RSA Cryptosystem, Master's Program, 29th Cohort, 박준영

RSA Algorithm

Jul 26, 2015

Transcript
Page 1: RSA Algorithm

RSA Cryptosystem

Master's Program, 29th Cohort, 박준영

Page 2: RSA Algorithm

Contents

• Symmetric / Asymmetric Key Algorithm

• Founders of RSA

• RSA Key Generation Algorithm

• RSA Crack Estimated Time

• Possible Attacks

• Tutorials

• Q & A

Page 3: RSA Algorithm

Symmetric Key Algorithm

• Same key for Encrypt & Decrypt

• Fast computing speed

• Easy(?) to Develop

• Block Cipher / Stream Cipher

Page 4: RSA Algorithm

–Benjamin Franklin

‘Three can keep a secret, if two of them are dead.’

Page 5: RSA Algorithm

Asymmetric Key Algorithm

• Different key (Public Key / Private Key)

• Slow computing speed

• Hard to Develop

+ Non-repudiation

• Factorization Problem / Discrete Logarithm Problem

• RSA / ECC / ElGamal / Rabin …

Page 6: RSA Algorithm

The Founders

Ron Rivest

Adi Shamir

Len Adleman

Page 7: RSA Algorithm

Key Generation Algorithm

1. Choose two distinct prime numbers p and q.

• For security purposes, the integers p and q should be chosen at random, and should be of similar bit-length. Prime integers can be efficiently found using a primality test.

2. Compute n = pq.

• n is used as the modulus for both the public and private keys. Its length, usually expressed in bits, is the key length.

3. Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1) = n − (p + q − 1), where φ is Euler's totient function.

Page 8: RSA Algorithm

Key Generation Algorithm

4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1; i.e., e and φ(n) are coprime.

• e is released as the public key exponent.

• e having a short bit-length and small Hamming weight results in more efficient encryption – most commonly 2^16 + 1 = 65,537. However, much smaller values of e (such as 3) have been shown to be less secure in some settings.[5]

5. Determine d as d ≡ e^(−1) (mod φ(n)); i.e., d is the multiplicative inverse of e (modulo φ(n)).

• This is more clearly stated as: solve for d given d⋅e ≡ 1 (mod φ(n))

• This is often computed using the extended Euclidean algorithm. Using the pseudocode in the Modular integers section, inputs a and n correspond to e and φ(n), respectively.

• d is kept as the private key exponent.

Page 9: RSA Algorithm

Key Point

Integer Factorization Problem

NP-hard

Page 10: RSA Algorithm

RSA Crack Estimated Time

•RSA-100

- few days / multiple-polynomial quadratic sieve algorithm

•RSA-155

- about six months / general number field sieve algorithm

•RSA-768

- 2 years / parallel computing (almost 2000 years on single-core 2.2 GHz AMD Opteron-based computer)

Page 11: RSA Algorithm

RSA Crack Estimated Time

•RSA-240 to RSA-2048

- not yet factored

- YOU can factor & win the cash prize, US$200,000!

Page 12: RSA Algorithm

‘A chain is no stronger than its weakest link’

Page 13: RSA Algorithm

Possible Attacks

• Guessing d

• Low Exponent Vuln.

• Side-channel Attacks

Page 14: RSA Algorithm

Side-channel Attacks

• Based on Time Variance

• Kocher’s Attack

• Schindler’s Attack

• Brumley-Boneh’s Attack

Page 15: RSA Algorithm

Side-channel Attacks

• Many experiments have been done.

• Montgomery Reduction

• Choice of Multiplication routine

• Blinding Defense

• Quantize Computation

Page 16: RSA Algorithm

‘Seeing is Believing’

Page 17: RSA Algorithm

Tutorial

RSA Simple Example

Page 18: RSA Algorithm

Tutorial

Login to SSH using RSA Auth.

Page 19: RSA Algorithm

Reference

1. Electronics and Telecommunications Research Institute (ETRI), “Fundamentals of Cryptography”, 1999

2. RIVEST, Ronald L.; SHAMIR, Adi; ADLEMAN, Len. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 1978, 21.2: 120-126.

3. BRUMLEY, David; BONEH, Dan. Remote timing attacks are practical. Computer Networks, 2005, 48.5: 701-716.

4. MAHAJAN, Sonam; SINGH, Maninder. Analysis of RSA algorithm using GPU programming. arXiv preprint arXiv:1407.1465, 2014.

5. Ronan Killeen, Possible Attacks on RSA (http://www.members.tripod.com/irish_ronan/rsa/attacks.html)

6. 홍정대; 박근수. Implementation of a Timing Attack on an OpenSSL-based RSA Server. Proceedings of the Korean Information Science Society Conference, 2004, 31.2Ⅰ: 730-732.

Page 20: RSA Algorithm

Question & Answer