Iterated Encryption and Wiener s attack on RSA

Size: px

Start display at page:

Download "Iterated Encryption and Wiener s attack on RSA"

Bethanie McCarthy
5 years ago
Views:

2 Iterated Encryption

3 Euler s function Euler s function: φ(n) = {1 x n : gcd(x, n) = 1} Theorem (Euler) If n is a positive integer and m is a positive integer coprime to n then m φ(n) mod n = 1.

4 Iterated Encryption Consider a public RSA key with encryption modulus n and encryption exponent e. Also, consider a message M < n in padded ASCII form. Consider what might happen when M is encrypted iteratively using this key:

5 Iterated Encryption Consider a public RSA key with encryption modulus n and encryption exponent e. Also, consider a message M < n in padded ASCII form. Consider what might happen when M is encrypted iteratively using this key: E 1 = M e mod n

6 Iterated Encryption Consider a public RSA key with encryption modulus n and encryption exponent e. Also, consider a message M < n in padded ASCII form. Consider what might happen when M is encrypted iteratively using this key: E 1 = M e mod n E 2 = E1 e mod n

7 Iterated Encryption Consider a public RSA key with encryption modulus n and encryption exponent e. Also, consider a message M < n in padded ASCII form. Consider what might happen when M is encrypted iteratively using this key: E 1 = M e mod n E 2 = E1 e mod n E 3 = E2 e mod n

8 Iterated Encryption Consider a public RSA key with encryption modulus n and encryption exponent e. Also, consider a message M < n in padded ASCII form. Consider what might happen when M is encrypted iteratively using this key: E 1 = M e mod n E 2 = E1 e mod n E 3 = E2 e mod n E k = Ek 1 e mod n.

9 Iterated Encryption Consider a public RSA key with encryption modulus n and encryption exponent e. Also, consider a message M < n in padded ASCII form. Consider what might happen when M is encrypted iteratively using this key: E 1 = M e mod n E 2 = E1 e mod n E 3 = E2 e mod n E k = Ek 1 e mod n. Using the laws of exponents we have that for each n, E k = M ek mod n.

10 Carmichael function Carmichael s function: λ(n) is defined as the smallest positive integer m such that a m 1 mod n.

11 Carmichael function Carmichael s function: λ(n) is defined as the smallest positive integer m such that a m 1 mod n. Theorem (Carmichael) If n is a positive integer and a is a positive integer coprime to n then a λ(n) mod n = 1.

12 Carmichael function Carmichael s function: λ(n) is defined as the smallest positive integer m such that a m 1 mod n. Theorem (Carmichael) If n is a positive integer and a is a positive integer coprime to n then a λ(n) mod n = 1. Corollary If n is a product of distinct primes then for all a, a λ(n)+1 = a mod n.

13 Carmichael function Carmichael s function: λ(n) is defined as the smallest positive integer m such that a m 1 mod n. Theorem (Carmichael) If n is a positive integer and a is a positive integer coprime to n then a λ(n) mod n = 1. Corollary If n is a product of distinct primes then for all a, a λ(n)+1 = a mod n. Theorem For p > 3 and k 2, λ(p k ) = p k 1 (p 1).

14 Carmichael function Carmichael s function: λ(n) is defined as the smallest positive integer m such that a m 1 mod n. Theorem (Carmichael) If n is a positive integer and a is a positive integer coprime to n then a λ(n) mod n = 1. Corollary If n is a product of distinct primes then for all a, a λ(n)+1 = a mod n. Theorem For p > 3 and k 2, λ(p k ) = p k 1 (p 1). Theorem λ(p1 k1pk pkt t ) = lcm(λ(p k 1 )λ(p k 2 )...λ(p kt )

15 Iterated Encryption Note that when n is a product of distinct primes then λ(n) divides φ(n) making λ(n) < φ(n).

16 Iterated Encryption Note that when n is a product of distinct primes then λ(n) divides φ(n) making λ(n) < φ(n). Assume that e k = 1 mod λ(n) for some k where e is the encryption exponent. Then

17 Iterated Encryption Note that when n is a product of distinct primes then λ(n) divides φ(n) making λ(n) < φ(n). Assume that e k = 1 mod λ(n) for some k where e is the encryption exponent. Then (M ek mod n) mod n =

18 Iterated Encryption Note that when n is a product of distinct primes then λ(n) divides φ(n) making λ(n) < φ(n). Assume that e k = 1 mod λ(n) for some k where e is the encryption exponent. Then (M ek mod n) mod n = M ek mod n =

19 Iterated Encryption Note that when n is a product of distinct primes then λ(n) divides φ(n) making λ(n) < φ(n). Assume that e k = 1 mod λ(n) for some k where e is the encryption exponent. Then (M ek mod n) mod n = M ek mod n = M λ(n) t+1 mod n =

20 Iterated Encryption Note that when n is a product of distinct primes then λ(n) divides φ(n) making λ(n) < φ(n). Assume that e k = 1 mod λ(n) for some k where e is the encryption exponent. Then (M ek mod n) mod n = M ek mod n = M λ(n) t+1 mod n = (M λ(n) ) t M 1 mod n =

21 Iterated Encryption Note that when n is a product of distinct primes then λ(n) divides φ(n) making λ(n) < φ(n). Assume that e k = 1 mod λ(n) for some k where e is the encryption exponent. Then (M ek mod n) mod n = M ek mod n = M λ(n) t+1 mod n = (M λ(n) ) t M 1 mod n = 1 t M mod n = M

22 Wiener s attack

23 Euclidean Algorithm Recall how the Euclidean Algorithm computes the greatest common divisor, g, of two numbers a and b with a < b. One obtains a list of equations using long division: b = q 1 a + r 1, 0 r 1 < b a = q 2 r 1 + r 2, 0 r 2 < r 1 r 1 = q 3 r 2 + r 3, 0 r 3 < r 2 r 2 = q 4 r 3 + r 4, 0 r 4 < r 3 r n 1 = q n+2 r n+1 + r n+2 and r n+2 = 0 while r n+1 > 0.

24 Euclidean Algorithm Recall how the Euclidean Algorithm computes the greatest common divisor, g, of two numbers a and b with a < b. One obtains a list of equations using long division: b = q 1 a + r 1, 0 r 1 < b a = q 2 r 1 + r 2, 0 r 2 < r 1 r 1 = q 3 r 2 + r 3, 0 r 3 < r 2 r 2 = q 4 r 3 + r 4, 0 r 4 < r 3 r n 1 = q n+2 r n+1 + r n+2 and r n+2 = 0 while r n+1 > 0. The last non-zero remainder, r n+1, is gcd(a, b).

25 Continued Fractions Consider a rational number b/a with gcd(a, b) = 1. Then r n+1 = 1. From the same set of equations we obtain: b/a = q 1 + (r 1 /a) = q 1 + 1/(a/r 1 ) = q 1 + 1/(q 2 + (r 2 /r 1 )) = q 1 + 1/(q 2 + 1/(r 1 /r 2 )) = q 1 + 1/(q 2 + 1/(q 3 + r 3 /r 2 )) = q 1 + 1/(q 2 + 1/(q 3 + 1/(q 4 + 1/(q 5 + ( /q n+2 )...)))))

26 Continued Fractions Consider a rational number b/a with gcd(a, b) = 1. Then r n+1 = 1. From the same set of equations we obtain: b/a = q 1 + (r 1 /a) = q 1 + 1/(a/r 1 ) = q 1 + 1/(q 2 + (r 2 /r 1 )) = q 1 + 1/(q 2 + 1/(r 1 /r 2 )) = q 1 + 1/(q 2 + 1/(q 3 + r 3 /r 2 )) = q 1 + 1/(q 2 + 1/(q 3 + 1/(q 4 + 1/(q 5 + ( /q n+2 )...))))) The expression is known as continued fraction expansion of b/a and it is denoted by b/a = [q 1, q 2, q 3, q 4,..., q n+2 ].

27 Continued Fractions Consider a rational number b/a with gcd(a, b) = 1. Then r n+1 = 1. From the same set of equations we obtain: b/a = q 1 + (r 1 /a) = q 1 + 1/(a/r 1 ) = q 1 + 1/(q 2 + (r 2 /r 1 )) = q 1 + 1/(q 2 + 1/(r 1 /r 2 )) = q 1 + 1/(q 2 + 1/(q 3 + r 3 /r 2 )) = q 1 + 1/(q 2 + 1/(q 3 + 1/(q 4 + 1/(q 5 + ( /q n+2 )...))))) The expression is known as continued fraction expansion of b/a and it is denoted by b/a = [q 1, q 2, q 3, q 4,..., q n+2 ].The number C j = [q 1, q 2,..., q j+1 ] is called the j-th convergent of b/a.

28 Continued Fractions Theorem Let a 0, a 1,..., a n R with a 0, a 1,..., a n > 0. Let the sequence p 0, p 1,..., p n and q 0, q 1,..., q n be defined by

29 Continued Fractions Theorem Let a 0, a 1,..., a n R with a 0, a 1,..., a n > 0. Let the sequence p 0, p 1,..., p n and q 0, q 1,..., q n be defined by p 0 = a 0, q 0 = 1 p 1 = a 0 a 1 + 1, q 1 = a 1 p k = a k p k 1 + p k 1, q k = a k q k 1 + q k 2 for k = 1, 2,..., n.

30 Continued Fractions Theorem Let a 0, a 1,..., a n R with a 0, a 1,..., a n > 0. Let the sequence p 0, p 1,..., p n and q 0, q 1,..., q n be defined by p 0 = a 0, q 0 = 1 p 1 = a 0 a 1 + 1, q 1 = a 1 p k = a k p k 1 + p k 1, q k = a k q k 1 + q k 2 for k = 1, 2,..., n. Then the k-th convergent. C k = [a 0, a 1,..., a k ] = p k q k

31 Continued Fractions Theorem (Dirichle,1842) Assume that gcd(a, b) = 1. If r, s are any natural numbers such that gcd(r, s) = 1, and a/b r/s < 1/(2s 2 ) then r/s is one of the convergents of a/b.

32 Continued Fractions Theorem (Dirichle,1842) Assume that gcd(a, b) = 1. If r, s are any natural numbers such that gcd(r, s) = 1, and a/b r/s < 1/(2s 2 ) then r/s is one of the convergents of a/b. Theorem (M. Wiener, 1990) Let n be an RSA modulus, say n = pq where p and q are primes, and let e be the public encryption exponent and dthe private decryption exponent. Let d < n, q < p < 2q and ed = 1 + kφ(n).then k d e n < 1 and d can be calculated 2d 2 quickly.

33 Proof of Wiener s theorem Since q 2 < pq = n, we have

34 Proof of Wiener s theorem Since q 2 < pq = n, we have q < n. Therefore, since p < 2q,

35 Proof of Wiener s theorem Since q 2 < pq = n, we have q < n. Therefore, since p < 2q, n φ(n) = pq (p 1)(q 1) =

36 Proof of Wiener s theorem Since q 2 < pq = n, we have q < n. Therefore, since p < 2q, n φ(n) = pq (p 1)(q 1) = p + q 1 <

37 Proof of Wiener s theorem Since q 2 < pq = n, we have q < n. Therefore, since p < 2q, n φ(n) = pq (p 1)(q 1) = p + q 1 < 3q < 3 n Write ed = 1 + φ(n)k for some integer k 1.

38 Proof of Wiener s theorem Since q 2 < pq = n, we have q < n. Therefore, since p < 2q, n φ(n) = pq (p 1)(q 1) = p + q 1 < 3q < 3 n Write ed = 1 + φ(n)k for some integer k 1. Since e < φ(n) we have

39 Proof of Wiener s theorem Since q 2 < pq = n, we have q < n. Therefore, since p < 2q, n φ(n) = pq (p 1)(q 1) = p + q 1 < 3q < 3 n Write ed = 1 + φ(n)k for some integer k 1. Since e < φ(n) we have so k < 1 3 n 1 4. φ(n)k < ed < 1 3 φ(n)n 1 4

40 Proof of Wiener s theorem Since q 2 < pq = n, we have q < n. Therefore, since p < 2q, n φ(n) = pq (p 1)(q 1) = p + q 1 < 3q < 3 n Write ed = 1 + φ(n)k for some integer k 1. Since e < φ(n) we have so k < 1 3 n 1 4. Therefore, φ(n)k < ed < 1 3 φ(n)n 1 4 kn ed = k(n φ(n)) 1 < k(n φ(n)) < 1 3 n 1 4 (3 n) = n 3/4

41 Proof of Wiener s theorem(cont.) Also, since kn φ(n)) 1 > 0, we have

42 Proof of Wiener s theorem(cont.) Also, since kn φ(n)) 1 > 0, we have kn ed > 0. Dividing by dn both sides of the equation and taking the absolute value we get

43 Proof of Wiener s theorem(cont.) Also, since kn φ(n)) 1 > 0, we have kn ed > 0. Dividing by dn both sides of the equation and taking the absolute value we get since 3d < n 1/4 by assumption. 0 < k d e n < 1 dn 1/4 < 1 3d 2, Then by Dirichle s theorem k d is one of the convergent of e n.

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION Recall that RSA works as follows. A wants B to communicate with A, but without E understanding the transmitted message. To do so: A broadcasts RSA method,