* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Public Key Encryption
Survey
Document related concepts
Transcript
Public Key Encryption • Major topics – – – – How does public key encryption work? How are modular exponential values calculated? How hard is it to find prime numbers? How hard is it to factor the product of two large primes? • The RSA scheme was devised in 1978 – RSA stands for Rivest, Shamir, Aldeman – The public key approach does not require mutual knowledge of a secret key, thus it is appropriate for secure information transfer over the Internet – However the transfer of large amounts of information is best done using a secret key; the RSA scheme can be used to share this key RSA public-key encryption • Each participant has a public key and a private key • Both keys specify 1-to-1 functions from a message to itself; these functions are inverses, as seen here M = SA(PA (M)) and M = PA (SA (M)) • Only user A (Alice) should be able to compute SA ( ) is a reasonable length of time; everyone knows PA and can compute PA ( ) efficiently • The next slides describe how this system works Sending a message • Any eavesdropper cannot read the message since he cannot compute SA( ) based on PA ( ) Sending a Digital Signature • Another interesting application is to send a digital signature; this works “in reverse” • Bob needs to know that a document received via the Internet really came from Alice • Alice uses her secret code to encrypt her “signature” • Bob uses Alice’s public key to decrypt the signature and verify it is Alice since no one else knows Alice’s private key Creating public and private keys A Sample Calculation • Consider the prime numbers p = 11, q = 29. – n = pq = 319 and (p-1)(q-1) = 280. – Select e = 3 and calculate d as the multiplicative inverse of e mod 280. It turns out that d = 187 because e * d ≡ 3 * 187 ≡ 1 (mod 280) – Suppose we want to encrypt the message M = 100 using the public key (3, 319), we calculate 1003 (mod 319) ≡ 254 – To decrypt 254 using the private key (187, 319) we calculate 254187 (mod 319) ≡ 100 • A first question is how quickly can we calculate a value like 254187 (mod 319) ? Modular Exponentiation • Each iteration uses one of these identities a2c mod n = (ac)2 mod n or a2c+1 mod n = a * (ac)2 mod n An Example Calculation • Find ab mod n when a = 7, b = 560 (1000110000) and n = 561 (166)2 (mod 561) (49)2 (mod 561) (67)2 (mod 561) (157)2 (mod 561) 7(526)2 (mod 561) 7(160)2 (mod 561) (298)2 (mod 561) (241)2 (mod 561) Decoding the Message = 100 • Find ab (mod n) when a = 254, b = 187, and n = 319 i 8 7 6 5 4 3 2 1 bi 1 0 1 1 1 0 1 1 c 1 2 5 11 23 46 93 187 d 254 78 100 122 67 23 67 100 (254)2 (mod 319) 254(23)2 (mod 319) 254(67)2 (mod 319) 254(78)2 (mod 319) 254(100)2 (mod 319) (67)2 (mod 319) 254(122)2 (mod 319) How Easy is it to Find Large Primes? • The p and q in the RSA algorithm are primes – We must be able to find two large prime numbers quickly – We also hope it is difficult to factor the product of two large primes (a later topic) • Brute force approach – Generate a large odd number – The fundamental theorem of arithmetic states that any number has a unique factorization into prime factors (only re-ordering is possible) – So divide by all primes up to the square root of the number, if no factors are found, the number is prime – Unfortunately, this is too slow for large numbers The Density of Primes – primes are reasonably dense, so finding a large prime should not be too time consuming – the prime distribution function (n) gives the number of primes <= n – For n = 109, (n) = 50,847,478 and n/ln n = 48,254,942 which is less than 6% error – the probability a random integer n is prime is 1/ln n – for a hundred digit number, approximately 115 odd numbers would need to be chosen to find a prime Some Mathematical Foundations • If a number is a nontrivial square root of 1 (mod n), then it must be composite • If a number is prime, then the result of the witness algorithm (next slide) must be 1; otherwise, according to Fermat’s theorem, the number must be composite Miller-Rabin Primality Testing Nontrivial square root of 1, so composite Very likely the number is prime, but not for sure Must be composite due to Fermat’s theorem Miller-Rabin Algorithm • s is the number of witnesses to be chosen randomly • If any witness is found, n must be composite • For a b-bit number, Miller-Rabin requires O(s b) arithmetic operations and O(s b3) bit operations Error rate for Miller-Rabin • Choice of s – if s is 50, then the probability of an error is “infinitesimally small” (much less than 2-50) – smaller values of s are good enough for most applications How Easy is it to Factor p*q ? • The problems – It is easy to find two large primes p and q, so in the public key algorithm we set n = p*q – The encryption can be broken if n can be factored • Some techniques for finding factors – Pollard Rho and Pollard p-1 – Quadratic sieve algorithm – Elliptical curve algorithm • We will only look at Pollard Rho • First we need to lay some mathematical foundations with the Chinese Remainder Theorem Chinese Remainder Theorem • Around 100 AD Sun-Tsu solved the following – Find those integers that leave remainders 2,3,2 when divided by 3,5,7 respectively – all solutions have the form 23 + 105 x – in general finds a correspondence between a system of equations modulo pairwise relatively prime moduli (3,5,7) and an equation modulo their product (105) • Chinese remainder theorem has two uses – given n = n1n2…nk then the structure of Zn is identical to Zn1 x Zn2 x … x Znk – this can give efficient algorithms since Zn can be decomposed into smaller systems An Example Problem Pollard’s rho heutistic • neither the running time nor success is guaranteed • any divisor it finds will be correct, but it may never report any results • in practice, it is the one of the most effective means of factorization currently known • it will print the factor p after approximately p iterations; thus it finds small factors quickly Pollard’s rho heuristic • The while loop searches indefinitely for factors generating a new xi each time • Lines 1-4 are for initialization • The xi values saved in y are when i = 1,2,4,8,16, … • d is the gcd of y- xi and n; if it is nontrivial then it is printed as a factor of n • If n is composite, we expect to find enough divisors to factor n after approximately n1/4 updates The Big Picture The rho diagrams • (a) is generated by the xi starting at 2 for n = 1387 • The factor 19 (since 1387 = 19 * 73) is discovered when the xi is 177, this is before the value 1186 is repeated • (b) show the recurrence for mod 19, every xi in part (a) is equivalent to the xi‘ mod 19 • (c) shows the recurrence for mod 73, again every xi in part (a) is equivalent to the xi” mod 73 • By the Chinese remainder theorem, each node in (a) corresponds to a pair of nodes in (b) and (c) A Summary of Public Key Encryption • Public key encryption is based on – A public key P = (e, n) is used to encrypt using P(M) = Me (mod n) = C for message M – Secret key (d, n) decrypts using S(C) = Cd (mod n) = M • It’s success depends on the ease of finding two large primes since n = p*q and the difficulty in factoring the product of two large primes – Using probabilistic approaches like Miller-Rabin large primes can be found quickly – However, even the best probabilistic approaches, such as Pollard Rho, cannot factor this product in a reasonable amount of time