CEN585 – Computer and Network Security
Public-Key Encryption, RSA

Dr. Mostafa Hassan Dahshan
Computer Engineering Department
College of Computer and Information Sciences
King Saud University
http://faculty.ksu.edu.sa/mdahshan

Symmetric Encryption Problems
- Key exchange
  - Two parties already share a key: must have been distributed to them
  - Key distribution center: could be compromised
- Digital signatures
  - verification that a digital message was sent by a particular person

Public-Key Encryption
- Two keys: private, public
- One key for encryption, other for decryption
- Computationally infeasible to determine decryption key using ciphertext and encryption key
- Some algorithms (RSA): if one key is used for encryption, the other can be used for decryption

Ingredients
- Plaintext: readable message
- Encryption algorithm: performs transformations on plaintext
- Ciphertext: scrambled message produced by encryption algorithm

Ingredients
- Public and private keys
  - pair of keys selected or generated
  - one for encryption, other for decryption
  - transformations depend on key used
- Decryption algorithm
  - accepts ciphertext and the matching key
  - produces original plaintext

Operation
- Each user generates a pair of keys
- Place one of the keys in a public register or accessible file (public key)
- Keep the other companion key (private key)
- If Bob wants to send a confidential message to Alice: encrypt with Alice's public key
- Only Alice can decrypt the message with her private key

Advantages
- Private keys generated locally
- Private key need not be distributed
- Keys can be changed at any time

Applications: Confidentiality
  Y = E(PUb, X)
  X = D(PRb, Y)

Applications: Authentication
  Y = E(PRa, X)
  X = D(PUa, Y)

Applications: Confidentiality + Authentication
  Z = E(PUb, E(PRa, X))
  X = D(PUa, D(PRb, Z))

Introduction to Number Theory
- Required to understand RSA Algorithm

Divisors (slide 12)
- a divides b (a|b) if there is no remainder on division b/a, a ≠ 0; we say that a is a divisor of b
- If a|1, then a = 1 or -1
- If a|b and b|a, then a = b or a = -b
- Any b ≠ 0 divides 0
- If b|g and b|h, then b|(mg + nh)

Divisors (slide 13)
- Greatest common divisor c of a and b: c = gcd(a, b)
  - c is a divisor of a and b
  - any divisor of a and b is a divisor of c
- In other words: gcd(a, b) = max [k, such that k|a and k|b]

The Euclidean Algorithm (slide 14)
- For determining the greatest common divisor
- Based on the following theorem: gcd(a, b) = gcd(b, a mod b)
- Examples
  - gcd(55, 22) = gcd(22, 55 mod 22) = gcd(22, 11) = 11
  - gcd(18, 12) = gcd(12, 6) = gcd(6, 0) = 6
  - gcd(11, 10) = gcd(10, 1) = gcd(1, 0) = 1

The Euclidean Algorithm (slide 15)
EUCLID(a, b)
  1. A ← a; B ← b
  2. if B = 0 return A = gcd(a, b)
  3. R ← A mod B
  4. A ← B
  5. B ← R
  6. goto 2

Euclidean Algorithm – Example (slide 16)
Find gcd(1970, 1066)
  1970 = 1 × 1066 + 904    gcd(1066, 904)
  1066 = 1 × 904 + 162     gcd(904, 162)
  904  = 5 × 162 + 94      gcd(162, 94)
  162  = 1 × 94 + 68       gcd(94, 68)
  94   = 1 × 68 + 26       gcd(68, 26)
  68   = 2 × 26 + 16       gcd(26, 16)
  26   = 1 × 16 + 10       gcd(16, 10)
  16   = 1 × 10 + 6        gcd(10, 6)
  10   = 1 × 6 + 4         gcd(6, 4)
  6    = 1 × 4 + 2         gcd(4, 2)
  4    = 2 × 2 + 0         gcd(2, 0)
Therefore, gcd(1970, 1066) = 2

Modular Arithmetic (slide 17)
- Any integer a ≥ 0 can be written as a = qn + r, 0 ≤ r < n, q = ⌊a/n⌋
- Define a mod n as the remainder r of a/n
- Integers a and b are said to be congruent modulo n if (a mod n) = (b mod n)
  - Written as a ≡ b (mod n)
- Example: 73 ≡ 4 (mod 23)

Modular Arithmetic – Operations (slide 18)
- [(a mod n) + (b mod n)] mod n = (a + b) mod n
- [(a mod n) × (b mod n)] mod n = (a × b) mod n

Modular Arithmetic – Properties (slide 19)
- if n|(a – b) then a ≡ b (mod n)
    n|(a – b)
    (a – b) = kn
    a = b + kn
    a mod n = b mod n + kn mod n
- a ≡ b (mod n) implies b ≡ a (mod n)
- a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)

Modular Arithmetic – Properties (slide 20)
Property: Expression
- Commutative laws
  - (a + b) mod n = (b + a) mod n
  - (a × b) mod n = (b × a) mod n
- Associative laws
  - [(a + b) + c] mod n = [a + (b + c)] mod n
  - [(a × b) × c] mod n = [a × (b × c)] mod n
- Distributive law
  - [a × (b + c)] mod n = [(a × b) + (a × c)] mod n
- Identities
  - (0 + a) mod n = a mod n
  - (1 × a) mod n = a mod n

Modular Arithmetic – Properties (slide 21)
- If (a × b) ≡ (a × c) (mod n) and a is relatively prime to n, then b ≡ c (mod n)
- Example
  - 5 × 2 = 10 ≡ 2 mod 8
  - 5 × 10 = 50 ≡ 2 mod 8; 10 ≡ 2 mod 8
- Counter example
  - 6 × 3 = 18 ≡ 2 mod 8
  - 6 × 7 = 42 ≡ 2 mod 8; yet 3 mod 8 ≠ 7 mod 8

Modular Arithmetic – Properties (slide 22)
- Multiplicative inverse w^-1 (mod n) for w (mod n) is the value that satisfies (w × w^-1) ≡ 1 (mod n)
- If a is relatively prime to n, then there exists a multiplicative inverse a^-1 (mod n) to a
- Multiplicative inverse is calculated using the extended Euclidean algorithm

Extended Euclidean Algorithm (slide 23)
EXTENDED_GCD(a, b)
  1. x := 0; lastx := 1
  2. y := 1; lasty := 0
  3. while b ≠ 0
       quotient := a div b
       temp := b
       b := a mod b
       a := temp
       temp := x
       x := lastx − quotient × x
       lastx := temp
       temp := y
       y := lasty − quotient × y
       lasty := temp
  4. return {lastx, lasty, a}

Extended Euclidean Algorithm (slide 24)
- We start by
  - m: modulus
  - b: number we want to get its inverse
- At the end: lasty = b^-1 mod m
- If we end up with a negative value of lasty: add it to the modulus
- For our purpose, x and lastx are not needed

Extended GCD Modified (slide 25)
INV_MOD(m, b)
  1. y := 1; lasty := 0
  2. while b ≠ 0
       quotient := m div b
       temp := b
       b := m mod b
       m := temp
       temp := y
       y := lasty − quotient × y
       lasty := temp
  3. return {lasty}

Example: 7^-1 mod 160 (slide 26)
  m     b                quotient          lasty   y     lasty − quotient × y
  160   7                160 div 7 = 22    0       1     0 – (22 × 1) = -22
  7     160 mod 7 = 6    7 div 6 = 1       1       -22   1 – (1 × -22) = 23
  6     7 mod 6 = 1      6 div 1 = 6       -22     23    -22 – (6 × 23) = -160
  1     6 mod 1 = 0                        23
- 7 × 23 = 161 ≡ 1 mod 160
- 7^-1 mod 160 = 23

Prime Numbers (slide 27)
- p is prime if its only divisors are ±1 and ±p
- Any integer a > 0 can be factored as a = p_1^(a_1) × p_2^(a_2) × … × p_t^(a_t)
  - where p_1 < p_2 < … < p_t are prime numbers
  - a_i is a positive integer
- Examples
  - 91 = 7 × 13
  - 3600 = 2^4 × 3^2 × 5^2

Prime Numbers (slide 28)
- Let P = set of prime numbers
- a = ∏(p ∈ P) p^(a_p), a_p ≥ 0
- Value of any integer can be expressed as a list of nonzero exponents
- Examples
  - 91: {a_7 = 1, a_13 = 1}
  - 3600: {a_2 = 4, a_3 = 2, a_5 = 2}

Prime Numbers (slide 29)
- Multiplying numbers: adding exponents
- a = ∏(p ∈ P) p^(a_p), b = ∏(p ∈ P) p^(b_p), k = ab = ∏(p ∈ P) p^(k_p), k_p = a_p + b_p
- Example
  - k = 12 × 18 = (2^2 × 3^1) × (2^1 × 3^2) = 216
  - k_2 = 2 + 1 = 3; k_3 = 1 + 2 = 3
  - 216 = 2^3 × 3^3 = 8 × 27

Prime Numbers (slide 30)
- Given a = ∏(p ∈ P) p^(a_p), b = ∏(p ∈ P) p^(b_p): if a|b, then a_p ≤ b_p for all p
- Example
  - a = 12; b = 36; 12|36
  - 12 = 2^2 × 3; 36 = 2^2 × 3^2
  - a_2 = 2 = b_2
  - a_3 = 1 ≤ 2 = b_3

Prime Numbers (slide 31)
- If k = gcd(a, b) then k_p = min(a_p, b_p) for all p
- Example
  - 300 = 2^2 × 3^1 × 5^2
  - 18 = 2^1 × 3^2
  - gcd(18, 300) = 2^1 × 3^1 × 5^0 = 6

Relative Prime Numbers (slide 32)
- Integers a and b are relatively prime if they have no prime factors in common, i.e., gcd(a, b) = 1
- Example: 8, 15 are relatively prime
  - Divisors of 8: 1, 2, 4, 8
  - Divisors of 15: 1, 3, 5, 15

Fermat's Theorem (slide 33)
- If p is prime and a is a positive integer not divisible by p, then a^(p-1) ≡ 1 (mod p)
- Another form: a^p ≡ a (mod p)

Fermat's Theorem – Example (slide 34)
- a = 7, p = 19
- 7^2 = 49 ≡ 11 (mod 19)
- 7^4 ≡ 121 ≡ 7 (mod 19), i.e. ((7^2 mod 19) × (7^2 mod 19)) (mod 19)
- 7^8 ≡ 49 ≡ 11 (mod 19)
- 7^16 ≡ 121 ≡ 7 (mod 19)
- a^(p-1) = 7^18 = 7^16 × 7^2 ≡ 7 × 11 ≡ 1 (mod 19)

Euler's Totient Function (slide 35)
- φ(n) = number of positive integers less than n that are relatively prime to n
- If p is a prime number, φ(p) = p – 1
- If p, q are prime numbers, p ≠ q and n = pq: φ(n) = φ(pq) = φ(p) × φ(q) = (p – 1) × (q – 1)
- Example: φ(21) = φ(3) × φ(7) = 2 × 6 = 12
  - Numbers are {1,2,4,5,8,10,11,13,16,17,19,20}

Euler's Theorem (slide 36)
- For every a and n that are relatively prime: a^φ(n) ≡ 1 (mod n)
- Alternative form: a^(φ(n)+1) ≡ a (mod n)
- Examples
  - a = 3; n = 10; φ(10) = 4; a^φ(n) = 3^4 = 81 ≡ 1 (mod 10) = 1 (mod n)
  - a = 2; n = 11; φ(11) = 10; a^φ(n) = 2^10 = 1024 ≡ 1 (mod 11) = 1 (mod n)

Euler's Theorem (slide 37)
- Corollary: if p, q are prime numbers, n = pq, 0 < m < n, then:
  - m^(φ(n)+1) = m^((p – 1)(q – 1) + 1) ≡ m (mod n)
- Also
  - [m^φ(n)]^k ≡ 1 mod n
  - m^(kφ(n)) ≡ 1 mod n
  - m^(kφ(n)+1) = m^(k(p – 1)(q – 1) + 1) ≡ m (mod n)

Testing for Primality (slide 38)
- For RSA, we need very large prime numbers
- Need to determine whether a number is prime or not
- No simple means of doing this
- Current algorithms are probabilistic
  - Fermat primality test
  - Miller-Rabin primality test
  - Frobenius pseudoprimality test
  - elliptic curve primality test

Miller-Rabin Algorithm (slide 39)
TEST(n)
  1. Find integers k, q, with k > 0, q odd, so that (n − 1 = 2^k q);
  2. Select a random integer a, 1 < a < n − 1;
  3. if a^q mod n = 1 then return("inconclusive");
  4. for j = 0 to k − 1 do
       if a^((2^j)q) mod n ≡ n − 1 then return("inconclusive");
  5. return("composite");

Miller-Rabin Algorithm - Example (slide 40)
- Test number n = 29
- (n – 1) = 28 = 2^2 × 7; q = 7, k = 2
- Select random a, 1 < a < 28; let a = 10
- Compute 10^7 mod 29 = 17 ≠ 1, so continue
  - if it was 1, then 29 may be prime (inconclusive)
- Next: try from j = 0 to k-1 (from 0 to 1)
  - j = 0: 10^7 mod 29 = 17 ≠ 28, so continue
  - j = 1: 10^(2×7) mod 29 = 28, return (inconclusive)

Repeated Use of Miller-Rabin (slide 41)
- Given an odd n (not prime) and randomly chosen integer a (1 < a < n − 1)
  - Pr(TEST returns inconclusive) < ¼
- If t different values of a are chosen
  - probability that n passes TEST < (¼)^t
  - For t = 10, probability < 10^-6
- For sufficiently large t, all passing TEST: we can be confident that n is prime

RSA Algorithm (slide 42)
- Plaintext is encrypted in blocks
  - Block's binary value 2^k < n
  - Equivalently, block size k < log2(n)
- Encryption (plaintext block M, ciphertext C)
  - C = M^e mod n
- Decryption
  - M = C^d mod n = (M^e)^d mod n = M^(ed) mod n

Assumptions
- Sender and receiver know n
- Sender knows e
- Only the receiver knows d
- Public key KU = {e, n}
- Private key KR = {d, n}

Requirements and Conditions
- It is required to find e, d, n so that M^(ed) mod n = M
  - Equivalently, M^(ed) ≡ M mod n (M < n)
- From the corollary of Euler's theorem
  - m^(kφ(n)+1) = m^(k(p – 1)(q – 1) + 1) ≡ m (mod n)
- Conditions
  - p, q are prime numbers, n = pq
  - 0 < m < n
  - ed = kφ(n) + 1

Mathematical Justification
- ed = kφ(n) + 1
- ed mod φ(n) = kφ(n) mod φ(n) + 1 mod φ(n)
- ed ≡ 1 mod φ(n)
- d ≡ e^-1 mod φ(n)
- e, d are multiplicative inverses mod φ(n)
- Condition: d (and thus e) is relatively prime to φ(n)
  - Equivalently: gcd(φ(n), d) = 1 (Slide 16)

Ingredients
  p, q, two prime numbers                    private   chosen
  n = pq                                     public    calculated
  e, with gcd(φ(n), e) = 1; 1 < e < φ(n)     public    chosen
  d ≡ e^-1 mod φ(n)                          private   calculated

Example
- Select p = 17, q = 11
- Calculate n = pq = 17 × 11 = 187
- Calculate φ(n) = (p – 1)(q – 1) = 160
- Select e < 160, relatively prime to 160: e = 7
- Calculate d < 160, de ≡ 1 mod 160
  - repeat d = (kφ(n) + 1) / e
  - increment k until you get an integer value
  - 1 × 160 + 1 = 161; d = 161/7 = 23

Example
- KU = {7, 187}, KR = {23, 187}
- Let M = 88

Example
- 88^7 mod 187 = [(88^4 mod 187) × (88^2 mod 187) × (88^1 mod 187)] mod 187
- 88^1 mod 187 = 88
- 88^2 mod 187 = 7744 mod 187 = 77
- 88^4 mod 187 = 59,969,536 mod 187 = 132
- 88^7 mod 187 = (88 × 77 × 132) mod 187 = 894,432 mod 187 = 11

Example
- 11^23 mod 187 = [(11^1 mod 187) × (11^2 mod 187) × (11^4 mod 187) × (11^8 mod 187) × (11^8 mod 187)] mod 187
- 11^1 mod 187 = 11
- 11^2 mod 187 = 121
- 11^4 mod 187 = 14,641 mod 187 = 55
- 11^8 mod 187 = 214,358,881 mod 187 = 33
- 11^23 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187 = 79,720,245 mod 187 = 88

Modular Exponentiation
- If exponentiation is done first, intermediate results will be gargantuan
- We can use the property of modular arithmetic
  - [(a mod n) × (b mod n)] mod n = (a × b) mod n
- To calculate x^11 mod n
  - x^11 = x^(1+2+8) = (x)(x^2)(x^8)
  - compute x mod n, x^2 mod n, x^4 mod n, x^8 mod n
  - calculate [(x mod n) × (x^2 mod n) × (x^8 mod n)] mod n

Modular Exponentiation
- Algorithm for Computing a^b mod n
- Example: a = 7, b = 560 = 1000110000, n = 561

Alternative Method (slide 53)
- source: Wikipedia

Example: 11^23 mod 187 (slide 54)
  step   result                   exponent     base
  0      1                        23 (10111)   11
  1      (1 × 11) % 187 = 11      11 (01011)   (11 × 11) % 187 = 121
  2      (11 × 121) % 187 = 22    05 (00101)   (121 × 121) % 187 = 55
  3      (22 × 55) % 187 = 88     02 (00010)   (55 × 55) % 187 = 33
  4      88                       01 (00001)   (33 × 33) % 187 = 154
  5      (88 × 154) % 187 = 88    0            (154 × 154) % 187 = 154
result = 88

Choice of Keys (slide 55)
- p and q must be large numbers
- Method used to find primes must be efficient
- Typical procedure
  - pick random odd integer
  - pick random a < n
  - perform primality test with a as parameter
  - if n fails test, reject n and restart
  - repeat the test sufficient number of times
  - If n passes all tests, accept n, else restart

Attacks on RSA (slide 56)
- Brute force: try all possible keys
- Mathematical attacks: approaches to factor the product of two primes
- Timing attacks: estimate key by measuring decryption time
- Chosen ciphertext attacks: exploit properties of RSA

Additional References (slide 57)
- Wikipedia: Modular exponentiation; Integer factorization; Extended_Euclidean_algorithm; Primality_test
- Weisstein, Eric W. "Primality Test." From MathWorld--A Wolfram Web Resource, http://mathworld.wolfram.com/PrimalityTest.html
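
The INV_MOD routine, the right-to-left exponentiation table and the p = 17, q = 11 worked example from the slides, as one runnable Python sketch. This is an added example, not code from the original slides; the function names (inv_mod, mod_exp, rsa_keypair, rsa_apply) are chosen here for illustration, and the arithmetic is unpadded textbook RSA on toy numbers.

```python
from math import gcd


def inv_mod(m, b):
    """INV_MOD(m, b) from the slides: b^-1 mod m by extended Euclid."""
    modulus, y, lasty = m, 1, 0
    while b != 0:
        quotient = m // b
        m, b = b, m % b
        y, lasty = lasty - quotient * y, y
    if m != 1:  # m now holds gcd(modulus, b); no inverse unless it is 1
        raise ValueError("arguments are not relatively prime")
    return lasty % modulus  # a negative lasty is brought into 0..modulus-1


def mod_exp(base, exponent, n, trace=None):
    """Right-to-left square-and-multiply; table rows go to trace if given."""
    result = 1
    while exponent > 0:
        if exponent & 1:  # low bit set: multiply the current base in
            result = (result * base) % n
        exponent >>= 1
        base = (base * base) % n  # square for the next bit
        if trace is not None:
            trace.append((result, exponent, base))
    return result


def rsa_keypair(p, q, e):
    """Return KU = (e, n) and KR = (d, n) for distinct primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(phi, e) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(phi(n), e) = 1")
    return (e, n), (inv_mod(phi, e), n)


def rsa_apply(block, key):
    """C = M^e mod n with KU, or M = C^d mod n with KR (no padding)."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than n")
    return mod_exp(block, exponent, n)


if __name__ == "__main__":
    KU, KR = rsa_keypair(17, 11, 7)  # the slides' toy parameters
    C = rsa_apply(88, KU)
    print(KU, KR, C, rsa_apply(C, KR))
```

Passing a list as trace collects the (result, exponent, base) rows of the step table for 11^23 mod 187.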
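
The slides' Miller-Rabin TEST(n), its repeated use with t random bases, and the "Choice of Keys" candidate loop, as an added Python example that is not part of the original slides. The names mr_round, is_probable_prime and random_prime are assumptions made here; the sample call on n = 561 with a = 7 reuses the slides' modular exponentiation parameters, where 7^560 mod 561 = 1 although 561 = 3 × 11 × 17 is composite.

```python
import secrets


def mr_round(n, a):
    """One pass of the slides' TEST(n) with base a (odd n > 3, 1 < a < n-1)."""
    k, q = 0, n - 1
    while q % 2 == 0:  # write n - 1 = 2^k * q with q odd
        k, q = k + 1, q // 2
    x = pow(a, q, n)
    if x == 1:
        return "inconclusive"
    for _ in range(k):  # x runs over a^((2^j) q) mod n, j = 0 .. k-1
        if x == n - 1:
            return "inconclusive"
        x = (x * x) % n
    return "composite"


def is_probable_prime(n, t=10):
    """Repeat the test with t random bases; a composite passes with
    probability below (1/4)^t."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(t):
        a = 2 + secrets.randbelow(n - 3)  # uniform in 2 .. n-2
        if mr_round(n, a) == "composite":
            return False
    return True


def random_prime(bits, t=10):
    """'Choice of Keys' loop: draw odd candidates until one passes."""
    while True:
        # force the top bit (full length) and the low bit (odd)
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, t):
            return n


if __name__ == "__main__":
    print(mr_round(29, 10))  # the slides' n = 29, a = 10 example
    print(pow(7, 560, 561), mr_round(561, 7))  # Fermat check vs. TEST
    print(random_prime(64))
```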