Public Key Cryptography

Transcription

1 Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74

2 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 2 of 74

3 Course main reference 3 of 74

4 Secure communications Alice wants to send a private message to Bob over a public channel. 4 of 74

5 Secure communications Alice wants to send a private message to Bob over a public channel. Private key cryptography: Alice and Bob both have a key to some locked box. 4 of 74

6 Secure communications Alice wants to send a private message to Bob over a public channel. Private key cryptography: Alice and Bob both have a key to some locked box. Public key cryptography: Alice uses a lock for which only Bob has the key. 4 of 74

7 Public key vs Private key cryptography No preshared key needed with public key crypto. Security reduced to hard number theory problems vs. ad hoc security for block ciphers, hash functions. Mathematical problems have independent interest, so more scrutinized. Typically 1500 bits vs. 160 bits. 5 of 74

8 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 6 of 74

9 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 7 of 74

10 What do we mean by hard problem? Is hard? Is factoring integers hard? 8 of 74

11 What do we mean by hard problem? Is hard? Is factoring integers hard? Is inverting a matrix hard? 8 of 74

12 What do we mean by hard problem? Is hard? Is factoring integers hard? Is inverting a matrix hard? what if it has billions of rows and columns? 8 of 74

13 Big Oh notation Let f, g : N R. We say f = O(g) if there exist N and c such that for all n > N, we have g(n) cf (n). Examples: x = O ( x 2 ) x = O ( x 2 ) x n = O(e x ) for any n log x = O(x) 9 of 74

14 Measuring complexity (theory) Consider the multiplication problem: given two integers p and q, compute n = pq Hardness is function of s := log 2 p + log 2 q, the input size Trivial algorithm runs in time O(log 2 p log 2 q) = O ( s 2 ) : multiply p by each bit of q, shift by appropriate powers of 2, and make additions with carries Best algorithms achieve O(s log s) 10 of 74

15 Measuring complexity (theory) Consider exhaustive search on a key of n bits Hardness is function of n Complexity is O(2 n ): try every possible key Exponential complexity! 11 of 74

16 Measuring complexity (theory) Consider the factorization problem: given a positive composite integer n, find p and q such that n = pq Hardness is function of log 2 n, that is the size of input The best algorithms today run in subexponential time with α = 1/3 L n (α; c) = exp(c(log n) α (log log n) 1 α ) 12 of 74

17 P and NP A problem is in P if it can be solved in polynomial time (in other words, there is an integer n such that it can be solved in time O(x n ) for an input of size x) Refinements to this: randomization, memory, etc. A problem is in NP if a solution can be checked in polynomial time P=NP? is worth a million dollars (and glory!) NP-complete problems are as hard as the hardest known NP problems such as 3-SAT, graph coloring, traveling salesman, etc Factorization, Dlog, are (probably) NOT NP-complete 13 of 74

18 In practice Hardness depends on your computer power, your time, your memory Hard for you might be easy for NSA Compare with exhaustive search: 2 20 is certainly possible on a laptop, 2 60 becomes very hard for most organizations See for key sizes 14 of 74

19 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 15 of 74

20 Group A group (G, ) is a set G with some binary operation : G G G such that Identity (neutral) element: there exists e G such that for all x G, we have x e = x = e x Inverse: for all x G, there exists y such that x y = e = y x Associativity: for all x, y, z G, we have (x y) z = x (y z) A group is Abelian if for all x, y, we have x y = y x A group is finite if G is finite 16 of 74

21 Group examples (Z, +) is a group with neutral element 0 (Q, +) is a group with neutral element 0 (Q, ) is not a group: 0 has no inverse (Q, ) is a group with neutral element 1 Here Q = Q \ {0} (Z n, +) is a group for any positive integer n Here Z n = Z/nZ are integers modulo n (Z p, ) is a group for any prime number p Here Z p = Z p \ {0} of 74

22 Rank of a group The rank of a group (G, +) is the minimal number of elements needed to generate the whole group min{k : S = {g 1,..., g k } G s.t. g G, g = i g ei with g ei S} Example: (Z Z, +) is a group of rank 2 with generating set {(1, 0), (0, 1)} A group of rank 1 is called a cyclic group 18 of 74

23 Lagrange theorem Let (G, ) a finite group For any integer k and any g G, we write g k for g g... g, k times Lagrange s theorem: for any g G, we have g G = e where e is the neutral element in the group Fermat s little theorem: for any prime p and any g 0 mod p, we have g p 1 = 1 mod p 19 of 74

24 Field A field (K, +, ) is a set K with two binary operations + : K K K and : K K K such that (K, +) is an Abelian group (K, ) is a group, where K = K \ {e}, where e is the neutral element of K for + A field (K, +, ) is finite if K is finite 20 of 74

25 Field examples (C, +, ) is a field with neutral elements 0 and 1 for + and * (Q, +, ) is a field with neutral elements 0 and 1 for + and * (Z p, +, ) is a finite field for any prime p This field is often denoted F p 21 of 74

26 Field examples Let f be a polynomial of degree n with coefficients in F p, such that f has no factor of degree different than 0 or n. Consider (K, +, ) where K = all polynomials over F p + and are addition and multiplication modulo the polynomial f Then (K, +, ) is a finite field with p n elements Example: let f (x) = x 2 + x + 1 F 2 [x] then F 4 = F 2 [x]/(f (x)f 2 [x]) is a finite field with 4 elements {0, 1, x, x + 1} 22 of 74

27 Ring A ring (R, +, ) is a set R with two operations + : R R R and : R R R such that (R, +) is an Abelian group (R, ) is associative and has a neutral element (but some elements may have no inverse) Distributivity: for all a, b, c R, we have (a + b) c = a c + b c 23 of 74

28 Ring examples Let K be a field and let K[X] be the set of polynomials with coefficients in K. Then (K[X], +, ) is a ring Z n := Z/nZ (the integers modulo n) is a ring for any n N. It is a field if and only if n is prime. Let K be a field. Let f K[X] and let K = K[X]/(f (X)) be the set of polynomials over K modulo f (x), then K is a ring. K is a field if and only if f is irreducible. 24 of 74

29 Addition in F p Let p be a prime and let K := F p = Z/pZ Addition in K: given a and b, return a + b mod p 1: c a + b 2: if c > p then 3: c c p 4: end if 5: return c Complexity O(log p) bit operations 25 of 74

30 Multiplication in F p Let p be a prime and let K := F p = Z/pZ Multiplication in K: given a and b, return ab mod p n 1: Let b = b i 2 i, where b i {0, 1} i=0 2: a a; c b 0 a 3: for i=1 to n do 4: a 2a mod p 5: c c + b i a mod p 6: end for 7: return c Complexity O ( n 2 ) = O ( log 2 p ) bit operations Best algorithms achieve O(log p log log p) 26 of 74

31 Modular exponentiation: Square-and-Multiply Let p be a prime and let K := F p = Z/pZ Exponentiation in K: given a and k, return a k mod p n 1: Let k = k i 2 i i=0 2: a a; c a k 0 3: for i=1 to n do 4: a a 2 mod p 5: c c(a ) k i mod p 6: end for 7: return c Complexity O(n) = O(log p) multiplications 27 of 74

32 Euclid s algorithm Goal: given integers a and b, find d = gcd(a, b) 28 of 74

33 Euclid s algorithm Goal: given integers a and b, find d = gcd(a, b) d a, d b imply d (a + kb) for any integer k 28 of 74

34 Euclid s algorithm Goal: given integers a and b, find d = gcd(a, b) d a, d b imply d (a + kb) for any integer k Require: a b Ensure: gcd(a, b) 1: if b a then 2: return b 3: else 4: Compute q such that 0 < a qb < b 5: return gcd(b, a qb) 6: end if Complexity O ( a 2 ) ; best algorithms achieve O( a log a ) 28 of 74

35 Example gcd(36, 16) = gcd(16, ) = gcd(16, 4) = 4 29 of 74

36 Extended Euclidean algorithm Goal: compute r and s such that ra + sb = gcd(a, b) Require: a b Ensure: d = gcd(a, b) and r, s, such that ar + bs = 1 1: if b a then 2: return a, 0, 1 3: else 4: Compute q such that 0 < a qb < b 5: d, r, s gcd(b, a qb) 6: return d, s, r qs 7: end if 30 of 74

