Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Similar documents
1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Introduction to Modern Cryptography. Benny Chor

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

CPSC 467b: Cryptography and Computer Security

Factorization & Primality Testing

Lecture 1: Introduction to Public key cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Cryptography IV: Asymmetric Ciphers

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture Notes, Week 6

Introduction to Cryptography. Lecture 8

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

CPSC 467b: Cryptography and Computer Security

Algorithmic Number Theory and Public-key Cryptography

Public Key Algorithms

Applied Cryptography and Computer Security CSE 664 Spring 2018

Topics in Cryptography. Lecture 5: Basic Number Theory

CIS 551 / TCOM 401 Computer and Network Security

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

Introduction to Public-Key Cryptosystems:

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Public-Key Encryption: ElGamal, RSA, Rabin

ECEN 5022 Cryptography

Lecture 11 - Basic Number Theory.

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

The security of RSA (part 1) The security of RSA (part 1)

Basic elements of number theory

Basic elements of number theory

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

10 Concrete candidates for public key crypto

Introduction to Cryptography. Lecture 6

CSE 521: Design and Analysis of Algorithms I

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

basics of security/cryptography

The RSA cryptosystem and primality tests

Mathematics of Cryptography

Number Theory and Algebra: A Brief Introduction

Cryptography: Joining the RSA Cryptosystem

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

RSA RSA public key cryptosystem

ALG 4.0 Number Theory Algorithms:

Attacks on RSA & Using Asymmetric Crypto

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Chapter 8 Public-key Cryptography and Digital Signatures

Math/Mthe 418/818. Review Questions

Public Key Encryption

Pseudo-random Number Generation. Qiuliang Tang

CPSC 467b: Cryptography and Computer Security

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Public-Key Cryptosystems CHAPTER 4

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

Mathematical Foundations of Public-Key Cryptography

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

One can use elliptic curves to factor integers, although probably not RSA moduli.

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

Ma/CS 6a Class 4: Primality Testing

IRREDUCIBILITY TESTS IN F p [T ]

CPSC 467b: Cryptography and Computer Security

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

COMP4109 : Applied Cryptography

CS March 17, 2009

RSA. Ramki Thurimella

Ti Secured communications

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

ASYMMETRIC ENCRYPTION

Introduction to Cybersecurity Cryptography (Part 5)

Introduction to Information Security

Public Key Encryption

Elliptic Curve Cryptography with Derive

Introduction to Cybersecurity Cryptography (Part 4)

Introduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Basic Algorithms in Number Theory

Introduction to Elliptic Curve Cryptography. Anupam Datta

10 Public Key Cryptography : RSA

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 3.1: Public Key Cryptography I

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Asymmetric Encryption

Public Key Cryptography

Introduction to Modern Cryptography. Benny Chor

Number theory. Myrto Arapinis School of Informatics University of Edinburgh. October 9, /29

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

CPSC 467b: Cryptography and Computer Security

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Foundations of Network and Computer Security

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

CPSC 467: Cryptography and Computer Security

Primzahltests und das Faktorisierungsproblem

Ma/CS 6a Class 4: Primality Testing

Transcription:

Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1

Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings: Katz and Lindell: Section 7.2, Appendix B.2 Topic 18 2

Why does RSA work? Need to show that (M e ) d (mod n) = M, n = pq We know that when MZ pq *, i.e., when gcd(m, n) = 1, then M ed M (mod n) What if gcd(m, n) 1? Assume, wlog, that gcd(m, n) = p ed 1 (mod (n)), so ed = k(n) + 1, for some integer k. M ed mod p = (M mod p) ed mod p = 0 so M ed M mod p M ed mod q = (M k*(n) mod q) (M mod q) = M mod q so M ed M mod q As p and q are distinct primes, it follows from the Chinese Remainder Theorem that M ed M mod pq What is the probability that when one chooses M Z pq, gcd(m, n) 1? Topic 18 3

Square and Multiply Algorithm for Exponentiation Computing (x) c mod n Example: suppose that c=53=110101 x 53 =((x 13 ) 2 ) 2 x=(((x 3 ) 2 ) 2 x) 2 ) 2 x =(((x 2 x) 2 ) 2 x) 2 ) 2 x mod n Alg: Square-and-multiply (x, n, c = c k-1 c k-2 c 1 c 0 ) z=1 for i k-1 downto 0 { z z 2 mod n if c i = 1 then z (z x) mod n } return z Topic 18 4

Efficiency of computation modulo n Suppose that n is a k-bit number, and 0 x,y n computing (x+y) mod n takes time O(k) computing (x-y) mod n takes time O(k) computing (xy) mod n takes time O(k 2 ) computing (x -1 ) mod n takes time O(k 3 ) computing (x) c mod n takes time O((log c) k 2 ) Topic 18 5

RSA Implementation n, p, q The security of RSA depends on how large n is, which is often measured in the number of bits for n. Currently, 1024 bits for n is considered similar to 80- bit security, and is not recommended for serious security p and q should have the same bit length, so for 2048 bits RSA, p and q should be about 1024 bits. p q should not be small Otherwise, factoring pq is easy Topic 18 6

RSA Implementation Select p and q prime numbers In general, select numbers, then test for primality Many implementations use the Rabin-Miller test, (probabilistic test) Topic 18 7

RSA Implementation e e is usually chosen to be 3 or 2 16 + 1 = 65537 In order to speed up the encryption the smaller the number of 1 bits, the better why? Topic 18 8

Pohlig-Hellman Exponentiation Cipher A symmetric key exponentiation cipher encryption key (e,p), where p is a prime decryption key (d,p), where ed1 (mod (p-1)) to encrypt M, compute M e mod p to decrypt C, compute C d mod p Why is this not a public key cipher? What makes RSA different? Topic 18 9

Factoring Large Numbers One idea many factoring algorithms use: Suppose one find x 2 y 2 (mod n) such that xy (mod n) and x-y (mod n). Then n (x-y)(x+y). As neither (x-y) or (x+y) is divisible by n; gcd(x-y,n) is a non-trivial factor of n Given one factor, easily compute the other Topic 18 10

More Details on Factoring Fact: if n=pq, then x 2 1 (mod n) has four solutions that are <n. x 2 1 (mod n) if and only if both x 2 1 (mod p) and x 2 1 (mod q) Two trivial solutions: 1 and n-1 1 is solution to x 1 (mod p) and x 1 (mod q) n-1 is solution to x -1 (mod p) and x -1 (mod q) Two other solutions solution to x 1 (mod p) and x -1 (mod q) solution to x -1 (mod p) and x 1 (mod q) E.g., n=3 5=15, then x 2 1 (mod 15) has the following solutions: 1, 4, 11, 14 Topic 18 11

An Example Knowing a nontrivial solution to x 2 1 (mod n) compute gcd(x+1,n) and gcd(x-1,n) E.g., 4 and 11 are solution to x 2 1 (mod 15) gcd(4+1,15) = 5 gcd(4-1,15) = 3 gcd(11+1,15) = 3 gcd(11-1, 15) = 5 Topic 18 12

Time complexity of factoring quadratic sieve: O(e (1+o(1))sqrt(ln n ln ln n) ) for n around 2 1024, O(e 68 ) elliptic curve factoring algorithm O(e (1+o(1))sqrt(2 ln p ln ln p) ), where p is the smallest prime factor for n=pq and p,q around 2 512, for n around 2 1024 O (e 65 ) number field sieve O(e (1.92+o(1)) (ln n)^1/3 (ln ln n)^2/3 ), for n around 2 1024 O (e 60 ) 768-bit modulus was factored in 2009 Extrapolating trends of factoring suggests that 1024-bit moduli will be factored by 2018 Topic 18 13

RSA Security RSA security depends on hardness of factoring n=pq Knowing (n) enables factoring n Knowing (e,d) such that ed mod (n)=1 enables factoring n Topic 18 14

(n) implies factorization Knowing both n and (n), one knows n = pq (n) = (p-1)(q-1) = pq p q + 1 = n p n/p + 1 p(n) = np p 2 n + p p 2 np + (n)p p + n = 0 p 2 (n (n) + 1) p + n = 0 There are two solutions of p in the above equation. Both p and q are solutions. Topic 18 15

Factoring when knowing e and d Knowing ed such that ed 1 (mod (n)) write ed 1 = 2 s r (r odd) choose w at random such that 1<w<n-1 if w not relative prime to n then return gcd(w,n) (if gcd(w,n)=1, what value is (w 2^s r mod n)?) compute w r, w 2r, w 4r,, by successive squaring until find w 2^t r 1 (mod n) Fails when w r 1 (mod n) or w 2^t r -1 (mod n) Failure probability is less than ½ (Proof is complicated) Topic 18 16

Example: Factoring n given (e,d) Input: n=2773, e=17, d=157 ed-1=2668=2 2 667 (r=667) Pick random w, compute w r mod n w=7, 7 667 =1 no good w=8, 8 667 =471, and 471 2 =1, so 471 is a nontrivial square root of 1 mod 2773 compute gcd(471+1, 2773)=59 gcd(471-1, 2773)=47. 2773=5947 Topic 18 17

Summary of Math-based Attacks on RSA Three possible approaches: 1.Factor n = pq 2.Determine (n) 3.Find the private key d directly All are equivalent finding out d implies factoring n if factoring is hard, so is finding out d Should never have different users share one common modulus Topic 18 18

The RSA Problem The RSA Problem: Given a positive integer n that is a product of two distinct large primes p and q, a positive integer e such that gcd(e, (p-1)(q- 1))=1, and an integer c, find an integer m such that m e c (mod n) widely believed that the RSA problem is computationally equivalent to integer factorization; however, no proof is known The security of RSA encryption s scheme depends on the hardness of the RSA problem. Topic 18 19

Other Decryption Attacks on RSA Small encryption exponent e When e=3, Alice sends the encryption of message m to three people (public keys (e, n 1 ), (e, n 2 ), (e,n 3 )) C 1 = M 3 mod n 1, C 2 = M 3 mod n 2, C 3 = M 3 mod n 3, An attacker can compute a solution to the following system x c 1 mod n 1 x c 2 mod n 2 x c 3 mod n 3 The solution x modulo n 1 n 2 n 3 must be M 3 (No modulus!), one can compute integer cubit root Countermeasure: padding required Topic 18 20

Other Attacks on RSA Forward Search Attack If the message space is small, the attacker can create a dictionary of encrypted messages (public key known, encrypt all possible messages and store them) When the attacker sees a message on the network, compares the encrypted messages, so he finds out what particular message was encrypted Q uicktime and a TI FF ( Uncompressed) decompressor are needed t o see t his pict ure. Topic 18 21

Timing Attacks Timing Attacks on Implementations of Diffie- Hellman, RSA, DSS, and Other Systems (1996), Paul C. Kocher By measuring the time required to perform decryption (exponentiation with the private key as exponent), an attacker can figure out the private key Possible countermeasures: use constant exponentiation time add random delays blind values used in calculations Topic 18 22

Timing Attacks (cont.) Is it possible in practice? YES. OpenSSL Security Advisory [17 March 2003] Timing-based attacks on RSA keys ================================ OpenSSL v0.9.7a and 0.9.6i vulnerability ---------------------------------------- Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Topic 18 23

Distribution of Prime Numbers Theorem (Gaps between primes) For every positive integer n, there are n or more consecutive composite numbers. Proof Idea: The consective numbers (n+1)! + 2, (n+1)! + 3,., (n+1)! + n+1 are composite. (Why?) Topic 18 24

Distribution of Prime Numbers Definition Given real number x, let (x) be the number of prime numbers x. Theorem (prime numbers theorem) (x) lim x x /ln x 1 For a very large number x, the number of prime numbers smaller than x is close to x/ln x. Topic 18 25

Generating large prime numbers Randomly generate a large odd number and then test whether it is prime. How many random integers need to be tested before finding a prime? the number of prime numbers p is about N / ln p roughly every ln p integers has a prime for a 512 bit p, ln p = 355. on average, need to test about 177=355/2 odd numbers Need to solve the Primality testing problem the decision problem to decide whether a number is a prime Topic 18 26

Naïve Method for Primality Testing Theorem Composite numbers have a divisor below their square root. Proof idea: n composite, so n = ab, 0 < a b < n, then a sqrt(n), otherwise we obtain ab > n (contradiction). Algorithm 1 for (i=2, i < sqrt(n) + 1); i++) { If i a divisor of n { n is composite } } n is prime Running time is O(sqrt(n)), which is exponential in the size of the binary representation of n Topic 18 27

More Efficient Algorithms for Primality Testing Primality testing is easier than integer factorization, and has a polynomial-time algorithm. The Agrawal Kayal Saxena primality test was discovered in 2002 Improved version of the algorithm runs in O((ln x) 6 ), less efficient than randomized algorithms How can we tell if a number is prime or not without factoring the number? The most efficient algorithms are randomized. Solovay-Strassen Rabin-Miler Topic 18 28

Quadratic Residues Modulo A Prime Definition a is a quadratic residue modulo p if b Z * p such that b 2 a mod p, otherwise when a0, a is a quadratic nonresidue is the set of all quadratic residues Q p Q p is the set of all quadratic nonresidues If p is prime there are (p-1)/2 quadratic residues in Z p*, that is Q p = (p-1)/2 let g be generator of Z p*, then a=g j is a quadratic residue iff. j is even. Topic 18 29

How Many Square Roots Does an Element in Q p have? A element a in Q p has exactly two square roots a has at least two square roots if b 2 a mod p, then (p-b) 2 a mod p a has at most two square roots in Z p * if b 2 a mod p and c 2 a mod p, then b 2 c 2 0 mod p then p (b+c)(b-c), either b=c, or b+c=p Topic 18 30

Legendre Symbol Let p be an odd prime and a an integer. The Legendre symbol is defined a p 0, if p a 1, if a Q p 1, if a Q p Topic 18 31

Euler s Criterion Theorem: If a (p-1)/2 1 mod p, then a is a quadratic residue ( if -1 then a is a quadratic nonresidue) I.e., the Legendre symbol a p = a (p-1)/2 mod p Proof. If a = y 2, then a (p-1)/2 = y (p-1) = 1 (mod p) If a (p-1)/2 =1, let a = g j, where g is a generator of the group Z p *. Then g j (p-1)/2 = 1 (mod p). Since g is a generator, (p-1) j (p-1)/2, thus j must be even. Therefore, a=g j is QR. Topic 18 32

Topic 18 33 Jacobi Symbol Let n 3 be odd with prime factorization The Jacobi symbol is defined to be The Jacobi symbol is in {0,-1,1}, and can be computed without factoring n or knowing whether n is prime or not e k k e e p a p a p a n a... 2 1 2 1 e k k e e p p p n... 2 1 2 1

Euler Pseudo-prime For any prime p, the Legendre symbol = a (p-1)/2 mod p For a composite n, if the Jacobi symbol = a (n-1)/2 mod n then n is called an Euler pseudo-prime to the base a, i.e., a is a pseudo evidence that n is prime a p a n For any composite n, the number of pseudo evidences that n is prime for at most half of the integers in Z n * Topic 18 34

The Solovay-Strassen Algorithm for Primality Testing Solovay-Strassen(n) choose a random integer a s.t. 1an-1 a x n if x=0 then return ( n is composite ) // gcd(x,n)1 y a (n-1)/2 mod n if (x=y) then return ( n is prime ) // either n is a prime, or a pseudo-prime else return ( n is composite ) // violates Euler s criterion If n is composite, it passes the test with at most ½ prob. Use multiple tests before accepting n as prime. Topic 18 35

Rabin-Miller Test Another efficient probabilistic algorithm for determining if a given number n is prime. Write n-1 as 2 k m, with m odd. Choose a random integer a, 1 a n-1. b a m mod n if b=1 then return n is prime compute b, b 2,b 4,,b 2^(k-1), if we find -1, return n is prime return n is composite A composite number pass the test with ¼ prob. When t tests are used with independent a, a composite passes with (¼) t prob. The test is fast, used very often in practice. Topic 18 36

Why Rabin-Miller Test Work Claim: If the algorithm returns n is composite, then n is not a prime. Proof: if we choose a and returns composite on n, then a m 1, a m -1, a 2m -1, a 4m -1,, a 2^{k-1}m -1 (mod n) suppose, for the sake of contradiction, that n is prime, then a n-1 =a 2^{k}m =1 (mod n) then there are two square roots modulo n, 1 and -1 then a 2^{k-1}m = a 2^{k-2}m = a 2m = a m = 1 (contradiction!) so if n is prime, the algorithm will not return composite Topic 18 37

Coming Attractions Public Key Encryption Reading: Katz & Lindell: Chapter 10 Topic 18 38

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback