Some Comments on the Security of RSA. Debdeep Mukhopadhyay

Similar documents
The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Semantic Security of RSA. Semantic Security

Solution to Problem Set 3

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

5199/IOC5063 Theory of Cryptology, 2014 Fall

Chapter 11 : Private-Key Encryption

Pseudo-random Number Generation. Qiuliang Tang

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

CSE 521: Design and Analysis of Algorithms I

COMP4109 : Applied Cryptography

Lecture Notes, Week 6

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Implementation Tutorial on RSA

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Cryptography and Security Midterm Exam

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Introduction to Cybersecurity Cryptography (Part 5)

A New Attack on RSA with Two or Three Decryption Exponents

Mathematics of Cryptography

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Introduction to Cybersecurity Cryptography (Part 4)

The security of RSA (part 1) The security of RSA (part 1)

Introduction to Cybersecurity Cryptography (Part 4)

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Cryptography IV: Asymmetric Ciphers

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Mathematical Foundations of Public-Key Cryptography

Basic Algorithms in Number Theory

Written examination. Tuesday, August 18, 2015, 08:30 a.m.

CIS 551 / TCOM 401 Computer and Network Security

basics of security/cryptography

1 Rabin Squaring Function and the Factoring Assumption

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Cryptography and Security Final Exam

Partial Key Exposure: Generalized Framework to Attack RSA

Public-Key Cryptosystems CHAPTER 4

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

CPSC 467: Cryptography and Computer Security

Introduction to Cryptology. Lecture 20

Applied Cryptography and Computer Security CSE 664 Spring 2018

Numbers. Çetin Kaya Koç Winter / 18

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

CPSC 467b: Cryptography and Computer Security

Basic elements of number theory

Basic elements of number theory

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

CPSC 467: Cryptography and Computer Security

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Cryptography. pieces from work by Gordon Royle

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Topics in Cryptography. Lecture 5: Basic Number Theory

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

Cryptography & Data Security - Comp 547. Assignment 5. Maxime CHAMBREUIL McGill ID:

Introduction to Modern Cryptography. Benny Chor

Cryptography: Joining the RSA Cryptosystem

CPSC 467: Cryptography and Computer Security

} has dimension = k rank A > 0 over F. For any vector b!

1 Number Theory Basics

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

DM49-2. Obligatoriske Opgave

Lecture 11 - Basic Number Theory.

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

RSA. Ramki Thurimella

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Advanced Cryptography Quantum Algorithms Christophe Petit

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Implementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction

CPSC 467b: Cryptography and Computer Security

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

Applications of Lattice Reduction in Cryptography

RSA Cryptosystem and Factorization

Discrete Mathematics GCD, LCM, RSA Algorithm

CSc 466/566. Computer Security. 5 : Cryptography Basics

13.1 Modular Arithmetic & Number Theory

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

RSA RSA public key cryptosystem

You submitted this homework on Wed 31 Jul :50 PM PDT (UTC -0700). You got a score of out of You can attempt again in 10 minutes.

Exercise Sheet Cryptography 1, 2011

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Transcription:

Some Comments on the Security of RSA Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Computing Φ(n) is no easier than factoring n. Computing the Decryption exponent is no easier than factoring n. Bit Security of RSA. Low Power Ajit Pal IIT Kharagpur 1

Computing Φ(n) For if n and Φ(n) are known, and n is the product of two primes p, q: then n can be factored by solving: n=pq Φ(n)=(p-1)(q-1) Combining we obtain: p 2 -(n- Φ(n) +1)p+n=0 The roots are p and q. Decryption Exponent If the decryption exponent is known, then n can be factored: we will see a randomized algorithm there is a deterministic algorithm published in Crypto 2004 by Alexander May if: a and b are of the same bit size ab < n 2 Run Time: O(log 2 n) Low Power Ajit Pal IIT Kharagpur 2

Importance of this result This result is important from practical point of view: if b (the RSA secret key) is leaked, then changing it does not suffice one needs to change the modulus n. We shall study a Las Vegas Algorithm which can factor n with a probability of at least ½ Non-trivial Square Roots How many roots does x 2 1 (mod n) has, where n=pq? There are 4 roots: Trivial Roots: x = ±1 (mod n) Other two are Non-trivial roots Low Power Ajit Pal IIT Kharagpur 3

Example n=403=13 x 31 y 2 =1 (mod 403) is equivalent to the system of equations: y 2 =1 (mod 13): there are two roots x=+1, -1 mod 13 y 2 =-1 (mod 31) : there are two roots x=+1, -1 mod 13 Example The root x=92 is a solution to: x=+1 mod 13 x=-1 mod 31 The root x=311 is a solution to: x=-1 mod 13 x=+1 mod 31 Low Power Ajit Pal IIT Kharagpur 4

Example If x is a non-trivial square root of 1 modulo n, thus x 2 =1 2 mod n, but x 1 mod n Then we compute the gcd of (x+1,n) and gcd(x-1,n) to get the factors of n. Here, gcd(93,403)=31 and gcd(91,403)=13. The Algorithm Low Power Ajit Pal IIT Kharagpur 5

Analysis: Termination We do the analysis for w not being a multiple of p or q. w is relatively prime to n: we compute successive squares: w r, w 2r, w 4r,, w (2^s)r Now, since ab-1=(2^s)r=0 (mod Φ(n)), w (2^s)r =1 mod n. Hence the while loop terminates after at most s iterations. Analysis: Correctness At the end of the while loop we have found out a v 0 st.: (v 0 ) 2 =1 mod n, v 0 1 mod n If v 0 =-1 mod n, the algorithm fails. Otherwise v 0 is indeed a non-trivial square root of 1. Hence, gcd(v 0 +1,n) is a factor of n. Low Power Ajit Pal IIT Kharagpur 6

Partial Information of Plaintexts Sometimes the attacker has modest goals: to achieve partial information of the plaintext: partial break We shall consider two types of partial information of the plaintext bits: Jacobi of the plaintext Parity of the lowest bit of the plaintext Whether the plaintext is less than or more than n/2, where n is the RSA modulus. Jacobi of the Plaintext y=x b mod n, where x is the plaintext. Note that b is co-prime to Φ(n)=(p-1)(q-1), which is even: thus b is odd. From definition: y x = n n b x x x Note, =± 1, thus =, n n n as b is odd. b Thus RSA leaks some information of the plaintext Low Power Ajit Pal IIT Kharagpur 7

Parity(y) and Half(y) Parity(y) denotes the low order bit of x, that is parity(y)=0, if x is even and parity(y)=1 if x is odd. Half(y)=0, if 0 x<n/2 and half(y)=1 if n/2<x n-1. Reductions Existence of a polynomial time algorithm that computes half(y)=>existence of a polynomial time algorithm for RSA decryption. RSA Hard => Computing half(y) is hard. Low Power Ajit Pal IIT Kharagpur 8

The Proof Idea Let there be an oracle HALF, which computes half(y). if half(y)=0, then x ε [0, n/2) Now, y=x b mod n. Compute, y=2 b y mod n =(2x) b mod n if half(y)=0, then 2x ε [0, n/2) =>x ε [0, n/4) U [n/2, 3n/4) Continuing in this fashion we obtain distinct boundaries of x. Then the actual x value, can be found out using binary search technique. Algorithm Algorithm: Oracle RSA Decryption(n,b,y) external HALF k floor(log 2 n) for i=0 to k, { h i = HALF( n, b, y) b y=y 2 (mod n) } Binary Search Routine for i=0 to k { mid=(hi+lo)/2 if(hi == 1) lo=mid else hi=mid } return floor(hi) Low Power Ajit Pal IIT Kharagpur 9

Parity? Computing parity(y) is polynomially equivalent to computing half(y): half(y)=parity((y x e K (2)) mod n) parity(y)=half((y x e k (2-1 )) mod n) Proof Sketch Parity((y x e k (2)) mod n) = Parity(e k (2x) mod n) = 0, if 2x is even 1, if 2x is odd Now, n=2t+1, where t is an integer and 0 x<n/2 => 0 x t => 0 2x 2t=n-1 All these number are even If, n/2 x n-1 => t+1 x 2t => 2t+2 2x 4t or, n+1 2x 2n-2 Taking, modulo n we have: 1 2x n-2 All these numbers are odd. This proves first eqn. Low Power Ajit Pal IIT Kharagpur 10

Points to Ponder Prove that the algorithm to factor n, from the decryption exponent succeeds with at-least ½ probability. Prove the second relation to show that parity(y) and half(y) are polynomially equivalent. References D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC Low Power Ajit Pal IIT Kharagpur 11

Next Days Topic Discrete Logarithm Problem (DLP) Low Power Ajit Pal IIT Kharagpur 12

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback