RSA and Public Key Cryptography Cryptography Chester Rebeiro IIT - PowerPoint PPT Presentation

Test for Primes • How to generate large primes? – Select a random large number – Test whether or not the number is prime • What is the probability that the chosen number is a • What is the probability that the chosen number is a prime? – Let π(N) be the number of primes < N – From number theory, π(N) ≈ N/ln N – Therefore probability of a random number (< N) being a prime is 1/ln N • As N increases, it becomes increasingly difficult to find large primes CR 27

GIMPS • There are infinite prime numbers (proved by Euclid) • Finding them becomes increasingly difficult as N increases • GIMPS : Great Internet Mersenne Prime Search • GIMPS : Great Internet Mersenne Prime Search – Mersenne Prime has the form 2 n – 1 – Largest known prime (found in 2016) has 22 million digits 2 274,207,281 − 1 • $3000 to beat this ☺ CR https://en.wikipedia.org/wiki/Largest_known_prime_number 28

Primality Tests with Trial Division • School book methods (trial division) – Find if N divides any number from 2 to N-1 – find if N divides any number from 2 to N 1/2 – Find if N divides any prime number from 2 to N 1/2 – Too slow!!! • Need to divide by N-1 numbers • Need to divide by N 1/2 numbers • Need to divide by (N/lnN) 1/2 primes – For example, if n is approx 2 1024 , then need to check around 2 507 numbers • Need something better for large primes – Randomized algorithms CR 29

Randomized Algorithms for Primality Testing • Monte-carlo Randomized Algorithms – Always runs in polynomial time – May produce incorrect results with bounded probablity – Yes-based Monte-carlo method • Answer YES is always correct, but answer NO may be wrong – No-based Monte-carlo method • Answer NO is always correct, but answer YES may be wrong CR 30

Finding Large Primes (using Fermat’s Theorem) 1 ≡ is _ prime ( n ){ − a n 1 mod n If n is prime, then is true for any ‘a’ ← pick a Z n 1 ≡ 1 ≡ − − a n a n 1 1 mod mod n n If n is composite If n is composite − − ≡ ≡ n 1 if ( a 1 mod n ) is false but may be true for some values of a. return TRUE For example: n = 221 and a = 38 else 38 220 mod 221 ≡ 1. return FALSE We need to increase our confidence with more values of a } CR 31

Fermat’s Primality Test • Increasing confidence with multiple bases primality _ test ( n ){ = c 0 = < + + for ( i 0 ; i 1000 ; i ){ == if ( is _ prime ( n ) FALSE ) return COMPOSITE } return probably PRIME } CR 32

Flaw in the Fermat’s Primality Test Some composites act as primes. 1 ≡ − a n Irrespective of the ‘a’ chosen, the test 1 mod n passes. for example Carmichael numbers are composite numbers which for example Carmichael numbers are composite numbers which satisfy Fermat’s little theorem irrespective of the value of a. CR 33

Strong probable-primality test • If n is prime, the square root of a n-1 is either +1 or -1 2 ≡ a 1 mod n − ≡ 2 a 1 mod n + − ≡ ( a 1 )( a 1 ) 0 mod n + ≡ − ≡ either ( a 1 ) 0 mod n or ( a 1 ) 0 mod n CR 34

Miller-Rabin Primality Test • Yes-base primality test for composites • Does not suffer due to Carmichael numbers • Write n-1 = 2 s d – where d is odd and s is non-negative – where d is odd and s is non-negative – n is a composite if r ≠ ≠ − d d 2 a 1 mod n and ( a ) 1 mod n for all number r less than s CR 35

Proof of Miller-Rabin test • Write n-1 = 2 s d r ≠ ≠ − d d 2 a 1 mod n and ( a ) 1 mod n for all number r less than s • Proof: We prove the contra-positive. We will assume n to be • Proof: We prove the contra-positive. We will assume n to be prime. Thus, r ≡ ≡ − d d 2 a 1 mod n or ( a ) 1 mod n for some number r less than s CR 36

