The security of RSA (part 1) The security of RSA (part 1)

Similar documents
MATH 145 Algebra, Solutions to Assignment 4

5199/IOC5063 Theory of Cryptology, 2014 Fall

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Chapter 8 Public-key Cryptography and Digital Signatures

Mathematics of Cryptography

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Lecture 22: RSA Encryption. RSA Encryption

Numbers. Çetin Kaya Koç Winter / 18

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Algorithmic Number Theory and Public-key Cryptography

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Mathematical Foundations of Public-Key Cryptography

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Math.3336: Discrete Mathematics. Mathematical Induction

Number Theory and Group Theoryfor Public-Key Cryptography

NUMBER THEORY AND CODES. Álvaro Pelayo WUSTL

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Iterated Encryption and Wiener s attack on RSA

Introduction to Modern Cryptography. Benny Chor

Introduction to Public-Key Cryptosystems:

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Carmen s Core Concepts (Math 135)

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

RSA. Ramki Thurimella

Attacks on RSA & Using Asymmetric Crypto

Implementation Tutorial on RSA

Number Theory A focused introduction

Homework 4 for Modular Arithmetic: The RSA Cipher

10 Public Key Cryptography : RSA

Public Key Cryptography

Public-Key Cryptosystems CHAPTER 4

DM49-2. Obligatoriske Opgave

The Chinese Remainder Theorem

10 Modular Arithmetic and Cryptography

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Number Theory & Modern Cryptography

Practice Assignment 2 Discussion 24/02/ /02/2018

Chinese Remainder Theorem

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

CPSC 467b: Cryptography and Computer Security

Solution to Midterm Examination

Exercise Sheet Cryptography 1, 2011

Eindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015

Question: Total Points: Score:

Applied Cryptography and Computer Security CSE 664 Spring 2018

Chinese Remainder Algorithms. Çetin Kaya Koç Spring / 22

Public Key Algorithms

Ma/CS 6a Class 3: The RSA Algorithm

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Elementary Number Theory Review. Franz Luef

Public-Key Encryption: ElGamal, RSA, Rabin

CPSC 467b: Cryptography and Computer Security

LECTURE 4: CHINESE REMAINDER THEOREM AND MULTIPLICATIVE FUNCTIONS

Math From Scratch Lesson 20: The Chinese Remainder Theorem

A Readable Introduction to Real Mathematics

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

MATH 25 CLASS 12 NOTES, OCT Contents 1. Simultaneous linear congruences 1 2. Simultaneous linear congruences 2

Chapter 4 Public Key Cryptology - Part I

CPSC 467: Cryptography and Computer Security

The RSA cryptosystem and primality tests

Cryptography. P. Danziger. Transmit...Bob...

On the Security of Multi-prime RSA

RSA RSA public key cryptosystem

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

ax b mod m. has a solution if and only if d b. In this case, there is one solution, call it x 0, to the equation and there are d solutions x m d

Generalized Splines. Madeline Handschy, Julie Melnick, Stephanie Reinders. Smith College. April 1, 2013

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Homework Problems, Math 134, Spring 2007 (Robert Boltje)

Efficient encryption and decryption. ECE646 Lecture 10. RSA Implementation: Efficient Encryption & Decryption. Required Reading

Simultaneous Linear, and Non-linear Congruences

10 Problem 1. The following assertions may be true or false, depending on the choice of the integers a, b 0. a "

ICS141: Discrete Mathematics for Computer Science I

Math 430 Midterm II Review Packet Spring 2018 SOLUTIONS TO PRACTICE PROBLEMS

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Mathematics of Cryptography

Lecture 1: Introduction to Public key cryptography

COMP4109 : Applied Cryptography

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Number Theory. Modular Arithmetic

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Basic elements of number theory

MATH3302 Cryptography Problem Set 2

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Basic elements of number theory

CPSC 467b: Cryptography and Computer Security

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

NET 311D INFORMATION SECURITY

Lecture Notes, Week 6

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Cryptography IV: Asymmetric Ciphers

Name: Mathematics 1C03

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

dit-upm RSA Cybersecurity Cryptography

Transcription:

The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1

The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1) p. Substituting this into the equation of n we find

The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1) p. Substituting this into the equation of n we find n = p ((n φ(n) + 1) p) and thus

The modulus n and its totient value φ(n) are known i.e. φ(n) = p q (p + q) + 1 = n (p + q) + 1 q = (n φ(n) + 1) p. Substituting this into the equation of n we find and thus n = p ((n φ(n) + 1) p) p 2 p (n φ(n) + 1) + n = 0 Solving the equation for p we find p = n φ(n)+1± (n φ(n)+1) 2 4 n 2

The modulus n and its totient value φ(n) are known i.e. φ(n) = p q (p + q) + 1 = n (p + q) + 1 q = (n φ(n) + 1) p. Substituting this into the equation of n we find and thus n = p ((n φ(n) + 1) p) p 2 p (n φ(n) + 1) + n = 0 Solving the equation for p we find and then compute q. p = n φ(n)+1± (n φ(n)+1) 2 4 n 2

Common modulus attack Suppose that same message M < n is send to two different parties whose encryption exponents respectively are e 1 and e 2 and suppose that gcd(e 1, e 2 ) = 1. The encrypted messages are:

Common modulus attack Suppose that same message M < n is send to two different parties whose encryption exponents respectively are e 1 and e 2 and suppose that gcd(e 1, e 2 ) = 1. The encrypted messages are: E = M e 1 mod n and

Common modulus attack Suppose that same message M < n is send to two different parties whose encryption exponents respectively are e 1 and e 2 and suppose that gcd(e 1, e 2 ) = 1. The encrypted messages are: E = M e 1 mod n and F = M e 2 mod n

Common modulus attack Suppose that same message M < n is send to two different parties whose encryption exponents respectively are e 1 and e 2 and suppose that gcd(e 1, e 2 ) = 1. The encrypted messages are: E = M e 1 mod n and F = M e 2 mod n Theorem Let a and b be integers, not both zero. Then a and b are relatively prime if and only if there are integers x and y such that a x + b y = 1.

Common modulus attack Suppose that same message M < n is send to two different parties whose encryption exponents respectively are e 1 and e 2 and suppose that gcd(e 1, e 2 ) = 1. The encrypted messages are: E = M e 1 mod n and F = M e 2 mod n Theorem Let a and b be integers, not both zero. Then a and b are relatively prime if and only if there are integers x and y such that a x + b y = 1. We use the extended Euclidean algorithm to compute the integers x and y. Then

Common modulus attack Suppose that same message M < n is send to two different parties whose encryption exponents respectively are e 1 and e 2 and suppose that gcd(e 1, e 2 ) = 1. The encrypted messages are: E = M e 1 mod n and F = M e 2 mod n Theorem Let a and b be integers, not both zero. Then a and b are relatively prime if and only if there are integers x and y such that a x + b y = 1. We use the extended Euclidean algorithm to compute the integers x and y. Then E x F y M mod n

Common encryption exponent Assume that a common value for the encryption exponent e is shared by k different users,

Common encryption exponent Assume that a common value for the encryption exponent e is shared by k different users, and let n 1, n 2,..., n k are their RSA encryption moduli. Assume that for i j we have that gcd(n i, n j ) = 1 (otherwise the factors of n i and n j can be discovered).

Common encryption exponent Assume that a common value for the encryption exponent e is shared by k different users, and let n 1, n 2,..., n k are their RSA encryption moduli. Assume that for i j we have that gcd(n i, n j ) = 1 (otherwise the factors of n i and n j can be discovered). Consider a message M not known to the eavesdropper.

Common encryption exponent Assume that a common value for the encryption exponent e is shared by k different users, and let n 1, n 2,..., n k are their RSA encryption moduli. Assume that for i j we have that gcd(n i, n j ) = 1 (otherwise the factors of n i and n j can be discovered). Consider a message M not known to the eavesdropper. Suppose that M is encrypted for all these k owners. M < n i for each i. e < k.

Common encryption exponent Assume that a common value for the encryption exponent e is shared by k different users, and let n 1, n 2,..., n k are their RSA encryption moduli. Assume that for i j we have that gcd(n i, n j ) = 1 (otherwise the factors of n i and n j can be discovered). Consider a message M not known to the eavesdropper. Suppose that M is encrypted for all these k owners. M < n i for each i. e < k. Now the k encrypted versions are: E i = M e mod n i, i = 1,..., k.

Common encryption exponent (cont.) Chinese Remainder Theorem Let n 1, n 2,..., n k be natural numbers such that for i, j distinct indices one has gcd(n i, n j ) = 1. Then the system of linear congruences x b 1 mod n 1 x b 2 mod n 2 x b 3 mod n 3 x b k mod n k has a solution which is unique modulo N = n 1 n 2... n k. The solution is x = b 1 N 1 x 1 + b 2 N 2 x 2 +... + b k N k x k mod N where N i = N/n i and x i = 1 N i mod n i.

Common encryption exponent (cont.) By the CRT theorem we know that there is a unique x < n 1 n 2... n k that is a solution to c E i = x mod n i for all 1 i k.

Common encryption exponent (cont.) By the CRT theorem we know that there is a unique x < n 1 n 2... n k that is a solution to c E i = x mod n i for all 1 i k. But we know that M e < n 1 n 2... n e < n 1 n 2... n k,

Common encryption exponent (cont.) By the CRT theorem we know that there is a unique x < n 1 n 2... n k that is a solution to c E i = x mod n i for all 1 i k. But we know that M e < n 1 n 2... n e < n 1 n 2... n k, and also satisfies these equations.

Common encryption exponent (cont.) By the CRT theorem we know that there is a unique x < n 1 n 2... n k that is a solution to c E i = x mod n i for all 1 i k. But we know that M e < n 1 n 2... n e < n 1 n 2... n k, and also satisfies these equations. The plaintext M can be discovered by taking the ordinary e-th root of the solution x.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback