Public Key Cryptography — RSA

Fajiang Yu, [email protected]
School of Computer, Wuhan University
2013.9

Fajiang Yu (Sch. of Com., WHU) RSA 2013.9 1 / 57

Post on 29-Sep-2020



Page 2

Agenda

1. Public Key Cryptography Introduction
2. RSA Algorithm
3. Proof of RSA Correctness
4. Security Considerations
5. RSA Attack
6. RSA Implementation


Page 4

Public Key Cryptography Introduction

Whitfield Diffie, Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22(6): 644-654, 1976.

Page 5

Public Key Cryptography Introduction
Flow of information in a conventional cryptographic system

The key K is transmitted only to the legitimate receiver via a secure channel. The secure channel cannot be used to transmit P itself, for reasons of capacity or delay.

Page 6

Public Key Cryptography Introduction

Large, secure telecommunications system: a large number of users n, giving (n^2 − n)/2 potential pairs, where anyone may communicate privately with all others.

It is unrealistic that
- a pair of users with no prior acquaintance will be able to wait for a key to be sent by some secure physical means, or that
- keys for all (n^2 − n)/2 pairs can be arranged in advance.

Page 7

Public Key Cryptography Introduction

It is possible to develop systems in which two parties, communicating solely over a public channel and using only publicly known techniques, can create a secure connection.

Two approaches to this problem:
- public key cryptosystems
- public key distribution systems (proposed by Ralph C. Merkle)

Page 8

Public Key Cryptography Introduction

Public Key Cryptosystem: a pair of families {E_K}_{K ∈ {K}} and {D_K}_{K ∈ {K}} of algorithms representing invertible transformations

E_K : {M} → {M}; D_K : {M} → {M}

on a finite message space {M}, such that

1. for every K ∈ {K}, E_K is the inverse of D_K,
2. for every K ∈ {K} and M ∈ {M}, the algorithms E_K and D_K are easy to compute,
3. for almost every K ∈ {K}, each easily computed algorithm equivalent to D_K is computationally infeasible to derive from E_K,
4. for every K ∈ {K}, it is feasible to compute inverse pairs E_K and D_K from K.

Because of the third property, a user's enciphering key E_K can be made public without compromising the security of his secret deciphering key D_K.

one-way function, trap-door one-way function


Page 10

RSA Algorithm

RSA, an algorithm for public-key cryptography. The algorithm was publicly described in the paper

R. L. Rivest, A. Shamir, L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM, 21(2): 120-126, 1978.

Authors:
- Ronald Linn Rivest, born 1947
- Adi Shamir, born 1952, an Israeli cryptographer, one of the inventors of differential cryptanalysis
- Leonard Max Adleman, born 1945

They shared the 2002 Turing Award.

Page 11

RSA Algorithm

Key Generation
1. Choose two random prime numbers p and q, which must be kept secret.
2. Compute n = p · q, which is public.
3. Compute ϕ(n) = (p − 1)(q − 1), which is kept secret.
4. Choose an integer e such that 1 < e < ϕ(n) and gcd(e, ϕ(n)) = 1, i.e. e and ϕ(n) are coprime. e is public.
5. Compute d such that e · d = 1 mod ϕ(n), i.e. d is the multiplicative inverse of e modulo ϕ(n). d is kept secret.

The Encryption Key is the pair of positive integers (e, n).
The Decryption Key is the pair of positive integers (d, n).

Each user makes his encryption key public, and keeps the corresponding decryption key private.

Page 12

RSA Algorithm

First, represent the message as an integer M such that 0 ⩽ M ⩽ n − 1.

Encryption: C = M^e mod n
Decryption: M = C^d mod n


Page 14

Agenda

1. Public Key Cryptography Introduction
2. RSA Algorithm
3. Proof of RSA Correctness
   - Mathematical Preliminary
   - Proof of Correctness
4. Security Considerations
5. RSA Attack
6. RSA Implementation

Page 15

Euler's Theorem

Theorem (Euler's Theorem). If n and a are coprime positive integers, then a^{ϕ(n)} = 1 mod n, where ϕ(n) is Euler's totient function.

Euler's totient function ϕ(n) of a positive integer n is defined to be the number of positive integers less than or equal to n that are coprime to n.

Page 16

Euler's totient function

If n = p^r, where n, p, r are positive integers and p is a prime number, then ϕ(n) = p^r − p^{r−1} = (1 − 1/p) · p^r.

Proof. If a is a positive integer, a ⩽ p^r and gcd(a, p^r) ≠ 1, then a = x · p with x ∈ {1, 2, . . . , p^{r−1}}. So ϕ(n) = p^r − p^{r−1}.

In particular, if p is a prime number, ϕ(p) = p − 1.

Page 17

Fermat's theorem

Theorem (Fermat's little theorem). If p is a prime and a is an integer coprime to p, then a^{p−1} = 1 mod p.

Theorem (Fermat's Last Theorem). No three positive integers a, b, and c can satisfy the equation a^n + b^n = c^n for any integer value of n greater than two.

Page 18

Euler's totient function

Euler's totient function is a multiplicative function: if p and q are positive integers and gcd(p, q) = 1, then ϕ(p · q) = ϕ(p) · ϕ(q).

Theorem (Fundamental Theorem of Arithmetic). Any integer n greater than 1 can be written as a unique product (up to ordering of the factors) of prime numbers, such that

n = p_1 × p_2 × · · · × p_s = p_1^{r_1} × p_2^{r_2} × · · · × p_m^{r_m},

where p_i is a prime number for i ∈ {1, 2, . . . , m, . . . , s}, and p_1 ⩽ p_2 ⩽ · · · ⩽ p_m ⩽ p_s.

So when p, q are prime numbers and n = p · q, ϕ(n) = (p − 1)(q − 1).

Page 19

Goldbach's conjecture

Strong Goldbach's conjecture: Every even integer greater than 2 can be written as the sum of two primes.

Weak Goldbach's conjecture: All odd numbers greater than 7 are the sum of three odd primes.

Theorem (Chen's Theorem). Every sufficiently large even number can be written as the sum of either two primes, or a prime and a semiprime (the product of two primes).

Page 20

Mathematical hard problems

Hilbert's Problems: twenty-three problems in mathematics published by the German mathematician David Hilbert in 1900.

Millennium Prize Problems: seven problems in mathematics that were stated by the Clay Mathematics Institute in 2000. A correct solution to any of the problems results in a US$1,000,000 prize.
- Poincaré conjecture (solved by Grigori Perelman, who declined the award)
- P versus NP problem
- Riemann hypothesis (about the distribution of prime numbers)
- Birch and Swinnerton-Dyer conjecture (associated to an elliptic curve E over a number field K)
- ...


Page 22

Proof of RSA Correctness

Proof: (M^e)^d = M^{ed} = M mod n, or (C^d)^e = C^{ed} = C mod n.

Because ed = 1 mod ϕ(n), ed = tϕ(n) + 1 and M^{ed} = M^{tϕ(n)+1}, where t is an integer.

When gcd(M, n) = 1, by Euler's theorem M^{ϕ(n)} = 1 mod n, so M^{tϕ(n)} = 1 mod n and M^{tϕ(n)+1} = M mod n.

Page 23

Proof of RSA Correctness

Proof (continued):

When gcd(M, n) ≠ 1 and M ∈ {1, 2, . . . , n − 1}, because n = pq, M = ap or M = bq, where a and b are 0 or positive integers. And M ≠ cpq, otherwise M ⩾ n, which contradicts M ∈ {1, 2, . . . , n − 1}.

Suppose M = ap. Because q is a prime and q is not a factor of M, gcd(M, q) = 1, and M^{ϕ(q)} = 1 mod q by Euler's theorem. Further, M^{t(p−1)ϕ(q)} = 1 mod q, i.e. M^{tϕ(n)} = 1 mod q.

Page 24

Proof of RSA Correctness

Proof (continued):

So M^{tϕ(n)} = sq + 1, where s is 0 or a positive integer, and M^{tϕ(n)+1} = sqM + M. Because M = ap, M^{tϕ(n)+1} = sapq + M = san + M, so M^{tϕ(n)+1} = M mod n, i.e. M^{ed} = M mod n.

When gcd(M, n) ≠ 1 and M = 0, M^{ed} = 0 = M mod n.

This completes the proof.
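As an added example (not from the original slides), the five key-generation steps of page 11 and the encryption and decryption formulas of page 12, written out in Python, with a check of the correctness proof over every M in {0, ..., n − 1} of a toy modulus, including the messages with gcd(M, n) ≠ 1 that the second half of the proof handles. The primes 61 and 53 and the public exponent 17 are constructed toy values, far too small for real use.

```python
# Added example: textbook RSA key generation, encryption and decryption
# following the slides' five key-generation steps, plus an exhaustive check
# of decrypt(encrypt(M)) == M for a toy modulus. Not a library: no padding,
# no constant-time arithmetic, toy-sized primes.
from math import gcd


def keygen(p, q, e):
    """Return ((e, n), (d, n)) for given primes p, q and public exponent e."""
    n = p * q                      # step 2: public modulus
    phi = (p - 1) * (q - 1)        # step 3: phi(n), kept secret
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)            # step 5: d = e^{-1} mod phi(n) (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, m):
    e, n = pub
    if not 0 <= m <= n - 1:
        raise ValueError("message must be an integer in [0, n-1]")
    return pow(m, e, n)            # C = M^e mod n


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)            # M = C^d mod n


def roundtrip_all(p, q, e):
    """Does decrypt(encrypt(M)) == M hold for every M in [0, n-1]?

    Returns (all_ok, count_not_coprime); the second value counts the messages
    with gcd(M, n) != 1 (0 and the multiples of p or q), which the Euler-theorem
    argument alone does not cover and the proof treats separately.
    """
    pub, priv = keygen(p, q, e)
    n = pub[1]
    not_coprime = 0
    for m in range(n):
        if gcd(m, n) != 1:
            not_coprime += 1
        if decrypt(priv, encrypt(pub, m)) != m:
            return False, not_coprime
    return True, not_coprime


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)      # constructed toy key: n = 3233
    print(pub, priv)                    # (17, 3233) (2753, 3233)
    c = encrypt(pub, 65)
    print(c, decrypt(priv, c))          # 2790 65
    print(roundtrip_all(61, 53, 17))    # (True, 113)
```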


Page 26

RSA Problem

RSA Problem: computing e-th roots modulo a composite n, i.e. recovering a value M such that C = M^e mod n, where (e, n) is an RSA public key and C is an RSA ciphertext.

Page 27

Computing d

The most promising approach to solving the RSA problem is to compute the secret exponent d from a public key (e, n), then decrypt C using the standard procedure.

- Factoring n to compute ϕ(n), which is the problem of factoring large numbers
- Computing ϕ(n) without factoring n, which is no easier than factoring n
- Determining d without factoring n or computing ϕ(n), which is no easier than factoring n

Solving the RSA problem in some other way?

Page 28

Factoring Large Numbers

Integer factorization or prime factorization is the decomposition of a composite number into smaller non-trivial divisors.

When the numbers are very large, no efficient integer factorization algorithm is known.

Not all numbers of a given length are equally hard to factor. The hardest instances of these problems (for currently known techniques) are semiprimes, the product of two prime numbers.

Page 29

Factoring Large Numbers

(UK) Song Y. Yan (顏松遠), translated by 楊思熳 (Yang Siman) et al. Computational Number Theory, 2nd ed. (original title: Number Theory for Computing, 2nd Edition). Tsinghua University Press (清華大學出版社), 2008.

Song Y. Yan. Number Theory for Computing, Second Edition. Springer, 2002.

Page 30

RSA Problem vs. Problem of Factoring Large Numbers

There are no proofs that large integer factorization is computationally difficult. There are also no proofs that the RSA problem is similarly difficult. The RSA problem might well be easier.

There is strong evidence pointing to this conclusion: a method to break RSA cannot necessarily be converted into a method for factoring large semiprimes.

Page 31

RSA Factoring Challenge

The RSA Factoring Challenge was a challenge put forward by RSA Laboratories in 1991.

The RSA challenges ended in 2007.

RSA-768 (768 bits) was factored in December 2009.


Page 33

Factoring n Attack

Some special factoring algorithms

Choosing p, q:
- large numbers, RSA 1024 or RSA 2048
- p and q are strong primes (definition in cryptography), to avoid Fermat factorization and the cycle attack, etc.
- p and q are both large and about the same size, but not too close, e.g. to avoid Fermat's factorization: for instance, if p − q is less than 2n^{1/4}, solving for p and q is trivial

Page 34

Low Exponent Attack

Encrypting with low encryption exponents (e = 3) and small values of M, the result M^e is less than the modulus n. Such ciphertexts can be decrypted by taking the e-th root of the ciphertext.

If the same plaintext M is encrypted and sent to e or more recipients, and the receivers share the same exponent e but different p, q, and therefore n, then it is easy to get M via the Chinese remainder theorem.

2^16 + 1 = 65537 is a commonly used value for e: a compromise between avoiding low exponent attacks and allowing efficient encryptions.

The private key exponent d should be large enough. If q < p < 2q and d < n^{1/4}/3, then d can be computed efficiently from n and e by Wiener's Attack.
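The key-choice advice on this slide and the previous one, turned into a parameter check (an added example, not from the original slides): given primes p, q and a public exponent e, it reports every weakness the two slides list. It assumes p and q are already known to be prime, the `min_bits` threshold is a hypothetical parameter of this example, and the primes used in the demo are constructed toy values far below the RSA-1024/2048 sizes the slides recommend.

```python
# Added example: a defensive check of (p, q, e) against the weaknesses named
# on the "Factoring n Attack" and "Low Exponent Attack" slides. Assumes p and
# q are prime; primality is not re-verified here.
from math import gcd, isqrt


def iroot4(n):
    """floor(n ** (1/4)) for a non-negative integer, computed exactly."""
    return isqrt(isqrt(n))


def weak_key_reasons(p, q, e, min_bits=1024):
    """Return a list of codes, one per slide-listed weakness found (empty = none)."""
    reasons = []
    n = p * q
    phi = (p - 1) * (q - 1)
    r4 = iroot4(n)
    if n.bit_length() < min_bits:
        reasons.append("modulus_too_short")          # slide: RSA 1024 or 2048
    # "about the same size": equal bit lengths
    if p.bit_length() != q.bit_length():
        reasons.append("p_q_size_mismatch")
    # "not too close": |p - q| < 2 n^(1/4) makes Fermat factorization trivial
    if abs(p - q) < 2 * r4:
        reasons.append("p_q_too_close")
    if gcd(e, phi) != 1:
        reasons.append("e_not_coprime_to_phi")       # no d exists at all
        return reasons
    if e < 65537:
        reasons.append("e_below_65537")              # low-exponent attacks
    d = pow(e, -1, phi)
    # Wiener: with q < p < 2q, d < n^(1/4) / 3 is recoverable from (e, n)
    if 3 * d < r4:
        reasons.append("d_too_small")
    return reasons


if __name__ == "__main__":
    # constructed toy primes, min_bits lowered only so the demo is readable
    print(weak_key_reasons(1000003, 786433, 65537, min_bits=32))   # []
    print(weak_key_reasons(1000003, 999983, 65537, min_bits=32))   # ['p_q_too_close']
    tiny_d = 5
    e_from_tiny_d = pow(tiny_d, -1, (1000003 - 1) * (786433 - 1))
    print(weak_key_reasons(1000003, 786433, e_from_tiny_d, min_bits=32))  # ['d_too_small']
```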

Page 35

Common Modulus Attack

One obvious instance: two encryption exponents e_1 and e_2 are coprime and share one same modulus n.

Attack: the two public key pairs (e_1, n) and (e_2, n) are used to encrypt one message M,

C_1 = M^{e_1} mod n, C_2 = M^{e_2} mod n.

Because gcd(e_1, e_2) = 1, r e_1 + s e_2 = 1 by the extended Euclid algorithm, where r and s are integers, one of them negative; suppose r < 0. Then

(C_1^{−1})^{−r} C_2^{s} = M mod n.

Avoiding the attack: a user group cannot share one common modulus n.

Page 36

Chosen Plaintext Attack

Property: deterministic encryption algorithm.

Attack: encrypt likely plaintexts under the public key and test whether they are equal to the ciphertext.

Semantically Secure: a cryptosystem is called semantically secure if an attacker cannot distinguish two encryptions from each other even if the attacker knows (or has chosen) the corresponding plaintexts.

Padding scheme: Public-Key Cryptography Standards (PKCS), PKCS #1 RSA Cryptography Standard Version 2.1, Optimal Asymmetric Encryption Padding (OAEP), preventing the chosen plaintext attack and the adaptive chosen ciphertext attack.
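An added example (not from the original slides, and not a PKCS #1 library) of the point this slide makes: textbook RSA is deterministic, so anyone holding the public key can confirm a guessed plaintext by re-encrypting it, whereas RSAES-OAEP as specified in PKCS #1 v2.1 (RFC 8017) injects a fresh random seed so that two encryptions of the same message differ. It assumes SHA-256 for both the hash and MGF1, an empty label, and a test-only modulus built from the Mersenne primes 2^521 − 1 and 2^607 − 1 (constructed values of a special form that no real key should have).

```python
# Added example: RSAES-OAEP (PKCS #1 v2.1 / RFC 8017) over textbook RSA, to
# show that padding makes encryption randomized. Test-only key, not a library.
import hashlib
import os

P = 2**521 - 1                          # constructed Mersenne-prime factors
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8           # modulus length in bytes (141)
H_LEN = hashlib.sha256().digest_size    # 32


def mgf1(seed, length):
    """MGF1 with SHA-256: concatenate H(seed || counter) until `length` bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encrypt(msg, label=b""):
    if len(msg) > K - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = hashlib.sha256(label).digest()
    ps = b"\x00" * (K - len(msg) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + msg                # K - H_LEN - 1 bytes
    seed = os.urandom(H_LEN)                        # fresh randomness per call
    masked_db = xor(db, mgf1(seed, K - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    em = b"\x00" + masked_seed + masked_db          # leading 0x00 keeps em < N
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def oaep_decrypt(ct, label=b""):
    if len(ct) != K:
        raise ValueError("decryption error")
    em = pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, K - H_LEN - 1))
    l_hash, rest = db[:H_LEN], db[H_LEN:]
    sep = rest.find(b"\x01")
    # One undifferentiated error for every failure, so the caller cannot learn
    # which part of the padding was wrong (the oracle an adaptive
    # chosen-ciphertext attack on the padding needs).
    if (y != 0 or l_hash != hashlib.sha256(label).digest()
            or sep < 0 or any(rest[:sep])):
        raise ValueError("decryption error")
    return rest[sep + 1:]


def textbook_encrypt(msg):
    """Deterministic RSA: same message, same ciphertext, every time."""
    return pow(int.from_bytes(msg, "big"), E, N).to_bytes(K, "big")


if __name__ == "__main__":
    m = b"constructed sample message"
    print(textbook_encrypt(m) == textbook_encrypt(m))      # True: guessable
    c1, c2 = oaep_encrypt(m), oaep_encrypt(m)
    print(c1 == c2, oaep_decrypt(c1) == m == oaep_decrypt(c2))  # False True
```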

Page 37

Chosen Ciphertext Attack

Property: the product of two ciphertexts is equal to the encryption of the product of the respective plaintexts, i.e. M_1^e M_2^e = (M_1 M_2)^e mod n.

Attack: an attacker knows one ciphertext C and wants to know its corresponding plaintext M. The attacker chooses one random r < n, encrypts r, C_r = r^e mod n; computes C′ = C_r C mod n; asks the holder of the private key to decrypt C′, and gets M′ = C′^d = r^{ed} C^d = r C^d mod n; computes M′ r^{−1} = r r^{−1} C^d = M mod n.

Avoiding the attack:
- Encryption and signing use different key pairs.
- Do not decrypt (sign) any suspicious message.
- Hash first, then sign the message.

Page 38

Other Attacks

Timing attack: the decryption time is correlated to the value of the input ciphertext.

Side-channel analysis attacks


Page 40

Agenda

1. Public Key Cryptography Introduction
2. RSA Algorithm
3. Proof of RSA Correctness
4. Security Considerations
5. RSA Attack
6. RSA Implementation
   - Primality Test
   - Exponentiation by repeated squaring and multiplication
   - Application of Chinese remainder theorem
   - Modular Multiplication Without Trial Division

Page 41

Naive methods

Theorem. Given an input number n, check whether any integer m with 1 < m ⩽ √n divides n. If n is divisible by any such m then n is composite, otherwise it is prime.

Proof. Suppose n is composite; then n = ab, where a, b are both integers and 1 < a ⩽ b. So a | n and a^2 ⩽ ab ⇒ 1 < a ⩽ √n, which contradicts the assumption that no such m divides n.

Fast deterministic test

Page 42

Probabilistic tests

General: these tests use, apart from the tested number n, some other numbers a chosen at random from some sample space; the usual tests never report a prime number as composite, but it is possible for a composite number to be reported as prime.

The probability of error can be reduced by repeating the test with several independently chosen values of a.

The simplest probabilistic primality test: the Fermat primality test.

Representative tests:
- Miller-Rabin primality test
- Solovay-Strassen primality test
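The Fermat test and the Miller-Rabin test described on this slide, as an added example (not from the original slides). Both take an explicit list of bases so results are reproducible; `is_probable_prime` draws the bases at random as the slide describes. The Carmichael number 561 = 3 · 11 · 17 is a constructed input that passes the Fermat test for every base coprime to it but is caught by Miller-Rabin, which is exactly the one-sided error the slide warns about.

```python
# Added example: Fermat and Miller-Rabin probabilistic primality tests.
# Neither ever reports a prime as composite; only the Fermat test can be
# fooled by every coprime base (Carmichael numbers such as 561).
import random


def fermat_probable_prime(n, bases):
    """n passes if a^(n-1) == 1 (mod n) for every base a."""
    if n < 4:
        return n in (2, 3)
    return all(pow(a, n - 1, n) == 1 for a in bases)


def miller_rabin_probable_prime(n, bases):
    """Write n-1 = 2^r * d with d odd. n passes for base a if a^d == 1 or
    a^(2^i * d) == -1 (mod n) for some 0 <= i < r; otherwise a is a witness."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    r, d = 0, n - 1
    while d % 2 == 0:
        r += 1
        d //= 2
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue                      # such a base says nothing
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                  # witness found: n is composite
    return True


def is_probable_prime(n, rounds=20, rng=random):
    """Random-base Miller-Rabin; a composite slips through with probability
    at most 4**-rounds, a prime is never rejected."""
    if n < 4:
        return n in (2, 3)
    bases = [rng.randrange(2, n - 1) for _ in range(rounds)]
    return miller_rabin_probable_prime(n, bases)


if __name__ == "__main__":
    print(fermat_probable_prime(561, [2, 5, 7]))          # True  (fooled)
    print(miller_rabin_probable_prime(561, [2]))          # False (witness 2)
    print(is_probable_prime(2**127 - 1))                  # True  (Mersenne prime)
```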

Page 43

Probabilistic tests

Miller-Rabin primality test

Gary L. Miller. Riemann's Hypothesis and Tests for Primality. Journal of Computer and System Sciences 13(3): 300-317, 1976.

Michael O. Rabin. Probabilistic algorithm for testing primality. Journal of Number Theory 12(1): 128-138, 1980.


Page 45

Exponentiation by repeated squaring and multiplication

M^e mod n, where e = e_{k−1} · 2^{k−1} + e_{k−2} · 2^{k−2} + · · · + e_2 · 2^2 + e_1 · 2^1 + e_0 · 2^0, with e_i = 0 or 1 for i ∈ {0, 1, 2, . . . , k − 1}.

M^e = M^{e_{k−1}·2^{k−1} + e_{k−2}·2^{k−2} + · · · + e_2·2^2 + e_1·2^1 + e_0·2^0} mod n

M^e = (M^{e_{k−1}})^{2^{k−1}} (M^{e_{k−2}})^{2^{k−2}} · · · (M^{e_2})^{2^2} (M^{e_1})^{2^1} (M^{e_0})^{2^0} mod n

M^e = ((· · · ((M^{e_{k−1}})^2 M^{e_{k−2}})^2 · · · M^{e_2})^2 M^{e_1})^2 M^{e_0} mod n
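The nested formula above evaluated left to right over the bits of e, as an added example (not from the original slides). Besides the result it returns the number of squarings and multiplications performed, which shows why the work (and, on the "Other Attacks" slide, the running time) depends on the bit pattern of the exponent: e = 65537 = 2^16 + 1 costs 16 squarings and a single multiplication.

```python
# Added example: left-to-right square-and-multiply, following the slide's
# parenthesization ((...((M^{e_{k-1}})^2 M^{e_{k-2}})^2 ...)^2 M^{e_0} mod n.
def modexp_square_multiply(m, e, n):
    """Return (m^e mod n, number of squarings, number of multiplications)."""
    if e < 0 or n <= 0:
        raise ValueError("e must be >= 0 and n > 0")
    if e == 0:
        return 1 % n, 0, 0
    bits = bin(e)[2:]                     # e_{k-1} ... e_0, leading bit is 1
    result = m % n                        # start from M^{e_{k-1}} = M
    squarings = multiplies = 0
    for bit in bits[1:]:
        result = result * result % n      # (...)^2
        squarings += 1
        if bit == "1":
            result = result * m % n       # ... * M^{e_i} when e_i = 1
            multiplies += 1
    return result, squarings, multiplies


if __name__ == "__main__":
    print(modexp_square_multiply(4, 13, 497))          # (445, 3, 2): 13 = 1101b
    r = modexp_square_multiply(7, 65537, 1000003)
    print(r[1:], r[0] == pow(7, 65537, 1000003))       # (16, 1) True
```

The squaring count is always k − 1 for a k-bit exponent, while the multiplication count equals the number of 1 bits after the leading one; an implementation whose timing reflects these counts leaks information about the exponent.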


Page 47

Chinese remainder theorem

Sunzi Suanjing (《孫子算經》), "Things of unknown number" (物不知數): There are things whose number is unknown. Counting them by threes leaves two; counting by fives leaves three; counting by sevens leaves two. How many things are there?

Qin Jiushao (秦九韶), Shushu Jiuzhang (《數書九章》), 1247: "Three men walking together, seventy is rare; five plum trees, twenty-one branches; seven sons reunite at mid-month; subtract one hundred and five and the answer is known." (The numbers 70, 21, 15 and 105 in the verse encode the solution of the problem above.)

Page 48

Chinese remainder theorem

Theorem (Chinese remainder theorem). Suppose n_1, n_2 are positive integers which are coprime. For any given two integers a_1, a_2, there exists a unique integer x (mod n_1 n_2) satisfying the simultaneous congruences

x ≡ a_1 (mod n_1)
x ≡ a_2 (mod n_2)

Page 49

Chinese remainder theorem

Proof. Because gcd(n_1, n_2) = 1, s n_1 + t n_2 = 1 by the extended Euclid algorithm, where s and t are integers. Reducing this equation modulo n_1 and modulo n_2 gives t n_2 ≡ 1 (mod n_1) and s n_1 ≡ 1 (mod n_2). Construct x = a_2 s n_1 + a_1 t n_2; then x ≡ a_1 (mod n_1) and x ≡ a_2 (mod n_2). So x is one integer satisfying the simultaneous congruences.

Page 50

Chinese remainder theorem

Proof (continued). Suppose there is another integer x′ satisfying the simultaneous congruences; then x ≡ x′ (mod n_1), x ≡ x′ (mod n_2), and x − x′ = k n_1, x − x′ = l n_2, where k, l are integers. Because s n_1 + t n_2 = 1, multiplying this equation by (x − x′) gives l n_2 s n_1 + k n_1 t n_2 = x − x′, i.e. n_1 n_2 (ls + kt) = x − x′.

So x − x′ ≡ 0 (mod n_1 n_2), and there is only one unique integer x (mod n_1 n_2) satisfying the simultaneous congruences.

This completes the proof.

Page 51

Chinese remainder theorem

Theorem (General case of the Chinese remainder theorem). Suppose n_1, n_2, . . . , n_k are positive integers which are pairwise coprime. For any given set of integers a_1, a_2, . . . , a_k, there exists a unique integer x (mod n_1 n_2 · · · n_k) satisfying the simultaneous congruences

x ≡ a_1 (mod n_1)
x ≡ a_2 (mod n_2)
· · ·
x ≡ a_k (mod n_k)

Page 52

Chinese remainder theorem

Construct x:

x ≡ N_1 M_1 a_1 + N_2 M_2 a_2 + · · · + N_k M_k a_k (mod N),

where N = n_1 n_2 · · · n_k = N_1 n_1 = N_2 n_2 = · · · = N_k n_k, and N_1 M_1 ≡ 1 (mod n_1), N_2 M_2 ≡ 1 (mod n_2), . . . , N_k M_k ≡ 1 (mod n_k).

Page 53

Application of CRT

RSA decryption M = C^d mod n can be transformed into computing the M which satisfies the simultaneous congruences

M ≡ M_1 (mod p)
M ≡ M_2 (mod q)

where M_1 ≡ C^d (mod p), M_2 ≡ C^d (mod q).

Compute d mod (p − 1) = r; then d = k(p − 1) + r, where k is an integer. So M_1 ≡ C^{k(p−1)+r} (mod p) ≡ (C^{p−1} mod p)^k C^r (mod p). From Fermat's little theorem, we know C^{p−1} mod p = 1, so M_1 ≡ C^{d mod (p−1)} (mod p) ≡ (C mod p)^{d mod (p−1)} (mod p). Similarly, M_2 ≡ (C mod q)^{d mod (q−1)} (mod q).

Page 54

Application of CRT

Procedure
1: d_1 = d mod (p − 1), d_2 = d mod (q − 1);
2: C_1 = C mod p, C_2 = C mod q;
3: M_1 = C_1^{d_1} mod p, M_2 = C_2^{d_2} mod q;
4: Q_1 = q^{−1} mod p, Q_2 = p^{−1} mod q;
5: M = (q Q_1 M_1 + p Q_2 M_2) mod n.
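The general construction x ≡ Σ N_i M_i a_i (mod N) of page 52 and the five-step CRT decryption procedure above, as one added example (not from the original slides). Run on the Sunzi problem of page 47 it yields 23, and the coefficients N_i M_i it computes for moduli 3, 5, 7 are exactly the 70, 21 and 15 of the verse quoted there. The RSA test values (p = 61, q = 53, e = 17, d = 2753) are constructed toy values.

```python
# Added example: Chinese remainder theorem (general construction) and the
# CRT form of RSA decryption from the procedure above.
from math import prod


def crt_coefficients(moduli):
    """Return ([N_1 M_1, ..., N_k M_k], N) for pairwise-coprime moduli, where
    N = n_1 ... n_k, N_i = N / n_i and N_i M_i == 1 (mod n_i)."""
    N = prod(moduli)
    coeffs = []
    for ni in moduli:
        Ni = N // ni
        Mi = pow(Ni, -1, ni)          # exists because gcd(N_i, n_i) = 1
        coeffs.append(Ni * Mi)
    return coeffs, N


def crt(residues, moduli):
    """The unique x mod N with x == a_i (mod n_i) for every i."""
    coeffs, N = crt_coefficients(moduli)
    return sum(c * a for c, a in zip(coeffs, residues)) % N


def rsa_decrypt_crt(c, d, p, q):
    """M = C^d mod n computed with the slide's five steps: two exponentiations
    with half-size modulus and exponent, then one CRT recombination."""
    d1, d2 = d % (p - 1), d % (q - 1)              # 1
    c1, c2 = c % p, c % q                          # 2
    m1, m2 = pow(c1, d1, p), pow(c2, d2, q)        # 3
    q1, q2 = pow(q, -1, p), pow(p, -1, q)          # 4: Q_1 = q^-1 mod p, Q_2 = p^-1 mod q
    return (q * q1 * m1 + p * q2 * m2) % (p * q)   # 5


if __name__ == "__main__":
    print(crt_coefficients([3, 5, 7]))            # ([70, 21, 15], 105)
    print(crt([2, 3, 2], [3, 5, 7]))              # 23
    print(rsa_decrypt_crt(2790, 2753, 61, 53))    # 65, same as pow(2790, 2753, 3233)
```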


Page 56

Modular Multiplication Without Trial Division

C = A · B mod n

Montgomery Algorithm: Peter L. Montgomery. Modular Multiplication Without Trial Division. Mathematics of Computation, 44(170): 519-521, 1985.
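Montgomery reduction as an added example (not from the original slides): with R = 2^k > n and n′ = −n^{−1} mod R, REDC(T) = (T + (T n′ mod R) n) / R returns T R^{−1} mod n using only multiplications, masks, shifts and one conditional subtraction, so a modular product A · B mod n never divides by n. The block also keeps a whole exponentiation in Montgomery form, which is how the trick pays off in RSA. The moduli in the tests are constructed odd values.

```python
# Added example: Montgomery multiplication (REDC) and exponentiation that
# stays in Montgomery form. Requires an odd modulus n; R = 2^k with k = bits(n).
def montgomery_setup(n):
    """Return (k, R, n', R^2 mod n) with R = 2^k > n and n' = -n^{-1} mod R."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be odd and > 2")
    k = n.bit_length()
    r = 1 << k
    n_prime = (-pow(n, -1, r)) % r
    return k, r, n_prime, (r * r) % n


def redc(t, n, k, r, n_prime):
    """Montgomery reduction: t * R^{-1} mod n for 0 <= t < n*R."""
    m = ((t & (r - 1)) * n_prime) & (r - 1)     # m = (t mod R) * n' mod R
    u = (t + m * n) >> k                         # (t + m*n) / R, exact division
    return u - n if u >= n else u                # u < 2n, one subtraction


def montgomery_mul(a, b, n):
    """a * b mod n for 0 <= a, b < n: convert in, multiply, convert out."""
    k, r, n_prime, r2 = montgomery_setup(n)
    a_m = redc(a * r2, n, k, r, n_prime)         # a*R mod n
    b_m = redc(b * r2, n, k, r, n_prime)         # b*R mod n
    prod_m = redc(a_m * b_m, n, k, r, n_prime)   # a*b*R mod n
    return redc(prod_m, n, k, r, n_prime)        # a*b mod n


def montgomery_pow(m, e, n):
    """m^e mod n by square-and-multiply entirely in Montgomery form; only the
    final REDC leaves it. Precomputation is done once per modulus."""
    k, r, n_prime, r2 = montgomery_setup(n)
    x = r % n                                    # 1 in Montgomery form
    m_m = redc((m % n) * r2, n, k, r, n_prime)
    for bit in bin(e)[2:]:
        x = redc(x * x, n, k, r, n_prime)
        if bit == "1":
            x = redc(x * m_m, n, k, r, n_prime)
    return redc(x, n, k, r, n_prime)


if __name__ == "__main__":
    print(montgomery_mul(123456789, 987654321, 1000000007)
          == 123456789 * 987654321 % 1000000007)                 # True
    print(montgomery_pow(4, 13, 497))                            # 445
```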

Page 57

Thank You! Any Questions?