Download Rivest-Shamir

Lecture 8 Overview
Analysis of Algorithms
• Algorithms
– Time Complexity
– Space Complexity
• An algorithm whose time complexity is
bounded by a polynomial is called a
polynomial-time algorithm.
– An algorithm is considered to be efficient if it runs
in polynomial time.
CS 450/650 Lecture 8: Algorithm Background
2
Time and Space
• Should be calculated as function of problem
size (n)
– Sorting an array of size n,
– Searching a list of size n,
– Multiplication of two matrices of size n by n
• T(n) = function of n (time)
• S(n) = function of n (space)
• relative rates of growth
– 1000n vs. n2
CS 450/650 Lecture 8: Algorithm Background
3
Definitions
 T(n) = O(f(n)): T is bounded above by f
The growth rate of T(n) <= growth rate of f(n)
 T(n) = W (g(n)): T is bounded below by g
The growth rate of T(n) >= growth rate of g(n)
 T(n) = Q(h(n)): T is bounded both above and below by h
The growth rate of T(n) = growth rate of h(n)
 T(n) = o(p(n)): T is dominated by p
The growth rate of T(n) < growth rate of p(n)
CS 450/650 Lecture 8: Algorithm Background
4
Time Complexity







C
O(n)
O(log n)
O(nlogn)
O(n2)
…
O(nk)
 O(2n)
 O(kn)
 O(nn)
Polynomial
Exponential
CS 450/650 Lecture 8: Algorithm Background
O(2log n)
5
P, NP, NP-hard, NP-complete
• A problem belongs to the class P if the problem can be
solved by a polynomial-time algorithm
• A problem belongs to the class NP if the correctness of
the problem’s solution can be verified by a polynomialtime algorithm
• A problem is NP-hard if it is as hard as any problem in NP
– Existence of a polynomial-time algorithm for an NP-hard
problem implies the existence of polynomial solutions for every
problem in NP
• NP-complete problems are the NP-hard problems that
are also in NP
CS 450/650 Lecture 8: Algorithm Background
6
Relationships between different classes
NP
NP-hard
P
CS 450/650 Lecture 8: Algorithm Background
NP-complete
7
Lecture 9
Rivest-Shamir-Adelman (RSA)
CS 450/650
Fundamentals of
Integrated Computer Security
Slides are modified from Hesham El-Rewini
RSA
• Invented by Cocks (GCHQ), independently,
by Rivest, Shamir and Adleman (MIT)
• Two keys e and d used for Encryption and
Decryption
– The keys are interchangeable
• M = D(d, E(e, M) ) = D(e, E(d, M) )
– Public key encryption
• Based on problem of factoring large numbers
– Not in NP-complete
– Best known algorithm is exponential
CS 450/650 Lecture 9: RSA
9
RSA
• To encrypt message M compute
– c = Me mod N
• To decrypt ciphertext c compute
– M = cd mod N
CS 450/650 Lecture 9: RSA
10
Key Choice
• Let p and q be two large prime numbers
• Let N = pq
• Choose e relatively prime to (p1)(q1)
– a prime number larger than p-1 and q-1
• Find d such that ed mod (p1)(q1) = 1
CS 450/650 Lecture 9: RSA
11
RSA
• Recall that e and N are public
• If attacker can factor N, he can use e to easily
find d
– since ed mod (p1)(q1) = 1
• Factoring the modulus breaks RSA
• It is not known whether factoring is the only
way to break RSA
CS 450/650 Lecture 9: RSA
12
Does RSA Really Work?
• Given c = Me mod N we must show
– M = cd mod N = Med mod N
• We’ll use Euler’s Theorem
– If x is relatively prime to N then x(N) mod N =1
• (n): number of positive integers less than n that are
relatively prime to n.
• If p is prime then, (p) = p-1
CS 450/650 Lecture 9: RSA
13
Does RSA Really Work?
• Facts:
– ed mod (p  1)(q  1) = 1
– ed = k(p  1)(q  1) + 1
by definition of mod
– (N) = (p  1)(q  1)
– Then ed  1 = k(p  1)(q  1) = k(N)
• Med = M(ed-1)+1 = MMed-1 = MMk(N)
= M(M(N)) k mod N = M1 k mod N
= M mod N
CS 450/650 Lecture 9: RSA
14
Example
• Select primes p=11, q=3.
• N = p* q = 11*3 = 33
• Choose e = 3
• check gcd(e, p-1) = gcd(3, 10) = 1
– i.e. 3 and 10 have no common factors except 1
• check gcd(e, q-1) = gcd(3, 2) = 1
• therefore gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1
CS 450/650 Lecture 9: RSA
15
Example (cont.)
• p-1 * q-1 = 10 * 2 = 20
• Compute d such that
e * d mod (p-1)*(q-1) = 1
3 * d mod 20 = 1
d=7
Public key = (N, e) = (33, 3)
Private key = (N, d) = (33, 7)
CS 450/650 Lecture 9: RSA
16
Example (cont.)
• Now say we want to encrypt message m = 7
• c = Me mod N = 73 mod 33 = 343 mod 33 = 13
– Hence the ciphertext c = 13
• To check decryption, we compute
M' = cd mod N = 137 mod 33 = 7
CS 450/650 Lecture 9: RSA
17
More Efficient RSA
• Modular exponentiation example
– 520 = 95367431640625 = 25 mod 35
• A better way: repeated squaring
–
–
–
–
–
–
Note that 20 = 2  10, 10 = 2  5, 5 = 2  2 + 1, 2 = 1 2
51= 5 mod 35
52= (51) 2 = 52 = 25 mod 35
55= (52) 2  51 = 252  5 = 3125 = 10 mod 35
510 = (55) 2 = 102 = 100 = 30 mod 35
520 = (510) 2 = 302 = 900 = 25 mod 35
• No huge numbers and it’s efficient!
CS 450/650 Lecture 9: RSA
18
RSA key-length strength
• RSA has challenges for different key-lengths
– RSA-140
• Factored in 1 month using 200 machines in 1999
– RSA-155 (512-bit)
• Factored in 3.7 months using 300 machines in 1999
– RSA-160
• Factored in 20 days in 2003
– RSA-200
• Factored in 18 month in 2005
– RSA-210, RSA-220, RSA-232, … RSA-2048
CS 450/650 Lecture 9: RSA
19
Symmetric vs Asymmetric
Secret Key (Symmetric)
Number of keys
1
Protection of key Must be kept secret
Public Key (Asymmetric)
2
One key must be kept secret; the
other can be freely exposed
Best uses
Cryptographic workhorse; secrecy Key exchange, authentication
and integrity of datasingle
characters to blocks of data,
messages, files
Key distribution
Must be out-of-band
Public key can be used to
distribute other keys
Speed
Fast
Slow; typically, 10,000 times
slower than secret key
CS 450/650 Fundamentals of Integrated Computer Security
20
Group Work
Find keys d and e for the RSA cryptosystem with
p = 7 and q = 11
Solution
– p*q = 77
– (p-1) * (q-1) = 60
– e = 37
– d = 13
– n = 13 * 37 = 481 = 1 mod 60
CS 450/650 Lecture 9: RSA
21