Proof of Miller-Rabin test Proof: We prove the contra-positive. We will assume n to be prime. Thus we prove, r ≡ ≡ − d d 2 a 1 mod n or ( a ) 1 mod n for for some some number number r r less less than than s s • Consider the sequence : 1 (Fermat ‘s) 1 2 3 s d 2 d 2 d 2 d 2 d a , a , a , a , , a L L – The roots of x 2 = 1 mod n is either +1 or -1 – In the sequence, if a d is 1, then all elements in the sequence will be 1 – If a d is not 1, then there should be some element in the sequence which is -1, in order to have the final element as 1 CR 37

Miller-Rabin Algorithm (test for composites) Input n − = s T 1 . Find an odd integer d such that n 1 2 d ∈ T 2 . Select at random a nonzero a Z n = d T 3 . Compute b a mod n = = ± ± If If b b 1 1 , , return return ' ' n n is is prime prime ' ' i = − ≡ 2 T 4 . For i 1 , , r 1 , calculate c b mod n L = − If c 1 , return ' n is prime ' T 5 . Otherwise return ' n is composite ' CR 38

Quadratic Residues • Example : m=13, square elements in Z 13 . 1,4,9, 3, 12, 10, 10, 12, 3, 9, 4, 1 1,4,9, 3, 12, 10, 10, 12, 3, 9, 4, 1 The quadratic residues Z 13 are therefore {1, 4, 3, 9, 10, 12} If an element is not a quadratic resiidue, then it is a quadratic non-residue quadratic non-residues in Z 13 are {2, 5, 6, 7, 8, 11} CR 39

Legendre Symbol  0 if p | a    a     = = 1 1 if if a a is is a a QR QR mod mod p p       p p      − 1 if a is a QNR mod p  Given p is an odd prime CR 40

Euler’s Criteria A result from Euler −   p 1 a   ≡ a mod p 2   p   ∃ ∈ ≡ 2 when a is a QR , x Z s . t . a x mod p p when p | a − − p 1 ( p 1 ) 2 − p 1 = ≡ a x mod p > 2 2 ≡ a 0 mod p 2 − ≡ p 1 x mod p ≡ 1 CR 41

when Quadratic Non Residue ∈ ≡ 2 when a is a QNR , no such x Z exists s . t . a x mod p p − p 1 − consider : a mod p ( note p 1 is even , if p is an odd prime ) 2 − ≡ p 1 squaring : a mod p 1 2 2   − −   p 1   ≡ so , a 1 mod p 2     − p 1 ≡ ± Thus , a 1 mod p 2 − p 1 ≠ a 1 mod p , since a is not a QR 2 − p 1 ≡ − Thus a 1 mod p 2 CR 42

Examples Congurence always hold −   p 1 a   ≡ a mod p 4 is a QR mod 13 2 n is an odd prime   p   − 13 1 ≡ ≡ 6 4 mod 13 4 mod 13 1 2 prime s holds when 5 5 is is a a QNR QNR mod mod 13 13 ≡ ≡ − 6 5 mod 13 12 mod 13 1 − 15 1 n is an odd prime Congurence may Euler’s Witness or may not hold ≡ ≡ − 7 7 mod 15 7 mod 15 2 2 when − 15 1 Euler’s Liar ≡ ≡ − 7 14 mod 15 14 mod 15 1 2 CR 43

Solovay Strassen Primality Test SOLOVAYSTR ASSEN ( n ){ ≤ ≤ choose a random integer a such that 1 a n- 1   a = compute x   n   How to compute = = if if ( ( x x 0 0 ) ) return return COMPOSITE COMPOSITE Legendre’s symbol − n 1 = compute y a mod n 2 ≡ if ( x y mod n ) return possibly PRIME else return COMPOSITE } error probability is at most ½ after k invocations of this algorithm, CR 44

Jacobi Symbol • Jacobi Symbol is a generalization of the Legendre symbol • Let n be any positive odd integer and a>=0 any integer. The Jacobi symbol is defined as: Suppose Suppose n n is is an an odd odd positive positive integer integer with with prime prime factorizat factorizat ion ion = × × × e e e e n p p p p ... 1 2 3 4 1 2 3 4 T Then, e e e e         1 2 3 4   a a a a a         = × × × ×   L          n  p p p p         1 2 3 4 CR 45

Jacobi Properties     a b ≡ =     P 1 . If a b mod n then  n   n  ≡ ±  1 if n 1 mod 8   2 =   P 2 .  − ≡ ± n 1 if n 3 mod 8          ab a b = =             P P 3 3 . .  n   n   n  k       a 2 t = = k P 4 . if a is even , a 2 t ,        n   n   n  P 5 . if a is odd ,    n − ≡ ≡   if n a 3 mod 4     a  a  =      n  n     otherwise   a   CR 46

Computing Jacobi From the theorem P5, P1, then P2 P5, P1, P5, P1, P3, P2 P5, P1, P5, P1, P3, P2 P5, P1 and 1 is a QR mod 13 CR 47

Factoring Algorithms CR 48

Factorization to get the private key • Public information (n, b) • If Mallory can factorize n into p and q then, • She can compute φ(n) = (p-1)(q-1) • She can then computethe private key by finding a ≡ b -1 mod φ(n) How to factorize n? CR 49

Trial Division Fundamental theorem of arithmetic Any integer number (greater than 1) is either prime or a product of prime powers = e e e e n p p p p L 1 2 3 k 1 2 3 k prime generation algorithm Prime factors of n cannot be greater than   n n = n / p : remove this factor from n Running Time of algorithm order of π(2 n/2 ) CR 50

Pollard p-1 Factorization = × n p q 1 < < choose a random integer a ( 1 a n ). ≠ If gcd( a , n ) 1 , then a is a prime factor. = However, this is most likely not the case as gcd (a,n) 1 . 4 2 Suppose we magically get an L such that p - 1 | L . How to find the magic L? L L − − We We use use L L to to compute compute ( ( a a 1 1 ). ). No easy way, trial and error!! − = − = p 1 | L ( p 1 ) k L > Factorials have a lot of divisors. So that ≡ − ≡ is a nice way. L ( p 1 ) k a a 1 mod p ( by Fermat ' s Little Theorem ) So, take L as a factorial of some − L Thus , p | a 1 number r. 3 L − Now compute gcd( a 1 , n ) − Since , p | n and p | a 1 , L L − gcd( a 1 , n ) is either p and may also be n . L − ≠ Thus if gcd( a 1 , n ) n , then we have found a factor of n. = − L L if gcd(a - 1, n) n, then q | a 1 also. Cannot conclude anything. CR 51

Pollard p-1 Factorization Pollard p-1 factorization for n. ← S 1 . a 2 S 2 . if gcd (a, n) > 1 , then this gcd is a prime factor of n, we are done. ← r! S 3 . compute d gcd (a - 1 , n) = = if if d d n n , , start start again again from from S S 1 1 with with next value next value of of a a = else if d 1 , increment r and repeat S 3 else d is the prime factor of n ; we are done! r = 2,3, 4, H.. Will the algorithm terminate? CR 52

Pollard Rho Algorithm • Form a sequence S1 by selecting randomly (with replacement) from the set Z n ≡ x x mod p S = 1 x , x , x , x , x , L 0 0 0 1 2 3 4 ≡ x x mod p • Also assume we magically find a 1 1 new sequence S2 comprising of new sequence S2 comprising of ≡ ≡ x x x x mod mod p p 2 2 = x x S 2 , , x , x , x , L where ≡ 0 1 2 3 4 x x mod p 3 3 ≡ x x mod p • If we keep adding elements to 4 4 x = x S1, we will eventually find an x i and x j (i≠j) such that i j When this happens, − p | ( x x ) i j − p | n also , gcd(( x x ), n ) is p . We found a factor of n ! ! Q CR i j 53

Doing without magic • Form a sequence S1 by selecting randomly (with replacement) from the set Z n S = 1 x , x , x , x , x , L 0 1 2 3 4 • For every pair i,j in the sequence compute • For every pair i,j in the sequence compute ← i − d gcd(( x x , n ) j • If d > 1 then it is a factor of n CR 54

Selecting elements of S1 To choose the next element of S1, Pollard suggests → f : Z Z using a function n n with requirement that the output looks random. 2 + 2 + = = f f ( ( x x ) ) x x 1 1 mod mod n n Example : Example :    x where x is chosen randomly from Z   = 0 0 n S 1    > = x i 0 and x f ( x − )    i i i 1 CR 55

Example This column is just • N= 82123, x 0 = 631, f(x) = x 2 + 1 for understanding. In reality we will not know this DrawbackH Large number of GCD Large number of GCD computations. In this case 55. Can we reduce the number of gcd computations ? Given x i mod N, we compute gcds of every pair until we find a gcd greater than 1 − = = gcd( x x , N ) gcd( 63222 , 82123 ) 41 A factor of N 3 10 CR 56

The Rho in Pollard-Rho • N= 82123, x 0 = 631, f(x) = x 2 + 1 21 26 5 32 2 0 1 40 40 11 16 = x x mod p + t t l • The smallest value of t and l, for which the above congruence holds is t=3, l =7 • For l =7, all values of t > 3 satisfy the congruence • This leads to a cycle as shown in the figure = ≥ x x mod p t 3 (and a shape like the Greek letter rho) + j j l CR 57

Reducing gcd computations • GCD computations can be expensive. • Use Floyd’s cycle detection algorithm to reduce the number of 21 GCD computations. 26 5 32 = = ∈ ∈ choose choose a a random random x x y y Z Z 0 0 0 0 n n 2 0 = x f ( x ) − i i 1 1 40 = = y x f ( f ( y )) loop − i 2 i i 1 11 = − > If d gcd( x y , N ) 0 , return d i i 16 claim : The first time x i = y i mod p occurs when i ≤ t + l CR 58

The first time x i = y i mod p occurs is when i ≤ t + l • l is the number of points in the cycle ≡ x y mod N • t is the smallest value of i such that i i x i and y i meet at the same point in the cycle Therefore, y i must have traversed (some) cycles more ≡ x y mod N i i + ) consider ( k 1 l ≡ x x mod N i 2 i = + ≤ + kl l t l − l | ( 2 i i ) = = l | i lk i > CR 59

Expected number of operations before a collision • Can be obtained from Birthday paradox to be p CR 60

Congruences of Squares • Given N=p x q, we need to find p and q 2 ≡ • Suppose we find an x and y such that 2 x y mod N • Then, − = − + 2 2 N | ( x y ) N | ( x y )( x y ) > • This implies, • This implies, − + gcd( N , ( x y )) or gcd( N , ( x y )) factors N CR 61

Example • Consider N = 91 ≡ ≡ 2 2 2 2 10 3 mod 91 34 8 mod 91 + − − + 91 | ( 10 3 )( 10 3 ) 91 | ( 34 8 )( 34 8 ) × × × × 91 91 | | ( ( 7 7 13 13 ) ) 91 91 | | 42 42 26 26 = gcd( 91 , 26 ) 13 = gcd( 91 , 13 ) 13 = gcd( 91 , 7 ) 7 = gcd( 91 , 42 ) 7 SoH we can use x and y to factorize N. 2 ≡ 2 x y mod N But how do we find such pairs? CR 62

Another Example • N = 1649 32 and 200 are not perfect squares. ≡ 2 41 32 mod 1649 However (32x200 = 6400) = 80 2 2 ≡ is a perfect square 43 200 mod 1649 × ≡ × 2 ( 41 43 ) ( 32 200 ) mod 1649 ≡ 2 80 mod 1649 Thus, it is possible to combine non-squares to form a prefect square CR the examples are borrowed from Mark Stamp (http://cs.sjsu.edu/faculty/stamp/) 63

Forming Perfect Squares Recall, Fundamental theorem of arithmetic Any integer number (greater than 1) is either prime or a product of prime powers = e e e e n p p p p L 1 2 3 k 1 2 3 k Thus, a number is a perfect square if it prime factors have even powers. Thus, a number is a perfect square if it prime factors have even powers. e , e , e ,... is even 1 2 3 Thus, 32 = 2 5 5 0 not a perfect square not a perfect square 200 = 2 3 5 2 (32x200) = 2 5 5 0 x 2 3 5 2 = 2 8 5 2 = (2 4 5 1 ) 2 is a prefect square CR 64

Dixon’s Random Squares Algorithm 1. Choose a set B comprising of ‘b’ smallest primes. Add -1 to this set. (A number is said to be b-smooth, if its factors are in this set) 2. Select an r at random = = 2 – Compute – Compute y y r r mod mod N N – Test if y factors completely in the set B. – If NO, then discard. ELSE save (y, r) (these are called B-smooth numbers) 3. Repeat step 2, until we have b+1 such (y,r) pairs 4. Solve the system of linear congruencies CR 65

Example • N = 1829 • b = 6 B = {-1, 2,3,5,7,11,13} • Choose random values of r, square and factorize All numbers are B-smooth except 60 and 75. Leave these and consider all others CR 66

Check Exponents -1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0 CR 67

Check Exponents -1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0 Find rows where exponents sum is even -65, 20, 63, -91 sum 2 2 2 2 2 0 2 × × × ≡ − × × × × × 2 2 ( 42 43 61 85 ) ( 1 2 3 5 7 13 ) mod 1829 2 ≡ 2 1459 901 mod 1829 CR 68

Final Steps × × × ≡ − × × × × × 2 2 ( 42 43 61 85 ) ( 1 2 3 5 7 13 ) mod 1829 2 ≡ 2 1459 901 mod 1829 + − 1829 | ( 1459 901 )( 1459 901 ) = = = = 1829 1829 | | 2360 2360 gcd( gcd( 1829 1829 , , 2360 2360 ) ) 59 59 > > = = 1829 | 558 gcd( 1829 , 558 ) 31 > = × Thus 1829 59 31 CR 69

State of the Art Factorization Techniques • Quadratic Sieve – Fastest for less than 100 digits • General Number field Sieve – Fastest technique known so far for greater than 100 digits – Open source code (google GGNFS) • • RSA factoring challenge RSA factoring challenge – Best so far is 768 bit factorization – Current challenges 896 bits (reward $75,000), 1024 bit ($100,000) CR https://en.wikipedia.org/wiki/RSA_Factoring_Challenge 70

RSA Attacks attacks that don’t require attacks that don’t require factorization algorithms CR 71

Φ(n) leaks • If an attacker gets Φ(n) then n can be factored = = n pq q n / p φ = − − ( n ) ( p 1 )( q 1 ) = = − − + + + + pq ( p q ) 1 n φ = − + + ( n ) n ( p ) 1 p − − φ + + = 2 p ( n ( n ) 1 ) p n 0 Solve to get p (a factor of n) CR 72

square roots of 1 mod n 2 ≡ y 1 mod n There are two trivial and two non-trivial solutions for The trivial solutions are +1 and -1 By CRT, these congruences ≡  y 1 mod p are equivalent  ≡ − y 1 mod p   ≡ 2 y 1 mod p ≡ 〈=〉 2 y 1 mod n  ≡ ≡ 2 y y 1 1 mod mod q q   ≡ ≡   y y 1 1 mod mod q q  ≡ − y 1 mod q  To get the non-trivial solutions solve using CRT ≡ − ≡ + y 1 mod p y 1 mod p ≡ + ≡ − y 1 mod q y 1 mod q CR 73

Example • n=403 = 13 x 31 2 ≡ y 1 mod n • To get the non-trivial solutions of solve using CRT ≡ − ≡ + y 1 mod p y 1 mod p ≡ + ≡ − y 1 mod q y 1 mod q − − ⋅ 1 − ⋅ 1 ( 31 31 mod 13 13 13 mod 31 ) mod 403 ⋅ − ⋅ ≡ ( 31 8 13 12 ) mod 403 92 − = 403 91 311 ≡ ≡ 2 2 Note : 92 311 1 mod 403 The non-trivial solutions are 92 and 311 ≡ + y 1 mod p What happens when we solve ≡ + y 1 mod q CR 74

Decryption exponent leaks • If the decryption exponent ‘a’ leaks, then n can be factored • The attacker can then compute ab ≡ φ φ = − ab 1 mod ( n ) k ( n ) ( ab 1 ) • Now, for any message x ≠ 0 • Now, for any message x ≠ 0 1 ≡ − x ab 1 mod n − ab 1 • Attack Plan, take square root : ≡ y x mod n 2 ≡ = − 2 2 y 1 mod n n | ( y 1 ) i.e. , > However we = − + n | ( y 1 )( y 1 ) need > ≠ ± y 1 − gcd( n , y 1 ) is a factor of n to have a non- trivial result CR 75

The Attack (basic idea) we assume we know the private key a ≡ φ ab 1 mod ( n ) − φ = − 1 . given a compute ab 1 k ( n ) ab 1 − ab 1 − ab 1 = 2 . Represent t = ≡ y x 2 1 mod n 2 1 − ≡ 3 . choose any message x 2 thus , ( y 1 ) 0 mod n 1 + + − − = = n n | | ( ( y y 1 1 )( )( y y 1 1 ) ) t t 4 4 . . put put y y x x mod mod n n ← − 5 . compute d gcd( y 1 , n ) This will only work if y ≠±1 mod n. ≠ 6 . if d 1 , return " a factor of n is d " ; exit If y = ±1 mod n. then goto step 7 = 7 . if ( t is even ) t t / 2 ; goto step 4 else return " failure " Probability of success of the attack is at-least 1/2 CR 76

Example • N=403, b=23, a=47 = − = = t ab 1 1080 x 2 1080 = = ≡ = ≡ t 540 loop 1 : t 540 y x mod 403 2 mod 403 1 2 540 = = = = ≡ ≡ = = ≡ ≡ t 270 loop loop 2 2 : : t t 270 270 y y x x mod mod 403 403 2 2 mod mod 403 403 311 311 2 = gcd( 310 , 403 ) 31 ( a factor of n ) = − = = t ab 1 1080 x 9 1080 = = ≡ t = 540 ≡ loop 1 : t 540 y x mod 403 9 mod 403 1 2 540 = = ≡ t = 270 ≡ loop 2 : t 270 y x mod 403 9 mod 403 1 2 270 = = ≡ = ≡ t 135 loop 3 : t 135 y x mod 403 9 mod 403 1 2 can’t divide 135 further. failure CR 77

Small Encryption Exponent • In order to improve efficiency of encryption, a small encryption exponent is preferred • However, this can lead to a vulnerability CR 78

Small Encryption Exponent c 1 Alice m 3 mod N 1 m c 2 m 3 mod N 2 c 3 m 3 mod N 2 Insecure channel • Consider, Alice sending the same message x to 3 different people. • Each having a different N (say N 1 , N 2 , N 3 ) • But same public key b (say 3) CR 79

Small Encryption Exponent c 1 Alice m 3 mod N 1 m ≡ 3 c m mod N c 2 1 1 m 3 mod N 2 ≡ 3 c m mod N 2 2 c 3 ≡ 3 c m mod N 3 3 m 3 mod N 2 Insecure channel • Consider, Alice sending the same message x to 3 different people. • Each having a different N (say N 1 , N 2 , N 3 ) • But same public key b (say 3) • This allows Mallory to snoop in and get 3 ciphertexts CR 80

Small Encryption Exponent By CRT  ≡ 3 c m mod N 1 1  ≡ 〈=〉 ≡ ⋅ ⋅ 3 3 c m mod N X m mod( N N N )  2 2 1 2 3  ≡ 3 c m mod N  3 3 • Thus, Mallory can compute X • Thus, Mallory can compute X • Since m < N 1 , m<N 2 , m<N 3 => n < ( N 1 x N 2 x N 3 ) • Thus, X 1/3 =m – i.e. The message can be decrypted It is tempting to have small private and public keys, so that encryption or decryption may be carried out efficiently. However you would do this at the cost of security!! CR 81

Low Decryption Exponent • The attack applies when the private key a is 4 n small, a < 3 • In such a case ‘a’ can be computed efficiently • In such a case ‘a’ can be computed efficiently CR 82

Partial Information of Plaintexts Computing Jacobi of the plaintext ≡ b y x mod n y is the ciphertext ; x the message = b is the public key and gcd( b, φ ( n )) 1 = Thus, gcd (b, (p- 1 )(q- 1 )) 1 − − ( p 1 )( q 1 ) is even , therefore b must be odd consider Jacobi   y = ±   1  n  b  y   x   x  = =        n   n   n  since b is odd   x   thus, RSA encryption leaks the value of the Jacobi symbol  n  CR 83

Partial Information of Plaintexts first half or second half? • given y = x b mod n, – is it possible to determine if (0 ≤ x < n/2) or (n/2 ≤ x < n-1) first half second half • We prove that RSA does not leak this information • If there exists an efficient algorithm that can determine if x is in the first or second half then, the entire plaintext can be obtained CR 84

Binary Search Trees on x Consider this function [0,13)  n ≤ < 0 if 0 x  0 2 = HALF ( x ) [6.5,13)  [0-6.5) n  ≤ < − 1 if x n 1  0 2 [0,3.25) example = = = = x x 3 3 mod mod 13 13 HALF HALF ( ( x x ) ) 0 0 1 1 [0,1.625) [0,1.625) ≡ = 2 x 6 mod 13 HALF ( 2 x ) 0 ≡ = [1.625,3.25) 4 x 12 mod 13 HALF ( 4 x ) 1 ≡ = 8 x 11 mod 13 HALF ( 8 x ) 1 ≡ = 16 x 9 mod 13 HALF ( 16 x ) 1 3 CR 85

Partial Information of Plaintexts (first or second half proof) • Assume a hypothetical oracle called HALF as follows  n ≤ < 0 if 0 x  2 = HALF ( n , b , y )  n  ≤ < − 1 if x n 1 ≡ b y x mod n  2 b ⋅ ≡ b 2 y ( 2 x ) mod n n n [ [ , ) ) b b ⋅ ⋅ ≡ ≡ b b 4 4 y y ( ( 4 4 x x ) ) mod mod n n = = = = ∈ ∈ HALF HALF ( ( y y ) ) 0 0 x x 0 0 , > 2 b ⋅ ≡ b 8 y ( 8 x ) mod n b ⋅ ≡ b 16 y ( 16 x ) mod n n n n [ ) [ ) b = = ∈ b = = ∈ HALF ( 2 y ) 0 x 0 , HALF ( 2 y ) 1 x , > > 4 4 2 n n n [ ) [ ) 2 b = = ∈ 2 b = = ∈ HALF ( 2 y ) 0 x 0 , HALF ( 2 y ) 0 x , > > 8 8 4 CR 86

Example n=1457, b=779, y=722 h i 1 0 1 0 1 1 1 1 1 1 0 0 Thus, if we have an efficient function HALF, we can recover the plaintext message. CR 87

Man in the Middle Attack • The process of encryption with a public key cipher Bob decrypts with his private key CR 88

Man in the Middle Attack • The process of encryption with a public key cipher Man in the middle Intercepts messages Mallory decrypts with her private key and re- Bob decrypts encrypts with his private with Bob’s key public key CR 89

Searching the Message Space • Suppose message space is small, – Mallory can try all possible messages, encrypt them (since she knows Bob’s public key) and check if it matches Alice’s ciphertext if it matches Alice’s ciphertext Bob decrypts with his private key CR 90

Bad Prime Generation Algorithms • Suppose the prime generation was faulty – So that, primes generated were always from a small subset – Then, RSA can be broken – Then, RSA can be broken • Pairwise GCD of over a million RSA modulii collected from the Internet showed that – 2 in 1000 have a common prime factor CR Ron was Wrong, Whit is right, 2012 91

