Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Similar documents
Algorithmic Number Theory and Public-key Cryptography

Mathematics of Cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Lecture 1: Introduction to Public key cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Introduction to Public-Key Cryptosystems:

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Introduction to Cybersecurity Cryptography (Part 5)

RSA. Ramki Thurimella

Public Key Algorithms

Attacks on RSA & Using Asymmetric Crypto

Cryptography IV: Asymmetric Ciphers

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

RSA RSA public key cryptosystem

Mathematical Foundations of Public-Key Cryptography

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

CIS 551 / TCOM 401 Computer and Network Security

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

10 Public Key Cryptography : RSA

Cryptography. pieces from work by Gordon Royle

Asymmetric Encryption

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Introduction to Modern Cryptography. Benny Chor

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Public Key Cryptography

A New Attack on RSA with Two or Three Decryption Exponents

Public-Key Cryptosystems CHAPTER 4

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Public Key Cryptography

The RSA cryptosystem and primality tests

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

CRYPTOGRAPHY AND NUMBER THEORY

Introduction to Modern Cryptography. Benny Chor

8.1 Principles of Public-Key Cryptosystems

COMP4109 : Applied Cryptography

10 Concrete candidates for public key crypto

Number theory (Chapter 4)

ASYMMETRIC ENCRYPTION

CPSC 467b: Cryptography and Computer Security

1 Number Theory Basics

CPSC 467b: Cryptography and Computer Security

Chapter 11 : Private-Key Encryption

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

Chapter 8 Public-key Cryptography and Digital Signatures

Encryption: The RSA Public Key Cipher

Public-Key Encryption: ElGamal, RSA, Rabin

CPSC 467b: Cryptography and Computer Security

The RSA Cipher and its Algorithmic Foundations

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

The security of RSA (part 1) The security of RSA (part 1)

5199/IOC5063 Theory of Cryptology, 2014 Fall

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Public Key Algorithms

Lecture Notes, Week 6

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Lecture V : Public Key Cryptography

THE CUBIC PUBLIC-KEY TRANSFORMATION*

basics of security/cryptography

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

MATH 145 Algebra, Solutions to Assignment 4

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Applied Cryptography and Computer Security CSE 664 Spring 2018

Pseudo-random Number Generation. Qiuliang Tang

Discrete Mathematics GCD, LCM, RSA Algorithm

Basic elements of number theory

Basic elements of number theory

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

Basic Algorithms in Number Theory

Numbers. Çetin Kaya Koç Winter / 18

An Introduction to Probabilistic Encryption

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

CSE 521: Design and Analysis of Algorithms I

Number Theory & Modern Cryptography

Ma/CS 6a Class 3: The RSA Algorithm

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

10 Modular Arithmetic and Cryptography

Ma/CS 6a Class 4: Primality Testing

Factorization & Primality Testing

Congruence of Integers

Public Key Encryption

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

RSA Encryption. Computer Science 52. Encryption: A Quick Overview. Spring Semester, 2017

2 3 DIGITAL SIGNATURE STANDARD (DSS) [PROPOSED BY NIST, 1991] Pick an x 2 Z p,1 as the private key Compute y = g x (mod p) asthe public key To sign a

Public Key Cryptography

Dual Discrete Logarithms

Public-key Cryptography and elliptic curves

Arithmétique et Cryptographie Asymétrique

Transcription:

Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1 / 35

RSA history Public-key system introduced in 1978 by Rivest, Shamir and Adleman from left to right : Adleman, Shamir and Rivest Based on the diculty to factor numbers, eg 2 27 +1=340282366920938463463374607431768211457=59649589127497217 5704689200685129054721 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 2 / 35

RSA keys Private key p and q two large prime numbers (with some conditions) An integer d coprime to (p 1)(q 1) These data are strictly condential Public key n = p q e the inverse of d modulo (p 1)(q 1) (ie an integer such that e d = 1 mod (p 1)(q 1)) These data are public and must be divulged The public key is easy to deduce from the private key (extended euclidean algorithm) but given e and n, it is very dicult to recover d, p or q Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 3 / 35

