Public Key Cryptography and RSA• Major topics

– Principles of public key cryptosystems– The RSA algorithm– The Security of RSA

• Motivations– A public key system is asymmetric, there does not have

to be an exchange of private keys before communicating– A public key system does not make a symmetric system

obsolete; in fact it can be used to exchange private keys– Key distribution remains an important issue– Number theory forms the mathematical foundation of

public key cryptography

Primary Needs• Generate two keys

– A public key that can be accessed by anyone– A private key that is kept secret

• Two primary needs– Be able to send messages securely to a recipient with

no knowledge of a shared secret key– Be able to verify a message actually came from a

particular person; this is called authentication• Uses of a public key system

– Encryption/decryption of messages– Digital signatures– Key exchange for using symmetric encryption

Encryption/Decryption

Authentication

Requirements for a Public Key System1. Party B can easily generate a pair of keys: public key KUb and

private key KRb

2. Sender A can access public key KUb and can encrypt message MC = EKUb(M)

3. Receiver B can easily decrypt the messageM = DKRb(C) = DKRb(EKUb(M))

4. It is computationally infeasible for someone intercepting message C and knowing public key KUb to determine private key KRb

5. It is computationally infeasible for someone intercepting message C and knowing public key KUb to recover message M

6. The encryption and decryption functions can be applied in any order M = DKRb(EKUb(M)) = EKub(DKRb(M))This makes digital signatures possible

Public Key Secrecy

Public Key Authentication

Public Key Algorithms• Approaches to public key cryptography

– We first cover RSA, perhaps the best known and most widely used approach

– In chapter 10 we cover elliptic curve methods which are growing in popularity

– In the same chapter we cover Diffie-Hellman for the exchange of secret keys

– DSS (Digital Signature Standard) is covered in chap.13

Conventional and Public Key Encryption

The RSA Algorithm

A Sample Calculation1. Select two primes, p = 17 and q = 112. Calculate n = pq = 17 * 11 = 1873. Calculate φ(n) = (p - 1) (q – 1) = 1604. Select e < φ(n) and relative prime to φ(n), we use e = 7 5. Determine d so the de ≡ 1 mod φ(n), in other words, d

and e are multiplicative inverses

Group Work• Consider the prime numbers p = 11, q = 29.

– What is n? – What is φ(n)?– Suppose we select e = 3, what is d?– Suppose we want to encrypt the message M = 100

using the public key (3, 319), what is the resultant value for the cipher text C?

– What is the formula to decrypt C using the private key (187, 319) ?

• It is clear we need to find an easy way to solve this exponential modularization problem

Group Work• Suppose ciphertext C = 10 is sent to a user with

public key e = 5 and n = 35. How could you decode this ciphertext? What is the decoding?

Fast Modular Exponentiation• The algorithm for computing ab mod n

• bi is the ith bit of b when b is written in binary• These bits are processed from the most significant

bit to the least significant bit

A Sample Calculation• We want to solve 7560 mod 561• a = 7, b = 560, n = 561• In binary b is 1000110000

• So the result is 7560 mod 561= 1

Group Work• We now can decode the message from our prior example

(hint: the result should be 100)• Find ab (mod n) when a = 254, b = 187, and n = 319 by

completing the following table

254d

1c

11011101bi

12345678i

• Did you get 100?

How Secure is RSA?• Algorithms Used to Break RSA

– Pollard’s Rho, a probabilistic approach– Sieve techniques– Successful efforts– Choice of values

• Timing Attacks and “Fixes”– Constant exponential time– Random delay– Blinding

How Easy is it to Factor p*q ?• The problems

– It is easy to find two large primes p and q, so in the public key algorithm we set n = p*q

– The encryption can be broken if n can be factored• Some techniques for finding factors

– Pollard Rho and Pollard p-1– General number field sieve– Special number field sieve

• We will only look at Pollard Rho in detail• We will use the Chinese Remainder Theorem

Pollard’s rho heutistic• neither the running time nor success is guaranteed• any divisor it finds will be correct, but it may

never report any results• in practice, it is the one of the most effective

means of factorization currently known • it will print the factor p after approximately √p

iterations; thus it finds small factors quickly

Pollard’s rho heuristic• The while loop searches

indefinitely for factors generating a new xi each time

• Lines 1-4 are for initialization

• The xi values saved in y are when i = 1,2,4,8,16, …

• d is the gcd of y- xi and n; if it is nontrivial then it is printed as a factor of n

• If n is composite, we expect to find enough divisors to factor n after approximately n1/4 updates

The rho diagrams - 1

The rho diagrams - 2• (a) is generated by the xi starting at 2 for n = 1387• The factor 19 (since 1387 = 19 * 73) is discovered

when the xi is 177, this is before the value 1186 is repeated

• (b) show the recurrence for mod 19, every xi in part (a) is equivalent to the xi‘ mod 19

• (c) shows the recurrence for mod 73, again every xi in part (a) is equivalent to the xi” mod 73

• By the Chinese remainder theorem, each node in (a) corresponds to a pair of nodes in (b) and (c)

Group Work• Keep tracing the rho diagrams and find out when

the factor 73 is discovered

The Sieve Approaches• Sieve techniques have become increasingly effective

– The generalized number field sieve (GNFS) has replaced quadratic sieve as being most effective

– An even faster approach, specialized number field sieve (SNFS), works for some numbers (see next slide)

• Computers will keep getting faster and factoring techniques improved, but keys of size 1024 through 2048 seem to be adequate for the future

Performance Comparison

Choice of p and q• Ways to avoid values for n that can be more easily

factored– The length of p and q should differ by only a few digits– Both (p – 1) and (q – 1) should contain a large prime

factor– gcd(p – 1, q – 1) should be small– If e < n and d < n¼ then it is easy to determine d

What is a Timing Attack?• The timing of the modular exponentiation

algorithm is critical– If the bi is set, then the assignment d (d x a) mod n

is performed, for some known values of a and d this can be very slow thus revealing a 1 bit

– Countermeasures attempt to hide these extreme time differences

• Some countermeasures– Insure all exponentiations take the same time (but this

does degrade performance)– Add a random delay time, this noise must be large

enough to confuse the attacking algorithm

Use of Blinding• Multiply by a random number before performing

exponentiation; this prevents bit-by-bit analysis• Here is RSA’s approach using blinding

1. Generate a random r between 0 and n-12. Compute C’ = C(re) mod n3. Compute M’ = (C’)d mod n4. Compute M = M’ r-1 where r-1 is the multiplicative

inverse of r mod n• This only introduces a 2% to 10% penalty