RSA and Public Key Cryptography - Cryptography - Chester Rebeiro, IIT Madras - PowerPoint PPT Presentation


SLIDE 1

RSA and Public Key Cryptography

Cryptography

Chester Rebeiro, IIT Madras

STINSON : chapter 5, 6

SLIDE 2

Ciphers

  • Symmetric Algorithms
    – Encryption and Decryption use the same key
    – i.e. KE = KD
    – Examples:
      • Block Ciphers : DES, AES, PRESENT, etc.
      • Stream Ciphers : A5, Grain, etc.
  • Asymmetric Algorithms
    – Encryption and Decryption keys are different
    – KE ≠ KD
    – Examples:
      • RSA
      • ECC

SLIDE 3

Asymmetric Key Algorithms

[Figure: Alice encrypts the plaintext “Attack at Dawn!!” with E under key KE and sends the ciphertext #%AR3Xf34^$ over an untrusted communication link; Bob decrypts it with D under key KD]

The Key K is a secret

Encryption Key KE not same as decryption key KD. KE known as Bob’s public key; KD is Bob’s private key

Advantage : No need of secure key exchange between Alice and Bob

Asymmetric key algorithms based on trapdoor one-way functions

SLIDE 4

One Way Functions

  • Easy to compute in one direction
  • Once done, it is difficult to invert

[Figure: Press to lock (can be easily done). Once locked it is difficult to unlock without a key]

SLIDE 5

Trapdoor One Way Function

  • One way function with a trapdoor
  • Trapdoor is a special function that, if possessed, can be used to easily invert the one way function

[Figure: Locked (difficult to unlock); easily unlocked with the trapdoor]

SLIDE 6

Public Key Cryptography (An Analogy)

  • Alice puts message into box and locks it
  • Only Bob, who has the key to the lock, can open it and read the message

SLIDE 7

Mathematical Trapdoor One Way Functions

  • Examples
    – Factorization of two primes
      • Given P, Q are two primes and N = P * Q
      • It is easy to compute N
      • However, given N it is difficult to factorize into P and Q
      • Used in cryptosystems like RSA
    – Discrete Log Problem
      • Consider b and g are elements in a finite group and $b^k = g$, for some k
      • Given b and k it is easy to compute g
      • Given b and g it is difficult to determine k
      • Used in cryptosystems like Diffie-Hellman
      • A variant used in ECC based crypto-systems

SLIDE 8

Applications of Public Key Cryptography

  • Encryption
  • Digital Signature : “Is this message really from Alice?”
    – Alice signs by ‘encrypting’ with private key
    – Anyone can verify signature by ‘decrypting’ with Alice’s public key
    – Why it works? Only Alice, who owns the private key, could have signed

SLIDE 9

Applications of Public Key Cryptography

  • Key Establishment : “Alice and Bob want to use a block cipher for encryption. How do they agree upon the secret key?”

Diffie-Hellman Key Exchange

Alice and Bob agree upon a prime p and a generator g. This is public information.

  Alice: choose a secret a, compute $A = g^a \bmod p$, send A to Bob
  Bob:   choose a secret b, compute $B = g^b \bmod p$, send B to Alice
  Alice: compute $K = B^a \bmod p$
  Bob:   compute $K = A^b \bmod p$

Both sides obtain the same K since $A^b \bmod p = (g^a)^b \bmod p = (g^b)^a \bmod p = B^a \bmod p$

SLIDE 10

RSA

Shamir, Rivest, Adleman (1977)

SLIDE 11

More Number Theory

Mathematical Background

SLIDE 12

RSA : Key Generation

Bob first creates a pair of keys (one public the other private)

  1. Generate two large primes p, q ($p \neq q$)
  2. Compute $n = p \times q$ and $\phi(n) = (p - 1)(q - 1)$
  3. Choose a random b ($1 < b < \phi(n)$) with $\gcd(b, \phi(n)) = 1$
  4. Compute $a = b^{-1} \bmod \phi(n)$

Bob’s public key is (n, b); Bob’s private key is (p, q, a)

Given the private key it is easy to derive the public key. Given the public key it is difficult to derive the private key.

SLIDE 13

RSA Encryption & Decryption

Encryption: $e_K(x) = y = x^b \bmod n$, where $x \in Z_n$ and $K = (n, b)$

Decryption: $d_K(y) = x = y^a \bmod n$, where $K = a$

SLIDE 14

RSA Example

  1. Take two primes p = 653 and q = 877
  2. n = 653 × 877 = 572681; φ(n) = 652 × 876 = 571152
  3. Choose public key b = 13; note that gcd(13, 571152) = 1
  4. Private key $a = 13^{-1} \bmod 571152 = 395413$

Message x = 12345
encryption : $y = 12345^{13} \bmod 572681 = 536754$
decryption : $x = 536754^{395413} \bmod 572681 = 12345$

SLIDE 15

Correctness

Encryption: $e_K(x) = y = x^b \bmod n$, where $x \in Z_n$
Decryption: $d_K(y) = y^a \bmod n$

When $x \in Z_n$ and $\gcd(x, n) = 1$:

$ab \equiv 1 \pmod{\phi(n)} \;\Rightarrow\; ab - 1 = t\,\phi(n) \;\Rightarrow\; ab = t\,\phi(n) + 1$

$y^a \equiv (x^b)^a \equiv x^{ab} \equiv x^{t\phi(n)+1} \equiv (x^{\phi(n)})^t \cdot x \equiv x \pmod n$

From Fermat’s theorem (the last step uses $x^{\phi(n)} \equiv 1 \pmod n$)

SLIDE 16

Correctness

When $x \in Z_n$ and $\gcd(x, n) \neq 1$:

Since $n = pq$, $\gcd(x, n) = p$ or $\gcd(x, n) = q$. Assume $\gcd(x, n) = p$, i.e. $p \mid x$, so $x = pk$.

Modulo p:  LHS: $x^{ab} \bmod p \equiv (pk)^{ab} \bmod p \equiv 0$;  RHS: $x \bmod p \equiv pk \bmod p \equiv 0$.  Thus $x^{ab} \equiv x \pmod p$.

Modulo q:  $\gcd(x, n) = p$ implies $\gcd(x, q) = 1$, so by Fermat’s theorem
$x^{ab} \equiv x^{t\phi(n)+1} \equiv x \cdot (x^{(p-1)(q-1)})^t \equiv x \cdot (x^{q-1})^{t(p-1)} \equiv x \cdot 1 \equiv x \pmod q$

By CRT, $x^{ab} \equiv x \pmod p$ and $x^{ab} \equiv x \pmod q$ imply $x^{ab} \equiv x \pmod n$. ∎

SLIDE 17

RSA Implementation

$y = x^c \bmod n$, computed by square-and-multiply over the bits of c from the most significant bit down

c = 23 = (10111)_2

  i | e_i | z
  4 |  1  | 1^2 * x = x
  3 |  0  | x^2
  2 |  1  | x^4 * x = x^5
  1 |  1  | x^10 * x = x^11
  0 |  1  | x^22 * x = x^23

SLIDE 18

RSA Implementation in Software (Multi-precision Arithmetic)

  • RSA requires arithmetic in 1024 or 2048 bit numbers
  • Modern processors have ALUs that are 8, 16, 32, 64 bit
    – Typically can perform arithmetic on 8/16/32/64 bit numbers
  • Solution: multi-precision arithmetic (gmp library)

[Figure: a 1024 bit number stored as words in base $2^b$, where b = 64/32/16/8 bits]

SLIDE 19

Multi-precision Addition

  • ADD : a = 9876543210 = (2, 76, 176, 22, 234)_256
          b = 1357902468 = (80, 239, 242, 132)_256
          base = 8 bit (256)

  i | a_i | b_i | c_in | a_i + b_i + c_in (mod 256) | Carry?           | c_out
  0 | 234 | 132 |  0   | 110                        | (110 < 234)? yes | 1
  1 |  22 | 242 |  1   | 9                          | (9 < 22)? yes    | 1
  2 | 176 | 239 |  1   | 160                        | (160 ≤ 176)? yes | 1
  3 |  76 |  80 |  1   | 157                        | (157 ≤ 76)? no   | 0
  4 |   2 |   0 |  0   | 2                          | (2 < 2)? no      | 0

a + b = (2, 157, 160, 9, 110)_256 = 11234445678

“Computational Number Theory”, Abhijit Das, CRC Press

SLIDE 20

Multi-precision Subtraction

  • SUB : a = 9876543210 = (2, 76, 176, 22, 234)_256
          b = 1357902468 = (80, 239, 242, 132)_256
          base = 256 (8 bit)

  i | a_i | b_i | c_in | Borrow?          | c_out | a_i - b_i - c_in (mod 256)
  0 | 234 | 132 |  0   | (234 < 132)? no  | 0     | 102
  1 |  22 | 242 |  0   | (22 < 242)? yes  | 1     | 36
  2 | 176 | 239 |  1   | (176 < 239)? yes | 1     | 192
  3 |  76 |  80 |  1   | (76 < 80)? yes   | 1     | 251
  4 |   2 |   0 |  1   | (2 < 0)? no      | 0     | 1

a - b = (1, 251, 192, 36, 102)_256 = 8518640742

SLIDE 21

Multi-precision Multiplication (Classical Multiplication)

  • MUL : a = 1234567 = (18, 214, 135)_256
          b = 76543210 = (4, 143, 244, 234)_256
          base = 8 bit (256)

a * b = (0, 85, 241, 247, 25, 195, 102)_256 = 94497721140070
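The limb arithmetic of slides 19-21 as an added Python example (not code from the slides): base-256 addition with the carry test, subtraction with the borrow, and classical multiplication, checked against the slides' numbers; the function names are this example's own.

```python
# Added example (not from the slides): the limb-by-limb addition, subtraction
# and classical multiplication of slides 19-21 in base B = 256, written so
# every carry and borrow is explicit (Python ints are used only to check).
B = 256

def to_limbs(value, base=B):
    """Little-endian limb list, e.g. 9876543210 -> [234, 22, 176, 76, 2]."""
    limbs = []
    while value:
        value, r = divmod(value, base)
        limbs.append(r)
    return limbs or [0]

def from_limbs(limbs, base=B):
    return sum(l * base ** i for i, l in enumerate(limbs))

def mp_add(a, b, base=B):
    """Slide 19: (a_i + b_i + c_in) mod base; the limb overflowed (carry out = 1)
    iff sum < a_i when c_in = 0, or sum <= a_i when c_in = 1."""
    out, carry = [], 0
    for i in range(max(len(a), len(b))):
        ai = a[i] if i < len(a) else 0
        bi = b[i] if i < len(b) else 0
        s = (ai + bi + carry) % base
        carry = 1 if (s < ai or (carry == 1 and s == ai)) else 0
        out.append(s)
    if carry:
        out.append(carry)
    return out

def mp_sub(a, b, base=B):
    """Slide 20 (assumes a >= b): (a_i - b_i - c_in) mod base,
    borrow out = 1 iff a_i < b_i + c_in."""
    out, borrow = [], 0
    for i in range(len(a)):
        ai = a[i]
        bi = b[i] if i < len(b) else 0
        borrow_out = 1 if ai < bi + borrow else 0
        out.append((ai - bi - borrow) % base)
        borrow = borrow_out
    if borrow:
        raise ValueError("a < b: result would be negative")
    while len(out) > 1 and out[-1] == 0:   # drop leading zero limbs
        out.pop()
    return out

def mp_mul(a, b, base=B):
    """Slide 21: classical schoolbook multiplication, one limb product at a
    time with carry propagation; the result has len(a) + len(b) limbs."""
    out = [0] * (len(a) + len(b))
    for i, ai in enumerate(a):
        carry = 0
        for j, bj in enumerate(b):
            t = out[i + j] + ai * bj + carry
            out[i + j], carry = t % base, t // base
        out[i + len(b)] += carry
    return out

def slide_examples():
    """The worked numbers from slides 19-21 (limb lists shown big-endian)."""
    a, b = to_limbs(9876543210), to_limbs(1357902468)
    c, d = to_limbs(1234567), to_limbs(76543210)
    return {
        "sum": from_limbs(mp_add(a, b)),
        "sum_limbs": mp_add(a, b)[::-1],
        "diff": from_limbs(mp_sub(a, b)),
        "diff_limbs": mp_sub(a, b)[::-1],
        "prod": from_limbs(mp_mul(c, d)),
        "prod_limbs": mp_mul(c, d)[::-1],
    }

if __name__ == "__main__":
    for k, v in slide_examples().items():
        print(k, v)
```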

SLIDE 22

Multi-precision Multiplication (Karatsuba Multiplication)

Let a, b be two multiprecision integers with n B-ary words. Let m = n/2 and split
$a = a_h B^m + a_l$, $b = b_h B^m + b_l$.

$a \times b = a_h b_h B^{2m} + (a_h b_l + a_l b_h) B^m + a_l b_l$
$\qquad = a_h b_h B^{2m} + \big(a_h b_h + a_l b_l - (a_h - a_l)(b_h - b_l)\big) B^m + a_l b_l$

using $(a_h - a_l)(b_h - b_l) = a_h b_h - a_h b_l - a_l b_h + a_l b_l$

Karatsuba multiplication converts an n bit multiplication into 3 multiplications of n/2 bits. The penalty is an increased number of additions.

SLIDE 23

Multi-precision Multiplication (Karatsuba Multiplication)

B = 256; a = 123456789 = (7, 91, 205, 21)_256; b = 987654321 = (58, 222, 104, 177)_256
n = 4; m = 2
a_h = (7, 91); a_l = (205, 21); a = (7, 91) · 256^2 + (205, 21)
b_h = (58, 222); b_l = (104, 177); b = (58, 222) · 256^2 + (104, 177)

a_h b_h = (1, 176, 254, 234)_256
a_l b_l = (83, 222, 83, 133)_256
a_h - a_l = -(197, 186)_256
b_h - b_l = -(45, 211)_256
(a_h - a_l)(b_h - b_l) = (35, 100, 170, 78)_256
a_h b_l + a_l b_h = a_h b_h + a_l b_l - (a_h - a_l)(b_h - b_l) = (50, 42, 168, 33)_256

ab (column addition of the three partial products, base 256):
    1  176  254  234    .    .    .    .
    .    .   50   42  168   33    .    .
    .    .    .    .   83  222   83  133
  ----------------------------------------
    1  177   49   20  251  255   83  133
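One level of Karatsuba on the slide's operands, plus the recursive form, as an added example that is not the slides' code; the word-splitting helper and function names are this example's own.

```python
# Added example (not from the slides): Karatsuba multiplication over base-256
# words following the identity of slide 22, reproducing the intermediate
# values of slide 23 for a = 123456789, b = 987654321 (n = 4 words, m = 2).
B = 256

def to_words(value, n):
    """Big-endian list of exactly n base-B words, the slide's (w0, w1, ...)_256."""
    return [(value >> (8 * i)) & 0xFF for i in range(n)][::-1]

def karatsuba_step(a, b, n):
    """One Karatsuba level for two n-word integers (n even): three half-size
    products instead of four.  Returns the product and the slide's intermediates."""
    m = n // 2
    shift = B ** m
    ah, al = divmod(a, shift)          # a = ah*B^m + al
    bh, bl = divmod(b, shift)          # b = bh*B^m + bl
    ahbh = ah * bh
    albl = al * bl
    diff = (ah - al) * (bh - bl)      # = ahbh - ahbl - albh + albl
    middle = ahbh + albl - diff       # = ahbl + albh without two more multiplies
    product = ahbh * shift ** 2 + middle * shift + albl
    return product, {"ah": ah, "al": al, "bh": bh, "bl": bl, "ahbh": ahbh,
                     "albl": albl, "ah-al": ah - al, "bh-bl": bh - bl,
                     "middle": middle}

def karatsuba(a, b, n):
    """Recursive Karatsuba on n-word operands (n a power of two); a single-word
    product is the base case.  |ah - al| and |bh - bl| fit in m words, so the
    signs of the differences are tracked separately."""
    if n == 1:
        return a * b
    m = n // 2
    shift = B ** m
    ah, al = divmod(a, shift)
    bh, bl = divmod(b, shift)
    ahbh = karatsuba(ah, bh, m)
    albl = karatsuba(al, bl, m)
    sa, da = (1, ah - al) if ah >= al else (-1, al - ah)
    sb, db = (1, bh - bl) if bh >= bl else (-1, bl - bh)
    diff = sa * sb * karatsuba(da, db, m)
    return ahbh * shift ** 2 + (ahbh + albl - diff) * shift + albl

def slide_example():
    """a = 123456789 = (7, 91, 205, 21)_256, b = 987654321 = (58, 222, 104, 177)_256."""
    return karatsuba_step(123456789, 987654321, 4)

if __name__ == "__main__":
    product, parts = slide_example()
    print("ah*bh         =", to_words(parts["ahbh"], 4))    # [1, 176, 254, 234]
    print("al*bl         =", to_words(parts["albl"], 4))    # [83, 222, 83, 133]
    print("(ah-al)(bh-bl)=", to_words(parts["ah-al"] * parts["bh-bl"], 4))  # [35, 100, 170, 78]
    print("middle        =", to_words(parts["middle"], 4))  # [50, 42, 168, 33]
    print("a*b           =", to_words(product, 8))          # [1, 177, 49, 20, 251, 255, 83, 133]
```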

SLIDE 24

Speeding RSA decryption with CRT

  • Decryption is done as follows : $x = y^a \bmod n$
  • Bob can also decrypt by using CRT: compute $x \bmod p = y^a \bmod p$ and $x \bmod q = y^a \bmod q$ (since he knows the factors of n, i.e. p, q) and combine the two residues by CRT
  • CRT turns out to be much faster since the size (in bits) of p and q is about ½ that of n
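Key generation (slide 12), the worked example of slide 14 and the CRT decryption of this slide, as an added Python example not taken from the slides; the function names are this example's own, and the CRT recombination uses Garner's formula, which the slide does not spell out.

```python
# Added example (not from the slides): RSA key generation, encryption and
# decryption with the slide-14 parameters, plus the CRT form of decryption
# from slide 24.  Names (rsa_keygen, decrypt_crt, ...) are this example's own.
from math import gcd

def rsa_keygen(p, q, b):
    """Slide-12 key generation for given primes p, q and public exponent b.
    Returns (public_key, private_key) = ((n, b), (p, q, a))."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < b < phi) or gcd(b, phi) != 1:
        raise ValueError("b must satisfy 1 < b < phi(n) and gcd(b, phi(n)) = 1")
    a = pow(b, -1, phi)             # a = b^-1 mod phi(n)  (Python >= 3.8)
    return (n, b), (p, q, a)

def encrypt(public_key, x):
    n, b = public_key
    return pow(x, b, n)             # y = x^b mod n

def decrypt(public_key, private_key, y):
    n, _ = public_key
    _, _, a = private_key
    return pow(y, a, n)             # x = y^a mod n

def decrypt_crt(public_key, private_key, y):
    """Slide-24 decryption: exponentiate modulo p and modulo q (half-size
    operands) and recombine with the Chinese Remainder Theorem (Garner's form)."""
    n, _ = public_key
    p, q, a = private_key
    # By Fermat's theorem the exponent may be reduced mod p-1 and mod q-1.
    x_p = pow(y % p, a % (p - 1), p)
    x_q = pow(y % q, a % (q - 1), q)
    # Garner: x = x_p + p * ((x_q - x_p) * p^-1 mod q), which is < n.
    h = ((x_q - x_p) * pow(p, -1, q)) % q
    x = x_p + p * h
    assert 0 <= x < n
    return x

def slide_example():
    """p = 653, q = 877, b = 13, message x = 12345 (slide 14)."""
    pub, priv = rsa_keygen(653, 877, 13)
    y = encrypt(pub, 12345)
    return pub, priv, y, decrypt(pub, priv, y), decrypt_crt(pub, priv, y)

if __name__ == "__main__":
    pub, priv, y, x_direct, x_crt = slide_example()
    print("public key", pub, "private exponent", priv[2])     # (572681, 13) 395413
    print("ciphertext", y, "plaintext (direct)", x_direct, "plaintext (CRT)", x_crt)
```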

SLIDE 25

Multi-precision libraries

  • GMP : GNU Multi-precision library
  • Make use of Intel’s SSE/AVX instructions
    – These are SIMD instructions that have large registers (128, 256, 512 bit)
  • Crypto libraries
    – OpenSSL, PolarSSL, NaCL, etc.

SLIDE 26

Finding Primes

SLIDE 27

Test for Primes

  • How to generate large primes?
    – Select a random large number
    – Test whether or not the number is prime
  • What is the probability that the chosen number is a prime?
    – Let π(N) be the number of primes < N
    – From number theory, π(N) ≈ N/ln N
    – Therefore probability of a random number (< N) being a prime is 1/ln N
  • As N increases, it becomes increasingly difficult to find large primes

SLIDE 28

GIMPS

  • There are infinite prime numbers (proved by Euclid)
  • Finding them becomes increasingly difficult as N increases
  • GIMPS : Great Internet Mersenne Prime Search
    – Mersenne Prime has the form $2^n - 1$
    – Largest known prime (found in 2016) has 22 million digits: $2^{74,207,281} - 1$
  • $3000 to beat this ☺

https://en.wikipedia.org/wiki/Largest_known_prime_number

SLIDE 29

Primality Tests with Trial Division

  • School book methods (trial division)
    – Find if any number from 2 to N-1 divides N
    – Find if any number from 2 to $N^{1/2}$ divides N
    – Find if any prime number from 2 to $N^{1/2}$ divides N
    – Too slow!!!
      • Need to divide by N-1 numbers
      • Need to divide by $N^{1/2}$ numbers
      • Need to divide by $(N/\ln N)^{1/2}$ primes
    – For example, if n is approx $2^{1024}$, then need to check around $2^{507}$ numbers
  • Need something better for large primes
    – Randomized algorithms

SLIDE 30

Randomized Algorithms for Primality Testing

  • Monte-carlo Randomized Algorithms
    – Always runs in polynomial time
    – May produce incorrect results with bounded probability
    – Yes-based Monte-carlo method
      • Answer YES is always correct, but answer NO may be wrong
    – No-based Monte-carlo method
      • Answer NO is always correct, but answer YES may be wrong

SLIDE 31

Finding Large Primes (using Fermat’s Theorem)

  is_prime(n) {
      pick a ← Z_n
      if ($a^{n-1} \equiv 1 \bmod n$) return TRUE
      else return FALSE
  }

If n is prime, then $a^{n-1} \equiv 1 \bmod n$ is true for any ‘a’.
If n is composite, $a^{n-1} \equiv 1 \bmod n$ is false but may be true for some values of a. For example: n = 221 and a = 38: $38^{220} \bmod 221 \equiv 1$. We need to increase our confidence with more values of a.

SLIDE 32

Fermat’s Primality Test

  • Increasing confidence with multiple bases

  primality_test(n) {
      for (i = 0; i < 1000; i++) {
          if (is_prime(n) == FALSE) return COMPOSITE
      }
      return probably PRIME
  }

SLIDE 33

Flaw in the Fermat’s Primality Test

Some composites act as primes: irrespective of the ‘a’ chosen, the test $a^{n-1} \equiv 1 \bmod n$ passes. For example, Carmichael numbers are composite numbers which satisfy Fermat’s little theorem irrespective of the value of a.

SLIDE 34

Strong probable-primality test

  • If n is prime, the square root of $a^{n-1}$ is either +1 or -1

$a^2 \equiv 1 \pmod n \;\Rightarrow\; (a + 1)(a - 1) \equiv 0 \pmod n \;\Rightarrow\;$ either $a \equiv +1 \pmod n$ or $a \equiv -1 \pmod n$

SLIDE 35

Miller-Rabin Primality Test

  • Yes-based primality test for composites
  • Does not suffer due to Carmichael numbers
  • Write $n - 1 = 2^s d$
    – where d is odd and s is non-negative
    – n is a composite if $a^d \not\equiv 1 \pmod n$ and $a^{2^r d} \not\equiv -1 \pmod n$ for all numbers r less than s

SLIDE 36

Proof of Miller-Rabin test

  • Write $n - 1 = 2^s d$
  • Claim: n is composite if $a^d \not\equiv 1 \pmod n$ and $a^{2^r d} \not\equiv -1 \pmod n$ for all numbers r less than s
  • Proof: We prove the contra-positive. We will assume n to be prime. Thus, $a^d \equiv 1 \pmod n$ or $a^{2^r d} \equiv -1 \pmod n$ for some number r less than s

SLIDE 37

Proof of Miller-Rabin test

Proof: We prove the contra-positive. We will assume n to be prime. Thus we prove: $a^d \equiv 1 \pmod n$ or $a^{2^r d} \equiv -1 \pmod n$ for some number r less than s.

  • Consider the sequence : $a^d,\ a^{2d},\ a^{2^2 d},\ a^{2^3 d},\ \ldots,\ a^{2^s d} = a^{n-1} \equiv 1$ (Fermat’s)
    – The roots of $x^2 = 1 \bmod n$ are either +1 or -1
    – In the sequence, if $a^d$ is 1, then all elements in the sequence will be 1
    – If $a^d$ is not 1, then there should be some element in the sequence which is -1, in order to have the final element as 1

SLIDE 38

Miller-Rabin Algorithm (test for composites)

Input n
  1. Find an integer d and s such that $n - 1 = 2^s d$, d odd
  2. Select at random a nonzero $a \in Z_n$
  3. Compute $b = a^d \bmod n$. If $b = \pm 1$ return ‘n is prime’
  4. For $i = 1, \ldots, s - 1$: calculate $c = b^{2^i} \bmod n$. If $c \equiv -1$ return ‘n is prime’
  5. Otherwise return ‘n is composite’
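The Fermat test (slide 31), its repeated form (slide 32) and the Miller-Rabin algorithm above as one added Python example (not the slides' code), run on the slide's n = 221 with a = 38 and on the Carmichael number 561 = 3 × 11 × 17; the Carmichael check and the function names are this example's own.

```python
# Added example (not from the slides): the Fermat test of slide 31, the repeated
# test of slide 32 and the Miller-Rabin test of slide 38, run on the slide's
# numbers (221 with a = 38) and on the Carmichael number 561 = 3*11*17.
import random
from math import gcd

def fermat_passes(n, a):
    """Slide 31: TRUE when a^(n-1) = 1 mod n.  A prime always passes; a
    composite may pass for some bases (the 'Fermat liars')."""
    return pow(a, n - 1, n) == 1

def fermat_primality_test(n, rounds=1000, rng=random):
    """Slide 32: repeat with random bases; COMPOSITE is certain, PRIME is probable."""
    if n < 4:
        return n in (2, 3)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if not fermat_passes(n, a):
            return False            # COMPOSITE
    return True                     # probably PRIME

def miller_rabin_round(n, a):
    """Slide 38 for one base a.  True means 'n is (probably) prime'."""
    d, s = n - 1, 0
    while d % 2 == 0:               # step 1: n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    b = pow(a, d, n)                # step 3
    if b == 1 or b == n - 1:
        return True
    for _ in range(1, s):           # step 4: square s - 1 more times
        b = (b * b) % n
        if b == n - 1:
            return True
    return False                    # step 5: a is a witness, n is composite

def miller_rabin(n, rounds=40, rng=random):
    """Repeated Miller-Rabin; a composite survives each round with prob. <= 1/4."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(miller_rabin_round(n, rng.randrange(2, n - 1)) for _ in range(rounds))

def fermat_liars(n):
    """Bases 1 < a < n - 1 coprime to n for which the Fermat test wrongly passes."""
    return [a for a in range(2, n - 1) if gcd(a, n) == 1 and fermat_passes(n, a)]

def carmichael_fools_fermat(n=561):
    """Slide 33: for a Carmichael number every base coprime to n passes Fermat."""
    coprime = [a for a in range(2, n - 1) if gcd(a, n) == 1]
    return len(fermat_liars(n)) == len(coprime)

if __name__ == "__main__":
    print("221 with a=38 passes Fermat:", fermat_passes(221, 38))       # True (liar)
    print("221 Miller-Rabin with a=38:", miller_rabin_round(221, 38))  # False (witness)
    print("561 fools Fermat for every coprime base:", carmichael_fools_fermat())
    print("561 Miller-Rabin:", miller_rabin(561))                      # False
```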

SLIDE 39

Quadratic Residues

  • Example : m = 13, square elements in Z_13 (the squares of 1, 2, …, 12 mod 13):
    1, 4, 9, 3, 12, 10, 10, 12, 3, 9, 4, 1

The quadratic residues in Z_13 are therefore {1, 4, 3, 9, 10, 12}

If an element is not a quadratic residue, then it is a quadratic non-residue; the quadratic non-residues in Z_13 are {2, 5, 6, 7, 8, 11}

SLIDE 40

Legendre Symbol

Given p is an odd prime,

$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \mid a \\ 1 & \text{if } a \text{ is a QR mod } p \\ -1 & \text{if } a \text{ is a QNR mod } p \end{cases}$

SLIDE 41

Euler’s Criteria

A result from Euler: $\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \pmod p$

When a is a QR: $\exists\, x \in Z_p$ s.t. $x^2 \equiv a \pmod p$, so $a^{\frac{p-1}{2}} \equiv (x^2)^{\frac{p-1}{2}} \equiv x^{p-1} \equiv 1 \pmod p$

When $p \mid a$: $a^{\frac{p-1}{2}} \equiv 0 \pmod p$

SLIDE 42

Euler’s Criteria: when a is a Quadratic Non Residue

When a is a QNR, no $x \in Z_p$ exists s.t. $x^2 \equiv a \pmod p$.
Consider $a^{\frac{p-1}{2}} \bmod p$; note that $p - 1$ is even since p is an odd prime.
Squaring: $\left(a^{\frac{p-1}{2}}\right)^2 \equiv a^{p-1} \equiv 1 \pmod p$, so $a^{\frac{p-1}{2}} \equiv \pm 1 \pmod p$.
Since a is not a QR, $a^{\frac{p-1}{2}} \not\equiv 1 \pmod p$. Thus $a^{\frac{p-1}{2}} \equiv -1 \pmod p$.

SLIDE 43

Examples

$\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \pmod p$

$\left(\frac{4}{13}\right) \equiv 4^{\frac{13-1}{2}} = 4^6 \equiv 1 \pmod{13}$ : a is a QR
$\left(\frac{5}{13}\right) \equiv 5^{\frac{13-1}{2}} = 5^6 \equiv 12 \equiv -1 \pmod{13}$ : a is a QNR

Congruence always holds when n is an odd prime

$7^{\frac{15-1}{2}} = 7^7 \equiv -2 \pmod{15}$ : Euler’s witness
$14^{\frac{15-1}{2}} = 14^7 \equiv -1 \pmod{15}$ : Euler’s liar

Congruence may or may not hold when n is not an odd prime

SLIDE 44

Solovay Strassen Primality Test

  SOLOVAY-STRASSEN(n) {
      choose a random integer a such that $1 \leq a \leq n - 1$
      compute $x = \left(\frac{a}{n}\right)$            ← How to compute Legendre’s symbol?
      if $x = 0$ return COMPOSITE
      compute $y = a^{\frac{n-1}{2}} \bmod n$
      if $x \equiv y \pmod n$ return possibly PRIME
      else return COMPOSITE
  }

error probability is at most ½ (so at most $(\tfrac{1}{2})^k$ after k invocations of this algorithm)

SLIDE 45

Jacobi Symbol

  • Jacobi Symbol is a generalization of the Legendre symbol
  • Let n be any positive odd integer and a ≥ 0 any integer. The Jacobi symbol is defined as follows.

Suppose n is an odd positive integer with prime factorization $n = p_1^{e_1} \times p_2^{e_2} \times p_3^{e_3} \times p_4^{e_4} \times \cdots$. Then,

$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{e_1} \times \left(\frac{a}{p_2}\right)^{e_2} \times \left(\frac{a}{p_3}\right)^{e_3} \times \left(\frac{a}{p_4}\right)^{e_4} \times \cdots$

SLIDE 46

Jacobi Properties

  P1. If $a \equiv b \pmod n$ then $\left(\frac{a}{n}\right) = \left(\frac{b}{n}\right)$
  P2. $\left(\frac{2}{n}\right) = 1$ if $n \equiv \pm 1 \pmod 8$; $\left(\frac{2}{n}\right) = -1$ if $n \equiv \pm 3 \pmod 8$
  P3. $\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$
  P4. If a is even, write $a = 2^k t$ with t odd; then $\left(\frac{a}{n}\right) = \left(\frac{2}{n}\right)^k \left(\frac{t}{n}\right)$
  P5. If a is odd: $\left(\frac{a}{n}\right) = -\left(\frac{n}{a}\right)$ if $a \equiv n \equiv 3 \pmod 4$; $\left(\frac{a}{n}\right) = \left(\frac{n}{a}\right)$ otherwise

SLIDE 47

Computing Jacobi

From the theorem: P5, P1, then P2
P5, P1, P5, P1, P3, P2
P5, P1 and 1 is a QR mod 13
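The Jacobi symbol computed from P1-P5, Euler's criterion and the Solovay-Strassen test as one added Python example (not from the slides), checked on the mod-13 and mod-15 values of slides 39 and 43; the function names are this example's own.

```python
# Added example (not from the slides): the Jacobi symbol via properties P1-P5
# (slide 46), Euler's criterion (slide 41) and the Solovay-Strassen test
# (slide 44), checked on the slide's values mod 13 and mod 15.
import random

def jacobi(a, n):
    """(a/n) for odd n > 0 using P1 (reduce), P4 with P2 (pull out factors of 2)
    and P5 (reciprocity); returns 0 when gcd(a, n) > 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n                                  # P1
    result = 1
    while a != 0:
        while a % 2 == 0:                   # P4: (2^k t / n) = (2/n)^k (t/n)
            a //= 2
            if n % 8 in (3, 5):             # P2: (2/n) = -1 when n = +-3 mod 8
                result = -result
        a, n = n, a                         # P5: (a/n) = +-(n/a) for odd a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n                              # P1 again
    return result if n == 1 else 0          # n = gcd(a, n); symbol is 0 unless it is 1

def quadratic_residues(m):
    """Slide 39: the set of non-zero squares in Z_m."""
    return sorted({(x * x) % m for x in range(1, m)})

def euler_criterion(a, n):
    """a^((n-1)/2) mod n (slide 41), reported as -1 when it equals n - 1."""
    e = pow(a, (n - 1) // 2, n)
    return -1 if e == n - 1 else e

def solovay_strassen(n, a):
    """Slide 44, one round with base a (1 <= a <= n - 1):
    False = COMPOSITE (certain), True = possibly PRIME."""
    x = jacobi(a, n)
    if x == 0:
        return False
    y = pow(a, (n - 1) // 2, n)
    return y == x % n                        # compare x = +-1 with y inside Z_n

def is_probable_prime(n, rounds=50, rng=random):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(solovay_strassen(n, rng.randrange(1, n)) for _ in range(rounds))

def euler_liars(n):
    """Bases for which Euler's criterion agrees with the Jacobi symbol although
    n is composite (slide 43's 'Euler's liars')."""
    return [a for a in range(1, n) if jacobi(a, n) != 0 and solovay_strassen(n, a)]

if __name__ == "__main__":
    print("QR mod 13:", quadratic_residues(13))                 # [1, 3, 4, 9, 10, 12]
    print("(4/13) =", jacobi(4, 13), " 4^6 mod 13 =", euler_criterion(4, 13))
    print("(5/13) =", jacobi(5, 13), " 5^6 mod 13 =", euler_criterion(5, 13))
    print("7^7 mod 15 =", euler_criterion(7, 15), "(witness)")
    print("14^7 mod 15 =", euler_criterion(14, 15), "(liar)")
    print("Euler liars for 15:", euler_liars(15))               # [1, 14]
```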

SLIDE 48

Factoring Algorithms

SLIDE 49

Factorization to get the private key

  • Public information (n, b)
  • If Mallory can factorize n into p and q then,
    – She can compute φ(n) = (p-1)(q-1)
    – She can then compute the private key by finding $a \equiv b^{-1} \bmod \phi(n)$

How to factorize n?

SLIDE 50

Trial Division

Fundamental theorem of arithmetic: Any integer number (greater than 1) is either prime or a product of prime powers
$n = p_1^{e_1} p_2^{e_2} p_3^{e_3} \cdots p_k^{e_k}$

[Figure: trial division algorithm; labels: prime generation algorithm; Prime factors of n cannot be greater than $\sqrt{n}$; n = n / p : remove this factor from n]

Running time of algorithm: order of $\pi(2^{n/2})$

SLIDE 51

Pollard p-1 Factorization

$n = p \times q$

  1. Choose a random integer a ($1 < a < n$). If $\gcd(a, n) \neq 1$ then $\gcd(a, n)$ is a prime factor. However, this is most likely not the case as $\gcd(a, n) = 1$.
  2. Suppose we magically get an L such that $(p - 1) \mid L$. We use L to compute $a^L - 1$:
     By Fermat’s Little Theorem $a^{p-1} \equiv 1 \pmod p$. $(p - 1) \mid L \Rightarrow L = k(p - 1) \Rightarrow a^L \equiv (a^{p-1})^k \equiv 1 \pmod p$. Thus $p \mid a^L - 1$.
  3. Now compute $\gcd(a^L - 1, n)$. Since $p \mid a^L - 1$ and $p \mid n$, $\gcd(a^L - 1, n)$ is either p or may also be n. Thus if $\gcd(a^L - 1, n) \neq n$, then we have found a factor of n. If $q \mid a^L - 1$ also, then $\gcd(a^L - 1, n) = n$: cannot conclude anything.
  4. How to find the magic L? No easy way, trial and error!! Factorials have a lot of divisors. So that is a nice way. So, take L as a factorial of some number r.

SLIDE 52

Pollard p-1 Factorization

Pollard p-1 factorization for n:
  1. $S \leftarrow a$; $r \leftarrow 2$
  2. $S \leftarrow S^r \bmod n$ (so $S = a^{r!} \bmod n$); compute $d = \gcd(S - 1, n)$
  3. if $1 < d < n$: d is the prime factor of n; we are done!
     else if $d = n$: start again from 1 with next value of a
     else ($d = 1$): increment r and repeat 2

r = 2, 3, 4, … Will the algorithm terminate?
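Pollard's p - 1 as on slides 51-52, as an added example that is not the slides' code; the modulus 1009 × 2003 is constructed for the demo so that p - 1 = 1008 = 2^4 · 3^2 · 7 is 7-smooth while q - 1 = 2002 = 2 · 7 · 11 · 13 is not, and the function names are this example's own.

```python
# Added example (not from the slides): Pollard's p-1 as laid out on slides
# 51-52, with L = r! built incrementally (S <- S^r mod n).  The modulus below
# is constructed for the demo: p = 1009 (p-1 = 2^4*3^2*7 is 7-smooth) and
# q = 2003 (q-1 = 2*7*11*13 is not), so the factor 1009 surfaces first.
from math import gcd

def pollard_p_minus_1(n, a=2, max_r=100_000):
    """Return (factor, r) with 1 < factor < n, or (None, max_r) if the bound on
    r is reached.  Raises when d = n (the slide's 'start again with another a')."""
    d = gcd(a, n)
    if d != 1:                      # step 1: a lucky gcd already gives a factor
        return d, 1
    S = a                            # S = a^(1!) mod n
    for r in range(2, max_r + 1):
        S = pow(S, r, n)             # S = a^(r!) mod n
        d = gcd(S - 1, n)            # step 3: p | a^L - 1 once (p-1) | L = r!
        if d == n:
            raise ValueError("gcd = n: retry with a different base a")
        if d > 1:
            return d, r
    return None, max_r

def smooth_part_bound(p):
    """Smallest r with (p-1) | r!, i.e. the latest round in which p is exposed."""
    r, f = 1, 1
    while f % (p - 1) != 0:
        r += 1
        f *= r
    return r

DEMO_N = 1009 * 2003            # constructed modulus: 2021027

def demo():
    factor, r = pollard_p_minus_1(DEMO_N)
    return factor, r, DEMO_N // factor

if __name__ == "__main__":
    f, r, cofactor = demo()
    print(f"found {f} at r = {r}; {DEMO_N} = {f} * {cofactor}")
    print("latest round in which 1009 must appear:", smooth_part_bound(1009))   # 7
```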

SLIDE 53

Pollard Rho Algorithm

  • Form a sequence S1 by selecting randomly (with replacement) from the set Z_n:
    $S_1 = x_1, x_2, x_3, x_4, \ldots$
  • Also assume we magically find a new sequence S2 comprising of
    $S_2 = x'_1, x'_2, x'_3, x'_4, \ldots$ where $x'_1 \equiv x_1 \pmod p$, $x'_2 \equiv x_2 \pmod p$, $x'_3 \equiv x_3 \pmod p$, …
  • If we keep adding elements to S1, we will eventually find an $x_i$ and $x_j$ (i ≠ j) such that $x'_i = x'_j$
  • When this happens, $p \mid (x_i - x_j)$; also $p \mid n$. ∴ $\gcd((x_i - x_j), n)$ is p. We found a factor!!

SLIDE 54

Doing without magic

  • Form a sequence S1 by selecting randomly (with replacement) from the set Z_n: $S_1 = x_1, x_2, x_3, x_4, \ldots$
  • For every pair i, j in the sequence compute $d = \gcd((x_i - x_j), n)$
  • If d > 1 then it is a factor of n

SLIDE 55

Selecting elements of S1

To choose the next element of S1, Pollard suggests using a function $f : Z_n \to Z_n$ with the requirement that the output looks random.

Example : $f(x) = x^2 + 1 \bmod n$

$S_1 = \{\, x_i \mid x_0 \text{ is chosen randomly from } Z_n \text{ and } x_i = f(x_{i-1}) \text{ for } i > 0 \,\}$

SLIDE 56

Example

  • N = 82123, x0 = 631, f(x) = x² + 1

[Table: $x_i \bmod N$ alongside $x_i \bmod p$; the second column is just for understanding. In reality we will not know this]

$\gcd((x_3 - x_{10}), N) = \gcd(63222, 82123) = 41$, a factor of N

Given $x_i \bmod N$, we compute gcds of every pair until we find a gcd greater than 1.

Drawback… Large number of GCD computations. In this case 55. Can we reduce the number of gcd computations?

SLIDE 57

The Rho in Pollard-Rho

  • N = 82123, x0 = 631, f(x) = x² + 1

[Figure: the sequence $x_i \bmod p$ drawn as a tail 16, 11, 40 leading into the cycle 2, 5, 26, 21, 32, …, 1]

$x_t \equiv x_{t+l} \pmod p$

  • The smallest value of t and l for which the above congruence holds is t = 3, l = 7
  • For l = 7, all values of t > 3 satisfy the congruence: $x_j \equiv x_{j+l} \pmod p$ for $j \geq 3$
  • This leads to a cycle as shown in the figure (and a shape like the Greek letter rho)

SLIDE 58

Reducing gcd computations

  • GCD computations can be expensive.
  • Use Floyd’s cycle detection algorithm to reduce the number of GCD computations.

  choose a random $x = y \in Z_n$
  loop:
      $x_i = f(x_{i-1})$
      $y_i = f(f(y_{i-1}))$
      $d = \gcd((x_i - y_i), N)$
      if $d > 1$, return d

claim : The first time $x_i = y_i \bmod p$ occurs when $i \leq t + l$

[Figure: the same rho (tail 16, 11, 40; cycle 2, 5, 26, 21, 32, …, 1) with the two pointers x and y]

SLIDE 59

The first time $x_i = y_i \bmod p$ occurs is when $i \leq t + l$

  • l is the number of points in the cycle
  • t is the smallest value of i such that $x_i \equiv y_i \pmod N$

$x_i$ and $y_i$ meet at the same point in the cycle. Therefore, $y_i$ must have traversed (some) cycles more:
$x_i \equiv y_i \pmod N \;\Rightarrow\; x_i \equiv x_{2i} \pmod N \;\Rightarrow\; l \mid (2i - i) \;\Rightarrow\; l \mid i \;\Rightarrow\; i = kl$

Consider the first multiple of l not before the tail: if $kl < t$ then $(k + 1)l = kl + l \leq t + l$
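Pollard rho on the slides' N = 82123, x0 = 631, f(x) = x² + 1 in both the all-pairs form of slide 54 and the Floyd form of slide 58, as an added example (not from the slides); it also measures t and l of the sequence mod p to check the claim i ≤ t + l. The function names are this example's own.

```python
# Added example (not from the slides): Pollard rho on the slide's numbers
# N = 82123, x0 = 631, f(x) = x^2 + 1, in both forms: the all-pairs gcd search
# of slides 54/56 and Floyd's cycle detection of slide 58.  The tail and cycle
# lengths (t, l) of the sequence mod p are measured to check i <= t + l.
from math import gcd

def f(x, n):
    return (x * x + 1) % n

def rho_all_pairs(n, x0, limit=200):
    """Slides 54/56: extend S1 and test gcd(x_i - x_j, n) over all pairs.
    Returns (factor, (j, i), number_of_gcds)."""
    xs, count = [x0], 0
    for i in range(1, limit):
        xs.append(f(xs[-1], n))
        for j in range(i):
            count += 1
            d = gcd(xs[i] - xs[j], n)
            if 1 < d < n:
                return d, (j, i), count
    return None, None, count

def rho_floyd(n, x0, limit=10_000):
    """Slide 58: x advances one step, y two steps, one gcd per iteration.
    Returns (factor, iterations); factor None means x = y mod n (retry)."""
    x = y = x0
    for i in range(1, limit):
        x = f(x, n)
        y = f(f(y, n), n)
        d = gcd(x - y, n)
        if d == n:
            return None, i
        if d > 1:
            return d, i
    return None, limit

def tail_and_cycle(p, x0):
    """(t, l) of the sequence x_i mod p: t = index at which the cycle is
    entered, l = cycle length (slide 57: t = 3, l = 7 for p = 41)."""
    seen, x, i = {}, x0 % p, 0
    while x not in seen:
        seen[x] = i
        x, i = f(x, p), i + 1
    return seen[x], i - seen[x]

def demo(n=82123, x0=631):
    factor, pair, gcds = rho_all_pairs(n, x0)
    factor_floyd, iters = rho_floyd(n, x0)
    t, l = tail_and_cycle(factor, x0)
    return {"factor": factor, "pair": pair, "gcds": gcds,
            "floyd_factor": factor_floyd, "floyd_iters": iters, "t": t, "l": l}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```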

SLIDE 60

Expected number of operations before a collision

  • Can be obtained from Birthday paradox to be $\sqrt{p}$

SLIDE 61

Congruences of Squares

  • Given N = p × q, we need to find p and q
  • Suppose we find an x and y such that $x^2 \equiv y^2 \pmod N$
  • Then, $N \mid (x^2 - y^2) = (x - y)(x + y)$
  • This implies, $\gcd(N, (x - y))$ or $\gcd(N, (x + y))$ factors N

SLIDE 62

Example

  • Consider N = 91

$10^2 \equiv 3^2 \pmod{91}$ ⇒ $91 \mid (10 - 3)(10 + 3) = 7 \times 13$ ⇒ $\gcd(91, 7) = 7$, $\gcd(91, 13) = 13$
$34^2 \equiv 8^2 \pmod{91}$ ⇒ $91 \mid (34 + 8)(34 - 8) = 42 \times 26$ ⇒ $\gcd(91, 42) = 7$, $\gcd(91, 26) = 13$

So… we can use x and y with $x^2 \equiv y^2 \pmod N$ to factorize N. But how do we find such pairs?

SLIDE 63

Another Example

  • N = 1649

$41^2 \equiv 32 \pmod{1649}$, $43^2 \equiv 200 \pmod{1649}$
32 and 200 are not perfect squares. However 32 × 200 = 6400 = 80² is a perfect square.
$(41 \times 43)^2 \equiv (32 \times 200) \equiv 80^2 \pmod{1649}$

Thus, it is possible to combine non-squares to form a perfect square.

the examples are borrowed from Mark Stamp (http://cs.sjsu.edu/faculty/stamp/)

SLIDE 64

Forming Perfect Squares

Recall, Fundamental theorem of arithmetic: Any integer number (greater than 1) is either prime or a product of prime powers
$n = p_1^{e_1} p_2^{e_2} p_3^{e_3} \cdots p_k^{e_k}$

Thus, a number is a perfect square if its prime factors have even powers: $e_1, e_2, e_3, \ldots$ all even.

Thus, $32 = 2^5 5^0$ is not a perfect square; $200 = 2^3 5^2$ is not a perfect square;
$(32 \times 200) = 2^5 5^0 \times 2^3 5^2 = 2^8 5^2 = (2^4 5^1)^2$ is a perfect square

SLIDE 65

Dixon’s Random Squares Algorithm

  1. Choose a set B comprising of ‘b’ smallest primes. Add -1 to this set. (A number is said to be b-smooth, if its factors are in this set)
  2. Select an r at random
    – Compute $y = r^2 \bmod N$
    – Test if y factors completely in the set B.
    – If NO, then discard. ELSE save (y, r) (these are called B-smooth numbers)
  3. Repeat step 2, until we have b+1 such (y, r) pairs
  4. Solve the system of linear congruences

SLIDE 66

Example

  • N = 1829
  • b = 6, B = {-1, 2, 3, 5, 7, 11, 13}
  • Choose random values of r, square and factorize

All numbers are B-smooth except 60 and 75. Leave these and consider all others.

SLIDE 67

Check Exponents

  y = r² mod N | -1 | 2 | 3 | 5 | 7 | 11 | 13
  -65          |  1 |   |   | 1 |   |    |  1
   20          |    | 2 |   | 1 |   |    |
   63          |    |   | 2 |   | 1 |    |
  -11          |  1 |   |   |   |   |  1 |
  -91          |  1 |   |   |   | 1 |    |  1
   80          |    | 4 |   | 1 |   |    |

SLIDE 68

Check Exponents

  y = r² mod N | -1 | 2 | 3 | 5 | 7 | 11 | 13
  -65          |  1 |   |   | 1 |   |    |  1
   20          |    | 2 |   | 1 |   |    |
   63          |    |   | 2 |   | 1 |    |
  -11          |  1 |   |   |   |   |  1 |
  -91          |  1 |   |   |   | 1 |    |  1
   80          |    | 4 |   | 1 |   |    |

Find rows where exponents sum is even: -65, 20, 63, -91
  sum          |  2 | 2 | 2 | 2 | 2 |    |  2

$(42 \times 43 \times 61 \times 85)^2 \equiv (-1 \times 2 \times 3 \times 5 \times 7 \times 13)^2 \pmod{1829}$
$1459^2 \equiv 901^2 \pmod{1829}$

SLIDE 69

Final Steps

$(42 \times 43 \times 61 \times 85)^2 \equiv (-1 \times 2 \times 3 \times 5 \times 7 \times 13)^2 \pmod{1829}$
$1459^2 \equiv 901^2 \pmod{1829}$
⇒ $1829 \mid (1459 + 901)(1459 - 901) = 2360 \times 558$
⇒ $\gcd(1829, 2360) = 59$ and $\gcd(1829, 558) = 31$

Thus $1829 = 59 \times 31$
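Dixon's algorithm (slide 65) on N = 1829 with the slides' factor base and r values 42, 43, 61, 85, as an added example that is not the slides' code; the GF(2) elimination and the extra non-smooth candidates are this example's own.

```python
# Added example (not from the slides): Dixon's random squares (slide 65) on
# N = 1829 with B = {-1, 2, 3, 5, 7, 11, 13}, using the r values behind the
# slide's table (42, 43, 61, 85) and solving the exponent parities with
# Gaussian elimination over GF(2).
from math import gcd

FACTOR_BASE = [2, 3, 5, 7, 11, 13]          # -1 is handled as a sign column

def b_smooth_vector(y):
    """Exponent vector over [-1] + FACTOR_BASE, or None when y is not B-smooth."""
    if y == 0:
        return None
    vec = [1 if y < 0 else 0]
    y = abs(y)
    for p in FACTOR_BASE:
        e = 0
        while y % p == 0:
            y //= p
            e += 1
        vec.append(e)
    return vec if y == 1 else None

def collect_relations(N, candidates):
    """Step 2: keep (r, y, vector) where y = r^2 mod N, taken in (-N/2, N/2],
    is B-smooth (e.g. 42^2 = 1764 is kept as -65)."""
    rels = []
    for r in candidates:
        y = r * r % N
        if y > N // 2:
            y -= N
        v = b_smooth_vector(y)
        if v is not None:
            rels.append((r, y, v))
    return rels

def gf2_dependency(vectors):
    """Step 4: a non-empty subset of rows whose exponent vectors sum to all-even
    entries.  Rows are bitmasks of parities; a second mask records which
    original rows were combined."""
    pivots = {}                              # leading bit -> (row bits, history)
    for i, v in enumerate(vectors):
        bits = sum((e % 2) << k for k, e in enumerate(v))
        hist = 1 << i
        while bits:
            top = bits.bit_length() - 1
            if top not in pivots:
                pivots[top] = (bits, hist)
                break
            pbits, phist = pivots[top]
            bits, hist = bits ^ pbits, hist ^ phist
        else:                                # row reduced to zero: dependency
            return [j for j in range(len(vectors)) if hist >> j & 1]
    return None

def dixon(N, candidates):
    rels = collect_relations(N, candidates)
    subset = gf2_dependency([v for _, _, v in rels])
    if subset is None:
        return None
    x, exps = 1, [0] * (len(FACTOR_BASE) + 1)
    for i in subset:
        r, _, v = rels[i]
        x = x * r % N
        exps = [a + b for a, b in zip(exps, v)]
    y = 1                                     # square root of the product of y's
    for p, e in zip(FACTOR_BASE, exps[1:]):   # all exponents are even here
        y = y * pow(p, e // 2, N) % N
    return x, y, (gcd(x + y, N), gcd(x - y, N))

def demo(N=1829):
    # Constructed candidate list: the slide's r values plus a few non-smooth ones.
    return dixon(N, [42, 43, 61, 85, 44, 47, 50])

if __name__ == "__main__":
    print(demo())          # (1459, 901, (59, 31))
```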

SLIDE 70

State of the Art Factorization Techniques

  • Quadratic Sieve
    – Fastest for less than 100 digits
  • General Number Field Sieve
    – Fastest technique known so far for greater than 100 digits
    – Open source code (google GGNFS)
  • RSA factoring challenge
    – Best so far is 768 bit factorization
    – Current challenges 896 bits (reward $75,000), 1024 bit ($100,000)

https://en.wikipedia.org/wiki/RSA_Factoring_Challenge

SLIDE 71

RSA Attacks

attacks that don’t require factorization algorithms

SLIDE 72

Φ(n) leaks

  • If an attacker gets Φ(n) then n can be factored

$n = pq$, so $q = n/p$
$\phi(n) = (p - 1)(q - 1) = pq - (p + q) + 1 = n - p - n/p + 1$
$\Rightarrow p\,\phi(n) = np - p^2 - n + p \;\Rightarrow\; p^2 - (n - \phi(n) + 1)\,p + n = 0$

Solve to get p (a factor of n)

SLIDE 73

square roots of 1 mod n

There are two trivial and two non-trivial solutions for $y^2 \equiv 1 \pmod n$. The trivial solutions are +1 and -1.

By CRT, these congruences are equivalent:
$y^2 \equiv 1 \pmod n \iff \begin{cases} y^2 \equiv 1 \pmod p \\ y^2 \equiv 1 \pmod q \end{cases}$

so $y \equiv \pm 1 \pmod p$ and $y \equiv \pm 1 \pmod q$, giving four combinations:
  trivial:     $y \equiv +1 \pmod p,\ y \equiv +1 \pmod q$   and   $y \equiv -1 \pmod p,\ y \equiv -1 \pmod q$
  non-trivial: $y \equiv +1 \pmod p,\ y \equiv -1 \pmod q$   and   $y \equiv -1 \pmod p,\ y \equiv +1 \pmod q$

To get the non-trivial solutions solve using CRT

SLIDE 74

Example

  • n = 403 = 13 × 31
  • To get the non-trivial solutions of $y^2 \equiv 1 \pmod n$ solve using CRT:
    $y \equiv +1 \pmod p,\ y \equiv -1 \pmod q$ and $y \equiv -1 \pmod p,\ y \equiv +1 \pmod q$

$y \equiv \big(31 \cdot (31^{-1} \bmod 13) - 13 \cdot (13^{-1} \bmod 31)\big) \bmod 403 \equiv (31 \cdot 8 - 13 \cdot 12) \bmod 403 = 92$, and the other root is $-92 \equiv 311 \pmod{403}$

Note: $92^2 \equiv 311^2 \equiv 1 \pmod{403}$

The non-trivial solutions are 92 and 311. What happens when we solve $y \equiv +1 \pmod p,\ y \equiv +1 \pmod q$?

SLIDE 75

Decryption exponent leaks

  • If the decryption exponent ‘a’ leaks, then n can be factored
  • The attacker can then compute $ab - 1$: since $ab \equiv 1 \pmod{\phi(n)}$, $ab - 1 = k\,\phi(n)$
  • Now, for any message x ≠ 0: $x^{ab-1} \equiv 1 \pmod n$
  • Attack Plan, take square root : $y \equiv x^{\frac{ab-1}{2}} \pmod n$
    i.e., $y^2 \equiv 1 \pmod n \;\Rightarrow\; n \mid (y^2 - 1) = (y - 1)(y + 1) \;\Rightarrow\; \gcd(n, (y - 1))$ is a factor of n
    However we need to have a non-trivial result: $y \neq \pm 1$

SLIDE 76

The Attack (basic idea)

we assume we know the private key a: $ab \equiv 1 \pmod{\phi(n)}$, so $ab - 1 = k\,\phi(n)$

  1. given a, compute $ab - 1$
  2. Represent $t = (ab - 1)/2$
  3. choose any message x
  4. put $y = x^t \bmod n$   (thus $y^2 \equiv x^{ab-1} \equiv 1 \pmod n$ and $n \mid (y + 1)(y - 1)$)
  5. compute $d = \gcd(y - 1, n)$
  6. if $d \neq 1$ exit; return “d is a factor of n”
  7. if t is even: $t \leftarrow t/2$; goto step 4. else return “failure”

This will only work if $y \not\equiv \pm 1 \pmod n$. If $y \equiv \pm 1 \pmod n$, then goto step 7.

Probability of success of the attack is at least 1/2

SLIDE 77

Example

  • N = 403, b = 23, a = 47

$ab - 1 = 1080$, $t = 1080/2 = 540$

x = 2:
  loop 1 : t = 540,  $y = 2^{540} \bmod 403 \equiv 1$
  loop 2 : t = 270,  $y = 2^{270} \bmod 403 \equiv 311$;  $\gcd(310, 403) = 31$ (a factor of n)

x = 9:
  loop 1 : t = 540,  $y = 9^{540} \bmod 403 \equiv 1$
  loop 2 : t = 270,  $y = 9^{270} \bmod 403 \equiv 1$
  loop 3 : t = 135,  $y = 9^{135} \bmod 403 \equiv 1$
  can’t divide 135 further: failure
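The φ(n) leak (slide 72), the square roots of 1 (slides 73-74) and the leaked-exponent factoring of slides 75-77 on n = 403, b = 23, a = 47, as one added Python example not taken from the slides; the function names are this example's own.

```python
# Added example (not from the slides): the three "no factoring algorithm
# needed" results of slides 72-77 on n = 403 = 13 * 31: recovering p from
# phi(n), the four square roots of 1 via CRT, and factoring from a leaked
# decryption exponent with the slide's parameters b = 23, a = 47.
from math import gcd, isqrt

def factor_from_phi(n, phi):
    """Slide 72: p and q are the roots of x^2 - (n - phi + 1) x + n = 0."""
    s = n - phi + 1                      # = p + q
    disc = s * s - 4 * n
    root = isqrt(disc)
    if root * root != disc or (s + root) % 2:
        raise ValueError("phi is not phi(n) for a two-prime n")
    return (s - root) // 2, (s + root) // 2

def crt2(r1, m1, r2, m2):
    """x = r1 mod m1 and x = r2 mod m2 for coprime moduli (slide 74's formula)."""
    return (r1 * m2 * pow(m2, -1, m1) + r2 * m1 * pow(m1, -1, m2)) % (m1 * m2)

def square_roots_of_one(p, q):
    """Slide 73: combine y = +-1 mod p with y = +-1 mod q; two of the four are trivial."""
    return sorted(crt2(sp, p, sq, q) for sp in (1, p - 1) for sq in (1, q - 1))

def factor_from_private_exponent(n, b, a, x):
    """Slides 75-76.  ab - 1 is a multiple of phi(n), so x^(ab-1) = 1 mod n for
    x coprime to n; halving the exponent while the power stays 1 reaches a
    square root of 1.  Returns a factor, or None when y hits -1 or t goes odd."""
    if gcd(x, n) != 1:
        return gcd(x, n)                 # x itself already shares a factor
    t = a * b - 1
    while t % 2 == 0:
        t //= 2                           # step 2 and step 7: t <- t/2
        y = pow(x, t, n)                  # step 4
        if y == 1:
            continue                      # trivial root, keep halving
        if y == n - 1:
            return None                   # -1: this x gives no information
        return gcd(y - 1, n)              # steps 5-6: non-trivial root -> factor
    return None                           # t odd and every y was 1: failure

def demo():
    n, b, a = 403, 23, 47
    phi = (13 - 1) * (31 - 1)
    return {"from_phi": factor_from_phi(n, phi),
            "roots_of_one": square_roots_of_one(13, 31),
            "x=2": factor_from_private_exponent(n, b, a, 2),
            "x=9": factor_from_private_exponent(n, b, a, 9)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```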

SLIDE 78

Small Encryption Exponent

  • In order to improve efficiency of encryption, a small encryption exponent is preferred
  • However, this can lead to a vulnerability

SLIDE 79

Small Encryption Exponent

[Figure: Alice sends $m^3 \bmod N_1$, $m^3 \bmod N_2$, $m^3 \bmod N_3$ as ciphertexts c1, c2, c3 over an insecure channel]

  • Consider, Alice sending the same message x to 3 different people.
  • Each having a different N (say N1, N2, N3)
  • But same public key b (say 3)

SLIDE 80

Small Encryption Exponent

[Figure: Alice sends $m^3 \bmod N_1$, $m^3 \bmod N_2$, $m^3 \bmod N_3$ as ciphertexts c1, c2, c3 over an insecure channel]

$c_1 \equiv m^3 \pmod{N_1}$, $c_2 \equiv m^3 \pmod{N_2}$, $c_3 \equiv m^3 \pmod{N_3}$

  • Consider, Alice sending the same message x to 3 different people.
  • Each having a different N (say N1, N2, N3)
  • But same public key b (say 3)
  • This allows Mallory to snoop in and get 3 ciphertexts

SLIDE 81

Small Encryption Exponent

  • Thus, Mallory can compute X: by CRT,
    $\begin{cases} c_1 \equiv m^3 \pmod{N_1} \\ c_2 \equiv m^3 \pmod{N_2} \\ c_3 \equiv m^3 \pmod{N_3} \end{cases} \iff X \equiv m^3 \pmod{N_1 \cdot N_2 \cdot N_3}$
  • Since m < N1, m < N2, m < N3 ⇒ $m^3 < N_1 \times N_2 \times N_3$
  • Thus, $X^{1/3} = m$
    – i.e. The message can be decrypted

It is tempting to have small private and public keys, so that encryption or decryption may be carried out efficiently. However you would do this at the cost of security!!
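The CRT recombination and cube root of this slide as an added example (not the slides' code); the three moduli and the message are constructed toy values, the primes are chosen with p ≡ 2 (mod 3) so that b = 3 is a valid exponent, and the recombination step uses only the public data (c_i, N_i, b = 3).

```python
# Added example (not from the slides): the slide-81 recombination for one
# message sent under b = 3 to three different moduli.  The moduli and the
# message are constructed for the demo; the recovery needs only public data.
from math import gcd

def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli: (x, product)."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)
    return x % M, M

def icbrt(x):
    """Exact integer cube root of x >= 0, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:                    # smallest mid with mid^3 >= x
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None

def broadcast_recover(ciphertexts, moduli):
    """Slide 81: c_i = m^3 mod N_i gives X = m^3 mod N1*N2*N3 by CRT; since
    m < min(N_i), m^3 < N1*N2*N3, so X is literally m^3 and m = X^(1/3)."""
    for i in range(len(moduli)):
        for j in range(i):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli share a factor: they factor directly")
    X, _ = crt(ciphertexts, moduli)
    return icbrt(X)

# Constructed toy moduli: products of two primes each, all primes = 2 mod 3
# so that gcd(3, phi(N)) = 1 and b = 3 is a legitimate RSA exponent.
N1, N2, N3 = 1013 * 1019, 1031 * 1049, 1061 * 1091
MESSAGE = 123457                      # constructed plaintext, smaller than every N_i

def demo():
    cs = [pow(MESSAGE, 3, N) for N in (N1, N2, N3)]
    return cs, broadcast_recover(cs, [N1, N2, N3])

if __name__ == "__main__":
    cs, m = demo()
    print("ciphertexts:", cs)
    print("recovered m:", m)           # 123457
```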

SLIDE 82

Low Decryption Exponent

  • The attack applies when the private key a is small, $a < \tfrac{1}{3} n^{1/4}$
  • In such a case ‘a’ can be computed efficiently

SLIDE 83

Partial Information of Plaintexts

Computing Jacobi of the plaintext

$y = x^b \bmod n$; y is the ciphertext, x the message and (n, b) the public key
$\gcd(b, \phi(n)) = \gcd(b, (p - 1)(q - 1)) = 1$. Thus, since $(p - 1)(q - 1)$ is even, b must be odd.

Consider the Jacobi symbol $\left(\frac{y}{n}\right) = \left(\frac{x^b}{n}\right) = \left(\frac{x}{n}\right)^b = \left(\frac{x}{n}\right)$, since b is odd and $\left(\frac{x}{n}\right) = \pm 1$

thus, RSA encryption leaks the value of the Jacobi symbol $\left(\frac{x}{n}\right)$

SLIDE 84

Partial Information of Plaintexts: first half or second half?

  • given $y = x^b \bmod n$,
    – is it possible to determine if (0 ≤ x < n/2) [first half] or (n/2 ≤ x < n-1) [second half]?
  • We prove that RSA does not leak this information
  • If there exists an efficient algorithm that can determine if x is in the first or second half then, the entire plaintext can be obtained

SLIDE 85

Binary Search Trees on x

Consider this function: $HALF(x) = \begin{cases} 0 & \text{if } 0 \leq x < \frac{n}{2} \\ 1 & \text{if } \frac{n}{2} \leq x \leq n - 1 \end{cases}$

Example, n = 13, x = 3 (starting interval [0, 13)):
  $x = 3 \bmod 13$,          HALF(x) = 0    → x ∈ [0, 6.5)      (not [6.5, 13))
  $2x \equiv 6 \bmod 13$,    HALF(2x) = 0   → x ∈ [0, 3.25)
  $4x \equiv 12 \bmod 13$,   HALF(4x) = 1   → x ∈ [1.625, 3.25)  (not [0, 1.625))
  $8x \equiv 11 \bmod 13$,   HALF(8x) = 1
  $16x \equiv 9 \bmod 13$,   HALF(16x) = 1  → x = 3

SLIDE 86

Partial Information of Plaintexts (first or second half proof)

  • Assume a hypothetical oracle called HALF as follows:
    $HALF(n, b, y) = \begin{cases} 0 & \text{if } 0 \leq x < \frac{n}{2} \\ 1 & \text{if } \frac{n}{2} \leq x \leq n - 1 \end{cases}$ where $y = x^b \bmod n$

$y \equiv x^b \pmod n$;  $2^b \cdot y \equiv (2x)^b \pmod n$;  $4^b \cdot y \equiv (4x)^b \pmod n$;  $8^b \cdot y \equiv (8x)^b \pmod n$;  $16^b \cdot y \equiv (16x)^b \pmod n$

  HALF(y) = 0          ⇒ x ∈ [0, n/2)      HALF(y) = 1          ⇒ x ∈ [n/2, n)
  HALF(2^b y) = 0      ⇒ x ∈ [0, n/4)      HALF(2^b y) = 1      ⇒ x ∈ [n/4, n/2)     (given HALF(y) = 0)
  HALF((2^b)^2 y) = 0  ⇒ x ∈ [0, n/8)      HALF((2^b)^2 y) = 1  ⇒ x ∈ [n/8, n/4)     (given the previous answers were 0)

slide-87
SLIDE 87

Example

n = 1457, b = 779, y = 722: record the oracle answers h_i = HALF(n, b, 2^{ib} y mod n) for i = 0, 1, 2, ... and run the binary search on [0, n).

[figure on the slide: table of the oracle answers h_i and the shrinking interval]

Thus, if we have an efficient function HALF, we can recover the plaintext message.
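The reduction from slides 84 to 87, as an added example (not the slides’ code). The HALF oracle is simulated with the private key, which is an assumption only the simulation needs: the recovery routine itself sees nothing but (n, b, y) and the oracle’s one-bit answers. The parameters n = 1457, b = 779, y = 722 are the slide’s; exact rational arithmetic keeps the interval endpoints from drifting.

```python
from fractions import Fraction


def rsa_private_exponent(p, q, b):
    return pow(b, -1, (p - 1) * (q - 1))


def make_half_oracle(n, a):
    """Simulated HALF oracle built from the private key a. The attack only
    ever calls it; it never reads a."""
    def half(y):
        x = pow(y, a, n)
        return 1 if 2 * x >= n else 0      # 1 iff x >= n/2
    return half


def recover_with_half(n, b, y, half):
    """Recover x from y = x^b mod n using only HALF queries.
    Query i is made on y * (2^b)^i = (2^i x)^b, i.e. on the plaintext 2^i x mod n.
    If x is known to lie in [lo, hi) with lo = j*n/2^i, then 2^i x mod n = 2^i x - j*n,
    which is >= n/2 exactly when x >= (lo + hi)/2, so each answer halves the interval."""
    k = n.bit_length()                     # floor(log2 n) + 1 queries: n / 2^k < 1
    two_b = pow(2, b, n)
    answers = []
    for _ in range(k):
        answers.append(half(y))
        y = y * two_b % n                  # ciphertext of 2x, 4x, 8x, ...
    lo, hi = Fraction(0), Fraction(n)
    for h in answers:
        mid = (lo + hi) / 2
        if h == 1:
            lo = mid
        else:
            hi = mid
    return int(hi)                         # floor(hi): the only integer left in [lo, hi)


if __name__ == "__main__":
    a = rsa_private_exponent(31, 47, 779)          # n = 31 * 47 = 1457
    x = recover_with_half(1457, 779, 722, make_half_oracle(1457, a))
    print(x, pow(x, 779, 1457) == 722)
```

The cost is ⌊log2 n⌋ + 1 oracle calls and one modular multiplication per call; no factoring, no modular inverse. The same structure underlies Bleichenbacher-style padding-oracle attacks, where the oracle bit comes from an implementation’s error behaviour rather than a hypothetical function.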

slide-88
SLIDE 88

Man in the Middle Attack

  • The process of encryption with a public key cipher

[figure: Alice encrypts with Bob’s public key and sends the ciphertext over the untrusted link]

Bob decrypts with his private key

slide-89
SLIDE 89

Man in the Middle Attack

  • The process of encryption with a public key cipher, with a man in the middle who intercepts the messages

[figure: Mallory sits between Alice and Bob; Alice receives Mallory’s public key in place of Bob’s]

Mallory decrypts with her private key and re-encrypts with Bob’s public key; Bob decrypts with his private key and sees an ordinary message. The attack works because nothing binds the public key Alice received to Bob’s identity, which is the problem certificates exist to solve.

slide-90
SLIDE 90

Searching the Message Space

  • Suppose the message space is small,

– Mallory can try all possible messages, encrypt each of them (since she knows Bob’s public key) and check if it matches Alice’s ciphertext

Textbook RSA is deterministic, so a match identifies the message without any key and Bob’s decryption is never needed; randomised padding is what defeats this search.

slide-91
SLIDE 91

Bad Prime Generation Algorithms

  • Suppose the prime generation was faulty

– So that the primes generated were always from a small subset
– Then, RSA can be broken: if N1 = p q1 and N2 = p q2 share the prime p, a single gcd(N1, N2) = p factors both moduli

  • Pairwise GCD of over a million RSA moduli collected from the Internet showed that

– 2 in 1000 have a common prime factor

Ron was Wrong, Whit is right, 2012 (Lenstra et al.)
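The scan described above, as an added example (not the paper’s code). Pairwise gcds over a million moduli would cost ~5·10^11 gcds; the product-tree / remainder-tree method below answers "does N_i share a factor with any other modulus?" for all i in quasi-linear time, which is how the 2012 scans were done in practice. The moduli are constructed 14-bit toys, two of which deliberately share the prime 103.

```python
from math import gcd


def product_tree(leaves):
    """Levels of a product tree: leaves, pairwise products, ..., [product of all]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels


def batch_gcd(moduli):
    """gcd(N_i, product of all other N_j) for every i.
    Walk the product tree back down computing P mod N^2 at each node (a child's
    square divides its parent's square, so reducing the parent's remainder is
    enough); then gcd((P mod N_i^2) / N_i, N_i) = gcd(P / N_i, N_i).
    A result > 1 is a shared prime (or N_i itself if it appears twice in the set)."""
    levels = product_tree(moduli)
    rems = levels[-1]                                  # [P]: P mod P^2 = P
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // x, x) for r, x in zip(rems, moduli)]


def naive_gcd_scan(moduli):
    """The O(n^2) version, kept only to cross-check batch_gcd on small inputs."""
    out = []
    for i, n in enumerate(moduli):
        g = 1
        for j, m in enumerate(moduli):
            if i != j:
                g = max(g, gcd(n, m)) if gcd(n, m) > 1 else g
        out.append(g)
    return out


def factor_shared(moduli):
    """Map each modulus that shares a proper factor with another one to (p, q)."""
    out = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if 1 < g < n:
            out[n] = (g, n // g)
    return out


# Constructed toy moduli: 101*103, 103*107, 109*113, 127*131, 137*139.
TOY_MODULI = [10403, 11021, 12317, 16637, 19043]

if __name__ == "__main__":
    print(batch_gcd(TOY_MODULI))
    print(factor_shared(TOY_MODULI))
```

For a real corpus the product P has the combined size of all moduli (gigabytes at a million 2048-bit keys), so the tree is built with a big-integer library with fast multiplication (GMP); Python’s integers are quadratic and suit only a demonstration.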

slide-92
SLIDE 92

Discrete Log Problem, ElGamal, and Diffie Hellman

STINSON : chapter 6

slide-93
SLIDE 93

Primitive Elements of a Group

  • Let (G, ·) be a group of order n and let α ∈ G
  • The order of α is the smallest positive integer m such that α^m = 1
  • If α has order n (= |G|), α is termed a primitive element of G: {α^i : 0 ≤ i ≤ n-1} generates all elements in G

Example: consider Z_13^* = {1, 2, 3, ..., 12}; (Z_13^*, ·) forms a group of order 12.
Let α = 7: <7> = {7, 10, 5, 9, 11, 12, 6, 3, 8, 4, 2, 1} (the powers 7^1, 7^2, ..., 7^12 mod 13)

<7> has order 12 and generates all elements in Z_13^*. Thus, 7 is a primitive element.

slide-94
SLIDE 94

Discrete Log Problem

  • Let (G, ·) be a group and let α ∈ G be a primitive element with order n
  • Define the set <α> = {α^i : 0 ≤ i ≤ n-1}
  • For any β ∈ <α> there is a unique integer a (0 ≤ a ≤ n-1) such that α^a = β. Denote a = log_α β, the discrete logarithm of β

Given α and a, it is easy to compute β. Given α and β, it is computationally difficult to determine what a was.

slide-95
SLIDE 95

ElGamal Public Key Cryptosystem

  • Fix a prime p (and the group Z_p^*)
  • Let α ∈ Z_p^* be a primitive element
  • Choose a secret ‘a’ and compute β ≡ α^a mod p

Private key: a    Public keys: p, α, β

Encryption
  choose a secret random k ∈ Z_{p-1}
  e_k(x) = (y_1, y_2), where y_1 = α^k mod p and y_2 = x · β^k mod p

Decryption
  d(y_1, y_2) = y_2 · (y_1^a)^{-1} mod p = x · β^k · (α^{ka})^{-1} mod p = x · α^{ka} · α^{-ka} mod p ≡ x

slide-96
SLIDE 96

ElGamal Example

  • p = 2579, α = 2 (α is a primitive element mod p)
  • Choose a random a = 765
  • Compute β ≡ 2^765 mod 2579 = 949

Encryption of message x = 1299:
  choose a random key k = 853
  y1 = 2^853 mod 2579 = 435
  y2 = 1299 × 949^853 mod 2579 = 2396

Decryption of cipher (435, 2396):
  2396 × (435^765)^{-1} mod p = 1299
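The scheme of slides 95 and 96 in code, as an added example (not from the slides or Stinson). The numbers are the slide’s (p = 2579, α = 2, a = 765, x = 1299, k = 853). The per-message value k is passed in explicitly so the textbook values reproduce; in real use it must be drawn fresh and uniformly for every message, and the last function shows what goes wrong when it is not, a caveat the slides do not cover.

```python
def elgamal_keygen(p, alpha, a):
    """Public key (p, alpha, beta = alpha^a mod p); private key a."""
    return (p, alpha, pow(alpha, a, p)), a


def elgamal_encrypt(pub, x, k):
    """(y1, y2) = (alpha^k, x * beta^k) mod p for the per-message secret k."""
    p, alpha, beta = pub
    return pow(alpha, k, p), x * pow(beta, k, p) % p


def elgamal_decrypt(pub, a, ct):
    """y2 * (y1^a)^-1 = x * beta^k * alpha^(-ka) = x (mod p)."""
    p, _, _ = pub
    y1, y2 = ct
    return y2 * pow(pow(y1, a, p), -1, p) % p


def reused_k_leak(pub, ct1, ct2, x1):
    """If two messages were encrypted with the same k, their y1 values coincide
    and y2' / y2 = x' / x, so knowing x reveals x' with no key at all.
    Returns x' (or None if k was not reused)."""
    p, _, _ = pub
    (y1, y2), (y1p, y2p) = ct1, ct2
    if y1 != y1p:
        return None
    return y2p * pow(y2, -1, p) % p * x1 % p


if __name__ == "__main__":
    pub, a = elgamal_keygen(2579, 2, 765)
    ct = elgamal_encrypt(pub, 1299, 853)
    print(pub, ct, elgamal_decrypt(pub, a, ct))
```

Note also that the slide’s decryption needs a modular inverse of y1^a; computing y1^(p-1-a) instead avoids the inversion and is the usual choice in constant-time implementations.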

slide-97
SLIDE 97

Finding the Log

β ≡ α^a mod p. Given α and β it is computationally difficult to determine what a was.

  • Brute force (compute intensive)

compute α, α^2, α^3, α^4, ... (until you reach β)
this would definitely work, but is not practical if p is large: time complexity O(p), space complexity O(1)

  • Memory intensive

precompute all values α^i, sort and store them. For any given β, look up the table of stored values: lookup complexity O(1), but space complexity O(n)

slide-98
SLIDE 98

Shank’s Algorithm

(also known as Baby-step Giant-step)

β ≡ α^a mod p

Rewrite a as a = mq + r, where m = ⌈√p⌉ (so 0 ≤ q, r < m)

β ≡ α^{mq + r} ≡ (α^m)^q · α^r mod p, hence β · α^{-r} ≡ (α^m)^q mod p

We know neither q nor r, so we try out values for q and r until we find a collision between the list of (α^m)^q and the list of β · α^{-r}

slide-99
SLIDE 99

Shank’s Algorithm (example)

  • p = 31 and α = 3. Suppose β = 6.
  • What is a?

m = ⌈√31⌉ = 6; α^2 = 9, α^3 = 27, α^4 = 81 ≡ 19, α^5 = 3 · 19 = 57 ≡ 26, α^6 = 3 · 26 = 78 ≡ 16 (mod 31)

List 1: (α^m)^q = 16^q mod 31 for q = 0, 1, 2, 3, 4, 5: 1, 16, 8, 4, 2, 1
List 2: β · α^{-r} mod 31 for r = 0, 1, ...: 6, 6 · 3^{-1} = 6 · 21 = 126 ≡ 2 (mod 31), ...

collision: (α^6)^4 ≡ 2 ≡ β · α^{-1} (mod 31)
Thus, m = 6, q = 4, r = 1, a = mq + r = 25. Check: 3^25 ≡ 6 (mod 31).

slide-100
SLIDE 100

Shank’s Algorithm

[algorithm figure on the slide]
Create List 1: the pairs (q, (α^m)^q mod p) for 0 ≤ q < m
Create List 2: the pairs (r, β · α^{-r} mod p) for 0 ≤ r < m
Find a collision: equal second coordinates give a = mq + r

slide-101
SLIDE 101

Complexity of Shank’s Algorithm

Create List 1: O(m); sort it: O(m log m)
Create List 2: O(m); look up each entry by binary search: O(log m) each, O(m log m) in all
Total: O(m log m) ~ O(m) = O(p^{1/2}) (up to the log factor), with O(m) memory
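Baby-step giant-step as described on slides 98 to 101, as an added example (not the slides’ code). List 1 is kept in a hash map, which replaces the sort-and-binary-search with O(1) lookups; the size parameter is ⌈√order⌉ with the order of Z_p^* (p − 1) as default, which is the tighter choice the algorithm admits. The tests solve the slide’s instance (α = 3, β = 6, p = 31) and recover the private key a = 765 of the ElGamal example from its public β = 949, which is exactly why p = 2579 is a toy.

```python
from math import isqrt


def shanks(alpha, beta, p, order=None):
    """Smallest a with alpha^a = beta (mod p), or None if beta is not in <alpha>.
    With m = ceil(sqrt(order)) write a = m*q + r, 0 <= q, r < m.
    List 1 (giant steps): (alpha^m)^q for q = 0..m-1, stored in a dict.
    List 2 (baby steps):  beta * alpha^(-r) for r = 0..m-1, generated one by one.
    A collision (alpha^m)^q = beta * alpha^(-r) gives a = m*q + r."""
    if order is None:
        order = p - 1                      # order of Z_p^*; pass the subgroup order if known
    m = isqrt(order)
    if m * m < order:
        m += 1                             # ceil(sqrt(order))
    alpha_m = pow(alpha, m, p)
    giant = {}
    g = 1
    for q in range(m):
        giant.setdefault(g, q)             # keep the smallest q for each value
        g = g * alpha_m % p
    alpha_inv = pow(alpha, -1, p)
    baby = beta % p
    best = None
    for r in range(m):
        if baby in giant:
            a = giant[baby] * m + r
            if best is None or a < best:
                best = a
        baby = baby * alpha_inv % p
    return best


def solve_dh_passively(g, p, A, B):
    """Eavesdropper's view of Diffie-Hellman: from the public A = g^a, B = g^b,
    take the log of A and compute the shared key B^a. Only feasible for toy p."""
    a = shanks(g, A, p)
    return None if a is None else pow(B, a, p)


if __name__ == "__main__":
    print(shanks(3, 6, 31), shanks(2, 949, 2579))
```

Both lists have ⌈√(p−1)⌉ entries, so the cost is O(√p) time and O(√p) memory; for a 2048-bit prime that is 2^1024 of each, which is the whole point. Pollard rho trades the memory away, and Pohlig-Hellman reduces the problem to the largest prime factor of the group order, which is why p must be chosen with p − 1 having a large prime factor.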

slide-102
SLIDE 102

Other Discrete Log Algorithms

  • Pohlig-Hellman Algorithm

β ≡ α^a mod p; used when the order n of α is composite with small prime factors: the log is found modulo each prime-power factor of n and the pieces are combined with the CRT, so the cost is governed by the largest prime factor of n, not by n itself

  • Pollard-Rho Algorithm

about the same runtime as Shank’s algorithm, O(√n), but with much smaller memory requirements, O(1)

slide-103
SLIDE 103

Diffie Hellman Problem

  • Let (G, ·) be a group and let α ∈ G be a primitive element with order n
  • Define the set <α> = {α^i : 0 ≤ i ≤ n-1}

Computational DH (CDH): given α, α^a and α^b, find α^{ab}

Decision DH (DDH): given α, α^a, α^b and α^c, determine whether c ≡ ab mod n
slide-104
SLIDE 104

Recall… Diffie Hellman Key Exchange

Alice and Bob agree upon a prime p and a generator g. This is public information.

Alice: choose a secret a, compute A = g^a mod p, send A to Bob
Bob: choose a secret b, compute B = g^b mod p, send B to Alice

Alice computes K = B^a mod p; Bob computes K = A^b mod p

A^b mod p = (g^a)^b mod p = (g^b)^a mod p = B^a mod p