p1. public-key cryptography and rsa 5351: introduction to cryptography spring 2013
TRANSCRIPT
p1.
Public-Key Cryptography and RSA
5351: Introduction to Cryptography
Spring 2013
p2.
Public-Key Cryptography
• Also known as asymmetric-key cryptography.
• Each user has a pair of keys: a public key and a private key.
• The public key is used for encryption.
– The key is known to the public.
• The private key is used for decryption.
– The key is only known to the owner.
p3.
Why Public-Key Cryptography?
• Developed to address two main issues:– key distribution– digital signatures
• Invented by Diffie & Hellman in 1976.
p4.
Key generation algorithm : On input 1 , (1 ) outputs
a pair of keys, , , each of length at least .
Encryption algorit
hm : On input a public key and a pla
Public-key encryption schemen nG G
pk sk n
E pk
intext
, outputs a ciphertext . We write ( ).
(The message space may depend on .)
Decryption algorithm : On input a secret key and a ciphertext
, outputs a messag
e
pk pkm M E c c E m
pk
D sk
c D
. We write : ( ).
Correctness requirement:
Pr ( ) : 1
except for a negligible measure of key pairs output by ( ).
1
sk
sk p p
n
k k
m m D c
D E m m
G
m M
p5.
Adversary: a polynomial-time eavesdropper.
( , , ) : a public-key encryption scheme.
Imagine a
n experiment:
(1 ) is run to obtain a pair of keys , .
Ciphertext-Indistinguishability
n
G E D
G pk sk
0 1
The adversary is given , and outputs a pair of
messages , of the same length.
A random bit {0,1} is chosen; and a ciphertext
( ) is computed and given to the a
pk
pk b
pk
m m M
b
c E m
0 1
dversary.
The adversary determines whether is the encryption
of or .
c
m m
p6.
ciphertext-indistinguishable against eave
A publick-key encryption scheme with security
parameter is
if for every polynomial-time adversary
Definit
there
sdropper
exists
ion:
a neg
ligib
s
le
n
A
0 1 0 1
0 1
function such that
Pr ( , , , ) : ( , ) (1 ), { , }
{ , }, ( )
1 negl( )
2
nA pk
u pk
negl
A pk m m c m pk sk G m m M
m m m c E m
n
p7.
Since the adversary knows the publick key , it can encrypt
any polynomial number of messages of its choice.
That is, eavesdroppers are capable of CPA's.
Thus, if a pub
lic-key encryp
Remarks
pk
tion scheme is secure against
eavesdroppers, then it is also CPA-secure.
A public-key encryption scheme is
not CPA-secure, and hence
not ciphertext-ind
deter
istin
g
minist
uishab
ic
le a
gainst eavesdroppers.
p8.
1
1
trapdoor
Easy:
Hard:
Easy:
Use as the privat
e key.
Most public-key encryption schemes are based on
one-wa
trapdoor
assumed
One-way function with trapdoorf
f
f
x y
x y
x y
y functions.
Most one-way functions come from number the . ory
p9.
Modular Arithmetic
p10.
| : divides , is a divisor of .
gcd( , ): greatest common divisor of and .
Coprime or relatively prime: gcd( , ) 1.
Euclid's algorithm: compute gcd( , ).
Extented Eucli
Integers
a b a b a b
a b a b
a b
a b
d's algorithm: compute integers
and such that gcd( , ).x y ax by a b
p11.
Let 2 be an integer.
Def: is congruent to modulo , written
mod , if | ( ), i.e., and have the
same remainder when d
m
ivided by .
Note: dod an
Integers modulo
n
a b n
a b n n a b a b
n
a b n
n
are different.
Def: [ ] all integers congruent to modulo .
[ ] is called a residue class modulo , and is a
representati
mod
ve of that class.
n
n
a b
a a n
a n a
n
p12.
congruence m
There are exactly residue classes modulo :
[0], [1], [2], , [ 1].
Note: " " is an equivalence relation, whose
equivalence classes are the residue classes.
If [ ]
,
od n
n n
n
x a
[ ], then [ ] and [ ].
Define addition and multiplication for residue classes:
[ ] [ ] [ ]
[ ] [ ] [ ].
y b x y a b x y a b
a b a b
a b a b
p13.
id
A group, denoted by ( , ), is a set with a
binary operation : such that
1. ( ) ( ) (associative)
2. s.t. , ( )
3. , s.t.
entity
Group
G G
G G G
a b c a b c
e G x G x x x
x G y G x y y x
e e
( )
A group ( , ) is if , , .
Examples: ( ,
abel
), ( , ), ( \ {0}, ), ( ,
inver
),
( \ {0}
ian
s
, ).
ee
G x y G x y y x
Z Q Q R
R
p14.
Define [0], [1], ..., [ 1] .
Or, more conveniently, 0, 1, ..., 1 .
, forms an abelian additive group.
For , ,
( )mod . (Or, [ ] [ ] [ ] [ mod ].)
0 is th
n
n
n
n
Z n
Z n
Z
a b Z
a b a b n a b a b a b n
10
e identity element.
The inverse of , denoted by , is .
When doing addition/substraction in , just do the regular
addition/substraction and reduce the result modulo .
In , 5
n
a a n a
Z
n
Z
5 9 4 6 2 8 3 ?
p15.
1
1
1
, is not a group, because 0 does not exist.
Even if we exclude 0 and consider only \ {0},
, is not necessarily a group; some may not exist.
For , exists if and on
n
n n
n
n
Z
Z Z
Z a
a Z a
ly if gcd( , ) 1.a n
p16.
*
1
Let : gcd( , ) 1 .
, is an abelian multiplicative group.
mod .
mod .
1 is the identity elemen
t.
The inverse of , written , can be computated b
n n
n
Z a Z a n
Z
a b ab n
a b ab n
a a
*12
*
y the
Extended Euclidean Algorithm.
For example, 1,5,7
Q: How many
,11 . 5 7
eleme
35mod12 11.
nts are ther ? e in nZ
Z
p17.
*
1
Euler's totient function:
Fa
( )
= : 1 and gcd( , ) 1
1. ( ) ( 1) for prime
2. ( ) ( ) ( ) if gcd( ,
cts:
) 1
n
e e
n Z
a a n a n
p p p p
ab a b a b
p18.
Let be a (multiplicative) group.
The order of , ord( ), is the number of elements in .
The order of , written ord( ), is the smallest
positive integer such that .
f
( , i
inite
t
G
G G G
a G a
t e ea
ord( )
( ) 1
| |
*
dentity element.)
Corollary: For any
Lagrange's theorem: For any element , ord( ) | ord( ).
Fermat's little theorem:
If ( a prime), t
element , .
hen
G G
p pp
a G a
a G a G
a Z
a e
p a a
*
* ( ) *
1 in .
Euler's theorem:
If (for any 1), then 1 in .
p
nn n
Z
a Z n a Z
p19.
*15
*15
*15
( ) 8
= 1, 2, 4, 7, 8, 11, 13, 14
(15) (3) (5) 2 4 8
: 1 2 4 7 8 11 13 14
ord( ) : 1 4 2 4 4 2 4 2
1
Example: 15
n
Z
Z
a Z
a
a a
n
p20.
The Chinese Remainder Problem
• A problem described in an ancient Chinese arithmetic
book, Sun Tze Suan Ching, by Sun Tze (around 300AD,
author of The Art of War).
• Problem: We have a number of objects, but we do not
know exactly how many. If we count them by threes we
have two left over. If we count them by fives we have
three left over. If we count them by sevens we have two
left over. How many objects are there?Mathematically, if 2mod3, 3mod5, 2mod7,
wh
at is ?
x x x
x
p21.
1
1 1
2 2
1 2
If integers , , are pairwise coprime,
then the system of congruences
mod
mod
mod
has a unique solution modulo :
Chinese remainder theorem
k
k k
k
i
n n
x a n
x a n
x a n
N n n n
x a N
1
1 A fo
mod
where an rmula by Gausd mod ( s)
k
i ii
i i i i i
y N
N N n y N n
p22.
1 1 1
1 1 1
Suppose
1 mod 3
6 mod 7
8 mod 10
By the Chinese remainer theorem, the solution is:
1 70 (70 mod3) 6 30 (30 mod7) 8 21 (21 mod10)
1 70 (1 mod3) 6 30 (2 mod7) 8 21 (1 mod10)
x
x
x
x
1 70 1 6 30 4 8 21 1 mod 210
958 mod 210
118 mod 210
Example: Chinese remainder theorem
p23.
1
1 2
1
(the numbers are pairwise coprime)
There is a one-to-one correspondence :
, , , where and mod
( ) ( ) ( ).
( )
Another version of CRT
k
k i
N n n
k N i i
N n n n n
Z Z Z
a a a a Z a a n
x y x y
x y
( ) ( ).
For math students: is a ring isomorphism.
x y
p24.
1 2
1 2 1
1 2
Let , where , , are pairwise coprime.
Define a mapping
:
( mod , mod , , mod )
Then,
is bijective (one-to-one and on
Chinese remainder theorem
k
k k
N n n n
k
N n n n n n
Z Z Z Z
x x n x n x n
to).
( ) ( ) ( ).
( ) ( ) ( ).
x y x y
x y x y
p25.
1 2
1
1
1
Computations in can be done by performing
corresponding computations in , , , , and
then solve the CRP.
, , If
, ,
then
k
N
n n n
k
k
Z
Z Z Z
a a a
b b b
a b a
*
1
1
1 1
1 1
, ,
, ,
, , if
mod mo d mod
k k
k k
k k
k
N
b a b
a b a b a b
a b a b a b b Z
N n n
p26.
* * *15 3 5 15 3 5
8 8mod3, 8mod5 (2,3)
11 11mod3, 11mod5 (2,1)
Suppose we want to compute 8 11 mod15.
8 11mod15 (2 2mod3, 3 1mod5) (1,3).
(1,3) (
Example: Chinese remainder theoremZ Z Z Z Z Z
x
15which number corresponds to (1,3)?)
1mod3 Solve 13
3mod5
x Z
xx
x
p27.
Algorithms
1
3
gcd ,
mod
mod
Running time: log
k
a b
a n
a n
O n
p28.
0
1
1
1 1
Comment: compute gcd( , ), where 1.
:
:
for : 1, 2, until = 0
: mod
return ( )
Running time:
(log ) i t
Euclidean Algorithm
n
i i i
n
a b a b
r a
r b
i r
r r r
r
O a
2
3
erations; (log ) time for each mod.
Overall running time: (lo g )
O a
O a
p29.
Example: gcd(299,221) ?
299 221
Given 0, compute , such that gcd( , ) .
1 78
2 65
221 78
78 65
78 65
78 221 78
1 13
65 5 13 0
gcd(229,221) 13
( 2 ) 3
78 2 1
(
2
23
Extended Euclidean Algorithm
a b x y a b ax by
99 221) 221
299
1
23 2 14
p30.
1
1 *
1
Compute in .
exists if and only if gcd( , ) 1.
Use extended Euclidean algorithm to find ,
such that gcd( , ) 1 (in )
mod
[ ]
?How to compute
na Z
a a n
x y
ax ny a n
a n
Z
a
1
[ ] [ ][ ] [1]
[ ][ ] [1] (since [ ] [0])
[ ] [ ].
Note: may omit [ ], but reduce everything modulo .
x n y
a x n
a x
n
p31.
1 Compute 15 mod 47.
47 15 3 (divide 47 by 15; remainder 2)
15 2 7 (divide 15 by 2; remainder 1)
1 15 7 (mod 47)
1
2
1
2
5 ( ) 7 (mod 47)47 15 3
Example
1
1 *47
15 22 47 7 (mod 47)
15 22 (mod 47)
15 mod 47 22
That is, 15 22 in Z
p32.
1 0
2
Comment: compute mod , where in binary.
1
for downto 0 do
mod
if 1
then mod
Algorithm: Square-and-Multiply( , , )c
k k
i
x n c c c c
z
i k
z z n
c
z z x
x c n
...Note: At
i.e.,
the e
mod
nd of
retu
iteratio
rn
n , .
( )
k
i
i
c
c ci
z z x n
z
z
n
x
p33.
2
2
2
2
3
2
23 10111
1
11 mod 187 11 (square and multiply)
mod 187 121 (square)
11 mod 187 44 (square and multiply)
11 mod 187 165 (square and
11 mod187
mu
Example:
b
z
z z
z z
z z
z z
2
ltiply)
11 mod 187 88 (square and multiply)z z
p34.
The RSA Cryptosystem
• RSA Encryption
• RSA Digital Signature
p35.
By ivest, hamir & dleman of MIT in 1977.
Best known and most widely used public-key scheme.
Based on the one-way property
of mo
R S
du
lar
powering:
A
assumed
The RSA Cryptosystem
1
: mod (easy)
: mod
In turn based on the hardness
(hard)
of integer factorization.
e
e
f x x n
f x x n
p36.
1
RSA
RSA
*
Encryption (easy):
Decryption (hard):
Looking for a trapdoor: ( ) .
If is a number such that 1mod ( ), then
( )
It works in group
1
.
Idea behind RSA
e
e
e d
n
x x
x x
x x
d ed n
e n
Z
d k
( ) 1 ( )
for some , and
( ) 1 .ke ed n nd k
k
x x x x x x x
p37.
1
(a) Choose large primes and , and let : .
(b) Choose (1 ( )) coprime to ( ), and
compute : mod ( ). ( .)
(c) Public ke
Key generation:
1 mod ( )
RSA Cryptosystem
p q n pq
e e n n
d nn ede
*
*
y: . Secret key: .
( ) : mod , w
( , ) ( , )
here .
( ) : mod , where .
E
ncryption:
Decryptio
n:
epk n
dsk n
E x x n x Z
D y y n y
pk n e sk n d
Z
p38.
*
* * ( )
The setting of RSA is the group , :
In group , , for any , we have 1.
We have chosen , such that 1 mod ( ),
i.e., ( ) 1 for some o
p
Why RSA Works?
n
nn n
Z
Z x Z x
e d ed n
ed k n
* ( ) 1 ( )
sitive integer .
For , . d ke ed k n n
n
k
x Z x x x x x x
p39.
*
( ) 1 ( 1)( 1) 1
*
RSA still works, but .
gcd( , ) 1 or for some .
Say . Then
0 mod
not secur
mod
By CRT,
\ ?
e
What if n n
n
ed
ed ed k n k p q
ed
x Z x n x ap x aq a
x ap
x p
x x q x x x
x
x Z Z
mod mod
( )
edx n x n x
D E x x
p40.
Select two primes: 17, 11.
Compute the modulus 187.
Compute ( ) ( 1)( 1) 160.
Select between 0 and 160 such that gcd( ,160) 1.
Say 7.
Compute
RSA Example: Key Setup
p q
n pq
n p q
e e
e
d
1 1mod ( ) 7 mod160 23
(using extended Euclid's algorithm).
Public key: .
Secret ke
( ,
y:
) (7, 187)
( , ) (23 ., 7 18 )
pk e n
e
s n
n
k d
p41.
7
23
23
23
Suppose 88.
Encryption: mod 88 mod187 11.
Decryption: mod 11 mod187 88.
When computing 11 mod187, we first
compute 11 and
d
the
o
n
ot
n
RSA Example: Encryption & Decryption
e
d
m
c m n
m c n
reduce it modulo 187.
Rather, use , and reduce intermediate
results modulo 187 whenever they g
square-a
et bigge
nd-mult
r than
iply
187.
p42.
4 16
To speed up encryption, small values are usually
used for .
Popular choices are 3, 17 2 1, 65537 2 1.
These values have only two 1's in their binary
representation.
Encryption Key
e
e
There is an interesting attack on small .e
p43.
1/4
One may be tempted to use a small to speed up
decryption.
Unfortunately, that is risky.
Wiener's attack: If
and 2 ,3
then the decryption exponent c
Decryption Key
d
nd p q
d
p
d
an be computed
from ( , ).
CRT can be used to speed up decryption.
n e
p44.
3
1 2
o1
*
m d1
Decryption:
Time: ( ).
In
mod (i.e., compute in )
mstead of computing directly,
we compute
: mod , an
d : mod
:
od
Speeding up Decryption by CRTd
n
d
d
d
O n
c c p c c
c n c Z
c n
q
m c
( ) mod ( )2 2
1
2
1 2
mod , and : mod
mod recover the plaintext by solving
mod
Time: 1 4 of the direct computation.
If ... , will speed up even
m
ore.
p d q
t
p m c q
x m p
x m q
n p p p
p45.
Attacks on RSA
p46.
Four categories of attacks on RSA:
brute-force key search
infeasible given the large key space
mathem
atical attacks
timing attacks
chosen ciphe t r
Attacks on RSA
ext attacks
p47.
1
Then ( ) ( 1)( 1) and
mod ( ) can be calculated
Factor into .
Determine ( ) directly
easily.
Equivalent to factoring .
Knowing ( ) will enable us to f
.
Mathematical Attacks
n p q
d e n
n
n
n pq
n
Determine direc
actor by solving
( 1)( 1)
If is known, can be factored
tl
with high probability.
.
( )
y
n
pq
p
d
q
n
d
n
n
p48.
A difficult problem, assumed to be infeasible.
More and more efficient algorithms have been developed.
In 1977, RSA challenged researchers to decode a
ciphertext encrypt
Integer Factorization
ed with a key ( ) of 129 digits (428 bits).
Prize: $100. RSA thought it would take quadrillion years
to break the code using fastest algorithms and computers
of that time. Solved in 1994.
n
In 1991, RSA put forward more challenges, with prizes,
to encourage research on factorization.
p49.
Each RSA number is a semiprime. (A number is
semiprime if it is the product of two primes.)
