1 / 27

The RSA Algorithm

The RSA Algorithm. Rocky K. C. Chang, March 2014. Outline. Trapdoor one-way function The RSA algorithm Some practical considerations RSA ’ s security Some pitfalls of RSA. Trapdoor one-way function. Suppose n = p q, where p and q are large primes. Consider f(m) = m e mod n.

svea
Télécharger la présentation

The RSA Algorithm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The RSA Algorithm Rocky K. C. Chang, March 2014

  2. Outline • Trapdoor one-way function • The RSA algorithm • Some practical considerations • RSA’s security • Some pitfalls of RSA

  3. Trapdoor one-way function • Suppose n = pq, where p and q are large primes. • Consider f(m) = me mod n. • For certain values of e and that n is large enough, f(m) is a one-way function. • It is computationally infeasible to obtain m based on the knowledge of n, e, and f(m). • However, with the knowledge of a certain trapdoor, the inversion is easy to do. • The trapdoor for RSA is the factorization of n (i.e., the knowledge of p and q).

  4. The RSA algorithm • Let n = pq, where p and q are primes. Note that n is a composite number. • Let M = C = Zn = {0, 1, 2, …, n–1}. • K = {(n, p, q, d, e): e  d  1 (mod (n))}. • We will see that (n) = (p–1)(q–1). • For K = (n, p, q, d, e), define • EK(m) = me mod n, and • DK(c) = cd mod n, where m, c  Zn. • The (n, e) comprise the “public key.” • The (p, q, (n), d) comprise the “private key.”

  5. To probe further • Both encryption and decryption involve modulo multiplications. • Since n is a composite, Zn is not a group under modulo multiplication, i.e., the inverse may not exist. • Z*n = {a  Zn: gcd(a,n) = 1}. • Zn \Z*n = {a  Zn: gcd(a,n) > 1}. • How many elements in Z*n? • We denote the number of elements by (n). • Recall that (n) is used in determining d and e.

  6. The value of (n) • Note that gcd(a,n) = 1 iffgcd(a,p) = 1 andgcd(a,q) = 1. • There are q numbers in Zn that satisfy a mod p = 0: {0, p, 2p, …, (q–1)p}. • There are p numbers in Zn that satisfy a mod q = 0: {0, q, 2q, …, (p–1)q}. • Therefore, the total number of numbersin Zn that their gcd(a,n) > 1 is p+q–1. • Thus, (n) = pq – (p+q–1) = (p–1)(q–1). • Use the well-known result (in slide 28 of the prelude slides) that if b  Z*n, then b(n)  1 (mod n). • Therefore, a(p–1)(q–1)  1 (mod n), for a  Z*n.

  7. For example, • Let p = 3, q = 5. Therefore, n = 15 and(p–1)(q–1) = 8. • For any a  {0, 3, 5, 6, 9, 10, 12}, a8!1(mod 15). • For any a  {1, 2, 4, 7, 8, 11, 13, 14}, a8 1 (mod 15), e.g., • 24 1 (mod 15). • 42 1 (mod 15). • 74 1 (mod 15). • … • Note that primitive elements may not exist in Z*n, because n is not a prime.

  8. The relationship between e and d • The values of e and d have to satisfy • e  d  1 (mod (p–1)(q–1)). • Recall that d exists iffgcd(e,(p–1)(q–1)) = 1 (slide 17 of the prelude slides). • For example, p = 101 and q = 113. • n = pq = 11413. • (n) = (p–1)(q–1) = 11200 = 26527. • Pick e = 3533, which is not divisible by 2, 5, or 7. • Use the extended Euclidean algorithm to compute d = e-1 mod 11200 = 6597. • To encrypt m = 9726, compute 92763533 mod 11413 = 5761. • To decrypt c = 5761, compute 57616597 mod 11413 = 9726.

  9. DK(EK(m)) = m? • Recall that ed  1 (mod (n)). • In other words, ed = t(n)+1, where t is a nonnegative integer. • Part 1: Let’s consider an m Z*n. • (me)d mt(n)+1(mod n). • (me)d (m(n))tm(mod n). • (me)d (1)tm(mod n). • (me)d m (mod n).

  10. DK(EK(m)) = m? • Part II: Let’s consider an m Zn\Z*n. • Using the Chinese Remainder Theorem, m mod n can be uniquely represented by (m mod p, m mod q). • Note that either the following is true: • m mod p = 0 and m mod q = 0 or • m mod p = 0 and m mod q  0 or • m mod p  0 and m mod q = 0. • For m mod p = 0 and m mod q = 0, • med mod p = 0 and med mod q = 0. • Therefore, med  m (mod p) = 0 and med  m (mod q) = 0. • For those cases where m mod p = 0 or m mod q = 0, • Say m mod p = 0 or m mod q  0, • By the CRT, med mod n can be represented by (0, med mod q). • Using the previous two results, (0, med mod q) is equal to (0, mmod q).

  11. Digital signing using RSA • To sign a message m, Alice computes s = md mod n. • The pair (m,s) is a signed message. • To verify the signature, anyone who knows the public key can verify that se m mod n, the message itself.

  12. Some practical considerations

  13. Generating the RSA parameters • Generate 2 large primes, p and q (each with size k/2 bits). • n (k ≥ 2048 bits)  pqand (n)(p–1)(q–1). • Choose a random e (1 < e < (n)) such that gcd(e,(n)) = 1. • d = e-1 mod (n). • Publish (n,e) and safeguard the secret (p, q, (n), d).

  14. Generating the RSA parameters • Need an efficient algorithm to generate a large prime. • Rabin-Miller test determines whether an odd integer n is prime. • Find 2 large primes. • Use the Euclidean algorithm to make sure that gcd(e,(n)) = 1. • Use the extended Euclidean algorithm to compute d = e-1 mod (n).

  15. Practical considerations • Usually fix the value of e, e.g., e = 3 for signatures and e = 5 for encryption. • There are pitfalls when one is using the same exponent for both encryption and signatures. • Therefore, p – 1 and q – 1 cannot be multiples of 3 or 5. • Smaller exponent for signatures (why?) • Some problems with small exponents (to be discussed shortly). • Other common values for e are 17 and 65537.

  16. RSA’s (in)security

  17. The RSA’s security • An obvious attack against RSA is to factor n. • If this can done, then obtain p and q. • Compute (p–1)(q–1). • Compute e-1 mod (p–1)(q–1) = d. • Roughly speaking, breaking the RSA algorithm is as difficult as factoring n. • The “current” factoring algorithms are able to factor numbers having up to 512 bits. • On the safe side, n ≥ 2048 bits to make the factoring problem computationally infeasible to solve.

  18. The RSA’s security • Moreover, if one can obtain (n), one can obtain other elements in the private key. • First of all, one can obtain p and q by solving • n = pq and • (n) = (p–1)(q–1). • The solution for p is given by • p2 – (n – (n) + 1)p + n = 0. • In other words, if one can compute (n), one can factor p and q. • Lastly, what happen if one can obtain the value of d? • n can be factored in polynomial time using a randomized algorithm.

  19. Pitfalls using RSA • Problem 1: If Alice signs 2 messages m1 and m2. Eve can compute Alice’s signature on m3 = m1m2 mod n. • Original signatures: m1d and m2d. • Eve can produce the signature for m3 by multiplying m1d and m2d.

  20. Pitfalls using RSA • Problem 2: When RSA is used to encrypt a very small message m. • E.g., if e = 5 and m < n1/5, then me = m5 < n. Therefore, no mod n operation needed. • Simply take a fifth root of c to recover m! • For example, if encrypting a 256-bit key using RSA, the encrypted key is less than 22565 = 21280 << 22048 if n is a 2048-bit integer. • The main problem is the existence of a structure in the numbers that RSA operates on. • A possible approach is to use an encoding function to destroy the structure as much as possible.

  21. Message encryption using RSA • Using RSA to encrypt a message is almost never practiced. • The size of the message is limited by the size of n. • Instead, choose a random secret key K, and encrypt K with the RSA key. • The message encryption is based on secret key cryptosystem, • Sending Ke mod n, EK(m).

  22. Message encryption using RSA • A better approach is: • Choose a suitable random number r  {0, 1, …, n–1}. • Set K = h(r), where h() is some hash function. • Send re mod n and EK(m). • Advantages: • There is no structure in r. • The hash function ensures that no structure between r’s propagates to structure in the K’s.

  23. Digital signatures using RSA • Problem: remove the structures of the messages that are signed. • Use a hash function to hash the messages. • The hash function’s output (e.g., 256 bits) is small compared with the size of n (e.g., 2048 bits). • Cannot use the hash function output directly in RSA.

  24. Digital signatures using RSA • A solution is to use a pseudorandom mapping to expand h(m) to a random number s  {0, 1, …, n – 1}. • If you ask Alice to sign a number of messages m1, m2, …, mi. • Eve can get hold of the (m, s), but the values of s are effectively random. • Thus, the information does not help forge Alice’s signature.

  25. The RSA Lab’s public-key cryptography standard • PKCS #1 for RSA or RFC 3447 covers • Data conversion primitives: a text <-> a non-negative integer • Cryptographic primitives • Encryption schemes • RSAES-OAEP (for new applications) – cryptographic primitives + Bellare and Rogaway's Optimal Asymmetric Encryption scheme • RSAES-PKCS1-v1_5 (for existing applications) – cryptographic primitives + a PKCS1-v1_5 encoding method • Digital Signature schemes • RSASSA-PSS (for new applications) – cryptographic primitives + a probabilistic signature scheme-based encoding method • RSASSA-PKCS1-v1_5 (for existing applications) – cryptographic primitives + a PKCS1-v1_5 encoding method

  26. Conclusions • RSA can be used for encryption as well as digital signatures. • The security of RSA lies on the difficulty of factoring a large number into 2 primes. • RSA encryption and decryption require expensive exponentiation operations. • The CRT helps accelerate the operations. • In practice, RSA is used to encrypt a secret key with an encoding function. • In practice, the messages to be signed have to go through a hash function to destroy the message structures.

  27. Acknowledgments • The notes are prepared mostly based on • D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002. • N. Ferguson and B. Schneier, Practical Cryptography, Wiley, 2003. • http://www.rsa.com/rsalabs/pkcs/files/h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf

More Related