public-key cryptography and rsa

Post on 22-Feb-2016


DESCRIPTION

Public-Key Cryptography and RSA. 5351: Introduction to Cryptography Spring 2013. Public-Key Cryptography. Also known as asymmetric-key cryptography. Each user has a pair of keys: a public key and a private key . The public key is used for encryption. The key is known to the public. - PowerPoint PPT Presentation

TRANSCRIPT

p1.

Public-Key Cryptography and RSA

5351: Introduction to Cryptography

Spring 2013

p2.

Public-Key Cryptography

• Also known as asymmetric-key cryptography.
• Each user has a pair of keys: a public key and a private key.
• The public key is used for encryption.
  – The key is known to the public.
• The private key is used for decryption.
  – The key is only known to the owner.

p3.

Why Public-Key Cryptography?

• Developed to address two main issues:
  – key distribution
  – digital signatures
• Invented by Diffie & Hellman in 1976.

p4.

Public-key encryption scheme $(G, E, D)$

Key generation algorithm $G$: On input $1^n$, $G(1^n)$ outputs a pair of keys $(pk, sk)$, each of length at least $n$.

Encryption algorithm $E$: On input a public key $pk$ and a plaintext $m \in M_{pk}$, outputs a ciphertext $c$. We write $c \leftarrow E_{pk}(m)$. (The message space $M_{pk}$ may depend on $pk$.)

Decryption algorithm $D$: On input a secret key $sk$ and a ciphertext $c$, outputs a message $m$. We write $m := D_{sk}(c)$.

Correctness requirement: $\Pr[D_{sk}(E_{pk}(m)) = m] = 1$ for every $m \in M_{pk}$, except for a negligible measure of key pairs output by $G(1^n)$.

p5.

Ciphertext-Indistinguishability

Adversary: a polynomial-time eavesdropper. $(G, E, D)$: a public-key encryption scheme. Imagine an experiment:

– $G(1^n)$ is run to obtain a pair of keys $(pk, sk)$.
– The adversary is given $pk$, and outputs a pair of messages $m_0, m_1 \in M_{pk}$ of the same length.
– A random bit $b \in \{0,1\}$ is chosen; and a ciphertext $c \leftarrow E_{pk}(m_b)$ is computed and given to the adversary.
– The adversary determines whether $c$ is the encryption of $m_0$ or $m_1$.

p6.

Definition: A public-key encryption scheme with security parameter $n$ is ciphertext-indistinguishable against eavesdroppers if for every polynomial-time adversary $A$ there exists a negligible function $\mathrm{negl}$ such that

$\Pr\big[A(pk, m_0, m_1, c) = b \;:\; (pk, sk) \leftarrow G(1^n),\ \{m_0, m_1\} \leftarrow A(pk),\ m_0, m_1 \in M_{pk},\ b \leftarrow_u \{0,1\},\ c \leftarrow E_{pk}(m_b)\big] \le \tfrac{1}{2} + \mathrm{negl}(n).$

p7.

Remarks

Since the adversary knows the public key $pk$, it can encrypt any polynomial number of messages of its choice. That is, eavesdroppers are capable of CPA's. Thus, if a public-key encryption scheme is secure against eavesdroppers, then it is also CPA-secure.

A deterministic public-key encryption scheme is not CPA-secure, and hence not ciphertext-indistinguishable against eavesdroppers.

p8.

One-way function with trapdoor

Most public-key encryption schemes are based on one-way trapdoor functions.

Easy: $x \mapsto y = f(x)$.
Hard (assumed): $y \mapsto x = f^{-1}(y)$.
Easy with the trapdoor: $y \mapsto x = f^{-1}(y)$.

Use the trapdoor as the private key.

Most one-way functions come from number theory.

p9.

Modular Arithmetic

p10.

Integers

$a \mid b$: $a$ divides $b$; $a$ is a divisor of $b$.
$\gcd(a, b)$: greatest common divisor of $a$ and $b$.
Coprime or relatively prime: $\gcd(a, b) = 1$.
Euclid's algorithm: compute $\gcd(a, b)$.
Extended Euclid's algorithm: compute integers $x$ and $y$ such that $ax + by = \gcd(a, b)$.

p11.

Integers modulo n

Let $n \ge 2$ be an integer.

Def: $a$ is congruent to $b$ modulo $n$, written $a \equiv b \pmod n$, if $n \mid (a - b)$, i.e., $a$ and $b$ have the same remainder when divided by $n$.

Note: "$a \equiv b \pmod n$" (a congruence) and "$a = b \bmod n$" (the remainder operator) are different.

Def: $[a] =$ all integers congruent to $a$ modulo $n$. $[a]$ is called a residue class modulo $n$, and $a$ is a representative of that class.

p12.

There are exactly $n$ residue classes modulo $n$: $[0], [1], [2], \ldots, [n-1]$.

Note: "$\equiv \pmod n$" is an equivalence relation, whose equivalence classes are the residue classes.

If $x \in [a]$, $y \in [b]$, then $x + y \in [a + b]$ and $xy \in [ab]$.

Define addition and multiplication for residue classes:
$[a] + [b] = [a + b]$
$[a] \cdot [b] = [ab]$.

p13.

Group

A group, denoted by $(G, *)$, is a set $G$ with a binary operation $*: G \times G \to G$ such that
1. $(a * b) * c = a * (b * c)$ (associative)
2. $\exists\, e \in G$ s.t. $\forall x \in G$, $x * e = e * x = x$ (identity)
3. $\forall x \in G$, $\exists\, y \in G$ s.t. $x * y = y * x = e$ (inverse)

A group $(G, *)$ is abelian if $\forall x, y \in G$, $x * y = y * x$.

Examples: $(\mathbb{Z}, +)$, $(\mathbb{Q}, +)$, $(\mathbb{Q} \setminus \{0\}, \cdot)$, $(\mathbb{R}, +)$, $(\mathbb{R} \setminus \{0\}, \cdot)$.

p14.

Define $\mathbb{Z}_n = \{[0], [1], \ldots, [n-1]\}$.
Or, more conveniently, $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$.

$(\mathbb{Z}_n, +)$ forms an abelian additive group.
For $a, b \in \mathbb{Z}_n$, $a + b = (a + b) \bmod n$. (Or, $[a] + [b] = [a + b] = [(a + b) \bmod n]$.)
$0$ is the identity element. The inverse of $a$, denoted by $-a$, is $n - a$.

When doing addition/subtraction in $\mathbb{Z}_n$, just do the regular addition/subtraction and reduce the result modulo $n$.

In $\mathbb{Z}_{10}$: $5 + 9 = 4$, $6 + 2 = 8$, $-3 = ?$

p15.

$(\mathbb{Z}_n, \cdot)$ is not a group, because $0^{-1}$ does not exist.

Even if we exclude $0$ and consider only $\mathbb{Z}_n \setminus \{0\}$, $(\mathbb{Z}_n \setminus \{0\}, \cdot)$ is not necessarily a group; some $a^{-1}$ may not exist.

For $a \in \mathbb{Z}_n$, $a^{-1}$ exists if and only if $\gcd(a, n) = 1$.

p16.

Let $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$.

$(\mathbb{Z}_n^*, \cdot)$ is an abelian multiplicative group.
$a \cdot b = ab \bmod n$. (Or, $[a] \cdot [b] = [ab \bmod n]$.) $1$ is the identity element.

The inverse of $a$, written $a^{-1}$, can be computed by the Extended Euclidean Algorithm.

For example, $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$. $5 \cdot 7 = 35 \bmod 12 = 11$.

Q: How many elements are there in $\mathbb{Z}_n^*$?

p17.

Euler's totient function:

$\varphi(n) = |\mathbb{Z}_n^*| = |\{a : 1 \le a < n \text{ and } \gcd(a, n) = 1\}|$

Facts:
1. $\varphi(p^e) = p^{e-1}(p - 1)$ for prime $p$.
2. $\varphi(ab) = \varphi(a)\varphi(b)$ if $\gcd(a, b) = 1$.

p18.

Let $G$ be a (multiplicative) finite group. The order of $G$, $\mathrm{ord}(G)$, is the number of elements in $G$, $|G|$. The order of $a \in G$, written $\mathrm{ord}(a)$, is the smallest positive integer $t$ such that $a^t = e$. ($e$, identity element.)

Lagrange's theorem: For any element $a \in G$, $\mathrm{ord}(a) \mid \mathrm{ord}(G)$.

Corollary: For any element $a \in G$, $a^{|G|} = e$.

Fermat's little theorem: If $a \in \mathbb{Z}_p^*$ ($p$ a prime), then $a^{p-1} = 1$ in $\mathbb{Z}_p^*$.

Euler's theorem: If $a \in \mathbb{Z}_n^*$ (for any $n > 1$), then $a^{\varphi(n)} = 1$ in $\mathbb{Z}_n^*$.

p19.

Example: $n = 15$

$\mathbb{Z}_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$
$\varphi(15) = \varphi(3)\varphi(5) = 2 \cdot 4 = 8$

$a \in \mathbb{Z}_{15}^*$: 1 2 4 7 8 11 13 14
$\mathrm{ord}(a)$: 1 4 2 4 4 2 4 2

Every order divides $\varphi(15) = 8$, and $a^8 = 1$ for every $a \in \mathbb{Z}_{15}^*$.

p20.

The Chinese Remainder Problem

• A problem described in an ancient Chinese arithmetic book, Sun Tze Suan Ching, by Sun Tze (around 300AD, author of The Art of War).

• Problem: We have a number of objects, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many objects are there?

Mathematically, if $x \equiv 2 \pmod 3$, $x \equiv 3 \pmod 5$, $x \equiv 2 \pmod 7$, what is $x$?

p21.

Chinese remainder theorem

If integers $n_1, n_2, \ldots, n_k$ are pairwise coprime, then the system of congruences
$x \equiv a_1 \pmod{n_1}$
$x \equiv a_2 \pmod{n_2}$
$\ldots$
$x \equiv a_k \pmod{n_k}$
has a unique solution modulo $N = n_1 n_2 \cdots n_k$:

$x = \sum_{i=1}^{k} a_i N_i y_i \bmod N$ (A formula by Gauss)

where $N_i = N / n_i$ and $y_i = N_i^{-1} \bmod n_i$.

p22.

Example: Chinese remainder theorem

Suppose $x \equiv 1 \pmod 3$, $x \equiv 6 \pmod 7$, $x \equiv 8 \pmod{10}$. By the Chinese remainder theorem, the solution is:

$x = 1 \cdot 70 \cdot (70^{-1} \bmod 3) + 6 \cdot 30 \cdot (30^{-1} \bmod 7) + 8 \cdot 21 \cdot (21^{-1} \bmod 10)$
$\phantom{x} = 1 \cdot 70 \cdot (1^{-1} \bmod 3) + 6 \cdot 30 \cdot (2^{-1} \bmod 7) + 8 \cdot 21 \cdot (1^{-1} \bmod 10)$
$\phantom{x} = 1 \cdot 70 \cdot 1 + 6 \cdot 30 \cdot 4 + 8 \cdot 21 \cdot 1 \bmod 210$
$\phantom{x} = 958 \bmod 210 = 118 \bmod 210$.

p23.

Another version of CRT

Let $N = n_1 \cdots n_k$ (the numbers $n_i$ are pairwise coprime). There is a one-to-one correspondence
$\mathbb{Z}_N \leftrightarrow \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$,
$a \leftrightarrow (a_1, \ldots, a_k)$, where $a \in \mathbb{Z}_N$ and $a_i = a \bmod n_i$.

If $x \leftrightarrow (x_1, \ldots, x_k)$ and $y \leftrightarrow (y_1, \ldots, y_k)$, then $x + y \leftrightarrow (x_1 + y_1, \ldots, x_k + y_k)$ and $x \cdot y \leftrightarrow (x_1 y_1, \ldots, x_k y_k)$ (each component reduced modulo $n_i$).

For math students: the correspondence is a ring isomorphism.

p24.

Chinese remainder theorem

Let $N = n_1 n_2 \cdots n_k$, where $n_1, n_2, \ldots, n_k$ are pairwise coprime. Define a mapping
$\mathbb{Z}_N \to \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}$,
$x \mapsto (x \bmod n_1,\ x \bmod n_2,\ \ldots,\ x \bmod n_k)$.

Then, the mapping is bijective (one-to-one and onto), and it preserves the operations: the image of $x + y$ is the componentwise sum of the images of $x$ and $y$, and the image of $x \cdot y$ is their componentwise product.

p25.

Computations in $\mathbb{Z}_N$ can be done by performing the corresponding computations in $\mathbb{Z}_{n_1}, \mathbb{Z}_{n_2}, \ldots, \mathbb{Z}_{n_k}$, and then solving the CRP.

If $a \leftrightarrow (a_1, \ldots, a_k)$ and $b \leftrightarrow (b_1, \ldots, b_k)$, then
$a + b \leftrightarrow (a_1 + b_1 \bmod n_1,\ \ldots,\ a_k + b_k \bmod n_k)$,
$a \cdot b \leftrightarrow (a_1 b_1 \bmod n_1,\ \ldots,\ a_k b_k \bmod n_k)$,
$a \cdot b^{-1} \leftrightarrow (a_1 b_1^{-1} \bmod n_1,\ \ldots,\ a_k b_k^{-1} \bmod n_k)$ if $b \in \mathbb{Z}_N^*$.

p26.

Example: Chinese remainder theorem

$\mathbb{Z}_{15} \leftrightarrow \mathbb{Z}_3 \times \mathbb{Z}_5$ and $\mathbb{Z}_{15}^* \leftrightarrow \mathbb{Z}_3^* \times \mathbb{Z}_5^*$.

$8 \leftrightarrow (8 \bmod 3,\ 8 \bmod 5) = (2, 3)$
$11 \leftrightarrow (11 \bmod 3,\ 11 \bmod 5) = (2, 1)$

Suppose we want to compute $8 \cdot 11 \bmod 15$. $8 \cdot 11 \bmod 15 \leftrightarrow (2 \cdot 2 \bmod 3,\ 3 \cdot 1 \bmod 5) = (1, 3)$. $(1, 3) \leftrightarrow x$ (which number $x \in \mathbb{Z}_{15}$ corresponds to $(1, 3)$?)

Solve $x \equiv 1 \pmod 3$, $x \equiv 3 \pmod 5$: $x = 13$.

p27.

Algorithms

$\gcd(a, b)$
$a^{-1} \bmod n$
$a^k \bmod n$

Running time: $O(\log^3 n)$.

p28.

Euclidean Algorithm

Comment: compute $\gcd(a, b)$, where $a \ge b \ge 1$.
$r_0 := a$; $r_1 := b$;
for $i := 1, 2, \ldots$ until $r_i = 0$:
  $r_{i+1} := r_{i-1} \bmod r_i$
return $(r_{i-1})$

Running time: $O(\log a)$ iterations; $O(\log^2 a)$ time for each mod.
Overall running time: $O(\log^3 a)$.

p29.

Extended Euclidean Algorithm

Example: $\gcd(299, 221) = ?$
$299 = 1 \cdot 221 + 78$
$221 = 2 \cdot 78 + 65$
$78 = 1 \cdot 65 + 13$
$65 = 5 \cdot 13 + 0$
$\gcd(299, 221) = 13$

Given $a \ge b \ge 0$, compute $x, y$ such that $\gcd(a, b) = ax + by$.
$13 = 78 - 65 = 78 - (221 - 2 \cdot 78) = 3 \cdot 78 - 221 = 3 \cdot (299 - 221) - 221 = 3 \cdot 299 - 4 \cdot 221$.

p30.

How to compute $a^{-1}$ in $\mathbb{Z}_n^*$?

$a^{-1}$ exists if and only if $\gcd(a, n) = 1$. Use the extended Euclidean algorithm to find $x, y$ such that $ax + ny = \gcd(a, n) = 1$. Then (in $\mathbb{Z}_n$)
$[a][x] + [n][y] = [1]$
$[a][x] = [1]$ (since $[n] = [0]$)
$[a]^{-1} = [x]$, i.e., $a^{-1} = x \bmod n$. Note: may omit $[\ ]$, but reduce everything modulo $n$.

p31.

Example

Compute $15^{-1} \bmod 47$.
$47 = 15 \cdot 3 + 2$ (divide 47 by 15; remainder 2)
$15 = 2 \cdot 7 + 1$ (divide 15 by 2; remainder 1)
$1 = 15 - 2 \cdot 7$
$\phantom{1} = 15 - (47 - 15 \cdot 3) \cdot 7 \pmod{47}$
$\phantom{1} = 15 \cdot 22 - 47 \cdot 7 \pmod{47}$
$\phantom{1} = 15 \cdot 22 \pmod{47}$
$15^{-1} \bmod 47 = 22$.
That is, $15^{-1} = 22$ in $\mathbb{Z}_{47}^*$.

p32.

Algorithm: Square-and-Multiply$(x, c, n)$

Comment: compute $x^c \bmod n$, where $c = c_{k-1} \cdots c_1 c_0$ in binary.
$z := 1$
for $i := k - 1$ downto $0$ do
  $z := z^2 \bmod n$
  if $c_i = 1$ then $z := z \cdot x \bmod n$
return $(z)$

Note: At the end of iteration $i$, $z = x^{c_{k-1} \cdots c_i} \bmod n$, i.e., $z = x^{\lfloor c / 2^i \rfloor} \bmod n$.

p33.

Example: $11^{23} \bmod 187$

$23 = 10111_2$
$z = 11 \bmod 187 = 11$ (square and multiply)
$z = z^2 \bmod 187 = 121$ (square)
$z = z^2 \cdot 11 \bmod 187 = 44$ (square and multiply)
$z = z^2 \cdot 11 \bmod 187 = 165$ (square and multiply)
$z = z^2 \cdot 11 \bmod 187 = 88$ (square and multiply)

p34.

The RSA Cryptosystem

• RSA Encryption
• RSA Digital Signature

p35.

The RSA Cryptosystem

By Rivest, Shamir & Adleman of MIT in 1977. Best known and most widely used public-key scheme. Based on the (assumed) one-way property of modular powering:
$f: x \mapsto x^e \bmod n$ (easy)
$f^{-1}: x^e \bmod n \mapsto x$ (hard)
In turn based on the hardness of integer factorization.

p36.

Idea behind RSA

It works in the group $\mathbb{Z}_n^*$.
Encryption (easy): $x \mapsto x^e$.
Decryption (hard): $x^e \mapsto x$.

Looking for a trapdoor: $(x^e)^d = x$. If $d$ is a number such that $ed \equiv 1 \pmod{\varphi(n)}$, then $ed = k\varphi(n) + 1$ for some $k$, and
$(x^e)^d = x^{ed} = x^{k\varphi(n)+1} = (x^{\varphi(n)})^k \cdot x = 1^k \cdot x = x.$

p37.

RSA Cryptosystem

Key generation:
(a) Choose large primes $p$ and $q$, and let $n := pq$.
(b) Choose $e$ ($1 < e < \varphi(n)$) coprime to $\varphi(n)$, and compute $d := e^{-1} \bmod \varphi(n)$. ($ed \equiv 1 \pmod{\varphi(n)}$.)
(c) Public key: $pk = (n, e)$. Secret key: $sk = (n, d)$.

Encryption: $E_{pk}(x) := x^e \bmod n$, where $x \in \mathbb{Z}_n^*$.
Decryption: $D_{sk}(y) := y^d \bmod n$, where $y \in \mathbb{Z}_n^*$.

p38.

Why RSA Works?

The setting of RSA is the group $(\mathbb{Z}_n^*, \cdot)$:
In the group $(\mathbb{Z}_n^*, \cdot)$, for any $x \in \mathbb{Z}_n^*$, we have $x^{\varphi(n)} = 1$.
We have chosen $e, d$ such that $ed \equiv 1 \pmod{\varphi(n)}$, i.e., $ed = k\varphi(n) + 1$ for some positive integer $k$.
For $x \in \mathbb{Z}_n^*$, $x^{ed} = x^{k\varphi(n)+1} = (x^{\varphi(n)})^k \cdot x = x$.

p39.

What if $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?

RSA still works, but is not secure.
$\gcd(x, n) \ne 1 \Rightarrow x = ap$ or $x = aq$ for some $a$.
Say $x = ap$. Then
$x^{ed} \equiv 0 \equiv x \pmod p$, and
$x^{ed} = x^{k\varphi(n)+1} = x^{k(p-1)(q-1)+1} = (x^{q-1})^{k(p-1)} \cdot x \equiv x \pmod q$.
By CRT, $x^{ed} \bmod n = x \bmod n$, so $D(E(x)) = x$.

p40.

RSA Example: Key Setup

Select two primes: $p = 17$, $q = 11$. Compute the modulus $n = pq = 187$. Compute $\varphi(n) = (p-1)(q-1) = 160$. Select $e$ between $0$ and $160$ such that $\gcd(e, 160) = 1$. Say $e = 7$.

Compute $d = e^{-1} \bmod \varphi(n) = 7^{-1} \bmod 160 = 23$ (using the extended Euclidean algorithm).

Public key: $pk = (e, n) = (7, 187)$. Secret key: $sk = (d, n) = (23, 187)$.

p41.

RSA Example: Encryption & Decryption

Suppose $m = 88$.
Encryption: $c = m^e \bmod n = 88^7 \bmod 187 = 11$.
Decryption: $m = c^d \bmod n = 11^{23} \bmod 187 = 88$.

When computing $11^{23} \bmod 187$, we do not first compute $11^{23}$ and then reduce it modulo 187. Rather, use square-and-multiply, and reduce intermediate results modulo 187 whenever they get bigger than 187.

p42.

Encryption Key

To speed up encryption, small values are usually used for $e$.
Popular choices are $e = 3$, $17 = 2^4 + 1$, $65537 = 2^{16} + 1$. These values have only two 1's in their binary representation.
There is an interesting attack on small $e$.

p43.

Decryption Key

One may be tempted to use a small $d$ to speed up decryption. Unfortunately, that is risky.

Wiener's attack: If $d < \tfrac{1}{3} n^{1/4}$ and $q < p < 2q$, then the decryption exponent $d$ can be computed from $(n, e)$.

CRT can be used to speed up decryption.

p44.

Speeding up Decryption by CRT

Decryption: $m := c^d \bmod n$ (i.e., compute in $\mathbb{Z}_n^*$). Time: $O(\log^3 n)$.

Instead of computing $m$ directly, we compute
$m_1 := c_p^{d_1} \bmod p$, where $c_p := c \bmod p$ and $d_1 := d \bmod (p-1)$, and
$m_2 := c_q^{d_2} \bmod q$, where $c_q := c \bmod q$ and $d_2 := d \bmod (q-1)$,
and recover the plaintext $m$ by solving $x \equiv m_1 \pmod p$, $x \equiv m_2 \pmod q$.

Time: $1/4$ of the direct computation. If $n = p_1 p_2 \cdots p_t$, it will speed up even more.
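The key setup, encryption, decryption and CRT decryption of the preceding slides, as one added example (not the lecture's code) on the slides' toy key $p = 17$, $q = 11$, $e = 7$. Note that the slides' plaintext $88$ is not in $\mathbb{Z}_{187}^*$ ($\gcd(88, 187) = 11$): decryption still succeeds, exactly as the "What if $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$" slide argues, and `leaks_factor` shows why such a message is a problem.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) with d = e^{-1} mod phi(n); p, q assumed prime."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} is not coprime to phi(n)={phi}")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)


def decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def decrypt_crt(p, q, d, c):
    """Decrypt with two half-size exponentiations and one CRT recombination."""
    d1, d2 = d % (p - 1), d % (q - 1)          # exponents reduced by Fermat
    m1 = pow(c % p, d1, p)                     # c^d mod p
    m2 = pow(c % q, d2, q)                     # c^d mod q
    # solve x = m1 (mod p), x = m2 (mod q)  (Garner's form of the CRT)
    h = (m2 - m1) * pow(p, -1, q) % q
    return m1 + p * h


def leaks_factor(n, m):
    """A message outside Z_n^* shares a factor with n; gcd(m, n) exposes it."""
    g = gcd(m, n)
    return None if g == 1 else g


if __name__ == "__main__":
    pk, sk = rsa_keygen(17, 11, 7)
    c = encrypt(pk, 88)
    print(pk, sk, c, decrypt(sk, c), decrypt_crt(17, 11, sk[1], c), leaks_factor(187, 88))
```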

p45.

Attacks on RSA

p46.

Attacks on RSA

Four categories of attacks on RSA:
• brute-force key search: infeasible given the large key space
• mathematical attacks
• timing attacks
• chosen ciphertext attacks

p47.

1

Then ( ) ( 1)( 1) and

mod ( ) can be calculated

Factor into .

Determine ( ) directly

easily.

Equivalent to factoring . Knowing ( ) will enable us to f

.

Mathematical Attacksn p q

d e n

nn

n pq

n

Determine direc

actor by solving

( 1)( 1)

If is known, can be factored

tl with high probability.

.

( )

y

npq

p

d

qn

d

n

n

p48.

Integer Factorization

A difficult problem, assumed to be infeasible. More and more efficient algorithms have been developed.

In 1977, RSA challenged researchers to decode a ciphertext encrypted with a key (the modulus n) of 129 digits (428 bits). Prize: $100. RSA thought it would take quadrillion years to break the code using the fastest algorithms and computers of that time. Solved in 1994.

In 1991, RSA put forward more challenges, with prizes, to encourage research on factorization.

p49.

RSA Numbers

Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.) There are two labeling schemes:
• by the number of decimal digits: RSA-100, ..., RSA-500, RSA-617.
• by the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.

p50.

RSA Numbers which have been factored

RSA-100 (330 bits), 1991, 7 MIPS-year, Quadratic Sieve.
RSA-110 (364 bits), 1992, 75 MIPS-year, QS.
RSA-120 (397 bits), 1993, 830 MIPS-year, QS.
RSA-129 (426 bits), 1994, 5000 MIPS-year, QS.
RSA-130 (430 bits), 1996, 1000 MIPS-year, GNFS.
RSA-140 (463 bits), 1999, 2000 MIPS-year, GNFS.
RSA-155 (512 bits), 1999, 8000 MIPS-year, GNFS.
RSA-160 (530 bits), 2003, Lattice Sieve.
RSA-576 (174 digits), 2003, Lattice Sieve.
RSA-640 (193 digits), 2005, Lattice Sieve.
RSA-200 (663 bits), 2005, Lattice Sieve.

p51.

RSA-200 =

27,997,833,911,221,327,870,829,467,638,

722,601,621,070,446,786,955,428,537,560,

009,929,326,128,400,107,609,345,671,052,

955,360,856,061,822,351,910,951,365,788,

637,105,954,482,006,576,775,098,580,557,

613,579,098,734,950,144,178,863,178,946,

295,187,237,869,221,823,983.

p52.

Remarks

In light of current factorization technologies, RSA recommends 1024–2048 bits.

If a message $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$, RSA works, but since $\gcd(m, n) \ne 1$, the sender can factor $n$. Since $\gcd(m^e, n) \ne 1$, the adversary can factor $n$, too.

Question: how likely is $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?

p53.

Miscellaneous attacks against RSA

Common modulus: Suppose two users use the same modulus $n$, and their encryption exponents $e_1$ and $e_2$ are coprime. A message $m$ sent to them, encrypted as $c_1 = m^{e_1} \bmod n$ and $c_2 = m^{e_2} \bmod n$, is not protected by RSA: $e_1, e_2$ coprime $\Rightarrow re_1 + se_2 = 1$ for some $r, s$, and $m = m^{re_1 + se_2} \bmod n = c_1^r c_2^s \bmod n$.

p54.

Another problem with common modulus:

Owners of keys $(n, e, d)$ usually do not know $n = pq$. But, actually, given $(n, e, d)$, one can factor $n$ with high probability of success. Thus, if two RSA users share the same $n$, they can figure out each other's secret key ($d$ value). So, do not use a common $n$. Also, if your $d$ is compromised, do not just change $d$ and $e$. You should also change $n$.

p55.

Factor $n$ by looking for a nontrivial square root of 1 mod $n$ (i.e., an $a \ne \pm 1$ such that $a^2 \equiv 1 \pmod n$).

$x^2 \equiv 1 \pmod n$ has four solutions: $\pm 1$, $\pm a$ for some $a \ne \pm 1$.
If $a^2 \equiv 1 \pmod n$ and $a \ne \pm 1$:
$a^2 - 1 \equiv 0 \pmod n$
$n \mid (a - 1)(a + 1)$
$\gcd(n, a - 1)$ and $\gcd(n, a + 1)$ yield the factors of $n$.

If $d$ is known, we can factor $n$ (skipped):

p56.

For all $w \in \mathbb{Z}_n^*$, $w^{ed-1} \equiv 1 \pmod n$.
Write $ed - 1 = 2^s r$, where $r$ is odd. (So, $w^{2^s r} \equiv 1 \pmod n$.)
Pick any $w \in \mathbb{Z}_n^*$. (What if $w \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?)
Compute $w^r, w^{2r}, w^{2^2 r}, \ldots, w^{2^s r}$ until we find the first $w^{2^t r} \equiv 1 \pmod n$ for some $t$.
If $t > 0$, let $a = w^{2^{t-1} r} \bmod n$. Then $a^2 \equiv 1 \pmod n$, and $a \ne 1$.
If $a \ne -1$, then $a$ is a nontrivial square root of 1 mod $n$.
Otherwise (i.e., $t = 0$ or $a = -1$), try another $w$.
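The procedure of the last two slides in runnable form, as an added example (not the lecture's code). It is the reason behind the key-management rule stated above: once $d$ is exposed, $n$ is effectively factored, so the modulus must be replaced, not just the exponent pair. The $w \notin \mathbb{Z}_n^*$ case the slide asks about is handled too: such a $w$ already shares a factor with $n$.

```python
import random
from math import gcd


def factor_from_d(n, e, d, seed=1):
    """Recover (p, q) from an RSA triple (n, e, d), n = p*q.
    ed - 1 = 2^s * r with r odd; for any w in Z_n^*, w^(ed-1) = 1 (mod n), so the
    chain w^r, w^(2r), ..., w^(2^s r) reaches 1 and, unless it passes through -1
    first, the element just before the first 1 is a nontrivial square root of 1."""
    rng = random.Random(seed)                # seeded only to make runs reproducible
    r, s = e * d - 1, 0
    while r % 2 == 0:
        r //= 2
        s += 1
    while True:
        w = rng.randrange(2, n - 1)
        g = gcd(w, n)
        if g != 1:                           # w not in Z_n^*: gcd already splits n
            return tuple(sorted((g, n // g)))
        x = pow(w, r, n)                     # w^r
        if x in (1, n - 1):                  # t = 0, or the next square is 1 via -1
            continue
        for _ in range(s):
            y = x * x % n                    # next element of the chain
            if y == 1:                       # x^2 = 1 with x != +-1: nontrivial root
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:                   # chain passes through -1: useless w
                break
            x = y


if __name__ == "__main__":
    print(factor_from_d(187, 7, 23))         # (11, 17): the slides' toy key
```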

p57.

Low encryption exponent attack

A message $m$ sent to users who employ the same encryption exponent $e$ is not protected by RSA.

Say, $e = 3$, and Bob sends a message $m$ to three recipients encrypted as:
$c_1 = m^3 \bmod n_1$, $c_2 = m^3 \bmod n_2$, $c_3 = m^3 \bmod n_3$.

Eve intercepts the three ciphertexts, and recovers $m$:
$m^3 \equiv c_1 \pmod{n_1}$, $m^3 \equiv c_2 \pmod{n_2}$, $m^3 \equiv c_3 \pmod{n_3}$.
By CRT, $m^3 \equiv c \pmod{n_1 n_2 n_3}$ for some $c < n_1 n_2 n_3$.
Also, $m^3 < n_1 n_2 n_3$. So, $m^3 = c$, and $m = c^{1/3}$.

p58.

Wiener's low decryption exponent attack:

Recall: $pk = (n, e)$, $sk = (n, d)$, and $D_{sk}(c) = c^d \bmod n$. One may be tempted to use a small $d$ to speed up decryption. Unfortunately, that may be risky.

The decryption exponent $d$ can be computed from $(n, e)$ if $d < \tfrac{1}{3} n^{1/4}$ and $q < p < 2q$. (Before Wiener's attack, the condition $q < p < 2q$ often held in practice.)

p59.

Continued fraction: $[q_1, q_2, \ldots, q_m] = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cdots + \cfrac{1}{q_m}}}$

Any (positive) rational number $a/b$ can be expressed as a continued fraction, called its continued fraction expansion.

Convergents of $[q_1, q_2, \ldots, q_m]$: $[q_1]$, $[q_1, q_2]$, $[q_1, q_2, q_3]$, $\ldots$, $[q_1, q_2, \ldots, q_m]$. (This sequence converges to $[q_1, q_2, \ldots, q_m]$.)

p60.

Example: $\dfrac{34}{99} = 0 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{10 + \cfrac{1}{3}}}} = [0, 2, 1, 10, 3]$

Obtained from the Euclidean algorithm: $34 = 0 \cdot 99 + 34$, $99 = 2 \cdot 34 + 31$, $34 = 1 \cdot 31 + 3$, $31 = 10 \cdot 3 + 1$, $3 = 3 \cdot 1 + 0$.

Convergents of $[0, 2, 1, 10, 3]$: $[0]$, $[0, 2]$, $[0, 2, 1]$, $[0, 2, 1, 10]$, $[0, 2, 1, 10, 3]$.

p61.

Theorem. If $\left| \dfrac{a}{b} - \dfrac{c}{d} \right| < \dfrac{1}{2d^2}$, where $\gcd(c, d) = 1$, then $c/d$ equals one of the convergents of the continued fraction expansion of $a/b$.

For RSA, $ed - t\varphi(n) = 1$ for some $t$. So, $\left| \dfrac{e}{\varphi(n)} - \dfrac{t}{d} \right| = \dfrac{1}{d\varphi(n)}$.

If $d < \tfrac{1}{3} n^{1/4}$ and $q < p < 2q$, then $\left| \dfrac{e}{n} - \dfrac{t}{d} \right| < \dfrac{1}{2d^2}$.

So, $t/d$ equals one of the convergents of $e/n$. Check the convergents one by one to find the right one, $d$.
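The continued fraction machinery of the last three slides, as an added example (not the lecture's code): the expansion is read off the quotients of the Euclidean algorithm, and each convergent is evaluated with exact rational arithmetic. The slides' worked case $34/99 = [0, 2, 1, 10, 3]$ is the test input.

```python
from fractions import Fraction


def continued_fraction(a, b):
    """Expansion [q_1, ..., q_m] of a/b: the quotients of the Euclidean algorithm on (a, b)."""
    if b <= 0 or a < 0:
        raise ValueError("expects a >= 0 and b > 0")
    qs = []
    while b:
        q, r = divmod(a, b)         # a = q*b + r
        qs.append(q)
        a, b = b, r
    return qs


def evaluate(qs):
    """Value of [q_1, ..., q_m] as an exact Fraction, folded from the innermost term."""
    x = Fraction(qs[-1])
    for q in reversed(qs[:-1]):
        x = q + 1 / x
    return x


def convergents(qs):
    """[q_1], [q_1, q_2], ..., [q_1, ..., q_m] as (numerator, denominator) pairs."""
    out = []
    for i in range(1, len(qs) + 1):
        c = evaluate(qs[:i])
        out.append((c.numerator, c.denominator))
    return out


if __name__ == "__main__":
    qs = continued_fraction(34, 99)
    print(qs, convergents(qs))      # [0, 2, 1, 10, 3] [(0, 1), (1, 2), (1, 3), (11, 32), (34, 99)]
```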

p62.

Small message space attack: If the message space is small, the adversary can encrypt all messages and compare them with the intercepted ciphertext.

This attack is not specific to RSA.

p63.

Timing Attacks

Paul Kocher in the mid-1990's demonstrated that a snooper can determine a private key by keeping track of how long a computer takes to decipher messages.

RSA decryption: $c^d \bmod n$.

Countermeasures:
• Use constant decryption time.
• Add a random delay to decryption time.
• Blinding: modify the ciphertext to $c'$ and compute $c'^d \bmod n$.

p64.

Blinding in Some of RSA Products

RSA encryption has a homomorphism property: $\mathrm{RSA}(m) \cdot \mathrm{RSA}(r) = \mathrm{RSA}(mr)$. To decrypt a ciphertext $c = \mathrm{RSA}(m)$:
Generate a random message $r$. Encrypt $r$ as $\mathrm{RSA}(r)$. Multiply the two ciphertexts: $c' = c \cdot \mathrm{RSA}(r) = \mathrm{RSA}(mr)$. Decrypting $c'$ yields a value equal to $mr$. Multiplying that value by $r^{-1}$ yields $m$.

Note: all calculations are done in $\mathbb{Z}_n^*$ (i.e., modulo $n$).
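Blinded decryption as described on this slide, as an added example (not the lecture's code) on the slides' toy key $(n, e, d) = (187, 7, 23)$. The private exponentiation is applied to $c \cdot \mathrm{RSA}(r)$, a value unrelated to the attacker's chosen $c$, so its running time no longer depends on the ciphertext being attacked; `rsa_encrypt` also lets the homomorphism itself be checked.

```python
import random
from math import gcd


def rsa_encrypt(n, e, x):
    """Textbook RSA: x^e mod n."""
    return pow(x, e, n)


def decrypt_blinded(n, e, d, c, seed=None):
    """Decrypt c = RSA(m) without ever raising c itself to the power d.
    seed is only there to make a demonstration run reproducible."""
    rng = random.Random(seed)
    while True:                                  # pick a random r in Z_n^*
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            break
    c_blind = c * rsa_encrypt(n, e, r) % n       # RSA(m) * RSA(r) = RSA(m*r)
    mr = pow(c_blind, d, n)                      # private operation on the blinded value
    return mr * pow(r, -1, n) % n                # unblind: (m*r) * r^{-1} = m


if __name__ == "__main__":
    c = rsa_encrypt(187, 7, 88)                  # 11, as on the example slide
    print(c, decrypt_blinded(187, 7, 23, c, seed=5))
```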

p65.

A chosen-ciphertext attack

Based on RSA's homomorphism property: $\mathrm{RSA}(m) \cdot \mathrm{RSA}(r) = \mathrm{RSA}(mr)$.
Assume Eve has access to a decryption oracle.

The attack: Given $c := \mathrm{RSA}(m)$, Eve wants to know $m$. She computes $\mathrm{RSA}(r)$ for an arbitrary $r \in \mathbb{Z}_n^*$. Now, presenting $\mathrm{RSA}(m) \cdot \mathrm{RSA}(r) = \mathrm{RSA}(mr)$ to the Oracle, she obtains $mr$, from which she can compute $m = (mr) \cdot r^{-1}$.

p66.

Padded RSA

p67.

Security of RSA

We have seen many attacks on RSA.
Also, RSA is deterministic and, therefore, not CPA-secure (i.e., not ciphertext-indistinguishable against CPA).
We wish to make RSA secure against CPA and the aforementioned attacks.
The RSA we have described so far is called: RSA primitive, plain RSA, or textbook RSA.

p68.

Padded RSA

Encryption: $E_{pk}(m) = \mathrm{RSA}(r \| m) = (r \| m)^e \bmod n$, where $r$ is a random string.
Thus, Padded-RSA$(m) = \mathrm{RSA}(r \| m)$ for some random $r$.
Secure against many of the aforementioned attacks.

Theorem: Padded RSA is CPA-secure if $|m| = O(\log n)$.

Padded RSA was adopted in PKCS #1 v.1.5.

p69.

Padded RSA as in PKCS #1 v.1.5

PKCS: Public Key Cryptography Standard. Let $(n, e, d)$ give a pair of RSA keys. Let $k = |n|$ in bytes (e.g., 216). To encrypt a message $m$:
• pad $m$ so that $m' = 00 \| 02 \| r \| 00 \| m$ ($k$ bytes) where $r$ = 8 or more random bytes $\ne 00$. The original message $m$ must be $\le k - 11$ bytes.
• the ciphertext is $c := \mathrm{RSA}(m') = m'^e \bmod n$.

In 1998, Bleichenbacher published a chosen-ciphertext attack, forcing RSA to upgrade its PKCS #1 to v.2.
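The PKCS #1 v1.5 block format of this slide, as an added example that is not part of the lecture: padding, the conformance check, unpadding, and randomized RSA encryption on top of it. The key is constructed for the example from two Mersenne primes (a 92-bit modulus, far too small for real use), which forces $k = 12$ and a 1-byte message; the format logic is the same for any $k$. The point to carry into real code is that `is_pkcs_conforming` is exactly the one-bit oracle the next slides describe, so a decryptor must not reveal whether it returned false.

```python
import os

# Toy RSA key constructed for this example: p = 2^31 - 1, q = 2^61 - 1 (Mersenne primes),
# e = 65537.  2^88 < N, so any 12-byte block starting with 00 is below the modulus.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = 12                                   # block length k in bytes; messages <= k - 11 = 1 byte


def pkcs1_v15_pad(m, k=K, rand=os.urandom):
    """00 || 02 || PS || 00 || m, with PS = k - 3 - len(m) nonzero random bytes."""
    if len(m) > k - 11:
        raise ValueError(f"message too long: at most {k - 11} bytes")
    need = k - 3 - len(m)                # >= 8 bytes by the length check above
    ps = b""
    while len(ps) < need:                # drop zero bytes, draw more until enough
        ps += bytes(b for b in rand(k) if b != 0)
    return b"\x00\x02" + ps[:need] + b"\x00" + m


def is_pkcs_conforming(block, k=K):
    """True iff block = 00 02 || (>= 8 nonzero bytes) || 00 || message."""
    if len(block) != k or block[:2] != b"\x00\x02":
        return False
    sep = block.find(b"\x00", 2)         # first zero byte after the 02
    return sep != -1 and sep - 2 >= 8


def pkcs1_v15_unpad(block, k=K):
    if not is_pkcs_conforming(block, k):
        raise ValueError("not PKCS conforming")
    return block[block.find(b"\x00", 2) + 1:]


def encrypt(m):
    """Padded RSA: fresh random padding makes the ciphertext non-deterministic."""
    return pow(int.from_bytes(pkcs1_v15_pad(m), "big"), E, N)


def decrypt(c):
    return pkcs1_v15_unpad(pow(c, D, N).to_bytes(K, "big"))


if __name__ == "__main__":
    c1, c2 = encrypt(b"A"), encrypt(b"A")
    print(c1 != c2, decrypt(c1), decrypt(c2))
```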

p70.

Bleichenbacher's chosen-ciphertext attack

A message is called PKCS conforming if it has the specified format: $00 \| 02 \| \text{padding string} \| 00 \| \text{original message}$. PKCS #1 implementations usually send you (sender) an error message if $\mathrm{RSA}^{-1}(c)$ is not PKCS conforming. It is just like you have an Oracle which, given $c$, answers whether or not $\mathrm{RSA}^{-1}(c)$ is PKCS conforming. Bleichenbacher's attack takes advantage of such an Oracle.

p71.

*

Given RSA( ), Eve tries to find . (Assume is PKCS conforming.)

How can the Oracle help? Recall that RSA is homomorphic:

RSA( ) =RSA

( ) RSA( ) (computated i

n

)

n

c m mm

a b a b Z

*

*

Given RSA( ), Eve can compute RSA( ) for many . She then asks the Oracle,

Is PKCS conforming? (That is, is PKCS conforming?)

Why is this

fmod

in

n

n

m m

ms Zn

s s Z

ms

o useful?

p72.

Recall PKCS Format ($k$ bytes): $00 \| 02 \| \text{padding string} \| 00 \| \text{original message}$.

Let $B = 00 \| 01 \| 0^{8(k-2)}$ (as a binary integer), i.e., $B = 2^{8(k-2)}$.
Then, $2B = 00 \| 02 \| 0^{8(k-2)}$ and $3B = 00 \| 03 \| 0^{8(k-2)}$.

If $m$ is PKCS conforming, $2B \le m < 3B$.
If, in addition, $ms \bmod n$ is PKCS conforming, $2B \le ms \bmod n < 3B$, i.e., $2B \le ms - tn < 3B$ for some $t$, i.e., $\dfrac{2B + tn}{s} \le m < \dfrac{3B + tn}{s}$ for some $t$.

p73.

[Figure: a number line marked $0, n, 2n, 3n, 4n, \ldots$ with $ns$ indicated; the interval $[2B, 3B)$ is shaded blue, the intervals $[2B + tn, 3B + tn)$ are shaded red, and their images $[(2B + tn)/s, (3B + tn)/s)$ are drawn as red lines.]

If $m$ is PKCS conforming, $m$ is in the blue area. If $ms \bmod n$ is also PKCS conforming, $ms \bmod n$ is in the blue area, so $ms$ is in the red areas, so $m$ is in the red lines. Thus, $m$ is in the red lines of the blue area.

p74.

[Figure: the blue interval $(2B, 3B)$ with red and purple lines drawn inside it.]

Let's focus on the blue area, $(2B, 3B)$. If $m$ is PKCS conforming, $m$ is in the blue area. If $ms_1 \bmod n$ is also PKCS conforming, $m$ is in the red areas/lines. If $ms_2 \bmod n$ is also PKCS conforming, $m$ is in the purple areas/lines. So, $m$ is in blue $\cap$ red $\cap$ purple.

p75.

So, starting with the fact that $m$ is PKCS conforming, Eve finds a sequence of integers $s_1, s_2, s_3, \ldots$ such that $s_i \ge 2$ and $ms_i \bmod n$ is PKCS conforming.

To find $s_i$, randomly choose an $s_i \ge 2$, and ask the oracle whether $ms_i \bmod n$ is PKCS conforming. If not, then try a different $s_i$.

This way, Eve can repeatedly narrow down the area containing $m$, and eventually finds $m$. For $n$ having 1024 bits, it takes roughly 1 million accesses to the oracle in order to find $s_1, s_2, s_3, \ldots$

p76.

CCA-Secure RSA in the Random Oracle Model

p77.

Protecting Every Bit

There are CCAs that only require the oracle to reveal partial information about the plaintext, such as:
• whether the plaintext is PKCS conforming
• whether the plaintext is even or odd
• whether the plaintext $x \in \mathbb{Z}_n^*$ is in the first half or the second half of $\mathbb{Z}_n^*$ (i.e., $x < n/2$ or $x > n/2$?)

It is desired to protect every bit (or any partial information) of the plaintext.

p78.

OAEP: basic idea

Message padding: not $m \| r$ or $r \| m$, but $m \oplus r$, where $r$ is random. As such, however, there is a 50% overhead.

So, we wish to use a shorter bit string $r$. Besides, $r$ should be protected, too. This leads to a scheme called Optimal Asymmetric Encryption Padding (OAEP). It can be applied to RSA or other trapdoor functions.

p79.

OAEP

Choose $k, l$ ($k < l$) s.t. $k + l = |n|$ ($n$, RSA modulus).
$G: \{0,1\}^k \to \{0,1\}^l$, a pseudorandom generator.
$h: \{0,1\}^l \to \{0,1\}^k$, a hash function.

Encryption. To encrypt a block of $l$ bits $m$:
1. choose a random bit string $r \in \{0,1\}^k$.
2. encode $m$ as $x := (m \oplus G(r)) \| (r \oplus h(m \oplus G(r)))$ (if $x \notin \mathbb{Z}_n^*$, the message space of RSA, return to step 1).
3. compute the ciphertext $y := E_{pk}(x)$.

Decryption: $x := D_{sk}(y) = a \| b$. $m = a \oplus G(b \oplus h(a))$.
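The OAEP encode/decode of this slide on top of textbook RSA, as an added example (not the lecture's code). Assumptions of the example: $G$ and $h$ are built from SHA-256 with distinct prefixes, the toy key is a 92-bit modulus from two Mersenne primes (not for real use), and the block sizes are $l = 64$ bits and $k = 24$ bits so that $k + l = 88 < |n|$ and every encoded $x$ is below $n$.

```python
import hashlib
import os
from math import gcd

# Toy RSA key constructed for this example: p = 2^31 - 1, q = 2^61 - 1, e = 65537.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
L, K = 8, 3          # l = 64-bit message block, k = 24-bit random r; 88 bits < |n| = 92


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def G(r):            # "PRG" {0,1}^k -> {0,1}^l, instantiated with SHA-256 (example assumption)
    return hashlib.sha256(b"G" + r).digest()[:L]


def h(a):            # hash {0,1}^l -> {0,1}^k
    return hashlib.sha256(b"h" + a).digest()[:K]


def oaep_encode(m, r):
    """x = (m xor G(r)) || (r xor h(m xor G(r)))"""
    a = xor(m, G(r))
    return a + xor(r, h(a))


def oaep_decode(x):
    """a || b -> r = b xor h(a), m = a xor G(r)"""
    a, b = x[:L], x[L:]
    r = xor(b, h(a))
    return xor(a, G(r))


def encrypt(m, r=None):
    """RSA-OAEP; r is drawn fresh unless supplied for a reproducible demonstration."""
    if len(m) != L:
        raise ValueError(f"message block must be exactly {L} bytes")
    while True:
        r_used = os.urandom(K) if r is None else r
        x = int.from_bytes(oaep_encode(m, r_used), "big")
        if gcd(x, N) == 1 or r is not None:      # slide step 2: x must lie in Z_n^*
            return pow(x, E, N)


def decrypt(c):
    return oaep_decode(pow(c, D, N).to_bytes(L + K, "big"))


if __name__ == "__main__":
    m = b"8 bytes!"
    print(encrypt(m) != encrypt(m), decrypt(encrypt(m)))
```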

p80.

Remarks on OAEP

OAEP is adopted in the current RSA PKCS #1 (v. 2.1). A padding or encoding scheme, not an encryption scheme. Intuitively, with OAEP, the ciphertext would not reveal any information about the plaintext if RSA is one-way and $h$ and $G$ are truly random (random oracles).

A slightly more complicated version of OAEP, in which $x = (m \| 0^k \oplus G(r)) \| (r \oplus h(m \| 0^k \oplus G(r)))$, has been proved CCA-secure in the random oracle model (i.e., if $G, h$ are random oracles).

In practice, hash functions such as SHA-1 are used for $G, h$.

p81.

Random Oracle

A mathematical model. A random oracle (with domain $D$ and range $R$) is a black box that implements a random function $h: D \to R$. (Note: we refer to the function by the oracle's name.)

A random oracle may be thought of as a server that keeps an initially empty table $T$ and, upon a query $x \in D$:
• if $T$ contains an entry $(x, y)$, returns $y$;
• otherwise, returns a random value $y \in R$ and stores $(x, y)$ in $T$.

The only way to know $h(x)$ is to ask the oracle.

p82.

Random Oracle vs. Random Function

Let $H$ be the set of all functions from $D$ to $R$. Any randomly selected function $h \in_u H$ is called a random function (from $D$ to $R$).

A random oracle implements a random function $h$ without revealing the identity or anything of $h$, except that it is willing to tell $h(x)$ when asked.

Suppose each $h \in H$ is stored in a file as a table. Alice and Bob agree on a random $h$.
Alice and Bob agree on a random function or oracle $h$.

p83.

Is the random oracle model useful?

Random oracle is a mathematical model.
No practical way is known to implement a random oracle. The "server" implementation is impractical.
Is it useful to prove that some scheme is secure in the random oracle model?
It's controversial, but more "for" than "against".

p84.

Digital Signatures

p85.

Digital Signatures

RSA (or any trapdoor one-way function $f$) can be used for digital signatures. Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem.

Message $m$ $\|$ $\mathrm{MAC}_k(m)$
Message $m$ $\|$ $\mathrm{Sig}_{sk}(m)$

p86.

Digital signature:
1. Bob has a key pair $(sk, pk)$.
2. Bob sends $m$, $s = \mathrm{Sig}_{sk}(m)$ to Alice.
3. Alice verifies the received $(m, s)$ by checking if $\mathrm{Verify}_{pk}(m, s)$ holds.

$\mathrm{Sig}_{sk}(m)$ is called a signature for $m$. Security requirement: infeasible to produce a valid pair $(m, \mathrm{Sig}_{sk}(m))$ without knowing $sk$.

p87.

Encryption (using RSA): Alice computes $C = E_{PK_{Bob}}(M)$ and sends $C$ to Bob; Bob computes $M = D_{SK_{Bob}}(C)$.

Signing (using RSA$^{-1}$): Bob computes $S = D_{SK_{Bob}}(M)$ and sends $M, S$ to Alice; Alice verifies the signature by checking $E_{PK_{Bob}}(S) = M$?

p88.

Basic RSA Signature

Keys are generated as for RSA encryption: Public key: $pk = (n, e)$. Secret key: $sk = (n, d)$.

Signing a message $m \in \mathbb{Z}_n^*$: $\mathrm{Sig}_{sk}(m) := D_{sk}(m) = m^d \bmod n$. That is, $\mathrm{RSA}^{-1}(m)$.

Verifying a signature $(m, s)$: check if $m = E_{pk}(s) = s^e \bmod n$, or $m = \mathrm{RSA}(s)$.

p89.

Correctness: As in RSA encryption, $E_{pk}(D_{sk}(m)) = m$, for all $m \in \mathbb{Z}_n^*$. A signed message $(m, s)$ produced by Bob using his $sk$ will be verified and accepted.

Remarks: Basic RSA signature is the reverse of basic RSA encryption. Secure RSA signature is not the reverse of secure RSA encryption.

p90.

Existentially forgeable:
1. Every message $m$ is a valid signature of its ciphertext $c = \mathrm{RSA}(m)$, since $\mathrm{RSA}^{-1}(c) = m$.
2. If Bob signed $m_1$ and $m_2$, then the signature for $m_1 m_2$ can be easily forged: $D_{sk}(m_1 m_2) = D_{sk}(m_1) \cdot D_{sk}(m_2)$.

Remedy: hash then sign (HTS): $D_{sk}(h(m))$, using some collision-resistant hash function $h$.

p91.

Question: Does hash-then-sign make RSA signature secure against chosen-message attacks?

Answer: Yes, if $h$ is a full-domain random oracle, i.e., $h$ is a random oracle mapping $\{0,1\}^* \to \mathbb{Z}_n^*$ ($\mathbb{Z}_n^*$ is the full domain of RSA).

p92.

Chosen-message attacks on basic RSA signature and on hash-then-sign:

Basic RSA signature: the forger obtains $m_1 \mapsto \mathrm{RSA}^{-1}(m_1)$, $\ldots$, $m_k \mapsto \mathrm{RSA}^{-1}(m_k)$ and produces the forgery $m \mapsto \mathrm{RSA}^{-1}(m)$ (e.g., $m = m_1 m_2$ with $\mathrm{RSA}^{-1}(m) = \mathrm{RSA}^{-1}(m_1) \cdot \mathrm{RSA}^{-1}(m_2)$).

Hash-then-sign: the forger obtains $m_1 \mapsto \mathrm{RSA}^{-1}(h(m_1))$, $\ldots$, $m_k \mapsto \mathrm{RSA}^{-1}(h(m_k))$ and must produce $m \mapsto \mathrm{RSA}^{-1}(h(m))$ for a new $m$.

p93.

1

Theorem: is secure against any chosen-message attack under the random

F

We will show RSA Chosen-message attack. Thus, assume a polynomial-time probab

ull-domai

oracle mod

n hash RSA signature

e

i

l.

1 *

listic chosen- message forger with non-negligible success probability. We will design a polynomial-time algorithm that

computes RSA ( ) for with non-negligible success probabil

n

F

y

A

y Z

ity, by calling .

This contradicts the RSA one-way assumption.F

p94.

$F$, the forger, having access to a random oracle $h$ and a hash-then-sign oracle $\mathrm{Sig}$, works as follows.

$F$ requests $h(m_i)$ and/or $\mathrm{Sig}(m_i) = \mathrm{RSA}^{-1}(h(m_i))$ for various messages $m_i$ and then produces a forgery $(m, \mathrm{RSA}^{-1}(h(m)))$ for a message $m$ whose signature it did not request:

queries: $m_1, \ldots, m_t, \ldots, m_k$
hash values: $h(m_1), \ldots, h(m_t), \ldots, h(m_k)$
signatures: $\mathrm{RSA}^{-1}(h(m_1)), \ldots, \mathrm{RSA}^{-1}(h(m_k))$
Forgery: $(m, \mathrm{RSA}^{-1}(h(m)))$

p95.

If $F$ is able to produce a valid signature for $m$, it must be one of the two cases:
• $m \in M = \{m_1, m_2, \ldots, m_k\}$, the messages whose hash values $F$ asked for; or
• $m \notin M$, a pure fluke ($h(m)$ is then a random value $F$ has never seen).

Why? Are we able to say the same if $h$ is not a random oracle?

p96.

Algorithm $A(N, e, y)$ // compute $\mathrm{RSA}^{-1}(y)$ by calling $F$ //
0. Let $k$ be the max number of queries $F$ may make to the random oracle; $k$ is bounded by the running time of $F$.
1. Randomly choose signatures $s_1, s_2, \ldots, s_k \in \mathbb{Z}_N^*$; compute $h_i := \mathrm{RSA}(s_i) = s_i^e \bmod N$, $1 \le i \le k$; randomly replace one of them, say $h_t$, by $y$.
2. Run algorithm $F$ (which adaptively prepares up to $k$ messages $m_1, m_2, \ldots, m_k$; requests $h(m_1), h(m_2), \ldots, h(m_k)$; requests $\mathrm{Sig}(m_i)$ polynomially many times).
3. Whenever $F$ asks for $h(m_i)$, give it $h_i$. Thus, for $1 \le i \le k$,
$h(m_i) = y$ if $i = t$, and $h(m_i) = h_i = \mathrm{RSA}(s_i)$ otherwise.

p97.

Algorithm $A$ (to compute $\mathrm{RSA}^{-1}(y)$):

queries: $m_1, \ldots, m_t, \ldots, m_k$
hash values $h(m_i)$: $\mathrm{RSA}(s_1), \ldots, y, \ldots, \mathrm{RSA}(s_k)$
signatures $\mathrm{RSA}^{-1}(h(m_i))$: $s_1, \ldots, ?, \ldots, s_k$
Forgery: $(m_t, \mathrm{RSA}^{-1}(y))$

p98.

4. Whenever $F$ asks for $\mathrm{Sig}(m_i)$: if $i \ne t$, give it $s_i$; if $i = t$, return("failure"); if $m_i \ne m_j$ for all $1 \le j \le k$, give it a random value in $\mathbb{Z}_N^*$. // $F$ didn't ask for $h(m_i)$ but now asks for $\mathrm{Sig}(m_i)$ //
5. If $F$ returns a valid forgery $(m, s)$ with $m = m_t$, then return($s$) // $s = \mathrm{RSA}^{-1}(h(m_t)) = \mathrm{RSA}^{-1}(y)$ // else return("failure").

p99.

Analysis:

Let $M = \{m_1, \ldots, m_k\}$, the queries to the random oracle $h$.
$A$ successfully computes $\mathrm{RSA}^{-1}(y)$ if and only if $F$ forges a valid $(m, s)$ and $m = m_t$.

$\Pr[F \text{ forges a valid } (m, s) \text{ with } m = m_t]$
$= \Pr[F \text{ forges a valid } (m, s) \text{ with } m \in M] \cdot \Pr[m = m_t \mid m \in M]$
$\ge \text{non-negligible}(n) \cdot \dfrac{1}{k}$
$= \text{non-negligible}(n)$, where $n = |N|$.

p100.

Problem with full-domain hash:

In practice, $h$ is not full-domain. For instance, the range of SHA-1 is $\{0,1\}^{160}$, while $Z_N \subseteq \{0, 1, \dots, 2^n - 1\}$, with $n = 1024$.

Desired: a secure signature scheme that does not require a full-domain hash.

p101.

Probabilistic signature scheme (PSS)

Hash function $h: \{0,1\}^* \to \{0,1\}^l$ (not full domain). $l < n = |N|$. (E.g., SHA-1, $l = 160$; RSA, $n = 1024$.)

Idea:

$m \in \{0,1\}^*$ --pad--> $m \| r$ --hash--> $w = h(m \| r) \in \{0,1\}^l$ --expand--> $y = 0 \| w \| (G_1(w) \oplus r) \| G_2(w) \in \{0,1\}^n$ --sign--> $\mathrm{RSA}^{-1}(y)$,

where $r \in \{0,1\}^k$, $G = (G_1, G_2): \{0,1\}^l \to \{0,1\}^{n-l-1}$ (pseudorandom generator), and $y$ is read as an element of $Z_N$.

p102.

Signing a message $m \in \{0,1\}^*$:

1. choose a random $r \in \{0,1\}^k$; compute $w = h(m \| r)$;
2. compute $r^* = G_1(w) \oplus r$ and $y = 0 \| w \| r^* \| G_2(w)$;   // $G(w) = G_1(w) \| G_2(w)$, $|G_1(w)| = k$, $|G_2(w)| = n - l - k - 1$ //
3. The signature is $\sigma = \mathrm{RSA}^{-1}(y)$.

Verifying a signature $(m, \sigma)$:

compute $\mathrm{RSA}(\sigma) = 0 \| w \| t \| u$;
check if $u = G_2(w)$ and $w = h(m \| (t \oplus G_1(w)))$.

p103.

Remarks

PSS is secure against chosen-message attacks in the random oracle model (i.e., if $h$ and $G$ are random oracles).

PSS is adopted in PKCS #1 v.2.1.

Hash functions such as SHA-1 are used for $h$ and $G$. For instance, let $n = 1024$ and $l = k = 160$; let $h$ = SHA-1, and $G(w) = (G_1(w), G_2(w)) = h(w \| 0) \| h(w \| 1) \| h(w \| 2) \| \dots$
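The signing and verification steps of p102, with $h$ = SHA-1 and $G(w) = h(w\|0)\|h(w\|1)\|\dots$ as in p103, as an added Python example (not code from the slides; this is the textbook PSS construction described here, not the PKCS #1 v2.1 encoding). Assumptions: the RSA modulus is built from two well-known Mersenne primes so that the example runs offline with a fixed modulus of $n = 1128$ bits (a real key uses two secret random primes), and the counter in $h(w\|i)$ is encoded as a 4-byte big-endian integer, which the slide does not specify:

```python
import hashlib
import secrets

# Demo RSA key from two well-known Mersenne primes (constructed for this
# example only; a real key uses two secret random primes of equal size).
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # RSA^-1 exponent (Python 3.8+ modular inverse)

NBITS = N.bit_length()          # n = |N| = 1128 for this modulus
L = 160                         # l: output length of h (SHA-1, as on the slide)
K = 160                         # k: length of the random salt r (slide: l = k = 160)
G2BITS = NBITS - L - K - 1      # |G_2(w)|, so that |0 || w || r* || G_2(w)| = n


def h(data: bytes) -> bytes:
    """h = SHA-1, as on the slide."""
    return hashlib.sha1(data).digest()


def G(w: bytes):
    """G(w) = h(w||0) || h(w||1) || h(w||2) || ... split into G_1(w) (k bits)
    and G_2(w) (n-l-k-1 bits), both returned as integers.
    The 4-byte big-endian counter encoding is an assumption of this example."""
    total = K + G2BITS
    stream = b""
    counter = 0
    while 8 * len(stream) < total:
        stream += h(w + counter.to_bytes(4, "big"))
        counter += 1
    bits = int.from_bytes(stream, "big") >> (8 * len(stream) - total)  # first `total` bits
    return bits >> G2BITS, bits & ((1 << G2BITS) - 1)


def sign(m: bytes) -> int:
    # 1. choose a random r in {0,1}^k; compute w = h(m || r)
    r = secrets.randbits(K)
    w = h(m + r.to_bytes(K // 8, "big"))
    # 2. compute r* = G_1(w) xor r and y = 0 || w || r* || G_2(w)
    g1, g2 = G(w)
    rstar = g1 ^ r
    y = (int.from_bytes(w, "big") << (K + G2BITS)) | (rstar << G2BITS) | g2
    # the leading 0 bit guarantees y < 2^(n-1) <= N, so y is a valid RSA input
    # 3. the signature is RSA^-1(y)
    return pow(y, D, N)


def verify(m: bytes, sigma: int) -> bool:
    if not 0 < sigma < N:
        return False
    y = pow(sigma, E, N)            # RSA(sigma) should read 0 || w || t || u
    if y >> (NBITS - 1):            # leading bit must be 0
        return False
    u = y & ((1 << G2BITS) - 1)
    t = (y >> G2BITS) & ((1 << K) - 1)
    w = (y >> (K + G2BITS)).to_bytes(L // 8, "big")
    g1, g2 = G(w)
    r = t ^ g1                      # recover the salt: r = t xor G_1(w)
    # check u = G_2(w) and w = h(m || r)
    return u == g2 and w == h(m + r.to_bytes(K // 8, "big"))
```

Because $r$ is fresh on every call, signing the same message twice gives two different valid signatures, which is the "probabilistic" in PSS; a verifier never needs $r$ separately since it is recovered from $t \oplus G_1(w)$. The leading-zero check in `verify` is what keeps $y$ inside $Z_N$ without requiring $h$ to be full-domain, the problem raised on p100.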

p104.

Generating large primes

To set up an RSA cryptosystem, we need two large primes p and q.

p105.

How many prime numbers are there?

• Infinitely many.
• First proved by Euclid: Assume only a finite number of primes $p_1, p_2, \dots, p_n$. Let $M = p_1 p_2 \cdots p_n + 1$.
• $M$ is not a prime, because $M > p_i$, $1 \le i \le n$.
• So, $M$ is composite and has a prime factor $p_i$ for some $i$. $p_i \mid M$ and $p_i \mid M - 1$ $\Rightarrow$ contradiction.

p106.

Distribution of Prime Numbers

The Prime Number Theorem: Let $\pi(x)$ denote the number of primes $\le x$. Then $\pi(x) \approx \frac{x}{\ln x}$ for large $x$.

Dirichlet's Theorem: For $b \in Z_n^*$, let $\pi_{n,b}(x)$ denote the number of primes $y$ such that $y \le x$ and $y \equiv b \pmod n$. Then $\pi_{n,b}(x) \approx \frac{1}{\phi(n)} \cdot \frac{x}{\ln x}$ for large $x$.

p107.

How to generate a large prime number?

Generate a random odd number $n$ of desired size.
Test if $n$ is prime.
If not, discard it and try a different number.

Q: How many numbers are expected to be tested before a prime is found?

p108.

Primality test: Is $n$ a prime?

Can it be solved in polynomial time? A long standing open problem until 2002.

AKS (Agrawal, Kayal, Saxena): $O(\log^{12} n)$. Later improved by others to $O(\log^{10.5} n)$, and then to $O(\log^{6} n)$.

In practice, Miller-Rabin's probabilistic algorithm is still the most popular --- much faster, $O(\log^{3} n)$.

p109.

Miller-Rabin primality test: Is $n$ a prime?

Looking for a characteristic property of prime numbers:
$n$ is prime $\Rightarrow$ $\forall a \in Z_n^*$, $P(a) = \text{true}$.
$n$ is prime $\Leftarrow$ $\forall a \in Z_n^*$, $P(a) = \text{true}$.   ($P$ is what?)
$n$ not prime $\Rightarrow$ $\exists$ elements $a \in Z_n^*$, $P(a) = \text{false}$.

Check $P(a)$ for $t$ random elements $a \in Z_n^*$. If $P(a)$ all true, then return "prime" else return "composite."

A "prime" answer may be incorrect with probability $p(k, t)$, where $k$ is the fraction of $a \in Z_n^*$ with $P(a) = \text{false}$. If $k \ge \frac{1}{2}$, then $p(k, t) \le \frac{1}{2^t}$.

p110.

If $n$ is prime, then for all $a \in Z_n^*$, $P(a)$ is true.   (Picture: the whole of $Z_n^*$ is the region $P(a) = \text{true}$.)

p111.

If $n$ is not prime, then there are strong witnesses, which are elements $a \in Z_n^*$ s.t. $P(a) = \text{false}$.   (Picture: $Z_n^*$ with a region $P(a) = \text{true}$; the rest are strong witnesses.)

p112.

Looking for $P(a)$:

How about $P(a) := (a^{n-1} \equiv 1 \pmod n)$?

Fermat's little theorem: If $n$ is prime, $\forall a \in Z_n^*$, $a^{n-1} \equiv 1 \pmod n$.

If $n$ is not prime, maybe no strong witnesses. (Carmichael numbers: composite numbers $n$ for which $a^{n-1} \equiv 1 \pmod n$, $\forall a \in Z_n^*$.)

Need to refine the condition $a^{n-1} \equiv 1 \pmod n$.

p113.

Fact: if $n > 2$ is prime, then 1 has exactly two square roots in $Z_n^*$, namely $\pm 1$.

Write $n - 1 = 2^k u$, where $u$ is odd. If $n$ is prime, $\forall a \in Z_n^*$, $a^{n-1} \equiv 1 \pmod n$ (Fermat's little theorem)
$\Rightarrow$ $\forall a \in Z_n^*$, $P(a) = \text{true}$, where
$P(a)$: $a^u \equiv 1 \pmod n$, or $a^{2^i u} \equiv -1 \pmod n$ for some $i$, $0 \le i \le k-1$.

Why? Consider the sequence $a^u, a^{2u}, a^{2^2 u}, \dots, a^{2^{k-1} u}, a^{2^k u}$.

p114.

If $n$ not prime $\Rightarrow$ strong witnesses always exist?

Loosely speaking, yes: If $n$ is an odd composite and not a prime power, then at least half of the elements $a \in Z_n^*$ are strong witnesses.

As mentioned earlier, given a number $n$, randomly pick $a \in Z_n^*$ and check $P(a)$. If $a$ is a strong witness, then return "composite" else return "prime." A "prime" answer may be incorrect with probability $\le \frac{1}{2}$.

p115.

A composite number $n$ is a prime power if $n = p^e$ for some prime $p$ and integer $e \ge 2$. (A perfect power if $n = k^e$ for some integer $k$ and $e \ge 2$.)

Theorem: If $n$ is an odd composite and not a prime power, then at least half of the elements $a \in Z_n^*$ are strong witnesses.

Idea of Proof: The set $A$ of non-strong witnesses forms a proper subgroup of $Z_n^*$. So, $\mathrm{ord}(A) \mid \mathrm{ord}(Z_n^*)$ and $\mathrm{ord}(A) < \mathrm{ord}(Z_n^*)$. So, $\mathrm{ord}(A) \le \frac{1}{2}\mathrm{ord}(Z_n^*)$.

p116.

Algorithm: Miller-Rabin primality test

Input: integer $n > 2$ and parameter $t$
Output: a decision as to whether $n$ is prime or composite

1. if $n$ is even, return "composite"
2. if $n$ is a perfect power, return "composite"
3. for $i := 1$ to $t$ do
      choose a random integer $a$, $2 \le a \le n - 1$
      if $\gcd(a, n) \ne 1$, return "composite"
      if $a$ is a strong witness, return "composite"
4. return("prime")

p117.

Analysis: Miller-Rabin primality test

If the algorithm answers "composite", it is always correct.
If the algorithm answers "prime", it may or may not be correct.
The algorithm gives a wrong answer if $n$ is composite but the algorithm fails to find a strong witness in $t$ iterations.
This may happen with probability at most $2^{-t}$.
Actually, at most $4^{-t}$, by a more sophisticated analysis.
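The algorithm of p116, together with the strong-witness condition $P(a)$ of p113 and the generate-and-test loop of p107, as an added Python example (not code from the slides). The Carmichael number 561 is used as constructed sample input to show why the Fermat condition of p112 had to be refined: $2^{560} \equiv 1 \pmod{561}$, yet 2 is a strong witness. The perfect-power check, the witness choice `secrets.randbelow` and the default of $t = 40$ iterations are choices of this example, not of the slides:

```python
import math
import secrets


def is_perfect_power(n: int) -> bool:
    """Step 2 of the slide's algorithm: is n = b^e for integers b >= 2, e >= 2?
    For each exponent e, binary-search for an integer e-th root of n."""
    for e in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // e + 1)   # any root b satisfies b < hi
        while lo <= hi:
            mid = (lo + hi) // 2
            p = mid ** e
            if p == n:
                return True
            if p < n:
                lo = mid + 1
            else:
                hi = mid - 1
    return False


def fermat_passes(a: int, n: int) -> bool:
    """The Fermat condition a^(n-1) = 1 (mod n) from p112; fooled by Carmichael numbers."""
    return pow(a, n - 1, n) == 1


def is_strong_witness(a: int, n: int) -> bool:
    """The refined condition P(a) of p113 for odd n, with n - 1 = 2^k u, u odd.
    P(a) is true (a is NOT a strong witness) if a^u = 1 (mod n) or
    a^(2^i u) = -1 (mod n) for some 0 <= i <= k-1; otherwise a is a witness."""
    u, k = n - 1, 0
    while u % 2 == 0:
        u //= 2
        k += 1
    x = pow(a, u, n)                 # a^u, the first term of the sequence
    if x == 1 or x == n - 1:
        return False
    for _ in range(k - 1):           # a^(2u), a^(4u), ..., a^(2^(k-1) u)
        x = pow(x, 2, n)
        if x == n - 1:
            return False
    return True


def miller_rabin(n: int, t: int = 40) -> bool:
    """The slide's Miller-Rabin test. False ("composite") is always correct;
    True ("prime") is wrong with probability at most 4^-t when n is composite."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:                   # step 1
        return False
    if is_perfect_power(n):          # step 2
        return False
    for _ in range(t):               # step 3
        a = 2 + secrets.randbelow(n - 2)   # uniform in 2 .. n-1
        if math.gcd(a, n) != 1:
            return False
        if is_strong_witness(a, n):
            return False
    return True                      # step 4


def random_prime(bits: int, t: int = 40):
    """The loop of p107: draw random odd numbers of exactly `bits` bits until
    one passes the test. Returns (prime, number_of_candidates_tested); by the
    prime number theorem the count averages about ln(2^bits) / 2 (odd candidates only)."""
    tested = 0
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        tested += 1
        if miller_rabin(n, t):
            return n, tested
```

Note that `miller_rabin` answers "composite" on the first witness it meets, so composites are usually rejected after one exponentiation; only a candidate that survives all $t$ rounds costs the full $t$ exponentiations, which is why the expected cost of `random_prime` is dominated by the primes it finds rather than the composites it discards.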

p118.

Monte Carlo algorithms

A Monte Carlo algorithm is a probabilistic algorithm which always gives an answer but sometimes the answer may be incorrect.

A Monte Carlo algorithm for a decision problem is yes-biased if its "yes" answer is always correct but a "no" answer may be incorrect with some error probability.

A $t$-iteration Miller-Rabin is a "composite"-biased Monte Carlo algorithm with error probability at most $1/4^t$.

p119.

Las Vegas algorithms

A Las Vegas algorithm is a probabilistic algorithm which may sometimes fail to give an answer but never gives an incorrect one.

A Las Vegas algorithm can be converted into a Monte Carlo algorithm.

p120.

RSA Assumption

RSA family: $\mathrm{RSA} := \{\mathrm{RSA}_{(n,e)} : Z_n^* \to Z_n^*,\ x \mapsto x^e \bmod n\}_{(n,e) \in I}$, where
$I := \{(n, e) \mid n = pq,\ p, q \text{ primes},\ 0 < e < \phi(n),\ e \text{ prime to } \phi(n)\}$.
Let $I_k := \{(n, e) \in I \mid n = pq,\ |p| = |q| = k,\ \text{with } p \ne q\}$.

RSA assumption: For any probabilistic polynomial-time algorithm $A(n, e, y)$, there is a negligible function $\mathrm{negl}(k)$ such that
$\Pr\left[A(n, e, y) = \mathrm{RSA}_{(n,e)}^{-1}(y) : (n, e) \leftarrow_u I_k,\ y \leftarrow_u Z_n^*\right] \le \mathrm{negl}(k)$.

p121.

Formal Definition of One-Way Functions

Let $I = \bigcup_k I_k$ be a key (index) set with security parameter $k$.
Let $f = \{f_i : D_i \to R_i\}_{i \in I}$ be a family of functions between finite sets $D_i$ and $R_i$.
Let $K$ be a probabilistic polynomial-time sampling algorithm for $I$, which on input $1^k$ outputs $i \in I_k$.
Let $X$ be a probabilistic polynomial-time sampling algorithm for $D = \{D_i\}_{i \in I}$ that on input $i$ outputs $x \in D_i$.
(We may allow $K$ and $X$ to fail or make errors with negligible probability.)

p122.

$f$ is a family of one-way functions (or, for short, a one-way function) with key generator $K$ and domain sampling algorithm $X$ if and only if

1. $f$ can be computed by a polynomial-time algorithm $F(i, x)$.
2. $f$ is not invertible by any polynomial-time algorithm. That is, for every probabilistic polynomial-time algorithm $A(i, y)$, there is a function $\mathrm{negl}(k)$ such that
   $\Pr\left[A(i, y) \in f_i^{-1}(y) : i \leftarrow K(1^k),\ x \leftarrow X(i),\ y := f_i(x)\right] \le \mathrm{negl}(k)$.
