Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Similar documents
Course Business. Homework 3 Due Now. Homework 4 Released. Professor Blocki is travelling, but will be back next week

Chapter 11 : Private-Key Encryption

Public Key Cryptography

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Public Key Cryptography

Introduction to Public-Key Cryptosystems:

10 Concrete candidates for public key crypto

CSE 521: Design and Analysis of Algorithms I

5199/IOC5063 Theory of Cryptology, 2014 Fall

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

1 Number Theory Basics

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Public-Key Encryption: ElGamal, RSA, Rabin

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Cryptography CS 555. Topic 4: Computational Security

Introduction to Cybersecurity Cryptography (Part 4)

10 Public Key Cryptography : RSA

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 1: Introduction to Public key cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Cryptography IV: Asymmetric Ciphers

basics of security/cryptography

5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA

The RSA cryptosystem and primality tests

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Introduction to Cybersecurity Cryptography (Part 5)

El Gamal A DDH based encryption scheme. Table of contents

The security of RSA (part 1) The security of RSA (part 1)

ASYMMETRIC ENCRYPTION

Introduction to Modern Cryptography. Benny Chor

Lecture 22: RSA Encryption. RSA Encryption

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Ma/CS 6a Class 4: Primality Testing

Katz, Lindell Introduction to Modern Cryptrography

Attempt QUESTIONS 1 and 2, and THREE other questions. penalised if you attempt additional questions.

NET 311D INFORMATION SECURITY

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

You submitted this homework on Wed 31 Jul :50 PM PDT (UTC -0700). You got a score of out of You can attempt again in 10 minutes.

COMP4109 : Applied Cryptography

Applied Cryptography and Computer Security CSE 664 Spring 2018

Computational security & Private key encryption

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Math/Mthe 418/818. Review Questions

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Lecture Notes, Week 6

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

CPSC 467b: Cryptography and Computer Security

Cryptography: Joining the RSA Cryptosystem

III. Pseudorandom functions & encryption

CSC 5930/9010 Modern Cryptography: Number Theory

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

General Impossibility of Group Homomorphic Encryption in the Quantum World

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

CPSC 467b: Cryptography and Computer Security

Mathematical Foundations of Public-Key Cryptography

Cryptography and Security Midterm Exam

CTR mode of operation

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Fully Homomorphic Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Modern Cryptography Lecture 4

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Introduction to Cryptology. Lecture 20

CS 6260 Applied Cryptography

CIS 551 / TCOM 401 Computer and Network Security

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Some Comments on the Security of RSA. Debdeep Mukhopadhyay

Advanced Topics in Cryptography

On the CCA1-Security of Elgamal and Damgård s Elgamal

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Provable security. Michel Abdalla

Ma/CS 6a Class 4: Primality Testing

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Advanced Cryptography 1st Semester Public Encryption

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture 5, CPA Secure Encryption from PRFs

5.4 ElGamal - definition

RSA. Ramki Thurimella

Public-Key Encryption

An Introduction to Probabilistic Encryption

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

10 Modular Arithmetic and Cryptography

Public Key Cryptography

Public Key Cryptography

Mathematics of Cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Transcription:

Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1

Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod N 2

RSA Key-Generation KeyGeneration(1 n ) Step 1: Pick two random n-bit primes p and q Step 2: Let N=pq, φφ NN = (pp 1)(qq 1) Step 3: Question: How do we accomplish step one? 3

Bertrand s Postulate Theorem 8.32. For any n > 1 the fraction of n-bit integers that are prime is at least 1 3nn. GenerateRandomPrime(1 n ) For i=1 to 3n 2 : p {0,1} n-1 p 1 ppp if isprime(p) then return p return fail Can we do this in polynomial time? 4

Bertrand s Postulate Theorem 8.32. For any n > 1 the fraction of n-bit integers that are prime is at least 1 3nn. GenerateRandomPrime(1 n ) For i=1 to 3n 2 : p {0,1} n-1 p 1 ppp if isprime(p) then return p return fail Assume for now that we can run isprime(p). What are the odds that the algorithm fails? On each iteration the probability that p is not a prime is 1 1 3nn We fail if we pick a non-prime in all 3n 2 iterations. The probability is 1 1 3nn 2 = 1 1 3nn nn ee nn 3nn 3nn 5

isprime(p): Miller-Rabin Test We can check for primality of p in polynomial time in pp. Theory: Deterministic algorithm to test for primality. See breakthrough paper Primes is in P Practice: Miller-Rabin Test (randomized algorithm) Guarantee 1: If p is prime then the test outputs YES Guarantee 2: If p is not prime then the test outputs NO except with negligible probability. https://www.cse.iitk.ac.in/users/manindra/algebra/primality_v6.pdf 6

The Almost Miller-Rabin Test Input: Integer N and parameter 1 t Output: prime or composite for i=1 to t: a {1,,N-1} if aa NN 1 mod N then return composite Return prime Claim: If N is prime then algorithm always outputs prime Proof: For any a {1,,N 1} we have aa NN 1 φφ NN = aa = 1 mmmmmm NN 7

The Almost Miller-Rabin Test Input: Integer N and parameter 1 t Output: prime or composite for i=1 to t: a {1,,N-1} if aa NN 1 1 mod N then return composite Return prime Need a bit of extra work to handle Carmichael numbers. Fact: If N is composite and not a Carmichael number then the algorithm outputs composite with probability 1 2 tt 8

Back to RSA Key-Generation KeyGeneration(1 n ) Step 1: Pick two random n-bit primes p and q Step 2: Let N=pq, φφ NN = (pp 1)(qq 1) Step 3: Pick e > 1 such that gcd(e, φφ NN )=1 Step 4: Set d=[e -1 mod φφ NN ] (secret key) Return: N, e, d How do we find d? Answer: Use extended gcd algorithm to find e -1 mod φφ NN. 9

(Plain) RSA Encryption Public Key: PK=(N,e) Message m Z N Enc PK (m) = mm ee mod N Remark: Encryption is efficient if we use the power mod algorithm. 10

(Plain) RSA Decryption Public Key: SK=(N,d) Ciphertext c Z N Dec SK(c) = cc dd mod N Remark 1: Decryption is efficient if we use the power mod algorithm. Remark 2: Suppose that m Z N and let c=enc PK (m) = mm ee mod N Dec SK (c) = mm ee dd mod N = mm eeee mod N = mm [eeee mmmmmm φφ NN ] mod N = mm 1 mod N = mm 11

RSA Decryption Public Key: SK=(N,d) Ciphertext c Z N Dec SK(c) = cc dd mod N Remark 1: Decryption is efficient if we use the power mod algorithm. Remark 2: Suppose that m Z N and let c=enc PK (m) = Dec SK (c) = mm mm ee mod N then Remark 3: Even if m Z N Z N and let c=enc PK (m) = mm ee mod N then Dec SK (c) = mm Use Chinese Remainder Theorem to show this 12

Factoring Assumption Let GenModulus(1 n ) be a randomized algorithm that outputs (N=pq,p,q) where p and q are n-bit primes (except with negligible probability negl(n)). Experiment FACTOR A,n 1. (N=pq,p,q) GenModulus(1 n ) 2. Attacker A is given N as input 3. Attacker A outputs p > 1 and q > 1 4. Attacker A wins if N=p q. 13

Factoring Assumption Experiment FACTOR A,n 1. (N=pq,p,q) GenModulus(1 n ) 2. Attacker A is given N as input 3. Attacker A outputs p > 1 and q > 1 4. Attacker A wins (FACTOR A,n = 1) if and only if N=p q. Necessary for security of RSA. Not known to be sufficient. PPPPPP AA μμ (negligible) s. t Pr FACTOR A,n = 1 μμ(nn) 14

RSA-Assumption RSA-Experiment: RSA-INV A,n 1. Run KeyGeneration(1 n ) to obtain (N,e,d) 2. Pick uniform y Z N 3. Attacker A is given N, e, y and outputs x Z N 4. Attacker wins (RSA-INV A,n =1) if xx ee = y mod N PPPPPP AA μμ (negligible) s. t Pr RSA INV A,n = 1 μμ(nn) 15

(Plain) RSA Discussion We have not introduced security models like CPA-Security or CCA-security for Public Key Cryptosystems However, notice that (Plain) RSA Encryption is stateless and deterministic. Plain RSA is not secure against chosen-plaintext attacks Plain RSA is also highly vulnerable to chosen-ciphertext attacks Attacker intercepts ciphertext c of secret message m Attacker generates ciphertext c for secret message 2m Attacker asks for decryption of c to obtain 2m Divide by 2 to recover original message m 16

(Plain) RSA Discussion However, notice that (Plain) RSA Encryption is stateless and deterministic. Plain RSA is not secure against chosen-plaintext attacks In a public key setting the attacker does have access to an encryption oracle Encrypted messages with low entropy are vulnerable to a brute-force attack 17

(Plain) RSA Discussion Plain RSA is also highly vulnerable to chosen-ciphertext attacks Attacker intercepts ciphertext cc = mm ee mod N Attacker asks for decryption of cc2 ee mod N and receives 2m. Divide by two to recover message As above example shows plain RSA is also highly vulnerable to ciphertext-tampering attacks See homework questions 18

Mathematica Demo https://www.cs.purdue.edu/homes/jblocki/courses/555_spring17/slid es/lecture24demo.nb Note: Online version of mathematica available at https://sandbox.open.wolframcloud.com (reduced functionality, but can be used to solve homework bonus problems) 19

Next Class Read Katz and Lindell 8.3, 11.5.1 Discrete Log, DDH + Attacks on Plain RSA 20

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback