Homework 4 for Modular Arithmetic: The RSA Cipher

Similar documents
1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

10 Modular Arithmetic and Cryptography

The security of RSA (part 1) The security of RSA (part 1)

Cryptography. P. Danziger. Transmit...Bob...

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Mathematical Foundations of Public-Key Cryptography

RSA. Ramki Thurimella

CIS 551 / TCOM 401 Computer and Network Security

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

CRYPTOGRAPHY AND NUMBER THEORY

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Introduction to Modern Cryptography. Benny Chor

Number theory (Chapter 4)

Public Key Cryptography

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Practice Assignment 2 Discussion 24/02/ /02/2018

Week 7 An Application to Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Public-key Cryptography and elliptic curves

Implementation Tutorial on RSA

Simple Math: Cryptography

Lecture Notes, Week 6

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Public-Key Cryptosystems CHAPTER 4

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Encryption: The RSA Public Key Cipher

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009)

Lecture 1: Introduction to Public key cryptography

Solution to Midterm Examination

MATH 158 FINAL EXAM 20 DECEMBER 2016

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Math.3336: Discrete Mathematics. Mathematical Induction

RSA-256bit 數位電路實驗 TA: 吳柏辰. Author: Trumen

Number Theory & Modern Cryptography

The RSA cryptosystem and primality tests

Cryptography IV: Asymmetric Ciphers

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Public Key Cryptography

Introduction to Cryptography. Lecture 8

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Number Theory A focused introduction

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Cryptography. pieces from work by Gordon Royle

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Public-key Cryptography and elliptic curves

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Public Key Algorithms

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

19. Coding for Secrecy

Math Circles Cryptography

Cryptography and Number Theory

Public-Key Encryption: ElGamal, RSA, Rabin

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Introduction to Public-Key Cryptosystems:

CPSC 467b: Cryptography and Computer Security

Powers in Modular Arithmetic, and RSA Public Key Cryptography

DM49-2. Obligatoriske Opgave

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

8.1 Principles of Public-Key Cryptosystems

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Introduction. What is RSA. A Guide To RSA by Robert Yates. Topics

CPSC 467b: Cryptography and Computer Security

NET 311D INFORMATION SECURITY

Question: Total Points: Score:

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

10 Public Key Cryptography : RSA

Ma/CS 6a Class 3: The RSA Algorithm

ICS141: Discrete Mathematics for Computer Science I

Eindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015

Elliptic Curves and an Application in Cryptography

An Introduction to Cryptography

MATHEMATICS EXTENDED ESSAY

Notes 10: Public-key cryptography

Great Theoretical Ideas in Computer Science

Mathematics of Cryptography

Notes for Lecture 17

Lecture 22: RSA Encryption. RSA Encryption

Solutions to the Midterm Test (March 5, 2011)

RSA: Genesis, Security, Implementation & Key Generation

8 Elliptic Curve Cryptography

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Ti Secured communications

Lecture V : Public Key Cryptography

basics of security/cryptography

The Laws of Cryptography Zero-Knowledge Protocols

RSA RSA public key cryptosystem

5199/IOC5063 Theory of Cryptology, 2014 Fall

Fall 2017 September 20, Written Homework 02

CMSC 389T MIDTERM SOLUTION

Transcription:

Homework 4 for Modular Arithmetic: The RSA Cipher Gregory V. Bard April 25, 2018 This is a practice workbook for the RSA cipher. It is not suitable for learning the RSA cipher from scratch. However, there are many websites that explain the RSA cipher. In the solutions of this packet, the black ink represents the question, and the blue ink represents the answer. The red ink is additional information that would normally only be calculated with technology (e.g. Sage), or extraordinary patience. Most problems have been cloned 3 4 times. A clone is an identical version of a problem with only the coefficients changed. All clones have the same number, but a different letter. So problems 1a, 1b, and 1c are clones of each other. Some problems cannot be cloned, because nothing changes. 1

Problem 1 Let s see how much you remember of the alphabet soup in RSA. Problem 1a Describe each of these with a short phrase. What is m? What is d? What is N? What is e? What is q? What is φ? What is c? What is p? Problem 1b For each of the following, tell me what is the standard choice of letter (from English or Greek) for representing that in RSA. The plaintext message. The encryption exponent. The decryption exponent. The two huge primes. The ciphertext message. The modulus. The Euler Totient Function of the modulus. 2

Problem 1 Let s see how much you remember of the alphabet soup in RSA. Problem 1a Describe each of these with a short phrase. What is m? The plaintext message. What is d? The decryption exponent. What is N? The modulus. What is e? The encryption exponent. What is q? One of the two huge primes. What is φ? The Euler Totient Function of the modulus. What is c? The ciphertext message. What is p? One of the two huge primes. Problem 1b For each of the following, tell me what is the standard choice of letter (from English or Greek) for representing that in RSA. The plaintext message. m The encryption exponent. e The decryption exponent. d The two huge primes. p, q The ciphertext message. c The modulus. N The Euler Totient Function of the modulus. φ 3

Problem 2a Let p = 101 and q = 103. Compute a valid N, φ, e, and d. You can leave d as a formula, but I want numbers for the other three. Problem 2b Let p = 101 and q = 97. Compute a valid N, φ, e, and d. You can leave d as a formula, but I want numbers for the other three. Problem 2c Let p = 103 and q = 107. Compute a valid N, φ, e, and d. You can leave d as a formula, but I want numbers for the other three. 4

Problem 2a Let p = 101 and q = 103. Compute a valid N, φ, e, and d. You can leave d as a formula, but I want numbers for the other three. N = (101)(103) = 10, 403 φ = (100)(102) = 10, 200 For e, you can pick any integer coprime to φ. Accordingly, we have to factor φ, to learn what is safe. 10, 200 = (100)(102) = (25)(4)(2)(51) = (5 2 )(2 3 )(3)(17) As you can see, whatever e we choose must have no 2s, no 3s, no 5s, and no 17s in its prime factorization. The first few choices are {7, 11, 13, 19, 23, 29, 31, 37, 41, 43,...} and you can just pick one, provided that 2 < e < 10, 200. Whatever you choose for e, the formula for d should be e 1 mod φ. Note, that is mod φ, not mod N. Also, you should put your particular chosen number in place of the e. Problem 2b Let p = 101 and q = 97. Compute a valid N, φ, e, and d. You can leave d as a formula, but I want numbers for the other three. N = (101)(97) = 9797 φ = (100)(96) = 9600 For e, you can pick any integer coprime to φ. Accordingly, we have to factor φ, to learn what is safe. 9600 = (100)(96) = (25)(4)(4)(24) = (5 2 )(4 3 )(6) = (5 2 )(2 7 )(3) As you can see, whatever e we choose must have no 2s, no 3s, and no 5s in its prime factorization. The first few choices are: {7, 11, 13, 17, 19, 23, 29, 31, 37, 41,...} and you can just pick one, provided that 2 < e < 9600. Whatever you choose for e, the formula for d should be e 1 mod φ. Note, that is mod φ, not mod N. Also, you should put your particular chosen number in place of the e. Problem 2c Let p = 103 and q = 107. Compute a valid N, φ, e, and d. You can leave d as a formula, but I want numbers for the other three. N = (103)(107) = 11, 021 φ = (102)(106) = 10, 812 For e, you can pick any integer coprime to φ. Accordingly, we have to factor φ, to learn what is safe. 10, 812 = (102)(106) = (2)(51)(2)(53) = (2)(3)(17)(2)(53) = 2 2 (3)(17)(53) 5

As you can see, whatever e we choose must have no 2s, no 3s, no 17s, and no 53s in its prime factorization. The first few choices are: {5, 7, 11, 13, 19, 23, 29, 31, 35, 37,...} and you can just pick one, provided that 2 < e < 10, 812. Whatever you choose for e, the formula for d should be e 1 mod φ. Note, that is mod φ, not mod N. Also, you should put your particular chosen number in place of the e. 6

Problem 3 Now we ll learn whether or not you understand how the different outputs of the key-generation algorithm should be handled. Problem 3a A friend of yours is generating an RSA public-private key pair. He has followed all the steps of the keygeneration process, but has forgotten what to do with each of the six things he has computed. Of the six items computed during RSA key generation, p, q, N, φ, e, d, label each one as public, private, or destroy. Circle one. For security, e should be: public private destroyed. Circle one. For security, d should be: public private destroyed. Circle one. For security, N should be: public private destroyed. Circle one. For security, Φ should be: public private destroyed. Circle one. For security, p should be: public private destroyed. Circle one. For security, q should be: public private destroyed. Problem 3b A friend of yours has completed the RSA key generation process, and has made a public-private key pair. Of the six items computed during RSA key generation, p, q, N, φ, e, d, which should be made public? kept private? be destroyed? Made Public: (list them) Kept Private: (list them) Destroyed: (list them) 7

Problem 3 Now we ll learn whether or not you understand how the different outputs of the key-generation algorithm should be handled. Problem 3a A friend of yours is generating an RSA public-private key pair. He has followed all the steps of the keygeneration process, but has forgotten what to do with each of the six things he has computed. Of the six items computed during RSA key generation, p, q, N, φ, e, d, label each one as public, private, or destroy. Choose one. For security, e should be: public private destroyed. Choose one. For security, d should be: public private destroyed. Choose one. For security, N should be: public private destroyed. Choose one. For security, Φ should be: public private destroyed. Choose one. For security, p should be: public private destroyed. Choose one. For security, q should be: public private destroyed. Warning: The six items can be presented in any order. Problem 3b A friend of yours has completed the RSA key generation process, and has made a public-private key pair. Of the six items computed during RSA key generation, p, q, N, φ, e, d, which should be made public? kept private? be destroyed? Made Public: (list them) N, e Kept Private: (list them) d Destroyed: (list them) φ, p, q 8

Problem 4 Problem 4a: 1. Bob generates the following during key generation: p = 103, q = 107, N = 11, 021, φ = 10, 812, but clearly he isn t finished yet. What are the requirements for e? 2. Okay, now Bob chooses e = 2141. What are the requirements for d? 3. Which of the six items will comprise Bob s public key? (Variable names are fine.) 4. Which of the six items will comprise Bob s private key? (Variable names are fine.) 5. As it comes to pass, Bob computes d = 101. Charlene sends him an encrypted message, c = 9798. What does Bob have to compute to decipher the message? (Your answer should be a formula, with numbers but not variables.) 6. Alice wants to send Bob a secret message. She downloads his public key. The message is m = 1234. What should she compute in order to encrypt this message for him? (Your answer should be a formula, with numbers but not variables.) Problem 4b: 1. Bob generates the following during key generation: p = 101, q = 107, N = 10, 807, φ = 10, 600, but clearly he isn t finished yet. What are the requirements for e? 2. Okay, now Bob chooses e = 2143. What are the requirements for d? 3. Which of the six items will comprise Bob s public key? (Variable names are fine.) 4. Which of the six items will comprise Bob s private key? (Variable names are fine.) 5. As it comes to pass, Bob computes d = 5807. Charlene sends him an encrypted message, c = 6076. What does Bob have to compute to decipher the message? (Your answer should be a formula, with numbers but not variables.) 6. Alice wants to send Bob a secret message. She downloads his public key. The message is m = 5678. What should she compute in order to encrypt this message for him? (Your answer should be a formula, with numbers but not variables.) Problem 4c: 1. Bob generates the following during key generation: p = 103, q = 107, N = 11, 021, φ = 10, 812, but clearly he isn t finished yet. What are the requirements for e? 2. Okay, now Bob chooses e = 1009. What are the requirements for d? 3. Which of the six items will comprise Bob s public key? (Variable names are fine.) 4. Which of the six items will comprise Bob s private key? (Variable names are fine.) 5. As it comes to pass, Bob computes d = 8401. Charlene sends him an encrypted message, c = 6710. What does Bob have to compute to decipher the message? (Your answer should be a formula, with numbers but not variables.) 6. Alice wants to send Bob a secret message. She downloads his public key. The message is m = 1234. What should she compute in order to encrypt this message for him? (Your answer should be a formula, with numbers but not variables.) 9

Problem 4 Problem 4a: 1. Bob generates the following during key generation: p = 103, q = 107, N = 11, 021, φ = 10, 812, but clearly he isn t finished yet. What are the requirements for e? We need e to be coprime to φ = 10, 812. This means that we have to factor 10,812 to understand the requirements further. We obtain 10, 812 = (102)(106) = (2)(51)(2)(53) = (2)(3)(17)(2)(53) = 2 2 (3)(17)(53) which means that the factorization of e must have no 2s, no 3s, no 17s, and no 53s. Furthermore, 2 < e < 10, 812. 2. Okay, now Bob chooses e = 2141. What are the requirements for d? It is a simple calculation. We require d = e 1 mod φ, which means d = 2141 1 mod 10, 812. We need to compute the inverse of 2141 mod 10,812. Sage says that this is 101. 3. Which of the six items will comprise Bob s public key? (Variable names are fine.) Bob s public key will consist of N and e. 4. Which of the six items will comprise Bob s private key? (Variable names are fine.) Only d. 5. As it comes to pass, Bob computes d = 101. Charlene sends him an encrypted message, c = 9798. What does Bob have to compute to decipher the message? (Your answer should be a formula, with numbers but not variables.) Bob must compute 9798 101 mod 11,021. Sage says that this is 420. 6. Alice wants to send Bob a secret message. She downloads his public key. The message is m = 1234. What should she compute in order to encrypt this message for him? (Your answer should be a formula, with numbers but not variables.) Alice must compute 1234 2141 mod 11,021. Sage says that this is 6643. Problem 4b: 1. Bob generates the following during key generation: p = 101, q = 107, N = 10, 807, φ = 10, 600, but clearly he isn t finished yet. What are the requirements for e? We need e to be coprime to φ = 10, 600. This means that we have to factor 10,600 to understand the requirements further. We obtain 10, 600 = (106)(100) = (2)(53)(4)(25) = (2 3 )(5 2 )(53) which means that the factorization of e must have no 2s, no 5s, and no 53s. Furthermore, 2 < e < 10, 600. 2. Okay, now Bob chooses e = 2143. What are the requirements for d? We require d = e 1 mod φ, which means d = 2143 1 mod 10, 600. We need to compute the inverse of 2143 mod 10,600. Sage says that this is 5807. 3. Which of the six items will comprise Bob s public key? (Variable names are fine.) Bob s public key will consist of N and e. 10

4. Which of the six items will comprise Bob s private key? (Variable names are fine.) Only d. 5. As it comes to pass, Bob computes d = 5807. Charlene sends him an encrypted message, c = 6076. What does Bob have to compute to decipher the message? (Your answer should be a formula, with numbers but not variables.) Bob must compute 6076 5807 mod 10,807. Sage says that this is 888. This means good fortune or lots of money in some classical Chinese numerology. 6. Alice wants to send Bob a secret message. She downloads his public key. The message is m = 5678. What should she compute in order to encrypt this message for him? (Your answer should be a formula, with numbers but not variables.) Alice must compute 5678 2143 mod 10,807. Sage says that this is 6973. Problem 4c: 1. Bob generates the following during key generation: p = 103, q = 107, N = 11, 021, φ = 10, 812, but clearly he isn t finished yet. What are the requirements for e? We need e to be coprime to φ = 10, 812. This means that we have to factor 10,812 to understand the requirements further. We obtain 10, 812 = (102)(106) = (2)(51)(2)(53) = (2 2 )(3)(17)(53) which means that the factorization of e must have no 2s, no 3s, no 17s, and no 53s. Furthermore, 2 < e < 10, 812. 2. Okay, now Bob chooses e = 1009. What are the requirements for d? We require d = e 1 mod φ, which means d = 1009 1 mod 10, 812. We need to compute the inverse of 1009 mod 10,812. Sage says that this is 8401. 3. Which of the six items will comprise Bob s public key? (Variable names are fine.) Bob s public key will consist of N and e. 4. Which of the six items will comprise Bob s private key? (Variable names are fine.) Only d. 5. As it comes to pass, Bob computes d = 8401. Charlene sends him an encrypted message, c = 6710. What does Bob have to compute to decipher the message? (Your answer should be a formula, with numbers but not variables.) Bob must compute 6710 8401 mod 11,021. Sage says that this is 4321. 6. Alice wants to send Bob a secret message. She downloads his public key. The message is m = 1234. What should she compute in order to encrypt this message for him? (Your answer should be a formula, with numbers but not variables.) Alice must compute 1234 1009 mod 11,021. Sage says that this is 146. It is a small number. Indeed, this does sometimes happen. 11

Problem 5 There is a distrustful user, Vincent. He doesn t understand why it is so important that φ, p, and q get destroyed. 5.1: Let s assume that no one publishes an algorithm to make it easier to factor huge numbers. Suppose Vincent s φ becomes public, but nothing else (besides Vincent s public key) becomes public. What could happen then? 5.2: Okay, so now we understand that φ should be destroyed. We learn that RSA is very dependent on the hardness of factoring. Why would it be so bad if factoring huge numbers became easy?! In particular, what would happen if nothing other than Vincent s public key was public, but factoring huge numbers was easy? 5.3: Let s assume that no one publishes an algorithm to make it easier to factor huge numbers. Suppose Vincent s q becomes public, but nothing else (besides Vincent s public key) becomes public. What could happen then? 5.4: Let s assume that no one publishes an algorithm to make it easier to factor huge numbers. Suppose Vincent s p becomes public, but nothing else (besides Vincent s public key) becomes public. What could happen then? 12

Problem 5 There is a distrustful user, Vincent. He doesn t understand why it is so important that φ, p, and q get destroyed. 5.1: Let s assume that no one publishes an algorithm to make it easier to factor huge numbers. Suppose Vincent s φ becomes public, but nothing else (besides Vincent s public key) becomes public. What could happen then? We know that e is part of the public key. If φ becomes public also, then one can compute e 1 mod φ. This is the inverse of e mod φ. Clearly, the number obtained would be d. Whoever does this computation now has Vincent s d, which means that they can read his messages and probably sign documents, such as checks, as if they were him. 5.2: Okay, so now we understand that φ should be destroyed. We learn that RSA is very dependent on the hardness of factoring. Why would it be so bad if factoring huge numbers became easy?! In particular, what would happen if nothing other than Vincent s public key was public, but factoring huge numbers was easy? Again, we know that e and N comprise the public key. If factoring became easy, someone could compute p and q by factoring N = pq, because N is public after all. Then since the attacker knows p and q, it is extremely easy to compute φ = (p 1)(q 1). Once the attacker knows φ, they can do what we wrote in the answer to Subproblem 3.1. 5.3: Let s assume that no one publishes an algorithm to make it easier to factor huge numbers. Suppose Vincent s q becomes public, but nothing else (besides Vincent s public key) becomes public. What could happen then? Given q, simple division would reveal p. Because N = pq, the attacker just needs to compute N/q = p. Recall, N is public after all. Also, note that this is ordinary division, in the sense of the ordinary integers, not modular arithmetic. Then since the attacker knows p and q, it is extremely easy to compute φ = (p 1)(q 1). Once the attacker knows φ, they can do what we wrote in the answer to Subproblem 3.1. 5.4: Let s assume that no one publishes an algorithm to make it easier to factor huge numbers. Suppose Vincent s p becomes public, but nothing else (besides Vincent s public key) becomes public. What could happen then? This is clearly the same question as Subproblem 3.3. Given p, simple division would reveal q. Because N = pq, the attacker just needs to compute N/p = q. Then since the attacker knows p and q, it is extremely easy to compute φ = (p 1)(q 1). Once the attacker knows φ, they can do what we wrote in the answer to Subproblem 3.1. Moral: What is the moral of the story? Do not violate the requirements of the algorithm under any circumstances! 13

Question 6 Whenever you use your web browser in https mode, and see that key icon or lock icon that indicates an encrypted communication, then you re using either RSA, or a related algorithm called Diffie-Hellman. The mechanism for doing this is a protocol called SSL (the secure socket s layer) and its successor, TLS (transport level security). In 2012, some researchers (see bibliographic references below) took a bunch of RSA public keys (11,400,000 of them) from the Electronic Frontier Foundation s SSL Observatory, and started taking gcds of pairs of N s. It turns out that this exceptionally simple operation downloading lots of public keys, picking random pairs of Ns, and taking gcds broke 0.2% of public keys. That s a lot larger than it sounds like. There were 26,965 that were broken, which is alarming since most programmers who use cryptography think that RSA is unbreakable. Question 6a Suppose e 1 = 151, 153 and e 2 = 176, 303, but N 1 = 302, 303 and N 2 = 352, 603. You compute gcd(n 1, N 2 ) = 503 using the Extended Euclidean Algorithm, or Sage. What is the factorization of N 1? What is φ 1? How can we obtain the private key, d 1? What is the factorization of N 2? What is φ 2? How can we obtain the private key, d 2? Question 6b Suppose e 1 = 386, 329 and e 2 = 387, 197, but N 1 = 772, 637 and N 2 = 774, 391. You compute gcd(n 1, N 2 ) = 877 using the Extended Euclidean Algorithm, or Sage. What is the factorization of N 1? What is φ 1? How can we obtain the private key, d 1? What is the factorization of N 2? What is φ 2? How can we obtain the private key, d 2? Citations A. Lenstra, J. Hughes, M. Augier, J. Bos, T. Kleinjung, and C. Wachte. Ron was wrong, Whit is right. Posted to eprint.iacr.org, 17 February, 2012. https://eprint.iacr.org/2012/064.pdf There is also a NY Times article about this: J. Markoff. Flaw Found in an Online Encryption Method. The New York Times. February 15th, 2012. http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method. html 14

Question 6 See the previous page for the background on Question 6. Question 6a Suppose e 1 = 151, 153 and e 2 = 176, 303, but N 1 = 302, 303 and N 2 = 352, 603. You compute gcd(n 1, N 2 ) = 503 using the Extended Euclidean Algorithm, or Sage. What is the factorization of N 1? Because N 1 /g = 302, 303/503 = 601, we know (503)(601) = 302, 303. What is φ 1? We compute (502)(600) = 301, 200. How can we obtain the private key, d 1? Compute the inverse of 151,153 mod 301,200, namely 151, 153 1 mod 301,200. According to Sage, d = 817. What is the factorization of N 2? Because N 2 /g = 352, 603/503 = 701, we know (503)(701) = 352, 603. What is φ 2? We compute (502)(700) = 351, 400. How can we obtain the private key, d 2? Compute the inverse of 176,303 mod 351,400, namely 176, 303 1 mod 351,400. According to Sage, d = 24, 767. Note: Now you have both private keys, and can read their mail and sign checks as if you were them! Question 6b Suppose e 1 = 386, 329 and e 2 = 387, 197, but N 1 = 772, 637 and N 2 = 774, 391. You compute gcd(n 1, N 2 ) = 877 using the Extended Euclidean Algorithm, or Sage. What is the factorization of N 1? Because N 1 /g = 772, 637/877 = 881, we know (877)(881) = 772, 637. What is φ 1? We compute (876)(880) = 770, 880. How can we obtain the private key, d 1? Compute the inverse of 386,329 mod 770,880, namely 386, 329 1 mod 770,880. According to Sage, d = 352, 489. What is the factorization of N 2? Because N 2 /g = 774, 391/877 = 883, we know (877)(883) = 774, 391. What is φ 2? We compute (876)(882) = 772, 632. How can we obtain the private key, d 2? Compute the inverse of 387,197 mod 772,632, namely 387, 197 1 mod 772,632. According to Sage, d = 231, 965. Note: Now you have both private keys, and can read their mail and sign checks as if you were them! Citations A. Lenstra, J. Hughes, M. Augier, J. Bos, T. Kleinjung, and C. Wachte. Ron was wrong, Whit is right. Posted to eprint.iacr.org, 17 February, 2012. https://eprint.iacr.org/2012/064.pdf There is also a NY Times article about this: J. Markoff. Flaw Found in an Online Encryption Method. The New York Times. February 15th, 2012. http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method. html 15

Question 7 We return to Vincent, who doesn t trust all the details of the algorithm specification. When we require that 2 < e < φ, we are explicitly ruling out e {0, 1, 2, φ} 7.1: What would go wrong if e = 1? 7.2: What would go wrong if e = 0? 7.3: What would go wrong if e = φ? 7.4: What would go wrong if e = 2? 16

Question 7 We return to Vincent, who doesn t trust all the details of the algorithm specification. When we require that 2 < e < φ, we are explicitly ruling out e {0, 1, 2, φ} 7.1: What would go wrong if e = 1? When you encrypt a message, the ciphertext is c = m e mod N. We would have c = m 1 = m mod N. Your messages would not be encrypted you would be transmitting your messages in plaintext. 7.2: What would go wrong if e = 0? When you encrypt a message, the ciphertext is c = m 0 mod N. We would have c = m 0 = 1 mod N. The ciphertext would be 1 regardless of the message. The receiver would have no idea which message you wanted to send, because all messages turn into a 1. This is like the sender putting a letter into an envelope, and burning it, rather than mailing it. While no one will be able to read the original message, the intended receiver will have no idea what the message contains. 7.3: What would go wrong if e = φ? When you encrypt a message, the ciphertext is c = m φ mod N. We would have c = m φ = m 0 = 1 mod N. That s because exponents, when working mod N, should be reduced mod φ, and φ = 0 mod φ. The ciphertext would be 1 regardless of the message, like the previous subproblem. 7.4: What would go wrong if e = 2? Since p and q are huge primes, they are odd. This means that (p 1) and (q 1) are even. The product of two even numbers is even. Since φ = (p 1)(q 1) is even, and e = 2 is even, then gcd(e, φ) = gcd(2, φ) = 2. This means gcd(e, φ) 1 and therefore, d will not exist. The receiver cannot decode the message, because d does not exist. 17

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback