rsa• for rsa, calculate gcd(phi(n), e) to find d using extended euclidean algorithm (see handout...
TRANSCRIPT
![Page 1: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/1.jpg)
RSA
Last Updated: Oct 14, 2017
![Page 2: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/2.jpg)
Recap• Number theory
o What is a prime number?o What is prime factorization?o What is a GCD?o What does relatively prime mean?
• What does co-prime mean?o What does congruence mean?o What is the additive inverse of 13 % 17 ?o What is the multiplicative inverse of 7 % 8 ?
![Page 3: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/3.jpg)
Recap: Diffie-Hellman• You’re trapped in your
spaceship• You have enough energy to
send a single message to your HQ
• You have:o HQ’s public DH values
• g=5, p = 875498279345…ga = 32477230478…
o Your AES implementation from Labs #1 & 2
o An arbitrary precision calculator
• How can you construct your message so that it will be safe from eavesdroppers?
![Page 4: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/4.jpg)
Asymmetric Encryption
![Page 5: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/5.jpg)
Public Key Terminology• Public Key• Private Key• Digital Signature
• You encrypt with a public key, and you decrypt with a private key
• You sign with a private key, and you verify with a public key
![Page 6: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/6.jpg)
Encryption Algorithm Decryption Algorithm
Model for Encryption with Public Key Cryptography
Alice Bob
Plaintext
Bob’s Public Key Bob’s Private Key
Ciphertext Plaintext
![Page 7: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/7.jpg)
Signing Algorithm Signature Verification Algorithm
Model for Digital Signature with Public Key Cryptography
Alice Bob
Plaintext
Alice’s Private Key Alice’s Public Key
Signed Document Plaintext
![Page 8: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/8.jpg)
History of RSA• Invented in 1977 by
o Ron Rivesto Adi Shamiro Leonard Adleman
• Patented until 2000
• It’s withstood years of extensive cryptanalysis o Suggests a level of confidence in the algorithmo Example of successful attacks against implementations
• Side channel attacks• Poor random number generators
![Page 9: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/9.jpg)
Textbook RSA• m = message• c = ciphertext• e = public exponent• d = private exponent• n = modulus
• RSA Encryptiono c = me % n
• RSA Decryptiono m = cd % n
![Page 10: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/10.jpg)
The Math Behind RSA• RSA encrypt/decrypt operations are simple
• The math to get to the point where these operations work is not so simple (at first)o Fermat’s little theoremo Euler’s generalization of Fermat’s little theorem
![Page 11: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/11.jpg)
Fermat’s Little Theorem• If
o p is primeo a is relatively prime to p
• (co-prime)
• Then Fermat’s theorem stateso ap-1 º 1 (mod p)
o for all 0 < a < p• This serves as the basis for
o Fermat’s primality testo Euler’s generalization Pierre de Fermat
(1601-1655)
Which values of a aren’t co-prime to p?
![Page 12: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/12.jpg)
Euler’s Generalization of Fermat’s Little Theorem
• Euler saido aphi(n) º 1 (mod n)
• phi(n)o Euler’s totient function j(n)o The number of values less than n which are relatively prime
to n• Multiplicative group of integers (Zn*)
• RSA is interested in values of n that are the product of two prime numbers p and q
Leonhard Euler(1707-1783)
n doesn’t need to be primea must still be co-prime to n
![Page 13: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/13.jpg)
Computing phi(n) in RSA• phi(n) is the number of integers between 0 and n that are co-prime to n
• When p * q = n, and p and q are prime, what is the phi(n)?
• Proof (When p * q = n)
Observations1) there are p-1 multiples of q between 1 and n2) there are q-1 multiples of p between 1 and nThese multiples are not co-prime to n
Definition:phi(n) = # of values between 0 and n that are co-prime to n phi(n) = # of values between 0 and n minus
# of values between 0 and n not co-prime to n
phi(n) = [ n – 1] – [(p-1) + (q-1)]
= [pq – 1] – (p-1) – (q-1)
= pq – p – q + 1
= (p-1)(q-1)
(p-1)(q-1)
Why not?
![Page 14: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/14.jpg)
RSA• Euler said: aphi(n) º 1 (mod n)
o m(p-1)(q-1) º 1 (mod n)
• Notice: m(p-1)(q-1) * m º m(p-1)(q-1)+1 º m (mod n)o mphi(n)+1 º m (mod n)
• Let e*d = k*phi(n) + 1o Then e*d º 1 (mod phi(n))o Therefore med º mk*phi(n)+1 º mphi(n) *mphi(n) *… * m º m (mod n)
• RSA Encryptiono me = c (mod n)
• RSA Decryptiono cd = m (mod n)
![Page 15: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/15.jpg)
Steps for RSA Encryption• Select p, q (large prime numbers)• n=p*q• phi(n) = (p-1)(q-1)
• Select integer e where e is relatively prime to phi(n)o Common values for e are 3 and 65537. Why?
• Calculate d, where d*e = 1 (mod phi(n))
• Public key is KU = {e, n}• Private key is KR = {d, n}
• RSA encryptiono me = c (mod n)
• RSA decryptiono cd = m (mod n)
Why is RSA Secure?• Hard to factor large numbers
• Hard to compute d without phi(n)• Discrete logs are hard (md % n)
• Given signature, hard to find d
![Page 16: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/16.jpg)
RSA Usage• Given me = c (mod n) and cd = m (mod n)
o What restrictions should be placed on m?
• For bulk encryption (files, emails, web pages, etc)o Some try using RSA as block ciphero Never, never, never encrypt data directly using RSA
• Inefficient• Insecure
o Always use symmetric encryption for data, and use RSA to encrypt the symmetric key (after adding the appropriate padding)
• Digital signatureso Do not sign the entire document - too slowo Sign (“encrypt”) a hash of the document using the private key
• The length of the hash is < n
![Page 17: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/17.jpg)
How do we get p, q, e, & d?
• What is p?o How do we get it?
• What is q?o How do we get it?
• What is e?o How do we get it?o What is the relationship of e and (p-1)(q-1)?
• What is d?o How do we get it?
![Page 18: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/18.jpg)
Multiplicative Inverses• Use the extended Euclidean algorithm
o Based on the fact that GCD can be defined recursively• If x > y, then GCD(x,y) =(recursively) GCD(y, x-y)• Also if x > y, then GCD(x,y) =(recursively) GCD(y, x%y)
o GCD can also be used as follows:• Suppose ax + by = gcd(x,y)• If x is the modulus, and gcd (x,y) = 1
o Then ax + by = 1 and b is y-1
![Page 19: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/19.jpg)
Steps for RSA Encryption• Select p, q (large prime numbers)• n=p*q• phi(n) = (p-1)(q-1)
• Select integer e where e is relatively prime to phi(n)o Common values for e are 3 and 65537. Why?
• Calculate d, where d*e = 1 (mod phi(n))
• Public key is KU = {e, n}• Private key is KR = {d, n}
• RSA encryptiono me = c (mod n)
• RSA decryptiono cd = m (mod n)
![Page 20: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/20.jpg)
Extended Euclidean algorithm
We will use this algorithm to compute d
Based on the fact that GCD can be defined recursivelyIf x > y, then GCD(x,y) =(recursively) GCD(y, x-y)
Also if x > y, then GCD(x,y) =(recursively) GCD(y, x%y)
![Page 21: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/21.jpg)
GCD(x,y) = GCD(y, x%y)
Apply this principle recursively
GCD (120,23) 120 / 23 = 5 r 5GCD ( 23, 5) 23 / 5 = 4 r 3GCD ( 5, 3) 5 / 3 = 1 r 2GCD ( 3, 2) 3 / 2 = 1 r 1GCD ( 2, 1) 2 / 1 = 2 r 0
GCD is the last non-zero remainderGCD is 1, 120 and 23 are co-prime
![Page 22: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/22.jpg)
Sum of Products
Each remainder r is equal to a sum of products of the original x and y
GCD (x, y) = q remainder r, where r = x(1) + y(-q)
GCD (120, 23)120 / 23 = 5 r 5 => 5 = 120(1) + 23(-5)23 / 5 = 4 r 3 => 3 = 23(1) + 5(-4)5 / 3 = 1 r 2 => 2 = 5(1) + 3(-1)3 / 2 = 1 r 1 => 1 = 3(1) + 2(-1)
Notice the first line is a sum of products involving 120 and 23.We can derive a formula for each remainder to be a sum of products of
120,23.
![Page 23: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/23.jpg)
Substitution** Substitute the equation for 5 the prior line and simplify to
produce a sum of products using the original numbers 120 and 23 to replace the sum of products of 23 and 5.
GCD (120, 23)
120 / 23 = 5 r 5 => 5 = 120(1) + 23(-5)
23 / 5 = 4 r 3 => 3 = 23(1) + 5(-4) **
5 / 3 = 1 r 2 => 2 = 5(1) + 3(-1)
3 / 2 = 1 r 1 => 1 = 3(1) + 2(-1)
GCD (120, 23)
120 / 23 = 5 r 5 => 5 = 120(1) + 23(-5)
23 / 5 = 4 r 3 => 3 = 23 + [120(1) + 23(-5)] (-4)
= 23 + (120(-4) + 23(20))
= 23(21) + 120(-4)
5 / 3 = 1 r 2 => 2 = 5(1) + 3(-1)
3 / 2 = 1 r 1 => 1 = 3(1) + 2(-1)
![Page 24: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/24.jpg)
Sum of Products** Continue this pattern. Simplify the next line to be a sum of
products of 120 and 23 using equations already in the form for the prior remainders 5 and 3. Simplify. Be careful to get the signs correct. Keep like terms (multiples) together.
GCD (120, 23)
120 / 23 = 5 r 5 => 5 = 120(1) + 23(-5)
23 / 5 = 4 r 3 => 3 = 23(21) + 120(-4)
5 / 3 = 1 r 2 => 2 = 5(1) + 3(-1) **
3 / 2 = 1 r 1 => 1 = 3(1) + 2(-1)
GCD (120, 23)
120 / 23 = 5 r 5 => 5 = 120(1) + 23(-5)
23 / 5 = 4 r 3 => 3 = 23(21) + 120(-4)
5 / 3 = 1 r 2 => 2 = [120(1)+23(-5)](1) + [23(21)+120(-4)](-1)
= 120(5) + 23(-26)
3 / 2 = 1 r 1 => 1 = 3(1) + 2(-1)
![Page 25: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/25.jpg)
Sum of Products
GCD (120, 23)120 / 23 = 5 r 5 => 5 = 120(1) + 23(-5)23 / 5 = 4 r 3 => 3 = 23(21) + 120(-4)5 / 3 = 1 r 2 => 2 = 120(5) + 23(-26)3 / 2 = 1 r 1 => 1 = 3(1) + 2(-1)
GCD (120, 23)120 / 23 = 5 r 5 => 5 = 120(1) + 23(-5)23 / 5 = 4 r 3 => 3 = 23(21) + 120(-4)5 / 3 = 1 r 2 => 2 = 120(5) + 23(-26)3 / 2 = 1 r 1 => 1 = [23(21) + 120(-4)](1) +
[120(5) + 23(-26)](-1)= 23(47) + 120(-9)
Notice that 1 = 23*47 + 120(-9) means that 47 is the multiplicative inverse of 23 (mod 120)
![Page 26: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/26.jpg)
Computing “d”• For RSA, calculate GCD(phi(n), e) to find d using
extended Euclidean algorithm (see handout on Lab #4 page)o Manual iterative method for the examo Use the table method in your lab
• For RSA, the GCD(phi(n),e) will result in an equation of the formo 1 = e*d + phi(n)*k o Where d or k is negative
• If d is negative convert it to an equivalent positive number (mod n) using phi(n) + d
![Page 27: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/27.jpg)
Steps for determining d• Calculate phi(n) and select an e (3, 5, 7 usually for our toy
problems)• Find the GCD of (phi(n), e) which should always be 1 if e is
valid. If the GCD is not 1, repeat for a different value of e.• Create a sum of products expression for each remainder from
x/y of the form [ remainder = X(1) + y(-quotient) ]• Starting from the first expression, use substitution to create an
equation of the form: remainder = phi(n)*k + e(d)• If d is negative, convert to a positive number
d = phi(n) + d
![Page 28: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/28.jpg)
Practicep=5, q=11, e=3
![Page 29: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/29.jpg)
Practicep=5, q=11, e=3
n = p*q = 5*11 = 55phi(n) = (p-1)(q-1) = 4*10 = 40
Calculate d
GCD (phi(n), e) = GCD (40, 3)40/ 3 = 13 r 1 => 1 = 40(1) + 3(-13)
Since d is negative, d = phi(n) + d = 40 + (-13) = 27
Public Key = {3, 55}Private Key = {27, 55}
![Page 30: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/30.jpg)
Practicep=11, q=13, e= number <= 8
![Page 31: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/31.jpg)
Practicep=11, q=13, e= number <= 8
n = p*q = 11*13 = 143phi(n) = (p-1)(q-1) = 10*12 = 120
Calculate d
GCD (phi(n),e) = GCD (120,3/5/7) ** note that 3,5 not co-prime to 120120/ 7 = 17 r 1 => 1 = 120(1) + 7(-17)
Since d is negative, d = phi(n) + d = 120 + (-17) = 103
Public Key = {7, 143}Private Key = {103, 143}
![Page 32: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/32.jpg)
Practicep=5, q=13, e=5
![Page 33: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/33.jpg)
Practicep=5, q=13, e=5
n = p*q = 5*13 = 65phi(n) = (p-1)(q-1) = 4*12 = 48
Calculate d
GCD (phi(n),e) = GCD (48,5)48/ 5 = 9 r 3 => 3 = 48(1) + 5(-9)5 / 3 = 1 r 2 => 2 = 5(1) + 3(-1) = 5(1) + [48(1) + 5(-9)](-1)
5(10) + 48(-1)3 / 2 = 1 r 1 => 1 = 3(1) + 2(-1) = [48(1) + 5(-9)](1) +
[5(10) + 48(-1)](-1)48(2) + 5(-19)
Since d is negative, d = phi(n) + d = 48 + (-19) = 29
Public Key = {5, 65}Private Key = {29, 65}
![Page 34: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/34.jpg)
Practicep=17, q=11, e=7
![Page 35: RSA• For RSA, calculate GCD(phi(n), e) to find d using extended Euclidean algorithm (see handout on Lab #4 page) oManual iterative method for the exam oUse the table method in your](https://reader036.vdocument.in/reader036/viewer/2022070723/5f01fe777e708231d4020d43/html5/thumbnails/35.jpg)
Practicep=17, q=11, e=7
n = p*q = 17*11 = 187phi(n) = (p-1)(q-1) = 16*10 = 160
Calculate d
GCD (phi(n), e) = GCD (160, 7)160/ 7 = 22 r 6 => 6 = 160(1) + 7(-22)7 / 6 = 1 r 1 => 1 = 7(1) + 6(-1)
7(1) + [160(1) + 7(-22)](-1)160(-1) + 7(23)
Public Key = {7, 187}Private Key = {23, 187}