RSA Encryption/Decryption We assume that B wants to send a message m (which is an integer in the range [1, n]) to A Encryption B gets (on A's web page or on the Certication Authority server) n and e which compose A's public key B computes the ciphertext c = m e mod n B sends c to A Decryption A recovers the plaintext m computing c d mod n A (and its government because of key escrow) is the only person able to decrypt c since nobody else knows or can compute d One-way function : x x e mod n Trapdoor : d Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 4 / 35

Mathematical tools for the proof of RSA Euler's theorem Let ϕ(n) denote the number of integers in [1, n] coprime to n. Let a be an integer coprime to n. We have a ϕ(n) = 1 mod n n = p, with p prime a p 1 = 1 mod p (Fermat's little theorem) n = pq, with p, q prime a (p 1)(q 1) = 1 mod n Chinese remainder theorem (CRT) Let m 1 and m 2 be coprime integers. Let a 1 and a 2 be integers. The system { x = a 1 mod m 1 x = a 2 mod m 2 has exactly one solution modulo m 1 m 2 which is a 1 n 1 m 2 + a 2 n 2 m 1 where n 2 is the inverse of m 1 modulo m 2 and n 1 is the inverse of m 2 modulo m 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 5 / 35

RSA proof We want to prove that c d = m ed = m mod n RSA proof if m coprime to n e is the inverse of d mod (p 1)(q 1) ed = 1 + k(p 1)(q 1) for some integer k. Thus m ed = m 1+k(p 1)(q 1) = m Conclude using Euler's theorem (m (p 1)(q 1)) k RSA proof if m not coprime to n (eg q divides m) We have trivially m ed = m mod q (both are 0) Fermat's little theorem implies that m ed = m mod p { x = m mod p So the equation x = m mod q has m and med as solutions. CRT m = m ed mod pq Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 6 / 35

Ecient decryption It is possible to speed up decryption using p and q Usual decryption : computes c d mod n Ecient decryption Speed-up Compute c d = c dp mod p with d p = d mod p 1 Compute c q = c dq mod q with d q = d mod q 1 Recover c d mod n using chinese remainder theorem p is half the length of n. Simple implementations of multiplication take quadratic time multiplication modulo p is 4 times faster than modulo n. d p is half the length of d computing c dp mod p is 8 times faster than computing c d mod n. The running time of the last CRT step is negligible. Overall decryption time is reduced by a factor of 4. Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 7 / 35

Ecient implementation : exponentiation algorithms Both for encryption and decryption, modular exponentiation is the central operation We assume that algorithms for modular multiplication are known Not the subject of this course Can be found in books given in bibliography or in Knuth's Art of Computer Programming vol. 2 Provided by numerous, very ecient multiprecision libraries (as GMP) Naive method g e = g g g g requires e 1 multiplications exponential complexity in the size of the exponent Binary methods Based on binary representation of the exponent linear complexity in the size of the exponent Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 8 / 35

Square and multiply method It is clear that g 2s left-to-right square and multiply can be obtained with only s squarings Given g and e = (e t 1 e 0 ) 2, the following computes g e h 1 and i t 1 while i 0 do return h h h 2 if e i = 1 then h h g i i 1 Proof : Related to Horner's rule Very old method (more than 2000 years) Very ecient (t squarings and t multiplications in average) 2 Often the only one given in books Impossible to reduce the number of squarings Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 9 / 35

2 k -ary method Example in base 4 : 00 ( ) 2 h 2 = h 4 01 ( ) 2 h 2 g = h 4 g 10 ( 2 h g) 2 = h 4 g 2 11 ( 2 h g) 2 g = h 4 g 3 Left-to-right 2 k -ary (or window method with window size k) Precompute g i = g i for i [1, 2 k 1] h 1 and i t 1 while i 0 do return h h h 2k h h g (ei e i k+1 )2 i i k Precomputations can be divided by 2 Requires around t(2k 1) multiplications in average k 2 k Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 10 / 35

Sliding window method Idea : skip consecutive zeros Exemple : 334 = (101 001 110) 2 3 multiplications with 2 3 -ary Example : 334 = (101001110) 2 only 2 multiplications required Sliding window method with window size k Precompute g 3, g 5, g 7,, g 2k 1 h 1 and i t 1 While i 0 do return h Requires around if e i = 0 then h h 2 and i i 1 else s max(i k + 1, 0) while e s = 0 do s s + 1 repeat i s + 1 times h h 2 h h g (e i e s ) 2 i s 1 t multiplications k+1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 11 / 35

Recoding the exponent coding exponent with many zeros less multiplications Example 31 = (11111) 2 but 31 = (100001) (with 1 = 1) g 31 = g 32 g 1 : faster if g 1 precomputed Denition : w-naf Every integer e has a unique representation e = t 1 e i=0 i 2 i where each e i is zero or odd e i < 2 w 1 among any w consecutive coecients, at most one is nonzero Example above is with w = 2 Exponentiation algorithms must be adapted Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 12 / 35

Recoding the exponent w is such that w bits are necessary to represent all coecient Example : w = 3 e i < 2 2, 7 possibilities for e i Algorithm to compute w-naf expansion is very easy Computation of the w-naf expansion of e i 0 While e > 0 do if e is odd then e i e mod 2 w e e e i else e i 0 e e/2 and i i + 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 13 / 35

Key generation What do we need? Find two large prime numbers p and q Find an integer d coprime to (p 1)(q 1) easy : compute gcd(d, (p 1)(q 1)) Find the inverse of d modulo (p 1)(q 1) easy : ext eulidean algorithm How can we nd large prime numbers Pick random numbers until nding a prime number requires primality tests The number of prime numbers less than n is known to be around n/log(n) (prime number theorem) Primality tests are relatively slow Compositeness tests are faster but do not prove primality Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 14 / 35

Compositeness tests : Fermat's test Based on the Fermat's little theorem : if p prime then a p 1 = 1 mod p Fermat primality test of n Repeat several times Choose a random integer a [2, n 2] Compute r = a n 1 mod n If r 1 then return "composite" If the n succeed this test, it might be prime Unfortunately, there exists an innite number of composite numbers that succeed Fermat's test for every a (Carmichael numbers). Hopefully, they are very rare Most of compositeness test or primality test are based on analogs of Fermat's test but use more complicated mathematical tools than Z/pZ Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 15 / 35

Compositeness tests : Rabin-Miller test Modication of Fermat's little theorem Let p be a prime number, a an integer coprime to p. Denote s the largest integer such that 2 s divides p 1 and d = p 1, then 2 s either a d = 1 mod p or r [0, s 1] with a 2r d = 1 mod p An integer which does not verify one of these properties is said to be a witness for the compositeness of n Central theorem If n is composite, there are least 3(n 1) 4 witnesses for its compositeness Consequences No Carmichael-like numbers It's bad luck if a random choice of a do not provide a witness If the property is satised for more than n 1 values of a, n is proved 4 to be prime Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 16 / 35

Miller-Rabin test of n Write n 1 = 2 s d with d odd and repeat t times Choose a random integer a [2, n 2] Compute y = a d mod n If y ±1 then do r 1 while r < s and y 1 do y y 2 mod n r r + 1 If y 1 then return "composite" Return "prime with an error probability less than 1 4 t " Probabilistic Very ecient Considered as sucient for common cryptographic use (only 1 chance over 10 12 to mistake with t = 20 in theory, even better in practice) Do not prove the primality (in polynomial time) Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 17 / 35

Primality test or primality proving There exists very fast algorithms for specic numbers (Mersenne numbers, n such that n 1 can be factored) but no interest in cryptography Jacobi sum test ECPP AKS Uses an analog of Fermat's little theorem in cyclotomic ring Probabilistic with almost polynomial complexity (O(log(n) c log(log(log(n))) )) Uses ellitic curves Probabilistic algorithm with polynomial complexity (O(log(n) 4 )) Provide a "certicate of primality" which can be easily veried Uses polynomial analog of Fermat's little theorem Proves that primality P (Deterministic polynomial complexity) Inecient in practice even if O(log(n) 4 ) Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 18 / 35

RSA and Factorization The main attack of RSA is factorization of n Brute force Try to divide n by all integers smaller than n Eratosthene sieve If 2 does not divide n, it is not necessary to test even numbers Quadratic sieve (QS) Use quadratic number elds (from number theory) to nd x and y such that x 2 = y 2 mod n gcd(x y, n) divides n Subexponential complexity : e log(n) 1 2 log(log(n)) 1 2 Number eld sieve (NFS) Generalisation of QS using higher degree number elds to nd x and y Subexponential complexity : e ( 64 9 ) 1 3 log(n) 1 3 log(log(n)) 2 3 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 19 / 35

