Introduction to Modern Cryptography. Benny Chor

Similar documents
Public-Key Encryption: ElGamal, RSA, Rabin

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Introduction to Modern Cryptography. Benny Chor

RSA. Ramki Thurimella

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Lecture 1: Introduction to Public key cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Lecture Notes, Week 6

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Public Key Cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

RSA RSA public key cryptosystem

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Mathematics of Cryptography

Introduction to Cryptography. Lecture 8

CRYPTOGRAPHY AND NUMBER THEORY

Chapter 8 Public-key Cryptography and Digital Signatures

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

CIS 551 / TCOM 401 Computer and Network Security

Lecture V : Public Key Cryptography

CPSC 467: Cryptography and Computer Security

Cryptography IV: Asymmetric Ciphers

10 Modular Arithmetic and Cryptography

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Asymmetric Encryption

CPSC 467b: Cryptography and Computer Security

Cryptography. P. Danziger. Transmit...Bob...

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

One can use elliptic curves to factor integers, although probably not RSA moduli.

CPSC 467b: Cryptography and Computer Security

Public-Key Cryptosystems CHAPTER 4

8.1 Principles of Public-Key Cryptosystems

Discrete Mathematics GCD, LCM, RSA Algorithm

Applied Cryptography and Computer Security CSE 664 Spring 2018

The RSA cryptosystem and primality tests

The security of RSA (part 1) The security of RSA (part 1)

Number theory (Chapter 4)

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Public Key Algorithms

10 Public Key Cryptography : RSA

Math/Mthe 418/818. Review Questions

Public Key Cryptography

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Introduction to Public-Key Cryptosystems:

MATH 158 FINAL EXAM 20 DECEMBER 2016

CPSC 467b: Cryptography and Computer Security

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Question: Total Points: Score:

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

8 Elliptic Curve Cryptography

Number Theory & Modern Cryptography

Algorithmic Number Theory and Public-key Cryptography

basics of security/cryptography

Practice Assignment 2 Discussion 24/02/ /02/2018

CPSC 467: Cryptography and Computer Security

Elliptic Curve Cryptography

Cryptography. pieces from work by Gordon Royle

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Topics in Cryptography. Lecture 5: Basic Number Theory

ECE596C: Handout #11

Public-key Cryptography and elliptic curves

CPSC 467b: Cryptography and Computer Security

Cryptography: Joining the RSA Cryptosystem

Encryption: The RSA Public Key Cipher

My brief introduction to cryptography

CPSC 467b: Cryptography and Computer Security

Theory of Computation Chapter 12: Cryptography

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Cryptography and Security Final Exam

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

ASYMMETRIC ENCRYPTION

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

10 Concrete candidates for public key crypto

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Attacks on RSA & Using Asymmetric Crypto

Lecture 22: RSA Encryption. RSA Encryption

An Introduction to Probabilistic Encryption

1 Number Theory Basics

Discrete Logarithm Problem

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

CPSC 467: Cryptography and Computer Security

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

MATH3302 Cryptography Problem Set 2

Transcription:

Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008

Reminder: The Prime Number Theorem Let π(x) denote the number of primes, p, up to x. For example, π(30) = 4 + 4 + 2 = 10. The prime number theorem: π(x) x ln x. Furthermore, for x 55, x ln x + 2 π(x) x ln x 4. This means that there are a lot of primes. In particular, if we pick n bit long integers at random, then about one in n will be prime.

Reminder: Primality Testing P In terms of complexity classes, the Miller-Rabin algorithm, as well as the Solovay-Strassen algorithm, imply Composites RP Where RP=Random Poly Time, one sided error. Easy fact: RP is contained in NP. The 2003 result of Agrawal, Kayal and Saxena is Composites P For all practical purposes, the Miller-Rabin algorithm (and various optimizations thereof) supply a satisfactory and fast solution for identifying primes.

Integer Multiplication & Factoring as a One Way Function. Multiplying two n bit numbers takes time O(n 2 ). Finding a random n bit long prime, and verifying its primality, is easy. Factoring an n bit number takes time 2 c n1/3 (using the currently best algorithm). Easy: p, q m = p q Hard: m = p q p, q (integer multiplication). (integer factorization). Question: Can public key cryptosystem be based on this observation?

The RSA Public Key Cryptosystem (MIT, 1978) Rivest (still at MIT), Shamir (now at Weizmann Inst.), and Adelman (now at USC), some 30 years ago. Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms

Excerpts from RSA paper (CACM, 1978) The era of electronic mail may soon be uopn us; we must ensure that two important properties of the current paper mail system are preserved: (a) messages are private, and (b) messages can be signed. We demonstrate in this paper how to build these capabilities into an electronic mail system. At the heart of our proposal is a new encryption method. This method provides an implementation of a public-key cryptosystem, an elegant concept invented by Diffie and Hellman. Their article motivated our research, since they presented the concept but not any practical implementation of such system.

The Multiplicative Group Z pq Let p, q be two large primes. Denote their product m = p q. The multiplicative group Z m = Z pq contains all integers in the range [1... pq 1] that are relatively prime to both p and q. The size of the group is φ(pq) = (p 1) (q 1) = m (p + q) + 1. So for every Z pq, x (p 1) (q 1) = 1 (mod pq). Remark: Recall that Z pq has no multiplicative generators.

Square Roots in Z pq Start with square roots of 1. in Z p, 1 has two square roots: 1 and p 1. in Z q, 1 has two square roots: 1 and q 1. What about the square roots of 1 in Z pq? y 2 = 1 (mod pq) iff y 2 = 1 (mod p) and y 2 = 1 (mod q). So y = ±1 (mod p) and y = ±1 (mod q). This gives rise to four systems of modular equations 1. y = 1 (mod p) and y = 1 (mod q). 2. y = 1 (mod p) and y = 1 (mod q). 3. y = 1 (mod p) and y = 1 (mod q). 4. y = 1 (mod p) and y = 1 (mod q). The solution to (1) is y = 1. The solution to (2) is y = pq 1 = 1 (mod p). The solutions to (3) and (4) are obtained using the Chinese remainder theorem.

Square Roots in Z pq In general, the square roots of y 2 are any of the four square roots of 1 (mod pq), multiplied by y. This implies that every square in Z pq has exactly four square roots. The number of quadratic residues in Z pq is (p 1)(q 1)/4. The mapping x x 2 mod pq is a four to one mapping.

Exponentiation in Z pq Motivation: We want to use exponentiation for encryption. Let e be an integer, 1 < e < (p 1) (q 1). Question: When is exponentiation to the e-th power, x x e, a one-to-one operation in Z pq?

Exponentiation in Z pq Claim: If e is relatively prime to φ(m) = (p 1) (q 1), then x x e, a one-to-one operation in Z pq. Constructive Proof: Since gcd(e, (p 1) (q 1)) = 1, e has a multiplicative inverse mod (p 1) (q 1). Denote this inverse by d, then ed = 1 + C(p 1)(q 1), where C is an integer. Denote y = x e, then y d = (x e ) d = x ed = x 1+C(p 1)(q 1) = x. This means that y y d is the inverse operation of x x e.

The RSA Public Key Cryptosystem Bob s private information: two large primes p, q. Public information: Their product, m = p q. An integer e that is relatively prime to φ(m) = (p 1) (q 1). More private information: An integer d that is relatively prime to φ(m) = (p 1) (q 1) and satisfies d e = 1 mod φ(m). Messages P are elements in Z m, namely numbers in [1,..., m 1]. To encrypt P, compute C = P e (mod m), and send C to Bob. To decrypt C, Bob computes C d = P d e = P (mod m). The above mentioned method should not be confused with the exponentiation technique presented by Diffie and Hellman to solve the key distribution problem

Constructing an Instance of RSA Public Key Cryptosystem Bob picks at random two large primes p, q. Bob picks an integer e that is relatively prime to φ(m) = (p 1) (q 1). This does not have to be random or large. Bob computes d such that ed = 1 (mod (p 1)(q 1)). Let m = p q be the product of both primes. Bob publishes the public key m, e. Bob keeps the private key d, as well as the primes p, q and the number φ(m) in a safe place.

A Small Example Let p = 47, q = 59, N = pq = 2773.?Then φ(n) = 46 58 = 2668. Pick e = 17, then 157 17 2668 = 1, so d = 157 is the inverse of e = 17 mod 2668. e = 17 is 10001 in binary. For N = 2773 we can encode two letters per block, using a two digit number per letter: blank=00, A=01, B=02,...,Z=26. The message: ITS ALL GREEK TO ME is encoded as 0920 1900 0112 1200 0718 0505 1100 2015 0013 0500

A Small Example m = 2773, e = 17 (10001 in binary). The message: ITS ALL GREEK TO ME is encoded as 0920 1900 0112 1200 0718 0505 1100 2015 0013 0500 Message is encrypted block by block. First block is P 1 = 0920. It encrypts to P e 1 = P 17 1 = (((P 2 1 )2 ) 2 ) 2 P 1 = 948 (mod 2)773. The whole message (ten blocks) ids encrypted as 0948 2342 1084 1444 2663 2390 0778 0774 0219 1655 Indeed C d 1 = 0948157 = 920 (mod 2773), etc.

