, such that For xampl: n - = s r, n = 49 n - = 48 = 4 s=4, r= n = 6 n- = 6 = 5 s=, r=5 whr r is odd Algorithm () Algorithm () Comput a n- mod n = ( ((a r mod n) mod n) mod n ) mod n = squar mod n s squarings s- s a r (a r ) (a r ) (a r )... (a r ) (a r ) squar root mod n mod n squar mod n s- s a r (a r ) (a r ) (a r )... (a r ) (a r ) X ± mod n squar root mod n X X - X X - X X X X X X mod n rsult of tst probably prim or composit? -log of th bound on th rror probability of dclaring a k-bit composit numbr a prim aftr t itrations of th k = numbr of bits t - numbr of itrations of th

9 Minimal numbr of th s t, ncssary to obtain th probability of rror < - for a k-bit numbr n Minimal numbr of th s, t, for rlativly small numbrs n k t k t k t ovr 85 Random vs. Incrmntal Sarch Using division by small prims Random sarch prims numbrs tstd prims numbrs tstd for primality Incrmntal sarch starting point chosn at random D D D D D D D D D D D D D D D D D R R R D Division by small prims R R with bas R R with th random bas a R R Mrtn s Thorm Th proportion of candidat odd intgrs OT ruld out by th trial division by all prims B Incrmntal sarch for a prim Efficint implmntation of division by small prims St of small prims 5 7 α(b) = (-/) (-/5) (-/7) (-/B) α(b). / ln B For B=56, α(b). 8% of tstd numbrs discardd by th trial division n = 9 n = 9 n = 95 n = 97 n = 99 n mod = n mod 5 = n mod 7 = n mod = + mod = + mod 5= + mod 7= + mod = 5 + mod = + mod 5= + mod 7= 4 5+ mod = 7 + mod = + mod 5= 4+ mod 7= 6 7+ mod = 9 + mod = + mod 5= 4 6+ mod 7= 9+ mod = n = + mod = 4+ mod 5= + mod 7= + mod =

10 Division by small prims Practical implmntation () Optimum numbr of small prims 5 7 S[k] {, 5, 7,. B opt } B opt R D ln (R /D) R = tim of th with bas D = tim spnt on tst dividing on numbr by on small prim Rcovring RSA-ncryptd mssags without a privat ky () Gussing a st of possibl mssags RSA countrmasurs against known attacks IRS FBI E public_ky_of_fbi ( nam of th congrss mmbr who committd a tax fraud) journalist E public_ky_of_fbi (nam) E public_ky_of_fbi (nam).. E public_ky_of_fbi (nam) Rcovring RSA-ncryptd mssags without a privat ky () Small and small mssags = Hastad s attack P U = (, ) P U = (, ) P U = (, ) m c = m mod = m / m < / m =, m snd to thr diffrnt popl m mod CRT m mod m mod = m m mod / m Coding Optimal Assymtric Encryption Padding () >68 bits mssag SEED MASK(SEED) maskd_mssag maskd_mssag Bllar-Rogaway MASK(maskd_mssag) maskd_sd

11 Optimal Assymtric Encryption Padding () RSA signatur Dcoding Bllar-Rogaway Alic Mssag Signatur Mssag Signatur Bob maskd_mssag maskd_sd Hash function Hash function MASK(maskd_mssag) Hash valu SEED Hash valu ys no MASK(SEED) Public ky algorithm Hash valu Public ky algorithm mssag >68 bits Alic s privat ky Alic s public ky Padding for signaturs with appndix PKCS # v.5 for signaturs Padding for signaturs with appndix PKCS v.: PSS Probabilistic Signatur Schm FF FF FF. FF hash ID h(m) at last 8 byts ASI X9., ISO BBBBBBBBBBB A h(m) hash ID MGF: Mask Gnration Function padding : padding : zro octts bc: BC in hx