Iterated Encryption and Wiener's attack on RSA

Iterated Encryption

Euler's function

Euler's function: $\varphi(n) = |\{1 \le x \le n : \gcd(x, n) = 1\}|$.

Theorem (Euler). If $n$ is a positive integer and $m$ is a positive integer coprime to $n$, then $m^{\varphi(n)} \bmod n = 1$.

Iterated Encryption

Consider a public RSA key with encryption modulus $n$ and encryption exponent $e$. Also, consider a message $M < n$ in padded ASCII form. Consider what might happen when $M$ is encrypted iteratively using this key:

$$E_1 = M^{e} \bmod n,\quad E_2 = E_1^{e} \bmod n,\quad E_3 = E_2^{e} \bmod n,\quad \dots,\quad E_k = E_{k-1}^{e} \bmod n.$$

Using the laws of exponents we have that for each $k$, $E_k = M^{e^k} \bmod n$.

Carmichael function

Carmichael's function: $\lambda(n)$ is defined as the smallest positive integer $m$ such that $a^m \equiv 1 \pmod{n}$ for every $a$ coprime to $n$.

Theorem (Carmichael). If $n$ is a positive integer and $a$ is a positive integer coprime to $n$, then $a^{\lambda(n)} \bmod n = 1$.

Corollary. If $n$ is a product of distinct primes, then for all $a$, $a^{\lambda(n)+1} \equiv a \pmod{n}$.

Theorem. For $p > 3$ and $k \ge 2$, $\lambda(p^k) = p^{k-1}(p-1)$.

Theorem. $\lambda(p_1^{k_1} p_2^{k_2} \cdots p_t^{k_t}) = \operatorname{lcm}\bigl(\lambda(p_1^{k_1}), \lambda(p_2^{k_2}), \dots, \lambda(p_t^{k_t})\bigr)$.

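Iterated Encryption

Note that when $n$ is a product of distinct primes, $\lambda(n)$ divides $\varphi(n)$, making $\lambda(n) < \varphi(n)$.

Assume that $e^k \equiv 1 \pmod{\lambda(n)}$ for some $k$, where $e$ is the encryption exponent, and write $e^k = \lambda(n)\,t + 1$ for an integer $t$. Then

$$(M^{e^k} \bmod n) \bmod n = M^{e^k} \bmod n = M^{\lambda(n)t+1} \bmod n = (M^{\lambda(n)})^{t} M^{1} \bmod n = 1^{t} M \bmod n = M.$$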
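The cycle described above, worked on a toy key as an added example (not part of the original slides). The primes 11 and 23, the exponent 3 and all function names are constructed for illustration; the first two functions are the check a key generator can run, since it knows $p$ and $q$, to see how short the cycle is.

```python
from math import gcd

def carmichael_semiprime(p, q):
    """lambda(pq) = lcm(p - 1, q - 1) for distinct primes p and q."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def cycle_length(e, lam):
    """Smallest k >= 1 with e^k = 1 (mod lam): the order of e modulo lambda(n)."""
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lambda(n)")
    k, x = 1, e % lam
    while x != 1:
        x = x * e % lam
        k += 1
    return k

def iterate_encryption(m, e, n, max_steps):
    """Apply E_j = E_{j-1}^e mod n until M reappears; return that j, or None."""
    c = m
    for j in range(1, max_steps + 1):
        c = pow(c, e, n)
        if c == m:
            return j
    return None

# Constructed toy key (far too small for real use): n = 11 * 23, e = 3.
P, Q, E = 11, 23, 3
N = P * Q
LAM = carmichael_semiprime(P, Q)   # lcm(10, 22) = 110
K = cycle_length(E, LAM)           # order of 3 modulo 110

if __name__ == "__main__":
    print("lambda(n) =", LAM, " cycle length k =", K)
    print("M = 2 returns after", iterate_encryption(2, E, N, 1000), "encryptions")
```

For a particular message the cycle can be shorter than $k$, but it always divides $k$, because $e^k \equiv 1 \pmod{\lambda(n)}$ sends every $M$ back to itself.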

Wiener's attack

Euclidean Algorithm

Recall how the Euclidean Algorithm computes the greatest common divisor, $g$, of two numbers $a$ and $b$ with $a < b$. One obtains a list of equations using long division:

$$\begin{aligned}
b &= q_1 a + r_1, & 0 \le r_1 < b \\
a &= q_2 r_1 + r_2, & 0 \le r_2 < r_1 \\
r_1 &= q_3 r_2 + r_3, & 0 \le r_3 < r_2 \\
r_2 &= q_4 r_3 + r_4, & 0 \le r_4 < r_3 \\
&\;\;\vdots \\
r_n &= q_{n+2} r_{n+1} + r_{n+2}
\end{aligned}$$

and $r_{n+2} = 0$ while $r_{n+1} > 0$. The last non-zero remainder, $r_{n+1}$, is $\gcd(a, b)$.

Continued Fractions

Consider a rational number $b/a$ with $\gcd(a, b) = 1$. Then $r_{n+1} = 1$. From the same set of equations we obtain:

$$\begin{aligned}
\frac{b}{a} &= q_1 + \frac{r_1}{a} = q_1 + \cfrac{1}{a/r_1} = q_1 + \cfrac{1}{q_2 + \cfrac{r_2}{r_1}} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{r_1/r_2}} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{r_3}{r_2}}} \\
&= q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{q_4 + \cfrac{1}{q_5 + \cdots + \cfrac{1}{q_{n+2}}}}}}
\end{aligned}$$

The expression is known as the continued fraction expansion of $b/a$ and it is denoted by $b/a = [q_1, q_2, q_3, q_4, \dots, q_{n+2}]$. The number $C_j = [q_1, q_2, \dots, q_{j+1}]$ is called the $j$-th convergent of $b/a$.

Continued Fractions

Theorem. Let $a_0, a_1, \dots, a_n \in \mathbb{R}$ with $a_0, a_1, \dots, a_n > 0$. Let the sequences $p_0, p_1, \dots, p_n$ and $q_0, q_1, \dots, q_n$ be defined by

$$\begin{aligned}
p_0 &= a_0, & q_0 &= 1 \\
p_1 &= a_0 a_1 + 1, & q_1 &= a_1 \\
p_k &= a_k p_{k-1} + p_{k-2}, & q_k &= a_k q_{k-1} + q_{k-2}
\end{aligned}$$

for $k = 1, 2, \dots, n$. Then the $k$-th convergent is

$$C_k = [a_0, a_1, \dots, a_k] = \frac{p_k}{q_k}.$$

Continued Fractions

Theorem (Dirichlet, 1842). Assume that $\gcd(a, b) = 1$. If $r, s$ are any natural numbers such that $\gcd(r, s) = 1$ and

$$\left| \frac{a}{b} - \frac{r}{s} \right| < \frac{1}{2s^2},$$

then $r/s$ is one of the convergents of $a/b$.

Theorem (M. Wiener, 1990). Let $n$ be an RSA modulus, say $n = pq$ where $p$ and $q$ are primes, and let $e$ be the public encryption exponent and $d$ the private decryption exponent. Let $d < \frac{1}{3} n^{1/4}$, $q < p < 2q$ and $ed = 1 + k\varphi(n)$. Then

$$\left| \frac{k}{d} - \frac{e}{n} \right| < \frac{1}{2d^2}$$

and $d$ can be calculated quickly.

Proof of Wiener's theorem

Since $q^2 < pq = n$, we have $q < \sqrt{n}$. Therefore, since $p < 2q$,

$$n - \varphi(n) = pq - (p-1)(q-1) = p + q - 1 < 3q < 3\sqrt{n}.$$

Write $ed = 1 + \varphi(n)k$ for some integer $k \ge 1$. Since $e < \varphi(n)$ we have

$$\varphi(n)k < ed < \tfrac{1}{3}\varphi(n)\, n^{1/4},$$

so $k < \frac{1}{3} n^{1/4}$. Therefore,

$$kn - ed = k(n - \varphi(n)) - 1 < k(n - \varphi(n)) < \tfrac{1}{3} n^{1/4} \cdot (3\sqrt{n}) = n^{3/4}.$$

Proof of Wiener's theorem (cont.)

Also, since $k(n - \varphi(n)) - 1 > 0$, we have $kn - ed > 0$. Dividing both sides of the equation by $dn$ and taking the absolute value we get

$$0 < \left| \frac{k}{d} - \frac{e}{n} \right| < \frac{1}{d\, n^{1/4}} < \frac{1}{3d^2},$$

since $3d < n^{1/4}$ by assumption. Then by Dirichlet's theorem $k/d$ is one of the convergents of $e/n$.
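How "$d$ can be calculated quickly" plays out, as an added example that is not from the original slides: a check that tells whether a public key $(e, n)$ has a private exponent small enough to fall to the continued-fraction method. The function names and the toy key are constructed; the test for accepting a convergent (the candidate $\varphi(n) = (ed-1)/k$ must make $x^2 - (n - \varphi(n) + 1)x + n$ have integer roots $p, q$) is a standard step that the slides do not spell out.

```python
from math import isqrt

def continued_fraction(a, b):
    """Partial quotients of a/b, read off the Euclidean algorithm."""
    quotients = []
    while b:
        q, r = divmod(a, b)
        quotients.append(q)
        a, b = b, r
    return quotients

def convergents(quotients):
    """Yield (p_k, q_k) using p_k = a_k p_{k-1} + p_{k-2}, q_k = a_k q_{k-1} + q_{k-2}."""
    p_prev, p = 1, quotients[0]
    q_prev, q = 0, 1
    yield p, q
    for a in quotients[1:]:
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        yield p, q

def wiener_small_d(e, n):
    """Return d if a convergent k/d of e/n exposes it, else None."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue                   # phi = (ed - 1)/k must be an integer
        phi = (e * d - 1) // k
        s = n - phi + 1                # equals p + q when phi is correct
        disc = s * s - 4 * n           # equals (p - q)^2 when phi is correct
        if s > 0 and disc >= 0:
            root = isqrt(disc)
            if root * root == disc and (s + root) % 2 == 0:
                return d               # integer roots p, q confirm the guess
    return None

# Constructed toy key: n = 239 * 379, e = 17993, d = 5 < n**0.25 / 3 (about 5.78).
TOY_N, TOY_E = 90581, 17993

if __name__ == "__main__":
    print("small-d key :", wiener_small_d(TOY_E, TOY_N))   # d is exposed
    print("e = 65537   :", wiener_small_d(65537, TOY_N))   # no convergent fits
```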