The possibility of a public-key cryptosystem was first publicly suggested by Diffie and Hellman in 1976. However, they did not present a practical implementation. In the next few years, several methods were proposed. The most successful, based on the idea that factoring integers into their prime factors is hard, was proposed by Rivest, Shamir, and Adleman in 1977 and is known as the RSA algorithm.
Although cryptanalysis has neither proved nor disproved RSA's security, the scrutiny the algorithm has received does suggest a level of confidence in it. Rabin developed a public-key cryptosystem based on the difficulty of computing a square root modulo a composite integer. Rabin's work has theoretical importance, since the security of the Rabin cryptosystem against a passive adversary is provably equivalent to the intractability of the integer factorization problem.
The primary objective of an adversary who wishes to "attack" a public-key encryption scheme is to systematically recover plaintext from ciphertext intended for some other entity. If this is achieved, the encryption scheme is informally said to have been broken. A more ambitious objective is private key recovery.
A particularly strong attack model is the chosen-ciphertext attack, where an adversary selects ciphertexts of its choice and then obtains by some means the corresponding plaintexts. Two variants are distinguished:
(1) The (indifferent) chosen-ciphertext attack, in which the adversary obtains the decryptions before seeing the target ciphertext.
(2) The adaptive chosen-ciphertext attack, in which the adversary may choose further ciphertexts to be decrypted after seeing the target ciphertext (but may not ask for the decryption of the target itself).
The public-key encryption schemes described in this lecture assume that there is a means for the sender of a message to obtain an authentic copy of the intended receiver's public key. There are many techniques in practice by which authentic public keys can be distributed, including exchanging keys over a trusted channel, using a trusted public file, using an on-line trusted server, and using an off-line server and certificates.
Some of the public-key encryption schemes described in this lecture assume that the message to be encrypted is at most some fixed size (bit-length). Plaintext messages longer than this maximum must be broken into blocks, each of the appropriate size. To provide protection against manipulation (e.g., re-ordering) of the blocks, a chaining mode such as Cipher Block Chaining (CBC) may be used.
Outline
- RSA Encryption Algorithm
- Implementation of RSA Encryption
- Security of RSA Encryption
- RSA Encryption in Practice
- Rabin Encryption Algorithm
- Implementation of Rabin Encryption
- Security of Rabin Encryption
- Summary of Public Key Encryption
1 RSA Encryption Algorithm

1.1 Description

Algorithm 1 (Key generation for RSA public-key encryption)
SUMMARY: Each entity creates an RSA public key and a corresponding private key.
Each entity A should do the following:
(1) Generate two large random (and distinct) primes p and q, each roughly the same size.
(2) Compute n = pq and φ = (p − 1)(q − 1).
(3) Select a random integer e, 1 < e < φ, such that gcd(e, φ) = 1.
(4) Use the extended Euclidean algorithm to compute the unique integer d, 1 < d < φ, such that ed ≡ 1 (mod φ).
(5) A's public key is (n, e); A's private key is d.
Algorithm 2 (RSA public-key encryption)
SUMMARY: B encrypts a message m for A, which A decrypts.
Encryption. B should do the following:
(1) Obtain A's authentic public key (n, e).
(2) Represent the message as an integer m in the interval [0, n − 1].
(3) Compute c = m^e mod n.
(4) Send the ciphertext c to A.
Decryption. To recover plaintext m from c, A should do the following:
(1) Use the private key d to recover m = c^d mod n.
Proof that decryption works. Since ed ≡ 1 (mod φ), there exists an integer k such that ed = 1 + kφ. Now, if gcd(m, p) = 1 then by Fermat's theorem
m^(p−1) ≡ 1 (mod p).
Raising both sides of this congruence to the power k(q − 1) and then multiplying both sides by m yields
m^(1 + k(p−1)(q−1)) ≡ m (mod p).
On the other hand, if gcd(m, p) = p, then this last congruence is again valid since each side is congruent to 0 modulo p. Hence, in all cases
m^(ed) ≡ m (mod p).
By the same argument,
m^(ed) ≡ m (mod q).
Finally, since p and q are distinct primes, it follows that
m^(ed) ≡ m (mod n),
and hence,
c^d ≡ (m^e)^d ≡ m (mod n).
Comment. The number λ = lcm(p − 1, q − 1), where lcm denotes the least common multiple, sometimes called the universal exponent of n, may be used instead of φ = (p − 1)(q − 1) in RSA key generation. Observe that λ is a proper divisor of φ. Using λ can result in a smaller decryption exponent d, which may result in faster decryption. However, if p and q are chosen at random, then gcd(p − 1, q − 1) is expected to be small, and consequently φ and λ will be roughly of the same size.
1.2 Example

Example 1 (RSA encryption with artificially small parameters)
Key generation. Entity A chooses the primes p = 2357, q = 2551, and computes n = pq = 6012707 and φ = (p − 1)(q − 1) = 6007800. A chooses e = 3674911 and, using the extended Euclidean algorithm, finds d = 422191 such that ed ≡ 1 (mod φ). A's public key is the pair (n = 6012707, e = 3674911), while A's private key is d = 422191.
Encryption. To encrypt a message m = 5234673, B uses an algorithm for modular exponentiation to compute
c = m^e mod n = 5234673^3674911 mod 6012707 = 3650502,
and sends this to A.
Decryption. To decrypt c, A computes
c^d mod n = 3650502^422191 mod 6012707 = 5234673.
2 Implementation of RSA Encryption

2.1 Primality Testing
It might be surprising, but factorization and primality testing are not the same. It is much easier to prove a number is composite than it is to factor it. There are many large integers that are known to be composite but that have not been factored.
Algorithm 3 (Fermat primality test)
INPUT: an odd integer n ≥ 3 and a security parameter t ≥ 1.
OUTPUT: an answer "prime" or "composite" to the question: "Is n prime?"
(1) For i from 1 to t do the following:
(1.1) Choose a random integer a, 2 ≤ a ≤ n − 2.
(1.2) Compute r = a^(n−1) mod n.
(1.3) If r ≠ 1 then return("composite").
(2) Return("prime").
# If n is composite and a^(n−1) ≡ 1 (mod n), then we say that n is a pseudoprime for the base a. The answer "composite" is always correct, but "prime" is only probable: Carmichael numbers (such as 561 = 3 × 11 × 17) are pseudoprimes to every base coprime to them, which is why practical implementations use the Miller–Rabin test instead.
2.2 Modular Exponentiation

Algorithm 4 (Left-to-right binary exponentiation)
INPUT: integers g, n and a positive integer b = (b_t b_{t−1} ... b_1 b_0)_2.
OUTPUT: g^b mod n.
(1) A = 1.
(2) For i from t down to 0 do the following:
(2.1) A = A·A mod n.
(2.2) If b_i = 1, then A = A·g mod n.
(3) Return(A).
# g^b mod n = ((((g^{b_t})^2 · g^{b_{t−1}})^2 · ... )^2 · g^{b_1})^2 · g^{b_0} mod n: each iteration squares the partial result and multiplies in g exactly when the current exponent bit is 1.
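The following Python program is an added worked example (it is not part of the original lecture) that implements Algorithms 1 to 4 and reproduces Example 1. The primes and e are passed in rather than generated at random, and the Fermat test takes a seed so that the run is reproducible; `passes_fermat` shows the pseudoprime caveat on the Carmichael number 561.

```python
import random


def extended_gcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def lr_binary_exp(g, b, n):
    """Algorithm 4: left-to-right binary exponentiation, g^b mod n."""
    A = 1
    for i in range(b.bit_length() - 1, -1, -1):   # bits b_t ... b_0
        A = A * A % n                              # step (2.1): always square
        if (b >> i) & 1:                           # step (2.2): multiply only when b_i = 1
            A = A * g % n
    return A


def passes_fermat(n, a):
    """One Fermat round: a^(n-1) = 1 (mod n)? A composite n that passes is a pseudoprime to base a."""
    return lr_binary_exp(a, n - 1, n) == 1


def fermat_test(n, t, seed=None):
    """Algorithm 3 with t random bases. 'composite' is certain; 'prime' is only probable."""
    rng = random.Random(seed)                      # seeded only so the example is reproducible
    for _ in range(t):
        a = rng.randrange(2, n - 1)                # 2 <= a <= n-2
        if not passes_fermat(n, a):
            return "composite"
    return "prime"


def rsa_keygen(p, q, e):
    """Algorithm 1 with p, q and e supplied by the caller (real keys draw them at random)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi")
    d = x % phi                                    # step (4): e*d = 1 (mod phi)
    return (n, e), d


def rsa_encrypt(pub, m):
    """Algorithm 2, encryption: c = m^e mod n."""
    n, e = pub
    return lr_binary_exp(m, e, n)


def rsa_decrypt(n, d, c):
    """Algorithm 2, decryption: m = c^d mod n."""
    return lr_binary_exp(c, d, n)


if __name__ == "__main__":
    pub, d = rsa_keygen(2357, 2551, 3674911)       # Example 1's parameters
    c = rsa_encrypt(pub, 5234673)
    print(pub, d, c, rsa_decrypt(pub[0], d, c))
    print(fermat_test(561, 5, seed=1), passes_fermat(561, 2))
```

With Example 1's parameters the program prints the public key (6012707, 3674911), d = 422191, the ciphertext 3650502 and the recovered plaintext 5234673; `passes_fermat(561, 2)` is True even though 561 = 3 × 11 × 17.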
3 Security of RSA Encryption

3.1 Security Parameters φ, d, p, q

Claim 1. Suppose n is the product of two distinct primes. If we know n and φ, then we can quickly find p and q.
Proof. Note that
φ = (p − 1)(q − 1) = pq − (p + q) + 1 = n − (p + q) + 1.
Therefore, we know p + q = n − φ + 1 and pq = n. The roots of the polynomial
X^2 − (p + q)X + pq = (X − p)(X − q)
are p and q. So,
p, q = ((n − φ + 1) ± sqrt((n − φ + 1)^2 − 4n)) / 2.
Claim 2. If we know n, e and d, then we can probably factor n.
In the discussion of factorization methods in the following, we show that if we have a universal exponent r > 0 such that a^r ≡ 1 (mod n) for all a with gcd(a, n) = 1, then we can probably factor n. Since ed − 1 is a multiple of φ, say ed − 1 = kφ, we have a^(ed−1) ≡ (a^φ)^k ≡ 1 (mod n) whenever gcd(a, n) = 1. The method for universal exponents can now be applied with r = ed − 1.
3.2 Relation to Factoring
The basic method of dividing an integer n by all primes p ≤ sqrt(n) is much too slow for most purposes. One method, which is also slow, is usually called the Fermat factorization method. The idea is to express n as a difference of two squares: n = x^2 − y^2. Then n = (x + y)(x − y) gives a factorization of n. Compute n + 1^2, n + 2^2, n + 3^2, ... until a square n + y^2 = x^2 is found. The Fermat factorization method works well when n is the product of two primes that are very close together. If n = pq, it takes |p − q|/2 steps to find the factorization. So the primes for an RSA modulus are often chosen to be of slightly different sizes.
3.2.1 Exponent Factorization Method

Basic Principle 1. Let n be an integer and suppose there exist integers x and y with x^2 ≡ y^2 (mod n), but x ≢ ±y (mod n). Then n is composite. Moreover, gcd(x − y, n) gives a nontrivial factor of n.
Proof. Let d = gcd(x − y, n). If d = n then x ≡ y (mod n), which is assumed not to happen. Suppose d = 1. Since n divides x^2 − y^2 = (x − y)(x + y) and gcd(x − y, n) = 1, n divides x + y, which contradicts the assumption that x ≢ −y (mod n). Therefore, d ≠ 1, n, so d is a nontrivial factor of n.

Example 2. Since 12^2 ≡ 2^2 (mod 35), but 12 ≢ ±2 (mod 35), we know that 35 is composite. Moreover, gcd(12 − 2, 35) = 5 is a nontrivial factor of 35.
Universal Exponent Factorization Method. Suppose we have a universal exponent r > 0 for the integer n, i.e., a^r ≡ 1 (mod n) for all a with gcd(a, n) = 1. Write r = 2^k m with m odd. Choose a random integer a, 2 ≤ a ≤ n − 2. If gcd(a, n) ≠ 1, we have a factor of n, so assume gcd(a, n) = 1. Let y_0 ≡ a^m (mod n), and successively define y_{i+1} ≡ y_i^2 (mod n) for 0 ≤ i ≤ k − 1. If y_0 ≡ 1 (mod n), then stop and try a different a. If, for some i, we have y_i ≡ −1 (mod n), then stop and try a different a. If, for some i, we have y_{i+1} ≡ 1 (mod n) but y_i ≢ ±1 (mod n), then gcd(y_i − 1, n) gives a nontrivial factor of n (Basic Principle 1 applied to y_i^2 ≡ 1^2).
Exponent Factorization Method. Suppose we have an exponent r > 0 and an integer a such that a^r ≡ 1 (mod n). Write r = 2^k m with m odd. Let y_0 ≡ a^m (mod n), and successively define y_{i+1} ≡ y_i^2 (mod n) for 0 ≤ i ≤ k − 1. If y_0 ≡ 1 (mod n), then stop. If, for some i, we have y_i ≡ −1 (mod n), then stop. If, for some i, we have y_{i+1} ≡ 1 (mod n) but y_i ≢ ±1 (mod n), then gcd(y_i − 1, n) gives a nontrivial factor of n.
Comment. (1) In fact, the universal exponent factorization method has a very high probability of factoring n. However, we might ask how we can find a universal exponent. Generally, this is very difficult, and this test cannot be used in practice. (2) If we take r = 0, then any a works (since a^0 = 1), but then y_0 = 1, so the method fails. But if r and a are found by some reasonably sensible method, there is a good chance that this method will factor n.
3.2.2 Pollard's p − 1 Algorithm
The idea behind Pollard's p − 1 algorithm is the following. Let B be a smoothness bound. Let Q be the least common multiple of all powers of primes ≤ B that are ≤ n. If q^l ≤ n, then l ln q ≤ ln n, and so l ≤ ⌊ln n / ln q⌋. Thus
Q = ∏_{q ≤ B} q^{⌊ln n / ln q⌋},
where the product is over all distinct primes q ≤ B. If p is a prime factor of n such that p − 1 is B-smooth, then p − 1 | Q, and consequently for any a satisfying gcd(a, p) = 1, Fermat's theorem implies that a^Q ≡ 1 (mod p). Hence if d = gcd(a^Q − 1, n), then p | d. It is possible that d = n, in which case the algorithm fails; however, this is unlikely to occur if n has at least two large distinct prime factors.
Algorithm 5 (Pollard's p − 1 algorithm for factoring integers)
INPUT: a composite integer n that is not a prime power.
OUTPUT: a non-trivial factor d of n.
(1) Select a smoothness bound B.
(2) Select a random integer a, 2 ≤ a ≤ n − 1, and compute d = gcd(a, n). If d ≥ 2 then return(d).
(3) For each prime q ≤ B do the following:
(3.1) Compute l = ⌊ln n / ln q⌋.
(3.2) Compute a = a^(q^l) mod n.
(4) Compute d = gcd(a − 1, n).
(5) If d = 1 or d = n, then terminate the algorithm with failure. Otherwise, return(d).
Comment. (1) In fact, if d = n, not all is lost. In this case, we have an exponent r = Q and an a such that a^r ≡ 1 (mod n). There is a good chance that the exponent factorization method will factor n. Alternatively, we could choose a smaller value of B. (2) If we choose a small B, then the algorithm will run quickly but will have a very small chance of success. If we choose a very large B, then the algorithm will be very slow. The actual value used will depend on the situation at hand.
Example 3 (Pollard's p − 1 algorithm for finding a non-trivial factor of n = 19048567)
We select the smoothness bound B = 19, the integer a = 3, and compute gcd(3, n) = 1. The following lists the intermediate values of the variables q, l, and a after each iteration of step 3 in Algorithm 5:
q    l    a
2    24   2293244
3    15   13555889
5    10   16937223
7    8    15214586
11   6    9685355
13   6    13271154
17   5    11406961
19   5    554506
We can now compute d = gcd(554506 − 1, n) = 5281. Two non-trivial factors of n are p = 5281 and q = n/p = 3607 (these factors are in fact prime). Notice that p − 1 = 5280 = 2^5 × 3 × 5 × 11, and q − 1 = 3606 = 2 × 3 × 601. That is, p − 1 is 19-smooth, while q − 1 is not 19-smooth.
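The following Python code is an added worked example, not part of the original lecture: it implements Claim 1 (`factor_from_phi`), the exponent factorization method for a known exponent and base (`exponent_factor`), its use with r = ed − 1 for Claim 2 (`factor_from_ed`, which is also the computation behind the common-modulus attack of Section 3.6), and Pollard's p − 1 algorithm as Algorithm 5 (`pollard_p_minus_1`), reproducing the trace of Example 3. The search over bases a in `factor_from_ed` and its bound of 10000 are the example's own choices.

```python
from math import gcd, isqrt


def factor_from_phi(n, phi):
    """Claim 1: p, q are the roots of X^2 - (p+q)X + pq with p+q = n - phi + 1."""
    s = n - phi + 1
    disc = s * s - 4 * n
    r = isqrt(disc) if disc >= 0 else -1
    if disc < 0 or r * r != disc:
        raise ValueError("phi is not phi(n) for a two-prime modulus")
    return (s + r) // 2, (s - r) // 2


def exponent_factor(n, r, a):
    """Exponent factorization method: given a^r = 1 (mod n), write r = 2^k m (m odd)
    and look for a square root of 1 other than +-1. Returns a factor or None."""
    k, m = 0, r
    while m % 2 == 0:
        k, m = k + 1, m // 2
    y = pow(a, m, n)                       # y_0
    if y == 1:
        return None                        # stop: try a different a
    for _ in range(k):
        y_next = y * y % n                 # y_{i+1} = y_i^2
        if y_next == 1:
            # y is a square root of 1; useful unless y = -1 (Basic Principle 1)
            return None if y == n - 1 else gcd(y - 1, n)
        y = y_next
    return None                            # a^r != 1 (mod n): r was no exponent for a


def factor_from_ed(n, e, d):
    """Claim 2 / common-modulus attack: e*d - 1 is a universal exponent, so the
    exponent method with a few bases a factors n (each base succeeds with chance ~1/2)."""
    for a in range(2, 10000):              # bound chosen for the example
        if gcd(a, n) > 1:
            return gcd(a, n)
        f = exponent_factor(n, e * d - 1, a)
        if f:
            return f
    return None


def primes_up_to(bound):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def pollard_p_minus_1(n, B, a=3):
    """Algorithm 5. Returns (factor or None, trace of (q, l, a) after each step 3)."""
    d = gcd(a, n)                          # step (2)
    if d >= 2:
        return d, []
    trace = []
    for q in primes_up_to(B):              # step (3)
        l = 0
        while q ** (l + 1) <= n:           # l = floor(ln n / ln q), computed exactly
            l += 1
        a = pow(a, q ** l, n)              # step (3.2)
        trace.append((q, l, a))
    d = gcd(a - 1, n)                      # step (4)
    return (None if d in (1, n) else d), trace


if __name__ == "__main__":
    print(factor_from_phi(6012707, 6007800))           # Example 1: (2551, 2357)
    print(factor_from_ed(6012707, 3674911, 422191))    # 2357 or 2551
    print(pollard_p_minus_1(19048567, 19))             # (5281, [(2, 24, 2293244), ...])
```

The Pollard trace matches the table of Example 3 line for line; `factor_from_ed` shows why handing out (e_i, d_i) pairs under one modulus (Section 3.6) gives every holder the factorization.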
3.2.3 Quadratic Sieve
# The main step is to produce congruence relations x^2 ≡ (product of small primes) (mod n), which are then multiplied together into a relation of the form x^2 ≡ y^2 (mod n) of Basic Principle 1. An improved version of the method above is called the quadratic sieve.

The Quadratic Sieve. For n = 3837523 we have the relations
9398^2 ≡ 5^5 · 19 (mod 3837523),
19095^2 ≡ 2^2 · 5 · 11 · 13 · 19 (mod 3837523),
1964^2 ≡ 3^2 · 13^3 (mod 3837523),
17078^2 ≡ 2^6 · 3^2 · 11 (mod 3837523),
8077^2 ≡ 2 · 19 (mod 3837523),
3397^2 ≡ 2^5 · 5 · 13^2 (mod 3837523),
14262^2 ≡ 5^2 · 7^2 · 13 (mod 3837523).
We obtain the matrix of exponents (one row per relation, columns for the primes 2, 3, 5, 7, 11, 13, 17, 19):
        2  3  5  7  11 13 17 19
9398    0  0  5  0  0  0  0  1
19095   2  0  1  0  1  1  0  1
1964    0  2  0  0  0  3  0  0
17078   6  2  0  0  1  0  0  0
8077    1  0  0  0  0  0  0  1
3397    5  0  1  0  0  2  0  0
14262   0  0  2  2  0  1  0  0
Looking for subsets of rows whose exponent sums are all even (linear dependencies modulo 2), we can further find that
(9398 · 8077 · 3397)^2 ≡ (2^3 · 5^3 · 13 · 19)^2,
(9398 · 19095 · 1964 · 17078)^2 ≡ (2^4 · 3^2 · 5^3 · 11 · 13^2 · 19)^2,
(1964 · 14262)^2 ≡ (3 · 5 · 7 · 13^2)^2.
Therefore, we have
9398 · 8077 · 3397 ≡ 3590523, but 3590523 ≡ −247000 = −(2^3 · 5^3 · 13 · 19) (mod 3837523), so this relation yields no factor;
9398 · 19095 · 1964 · 17078 ≡ 2230387 and 2^4 · 3^2 · 5^3 · 11 · 13^2 · 19 ≡ 2586705, and gcd(2230387 − 2586705, 3837523) = 1093;
1964 · 14262 ≡ 1147907 and 3 · 5 · 7 · 13^2 = 17745, and gcd(1147907 − 17745, 3837523) = 1093.
Indeed 3837523 = 1093 × 3511.
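An added worked example (not part of the original lecture) of the linear-algebra step shown above: the seven relations are written out inline exactly as in the text, a Gaussian elimination over GF(2) finds the subsets whose exponent sums are all even, and each subset is turned into an x^2 ≡ y^2 pair and a gcd as in Basic Principle 1. The relations are taken as given; the sieving that finds them is not shown.

```python
from math import gcd

N = 3837523
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19]
# The seven relations x^2 = prod(PRIMES[j]^e_j) (mod N) from the text, as exponent vectors.
RELATIONS = [
    (9398,  [0, 0, 5, 0, 0, 0, 0, 1]),
    (19095, [2, 0, 1, 0, 1, 1, 0, 1]),
    (1964,  [0, 2, 0, 0, 0, 3, 0, 0]),
    (17078, [6, 2, 0, 0, 1, 0, 0, 0]),
    (8077,  [1, 0, 0, 0, 0, 0, 0, 1]),
    (3397,  [5, 0, 1, 0, 0, 2, 0, 0]),
    (14262, [0, 0, 2, 2, 0, 1, 0, 0]),
]


def relations_hold(n=N, rels=RELATIONS):
    """Sanity check: every listed relation really is a congruence modulo n."""
    for x, ev in rels:
        rhs = 1
        for p, e in zip(PRIMES, ev):
            rhs *= p ** e
        if x * x % n != rhs % n:
            return False
    return True


def gf2_dependencies(rows):
    """rows: bitmasks of the odd exponents. Returns lists of row indices whose masks XOR
    to 0, i.e. subsets with all-even exponent sums (elimination over GF(2), tracking
    which original rows each reduced row is built from)."""
    pivots = {}          # lowest set bit -> (reduced row, combination mask)
    deps = []
    for i, r in enumerate(rows):
        combo = 1 << i
        while r:
            low = r & -r
            if low not in pivots:
                pivots[low] = (r, combo)
                break
            pr, pc = pivots[low]
            r ^= pr
            combo ^= pc
        if r == 0:
            deps.append([j for j in range(len(rows)) if (combo >> j) & 1])
    return deps


def combine(indices, n=N, rels=RELATIONS):
    """Multiply the chosen relations: X = prod x_i, Y = square root of the right-hand
    side, so X^2 = Y^2 (mod n); return (X, Y, gcd(X - Y, n)) as in Basic Principle 1."""
    X, exps = 1, [0] * len(PRIMES)
    for i in indices:
        x, ev = rels[i]
        X = X * x % n
        exps = [s + e for s, e in zip(exps, ev)]
    if any(e % 2 for e in exps):
        raise ValueError("exponent sums are not all even")
    Y = 1
    for p, e in zip(PRIMES, exps):
        Y = Y * pow(p, e // 2, n) % n
    return X, Y, gcd(X - Y, n)


def factor(n=N, rels=RELATIONS):
    """Try every dependency until one yields a non-trivial factor (a dependency is
    useless when X = +-Y, as the first one in the text is)."""
    rows = [sum((e & 1) << j for j, e in enumerate(ev)) for _, ev in rels]
    for dep in gf2_dependencies(rows):
        X, Y, f = combine(dep, n, rels)
        if 1 < f < n:
            return f
    return None


if __name__ == "__main__":
    print(relations_hold(), factor(), N // factor())   # True 1093 3511
```

The elimination finds exactly the three dependencies listed in the text, in the order {9398, 19095, 1964, 17078}, {9398, 8077, 3397}, {1964, 14262}; the second gives X ≡ −Y and hence gcd 1, which is the failure case Basic Principle 1 excludes.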
3.2.4 Advances in Factoring
The fastest factoring algorithm published today is the Number Field Sieve (NFS). The details of the algorithm are quite complicated, and are beyond our scope. The NFS can be expected to require time proportional to
L[n] = exp((1.92291 + o(1)) · (ln n)^(1/3) · (ln ln n)^(2/3))
to factor an RSA modulus n, where the o(1) term goes to zero as n goes to infinity (the constant 1.92291 is (64/9)^(1/3)).
3.3 Small Encryption Exponent e
In order to improve the efficiency of encryption, it is desirable to select a small encryption exponent e such as e = 3. A group of entities may all have the same encryption exponent e. If an entity A wishes to send the same message m to three entities whose public moduli are n_1, n_2, n_3, and whose encryption exponents are e = 3, then A would send c_i = m^3 mod n_i, for i = 1, 2, 3. Since these moduli are most likely pairwise relatively prime, an eavesdropper observing c_1, c_2, c_3 can find a solution x, 0 ≤ x < n_1 n_2 n_3, to the three congruences
x ≡ c_1 (mod n_1)
x ≡ c_2 (mod n_2)
x ≡ c_3 (mod n_3)
by the Chinese remainder theorem. Since m < n_i for each i, m^3 < n_1 n_2 n_3, and it must be the case that x = m^3. Hence, by computing the integer cube root of x, the eavesdropper can recover the plaintext m.
Thus a small encryption exponent such as e = 3 should not be used if the same message is sent to many entities. Small encryption exponents are also a problem for small messages m, because if m < n^(1/e), then m can be recovered from the ciphertext c = m^e mod n simply by computing the integer e-th root of c.
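Both attacks above, as an added Python example that is not part of the lecture. The three moduli are built from primes chosen for the example (2357 · 2551 from Example 1, plus the constructed pairs 1009 · 1013 and 3001 · 3011), and the integer root is computed by binary search so no floating-point rounding is involved.

```python
from math import prod


def iroot(x, e):
    """Largest integer r with r^e <= x (the exact e-th root when x is a perfect e-th power)."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)   # hi^e > x
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def crt(residues, moduli):
    """Chinese remainder theorem: the unique x in [0, prod(moduli)) with x = c_i (mod n_i)."""
    M = prod(moduli)
    x = 0
    for c, n in zip(residues, moduli):
        Mi = M // n
        x += c * Mi * pow(Mi, -1, n)
    return x % M


def broadcast_attack(ciphertexts, moduli, e=3):
    """Same m sent to e recipients with exponent e: CRT yields m^e as an integer (no
    reduction happened, because m^e < n_1 n_2 ... n_e), then take the integer root."""
    x = crt(ciphertexts, moduli)
    m = iroot(x, e)
    return m if m ** e == x else None


def small_message_attack(c, e):
    """If m < n^(1/e) then c = m^e exactly, and the integer e-th root recovers m."""
    m = iroot(c, e)
    return m if m ** e == c else None


if __name__ == "__main__":
    moduli = [2357 * 2551, 1009 * 1013, 3001 * 3011]      # constructed for the example
    m = 1000003                                            # the broadcast message
    print(broadcast_attack([pow(m, 3, n) for n in moduli], moduli))   # 1000003
    print(small_message_attack(pow(150, 3, 6012707), 3))               # 150
```

The check `m ** e == x` is what separates the two cases: for a message that is not small (Example 1's m = 5234673, say) the root is not exact and the attack reports failure instead of a wrong plaintext.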
3.4 Small Decryption Exponent d
As was the case with the encryption exponent e, it may seem desirable to select a small decryption exponent d in order to improve the efficiency of decryption. However, in 1990, Wiener showed:
Let n = pq, where p and q are primes with q < p < 2q. Suppose d < n^(1/4)/3. Given (n, e) such that ed ≡ 1 (mod φ), there is an efficient procedure for computing d.
In 2000, Boneh and Durfee gave a substantial improvement to Wiener's result and showed that as long as d < n^(0.292), one can efficiently break the RSA system.
3.5 Multiplicative Properties
Let m_1 and m_2 be two plaintext messages, and let c_1 and c_2 be their respective RSA encryptions. Observe that
(m_1 m_2)^e ≡ m_1^e m_2^e ≡ c_1 c_2 (mod n).
In other words, the ciphertext corresponding to the plaintext m = m_1 m_2 mod n is c = c_1 c_2 mod n. This is sometimes referred to as the homomorphic property of RSA. This observation leads to the following adaptive chosen-ciphertext attack on RSA encryption.

Suppose that an active adversary wishes to decrypt a particular ciphertext c = m^e mod n intended for A. Suppose also that A will decrypt arbitrary ciphertext for the adversary, other than c itself. The adversary can conceal c by selecting a random integer x and computing c̄ = c x^e mod n. Upon presentation of c̄, A will compute for the adversary m̄ = (c̄)^d mod n. Since
m̄ ≡ (c̄)^d ≡ c^d (x^e)^d ≡ m x (mod n),
the adversary can then compute m = m̄ x^(−1) mod n.

This adaptive chosen-ciphertext attack should be circumvented in practice by imposing some structural constraints on plaintext messages. If a ciphertext c is decrypted to a message not possessing this structure, then c is rejected by the decryptor as being fraudulent. Now, if a plaintext message m has this (carefully chosen) structure, then with high probability m x mod n will not have the structure. Thus the adaptive chosen-ciphertext attack described above will fail because A will not decrypt c̄ for the adversary.
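The attack and the structural defence above, as an added Python example (not part of the original lecture) using the key of Example 1. The structure rule, that the low byte of m repeats the byte above it, and the target plaintext 0x12ABAB are the example's own choices; A's decryption service is modelled by a function that refuses the target ciphertext itself.

```python
N, E, D = 6012707, 3674911, 422191   # A's key from Example 1


def has_structure(m):
    """Constructed redundancy rule standing in for the page's structural constraint:
    the low byte of m must repeat the byte above it."""
    return (m & 0xFF) == ((m >> 8) & 0xFF)


def make_decryptor(forbidden, check_structure):
    """A's decryption service: decrypts anything except the target ciphertext itself;
    the hardened variant additionally refuses results lacking the structure."""
    def decrypt(c):
        if c == forbidden:
            return None
        m = pow(c, D, N)
        if check_structure and not has_structure(m):
            return None                 # rejected as fraudulent
        return m
    return decrypt


def blinding_attack(c, decrypt, x):
    """Section 3.5: conceal c as c*x^e, have it decrypted, then strip the factor x."""
    c_bar = c * pow(x, E, N) % N        # (c x^e)^d = m x (mod N)
    m_bar = decrypt(c_bar)
    if m_bar is None:
        return None
    return m_bar * pow(x, -1, N) % N


if __name__ == "__main__":
    m = 0x12ABAB                        # target plaintext, satisfies has_structure
    c = pow(m, E, N)
    naive = make_decryptor(c, check_structure=False)
    hardened = make_decryptor(c, check_structure=True)
    print(hex(blinding_attack(c, naive, 2) or 0))     # 0x12abab: recovered
    print(blinding_attack(c, hardened, 2))            # None: m*2 mod N lacks the structure
```

With x = 2 the blinded plaintext is 2m = 0x255756, whose two low bytes differ, so the hardened decryptor refuses it and the unblinding step never runs. Ad-hoc structure rules are a stop-gap; the standard fix is a padding scheme with a proper integrity check such as RSA-OAEP (Section 3.11).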
3.6 Common Modulus Attack
It is sometimes suggested that a central trusted authority should select a single RSA modulus n, and then distribute a distinct encryption/decryption exponent pair (e_i, d_i) to each entity in a network. However, knowledge of any pair (e_i, d_i) allows for the factorization of the modulus n (Claim 2: e_i d_i − 1 is a universal exponent for n), and hence any entity could subsequently determine the decryption exponents of all other entities in the network.
3.7 Partial Key Exposure Attacks
Claim 3. Let n = pq have l digits. If we know the first l/4, or the last l/4, digits of p, we can efficiently factor n.
Comment. If p and q have 100 digits and we know the first 50 digits, or the last 50 digits, of p, then we can factor n. Therefore, if we choose a random starting point to choose our prime p, the method should be such that a large amount of p is not predictable. For example, suppose we take a random 50-digit number N and test numbers of the form N · 10^50 + k, k = 1, 3, 5, ..., for primality until we find a prime (which should happen for k < 1000). An attacker who knows that this method is used will know 47 of the last 50 digits of p. Trying the method of Claim 3 for the various k < 1000 will eventually lead to the factorization of n.

Claim 4 (Coppersmith). Suppose (n, e) is an RSA public key and n has l digits. Let d be the decryption exponent. If we have at least the last l/4 digits of d, we can efficiently find d in time that is linear in e log_2 e.
Comment. This means that the time to find d is bounded by a linear function in e log_2 e. If e is small, it is therefore quite fast to find d when we know a large part of d. If e is large, it is no better than a case-by-case search for d.
3.8 Cycling Attacks
Let c = m^e mod n be a ciphertext. Let k be a positive integer such that c^(e^k) ≡ c (mod n). Since encryption is a permutation on the message space {0, 1, ..., n − 1}, such an integer k must exist. For the same reason it must be the case that c^(e^(k−1)) ≡ m (mod n). This observation leads to the following cycling attack on RSA encryption. An adversary computes c^e mod n, c^(e^2) mod n, c^(e^3) mod n, ... until c is obtained for the first time. If c^(e^k) ≡ c (mod n), then the previous number in the cycle, namely c^(e^(k−1)) mod n, is equal to the plaintext m.

A generalized cycling attack is to find the smallest positive integer u such that f = gcd(c^(e^u) − c, n) > 1. If c^(e^u) ≡ c (mod p) and c^(e^u) ≢ c (mod q), then f = p. Similarly, if c^(e^u) ≢ c (mod p) and c^(e^u) ≡ c (mod q), then f = q. In either case, n has been factored, and the adversary can recover d and then m. On the other hand, if both c^(e^u) ≡ c (mod p) and c^(e^u) ≡ c (mod q), then f = n and c^(e^u) ≡ c (mod n).

Comment. In fact, u must then be the smallest positive integer k for which c^(e^k) ≡ c (mod n). In this case, the basic cycling attack has succeeded and so m = c^(e^(k−1)) mod n can be computed efficiently. Since the third condition is expected to occur much less frequently than the first or second condition, the generalized cycling attack usually terminates before the cycling attack does. For this reason, the generalized cycling attack can be viewed as being essentially an algorithm for factoring n. Since factoring is assumed to be intractable, these cycling attacks do not pose a threat to the security of RSA encryption.
3.9 Message Concealing
A plaintext message m, 0 ≤ m ≤ n − 1, in the RSA public-key encryption scheme is said to be unconcealed if it encrypts to itself, that is, m^e ≡ m (mod n). There are always some messages which are unconcealed (for example m = 0, m = 1, m = n − 1). In fact, the number of unconcealed messages is exactly
[1 + gcd(e − 1, p − 1)] · [1 + gcd(e − 1, q − 1)].
Since e − 1, p − 1 and q − 1 are all even, the number of unconcealed messages is always at least 9. If p and q are random primes, and if e is chosen at random (or if e is chosen to be a small number such as 3 or 2^16 + 1 = 65537), then the proportion of messages which are unconcealed by RSA encryption will, in general, be negligibly small, and hence unconcealed messages do not pose a threat to the security of RSA encryption in practice.
3.10 Forward Search Attack
If the message space is small or predictable, an adversary can decrypt a ciphertext c by simply encrypting all possible plaintext messages until c is obtained. Salting the message (appending random bits before encryption) is one simple method of preventing such an attack.
3.11 RSA-OAEP
Let f be a k-bit to k-bit trapdoor one-way permutation (RSA). Let k_0 and k_1 be parameters such that 2^(k_0) and 2^(k_1) steps each represent infeasible amounts of work (e.g., k_0 = k_1 = 128). The length of the plaintext m is fixed to be n = k − k_0 − k_1 (e.g., n = 768 for k = 1024; this n is a bit-length, not the modulus). Let G: {0,1}^(k_0) → {0,1}^(n+k_1) and H: {0,1}^(n+k_1) → {0,1}^(k_0) be random functions. Then the encryption function is
E(m) = f( {(m || 0^(k_1)) ⊕ G(r)} || {r ⊕ H((m || 0^(k_1)) ⊕ G(r))} ),
where m || 0^(k_1) denotes m concatenated with a string of 0s of bitlength k_1, r is a random binary string of bitlength k_0, and || denotes concatenation.

Comment. The security argument is made under the assumption that G and H are random functions. In practice, G and H are derived from a cryptographic hash function such as the Secure Hash Algorithm. Consider k_0 = k_1 = 128 and k = 1024; then the plaintext message can have length |m| = n = 1024 − 256 = 768, that is, the plaintext message encrypted inside the RSA-OAEP scheme can have length up to 75% of the length of the modulus. Decryption inverts f, splits the result into its (n + k_1)-bit and k_0-bit halves s and t, recovers r = t ⊕ H(s) and then m || 0^(k_1) = s ⊕ G(r), and rejects the ciphertext unless the last k_1 bits are all zero; this redundancy check is what makes the scheme resistant to the chosen-ciphertext attack of Section 3.5.
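An added Python example (not part of the original lecture) of RSA-OAEP encryption and decryption as defined above, scaled down so that it runs instantly: f is RSA with the constructed toy modulus (2^61 − 1)(2^31 − 1), the permutation is applied to k = 88-bit (11-byte) strings so every input lies below the modulus, and k_0 = 16 bits, k_1 = 32 bits; G and H are derived from SHA-256 with distinct prefixes, as the comment suggests. These sizes are for illustration only; the page's k_0 = k_1 = 128 would be used in practice. The redundancy check also rejects a blinded ciphertext of the kind used in Section 3.5.

```python
import hashlib
import os

# Toy RSA permutation f (constructed key from two Mersenne primes; real keys use random primes).
P, Q = (1 << 61) - 1, (1 << 31) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

K = 11               # bytes fed to f: 88 bits, always below the 92-bit modulus
K0 = 2               # bytes of random seed r            (page: k_0)
K1 = 4               # bytes of zero redundancy          (page: k_1)
MLEN = K - K0 - K1   # 5-byte plaintexts                 (page: n = k - k_0 - k_1)


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n+k1), derived from SHA-256 as the comment suggests."""
    return hashlib.sha256(b"OAEP-G" + r).digest()[:MLEN + K1]


def H(s):
    """H: {0,1}^(n+k1) -> {0,1}^k0."""
    return hashlib.sha256(b"OAEP-H" + s).digest()[:K0]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encrypt(m, r=None):
    """E(m) = f({(m || 0^k1) xor G(r)} || {r xor H(...)}); r is random unless supplied."""
    if len(m) != MLEN:
        raise ValueError("plaintext must be exactly %d bytes" % MLEN)
    r = os.urandom(K0) if r is None else r
    s = xor(m + bytes(K1), G(r))          # (m || 0^k1) xor G(r)
    t = xor(r, H(s))                      # r xor H(s)
    return pow(int.from_bytes(s + t, "big"), E, N)


def oaep_decrypt(c):
    """Invert f, unmask, and reject (None) unless the k1 redundancy bytes are all zero."""
    x = pow(c, D, N)
    if x >= 1 << (8 * K):
        return None                       # not a k-bit string: reject
    st = x.to_bytes(K, "big")
    s, t = st[:MLEN + K1], st[MLEN + K1:]
    r = xor(t, H(s))
    padded = xor(s, G(r))
    if padded[MLEN:] != bytes(K1):
        return None                       # redundancy check failed: reject
    return padded[:MLEN]


if __name__ == "__main__":
    c = oaep_encrypt(b"hello")
    print(oaep_decrypt(c))                          # b'hello'
    print(oaep_decrypt(c * pow(2, E, N) % N))       # None: blinded ciphertext rejected
```

Because r is fresh on every call, the same plaintext produces a different ciphertext each time, which also removes the forward-search (Section 3.10) and small-exponent (Section 3.3) problems.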
3.12 Timing Attacks
The implementation of a cryptographic algorithm can have weaknesses that were unanticipated by the designers of the algorithm. Adversaries can exploit these weaknesses to circumvent the security of the underlying cryptographic algorithm. Attacks on the implementations of cryptographic systems are a great concern to operators and users of secure systems.

Implementation attacks include timing attacks, power analysis attacks, fault insertion attacks, and electromagnetic emission attacks. We refer to them as side-channel attacks. The term side-channel is used to describe the leakage of unintended information from a supposedly tamper-resistant device, such as a smartcard.

In a timing attack the side-channel is the time the device needs to perform private-key operations. An adversary can carefully measure the time taken by a vulnerable system to learn the secrets contained inside the device and break the entire system's security. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements.

Assumed environment. The adversary can observe the system decrypting several ciphertexts g. He also knows the hardware being used for the calculation and can use this information to calculate the computation times for the various steps that potentially occur in the process. In addition, let g^d mod n be computed by Algorithm 4.
Fact 1. In Algorithm 4, the multiplication A = A·g mod n of step (2.2) occurs only when the bit b_i = 1. In many situations, there is a reasonably large variation in how long this multiplication takes.

Fact 2. Let t be the time it takes the computer to complete a calculation, given a random input g. The mean is the average value of these outputs: if we record n outputs t_1, t_2, ..., t_n, the mean should be approximately
E(t) = (t_1 + t_2 + ... + t_n) / n.
The variance for the random process is approximately
Var({t_i}) = Σ_{i=1}^{n} (t_i − E(t))^2 / n.
If we can break the computation done by the computer into two independent processes, which take times t_1 and t_2, the total time will be t = t_1 + t_2. We have
E(t) = E(t_1) + E(t_2) and Var({t}) = Var({t_1}) + Var({t_2}).
Algorithm 6 (Timing attack on left-to-right binary exponentiation)
The adversary can do the following:
(1) Select ciphertexts g_1, g_2, ..., g_k and measure the times t_1, t_2, ..., t_k that it took to compute each g_j^d mod n, where d = (d_L d_{L−1} ... d_1 d_0)_2 is the secret exponent.
(2) For i from L down to 0 do the following:
(2.1) Suppose d_i = 1. Let t_j' be the amount of time it takes the computer to perform A = A·g_j mod n in step (2.2) of Algorithm 4. Collect them.
(2.2) Let t_j'' = t_j − t_j'. Compute Var({t_j}) and Var({t_j''}). If Var({t_j''}) < Var({t_j}), then guess d_i = 1; else, guess d_i = 0.

Explain. (1) Since the adversary knows the bits d_L, ..., d_{i+1} already determined, he knows the value of A held by Algorithm 4 before step i for each g_j, and how much time was used in calculating the previous A = A·A mod n; he can therefore suppose d_i = 1 and, from his knowledge of the hardware, compute the time t_j' of the multiplication in step (2.2). (2) If the multiplication occurs, t_j'' is the amount of time it takes the computer to complete the calculation apart from that multiplication. It is reasonable to assume t_j' and t_j'' are independent of each other. Therefore, Var({t_j}) = Var({t_j'}) + Var({t_j''}) > Var({t_j''}). If the multiplication does not occur, it is reasonable to assume t_j and t_j' are independent of each other. So, Var({t_j''}) = Var({t_j}) + Var({t_j'}) > Var({t_j}).
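The attack is abstract as stated, so the following Python simulation is added (it is not part of the original lecture). The device's data-dependent multiplication time is modelled by a constructed cost function, a deterministic pseudo-random value in [10, 19] derived from the two operands with SHA-256; the adversary is assumed to know this cost function, which stands in for the page's assumption that he knows the hardware. The secret exponent and modulus are those of Example 1, and the ciphertexts are drawn from a seeded generator so the run is reproducible.

```python
import hashlib
import random
from statistics import pvariance

N = 6012707          # modulus from Example 1
SECRET_D = 422191    # private exponent from Example 1: the attack's target


def mul_cost(x, y):
    """Constructed stand-in for the hardware's data-dependent time of x*y mod n:
    a deterministic pseudo-random cost in [10, 19] derived from the operands."""
    h = hashlib.sha256(x.to_bytes(8, "big") + y.to_bytes(8, "big")).digest()
    return 10 + h[0] % 10


def timed_modexp(g, d, n):
    """Algorithm 4 instrumented with the cost model; returns (g^d mod n, total time)."""
    A, t = 1, 0
    for i in range(d.bit_length() - 1, -1, -1):
        t += mul_cost(A, A)
        A = A * A % n                      # step (2.1): always
        if (d >> i) & 1:
            t += mul_cost(A, g)
            A = A * g % n                  # step (2.2): only when d_i = 1 (Fact 1)
    return A, t


def timing_attack(n, bit_len, samples, seed=0):
    """Algorithm 6: recover the secret exponent from total decryption times only.
    The adversary is assumed to know bit_len and the cost model, not SECRET_D."""
    rng = random.Random(seed)
    gs = [rng.randrange(2, n - 1) for _ in range(samples)]
    times = [timed_modexp(g, SECRET_D, n)[1] for g in gs]   # step (1): the measurements
    d = 0                                                     # bits recovered so far
    for _ in range(bit_len):                                  # step (2): high bit first
        t_prime = []
        for g in gs:
            A = pow(g, d, n)          # A after the bits already known
            A = A * A % n             # the squaring of step (2.1) happens regardless
            t_prime.append(mul_cost(A, g))                    # (2.1): price the guess d_i = 1
        t_dprime = [t - tp for t, tp in zip(times, t_prime)]  # (2.2): t'' = t - t'
        bit = 1 if pvariance(t_dprime) < pvariance(times) else 0
        d = (d << 1) | bit
    return d


if __name__ == "__main__":
    print(timing_attack(N, 19, 2500, seed=7) == SECRET_D)    # True
```

Each per-operation cost has variance 8.25 in this model, while the sampling noise of the variance comparison is about ±2 with 2500 samples, so every bit is decided with a wide margin; a real device needs far more samples because of noise, but the principle, subtracting a computable component and watching the variance move, is unchanged. The standard countermeasure is to make the operation's time independent of the data (constant-time arithmetic) or to blind the base with a random factor before exponentiation, which destroys the adversary's ability to compute t_j'.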
4 RSA Encryption in Practice

4.1 Recommended Size of Modulus
Given the progress in algorithms for factoring integers, in particular the number field sieve, a modulus n of at least 1024 bits was recommended at the time of these notes, and 2048-bit or larger moduli for long-term security. Current guidance no longer accepts 1024-bit moduli at all; 2048 bits is the practical minimum today.
4.2 Selecting Primes
(1) The primes p and q should be selected so that factoring n = pq is computationally infeasible. The major restriction on p and q in order to avoid the elliptic curve factoring algorithm is that p and q should be about the same bit-length, and sufficiently large. For example, if a 1024-bit modulus n is to be used, then each of p and q should be about 512 bits in length.
(2) Another restriction on the primes p and q is that the difference p − q should not be too small, since otherwise the Fermat factorization method of Section 3.2 finds them in about |p − q|/2 steps. If p and q are chosen at random, then p − q will be appropriately large with overwhelming probability.
(3) Many authors have recommended that p and q be strong primes. A prime p is said to be a strong prime if the following three conditions are satisfied:
* p − 1 has a large prime factor, denoted r;
** p + 1 has a large prime factor;
*** r − 1 has a large prime factor.
The reason for the first condition is to foil Pollard's p − 1 factoring algorithm, which is efficient only if n has a prime factor p such that p − 1 is smooth. The second condition foils the p + 1 factoring algorithm, which is efficient only if n has a prime factor p such that p + 1 is smooth. Finally, the third condition ensures that the cycling attacks of Section 3.8 will fail.
If the prime p is randomly chosen and is sufficiently large, then both p − 1 and p + 1 can be expected to have large prime factors. Additionally, it has been shown that the chances of a cycling attack succeeding are negligible if p and q are randomly chosen. Thus, strong primes offer little protection beyond that offered by random primes. Given the current state of knowledge of factoring algorithms, there is no compelling reason for requiring the use of strong primes in RSA key generation. On the other hand, they require only minimal additional running time to compute. Thus there is little real additional cost in using them.
4.3 Exponents
(1) If the encryption exponent e is chosen at random, then RSA encryption using Algorithm 4 takes k modular squarings and an expected k/2 modular multiplications, where k is the bit-length of the modulus n. Encryption can be sped up by selecting e to be small and/or by selecting e with a small number of 1's in its binary representation.
(2) The encryption exponent e = 3 is commonly used in practice. In this case, it is necessary that neither p − 1 nor q − 1 be divisible by 3. This results in a very fast encryption operation since encryption only requires 1 multiplication and 1 squaring. Another encryption exponent used in practice is e = 2^16 + 1 = 65537. This number has only two 1's in its binary representation, and so encryption using Algorithm 4 requires only 16 squarings and 1 multiplication. The encryption exponent e = 2^16 + 1 has the advantage over e = 3 that the attack of Section 3.3 would need the same message to be sent to 2^16 + 1 recipients, which is unlikely (and randomized padding such as RSA-OAEP removes the issue entirely).
(3) Because of the small decryption exponent attack (Section 3.4), the secret exponent must satisfy d > n^(0.292). Boneh and Durfee could not state their attack as a theorem, since they could not prove that it always succeeds; but the experiments they carried out demonstrate its effectiveness, and they were not able to find a single example where the attack fails.
5 Rabin Encryption Algorithm

5.1 Description

Algorithm 7 (Key generation for Rabin public-key encryption)
SUMMARY: each entity creates a public key and a corresponding private key.
Each entity A should do the following:
(1) Generate two large random (and distinct) primes p and q, each roughly the same size.
(2) Compute n = pq.
(3) A's public key is n; A's private key is (p, q).

Algorithm 8 (Rabin public-key encryption)
SUMMARY: B encrypts a message m for A, which A decrypts.
Encryption. B should do the following:
(1) Obtain A's authentic public key n.
(2) Represent the message as an integer m in the range [0, n − 1].
(3) Compute c = m^2 mod n.
(4) Send the ciphertext c to A.
Decryption. To recover plaintext m from c, A should do the following:
(1) Find the four square roots m_1, m_2, m_3, and m_4 of c modulo n.
(2) The message sent was either m_1, m_2, m_3, or m_4. A somehow decides which of these is m.
Explain. Fact 3 (Chinese remainder theorem). If the integers n_1, n_2, ..., n_k are pairwise relatively prime, and n = n_1 n_2 ... n_k, then the system of simultaneous congruences
f(x) ≡ 0 (mod n_1)
f(x) ≡ 0 (mod n_2)
...
f(x) ≡ 0 (mod n_k)
is equivalent to the congruence f(x) ≡ 0 (mod n).

Definition 1. Let a ∈ Z_n with gcd(a, n) = 1. a is said to be a quadratic residue modulo n if there exists an x ∈ Z_n such that x^2 ≡ a (mod n). If no such x exists, then a is called a quadratic non-residue modulo n. The set of all quadratic residues modulo n is denoted by Q_n and the set of all quadratic non-residues is denoted by Q̄_n.

Fact 4. Let p be a prime number. Then for any a ∈ Q_p, there are exactly two square roots of a modulo p. Denoting one of them by x, the other is p − x (= −x).

Hence, for n = pq with c a quadratic residue, the congruence x^2 ≡ c (mod n) is equivalent (Fact 3) to x^2 ≡ c (mod p) together with x^2 ≡ c (mod q), each of which has exactly two solutions (Fact 4); combining one root modulo p with one root modulo q by the Chinese remainder theorem gives the four square roots of step (1) of decryption.
Example 4 (Rabin public-key encryption with artificially small parameters)
Key generation. Entity A chooses the primes p = 277, q = 331, and computes n = pq = 91687. A's public key is n = 91687, while A's private key is (p, q) = (277, 331).
Encryption. Suppose that the last six bits of original messages are required to be replicated prior to encryption (see Section 6.3). In order to encrypt the 10-bit message m = 1001111001, B replicates the last six bits of m to obtain the 16-bit message m = 1001111001111001, which in decimal notation is m = 40569. B then computes
c = m^2 mod n = 40569^2 mod 91687 = 62111
and sends this to A.
Decryption. To decrypt c, A uses her knowledge of the factors of n to compute the four square roots of c mod n:
m_1 = 69654, m_2 = 22033, m_3 = 40569, m_4 = 51118,
which in binary are
m_1 = 10001000000010110, m_2 = 101011000010001, m_3 = 1001111001111001, m_4 = 1100011110101110.
Since only m_3 has the required redundancy, A decrypts c to m_3 and recovers the original message m = 1001111001.
6 Implementation of Rabin Encryption

6.1 Finding Square Roots
If p and q are both chosen to be ≡ 3 (mod 4), computing the four square roots of c modulo n simplifies as follows:
(1) Use the extended Euclidean algorithm to find integers a and b satisfying ap + bq = 1. Note that a and b can be computed once and for all during the key generation stage.
(2) Compute r = c^((p+1)/4) mod p.
(3) Compute s = c^((q+1)/4) mod q.
(4) Compute x = (aps + bqr) mod n.
(5) Compute y = (aps − bqr) mod n.
(6) The four square roots of c modulo n are x, −x mod n, y, and −y mod n.
Steps (2) and (3) rely on p ≡ 3 (mod 4): then r^2 ≡ c^((p+1)/2) ≡ c · c^((p−1)/2) ≡ c (mod p) by Euler's criterion, since c is a quadratic residue modulo p. (The primes of Example 4 do not both satisfy this condition, since 277 ≡ 1 (mod 4); for such a prime a general square-root algorithm such as Tonelli–Shanks is used instead.) Steps (4) and (5) combine r and s by the Chinese remainder theorem: since bq ≡ 1 (mod p) and ap ≡ 1 (mod q), x ≡ r (mod p) and x ≡ s (mod q), and likewise y ≡ −r (mod p) and y ≡ s (mod q).
6.2 About Efficiency
Rabin encryption is an extremely fast operation as it involves only a single modular squaring. By comparison, RSA encryption with e = 3 takes one modular multiplication and one modular squaring.
Rabin decryption is slower than encryption, but comparable in speed to RSA decryption.
6.3 Redundancy Problem
A drawback of the Rabin public-key scheme is that the receiver is faced with the task of selecting the correct plaintext from among four possibilities. This ambiguity in decryption can easily be overcome in practice by adding pre-specified redundancy to the original plaintext prior to encryption. (For example, the last 64 bits of the message may be replicated.) Then, with high probability, exactly one of the four square roots of a legitimate ciphertext will possess this redundancy. If none of the square roots possesses this redundancy, then the receiver should reject the ciphertext as fraudulent.
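The following is an added example, not code from the lecture: it runs Example 4 end to end (key n = 277 · 331, the replicated-six-bits redundancy of the encryption step, the four roots of the decryption step) with the receiver's root computation organised as steps (1) to (6) of 6.1 and the accept/reject rule of 6.3. One caveat the lecture's numbers hide: the 6.1 shortcut exponent (p+1)/4 requires p ≡ 3 (mod 4), and 277 ≡ 1 (mod 4), so only q = 331 qualifies. The block therefore falls back to the Tonelli-Shanks algorithm for p; that fallback, the function names and the helper `bezout` are this example's assumptions, not the lecture's. Python 3.8 or later.

```python
# Added example (not part of the lecture): Rabin encryption and decryption with
# replicated-bit redundancy. Parameters are those of Example 4 (p = 277, q = 331).
# Step numbers in comments refer to the six steps of section 6.1.


def bezout(p, q):
    """Extended Euclid (step 1): return (a, b) with a*p + b*q == gcd(p, q)."""
    old_r, r = p, q
    old_a, a = 1, 0
    old_b, b = 0, 1
    while r:
        k = old_r // r
        old_r, r = r, old_r - k * r
        old_a, a = a, old_a - k * a
        old_b, b = b, old_b - k * b
    return old_a, old_b


def sqrt_mod_prime(c, p):
    """One square root of c modulo an odd prime p, or None if c is a non-residue."""
    c %= p
    if c == 0:
        return 0
    if pow(c, (p - 1) // 2, p) != 1:          # Euler's criterion: c is not a residue
        return None
    if p % 4 == 3:                            # the 6.1 shortcut (steps 2 and 3)
        return pow(c, (p + 1) // 4, p)
    # p = 1 (mod 4): Tonelli-Shanks, our addition since 6.1 does not cover this case
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:   # any quadratic non-residue will do
        z += 1
    m, cc, t, r = s, pow(z, q, p), pow(c, q, p), pow(c, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(cc, 1 << (m - i - 1), p)
        m, cc, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def rabin_roots(c, p, q):
    """The four square roots of c modulo n = pq (steps 4 to 6), sorted."""
    n = p * q
    a, b = bezout(p, q)                       # step 1: a*p + b*q == 1
    r, s = sqrt_mod_prime(c, p), sqrt_mod_prime(c, q)
    if r is None or s is None:
        return []                             # c is not a square modulo n
    x = (a * p * s + b * q * r) % n           # step 4
    y = (a * p * s - b * q * r) % n           # step 5
    return sorted({x, n - x, y, n - y})       # step 6


def add_redundancy(m, k):
    """Replicate the last k bits of m, the redundancy rule of Example 4 and 6.3."""
    return (m << k) | (m & ((1 << k) - 1))


def rabin_encrypt(m_red, n):
    """A single modular squaring."""
    return m_red * m_red % n


def rabin_decrypt(c, p, q, msg_bits, k):
    """Return the original message if exactly one root carries the redundancy
    and fits the expected length; otherwise None (reject as fraudulent)."""
    mask = (1 << k) - 1
    candidates = [r for r in rabin_roots(c, p, q)
                  if r.bit_length() <= msg_bits + k
                  and (r & mask) == ((r >> k) & mask)]
    if len(candidates) != 1:
        return None
    return candidates[0] >> k


P, Q = 277, 331
N = P * Q                    # 91687, A's public key
M = 0b1001111001             # the 10-bit message of Example 4

if __name__ == "__main__":
    c = rabin_encrypt(add_redundancy(M, 6), N)
    print(c, rabin_roots(c, P, Q), bin(rabin_decrypt(c, P, Q, 10, 6)))
```

Running it reproduces c = 62111, the roots 22033, 40569, 51118, 69654, and the recovered message 1001111001. A ciphertext built from a message without the redundancy (for instance the square of 12345) makes `rabin_decrypt` return None, which is the rejection branch 6.3 asks for.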
7 Security of Rabin Encryption
(1) The Rabin public-key encryption scheme is susceptible to attacks similar to those on RSA described earlier concerning a small encryption exponent and the forward search problem. These can be circumvented by salting the plaintext message.
(2) The task faced by a passive adversary is to recover the plaintext m from the corresponding ciphertext c. This is precisely the SQROOT problem. The problems of factoring n and computing square roots modulo n are computationally equivalent. Hence, assuming that factoring n is computationally intractable, the Rabin public-key encryption scheme is provably secure against a passive adversary.
Justification. Suppose that one has a polynomial-time algorithm R for solving the SQROOT problem. This algorithm can then be used to factor a given composite integer n as follows. Select an integer x at random with gcd(x, n) = 1, and compute a ≡ x^2 (mod n). Next, algorithm R is run with inputs a and n, and a square root y of a modulo n is returned. If y ≡ ±x (mod n), then the trial fails, and the above procedure is repeated with a new x chosen at random. Otherwise, gcd(x − y, n) is guaranteed to be a non-trivial factor of n, namely p or q. Since a has four square roots modulo n, the probability of success for each attempt is 1/2.
(3) While secure against a passive adversary, the Rabin public-key encryption scheme succumbs to a chosen-ciphertext attack. Such an attack can be mounted as follows. The adversary selects a random integer m and computes c ≡ m^2 (mod n). The adversary then presents c to A's decryption machine, which decrypts c and returns some plaintext y. Since A does not know m, and m is randomly chosen, the plaintext y is not necessarily the same as m. With probability 1/2, y ≢ ±m (mod n), in which case gcd(m − y, n) is one of the prime factors of n. Otherwise, the attack is repeated with a new m.
(4) If redundancy is used as above, the Rabin public-key encryption scheme is no longer susceptible to the chosen-ciphertext attack. If an adversary selects a message m having the required redundancy and gives c ≡ m^2 (mod n) to A's decryption machine, with very high probability the machine will return the plaintext m itself to the adversary (since the other three square roots of c will most likely not contain the required redundancy), providing no new information. On the other hand, if the adversary selects a message m which does not contain the required redundancy, then with high probability none of the four square roots will possess the required redundancy. In this case, the decryption machine will fail to decrypt c and thus will not provide a response to the adversary. Hence, Rabin public-key encryption, suitably modified by adding redundancy, is of great practical interest.
8 Summary of Public Key Encryption
8.1 Requirements for Public Key Encryption
In a public key system, the message set M, the key set K, and the encryption and decryption functions E and D must satisfy the following requirements:
(1) E_k(D_k(m)) = m and D_k(E_k(m)) = m for every m ∈ M.
(2) For every m and every k, the values of E_k(m) and D_k(m) are easy to compute.
8.1 Requirements for Public Key Encryption (Continued)
(3) For almost every k ∈ K, if someone knows only the function E_k, it is computationally infeasible to find an algorithm to compute D_k.
(4) Given k ∈ K, it is easy to find the functions E_k and D_k.
8.1 Requirements for Public Key Encryption (Continued)
Example 5. Let's see how RSA satisfies these requirements. As we mentioned previously, a key for RSA is a triple k = (e, d, n). The encryption function is E_k(m) = m^e (mod n). The decryption function is D_k(m) = m^d (mod n). Once a public key system is set up, each user generates a key k and determines E_k and D_k. The encryption function E_k is made public, while D_k is kept secret. If there is a problem with impostors, a trusted authority can be used to verify keys.
8.2 About Authentication and Non-Repudiation
(1) In a symmetric system, authentication is easy but non-repudiation is not.
(2) In an asymmetric system, authentication and non-repudiation are not automatic. However, both goals are easily accomplished. For example, compute and send the message E_kb(S_ka(m)) = E_kb(D_ka(m)) for the RSA algorithm.
8.3 Trapdoor Functions and Collections
Definition 2. A trapdoor one-way function is a one-way function f: X → Y with the additional property that, given some extra information (called the trapdoor information), it becomes feasible to find, for any given y ∈ Y, an x ∈ X such that f(x) = y.
# No one has yet definitively proved the existence of such functions under reasonable (and rigorous) definitions of 'easy' and 'computationally infeasible'. Since the existence of one-way functions is still unknown, the existence of trapdoor one-way functions is also unknown. However, there are a number of good candidates for one-way and trapdoor one-way functions.
8.3 Trapdoor Functions and Collections (Continued)
Candidate Trapdoor Functions.
(1) RSA is a candidate trapdoor one-way function. Let n = pq be a product of two primes. It is believed that such an n is hard to factor. The function is f(x) = x^e (mod n), where gcd(e, φ(n)) = 1. The trapdoor information is p and q, or d, where ed ≡ 1 (mod φ(n)).
(2) Rabin is also a candidate trapdoor one-way function. The function is f(x) = x^2 (mod n). The trapdoor information is p and q.
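An added example, not code from the lecture, tying together Example 5 of 8.1, the construction of 8.2 and candidate (1) of 8.3: a toy RSA key k = (e, d, n), the functions E_k and D_k, a check of requirement (1) in both orders, and the message E_kb(D_ka(m)) that A sends to B, which B recovers by applying D_kb and then A's public E_ka. The primes, exponents and function names are constructed for illustration and far too small to be secure; the trapdoor d is obtained with Python's `pow(e, -1, phi)` (Python 3.8 or later).

```python
# Added example (not from the lecture): toy RSA as a trapdoor one-way function,
# checked against the 8.1 requirements, plus the 8.2 sign-then-encrypt message.
from math import gcd


def rsa_keygen(p, q, e):
    """Key triple k = (e, d, n). Given p and q, finding d is easy (requirement 4):
    d is the inverse of e modulo phi(n) = (p-1)(q-1), so e*d = 1 (mod phi(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)
    return (e, d, n)


def E(k, m):
    """E_k(m) = m^e (mod n): the public, easy-to-compute direction (requirement 2)."""
    e, _, n = k
    return pow(m, e, n)


def D(k, m):
    """D_k(m) = m^d (mod n): easy only with the trapdoor d (requirements 2 and 3)."""
    _, d, n = k
    return pow(m, d, n)


def satisfies_requirement_1(k, m):
    """Requirement (1): E_k(D_k(m)) = m and D_k(E_k(m)) = m."""
    return E(k, D(k, m)) == m and D(k, E(k, m)) == m


def sign_then_encrypt(ka, kb, m):
    """8.2: A sends E_kb(D_ka(m)), using her own trapdoor d_a and B's public (e_b, n_b)."""
    return E(kb, D(ka, m))


def decrypt_then_verify(ka, kb, ct):
    """B applies D_kb (his trapdoor) and then E_ka (A's public function). Recovering a
    meaningful m shows the message came from A, who alone can compute D_ka."""
    return E(ka, D(kb, ct))


# Constructed toy keys. A's modulus is smaller than B's so that D_ka(m) < n_b and
# the inner value survives B's encryption unchanged.
KA = rsa_keygen(277, 331, 7)        # n_a = 91687
KB = rsa_keygen(1009, 1013, 17)     # n_b = 1022117


def demo(m=633):
    """Return (requirement 1 holds for A's key, message B recovers) for the message m."""
    ct = sign_then_encrypt(KA, KB, m)
    return satisfies_requirement_1(KA, m), decrypt_then_verify(KA, KB, ct)


if __name__ == "__main__":
    print(KA, KB)
    print(demo())        # (True, 633)
```

Requirement (3), that E_k alone does not reveal D_k, is the part no code can check: it is exactly the belief that factoring n is hard, the same assumption Rabin's candidate f(x) = x^2 (mod n) rests on.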