A Method for Obtaining

Digital Signatures

and Public Key CryptosystemsRivest, Shamir, Adleman

Srilal Buddika

2

Ronald L. Rivest, Adi Shamir, and Leonard Adleman

Inventers of RSA (1978)

Concept Invented By Diffie and Hellman

3

Diffie-Hellman algorithm (1976) Whitfield Diffie and Martin Hellman

Outline

Information Security

Public Key Cryptosystems

Basic Concept of RSA

Digital Signatures

Encryption Flow

RSA Algorithm

Security Analysis

Current RSA Stats

Conclusion

Q & A

4

Information SecurityWe need information to share/express our ideas

Some Information are valuable. Hence we need Protection

One of Protection method is “Data Encryption“

Encryption : Transform usable information into a form that

renders it unusable by anyone other than an authorized user

Decryption : Information that has been encrypted (rendered

unusable) can be transformed back into its original usable

form by an authorized user, who possesses the cryptographic

key

Cryptographic key : Specifies the particular transformation

of plaintext into ciphertext, or vice versa

5

Information Security Contd.

6

Encryption

Decryption

Plain Text

Cipher Text

Algorithm

Key

Public Key Cryptoystems

Encryption procedure - E

Decryption procedure - D

Message - M

Cipher text - C

Parameters of E kept public

Parameters of D kept private

Examples

7

Public Key Cryptosystems Contd.Deciphering the enciphered form of a message M yields M.

D(E(M)) = M

Both E and D are easy to compute

By publicly revealing E, the user does not reveal an easy

way to compute D (One-Way Functions)

If a message M is first deciphered and then enciphered, M is

the result

E(D(M)) = M

RSA is an algorithm for public-key cryptography

8

Basic Concepts of RSA

RSA do – Encryption/Decryption/Key Generation

Two types of Keys

Private key (to be kept confidential)

Public key (known to everyone)

Has the property of D(E(M)) = M

The Inverse is also TRUE (digital signatures)

E(D(M)) = M

9

Typical Encryption Scenario

10

Digital SignaturesProof for verifying the sender (Authentication)

Proof that message is not modified by someone

other than the sender (Integrity)

Preserve non-repudiation (Sender cannot deny

sending it)

Signature needs to be,

– Message-dependant

– Signer-dependant

11

Digital Signatures Contd.

• How to do it in RSA

– Alice sends a signed message to Bob

• Why we need to HASH the message ?

– Example :

• I have uploaded the “presentation-slides.pdf” on

Moodle

• Verify your SHA512sum Digest Code with Original

value posted at MyLinkedInProfile/Projects

12

Digital Signatures Contd.Sometimes you don't particularly mind letting the whole world read a

message (or would rather they did) yet want to provide a mechanism

to prove that you wrote the message. Signing does just this.

RSA is slow, but most encryption software using RSA actually

encrypts documents with a symmetric cipher like TDEA or AES, and

encrypts the key used (sometimes called a "session" key) with RSA,

so the slowdown from encrypting the entire document is not that

great.

If you want to hide the contents of the message, then you take the

message and the signature, zip them together and encrypt the

whole thing with the public key of the receiver before you send.

13

Encryption Flow

14

RSA Algorithm

Notations

– n is known as the modulus

– p & q two large random primes

– e is known as the public exponent or

encryption exponent

– d is known as the secret exponent or

decryption exponent

Mathematics Related to RSA – Eular’s,Fermat’s

and Chinese Remainder Theorems

15

RSA Algorithm Contd.

1. Choose two random large prime numbers, p and q

2. Compute the product n = p x q

3. Randomly choose the encryption key, e, such that e

and (p - 1)(q - 1) are relatively prime

4. Use the extended Euclidean algorithm to compute the

decryption key, d, such that

e*d ≡ 1 mod (p - 1)(q - 1)

ie

d = e-1 mod ((p - 1)(q - 1))

* d and n are also relatively prime

16

RSA Algorithm Contd.

Keys

– e and n are the public key

– d is the private key

Important :

The two primes, p and q, are no longer needed

They should be discarded, but never revealed

17

RSA Algorithm Contd.

Encryption

1. Divide message into numerical blocks smaller than

n (with binary data, choose the largest power of 2

less than n)

2. For each block

• c = me mod n

Decryption

1. For each cipher text block

m = cd mod n

18

RSA Algorithm Contd.RSA Example

1. Select primes: p=17 & q=11

2. Compute n = pq =17×11=187 ; n=187

3. Compute ø(n)=(p–1)(q-1)=16×10=160

4. Select e ; gcd(e,160)=1; choose e=7

5. Determine d: d*e=1 mod 160 and d < 160

Hence, Value is d=23 since 23×7=161= 10×160+1

6. Publish public key Kpub={7,187} (e,n)

7. Keep secret private key Kpvt={23,17,11} (p,q,d)

19

RSA Algorithm Contd.

message „M‟= 88 (88<187)

Encryption: [c = me mod n]

• C = 887 mod 187 = 11

C = 11

Decryption: [m = cd mod n]

• M = 1123 mod 187 = 88

M = 88

If message is 8888 then ?

20

Security Analysis

In addition to encrypting messages (which ensures

privacy), you can authenticate yourself to me (so I know

that it is really you who sent the message)

Complexity of Factoring large primes is the strength of

RSA algorithm

Managing Physical Security must be done

Don‟t let anyone copy your key or your primes

21

Current RSA Stats

Known Attacks

d<N5 Lattice Attack

Low public exponent (Coppersmith)

Broadcast Attack (Hastad)

Related message Attack (Franklin-Reiter)

A 768-bit key has been broken

A 2048-bit key (RSA Factorial Challenge)

Price : 200,000 USD

22

Conclusion

In this Paper,Authors have Invented a new PKCS

It‟s a New Methodology of Data Encryption

Mechanism (Still valid on IT Industry)

Have practically proven it

By applying relevant security criteria, it became the

best PKCS

Authors did not mention about RSA performances

under different data loads

One of a best research paper among few

23

Thank You !

24

Appendix - I

25

26

D-H Concept

Yellow paint is

already agreed by

Alice and Bob

Trapdoor Functions

Easy to compute in one direction

Difficult to compute in the opposite direction‟

RSA Example

Difficulty of Factoring Large Primes

27

Other Public Key Cryptosystems

28

29

Mathematics

30

Mathematics Contd.

31

Mathematics Contd.

Digital Signature on RSA

32

Hash Functions

Ex: SHA-1/2 , MD5 …

Output code called “Digest”

If message is small Padding is used

Has Avalanche Effect

33

34

Hash Functions Contd.

Avoiding Reblocking (Signed Msgs)Happens when ,

Signature “n” > Encryption “n”

Remedy-1• Maintain two public key pairs (e, n)

• Choose a threshold value h.

• For signature n < h

• For enciphering n > h

Remedy-2• Each user has a single public key pair (e, n)

• Choose a threshold value h.

• n is where h < n < 2h

• Message enciphered as a number less than h

• If ciphertext has a value greater than h, repeatedly re-encipher until

it is less than h

• Similarly method applies for deciphering.

35

Appendix - II

36

Generating Large Primes

How to find a really big prime

Randomly generate a large odd number b of

the size you want

Use Solovay and Strassen’s probabilistic

algorithm

• Select some number a from {0, …, b-1}

• gcd(a,b) = 1 and J(a,b) = a(b-1)/2

– If false b is composite.

– If true b is prime with a probability of at least ½

37

Mathematics Stuffs for RSA

Eulers totient function Ф

– Ф(n) : gives the number of positive integers

less then n which are relatively prime to n.

Computing Ф(n)

– Ф(n) = Ф(p*q)

= Ф(p)* Ф(q)

= (p-1)*(q-1)

= pq – p – q + 1

= n – (p + q) + 1

38

Mathematics Stuffs for RSA Contd.

Multiplicative Inverse Example– Two relatively prime numbers 5 and 7

1 * 5 = 5 ≡ 5 (Mod 7)

2 * 5 = 10 ≡ 3 (Mod 7)

3 * 5 = 15 ≡ 1 (Mod 7)

4 * 5 = 20 ≡ 6 (Mod 7)

5 * 5 = 25 ≡ 4 (Mod 7)

6 * 5 = 30 ≡ 2 (Mod 7)

7 * 5 = 35 ≡ 0 (Mod 7)

Z7 is a cyclic group

39

Attacks on RSA

Lattice Based Attacks on RSA

Hastad’s Attack

Franklin-Reiter Attack

Extension to Wiener’s Attack

Hastad’s Attack

Given 3 public keys (Ni,ei) with the same ei=3

If a user sent the same message to all 3 public keys

=> can recover the plaintext

40

Attacks on RSA Contd.

Hastad‟s Attack

41

User

Message: m

Receiver 1

(N1,e)

Receiver 1

(N2,e)

Receiver 1

(N3,e)

c1=me mod N1

c2=me mod N2

c3=me mod N3

Attacks on RSA Contd.

Franklin-Reiter Attack

42

Bob

Message: m1,m2

m2=f(m1) mod N

Alice

(N,e)

c1=m1e mod N

c2=m2e mod N

Attacks on RSA Contd.

This attack was originally developed by Franklin and Reiter, for the

situation when e = 3, with k = 2 messages, with a relation of degree

d =1. This result has since been generalized further, so that it

applies for any number of messages with a relation of any degree.

The value of e is limited to a length of approximately 32 bits due to

the complexity of the calculation. This ensures that the attack is

effective when e = 216 + 1, which is a popular choice.

43