14-applications-of-number

advertisement
Applications of Number
Theory
CS 202
Epp section 10.4
Aaron Bloomfield
1
About this lecture set
• I want to introduce RSA
– The most commonly used cryptographic algorithm
today
• Much of the underlying theory we will not be
able to get to
– It’s beyond the scope of this course
• Much of why this all works won’t be taught
– It’s just an introduction to how it works
2
Private key cryptography
• The function and/or key to encrypt/decrypt is a
secret
– (Hopefully) only known to the sender and recipient
• The same key encrypts and decrypts
• How do you get the key to the recipient?
3
Public key cryptography
• Everybody has a key that encrypts and a
separate key that decrypts
– They are not interchangable!
• The encryption key is made public
• The decryption key is kept private
4
Public key cryptography goals
• Key generation should be relatively easy
• Encryption should be easy
• Decryption should be easy
– With the right key!
• Cracking should be very hard
5
Is that number prime?
• Use the Fermat primality test
• Given:
– n: the number to test for primality
– k: the number of times to test (the certainty)
• The algorithm is:
repeat k times:
pick a randomly in the range [1, n−1]
if an−1 mod n ≠ 1 then return composite
return probably prime
6
Is that number prime?
• The algorithm is:
repeat k times:
pick a randomly in the range [1, n−1]
if an−1 mod n ≠ 1 then return composite
return probably prime
• Let n = 105
– Iteration 1: a = 92: 92104 mod 105 = 1
– Iteration 2: a = 84: 84104 mod 105 = 21
– Therefore, 105 is composite
7
Is that number prime?
• The algorithm is:
repeat k times:
pick a randomly in the range [1, n−1]
if an−1 mod n ≠ 1 then return composite
return probably prime
• Let n = 101
–
–
–
–
–
Iteration 1: a = 55: 55100 mod 101 = 1
Iteration 2: a = 60: 60100 mod 101 = 1
Iteration 3: a = 14: 14100 mod 101 = 1
Iteration 4: a = 73: 73100 mod 101 = 1
At this point, 101 has a (½)4 = 1/16 chance of still
8
being composite
More on the Fermat primality test
• Each iteration halves the probability that the number is a
composite
– Probability = (½)k
– If k = 100, probability it’s a composite is (½)100 = 1 in 1.2  1030
that the number is composite
• Greater chance of having a hardware error!
– Thus, k = 100 is a good value
• However, this is not certain!
– There are known numbers that are composite but will always
report prime by this test
• Source: http://en.wikipedia.org/wiki/Fermat_primality_test
9
Google’s recruitment campaign
10
RSA
• Stands for the inventors: Ron Rivest, Adi Shamir
and Len Adleman
• Three parts:
– Key generation
– Encrypting a message
– Decrypting a message
11
Key generation steps
1. Choose two random large prime numbers p ≠ q, and
n = p*q
2. Choose an integer 1 < e < n which is relatively prime to
(p-1)(q-1)
3. Compute d such that d * e ≡ 1 (mod (p-1)(q-1))
–
Rephrased: d*e mod (p-1)(q-1) = 1
4. Destroy all records of p and q
12
Key generation, step 1
•
Choose two random large prime numbers p ≠ q
– In reality, 2048 bit numbers are recommended
•
That’s  617 digits
– From last lecture: chance of a random odd 2048 bit
number being prime is about 1/710
•
•
•
We can compute if a number is prime relatively quickly via
the Fermat primality test
We choose p = 107 and q = 97
Compute n = p*q
– n = 10379
13
Key generation, step 1
• Java code to find a big prime number:
BigInteger prime = new BigInteger
(numBits, certainty, random);
The number of
bits of the prime
Certainty that the
number is a prime
The random number
generator
14
Key generation, step 1
• Java code to find a big prime number:
import java.math.*;
import java.util.*;
class BigPrime {
static int numDigits = 617;
static int certainty = 100;
static final double LOG_2 = Math.log(10)/Math.log(2);
static int numBits = (int) (numDigits * LOG_2);
public static void main (String args[]) {
Random random = new Random();
BigInteger prime = new BigInteger (numBits, certainty,
random);
System.out.println (prime);
}
}
15
Key generation, step 1
• How long does this take?
– Keep in mind this is Java!
– These tests done on a 850 Mhz Pentium machine
– Average of 100 trials (certainty = 100)
– 200 digits (664 bits): about 1.5 seconds
– 617 digits (2048 bits): about 75 seconds
16
Key generation, step 1
• Practical considerations
– p and q should not be too close together
– (p-1) and (q-1) should not have small prime factors
– Use a good random number generator
18
Key generation, step 2
• Choose an integer 1 < e < n which is relatively
prime to (p-1)(q-1)
• There are algorithms to do this efficiently
– We aren’t going over them in this course
• Easy way to do this: make e be a prime number
– It only has to be relatively prime to (p-1)(q-1), but can
be fully prime
19
Key generation, step 2
• Recall that p = 107 and q = 97
– (p-1)(q-1) = 106*96 = 10176 = 26*3*53
• We choose e = 85
– 85 = 5*17
– gcd (85, 10176) = 1
– Thus, 85 and 10176 are relatively prime
20
Key generation, step 3
• Compute d such that:
d * e ≡ 1 (mod (p-1)(q-1))
– Rephrased: d*e mod (p-1)(q-1) = 1
• There are algorithms to do this efficiently
– We aren’t going over them in this course
• We choose d = 4669
– 4669*85 mod 10176 = 1
• Use
the
script
at
http://www.cs.virginia.edu/cgi-bin/cgiwrap/asb/modpow
21
Key generation, step 3
• Java code to find d:
import java.math.*;
class FindD {
public static void main (String args[]) {
BigInteger pq = new BigInteger("10176");
BigInteger e = new BigInteger ("85");
System.out.println (e.modInverse(pq));
}
}
• Result: 4669
22
Key generation, step 4
• Destroy all records of p and q
• If we know p and q, then we can compute the
private encryption key from the public decryption
key
d * e ≡ 1 (mod (p-1)(q-1))
23
The keys
• We have n = p*q = 10379, e = 85, and d = 4669
• The public key is (n,e) = (10379, 85)
• The private key is (n,d) = (10379, 4669)
• Thus, n is not private
– Only d is private
• In reality, d and e are 600 (or so) digit numbers
– Thus n is a 1200 (or so) digit number
24
Encrypting messages
•
To encode a message:
1. Encode the message m into a number
2. Split the number into smaller numbers m < n
3. Use the formula c = me mod n
•
•
c is the ciphertext, and m is the message
Java code to do the last step:
–
–
m.modPow (e, n)
Where the object m is the BigInteger to encrypt
25
Encrypting messages example
1.
Encode the message into a number
–
–
String is “Go Cavaliers!!”
Modified ASCII codes:
•
2.
41 81 02 37 67 88 67 78 75 71 84 85 03 03
Split the number into numbers < n
–
–
Recall that n = 10379
4181 0237 6788 6778 7571 8485 0303
Use the formula c = me mod n
3.
–
–
–
–
•
418185 mod 10379 = 4501
023785 mod 10379 = 2867
678885 mod 10379 = 4894
Etc…
Encrypted message:
–
4501 2867 4894 0361 3630 4496 6720
26
Encrypting RSA messages

Formula is c = me mod n
27
Decrypting messages
1. Use the formula m = cd mod n on each number
2. Split the number
character numbers
into
individual
ASCII
3. Decode the message into a string
28
Decrypting messages example
•
Encrypted message:
–
4501 2867 4894 0361 3630 4496 6720
Use the formula m = cd mod n on each number
1.
–
–
–
–
2.
45014669 mod 10379 = 4181
28674669 mod 10379 = 0237
48944669 mod 10379 = 6788
Etc…
Split the numbers into individual characters
–
3.
41 81 02 37 67 88 67 78 75 71 84 85 03 03
Decode the message into a string
–
Modified ASCII codes:
•
–
41 81 02 37 67 88 67 78 75 71 84 85 03 03
Retrieved String is “Go Cavaliers!!”
29
modPow computation
1. How to compute c = me mod n or m = cd mod n?
–
•
Example: 45014669 mod 10379 = 4181
Use
the
script
at
http://www.cs.virginia.edu/cgi-bin/cgiwrap/asb/modpow
•
Other means:
–
–
–
Java: use the BigInteger.modPow() method
Perl: use the bmodpow function in the BigInt library
Etc…
30
Why this works
• m = cd mod n
• c = me mod n
• cd ≡ (me)d ≡ med (mod n)
• Recall that:
– ed ≡ 1 (mod p-1)
– ed ≡ 1 (mod q-1)
• Thus,
– med ≡ m (mod p)
– med ≡ m (mod q)
• med ≡ m (mod pq)
• med ≡ m (mod n)
31
Cracking a message
• In order to decrypt a message, we must compute m = cd
mod n
– n is known (part of the public key)
– c is known (the ciphertext)
– e is known (the encryption key)
• Thus, we must compute d with no other information
– Recall: choose an integer 1 < e < n which is relatively prime to
(p-1)(q-1)
– Recall: Compute d such that: d*e mod (p-1)(q-1) = 1
• Thus, we must factor the composite n into it’s component
primes
– There is no efficient way to do this!
– We can, very easily, tell that n is composite, but we can’t tell
what its factors are
• Once n is factored into p and q, we compute d as above
– Then we can decrypt c to obtain m
32
Cracking a message example
•
In order to decrypt a message, we must compute m = cd
mod n
– n = 10379
– c is the ciphertext being cracked
– e = 85
•
In order to determine d, we need to factor n
–
–
–
–
•
d*e mod (p-1)(q-1) = 1
We factor n into p and q: 97 and 107
This would not have been feasible with two large prime factors!!!
d * 85 (mod (96)(106)) = 1
We then compute d as above, and crack the message
33
Signing a message
• Recall
that
we
d*e mod (p-1)(q-1) = 1
computed:
• Note that d and e are interchangable!
– You can use either for the encryption key
• You can encrypt with either key!
– Thus, you must use the other key to decrypt
34
Signing a message
•
To “sign” a message:
1. Write a message, and determine the MD5 hash
2. Encrypt the hash with your private (encryption) key
3. Anybody can verify that you created the message
because ONLY the public (encryption) key can
decrypt the hash
4. The hash is then verified against the message
35
PGP and GnuPG
• Two applications which implement the RSA
algorithm
– GnuPG Is open-source (thus it’s free)
– PGP was first, and written by Phil Zimmerman
• The US gov’t didn’t like PGP…
36
The US gov’t and war munitions
37
How to “crack” PGP
• Factoring n is not feasible
• Thus, “cracking” PGP is done by other means
– Intercepting the private key
• “Hacking” into the computer, stealing the computer, etc.
– Man-in-the-middle attack (next 2 slides)
– Etc.
38
Man-in-the-middle attack:
“Normal” RSA communication
What is your public key?
My public key is 12345…
What is your public key?
My public key is 67890…
Here’s message encrypted with 12345…
Here’s a response encrypted with 67890…
39
What is your public key?
My public key is abcde…
What
Blackishas
yourthe
public key?
private decryption
My
key is 67890…
keypublic
for abcde…
What is your public key?
My public key is 12345…
What is your public key?
My public key is vwxyz…
Here’s message encrypted w/ abcde…
Black has the
Decrypts message with correspondingprivate
privatedecryption
key to abcde…;
key for
re-encrypts message with blue’s public
keyvwxyz…
(12345…)
Here’s message encrypted w/ 12345…
Here’s response encrypted w /vwxyz…
Decrypts message with corresponding private key to vwxyz…;
re-encrypts message with yellow’s public key (67890…)
Here’s response encrypted w/ 67890…
40
Other public key encryption
methods
• Modular logarithms
– Developed by the US government, therefore not
widely trusted
• Elliptic curves
41
Quantum computers
• A quantum computer could (in principle) factor n in
reasonable time
– This would make RSA obsolete!
– Shown (in principle) by Peter Shor in 1993
– You would need a new (quantum) encryption algorithm to
encrypt your messages
• This is like saying, “in principle, you could program a
computer to correctly predict the weather”
• A few years ago, IBM created a quantum computer that
successfully factored 15 into 3 and 5
• I bet the NSA is working on such a computer, also
42
Sources
• Wikipedia article has a lot of info on RSA and the
related algorithms
– Those articles use different variable names
– Link at http://en.wikipedia.org/wiki/RSA
43
Download