Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1
|
|
- Mary Marian McDowell
- 6 years ago
- Views:
Transcription
1 Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
2 RSA history Public-key system introduced in 1978 by Rivest, Shamir and Adleman from left to right : Adleman, Shamir and Rivest Based on the diculty to factor numbers, eg = = Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
3 RSA keys Private key p and q two large prime numbers (with some conditions) An integer d coprime to (p 1)(q 1) These data are strictly condential Public key n = p q e the inverse of d modulo (p 1)(q 1) (ie an integer such that e d = 1 mod (p 1)(q 1)) These data are public and must be divulged The public key is easy to deduce from the private key (extended euclidean algorithm) but given e and n, it is very dicult to recover d, p or q Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
4 RSA Encryption/Decryption We assume that B wants to send a message m (which is an integer in the range [1, n]) to A Encryption B gets (on A's web page or on the Certication Authority server) n and e which compose A's public key B computes the ciphertext c = m e mod n B sends c to A Decryption A recovers the plaintext m computing c d mod n A (and its government because of key escrow) is the only person able to decrypt c since nobody else knows or can compute d One-way function : x x e mod n Trapdoor : d Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
5 Mathematical tools for the proof of RSA Euler's theorem Let ϕ(n) denote the number of integers in [1, n] coprime to n. Let a be an integer coprime to n. We have a ϕ(n) = 1 mod n n = p, with p prime a p 1 = 1 mod p (Fermat's little theorem) n = pq, with p, q prime a (p 1)(q 1) = 1 mod n Chinese remainder theorem (CRT) Let m 1 and m 2 be coprime integers. Let a 1 and a 2 be integers. The system { x = a 1 mod m 1 x = a 2 mod m 2 has exactly one solution modulo m 1 m 2 which is a 1 n 1 m 2 + a 2 n 2 m 1 where n 2 is the inverse of m 1 modulo m 2 and n 1 is the inverse of m 2 modulo m 1 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
6 RSA proof We want to prove that c d = m ed = m mod n RSA proof if m coprime to n e is the inverse of d mod (p 1)(q 1) ed = 1 + k(p 1)(q 1) for some integer k. Thus m ed = m 1+k(p 1)(q 1) = m Conclude using Euler's theorem (m (p 1)(q 1)) k RSA proof if m not coprime to n (eg q divides m) We have trivially m ed = m mod q (both are 0) Fermat's little theorem implies that m ed = m mod p { x = m mod p So the equation x = m mod q has m and med as solutions. CRT m = m ed mod pq Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
7 Ecient decryption It is possible to speed up decryption using p and q Usual decryption : computes c d mod n Ecient decryption Speed-up Compute c d = c dp mod p with d p = d mod p 1 Compute c q = c dq mod q with d q = d mod q 1 Recover c d mod n using chinese remainder theorem p is half the length of n. Simple implementations of multiplication take quadratic time multiplication modulo p is 4 times faster than modulo n. d p is half the length of d computing c dp mod p is 8 times faster than computing c d mod n. The running time of the last CRT step is negligible. Overall decryption time is reduced by a factor of 4. Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
8 Ecient implementation : exponentiation algorithms Both for encryption and decryption, modular exponentiation is the central operation We assume that algorithms for modular multiplication are known Not the subject of this course Can be found in books given in bibliography or in Knuth's Art of Computer Programming vol. 2 Provided by numerous, very ecient multiprecision libraries (as GMP) Naive method g e = g g g g requires e 1 multiplications exponential complexity in the size of the exponent Binary methods Based on binary representation of the exponent linear complexity in the size of the exponent Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
9 Square and multiply method It is clear that g 2s left-to-right square and multiply can be obtained with only s squarings Given g and e = (e t 1 e 0 ) 2, the following computes g e h 1 and i t 1 while i 0 do return h h h 2 if e i = 1 then h h g i i 1 Proof : Related to Horner's rule Very old method (more than 2000 years) Very ecient (t squarings and t multiplications in average) 2 Often the only one given in books Impossible to reduce the number of squarings Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
10 2 k -ary method Example in base 4 : 00 ( ) 2 h 2 = h 4 01 ( ) 2 h 2 g = h 4 g 10 ( 2 h g) 2 = h 4 g 2 11 ( 2 h g) 2 g = h 4 g 3 Left-to-right 2 k -ary (or window method with window size k) Precompute g i = g i for i [1, 2 k 1] h 1 and i t 1 while i 0 do return h h h 2k h h g (ei e i k+1 )2 i i k Precomputations can be divided by 2 Requires around t(2k 1) multiplications in average k 2 k Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
11 Sliding window method Idea : skip consecutive zeros Exemple : 334 = ( ) 2 3 multiplications with 2 3 -ary Example : 334 = ( ) 2 only 2 multiplications required Sliding window method with window size k Precompute g 3, g 5, g 7,, g 2k 1 h 1 and i t 1 While i 0 do return h Requires around if e i = 0 then h h 2 and i i 1 else s max(i k + 1, 0) while e s = 0 do s s + 1 repeat i s + 1 times h h 2 h h g (e i e s ) 2 i s 1 t multiplications k+1 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
12 Recoding the exponent coding exponent with many zeros less multiplications Example 31 = (11111) 2 but 31 = (100001) (with 1 = 1) g 31 = g 32 g 1 : faster if g 1 precomputed Denition : w-naf Every integer e has a unique representation e = t 1 e i=0 i 2 i where each e i is zero or odd e i < 2 w 1 among any w consecutive coecients, at most one is nonzero Example above is with w = 2 Exponentiation algorithms must be adapted Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
13 Recoding the exponent w is such that w bits are necessary to represent all coecient Example : w = 3 e i < 2 2, 7 possibilities for e i Algorithm to compute w-naf expansion is very easy Computation of the w-naf expansion of e i 0 While e > 0 do if e is odd then e i e mod 2 w e e e i else e i 0 e e/2 and i i + 1 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
14 Key generation What do we need? Find two large prime numbers p and q Find an integer d coprime to (p 1)(q 1) easy : compute gcd(d, (p 1)(q 1)) Find the inverse of d modulo (p 1)(q 1) easy : ext eulidean algorithm How can we nd large prime numbers Pick random numbers until nding a prime number requires primality tests The number of prime numbers less than n is known to be around n/log(n) (prime number theorem) Primality tests are relatively slow Compositeness tests are faster but do not prove primality Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
15 Compositeness tests : Fermat's test Based on the Fermat's little theorem : if p prime then a p 1 = 1 mod p Fermat primality test of n Repeat several times Choose a random integer a [2, n 2] Compute r = a n 1 mod n If r 1 then return "composite" If the n succeed this test, it might be prime Unfortunately, there exists an innite number of composite numbers that succeed Fermat's test for every a (Carmichael numbers). Hopefully, they are very rare Most of compositeness test or primality test are based on analogs of Fermat's test but use more complicated mathematical tools than Z/pZ Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
16 Compositeness tests : Rabin-Miller test Modication of Fermat's little theorem Let p be a prime number, a an integer coprime to p. Denote s the largest integer such that 2 s divides p 1 and d = p 1, then 2 s either a d = 1 mod p or r [0, s 1] with a 2r d = 1 mod p An integer which does not verify one of these properties is said to be a witness for the compositeness of n Central theorem If n is composite, there are least 3(n 1) 4 witnesses for its compositeness Consequences No Carmichael-like numbers It's bad luck if a random choice of a do not provide a witness If the property is satised for more than n 1 values of a, n is proved 4 to be prime Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
17 Miller-Rabin test of n Write n 1 = 2 s d with d odd and repeat t times Choose a random integer a [2, n 2] Compute y = a d mod n If y ±1 then do r 1 while r < s and y 1 do y y 2 mod n r r + 1 If y 1 then return "composite" Return "prime with an error probability less than 1 4 t " Probabilistic Very ecient Considered as sucient for common cryptographic use (only 1 chance over to mistake with t = 20 in theory, even better in practice) Do not prove the primality (in polynomial time) Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
18 Primality test or primality proving There exists very fast algorithms for specic numbers (Mersenne numbers, n such that n 1 can be factored) but no interest in cryptography Jacobi sum test ECPP AKS Uses an analog of Fermat's little theorem in cyclotomic ring Probabilistic with almost polynomial complexity (O(log(n) c log(log(log(n))) )) Uses ellitic curves Probabilistic algorithm with polynomial complexity (O(log(n) 4 )) Provide a "certicate of primality" which can be easily veried Uses polynomial analog of Fermat's little theorem Proves that primality P (Deterministic polynomial complexity) Inecient in practice even if O(log(n) 4 ) Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
19 RSA and Factorization The main attack of RSA is factorization of n Brute force Try to divide n by all integers smaller than n Eratosthene sieve If 2 does not divide n, it is not necessary to test even numbers Quadratic sieve (QS) Use quadratic number elds (from number theory) to nd x and y such that x 2 = y 2 mod n gcd(x y, n) divides n Subexponential complexity : e log(n) 1 2 log(log(n)) 1 2 Number eld sieve (NFS) Generalisation of QS using higher degree number elds to nd x and y Subexponential complexity : e ( 64 9 ) 1 3 log(n) 1 3 log(log(n)) 2 3 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
20 RSA and Factorization : the p 1 method smooth numbers An integer s is said to be B-smooth if q α s with q prime, q α B. Assume p n with p 1 B-smooth and let a be an integer coprime to p If k = q α then a k 1 = 0 mod p q α B gcd(a k 1, n) is a factor of n Pseudo-algorithm Choose a reasonnable bound B pick a random a and compute b = a k 1 mod n Compute g = gcd(b, n) If g 1 return g If g = 1, choose a larger B or cancel Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
21 RSA and Factorization : the Pollard-ρ method Let u k+1 = f (u k ) mod n be a random walk. Idea : if p n and u i = u j mod p, then gcd(u i u j, n) is a factor of n Algorithm Repeat the following Compute u k+1 = f (u k ) mod n Compute g = gcd(u k+1 u i, n) i k If g 1 return g Drawback : requires a lot of memory and gcd computations. Variant (Floyd cycles) Stock only the u k such that k = 2 a. Much less memory and gcd computations (log(i) instead of i) Only double the number of steps O( (p) steps are necessary Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
22 RSA and Factorization History of RSA factorization Using NFS (number eld sieve) Size (in decimal digits) of n Date of factorization Much faster than Moore's law algorithm improvements Here are p and q for the last one p= q= Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
23 RSA and Factorization History of RSA factorization Using NFS (number eld sieve) Size (in decimal digits) of n Date of factorization Much faster than Moore's law algorithm improvements Lot of progress in factorization : is RSA really secure? Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
24 RSA and factorization Solving factorization Solving RSA What about? We don't know but we know that Finding p and q nding d Again, is trivial, but is not : k = ed 1 multiple of (p 1)(q 1) g Z/nZ we have g k = 1 g k/2 is a square root of 1 There are 4 square roots of 1 in Z/nZ : 1, -1 and x and x such that { x = 1 mod p x = 1 mod q If g k/2 = ±1 then choose another g else gcd(x 1, n) gives a factor of n. For a random chosen g there is 1/2 chance that g k/2 = ±1 very fast Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
25 Choice of p and q Pollard p 1 If p 1 is B-smooth, factorization is easy p and q too close We have trivially that (p + q) 2 /4 n = (p q) 2 /4 Let x be the rst integer greater than n If x 2 n is a perfect square y 2 then p = x + y and q = x y else x x + 1 Central idea of sieving methods for factorization (nd such equality not in Z but in more complex rings (number elds)) In practice random prime numbers are never weak for these attacks Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
26 Small encryption exponent e For eciency of public key operations (encryption, signature verication), it is attractive to choose e as small as possile : e = 3 Attack on e = 3 Assume A wants to send the same message m to 3 dierent persons (with 3 dierent public moduli n 1, n 2 and n 3 ) who choose e = 3. Of course m < n i An eavesdropper Eve can observe c i = m 3 mod n i and can easily solve the system x = c 1 mod n 1 x = c 2 mod n 2 x = c 3 mod n 3 Hence Eve knows m 3 mod n 1 n 2 n 3 (unicity of the solution). But m 3 < n 1 n 2 n 3 as an integer Eve knows m 3 It is then easy to recover m by taking the (real) third root of m 3 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
27 Protection against small exponent attacks Trivial protection Take a random public exponent (ie a large one) Never send the same message to dierent persons Not satisfactory In practice we want a small public exponent Use e = = is a good compromise Good performance (50 times faster than random exponent) and very rare to send the same message to so many people Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
28 Protection against small exponent attacks Use a padding of the message For each n i, modify the message m so that all sent plaintext are dierent. But sensitive to attacks using the so called Coppersmith's theorem Sending f 1 (m), f 2 (m) and f 3 (m) where f i is a polynomial is not secure (Hastad attack) The messages m i must not be linked (Franklin-Reiter attack), eg if there exist a polynomial f such that f (m 1 ) = m 2 The most natural way to dierentiate messages is to realize a padding (concatenate the message with a random bitstring). Coppersmith's short pad attack breaks such a system if the length of the padding is less than the length of n i divided by e 2 (unpracticable with e = 65537) Padding ecient but use very carefully (uses OAEP) e = most secure Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
29 Small decryption key For eciency of private key operations (decryption, signature), it is attractive to choose d as small as possile Wiener attack Let n = pq be a RSA module with q < p < 2q Assume that d < 1 3 n 1 4 d can be recovered very fast using the continued fraction expansion of e n This attack can be extended to d < n (and n 0.5 is expected) Avoid small private keys Remark If e is chosen small (3 or 65537), d cannot be chosen Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
30 Small messages Forward search attack Small message space or predictable (eg "yes" or "no") encrypt all possible plaintexts and compare with intercepted ciphertext small message and small exponent If m < n 1 e, then m can be recovered by taking the (real) e th -root of the ciphertext Use padding to extend message size Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
31 Common modulus attack Assume that A and B have the same module n and coprime public exponents e A and e B. If C send a message m to both A and B c A = m e A mod n c B = m e B mod n An eavesdropper can recover m : thanks to an extended euclidean algorithm between e A and e B e A u + e B v = 1 Hence c u A c v B = me Au+e B v = m Remark This attack is articial since if A and B have the same keys, A can decrypt B's message and sign in the name of B Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
32 Timing attacks (side channel attacks) Introduced by Kocher on RSA in 1995 : Eve measures decryption times for several known ciphertexts d In 2003, Boneh and Brumley practical attack SSL webserver (uses leaks of CRT decryption) Timing attack protection Ensure that decryption takes a constant amount of time for every ciphertext reduce performance Introduce hazard : blinding technique Choose a random number r for each ciphertext c Computes y = (r e c) d Recover m = yr 1 mod n mod n Decryption time is no longer correlated to c timing attack fails. Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
33 Multiplicative (or homomorphic) properties Let m 1 and m 2 two plaintext messages. We have c 1 = m e 1 mod n, c 2 = m e 2 mod n c 1c 2 = m e 1 me 2 = (m 1 m 2 ) e mod n Adaptative chosen-ciphertext attack Assume that E want to decrypt A's message c = m e mod n E chooses a random x and computes c = cx e mod n E aks A to decrypt c (eg as a challenge for authentication) A computes c d and send it to E E can recover m since c d = c d x ed = mx Protection Do not use the same key for authentication and encryption Impose some structural constraints on plaintext messages (not possible to nd x such that both m and mx have the required structure) Introduce hash function in the encryption process (OAEP) Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
34 Multiplicative (or homomorphic) properties multiplicativity RSA is not semantically secure This means that partial information on plaintext can be recovered But, lot of results like Parity bit If we are able to recover the parity bit of the plaintext then we are able to recover the whole plaintext Proves that RSA does not gives this partial information Bleichenbaker's attack Chosen ciphertext attack on the standard PKCS v1.5 in 1998 Does not need a decryption oracle (its oracle detects only PKCS conformity of ciphertext) realizable in practice New PKCS version use OAEP which is prove to be semantically secure Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
35 Summary of Parameter choice Choose p and q at random such that RSA n as the required security level security level size of n in bits (p and q not too close and p 1, q 1 not smooth) Do not choose d small Do not use common modules Do not encrypt small messages Choose e = 3 (but very carefully) or e = for eciency Use suciently large padding (and no polynomial padding) Use OAEP for more quietness Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
36 Patents and standards RSA patent expired in 2000 PKCS =// 1 : RSA Cryptography Standard Last version : 2.1 (2002) Recommendations for cryptographic primitives encryption schemes signature schemes syntax for representing keys available at ftp ://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf and http ://etudes.univ-rennes1.fr/master-crypto Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35
Algorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationAttacks on RSA & Using Asymmetric Crypto
Attacks on RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationCryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1
Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationMathematical Foundations of Public-Key Cryptography
Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical
More informationLECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS
LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationRSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14
RSA Algorithm http://koclab.org Çetin Kaya Koç Spring 2018 1 / 14 Well-Known One-Way Functions Discrete Logarithm: Given p, g, and x, computing y in y = g x (mod p) is EASY Given p, g, y, computing x in
More informationAddition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?
