Download presentation

Presentation is loading. Please wait.

Published byEdgardo O'Keefe Modified over 2 years ago

1
Public Key Cryptography The RSA Cryptosystem

2
by William M. Faucette Department of Mathematics State University of West Georgia

3
The RSA Cryptosystem

4
The granddaddy of all public key cryptosystems, the RSA cryptosystem is named for its creators, Rivest, Shamir, and Adleman. RSA was first described in 1978.

5
A Little Number Theory In order to describe the RSA crypto- system, we first need to get a little background in some elementary number theory.

6
Relatively Prime Numbers

7
Two natural numbers n and m are relatively prime if n and m have no common factor greater than 1.

8
Relatively Prime Numbers For example, 24 and 25 are relatively prime, as are 2310 and If you dont believe me, factor them!

9
The Euler Phi Function

10
For any natural number n, the Euler phi function of n, denoted (n),is the number of natural numbers less than or equal to n which are relatively prime to n.

11
The Euler Phi Function For example, we have (1)=1 since 1 is relatively prime to 1 (2)=1 since 1 is relatively prime to 2 (3)=2 since 1, 2 are relatively prime to 3 (10)=4 since 1, 3, 7, 9 are relatively prime to 10.

12
The Euler Phi Function If p is a prime number, then (p)=p 1, since every number less than p is relatively prime to p.

13
The Euler Phi Function Similarly, (p k )=p k p k 1 = p k 1 (p 1). This is easy to see since the only prime factor of p k is p, so the only numbers which have a common factor with p k are the multiples of p.

14
The Euler Phi Function Since one out of every p numbers is a multiple of p, the number of multiples of p less than or equal to p k is p k 1. So, (p k )=p k p k 1 = p k 1 (p 1).

15
The Euler Phi Function Although its not at all obvious, the Euler phi function is multiplicative. That is, if n and m are relatively prime, then (nm)= (n) (m)

16
The Euler Phi Function One proof of this result uses the Chinese Remainder Theorem to show that there is a one-to-one correspondence between numbers less than or equal to the product nm which are relatively prime to nm and ordered pairs of numbers which are (1) less than or equal to n and relatively prime to n and (2) less than or equal to m and relatively prime to m.

17
The Euler Phi Function We wont prove this result. If youre interested, consult pages 21–22 in the book A Course in Number Theory and Cryptography by Neal Koblitz

18
The Euler Phi Function In particular, if n is the product of two prime numbers p and q, we have

19
The Euclidean Algorithm

20
The Euclidean Algorithm allows the efficient computation of the greatest common divisor of two natural numbers. This algorithm is easily implemented on present-day computers even with extremely large numbers.

21
The Euclidean Algorithm Suppose we wish to compute the greatest common divisor, denoted gcd, of two natural numbers, a and b, with b

22
The Euclidean Algorithm Next, you divide b by r 1, getting a quotient q 2 and a remainder r 2.

23
The Euclidean Algorithm From now on, you divide r n 1 by r n, getting a quotient q n+1 and a remainder r n+1.

24
The Euclidean Algorithm Since 0r n+1

25
The Euclidean Algorithm In fact, so that this algorithm works exponentially quickly.

26
Repeated Squaring Method

27
The repeated squaring method allows the efficient computation of the modular exponentiation of a large number to a large power. This algorithm is easily implemented on present-day computers even with extremely large numbers.

28
Repeated Squaring Method Algorithm: We wish to compute b n mod m First, write n as a natural number in base 2. Here, each n i is either 0 or 1.

29
Repeated Squaring Method Algorithm: We wish to compute b n mod m Set a=1 if n 0 =0 and set a=b if n 0 =1. Square b and set b 1 b 2 mod m. If n 1 =1, multiply a by b 1 and reduce mod m. Square b 1 and set b 2 b 1 2 mod m. If n 2 =1, multiply a by b 2 and reduce mod m.

30
Repeated Squaring Method Algorithm: We wish to compute b n mod m At the j th step, you have computed b j b 2^j mod m. If n j =1, multiply a by b j. After the (k 1)-st step, a = b n mod m

31
Finding Large Prime Numbers

32
In order to implement the RSA algorithm, we must have a technique for finding large prime numbers.

33
Finding Large Prime Numbers Since the security of the RSA algorithm itself is based on the fact that it is computationally infeasible to factor large numbers, we must have some other method of determining whether a large number is prime.

34
Primality Tests

35
According to Fermats Little Theorem, if p is a prime number and a is a number relatively prime to p, then

36
Primality Tests If n is not prime, it is still possible that the equation holds, but not likely, for a relatively prime to n. If this equation holds, we say that n is a pseudoprime base a.

37
Primality Tests Theorem: If, for a given n, Fermats Little Theorem fails for a single base a, then it fails for at least half of the possible bases a in ( Z /n Z ) *.

38
Primality Tests Algorithm: Take a large odd integer n. Choose a random a with 01, then n is composite.

39
Primality Tests Algorithm: If gcd(a,n)=1, then raise a to the (n 1)-st power. If Fermats Little Theorem fails, then n is composite. If Fermats Little Theorem holds, then n might be prime.

40
Primality Tests Algorithm: Next, choose k different bases a 1, a 2,..., a k and suppose that n might be prime with respect to each of these bases. Then by our theorem, there is 1 chance in 2 k that n might still be composite.

41
Primality Tests Algorithm: This gives us a probabilistic method of choosing large prime numbers, unless …

42
Primality Tests It is possible that, for a given n, Fermats Little Theorem holds for all bases a. In fact, such numbers exist. They are called Carmichael numbers. In 1992, it was shown by Alford, Granville, and Pomerance that there are infinitely many Carmichael numbers.

43
Shameless Plug for my Alma Mater This result was proven while Alford, Granville, and Pomerance were on the mathematics faculty of The University of Georgia.

44
Primality Tests So, we might want to look at a better primality test.

45
Primality Tests Another primality test involves some quantities called Jacobi symbols, and in order to define them, we must talk about Legendre symbols.

46
Legendre and Jacobi Symbols Let p be an odd prime number and let a be a natural number. We define the Legendre symbol to be 0 if p divides a, 1 if a is a square mod p, and 1 is a is not a square mod p.

47
Legendre and Jacobi Symbols If n is not prime, we can factor n uniquely as a product of primes p p r r. We define the Jacobi symbol by

48
Legendre and Jacobi Symbols Legendre and Jacobi symbols are easily computed by present-day computers using the Law of Quadratic Reciprocity. For further information, consult any text on elementary number theory.

49
Primality Tests For a prime number p, it is known that

50
Primality Tests Theorem: If n is composite, the equation fails for at least half of the possible bases a in ( Z /n Z ) *.

51
Primality Tests Algorithm: Take a large odd integer n. Choose a random a with 01, then n is composite.

52
Primality Tests Algorithm: If gcd(a,n)=1, then raise a to the (n 1)/2-th power Compute the Jacobi symbol (a/n). If these two numbers are not congruent mod n, then n is composite. If these two numbers are congruent mod n, then n might be prime.

53
Primality Tests Algorithm: Next, choose k different bases a 1, a 2,..., a k and suppose that n might be prime with respect to each of these bases. Then by our theorem, there is 1 chance in 2 k that n might still be composite.

54
Primality Tests Algorithm: This gives us a probabilistic method of choosing large prime numbers.

55
How Big is Large? Suppose we are using an N letter alphabet. Choose natural numbers k and l with k

56
How Big is Large? Each user must choose his prime numbers p and q so that n=pq is between N k and N l.

57
How Big is Large? In this way, every k digit number in the N symbol alphabet can be represented uniquely as a number in Z /n Z.

58
How Big is Large? Further, every number in Z /n Z represents a unique l digit number in the N symbol alphabet.

59
How Big is Large? In this way, we can use a k-graph technique to convert groups of k letters in the plaintext into a unique number in Z /n Z.

60
How Big is Large? Then, using an l-graph technique, the ciphertext numerical string can then be converted into a unique sequence of groups of l letters.

61
The RSA Algorithm

62
Alice and Bob wish to exchange messages through the RSA Algorithm. Alice chooses two large prime numbers, p A and q A. She does this using the probabilistic primality testing discussed earlier. She then computes n A = p A q A and (n A )=(p A 1) (q A 1).

63
The RSA Algorithm Alice next chooses a natural number e A which is relatively prime to (n A ). To do this, take any number of the right size and use the Euclidean Algorithm to find the gcd of that number and (n A ). If the gcd is 1, stop. If not, increment the number by 1 and repeat the process.

64
The RSA Algorithm Since e A is relatively prime to (n A ), e A has a multiplicative inverse e A 1 in the quotient ring Z / (n A ) Z. Let d A = e A 1. Then e A d A mod (n A ).

65
The RSA Algorithm Alices public enciphering key is then K E,A =(n A,e A ). This key is published. Alices private deciphering key is then K D,A =(n A,d A ). This key is kept confidential.

66
The RSA Algorithm Similarly, Bob chooses two large prime numbers, p B and q B. He does this using the probabilistic primality testing discussed earlier. He then computes n B = p B q B and (n B )=(p B 1) (q B 1).

67
The RSA Algorithm Bob also chooses a natural number e B which is relatively prime to (n B ). Do this using the same algorithm Alice used.

68
The RSA Algorithm Since e B is relatively prime to (n B ), e B has a multiplicative inverse e B 1 in the quotient ring Z / (n B ) Z. Let d B = e B 1. Then e B d B mod (n B ).

69
The RSA Algorithm Bobs public enciphering key is then K E,B =(n B,e B ). This key is published. Bobs private deciphering key is then K D,B =(n B,d B ). This key is kept confidential.

70
Exchanges Using RSA

71
Encoding using RSA In order to encode a plaintext message using the RSA algorithm, Alice first converts the plaintext into a string of digits, as described earlier. Call this number P.

72
Encoding using RSA Next, Alice raises P to the e B power and takes the remainder mod n B. She then sends the result, C, to Bob. Since only Bob knows the decoding key d B, only he can read the message.

73
Decoding using RSA Once Bob receives the message C, he raises C to the d B power and reduces mod n B. Since e B d B 1 mod n B, this second exponentiation returns P from C. The decoding is completed by converting this string of digits back into characters.

74
The RSA Algorithm The fact that only Bob knows d B means that only Bob can read the message. This takes care of confidentiality. What about the other three facets of data transfer?

75
Authenticity and Non-Repudiation in the RSA Algorithm

76
Authenticity and Non-Repudiation in RSA To guarantee authenticity and non- repudiation, Alice takes the string of digits P and does one of the following: If n A

77
Authenticity and Non-Repudiation in RSA If n B

78
Authenticity and Non-Repudiation in RSA To perform the decryption, Bob takes the ciphertext C and does one of the following: If n B

79
Authenticity and Non-Repudiation in RSA If n A

80
Authenticity and Non-Repudiation in RSA The key fact here is that Alice has used her private key d A in the encryption process. Since Bob knows Alices public key e A, he can use Alices public key as well as his own private deciphering key to get a readable message which he knows only Alice could have sent.

81
Integrity in RSA

82
In order to ensure that a coded message hasnt been tampered with in transmission, one uses a hash function.

83
Hash Functions Roughly speaking, a hash function is an easily computable map f:x->h from a very long input x to a much shorter output h that has the property that f is one-to-one. That is, two different plaintext messages go to two different hash values.

84
Integrity in RSA If part of Alices signature consists of the hash value h=f(x), where x is the entire text of her message, then Bob can verify not only that the message was really sent by Alice, but also that it wasnt tampered with during transmission.

85
Next Time... In the next lecture, we will look at a second type of public key cryptography based on the use of the group of points on an elliptic curve. This is (appropriately enough) known as elliptic curve cryptography.

86
Thanks for Attending

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google