There are two labeling schemes.
by the number of decimal digits:
RSA-100, .
RSA Numbers
.., RSA-500, RSA-617.
by the number of bits:
RSA-576, 640, 704, 768, 896, , 1536, 210 .24 048
p50.
RSA-100 ( bits), 1991, 7 MIPS-year, Quadratic Sieve.
RSA-110 ( bits), 1992, 75 MIPS-year, QS.
RSA-120
332
365
3 ( bits), 1993, 830 MIPS-year, QS.
RSA-129
98
4(
RSA Numbers which have been factored bits), 1994, 5000 MIPS-year, QS.
RSA-130 ( bits), 1996, 1000 MIPS-year, GNFS.
RSA-140 ( bits), 1999, 2000 MIPS-year, GNFS.
RSA-155 ( bits), 1999, 8000 MIPS-year, GNFS.
28
4
31
465
5
RSA-16
1
0 (
2
530
576
6
bits), 2003, Lattice Sieve.
RSA- (174 digits), 2003, Lattice Sieve.
RSA- (193 digits), 2005, Lattice Sieve.
RSA-200 ( bits), 2005, Lattice
40
663 Sieve.
p51.
RSA-200 =
27,997,833,911,221,327,870,829,467,638,
722,601,621,070,446,786,955,428,537,560,
009,929,326,128,400,107,609,345,671,052,
955,360,856,061,822,351,910,951,365,788,
637,105,954,482,006,576,775,098,580,557,
613,579,098,734,950,144,178,863,178,946,
295,187,237,869,221,823,983.
p52.
*
In light of current factorization technoligies,
RSA recommends 1024-2048 bits.
If a message \ ,
RSA works, but
Since gc
d( , ) 1, the sender can factor .
Sin
c
Remarks
n n
n
m Z Z
m n n
*
e gcd( , ) 1, the adversary can factor , too.
Question: how likely is \ ?
e
n n
m n n
m Z Z
p53.
1 2
Suppose two users use the same modulus ,
and their encryption exponents and are coprime.
A message sent to them, encrypted as
Common modulus:
Miscellaneous attacks against RSA
n
e e
m
1
2
1 2 1 2
1
2
1 2 1 2
1 2
mod
and mod , is not protected by RSA:
, coprime 1 for some , .
mod mod .
e
e
re se re se r s
c m n
c m n
e e re se r s
m m m n c c n
p54.
Owners of keys ( , , ) usually do not know .
But, actually, given ( , , ), one can factor with high
probability of success.
Thus
Another problem with common modulus:
n e d n pq
n e d n
,
if tw
o RSA
So, do
users share
not use a c
the same , they can
ommon .
Also,
figure out each other's secret key (
if your is compromised, do not just
valu
change
e).
n
d
e
n
d
and . You should also change .d n
p55.
2
2
2
1mod has four solutions:
1, for some 1.
If 1mod and 1
1 0mod
| ( 1)( 1)
gcd( , 1)
If is known , we can fac (skipp )t d : eor
x n
a
a n a
a n
n a a
n a
a
d n
2
yield the factors of
Factor by looking for a nontrivial square root of 1
mod (i.e., an 1 such that 1mod ).
.n
n
n a a n
p56.
2 3 1
* 1
2
* *
2 2 2 2 2 2
For all , 1 mod .
Write 1 2 , where is odd. (So, 1mod )
Pick any . (What if \ ?)
Compute , , , , , , , ,
u
s
t st
edn
s r
n n n
r r r r r rr
w Z w n
ed r r w n
w Z w Z Z
w w w w w ww
1
2
2 2
ntil we find the first 1mod for some .
If 0, let mod . Then 1mod , and 1.
If 1, then is a nontrivial square root o
f 1 mod .
Otherwise (i.e., 0 or 1),
t
t
r
r
w n t
t a w n a n a
a n a n
t a n
try another .w
p57.
A message sent to users who employ the same
encryption exponent is not protect
ed by RSA.
Say, 3, and Bob sends a message to three
re
Low encryption exponent attack
m e
e
e m
1 2 3
1 3
1 2 3
3 3 31 2
3 3
2 3
3
cipients encrypted as:
mod , mod , mod .
Eve intercepts the three ciphertexts, and recovers :
mod , mod , mod .
B
y
T
CR
c n c n c n
m
m c n m c n m c n
m m m
31 2 3 1 2 3
3 3 31 2 3
, mod for some .
Also, . So, , and .
m c n n n c n n n
m n n n m c m c
p58.
Recall: ( , ), ( , ), and ( ) mod .
One may be tempted to use a small to speed up
decryption. Unfortunately, that may be risky.
Wiener's low decryption exponent attack:
dskpk n e sk n d D c c n
d
1/ 43 and
The decryption exponent can be computed
from ( , ) if .
(Before Wiener's attack, the condition 2 often
held in practice.)
2d n p q p
d
n e
p q p
p59.
1 1 2
2
3
Continued fraction :
1 [ , ,..., ]
11
Any (positive) rational number can be expressed
as a continued fraction, called its continued fraction
expansion.
Convergents of [
m
m
q q q qq
a b
q
1 2 1 1 2 1 2 3
1 2 1 2
, ,..., ] : [ ], [ , ], [ , , ],
[ , ,..., ]. (This sequence converges to [ , ,..., ].) m
m m
q q q q q q q q
q q q q q q
p60.
34 1 Example: 0 [0,2,1,10,3]
199 21
11
103
Obtained from Euclidean algorithm:
34 99 34, 99 34 31, 34 31 3,
31 3 1, 3 1
Convergents of [0,2,1,1
0 2 1
10 3
0,3]:
[0], [0,2], [0,2,1]
, [0,2,1,10], [0,2,1,10,3]
p61.
1/4
2
1 Theorem. If , wheregcd( , ) 1,
2
then equals one of the convergents of the continued
fraction expansion of .
For RSA, ( ) 1 for some . So, .( )
If an 3
ac d
b d
a b
e e ted t n t
n n d
c
d
c d
d n
2
1 then .
2
So, equals one of the convergents of . Check the
convergents one by one to find the right one
d ,
.
2
e t
n d d
t d
p q p
e n
p62.
If the message space is small. The adversary can
encrypt all messages and compare them with the
intercepted ciphertext.
This attack is snot p
Small message space attack:
ecific to RSA.
p63.
Paul Kocher in mid-1990’s demonstrated that a snooper
can determine a private key by keeping track of how
long a computer takes to decipher messages.
RSA decryption: mod .
Timing Attacks
dc n
Countermeasures:
Use constant decryption time
Add a random delay to decryption time
modify the ciphertext to
Blin and computeding
mod .
:d
c c
c n
p64.
RSA encryption has a homomorphism property:
RSA( ) RSA( ) RSA( ).
To decrypt a ciphertext RSA(
):
Generate a random
messag
e .
Encrypt
Blinding in Some of RSA Products
m
m r m r
c m
r
1
as RSA( ).
Multiply the two ciphertexts: RSA( ).
Decrypting yields a value equal to .
Multiplying that value by yields
N
.
ote: all calculations are
done in
r
m r
r c r
c c c mr
m
Z
c mr
r
* (i.e., modulo ).n n
p65.
Based on RSA's homomorphism property:
RSA( ) RSA( ) RSA( )
Assume Eve has acess to a decryption oracle.
The attack:
Given : RSA( ),
A chosen-ciphertext attack
m r m r
c m
*
Eve wants to know
She computes RSA( ) for an arbitrary .
Now, presenting RSA( ) RSA( ) RSA( )
to the Oracle, she obtains , from which she can
?
nr r Z
m r m r
m r
m
1 compute ( ) . m m r r
p66.
Padded RSA
p67.
We have seen many attacks on RSA.
Also, RSA is deterministic and, therefore, not CPA-secure
(i.e., not ciphertext-indistinguishable against CPA).
We wish to make RSA secure
Security of RSA
against CPA and
aforementioned attacks.
The RSA we have described so far is called:
RSA primitive, plain RSA, or textbook RSA
p68.
Encryption: ( ) RSA( ) ( ) mod ,
where is a random string.
Thus, Padded-RSA( ) RSA( ) for some random .
Secure against many of aforementioned attacks.
Theorem: Padd
Padded RSAe
pkE m r m r m n
r
m r m r
ed RSA is CPA-secure if log .
Padded RSA was adopted in PKCS #1 v.1.5.
m O n
p69.
PKCS: ublic ey ryptography tandard.
Let ( , , ) give a pair of RSA keys.
Let in bytes (e.g., 216).
To encrypt a message :
pad so
P K C S
that 00 0
Padded RSA as in PKCS #1 v.1.5
n e d
k n
m
m
k
m
2 00 ( bytes)
where 8 or more random bytes 00.
original message must be 11 bytes.
the ciphertext is : RSA mod .
In 1998, B
leichenbacher published a chosen-ciph
e
r k
r
m k
c m m
m
n
ertext
attack, forcing RSA to upgrade its PKCS #1 to v.2.
p70.
A message is called if it has the
specified format:
00 02 padding string 00 original message.
PKCS #1 implementations usually
PKCS conforming
Bleichenbacher's chosen-ciphertext attack
1
1
send you (sender)
an error message if RSA ( ) is PKCS conforming.
It is just like you have an Oracle which, given , answers
whether or not RSA ( ) is PKCS conforming.
Bleich
not
enbacher'
c
c
c
s attack takes advange of such an Oracle.
p71.
*
Given RSA( ), Eve tries to find .
(Assume is PKCS conforming.)
How can the Oracle help?
Recall that RSA is homomorphic:
RSA( ) =RSA
( ) RSA( ) (computated i
n
)
n
c m m
m
a b a b Z
*
*
Given RSA( ), Eve can compute RSA( ) for many .
She then asks the Oracle,
Is PKCS conforming?
(That is, is PKCS conforming?)
Why is this
f
mod
in
n
n
m m
ms Z
n
s s Z
ms
o useful?
p72.
8( 2) 8( 2)
8( 2) 8( 2)
Recall PKCS Format ( bytes):
00 02 padding string 00 original message
Let 00 01 0 2 (as a binary integer)
Then,
2 00 02 0 and 3 00 03 0 .
If is PKCS c
o
k k
k k
k
B
B B
m
mod
mo
nforming 2 3 .
If, in addition, is PKCS con
d
forming
2 3
2 3 for some
2 3 for some
m
ms n
ms n
ms
m
B B
B B
B tn B tn t
B s t n s B s t n s t
p73.
• • •
• • •
0 n 2n 3n 4n
ns
2B 3B
If is PKCS conforming is in the blue area.
If is also PKCS conforming
is in the blue area
is in the red areas
is in the red lines.
Thus, is in the red line
mod
s
m
o
o
d
f t
m m
ms n
ms n
ms
m
m
he blue area.
p74.
blue area
Let's focus on the blue area, (2B, 3B).
If is PKCS conforming is in the .
If is also PKCS conforming
mod
red areas/is in
If is also PKCS conforming
mod
line
s
ms
ms n
m
m
m
m
n
purple areas/line is in
So, blu purplre e d
s
em
2B 3B
p75.
1 2 3
1
So, starting with the fact that is PKCS conforming,
Eve finds a sequence of integers , , , ... such that
2 and
mod is PKCS conforming.
To find , ra n
i i
i
i
m
s s s
s s
ms n
s
1domly choose an 2 , and ask the oracle
whether is PKCS conforming. If not, then
try a different .
This way, Eve can repeatedly narrow down the area
containing , and even
d
mo
tu
i
ms
s
m
n
s
s
1 2 3
ally finds .
For having 1024 bits, it takes roughly 1 million accesses
to the oracle in order to find , , , ...
m
n
s s s
p76.
CCA-Secure RSA in the Random Oracle Model
p77.
There are CCAs that only require the oracle to reveal
partial information about the plaintext such as:
whether the plaintext is PKCS conforming
whether the plai
Protecting Every Bit
*
ntext is even or odd
whether the plaintext is in the first half or the
second half of (i.e., / 2 or / 2?)
It is desired to protect every bit (or any partial informa ion t )
n
n
x Z
Z x n x n
of the plaintext.
p78.
Message padding: not or ,
but , where is a random.
As such, however, there is a 50% overhead.
So, we wish to use a shorter bit string .
Besides, shoul
OAEP: basic idea
m r r m
m r r r
r
r
d be protected, too.
This leads to a scheme called ptimal symmetric
ncryp can be appliedtion adding ( ). It
t other tr
O A
E P O
apdooo RSA r fun a ct
AE
id .
P
n ons
p79.
Choose , ( ) s.t. = . ( , RSA modulus).
:{0,1} {0,1} , a pseudorandom generator.
:{0,1} {0,1} , a hash function.
To encrypt a block of bits :
1. choose a
Encryption.
rand
OAEP
k l
l k
k l k l k l n n
G
h
m l
om bit string {0,1} .
2. encode as : ( ( ) ( ( )))
(if , the message space of RSA, return to step 1).
3. compute the ciphertext : ( ).
: ( ) . Decryption:
k
n
pk
sk
r
m x m G r r h m G r
x Z
y E x
x D y a b
( ) .m a G b h a
p80.
OAEP is adopted in current RSA PKCS #1 (v. 2.1).
A or scheme, not an encryption scheme.
Intuitively, with OAEP, the ciphertext
p
ad
would not reveal any
inform
ding
atio
encoding
Remarks on OAEP
n about the plaintext if RSA is one-way and
and are
A slightly more complicated version of OAEP, in which
truely random (r
( 0 ( ) ( 0 ( ))),
has b
andom oracles).
e
k k
h G
x m G r r h m G r
en proved CCA-secure in the model
(i.e., if , are random oracles.)
In practice, hash functions such as SHA-1 are
ra
u
ndom ora
sed for
cl
e
, .
G h
G h
p81.
A mathematical model.
A random oracle may be thought of as a server that
keeps an initially empty table and, upon a query
if contains an entry ( , ), returns
Random Oracle
T x D
T x y y
A random oracle (with domain and range
otherwise, returns a random value
) is a
black box that implem
and
ents a ra
stores ( , )
ndom functio
in .
(Note: we
:
r
.
n
y R
x y T
D R
h D
h
R
efer to the function by the oracle's name.)
The only way to know ( ) is to ask the oracle.h x
p82.
Let be the set of all functions from to .
Any randomly selected function is called
random function a (from
random
to ).
A imple oracl ments ae ra
Random Oracle vs. Random Function
u
H D R
h H
D R
ndom function
without revealing the identity or anything of ,
except that it is willing to tells ( ) when asked.
Suppose each is stored in a file as a table.
Alice and Bob agree
h
h
h x
h H on a random .
Alice and Bob agree on a ran
function
or acdom .le
h
h
p83.
Random oracle is a mathematical model.
No practical way known to implement a random oracle.
The "server" implementation is impractical
Is it useful to
Is the random oracle model useful?
some scheme is secure in the
random oracle mode
prove that
?
It's controversial, but more "for" than "again "
l
st.
p84.
Digital Signatures
p85.
RSA (or any trapdoor one-way function ) can be used for
digital signatures.
Digital signature is the same as MAC except that
the tag (signature) is produced using the s
Digital Signatures
f
ecret key of a
public-key cryptosystem.
Message m MACk(m)
Message m Sigsk(m)
p86.
Digital signature:
1. Bob has a key pair ( , ).
2. Bob sends Sig ( ) to Alice.
3. Alice verifies the received
by checking if Verify ( )?
Sig ( ) is calle sd ignaa
sk
pk
sk
sk pk
m m
m s
s m
m
.
Security requirement: infeasible to produce a valid
pair ( , Sig ( )) withou
ture f
t know
or
ing
.skm m sk
m
p87.
MCE D
PKBob SKBob
Alice Bob
M
M SE D
PKBob SKBob
Alice Bob
Verify the signature Sign
Encryption (using RSA):
Signing (using RSA-1):
E(S)=M?
p88.
*
are generated as for RSA encryption:
Public key: . Secret key: .
a message
Keys
Signi : ( ) mod .
T
( ,
ha
)
t
( , )
ng
Basic RSA Signature
dn sk
pk
m
n e
Z
sk n d
D m m n
1is, RSA ( ).
a signature ( , ) :
check if ( ) mod , or RSA( ).
Verifying
epk
m
m
m E n m
p89.
As in RSA encryption, ( ) , for all .
A signed message ( , ) produced by Bob using
his will be verified and accepted.
Remarks:
Correctness
Basic RSA signature i t
:
s he
nE D m m m Z
m
sk
reverse of basic RSA
encryption.
Secure RSA signature is the reverse of secure
RSA encrypt
not
ion.
p90.
1
1 2 1 2
1. Every message is a valid signature of its ciphertext
, since RSA ( ) .
2. If Bob signed and , then the signature
Existentially forgeable:
for
can be easil
m
c c m
m m mm
1 2 1 2y forged: ( ) ( ) ( ).
( ( )), using some
hash then s
collision-resistant hash
fu
ign (HTSRemedy:
nct
ion
)
.
:
sk
mm m m
D h m
h
p91.
Does hash-then-sign make RSA signature secure
against chosen-message attacks?
Question:
Answer:
random oracle
Yes, is a i.e.,
is a
all
if full-
random or
d
a
,
cle mapping {0
omainh
h
*,1}
( is the full domain of RSA)n
n
Z
Z
p92.
1 1
1 1
1
RSA RSA1 1 1 1 1
RSA RSA
RSA
Forger
( ) ( ) ( )
( ) ( ) ( )
( )
Basic RSA signature Hash-then-si
y
gn
:
Chosen-mesage attacks on
h
hk k k k k
m m m h m m
m m m h m m
m m
1RSA ( ) ( )
hm h m m
p93.
1
Theorem: is secure
against any chosen-message attack under the random
F
We will show RSA Chosen-message attack.
Thus, assume a polynomial-time probab
ull-domai
oracle mod
n hash RSA signature
e
i
l.
1 *
listic chosen-
message forger with non-negligible success probability.
We will design a polynomial-time algorithm that
computes RSA ( ) for with non-negligible success
probabiln
F
y
A
y Z
ity, by calling .
This contradicts the RSA one-way assumption.
F
p94.
, the forger, having access to a random oracle and a
hash-then-sign oracle , works as follows.
requests ( ) and/or Sig( ) for various messages
and then produces a forgery
( , ) :
i i i
F h
Sig
F h m m m
m
1
1
1
RSA0 1 1
R
RSA
SA
( )
( )
( )
Forgery:
( ) h
h
ht t
hk k k
h m m
h m
h m
m
m m
m
h
p95.
1 2
If is able to produce a valid signature for , it must be
one of the two cases:
,
Why?
Are we able to say the same if is not a ra
, ,
a pure fluke (
ndom ora
)
cle
?
ifk
F m
m M m
h
m m
m M
p96.
1Algorithm ( , , )
0. Let be the max number of queries may make to
the random oracle; is bounded by the running time
//compute RSA ( ) by call
of .
1. Randomly choo
ing //
se signatures
A N e y
k F
k F
k
y F
*1 2
1 2 1
, , , ;
compute RSA( ) mod , 0 ;
randomly replace one of them, say , by
adaptively
.
2. Run algorithm (which prepares up to
messages , , , ; requests ( )
k N
ei i i
t
k
Z
h N i k
h y
F k
m m m h m
2, ( ), , ( );
requests ( ) for polynomial times).
3. Whenever asks for ( ), give it . Thus, for ,
if ( )
otherwise
k
i i
ii
h m h m
Sig m
F h m h F
y i th m
h
p97.
1
1
1
1
1
RSA
RSA1 1 1
RSA
Algorithm (to compute RSA ( )) :
Forgery:
RSA( )
RSA(
)
k k
t
h
k
h
t
hk
h
m
h
y
h
A
m
y
m
y
m
p98.
*
4. Whenever asks for ( ),
if , , give it ;
if , return("failure");
if for all 1 , give it a random value in .
// didn't ask for ( ) but now
i i
t
i N
F Sig m
m m i t
m m
m i k Z
F mh
m
1 1
asks for ( ) //
5. If returns a valid forgery ( , ) with ,
then return( ) // RSA ( ) RSA ( )//
else return("failure")
t
t
Sig
F m m m
h m y
m
p99.
1 ( )
1
Let { , ..., }, queries to random oracle .
successfully computes RSA ( ) if and only if
forges a valid ( , ) and .
Pr forges a valid
Analy
( ,
sis:
) wi
k n
t
M m m h
A y
F m m m
F m
th
Pr forges a valid ( , ) with
Pr |
1 (non-negligible( ))
( )
non-negligible( ), where |N|.
t
t
m m
F m m M
m m m M
nk n
n n
p100.
160
In practice, is full-domain.
For instance, the range of SHA-1 is {0,1} ,
while 0,1,...,2 1 , wi
Problem with full-
th 1024.
domain hash:
Desired: a sec
no
ure signature scheme
t
nn
h
Z n
that does not
require a full-domain hash.
p101.
*
pad
Hash function :{0,1} {0,1} (not full domain).
| |. (E.g., SHA-1, 160; RSA, 1024.)
Idea:
Probabilistic signature schemel
Nh Z
l n N l n
m m r
*
hash
expand 1
si
1
gn 1
{0,1}
( ) {0,1}
( ) {0,1}
RSA ( )
(
)
0n l
l
nkr
w h m r
y w G w
y
1
where {0,1}
: {0,1} {0,1} (pseudorandom generator)
N
k
l n l
Z
r
G
p102.
*
11 2 2
1
a message {0,1} :
1. choose a random {0,1} ; compute ( );
2. compute ; /
Si
/ //
3. The signature is RSA ( ).
a signature ( , ) :
gning
Verifying
( ) )
(
c
k
y w r
m
r w h m r
GG w
y
G w G G
m
2 1
ompute RSA( ) ;
check if ( ), ( ( )).
w t u
u G w w h m t G w
p103.
PSS is secure against chosen-message attacks in the
random oracle model (i.e., if and are random oracles).
PSS is adopted in PKCS #1 v.2.1.
Hash functions such as SHA-1
Remarks
are used f
h G
1 2
or and .
For instance,
let 1024, and 160
let = SHA-1
( , )( ) ( ) ( 0) ( 1) ( 2), ...
h G
n l k
h
G G w G w h w h w h w
p104.
Generating large primes
To set up an RSA cryptosystem,
we need two large primes p and q.
p105.
1 2
1 2
Infinitely many.
First proved by Euclid:
Assume only a finite number of primes , , , .
Let 1.
is not a prime, bec
•
•
aus• e
How many prime numbers are there?
n
n
i
p p p
M p p p
M M p
, 1 .
So, is composite and has a prime factor for some
| |1 contradiction.
• i
i i
i n
M p i
p M p
p106.
*,
Let ( ) denote the number of primes . Then
( ) for lar
The Prime
ge .ln
For , let ( ) denote the num
Number Theorem:
Dirichlet' bes Theorem : r
Distribution of Prime Numbers
n n b
x x
xx x
x
b Z x
,
of primes such that and mod . Then,
1 ( ) for large .
ln ( )n b
y y x y b n
xx x
x n
p107.
Generate a random odd number of desired size.
Test if is prime.
If not, discard it and try a different number.
Q: How many numbers are expected to be
How to generate a large prime number?
n
n
tested before
a prime is found?
p108.
12
10.5
Can it be solved in polynomial time?
A long standing open problem until 2002.
AKS(Agrawal, Kayal, Saxena) : log .
Later improved by others to log ,
Primality test : Is a prime?
O n
O n
n
6
3
and then
to log .
In practice, Miller-Rabin's probabilistic algorithm is still
the most popular --- much faster, log .
O n
O n
p109.
*
*
Looking for a characteristic property of prime numbers:
is prime
is prime , ( )
is
wha
pri
t?
me , ( )
Miller-Rabin primality test : Is a prime?
n
n
n
n a Z P a true
n a Z P a t
n
*
*
not prime elements , ( )
Check ( ) for random elements .
If ( ) all true, then return "prime"
else return "composite.
n
n
rue
a Z P a false
P a t a Z
P a
k
*
"
A "prime" answer may be incorrect with prob ( , ).
1 1 If
,
then ( , )
2
.2
n t
p k t
k Z p k t
p110.
*nZ
*If is prime, then for all , ( ) is true.nn a Z P a
( )P a true
p111.
*nZ
*
not prime strong witnesIf is , then there are
which are elements s.t
ses
( ) .n P a
n
ea Z fals
( )P a true
p112.
1
* 1
Looking for ( ) :
How about ( ) 1 mod ?
Fermat's little theorem:
If is prime , 1 mod .
If is not prime maybe no strong witnesses.
(
n
nn
P a
P a a n
n a Z a n
n
1 *
1
composite numbers
for which 1 mod .)
Need to refine
Ca
the conditio
rmichael number
n 1 mod .
s :
nn
n
n
a n a Z
a n
p113.
*
* 2
Fact: if 2 is prime, then 1 has exactly two square
roots in , namely 1.
Write 1 2 , where is odd.
If is prime
, 1 mod (Fermat's little theorem)
k
n
k
un
n
Z
n u u
n
a Z a n
2 1
2
*
2 2 2 2
1 mod ( )
1 mod for some ,
, ( ) , where
Why? Consider the sequence
, ,
, ,
0
o
1
1
,
ri
k k
n
u u u u u
u
u
a nP a
a n i i k
a Z P a true
a a a a a
p114.
*
If not prime strong witnesses always exist
Loosely speaking, :
If is an odd composite and not a prime power, then
of the
e
le
?
yes
at le menast one ts are strong
hal
f
n
n
n
a Z
*
witnesses.
As mentioned earlier, given a number ,
randomly pick and check ( ).
If is a strong witness, then return "composite"
n
n
a Z P a
a
else return "prime."
A "prime" answer may be incorrect with probabili ty . 1 2
p115.
prime power
perfect po
A composite number is a if for
some prime and integer 2. (A if
Theo
we
re
for some integer and 2.)
If is an odd composite a
r
nd not a prm: ime p
e
e
n n p
p e
n k k e
n
*
* *
ower,
then of the elements are strong
witnesses.
Idea of Proof: The set of -strong witnesses
forms a proper subgroup of . So, ord
at least on
( ) ord( ) and
or
e a
( )
l
d
h f n
n n
a Z
A
Z A Z
non
A
* *1| ord( ). So, ord( ) ord( ).
2n nZ A Z
p116.
Input: integer 2 and parameter
Output: a decision as to whether is prime or
if is even, return "composit
composite
1. e"
if is a per2
. fect
Algorithm: Miller-Rabin primality testn t
n
n
n
power, return "composite"
for : 1 to do
choose a random integer , 2 1
if gcd( , ) 1, return "composite"
if is a strong witness, ret
3
urn "com
. i t
a a n
a n
a
posite"
return ("pri4. me")
p117.
If the algorithm answers "composite", it is always correct.
If the algorithm answers "prime", it may or may not be correct.
The algorithm gives a wrong answ
Analysis: Miller-Rabin primality test
er if is composite but
the algorithm fails to find a strong witness in iterations.
This may happen with probability at most 2 .
Actually, at most 4 , by a more sophisticated analysis.
t
t
n
t
p118.
A is a probabilistic algorithm
which always gives an answer
but sometimes the answer may be inco
Mo
rr
nte
ect.
Carlo a
A
lgorithm
Monte Carlo algorithm for a decisi
Monte Carlo algorithms
on problem is
if its “yes” answer is always correct but a “no” answer may
be incorrect with some error probability.
A -iteration Miller-Rabin is a “composite”-biased Mon
yes-bias
te Carl
ed
o
t
algorithm with error probability at most 1 4 .t
p119.
A is a probabilistic algorithm
which may sometimes fail to give an answer
but never gives an incorrect
Las Ve
one
gas algori
A Las Vegas algorithm can be conver
thm
Las Vegas algorithms
ted into a
Monte Carlo algorithm.
p120.
* *, ( , )
RSA : , , where
: ( , ) | , primes, 0 ( )
RSA family:
RSA assumption
, prime to ( ) .
Let : ( , ) | , | | | | , with .
For any pr
:
o
RSA Assumption
en e n n n e I
k
Z Z x x
I n e n pq p q e n e n
I n e I n pq p q k k
1 *,
babilistic polynomial-time algorithm ( , , ),
there is a negligible function negl( ) such that
Pr ( , , ) RSA ( ) : ( , ) , negl( ).n e u k u n
A n e y
k
A n e y y n e I y Z k
p121.
Let be a key (index) set with security parameter .
Let : be a family of functions between
finite sets and .
Let be a proba
Formal Definition of One-Way Functions
k k
i i i i I
i i
I I k
f f D R
D R
K
bilistic polynomial-time sampling algorithm
for , which on input 1 outputs .
Let be a probabilistic polynomial-time sampling algorithm
for that on input outputs .
(We m
kk
i ii I
I i I
X
D D i x D
ay allow and to fail or make errors with negligible
probability.)
K X
p122.
is a family of one-way functions (or, for short, a one-way
function) with key generator and domain sampling algorithm
if and only if
can be computed by a polynomial-time algorithm
f
K
X
f
( , ).
is not invertible by any polynomial-time algorithm. That is,
for every probabilistic polynomial-time algorithm ( , ),
there is a function negl( ) such that
Pr ( ,
F i x
f
A i y
k
A i
1) ( ) : 1 , ( ), : ( )
negl( ).
ki iy f y i K x X i y f x
k