Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing100@Persistent

© 2013 Persistent Systems Ltd
www.persistentsys.com
RSA : The Inventors and the Algorithm
Pandurang Kamat
Turing100 Lecture series @ Persistent Systems
11 May 2013

2
Dr. Ronald Rivest, Dr. Adi Shamir and Dr. Leonard Adleman
Citation :
“… for their ingenious contribution to making public-key
cryptography useful in practice.”
“A method for obtaining digital signatures and public-key
cryptosystems,” Communications of the ACM, Feb. 1978.
ACM A. M. Turing Award

3
RSA used in the Public Key Certificates

RSA : The Inventors

5
Time Magazine 1977
P = NP

6
 Born : 1947, Schenectady, New York, USA
 Education :
 BA (Mathematics, Yale University, 1969)
 Ph.D. (Computer Science, Stanford University, 1973)
 Professional Career :
 MIT (Viterbi Professor of Computer Science in the EECS Department)
 Leader of MITs Cryptography and Information Security Group, from 1974)
 Member of MIT's Computer Science and Artificial Intelligence Laboratory, CSAIL,
and of their Theory of Computation Group.
 Co-founder of RSA Data Security (now owned by EMC as RSA Security), Verisign
and Peppercoin
Ronald (Ron) Linn Rivest

7
 Research : cryptography, computer and network security, voting systems
 Inventor of MD2, MD4, MD5 & MD6 (co-inventor) cryptographic hash functions
 Inventor of RC2, RC4, RC5 and co-inventor of RC6 ciphers
 Book : Popularly known as CLRS
 Co-author (with Professors Cormen, Leiserson, and Stein)
of “Introduction to Algorithms”, published by MIT Press
 Awards and Recognition :
 ACM Paris Kanellakis Theory and Practice Award (1997)
 ACM Turing Award, with A. Shamir and L. Adleman (2002)
 Marconi Prize (2007)
 National Cyber Security Hall of Fame Award (2012)
Ronald Rivest : Research and Recognition

8
 Born : 1952, Tel Aviv, Israel
 Education :
 BSc (Mathematics, Tel Aviv University, 1973)
 PhD (Computer Science, Weizmann Institute, Israel, 1977)
 Assistant Professor Department of Mathematics, MIT (1978-1980)
 Associate Professor at Department of Applied Mathematics, Weizmann Institute of
Science, Rehovot, Israel (1980-1984)
 Paul and Marlene Borman Professor, Department of Applied Mathematics, The
Weizmann Institute of Science, Rehovot, Israel(1984 onward)
 Co-founder of RSA Data Security (now owned by EMC as RSA Security)
Adi Shamir

9
 Research : Cryptography
 Broadcast encryption, ring signatures and T-functions
 Cryptanalytic attacks against block ciphers, stream ciphers
 Protective techniques against side channel attacks such as
power analysis.
 IEEE WRG Baker Award (1986)
 Israel Mathematical Society Erdos Prize (1983)
 Fellow, International Association of Cryptographic
Research (2004)
Adi Shamir : Research and Recognition

10
 Shamir’s secret sharing
 k points enough to define polynomial of degree k-1
 Differential Cryptanalysis -- New Field
 Co-wrote a book with his graduate student Eli Biham :
“Differential Cryptanalysis of the DES”
 Identity Based Cryptography (1984) – New Field
 Proposed Identity based Encryption (1984)
 First practical implementations came in 2001 via 2 different
techniques : Weil Pairing (Boneh & Franklin ) and Quadratic
Residue (Cocks)
 Visual Cryptography (1994) – New Field
 Decryption is a visual process
Adi Shamir : Other Major Contributions

11
 Born : 1945, San Francisco, California
 Education :
 BA, Mathematics (University of California, Berkley, 1968)
 PhD, Computer Science (UC, Berkley, 1976)
 MIT, Department of Mathematics (1979-1980 Associate Professor, 1977-1979
Assistant Professor)
 University of Southern California (1980 Associate Professor, 1983 Professor, 1985
Henry Salvatori Professor)
 Co-founder of RSA Data Security (now owned by EMC as RSA Security)
Leonard (Len) Max Adleman

12
 Research :
 “Adleman-Pomerance-Rumely primality test”
 Almost polynomial time, deterministic primality testing algorithm.
 “Recognizing Primes in random polynomial time” (1987)
 only topped in 2002 by “PRIMES in P” (IITK)
 Proved “first case of Fermat’s last theorem holds for infinitely many primes” (1986)
 Andrew Wiles proved Fermat’s last theorem (conjectured 1637) in 1995.
 Father of DNA computing : Solved Hamiltonian Path Problem using DNA (1994)
 Distinguished Professor title University of Southern California (2000)
Len Adleman: Research and Recognition

Video snippet from Adleman’s Turing lecture

History of Cryptography

15
Cryptography is derived from Greek words Krypto (hidden)
+ grafo (writing)
Used as early as 1900 BC – as inferred from archeological
finds.
Until the 1970s, encryption was Symmetric.
Sender and Receiver use the same key to encrypt and
decrypt.
A separate, secure (and usually offline) channel was used to
exchange a shared secret
Encryption through history

16
Transposition Cipher
Used by ancient Greeks and Spartans
Scytale

17
Shift Cipher
Used by Romans
Caesar Cipher

18
Inventor: Arthur Scherbius
Polyalphabetic substitution cipher
Used by Nazi military in WWII
Polish Cipher Bureau first broke enigma
ciphers
Alan Turing played a major role in British
efforts to break enigma
Enigma Machine

Public Key Cryptography

20
Private and Public Key Cryptography
Private Key Cryptography (Symmetric)
Uses a single key to encrypt and decrypt
Key shared by both sender and receiver
Cannot be used as a signature
Public Key Cryptography (Asymmetric)
Uses two keys – one private and the other public
Operations are slower than private key cryptography
In communication, typically used to establish a
symmetric session key

21
Public key encryption
E D
Alice Bob
PK SK
m c c m
Bob: generates (PK, SK) and gives PK to Alice
Non-secure
Channel

22
Challenge - Response

23
Claude Shanon : Information Theoretic Security
A code is unbreakable when the adversary does not have
enough information. E.g. One Time Pad
Computational Complexity introduced new ideas
A code could be unbreakable because the adversary does
not have enough computational power or time
Cryptology meets Computational Complexity

24
 1974, CS244 (Computer Security) course by Lance Hoffman
 Establishing secure communications between separate
secure sites over insecure communication lines.
 “… your description of project 1 is muddled terribly.”
 1975 : Paper submited to CACM --- Rejected
 “… not in the main stream of present cryptography thinking … “
 Finally a revised version is published in April 1978
 "Secure Communications over Insecure Channels". Communications
of the ACM
Ralph Merkle

25
Merkle’s Puzzles (1974)
Million Puzzles --
complexity O(N)
each
Bob
Alice
Eve
Has to solve 500K
puzzles on average
O(N2)

26
“PKC was born in the spring of 1975, a child of two problems
and a misunderstanding” *Diffie, 1988]
 Problem 1: Key distribution
 How do two parties establish a common cryptographic key
(symmetric) without any prior secret sharing ?
 Problem 2: Signatures
 Is there a way for the recipient of a digital message to verify
that the message came from a particular sender ?
 Misunderstanding : Key Distribution Center used in conventional
symmetric key cryptography was insecure.
The birth of PKC

27
One-way functions
Given x => easy to compute f(x) ;
but given f(x) => hard to compute x
Trapdoor functions
one way functions where a secret “trapdoor” y,
allows one to compute x from f(x)
Trapdoor Functions

28
What if Alice could pose challenges whose answers she
didn’t know (and couldn’t feasibly compute) but could
feasibly verify ?
 Bob creates a function ‘f’ (public info) for which only he knows the
trapdoor ‘y’.
 Alice sends a value from the f(x) space and asks Bob to solve it for x.
 Bob can only solve it if he knows the secret ‘y’ --- SIGNATURE
verification
 If ‘x’ is the message Alice wants to send Bob -- ENCRYPTION.
 “Multiuser Cryptographic Techniques” : Diffie and Hellman (1976)
Verifiable Challenges

29
John Gill : Discrete exponentiation because the inverse,
discrete logarithm, is hard.
 DH chose this for the DH scheme
Knapsack Or Subset-sum problem
 Merkle-Hellman (first) and others
 Can’t be used for signing. Now considered broken.
Donald Knuth : Prime multiplication , because
factorization is hard.
 RSA chose this.
Three possible tracks to find trapdoor functions

30
Whitfield Diffie and Martin E. Hellman,
“New Directions in Cryptography,”
IEEE Transactions On Information Theory, 1976.
“We stand today on the brink of a revolution in
cryptography …”
The Diffie Hellman Paper – inspired RSA

31
Diffie-Hellman Key Exchange
Finite cyclic group G of order n
Generator g in G ( G = {1, g, g2, g3, … , gn-1 } )
Alice Bob
Picks random a in {1,…,n} Picks random b in {1,…,n}
kAB = gab = (ga)
b
= KAbKBa = (gb)
a
=
KA = ga
KB = gb

Video snippet of Rivest Turing Lecture

RSA : The Algorithm

34
Greatest Common Divisor, gcd (a,b) – of a and b is the
largest positive integer dividing both a and b.
 e.g. gcd (24, 60) = 12
 a and b are called relatively prime if gcd (a,b) = 1
Congruence : Given integers a, b and n (s.t. n ≠ 0), a is
congruent to b mod n if (a - b) is a positive or negative
multiple of n.
 e.g. 17 ≡ 2 mod 5
Number Theory and Modular Arithmetic

35
Given gcd (a,n) = 1
Let s and t be integers s.t. as+nt=1
Then as ≡ 1 (mod n) and
s is the multiplicative inverse of a (mod n)
Multiplicative Inverse

36
Due to Sun Tzu.
Suppose gcd (p, q) = 1.
Given a and b, there exists exactly one solution
x (mod pq) to the simultaneous congruences
x ≡ a (mod p) and x ≡ b (mod q)
Chinese Remainder Theorem (CRT)

37
If p is prime and p does not divide a, then
ap – 1 ≡ 1 (mod p)
Fermat’s Little Theorem

38
Euler’s phi ( Φ ) function : For a composite
n, Φ (n) is the number of integers 1 <= a <=
n such that gcd (a,n) = 1.
 If n = pq (where p and q are primes) then using
Chinese Remainder Theorem we get
Φ(n) = (p – 1) (q – 1)
Euler’s Theorem : For a composite n, If
gcd(a, n) = 1, then
aΦ(n) ≡ 1 (mod n)
Euler’s theorem

39
Large random primes, p and q, s.t. n = pq
Φ = (p-1)(q-1)
Choose an integer e, 1 < e < Φ, such that gcd(e, Φ) = 1
Compute d, such that ed ≡ 1 (mod Φ)
Public key is (n, e) and the private key (d, p, q)
n  modulus e  public/encryption exponent
d  secret/private exponent .
RSA Key Generation

40
M=Message H(m)= Cryptographic Hash of m
 Encrypt c ≡ me mod n
 Decrypt m ≡ cd mod n
 Sign s ≡ (H(m))d mod n
 Verify H(m) ≡ se mod n
RSA Trapdoor Functions

RSA Explained Video

42
ed ≡ 1 (mod (p - 1)(q - 1))
ed – 1 = h (p – 1) (q – 1) , for some non-negative integer h
If (me)d ≡ 0 (mod p)  (me)d is a multiple of p  (me)d ≡ 0 ≡ m (mod
p) If (me)d !≡ 0 (mod p) 
(me)d = m(ed – 1)m = mh(p-1)(q-1)m = (mp-1)h(q-1)m ≡ 1h(q-1)m ≡ m (mod p)
using Fermat’s Little Thm.
Similarly (me)d ≡ m (mod q)
 (me)d ≡ m (mod pq) using Chinese Remainder Thm
Proof of Correctness

43
Plain RSA is a Deterministic encryption algorithm (no
random aspect)
 Open to chosen plaintext attacks
Not semantically secure
Chosen Ciphertext attacks exist
Solution: random padding – Optimal Asymmetric
Encryption Padding (OAEP)
RSA algorithm by itself is vulnerable in practice

44
 Public Key Cryptography Standard #1 (current version 2.2)
 Specifies RSA encryption, decryption, signature and verification
primitives
 I2OSP, OS2IP: Convert non-negative integers to Octet strings and vice versa.
 RSAEP, RSADP: Basic encryption and decryption algorithms.
 RSASP1, RSAVP1: Algorithms for producing and verifying signatures.
 Specifies RSA encryption and signature schemes
 Specifies encoding methods for these schemes
 Other signature scheme standards
 ANSI X9.31, Bellare-Rogaway PSS
PKCS #1

45
EME-OAEP from PKCS#1 v2.2
lHash PS 01 MDB =
MGF
seed
MGF
00 maskedSeed maskedDBEM =
00

46
Practical choices with RSA
To speed up RSA encryption use a small e:
c = me (mod N)
Minimum value: e=3
Recommended value: e=65537=216+1

47
RSA Key Lengths
Strength compared with symmetric cipher key sizes
Symmetric (AES) key size in bits RSA Key size in bits
128 3072
192 7680
256 15360

48
Illegal” Perl prior to 1999
 #!/bin/perl -
sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo
16dioU$k"SK$/SM$nEsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/W//g;$_=pack('H*',/((..)*)$/)
Reference: Adam Back
http://www.cypherspace.org/adam/rsa/
RSA and the US Export Regulations

49
Unknown to the RSA team, British mathematician
Clifford Cocks, while working at the Government
Communications Headquarters (GCHQ), had built upon
the work of James Ellis and developed a similar
method.
It was however classified as a secret by the British
Government and not made public until 1997.
Used N=e
The Pre-RSA PKC algorithm (1973)

Video snippet of Shamir Turing Lecture

51
Source : xkcd comic

Attacks on RSA

53
RSA Attack Approaches
Brute forcing the Key
 Not feasible given the sizes of numbers
Factorization
 Mathematical attacks for factoring modulus N
Implementation Attacks
 Timing attacks
 Power attacks
 Fault attacks

54
Mathematical approach takes 3 forms:
 factor N=p.q, hence find ø(N) and then d
 determine ø(N) directly and find d
 find d directly
 Considered equally hard == factoring
Factoring algorithms have gotten better over the years
 Best algorithms use “Quadratic Sieve” or “Generalized Number
Field Sieve”
 1024+ bit RSA currently considered secure for most uses and
2048 bit recommended for high-security.
Factorization

55

Factoring Complexity

56
 RSA-768 factored in 2009 by Thorsten Kleinjung et al.
 The largest RSA challenge modulus factored till date
 232 decimal digits, 768 bits
 RSA-768 =
1230186684530117755130494958384962720772853569595334792197
3224521517264005072636575187452021997864693899564749427740
6384592519255732630345373154826850791702612214291346167042
921431160222124047927473779408066535141959745985
6902143413
 RSA-768 =
3347807169895689878604416984821269081770479498371376856891
2431388982883793
878002287614711652531743087737814467999489 ×
The RSA Challenge

57
Implementation attacks
 Timing attack: [Kocher et al. 1997]
 The time it takes to compute cd (mod N) can expose d
 countermeasures
 use constant exponentiation time
 add random delays
 Power attack: [Kocher et al. 1999)
 The power consumption of a smartcard while it is computing
cd (mod N) can expose d.
 Faults attack: [Boneh et al. 1997]
 A computer error during cd
(mod N) can expose d.

58
An Example Fault Attack on RSA
A common optimization of RSA decryption
decrypt mod p: mp ≡ cd (mod p)
decrypt mod q: mq ≡ cd (mod q)
If an error occurs when computing mq , but not with mp
Then: output is m’ where
m’ ≡ cd (mod p) but m’ ! ≡ cd (mod q)
(m’)e ≡ c (mod p) but (m’)e ! ≡ c in (mod q)
 gcd((m’)e- c, n) = p
combine to get m ≡ cd (mod n)

59
Problems with RSA Key Generation
[Heninger et al./Lenstra et al.]
:
 0.4% of publicly available https keys were factored. Mostly
devices like routers
 Random number generation is a critical cog; must ensure good
source of entropy.
prng.seed(seed)
p = prng.generate_random_prime()
prng.add_randomness(bits)
q = prng.generate_random_prime()
N = p*q
Poor initial entropy  same p
on multiple devices
N1 , N2 : 2 different keys s.t.
gcd(N1,N2) = p

60
 Low Private Exponent
 M. Wiener (1987) - a linear time algorithm for recovering d if d < N 0.25
 Boneh and Durfee (1998) - d < N 0.292 RSA is insecure
 This is a problem for low-power devices like smartcards.
 Workaround :
 dp = d mod (p – 1) and dq = d mod (q – 1) are small, while d is still large.
 Also Qinv = q -1 (mod p) then
 mp = cdp (mod p) and mq = cdq (mod q)
 h = Qinv * (mp – mq) (mod p)
 m = mq + (h * q)
 dp and dq can’t be too small though.
Low Private Exponent

61
 Quantum computing
 Based on qubit
 Can be 1 , 0 or a superposition of both at the same time
 Quantum parallelism allows for exponentially many computations
 Shor ‘s Algorithm (1994)
 Can factor large numbers in polynomial time -- O ( (log n)3 ) for factoring n bit
number. Probabilistic.
 Thankfully quantum computers are long way from reality
 Best implementation so far
 Bristol University researchers (1999) – computed the “order finding routine” part of Shor
 IBM (2011) and UCSB researchers (2012) could factor 15 = 3 * 5 (48% of the time)
Quantum Computing and Factoring

62
 Merkle-Hellman (1978) – Knapsack
 Rabin-Williams (1979) – Factoring
 Goldwasser-Micali (1984) – Quadratic Residue
 Blum-Goldwasser (1984) – Factoring
 ElGamal (1985) – Discrete Log Problem
 Miller-Koblitz (1985) – Elliptic Curves
 Cramer-Shoup (1998) – Discrete Log Problem
 Boneh-Franklin (2001) – Bilinear Diffie-Hellman Problem
 Cocks IBE (2001) – Quadratic Residue
 …
Other PKC Systems

63
RSA (1977) was the first (publicly known) public key
encryption and signature algorithm
Based on number theory and core security derived
from hardness of factoring
Widely deployed and used in modern communication
Most effective attacks have been on implementation
 Slow and steady progress on factoring attacks
Summary

64
This presentation has referenced and borrowed material from the
following sources.
 ACM’s Turing Award website
 RSA inventor’s own web pages
 10 years of public key cryptography – Whitfield Diffie
 Wikipedia
 Dan Boneh’s Crypto course on Coursera.org
 Introduction to Cryptography and Coding Theory – Trappe and
Washington
References and acknowledgements

65
Prof. Dan Boneh
https://www.coursera.org/course/crypto
Learn More

6666
Thank You !

Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing100@Persistent

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing100@Persistent

Semelhante a Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing100@Persistent (20)

Mais de Persistent Systems Ltd.

Mais de Persistent Systems Ltd. (20)

Life and Work of Ronald L. Rivest, Adi Shamir & Leonard M. Adleman | Turing100@Persistent

Notas do Editor