
The RSA Algorithm

JooSeok Song
2007. 11. 13. Tue

Private-Key Cryptography
• traditional private/secret/single-key cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed, communications are compromised
• also is symmetric, parties are equal
• hence does not protect sender from receiver forging a message & claiming it is sent by sender

CCLAB

Public-Key Cryptography
• probably most significant advance in the 3000 year history of cryptography
• uses two keys – a public & a private key
• asymmetric since parties are not equal
• uses clever application of number theoretic concepts to function
• complements rather than replaces private key crypto

Public-Key Cryptography
• public-key/two-key/asymmetric cryptography involves the use of two keys:
– a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
– a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• is asymmetric because
– those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-Key Cryptography

Why Public-Key Cryptography?
• developed to address two key issues:
– key distribution – how to have secure communications in general without having to trust a KDC with your key
– digital signatures – how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
– known earlier in classified community

Public-Key Characteristics
• Public-Key algorithms rely on two keys with the characteristics that it is:
– computationally infeasible to find decryption key knowing only algorithm & encryption key
– computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
– either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)

Public-Key Cryptosystems


Public-Key Applications
• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange (of session keys)

• some algorithms are suitable for all uses, others are specific to one

Security of Public Key Schemes
• like private key schemes, brute force exhaustive search attack is always theoretically possible
• but keys used are too large (>512 bits)
• security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
• more generally the hard problem is known, it's just made too hard to do in practice
• requires the use of very large numbers
• hence is slow compared to private key schemes

Cryptography Outline
Introduction: terminology, cryptanalysis, security
Primitives:
– one-way functions
– one-way trapdoor functions
– one-way hash functions
Protocols: digital signatures, key exchange, ..
Private-Key Algorithms: Rijndael, DES
Public-Key Algorithms: Knapsack, RSA, ElGamal, …
Case Studies: Kerberos, Digital Cash

Primitives: One-Way Functions
(Informally): A function Y = f(x) is one-way if it is easy to compute y from x but “hard” to compute x from y
Building block of most cryptographic protocols
And, the security of most protocols rely on their existence.
Unfortunately, not known to exist. This is true even if we assume P ≠ NP.

One-way functions: possible definition
1. $F(x)$ is polynomial time
2. $F^{-1}(x)$ is NP-hard
What is wrong with this definition?

One-way functions: better definition
For most x no single PPT (probabilistic polynomial time) algorithm can compute x given y
Roughly: at most a $1/|x|^k$ fraction of instances x are easy for any k and as $|x| \to \infty$
This definition can be used to make the probability of hitting an easy instance arbitrarily small.

Some examples (conjectures)
Factoring: x = (u,v), y = f(u,v) = u*v
If u and v are prime it is hard to recover them from y.
Discrete Log: $y = g^x \bmod p$ where p is prime and g is a “generator” (i.e., $g^1, g^2, g^3, \ldots$ generates all values < p).
DES with known message m: $y = \mathrm{DES}_x(m)$
This would assume a family of DES functions of increasing key size (for asymptotics)

One-way functions in public-key protocols
y = ciphertext, m = plaintext, k = public key
Consider: $y = E_k(m)$ (i.e., $f = E_k$)
Everyone knows k and thus f
$E_k(m)$ needs to be easy
$E_k^{-1}(y)$ should be hard
Otherwise eavesdropper could decrypt y.
But what about the intended recipient, who should be able to decrypt y?

One-way functions in private-key protocols
y = ciphertext, m = plaintext, k = key
Is $y = E_k(m)$ (i.e., $f = E_k$) a one-way function with respect to y and m?
f is not easy to compute unless k is known
So what do one-way functions have to do with private-key protocols?

One-way functions in private-key protocols
y = ciphertext, m = plaintext, k = key
How about $y = E_k(m) = E(k,m) = E_m(k)$ (i.e., $f = E_m$): should this be a one-way function?
In a known-plaintext attack we know a (y,m) pair.
The m along with E defines f
$E_m(k)$ needs to be easy
$E_m^{-1}(y)$ should be hard
Otherwise we could extract the key k.

One-Way Trapdoor Functions
A one-way function with a “trapdoor”
The trapdoor is a key that makes it easy to invert the function y = f(x)
Example: RSA (conjecture)
$y = x^e \bmod n$
Where n = pq (p, q prime, e random)
p or q or d (where ed = 1 mod (p-1)(q-1)) can be used as trapdoors
In public-key algorithms
f(x) = public key (e.g., e and n in RSA)
Trapdoor = private key (e.g., p, q, d in RSA)

One-way Hash Functions
Y = h(x) where
– y is a fixed length independent of the size of x. In general this means h is not invertible since it is many to one.
– Calculating y from x is easy
– Calculating any x such that y = h(x) given y is hard
Used in digital signatures and other protocols.

RSA
• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field over integers modulo a prime
– nb. exponentiation takes $O((\log n)^3)$ operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
– nb. factorization takes $O(e^{\log n \log\log n})$ operations (hard)

RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random: p, q
• computing their system modulus $N = p \cdot q$
– note $\phi(N) = (p-1)(q-1)$
• selecting at random the encryption key e
• where $1 < e < \phi(N)$, $\gcd(e, \phi(N)) = 1$
• solve following equation to find decryption key d
– $e \cdot d = 1 \bmod \phi(N)$ and $0 \le d \le N$
• publish their public encryption key: KU={e,N}
• keep secret private decryption key: KR={d,p,q}

RSA Use
• to encrypt a message M the sender:
– obtains public key of recipient KU={e,N}
– computes: $C = M^e \bmod N$, where $0 \le M < N$
• to decrypt the ciphertext C the owner:
– uses their private key KR={d,p,q}
– computes: $M = C^d \bmod N$
• note that the message M must be smaller than the modulus N (block if needed)

Prime Numbers
• prime numbers only have divisors of 1 and self
– they cannot be written as a product of other numbers
– note: 1 is prime, but is generally not of interest
• eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
• prime numbers are central to number theory
• list of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

Prime Factorisation
• to factor a number n is to write it as a product of other numbers: n = a × b × c
• note that factoring a number is relatively hard compared to multiplying the factors together to generate the number
• the prime factorisation of a number n is when it's written as a product of primes
– eg. 91 = 7×13 ; $3600 = 2^4 \times 3^2 \times 5^2$

Relatively Prime Numbers & GCD
• two numbers a, b are relatively prime if have no common divisors apart from 1
– eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor
• conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers
– eg. $300 = 2^1 \times 3^1 \times 5^2$, $18 = 2^1 \times 3^2$, hence $\mathrm{GCD}(18,300) = 2^1 \times 3^1 \times 5^0 = 6$

Fermat's Theorem
• $a^{p-1} \bmod p = 1$
– where p is prime and gcd(a,p)=1
• also known as Fermat’s Little Theorem
• useful in public key and primality testing

Euler Totient Function $\phi(n)$
• when doing arithmetic modulo n
• complete set of residues is: 0..n-1
• reduced set of residues is those numbers (residues) which are relatively prime to n
– eg for n=10,
– complete set of residues is {0,1,2,3,4,5,6,7,8,9}
– reduced set of residues is {1,3,7,9}
• number of elements in reduced set of residues is called the Euler Totient Function $\phi(n)$

Euler Totient Function $\phi(n)$
• to compute $\phi(n)$ need to count number of elements to be excluded
• in general need prime factorization, but
– for p (p prime) $\phi(p) = p-1$
– for $p \cdot q$ (p,q prime) $\phi(p \cdot q) = (p-1)(q-1)$
• eg.
– $\phi(37) = 36$
– $\phi(21) = (3-1) \times (7-1) = 2 \times 6 = 12$

Euler's Theorem
• a generalisation of Fermat's Theorem
• $a^{\phi(N)} \bmod N = 1$
– where gcd(a,N)=1
• eg.
– a=3; n=10; $\phi(10)=4$;
– hence $3^4 = 81 = 1 \bmod 10$
– a=2; n=11; $\phi(11)=10$;
– hence $2^{10} = 1024 = 1 \bmod 11$

Why RSA Works
• because of Euler's Theorem:
• $a^{\phi(N)} \bmod N = 1$
– where gcd(a,N)=1
• in RSA have:
– $N = p \cdot q$
– $\phi(N) = (p-1)(q-1)$
– carefully chosen e & d to be inverses mod $\phi(N)$
– hence $e \cdot d = 1 + k \cdot \phi(N)$ for some k
• hence:
$C^d = (M^e)^d = M^{1 + k \cdot \phi(N)} = M^1 \cdot (M^{\phi(N)})^k = M^1 \cdot (1)^k = M^1 = M \bmod N$

RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq = 17×11 = 187
3. Compute $\phi(n)$ = (p–1)(q-1) = 16×10 = 160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160. Value is d=23 since 23×7=161= 10×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}

RSA Example cont
• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88<187)
• encryption: $C = 88^7 \bmod 187 = 11$
• decryption: $M = 11^{23} \bmod 187 = 88$

Exponentiation
• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• concept is based on repeatedly squaring base
• and multiplying in the ones that are needed to compute the result
• look at binary representation of exponent
• only takes $O(\log_2 n)$ multiples for number n
– eg. $7^5 = 7^4 \cdot 7^1 = 3 \cdot 7 = 10 \bmod 11$
– eg. $3^{129} = 3^{128} \cdot 3^1 = 5 \cdot 3 = 4 \bmod 11$
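A left-to-right version of the square and multiply algorithm described above, added here as an illustration (not code from the slides). It also returns how many squarings and multiplications were performed, so the operation count can be compared with the exponent's bit length; the function name and return shape are assumptions of this example.

```python
def square_and_multiply(base, exponent, modulus):
    """Compute base**exponent mod modulus by scanning the exponent's bits.

    Returns (result, squarings, multiplications).
    """
    if exponent < 0 or modulus < 1:
        raise ValueError("exponent must be >= 0 and modulus >= 1")
    result = 1 % modulus
    squarings = multiplications = 0
    for bit in bin(exponent)[2:]:          # most significant bit first
        result = (result * result) % modulus
        squarings += 1
        if bit == "1":
            # Extra multiply only for 1-bits: this data-dependent branch is
            # the kind of "IF" the timing attack slide refers to.
            result = (result * base) % modulus
            multiplications += 1
    return result, squarings, multiplications

def naive_multiplications(exponent):
    """Multiplications needed when multiplying the base in one step at a time."""
    return max(exponent - 1, 0)

if __name__ == "__main__":
    for b, e, n in [(7, 5, 11), (3, 129, 11), (88, 7, 187), (11, 23, 187)]:
        value, sq, mul = square_and_multiply(b, e, n)
        print(f"{b}^{e} mod {n} = {value}: {sq} squarings + {mul} multiplies "
              f"(naive: {naive_multiplications(e)})")
```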

Exponentiation

RSA Key Generation
• users of RSA must:
– determine two primes at random: p, q
– select either e or d and compute the other
• primes p, q must not be easily derived from modulus $N = p \cdot q$
– means must be sufficiently large
– typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse algorithm to compute the other

RSA Security
• three approaches to attacking RSA:
– brute force key search (infeasible given size of numbers)
– mathematical attacks (based on difficulty of computing $\phi(N)$, by factoring modulus N)
– timing attacks (on running of decryption)

Factoring Problem
• mathematical approach takes 3 forms:
– factor $N = p \cdot q$, hence find $\phi(N)$ and then d
– determine $\phi(N)$ directly and find d
– find d directly
• currently believe all equivalent to factoring
– have seen slow improvements over the years
• as of Aug-99 best is 130 decimal digits (512) bit with GNFS
– biggest improvement comes from improved algorithm
• cf “Quadratic Sieve” to “Generalized Number Field Sieve”
– barring dramatic breakthrough 1024+ bit RSA secure
• ensure p, q of similar size and matching other constraints

Timing Attacks
• developed in mid-1990’s
• exploit timing variations in operations
– eg. multiplying by small vs large number
– or IF's varying which instructions executed
• infer operand size based on time taken
• RSA exploits time taken in exponentiation
• countermeasures
– use constant exponentiation time
– add random delays
– blind values used in calculations
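The third countermeasure, blinding the value that is exponentiated, sketched with the toy key from the RSA example (added illustration, not code from the slides). The helper names and the optional fixed r parameter are assumptions of this example; Python integers are not constant-time, so this shows the arithmetic of blinding only.

```python
import secrets
from math import gcd

def pick_blinding_factor(n):
    """Fresh random r in 2..n-1 that is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def blinded_decrypt(c, d, e, n, r=None):
    """RSA decryption where the private exponentiation never sees c itself.

    Returns (m, blinded_input). Passing r is for reproducible demonstrations
    only; in use it must be random and fresh for every decryption.
    """
    if not 0 <= c < n:
        raise ValueError("ciphertext must satisfy 0 <= C < N")
    if r is None:
        r = pick_blinding_factor(n)
    elif gcd(r, n) != 1:
        raise ValueError("blinding factor must be invertible mod N")
    blinded = (c * pow(r, e, n)) % n        # C' = C * r^e mod N
    m_blinded = pow(blinded, d, n)          # (C')^d = M * r mod N
    m = (m_blinded * pow(r, -1, n)) % n     # strip r again (Python 3.8+)
    return m, blinded

def distinct_blinded_inputs(c, d, e, n, runs):
    """How many different values the exponentiation saw for one ciphertext."""
    return len({blinded_decrypt(c, d, e, n)[1] for _ in range(runs)})

if __name__ == "__main__":
    N, E, D = 187, 7, 23                    # toy key from the RSA example slide
    print(blinded_decrypt(11, D, E, N, r=2))
    print(distinct_blinded_inputs(11, D, E, N, 50), "distinct inputs in 50 runs")
```

Because r changes on every call, the timing of the exponentiation is no longer tied to a ciphertext the sender chose or observed.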

Summary
• have considered:
– prime numbers
– Fermat’s and Euler’s Theorems
– Primality Testing
– Chinese Remainder Theorem
– Discrete Logarithms
– principles of public-key cryptography
– RSA algorithm, implementation, security

Assignments
1. Perform encryption and decryption using RSA algorithm, as in Figure 1, for the following:
① p = 3; q = 11, e = 7; M = 5
② p = 5; q = 11, e = 3; M = 9

Figure 1. Example of RSA Algorithm (Encryption: Plaintext 88, $88^7 \bmod 187 = 11$, KU = 7, 187; Decryption: Ciphertext 11, $11^{23} \bmod 187 = 88$, KR = 23, 187; Plaintext 88)

2. In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n = 35. What is the plaintext M?

Introduction
• Discovered by Whitfield Diffie and Martin Hellman
– “New Directions in Cryptography”
• Diffie-Hellman key agreement protocol
– Exponential key agreement
– Allows two users to exchange a secret key
– Requires no prior secrets
– Real-time over an untrusted network

Introduction
• Based on the difficulty of computing discrete logarithms of large numbers.
• No known successful attack strategies*
• Requires two large numbers, one prime (P), and (G), a primitive root of P

Implementation
• P and G are both publicly available numbers
– P is at least 512 bits
• Users pick private values a and b
• Compute public values
– $x = g^a \bmod p$
– $y = g^b \bmod p$
• Public values x and y are exchanged

Implementation
Copyright, 2001 by NetIP, Inc. and Keith Palmgren, CISSP.

Implementation
• Compute shared, private key
– $k_a = y^a \bmod p$
– $k_b = x^b \bmod p$
• Algebraically it can be shown that $k_a = k_b$
– Users now have a symmetric secret key to encrypt

Implementation

Example
• Two Internet users, Alice and Bob wish to have a secure conversation.
– They decide to use the Diffie-Hellman protocol

Example
• Alice and Bob get public numbers
– P = 23, G = 9
• Alice and Bob compute public values
– $X = 9^4 \bmod 23 = 6561 \bmod 23 = 6$
– $Y = 9^3 \bmod 23 = 729 \bmod 23 = 16$
• Alice and Bob exchange public numbers
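The exchange above carried through to the shared key, as an added example (not from the original slides). The private values 4 and 3 are read off the slide's exponents; the function names, the range check on the peer's public value, and the brute-force order computation are assumptions of this illustration. Running it also shows that G = 9 generates only 11 of the 22 nonzero residues mod 23, whereas a primitive root such as 5 generates all 22.

```python
P, G = 23, 9                     # public numbers from the slide

def element_order(g, p):
    """Multiplicative order of g modulo prime p (brute force, toy sizes only)."""
    value, order = g % p, 1
    while value != 1:
        value = (value * g) % p
        order += 1
    return order

def dh_public(private, g=G, p=P):
    """Public value g^private mod p that is sent to the peer."""
    return pow(g, private, p)

def dh_shared(peer_public, private, p=P):
    """Shared key peer_public^private mod p.

    Added check: values 0, 1 and p-1 would force a trivially known key,
    so they are rejected before use.
    """
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value outside 2..p-2")
    return pow(peer_public, private, p)

def run_exchange(a, b):
    """Both sides of the protocol; returns (X, Y, Alice's key, Bob's key)."""
    x, y = dh_public(a), dh_public(b)
    return x, y, dh_shared(y, a), dh_shared(x, b)

if __name__ == "__main__":
    print("X, Y, k_a, k_b =", run_exchange(4, 3))
    print("order of G=9 mod 23:", element_order(G, P))
    print("order of 5 mod 23:", element_order(5, P))
```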

Applications
• Diffie-Hellman is currently used in many protocols, namely:
– Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
– Secure Shell (SSH)
– Internet Protocol Security (IPSec)
– Public Key Infrastructure (PKI)

Digital Signature Model

Digital Signature Requirements
• must depend on the message signed
• must use information unique to sender
– to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize & verify
• be computationally infeasible to forge
– with new message for existing digital signature
– with fraudulent digital signature for given message
• be practical to save digital signature in storage

Direct Digital Signatures
• involve only sender & receiver
• assumed receiver has sender’s public-key
• digital signature made by sender signing entire message or hash with private-key
• can encrypt using receiver’s public-key
• important that sign first then encrypt message & signature
• security depends on sender’s private-key

ElGamal Digital Signatures
• signature variant of ElGamal, related to D-H
– so uses exponentiation in a finite (Galois) field
– with security based on difficulty of computing discrete logarithms, as in D-H
• use private key for encryption (signing)
• uses public key for decryption (verification)
• each user (eg. A) generates their key
– chooses a secret key (number): $1 < x_A < q-1$
– compute their public key: $y_A = a^{x_A} \bmod q$

ElGamal Digital Signature
• Alice signs a message M to Bob by computing
– the hash m = H(M), 0 <= m <= (q-1)
– chose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1
– compute temporary key: $S_1 = a^K \bmod q$
– compute $K^{-1}$ the inverse of K mod (q-1)
– compute the value: $S_2 = K^{-1}(m - x_A S_1) \bmod (q-1)$
– signature is: $(S_1, S_2)$
• any user B can verify the signature by computing
– $V_1 = a^m \bmod q$
– $V_2 = y_A^{S_1} S_1^{S_2} \bmod q$
– signature is valid if $V_1 = V_2$

ElGamal Signature Example
• use field GF(19) q=19 and a=10
• Alice computes her key:
– A chooses $x_A = 16$ & computes $y_A = 10^{16} \bmod 19 = 4$
• Alice signs message with hash m=14 as (3,4):
– choosing random K=5 which has gcd(18,5)=1
– computing $S_1 = 10^5 \bmod 19 = 3$
– finding $K^{-1} \bmod (q-1) = 5^{-1} \bmod 18 = 11$
– computing $S_2 = 11(14 - 16 \cdot 3) \bmod 18 = 4$
• any user B can verify the signature by computing
– $V_1 = 10^{14} \bmod 19 = 16$
– $V_2 = 4^3 \cdot 3^4 = 5184 = 16 \bmod 19$
– since 16 = 16 signature is valid
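The signing and verification steps above, run on the example's numbers and then on an altered hash and an altered signature (added example, not from the original slides). The function names and the range check on S1 and S2 before verification are assumptions of this illustration; the hash value m is passed in directly, as on the slide.

```python
from math import gcd

def elgamal_sign(m, x_a, k, a, q):
    """Return (S1, S2) for hash value m, private key x_a and per-message K."""
    if not 0 <= m <= q - 1:
        raise ValueError("hash must satisfy 0 <= m <= q-1")
    if not 1 <= k <= q - 1 or gcd(k, q - 1) != 1:
        raise ValueError("need 1 <= K <= q-1 and gcd(K, q-1) = 1")
    s1 = pow(a, k, q)                           # temporary key S1 = a^K mod q
    k_inv = pow(k, -1, q - 1)                   # K^-1 mod (q-1), Python 3.8+
    s2 = (k_inv * (m - x_a * s1)) % (q - 1)     # S2 = K^-1 (m - xA*S1) mod (q-1)
    return s1, s2

def elgamal_verify(m, signature, y_a, a, q):
    """True when V1 = a^m mod q equals V2 = yA^S1 * S1^S2 mod q."""
    s1, s2 = signature
    # Added check: refuse components outside the ranges signing can produce.
    if not (1 <= s1 <= q - 1 and 0 <= s2 <= q - 2):
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y_a, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2

def slide_example():
    """Values from the GF(19) example: q=19, a=10, xA=16, K=5, m=14."""
    q, a, x_a, k, m = 19, 10, 16, 5, 14
    y_a = pow(a, x_a, q)
    signature = elgamal_sign(m, x_a, k, a, q)
    return y_a, signature, elgamal_verify(m, signature, y_a, a, q)

if __name__ == "__main__":
    y_a, sig, ok = slide_example()
    print("yA =", y_a, "signature =", sig, "valid =", ok)
    print("altered hash accepted:", elgamal_verify(15, sig, y_a, 10, 19))
    print("altered S2 accepted:", elgamal_verify(14, (3, 5), y_a, 10, 19))
```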

Digital Signature Standard (DSS)
• US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
• DSA is digital signature only unlike RSA
• is a public-key technique

DSS vs RSA Signatures

Digital Signature Algorithm (DSA)
• creates a 320 bit signature
• with 512-1024 bit security
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of computing discrete logarithms
• variant of ElGamal & Schnorr schemes

DSA Key Generation
• have shared global public key values (p,q,g):
– choose 160-bit prime number q
– choose a large prime p with $2^{L-1} < p < 2^L$
• where L = 512 to 1024 bits and is a multiple of 64
• such that q is a 160 bit prime divisor of (p-1)
– choose $g = h^{(p-1)/q}$
• where 1<h<p-1 and $h^{(p-1)/q} \bmod p > 1$
• users choose private & compute public key:
– choose random private key: x<q
– compute public key: $y = g^x \bmod p$

DSA Signature Creation
• to sign a message M the sender:
– generates a random signature key k, k<q
– nb. k must be random, be destroyed after use, and never be reused
• then computes signature pair:
$r = (g^k \bmod p) \bmod q$
$s = [k^{-1}(H(M) + xr)] \bmod q$
• sends signature (r,s) with message M

DSA Signature Verification
• having received M & signature (r,s)
• to verify a signature, recipient computes:
$w = s^{-1} \bmod q$
$u_1 = [H(M)w] \bmod q$
$u_2 = (rw) \bmod q$
$v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$
• if v=r then signature is verified
• see Appendix A for details of proof why
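DSA signature creation and verification as given on the two slides above, plus an audit helper for the rule that k is never reused (added example, not from the original slides). The domain values p=23, q=11, g=4, the private key x=7 and the hash values are constructed toy numbers, and all function names are assumptions of this illustration; the hash H(M) is passed in as an integer.

```python
from collections import defaultdict

P, Q, G = 23, 11, 4      # constructed toy domain: Q divides P-1, G = 2^((P-1)/Q) mod P

def dsa_public_key(x, p=P, g=G):
    return pow(g, x, p)                          # y = g^x mod p

def dsa_sign(h, x, k, p=P, q=Q, g=G):
    """Sign hash value h with private key x and per-message key k."""
    if not 0 < k < q:
        raise ValueError("need 0 < k < q")
    r = pow(g, k, p) % q                         # r = (g^k mod p) mod q
    s = (pow(k, -1, q) * (h + x * r)) % q        # s = k^-1 (H(M) + x r) mod q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, sign again with a fresh k")
    return r, s

def dsa_verify(h, signature, y, p=P, q=Q, g=G):
    r, s = signature
    if not (0 < r < q and 0 < s < q):            # reject out-of-range components
        return False
    w = pow(s, -1, q)
    u1, u2 = (h * w) % q, (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p)) % p % q
    return v == r

def find_repeated_r(signatures):
    """Audit (label, (r, s)) pairs from one signer and group labels by repeated r.

    With real 160-bit q, two signatures sharing r means the same k was used
    twice, which the signature creation slide forbids.
    """
    seen = defaultdict(list)
    for label, (r, _s) in signatures:
        seen[r].append(label)
    return {r: labels for r, labels in seen.items() if len(labels) > 1}

if __name__ == "__main__":
    x = 7                                        # constructed private key
    y = dsa_public_key(x)
    log = [("msg1", dsa_sign(5, x, 3)), ("msg2", dsa_sign(9, x, 3)),
           ("msg3", dsa_sign(2, x, 5))]
    print("y =", y, "log =", log)
    print("msg1 verifies:", dsa_verify(5, log[0][1], y))
    print("repeated r:", find_repeated_r(log))
```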

DSS Overview