Public Key Encryption
• Major topics
– How does public key encryption work?
– How are modular exponential values calculated?
– How hard is it to find prime numbers?
– How hard is it to factor the product of two large primes?
• The RSA scheme was devised in 1978
– RSA stands for Rivest, Shamir, Adleman
– The public key approach does not require mutual knowledge of
a secret key, thus it is appropriate for secure information transfer
over the Internet
– However the transfer of large amounts of information is best
done using a secret key; the RSA scheme can be used to share
this key
RSA public-key encryption
• Each participant has a public key and a private key
• Both keys specify 1-to-1 functions from a message
to itself; these functions are inverses, as seen here
M = S_A(P_A(M)) and M = P_A(S_A(M))
• Only user A (Alice) should be able to compute
S_A( ) in a reasonable length of time; everyone
knows P_A and can compute P_A( ) efficiently
• The next slides describe how this system works
Sending a message
• Any eavesdropper cannot read the message since
he cannot compute S_A( ) based on P_A( )
Sending a Digital Signature
• Another interesting application is to send a digital
signature; this works “in reverse”
• Bob needs to know that a document received via the
Internet really came from Alice
• Alice uses her secret code to encrypt her “signature”
• Bob uses Alice’s public key to decrypt the signature and
verify it is Alice since no one else knows Alice’s private
key
Creating public and private keys
A Sample Calculation
• Consider the prime numbers p = 11, q = 29.
– n = pq = 319 and (p-1)(q-1) = 280.
– Select e = 3 and calculate d as the multiplicative
inverse of e mod 280. It turns out that d = 187 because
e * d ≡ 3 * 187 ≡ 1 (mod 280)
– Suppose we want to encrypt the message M = 100
using the public key (3, 319), we calculate 100^3 (mod
319) ≡ 254
– To decrypt 254 using the private key (187, 319) we
calculate 254^187 (mod 319) ≡ 100
• A first question is how quickly can we calculate a
value like 254^187 (mod 319) ?
Modular Exponentiation
• Each iteration uses one of these identities
a^(2c) mod n = (a^c)^2 mod n
or
a^(2c+1) mod n = a * (a^c)^2 mod n
An Example Calculation
• Find a^b mod n when a = 7, b = 560 (binary 1000110000) and
n = 561
(166)^2 (mod 561)
(49)^2 (mod 561)
(67)^2 (mod 561)
(157)^2 (mod 561)
7(526)^2 (mod 561)
7(160)^2 (mod 561)
(298)^2 (mod 561)
(241)^2 (mod 561)
Decoding the Message = 100
• Find a^b (mod n) when a = 254, b = 187, and n = 319

i    b_i   c     d     computation of d
8    1     1     254
7    0     2     78    (254)^2 (mod 319)
6    1     5     100   254(78)^2 (mod 319)
5    1     11    122   254(100)^2 (mod 319)
4    1     23    67    254(122)^2 (mod 319)
3    0     46    23    (67)^2 (mod 319)
2    1     93    67    254(23)^2 (mod 319)
1    1     187   100   254(67)^2 (mod 319)
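The sample calculation and the repeated-squaring table above can be reproduced with the following added example (not part of the original slides). The function names modexp_trace and rsa_sample are illustrative; all numeric inputs are the ones given on the page.

```python
def modexp_trace(a, b, n):
    """Compute a^b mod n by repeated squaring, scanning b's bits from the
    most significant end. Returns (result, rows); each row is (bit, c, d)
    with d == a^c mod n after that bit has been processed."""
    c, d = 0, 1 % n
    rows = []
    for bit in bin(b)[2:]:
        c, d = 2 * c, (d * d) % n        # a^(2c) = (a^c)^2
        if bit == "1":
            c, d = c + 1, (d * a) % n    # a^(2c+1) = a * (a^c)^2
        rows.append((int(bit), c, d))
    return d, rows


def rsa_sample():
    """The page's sample key: p = 11, q = 29, e = 3, message M = 100."""
    p, q, e, m = 11, 29, 3, 100
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    cipher, _ = modexp_trace(m, e, n)    # encrypt with public key (e, n)
    plain, rows = modexp_trace(cipher, d, n)  # decrypt with private key (d, n)
    return {"n": n, "d": d, "cipher": cipher, "plain": plain, "rows": rows}


if __name__ == "__main__":
    s = rsa_sample()
    print("n =", s["n"], "d =", s["d"], "C =", s["cipher"], "M =", s["plain"])
    for bit, c, d in s["rows"]:
        print(f"b_i={bit}  c={c:3d}  d={d:3d}")
    # The earlier slide's example: a = 7, b = 560, n = 561
    print("7^560 mod 561 =", modexp_trace(7, 560, 561)[0])
```

The multiply step runs only when the exponent bit is 1, so the running time of this loop depends on the bits of d; production code uses a cryptographic library's constant-time exponentiation together with a padding scheme rather than this textbook form.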
How Easy is it to Find Large Primes?
• The p and q in the RSA algorithm are primes
– We must be able to find two large prime numbers
quickly
– We also hope it is difficult to factor the product of two
large primes (a later topic)
• Brute force approach
– Generate a large odd number
– The fundamental theorem of arithmetic states that any
number has a unique factorization into prime factors
(only re-ordering is possible)
– So divide by all primes up to the square root of the
number, if no factors are found, the number is prime
– Unfortunately, this is too slow for large numbers
The Density of Primes
– primes are reasonably dense, so finding a large prime
should not be too time consuming
– the prime distribution function π(n) gives the number of
primes <= n
– For n = 10^9, π(n) = 50,847,478 and n/ln n = 48,254,942
which is less than 6% error
– the probability a random integer n is prime is 1/ln n
– for a hundred digit number, approximately 115 odd
numbers would need to be chosen to find a prime
Some Mathematical Foundations
• If some number is a nontrivial square root of 1 (mod
n), then n must be composite
• If a number is prime, then the result of the witness
algorithm (next slide) must be 1; otherwise,
according to Fermat’s theorem, the number must
be composite
Miller-Rabin Primality Testing
• Nontrivial square root of 1, so composite
• Very likely the number is prime, but not for sure
• Must be composite due to Fermat's theorem
Miller-Rabin Algorithm
• s is the number of witnesses to be chosen randomly
• If any witness is found, n must be composite
• For a b-bit number, Miller-Rabin requires O(s b)
arithmetic operations and O(s b^3) bit operations
Error rate for Miller-Rabin
• Choice of s
– if s is 50, then the probability of an error is
“infinitesimally small” (much less than 2^-50)
– smaller values of s are good enough for most
applications
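The witness test and the s-round loop described in the Miller-Rabin slides, written out as an added example (not the slides' own pseudocode, which is missing from this transcript). The reason strings mirror the three outcomes listed above; drawing witnesses from random.SystemRandom is an assumption of this sketch.

```python
import random


def witness(a, n):
    """Return the reason a proves odd n > 2 composite, or None if a is
    not a witness (n is then 'very likely prime, but not for sure')."""
    u, t = n - 1, 0
    while u % 2 == 0:                    # write n - 1 = 2^t * u with u odd
        u, t = u // 2, t + 1
    x = pow(a, u, n)
    for _ in range(t):
        nxt = (x * x) % n
        if nxt == 1 and x != 1 and x != n - 1:
            return "nontrivial square root of 1"
        x = nxt
    if x != 1:                           # a^(n-1) mod n != 1
        return "fails Fermat's theorem"
    return None


def miller_rabin(n, s=50, rng=None):
    """True if n passes s randomly chosen witness tests (probably prime),
    False if any witness is found (certainly composite)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = rng or random.SystemRandom()
    for _ in range(s):
        a = rng.randrange(2, n - 1)      # candidate witness in [2, n - 2]
        if witness(a, n) is not None:
            return False
    return True


if __name__ == "__main__":
    # 561 passes the plain Fermat check for a = 7 (7^560 mod 561 = 1),
    # but the square-root check inside witness() still exposes it.
    print("witness(7, 561):", witness(7, 561))
    print("witness(2, 15): ", witness(2, 15))
    for n in (11, 29, 319, 561, 2**61 - 1):
        print(n, "probably prime" if miller_rabin(n) else "composite")
```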
How Easy is it to Factor p*q ?
• The problems
– It is easy to find two large primes p and q, so in the
public key algorithm we set n = p*q
– The encryption can be broken if n can be factored
• Some techniques for finding factors
– Pollard Rho and Pollard p-1
– Quadratic sieve algorithm
– Elliptic curve algorithm
• We will only look at Pollard Rho
• First we need to lay some mathematical
foundations with the Chinese Remainder Theorem
Chinese Remainder Theorem
• Around 100 AD Sun-Tsu solved the following
– Find those integers that leave remainders 2,3,2 when
divided by 3,5,7 respectively
– all solutions have the form 23 + 105 x
– in general finds a correspondence between a system of
equations modulo pairwise relatively prime moduli
(3,5,7) and an equation modulo their product (105)
• Chinese remainder theorem has two uses
– given n = n_1 n_2 … n_k then the structure of Z_n is identical
to Z_n1 x Z_n2 x … x Z_nk
– this can give efficient algorithms since Zn can be
decomposed into smaller systems
An Example Problem
Pollard’s rho heuristic
• neither the running time nor success is guaranteed
• any divisor it finds will be correct, but it may
never report any results
• in practice, it is one of the most effective
means of factorization currently known
• it will print the factor p after approximately √p
iterations; thus it finds small factors quickly
Pollard’s rho heuristic
• The while loop searches indefinitely for factors,
generating a new x_i each time
• Lines 1-4 are for initialization
• The x_i values saved in y are
when i = 1,2,4,8,16, …
• d is the gcd of y - x_i and n; if
it is nontrivial then it is
printed as a factor of n
• If n is composite, we expect to find enough divisors to
factor n after approximately n^(1/4) updates
The Big Picture
The rho diagrams
• (a) is generated by the x_i starting at 2 for n = 1387
• The factor 19 (since 1387 = 19 * 73) is discovered
when the x_i is 177, this is before the value 1186 is
repeated
• (b) shows the recurrence for mod 19, every x_i in
part (a) is equivalent to the x_i' mod 19
• (c) shows the recurrence for mod 73, again every
x_i in part (a) is equivalent to the x_i'' mod 73
• By the Chinese remainder theorem, each node in
(a) corresponds to a pair of nodes in (b) and (c)
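The n = 1387 run described above, as an added example (not the slides' pseudocode, which is missing from this transcript). It assumes the recurrence x_(i+1) = (x_i^2 - 1) mod n, which the page does not state; unlike the slides' loop, it returns the first factor found and stops after a hypothetical max_iter bound instead of searching indefinitely.

```python
from math import gcd


def pollard_rho(n, x1=2, max_iter=100_000):
    """Return (factor, i, x_i) for the first nontrivial factor found,
    or None if none turns up within max_iter steps."""
    i, x = 1, x1
    y, k = x1, 2                 # y holds the saved x_i for i = 1, 2, 4, 8, ...
    while i < max_iter:
        i += 1
        x = (x * x - 1) % n      # assumed recurrence (not stated on the page)
        d = gcd(y - x, n)
        if d != 1 and d != n:    # nontrivial divisor of n
            return d, i, x
        if i == k:               # save x_i at each power-of-two index
            y, k = x, 2 * k
    return None


if __name__ == "__main__":
    # The page's example: 1387 = 19 * 73, starting from x_1 = 2
    print("1387:", pollard_rho(1387))
    # The modulus from the sample RSA calculation: 319 = 11 * 29
    print("319: ", pollard_rho(319))
    # A prime modulus never yields a nontrivial divisor
    print("29:  ", pollard_rho(29, max_iter=1000))
```

Both toy moduli fall within a handful of iterations because their smallest prime factor is tiny, which is the practical reason both p and q in an RSA key must be large.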
A Summary of Public Key Encryption
• Public key encryption is based on
– A public key P = (e, n) is used to encrypt using
P(M) = M^e (mod n) = C for message M
– Secret key (d, n) decrypts using S(C) = C^d (mod n) = M
• Its success depends on the ease of finding two
large primes since n = p*q and the difficulty in
factoring the product of two large primes
– Using probabilistic approaches like Miller-Rabin large
primes can be found quickly
– However, even the best probabilistic approaches, such
as Pollard Rho, cannot factor this product in a
reasonable amount of time