ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation
Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
Trap-door one-way function Whitfield Diffie and Martin Hellman New directions in cryptography, 1976 PUBLIC KEY X f(x) Y f -1 (Y) PRIVATE KEY
Professional (NSA) vs. amateur (academic) approach to designing ciphers 1. Know how to break Russian ciphers 2. Use only well-established proven methods 3. Hire 50,000 mathematicians 4. Cooperate with an industry giant 5. Keep as much as possible secret 1. Know nothing about cryptology 2. Think of revolutionary ideas 3. Go for skiing 4. Publish in Scientific American 5. Offer a $100 award for breaking the cipher
Challenge published in Scientific American Ciphertext: 9686 9613 7546 2206 1477 1409 2225 4355 8829 0575 9991 1245 7431 9874 6951 2093 0816 2982 2514 5708 3569 3147 6622 8839 8962 8013 3919 9055 1829 9451 5781 5145 Public key: N = 114381625757 88886766923577997614 661201021829672124236256256184293 570693524573389783059712356395870 5058989075147599290026879543541 e = 9007 Award $100 (129 decimal digits) 1977
Rivest estimation - 1977 The best known algorithm for factoring a 129-digit number requires: 40 000 trilion years = 40 10 15 years assuming the use of a supercomputer being able to perform 1 multiplication of 129 decimal digit numbers in 1 ns Rivest s assumption translates to the delay of a single logic gate» 10 ps Estimated age of the universe: 100 bln years = 10 11 years
Lehmer Sieve Bicycle chain sieve [D. H. Lehmer, 1928] Computer Museum, Mountain View, CA
Machine à Congruences [E. O. Carissan, 1919]
Supercomputer Cray Computer Museum, Mountain View, CA
Early records in factoring large numbers Years 1974 Number of decimal digits 45 Number of bits 149 Required computational power (in MIPS-years) 0.001 1984 71 235 0.1 1991 100 332 7 1992 110 365 75 1993 120 398 830
Number of bits vs. number of decimal digits 10 #digits = 2 #bits #digits = (log 10 2) #bits» 0.30 #bits 256 bits = 77 D 384 bits = 116 D 512 bits = 154 D 768 bits = 231 D 1024 bits = 308 D 2048 bits = 616 D
How to factor for free? A. Lenstra & M. Manasse, 1989 Using the spare time of computers, (otherwise unused) Program and results sent by e-mail (later using WWW)
Practical implementations of attacks Factorization, RSA Year Number of bits of N Number of decimal digits of N Method Estimated amount of computations 1994 430 129 QS 5000 MIPS-years 1996 433 130 GNFS 750 MIPS-years 1998 467 140 GNFS 2000 MIPS-years 1999 467 140 GNFS 8000 MIPS-years
Breaking RSA-129 When: Who: How: August 1993 - April 1, 1994, 8 months D. Atkins, M. Graff, A. K. Lenstra, P. Leyland + 600 volunteers from the entire world 1600 computers from Cray C90, through 16 MHz PC, to fax machines Only 0.03% computational power of the Internet Results of cryptanalysis: The magic words are squeamish ossifrage An award of $100 donated to Free Software Foundation
Elements affecting the progress in factoring large numbers computational power 1977-1993 increase of about 1500 times computer networks Internet better algorithms
RSA as a trap-door one-way function PUBLIC KEY M C = f(m) = M e mod N C M = f -1 (C) = C d mod N PRIVATE KEY N = P Q P, Q - large prime numbers e d º 1 mod ((P-1)(Q-1))
RSA keys PUBLIC KEY PRIVATE KEY { e, N } { d, P, Q } N = P Q P, Q - large prime numbers e d º 1 mod ((P-1)(Q-1))
Why does RSA work? (1)? M = C d mod N = (M e mod N) d mod N = M decrypted message original message e d º 1 mod ((P-1)(Q-1)) e d º 1 mod j(n) Euler s totient function
Euler s totient (phi) function (1) j(n) - number of integers in the range from 1 to N-1 that are relatively prime with N Special cases: 1. P is prime j(p) = P-1 Relatively prime with P: 1, 2, 3,, P-1 2. N = P Q P, Q are prime j(n) = (P-1) (Q-1) Relatively prime with N: {1, 2, 3,, P Q-1} {P, 2P, 3P,, (Q-1)P} {Q, 2Q, 3Q,, (P-1)Q}
Euler s totient (phi) function (2) Special cases: 3. N = P 2 P is prime j(n) = P (P-1) Relatively prime with N: {1, 2, 3,, P 2-1} {P, 2P, 3P,, (P-1)P} In general If N = P e1 1 P e2 2 P e3 3 P et t t j(n) = Õ P i ei-1 (P i -1) i=1
The first 1000 values of φ(n)
Euler s Theorem Leonard Euler, 1707-1783 " a j(n) º 1 (mod N) a: gcd(a, N) = 1
Euler s Theorem - Justification (1) For N=10 For arbitrary N R = {1, 3, 7, 9} R = {x 1, x 2,, x j(n) } Let a=3 S = { 3 1 mod 10, 3 3 mod 10, 3 7 mod 10, 3 9 mod 10 } = {3, 9, 1, 7} Let us choose arbitrary a, such that gcd(a, N) = 1 S = {a x 1 mod N, a x 2 mod N,, a x j(n) mod N} = rearranged set R
Euler s Theorem - Justification (2) For N=10 For arbitrary N R = S R = S x 1 x 2 x 3 x 4 º (a x 1 ) (a x 2 ) (a x 3 ) (a x 4 ) mod N j(n) Õ i=1 j(n) x i º Õ i=1 a x i (mod N) x 1 x 2 x 3 x 4 º a 4 x 1 x 2 x 3 x 4 mod N j(n) Õ i=1 j(n) x i º a j(n) Õ i=1 x i (mod N) a 4 º 1 (mod N) a j(n) º 1 (mod N)
Why does RSA work? (2) M = C d mod N = (M e mod N) d mod N = = M e d mod N = e d º 1 mod j(n) e d = 1 + k j(n) = = M 1+k j(n) mod N = M (M j(n) ) k mod N = = M (M j(n) mod N) k mod N = = M 1 k mod N = M
Efficient encryption and decryption
Number of bits vs. number of decimal digits 10 #digits = 2 #bits #digits = (log 10 2) #bits» 0.30 #bits 256 bits = 77 D 384 bits = 116 D 512 bits = 154 D 768 bits = 231 D 1024 bits = 308 D 2048 bits = 616 D
How to perform exponentiation efficiently? Y = X E mod N = X X X X X X X mod N E-times E may be in the range of 2 1024» 10 308 Problems: Solutions: 1. huge storage necessary to store X E before reduction 2. amount of computations infeasible to perform 1. modulo reduction after each multiplication 2. clever algorithms 200 BC, India, Chandah-Sûtra
Exponentiation: Y = X E mod N Right-to-left binary exponentiation Left-to-right binary exponentiation E = (e L-1, e L-2,, e 1, e 0 ) 2 Y = 1; S = X; for i=0 to L-1 { if (e i == 1) Y = Y S mod N; S = S 2 mod N; } Y = 1; for i=l-1 downto 0 { Y = Y 2 mod N; if (e i == 1) Y = Y X mod N; }
Right-to-left binary exponentiation Y = X E mod N E = (e L-1, e L-2,, e 1, e 0 ) 2 S: X X 2 mod N X 4 mod N X 8 mod N X 2 L-1 mod N E: e 0 e 1 e 2 e 3 e L-1 e 0 e 1 e 2 e 3 L-1 e L-1 Y = X (X 2 mod N) (X 4 mod N) (X 8 mod N) (X 2 mod N) (X a ) b = X ab X a X b = X a+b Y = X e 0 + 2 e 1 + 4 e 2 + 8 e 3 + + 2 L-1 e L-1 mod N = L-1 ei 2 i å i=0 = X = X E mod N
Right-to-left binary exponentiation: Example E = 19 = 16 + 2 + 1 = (10011) 2 S: X X 2 mod N X 4 mod N X 8 mod N X 16 mod N E: e 0 e 1 e 2 e 3 e 4 1 1 0 0 1 Y = X X 2 mod N 1 1 X 16 mod N = = X 19 mod N Y = 3 19 mod 11 3 3 2 mod 11 =9 9 2 mod 11 = 4 4 2 mod 11 = 5 5 2 mod 11 = 3 3 9 1 1 3 mod 11 (27 mod 11) 3 mod 11 = 5 3 mod 11 = 4
Left-to-right binary exponentiation Y = X E mod N E = (e L-1, e L-2,, e 1, e 0 ) 2 E: e L-1 e L-2 e L-3 e 1 e 0 e L-1 e L-2 e L-3 e 1 e 0 Y = ((...(((1 2 X ) 2 X ) 2 X ) 2. ) 2 X ) 2 X mod N (X a ) b = X ab X a X b = X a+b Y = X (e L-1 2 + e L-2 ) 2 + e L-3 ) 2 +. + e 1 ) 2 + e 0 mod N = = X 2L-1 e L-1 + 2 L-2 e L-2 + 2 L-3 e L-3 + +2 e 1 +e 0mod i=0 N = X = = X E mod N L-1 å e i 2 i
Left-to-right binary exponentiation: Example Y = 3 19 mod 11 E = 19 = 16 + 2 + 1 = (10011) 2 E: e 4 e 3 e 2 e 1 e 0 1 0 0 1 1 Y = ((...(((1 2 X ) 2 1 ) 2 1 ) 2 X) 2 X mod N = (((3 2 mod 11) ) 2 mod 11) 2 mod 11 3) 2 mod 11 3 mod 11 = (81 mod 11) 2 mod 11 3) 2 mod 11 3 mod 11 = = (5 3) 2 mod 11 3 mod 11 = = 4 2 mod 11 3 mod 11 = = 5 3 mod 11 = 4 Y = (X 8 X ) 2 X mod N = X 19 mod N
Exponentiation Example: Y = 7 12 mod 11 Right-to-left binary exponentiation Left-to-right binary exponentiation e = 12 = (1 1 0 0) 2
Right-to-Left Binary Exponentiation in Hardware 1 X E enable Y S MUL SQR output
Left-to-Right Binary Exponentiation in Hardware 1 Y X Control Logic E MUL output
Basic Operations of RSA Encryption L < k e public key exponent C ciphertext = M mod plaintext N public key modulus k-bits k-bits k-bits Decryption M plaintext L=k d = C mod ciphertext private key exponent N private key modulus k-bits k-bits k-bits
Time of Exponentiation in Software t EXP (e, L, k) = #modular_multiplications(e, L) t MULMOD (k) e, L e=3 2 4 e = F 4 = 2 + 1 #modular_multiplications 2 17 3 large random L-bit e L + #ones(e)» L 2 t MULMOD (k) - time of a single modular multiplication of two k-bit numbers modulo a k-bit number t MULMOD (k) = c sm k 2
Time of Exponentiation in Hardware t EXP (L, k) = L t MULMOD (k) t MULMOD (k) - time of a single modular multiplication of two k-bit numbers modulo a k-bit number t MULMOD (k) = c hm k
Algorithms for Modular Multiplication Multiplication Paper-and-pencil q(k 2 ) Karatsuba q(k 3/2 ) Schönhage-Strassen (FFT) q(k ln(k)) Multiplication combined with modular reduction Montgomery algorithm q(k 2 ) Modular Reduction classical Barrett q(k 2 ) the same complexity as underlying multiplication Selby-Mitchell q(k 2 )
Paper-and-Pencil Algorithm of Multiplication 1 word = l bytes = l bits A n-1 A n-2... A 1 A 0 A x B n-1 B n-2... B 1 B 0 B Assertion: 2 words lg 2 n l D 0 = A 0 B 0 D 1 = A 0 B 1 + A 1 B 0 + D 1 D 0 D 2 = A 0 B 2 + A 1 B 1 + A 2 B 0 + D 2 3 words..... 3 words + + + D 2n-3 D 2n-2 2 words D 2n-4 D 2n-4 = A n-3 B n-1 + A n-2 B n-2 + A n-1 B n-3 D 2n-3 = A n-2 B n-1 + A n-1 B n-2 D 2n-2 = A n-1 B n-1 C 2n-1 C 2n-2... C n+1 C n C n-1 C n-2... C 1 C 0 C
Classical Algorithm of Modular Reduction x m x 2n-1 x 2n-2 x 2n-3... x n-1... x 1 x 0 : m n-1 m n-2... m 0 q n-1 m q n-1 = x 2n-1b+ x 2n-2 m n-1 q n-1 = q n-1 + e e = 0, 1, 2 x 2n-2 x 2n-3... x n-1... x 1 x 0 : m n-1 m n-2... m 0 x 2n-3... x n-1... x 1 x 0 q n-2 = x 2n-2b+ x 2n-3 m n-1 q n-2 = q n-2 + e e = 0, 1, 2....... x n-1... x 1 x 0
Effect of the increase in the computer speed on the speed of encryption and decryption in RSA to keep the same security computer speed operand size encryption/decryption speed
Decryption using Chinese Remainder Theorem M d = C mod N C P = C mod P d P = d mod (P-1) C Q = C mod Q d Q = d mod (Q-1) = d P d Q M P C P mod P M Q = C Q mod Q where M = M P R Q + M Q R P mod N R P = (P -1 mod Q) P = P Q-1 mod N R Q = (Q -1 mod P) Q= Q P-1 mod N
Let Chinese Remainder Theorem N = n 1 n 2 n 3... n M and for any i, j gcd(n i, n j ) = 1 Then, any number 0 A N-1 can be represented uniquely by A «(a 1 = A mod n 1, a 2 = A mod n 2,, a M = A mod n M ) A can be reconstructed from (a 1, a 2,, a M ) using equation M A = å (a i N i (N -1 i mod n i )) mod N where N i = N = n i i=1 = n 1 n 2... n i-1 n i+1... n M
Chinese Remainder Theorem for N=P Q N = P Q gcd(p, Q) = 1 M «(M p = M mod P, M Q = M mod Q) M = M P N P N P -1 mod P + M Q N Q N Q -1 mod Q mod N = M P Q ((Q -1 ) mod P) + M Q P ((P -1 ) mod Q) mod N = = M P R Q + M Q R P mod N
Concealment of messages in the RSA cryptosystem Blakley, Borosh, 1979 There exist messages that are not changed by the RSA encryption! For example: M=1 C = 1 e mod N = 1 M=0 C = 0 e mod N = 0 M=N-1º-1 mod N C = (-1) e mod N = -1 Every M such that M P = M mod P Î {1, 0, -1} M Q = M mod Q Î {1, 0, -1} C P = C mod P = (M e mod N) mod P = M e mod P = M Pe mod P = M P C Q = C mod Q = (M e mod N) mod Q = M e mod Q = M Qe mod Q = M Q
Concealment of messages in the RSA cryptosystem At least 9 messages not concealed by RSA! Blakley, Borosh, 1979 Number of messages not concealed by RSA: s = (1 + gcd(e-1, P-1)) (1 + gcd(e-1, Q-1)) A. e=3 s = 9 B. gcd(e-1, P-1) = 2 and gcd(e-1, Q-1) = 2 s = 9 C. gcd(e-1, P-1) = P-1 and gcd(e-1, Q-1) = Q-1 s = P Q=N It is possible that all messages remain unconcealed by RSA!
Optimal Assymetric Encryption Padding (1) Coding >168 bits Bellare-Rogaway 000000001 message SEED MASK(SEED) masked_message MASK(masked_message) masked_message masked_seed
Optimal Assymetric Encryption Padding (2) Decoding Bellare-Rogaway masked_message masked_seed MASK(masked_message) SEED MASK(SEED) 000000001 message >168 bits
RSA Key Generation
prime number generation Generation of the RSA keys e Typically e = 2 16 + 1 P, Q gcd(e, P-1) = 1 gcd(e, Q-1) = 1 gcd(e-1, P-1) = 2 gcd(e-1, Q-1) = 2 Extended Euclid s algorithm N = P Q d = e -1 mod (P-1) (Q-1)
RSA as a trap-door one-way function PUBLIC KEY M C = f(m) = M e mod N C M = f -1 (C) = C d mod N PRIVATE KEY N = P Q P, Q - large prime numbers e d º 1 mod ((P-1)(Q-1))
Concealment of messages in the RSA cryptosystem At least 9 messages not concealed by RSA! Blakley, Borosh, 1979 Number of messages not concealed by RSA: s = (1 + gcd(e-1, P-1)) (1 + gcd(e-1, Q-1)) A. e=3 s = 9 B. gcd(e-1, P-1) = 2 and gcd(e-1, Q-1) = 2 s = 9 C. gcd(e-1, P-1) = P-1 and gcd(e-1, Q-1) = Q-1 s = P Q=N It is possible that all messages remain unconcealed by RSA!