How Strong is RSA If Eve could factor pq then she obtains all private information of Bob. Hence breaking RSA cannot be harder than factoring. How hard is it to compute the secret key, d, from the public information m, e? If Eve can find d, then she can compute ed 1. This is a multiple of φ(m) = (p 1)(q 1). Miller has shown that such multiple enables factoring m. Does this imply that breaking RSA is equivalent to factoring?

Some RSA Properties Deterministic Encryption: Plaintext block P is always encrypted as P e (mod m). So, just like ECB mode encryption of symmetric ciphers, we can detect repetitions. RSA is multiplicative (aka homomorphic): Let P1, P 2 be two plaintext blocks. Then E(P1 P 2 ) = E(P 1 ) E(P 2 ). This immediately implies that RSA does not behave like a pseudo random function (these are not multiplicative). Multiplicativity implies volnurability to chosen ciphertext attacks. Given a ciphertext C = P e (mod m), choose at random R and compute C = CR e (mod m), which is an encryption of P R, a random looking text. A decryption of C = CR e (mod m) will reveal P (after one division mod m).

Using CRT to Speed Up RSA Decryption CRT preprocessing (done once): Given p, q, compute a, b such that ap + bq = 1. Define A = ap, B = bq (coefficients of Chinese remainder theorem for p and q). Decryption, on input C: Originally, Bob computed C d = P d e = P (mod m). Now, Bob computes y 1 = C d (mod p 1) (mod p). And also y 2 = C d (mod q 1) (mod q). Finally, Bob computes P = Ay1 + By 2 (mod m).

Using a Small Exponent to Speed Up RSA Encryption The public exponent, e, can be small This will substantially improve efficiency of encryption. It does not mean that the private exponent, d, is small too. Neither does it seem to make it easier to derive d. Small public exponents are used in practice. Most popular values are either 3 or 2 16 + 1. The public exponent, e and φ(m) = (p 1)(q 1) should still be relatively prime. For e = 3 this means 3 should divide neither p 1 nor q 1.

Using a Small Exponent to Speed Up RSA Encryption (2) Small exponents are fine for sending a single message to a single user, Bob. But they are vulnerable if the same message is to be sent to multiple users. For example, suppose Bob, Bobi, and Bubchek are all using e = 3 (with public moduli m 1, m 2, m 3, respectively). Alice wishes to send the plaintext message P to each of them. She encrypts the plaintext message P and sends P 3 (mod m 1 ), P 3 (mod m 2 ), P 3 (mod m 3 ). Notice that P < m1, m 2, m 3, and thus P 3 < m 1 m 2 m 3. Denote x = P 3 (as an integer, not modulo anything). Eve heard x (mod m 1 ), x (mod m 2 ), x (mod m 3 ). She also knows that x < m 1 m 2 m 3.

Using a Small Exponent to Speed Up RSA Encryption (3) Eve heard x (mod m1 ), x (mod m 2 ), x (mod m 3 ). She also knows that x < m 1 m 2 m 3. m 1, m 2, m 3 are pairwise relatively prime. Eve (who overheard our Friday class on CRT and followed every iota) knows that this enables her to efficiently compute y = x (mod m 1 m 2 m 3 ). But since x < m1 m 2 m 3, this implies that y = x (over the integers!). Therefore Eve now holds P 3 = x without any modular subtractions. Computing cubic roots over the integers is easy. So Eve finds P and successfully retrieves the plaintext. Is this a weakness of small exponent RSA? No! It is a weakness in the manner small exponent RSA was used. In general, if we have cryptographic building blocks that are secure on their own, this does not mean we can compose or interleave them any way we want, and still maintain security.

Random Self Reducibility of RSA Let m = pq, e be a given RSA modulus, of length n bits, plus a RSA exponent. Suppose A is an deterministic n c time algorithm which, on input E(x) = x e (mod m), outputs x for εm of the inputs in Z m. Then A can be converted into a randomized ε 1 n c expected time algorithm, R which, on input E(x) = x e (mod m), outputs x for all the inputs in Z m. Whenever R terminates, it gives the correct output x. Proof: on board (easy). Consequence: For a given m = pq and e, inverting RSA is either hard everywhere or easy everywhere.

Real World Usage of RSA (1) Key exchange. (2) Digital signatures.

RSA as a One Way Trapdoor Function Easy: x x e = y (mod pq) Hard: y y d = x (mod pq) (e is known). (d is unknown). Easy with trapdoor information: y y d = x (mod pq) (d is known).

Trapdoor One Way Functions Definition: f : D R is a trapdoor one way function if there is a trapdoor s such that: Without knowledge of s, the function f is a one way function. Given s, inverting the function f is easy. Example: the function f g,p (x) = g x (mod p) is not a trapdoor one way function. Example: RSA is a trapdoor one way function.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback