RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Similar documents
Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

The security of RSA (part 1) The security of RSA (part 1)

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Chapter 8 Public-key Cryptography and Digital Signatures

The RSA cryptosystem and primality tests

Asymmetric Encryption

CIS 551 / TCOM 401 Computer and Network Security

Public Key Cryptography

Introduction to Modern Cryptography. Benny Chor

Mathematics of Cryptography

10 Public Key Cryptography : RSA

Introduction to Public-Key Cryptosystems:

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

8.1 Principles of Public-Key Cryptosystems

RSA. Ramki Thurimella

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

THE RSA CRYPTOSYSTEM

Public Key Algorithms

RSA RSA public key cryptosystem

NUMBER THEORY AND CODES. Álvaro Pelayo WUSTL

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Lecture 1: Introduction to Public key cryptography

NUMBER THEORY FOR CRYPTOGRAPHY

Number Theory & Modern Cryptography

Congruence of Integers

5199/IOC5063 Theory of Cryptology, 2014 Fall

Algorithmic Number Theory and Public-key Cryptography

Ma/CS 6a Class 3: The RSA Algorithm

Lecture V : Public Key Cryptography

dit-upm RSA Cybersecurity Cryptography

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture 14: Hardness Assumptions

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Ti Secured communications

Public-Key Encryption: ElGamal, RSA, Rabin

Numbers. Çetin Kaya Koç Winter / 18

Attacks on RSA & Using Asymmetric Crypto

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Public-Key Cryptosystems CHAPTER 4

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Cryptography IV: Asymmetric Ciphers

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

10 Modular Arithmetic and Cryptography

Cryptography. pieces from work by Gordon Royle

Cryptography. P. Danziger. Transmit...Bob...

A New Attack on RSA with Two or Three Decryption Exponents

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Public Key Cryptography

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Powers in Modular Arithmetic, and RSA Public Key Cryptography

Implementation Tutorial on RSA

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

An Introduction to Cryptography

Public Key Cryptography

COMP4109 : Applied Cryptography

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

A Few Facts from Number Theory and the RSA Cryptosystem OVERVIEW. RSA Producing Big Primes. Table of Contents. Overview Basic Facts of Number Theory

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem

THE CUBIC PUBLIC-KEY TRANSFORMATION*

THE RSA ENCRYPTION SCHEME

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Innovation and Cryptoventures. Cryptography 101. Campbell R. Harvey. Duke University, NBER and Investment Strategy Advisor, Man Group, plc

Mathematical Foundations of Public-Key Cryptography

CRYPTOGRAPHY AND NUMBER THEORY

Ma/CS 6a Class 4: Primality Testing

Discrete Mathematics GCD, LCM, RSA Algorithm

Iterated Encryption and Wiener s attack on RSA

Math.3336: Discrete Mathematics. Mathematical Induction

Number Theory. Modular Arithmetic

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Partial Key Exposure: Generalized Framework to Attack RSA

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Number Theory and Group Theoryfor Public-Key Cryptography

Great Theoretical Ideas in Computer Science

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Public Key Cryptography

Practice Assignment 2 Discussion 24/02/ /02/2018

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

CPSC 467b: Cryptography and Computer Security

Introduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key

Math/Mthe 418/818. Review Questions

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

CPSC 467b: Cryptography and Computer Security

Math 412: Number Theory Lecture 13 Applications of

CPSC 467b: Cryptography and Computer Security

Solution to Midterm Examination

Introduction. What is RSA. A Guide To RSA by Robert Yates. Topics

Number Theory and Algebra: A Brief Introduction

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Analysis of the RSA Encryption Algorithm

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Discrete mathematics I - Number theory

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Transcription:

RSA Algorithm http://koclab.org Çetin Kaya Koç Spring 2018 1 / 14

Well-Known One-Way Functions Discrete Logarithm: Given p, g, and x, computing y in y = g x (mod p) is EASY Given p, g, y, computing x in y = g x (mod p) is HARD Factoring: Given p and q, computing n in n = p q is EASY Given n, computing p or q in n = p q is HARD Discrete Square Root: Given x and y, computing y in y = x 2 (mod n) is EASY Given y and n, computing x in y = x 2 (mod n) is HARD Discrete eth Root: Given x, n and e, computing y in y = x e (mod n) is EASY Given y, n and e, computing x in y = x e (mod n) is HARD http://koclab.org Çetin Kaya Koç Spring 2018 2 / 14

Rivest-Shamir-Adleman Algorithm Invented by three young faculty members at MIT: Ronald Rivest (CS), Adi Shamir (Math), and Leonard Adleman (Math) in the Summer and Fall of 1976: Ron and Adi would come up with ideas, and Len would try to shoot them down. Len was consistently successful; late one night, though, Ron came up with an algorithm that Len couldnt crack. Following the ideas of building a public-key encryption method using trapdoor one-way functions of Merkle and Hellman It is based on the one-way functions factoring and discrete eth root The paper was published in 1977 (Comm. of ACM) The method was patented by MIT in 1983, which ended in 2000 http://koclab.org Çetin Kaya Koç Spring 2018 3 / 14

Rivest-Shamir-Adleman Algorithm The User generates two large, approximately same size random primes: p and q The modulus n is the product of these two primes: n = pq Euler s totient function of n is given by φ(n) = (p 1)(q 1) The User selects a number 1 < e < φ(n) such that and computes d with gcd(e, φ(n)) = 1 d = e 1 (mod φ(n)) using the extended Euclidean algorithm http://koclab.org Çetin Kaya Koç Spring 2018 4 / 14

Rivest-Shamir-Adleman Algorithm e is the public exponent and d is the private exponent The public key: The modulus n and the public exponent e The private key: The private exponent d, the primes p and q, and φ(n) = (p 1)(q 1) Encryption and decryption are performed by computing C = M e (mod n) M = C d (mod n) where M, C are the plaintext and ciphertext such that 0 M, C < n http://koclab.org Çetin Kaya Koç Spring 2018 5 / 14

Correctness of RSA RSA Algorithm The correctness of the RSA algorithm follows from Euler s theorem: For n and a be positive, relatively prime integers, we have a φ(n) = 1 (mod n) Since we have e d = 1 mod φ(n), we can write ed = 1 + Kφ(n) for some integer K, and thus provided that gcd(m, n) = 1 C d = (M e ) d (mod n) = M ed (mod n) = M 1+Kφ(n) (mod n) = M (M φ(n) ) K (mod n) = M 1 K = M (mod n) http://koclab.org Çetin Kaya Koç Spring 2018 6 / 14

Correctness of RSA RSA Algorithm On the other hand, if gcd(m, n) 1 and M < n, we have either gcd(m, n) = p or gcd(m, n) = q Therefore, M = u p or M = v q, for some integers u < p and v < q, such that gcd(u, n) = 1 and gcd(v, n) = 1 Without loss of generally, assume M = u p with gcd(u, n) = 1, we can write C = M e = (u p) e = u e p e (mod n) Since gcd(u, n) = 1, we have u ed = u (mod n) and thus C d = u ed p ed (mod n) = u p 1+Kφ(n) (mod n) We will now show that x = p 1+Kφ(n) (mod n) is equal to p, and thus C d = u p = M (mod n) http://koclab.org Çetin Kaya Koç Spring 2018 7 / 14

Correctness of RSA RSA Algorithm Since n = p q, we write x = p 1+Kφ(n) (mod p q) Due to the CRT, this implies x p = p 1+Kφ(n) = 0 (mod p) x q = p 1+Kφ(n) = p (mod q) The first is true, because p = 0 (mod p) The second equality is true because φ(n) = 0 (mod q 1) since φ(n) = (p 1)(q 1) http://koclab.org Çetin Kaya Koç Spring 2018 8 / 14

Correctness of RSA RSA Algorithm Therefore, we find x = { 0 (mod p) p (mod q) Applying the CRT to the residues (0, p) and moduli (p, q), we obtain x = 0 q c 1 + p p c 2 (mod pq) such that c 1 = q 1 (mod p) and c 2 = p 1 (mod q) We can write p c 2 = 1 + L q, and obtain x as x = p p c 2 = p (1 + L q) = p + L pq (mod pq) Thus, we find x = p (mod n) http://koclab.org Çetin Kaya Koç Spring 2018 9 / 14

Example RSA RSA Algorithm The primes p = 11 and q = 13, the modulus n = 11 13 = 143 φ(n) = φ(143) = (p 1)(q 1) = 10 12 = 120 Find e such that gcd(e, φ(n)) = φ(e, 120) = 1 Since 120 = 2 3 3 5, we select e = 7 d = e 1 (mod φ(n)) which gives d = 7 1 (mod 120) as d = 103 Encryption C = M e (mod n) gives C = 8 7 (mod 143) as C = 57 Decryption D = C d (mod n) gives M = 57 103 (mod 143) as M = 8 Encryption C = M e (mod n) gives C = 11 7 (mod 143) as C = 132 Decryption D = C d (mod n) gives M = 132 103 (mod 143) as M = 11 http://koclab.org Çetin Kaya Koç Spring 2018 10 / 14

Security of RSA RSA Algorithm The public key (e, n) is published The private key parameters p, q, φ(n), d are kept by the user Breaking RSA: one or several or all instances Computing M, given C and (e, n) all instances Computing d, given (e, n) Taking discrete eth Root Computing M Compute eth Root of M e (mod n) and obtain M Factoring n Computing d Factor n = pq, compute d = e 1 mod (p 1)(q 1) Computing φ(n) Computing d Compute d = e 1 mod φ(n) http://koclab.org Çetin Kaya Koç Spring 2018 11 / 14

Knowing φ(n) Factoring n We know n = pq, we can also write: n φ(n) + 1 = pq (p 1)(q 1) + 1 = p + q Thus we have pq and p + q, and we can write a quadratic equation whose roots are p and q x 2 (p + q)x + pq = x 2 (n φ(n) + 1) + n = 0 The roots of the equations are 1 2 (n φ(n) + 1 ± (n φ(n) + 1) 2 4n ) Example: For n = 143 and φ(n) = 120, we write p, q = (1/2)(143 120 + 1 ± (143 120 + 1) 2 4 143) = 11, 13 http://koclab.org Çetin Kaya Koç Spring 2018 12 / 14

Knowing d (Probabilistically) Factoring n Given d, we can write d e = 1 + Kφ(n) since they are inverses of one another mod φ(n) Since d e 1 is a multiple of φ(n), for gcd(a, n) = 1 we can write a de 1 = (a φ(n) ) K = 1 (mod n) If there is a universal exponent b such that a b = 1 (mod n) for all a with gcd(a, n), then there is exists a probabilistic method for factoring n This probabilistic factorization algorithm is based on the Miller-Rabin primality test http://koclab.org Çetin Kaya Koç Spring 2018 13 / 14

Breaking RSA? Factoring Factoring n indeed breaks the RSA encryption algorithm However, does Breaking RSA mean that we can factor n? There is no general proof for such a claim a lack of progress A related result: Breaking the low-exponent RSA is not as hard as factoring integers Strong evidence: An RSA breaker cannot be used for factoring integers http://koclab.org Çetin Kaya Koç Spring 2018 14 / 14

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback