RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob

Trap-door one-way function Whitfield Diffie and Martin Hellman New directions in cryptography, 976 PUBLIC KEY X f(x) Y f - (Y) PRIVATE KEY Professional (NSA) vs. amateur (academic) approach to designing ciphers. Know how to break Russian ciphers 2. Use only well-established proven methods 3. Hire 50,000 mathematicians 4. Cooperate with an industry giant 5. Keep as much as possible secret. Know nothing about cryptology 2. Think of revolutionary ideas 3. Go for skiing 4. Publish in Scientific American 5. Offer a $00 award for breaking the cipher 2

3

Challenge published in Scientific American 977 Ciphertext: 9686 963 7546 2206 477 409 2225 4355 8829 0575 999 245 743 9874 695 2093 086 2982 254 5708 3569 347 6622 8839 8962 803 399 9055 829 945 578 545 Public key: N = 438625757 8888676692357799764 6620028296722423625625684293 57069352457338978305972356395870 50589890754759929002687954354 e = 9007 Award $00 (29 decimal digits) 4

Rivest estimation - 977 The best known algorithm for factoring a 29-digit number requires: 40 000 trilion years = 40 0 5 years assuming the use of a supercomputer being able to perform multiplication of 29 decimal digit numbers in ns Rivest s assumption translates to the delay of a single logic gate» 0 ps Estimated age of the universe: 00 bln years = 0 years Lehmer Sieve Bicycle chain sieve [D. H. Lehmer, 928] Computer Museum, Mountain View, CA 5

Machine à Congruences [E. O. Carissan, 99] Supercomputer Cray Computer Museum, Mountain View, CA 6

Early records in factoring large numbers Years 974 Number of decimal digits 45 Number of bits 49 Required computational power (in MIPS-years) 0.00 984 7 235 0. 99 00 332 7 992 0 365 75 993 20 398 830 Number of bits vs. number of decimal digits 0 #digits = 2 #bits #digits = (log 0 2) #bits» 0.30 #bits 256 bits = 77 D 384 bits = 6 D 52 bits = 54 D 768 bits = 23 D 024 bits = 308 D 2048 bits = 66 D 7

How to factor for free? A. Lenstra & M. Manasse, 989 Using the spare time of computers, (otherwise unused) Program and results sent by e-mail (later using WWW) Practical implementations of attacks Factorization, RSA Year Number of bits of N Number of decimal digits of N Method Estimated amount of computations 994 430 29 QS 5000 MIPS-years 996 433 30 GNFS 750 MIPS-years 998 467 40 GNFS 2000 MIPS-years 999 467 40 GNFS 8000 MIPS-years 8

Breaking RSA-29 When: Who: How: August 993 - April, 994, 8 months D. Atkins, M. Graff, A. K. Lenstra, P. Leyland + 600 volunteers from the entire world 600 computers from Cray C90, through 6 MHz PC, to fax machines Only 0.03% computational power of the Internet Results of cryptanalysis: The magic words are squeamish ossifrage An award of $00 donated to Free Software Foundation Elements affecting the progress in factoring large numbers computational power computer networks better algorithms 977-993 increase of about 500 times Internet 9

RSA as a trap-door one-way function PUBLIC KEY M C = f(m) = M e mod N C M = f - (C) = C d mod N PRIVATE KEY N = P Q P, Q - large prime numbers e d º mod ((P-)(Q-)) RSA keys PUBLIC KEY PRIVATE KEY { e, N } { d, P, Q } N = P Q P, Q - large prime numbers e d º mod ((P-)(Q-)) 0

Why does RSA work? ()? M = C d mod N = (M e mod N) d mod N = M decrypted message original message e d º mod ((P-)(Q-)) e d º mod j(n) Euler s totient function Euler s totient (phi) function () j(n) - number of integers in the range from to N- that are relatively prime with N Special cases:. P is prime j(p) = P- Relatively prime with P:, 2, 3,, P- 2. N = P Q P, Q are prime j(n) = (P-) (Q-) Relatively prime with N: {, 2, 3,, P Q-} {P, 2P, 3P,, (Q-)P} {Q, 2Q, 3Q,, (P-)Q}

Euler s totient (phi) function (2) Special cases: 3. N = P 2 P is prime j(n) = P (P-) Relatively prime with N: {, 2, 3,, P 2 -} {P, 2P, 3P,, (P-)P} In general If N = P e P e2 2 P e3 3 P et t t j(n) = Õ P i ei- (P i -) i= The first 000 values of φ(n) 2

Euler s Theorem Leonard Euler, 707-783 " a: gcd(a, N) = a j(n) º (mod N) Euler s Theorem - Justification () For N=0 For arbitrary N R = {, 3, 7, 9} R = {x, x 2,, x j(n) } Let a=3 S = { 3 mod 0, 3 3 mod 0, 3 7 mod 0, 3 9 mod 0 } = {3, 9,, 7} Let us choose arbitrary a, such that gcd(a, N) = S = {a x mod N, a x 2 mod N,, a x j(n) mod N} = rearranged set R 3

Euler s Theorem - Justification (2) For N=0 R = S x x 2 x 3 x 4 º (a x ) (a x 2 ) (a x 3 ) (a x 4 ) mod N x x 2 x 3 x 4 º a 4 x x 2 x 3 x 4 mod N a 4 º (mod N) For arbitrary N j(n) Õ i= j(n) Õ i= R = S j(n) x i º Õ a x i (mod N) i= j(n) x i º a j(n) Õ x i (mod N) i= a j(n) º (mod N) Why does RSA work? (2) M = C d mod N = (M e mod N) d mod N = = M e d mod N = e d º mod j(n) e d = + k j(n) = = M +k j(n) mod N = M (M j(n) ) k mod N = = M (M j(n) mod N) k mod N = = M k mod N = M 4

Efficient encryption and decryption Number of bits vs. number of decimal digits 0 #digits = 2 #bits #digits = (log 0 2) #bits» 0.30 #bits 256 bits = 77 D 384 bits = 6 D 52 bits = 54 D 768 bits = 23 D 024 bits = 308 D 2048 bits = 66 D 5

How to perform exponentiation efficiently? Y = X E mod N = X X X X X X X mod N E-times E may be in the range of 2 024» 0 308 Problems: Solutions:. huge storage necessary to store X E before reduction 2. amount of computations infeasible to perform. modulo reduction after each multiplication 2. clever algorithms 200 BC, India, Chandah-Sûtra Exponentiation: Y = X E mod N Right-to-left binary exponentiation Left-to-right binary exponentiation E = (e L-, e L-2,, e, e 0 ) 2 Y = ; S = X; for i=0 to L- { if (e i == ) Y = Y S mod N; S = S 2 mod N; } Y = ; for i=l- downto 0 { Y = Y 2 mod N; if (e i == ) Y = Y X mod N; } 6

Right-to-left binary exponentiation Y = X E mod N E = (e L-, e L-2,, e, e 0 ) 2 S: X X 2 mod N X 4 mod N X 8 mod N X 2 L- mod N E: e 0 e e 2 e 3 e L- e Y = X 0 e (X 2 mod N) (X 4 e mod N) 2 e (X 8 3 mod N) (X 2 L- e L- mod N) (X a ) b = X ab X a X b = X a+b Y = X e 0 + 2 e + 4 e 2 + 8 e 3 + + 2 L- e L- mod N = L- å e i 2 i i=0 = X = X E mod N Right-to-left binary exponentiation: Example S: X X 2 mod N X 4 mod N X 8 mod N X 6 mod N E: e 0 e e 2 e 3 e 4 0 0 Y = X X 2 mod N X 6 mod N = = X 9 mod N Y = 3 9 mod E = 9 = 6 + 2 + = (00) 2 3 3 2 mod =9 9 2 mod = 4 4 2 mod = 5 5 2 mod = 3 3 9 3 mod (27 mod ) 3 mod = 5 3 mod = 4 7

Left-to-right binary exponentiation Y = X E mod N E = (e L-, e L-2,, e, e 0 ) 2 E: e L- e L-2 e L-3 e e 0 Y = ((...((( 2 e X L- ) 2 e L-2 X ) 2 e L-3 e X ) 2. ) 2 e X ) 2 0 X mod N (X a ) b = X ab X a X b = X a+b Y = X (e L- 2 + e L-2 ) 2 + e L-3 ) 2 +. + e ) 2 + e 0 mod N = å e i 2 i = X 2L- e L- + 2 L-2 e L-2 + 2 L-3 e L-3 + +2 e +e 0 i=0 mod N = X = = X E mod N L- Left-to-right binary exponentiation: Example Y = 3 9 mod E = 9 = 6 + 2 + = (00) 2 E: e 4 e 3 e 2 e e 0 0 0 Y = ((...((( 2 X ) 2 ) 2 ) 2 X) 2 X mod N = (((3 2 mod ) ) 2 mod ) 2 mod 3) 2 mod 3 mod = (8 mod ) 2 mod 3) 2 mod 3 mod = = (5 3) 2 mod 3 mod = = 4 2 mod 3 mod = = 5 3 mod = 4 Y = (X 8 X ) 2 X mod N = X 9 mod N 8

Exponentiation Example: Y = 7 2 mod Right-to-left binary exponentiation e = 2 = ( 0 0) 2 Left-to-right binary exponentiation Right-to-Left Binary Exponentiation in Hardware X E enable Y S MUL SQR output 9

Left-to-Right Binary Exponentiation in Hardware Y X Control Logic E MUL output Basic Operations of RSA Encryption C ciphertext L < k e public key exponent = M mod N plaintext public key modulus k-bits k-bits k-bits Decryption M plaintext L=k d = C mod ciphertext private key exponent N private key modulus k-bits k-bits k-bits 20

Time of Exponentiation in Software t EXP (e, L, k) = #modular_multiplications(e, L) t MULMOD (k) e, L e=3 2 4 e = F 4 = 2 + #modular_multiplications 2 7 3 large random L-bit e L + #ones(e)» L 2 t MULMOD (k) - time of a single modular multiplication of two k-bit numbers modulo a k-bit number t MULMOD (k) = c sm k 2 Time of Exponentiation in Hardware t EXP (L, k) = L t MULMOD (k) t MULMOD (k) - time of a single modular multiplication of two k-bit numbers modulo a k-bit number t MULMOD (k) = c hm k 2

Algorithms for Modular Multiplication Multiplication Paper-and-pencil q(k 2 ) Karatsuba q(k 3/2 ) Schönhage-Strassen (FFT) Modular Reduction q(k ln(k)) Multiplication combined with modular reduction Montgomery algorithm q(k 2 ) classical Barrett q(k 2 ) the same complexity as underlying multiplication Selby-Mitchell q(k 2 ) Paper-and-Pencil Algorithm of Multiplication word = l bytes = l bits A n- A n-2... A A 0 A x B n- B n-2... B B 0 B Assertion: 2 words + + + lg 2 n l D 0 = A 0 B 0 D = A 0 B + A B 0 + D 2 = A 0 B 2 + A B + A 2 B 0 + D 2n-2 2 words 3 words D 2n-4 D 2n-3..... D 2 3 words D 2n-4 = A n-3 B n- + A n-2 B n-2 + A n- B n-3 D 2n-3 = A n-2 B n- + A n- B n-2 D 2n-2 = A n- B n- D D 0 C 2n- C 2n-2... C n+ C n C n- C n-2... C C 0 C 22

Classical Algorithm of Modular Reduction x m x 2n- x 2n-2 x 2n-3... x n-... x x 0 : m n- m n-2... m 0 q n- m q n- = x 2n-b+ x 2n-2 m n- q n- = q n- + e e = 0,, 2 x 2n-2 x 2n-3... x n-... x x 0 : m n- m n-2... m 0 x 2n-3... x n-... x x 0 q n-2 = x 2n-2b+ x 2n-3 m n- q n-2 = q n-2 + e e = 0,, 2....... x n-... x x 0 Effect of the increase in the computer speed on the speed of encryption and decryption in RSA to keep the same security computer speed operand size encryption/decryption speed 23

Decryption using Chinese Remainder Theorem M d = C mod N C P = C mod P d P = d mod (P-) C Q = C mod Q d Q = d mod (Q-) d P d Q M P = C P mod P M Q = C Q mod Q where M = M P R Q + M Q R P mod N R P = (P - mod Q) P = P Q- mod N R Q = (Q - mod P) Q= Q P- mod N Let and Chinese Remainder Theorem N = n n 2 n 3... n M for any i, j gcd(n i, n j ) = Then, any number 0 A N- can be represented uniquely by A «(a = A mod n, a 2 = A mod n 2,, a M = A mod n M ) A can be reconstructed from (a, a 2,, a M ) using equation M A = å (a i N i (N - i mod n i )) mod N where N N i = = n i i= = n n 2... n i- n i+... n M 24

Chinese Remainder Theorem for N=P Q N = P Q gcd(p, Q) = M «(M p = M mod P, M Q = M mod Q) M = M P N P N P - mod P + M Q N Q N Q - mod Q mod N = M P Q ((Q - ) mod P) + M Q P ((P - ) mod Q) mod N = = M P R Q + M Q R P mod N Concealment of messages in the RSA cryptosystem Blakley, Borosh, 979 There exist messages that are not changed by the RSA encryption! For example: M= C = e mod N = M=0 C = 0 e mod N = 0 M=N-º- mod N C = (-) e mod N = - Every M such that M P = M mod P Î {, 0, -} M Q = M mod Q Î {, 0, -} C P = C mod P = (M e mod N) mod P = M e mod P = M Pe mod P = M P C Q = C mod Q = (M e mod N) mod Q = M e mod Q = M Qe mod Q = M Q 25

Concealment of messages in the RSA cryptosystem At least 9 messages not concealed by RSA! Blakley, Borosh, 979 Number of messages not concealed by RSA: s = ( + gcd(e-, P-)) ( + gcd(e-, Q-)) A. e=3 s = 9 B. gcd(e-, P-) = 2 and gcd(e-, Q-) = 2 s = 9 C. gcd(e-, P-) = P- and gcd(e-, Q-) = Q- s = P Q=N It is possible that all messages remain unconcealed by RSA! Optimal Assymetric Encryption Padding () Coding >68 bits 00000000 message SEED Bellare-Rogaway MASK(SEED) masked_message MASK(masked_message) masked_message masked_seed 26

Optimal Assymetric Encryption Padding (2) Decoding Bellare-Rogaway masked_message masked_seed MASK(masked_message) SEED MASK(SEED) 00000000 message >68 bits RSA Key Generation 27

prime number generation Generation of the RSA keys e P, Q Typically e = 2 6 + gcd(e, P-) = gcd(e, Q-) = gcd(e-, P-) = 2 gcd(e-, Q-) = 2 Extended Euclid s algorithm N = P Q d = e - mod (P-) (Q-) RSA as a trap-door one-way function PUBLIC KEY M C = f(m) = M e mod N C M = f - (C) = C d mod N PRIVATE KEY N = P Q P, Q - large prime numbers e d º mod ((P-)(Q-)) 28

Concealment of messages in the RSA cryptosystem At least 9 messages not concealed by RSA! Blakley, Borosh, 979 Number of messages not concealed by RSA: s = ( + gcd(e-, P-)) ( + gcd(e-, Q-)) A. e=3 s = 9 B. gcd(e-, P-) = 2 and gcd(e-, Q-) = 2 s = 9 C. gcd(e-, P-) = P- and gcd(e-, Q-) = Q- s = P Q=N It is possible that all messages remain unconcealed by RSA! Random search Random vs. Incremental Search primes Incremental search numbers tested for primality starting point chosen at random 29

Is there a sufficent number of primes to choose from? p(x) - the number of primes smaller than x 0 x p(x) = x ln(x) p(x) primes x 0 00 p(x) 0 50 4.3 0 97 2.9 0 47 0 300.4 0 297 Number of bits vs. number of decimal digits 0 #digits = 2 #bits #digits = (log 0 2) #bits» 0.30 #bits 256 bits = 77 D 384 bits = 6 D 52 bits = 54 D 768 bits = 23 D 024 bits = 308 D 536 bits = 462 D 2048 bits = 66 D 30

Is there a sufficent number of primes of the given bit length to choose from? p k - the number of primes of the size of k-bits 0 2 k- 2 k p k primes p k = p(2 k ) - p(2 k- )»» 0.5 p(2 k )»» p(2 k- ) k 52 024 536 p k 4 0 5 2.5 0 305 2.3 0 459 Average distance between primes of the given bit length () primes 2 k- 2 k Average distance between two consecutive primes Average distance (k)» 2 k - 2 k- p k» 2 k- p(2 k- )» ln 2 k-»» 0.69 (k-) 3

Average distance between primes of the given bit length (2) Number of bits k 256 384 52 024 536 Average distance between primes 77 265 354 709 064 Average amount of odd numbers to test 88 32 77 355 532 Euler s Theorem Leonard Euler, 707-783 " a: gcd(a, N) = a j(n) º (mod N) 32

Fermat s Theorem Pierre de Fermat, 60?-665 " N prime a: gcd(a, N) = a N- º (mod N) Fermat primality test 33

Fermat primality test n composite L(n) Liars to the compositness of n W(n) Witnesses to the compositness of n {..n-} a Î W(n) iff a n- º mod n n composite Carmichael number Carmichael Numbers L(n) Liars to the compositness of n W(n) Witnesses to the compositness of n {..n-} W(n) = {a: a n, gcd(a, n)>} L(n) = j(n) W(n) = n-j(n) 34

Carmichael Numbers A composite integer is a Carmichael number iff k ³ 3 n= p p 2 p 3 p k p i are distinct primes, p i ¹p j for i ¹j "p i (p i -) (n-) Smallest Carmichael number n = 56 = 3 7 Among all numbers smaller or equal to 0 5 There are about 3 0 3 prime numbers 0 5 Carmichael numbers Good probabilistic primality test n composite L(n) Liars to the compositness of n W(n) Witnesses to the compositness of n {..n-} " n composite W(n) ³ L(n) If a Î W(n) test returns n composite else test returns n probably prime or n pseudoprime to the base a 35

Miller-Rabin test n composite L(n) Strong liars to the compositness of n W(n) Strong witnesses to the compositness of n {..n-} " n composite L(n) j(n)/4 < (n-)/4 Miller-Rabin test n composite L(n), n- Strong liars to the compositness of n W(n) Strong witnesses to the compositness of n For certain composite numbers, such as n = 3 5 7... (2k+) there are only two strong liars: and n- {..n-} 36

Miller-Rabin test Mathematical Basis If n is prime then has only two square roots modulo n i.e., there are only two numbers, y and y 2, such that y 2 mod n = and y 22 mod n = y = and y 2 =n-º- mod n If n is composite then has at least four square roots modulo n i.e., there exist numbers, y, y 2, y 3, y 4, such that y 2 mod n =, y 22 mod n =, y 32 mod n =, y 42 mod n =, y =, y 2 =n-º- mod n, y 3 º ± mod n, y 4 º ± mod n Miller-Rabin test Algorithm () Find s and r, such that For example: n - = 2 s r, where r is odd n = 49 n - = 48 = 2 4 3 s=4, r=3 n = 6 n- = 60 = 2 2 5 s=2, r=5 37

Miller-Rabin test Algorithm (2) Compute a n- mod n = ( ((a r mod n) 2 mod n) 2 mod n ) 2 mod n = s squarings square mod n a r (a r ) 2 (a r ) 2 2 (a r ) 2 3... (a r ) 2 s- (a r ) 2 s mod n square root mod n Miller-Rabin test Algorithm (3) square mod n a r (a r ) 2 (a r ) 2 2 (a r ) 2 3... (a r ) 2 s- (a r ) 2 s mod n Case A: Case B: Case C: Case D: Case E: X º ± mod n square root mod n X X - X X - X X X X X X result of test probably prime or composite? 38

Miller-Rabin test Algorithm (3) square mod n a r (a r ) 2 (a r ) 2 2 (a r ) 2 3... (a r ) 2 s- (a r ) 2 s mod n Case A: Case B: Case C: Case D: Case E: X º ± mod n square root mod n X X - X X - X X X X X X result of test n composite n composite probably prime or composite? Miller-Rabin test 39

Minimal number of the Miller-Rabin tests t, necessary to obtain the probability of error < 2-00 for a k-bit number n k t k t k t 60 34 202-208 23 335-360 2 6-63 33 209-25 22 36-392 64-66 32 26-222 2 393-430 0 67-69 3 223-23 20 43-479 9 70-73 30 232-24 9 480-542 8 74-77 29 242-252 8 543-626 7 78-8 28 253-264 7 627-746 6 82-85 27 265-278 6 747-926 5 86-90 26 279-294 5 927-4 232 9-95 25 295-33 4 233-3 853 96-20 24 34-334 3 over 853 2 Minimal number of the Miller-Rabin tests, t, for relatively small numbers n 40

Random search Random vs. Incremental Search primes Incremental search numbers tested for primality starting point chosen at random Using division by small primes primes numbers tested D D D D D D D D D D D D D D D D D R 2 D Division by small primes R 2 Miller-Rabin test with base 2 R Miller-Rabin test with the random base a R 2 R R R R R 4

Merten s Theorem The proportion of candidate odd integers NOT ruled out by the trial division by all primes B a(b) = (-/3) (-/5) (-/7) (-/B) a(b)».2 / ln B For B=256, a(b)» 0.2 80% of tested numbers discarded by the trial division Incremental search for a prime Efficient implementation of division by small primes Set of small primes n 0 = 9 3 5 7 n 0 mod 3 = n 0 mod 5 = n 0 mod 7 = 0 n 0 mod = 3 n = 93 +2 mod 3= 0 +2 mod 5= 3 0+2 mod 7= 2 3+2 mod = 5 n = 95 0+2 mod 3= 2 3+2 mod 5= 0 2+2 mod 7= 4 5+2 mod = 7 n = 97 2+2 mod 3= 0+2 mod 5= 2 4+2 mod 7= 6 7+2 mod = 9 n = 99 +2 mod 3= 0 2+2 mod 5= 4 6+2 mod 7= 9+2 mod = 0 n =0 0+2 mod 3= 2 4+2 mod 5= +2 mod 7= 3 0+2 mod = 2 42

Division by small primes Practical implementation (2) 9 93 95 97 99 0 03 05 07 09 3 5 7 9 2 3 5 7 3 7 5 3 3 5 7 3 3 S[k] 0 0 0 0 0 0 43