37 Extended Euclidean algorithm Goal: compute r and s such that ra + sb = gcd(a, b) Require: a b Ensure: d = gcd(a, b) and r, s, such that ar + bs = 1 1: if b a then 2: return a, 0, 1 3: else 4: Compute q such that 0 < a qb < b 5: d, r, s gcd(b, a qb) 6: return d, s, r qs 7: end if Indeed if rb + s(a qb) = d then sa + (r qb)b = d Complexity O ( a 2 ) ; best algorithms achieve O( a log a ) 30 of 74

38 Example gcd(36, 16) = gcd(16, ) = gcd(16, 4) = 4 4 = = (0 2 1)16 31 of 74

39 The RSA ring Let p, q be two primes and let n = pq Let Z n := Z/nZ be the ring of integers modulo n Not a field: for any k, neither kp nor kq are invertible The map f : Z n Z p Z q : x (x mod p, x mod q) is a ring isomorphism. Its inverse is given by f 1 : Z p Z q Z n (x p, x q ) x p q(q 1 mod p) + x q p(p 1 mod q) 32 of 74

40 Chinese Remainder Theorem More generally if n = N i=1 p e i i then the map f : Z n N i=1 Z p e i i : x (x mod p e 1 1,..., x mod pe N N ) is a ring isomorphism In other words given all residue values, there exists a unique value that corresponds to them modulo n 33 of 74

41 Euler s theorem Let n = N i=1 p e i i where the p i are distinct primes The Euler totient function φ(n) is the number of positive integers less than or equal to n that are relatively prime to n, more formally, φ(n) = Then for all x Z n, we have N i=1 (p i 1)p e i 1 i x φ(n) = 1 mod n If n = p a prime, then φ(n) = p 1 and we recover Fermat s little theorem x p 1 = 1 mod p If n = pq like in RSA, then φ(n) = (p 1)(q 1) 34 of 74

42 Prime numbers 2,3,5,7,11,... are prime numbers whereas 4,6,8,9,10,... are not. Any integer n can be decomposed uniquely as a product of prime numbers. There are infinitely many primes. Prime Number Theorem: the number of primes up to some bound B is roughly equal to B/ log B. Bertrand s postulate: For any n > 1, the fraction of the n-bit integers that are prime is at least 1/3n. 35 of 74

43 Primality testing Given an integer n, decide whether n is prime or not. There are deterministic algorithms for primality testing (see AKS test). In practice, we use probabilistic algorithms (having a small probability to return prime for composite numbers) that are much faster. 36 of 74

44 Generating Random Primes You can generate primes by picking random numbers smaller than B and checking whether they are prime: need about log B trials by the prime number theorem. More formally, Algorithm Input: Length n, parameter t For i = 1 to t: p {0, 1} n 1 p := 1 p if Primality_test (p) = 1 return p return fail 37 of 74

45 Generating Random Primes Remember that for any n > 1, the fraction of the n-bit integers that are prime is at least 1/3n. Now, set t = 3n 2, then the probability of the previous algorithm to not output a prime in t iteration is (1 1 3n )t = ( (1 1 3n )3n) n (e 1 ) n = e n This probability is negligible in n if we have a number of iterations that is polynomial in n. We still need to study the algorithms that test numbers primality! 38 of 74

46 Fermat test Observation: if n is prime then a n 1 = 1 mod n for all a (Fermat s little theorem) Idea: choose random a and check whether a n 1 = 1 mod n. If not then n is composite. We define a witness that n is composite any a Z n, s.t. a n 1 1 mod n. 39 of 74

47 Fermat test Algorithm Input: Integer n and parameter 1 t for i = 1 to t a {1,, n 1} if a n 1 1 mod n return composite return prime Theorem If n has a witness that it is composite, then {witnesses} n Z n /2 40 of 74

48 Fermat test Algorithm Input: Integer n and parameter 1 t for i = 1 to t a {1,, n 1} if a n 1 1 mod n return composite return prime Theorem If n has a witness that it is composite, then {witnesses} n Z n /2 However, try 561 or of 74

49 Fermat test Algorithm Input: Integer n and parameter 1 t for i = 1 to t a {1,, n 1} if a n 1 1 mod n return composite return prime Theorem If n has a witness that it is composite, then {witnesses} n Z n /2 However, try 561 or Carmichael numbers: are composite and pass this test for all 0 < a < n, i.e. they don t have any witnesses. 40 of 74

