1 / 44

Chap. 8,9: Introduction to number theory and RSA algorithm

Chap. 8,9: Introduction to number theory and RSA algorithm. Jen-Chang Liu, 2004 Adapted from Lecture slides by Lawrie Brown. The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything in the world you ask for."

isabelle-burt
Télécharger la présentation

Chap. 8,9: Introduction to number theory and RSA algorithm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chap. 8,9: Introduction to number theory and RSA algorithm Jen-Chang Liu, 2004 Adapted from Lecture slides by Lawrie Brown

  2. The Devil said to Daniel Webster: "Set me a task I can't carry out, and I'll give you anything in the world you ask for." Daniel Webster: "Fair enough. Prove that for n greater than 2, the equation an + bn = cn has no non-trivial solution in the integers." They agreed on a three-day period for the labor, and the Devil disappeared. At the end of three days, the Devil presented himself, haggard, jumpy, biting his lip. Daniel Webster said to him, "Well, how did you do at my task? Did you prove the theorem?' "Eh? No . . . no, I haven't proved it." "Then I can have whatever I ask for? Money? The Presidency?' "What? Oh, that—of course. But listen! If we could just prove the following two lemmas—" —The Mathematical Magpie, Clifton Fadiman

  3. Clifton Fadiman • Clifton Fadiman was a multi-talented writer, critic, raconteur and bookworm. He is best remembered as moderator of the erudite radio quiz show Information, Please, which ran from 1938 until 1952. • He wrote a book: The Lifetime Reading Plan (一生的讀書計畫),列出 西方經典一百本

  4. Key Distribution Problem • Symmetric schemes require both parties to share a common secret key • How to securely distribute this key ? • often secure system failure due to a break in the key distribution scheme (eavesdropping)

  5. Key Distribution methods • given parties A and B have various key distribution alternatives: • A can select key and physically deliver to B • third party can select & physicallydeliver key to A & B • if A & B have communicated previously can use previous key to encrypt a new key • if A & B have secure communications with a third party C, C can relay key between A & B Not suitable for large systems Initial distribution?

  6. Scale of key distribution problem • A network with N hosts => N(N-1)/2 pairs • Node-level encryption N(N-1)/2 • Application-level encryption • 10 applications/node

  7. Key distribution center (KDC) KDC shares a unique key (master key) with each user to distribute secret key (session key) between a pair of users: scale of key distribution problem reduces to N Key distribution center (KDC) EMK2 (Secret key) EMK1 (Secret key) Secret key Secret key

  8. Asymmetric cryptography • Real world example: locker • Public key & private key

  9. Difference between symmetric and asymmetric cryptography Asymmetric encryption: Hard to find reverse operation Symmetric encryption: Reverse operation is possible

  10. One-way trap door function Public key Private key Public key

  11. Motivation: RSA public-key algorithm Public directory Bob Alice One key for encryption, one key for decryption

  12. Preview of RSA algorithm • R: Rivest, S: Shamir, A: Adleman • Plaintext M, ciphertext C C = Me mod n, where 0 ≤ M < n M = Cd mod n = (Med) mod n Q: Is there e, d, n such that (Med)≡ M mod n ? A: Euler’s theorem Q: Given e , is it possible to compute M directly from C?

  13. Outline • Prime numbers • Fermat’s and Euler’s Theorems • RSA algorithm • Testing for primality

  14. Prime Numbers • prime numbers only have divisors of 1 and self • they cannot be written as a product of other numbers • note: 1 is prime, but is generally not of interest • eg. 2,3,5,7 are prime, 4,6,8,9,10 are not • prime numbers are central to number theory • list of prime number less than 200 is: 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

  15. Prime Factorisation • prime factorisation: any integer a>1 can be factored in a unique way • , are primes each ai is a positive integer • eg. 91=7×13 ; 3600=24×32×52 • Note: factoring a number is relatively hard compared to multiplying the factors together to generate the number

  16. Relatively Prime Numbers & GCD • two numbers a,b are relatively prime if have no common divisors apart from 1 • eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor • conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers • eg. 300=22×31×52 18=21×32hence GCD(18,300)=21×31×50=6

  17. Outline • Prime numbers • Fermat’s and Euler’s Theorems • RSA algorithm • Testing for primality

  18. Fermat's Theorem • also known as Fermat’s Little Theorem • ap-1 mod p = 1 • where p is prime and gcd(a,p)=1 [a, p互質] • useful in public key and primality testing

  19. Proof of Fermat’s law • Recall: p is a prime, Zp is a Galois Field Any a multiplied by {1,2,…,p-1} will span {1,2,…,p-1} in some order a×2a×…×((p-1)a) ≡ [(a mod p)×(2a mod p)×…×((p-1)a mod p)] mod p ≡ [1×2×…×(p-1)] mod p ≡ (p-1)! mod p (p-1)! ap-1≡ (p-1)! mod p

  20. Proof of Fermat’s law (cont.) (p-1)! ap-1≡ (p-1)! mod p Because (p-1)! is relatively prime to p ap-1≡ 1 mod p This can be re-written as ap≡ a mod p Example: a = 7, p = 19 => 718≡ 1 mod 19 ? 718 =716×72 ≡(7×11) mod 19 = 1 mod 19 72=49≡11 mod 19 74=72×72≡(11×11) mod 19= 7 mod 19 78=74×74≡(7×7) mod 19= 11 mod 19 716=78×78≡(11×11) mod 19= 7 mod 19

  21. Euler’s Totient Function ø(n) • when doing arithmetic modulo n • complete set of residues is: 0..n-1 • reduced set of residues is those numbers (residues) which are relatively prime to n • eg. for n=10, • complete set of residues is {0,1,2,3,4,5,6,7,8,9} • reduced set of residues is {1,3,7,9} • number of elements in reduced set of residues is called the Euler Totient Function ø(n) • i.e. is the number of positive integers less than n and relatively prime to n

  22. Example: totient function • ø(37)=? • 37 is a prime, {1,…,36} are all relatively prime to 37 • ø(37)=36 • ø(35)=? • List them: {1,2,3,4,6,8,9,11,12,13,16,17,18,19,22,23,24,26,27,29,31,32,33,34} • ø(35)=24

  23. Euler’s Totient Function ø(n) • Some special case: • for p (p prime) : ø(p) = p-1 • for p•q (pq, both prime): ø(p•q)=(p-1)×(q-1) • Proof for ø(p•q) = (p-1)×(q-1) {1,2,3,…, pq-1} 與 pq 互質的個數? => 與 pq 非互質個數: 1. p 的倍數:{p, 2p, 3p,…, (q-1)p} 2. q 的倍數:{q, 2q, 3q,…, (p-1)q} ø(p•q) =pq-1 – (p-1) – (q-1) = pq-p-q+1 = (p-1)(q-1)= ø(p)×ø(q)

  24. Euler's Theorem • Fermat's Theorem: an-1≡ 1 mod n • Euler’s theorem: aø(n)≡ 1 mod n • where gcd(a,n)=1 • eg. • a=3;n=10; ø(10)=4; • hence 34 = 81 = 1 mod 10 • a=2;n=11; ø(11)=10; • hence 210 = 1024 = 1 mod 11

  25. Proof for Euler’s theorem • aø(n)≡ 1 mod n, gcd(a,n)=1 • n is a prime => Fermat’s theorem • Arbitrary n: ø(n) means the number of integers that is relatively prime to n, denote the set of integers as Multiply each by a, modulo n: S is a permutation of R !!! * a is relatively prime to n, and xi is relative prime to n => so does axi * There is no duplicate in S

  26. Proof for Euler’s theorem (cont.) is the permutation of mod n OR (Med)≡ M mod n Recall: RSA algorithm

  27. Corollary to Euler’s theorem • RSA algorithm: • Euler’s theorem: • Given prime p and q, n=pq, 0<a<n (Med)≡ M mod n gcd(a, n)=1 a: plaintext => not necessary prime to n !!! 1. a is prime to n => Euler’s theorem 2. a is NOT prime to n => a 是 p 的倍數 或a 是 q 的倍數 Prove case 1: a = cp but a qp, because 0<a<n=pq => gcd(a, q) = 1

  28. Corollary to Euler’s theorem (cont.) case 1: a = cp, gcd(a,q)=1 Euler’s theorem 自乘 ø(p) 次 Totient function => => Multiply a=cp => => Δ

  29. Corollary to Euler’s theorem (cont.) • Given prime p and q, n=pq, 0<a<n • Alternative form of the corollary (used in RSA) By Euler’s theorem

  30. RSA from Euler’s corollary • RSA algorithm: find e, d, n to satisfy • Euler’s corollary: given primes p and q, n=pq, 0<a<n, and arbitrary k (Med)≡ M mod n We want ed = kf( n) + 1 ed ≡ 1 mod f( n) => d ≡ e-1 mod f( n) or (d is the multiplicative inverse of e, it exists If d (and e) is relatively prime to f(n) )

  31. Outline • Prime numbers • Fermat’s and Euler’s Theorems • RSA algorithm • Testing for primality

  32. RSA algorithm – decide parameters Example: 1. Select primes p and q. 2. Calculate n=pq. 3. Calculate f(n)=(p-1)(q-1) 4. Select e that is relative prime to and less than f(n) 5. Determine d such that de ≡ 1 mod f(n),and d< f(n) (d is the multiplicative inverse of e, find it using Extended Euclid’s algorithm) p=17, q=11 n= 17x11 = 187 f(n)= 16x10 = 160 e = 7 d = 23

  33. RSA encryption/decryption example • Public key: KU={e,n}={7,187} • Private key: KR={d,n}={23,187}

  34. Ingredient and security of RSA • p, q: two primes (private, chosen) • n=pq (public, calculated) • e, with gcd(f(n),e)=1 (public, chosen) 1<e< f(n) • d ≡ e-1 mod f(n) (private, calculated) p, q must be secrets => f(n) = (p-1)(q-1) n is known => f(n) can be calculated from n? => p, q calculated from n? f(n)must be a secret, else d can be calculated

  35. The security of RSA • Brute-force: try all private keys • Mathematical attacks: • Factor n into its two prime factors, n=> p×q • Determine f(n) directly • Determine d directly without f(n) • Timing attacks: depends on the running time of the decryption algorithm Same complexity

  36. RSA recommended key size • How to evaluate RSA security ? • rough extrapolations of the running times for smaller keys • TWIRL: a hardware for integer factorization • for a 1024-bit RSA key in less than a year with only $10 million worth of hardware

  37. Single prime modulus • RSA algorithm: • Fermat’s theorem: • A single prime modulus n? (aed)≡ a mod n an≡ a mod n , n is a prime ak(n-1)+1≡ a mod n an-1≡ 1 mod n => ed = k(n-1) + 1 ed ≡ 1 mod (n-1) => e, d 互為 Zn-1下的乘法反元素 However, if (e, n) is public We can calculate d easily !!! (Zn-1下的乘法反元素)

  38. MultiPrime RSA • RSA: n = p  q • MultiPrime RSA: n = p  q  r ? • More primes to make up the modulus, • Ex. 1024 bits RSA, 341, 341, 342 bits primes • the faster the private key operations • the easier to factor

  39. Computation – encryption/decryption • Modular exponentiation: • Fast algorithm use the property: • Write exponential d as binary number: bkbk-1…b1b0 • ex. 2310 = 101112 = 24+22+21+20 M = Cd mod n (a x b) mod n = (a mod n) x (b mod n) mod n 1123 mod 187 =(1116×114×112×111) mod 187 =[(1116 mod 187)×(114 mod 187)×(112 mod 187)×(111 mod 187)] mod 187 =…=88

  40. Fast exponentiation • ab mod n • b=10111 2+1 2+1 2+1 1 2 101 1011 10111 10 自乘a 自乘a 自乘a 自乘 a1011 a10111 a1 a10 a101 ax ax =a2x

  41. Pseudo-code for fast exponentiation Timing attacks c=0; /* c will be the exponent at last */ d=1; /* d will be the ab mod n at last */ for(i=k; i>=0; i--){ /* k+1 bits for b */ c = 2*c; d = (d*d) mod n; if ( bi == 1 ){ c = c+1; d = (d*a) mod n } } If this bit is 1, exec. time will be slower

  42. Resist to timing attacks • Constant exponentiation time • return the results of exponentiation after a fixed time • Random delay • Add random delay to the exp. execution time • Blinding • Multiply ciphertext by a random number

  43. Reading assignment • The code book (碼書) • 報告重點:年代,人物,故事,加解密方式 • 投影片請多用書上圖片解說故事及人物 • Report one chapter per week • Chap .1:洪善群,張凱鈞 • Chap. 2:鄧偉華 • Chap. 3: • Chap. 4: • Chap. 5: • Chap. 6: • Chap. 7: PGP 93321510, 93321538, 93321518

More Related