# RSA and Public Key Cryptography Oct. 2002 Nathanael Paul.

## Presentation on theme: "RSA and Public Key Cryptography Oct. 2002 Nathanael Paul."— Presentation transcript:

RSA and Public Key Cryptography Oct. 2002 Nathanael Paul

Some quick things to fill in some holes… (P,C,K,E,D) – P: plaintext – C: ciphertext – K: keyspace – E: encryption function – D: decryption function Someone recently asked me (and something for you to think about for next time): – Can cryptography and math be separated? Why or why not?

What is public key cryptography? Why is there a need? Asymmetric vs. Symmetric Problems solved by public key – Shared secret not needed – Authentication Trapdoor one-way function – Factoring integers – Discrete logs Slow, power hungry

Where did public key cryptography come from? Diffie and Hellman – Credited with invention (circa 1976) – One year later, RSA is invented – April 2002, ACM communications 1970 James Ellis (British Gov’t) – “The possibility of non-secret encryption” – NSA claims

Overview RSA – Rivest, Shamir, Adleman, 1977 Z n – Modular operations (the expensive part) – A sender looks up the public key of the receiver, and encrypts the message with that key – The receiver decrypts the message with his private key – Although, public key is public information, private key is secret but related to the public key in a special way

Essence of RSA P, C are in Z n n = p * q, where p and q are primes y = E k (m) = m b mod n m = D k (y) = y a mod n – D(y) = D(E(m)) = D(m b ) = (m b ) a = m – Factoring not necessary for decryption The public key is (b,n), everything else is private private key is (a,n)

Some relationships a is relatively prime to (p-1)(q-1) ab  1 (mod (p-1)(q-1))  (n) = (p-1)(q-1). ???  (n) = { x < n : gcd(x, n) = 1 } – “all integers less than n that are relatively prime to n” Let’s check to see if encryption and decryption really are inverse operations.

Checking RSA ab  1 (mod  (n)) – “ab is some multiple of (  (n) + 1) ab = t(  (n) + 1), t >= 1 (m b ) a  m t(  (n) + 1) (mod n)  (m  (n) ) t m (mod n)  (1) t m (mod n)by Euler’s Thm.  m (mod n) DONE

How to pick a public key Pick 2 primes, p and q Compute n = pq and  (n) = (p-1)(q-1) Choose a random b (1 < b <  (n)) – gcd (b,  (n)) = 1 Compute a = b -1 mod  (n) – Extended euclidean algorithm Publish the public key – (b, n) is a person’s public key now (i.e., people may now send encrypted text using this public key)

Bob chooses his public key He randomly chooses 17 th and 19 th primes, 59 and 67, respectively (p = 59, q = 67)  (n) = (58)(66) = 3828 Pick a random b, less than 3828 but > 1 – Let’s try 2669. Will that work? gcd(2669, 3828) = 1 Now, ab  1 (mod  (n)) – a * 2669  1 mod 3828 – a will exist iff gcd(a,  (n)) = 1

Bob finishes his calculations in making his public key… a = b -1 in Z n, recall a is the decryption exponent a = 1625 (b -1 = 1625 modd 3828) Bob’s private key (a, n) is (1625,3953), so now Bob publishes his public key (b,n) as (2669, 3953)

Alice wants to send Bob a message, m… Alice has plaintext 3128 to send. She will send E(m): – Alice encrypts with public key (b,n) or (2669,3953) – E(m) = 3128 2669 mod 3953 = 3541 Bob receives the ciphertext 3541: – Bob decrypts with private key (a,n) or (1625,3953) – 3541 1625 mod 3953 = 3128

Some notes about a,b, p, and q p and q must be large for security b, the encryption exponent, does not have to be that large (2 16 – 1 = 65535 is good) a, the decryption exponent, needs to be sufficiently large (512 to 2048 bits) Having to work with such large numbers, we need to look at some other elements of RSA.

RSA: Component Operations Exponentiation – We need to do it fast Factorization – Believed to be difficult (security is here) Finding prime numbers and testing primality – Rabin Miller test – New polynomial time algorithm http://mathworld.wolfram.com/news/2002-08-07_primetest/ http://www.cse.iitk.ac.in/primality.pdf

Fast Exponentiation a ^ 256 mod 7 – Don’t do (a*a*a…*a) 256 times and mod by 7 (a * b) mod p = (a mod p * b mod p) mod p – Shortcut: Look at binary representation of 256 – 256 = 2 8, (((((((a 2 ) 2 ) 2 ) 2 ) 2 ) 2 ) 2 ) 2 and mod 7 each time you perform a square – 25 = 11001 = 2 4 + 2 3 + 2 0 a ^ 25 mod n = (a * a 8 * a 16 ) mod n = (a * (((a 2 ) 2 ) 2 ) * ((((a 2 ) 2 ) 2 ) 2 )) mod n (((((((a 2 mod n)*a) mod n) 2 mod n) 2 mod n) 2 mod n) * a) mod n

Factorization Brute force is stupid and slow – d = 1,2,3,4,… Does d divide n? – Factoring n = pq. If p = p 2, so  n >= p – d can go high as  n in worst case – For n ~ 10 40, 10 20 number of divisions Use structure of Z n – p –1 method (not really used, but a good speedup) – Pollard’s rho method – Quadratic sieve, Number Field Sieve (NFS) – Is there a better method out there?

Finding some prime numbers Easy to generate a number, but how do you know if it’s prime? Rabin Miller – If n is prime, output is always “could be” – If n is composite, output is “composite” or “could be” – If n is composite and “could be” is returned, the probability of a wrong answer is <= ¼ New polynomial algorithm that can say yes/no!

Using RSA: What can go wrong? Computing  (n) is no easier than factoring n From n = pq and  (n) = (p-1)(q-1), we obtain: – p 2 – (n -  (n) + 1)p + n = 0 – The roots of the above equation will be p and q If the decryption exponent, a is known, Bob needs to choose a new decryption exponent. – That isn’t enough! Bob must also choose a new modulus.

DES vs. RSA RSA is about 1500 times slower than DES – Exponentiation and modulus Generation of numbers used in RSA can take time Test n against known methods of factoring – http://www.rsasecurity.com/rsalabs/challenges/factoring/numbers.html

Key Distribution Then hard problem for symmetric (secret) key ciphers Transmitting a private key on an insecure channel – Asymmetric system solves problem

Primitive roots  is a pritimitive root of Fp you can get all elements of Fp from  – There exists an m such that:  m = n mod p, for 1 <= n < p m is unique Can you solve for m? Yes, but it’s hard by currently known methods (Discrete log) All primes have primitive roots

Example of primitive root Consider the element 2 x mod 13 2 0  1 mod 13 2 8  9 mod 13 2 1  2 mod 13 2 9  5 mod 13 2 2  4 mod 13 2 10  10 mod 13 2 3  8 mod 13 2 11  7 mod 13 2 4  3 mod 13 2 5  6 mod 13Primitive roots are not 2 6  12 mod 13found this way in Fp, but 2 7  11 mod 13this is an example of a primitive root.

Key distribution: Alice and Bob need to talk Insecure channel of communication First, set up our field that our numbers will operate within: – p, a large prime (sets up something called our field) –  is called a primitive root of Fp

Alice and Bob obtain a private key using public keys aa bb Bob Alice k o = (  a ) b k 1 = (  b ) a So, k 1 = k o, and a secret key is shared between Alice and Bob.

What does the adversary know, and what can he do? Knows  a,  b, , and p So we want to find the key, k – k =  ab – This is believed to be hard. If one knows how to compute discrete logs efficiently, then one can break this scheme (and other schemes based on public key cryptography)

Public Key Cryptographic Use Secure RPC SSL Cisco encrypting routers

Key distribution Key freshness Predistribution Agreement protocols

Trusted Authority – Alice and Bob need to talk (again) How about a TA issuing a certificate? – TA shares a secret key with each person that may ever want to communicate with TA – Alice asks for Bob’s public key, so TA issues a certificate: E (K, ID(Bob), T, L) – E is done with Alice and TA’s shared key – K is random, T is timestamp, L is lifetime – Alice can verify certificate is from TA – Ex. Kerberos

Reading “New Directions in Cryptography” – http://www.cs.rutgers.edu/~tdnguyen/classes/cs671/ presentations/Arvind-NEWDIRS.pdf http://www.cs.rutgers.edu/~tdnguyen/classes/cs671/ presentations/Arvind-NEWDIRS.pdf "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" – http://theory.lcs.mit.edu/~cis/pubs/rivest/rsapaper.ps