50 Fermat test Algorithm Input: Integer n and parameter 1 t for i = 1 to t a {1,, n 1} if a n 1 1 mod n return composite return prime Theorem If n has a witness that it is composite, then {witnesses} n Z n /2 However, try 561 or Carmichael numbers: are composite and pass this test for all 0 < a < n, i.e. they don t have any witnesses. Solution? 40 of 74

51 Testing Primality We have just seen that Carmichael numbers don t have any witnesses! We need to refine Fermat s test. Let n 1 = 2 k u, where u is odd and k 1 (and therefore n is odd). 41 of 74

52 Testing Primality We have just seen that Carmichael numbers don t have any witnesses! We need to refine Fermat s test. Let n 1 = 2 k u, where u is odd and k 1 (and therefore n is odd). In Fermat s test, we check if a n 1 = a 2ku = of 74

53 Testing Primality We have just seen that Carmichael numbers don t have any witnesses! We need to refine Fermat s test. Let n 1 = 2 k u, where u is odd and k 1 (and therefore n is odd). In Fermat s test, we check if a n 1 = a 2ku = 1. What about a u, a 2u,, a 2k 1u? 41 of 74

54 Testing Primality We have just seen that Carmichael numbers don t have any witnesses! We need to refine Fermat s test. Let n 1 = 2 k u, where u is odd and k 1 (and therefore n is odd). In Fermat s test, we check if a n 1 = a 2ku = 1. What about a u, a 2u,, a 2k 1u? Strong witness: a Z n is a strong witness that n is composite if a u ±1 mod n and a 2iu 1 for all i {1,, k 1} 41 of 74

55 Testing Primality If n is prime, then n doesn t have any strong witness that it is composite. More formally, Theorem Let n be an odd number that is not a prime power, then we have that at least half of the elements of Z n are strong witnesses that n is composite. 42 of 74

56 Miller-Rabin test Algorithm Input: Integer n > 2 and parameter 1 t If n is even, return composite If n is a perfect power, return composite a Write n 1 = 2 k u where u is odd and k 1 for j = 1 to t a {1,, n 1} if a u ±1 mod n and a 2iu 1 mod n for i {1,, k 1} return composite return prime a Exercise: Show that this test can be done in polynomial time 43 of 74

57 Miller-Rabin test Theorem If p is prime, then the Miller-Rabin test always outputs prime. If p is composite, the algorithm outputs composite except with probability at most 2 t 44 of 74

58 Miller-Rabin test Theorem If p is prime, then the Miller-Rabin test always outputs prime. If p is composite, the algorithm outputs composite except with probability at most 2 t (Exercise-1) Show that the Miller-Rabin algorithm runs in time polynomial in p and t. 44 of 74

59 Miller-Rabin test Theorem If p is prime, then the Miller-Rabin test always outputs prime. If p is composite, the algorithm outputs composite except with probability at most 2 t (Exercise-1) Show that the Miller-Rabin algorithm runs in time polynomial in p and t. (Exercise-2) Compare its running time to the (deterministic) AKS running time. 44 of 74

60 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 45 of 74

61 Public Key Cryptosystems An asymmetric encryption scheme consists of the following algorithms: KeyGen(1 n ): is a randomized algorithm that takes the security parameters as input and returns a pair of keys (PK, SK), the public key PK and its matching secret key SK, respectively. Enc(PK, m): A randomized algorithm that takes a public key PK, a plaintext m and returns a ciphertext c. Dec(SK, c): A deterministic algorithm that takes the secret key SK and a ciphertext c, and returns a message m M. Correctness: m M, Pr[(SK, PK) KeyGen(n) : Dec(Enc(PK, m), SK) = m] = 1 46 of 74

62 CPA Indistinguishability Experiment PubK cpa A,E Challenger Ch PK, SK KeyGen(n) b {0, 1} Definition m 0,m 1, m 0 = m 1 Adversary A c=enc(pk,m b) Outputs his guess b An encryption scheme is CPA-secure if for all efficient A the following holds: Adv cpa A,E (n) = Pr[PubKcpa A,E (n) = 1] 1/2 = negl(n) Where PubK cpa A,E (n) = 1 if b = b, and 0 otherwise. 47 of 74

63 CCA Indistinguishability Experiment PubK cca A,E Challenger Ch Adversary A PK, SK = KeyGen(n) Access to the oracle Dec(SK, ) b {0, 1} m 0,m 1, m 0 = m 1 Definition c=enc(pk,m b) Access to the oracle Dec(SK, ) c Outputs his guess b An encryption scheme is CCA-secure if for all efficient A the following holds: Adv cca A,E(n) = Pr[PubK cca A,E(n) = 1] 1/2 = negl(n) 48 of 74

64 Dealing with arbitrary-length messages Theorem If a public-key encryption scheme is CPA-secure, then it also has indistinguishable multiple encryptions, where the adversary is allowed to send two lists of messages to be challenged on instead of sending a pair of messages. As a consequence, any CPA-secure public-key encryption scheme for fixed-length messages (down to one bit!) can be used as a public key-encryption scheme for arbitrary-length messages. 49 of 74

65 Hybrid Encryption A better approach to deal with arbitrary-length messages. We will use a private-key encryption scheme along with a public-key encryption scheme. Remember that private-key encryption scheme are significantly faster than public ones. We call this approach the key-encapsulation mechanism and data-encapsulation mechanism (KEM/DEM). 50 of 74

66 KEM An key-encapsulation mechanism scheme (KEM) consists of the following PPT algorithms: KeyGen(1 n ): takes the security parameter as input and returns a pair of keys (PK, SK), the public key PK and its matching secret key SK, respectively, each of length n. Encaps(PK, 1 n ): it returns a ciphertext c and a key k {0, 1} l(n). Decaps(SK, c): A deterministic algorithm that takes a secret key SK and a ciphertext c, and returns a key k or. 51 of 74

67 Hybrid Encryption An hybrid encryption scheme consists of a KEM scheme and a private-key encryption scheme: KeyGen hy (1 n ): is a randomized algorithm that takes the security parameters as input and returns a pair of keys (PK, SK). Enc hy (PK, m {0, 1} ): takes a public key PK, a plaintext m and does the following: compute (c, k) Encaps(PK, 1 n ). compute c Enc(k, m). output the ciphertext (c, c ). Dec hy (SK, (c, c )): takes a secret key SK and a ciphertext (c, c ) and does the following: k Decaps(SK, c). output m Dec(k, c ). 52 of 74

68 Hybrid Encryption: Efficiency Fix n. Let α =cost(encaps(1 n )) and β =cost(enc(1 bit)). Then cost(enc hy (1 bit)) = α + β m m = α m + β For sufficiently large m, cost(enc hy (1 bit)) β. In other words, cost(enc hy (1 bit)) cost(enc(1 bit)), which is the cost of encrypting one bit using a private-key encryption scheme! 53 of 74

69 Security of KEM Intuitively speaking, for a KEM to be CPA secure, we require the encapsulated key to be indistinguishable from a uniform key that is independent of the ciphertext. Experiment Run KeyGen(1 n ) to get (PK, SK), then run Encaps(PK, 1 n ) to generate (c, k) where k {0, 1} n. Choose random b {0, 1}, if b = 0 set k := k, otherwise choose k uniformly at random from {0, 1} n. Give the adversary A the tuple (PK, c, k), he should output a bit b. Experiment output: 1 if b = b and 0 otherwise. 54 of 74

70 Security of the Hyprid Encryption Scheme Theorem The hybrid encryption scheme is a CPA-secure public-key encryption scheme if KEM is CPA secure and the private-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper. 55 of 74

71 Security of the Hyprid Encryption Scheme Let k Encaps(1 n ) and k {0, 1} n (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 56 of 74

72 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 57 of 74 PrivEnc is secure

73 Security of the Hyprid Encryption Scheme KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 58 of 74 PrivEnc is secure

74 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 59 of 74 PrivEnc is secure

75 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) KEM is CPA secure KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 60 of 74 PrivEnc is secure

76 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) KEM is CPA secure KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 61 of 74 PrivEnc is secure

77 Security of the Hyprid Encryption Scheme (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) KEM is CPA secure KEM is CPA secure (pk, Encaps pk, 1 n, Enc(k, m 0 )) (pk, Encaps pk, 1 n, Enc(k, m 1 )) 62 of 74 PrivEnc is secure

78 Security of the Hyprid Encryption Scheme We need to prove the following: Pr[PubK eav A hy,s hy (n) = 1] negl(n) Whereas, by definition of the security experiment, we have Pr[PubK eav A hy,s hy (n) = 1] = 1 2 Pr[Ahy outputs 0 k = k, m = m 0 ] Pr[Ahy outputs 1 k = k, m = m 1 ] 63 of 74

79 Security of the Hyprid Encryption Scheme A hy A 1 (m 0, m 1 ) c = Enc(k, m 0 ) (c, c ) b (pk, c, k) b KEM Challenger b 0,1 0: k Encaps pk, 1 n 1: k {0,1} n Pr A 1 s output = 0 b = 0 = Pr [A hy s output = 0 k = k, m = m 0 ] 64 of 74 Pr A 1 s output = 1 b = 1 = Pr [A hy s output = 1 k = k, m = m 0 ]

80 Security of the Hyprid Encryption Scheme A hy A 2 (m 0, m 1 ) c = Enc(k, m 1 ) (c, c ) b (pk, c, k) 1 b KEM Challenger b 0,1 0: k Encaps pk, 1 n 1: k {0,1} n Pr A 2 s output = 0 b = 0 = Pr [A hy s output = 1 k = k, m = m 1 ] 65 of 74 Pr A 2 s output = 1 b = 1 = Pr [A hy s output = 0 k = k, m = m 1 ]

81 Security of the Hyprid Encryption Scheme A hy A PrivK Challenger (m 0, m 1 ) (c, c ) b (m 0, m 1 ) c c = Encaps(pk, 1 n ) b b 0,1 k 0,1 n c Enc(k, m b ) Pr A output = 0 b = 0 = Pr [A hy s output = 0 k = k, m = m 0 ] 66 of 74 Pr A output = 1 b = 1 = Pr [A hy s output = 1 k = k, m = m 1 ]

82 Security of the Hyprid Encryption Scheme Theorem The hybrid encryption scheme is a CCA-secure public-key encryption scheme if KEM is CCA secure and the private-key encryption scheme is CCA-secure. 67 of 74

83 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions 4 RSA Encryption Scheme 68 of 74

84 RSA Encryption Scheme Designed by Rivest-Shamir-Adleman in 1977 One of the most widely used algorithms today, for both signatures and public key encryption Security requires hardness of integer factorization 69 of 74

85 Pseudorandom Permutations from One Way Functions Informally speaking, one-way functions are easy to compute, hard to invert! We don t know how to prove that one-way functions exist! Assuming the hardness of some problems, we can build one-way functions. Corollary Let n > 1, and for e > 0 define f e : Z n Z n by f e (x) = x e mod n. If GCD(e, φ(n)) = 1, then f e is a permutation. The inverse of f e is f d where d = e 1 mod φ(n) 70 of 74

86 Plain RSA encryption algorithm Let p, q two distinct odd primes, and let n = pq Compute φ(n) = (p 1)(q 1), and choose e > 1 s.t. gcd(e, φ(n)) = 1 Public key is (n, e) and private key is (p, q) Given private key, can also compute d := e 1 mod φ(n) Encryption of m Z n: c = m e mod n Decryption of c Z n: m = c d mod n Correctness follows from by Euler s theorem m = (m e ) d = m ed mod φ(n) = m mod n 71 of 74

87 RSA security Solving the factorization problem is sufficient and necessary to reconstruct the private key Solving the factorization problem might not be necessary for other goals, such as decrypting without the private key In fact, Plain RSA is insecure! What if m is not chosen uniformly from Z n? Plain RSA is deterministic! Therefore, it is not CPA-secure! 72 of 74

88 Further Reading (1) Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1): , Whitfield Diffie and Martin E Hellman. New directions in cryptography. Information Theory, IEEE Transactions on, 22(6): , of 74

89 Further Reading (2) 74 of 74 Itai Dinur, Orr Dunkelman, Nathan Keller, and Adi Shamir. New attacks on feistel structures with improved memory complexities. In Advances in Cryptology - CRYPTO th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pages , Naofumi Homma, Atsushi Miyamoto, Takafumi Aoki, Akashi Satoh, and Adi Shamir. Collision-based power analysis of modular exponentiation using chosen-message pairs. In Cryptographic Hardware and Embedded Systems - CHES 2008, 10th International Workshop, Washington, D.C., USA, August 10-13, Proceedings, pages 15 29, 2008.