CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner Notes 10

1 One-way function

A one-way function is a fundamental notion in cryptography. It is a function $f$ on $n$ bits such that given $x$ it is easy to compute $f(x)$, but on input $f(x)$ it is hard to recover $x$ (or any other preimage of $f(x)$).

One of the fundamental sources of one-way functions is the remarkable contrast between multiplication, which is fast, and factoring, for which we know only exponential time algorithms. The simplest procedures for factoring a number require an enormous effort if that number is large. Given a number $N$, one can try dividing it by $1, 2, \ldots, N-1$ in turn, and returning all the factors that emerge. This algorithm requires $N-1$ steps. If $N$ is in binary representation, as is customary, then its length is $n = \lceil \log_2 N \rceil$ bits, which means that the running time is proportional to $2^n$, exponential in the size of the input.

One clever simplification is to restrict the possible candidates to just $2, 3, \ldots, \sqrt{N}$, and for each factor $f$ found in this shortened list, to also note the corresponding factor $N/f$. As justification, witness that if $N = ab$ for some numbers $a$ and $b$, then at most one of these numbers can be more than $\sqrt{N}$. The modified procedure requires only $\sqrt{N}$ steps, which is proportional to $2^{n/2}$ but is still exponential.

Factoring is one of the most intensely studied problems by algorithmists and number theorists. The best algorithms for this problem take $2^{c n^{1/3} \log^{2/3} n}$ steps. The current record is the factoring of RSA576, a 576 bit challenge by RSA Inc. The factoring of 1024 bit numbers is well beyond the capability of current algorithms. The security of the RSA public key cryptosystem is based on this stark contrast between the hardness of factoring and multiplication.

2 Outline of RSA

In the RSA cryptosystem, each user selects a public key $(N, e)$, where $N$ is a product of two large primes $P$ and $Q$, and $e$ is the encryption exponent (usually $e = 3$). $P$ and $Q$ are unknown to the rest of the world, and are used by the owner of the key (say Alice) to compute the private key $(N, d)$. Even though $d$ is uniquely defined by the public key $(N, e)$, actually recovering $d$ from $(N, e)$ is as hard as factoring $N$; i.e., given $d$ there is an efficient algorithm to recover $P$ and $Q$.

The encryption function is a permutation on $\{0, 1, \ldots, N-1\}$. It is given by $E(m) = m^e \bmod N$. The decryption function is $D(c) = c^d \bmod N$, with the property that $D(E(m)) = m$; i.e., for every $m$, $m^{ed} \equiv m \pmod{N}$. To establish these properties and understand how to choose $d$ and $e$ we must review modular arithmetic. Before we do that let us make some observations about RSA.

First, what makes public key cryptography counterintuitive is the seeming symmetry between the recipient of the message, Alice, and the eavesdropper, Eve. After all, the ciphertext $m^e \bmod N$ together with the public key $(N, e)$ uniquely specifies the plaintext $m$. In principle one could try computing....
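
The following Python sketch is an added example, not part of the original notes: it runs the $\sqrt{N}$ trial-division procedure from Section 1 against a constructed 33-bit RSA modulus and shows that once $N$ is factored, the private exponent and the plaintext follow. The primes, the sample message and the helper names are assumptions made for illustration, and $d = e^{-1} \bmod (P-1)(Q-1)$ is the standard RSA choice, which this preview does not reach.

```python
import math

def trial_division(n):
    """Scan 2..floor(sqrt(n)); return (factor, cofactor, divisions tried)."""
    steps = 0
    for f in range(2, math.isqrt(n) + 1):
        steps += 1
        if n % f == 0:
            return f, n // f, steps
    return None, None, steps              # no divisor found: n is prime

def private_exponent(p, q, e):
    """Standard RSA choice (assumed here): d = e^-1 mod (p-1)(q-1)."""
    return pow(e, -1, (p - 1) * (q - 1))  # ValueError if e is not invertible

def encrypt(m, n, e):
    return pow(m, e, n)                   # E(m) = m^e mod N

def decrypt(c, n, d):
    return pow(c, d, n)                   # D(c) = c^d mod N

def eve_decrypts(c, n, e):
    """Eve holds only (N, e) and c; factoring N hands her d."""
    p, q, steps = trial_division(n)
    if p is None:
        raise ValueError("N is prime, not an RSA modulus")
    return decrypt(c, n, private_exponent(p, q, e)), steps

# Constructed toy key: both primes are 2 mod 3, so e = 3 is invertible.
P, Q, E = 65537, 104729, 3
N = P * Q                                 # 33-bit modulus, far too small for real use
D = private_exponent(P, Q, E)

if __name__ == "__main__":
    m = 1612005                           # constructed sample message, m < N
    c = encrypt(m, N, E)
    assert decrypt(c, N, D) == m          # D(E(m)) = m
    recovered, steps = eve_decrypts(c, N, E)
    print(f"N has {N.bit_length()} bits; sqrt(N) scan used {steps} divisions")
    print(f"scanning 1..N-1 instead would need {N - 1} divisions")
    print(f"Eve recovered m = {recovered}")
```

Each extra bit in $P$ and $Q$ doubles the work of the $\sqrt{N}$ scan, which is why the same loop that finishes instantly here is hopeless against a 1024 bit modulus.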
This note was uploaded on 01/29/2008 for the course CS 194 taught by Professor Joseph during the Fall '05 term at University of California, Berkeley.