COMP4109 : Applied Cryptography


COMP4109 : Applied Cryptography, Fall 2013. M. Jason Hinek, Carleton University

Applied Cryptography, Day 3: public-key encryption schemes; some attacks on RSA (factoring, small private exponent)

RSA cryptosystem (textbook RSA)
- choose random primes p, q and let N = pq
- P = C = $\mathbb{Z}_N$ (plaintext space and ciphertext space)
- choose e, d such that $ed \equiv 1 \pmod{\varphi(N)}$
- public key pk = (e, N); private key sk = (p, q, d)
- Encrypt: to encrypt plaintext m, $\mathrm{ENC}_{pk}(m) = m^e \bmod N = c$
- Decrypt: given ciphertext c, $\mathrm{DEC}_{sk}(c) = c^d \bmod N = m$

Pollard's p − 1 method
- let N = pq be an RSA modulus
- let $p - 1 = \alpha_1 \alpha_2 \cdots \alpha_l$, where each $\alpha_i$ is a power of a single prime and $\gcd(\alpha_i, \alpha_j) = 1$ for all $i \neq j$
- let B satisfy $\alpha_i < B$ for each $\alpha_i$
- compute $X := 2^{B!} \bmod N$ as shown in class
- since $B > \alpha_i$ for each of the (pairwise coprime) factors $\alpha_i$ of $p - 1 = \alpha_1 \alpha_2 \cdots \alpha_l$, every $\alpha_i$ will be present in B!, so $B! = k(p - 1)$ for some integer k
- alternatively, we know that p − 1 divides B!, that is, $(p - 1) \mid B!$

Pollard's p − 1 method
- we now have $X = 2^{B!} + uN$ for some integer u (converting the congruence to an equation), and $(p - 1) \mid B!$
- therefore $X \bmod p = (2^{B!} + uN) \bmod p = 2^{B!} \bmod p = 2^{k(p-1)} \bmod p = 1$
- recalling Fermat's Little Theorem: $a^{q-1} \equiv 1 \pmod q$ for q prime and $a \not\equiv 0 \pmod q$
- we conclude that $X \equiv 1 \pmod p$, and so $X - 1 = vp$ for some integer v

Pollard's p − 1 method
- therefore $\gcd(X - 1, N) = \gcd(vp, pq) = p$
- how did we know that v is not a multiple of q? (If it were, we would fail, because the gcd would output N = pq instead of just p.)
- since X is originally computed modulo N, we know that $0 \le X < N$; if v were a multiple of q, we would have $X - 1 = v'pq = v'N$ (where $v' = v/q$) and then $X > N$, a contradiction
- we have then found one of the primes in N = pq and know the factorization (the other prime is simply N/p)

Pollard's p − 1 method: what is the runtime of the method?
- let $n = \log_2(N)$ be the bitlength of N
- computing $2^{B!} \bmod N$ needs B modular exponentiations; a modular exponentiation is $O(n^3)$, so the total cost is $O(Bn^3)$
- if $B = N^{1/2}$: this guarantees that one prime p satisfies $p < B$ for any N = pq, and the runtime is $O(N^{1/2} n^3) = O(2^{0.5 \log_2(N)} n^3) = O(2^{0.5n} n^3)$ (exponential in n; no better than trial division to factor)
- if $B = cn^k$: the runtime is polynomial in n, but we have to be really lucky for $p < B$
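An added implementation of the p − 1 method as the slides describe it (example code, not from the original slides): X is built by B successive exponentiations so that $X = 2^{B!} \bmod N$, and the gcd failure cases (result 1 or N) return None. The modulus is constructed from p = 1009, whose p − 1 = 2^4·3^2·7 divides 8!, and q = 1013, whose q − 1 = 2^2·11·23 does not.

```python
from math import gcd


def pollard_p_minus_1(N, B):
    """Pollard's p-1 method with smoothness bound B.

    Computes X = 2^(B!) mod N with B modular exponentiations (one per
    factor of B!), then g = gcd(X - 1, N).  Returns a nontrivial factor,
    or None when g == 1 (no prime p of N has (p - 1) | B!) or g == N
    (both p - 1 and q - 1 divide B!, so X == 1 mod N).
    """
    X = 2
    for i in range(2, B + 1):
        X = pow(X, i, N)          # after this step X == 2^(i!) mod N
    g = gcd(X - 1, N)
    if g == 1 or g == N:
        return None
    return g


# Constructed demo primes: p - 1 = 1008 = 2^4 * 3^2 * 7 is 8-smooth,
# q - 1 = 1012 = 2^2 * 11 * 23 is not, so B = 8 exposes p but not q.
P_DEMO, Q_DEMO = 1009, 1013


def factor_demo(B):
    """Run the method on the constructed modulus; returns (p, q) or None."""
    N = P_DEMO * Q_DEMO
    p = pollard_p_minus_1(N, B)
    return None if p is None else (p, N // p)


if __name__ == "__main__":
    print(factor_demo(8))   # (1009, 1013): 1008 | 8!, 1012 does not
    print(factor_demo(4))   # None: 4! = 24 is a multiple of neither 1008 nor 1012
```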

Factoring
- factoring arbitrary integers is believed to be difficult
- best known algorithms to factor a number N (p is a prime factor of N):

method | heuristic runtime
Quadratic Sieve (QS) | $O\!\left(e^{(1 + o(1))(\log N \,\log\log N)^{1/2}}\right)$
Elliptic Curve Method (ECM) | $O\!\left(e^{(1 + o(1))(2 \log p \,\log\log p)^{1/2}}\right)$
Number Field Sieve (NFS) | $O\!\left(e^{(1.92 + o(1))(\log N)^{1/3} (\log\log N)^{2/3}}\right)$

Wiener's Attack
- RSA is completely insecure if the private (decrypting) exponent is chosen to be too small
- assume that N = pq, where p and q are random balanced primes: $q < p < 2q < 2N^{1/2}$ (balanced primes)
- $ed \equiv 1 \pmod{\varphi(N)}$ (key relation); $ed = 1 + k\varphi(N)$ (key equation)
- $d < \tfrac{1}{6} N^{1/4}$ (private exponent is small)
- $1 < e < \varphi(N)$ (e is computed modulo φ(N))
- let $\varphi(N) = (p - 1)(q - 1) = N - p - q + 1 = N - \Lambda$, where $\Lambda = p + q - 1 < 2q + q - 1 < 3q < 3N^{1/2}$
- notice that $k = \dfrac{ed - 1}{\varphi(N)} = \dfrac{ed}{\varphi(N)} - \dfrac{1}{\varphi(N)} < \dfrac{ed}{\varphi(N)} < d$

Wiener's Attack
Notice that
$$\left|\frac{e}{N} - \frac{k}{d}\right| = \frac{|ed - kN|}{dN} = \frac{|1 - k\Lambda|}{dN} < \frac{k\Lambda}{dN} < \frac{d\Lambda}{dN} \quad (k < d)$$
$$< \frac{d \cdot 3N^{1/2}}{dN} \quad (\Lambda < 3N^{1/2}) \qquad < \frac{N^{1/4} N^{1/2}}{2dN} \quad (6d < N^{1/4}) \qquad = \frac{1}{2dN^{1/4}}$$
$$< \frac{1}{2d \cdot 6d} \quad (6d < N^{1/4}) \qquad = \frac{1}{12d^2} < \frac{1}{2d^2}$$

Wiener's Attack
We then have $\left|\dfrac{e}{N} - \dfrac{k}{d}\right| < \dfrac{1}{2d^2}$ and ...

Mathematical Aside
- any rational number can be written as a finite (simple) continued fraction
$$a = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{q_4 + \cdots + \cfrac{1}{q_m}}}}$$
- the continued fraction expansion of a is written $[q_1, q_2, \ldots, q_m]$
- the integers $q_i$ can easily be computed by repeated division (Euclidean algorithm); for example, consider 37/101:
  37 = 0·101 + 37
  101 = 2·37 + 27
  37 = 1·27 + 10
  27 = 2·10 + 7
  10 = 1·7 + 3
  7 = 2·3 + 1
  3 = 3·1 + 0

Mathematical Aside
The division chain for 37/101 above corresponds to
$$\frac{37}{101} = 0 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{3}}}}}}$$
or $[0, 2, 1, 2, 1, 2, 3]$ (the quotients, in order).

Mathematical Aside
- let a have continued fraction expansion $[q_1, q_2, \ldots, q_m]$; then $C_i = [q_1, q_2, \ldots, q_i]$ is called the i-th convergent of $[q_1, q_2, \ldots, q_m]$
- the convergents of a are a sequence of (rational) approximations of a; if a is rational, the final convergent is equal to a
- the convergents of 37/101 are given by
  $C_1 = 0$
  $C_2 = \frac{1}{2} = 0.5$
  $C_3 = \cfrac{1}{2 + \frac{1}{1}} = \frac{1}{3} \approx 0.333333$
  $C_4 = \cfrac{1}{2 + \cfrac{1}{1 + \frac{1}{2}}} = \frac{3}{8} = 0.375000$
  $C_5 = \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \frac{1}{1}}}} = \frac{4}{11} \approx 0.363636$
  $C_6 = \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \frac{1}{2}}}}} = \frac{11}{30} \approx 0.366666$
  $C_7 = \frac{37}{101} \approx 0.366336$

Mathematical Aside
  $C_1 = 0$, $C_2 = 0.5$, $C_3 \approx 0.333333$, $C_4 = 0.375000$, $C_5 \approx 0.363636$, $C_6 \approx 0.366666$, $C_7 \approx 0.366336$
- the first convergent underestimates a, the next overestimates it, the next under, the next over, ...
- $C_j$ is a better estimate than $C_{j-2}$

Mathematical Aside
Theorem: given $\alpha \in \mathbb{R}$ and $c, d \in \mathbb{Z}$ such that $\gcd(c, d) = 1$ and
$$\left|\frac{c}{d} - \alpha\right| < \frac{1}{2d^2},$$
then c/d is one of the convergents in the continued fraction expansion of α.
Note: when α = a/b is rational, the number of convergents is polynomial in $\log \max(a, b)$ (computing all the convergents requires polynomial time).

Wiener's Attack
- we then have $\left|\dfrac{e}{N} - \dfrac{k}{d}\right| < \dfrac{1}{2d^2}$ (and $\gcd(k, d) = 1$, since $ed - k\varphi(N) = 1$), and so k/d is one of the convergents in the continued fraction expansion of e/N (which is known!)
- this leads to the following attack

Wiener's Attack
- compute each convergent $C_i$ of e/N
- for each convergent $C_i = c_i/d_i$, compute $\varphi_i := \dfrac{ed_i - 1}{c_i}$
- if $\varphi_i$ is not an integer, go to the next convergent; otherwise, $\varphi_i$ is a candidate for φ(N)
- solve the system $N = xy$, $\varphi_i = (x - 1)(y - 1)$
- if $\varphi_i = \varphi(N)$, then x, y reveal the factorization p, q; otherwise, go to the next convergent
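An added Python version of the procedure above, covering both the continued-fraction aside (quotients and convergents of 37/101) and the attack itself (example code, not from the original slides). The key is constructed: balanced primes p = 10009, q = 10007 and d = 7, which satisfies $d < \tfrac{1}{6}N^{1/4}$; the candidate φ_i is checked by solving $t^2 - (N - \varphi_i + 1)t + N = 0$ for integer roots.

```python
from math import isqrt


def continued_fraction(a, b):
    """Partial quotients [q1, ..., qm] of a/b by repeated division (Euclid)."""
    quotients = []
    while b:
        quotients.append(a // b)
        a, b = b, a % b
    return quotients


def convergents(a, b):
    """All convergents C_i = h_i/k_i of a/b as (numerator, denominator)."""
    h_prev, h = 0, 1          # h_{-2}, h_{-1}
    k_prev, k = 1, 0          # k_{-2}, k_{-1}
    result = []
    for q in continued_fraction(a, b):
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        result.append((h, k))
    return result


def wiener_attack(e, N):
    """Return (p, q, d) when some convergent k/d of e/N exposes phi(N), else None."""
    for k, d in convergents(e, N):
        if k == 0 or (e * d - 1) % k:
            continue                    # C_1 = 0, or phi_i is not an integer
        phi = (e * d - 1) // k          # candidate for phi(N)
        s = N - phi + 1                 # x + y, since phi = N - (x + y) + 1
        disc = s * s - 4 * N            # discriminant of t^2 - s t + N
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc:
            continue                    # roots are not integers: wrong phi_i
        x, y = (s + r) // 2, (s - r) // 2
        if x * y == N and y > 1:
            return x, y, d
    return None


def demo_key(p=10009, q=10007, d=7):
    """Constructed (hypothetical) key with q < p < 2q and small d; returns (e, N)."""
    return pow(d, -1, (p - 1) * (q - 1)), p * q


if __name__ == "__main__":
    print(continued_fraction(37, 101))      # [0, 2, 1, 2, 1, 2, 3]
    print(convergents(37, 101)[-1])         # (37, 101): the last convergent is a itself
    print(wiener_attack(*demo_key()))       # (10009, 10007, 7)
```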

Wiener's Attack
- RSA with balanced primes and $d < N^{1/4} = N^{0.25}$ is insecure!
- this attack came out of left field... (it was not anticipated at all! many attacks are like this)
- don't use small d to try and speed up decryption
- using lattices and lattice basis reduction, $d < N^{0.292}$ is insecure (asymptotically)
- don't use small d to try and speed up decryption