Download 01204427-PublicKey_RSA

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
Document related concepts
no text concepts found
Transcript 
RSA and its Mathematics Behind
July 2011
Topics





Modular Arithmetic
Greatest Common Divisor
Euler’s Identity
RSA algorithm
Security in RSA
Modular Arithmetic



A system of arithmetic for
integers, where numbers wrap
around after they reach a
certain value—the modulus
Modular or "clock" arithmetic is
arithmetic on a circle instead of
a number line
In modulo N , we use only the
twelve whole numbers from 0
through N-1
The 12-hour clock : modulo 12
If the time is 9:00 now, then 4
hours later it will be 1:00
9+4 =13
13 % 12= 1
Modular Clock Arithmetic

1:00 and and 13:00 hours are the same
1:00 and and 25:00 hours are the same

1  13 (mod 12)

a  b (mod n)
n is the modulus
a is congruent to b modulo n
a-b is an integer multiple of (divisible by) n
a%n=b%n
Example

38  14 (mod 12)


38  2 (mod 12)


38-14 = 24 ; multiple of 12
38-2 = 36 ; multiple of 12
The same rule for negative number



-8  7 (mod 5)
2  -3 (mod 5)
-3  -8 (mod 5)
Congruence Class Example
--
1  6  11 (mod 5)
10
5
0
-- 14 9 4
8
13
--

1 6 11 -3
2
7
12
--
Congruence Classes of the integers modulo 5
Replace of congruence item

Let
11 +16  3 (mod 12) and
16  4 (mod 12), therefore
11 +16  11 + 4  (mod 12)

Let
9835  7 (mod 12) and
1177  1 (mod 12), therefore
9835*1177  7 * 1  7 (mod 12)
Modular Arithmetic Notation
Modulus operator
Congruence relation
a = b mod n
a  b (mod n)
Inputs a number a and a base b,
outputs a mod b as the remiander of
ab (value between 0 and b –1)
Relates two numbers a, b to each other
relative some base
= means that integer a is the reminder
of the division of integer b by integer n
 indicates that the integers a and b fall
into the same congruence class modulo
n (same remainder when diving by b)
2 = 14 mod 3
14  2 (mod 3)
Exercise (I)
A: Compute
1.
113 mod 24:
24 113
2.
9
-29 mod 7
Exercise (II)
Q: Which of the following are true?
1. 3  3 (mod 17)
2. 3  -3 (mod 17)
3. 172  177 (mod 5)
4. -13  13 (mod 26)
10
Topics





Modular Arithmetic
Greatest Common Divisor
Euler’s Identity
RSA algorithm
Security in RSA
Greatest Common Divisor

Def: Let a,b be integers, not both zero. The greatest common
divisor of a and b (or gcd(a,b) ) is the biggest number d which
divides both a and b without a remainder


gcd (8,12) =4
Find gcd (54, 24)




54x1 = 27x2 = 18x3 = 9x6; {1, 2 ,3, 6, 9, 18, 27, 54}
24x1 = 12x2 = 8x3 = 4x6; {1, 2 ,3, 4, 6, 8, 12, 54}
Share number : {1, 2, 3, 6}
gcd (54, 24) = 6
Finding GCD

gcd(a,0) = a, and gcd(a,b) = gcd(b, a mod b)
Find gcd(132, 28) :
1. r = 132 mod 28 = 20
2. r = 28 mod 20 = 8
3. r = 20 mod 8 = 4
4. r = 8 mod 4 = 0
gcd(132, 28) = 4
=> gcd(28, 20)
=> gcd(20,8)
=> gcd(8,4)
=> gcd(4,0)
1
2
3
4
5
a
132
28
20
8
4
b
28
20
8
4
0
GCD and Relatively Prime


Def: two integers a and b are said to be relatively prime (also
called co-prime) if gcd(a,b) = 1
so no prime common divisors.
Find gcd(28, 15) :
1. r = 28 mod 15 = 13 => gcd(15, 13)
2. r = 15 mod 13 = 2 => gcd(13, 2)
3. r = 13 mod 2 = 1 => gcd(2,1)
4. r = 2 mod 1 = 0 => gcd(1,0)
15 and 28 are relative prime
gcd(28,15) = 1
Since a prime number has no factors besides itself, clearly a prime number
is relatively prime to every other number (except for multiples of itself)
Test Relative Prime
Q: Find the following gcd’s:
1.
gcd(77,11)
2.
gcd(77,33)
3.
gcd(36,24)
4.
gcd(23,7)
15
Topics





Modular Arithmetic
Greatest Common Divisor
Euler’s Identity
RSA algorithm
Security in RSA
Euler's Totient Function

(N) = the numbers between 1 and N - 1 which are

relatively prime to N
Thus:






(4) = 2
(5) = 4
(6) = 2
(7) = 6
(8) = 4
(9) = 6
(1 and 3 are relatively prime to 4)
(1, 2, 3, and 4 are relatively prime to 5)
(1 and 5 are relatively prime to 6)
(1, 2, 3, 4, 5, and 6 are relatively prime to 7)
(1, 3, 5, and 7 are relatively prime to 8)
(1, 2, 4, 5, 7, and 8 are relatively prime to 9)
Compute (N) in
C code:
phi = 1;
for (i = 2 ; i < N ; ++i)
if (gcd(i, N) == 1)
++phi;
Euler's Totient Function, cont

Note that (N) = N-1 when N is prime

Somewhat obvious fact that (N) is also easy to calculate
when N has exactly two different prime factors:
(p*q) = (p-1)*(q-1)

Example: Find  (15)
Euler’s Totient Theorem

One of the important keys to the RSA algorithm

If gcd(m, n) = 1 and m < n, then m(n)  1 (mod n)
where (n) = (p1-1)*(q-1)
m(n)  1 (mod n)
relatively prime
m (p-1)(q-1) mod n = 1

Example:
m (p-1)(q-1) mod n = 1
M=38
replace
(p-1)(q-1)
with
(11-1)(5-1)
n=55
3840 mod 55 = 1
More in Euler’s Theorem

Multiply both sides of equation by m
m (p-1)(q-1) mod n = 1
m (p-1)(q-1) *m mod n = 1*m
m (p-1)(q-1)+1 mod n = m
m (n)+1 mod n = m
The Road to crypto


If we can find two numbers, call them e and d, such that
e*d = [(p-1)(q-1)]+1
n = p*q
Use e as the private key and d as the public key;
Encrypts:
Decrypts:
c  me (mod n)
m  cd (mod n)
cd = (me (mod n))d
= med (mod n)
= m(p-1)(q-1)+1 (mod n)
= m(n)+1 (mod n)
=m
Recall Euler’s theorem
m (n)+1 mod n = m
A trapdoor one-way function
Public key
Message
m
c = f(m) = me mod n
Ciphertext
c
m = f-1(c) = cd mod n
Private key
(trapdoor information)
n = p*q (p & q: primes)
e*d = 1 mod (p-1)(q-1)
Topics





Modular Arithmetic
Greatest Common Divisor
Euler’s Identity
RSA algorithm
Security in RSA
RSA





Public key cryptosystem
Proposed in 1977 by Ron L. Rivest,
Adi Shamir and Leonard Adleman
at MIT
Best known & widely used publickey scheme
Based on exponentiation in a finite
(Galois) field over integers modulo
a prime
Main patent expired in 2000
Shamir
Rivest
Rivest Adleman
Shamir Adleman
RSA Algorithm


Uses two keys : e and d for encryption and decryption
A message m is encrypted to the cipher text by
c = me mod n

The ciphertext is recover by
m = cd mod n

Because of symmetric in modular arithmetic
m = cd mod n = (me)d mod n = (md)e mod n

One can use one key to encrypt a message and another
key to decrypt it
RSA Key Setup
1.
Selecting two large primes at random : p, q

2.
Computing their system modulus n=p*q

3.

5.
6.
note ø(n)=(p-1)(q-1)
Selecting at random the encryption key e

4.
Typically 512 to 2048 bits
where 1<e<ø(n), gcd(e,ø(n))=1
Meaning: there must be no numbers that divide neatly into e and
into (p-1)(q-1), except for 1.
Solve following equation to find decryption key d

e*d=1 mod ø(n) and 0≤d≤n

In other words, d is the unique number less than n that when multiplied by e
gives you 1 modulo ø(n)
Publish public encryption key: PU={e,n}
Keep secret private decryption key: PR={d,n}
Example: Key Generation Step by Step
Step
Example
Selecting two large primes at random : p, q p = 7; q = 19
(use small numbers for demonstration)
Computing their system modulus n=p.q
ø(n) = (p-1)(q-1)
n = 7*19 = 133
ø(n) = (7-1)*(19-1) = 6*18 = 108
Selecting at random the encryption key e
and gcd(e, 108) = 1
e=5
find decryption key d such that
e*d = 1 mod ø(n) and 0≤d≤n
d*5 mod 108 = 1; d = 65
Check : 65*5 = 325; 325 mod 108 = 1
Public encryption key: PU={e,n}
PU = {5,133}
Secret private decryption key: PR = {d,n}
PR = {65,133}
Encryption and Decryption for m = 6
c = me mod n = 65 % 133 = 62
m = cd mod n = 6265 % 133 = 6
Key Generation : Find n and ø(n)
1) Generate two large prime numbers, p and q
Lets have: p = 7 and q = 19
2) Find n = p*q
n =7*19 = 133
3) Find ø(n) = (p-1)(q-1)
ø(n) = (7-1)(19-1)= 6 * 18 = 108
Key Generation : Generate Private Key
4) Choose a small number, e coprime to 108
Using Euclid's algorithm to find gcd(e,108)
e = 2 => gcd(e, 108) = 2
e = 3 => gcd(e, 108) = 3
e = 4 => gcd(e, 108) = 4
e = 5 => gcd(e, 108) = 1
✗
✗
✗
✓
Key Generation : Generate Public Key
5) Find d, such that e*d = 1 mod ø(n) and 0≤d≤n ;
e=5; ø(n)=108
Using extended Euclid algorithm;
e*d = 1 mod ø(n) => e*d = 1+k*ø(n) ; d, k are interger
= (1+k*ø(n))/e
d = (1+k*108)/5
Try through values of k until an integer solution for d is found:
k = 0 => d = 1 / 5 = 0.2
✗
k = 1 => d = (1+1*108)/ 5 =109/5 = 21.8
✗
k = 2 => d = (1+2*108)/5 = 217/5 = 43.4
✗
k = 3 => d = (1+3*108)/5 = 325/5 = 65
✓
Example : Encryption


PU= {e,n} = {5,133}
Lets use the message m=16
c = me mod n
= 165 mod 133
= 1048576 mod 133
=4
Example: Decryption


PR={d,n}={65,133}
From the encryption c=4
m = cd mod n
= 465 mod 133
= 1.361129467683755x1039 mod 133
= 16
Encode the ASCII String
Message input string
S
e
c
r
e
t
!
99
114
101
116
33
01100011
01110010
01100101
01110100
00100001
Message input ASCII
83
101
Message input binary
01010011
01100101
Message input 16 bit binary
01010011 01100101
01100011 01110010
padding
01100101 01110100
00000000 00100001
Message input 16 bit decimal for “Secret!”
21349
25458
25972
33
Sample 16 bits key
n = 1602475129
e = 64037
d = 1004908973
m =104
c = (10464037) mod 1602475129
= 1187226754
m = (11872267541004908973 ) mod 3910095493
= 104
Directly computation of exponential needs too much
memory and very slow
How to deal with 1024 bits?

n=93518075472517812751194715143409086574889727146298665297205834171
6028661922905915993804021855830241749312943318773824184453712016205
8121648079083318028014599104077070592823126414272024960940574924494
3892408117844772524625134689327476917023068462758680788043986062882
531909490562722483341876279065122161924203

e=47609

d=11964515064443823593596316031391223220980346742172807039116148962
1549089033006783051907418704947846047912477425584476949894086409937
3984308816603929721452354151974603791286138851972972428882514356100
5547814973195750655549449328508806029373024427172453884284448045662
068755190227462789262813325769121319683889
we could still end up with a number with so many
digits (before taking the remainder on dividing by p)
that we wouldn't have enough memory to store it
Using Modular Exponential

Using modular reduction to enhance computation
f mod i = j and f = g * h then
(( g mod i ) * (h mod i)) mod i = j
Modular Exponential : 2320 mod 29
exp
(23exp-1 mod 29)*23
((23exp-1 mod 29) *23) mod 29
2
23*23= 529
529 mod 29 =7
3
7*23=161
161 mod 29=16
4
16*23=368
368 mod 29=20
5
20*23=460
460 mod 29=25
6
25*23=575
575 mod 29=24
7
24*23=552
552 mod 29=1
8
1*23=23
23 mod 29=23
9
23*23=529
529 mod 29=7
10
7*23=161
161 mod 29=16
:
:
:
16
23*23=529
529 mod 29=7
:
:
:
19
20*23=460
460 mod 29=25
20
37
25*23=575
575 mod 29=24
232 mod 29 = 7
234=232*232 mod 29 = 7*7 mod 29
=49 mod 29 = 20
238=234*234 mod 29 = 20*20 mod 29
=400 mod 29 =23
2316=238*238 mod 29 = 23*23 mod 29
=529 mod 29 =7
2320=2316*234 mod 29 = 7*20 mod 29
=140 mod 29 =24
Modular Exponential : 23391 mod 55
exp
23exp/2*23exp/2
(23exp-1) * (23exp/2) mod 55
1
[exception] 231=23
23 mod 55 = 23
2
23*23= 529
529 mod 55 = 34
4
34*34=1156
1156 mod 55 = 1
8
1*1=1
1 mod 55 = 1
16
1*1=1
1 mod 55 = 1
32
1*1=1
1 mod 55 = 1
64
1*1=1
1 mod 55 = 1
128
1*1=1
1 mod 55 = 1
256
1*1=1
1 mod 55 = 1
512
1*1=1
1 mod 55 = 1
23391 = 23256*23128*234*232*231
= 1*1*1*34*23
= 722
38
722 mod 55 = 12
Modular Exponential : 31397 mod 55
exp
31exp/2*31exp/2
(31exp-1) * (31exp/2) mod 55
1
[exception] 311=31
31 mod 55 = 33
2
31*31= 961
961 mod 55 = 26
4
26*26=676
676 mod 55 = 16
8
16*16=256
256 mod 55 = 36
16
36*36=1296
1296 mod 55 = 31
32
31*31=961
961 mod 55 = 26
64
26*26=676
676 mod 55 = 16
128
16*16=256
256 mod 55 = 36
256
36*36=1296
1296 mod 55 = 31
512
31*31=961
961 mod 55 = 26
31397 % 55
= (31256*31128*318*314*311 ) % 55
= (31*36*36*16*33)
= ((1116 % 55)*36*16*33 ) % 55
= (16*36*16*33 ) % 55
= ((576 mod 55) *16 *33) % 55
= (26*16*33) % 55
= ((416 % 55) *33 ) % 55
= (31*3 ) % 55
= 961 % 55
= 26
31397 mod 55 = 1.1765014105569728144308343503655x1059 mod 55
= 26
39
Modular Exponential for RSA

