Public Key Encryption


Major topics
The RSA scheme was devised in 1978. How does public key encryption work? How are modular exponential values calculated? How hard is it to find prime numbers? How hard is it to factor the product of two large primes?

The RSA scheme was devised in 1978
RSA stands for Rivest, Shamir, Adleman. The public key approach does not require mutual knowledge of a secret key, so it is appropriate for secure information transfer over the Internet. However, the transfer of large amounts of information is best done using a secret key; the RSA scheme can be used to share this key.

RSA public-key encryption
Each participant has a public key and a private key. Both keys specify 1-to-1 functions from the set of messages to itself; these functions are inverses, as seen here: M = S_A(P_A(M)) and M = P_A(S_A(M)). Only user A (Alice) should be able to compute S_A( ) in a reasonable length of time; everyone knows P_A and can compute P_A( ) efficiently. The next slides describe how this system works.

Sending a message
An eavesdropper cannot read the message since he cannot compute S_A( ) based on P_A( ).

Sending a Digital Signature
Another interesting application is to send a digital signature; this works "in reverse". Bob needs to know that a document received via the Internet really came from Alice. Alice uses her secret code to encrypt her "signature". Bob uses Alice's public key to decrypt the signature and verify it is Alice, since no one else knows Alice's private key.

Creating public and private keys

A Sample Calculation
Consider the prime numbers p = 11, q = 29. Then n = pq = 319 and (p-1)(q-1) = 280. Select e = 3 and calculate d as the multiplicative inverse of e mod 280. It turns out that d = 187 because e * d ≡ 3 * 187 ≡ 1 (mod 280). Suppose we want to encrypt the message M = 100 using the public key (3, 319): we calculate 100^3 (mod 319) ≡ 254. To decrypt 254 using the private key (187, 319) we calculate 254^187 (mod 319) ≡ 100. A first question is how quickly we can calculate a value like 254^187 (mod 319).

Modular Exponentiation
Each iteration uses one of these identities:
a^(2c) mod n = (a^c)^2 mod n
a^(2c+1) mod n = a * (a^c)^2 mod n

An Example Calculation
Find a^b mod n when a = 7, b = 560 (binary 1000110000) and n = 561.
Step annotations from the slide's table, all taken mod 561: (49)^2, (157)^2, 7(526)^2, 7(160)^2, (241)^2, (298)^2, (166)^2, (67)^2.

Decoding the Message = 100
Find a^b (mod n) when a = 254, b = 187, and n = 319.
Table (partial): i = 8 7 6 5 4 3 2 1; b_i (values not preserved); c = 11 23 46 93 187; d = 254 78 100 122 67.
Step annotations, all taken mod 319: (254)^2, 254(78)^2, 254(100)^2, 254(122)^2, (67)^2, 254(23)^2, 254(67)^2.
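The two identities above, run on this page's own numbers, as an added example (not code from the slides). It rebuilds the c and d rows of both tables and the key pair of the sample calculation; the names `mod_exp_trace` and `toy_rsa_keys` are made up for this illustration.

```python
def mod_exp_trace(a, b, n):
    """Left-to-right repeated squaring.

    Returns (a**b % n, rows); each row is (bit, c, d) with d == a**c % n,
    i.e. the b_i, c and d rows of the slide tables.
    """
    c, d, rows = 0, 1, []
    for bit in bin(b)[2:]:                 # most significant bit first
        c, d = 2 * c, (d * d) % n          # a^(2c) = (a^c)^2
        if bit == "1":
            c, d = c + 1, (d * a) % n      # a^(2c+1) = a * (a^c)^2
        rows.append((int(bit), c, d))
    return d, rows


def toy_rsa_keys(p, q, e):
    """Build (public, private) the way the sample calculation does."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                    # inverse of e mod (p-1)(q-1); Python 3.8+
    return (e, n), (d, n)


if __name__ == "__main__":
    public, private = toy_rsa_keys(11, 29, 3)
    cipher, _ = mod_exp_trace(100, *public)        # encrypt M = 100
    plain, rows = mod_exp_trace(cipher, *private)  # decrypt again
    print(public, private, cipher, plain)
    for bit, c, d in rows:
        print(f"b_i={bit}  c={c:3d}  d={d:3d}")
```

The loop runs once per bit of b, so 254^187 (mod 319) takes 8 iterations rather than 186 multiplications.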

How Easy is it to Find Large Primes?
The p and q in the RSA algorithm are primes. We must be able to find two large prime numbers quickly. We also hope it is difficult to factor the product of two large primes (a later topic).
Brute force approach: generate a large odd number. The fundamental theorem of arithmetic states that any number has a unique factorization into prime factors (only re-ordering is possible). So divide by all primes up to the square root of the number; if no factors are found, the number is prime. Unfortunately, this is too slow for large numbers.

The Density of Primes
Primes are reasonably dense, so finding a large prime should not be too time consuming. The prime distribution function π(n) gives the number of primes <= n. For n = 10^9, π(n) = 50,847,478 and n/ln n = 48,254,942, which is less than 6% error. The probability a random integer n is prime is 1/ln n. For a hundred digit number, approximately 115 odd numbers would need to be chosen to find a prime.

Some Mathematical Foundations
If there is a nontrivial square root of 1 (mod n), then n must be composite. If a number is prime, then the result of the witness algorithm (next slide) must be 1; otherwise, according to Fermat's theorem, the number must be composite.

Miller-Rabin Primality Testing
Annotations on the witness algorithm's three outcomes:
Nontrivial square root of 1, so composite.
Must be composite due to Fermat's theorem.
Very likely the number is prime, but not for sure.

Miller-Rabin Algorithm
s is the number of witnesses to be chosen randomly. If any witness is found, n must be composite. For a b-bit number, Miller-Rabin requires O(s b) arithmetic operations and O(s b^3) bit operations.

Error rate for Miller-Rabin
Choice of s: if s is 50, then the probability of an error is "infinitesimally small" (much less than 2^-50). Smaller values of s are good enough for most applications.
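A sketch of the witness test and the s-round loop described on the last four slides, as an added example rather than the slides' own pseudocode. It uses the common formulation that writes n - 1 = 2^t * u, which is an assumption about presentation; the function names and reason strings are invented here.

```python
import random

NONTRIVIAL_ROOT = "nontrivial square root of 1"
FERMAT = "fails Fermat's theorem"


def witness(a, n):
    """Return the reason base a proves odd n > 2 composite, or None."""
    t, u = 0, n - 1
    while u % 2 == 0:                  # n - 1 = 2^t * u with u odd
        t, u = t + 1, u // 2
    x = pow(a, u, n)
    for _ in range(t):                 # square up to a^(n-1)
        nxt = (x * x) % n
        if nxt == 1 and x != 1 and x != n - 1:
            return NONTRIVIAL_ROOT     # x^2 = 1 but x is not +1 or -1
        x = nxt
    return FERMAT if x != 1 else None  # a^(n-1) must be 1 for prime n


def miller_rabin(n, s=50, seed=None):
    """False: n is certainly composite. True: very likely prime."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(s):                 # s randomly chosen candidate witnesses
        if witness(rng.randrange(2, n - 1), n) is not None:
            return False
    return True


if __name__ == "__main__":
    # 7^560 mod 561 = 1, so Fermat alone is fooled; 67^2 = 1 (mod 561) is not.
    print(witness(7, 561), "|", witness(2, 319))
    print([n for n in (19, 73, 319, 561, 1387) if miller_rabin(n, seed=1)])
```

The base 7 and modulus 561 are the ones from the example calculation above: the final d = 1 passes Fermat's test, while the preceding 67 is the nontrivial square root of 1 that exposes 561 as composite.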

How Easy is it to Factor p*q ?
The problems: it is easy to find two large primes p and q, so in the public key algorithm we set n = p*q. The encryption can be broken if n can be factored.
Some techniques for finding factors: Pollard Rho and Pollard p-1; quadratic sieve algorithm; elliptic curve algorithm. We will only look at Pollard Rho. First we need to lay some mathematical foundations with the Chinese Remainder Theorem.

Chinese Remainder Theorem
Around 100 AD Sun-Tsu solved the following: find those integers that leave remainders 2, 3, 2 when divided by 3, 5, 7 respectively. All solutions have the form 23 + 105 x. In general, the theorem finds a correspondence between a system of equations modulo pairwise relatively prime moduli (3, 5, 7) and an equation modulo their product (105).
The Chinese remainder theorem has two uses: given n = n_1 n_2 … n_k, the structure of Z_n is identical to Z_n1 x Z_n2 x … x Z_nk; and this can give efficient algorithms, since Z_n can be decomposed into smaller systems.
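Both uses in code, as an added example that is not from the slides: `crt` solves Sun-Tsu's system for any pairwise relatively prime moduli, and `mul_via_components` multiplies in Z_n by working in the smaller systems and recombining. The function names are invented for this illustration.

```python
from math import gcd


def crt(residues, moduli):
    """Return (x, N): the unique x in [0, N) with x = r_i (mod n_i), N = prod n_i."""
    x, N = 0, 1
    for r, n in zip(residues, moduli):
        if gcd(N, n) != 1:
            raise ValueError("moduli must be pairwise relatively prime")
        # Choose k so that x + N*k = r (mod n), then fold n into the modulus.
        k = ((r - x) * pow(N, -1, n)) % n      # pow(.., -1, n): Python 3.8+
        x, N = x + N * k, N * n
    return x, N


def to_components(a, moduli):
    """Image of a in Z_n1 x ... x Z_nk."""
    return tuple(a % n for n in moduli)


def mul_via_components(a, b, moduli):
    """Multiply in Z_n using only arithmetic in the smaller Z_ni."""
    parts = [(x * y) % n
             for x, y, n in zip(to_components(a, moduli),
                                to_components(b, moduli), moduli)]
    return crt(parts, moduli)[0]


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))               # Sun-Tsu's problem
    print(to_components(23, [3, 5, 7]))
    print(mul_via_components(1186, 1186, [19, 73]), (1186 * 1186) % 1387)
```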

An Example Problem

Pollard's rho heuristic
Neither the running time nor success is guaranteed. Any divisor it finds will be correct, but it may never report any results. In practice, it is one of the most effective means of factorization currently known. It will print the factor p after approximately √p iterations; thus it finds small factors quickly.

Pollard's rho heuristic
The while loop searches indefinitely for factors, generating a new x_i each time. Lines 1-4 are for initialization. The x_i values saved in y are those for i = 1, 2, 4, 8, 16, … d is the gcd of y - x_i and n; if it is nontrivial then it is printed as a factor of n. If n is composite, we expect to find enough divisors to factor n after approximately n^(1/4) updates.

The Big Picture

The rho diagrams
(a) is generated by the x_i starting at 2 for n = 1387. The factor 19 (since 1387 = 19 * 73) is discovered when x_i is 177; this is before the value 1186 is repeated.
(b) shows the recurrence for mod 19; every x_i in part (a) is equivalent to the x_i' mod 19.
(c) shows the recurrence for mod 73; again every x_i in part (a) is equivalent to the x_i'' mod 73.
By the Chinese remainder theorem, each node in (a) corresponds to a pair of nodes in (b) and (c).
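The loop described on the previous slides, as an added example (the slides' pseudocode is not in this transcript). The update x_{i+1} = x_i^2 - 1 mod n is the usual textbook recurrence and is assumed here; `max_iter` and `recover_private_exponent` are hypothetical additions, the latter showing on the sample key why the modulus must be far too large to factor.

```python
from math import gcd


def pollard_rho(n, x1=2, max_iter=10_000):
    """Return (d, i, x_i) for the first nontrivial divisor d found, else None."""
    i, x, y, k = 1, x1, x1, 2
    while i < max_iter:                # the slides loop indefinitely; bounded here
        i += 1
        x = (x * x - 1) % n            # next x_i (assumed recurrence)
        d = gcd(y - x, n)
        if d != 1 and d != n:
            return d, i, x
        if i == k:                     # save x_i in y when i = 2, 4, 8, 16, ...
            y, k = x, 2 * k
    return None


def recover_private_exponent(e, n):
    """Given only the public key, factor n = p*q and rebuild d (toy sizes only)."""
    found = pollard_rho(n)
    if found is None:
        raise ValueError("no factor found")
    p = found[0]
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    print(pollard_rho(1387))                   # the diagram's n, starting at 2
    print(pollard_rho(319))                    # n from the sample calculation
    print(recover_private_exponent(3, 319))    # private exponent from public key
```

The 9-bit modulus of the sample calculation falls in five iterations; a factor p takes on the order of √p iterations, which is what makes the same loop hopeless against primes hundreds of digits long.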

A Summary of Public Key Encryption
Public key encryption is based on: a public key P = (e, n) is used to encrypt using P(M) = M^e (mod n) = C for message M; the secret key (d, n) decrypts using S(C) = C^d (mod n) = M. Its success depends on the ease of finding two large primes, since n = p*q, and the difficulty in factoring the product of two large primes. Using probabilistic approaches like Miller-Rabin, large primes can be found quickly. However, even the best probabilistic approaches, such as Pollard Rho, cannot factor this product in a reasonable amount of time.