Ch - Algorithms with numbers Addition Basic arithmetic Addition ultiplication Division odular arithmetic factoring is hard Primality testing 53+35=88 Cost? (n number of bits) O(n) ultiplication al-khwārizmī
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationCryptography. pieces from work by Gordon Royle
Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationLecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya
BBM 205 Discrete Mathematics Hacettepe University http://web.cs.hacettepe.edu.tr/ bbm205 Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya Resources: Kenneth Rosen,
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationThe RSA cryptosystem and primality tests
Mathematics, KTH Bengt Ek November 2015 Supplementary material for SF2736, Discrete mathematics: The RSA cryptosystem and primality tests Secret codes (i.e. codes used to make messages unreadable to outsiders
More informationChapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations
Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9.1 Chapter 9 Objectives
More informationSlides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013
RSA Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013 Recap Recap Number theory o What is a prime number? o What is prime factorization? o What is a GCD? o What does relatively prime
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More information8.1 Principles of Public-Key Cryptosystems
Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationNumber theory (Chapter 4)
EECS 203 Spring 2016 Lecture 12 Page 1 of 8 Number theory (Chapter 4) Review Compute 6 11 mod 13 in an efficient way What is the prime factorization of 100? 138? What is gcd(100, 138)? What is lcm(100,138)?
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationone eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th
Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationEncryption: The RSA Public Key Cipher
Encryption: The RSA Public Key Cipher Michael Brockway March 5, 2018 Overview Transport-layer security employs an asymmetric public cryptosystem to allow two parties (usually a client application and a
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationThe RSA Cipher and its Algorithmic Foundations
Chapter 1 The RSA Cipher and its Algorithmic Foundations The most important that is, most applied and most analyzed asymmetric cipher is RSA, named after its inventors Ron Rivest, Adi Shamir, and Len Adleman.
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationCSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography
CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography 1 Two Problems Problem 1. Generate Primes Find a prime number p of between 200 and 1000 decimal digits that has never been
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationThe security of RSA (part 1) The security of RSA (part 1)
The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1)
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationPublic Key Algorithms
1 Public Key Algorithms ffl hash: irreversible transformation(message) ffl secret key: reversible transformation(block) encryption digital signatures authentication RSA yes yes yes El Gamal no yes no Zero-knowledge
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationTHE CUBIC PUBLIC-KEY TRANSFORMATION*
CIRCUITS SYSTEMS SIGNAL PROCESSING c Birkhäuser Boston (2007) VOL. 26, NO. 3, 2007, PP. 353 359 DOI: 10.1007/s00034-006-0309-x THE CUBIC PUBLIC-KEY TRANSFORMATION* Subhash Kak 1 Abstract. This note proposes
More informationbasics of security/cryptography
RSA Cryptography basics of security/cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret)
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationMATH 145 Algebra, Solutions to Assignment 4
MATH 145 Algebra, Solutions to Assignment 4 1: a) Find the inverse of 178 in Z 365. Solution: We find s and t so that 178s + 365t = 1, and then 178 1 = s. The Euclidean Algorithm gives 365 = 178 + 9 178
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand 1 Divisibility, prime numbers By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a k for some integer k. Notation
More informationKTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist
Lecture 6: RSA Johan Håstad, transcribed by Martin Lindkvist 2006-01-31, 2006-02-02 and 2006-02-07 1 Introduction Using an ordinary cryptosystem, encryption uses a key K and decryption is performed by
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi Discrete Logs, Modular Square Roots & Euclidean Algorithm. July 20 th 2010 Basic Algorithms
More informationNumbers. Çetin Kaya Koç Winter / 18
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 18 Number Systems and Sets We represent the set of integers as Z = {..., 3, 2, 1,0,1,2,3,...} We denote the set of positive integers modulo n as
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationCSE 521: Design and Analysis of Algorithms I
CSE 521: Design and Analysis of Algorithms I Randomized Algorithms: Primality Testing Paul Beame 1 Randomized Algorithms QuickSelect and Quicksort Algorithms random choices make them fast and simple but
More informationNumber Theory & Modern Cryptography
Number Theory & Modern Cryptography Week 12 Stallings: Ch 4, 8, 9, 10 CNT-4403: 2.April.2015 1 Introduction Increasing importance in cryptography Public Key Crypto and Signatures Concern operations on
More informationMa/CS 6a Class 3: The RSA Algorithm
Ma/CS 6a Class 3: The RSA Algorithm By Adam Sheffer Reminder: Putnam Competition Signup ends Wednesday 10/08. Signup sheets available in all Sloan classrooms, Math office, or contact Kathy Carreon, kcarreon@caltech.edu.
More informationduring signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech
Generating a Product of Three Primes with an Unknown Factorization Dan Boneh and Jeremy Horwitz Computer Science Department, Stanford University, Stanford, CA 94305-9045 fdabo,horwitzg@cs.stanford.edu
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More informationMa/CS 6a Class 4: Primality Testing
Ma/CS 6a Class 4: Primality Testing By Adam Sheffer Reminder: Euler s Totient Function Euler s totient φ(n) is defined as follows: Given n N, then φ n = x 1 x < n and GCD x, n = 1. In more words: φ n is
More informationFactorization & Primality Testing
Factorization & Primality Testing C etin Kaya Koc http://cs.ucsb.edu/~koc koc@cs.ucsb.edu Koc (http://cs.ucsb.edu/~ koc) ucsb ccs 130h explore crypto fall 2014 1/1 Primes Natural (counting) numbers: N
More informationCongruence of Integers
Congruence of Integers November 14, 2013 Week 11-12 1 Congruence of Integers Definition 1. Let m be a positive integer. For integers a and b, if m divides b a, we say that a is congruent to b modulo m,
More informationPublic Key Encryption
Public Key Encryption 3/13/2012 Cryptography 1 Facts About Numbers Prime number p: p is an integer p 2 The only divisors of p are 1 and p s 2, 7, 19 are primes -3, 0, 1, 6 are not primes Prime decomposition
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationRSA Encryption. Computer Science 52. Encryption: A Quick Overview. Spring Semester, 2017
Computer Science 52 RSA Encryption Spring Semester, 2017 This document presents the technique of RSA encryption and its mathematical foundation. The implementation details can be found in Sections II,
More information2 3 DIGITAL SIGNATURE STANDARD (DSS) [PROPOSED BY NIST, 1991] Pick an x 2 Z p,1 as the private key Compute y = g x (mod p) asthe public key To sign a
6.857 Computer and Network Security Fall Term, 1997 Lecture 8 : September 30, 1997 Lecturer: Ron Rivest Scribe: Debajit Ghosh 1 Topics Covered Public Key Cryptography Review of ElGamal DSS RSA Elliptic
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationDual Discrete Logarithms
Dual Discrete Logarithms Benne de Weger Department of Mathematics and Computer Science Eindhoven University of Technology P.O. Box 53, 5600 MB Eindhoven, The Netherlands. E-mail: b.m.m.d.weger@tue.nl version.0,
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More information