Discrete Log Problem, ElGamal, and Diffie Hellman and Diffie Hellman CR STINSON : chapter 6 92

Primitive Elements of a Group ⋅ Let (G, ) be a group of order n . α ∈ Let G, α α m The order of is the smallest integer m such that = 1 α is termed as a primitive element if it has order n . α If is a primitive element th en α = α ≤ ≤ i { : 0 i n - 1} generates all elements in G * = Consider Z { 1 , 2 , 3 , , 12 } L 13 ⋅ * ( Z , ) forms a group of order 12 13 <7> has order 12 ∈ * Let 7 Z , 13 and generates all elements in Z. = 7 { 7 , 10 , 5 , 9 , 11 , 12 , 6 , 3 , 8 , 4 , 2 , 1 } Thus, 7 is a primitive element CR 93

Discrete Log Problem ⋅ Let ( G , ) be a group α ∈ Let G be a primitive element in the group with order n Define the set α = α i ≤ ≤ − { : 0 i n 1 } ≤ ≤ − For any unique integer a ( 0 a n 1 ), α = β a let = β β Denote a log as the discrete logarithm of α Given α and a, it is easy to compute β Given α and β it is computationally difficult to determine what a was CR 94

ElGamal Public Key Cryptosystem • Fix a prime p (and group Z p ) • Let be a primitive element α ∈ Z p a mod • Choose a secret ‘a’ and compute β ≡ α p α α , β , β a a Public keys : Public keys : , , p p Private key : Private key : Encryption Decryption − = a 1 ← d ( x ) y ( y ) mod p choose a random (sec ret ) k Z p k 2 1 = e ( x ) ( y , y ) = ⋅ β α − k ka 1 x ( ) mod p k 1 2 = α k where y mod p , = ⋅ α α − ka ka 1 1 x ( ) mod p = ⋅ β k y x mod p CR 2 ≡ x 95

ElGamal Example • p = 2579, α = 2 (α is a primitive element mod p) • Choose a random a = 765 • Compute β ≡ 2 765 mod 2579 Encryption of message x = 1299 choose a random key k = 853 y 1 = 2 853 mod 2579 = 435 y 2 = 1299 x 949 853 = 2396 Decryption of cipher (435, 2396) 2396 x (435 765 ) -1 mod p = 1299 CR 96

Finding the Log a mod β ≡ α p Given α and β it is computationally difficult to determine what a was • Brute force (compute intensive) α α α α α α α α 2 3 4 , , , , , , ...... ...... compute compute (until you reach β) (until you reach β) this would definitely work, but not practical if p is large complexity O(p), space complexity O(1) • Memory Intensive α α α α 2 3 4 precompute , , , ...... (all values). Sort and store. For any given β look up the table of stored values. complexity O(1) but space complexity O(n) CR 97

Shank’s Algorithm (also known as Baby-step Giant-step) a mod β ≡ α p = + Rewrite a as a mq r     = where m p β ≡ α α mq r mod p ( ) q β α − ≡ α m r mod p We neither know q nor r, so we need to try out several values for q and r until we find a collision CR 98

Shank’s Algorithm (example) • p= 31 and α=3. Suppose β=6. • What is a? − = 1 6   ( 3 ) mod 31 2 = 31 = m 6 collision collision α ≡ β β α α − − = = ⋅ ⋅ = = 6 6 0 0 0 0 3 ( ) 6 2 6 α ≡ β α − = ⋅ = 2 6 1 1 9 ( ) 6 2 12 List 1 List 2 α ≡ β α − = ⋅ = 3 6 2 2 27 ( ) 6 2 24 α = ≡ β α − = ⋅ ≡ 4 6 3 3 81 19 mod 31 ( ) 6 2 17 mod 31 α = ⋅ ≡ β α − = ⋅ ≡ 5 6 4 4 19 3 26 mod 31 ( ) 6 2 3 mod 31 Thus, m=6, q=4, r=1, a= mq+r = 25 CR 99

Shank’s Algorithm Create List 1 Create List 1 Create List 2 Find collision CR 100