Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Similar documents
Algorithmic Number Theory and Public-key Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Partial Key Exposure: Generalized Framework to Attack RSA

RSA. Ramki Thurimella

The security of RSA (part 1) The security of RSA (part 1)

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Lecture V : Public Key Cryptography

Public Key Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Mathematics of Cryptography

A New Attack on RSA with Two or Three Decryption Exponents

Introduction to Public-Key Cryptosystems:

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Introduction to Cybersecurity Cryptography (Part 5)

Lecture 1: Introduction to Public key cryptography

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

10 Public Key Cryptography : RSA

Fault Attacks Against emv Signatures

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Public-Key Cryptosystems CHAPTER 4

Lattice-Based Fault Attacks on RSA Signatures

Public Key Algorithms

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

CIS 551 / TCOM 401 Computer and Network Security

Mathematical Foundations of Public-Key Cryptography

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

New attacks on RSA with Moduli N = p r q

On the Security of Multi-prime RSA

dit-upm RSA Cybersecurity Cryptography

5199/IOC5063 Theory of Cryptology, 2014 Fall

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Asymmetric Encryption

NUMBER THEORY AND CODES. Álvaro Pelayo WUSTL

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

A new attack on RSA with a composed decryption exponent

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

1 Number Theory Basics

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Week : Public Key Cryptosystem and Digital Signatures

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

Carmen s Core Concepts (Math 135)

The RSA cryptosystem and primality tests

Lecture 22: RSA Encryption. RSA Encryption

10 Modular Arithmetic and Cryptography

Public-Key Encryption: ElGamal, RSA, Rabin

New Variant of ElGamal Signature Scheme

RSA RSA public key cryptosystem

CRYPTOGRAPHY AND NUMBER THEORY

ASYMMETRIC ENCRYPTION

Number Theory & Modern Cryptography

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Digital Signatures. p1.

Introduction to Modern Cryptography. Benny Chor

CPSC 467: Cryptography and Computer Security

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Public Key Algorithms

Attacks on RSA & Using Asymmetric Crypto

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Public Key Cryptography

PSS Is Secure against Random Fault Attacks

Discrete Mathematics GCD, LCM, RSA Algorithm

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Theory of Computation Chapter 12: Cryptography

Discrete mathematics I - Number theory

Ti Secured communications

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

Cryptography. pieces from work by Gordon Royle

MATH3302 Cryptography Problem Set 2

Cryptanalysis of RSA Signatures with Fixed-Pattern Padding

Cryptanalysis of Unbalanced RSA with Small CRT-Exponent

Iterated Encryption and Wiener s attack on RSA

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

CPSC 467b: Cryptography and Computer Security

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Elementary Number Theory Review. Franz Luef

Simple Math: Cryptography

Cryptographical Security in the Quantum Random Oracle Model

Solution to Midterm Examination

New RSA Vulnerabilities Using Lattice Reduction Methods

ECE596C: Handout #11

Cryptography. P. Danziger. Transmit...Bob...

THE RSA CRYPTOSYSTEM

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

ECE 646 Lecture 9. RSA: Genesis, operation & security

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

Twenty Years of Attacks on the RSA Cryptosystem

Question: Total Points: Score:

Chapter 11 : Private-Key Encryption

Transcription:

Course 1: Remainder: RSA Université du Luxembourg September 21, 2010

Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and enables to decrypt. Alice wants to send a message to Bob: She encrypts it using Bob s public-key. Only Bob can decrypt it using his own private-key. Alice and Bob do not need to meet to establish a secure communication. Security: It must be difficult to recover the private-key from the public-key but not enough in practice.

The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented in 1977 by Rivest, Shamir and Adleman. Used for encryption and signature. Widely used in electronic commerce protocols (SSL).

RSA Key generation: Generate two large distinct primes p and q of same bit-size. Compute n = p q and φ = (p 1)(q 1). Select a random integer e, 1 < e < φ such that gcd(e, φ) = 1 Compute the unique integer d such that e d 1 mod φ using the extended Euclidean algorithm. The public key is (n, e). The private key is d.

RSA encryption Encryption Given a message m [0, n 1] and the recipent s public-key (n, e), compute the ciphertext: c = m e mod n Decryption Given a ciphertext c, to recover m, compute: m = c d mod n

Euler function Definition: φ(n) for n > 0 is defined as the number of integers a comprised between 0 and n 1 such that gcd(a, n) = 1. φ(1) = 1, φ(2) = 1, φ(3) = 2, φ(4) = 2. Equivalently: Let Z n be the set of integers a comprised between 0 and n 1 such that gcd(a, n) = 1. Then φ(n) = Z n.

Properties If p 2 is prime, then φ(p) = p 1 More generally, for any e 1, φ(p e ) = p e 1 (p 1) For n, m > 0 such that gcd(n, m) = 1, we have: φ(n m) = φ(n) φ(m)

Euler s theorem Theorem For any integer n > 1 and any integer a such that gcd(a, n) = 1, we have a φ(n) 1 mod n. Proof Consider the map f : Z n Z n, such that f(b) = a b for any b Z. f is a permutation, therefore : b = (a b) = a φ(n) b b Z n b Z n b Z n Therefore, we obtain a φ(n) 1 mod n.

Fermat s little theorem Theorem For any prime p and any integer a 0 mod p, we have a p 1 1 mod p. Moreover, for any integer a, we have a p a mod p. Proof Follows from Euler s theorem and φ(p) = p 1.

Proof that decryption works Since e d 1 mod φ, there is an integer k such that e d = 1 + k φ. If m 0 mod p, then by Fermat s little theorem m p 1 1 mod p, which gives : m 1+k (p 1) (q 1) m mod p This equality is also true if m 0 mod p. This gives m ed m mod p for all m. Similarly, m ed m mod q for all m. By the Chinese Remainder Theorem, if p q, then m ed m mod n

The RSA signature scheme Key generation : Public modulus: N = p q where p and q are large primes. Public exponent : e Private exponent: d, such that d e = 1 mod φ(n) To sign a message m, the signer computes : s = m d mod N Only the signer can sign the message. To verify the signature, one checks that: m = s e mod N Anybody can verify the signature

Hash-and-sign paradigm There are many attacks on basic RSA signatures: Existential forgery: r e = m mod N Chosen-message attack: (m 1 m 2 ) d = m1 d md 2 mod N To prevent from these attacks, one usually uses a hash function. The message is first hashed, then padded. m H(m) 1001...0101 H(m) Example: PKCS#1 v1.5: µ(m) = 0001 FF...FF00 c SHA SHA(m) ISO 9796-2: µ(m) = 6A m[1] H(m) BC The signature is then σ = µ(m) d mod N

Attacks against RSA Factoring Equivalence between factoring and breaking RSA? Mathematical attacks Attacks against plain RSA encryption and signature Heuristic countermeasures Low private / public exponent attacks Provably secure constructions Implementation attacks Timing attacks, power attacks and fault attacks Countermeasures

Factoring attack Factoring large integers Best factoring algorithm: Number Field Sieve Sub-exponential complexity ( ) exp (c + (1)) n 1/3 log 2/3 n for n-bit integer. Current factoring record: 768-bit RSA modulus. Use at least 1024-bit RSA moduli 2048-bit for long-term security.

Factoring vs breaking RSA Breaking RSA: Given (N, e) and y, find x such that y = x e mod N Open problem Is breaking RSA equivalent to factoring? Knowing d is equivalent to factoring Probabilistic algorithm (RSA, 1978) Deterministic algorithm (A. May 2004, J.S. Coron and A. May 2007)

Elementary attacks Plain RSA encryption: dictionary attack If only two possible messages m 0 and m 1, then only c 0 = (m 0 ) e mod N and c 1 = (m 1 ) e mod N. encryption must be probabilistic. PKCS#1 v1.5 µ(m) = 0002 r 00 m c = µ(m) e mod N Still insufficient (Bleichenbacher s attack, 1998)

Attacks against Plain RSA signature Existential forgery r e = m mod N, so r is signature of m Chosen message attack (m 1 m 2 ) d = m1 d md 2 mod N To prevent from these attacks, one first computes µ(m), and lets s = µ(m) d mod N ISO 9796-1: µ(m) = s(m z )s(m z 1 )m z m z 1... s(m 1 )s(m 0 )m 0 6 ISO 9796-2: PKCS#1 v1.5: µ(m) = 6A m[1] H(m) BC µ(m) = 0001 FF...FF00 c SHA SHA(m)

Attacks against RSA signatures Desmedt and Odlyzko attack (Crypto 85) Based on finding messages m such that µ(m) is smooth (product of small primes only) µ(m i ) = p α i,j j for many messages m i. j Solve a linear system and write µ(m k ) = µ(m i ) i Then µ(m k ) d = i µ(m i ) d mod N Application to ISO 9796-1 and ISO 9796-2 signatures Cryptanalysis of ISO 9796-1 (Coron, Naccache, Stern, 1999) Cryptanalysis of ISO 9796-2 (Coron, Naccache, Tibouchi, Weinmann, 2009) Extension of Desmedt and Odlyzko attack. For ISO 9796-2 the attack is feasible if the output size of the hash function is small enough.

Low private exponent attacks To reduce decryption time, one could use a small d Wiener s attack: recover d if d < N 0.25 Boneh and Durfee s attack (1999) Recover d if d < N 0.29 Based on lattice reduction and Coppersmith s technique Open problem: extend to d < N 0.5 Conclusion: devastating attack Use a full-size d

Low public exponent attack To reduce encryption time, one can use a small e For example e = 3 or e = 2 16 + 1 Coppersmith s theorem : Let N be an integer and f be a polynomial of degree δ. Given N and f, one can recover in polynomial time all x 0 such that f(x 0 ) = 0 mod N and x 0 < N 1/δ. Application: partially known message attack : If c = (B m) 3 mod N, one can recover m if m < N /3 Define f(x) = (B 2 k + x) 3 c mod N. Then f(m) = 0 mod N and apply Coppersmith s theorem to recover m.

Low public exponent attack Coppersmith s short pad attack Let c 1 = (m r 1 ) 3 mod N and c 2 = (m r 2 ) 3 mod N One can recover m if r 1, r 2 < N 1/9 Let g 1 (x, y) = x 3 c 1 and g 2 (x, y) = (x + y) 3 c 2. g 1 and g 2 have a common root (m r 1, r 2 r 1 ) modulo N. h(y) = Res x (g 1, g 2 ) has a root = r 2 r 1, with deg h = 9. To recover m r 1, take gcd of g 1 (x, ) and g 2 (x, ). Conclusion: Attack only works for particular encryption schemes. Low public exponent is secure when provably secure construction is used. One often takes e = 2 16 + 1.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback