RSA Cryptography and Digital signature

RSA Cryptography
Taravat Moshtagh
Department of Mathematics and Statistics
York University
January 19th 2006
Outline
Part I
• Introduction to RSA cryptography
• Basic terminology
• Mathematics behind the RSA
• How the algorithm works
• How secure the algorithm is
• Conclusion
Part II
• Introduction to Maple; Maple worksheet for RSA
RSA Cryptography
What is meant by cryptography?
Cryptography comes from the Greek words kryptós, meaning
"hidden", and gráphein, meaning "to write". So
cryptography is 'secret' or 'hidden' writing.
Cryptology is as old as writing itself, and has been
used for thousands of years to safeguard military and
diplomatic communications.
Cryptography is the art of keeping information secret
from all but those who are authorized to see it.
Basic terminology
Plaintext: Data that can be read and understood
without any special measures. It is also the message.
Encryption: Encoding the contents of the message in
such a way that it hides its contents from outsiders.
Ciphertext: The encrypted message.
Decryption: The process of retrieving the plaintext
from the ciphertext.
Key: A key is a value that works with a
cryptographic algorithm to produce a specific
ciphertext. Keys are basically really, really, really
big numbers. Key size is measured in bits; the
number representing a 1024-bit key is darn huge.
Public Key: The user releases a copy of this key to
the public to allow anyone to use it for encrypting
messages to be sent to the user and for decrypting
messages received from the user.
Private Key: The user keeps the private key secret
and uses it to encrypt outgoing messages and
decrypt incoming messages.
For our scenarios we suppose that Alice and Bob are
two users. Now we would like to know how Bob can
send a private message to Alice in a cryptosystem.
[Diagram: Bob sends the message "Hi Alice" to Alice.]
Simple example
Suppose Bob wants to encode the words "Hi Alice" using the "shift by 3"
rule, that is, he offsets the alphabet so that the 3rd letter down (D) begins
the alphabet.
So starting with
ABCDEFGHIJKLMNOPQRSTUVWXYZ
and sliding everything up by 3, he gets
DEFGHIJKLMNOPQRSTUVWXYZABC
where D=A, E=B, F=C, and so on.
Using this scheme, the plaintext "Hi Alice" encrypts as "Kl Dolfg".
To allow Alice to read the ciphertext, Bob tells her that the key is "shift
by 3".
Encryption and Decryption
[Diagram: plaintext → encryption (key) → ciphertext → decryption (key) → plaintext, between Bob and Alice.]
Symmetric key cryptography
[Diagram: Bob's plaintext → encryption → ciphertext → decryption → original plaintext at Alice.]
Encryption and decryption rely on having a key (a word, number, or
phrase used to encrypt and decrypt).
Encryption and decryption use the same key.
The problem is the difficulty of secure key distribution.
Question:
How could the key be transferred between
Bob and Alice without being intercepted?
One might argue that we could simply encrypt the key,
but this would require another key that tells how to
encrypt the first key... and we would just run in
circles!
A public-key cryptosystem needs no private couriers; the keys
can be distributed over the insecure communications channel.
(Retrieved from http://theory.lcs.mit.edu/~rivest/rsapaper.pdf)
Public-key Cryptography
The problems of key distribution are solved by public key cryptography,
the concept of which was introduced by Diffie, Hellman and Merkle in
1976.
[Diagram: Bob's plaintext → encryption (encryption key) → ciphertext → decryption (decryption key) → original plaintext at Alice.]
The big idea is to use a pair of keys for encryption: a public key, which
encrypts data, and a corresponding private key for decryption.
This algorithm provided an implementation for secure public key
distribution, but didn't implement digital signatures.
RSA public key cryptography
The RSA public key cryptosystem was invented in 1978 by three
researchers at MIT named Rivest, Shamir and Adleman. RSA
stands for the first letter in each of its inventors' last names.
RSA is an elegant algorithm based on the product of two large
prime numbers that exactly fits the requirement for a practical public
key cryptography implementation.
RSA Public-key cryptography
When Bob wants to send a secure message to Alice, Bob uses Alice's public
key (for example her email address) to encrypt the message. Alice then uses her
private key (for example her password) to decrypt it.
[Diagram: Bob's plaintext → encryption (Alice's public key) → ciphertext → decryption (Alice's private key) → original plaintext at Alice.]
Bob encrypts message using Alice’s public key
Alice decrypts using her private key
The background number theory required
to understand how RSA works
Basics:
A number is prime if the only numbers that exactly
divide it are 1 and itself.
A pair of numbers is relatively prime if their greatest
common divisor is 1.
Note: If p and q are distinct prime numbers, they
are certainly relatively prime to each other.
Multiplicative Inverses
Theorem. A number "e" has a multiplicative
inverse mod n if and only if gcd(e, n) = 1.
If "e" has a multiplicative inverse mod n, it is
unique.
Further, there is an efficient algorithm to test
whether "e" and "n" are relatively prime, and if so,
calculate the inverse of "e".
Fermat’s Little Theorem
If "p" is a prime number and "a" is any integer
between 1 and p-1 inclusive, then
$a^{p-1} \equiv 1 \pmod{p}$
Euler’s theorem
For any number "a" relatively prime to "n", the following
congruence holds:
$a^{\Phi(n)} \equiv 1 \pmod{n}$
Phi(n) is the number of positive integers less
than "n" and relatively prime to "n".
The Chinese Remainder Theorem
Suppose “a” and “b” are relatively prime. If
x = y (mod a) and x = y (mod b)
then
x = y (mod a × b)
Solving a problem
Suppose I have
• a prime number p;
• a number M between 1 and p-1 inclusive;
• another number "e", also between 1 and p-1;
And I compute
• $C \equiv M^e \pmod{p}$
If I give you C, e and p, can you find M?
Yes, you can, if you take the following
steps:
1. Find a number "d" such that
$e \times d \equiv 1 \pmod{p-1}$
2. Compute $C^d \bmod p$
Why does that work?
1. We found "d" such that $e \times d \equiv 1 \pmod{p-1}$.
That means that $e \times d - 1 = k(p-1)$ for some
integer k, or
$ed = k(p-1) + 1$
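2. We computed $C^d \bmod p$.
Since $C \equiv M^e \pmod{p}$, then
$$
\begin{aligned}
C^d &\equiv (M^e)^d \pmod{p} \\
    &\equiv M^{ed} \pmod{p} \\
    &\equiv M^{k(p-1)+1} \pmod{p} && \text{(since } ed = k(p-1)+1\text{)} \\
    &\equiv M^{k(p-1)} \times M \pmod{p} \\
    &\equiv (M^{p-1})^k M \pmod{p} \\
    &\equiv 1 \times M \pmod{p} && \text{(by Fermat's little theorem)} \\
    &\equiv M \pmod{p}
\end{aligned}
$$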
Fact!
If the modulus is not a prime number then the
method doesn't work.
Why doesn't it work?
In general $a^{n-1} \not\equiv 1 \pmod{n}$ if n is not prime.
We could make the method for finding M work
if we knew the number "r" such that
$M^r \equiv 1 \pmod{n}$
If gcd(M, n) = 1 then there will be such a
number "r" and there is a way to find it.
Finding r
In order to find "r" such that $M^r \equiv 1 \pmod{n}$, we
have to be able to factorize "n" and find all of its
prime factors.
Suppose n = p × q where p and q are primes; then
r = Phi(n) = (p-1) × (q-1)
Important notes:
1. It is easy to compute the product of two large
primes n = p×q.
2. Setting Phi(n) = (p-1) × (q-1) we have
$M^{\Phi(n)} \equiv 1 \pmod{n}$
for all M co-prime with n.
3. Given "e" (co-prime with Phi(n)), it is easy to
determine "d" such that
$e \times d \equiv 1 \pmod{(p-1)(q-1)}$
4. It is easy to compute $M^e \bmod n$.
5. If $C \equiv M^e \pmod{n}$ then $M \equiv C^d \pmod{n}$, and it is easy
to compute $C^d \bmod n$ if you know "d".
6. You can find "d" if you can find Phi(n), and you can
find Phi(n) if you can factorise "n".
7. Factorizing "n" is hard.
8. This is the basis of the RSA public key cryptosystem.
9. The holder of the public key knows "p" and "q" and
therefore he/she can find Phi(n) and therefore "d"
and can compute $C^d \bmod n$ to find M.
No-one else knows "p" and "q", so they cannot find
Phi(n) or "d" and so they cannot recover M.
RSA – Key Generation
1. Alice generates two large primes p and q (each
with at least 100 decimal digits).
2. She computes n = p×q
3. She computes Phi(n) = (p-1) ×(q-1)
4. She chooses a random number "e" such that
gcd(e, Phi(n)) = 1.
5. She computes the private key “d” by solving the
equation e × d =1 mod Phi(n) .
6. She can now carefully dispose of the values of p,
q and Phi(n) .
7. Alice keeps "d" private but publishes the value
of the pair (e, n) (this is her public key).
RSA - Encryption
We distinguish Bob's and Alice's encryption and decryption
procedures with subscripts:
$E_A, D_A$ and $E_B, D_B$
Bob wishes to send Alice a message M. He takes the following
steps:
1. He looks up Alice's public key pair (e, n).
2. He computes the ciphertext C and sends it to Alice,
$C = E_A(M) \equiv M^e \pmod{n}$
RSA - Decryption
Alice receives the value C from Bob. She can decrypt it
since she knows the key $D_A$. The decoding $M'$ is
$M' = D_A(E_A(M)) = D_A(M^e) \equiv (M^e)^d \pmod{n}$
We have to prove that this works! Namely that $M'$
will be equal to the original M.
Why does the RSA algorithm work?
For any integer (message) M which is relatively prime to n, by the theorems of Euler
and Fermat:
$$M^{\Phi(n)} \equiv 1 \pmod{n} \qquad (1)$$
Since $e \cdot d \equiv 1 \pmod{\Phi(n)}$, for some integer k, $e \cdot d - 1 = k\,\Phi(n)$, or $e \cdot d = 1 + k\,\Phi(n)$.
Then
$$M' \equiv M^{ed} \equiv M^{1 + k\Phi(n)} \pmod{n}$$
From (1) we see that for all M such that p does not divide M:
$$M^{p-1} \equiv 1 \pmod{p}$$
and since (p-1) divides $\Phi(n) = (p-1)(q-1)$,
$$M^{ed} \equiv M^{1 + k\Phi(n)} \equiv M \cdot M^{k\Phi(n)} \equiv M \cdot (M^{\Phi(n)})^k \equiv M \cdot (1)^k \equiv M \pmod{p}$$
And then $p \mid M^{ed} - M$.
Arguing similarly for q yields $q \mid M^{ed} - M$.
Together these last two equations imply that for
all M,
$$M^{ed} \equiv M^{1 + k\Phi(n)} \equiv M \pmod{n}$$
Since p and q are distinct primes, it follows that
their product p·q is also a divisor of $M^{ed} - M$.
RSA Public Key System
Example
| Step | Example |
|---|---|
| Choose prime numbers p and q. | Choose 11 and 13. |
| Find their product n = pq. | Calculate n = 11*13 = 143. |
| Calculate Phi(n) = (p-1)(q-1). | Calculate Phi(n) = (11-1)*(13-1) = 120. |
| Select an integer e such that gcd(e, Phi(n)) = 1. | Let e = 7. |
| Calculate d such that e*d = 1 mod Phi(n). | We want 7*d = 1 mod 120. Thus d = 103, as 7*103 = 721 = 1 mod 120. |
| The public key is (e, n). | The public key is (7, 143). |
| The private key is (d, n). | The private key is (103, 143). |
| Plaintext can be any number M, where M < n, and neither p nor q divides M. | Let the numerical representation of M be M = 5, for example. |
| The ciphertext is $C \equiv M^e \pmod{n}$. | The ciphertext is $C = 5^7 \pmod{143} = 47$. |
| The plaintext is $M^{ed} \pmod{n}$. | The plaintext is $47^{103} \pmod{143} = 5$. |
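The key generation, encryption and decryption steps above, run on the slide's numbers (p = 11, q = 13, e = 7, M = 5), as an added example that is not part of the original slides or the Maple worksheet. The function names are hypothetical, the extended Euclidean algorithm is assumed to be the "efficient algorithm" the multiplicative-inverse slide refers to, and this is textbook RSA without padding on toy primes.

```python
# Added illustration: textbook RSA on the slides' toy numbers (no padding).

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(e, m):
    """Inverse of e mod m; it exists only when gcd(e, m) == 1."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {m}: gcd is {g}")
    return x % m


def keygen(p, q, e):
    """Key generation steps 2-7 for caller-supplied primes p, q and exponent e."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    d = modinv(e, phi)            # fails if e is not coprime to Phi(n)
    return (e, n), (d, n)         # (public key, private key); p, q, phi dropped


def encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)           # C = M^e mod n


def decrypt(c, private):
    d, n = private
    return pow(c, d, n)           # M = C^d mod n


if __name__ == "__main__":
    public, private = keygen(11, 13, 7)
    c = encrypt(5, public)
    print(public, private, c, decrypt(c, private))
```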
Is RSA secure?
The security of the RSA cryptosystem depends on the
difficulty of factoring n. It is currently difficult to
obtain the private key d from the public key (n, e).
However if one could factor n into p and q, then one
could obtain the private key d. Thus the security of
the RSA system is based on the assumption that
factoring is difficult. The discovery of an easy method
of factoring would "break" RSA.
Is RSA Secure? (Cont.)
How might we "break" RSA?
• Factoring n
• Computing Phi(n)
• Compute d given e and n
  - Still need to know n or Phi(n)
• Computing e-th roots modulo n
  - ($C \equiv M^e \pmod{n}$; then $M \equiv C^{1/e} \pmod{n}$)
  - It is computationally intractable
Factoring n: The fastest known factoring algorithm,
developed by Pollard, is the General Number Field Sieve,
which has running time for factoring a large number of size
n of order
$$O\!\left(\exp\!\left(\left(\tfrac{64}{9}\log n\right)^{1/3}(\log\log n)^{2/3}\right)\right)$$
The method relies upon the observation that if integers x and y
are such that $x \neq y \pmod{n}$ and $x^2 \equiv y^2 \pmod{n}$ then
gcd(x − y, n) and gcd(x + y, n) are non-trivial factors of n.
(Retrieved from http://mathworld.wolfram.com/NumberFieldSieve.html)
The following table gives the number of operations needed to factor n
with GNFS method, and the time required if each operation uses one
microsecond, for various lengths of the number n (in decimal digits)
| Digits | Number of operations | Time |
|---|---|---|
| 100 | 9.6 × 10^8 | 16 minutes |
| 200 | 3.3 × 10^12 | 38 days |
| 300 | 1.3 × 10^15 | 41 years |
| 400 | 1.7 × 10^17 | 5313 years |
| 500 | 1.1 × 10^19 | 3.5 × 10^5 years |
| 1024 | 1.3 × 10^26 | 4.2 × 10^12 years |
| 2048 | 1.5 × 10^35 | 4.9 × 10^21 years |
Computing Phi(n) without Factoring n
Assume that n = p × q, p < q.
Since $(p + q)^2 - (q - p)^2 = 4pq = 4n$, then
$(p + q)^2 = 4n + (q - p)^2$, so
$q + p = \sqrt{4n + (q - p)^2}$, and then
Phi(n) = n - (p + q) + 1
Example:
n = 221 (4n = 884)

| q − p | (q − p)^2 + 4n | q + p = √(4n + (q − p)^2) |
|---|---|---|
| 1 | 885 | 29.7489... |
| 2 | 888 | 29.7993... |
| 3 | 893 | 29.8831... |
| 4 | 900 | 30 |

So q − p = 4 and q + p = 30,
then Phi(n) = 221 - 30 + 1 = 192
and p = 13, q = 17, n = 13 × 17.
Therefore breaking RSA system by computing
Phi(n) is not easier than breaking RSA system by
factoring n. (This is why n must be composite;
Phi(n) is easy to compute if n is prime.)
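The relation Phi(n) = n - (p + q) + 1 cuts both ways: anyone who learns Phi(n) can recover p and q, which is why key generation disposes of it together with the primes. The following added example (not part of the original slides; function names are hypothetical) shows that direction and rebuilds the slide's table for n = 221.

```python
# Added illustration, not part of the original slides.
from math import isqrt


def factors_from_phi(n, phi):
    """Recover p < q from n = p*q and Phi(n) = (p-1)*(q-1)."""
    s = n - phi + 1                  # p + q, because Phi(n) = n - (p + q) + 1
    disc = s * s - 4 * n             # equals (q - p)^2 when the inputs match
    if disc < 0 or isqrt(disc) ** 2 != disc:
        raise ValueError("n and phi are inconsistent")
    t = isqrt(disc)                  # q - p
    return (s - t) // 2, (s + t) // 2


def search_difference(n, max_diff=1000):
    """Rebuild the slide's table: try q - p = 1, 2, ... until
    (q - p)^2 + 4n is a perfect square, then read off p, q and Phi(n)."""
    rows = []
    for diff in range(1, max_diff + 1):
        total = diff * diff + 4 * n
        root = isqrt(total)
        exact = root * root == total
        rows.append((diff, total, root if exact else None))
        if exact:                    # root is q + p
            p, q = (root - diff) // 2, (root + diff) // 2
            return rows, p, q, n - root + 1
    raise ValueError(f"no q - p <= {max_diff} fits; the primes are far apart")


if __name__ == "__main__":
    rows, p, q, phi = search_difference(221)   # the slide's n
    for row in rows:
        print(row)
    print(p, q, phi, factors_from_phi(221, phi))
```

The search takes about q − p iterations, so it is only quick when the two primes are close together, which matches the slide's conclusion that this route is no easier than factoring n.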
Idea: if we had a fast algorithm
which can factor large numbers in a
reasonable amount of time, we could
break RSA!!!
On May 9th 2005 a team at the German Federal Agency for Information Technology
Security announced the factorization of the 200-digit number known as RSA-200 by
General Number Field Sieve algorithm (GNFS).
RSA-200 is:
27,997,833,911,221,327,870,829,467,638,722,601,621,070,446,786,
955,428,537,560,009,929,326,128,400,107,609,345,671,052,955,360,
856,061,822,351,910,951,365,788,637,105,954,482,006,576,775,098,
580,557,613,579,098,734,950,144,178,863,178,946,295,187,237,869,
221,823,983
The two 100-digits factors are:
3,532,461,934,402,770,121,272,604,978,198,464,368,671,197,400,
197,625,023,649,303,468,776,121,253,679,423,200,058,547,956,528,
088,349
and
7,925,869,954,478,333,033,347,085,841,480,059,687,737,975,857,
364,219,960,734,330,341,455,767,872,818,152,135,381,409,304,740,
185,467
The effort took approximately 80 2.2GHz Opteron CPUs over 3 months of calendar time.
The same team later announced the factorization of RSA-640, a smaller number containing
193 decimal digits (640 bits), on November 4th 2005.
• RSA-2048
• Prize: $200,000
• Status: Not Factored
• Decimal Digits: 617
• Decimal Digit Sum: 2738
Conclusion
Prime numbers play an essential role in the art of
Public Key Cryptography.
Public Key Cryptosystem is secure and strong.
Factorization is a fast-moving field. If no new
methods are developed, then 2048-bit RSA keys
will always be safe from factorization, but one
can't predict the future.
Enjoy 15 minutes break time!
Examples
Please go to the
http://garsia.math.yorku.ca/~zabrocki/math5020f05/
and click on “Maple” worksheet.