The running time of RSA encryption, decryption is simple
Topics





Modular Arithmetic
Greatest Common Divisor
Euler’s Identity
RSA algorithm
Security in RSA
Analyzing RSA





RSA depends on being able to find large primes quickly,
whereas anyone given the product of two large primes
“cannot” factor the number in a reasonable time.
If any one of p, q, m, d is known, then the other values can
be calculated. So secrecy is important
1024 bits is considered in risk
To protect the encryption, the minimum number of bits in n
should be 2048
RSA is slow in pratice

RSA is primary used to encrypt the session key used for secret key
encryption (message integrity) or the message's hash value
(digital signature)
RSA-Numbers


RSA numbers are a set of large semiprimes (numbers with
exactly two prime factors) that are part of the RSA
Factoring Challenge
Officially ended in 2007 but people can still attempt to
find the factorizations
http://en.wikipedia.org/wiki/RSA_numbers#RSA-768
RSA-768

RSA-768 has 768 bits (232 decimal digits), and was
factored on December 12, 2009
RSA-768 =
12301866845301177551304949583849627207728535695953347921973224521517264005
07263657518745202199786469389956474942774063845925192557326303453731548268
50791702612214291346167042921431160222124047927473779408066535141959745985
6902143413
RSA-768 = 33478071698956898786044169848212690817704794983713768568912431388982883793
878002287614711652531743087737814467999489
×36746043666799590428244633799627952632279158164343087642676032283815739666
511279233373417143396810270092798736308917
RSA-1024 and RSA-2048

RSA-1024 has 1,024 bits (309 decimal digits), and has not been
factored so far
RSA-1024 =13506641086599522334960321627880596993888147560566702752448514385152651060
48595338339402871505719094417982072821644715513736804197039641917430464965
89274256239341020864383202110372958725762358509643110564073501508187510676

59462920556368552947521350085287941637732853390610975054433499981115005697
7236890927563
RSA-2048 has 2,048 bits (617 decimal digits)

may not be factorizable for many years to come, unless considerable advances
are made in integer factorization
RSA-2048 =
25195908475657893494027183240048398571429282126204032027777137836043662020
70759555626401852588078440691829064124951508218929855914917618450280848912
00728449926873928072877767359714183472702618963750149718246911650776133798
59095700097330459748808428401797429100642458691817195118746121515172654632
28221686998754918242243363725908514186546204357679842338718477444792073993
42365848238242811981638150106748104516603773060562016196762561338441436038
33904414952634432190114657544454178424020924616515723350778707749817125772
RSA security summary
There are two one-way functions involved in the security of RSA.
One-way function
Encryption
function
Multiplication of
two primes
Description
The encryption function is a trapdoor one-way
function, whose trapdoor is the private key.
The difficulty of reversing this function without
the trapdoor knowledge is believed (but not
known) to be as difficult as factoring.
The difficulty of determining an RSA private
key from an RSA public key is known to be
equivalent to factoring n. An attacker thus
cannot use knowledge of an RSA public key
to determine an RSA private key unless they
can factor n. Because multiplication of two
primes is believed to be a one-way function,
determining an RSA private key from an RSA
public key is believed to be very difficult.
Q&A
Related documents