Random vs. Incremental Search Random search primes Incremental search numbers tested for primality starting point chosen at random
Is there a sufficent number of primes to choose from? p(x) - the number of primes smaller than x 0 x p(x) = x ln(x) p(x) primes x 10 100 p(x) 10 150 4.3 10 97 2.9 10 147 10 300 1.4 10 297
Number of bits vs. number of decimal digits 10 #digits = 2 #bits #digits = (log 10 2) #bits» 0.30 #bits 256 bits = 77 D 384 bits = 116 D 512 bits = 154 D 768 bits = 231 D 1024 bits = 308 D 1536 bits = 462 D 2048 bits = 616 D
Is there a sufficent number of primes of the given bit length to choose from? p k - the number of primes of the size of k-bits 0 2 k-1 2 k p k primes p k = p(2 k ) - p(2 k-1 )»» 0.5 p(2 k )»» p(2 k-1 ) k 512 1024 1536 p k 4 10 151 2.5 10 305 2.3 10 459
Average distance between primes of the given bit length (1) primes 2 k-1 2 k Average distance between two consecutive primes Average distance (k)» 2 k - 2 k-1 p k» 2 k-1 p(2 k-1 )» ln 2 k-1»» 0.69 (k-1)
Average distance between primes of the given bit length (2) Number of bits k 256 384 512 1024 1536 Average distance between primes 177 265 354 709 1064 Average amount of odd numbers to test 88 132 177 355 532
Euler s Theorem Leonard Euler, 1707-1783 " a j(n) º 1 (mod N) a: gcd(a, N) = 1
Fermat s Theorem Pierre de Fermat, 1601?-1665 " N prime a: gcd(a, N) = 1 a N-1 º 1 (mod N)
Fermat primality test
Fermat primality test n composite L(n) Liars to the compositness of n W(n) Witnesses to the compositness of n {1..n-1} a Î W(n) iff a n-1 º 1 mod n
n composite Carmichael number Carmichael Numbers L(n) Liars to the compositness of n W(n) Witnesses to the compositness of n {1..n-1} W(n) = {a: 1 a n, gcd(a, n)>1} L(n) = j(n) W(n) = n-j(n)
Carmichael Numbers A composite integer is a Carmichael number iff k ³ 3 n= p 1 p 2 p 3 p k p i are distinct primes, p i ¹p j for i ¹j "p i (p i -1) (n-1) Smallest Carmichael number n = 561 = 3 11 17 Among all numbers smaller or equal to 10 15 There are about 3 10 13 prime numbers 10 5 Carmichael numbers
Good probabilistic primality test n composite L(n) Liars to the compositness of n W(n) Witnesses to the compositness of n {1..n-1} " n composite W(n) ³ L(n) If a Î W(n) test returns n composite else test returns n probably prime or n pseudoprime to the base a
Miller-Rabin test n composite L(n) Strong liars to the compositness of n W(n) Strong witnesses to the compositness of n {1..n-1} " n composite L(n) j(n)/4 < (n-1)/4
Miller-Rabin test n composite L(n) Strong liars to the compositness of n 1, n-1 W(n) Strong witnesses to the compositness of n For certain composite numbers, such as n = 3 5 7... (2k+1) there are only two strong liars: 1 and n-1 {1..n-1}
Miller-Rabin test Mathematical Basis If n is prime then 1 has only two square roots modulo n i.e., there are only two numbers, y 1 and y 2, such that y 12 mod n = 1 and y 22 mod n = 1 y 1 =1 and y 2 =n-1º-1 mod n If n is composite then 1 has at least four square roots modulo n i.e., there exist numbers, y 1, y 2, y 3, y 4, such that y 12 mod n = 1, y 22 mod n = 1, y 32 mod n = 1, y 42 mod n = 1, y 1 =1, y 2 =n-1º-1 mod n, y 3 º ± 1 mod n, y 4 º ± 1 mod n
Miller-Rabin test Algorithm (1) Find s and r, such that For example: n - 1 = 2 s r, where r is odd n = 49 n - 1 = 48 = 2 4 3 s=4, r=3 n = 61 n-1 = 60 = 2 2 15 s=2, r=15
Miller-Rabin test Algorithm (2) Compute a n-1 mod n = ( ((a r mod n) 2 mod n) 2 mod n ) 2 mod n = 1 s squarings square mod n a r (a r ) 2 (a r ) 2 2 (a r ) 2 3... (a r ) 2 s-1 (a r ) 2 s mod n square root mod n
Miller-Rabin test Algorithm (3) square mod n a r (a r ) 2 (a r ) 2 2 (a r ) 2 3... (a r ) 2 s-1 (a r ) 2 s mod n Case A: Case B: Case C: Case D: Case E: square root mod n 1 1 1 1 1 1 X X -1 1 1 1 X X 1 1 1 1-1 1 1 1 1 1 X X X X X X result of test X º ± 1 mod n probably prime or composite?
Miller-Rabin test Algorithm (3) square mod n a r (a r ) 2 (a r ) 2 2 (a r ) 2 3... (a r ) 2 s-1 (a r ) 2 s mod n Case A: Case B: Case C: Case D: Case E: square root mod n 1 1 1 1 1 1 X X -1 1 1 1 X X 1 1 1 1-1 1 1 1 1 1 X X X X X X result of test n composite n composite X º ± 1 mod n probably prime or composite?
Miller-Rabin test
Minimal number of the Miller-Rabin tests t, necessary to obtain the probability of error < 2-100 for a k-bit number n k t k t k t 160 34 202-208 23 335-360 12 161-163 33 209-215 22 361-392 11 164-166 32 216-222 21 393-430 10 167-169 31 223-231 20 431-479 9 170-173 30 232-241 19 480-542 8 174-177 29 242-252 18 543-626 7 178-181 28 253-264 17 627-746 6 182-185 27 265-278 16 747-926 5 186-190 26 279-294 15 927-4 1232 191-195 25 295-313 14 1233-3 1853 196-201 24 314-334 13 over 1853 2
Minimal number of the Miller-Rabin tests, t, for relatively small numbers n
Random vs. Incremental Search Random search primes Incremental search numbers tested for primality starting point chosen at random
Using division by small primes primes numbers tested D D D D D D D D D D D D D D D D D R 2 D Division by small primes R 2 Miller-Rabin test with base 2 R Miller-Rabin test with the random base a R 2 R R R R R
Merten s Theorem The proportion of candidate odd integers NOT ruled out by the trial division by all primes B a(b) = (1-1/3) (1-1/5) (1-1/7) (1-1/B) a(b)» 1.12 / ln B For B=256, a(b)» 0.2 80% of tested numbers discarded by the trial division
Incremental search for a prime Efficient implementation of division by small primes Set of small primes n 0 = 91 3 5 7 11 n 0 mod 3 = 1 n 0 mod 5 = 1 n 0 mod 7 = 0 n 0 mod 11 = 3 n = 93 1+2 mod 3= 0 1+2 mod 5= 3 0+2 mod 7= 2 3+2 mod 11= 5 n = 95 0+2 mod 3= 2 3+2 mod 5= 0 2+2 mod 7= 4 5+2 mod 11= 7 n = 97 2+2 mod 3= 1 0+2 mod 5= 2 4+2 mod 7= 6 7+2 mod 11= 9 n = 99 1+2 mod 3= 0 2+2 mod 5= 4 6+2 mod 7= 1 9+2 mod 11= 0 n =101 0+2 mod 3= 2 4+2 mod 5= 1 1+2 mod 7= 3 0+2 mod 11= 2
Division by small primes Practical implementation (2) 91 93 95 97 99 101 103 105 107 109 111 113 115 117 119 121 3 5 7 11 1 1 1 1 1 1 3 1 7 5 1 3 1 1 3 5 11 7 3 1 3 1 1 S[k] 1 1 1 0 1 0 0 1 0 0 1 0 1 1 1 1