public-key encryption - computer science and...
TRANSCRIPT
p1.
Public-Key Encryption
Reading: K&L Chapter 11
p2.
Public-Key Encryption
• Also known as asymmetric-key encryption.
• The receiver has a pair of keys: a public key pk and a private key sk.
• The public key, known to the public, is used for encryption.
• The private key, known only to its owner, is used for decryption.
p3.
Public-key Encryption
(Diagram.) Bob encrypts the message $m$ under Alice's public key, $c = E(m)$, and sends $c$ to Alice; Alice decrypts with Alice's secret key, $m = D(c)$.
p4.
Why Public-Key Cryptography?
• Developed to address two main issues:
 – key distribution
 – digital signatures
• Invented by Diffie & Hellman in 1976.
p5.
Symmetric-key encryption scheme (for comparison)
• A tuple of polynomial-time algorithms: $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$.
• Key generation algorithm $\mathrm{Gen}$: On input $1^n$, outputs a key $k \in \{0,1\}^*$. We write $k \leftarrow \mathrm{Gen}(1^n)$. ($n$: security parameter.)
• Encryption algorithm $\mathrm{Enc}$: On input a key $k$ and a message $m \in \{0,1\}^*$, outputs a ciphertext $c$. We write $c \leftarrow \mathrm{Enc}_k(m)$.
• Decryption algorithm $\mathrm{Dec}$: On input a key $k$ and a ciphertext $c$, outputs a message $m$ or an error symbol $\bot$. We write $m := \mathrm{Dec}_k(c)$.
• Correctness requirement: for every $k \leftarrow \mathrm{Gen}(1^n)$ and $m \in \{0,1\}^*$, $\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m$.
• $\mathrm{Gen}$, $\mathrm{Enc}$ are probabilistic. $\mathrm{Dec}$, deterministic.
p6.
Public-key encryption scheme
• $\mathrm{Gen}$: on input $1^n$, outputs a pair of keys $(pk, sk)$, each of length at least $n$. We write $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$.
• $\mathrm{Enc}$: on input a public key $pk$ and a message $m \in \mathcal{M}$, outputs a ciphertext $c$. We write $c \leftarrow \mathrm{Enc}_{pk}(m)$. (The message space $\mathcal{M}$ may depend on $pk$.)
• $\mathrm{Dec}$: On input a secret key $sk$ and a ciphertext $c$, outputs a message $m$ or an error symbol $\bot$. We write $m := \mathrm{Dec}_{sk}(c)$.
• It is required that, except possibly with negligible probability over key pairs $(pk, sk)$ output by $\mathrm{Gen}(1^n)$, $\Pr[\mathrm{Dec}_{sk}(\mathrm{Enc}_{pk}(m)) = m] = 1$ for every $m \in \mathcal{M}$.
p7.
Different notions of security
• EAV-security (against eavesdroppers, ciphertext-only attacks): one encryption / multiple encryptions
• CPA-security (against chosen-plaintext attacks): one encryption / multiple encryptions
• CCA-security (against chosen-ciphertext attacks): one encryption / multiple encryptions
p8.
Ciphertext Indistinguishability
• $A$: a polynomial-time eavesdropper. $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$: a public-key encryption scheme.
• Experiment $\mathrm{PubK}^{\mathrm{eav}}_{A,\Pi}(n)$:
 – $\mathrm{Gen}(1^n)$ is run to obtain a pair of keys $(pk, sk)$.
 – The adversary is given $pk$, and outputs a pair of messages $m_0, m_1 \in \mathcal{M}$ of the same length.
 – A random bit $b \in \{0,1\}$ is chosen; and a ciphertext $c \leftarrow \mathrm{Enc}_{pk}(m_b)$ is computed and given to the adversary.
 – The adversary outputs a bit $b'$. $\mathrm{PubK}^{\mathrm{eav}}_{A,\Pi}(n) = 1$ if and only if $b' = b$.
p9.
• Definition: A public-key encryption scheme $\Pi$ is EAV-secure if for every polynomial-time adversary $A$ there exists a negligible function $\mathrm{negl}$ such that
 $\Pr[\mathrm{PubK}^{\mathrm{eav}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n)$.
• We may similarly define CPA-security and CCA-security.
p10.
Remarks
• Since the adversary knows the public key $pk$, it can encrypt any polynomial number of messages of its choice. That is, eavesdroppers are automatically capable of CPAs. Thus, if a public-key encryption scheme is EAV-secure, then it is also CPA-secure.
• A deterministic public-key encryption scheme is not CPA-secure, and hence not EAV-secure.
• If a public-key encryption scheme is CPA-secure, then it is CPA-secure for multiple encryptions.
p11.
Hybrid Encryption
• Compared with private-key encryption, public-key encryption is slower and has longer ciphertexts.
• Hybrid encryption:
 – Use public-key encryption to obtain a shared key $k$.
 – Use private-key encryption to encrypt the message under key $k$.
p12.
p13.
The KEM/DEM Paradigm
p14.
Key-encapsulation mechanism (KEM)
• $\mathrm{Gen}$: on input $1^n$, outputs a pair of keys $(pk, sk)$, each of length at least $n$. $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$.
• $\mathrm{Encaps}$: on input $1^n$ and a public key $pk$, outputs a ciphertext $c$ and a key $k \in \{0,1\}^n$. We write $(c, k) \leftarrow \mathrm{Encaps}_{pk}(1^n)$.
• $\mathrm{Decaps}$: on input a secret key $sk$ and a ciphertext $c$, outputs a key $k$ or an error symbol $\bot$. We write $k := \mathrm{Decaps}_{sk}(c)$.
• It is required that with all but negligible probability over $(pk, sk)$ output by $\mathrm{Gen}(1^n)$, it holds: $(c, k) \leftarrow \mathrm{Encaps}_{pk}(1^n) \Rightarrow \mathrm{Decaps}_{sk}(c) = k$.
p15.
Hybrid encryption using KEM
p16.
Hybrid encryption using KEM
• Construct an encryption scheme $\Pi^{\mathrm{hy}} = (\mathrm{Gen}^{\mathrm{hy}}, \mathrm{Enc}^{\mathrm{hy}}, \mathrm{Dec}^{\mathrm{hy}})$ from a KEM $\Pi = (\mathrm{Gen}, \mathrm{Encaps}, \mathrm{Decaps})$ and a private-key encryption scheme $\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$.
• $\mathrm{Gen}^{\mathrm{hy}}$: on input $1^n$, run $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$.
• $\mathrm{Enc}^{\mathrm{hy}}$: on input a public key $pk$ and message $m \in \{0,1\}^*$, $(c, k) \leftarrow \mathrm{Encaps}_{pk}(1^n)$, $c' \leftarrow \mathrm{Enc}'_k(m)$, output the ciphertext $\langle c, c' \rangle$.
• $\mathrm{Dec}^{\mathrm{hy}}$: on input a secret key $sk$ and a ciphertext $\langle c, c' \rangle$, $k := \mathrm{Decaps}_{sk}(c)$, $m := \mathrm{Dec}'_k(c')$.
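The construction above, as an added example that is not from the slides: $\Pi^{\mathrm{hy}}$ built from a KEM and a private-key scheme, instantiated with a toy RSA-style KEM on the slides' later example key ($N = 187$, $e = 7$, $d = 23$, assumed here as a fixed key instead of a real $\mathrm{Gen}$) and a SHA-256 keystream as $\Pi'$. The 8-bit modulus is only for tracing the construction: with 160 possible encapsulated values an eavesdropper could try them all.

```python
# Added example (not from the slides): Pi^hy = (Gen^hy, Enc^hy, Dec^hy) from a
# KEM Pi = (Gen, Encaps, Decaps) and a private-key scheme Pi' = (Gen', Enc', Dec').
import hashlib
import secrets
from math import gcd

# --- KEM Pi = (Gen, Encaps, Decaps) ----------------------------------------
TOY_N, TOY_E, TOY_D = 187, 7, 23      # assumed toy key: pk = (N, e), sk = (N, d)

def gen():
    """Gen(1^n): returns (pk, sk). A fixed toy key stands in for real generation."""
    return (TOY_N, TOY_E), (TOY_N, TOY_D)

def kdf(x: int, nbytes: int = 16) -> bytes:
    """Derives the symmetric key k from the encapsulated group element x."""
    return hashlib.sha256(b"toy-kem|" + x.to_bytes(4, "big")).digest()[:nbytes]

def encaps(pk):
    """Encaps_pk(1^n): choose random x in Z*_N, output (c, k) = (x^e mod N, KDF(x))."""
    n, e = pk
    while True:
        x = secrets.randbelow(n - 2) + 2      # 2 <= x <= N - 1
        if gcd(x, n) == 1:                    # keep x inside Z*_N
            return pow(x, e, n), kdf(x)

def decaps(sk, c: int) -> bytes:
    """Decaps_sk(c): recover x = c^d mod N and re-derive the same k."""
    n, d = sk
    return kdf(pow(c, d, n))

# --- Private-key scheme Pi' = (Gen', Enc', Dec') ---------------------------
def keystream(k: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, expanding k to `length` bytes."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(k + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def enc_prime(k: bytes, m: bytes) -> bytes:
    """Enc'_k(m): XOR with the keystream; k is fresh per Enc^hy call, so it is used once."""
    return bytes(a ^ b for a, b in zip(m, keystream(k, len(m))))

dec_prime = enc_prime      # Dec'_k(c') is the same XOR

# --- Hybrid scheme Pi^hy ----------------------------------------------------
def enc_hy(pk, m: bytes):
    """Enc^hy_pk(m): (c, k) <- Encaps_pk(1^n); c' <- Enc'_k(m); output <c, c'>."""
    c, k = encaps(pk)
    return c, enc_prime(k, m)

def dec_hy(sk, ct) -> bytes:
    """Dec^hy_sk(<c, c'>): k := Decaps_sk(c); m := Dec'_k(c')."""
    c, c_prime = ct
    return dec_prime(decaps(sk, c), c_prime)

def roundtrip_ok(m: bytes = b"constructed plaintext for the hybrid scheme") -> bool:
    """Correctness check: Dec^hy_sk(Enc^hy_pk(m)) = m for the toy key pair."""
    pk, sk = gen()
    return dec_hy(sk, enc_hy(pk, m)) == m
```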
p17.
CPA-security of KEMs
• $\Pi = (\mathrm{Gen}, \mathrm{Encaps}, \mathrm{Decaps})$: a KEM. Experiment $\mathrm{KEM}^{\mathrm{cpa}}_{A,\Pi}(n)$:
 – $\mathrm{Gen}(1^n)$ is run to obtain a pair of keys $(pk, sk)$.
 – $\mathrm{Encaps}_{pk}(1^n)$ is run to generate $(c, k)$ with $k \in \{0,1\}^n$.
 – A random bit $b \in \{0,1\}$ is chosen; and $\hat{k} := k$ if $b = 0$, else $\hat{k} :=$ a random string in $\{0,1\}^n$.
 – The adversary, given $(pk, c, \hat{k})$, outputs a bit $b'$.
 – $\mathrm{KEM}^{\mathrm{cpa}}_{A,\Pi}(n) = 1$ if and only if $b' = b$.
• $\Pi$ is CPA-secure iff $\forall A$, $\Pr[\mathrm{KEM}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n)$.
p18.
Security of hybrid encryption
• Let $\Pi^{\mathrm{hy}} = (\mathrm{Gen}^{\mathrm{hy}}, \mathrm{Enc}^{\mathrm{hy}}, \mathrm{Dec}^{\mathrm{hy}})$ be constructed from $\Pi = (\mathrm{Gen}, \mathrm{Encaps}, \mathrm{Decaps})$ and $\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$ as above.
• Theorem: If $\Pi$ is CPA-secure and $\Pi'$ is EAV-secure, then $\Pi^{\mathrm{hy}}$ is CPA-secure.
• Theorem: If $\Pi$ is CCA-secure and $\Pi'$ is CCA-secure, then $\Pi^{\mathrm{hy}}$ is CCA-secure.
p19.
One-way function with trapdoor (informal)
• Easy: $x \to y = f(x)$.
• Hard: $y \to x = f^{-1}(y)$.
• Easy with the trapdoor: $x \leftarrow f^{-1}(y)$. Use the trapdoor as the private key.
• Most public-key encryption schemes are based on assumed trapdoor one-way functions.
• Most one-way functions come from number theory.
p20.
Modular Arithmetic
Reading: K&L Section 8.1
p21.
Integers
• $a \mid b$: $a$ divides $b$, $a$ is a divisor of $b$.
• $\gcd(a, b)$: greatest common divisor of $a$ and $b$.
• Coprime or relatively prime: $\gcd(a, b) = 1$.
• Euclid's algorithm: compute $\gcd(a, b)$.
• Extended Euclid's algorithm: compute integers $x$ and $y$ such that $ax + by = \gcd(a, b)$.
p22.
Integers modulo N
• Let $N \ge 2$ be an integer.
• Definition: $a$ is congruent to $b$ modulo $N$, written $a \equiv b \pmod N$ (or $a = b \bmod N$ as in the book), if $N \mid (a - b)$, i.e., $a$ and $b$ have the same remainder when divided by $N$.
• Define $[a]_N := \{x : x \equiv a \bmod N\}$.
• $[a]_N$ is called a residue class modulo $N$, and $a$ is a representative of that class.
p23.
• There are exactly $N$ residue classes modulo $N$: $[0]_N, [1]_N, [2]_N, \ldots, [N-1]_N$.
• $\mathbb{Z} = [0]_N \cup [1]_N \cup \cdots \cup [N-1]_N$.
• If $x \in [a]_N$, $y \in [b]_N$, then $x + y \in [a + b]_N$ and $x \cdot y \in [a \cdot b]_N$.
• Define addition and multiplication for residue classes:
 $[a]_N + [b]_N = [a + b]_N$
 $[a]_N \cdot [b]_N = [a \cdot b]_N$.
p24.
Group
• A group, denoted by $(G, \ast)$, is a set $G$ along with a binary operation $\ast$ such that:
 1. (Closure) For all $x, y \in G$, $x \ast y \in G$.
 2. (Associativity) $(x \ast y) \ast z = x \ast (y \ast z)$.
 3. (Existence of an identity) There exists an $e \in G$ s.t. $\forall x \in G$, $x \ast e = e \ast x = x$.
 4. (Existence of inverses) For all $x \in G$, there exists an element $y \in G$ s.t. $x \ast y = y \ast x = e$. Such a $y$ is called an inverse of $x$.
• A group $(G, \ast)$ is abelian (or commutative) if for all $x, y \in G$, $x \ast y = y \ast x$.
p25.
• A group $(G, \ast)$ is finite if $G$ is finite.
• The identity of a group is unique.
• The inverse of an element is unique.
• If $(G, \ast)$ is a group and $H \subseteq G$ itself is a group under the same operation $\ast$, then $H$ is a subgroup of $G$.
• Examples: $(\mathbb{Z}, +)$, $(\mathbb{Q}, +)$, $(\mathbb{Q} \setminus \{0\}, \times)$, $(\mathbb{R}, +)$, $(\mathbb{R} \setminus \{0\}, \times)$.
p26.
$\mathbb{Z}_N$
• Define $\mathbb{Z}_N = \{[0]_N, [1]_N, \ldots, [N-1]_N\}$. Or, more conveniently, $\mathbb{Z}_N = \{0, 1, \ldots, N-1\}$.
• $(\mathbb{Z}_N, +)$ forms an abelian (additive) group.
• For $a, b \in \mathbb{Z}_N$, $a + b = (a + b) \bmod N$. (That is, $[a]_N + [b]_N = [(a + b) \bmod N]_N$.)
• $0$ is the identity element. The inverse of $a$, denoted by $-a$, is $N - a$.
• When doing addition/subtraction in $\mathbb{Z}_N$, just do the regular addition/subtraction and reduce the result modulo $N$.
• In $\mathbb{Z}_{10}$, $5 + 5 + 9 + 4 + 6 + 2 + 8 + 3 = ?$
p27.
• $(\mathbb{Z}_N, \ast)$ is not a group, because $0^{-1}$ does not exist.
• Even if we exclude $0$ and consider only $\mathbb{Z}_N \setminus \{0\}$, $(\mathbb{Z}_N \setminus \{0\}, \ast)$ is not necessarily a group; some $a^{-1}$ may not exist.
• For $a \in \mathbb{Z}_N$, $a^{-1}$ exists if and only if $\gcd(a, N) = 1$.
p28.
$\mathbb{Z}_N^*$
• Let $\mathbb{Z}_N^* := \{a \in \mathbb{Z}_N : \gcd(a, N) = 1\}$.
• $(\mathbb{Z}_N^*, \ast)$ is an abelian (multiplicative) group. $a \ast b = ab \bmod N$. $1$ is the identity element. The inverse of $a$, written $a^{-1}$, can be computed by the Extended Euclidean Algorithm.
• For example, $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$. $5 \ast 7 = 35 \bmod 12 = 11$.
• Q: How many elements are there in $\mathbb{Z}_N^*$?
p29.
Euler's totient function:
• $\phi(N) = |\mathbb{Z}_N^*| = |\{a : 1 \le a \le N \text{ and } \gcd(a, N) = 1\}|$
• Theorem:
 1. $\phi(p^e) = p^{e-1}(p - 1)$ for prime $p$
 2. $\phi(ab) = \phi(a)\,\phi(b)$ if $\gcd(a, b) = 1$
p30.
• Let $G$ be a finite (multiplicative) group.
• The order of $G$ is defined as $\mathrm{ord}(G) = |G|$.
• The order of $a \in G$, written $\mathrm{ord}(a)$, is the smallest positive integer $k$ such that $a^k = e$ ($e$: the identity element).
• Lagrange's theorem: For any element $a \in G$, $\mathrm{ord}(a) \mid \mathrm{ord}(G)$.
• Corollary: For any element $a \in G$, $a^{\mathrm{ord}(G)} = e$.
• Corollary: For any element $a \in G$, $a^m = a^{m \bmod \mathrm{ord}(G)}$.
p31.
• Euler's theorem: If $a \in \mathbb{Z}_N^*$ (for any $N > 1$), then $a^{\phi(N)} = 1$ in $\mathbb{Z}_N^*$.
• Fermat's little theorem: If $a \in \mathbb{Z}_p^*$ ($p$ a prime), then $a^{p-1} = 1$ in $\mathbb{Z}_p^*$.
• Corollary: If $a \in \mathbb{Z}_N^*$ (for any $N > 1$), then $a^m = a^{m \bmod \phi(N)}$ in $\mathbb{Z}_N^*$.
p32.
Example: $N = 15$
• $\mathbb{Z}_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$
• $\phi(15) = \phi(3)\,\phi(5) = 2 \times 4 = 8$
• For $a \in \mathbb{Z}_{15}^*$:
 $a$: 1 2 4 7 8 11 13 14
 $\mathrm{ord}(a)$: 1 4 2 4 4 2 4 2
• $a^{\phi(15)} = a^{8} = a^{16} = a^{24} = a^{32} = a^{40} = a^{48} = 1$
• $13^{-1} = ?$
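The group facts of the last few slides ($\mathbb{Z}_N^*$, $\phi$, element orders, Lagrange's corollary, Euler's theorem) worked out in code, as an added example that is not from the slides; it reproduces the $N = 15$ table and answers $13^{-1} = ?$ via $a^{-1} = a^{\phi(N)-1}$. The trial-division factorization is an assumption of the example, adequate for the small moduli used here.

```python
# Added example (not from the slides): Z*_N, Euler's phi via the slide's theorem,
# element orders, and checks of Lagrange's corollary and Euler's theorem.
from math import gcd

def z_star(n: int) -> list:
    """Z*_N = {a in Z_N : gcd(a, N) = 1}."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def factorize(n: int) -> dict:
    """Trial-division factorization {p: e}; fine for the small N used here (assumption)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi(n: int) -> int:
    """phi(N) from the theorem: phi(p^e) = p^(e-1)(p-1), multiplicative over coprime parts."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result

def order(a: int, n: int) -> int:
    """ord(a) in Z*_N: the smallest k >= 1 with a^k = 1 mod N."""
    if gcd(a, n) != 1:
        raise ValueError("a is not in Z*_N")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k

def order_table(n: int) -> dict:
    """{a: ord(a)} for every a in Z*_N (the slide's table for N = 15)."""
    return {a: order(a, n) for a in z_star(n)}

def euler_holds(n: int) -> bool:
    """Euler: a^phi(N) = 1 for all a in Z*_N; Lagrange: ord(a) divides phi(N) = ord(Z*_N)."""
    ph = phi(n)
    return all(pow(a, ph, n) == 1 and ph % order(a, n) == 0 for a in z_star(n))

def inverse_by_euler(a: int, n: int) -> int:
    """a^{-1} = a^{phi(N)-1} in Z*_N, a consequence of Euler's theorem."""
    if gcd(a, n) != 1:
        raise ValueError("a is not in Z*_N")
    return pow(a, phi(n) - 1, n)
```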
p33.
The Chinese Remainder Problem
• A problem described in an ancient Chinese arithmetic book by Sun Tze (around 300AD, the author of The Art of War).
• Problem: We have a number of objects, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many objects are there?
• Mathematically, if $x \equiv 2 \bmod 3$, $x \equiv 3 \bmod 5$, $x \equiv 2 \bmod 7$, what is $x$?
p34.
Chinese remainder theorem
• If integers $n_1, n_2, \ldots, n_k$ are pairwise coprime, then the system of congruences
 $x \equiv a_1 \bmod n_1$ // $a_1 \in \mathbb{Z}_{n_1}$ //
 $x \equiv a_2 \bmod n_2$ // $a_2 \in \mathbb{Z}_{n_2}$ //
 $\cdots$
 $x \equiv a_k \bmod n_k$ // $a_k \in \mathbb{Z}_{n_k}$ //
 has a unique solution modulo $N = n_1 n_2 \cdots n_k$:
 $x \equiv \sum_{i=1}^{k} a_i N_i y_i \pmod N$,
 where $N_i = N / n_i$ and $y_i = N_i^{-1} \bmod n_i$. (A formula by Gauss.)
p35.
Example: Chinese remainder theorem
Suppose $x \equiv 1 \bmod 3$, $x \equiv 6 \bmod 7$, $x \equiv 8 \bmod 10$. By the Chinese remainder theorem, the solution is:
 $x \equiv \big(1 \times 70 \times (70^{-1} \bmod 3) + 6 \times 30 \times (30^{-1} \bmod 7) + 8 \times 21 \times (21^{-1} \bmod 10)\big) \bmod 210$
  $\equiv \big(1 \times 70 \times (1^{-1} \bmod 3) + 6 \times 30 \times (2^{-1} \bmod 7) + 8 \times 21 \times (1^{-1} \bmod 10)\big) \bmod 210$
  $\equiv (1 \times 70 \times 1 + 6 \times 30 \times 4 + 8 \times 21 \times 1) \bmod 210 \equiv 958 \bmod 210 \equiv 118 \bmod 210$.
p36.
Chinese remainder theorem
• Let $N = n_1 n_2 \cdots n_k$, where $n_1, n_2, \ldots, n_k$ are pairwise coprime. There is a one-to-one correspondence
 $\mathbb{Z}_N \longleftrightarrow \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}$
 $x \longleftrightarrow (x \bmod n_1, x \bmod n_2, \ldots, x \bmod n_k)$
• Denote the mapping $\psi : \mathbb{Z}_N \to \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}$. Then,
 • $\psi(x \cdot y) = \psi(x) \cdot \psi(y)$.
 • $\psi(x + y) = \psi(x) + \psi(y)$.
p37.
• Computations in $\mathbb{Z}_N$ can be done by performing corresponding computations in $\mathbb{Z}_{n_1}, \mathbb{Z}_{n_2}, \ldots, \mathbb{Z}_{n_k}$, and then solving the CRP.
• If $a \leftrightarrow (a_1, \ldots, a_k)$ and $b \leftrightarrow (b_1, \ldots, b_k)$, then
 $a \pm b \leftrightarrow (a_1 \pm b_1, \ldots, a_k \pm b_k)$
 $a \times b \leftrightarrow (a_1 \times b_1, \ldots, a_k \times b_k)$
 $a \div b \leftrightarrow (a_1 \div b_1, \ldots, a_k \div b_k)$ if $b \in \mathbb{Z}_N^*$
 where the operations on the left are $\bmod N$ and the components on the right are $\bmod n_1, \ldots, \bmod n_k$.
p38.
Example: Chinese remainder theorem
• $\mathbb{Z}_{15} \leftrightarrow \mathbb{Z}_3 \times \mathbb{Z}_5$ and $\mathbb{Z}_{15}^* \leftrightarrow \mathbb{Z}_3^* \times \mathbb{Z}_5^*$.
• $8 \leftrightarrow (8 \bmod 3, 8 \bmod 5) = (2, 3)$
• $11 \leftrightarrow (11 \bmod 3, 11 \bmod 5) = (2, 1)$
• Suppose we want to compute $8 \times 11 \bmod 15$. $8 \times 11 \bmod 15 \leftrightarrow (2 \times 2 \bmod 3, 3 \times 1 \bmod 5) = (1, 3)$.
• $(1, 3) \leftrightarrow x \in \mathbb{Z}_{15}$ (which number corresponds to $(1, 3)$?) Solve $x \equiv 1 \bmod 3$, $x \equiv 3 \bmod 5$ $\Rightarrow$ $x = 13$.
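Gauss's formula from the theorem slide and the $\psi$ correspondence of the last two slides, as an added example that is not from the slides: it solves Sun Tze's problem and the $118 \bmod 210$ example, and multiplies $8 \times 11 \bmod 15$ component-wise before mapping back. Modular inverses use Python's built-in `pow(a, -1, n)` (3.8+) rather than the extended Euclidean algorithm the slides present later.

```python
# Added example (not from the slides): Chinese remainder theorem via Gauss's
# formula x = sum_i a_i * N_i * y_i mod N, and componentwise arithmetic via psi.
from math import gcd, prod

def crt(residues, moduli) -> int:
    """Solve x = a_i mod n_i for pairwise coprime n_i; returns x mod N, N = n_1...n_k."""
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    N = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        N_i = N // n_i                  # N_i = N / n_i
        y_i = pow(N_i, -1, n_i)         # y_i = N_i^{-1} mod n_i
        x += a_i * N_i * y_i
    return x % N

def psi(x: int, moduli) -> tuple:
    """The mapping psi: Z_N -> Z_{n_1} x ... x Z_{n_k}, x -> (x mod n_1, ..., x mod n_k)."""
    return tuple(x % n for n in moduli)

def mul_via_crt(a: int, b: int, moduli) -> int:
    """a * b mod N computed componentwise (psi(a) * psi(b)), then mapped back by CRT."""
    components = [(x * y) % n for x, y, n in zip(psi(a, moduli), psi(b, moduli), moduli)]
    return crt(components, moduli)
```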
p39.
Algorithms
• $\gcd(a, b)$ // $1 \le a, b \le N$ //
• $a^{-1} \bmod N$
• $a^k \bmod N$
• Running time: $O(\log^3 N)$.
p40.
Euclidean Algorithm
• Comment: compute $\gcd(a, b)$, where $a > b > 1$.
• $r_0 := a$; $r_1 := b$;
 for $i := 1, 2, \ldots$: $r_{i+1} := r_{i-1} \bmod r_i$, until $r_{n+1} = 0$;
 return $(r_n)$.
• Running time: $O(\log a)$ iterations; $O(\log^2 a)$ time for each mod. Overall running time: $O(\log^3 a)$.
p41.
Extended Euclidean Algorithm
• Given $a > b > 0$, compute $x, y$ such that $\gcd(a, b) = ax + by$.
• Example: $\gcd(299, 221) = ?$
 $299 = 1 \times 221 + 78$
 $221 = 2 \times 78 + 65$
 $78 = 1 \times 65 + 13$
 $65 = 5 \cdot 13 + 0$
 $\gcd(299, 221) = 13 = 78 - 65 = 78 - (221 - 2 \times 78) = 3 \cdot 78 - 221 = 3 \cdot (299 - 221) - 221 = 3 \times 299 - 4 \times 221$.
p42.
How to compute $a^{-1} \bmod N$
• That is, for $a \in \mathbb{Z}_N^*$, compute $a^{-1}$ in $\mathbb{Z}_N^*$.
• $a^{-1}$ exists if and only if $\gcd(a, N) = 1$.
• Use the extended Euclidean algorithm to find $x, y$ such that $ax + Ny = 1$.
• Then, in $\mathbb{Z}_N$, we have
 $[a] \cdot [x] + [N] \cdot [y] = [1]$
 $\Rightarrow [a] \cdot [x] = [1]$
 $\Rightarrow [a]^{-1} = [x]$.
p43.
Example
• Compute $15^{-1} \bmod 47$.
 $47 = 15 \times 3 + 2$ (divide 47 by 15; remainder 2)
 $15 = 2 \times 7 + 1$ (divide 15 by 2; remainder 1)
 $1 = 15 - 2 \times 7 \pmod{47}$
  $= 15 - (47 - 15 \times 3) \times 7 \pmod{47}$
  $= 15 \times 22 - 47 \times 7 \pmod{47}$
  $= 15 \times 22 \pmod{47}$
 $15^{-1} \bmod 47 = 22$. That is, $15^{-1} = 22$ in $\mathbb{Z}_{47}^*$.
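The Euclidean algorithm, its extended form and the inverse computation of the last four slides, as an added example that is not from the slides: the remainder sequence $r_0, r_1, \ldots$, an iterative extended Euclid returning $(g, x, y)$ with $ax + by = g$, and $a^{-1} \bmod N$ built on it, checked against $\gcd(299, 221) = 13 = 3 \times 299 - 4 \times 221$ and $15^{-1} \bmod 47 = 22$.

```python
# Added example (not from the slides): Euclid, extended Euclid, modular inverse.

def euclid_remainders(a: int, b: int) -> list:
    """r_0 = a, r_1 = b, r_{i+1} = r_{i-1} mod r_i, until the remainder is 0."""
    r = [a, b]
    while r[-1] != 0:
        r.append(r[-2] % r[-1])
    return r                        # the gcd is the last nonzero entry

def gcd(a: int, b: int) -> int:
    return euclid_remainders(a, b)[-2]

def ext_gcd(a: int, b: int) -> tuple:
    """Returns (g, x, y) with g = gcd(a, b) = a*x + b*y.
    Invariant: a0*x0 + b0*y0 = a and a0*x1 + b0*y1 = b for the original a0, b0,
    so the back-substitution of the slide is carried along instead of done afterwards."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b != 0:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_inverse(a: int, n: int) -> int:
    """a^{-1} mod N: from a*x + N*y = 1 we get [a][x] = [1] in Z_N. Raises if gcd(a, N) != 1."""
    g, x, _ = ext_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return x % n
```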
p44.
Algorithm: Square-and-Multiply$(x, c, N)$
• Comment: compute $x^c \bmod N$, where $c = (c_k c_{k-1} \ldots c_1 c_0)_2$ in binary.
• $z \leftarrow 1$
 for $i \leftarrow k$ downto $0$ do
  $z \leftarrow z^2 \bmod N$
  if $c_i = 1$ then $z \leftarrow (z \times x) \bmod N$
 return $(z)$
• Note: At the end of iteration $i$, $z = x^{(c_k \ldots c_i)_2} \bmod N$, i.e., $z$ is $x$ raised to the number whose binary representation is $c_k \ldots c_i$.
p45.
Example: $11^{23} \bmod 187$
• $23 = 10111_2$
• $z \leftarrow 1$
• $z \leftarrow z^2 \cdot 11 \bmod 187 = 11$ (square and multiply)
• $z \leftarrow z^2 \bmod 187 = 121$ (square)
• $z \leftarrow z^2 \cdot 11 \bmod 187 = 44$ (square and multiply)
• $z \leftarrow z^2 \cdot 11 \bmod 187 = 165$ (square and multiply)
• $z \leftarrow z^2 \cdot 11 \bmod 187 = 88$ (square and multiply)
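Square-and-Multiply as on the algorithm slide, as an added example that is not from the slides: it returns the value of $z$ after every iteration so the $11^{23} \bmod 187$ trace above can be checked line by line, and `verify_invariant` checks the slide's note that after bit $c_i$ is processed, $z = x^{(c_k \ldots c_i)_2} \bmod N$.

```python
# Added example (not from the slides): Square-and-Multiply(x, c, N) with a trace.

def square_and_multiply(x: int, c: int, n: int) -> tuple:
    """Compute x^c mod N by scanning the bits c_k ... c_0 of c from the top.
    Returns (z, trace) where trace holds (bit, z) after each iteration."""
    bits = bin(c)[2:]                    # "10111" for c = 23; bits[0] is c_k
    z, trace = 1, []
    for bit in bits:
        z = (z * z) % n                  # square
        if bit == "1":
            z = (z * x) % n              # multiply
        trace.append((bit, z))
    return z, trace

def verify_invariant(x: int, c: int, n: int) -> bool:
    """Slide's note: after processing c_k..c_i, z = x^{(c_k..c_i)_2} mod N."""
    bits = bin(c)[2:]
    _, trace = square_and_multiply(x, c, n)
    return all(z == pow(x, int(bits[:j + 1], 2), n)
               for j, (_, z) in enumerate(trace))
```

Note that the multiply step runs only for 1-bits of the exponent, so the running time (and, on real hardware, the timing) depends on the exponent; the slides do not cover that, but it is why production RSA code uses constant-time exponentiation.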
p46.
RSA Encryption
p47.
The RSA Cryptosystem
• By Rivest, Shamir & Adleman of MIT in 1977.
• Best known and most widely used public-key scheme.
• Based on the assumed one-way property of modular powering:
 $f : x \to x^e \bmod N$ (easy)
 $f^{-1} : x^e \bmod N \to x$ (hard)
• Related to the hardness of integer factorization.
p48.
Idea behind RSA
• It works in group $\mathbb{Z}_N^*$.
• Encryption (easy): $x \to x^e$.
• Decryption (hard): $x \leftarrow x^e$.
• Looking for a trapdoor: $(x^e)^d = x$. If $d$ is a number such that $ed \equiv 1 \bmod \phi(N)$, then $ed = k\phi(N) + 1$ for some $k$, and thus in the group $\mathbb{Z}_N^*$,
 $(x^e)^d = x^{ed} = x^{k\phi(N) + 1} = x^{k\phi(N)} \cdot x = (x^{\phi(N)})^k \cdot x = 1^k \cdot x = x$.
p49.
RSA encryption scheme
• Key generation:
 (a) Choose two large primes $p$ and $q$, and let $N := pq$. ($p, q$ determined by the security parameter.)
 (b) Choose $e$, $1 < e < \phi(N)$, coprime to $\phi(N)$, and compute $d := e^{-1} \bmod \phi(N)$. ($ed \equiv 1 \bmod \phi(N)$.)
 (c) Public key: $pk = (N, e)$. Secret key: $sk = (N, d)$.
• Encryption: $\mathrm{Enc}_{pk}(x) := x^e \bmod N$, where $x \in \mathbb{Z}_N^*$.
• Decryption: $\mathrm{Dec}_{sk}(y) := y^d \bmod N$, where $y \in \mathbb{Z}_N^*$.
p50.
Why RSA Works?
• The setting of RSA is the group $(\mathbb{Z}_N^*, \ast)$.
• In group $(\mathbb{Z}_N^*, \ast)$, for any $x \in \mathbb{Z}_N^*$, we have $x^{\phi(N)} = 1$ and, thus, $x^m = x^{m \bmod \phi(N)}$.
• We have chosen $e, d$ such that $ed \equiv 1 \bmod \phi(N)$, so $ed \bmod \phi(N) = 1$.
• For $x \in \mathbb{Z}_N^*$, $(x^e)^d = x^{ed} = x^{ed \bmod \phi(N)} = x^1 = x$.
p51.
What if $x \notin \mathbb{Z}_N^*$?
• RSA still works, but not secure.
• $\gcd(x, N) \ne 1 \Rightarrow p \mid x$ or $q \mid x$.
• Say $p \mid x$ and $x \ne 0$ (it is trivial if $x = 0$). Then,
 $x \equiv 0 \bmod p \Rightarrow x^{ed} \equiv 0 \equiv x \bmod p$
 $x \not\equiv 0 \bmod q \Rightarrow x^{ed} \equiv x \bmod q$
 The last "$\equiv$" holds because $ed \equiv 1 \bmod \phi(N) \Rightarrow ed \equiv 1 \bmod \phi(q)$.
• Both $x^{ed}$ and $x$ are a solution of the system, so by CRT $x^{ed} \equiv x \bmod N$ $\Rightarrow$ $x^{ed} \bmod N = x$ $\Rightarrow$ $\mathrm{Dec}(\mathrm{Enc}(x)) = x$.
p52.
RSA Example: Key Setup
• Select two primes: $p = 17$, $q = 11$.
• Compute the modulus $N = pq = 187$.
• Compute $\phi(N) = (p - 1)(q - 1) = 160$.
• Select $e$ between $0$ and $160$ such that $\gcd(e, 160) = 1$. Say $e = 7$.
• Compute $d = e^{-1} \bmod \phi(N) = 7^{-1} \bmod 160 = 23$ (using extended Euclid's algorithm).
• Public key: $pk = (e, N) = (7, 187)$. Secret key: $sk = (d, N) = (23, 187)$.
p53.
RSA Example: Encryption & Decryption
• Suppose $m = 88$.
• Encryption: $c = m^e \bmod N = 88^{7} \bmod 187 = 11$.
• Decryption: $m = c^d \bmod N = 11^{23} \bmod 187 = 88$.
• When computing $11^{23} \bmod 187$, we do not first compute $11^{23}$ and then reduce it modulo $187$. Rather, use square-and-multiply, and reduce intermediate results modulo $187$ whenever they get bigger than $187$.
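The key setup and the square-and-multiply exponentiation of the last two slides, as an added example (not code from the lecture); it uses the slides' toy parameters $p=17$, $q=11$, $e=7$, $m=88$ and the function names are my own.

```python
# Added example: textbook RSA on the slides' toy key (p = 17, q = 11, e = 7).
# Textbook RSA is shown for teaching only; real systems use padded RSA.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y

def modinv(a, n):
    """Inverse of a modulo n; raises if gcd(a, n) != 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, n, g))
    return x % n

def square_and_multiply(base, exp, mod):
    """base**exp mod mod, left-to-right binary method: every intermediate
    value is reduced, so nothing ever exceeds mod**2."""
    result = 1
    base %= mod
    for bit in bin(exp)[2:]:                  # most significant bit first
        result = (result * result) % mod      # square
        if bit == "1":
            result = (result * base) % mod    # multiply
    return result

def rsa_keygen(p, q, e):
    """Return (pk, sk) = ((e, N), (d, N)) with d = e^{-1} mod phi(N)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (e, N), (d, N)

def rsa_encrypt(pk, m):
    e, N = pk
    return square_and_multiply(m, e, N)

def rsa_decrypt(sk, c):
    d, N = sk
    return square_and_multiply(c, d, N)

if __name__ == "__main__":
    pk, sk = rsa_keygen(17, 11, 7)
    print("pk =", pk, "sk =", sk)                 # (7, 187) (23, 187)
    c = rsa_encrypt(pk, 88)
    print("c =", c, "m =", rsa_decrypt(sk, c))    # 11 88
```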
p54.
Encryption Key $e$
• To speed up encryption, small values are usually used for $e$.
• Popular choices include $3$, $17 = 2^4 + 1$, $65537 = 2^{16} + 1$. These values have only two 1's in their binary representation.
• There is an interesting attack on small $e$.
p55.
Decryption Key $d$
• One may be tempted to use a small $d$ to speed up decryption. Unfortunately, that is risky.
• Wiener's attack: If $d < N^{1/4}/3$ and $p < q < 2p$, then the decryption exponent $d$ can be computed from $(N, e)$.
• CRT can be used to speed up decryption.
p56.
Speeding up Decryption by CRT
• Decryption: $m = c^d \bmod N$. Time: $O(\log^3 N)$.
• Instead of computing $c^d \bmod N$ directly, we compute in $\mathbb{Z}_p$ and $\mathbb{Z}_q$:
  – $c_1 := c \bmod p$ and $c_2 := c \bmod q$;
  – $d_1 := d \bmod \phi(p)$ and $d_2 := d \bmod \phi(q)$ (i.e., $d \bmod (p-1)$ and $d \bmod (q-1)$);
  – $m_1 := c_1^{d_1} \bmod p$ and $m_2 := c_2^{d_2} \bmod q$;
  – recover the plaintext $m$ by solving $x \equiv m_1 \bmod p$, $x \equiv m_2 \bmod q$.
• Time: about $1/4$ of the direct computation.
• If $N = p_1 p_2 p_3 \ldots$, this strategy will speed up even more.
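The CRT decryption above as an added example (not from the slides), written for a modulus with any number of distinct prime factors so that it also covers the $N = p_1 p_2 p_3 \ldots$ case; checked on the slides' key ($p=17$, $q=11$, $d=23$, $c=11$).

```python
# Added example: RSA decryption by CRT, one small exponentiation per prime.

def crt_combine(residues, moduli):
    """Solve x ≡ r_i (mod n_i) for pairwise coprime n_i (general CRT)."""
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n                       # product of the other moduli
        x += r * Ni * pow(Ni, -1, n)      # Ni^{-1} mod n exists since coprime
    return x % N

def crt_decrypt(c, primes, d):
    """Decrypt c with private exponent d where N = product of `primes`:
    c_i := c mod p_i, d_i := d mod (p_i - 1), m_i := c_i^{d_i} mod p_i,
    then recombine m from the m_i."""
    residues = [pow(c % p, d % (p - 1), p) for p in primes]
    return crt_combine(residues, primes)

def direct_decrypt(c, N, d):
    """Reference: the plain computation c^d mod N."""
    return pow(c, d, N)

if __name__ == "__main__":
    print(crt_decrypt(11, [17, 11], 23))          # 88, same as 11^23 mod 187
    # Three-prime toy modulus (constructed): N = 5*7*11 = 385, e = 7, d = 103.
    c = pow(123, 7, 385)
    print(crt_decrypt(c, [5, 7, 11], 103))        # 123
```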
p57.
Attacks on RSA
p58.
Attacks on RSA
• Five categories of attacks on RSA:
  – brute-force key search (infeasible given the large key space)
  – mathematical attacks
  – miscellaneous attacks
  – timing attacks
  – chosen ciphertext attacks
p59.
Mathematical Attacks
• Factor $N$ into $p, q$. Then $\phi(N) = (p-1)(q-1)$ and $d = e^{-1} \bmod \phi(N)$ can be calculated easily.
• Determine $\phi(N)$ directly. Equivalent to factoring $N$. Knowing $\phi(N)$ will enable us to factor $N$ by solving $N = pq$, $\phi(N) = (p-1)(q-1)$.
• Determine $d$ directly. If $d$ is known, $N$ can be factored with high probability.
p60.
Integer Factorization
• A difficult problem.
• More and more efficient algorithms have been developed.
• In 1977, RSA challenged researchers to decode a ciphertext encrypted with a key ($N$) of 129 digits (428 bits). Prize: $100. RSA thought it would take quadrillion years to break the code using the fastest algorithms and computers of that time. Solved in 1994.
• In 1991, RSA put forward more challenges, with prizes, to encourage research on factorization.
p61.
RSA Numbers
• Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.)
• There are two labeling schemes:
  – by the number of decimal digits: RSA-100, ..., RSA-500, RSA-617.
  – by the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.
p62.
RSA Numbers which have been factored
• RSA-100 (330 bits), 1991, 7 MIPS-year, Quadratic Sieve.
• RSA-110 (364 bits), 1992, 75 MIPS-year, QS.
• RSA-120 (397 bits), 1993, 830 MIPS-year, QS.
• RSA-129 (428 bits), 1994, 5000 MIPS-year, QS.
• RSA-130 (430 bits), 1996, 1000 MIPS-year, GNFS.
• RSA-140 (463 bits), 1999, 2000 MIPS-year, GNFS.
• RSA-155 (512 bits), 1999, 8000 MIPS-year, GNFS.
• RSA-160 (530 bits), 2003, Lattice Sieve.
• RSA-576 (174 digits), 2003, Lattice Sieve.
• RSA-640 (193 digits), 2005, Lattice Sieve.
• RSA-200 (663 bits), 2005, Lattice Sieve.
p63.
RSA-200 =27,997,833,911,221,327,870,829,467,638,
722,601,621,070,446,786,955,428,537,560,
009,929,326,128,400,107,609,345,671,052,
955,360,856,061,822,351,910,951,365,788,
637,105,954,482,006,576,775,098,580,557,
613,579,098,734,950,144,178,863,178,946,
295,187,237,869,221,823,983.
p64.
Remarks
• In light of current factorization technologies, RSA recommends 1024 to 2048 bits.
• If a message $m \in \mathbb{Z}_N \setminus \mathbb{Z}_N^*$, RSA works, but since $\gcd(m, N) > 1$, the sender can factor $N$. Since $\gcd(m^e \bmod N, N) > 1$, the adversary can factor $N$, too.
• Question: how likely is $m \in \mathbb{Z}_N \setminus \mathbb{Z}_N^*$?
p65.
Miscellaneous attacks against RSA
• Common modulus: If two users use the same modulus $N$ and their encryption exponents $e_1$ and $e_2$ are coprime, then a message $m$ sent to them, encrypted as $c_1 := m^{e_1} \bmod N$ and $c_2 := m^{e_2} \bmod N$, is not protected by RSA.
• For $e_1, e_2$ coprime $\Rightarrow$ $r e_1 + s e_2 = 1$ for some $r, s$ $\Rightarrow$ $m = m^{r e_1 + s e_2} \bmod N = c_1^{r} c_2^{s} \bmod N$.
p66.
Another problem with common modulus:
• Owners of keys $(N, e, d)$ usually do not know $N = pq$. But, actually, given $(N, e, d)$, one can factor $N$ with high probability of success. Thus, if two RSA users share the same $N$, they can figure out each other's secret key ($d$ value).
• So, do not use a common $N$. Also, if your $d$ is compromised, do not just change $d$ and $e$. You should also change $N$.
p67.
If $d$ is known, we can factor $N$ (may skip):
• $x^2 \equiv 1 \bmod N$ has four solutions: $\pm 1$, $\pm a$ for some $a \neq \pm 1$.
• If $a^2 \equiv 1 \bmod N$ and $a \neq \pm 1$
  $\Rightarrow$ $a^2 - 1 \equiv 0 \bmod N$
  $\Rightarrow$ $N \mid (a+1)(a-1)$
  $\Rightarrow$ $\gcd(a \pm 1, N)$ yield the factors of $N$.
• Factor $N$ by looking for a nontrivial square root of $1 \bmod N$ (i.e., an $a \neq \pm 1$ such that $a^2 \equiv 1 \bmod N$).
p68.
• For all $w \in \mathbb{Z}_N^*$, $w^{ed-1} \equiv 1 \bmod N$.
• Write $ed - 1 = 2^{s} r$, where $r$ is odd. (So, $w^{2^{s} r} \equiv 1 \bmod N$.)
• Pick any $w \in \mathbb{Z}_N^*$. (What if $w \in \mathbb{Z}_N \setminus \mathbb{Z}_N^*$?)
• Compute $w^{r}, w^{2r}, w^{4r}, \ldots, w^{2^{s} r}$ until we find the first $w^{2^{t} r} \equiv 1 \bmod N$ for some $t$.
  – If $t \neq 0$, let $a = w^{2^{t-1} r} \bmod N$. Then $a^2 \equiv 1 \bmod N$, and $a \neq 1$.
  – If $a \neq -1$, then $a$ is a nontrivial square root of $1 \bmod N$.
  – Otherwise (i.e., $t = 0$ or $a = -1$), try another $w$.
p69.
Low encryption exponent attack
• A message $m$ sent to users who employ the same encryption exponent $e$ is not protected by RSA.
• Say, $e = 3$, and Bob sends a message $m$ to three recipients encrypted as: $c_1 = m^3 \bmod n_1$, $c_2 = m^3 \bmod n_2$, $c_3 = m^3 \bmod n_3$.
• Eve intercepts the three ciphertexts, and recovers $m$: $m^3 \equiv c_1 \bmod n_1$, $m^3 \equiv c_2 \bmod n_2$, $m^3 \equiv c_3 \bmod n_3$.
• By CRT, $m^3 \equiv c \bmod n_1 n_2 n_3$ for some $c < n_1 n_2 n_3$. Also, $m < n_1, n_2, n_3$. So, $m^3 = c$, and $m = \sqrt[3]{c}$.
p70.
Wiener's low decryption exponent attack:
• Recall RSA decryption: $m := c^d \bmod N$. One may be tempted to use a small $d$ to speed up decryption. Unfortunately, that may be risky.
• The decryption exponent $d$ may be computed from $(N, e)$ if $d < N^{1/4}/3$ and $p < q < 2p$.
• (Before Wiener's attack, the condition $p < q < 2p$ usually held because $p, q$ were usually chosen to have the same number of bits.)
p71.
Continued fraction: $\dfrac{a}{b} = q_1 + \dfrac{1}{q_2 + \dfrac{1}{q_3 + \cdots + \dfrac{1}{q_m}}} = [q_1, q_2, \ldots, q_m]$
• Any (positive) rational number can be expressed as a continued fraction, called its continued fraction expansion.
• Convergents of $[q_1, q_2, \ldots, q_m]$: $[q_1]$, $[q_1, q_2]$, $[q_1, q_2, q_3]$, $\ldots$, $[q_1, q_2, \ldots, q_m]$. (This sequence converges to $[q_1, q_2, \ldots, q_m]$.)
p72.
Example: $\dfrac{34}{99} = 0 + \dfrac{1}{2 + \dfrac{1}{1 + \dfrac{1}{10 + \dfrac{1}{3}}}} = [0, 2, 1, 10, 3]$
Obtained from Euclidean algorithm: $34 = 0 \times 99 + 34$, $99 = 2 \times 34 + 31$, $34 = 1 \times 31 + 3$, $31 = 10 \times 3 + 1$, $3 = 3 \times 1$.
Convergents of $[0, 2, 1, 10, 3]$: $[0]$, $[0, 2]$, $[0, 2, 1]$, $[0, 2, 1, 10]$, $[0, 2, 1, 10, 3]$.
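The continued fraction expansion and its convergents, as an added example (not from the slides): the expansion is read off the Euclidean algorithm exactly as the slide shows, and the convergents are evaluated with the standard recurrence; the function names are my own.

```python
# Added example: continued fraction expansion of a/b and its convergents,
# checked on the slides' example 34/99 = [0, 2, 1, 10, 3].
from fractions import Fraction

def continued_fraction(a, b):
    """Return [q_1, ..., q_m] with a/b = q_1 + 1/(q_2 + 1/(... + 1/q_m)).
    Each step a = q*b + r is one step of the Euclidean algorithm."""
    quotients = []
    while b:
        q, r = divmod(a, b)
        quotients.append(q)
        a, b = b, r
    return quotients

def convergents(quotients):
    """Convergents [q_1], [q_1,q_2], ... as Fractions h_n/k_n, using
    h_n = q_n*h_{n-1} + h_{n-2} and k_n = q_n*k_{n-1} + k_{n-2}."""
    h_prev, h = 0, 1          # h_{-2}, h_{-1}
    k_prev, k = 1, 0          # k_{-2}, k_{-1}
    out = []
    for q in quotients:
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        out.append(Fraction(h, k))
    return out

if __name__ == "__main__":
    cf = continued_fraction(34, 99)
    print(cf)                                  # [0, 2, 1, 10, 3]
    print([str(c) for c in convergents(cf)])   # ['0', '1/2', '1/3', '11/32', '34/99']
```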
p73.
Theorem. If $\left|\dfrac{a}{b} - \dfrac{c}{d}\right| < \dfrac{1}{2d^2}$, where $\gcd(c, d) = 1$, then $\dfrac{c}{d}$ equals one of the convergents of the continued fraction expansion of $\dfrac{a}{b}$.
• For RSA, $ed = t\phi(N) + 1$ for some $t$. So, $\dfrac{e}{\phi(N)} \approx \dfrac{t}{d}$, and hence $\dfrac{e}{N} \approx \dfrac{t}{d}$.
• If $d < N^{1/4}/3$ and $p < q < 2p$, then $\left|\dfrac{e}{N} - \dfrac{t}{d}\right| < \dfrac{1}{2d^2}$.
• So, $\dfrac{t}{d}$ equals one of the convergents of $\dfrac{e}{N}$. Check the convergents one by one to find the right one.
p74.
Small message space attack:
• If the message space is small, the adversary can encrypt all messages and compare them with the intercepted ciphertext.
• This attack is not specific to RSA.
p75.
Timing Attacks
• Paul Kocher in mid-1990's demonstrated that a snooper can determine a private key by keeping track of how long a computer takes to decrypt messages.
• RSA decryption: $c^d \bmod N$.
• Countermeasures:
  – Use constant decryption time.
  – Add a random delay to decryption time.
  – Blinding: modify the ciphertext $c$ to $c'$ and compute $(c')^d \bmod N$.
p76.
Blinding in Some of RSA Products
• RSA encryption has a homomorphism property: $\mathrm{RSA}(m) \cdot \mathrm{RSA}(r) = \mathrm{RSA}(m \cdot r)$.
• To decrypt a ciphertext $c = \mathrm{RSA}(m)$:
  – Generate a random message $r$. Encrypt $r$ as $\mathrm{RSA}(r)$.
  – Multiply the two ciphertexts: $c' = c \cdot \mathrm{RSA}(r) = \mathrm{RSA}(mr)$.
  – Decrypting $c'$ yields a value equal to $mr$. Multiplying that value by $r^{-1}$ yields $m$.
• Note: all calculations are done in $\mathbb{Z}_N^*$ (i.e., modulo $N$).
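The blinding procedure above as an added example (not from the slides or any product), on the slides' toy key $(N, e, d) = (187, 7, 23)$; the `rng` parameter is my own addition so the randomness can be fixed for testing.

```python
# Added example: RSA blinding as a timing-attack countermeasure. The private
# exponentiation runs on c' = c * r^e, which is independent of c, and the
# blinding factor r is removed afterwards with r^{-1} mod N.
import secrets
from math import gcd

def blinded_decrypt(c, e, d, N, rng=secrets.randbelow):
    """Return c^d mod N, computed on a blinded ciphertext."""
    while True:
        r = rng(N - 2) + 2            # r in [2, N-1]
        if gcd(r, N) == 1:            # r must be in Z_N^* so r^{-1} exists
            break
    c_blind = (c * pow(r, e, N)) % N   # RSA(m) * RSA(r) = RSA(m*r)
    m_blind = pow(c_blind, d, N)        # (m*r)^{ed} = m*r mod N
    return (m_blind * pow(r, -1, N)) % N

if __name__ == "__main__":
    print(blinded_decrypt(11, 7, 23, 187))   # 88, same as 11^23 mod 187
```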
p77.
A chosen-ciphertext attack
• Based on RSA's homomorphism property: $\mathrm{RSA}(m) \cdot \mathrm{RSA}(r) = \mathrm{RSA}(m \cdot r)$.
• Assume Eve has access to a decryption oracle.
• The attack: Given $c := \mathrm{RSA}(m)$, Eve wants to know $m$. She computes $c' := c \cdot \mathrm{RSA}(r) = \mathrm{RSA}(m \cdot r)$ for an arbitrary $r \in \mathbb{Z}_N^*$. Now, presenting $c' = \mathrm{RSA}(m \cdot r)$ to the Oracle, Eve obtains $m' = m \cdot r$, from which she can compute $m = (m \cdot r) \cdot r^{-1}$.
p78.
Padded RSA
p79.
Security of RSA
• We have seen many attacks on RSA.
• Also, RSA is deterministic and, therefore, not CPA-secure.
• We wish to make RSA secure against CPA and the aforementioned attacks.
• The RSA we have described so far is called: RSA primitive, plain RSA, or textbook RSA.
p80.
Padded RSA
• Encryption: $E_{pk}(m) = \mathrm{RSA}(r \| m) = (r \| m)^e \bmod N$, where $r$ is a random string.
• Thus, $\text{Padded-RSA}(m) = \mathrm{RSA}(r \| m)$ for some random $r$.
• Secure against many of the aforementioned attacks.
• Theorem (informal): Under some assumption, Padded RSA is CPA-secure if $|m| = O(\log n)$, where $n = \|N\|$.
• Padded RSA was adopted in PKCS #1 v.1.5.
p81.
Padded RSA as in PKCS #1 v.1.5
• PKCS: Public Key Cryptography Standard.
• Let $(N, e, d)$ give a pair of RSA keys. Let $k$ be the length of $N$ in bytes (e.g., 216).
• To encrypt a message $m$: pad $m$ so that $m' = 00 \| 02 \| r \| 00 \| m$ ($k$ bytes), where $r$ = 8 or more random bytes $\neq 00$. The original message $m$ must be $\le k - 11$ bytes. The ciphertext is $c := \mathrm{RSA}(m') = (m')^e \bmod N$.
• In 1998, Bleichenbacher published a chosen-ciphertext attack on this padded RSA.
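The PKCS #1 v1.5 encryption padding just described, with its conformance check, as an added example (not from the slides or the standard's own code; names are mine). The check is exactly the predicate the oracle of the next slides answers, which is why an implementation must not report its result to the sender.

```python
# Added example: PKCS #1 v1.5 padding  00 || 02 || r || 00 || m  (k bytes),
# with r at least 8 nonzero random bytes, and the "PKCS conforming" check.
import secrets

def pkcs1_v15_pad(m, k):
    """Return the k-byte block 00 || 02 || r || 00 || m (m at most k-11 bytes)."""
    if len(m) > k - 11:
        raise ValueError("message too long: at most k - 11 bytes")
    pad_len = k - 3 - len(m)              # >= 8 by the length check above
    r = bytearray()
    while len(r) < pad_len:
        byte = secrets.token_bytes(1)
        if byte != b"\x00":               # padding bytes must be nonzero
            r += byte
    return b"\x00\x02" + bytes(r) + b"\x00" + m

def is_pkcs_conforming(em, k):
    """True iff em = 00 || 02 || (>= 8 nonzero bytes) || 00 || anything."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        return False
    sep = em.find(b"\x00", 2)             # first 00 after the 02 byte
    return sep != -1 and sep - 2 >= 8

def pkcs1_v15_unpad(em, k):
    """Strip the padding; raise a single generic error on any malformed block."""
    if not is_pkcs_conforming(em, k):
        raise ValueError("decryption error")
    return em[em.find(b"\x00", 2) + 1:]

if __name__ == "__main__":
    em = pkcs1_v15_pad(b"hello", 32)
    print(em.hex(), is_pkcs_conforming(em, 32), pkcs1_v15_unpad(em, 32))
```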
p82.
Bleichenbacher's chosen-ciphertext attack
• A (padded) message is called PKCS conforming if it has the specified format: $00 \| 02 \| \text{padding string} \| 00 \| \text{original message}$.
• PKCS #1 implementations usually send you (sender) an error message if $\mathrm{RSA}^{-1}(c)$ is not PKCS conforming. It is just like you have an Oracle which, given $c$, answers whether or not $\mathrm{RSA}^{-1}(c)$ is PKCS conforming.
• Bleichenbacher's attack takes advantage of such an Oracle.
p83.
• Given $c = \mathrm{RSA}(m)$, Eve tries to find $m$. (Assume $m$ is PKCS conforming.)
• How can the Oracle help? Recall that RSA is homomorphic: $\mathrm{RSA}(m) \cdot \mathrm{RSA}(s) = \mathrm{RSA}(m \cdot s)$ (computed in $\mathbb{Z}_N^*$).
• Given $\mathrm{RSA}(m)$, Eve can compute $\mathrm{RSA}(m \cdot s)$ for many $s \in \mathbb{Z}_N^*$. She then asks the Oracle, "Is $m \cdot s$ PKCS conforming?" (That is, is $m \cdot s \bmod N$ PKCS conforming?)
• Why is this information useful?
p84.
• Recall PKCS format ($k$ bytes): $00 \| 02 \| \text{padding string} \| 00 \| \text{original message}$.
• Let $B = 00 \| 01 \| (00)^{k-2}$ (hexadecimal) $= 2^{8(k-2)}$ (binary). Then $2B = 00 \| 02 \| (00)^{k-2}$ and $3B = 00 \| 03 \| (00)^{k-2}$.
• If $m$ is PKCS conforming $\Rightarrow$ $2B < m < 3B$.
• If $ms \bmod N$ is also PKCS conforming $\Rightarrow$ $2B < ms \bmod N < 3B$ $\Rightarrow$ $2B + tN < ms < 3B + tN$ for some $t$ $\Rightarrow$ $\dfrac{2B + tN}{s} < m < \dfrac{3B + tN}{s}$.
p85.
[Figure: number line $0, N, 2N, 3N, 4N, \ldots, sN$; the interval $(2B, 3B)$ is the blue area, and the red lines mark where $ms$ falls into $(2B + tN, 3B + tN)$ for each $t$.]
• If $m$ is PKCS conforming $\Rightarrow$ $m$ is in the blue area.
• If $ms \bmod N$ is also PKCS conforming $\Rightarrow$ $ms \bmod N$ is in the blue area $\Rightarrow$ $ms$ is in the red areas $\Rightarrow$ $m$ is in the red lines.
• Thus, $m$ is in the red lines of the blue area.
p86.
• Let's focus on the blue area, $(2B, 3B)$.
• If $m$ is PKCS conforming $\Rightarrow$ $m$ is in the blue area.
• If $ms \bmod N$ is also PKCS conforming $\Rightarrow$ $m$ is in the red areas/lines.
• If $ms' \bmod N$ is also PKCS conforming $\Rightarrow$ $m$ is in the purple areas/lines.
• So, $m \in \text{blue} \cap \text{red} \cap \text{purple}$.
[Figure: the interval $(2B, 3B)$ with the red and purple sub-intervals marked.]
p87.
• So, starting with the fact that $m$ is PKCS conforming, Eve finds a sequence of integers $s_1, s_2, s_3, \ldots$ such that $2 s_{i-1} \le s_i$ and $m s_i \bmod N$ is PKCS conforming.
• To find $s_i$, randomly choose an $s \ge 2 s_{i-1}$, and ask the oracle whether $ms \bmod N$ is PKCS conforming. If not, then try a different $s$.
• This way, Eve can repeatedly narrow down the area containing $m$ and eventually find $m$. For $N$ having 1024 bits, it takes roughly 1 million accesses to the oracle in order to find $s_1, s_2, s_3, \ldots$
p88.
CCA-Secure RSA in the Random Oracle Model
p89.
Protecting Every Bit
• There are CCAs that only require the oracle to reveal partial information about the plaintext such as:
  – whether the plaintext is PKCS conforming
  – whether the plaintext is even or odd
  – whether the plaintext $x \in \mathbb{Z}_N^*$ is in the first half or the second half of $\mathbb{Z}_N^*$ (i.e., $x < N/2$ or $x \ge N/2$?)
• It is desired to protect every bit (or any partial information) of the plaintext.
p90.
OAEP: basic idea
• Message padding: not simply $r \| m$ or $m \| r$, but $m \oplus r$, where $r$ is a random string. As such, however, there is a 50% overhead.
• So, we wish to use a shorter bit string $r$. Besides, $r$ should be protected, too.
• This leads to a scheme called Optimal Asymmetric Encryption Padding (OAEP). It can be applied to RSA and other trapdoor functions.
p91.
OAEP
• Choose $k, l$ ($k < l$) s.t. $k + l = \|N\|$ ($N$, RSA modulus).
• $G: \{0,1\}^k \to \{0,1\}^l$, a pseudorandom generator. $h: \{0,1\}^l \to \{0,1\}^k$, a hash function.
• Encryption: To encrypt a block of $l$ bits $m$:
  1. choose a random $k$-bit string $r \in \{0,1\}^k$.
  2. encode $m$ as $x := (m \oplus G(r)) \| (r \oplus h(m \oplus G(r)))$ (if $x \notin \mathbb{Z}_N$, the message space of RSA, return to step 1).
  3. compute the ciphertext $y := \mathrm{Enc}_{pk}(x)$.
• Decryption: $x := \mathrm{Dec}_{sk}(y) = a \| b$. $m = a \oplus G(b \oplus h(a))$.
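The OAEP encode/decode steps of this slide, as an added example (not from the slides) instantiated on byte strings: $G$ and $h$ are built from SHA-256 (my assumption; the slide only requires a PRG and a hash), $k = 16$ bytes of randomness and $l = 32$ bytes of message, and the RSA exponentiation itself is left out, so `x` is the value that would go to $\mathrm{Enc}_{pk}$.

```python
# Added example: OAEP encoding x := (m xor G(r)) || (r xor h(m xor G(r)))
# and the matching decoding, with the "x must be in Z_N" retry of step 2.
import hashlib
import secrets

K = 16   # bytes of r   (the k-bit string of the slide)
L = 32   # bytes of m   (the l-bit block of the slide)

def G(r):
    """PRG {0,1}^k -> {0,1}^l: counter-mode SHA-256 (assumed construction)."""
    out = b""
    counter = 0
    while len(out) < L:
        out += hashlib.sha256(r + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:L]

def h(a):
    """Hash {0,1}^l -> {0,1}^k: truncated SHA-256 (assumed construction)."""
    return hashlib.sha256(a).digest()[:K]

def xor(x, y):
    return bytes(i ^ j for i, j in zip(x, y))

def oaep_encode(m, N, r=None):
    """Return x < N. With a fresh random r, retry while x >= N (step 2);
    a caller-supplied r (for testing) is used once."""
    if len(m) != L:
        raise ValueError("message must be exactly L bytes")
    while True:
        rr = secrets.token_bytes(K) if r is None else r
        a = xor(m, G(rr))                 # m xor G(r)
        b = xor(rr, h(a))                 # r xor h(m xor G(r))
        x = a + b
        if int.from_bytes(x, "big") < N:
            return x
        if r is not None:
            raise ValueError("fixed r gives x >= N")

def oaep_decode(x):
    """Split x = a || b, recover r = b xor h(a), then m = a xor G(r)."""
    a, b = x[:L], x[L:]
    r = xor(b, h(a))
    return xor(a, G(r))

if __name__ == "__main__":
    N = 1 << 384                          # placeholder bound, |N| = k + l bits
    m = bytes(range(L))                   # constructed sample message
    x = oaep_encode(m, N)
    print(x.hex(), oaep_decode(x) == m)   # True
```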
p92.
Remarks on OAEP
• OAEP is adopted in the current version of RSA PKCS #1 (v. 2.1). It is a padding/encoding scheme.
• Intuitively, with OAEP, the ciphertext would not reveal any information about the plaintext if RSA is one-way and $G$ and $h$ are truly random (random oracles).
• A slightly more complicated version of OAEP, in which $x' := (m \| 0^k \oplus G(r)) \| (r \oplus h(m \| 0^k \oplus G(r)))$, has been proved CCA-secure in the random oracle model (i.e., if $G, h$ are random oracles).
• In practice, hash functions such as SHA-1 are used for $G, h$.
p93.
Generating large primes
To set up an RSA cryptosystem, we need two large primes $p$ and $q$.
p94.
How many prime numbers are there?
• Infinitely many.
• First proved by Euclid: Assume only a finite number of primes $p_1, p_2, \ldots, p_n$. Let $M = p_1 p_2 \cdots p_n + 1$. $M$ is not a prime, because $M \neq p_i$, $1 \le i \le n$. So, $M$ is composite and has a prime factor $p_i$ for some $i$ $\Rightarrow$ $p_i \mid M$ $\Rightarrow$ $p_i \mid 1$ $\Rightarrow$ contradiction.
p95.
Distribution of Prime Numbers
• The Prime Number Theorem: Let $\pi(x)$ denote the number of primes $\le x$. Then $\pi(x) \approx \dfrac{x}{\ln x}$ for large $x$.
• Bertrand's Theorem: For any $n > 1$, the fraction of $n$-bit integers that are prime is at least $\dfrac{1}{3n}$.
p96.
How to generate a large prime number?
• Generate a random odd number $N$ of desired length.
• Test if $N$ is prime.
• If not, discard it and try a different number.
• Q: How many numbers are expected to be tested before a prime is found?
p97.
Primality test: Is $N$ a prime?
• Can it be solved in polynomial time? A long standing open problem until 2002.
• AKS (Agrawal, Kayal, Saxena): $O\left((\log N)^{12+\epsilon}\right)$. Later improved by others to $O\left((\log N)^{10.5}\right)$, and then to $O\left((\log N)^{6+\epsilon}\right)$.
• In practice, Miller-Rabin's probabilistic algorithm is still the most popular --- much faster, $O\left((\log N)^{3}\right)$.
p98.
Miller-Rabin primality test: Is $N$ a prime?
• Looking for a characteristic property of prime numbers: $N$ is prime $\Leftrightarrow$ what?
• $N$ is prime $\Leftrightarrow$ $\forall a \in \mathbb{Z}_N^*$, $P(a) = \mathit{true}$.
  – $N$ is prime $\Rightarrow$ $\forall a \in \mathbb{Z}_N^*$, $P(a) = \mathit{true}$.
  – $N$ not prime $\Rightarrow$ $\exists$ (at least $t$) elements $a \in \mathbb{Z}_N^*$ with $P(a) = \mathit{false}$.
• Algorithm: Check $P(a)$ for $k$ random elements $a \in \mathbb{Z}_N^*$. If $P(a)$ is true for all of them then return prime else return composite.
• A "prime" answer may be incorrect with probability $\le \left(1 - \dfrac{t}{\phi(N)}\right)^{k}$.
p99.
If $N$ is prime, then for all $a \in \mathbb{Z}_N^*$, $P(a)$ is true.
[Figure: the whole of $\mathbb{Z}_N^*$ labelled $P(a) = \mathit{true}$.]
p100.
If $N$ is not prime, then there are elements $a \in \mathbb{Z}_N^*$, called strong witnesses, s.t. $P(a) = \mathit{false}$.
[Figure: $\mathbb{Z}_N^*$ split into a region labelled $P(a) = \mathit{true}$ and a region of strong witnesses labelled $P(a) = \mathit{false}$.]
p101.
Looking for $P(a)$:
• How about $P(a) = (a^{N-1} \equiv 1 \bmod N)$?
• Fermat's little theorem: If $N$ is prime $\Rightarrow$ $\forall a \in \mathbb{Z}_N^*$, $a^{N-1} \equiv 1 \bmod N$.
• If $N$ is not prime $\Rightarrow$ possible that $\forall a \in \mathbb{Z}_N^*$, $a^{N-1} \equiv 1 \bmod N$. (Carmichael numbers: composite numbers $N$ for which $\forall a \in \mathbb{Z}_N^*$, $a^{N-1} \equiv 1 \bmod N$.)
• Need to strengthen the condition $a^{N-1} \equiv 1 \bmod N$.
p102.
• Fact: if $N \neq 2$ is prime, then $1$ has exactly two square roots in $\mathbb{Z}_N^*$, namely $\pm 1$.
• Write $N - 1 = 2^{k} u$, where $u$ is odd.
• If $N$ is prime $\Rightarrow$ $\forall a \in \mathbb{Z}_N^*$, $a^{N-1} \equiv 1 \bmod N$ (Fermat's little theorem) $\Rightarrow$ $\forall a \in \mathbb{Z}_N^*$, $P(a) = \mathit{true}$, where
  $P(a) := (a^{u} \equiv 1 \bmod N)$ or $(a^{2^{i} u} \equiv -1 \bmod N$ for some $i$, $0 \le i \le k-1)$.
• Why? Consider the sequence $a^{u}, a^{2u}, a^{4u}, \ldots, a^{2^{k-1} u}, a^{2^{k} u}$ $(= a^{N-1} \equiv 1)$.
p103.
• Example: $N = 41$. $N - 1 = 40 = 2^{3} \cdot 5$. ($k = 3$, $u = 5$) For $a = 2$, $(a^{5}, a^{10}, a^{20}, a^{40}) \equiv (32, -1, 1, 1) \bmod 41$ $\Rightarrow$ $P(2) = \mathit{true}$. For every $a \in \mathbb{Z}_{41}^*$, $P(a)$ is true.
• Example: $N = 25$. $N - 1 = 24 = 2^{3} \cdot 3$. ($k = 3$, $u = 3$) For $a = 2$, $a^{3} = 2^{3} = 8 \bmod 25$, $(a^{3}, a^{6}, a^{12}, a^{24}) \equiv (8, 14, 21, 16) \bmod 25$ $\Rightarrow$ $P(2) = \mathit{false}$.
![Page 104: Public-Key Encryption - Computer Science and Engineeringweb.cse.ohio-state.edu/~lai.1/5351/7.public-key.pdf · p2. Public-Key Encryption • Also known as asymmetric-key encryption](https://reader030.vdocuments.us/reader030/viewer/2022020319/5c8fafd209d3f23a138c0315/html5/thumbnails/104.jpg)
p104.
• If $N$ is not prime $\Rightarrow$ strong witnesses always exist?
• Loosely speaking, yes: If $N$ is an odd composite and not a prime power, then at least one half of the elements $a \in \mathbb{Z}_N^*$ are strong witnesses.
• For such an $N$, we may check $P(a)$ for $t$ random elements $a \in \mathbb{Z}_N^*$. If $P(a)$ is true for all of them then return prime, else return composite. A "prime" answer may be incorrect with probability $\le 2^{-t}$.
p105.
• A composite number $N$ is a prime power if $N = p^e$ for some prime $p$ and integer $e \ge 2$. (It is a perfect power if $N = k^e$ for some integer $k$ and $e \ge 2$.)
• Theorem: If $N$ is an odd composite and not a prime power, then at least one half of the elements $a \in \mathbb{Z}_N^*$ are strong witnesses that $N$ is not prime.
• Idea of Proof: The set $B$ of all non-strong witnesses $a \in \mathbb{Z}_N^*$ forms a proper subgroup of $\mathbb{Z}_N^*$. So, $\mathrm{ord}(B) < \mathrm{ord}(\mathbb{Z}_N^*)$ and $\mathrm{ord}(B) \mid \mathrm{ord}(\mathbb{Z}_N^*)$. So, $\mathrm{ord}(B) \le \frac{1}{2}\,\mathrm{ord}(\mathbb{Z}_N^*)$.
p106.
Algorithm: Miller-Rabin primality test
Input: integer $N > 2$ and parameter $t$
Output: a decision as to whether $N$ is prime or composite
1. if $N$ is even, return "composite"
2. if $N$ is a perfect power, return "composite"
3. for $i := 1$ to $t$ do
     choose a random integer $a \in \mathbb{Z}_N$
     if $\gcd(a, N) \ne 1$, return "composite"
     if $a$ is a strong witness, return "composite"
4. return "prime"
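As an added example that is not from the slides or from K&L, the following Python 3 carries the predicate $P(a)$ of p102, the two worked sequences of p103, the Carmichael observation of p101, the witness-fraction theorem of p105 and the algorithm of p106 through in working code. All function names (`decompose`, `power_sequence`, `P`, `iroot`, `is_perfect_power`, `miller_rabin`, `fermat_passes_all`, `strong_witness_fraction`) are my own; the slides do not say how step 2 (the perfect-power check) is to be done, so the integer binary-search root used here is an assumption, and random $a$ is drawn from $\{1, \dots, N-1\}$ rather than all of $\mathbb{Z}_N$ (an $a = 0$ would fail the gcd check anyway).

```python
# Added example (not from the slides or K&L): P(a) from p102, the N = 41 and
# N = 25 sequences from p103, the Carmichael check from p101, the witness
# fraction of p105 and the t-iteration Miller-Rabin algorithm of p106.
# All function names are my own choices.
import math
import secrets


def decompose(N):
    """Write N - 1 = 2^k * u with u odd and return (k, u)."""
    k, u = 0, N - 1
    while u % 2 == 0:
        k += 1
        u //= 2
    return k, u


def power_sequence(N, a):
    """[a^u, a^(2u), a^(2^2 u), ..., a^(2^k u)] mod N: each term is the
    square of the previous one; the last term is a^(N-1)."""
    k, u = decompose(N)
    seq = [pow(a, u, N)]
    for _ in range(k):
        seq.append(seq[-1] * seq[-1] % N)
    return seq


def P(N, a):
    """The slides' predicate: a^u = 1 or a^(2^i u) = -1 (mod N) for some
    0 <= i <= k-1.  P(a) false means a is a strong witness that N is composite."""
    seq = power_sequence(N, a)
    if seq[0] == 1:
        return True
    # seq[i] is a^(2^i u); only i = 0..k-1 count, so the last term is dropped.
    return any(x == N - 1 for x in seq[:-1])


def iroot(N, e):
    """Largest integer m with m^e <= N (binary search, exact integer arithmetic)."""
    lo, hi = 1, 1 << (N.bit_length() // e + 1)   # hi^e > N always holds
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= N:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_perfect_power(N):
    """Step 2 of p106 (assumed implementation): is N = m^e, m >= 2, e >= 2?"""
    for e in range(2, N.bit_length() + 1):
        m = iroot(N, e)
        if m >= 2 and m ** e == N:
            return True
    return False


def miller_rabin(N, t=20, randbelow=secrets.randbelow):
    """The algorithm on p106 for N > 2: returns "prime" or "composite".
    randbelow(n) must return a uniform integer in [0, n)."""
    if N <= 2:
        raise ValueError("the slides' algorithm takes N > 2")
    if N % 2 == 0:                          # step 1
        return "composite"
    if is_perfect_power(N):                 # step 2
        return "composite"
    for _ in range(t):                      # step 3
        a = randbelow(N - 1) + 1            # random a in {1, ..., N-1}
        if math.gcd(a, N) != 1:
            return "composite"
        if not P(N, a):                     # a is a strong witness
            return "composite"
    return "prime"                          # step 4: no witness in t tries


def fermat_passes_all(N):
    """p101: does a^(N-1) = 1 (mod N) hold for every a in Z_N^*?  True for
    primes and for Carmichael numbers, which is why P(a) is needed at all."""
    return all(pow(a, N - 1, N) == 1
               for a in range(1, N) if math.gcd(a, N) == 1)


def strong_witness_fraction(N):
    """Fraction of a in Z_N^* with P(a) false (brute force, small N only).
    p105's theorem: at least 1/2 when N is an odd composite non-prime-power."""
    units = [a for a in range(1, N) if math.gcd(a, N) == 1]
    witnesses = sum(1 for a in units if not P(N, a))
    return witnesses / len(units)


if __name__ == "__main__":
    print(power_sequence(41, 2), P(41, 2))   # [32, 40, 1, 1] True (40 = -1 mod 41)
    print(power_sequence(25, 2), P(25, 2))   # [8, 14, 21, 16] False
    print(fermat_passes_all(561), miller_rabin(561))   # True composite
    print(strong_witness_fraction(561))      # at least 0.5 by p105's theorem
```

Running it shows the two slide examples directly: 41 survives every base, 25 is rejected already at step 2 and also by the base 2 sequence, and the Carmichael number 561 passes the plain Fermat condition for every unit yet is caught by $P(a)$. Two practical points follow from the analysis on p104: the error bound only holds when the bases are chosen at random (a fixed short list of bases is deterministic and gives no such guarantee for an $N$ chosen to defeat it), and $t$ should be set from the error budget, since each extra iteration shrinks the failure probability by the factor the slides state.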
p107.
Analysis: Miller-Rabin primality test
• If the algorithm answers "composite", it is always correct.
• If the algorithm answers "prime", it may be incorrect with probability at most $2^{-t}$.
• Actually, at most $4^{-t}$, by a more sophisticated analysis.
p108.
Monte Carlo algorithms
• A Monte Carlo algorithm is a probabilistic algorithm which always gives an answer but sometimes the answer may be incorrect.
• A Monte Carlo algorithm for a decision problem is yes-biased if its "yes" answer is always correct but a "no" answer may be incorrect with some error probability.
• A $t$-iteration Miller-Rabin is a "composite"-biased Monte Carlo algorithm with error probability at most $1/4^t$.
p109.
Las Vegas algorithms
• A Las Vegas algorithm is a probabilistic algorithm which may sometimes fail to give an answer but never gives an incorrect one.
• A Las Vegas algorithm can be converted into a Monte Carlo algorithm.