RSA public key cryptosystem

As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them. Of course, the fact that a secret key is necessary to secure the system is itself a weakness, for how are the users supposed to share a secret key if it has to be sent from one to the other?!

In 1975, Americans Whitfield Diffie and Martin Hellman developed the idea of a public key cryptosystem (although we know now that James Ellis had this same idea at the British GCHQ in Cheltenham as early as 1970). Here's how it works: if Alice wants to send a message to Bob, she first looks up Bob's public encryption key (which Bob has published in a directory accessible to everyone) and uses it to encrypt the message. She then sends it to Bob, who uses his own secret decryption key to decrypt and read the message. The security of this system rests on the fact that knowledge of the encryption key gives no information about the decryption key, despite the fact that each is the inverse of the other.

Diffie was able to implement this by means of a one-way trapdoor function $f$. Such a function has the property that its values $y = f(x)$ are easy to compute, but given an output $y$ it is computationally infeasible to find the $x$ that generated it (hence the term "one-way"), unless some special information is known (the "trapdoor"). In the public key cryptosystem, a one-way trapdoor function is used as the public encryption key by Alice to encrypt the message $x$ into its ciphertext $y$. Since only Bob has the special information (the decryption key), only he can recover the plaintext.

The most successful implementation of a public key cryptosystem was devised by Ron Rivest, Adi Shamir & Leonard Adleman at MIT in 1977, a method now known as RSA. This implementation uses a one-way trapdoor function of the form $f(x) = x^e \bmod n$, where $n$ is carefully chosen to be the product of two large prime numbers: $n = pq$. (Notice that $f(x)$ is most efficiently calculated via binary exponentiation.)

More specifically, Bob first chooses the primes $p$ and $q$. He computes $n = pq$ and $\phi(n) = (p-1)(q-1)$. He then chooses a random exponent $e$ that is relatively prime to $\phi(n)$, so that he can find its inverse mod $\phi(n)$ by solving $de \equiv 1 \pmod{\phi(n)}$ for $d$. He then publishes the values of $n$ and $e$, and keeps secret $p$, $q$ and $d$. That is, he makes public the information that allows other users to compute his encryption function $f(x) = x^e \bmod n$.

When Alice wants to send a message to Bob (encoded as an integer $m$ satisfying $0 \le m < n$), she computes $c = m^e \bmod n$; the integer $c$ encodes the ciphertext, which she sends to Bob. Upon receiving $c$, Bob calculates $c^d \bmod n$. Since $de \equiv 1 \pmod{\phi(n)}$, we can write $de = 1 + k\phi(n)$ for some integer $k$, so he knows that

$$c^d \equiv (m^e)^d \equiv m^{1 + k\phi(n)} \equiv m\,(m^{\phi(n)})^k \equiv m \cdot 1^k \equiv m \pmod{n}$$

so he is able to recover Alice's message.

We used the fact that $m^{\phi(n)} \equiv 1 \pmod{n}$ (Euler's Theorem) in this last computation, but we know this only under the condition that $m$ is relatively prime to $n$. Must we first check that this condition is satisfied in order to decrypt? The answer is no: if $m$ and $n$ share a proper factor, then as $n = pq$, at least one of $p$ or $q$ is a common factor with $m$. If $p$ is, then

$$c^d \equiv (m^e)^d \equiv (0^e)^d \equiv 0 \equiv m \pmod{p},$$

whereas if $q$ is not, then Fermat's Little Theorem guarantees that

$$c^d \equiv (m^e)^d \equiv m^{1 + k\phi(n)} \equiv m^{1 + k(p-1)(q-1)} \equiv m\,(m^{q-1})^{k(p-1)} \equiv m \cdot 1^{k(p-1)} \equiv m \pmod{q}.$$

In any case, we will have both $c^d \equiv m \pmod{p}$ and $c^d \equiv m \pmod{q}$, so by the CRT, we can still conclude that $c^d \equiv m \pmod{n}$.

What makes $f(x) = x^e \bmod n$ a one-way trapdoor function? The computation of $f(x)$ is easy and straightforward. But in order to decrypt, one needs to know the value of $d$ mod $\phi(n)$. Since $e$ is published information, finding $\phi(n)$ will suffice for this purpose. But

$$\phi(n) = (p-1)(q-1) = pq - p - q + 1 = n - p - q + 1,$$

so $n - \phi(n) + 1 = p + q$ and $n = pq$. This pair of equations is enough information to determine $p$ and $q$, since it is a trivial matter to solve the quadratic equation

$$(X - p)(X - q) = X^2 - (p + q)X + pq = X^2 - (n - \phi(n) + 1)X + n.$$

So knowledge of $\phi(n)$ is equivalent to knowledge of the factors $p$, $q$ of $n$. That is, knowledge of $\phi(n)$ is equivalent to knowing how $n$ factors.

Here, then, is the main point: if $p$ and $q$ are chosen to be rather large (say 100-150 digits long), then $n$ is a very large number, and finding $p$ and $q$ is computationally very difficult. That is, $f(x)$ is effectively a one-way function, and Bob holds the trapdoor as he alone knows the values of $p$ and $q$.
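The key generation, the decryption of messages that share a factor with $n$, and the recovery of $p$ and $q$ from $\phi(n)$ described above can be checked together in a few lines. This is an added example, not part of the original slides; the primes 1009 and 2003, the exponent 17 and all function names are constructed for illustration.

```python
from math import gcd, isqrt

def make_key(p, q, e):
    """Bob's key generation: returns (n, e, d) with d*e = 1 (mod phi(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return n, e, pow(e, -1, phi)

def encrypt(m, e, n):
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)              # built-in binary exponentiation

def decrypt(c, d, n):
    return pow(c, d, n)

def factor_from_phi(n, phi):
    """Solve X^2 - (n - phi + 1)X + n = 0 for its integer roots p <= q."""
    s = n - phi + 1                  # s = p + q
    disc = s * s - 4 * n             # equals (q - p)^2 for a genuine phi(n)
    if disc < 0:
        raise ValueError("no real roots: phi is not phi(n)")
    r = isqrt(disc)
    p, q = (s - r) // 2, (s + r) // 2
    if r * r != disc or p * q != n:
        raise ValueError("no integer roots: phi is not phi(n)")
    return p, q

# Constructed toy parameters, far too small for real use.
P, Q, E = 1009, 2003, 17
N, _, D = make_key(P, Q, E)

def roundtrip_ok(m):
    """True when decrypting the encryption of m gives m back."""
    return decrypt(encrypt(m, E, N), D, N) == m

if __name__ == "__main__":
    # Messages that are multiples of p or q are not relatively prime to n.
    print(roundtrip_ok(5 * P), roundtrip_ok(3 * Q))
    print(factor_from_phi(N, (P - 1) * (Q - 1)))
```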

Attacks on RSA

The effectiveness and security of RSA rests on the difficulty of factoring large integers. It should come as no surprise, then, that attacks on RSA are basically steps taken to improve integer factorization algorithms. There are, however, a few well-understood weaknesses that can be exploited.

Low exponent attacks capitalize on the desire of users to encrypt (or decrypt) messages quickly. One way to speed encryption or decryption is not to select $e$ or $d$ randomly from the invertible numbers mod $\phi(n)$, but rather to select it to be small, for the exponentiations required to encrypt or decrypt messages will then run very fast. However, in 1995 Don Coppersmith showed that when $e$ is small and $f(x)$ is a degree $e$ polynomial with integer coefficients and leading coefficient 1, a very fast algorithm can be employed to find all solutions to the polynomial congruence $f(x) \equiv 0 \pmod{n}$. This will be true in particular for the congruence $x^e - c \equiv 0 \pmod{n}$ where $c$ is our ciphertext; this allows Eve to recover the plaintext rather easily. Thus, it's a bad idea for Bob to select an encryption exponent that is too small.

Furthermore, in 1990 Michael J. Wiener showed that if $d$ is chosen too small (specifically, less than $\frac{1}{3} n^{1/4}$), then an efficient algorithm exists to compute from $e$ and $n$ a set of no more than $\log_2 n$ integers which must include the integer $d$. This indicates that it is a bad idea for Bob to select $d$ too small either.

The short plaintext attack works when Alice sends a message $m$ which is very small relative to $n$. Anticipating that $m$ is small, Eve creates a list of all the encryptions $x^e \pmod{n}$ for $x = 1, 2, \ldots, B$ for some feasible upper bound $B$. If one of these values matches the intercepted ciphertext $c$, she then recovers the plaintext. Even if the plaintext message $m$ is not smaller than $B$, this may still work, for then Eve also computes another list of the values $c y^{-e} \pmod{n}$ for $y = 1, 2, \ldots, B$, and searches for a match between her two lists. Such a match corresponds to a pair of values $x$ and $y$ for which

$$c y^{-e} \equiv x^e \pmod{n} \implies c \equiv (xy)^e \pmod{n}$$

whence $m = xy$; this happens whenever $m$ has a pair of factors smaller than $B$, i.e., when $m < B^2$.

As a result, Alice should never send too small a message $m$. Instead, she should pad $m$ with additional (random) bits to form a larger plaintext before she encrypts. One recommended method for padding messages is the Optimal Asymmetric Encryption Padding (OAEP) system designed for use with RSA.

Alice specifies two integers $k_0, k_1$, where $k_0 + k_1$ equals the number of bits needed to pad $m$. So if $m$ has $k_m$ bits and $n$ has $k_n$ bits, we have $k_m + k_0 + k_1 = k_n$. She also uses two functions $G$ and $H$; $G$ takes input bitstrings of length $k_0$ and returns output bitstrings of length $k_m + k_1$, and $H$ does the reverse, taking input bitstrings of length $k_m + k_1$ and returning output bitstrings of length $k_0$.

Then, to encrypt $m$, Alice first appends $k_1$ zero bits to it; we denote the result $m0^{k_1}$. She then chooses a random bitstring $r$ of length $k_0$ and determines $x_1 = m0^{k_1} \oplus G(r)$, a string of length $k_m + k_1$, and $x_2 = r \oplus H(x_1)$, a string of length $k_0$. She then feeds the $k_n$-bit string $x_1 \| x_2$ (the concatenation of $x_1$ and $x_2$) into the RSA scheme to determine the ciphertext $c \equiv (x_1 \| x_2)^e \pmod{n}$.
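The padding construction above, together with the inverse computation Bob performs when he decrypts, as an added example that is not part of the original slides. Assumptions: $G$ and $H$ are built from SHAKE-256, $k_0 = k_1 = 64$, the toy key is constructed from two Mersenne primes, and the padded block is kept one bit shorter than $n$ so that $x_1 \| x_2$ is always below $n$; the check of the $k_1$ zero bits on decryption is also an addition.

```python
import hashlib
import secrets

# Constructed toy key from two Mersenne primes; illustration only.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

K0 = K1 = 64                          # assumed padding parameters k_0, k_1
KM = N.bit_length() - 1 - K0 - K1     # message bits; spare bit keeps x1||x2 < n

def _mask(tag, value, in_bits, out_bits):
    """Hash an in_bits-wide integer to an out_bits-wide integer (SHAKE-256)."""
    data = tag + value.to_bytes((in_bits + 7) // 8, "big")
    out = hashlib.shake_256(data).digest((out_bits + 7) // 8)
    return int.from_bytes(out, "big") >> (8 * len(out) - out_bits)

def G(r):
    return _mask(b"G", r, K0, KM + K1)

def H(x1):
    return _mask(b"H", x1, KM + K1, K0)

def oaep_encrypt(m, r=None):
    if not 0 <= m < 2**KM:
        raise ValueError("message does not fit in k_m bits")
    if r is None:
        r = secrets.randbits(K0)      # fresh random bitstring of length k_0
    x1 = (m << K1) ^ G(r)             # (m || 0^k1) XOR G(r)
    x2 = r ^ H(x1)                    # r XOR H(x1)
    return pow((x1 << K0) | x2, E, N)

def oaep_decrypt(c):
    x = pow(c, D, N)
    if x >> (KM + K1 + K0):           # block longer than x1||x2 can be
        raise ValueError("invalid ciphertext")
    x1, x2 = x >> K0, x & (2**K0 - 1)
    padded = x1 ^ G(H(x1) ^ x2)       # x1 XOR G(r) = m || 0^k1
    if padded & (2**K1 - 1):          # added check: the k_1 zero bits must survive
        raise ValueError("invalid ciphertext")
    return padded >> K1
```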

Bob will decrypt this as $c^d \equiv x_1 \| x_2 \pmod{n}$. He then computes $x_1 \oplus G(H(x_1) \oplus x_2) = x_1 \oplus G(r) = m0^{k_1}$, from which he recovers the original message $m$. Notice that the padding depends on the size of $m$ and on the random string $r$, so the method is resistant to chosen ciphertext attacks.

Paul Kocher devised an extremely clever attack in 1995 while he was a Stanford undergraduate (!) by carefully monitoring the computation times of Bob's computer as he decrypts enciphered messages and performing a statistical analysis of the resulting data. Here's how his timing attack works. First, Eve needs to know what algorithm is being used by Bob's computer to perform binary exponentiation. A typical way to find $c^d \bmod n$ assumes that $d = d_k d_{k-1} \cdots d_1 d_0$ is a binary representation; then the following loop is performed:

    initialize a = b = 1
    for i from k by -1 to 0 do
        if d_i = 0, then set a = b;
        else if d_i = 1, then set a = bc mod n
        set b ≡ a^2 (mod n)
    end do
    return a

The claim is that $a \equiv c^d \pmod{n}$ (work an example to check this). Notice that the multiplications $a = bc \bmod n$ are performed only when the bits of the exponent $d$ equal 1, whereas the squaring step $b \equiv a^2 \pmod{n}$ occurs at each bit position. The effectiveness of the timing attack is based on the fact that it then takes measurably more time to run through the loop when $d_i = 1$ than it does when $d_i = 0$.

Eve marks the time $t$ it takes for Bob's machine to compute the decryption $a \equiv c^d \pmod{n}$. In fact, we assume that Eve has measurements $\tau_1, \tau_2, \ldots, \tau_m$ of the time required for Bob to decrypt $m$ distinct ciphertexts $c_1, c_2, \ldots, c_m$; Eve will need to monitor a good deal of traffic, because $m$ needs to be a large number for the statistical approach to work. Let the mean decryption time for all $m$ messages be $T$.

Eve will now make guesses for the successive values of the bits of $d = d_k d_{k-1} \cdots d_1 d_0$. Note that she needs no guess to know that $d_k = 1$. Given that Eve has correctly found the bits $d_i$ for $i > j$, how does she find $d_j$?

For each $\mu = 1, 2, \ldots, m$, let $t_\mu$ be the time it takes to decrypt $c_\mu$ using the bits $d_i$ with $i > j$ (the bits Eve already knows) and $d_j = 1$. She then computes $t'_\mu = \tau_\mu - t_\mu$ as well. If $d_j = 1$, then $t'_\mu$ is the time it takes to complete the decryption of $c_\mu$ after the $j$th step through the loop. It is reasonable to assume that the two times $t_\mu$ and $t'_\mu$ are independent events (changes in one should not influence changes in the other). So we can use a fact from probability theory: the variance of $\tau_\mu = t_\mu + t'_\mu$ is the sum of the variances of the independent quantities $t_\mu$ and $t'_\mu$:

$$\mathrm{Var}(\tau_\mu) = \mathrm{Var}(t_\mu) + \mathrm{Var}(t'_\mu).$$

(The variance of the set of values of a quantity is the average squared deviation from their mean value.) Since variances are never negative, this means that $\mathrm{Var}(\tau_\mu) > \mathrm{Var}(t'_\mu)$.

On the other hand, if $d_j = 0$, then the extra multiplication never takes place, so $t_\mu$ is now completely unrelated to the actual decryption times $\tau_\mu$, so $t'_\mu = \tau_\mu + (-t_\mu)$ is the sum of independent quantities:

$$\mathrm{Var}(t'_\mu) = \mathrm{Var}(\tau_\mu) + \mathrm{Var}(-t_\mu),$$

whence $\mathrm{Var}(t'_\mu) > \mathrm{Var}(\tau_\mu)$. In particular, Eve can compare the measured variances between $\tau_\mu$ and $t'_\mu$ to determine the correct value of $d_j$. She repeats this process for each choice of $j$ to discover the encryption exponent!
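The exponentiation loop given earlier can be instrumented to show the data-dependent work that the timing measurements pick up, next to a variant that performs the same operations for every bit. This is an added example, not part of the original slides; the modulus, base and exponents are constructed, `multiply_always` is a hypothetical name, and the code counts operations rather than measuring time, since Python integer arithmetic is not itself constant-time.

```python
def page_loop(c, d, n):
    """The loop from the text; returns (c^d mod n, multiplications, squarings)."""
    a = b = 1
    mults = squares = 0
    for i in range(d.bit_length() - 1, -1, -1):
        if (d >> i) & 1:
            a = b * c % n            # extra multiplication only when d_i = 1
            mults += 1
        else:
            a = b
        b = a * a % n                # squaring at every bit position
        squares += 1
    return a, mults, squares

def multiply_always(c, d, n):
    """Same result, with one multiplication and one squaring per bit of d."""
    a = b = 1
    mults = squares = 0
    for i in range(d.bit_length() - 1, -1, -1):
        bit = (d >> i) & 1
        prod = b * c % n             # computed whether or not it is needed
        mults += 1
        a = bit * prod + (1 - bit) * b   # arithmetic select instead of a branch
        b = a * a % n
        squares += 1
    return a, mults, squares

# Constructed inputs: two 16-bit exponents with very different bit patterns.
N = 1009 * 2003
C = 123456
D_SPARSE = 0b1000000000000001        # two 1 bits
D_DENSE = 0b1111111111111111         # sixteen 1 bits

if __name__ == "__main__":
    for d in (D_SPARSE, D_DENSE):
        print(bin(d), page_loop(C, d, N)[1:], multiply_always(C, d, N)[1:])
```

In `page_loop` the multiplication count equals the number of 1 bits in $d$, which is the dependence the variance comparison above relies on; in `multiply_always` the count depends only on the bit length of $d$.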