ECE297:11 Lecture 12

Similar documents
ECE 646 Lecture 9. RSA: Genesis, operation & security

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, operation & security. Factorization in Software & Hardware. Trap-door one-way function

RSA: Genesis, operation & security. Factoring in Software & Hardware.

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

THE RSA CRYPTOSYSTEM

Attacks on RSA & Using Asymmetric Crypto

RSA. Ramki Thurimella

Public Key Cryptography

Lecture 1: Introduction to Public key cryptography

RSA RSA public key cryptosystem

RSA Cryptosystem and Factorization

Foundations of Network and Computer Security

Analysis of the RSA Encryption Algorithm

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Cryptography. pieces from work by Gordon Royle

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Asymmetric Encryption

Public-Key Cryptosystems CHAPTER 4

8.1 Principles of Public-Key Cryptosystems

Elliptic Curve Cryptography

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem

9 Knapsack Cryptography

Elliptic Curve Cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Chapter 8 Public-key Cryptography and Digital Signatures

CIS 551 / TCOM 401 Computer and Network Security

Introduction to Modern Cryptography. Benny Chor

Introduction to Cryptography. Lecture 8

10 Public Key Cryptography : RSA

Public Key Encryption

Topics in Cryptography. Lecture 5: Basic Number Theory

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

My brief introduction to cryptography

Introduction to Cryptography. Lecture 6

Public-key Cryptography and elliptic curves

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture V : Public Key Cryptography

Cryptography IV: Asymmetric Ciphers

Algorithmic Number Theory and Public-key Cryptography

CRYPTOGRAPHY AND NUMBER THEORY

Number Theory & Modern Cryptography

Factoring integers, Producing primes and the RSA cryptosystem. December 14, 2005

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

One can use elliptic curves to factor integers, although probably not RSA moduli.

Implementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction

Mathematics of Public Key Cryptography

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Lecture Notes, Week 6

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Mathematics of Cryptography

Public Key Algorithms

Public Key Cryptography

Ma/CS 6a Class 3: The RSA Algorithm

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Is It As Easy To Discover As To Verify?

Public-key Cryptography and elliptic curves

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Ti Secured communications

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Solution to Midterm Examination

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Public Key Cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Factorization of RSA 140 Using the Number Field Sieve

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Efficiency of RSA Key Factorization by Open-Source Libraries and Distributed System Architecture

Lecture 6: Cryptanalysis of public-key algorithms.,

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Quantum Computing 101. ( Everything you wanted to know about quantum computers but were afraid to ask. )

Factoring and RSA Codes using DERIVE Johann Wiesenbauer, Technical Univ. of Vienna,

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Number Theory for Asymmetric Crypto

Public-Key Encryption: ElGamal, RSA, Rabin

On the factorization of RSA-120. T. Denny 1, B. Dodson 2, A. K. Lenstra 3, M. S. Manasse 4

Introduction to Modern Cryptography. Benny Chor

Week 7 An Application to Cryptography

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

CPSC 467b: Cryptography and Computer Security

I. Introduction. MPRI Cours Lecture IIb: Introduction to integer factorization. F. Morain. Input: an integer N; Output: N = k

Other Public-Key Cryptosystems

NUMBER THEORY FOR CRYPTOGRAPHY

An Introduction to Cryptography

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Discrete mathematics I - Number theory

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Powers in Modular Arithmetic, and RSA Public Key Cryptography

Public Key Cryptography

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

Question: Total Points: Score:

Discrete logarithm and related schemes

Introduction. What is RSA. A Guide To RSA by Robert Yates. Topics

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Transcription:

ECE297:11 Lecture 12 RSA Genesis, operation & security Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob 1

Trap-door one-way function Whitfield Diffie and Martin Hellman New directions in cryptography, 1976 PUBLIC KEY X f(x) Y f -1 (Y) PRIVATE KEY Professional (NSA) vs. amateur (academic) approach to designing ciphers 1. Know how to break Russian ciphers 2. Use only well-established proven methods 3. Hire 50,000 mathematicians 4. Cooperate with an industry giant 5. Keep as much as possible secret 1. Know nothing about cryptology 2. Think of revolutionary ideas 3. Go for skiing 4. Publish in Scientific American 5. Offer a $100 award for breaking the cipher 2

Challenge published in Scientific American 1977 Ciphertext: 9686 9613 7546 2206 1477 1409 2225 4355 8829 0575 9991 1245 7431 9874 6951 2093 0816 2982 2514 5708 3569 3147 6622 8839 8962 8013 3919 9055 1829 9451 5781 5145 Public key: N = 114381625757 88886766923577997614 661201021829672124236256256184293 570693524573389783059712356395870 5058989075147599290026879543541 e = 9007 Award 100 $ (129 decimal digits) RSA as a trap-door one-way function PUBLIC KEY M C = f(m) = M e mod N C M = f -1 (C) = C d mod N PRIVATE KEY N = P Q P, Q - large prime numbers e d 1 mod ((P-1)(Q-1)) 3

RSA keys PUBLIC KEY PRIVATE KEY { e, N } { d, P, Q } N = P Q P, Q - large prime numbers e d 1 mod ((P-1)(Q-1)) Why does RSA work? (1)? M = C d mod N = (M e mod N) d mod N = M decrypted message original message e d 1 mod ((P-1)(Q-1)) e d 1 mod ϕ(n) Euler s totient function 4

Euler s totient (phi) function (1) M(N) - number of integers in the range from 1 to N-1 that are relatively prime with N Special cases: 1. P is prime ϕ(p) = P-1 Relatively prime with P: 1, 2, 3,, P-1 2. N = P Q P, Q are prime ϕ(n) = (P-1) (Q-1) Relatively prime with N: {1, 2, 3,, P Q-1} {P, 2P, 3P,, (Q-1)P} {Q, 2Q, 3Q,, (P-1)Q} Euler s totient (phi) function (2) Special cases: 3. N = P 2 P is prime ϕ(n) = P (P-1) Relatively prime with N: {1, 2, 3,, P 2-1} {P, 2P, 3P,, (P-1)P} In general If N = P e1 1 P e2 2 P e3 3 P et t t ϕ(n) = P i ei-1 (P i -1) i=1 5

Euler s Theorem Leonard Euler, 1707-1783 a: gcd(a, N) = 1 a M(N) { 1 (mod N) Euler s Theorem - Justification (1) For N=10 For arbitrary N R = {1, 3, 7, 9} R = {x 1, x 2,, x M(N) } Let a=3 Let us choose arbitrary a, such that gcd(a, N) = 1 S = { 3 1 mod 10, 3 3 mod 10, 3 7 mod 10, 3 9 mod 10 } S = {a x 1 mod N, a x 2 mod N,, a x ϕ(n) mod N} = {3, 9, 1, 7} = rearranged set R 6

Euler s Theorem - Justification (2) For N=10 R = S x 1 x 2 x 3 x 4 (a x 1 ) (a x 2 ) (a x 3 ) (a x 4 ) mod N x 1 x 2 x 3 x 4 a 4 x 1 x 2 x 3 x 4 mod N a 4 1 (mod N) For arbitrary N ϕ(n) i=1 ϕ(n) i=1 R = S ϕ(n) x i i=1 a x i (mod N) ϕ(n) x i a ϕ(n) x i (mod N) i=1 a ϕ(n) 1 (mod N) Why does RSA work? (2) M = C d mod N = (M e mod N) d mod N = = M e d mod N = e d 1 mod ϕ(n) e d = 1 + k ϕ(n) = = M 1+k ϕ(n) mod N = M (M ϕ(n) ) k mod N = = M (M ϕ(n) mod N) k mod N = = M 1 k mod N = M 7

Rivest estimation - 1977 The best known algorithm for factoring a 129-digit number requires: 40 000 trilion years = 40 10 15 years assuming the use of a supercomputer being able to perform 1 multiplication of 129 decimal digit numbers in 1 ns Rivest s assumption translates to the delay of a single logic gate 10 ps Estimated age of the universe: 100 bln years = 10 11 years Early records in factoring large numbers Years 1974 Number of decimal digits 45 Number of bits 149 Required computational power (in MIPS-years) 0.001 1984 71 235 0.1 1991 100 332 7 1992 110 365 75 1993 120 398 830 8

How to factor for free? A. Lenstra & M. Manasse, 1989 Using the spare time of computers, (otherwise unused) Program and results sent by e-mail (later using WWW) Practical implementations of attacks Factorization, RSA Year Number of bits of N Number of decimal digits of N Method Estimated amount of computations 1994 430 129 QS 5000 MIPS-years 1996 433 130 GNFS 750 MIPS-years 1998 467 140 GNFS 2000 MIPS-years 1999 467 140 GNFS 8000 MIPS-years 9

Breaking RSA-129 When: Who: How: August 1993-1 April 1994, 8 months D. Atkins, M. Graff, A. K. Lenstra, P. Leyland + 600 volunteers from the entire world 1600 computers from Cray C90, through 16 MHz PC, to fax machines Only 0.03% computational power of the Internet Results of cryptanalysis: The magic words are squeamish ossifrage An award of 100 $ donated to Free Software Foundation Elements affecting the progress in factoring large numbers computational power computer networks x better algorithms 1977-1993 increase of about 1500 times Internet 10

Factoring methods General purpose Time of factoring depends only on the size of N Special purpose Time of factoring is much shorter if N or factors of N are of the special form GNFS - General Number Field Sieve QS - Quadratic Sieve Continued Fraction Method (historical) ECM - Elliptic Curve Method Pollard s p-1 method Cyclotomic polynomial method SNFS - Special Number Field Sieve Running time of factoring algorithms L q [α, c] = exp ((c+o(1)) (ln q) α (ln ln q) 1- α ) For D=0 L q [0, c] = (ln q) (c+o(1)) For D=1 L q [1, c] = exp((c+o(1)) (ln q)) For 0 < D < 1 Algorithm polynomial as a function of the number of bits of q Algorithm exponential as a function of the number of bits of q Algorithm subexponential as a function of the number of bits of q f(n) = o(1) if for any positive constant c>0 there exist a constant n 0 >0, such that 0 f(n) < c, for all n n 0 11

General purpose factoring methods Expected running time QS NFS L N [1/2, 1] = exp((1 + o(1)) (ln N) 1/2 )) (ln ln N) 1/2 ) L N [1/3, 1.92] = exp((1.92 + o(1)) (ln N) 1/3 )) (ln ln N) 2/3 ) QS more efficient NFS more efficient 100D 110D 120D 130D size of the factored number N in decimal digits (D) RSA Challenge RSA-100 RSA-110 RSA-120 RSA-130 RSA-140 RSA-150 RSA-160 RSA-170 RSA-180... RSA-450 RSA-460 RSA-470 RSA-480 RSA-490 RSA-500 Smallest unfactored number RSA-150 Unused awards accumulate at a rate of $1750 / quarter 12

Factoring 512-bit number 512 bits = 155 decimal digits old standard for key sizes in RSA 17 March - 22 August 1999 Group of Herman te Riele Centre for Mathematics and Computer Science (CWI), Amsterdam First stage 2 months 168 workstations SGI and Sun, 175-400 MHz 120 Pentium PC, 300-450 MHz, 64 MB RAM 4 stations Digital/Compaq, 500 MHz Second stage Cray C916-10 days, 2.3 GB RAM TWINKLE The Weizmann INstitute Key Locating Engine Adi Shamir, Eurocrypt, May 1999 CHES, August 1999 Electrooptical device capable to speed-up the first phase of factorization from 100 to 1000 times If ever built it would increase the size of the key that can be broken from 100 to 200 bits Cost of the device (assuming that the prototype was earlier built) - $5000 13

Recommended key sizes for RSA Old standard: Individual users New standard: Individual users Organizations (short term) Organizations (long term) 512 bits (155 decimal digits) 768 bits (231 decimal digits) 1024 bits (308 decimal digits) 2048 bits (616 decimal digits) Keylengths in public key cryptosystems that provide the same level of security as AES and other secret-key ciphers Arjen K. Lenstra, Eric R. Verheul Selecting Cryptographic Key Sizes Journal of Cryptology Arjen K. Lenstra Unbelievable Security: Matching AES Security Using Public Key Systems ASIACRYPT 2001 14

RSA vs. DES: Resistance to attack Number of operations in the best known attack N DES 1/50 N DES DES (56-bit key) 512-bit RSA 18000 16000 14000 12000 10000 8000 6000 4000 2000 Keylengths in RSA providing the same level of security as selected secret-key cryptosystems 0 DES The same cost The same number of operations 2426 2644 3224 1723 1941 416 620 1333 3 DES (2 keys) 3 DES (3 keys) 7918 6897 13840 15387 AES-128 AES-192 AES-256 15

18000 16000 14000 12000 10000 8000 6000 4000 2000 Keylengths in RSA providing the same level of security as selected secret-key cryptosystems 0 AES-256 AES-192 AES-128 3 DES (3K) 3 DES (2K) DES 2001 2010 2020 2030 year Practical progress in factorization March 2002, Financial Cryptography Conference Nicko van Someren, CTO ncipher Inc. announced that his company developed software capable of breaking 512-bit RSA key within 6 weeks using computers available in a single office 16

Bernstein s Machine (1) Fall 2001 Daniel Bernstein, professor of mathematics at University of Illinois in Chicago submits a grant application to NSF and publishes fragments of this application as an article on the web D. Bernstein, Circuits for Integer Factorization: A Proposal http://cr.yp.to/papers.html#nfscircuit Bernstein s Machine (2) March 2002 Bernstein s article discovered during Financial Cryptography Conference Informal panel devoted to analysis of consequences of the Bernstein s discovery Nicko Van Someren (ncipher) estimates that machine costing $ 1 bilion is able to break 1024-bit RSA within several minuts 17

Bernstein s Machine (3) March 2002 alarming voices on e-mailing discussion lists calling for revocation of all currently used 1024-bit keys sensational articles in newspapers about Bernstein s discovery April 2002 Bernstein s Machine (4) Response of the RSA Security Inc.: Error in the estimation presented at the conference; according to formulas from the Bernstein s article machine costing $ 1 billion is able to break 1024-bit RSA within 10 billion x several minuts = tens of years According to estimations of Lenstra i Verheul, machine breaking 1024-bit RSA within one day would cost $ 160 billion in 2002 18

Bernstein s Machine (5) Carl Pomerance, Bell Labs: fresh and fascinating idea... Arjen Lenstra, Citibank & U. Eindhoven: I have no idea what is this all fuss about... Bruce Schneier, Counterpane:... enormous improvements claimed are more a result of redefining efficiency than anything else... Bernstein s Machine (6) 3 RSA keylength that can be broken using Bernstein s machine RSA key lengths that can be broken using classical computers 2 1???? $ 1 bln*1 day $ 1000 bln*1 day infinity Computational cost = time [days] * memory [$] 19

Lentgh of N in bits 576 640 704 768 896 1024 1536 2048 RSA Challange Length of N in decimal digits 174 193 212 232 270 309 463 617 Award for factorization $10,000 $20,000 $30,000 $50,000 $75,000 $100,000 $150,000 $200,000 Estimation of RSA Security Inc. regarding the number and memory of PCs necessary to break RSA-1024 Attack time: Single machine: 1 year PC, 500 MHz, 170 GB RAM Number of machines: 342,000,000 20

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback