Transcript CSIS 5857

Public Key Encryption and the
RSA Public Key Algorithm
CSCI 5857: Encoding and Encryption
Outline
• Basic concepts of public key encryption
– One-way functions
– Trapdoor functions
• The RSA public key algorithm
– Encryption/decryption functions
– Public/private key generation
– Underlying mathematics
Public Key Encryption
• Recipient (Alice) generates key pair:
– Public key kPU
+
• Does not have to be kept secret
• Distributed to all senders (such as Bob)
– Private key kPR
• Kept secret by Alice
Key pair
generator
Copy of Alice’s
public key
3
Public Key Encryption
• Bob uses Alice’s public key kPU to encrypt message
– C = E(kPU, P)
• Alice uses her private key kPR to decrypt message
– P = D(kPR, C)
C
P
E
D
Alice’s kPU
P
Alice’s kPR
List of others’
public keys
4
Public Key Encryption
• Central idea:
Adversary cannot determine private key from
corresponding public key
– Could theoretically find private key, but computationally
infeasible to do so
– Cannot read intercepted messages encrypted with public
key
“I still can’t compute
5
Public and Symmetric Keys
Problem:
How to securely distribute a symmetric key KS ?
Solution:
1. Use public key encryption to securely send it
2. Use faster symmetric key algorithm (like AES) to securely
transmit the rest of the message
ks
P
E
E
Epublic (kS, kPU)
Esymmetric (P, kS)
D
D
ks
P
6
Public Key Math
• Public key algorithms are mathematical functions of
integer numbers
– Keys are large numbers (hundreds of digits long)
– Plaintext translated to large numbers (not bits)
– Encryption is a mathematical function of plaintext and key
which creates another large number as ciphertext
Alice’s KPU
Alice’s KPR
7
Trapdoor One-Way Functions
One-way functions:
– Function: y = f (x)
– Inverse function: x = f -1 (y)
• Given x, y = f (x) very easy to compute
• Given y, x = f -1 (y) computationally infeasible to compute
Example: Factoring
– p and q are very large prime numbers
– n = p x q is easy to compute
– Factoring n into p and q infeasible
• Must try almost all possible p and q
8
Trapdoor One-Way Functions
Trapdoor functions:
• Given one-way function: y = f (x)
• There exists some “secret trapdoor” that allows
x = f -1 (y) to be easily computed
Example (very simple):
• n = p x q product of two large primes
• Factoring n into p and q to find p infeasible
• Finding p is easy if know q
– q is a “trapdoor” for finding p from n
9
Trapdoor One-Way Functions
Idea behind public-key encryption:
• Encryption function C = E (KPU, P) must be one way
– Must not be able to compute P from C
• Must have trapdoor to allow decryption
– Must be able to easily compute P from C if know trapdoor
• Trapdoor = private key
10
Trapdoor One-Way Functions
• Discrete Logarithms
– RSA, Rabin, ElGamal, Diffie-Hellman
– Easy to implement, well understood
• Elliptic Curve
– Discrete logarithms represented as curves
– Much faster than factoring/discrete logarithms
• NP-Complete problems
– Example: “knapsack problem”, Merkle and Hellman (1978)
– Exponential time to solve problem
– Easy to confirm solution if given
11
RSA Algorithm
• First widely used public key encryption algorithm
– Developed for public use in 1977 by Ron Rivest, Adi
Shamir, and Leonard Adleman at MIT
– Developed secretly in 1973 by Clifford Cocks (British
mathematician working for UK intelligence)
– MIT granted a patent for RSA (expired in 2000)
• Still most widely used public key algorithm
– Part of most cryptosystems (SSH, PGP, etc.)
12
RSA Algorithm
• Based on modular exponentiation function
• Central component: large modulus n
– RSA requires at least 1024 bit values for n
– Equivalent to approximately 309 digit decimal number
• Encryption:
C = PE mod n easy to compute
– Plaintext P and ciphertext C both large integers
– Modulus n and exponent E are public key
13
RSA Algorithm
• “Modular logarithm” problem:
P = E C mod n infeasible to compute
– Given ciphertext C and public key E, n
for what integer P does C = PE mod n?
– Example: For what P does P 343 mod 159197 = 33677?
– Would have to test all P < n to find a P such that C = PE mod n
• Trapdoor for decryption:
Exists D such that P = CD mod n
– n must be product of two primes p and q
– D is secret private key based on E, p and q
14
RSA Algorithm
15
RSA Key Generation
• Select 2 large primes p and q
– At least 512 bits (154 decimal digits)
• Compute n = p  q
• Compute Φ(n) = (p -1)  (q -1)
– Euler totient function
– Cannot compute directly from n without factoring into p
and q
– Crucial that multiplication of large primes is one way!
16
RSA Key Generation
• Select some E for encryption
– 1 < E < Φ(n)
– E is relatively prime to Φ(n)
• Compute D as E-1 mod Φ(n)
– ED mod Φ(n) = 1
• Public key: E and n
• Private key: D
17
RSA Example
• Public key: n = 159197 (from 397  401)
E = 343  note that these are too small in reality!
Known to sender Bob
• Private key: D = 12007= 343-1 mod 158400 (that is, 396 x 400)
Known only by recipient Alice
18
RSA Mathematics
Must show: P = C D mod n
= (P E)D mod n
= P ED mod n
Where ED mod Φ(n) = 1
Based on Euler’s theorem:
• If n = p  q and P < n
• Then P k  Φ(n) + 1 mod n = P for all integer k
19
RSA Mathematics
Proof (sort of):
• (k  Φ(n) + 1) mod Φ(n) = 1
Since k  Φ(n) is divisible by Φ(n)
• There exists some k such that ED = k  Φ(n) + 1
Since also have ED mod Φ(n) = 1
• P ED mod n = P
Substituting ED for k  Φ(n) + 1 in Euler’s Theorem
20