06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 22 November, 2012 Handout 9 Summary of this handout: RSA — Generating Prime Numbers — Arithmetic Modulo a Composite IV.4 RSA RSA was the first public key cipher, invented by Ronald Rivest, Adi Shamir and Leonard Adleman in 1978 and it is probably the most widely used public key cipher today. Its security is based on the difficulty of factoring large integers, a problem that has been studied for more than 2000 years. RSA has properties similar to the Diffie-Hellman key exchange since it is also based on discrete expo- nentiation. However, instead of using a one-way function as Diffie-Hellman ( g x (mod p ) can be easily computed but not inverted), it uses a trap-door one way function: Given the public information e and n , it is easy to compute M e (mod n ) for a message M . This is still infeasible to invert, but given as additional information the factorisation of n , it is easy to invert the function. Thus the factorisation of n is the trapdoor, often called RSA trapdoor function. 65. Key Generation As usual the RSA cipher consists of three algorithms ( G, E, D ) for key generation, encryption and decryption. The key generator G works as follows: • Choose two large random prime numbers p and q . • Compute n = p · q . • Compute ϕ ( n ) = ( p − 1) · ( q − 1) . • Choose an integer e > 1 such that gcd( e, ϕ ( n )) = 1 . • Compute a d such that d · e ≡ 1(mod ϕ ( n )) . • Publish the public key � K = ( e, n ) . • Retain the private key K = d . 66. Encryption The encryption algorithm E takes the public key � K = ( e, n ) to encrypt the message M . This time we assume that M is a number with M < n . In case the actual message is larger than n , then M is split into blocks of the right size and each block is encrypted separately. In addition we can use some padding scheme. The algorithm E is simple exponentiation of the message M to get the ciphertext C M e ≡ C (mod n ) . 67. Decryption Given the ciphertext C , Alice can now use her secret K = d to recover the original message M by computing C d ≡ M (mod n ) . 68. Correctness The obvious next question is of course, why does that work? Let’s have a look: First we note that C d ≡ ( M e ) d ≡ M ed (mod n ) . We now want to show that we have M ed ≡ M (mod n ) 22
We know that ed ≡ 1(mod ( p − 1)( q − 1)) . We therefore have ed − k ( p − 1)( q − 1) = 1 for some k ∈ Z and hence get: M ed = M 1+ k ( p − 1)( q − 1) = M · M k ( p − 1)( q − 1) = M · ( M ( p − 1)( q − 1) ) k ≡ M (mod n ) , where the last step follows 1. either from Euler’s theorem, i.e., M ϕ ( n ) = M ( p − 1)( q − 1) ≡ 1(mod n ) for M, n ∈ Z when gcd( M, n ) = 1 , 2. or using the Chinese Remainder Theorem: Given that 0 ≤ M < n = pq and gcd( M, n ) � = 1 , we know that M can only be a multiple of p or q . Suppose it is a multiple of q then we have gcd( M, p ) = 1 and with Euler’s theorem we know that M p − 1 ≡ 1(mod p ) as ϕ ( p ) = p − 1 , thus M · M k ( p − 1)( q − 1) ≡ M (mod p ) . Since M is a multiple of q we have M ≡ 0(mod q ) and also M · M k ( p − 1)( q − 1) ≡ 0 = M (mod q ) . Therefore, by the Chinese Remainder Theorem, we get M · M k ( p − 1)( q − 1) ≡ M (mod n ) . The similar reasoning holds if the M is a multiple of p . And what does all this have to do with factorisation? Only if we know ϕ ( n ) we can then efficiently decrypt the message. However, Eve could only learn ϕ ( n ) if she was able to factorise n into p and q . For large enough primes this is, however, infeasible. Nevertheless there need to be some precautions for the choice of parameters of RSA as we will see later. Example: Here is a very simple example of RSA encryption. The key generation G consists of the steps: • We choose p = 7 and q = 11 . • We compute n = p · q = 77 . • And also ϕ ( n ) = ( p − 1)( q − 1) = 6 · 10 = 60 . • We now need an exponent e such that gcd( e, 60) = 1 . We pick e = 43 , for which it is easy to see that gcd(43 , 60) = 1 as 43 is a prime number. • To obtain the secret key we have to compute d using the extended Euclidean algorithm. This results in d = 7 since 43 · 7 = 301 ≡ 1(mod 60) . • We now publish the public key � K = (43 , 77) . • We retain the secret key K = 7 . Suppose we now want to transmit the message M = 14 . We then encrypt it by computing M e ≡ C (mod n ) 14 43 ≡ 49(mod 77) . as To decrypt the ciphertext C = 49 we compute C d ≡ M (mod n ) 49 7 ≡ 14(mod 77) . as Note that not all elements are invertible elements in Z 77 and we can therefore not always generate sub- groups. However, we can still using counting for computing the discrete exponentiations. For example � 14 � = { 14 1 = 14 , 14 2 = 42 , 14 3 = 49 , 14 4 = 70 , 14 5 = 56 , 14 6 = 14 , . . . } = { 14 , 42 , 49 , 70 , 56 } 23
IV.4.1 Attacks on RSA There are many attacks on RSA, most of them challenging its structure with sophisticated mathematical tools. Discussing these attacks would go beyond the scope of this lecture. However, we can easily demonstrate that RSA is already vulnerable to a chosen-ciphertext attack, i.e., an attack in which Eve can obtain decrypted plaintexts for ciphertexts of her choice. K ( M ) = M e (mod n ) Suppose RSA is used as defined above, that is, messages are encrypted with E � and decrypted with D K ( C ) = C d (mod n ) . Suppose also Eve has intercepted a ciphertext C that she wants to decrypt. She then starts a chosen ciphertext attack by: • Choose C 1 ∈ Z n arbitrary and ask for its decryption, yielding a message M 1 . • Let C 2 := C · C 1 − 1 and ask for its decryption, yielding a message M 2 . 1 · C d · C − d = 1 · C d = M ed = M . • Compute M 1 · M 2 = C d 1 · C d 2 = C d 1 Eve can do even better and break the message with only one chosen ciphertext. Again we assume she has intercepted the ciphertext C . • Choose M 1 ∈ Z n arbitrary and let C 1 := M e 1 (mod n ) . • Let C 2 := C · C − 1 and ask for its decryption, yielding a message M 2 . 1 = M ed = M . = M 1 · C d · M − 1 = M 1 · ( M e ) d · M − 1 • Compute M 1 · M 2 = M 1 · C d 2 = M 1 · C d · C − d 1 1 1 IV.4.2 Using RSA in Practice While brute force attacks on RSA are still computationally infeasible, many attacks become possible if only a tiny bit of information is leaked or if the RSA parameters have not been chosen carefully. Here are a number of criteria that should be met in order to operate RSA securely: • Choose e such that both e and d are large numbers. • Never leak even a small number of bits of p , q , and d . • Never encrypt small messages (corresponding to small numbers in Z n .) as they are easy to attack. But despite all these precautions the main problem with RSA is that it has too much mathematical struc- ture and is therefore vulnerable. Recall that for symmetric ciphers we always required a cipher to act as randomly as possible, i.e., there should be no obvious connection between the plaintext and the cipher- text and small changes in the plaintext should lead to big changes in the ciphertext. Ideally, the same plaintext should also be enciphered differently at different times (for block ciphers we have achieved this for example with different modes of operation). For the RSA and most public ciphers this is however not the case. 69. Encryption Schemes One way to overcome the mathematical regularity of many public key ciphers is by using so called Encryption Schemes . They aim at 1. adding randomness to the encryption, and 2. preventing attacks of the form presented above. There are several general encryption schemes for public key ciphers as well as specialist schemes for RSA known as PKCS standards. They pre-process the messages before applying the RSA function in order to achieve the above goals. This can be done, for example, by adding random bit strings to a message or applying hash functions, in order to vary the resulting ciphertext. 24
Recommend
More recommend