RSA and Factorization : the p 1 method smooth numbers An integer s is said to be B-smooth if q α s with q prime, q α B. Assume p n with p 1 B-smooth and let a be an integer coprime to p If k = q α then a k 1 = 0 mod p q α B gcd(a k 1, n) is a factor of n Pseudo-algorithm Choose a reasonnable bound B pick a random a and compute b = a k 1 mod n Compute g = gcd(b, n) If g 1 return g If g = 1, choose a larger B or cancel Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 20 / 35

RSA and Factorization : the Pollard-ρ method Let u k+1 = f (u k ) mod n be a random walk. Idea : if p n and u i = u j mod p, then gcd(u i u j, n) is a factor of n Algorithm Repeat the following Compute u k+1 = f (u k ) mod n Compute g = gcd(u k+1 u i, n) i k If g 1 return g Drawback : requires a lot of memory and gcd computations. Variant (Floyd cycles) Stock only the u k such that k = 2 a. Much less memory and gcd computations (log(i) instead of i) Only double the number of steps O( (p) steps are necessary Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 21 / 35

RSA and Factorization History of RSA factorization Using NFS (number eld sieve) Size (in decimal digits) of n Date of factorization 120 1993 129 1994 130 1996 140 1999 155 1999 160 2003 174 2003 200 2005 Much faster than Moore's law algorithm improvements Here are p and q for the last one p=3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349 q=7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 22 / 35

RSA and Factorization History of RSA factorization Using NFS (number eld sieve) Size (in decimal digits) of n Date of factorization 120 1993 129 1994 130 1996 140 1999 155 1999 160 2003 174 2003 200 2005 Much faster than Moore's law algorithm improvements Lot of progress in factorization : is RSA really secure? Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 22 / 35

RSA and factorization Solving factorization Solving RSA What about? We don't know but we know that Finding p and q nding d Again, is trivial, but is not : k = ed 1 multiple of (p 1)(q 1) g Z/nZ we have g k = 1 g k/2 is a square root of 1 There are 4 square roots of 1 in Z/nZ : 1, -1 and x and x such that { x = 1 mod p x = 1 mod q If g k/2 = ±1 then choose another g else gcd(x 1, n) gives a factor of n. For a random chosen g there is 1/2 chance that g k/2 = ±1 very fast Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 23 / 35

Choice of p and q Pollard p 1 If p 1 is B-smooth, factorization is easy p and q too close We have trivially that (p + q) 2 /4 n = (p q) 2 /4 Let x be the rst integer greater than n If x 2 n is a perfect square y 2 then p = x + y and q = x y else x x + 1 Central idea of sieving methods for factorization (nd such equality not in Z but in more complex rings (number elds)) In practice random prime numbers are never weak for these attacks Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 24 / 35

Small encryption exponent e For eciency of public key operations (encryption, signature verication), it is attractive to choose e as small as possile : e = 3 Attack on e = 3 Assume A wants to send the same message m to 3 dierent persons (with 3 dierent public moduli n 1, n 2 and n 3 ) who choose e = 3. Of course m < n i An eavesdropper Eve can observe c i = m 3 mod n i and can easily solve the system x = c 1 mod n 1 x = c 2 mod n 2 x = c 3 mod n 3 Hence Eve knows m 3 mod n 1 n 2 n 3 (unicity of the solution). But m 3 < n 1 n 2 n 3 as an integer Eve knows m 3 It is then easy to recover m by taking the (real) third root of m 3 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 25 / 35

Protection against small exponent attacks Trivial protection Take a random public exponent (ie a large one) Never send the same message to dierent persons Not satisfactory In practice we want a small public exponent Use e = 65537 = 2 16 + 1 is a good compromise Good performance (50 times faster than random exponent) and very rare to send the same message to so many people Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 26 / 35

Protection against small exponent attacks Use a padding of the message For each n i, modify the message m so that all sent plaintext are dierent. But sensitive to attacks using the so called Coppersmith's theorem Sending f 1 (m), f 2 (m) and f 3 (m) where f i is a polynomial is not secure (Hastad attack) The messages m i must not be linked (Franklin-Reiter attack), eg if there exist a polynomial f such that f (m 1 ) = m 2 The most natural way to dierentiate messages is to realize a padding (concatenate the message with a random bitstring). Coppersmith's short pad attack breaks such a system if the length of the padding is less than the length of n i divided by e 2 (unpracticable with e = 65537) Padding ecient but use very carefully (uses OAEP) e = 65537 most secure Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 27 / 35

Small decryption key For eciency of private key operations (decryption, signature), it is attractive to choose d as small as possile Wiener attack Let n = pq be a RSA module with q < p < 2q Assume that d < 1 3 n 1 4 d can be recovered very fast using the continued fraction expansion of e n This attack can be extended to d < n 0.292 (and n 0.5 is expected) Avoid small private keys Remark If e is chosen small (3 or 65537), d cannot be chosen Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 28 / 35

Small messages Forward search attack Small message space or predictable (eg "yes" or "no") encrypt all possible plaintexts and compare with intercepted ciphertext small message and small exponent If m < n 1 e, then m can be recovered by taking the (real) e th -root of the ciphertext Use padding to extend message size Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 29 / 35

Common modulus attack Assume that A and B have the same module n and coprime public exponents e A and e B. If C send a message m to both A and B c A = m e A mod n c B = m e B mod n An eavesdropper can recover m : thanks to an extended euclidean algorithm between e A and e B e A u + e B v = 1 Hence c u A c v B = me Au+e B v = m Remark This attack is articial since if A and B have the same keys, A can decrypt B's message and sign in the name of B Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 30 / 35

Timing attacks (side channel attacks) Introduced by Kocher on RSA in 1995 : Eve measures decryption times for several known ciphertexts d In 2003, Boneh and Brumley practical attack SSL webserver (uses leaks of CRT decryption) Timing attack protection Ensure that decryption takes a constant amount of time for every ciphertext reduce performance Introduce hazard : blinding technique Choose a random number r for each ciphertext c Computes y = (r e c) d Recover m = yr 1 mod n mod n Decryption time is no longer correlated to c timing attack fails. Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 31 / 35

Multiplicative (or homomorphic) properties Let m 1 and m 2 two plaintext messages. We have c 1 = m e 1 mod n, c 2 = m e 2 mod n c 1c 2 = m e 1 me 2 = (m 1 m 2 ) e mod n Adaptative chosen-ciphertext attack Assume that E want to decrypt A's message c = m e mod n E chooses a random x and computes c = cx e mod n E aks A to decrypt c (eg as a challenge for authentication) A computes c d and send it to E E can recover m since c d = c d x ed = mx Protection Do not use the same key for authentication and encryption Impose some structural constraints on plaintext messages (not possible to nd x such that both m and mx have the required structure) Introduce hash function in the encryption process (OAEP) Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 32 / 35

Multiplicative (or homomorphic) properties multiplicativity RSA is not semantically secure This means that partial information on plaintext can be recovered But, lot of results like Parity bit If we are able to recover the parity bit of the plaintext then we are able to recover the whole plaintext Proves that RSA does not gives this partial information Bleichenbaker's attack Chosen ciphertext attack on the standard PKCS v1.5 in 1998 Does not need a decryption oracle (its oracle detects only PKCS conformity of ciphertext) realizable in practice New PKCS version use OAEP which is prove to be semantically secure Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 33 / 35

Summary of Parameter choice Choose p and q at random such that RSA n as the required security level security level 80 112 128 192 256 size of n in bits 1024 2048 3072 8192 15360 (p and q not too close and p 1, q 1 not smooth) Do not choose d small Do not use common modules Do not encrypt small messages Choose e = 3 (but very carefully) or e = 65537 for eciency Use suciently large padding (and no polynomial padding) Use OAEP for more quietness Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 34 / 35

Patents and standards RSA patent expired in 2000 PKCS =// 1 : RSA Cryptography Standard Last version : 2.1 (2002) Recommendations for cryptographic primitives encryption schemes signature schemes syntax for representing keys available at ftp ://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf and http ://etudes.univ-rennes1.fr/master-crypto Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 35 / 35

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback