1 / 76

RSA Cryptosystems: Understanding Asymmetric Encryption

This project delves into RSA cryptosystems, focusing on the fundamentals of asymmetric encryption. It explains the roles of public and private keys in secure communications between Bob and Alice using RSA as a trap-door one-way function. Detailed discussions include key generation with large prime numbers, the mathematics of encryption and decryption, and methods for factoring integers, such as trial division and the Euclidean algorithm. The project also highlights historical context and technological evolution, including machines like the Cray-1, essential for cryptographic computations.

nenet
Télécharger la présentation

RSA Cryptosystems: Understanding Asymmetric Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ECE 645 Spring 2007 PROJECT 2 Specification

  2. Topic Options

  3. Public Key (Asymmetric) Cryptosystems Private key of Bob - kB Public key of Bob - KB Network Decryption Encryption Bob Alice

  4. RSA as a trap-door one-way function PUBLIC KEY C = f(M) = Me mod N M C M = f-1(C) = Cd mod N PRIVATE KEY N = P  Q P, Q - large prime numbers e  d  1 mod ((P-1)(Q-1))

  5. RSA keys PUBLIC KEY PRIVATE KEY { e, N } { d, P, Q } N = P  Q P, Q - large prime numbers e  d  1 mod ((P-1)(Q-1))

  6. Early Factoring Device – Lehmer Sieve Bicycle chain sieve [D. H. Lehmer, 1928] Computer Museum, Mountain View, CA

  7. Supercomputer Cray-1 from 1980’s Computer Museum, Mountain View, CA

  8. FPGA based supercomputers Machine Released SRC 6 fromSRC Computers Cray XD1 fromfrom Cray SGI Altix from SGI SRC 7 from SRC Computers, Inc, 2002 2005 2005 2006

  9. COPACOBANA Ruhr University, Bochum, University of Kiel, Germany, 2006 Cost: € 8980 120 Spartan 3 FPGAs Clock frequency 100 MHz

  10. Factoring 1024-bit RSA keysusing Number Field Sieve (NFS) Polynomial Selection Relation Collection Cofactoring 200 bit & 350 bit Trial division ECM, p-1 method, rho method Sieving numbers Linear Algebra Square Root

  11. Topic 1 Trial Division Sieve

  12. Topic 1: Trial Division Sieve (1) Given: Inputs: Variables: • Integers N1, N2, N3, .... each of the size of k-bits Constants: 2. Factor base = set of all primes smaller smaller than a certain bound B = { p1=2, p2=3, p3=5, ... , pt ≤ B } Parameters of interest: 4 ≤ k ≤ 512 3 ≤ B ≤ 105

  13. Topic 1: Trial Division Sieve (2) Required: Outputs: For each integer Ni: A list of primes from the factor base that divides Ni, and the number of times each prime divides Ni. For example if Ni = p1e1 · p2e2 · p3e3· Mi, where Mi is not divisible by any prime belonging to a factor base, then the output is {p1, e1}, {p2, e2}, {p3, e3}

  14. Topic 1: Trial Division Sieve (3) Example: Constants: k=10, B=5 Factor base = {2, 3, 5} Variables: N1 = 408 = 23· 3 · 17 N2 = 630 = 2 · 32· 5 · 7 Outputs: {2, 3}, {3, 1} {2, 1}, {3, 2}, {5, 1}

  15. Topic 1: Trial Division Sieve (4) Optimization Criteria: Maximum number of integers Ni fully processed per unit of time for a given k and B.

  16. Topic 2 Greatest Common Divisor & Multiplicative Inverse

  17. Topic 2: Greatest Common Divisorand Multiplicative Inverse(2) Given: Inputs: a, N: k-bit integers; a < N Outputs: y = gcd(a, N) x = a-1 mod N i.e., integer 1 ≤ x < N, such that a  x (mod N) = 1 Parameters of interest: 4 ≤ k ≤ 1024

  18. Greatest common divisor Greatest common divisor of a and b, denoted by gcd(a, b), is the largest positive integer that divides both a and b. d = gcd (a, b) iff 1) d | a and d | b 2) if c | a and c | b then c d

  19. gcd (8, 44) = gcd (-15, 65) = gcd (45, 30) = gcd (31, 15) = gcd (121, 169) =

  20. Quotient and remainder Given integers a and n, n>0 ! q, r  Z such that a = q n + r and 0  r < n a q = q – quotient r – remainder (of a divided by n) = a div n n a r = a - q n = a –  n = n = a mod n

  21. Euclid’s Algorithm for computing gcd(a,b) qi q-1 q0 q1 … qt-1 ri r-2 = max(a, b) r-1 = min(a, b) r0 r1 … rt-1 = gcd(a, b) rt=0 i -2 -1 0 1 … t-1 t ri+1 = ri-1 mod ri ri-1 qi = ri ri+1 = ri-1 - qi ri

  22. Euclid’s Algorithm Example: gcd(36, 126) qi q-1= 3 q0= 2 q1 ri r-2 = max(a, b) =126 r-1 = min(a, b) =36 r0= 18 = gcd(36, 126) r1= 0 i -2 -1 0 1 ri+1 = ri-1 mod ri ri-1 qi = ri ri+1 = ri-1 - qi ri

  23. Multiplicative inverse modulo n The multiplicative inverse of a modulo n is an integer [!!!] x such that a x  1 (mod n) The multiplicative inverse of a modulo n is denoted by a-1 mod n (in some books a or a*). According to this notation: a a-1  1 (mod n)

  24. Extended Euclid’s Algorithm (1) ri = xi a + yi n qi q-1 =  n/a  q0 q1 … qt-1 yi y-2=1 y-1=0 y0 y1 … yt-1 yt xi x-2=0 x-1=1 x0 x1 … xt-1 xt ri r-2 = n r-1 = a r0 r1 … rt-1 rt=0 i -2 -1 0 1 … t-1 t ri-1 qi = ri ri+1 = ri-1 - qi ri xi+1 = xi-1 - qi xi yi+1 = yi-1 - qi yi rt-1 = xt-1 a + yt-1 n

  25. Extended Euclid’s Algorithm (2) rt-1 = xt-1 a + yt-1 n rt-1 = xt-1 a + yt-1 n  xt-1 a (mod n) If rt-1 = gcd (a, n) = 1 then xt-1 a  1 (mod n) and as a result xt-1 = a-1 mod n

  26. Extended Euclid’s Algorithm for computing z = a-1 mod n qi q-1 =  n/a  q0 q1 … qt-1 ri r-2 = n r-1 = a r0 r1 … rt-1 = 1 rt=0 xi x-2=0 x-1=1 x0 x1 … xt-1 = a-1 mod n xt = n i -2 -1 0 1 … t-1 t ri-1 qi = ri ri+1 = ri-1 - qi ri xi+1 = xi-1 - qi xi If rt-1 1 the inverse does not exist Note:

  27. Extended Euclid’s Algorithm Example z = 20-1 mod 117 ri-1 qi q-1 = 5 q0 = 1 q1 = 5 q2 = 1 q3 = 2 ri r-2 = 117 r-1 = 20 r0 = 17 r1 = 3 r2 = 2 r3 = 1 r4 = 0 xi x-2= 0 x-1= 1 x0 =-5 x1 = 6 x2 = -35 x3 = 41 = 20-1 mod 117 x4 = -117 i -2 -1 0 1 2 3 4 qi = ri ri+1 = ri-1 - qi ri xi+1 = xi-1 - qi xi Check: 20  41 mod 117 = 1

  28. Topic 3 RSA Encryption & Decryption with Montgomery Multipliers based on Carry Save Adders

  29. RSA as a trap-door one-way function PUBLIC KEY C = f(M) = Me mod N M C M = f-1(C) = Cd mod N PRIVATE KEY N = P  Q P, Q - large prime numbers e  d  1 mod ((P-1)(Q-1))

  30. Exponentiation: Y = XE mod N Right-to-left binary exponentiation Left-to-right binary exponentiation E = (eL-1, eL-2, …, e1, e0)2 Y = 1; S = X; for i=0 to L-1 { if (ei == 1) Y = Y  S mod N; S = S2 mod N; } Y = 1; for i=L-1 downto 0 { Y = Y2 mod N; if (ei == 1) Y = Y  X mod N; }

  31. Montgomery Modular Multiplication (1) C = A  B mod M A, B, M – k-bit numbers Montgomery domain Integer domain A A’ = A  2k mod M B B’ = B  2k mod M C’ = MP(A’, B’, M) = = A’  B’  2-k mod M = = (A  2k)  (B  2k)  2-k mod M = = A  B  2k mod M C = A  B C’ = C  2k mod M

  32. Montgomery Modular Multiplication (2) A A’ A’ = MP(A, 22k mod M, M) C C’ C = MP(C’, 1, M)

  33. Montgomery Modular Multiplication (3) 2k bits X = A’B’ x2n-1 x2n-2 x2n-3 xn . . . . . . x0 x1 + q0M x2n-1 x2n-2 0 x2n-3 xn . . . . . . x1 + q1Mb x2n-1 x2n-2 0 0 x2n-3 x2 . . . . . . . . . C’ 2k = X + zM C’ 2k X = A’B’ C’  A’B’ 2-k 0 0 . . . 0 C’ k bits

  34. Fast modular exponentiation using Chinese Remainder Theorem d N = C M mod CP = C mod P dP = d mod (P-1) CQ = C mod Q dQ = d mod (Q-1) dQ dP = CQ Q MQ = mod CP P MP mod M = MP ·RQ + MQ ·RP mod N where RP = (P-1 mod Q) ·P = PQ-1 mod N RQ = (Q-1 mod P) ·Q= QP-1 mod N

  35. Time of exponentiation without and with Chinese Remainder Theorem SOFTWARE Without CRT tEXP(k) = cs k3 With CRT k 1 tEXP-CRT(k)  2  cs ( )3 = tEXP(k) 2 4 HARDWARE Without CRT tEXP(k) = ch k2 With CRT 1 k tEXP-CRT(k) ch ( )2 = tEXP(k) 4 2

  36. Topic 4 RSA Encryption & Decryption with Word-Based Montgomery Multipliers

  37. Data dependency graph of a classical architecture by Tenca & Koc

  38. Data dependency graph of a new design from GWU & GMU

  39. Block diagram of the new architecture

  40. Block diagram of the main Processing Element

  41. Topic 5 p-1 Method of Factoring

  42. p-1 algorithm Inputs : N – number to be factored a – arbitrary integer such that gcd(a, N)=1 B1 – smoothness bound for Phase1 Outputs: q - factor of N, 1 < q ≤ N or FAIL

  43. p-1 algorithm – Phase 1 precomputations main computations postcomputations out of scope for this project

More Related