RSA and Public Key Cryptography Chester Rebeiro IIT Madras CR CR - PowerPoint PPT Presentation

Montgomery’s Trick (why it works) Montgomery ' s trick 1) t = a ⋅ b 2) u = ( t + (( t mod R ) ⋅ m 'mod R ) ⋅ m ) / R 3) if ( u ≥ m ) return u − m ; else return u . • First note that R | t • Then R | ( t ⋅ m ' ⋅ m mod R ) .... this follows because RR − 1 − m ' m = 1; then takemod R • Therefore R | ( t + t ⋅ m ' ⋅ m mod R ) .... the division in step 2 is valid • u ⋅ R = t + t ⋅ m ' ⋅ m mod R = t + t ⋅ m ' ⋅ m = t + k ⋅ m = t mod m CR CR 30

Montgomery Mul<plier in the Montgomery Ladder Input: c, y Output: y c mod N exp(c,y) { Convert to Montgomery domain. R0 = 1 * R mod N R1 = y * R mod N for i=n-1 to 0 do if ci = 0 then R1 = R0 * R1 R0 = R0 * R0 Multiplications in Montgomery domain. else Note. Each result is also in Montgomery R0 = R0 * R1 domain. R1 = R1 * R1 Return to Original domain return (R0 * R -1 ) } CR CR 31

Speeding RSA decryp<on with CRT • DecrypAon is done as follows : x = y a mod n • Bob can also decrypt by using CRT x = y a mod p x = y a mod q (since he knows the factors of n, i.e. p,q) • CRT turns out to be much faster since the size (in bits) of p and q is about ½ that of n CR CR 32

Mul<-precision libraries • GMP : GNU MulA-precision library • Make use of Intel’s SSE/AVX instrucAons – These are SIMD instrucAons that have large registers (128, 256, 512 bit) • Crypto libraries – OpenSSL, PolarSSL, NaCL, etc. CR CR 33

RSA Speeds CR CR 34

RSA Speeds 32 Bit ARM Cortex 16 Bit TI Micro-controller CR CR 35

Finding Primes CR CR 36

Test for Primes • How to generate large primes? – Select a random large number – Test whether or not the number is prime • What is the probability that the chosen number is a prime? – Let π(N) be the number of primes < N – From number theory, π(N) ≈ N/ln N – Therefore probability of a random number (< N) being a prime is 1/ln N • As N increases, it becomes increasingly difficult to find large primes CR CR 37

GIMPS • There are infinite prime numbers (proved by Euclid) • Finding them becomes increasingly difficult as N increases • GIMPS : Great Internet Mersenne Prime Search – Mersenne Prime has the form 2 n – 1 – Largest known prime (found in Dec 2017) has 23 million digits 2 77,232,917 − 1 • $3000 to beat this J CR CR hPps://en.wikipedia.org/wiki/Largest_known_prime_number 38

Primality Tests with Trial Division • School book methods (trial division) – Find if N divides any number from 2 to N-1 – find if N divides any number from 2 to N 1/2 – Find if N divides any prime number from 2 to N 1/2 – Too slow!!! • Need to divide by N-1 numbers • Need to divide by N 1/2 numbers • Need to divide by (N/lnN) 1/2 primes – For example, if n is approx 2 1024 , then need to check around 2 507 numbers • Need something bePer for large primes – Randomized algorithms CR CR 39

Randomized Algorithms for Primality Tes<ng • Monte-carlo Randomized Algorithms – Always runs in polynomial Ame – May produce incorrect results with bounded probability – Yes-based Monte-carlo method • Answer YES is always correct, but answer NO may be wrong – No-based Monte-carlo method • Answer NO is always correct, but answer YES may be wrong CR CR 40

Finding Large Primes (using Fermat’s Theorem) 1 ≡ a n − 1 mod n If n is prime, then is true for any ‘a’. Therefore the algorithm would always return FALSE. is _ composite ( n ){ 1 ≡ a n − 1 mod n If n is composite pick a ← Z n is false but may be true for some if ( a n − 1 ≡ 1mod n ) choices of a. In this case, the algorithm may return TRUE sometime and FALSE other times. returnFALSE For example: n = 221 (13*17) else and a = 38 then 38 220 mod 221 ≡ 1. returnTRUE (FALSE returned) } We need to increase our confidence with more values of a CR CR 41

Fermat’s Primality Test • Increasing confidence with mulAple bases primality _ test ( n ){ c = 0 for ( i = 0; i < 1000; ++ i ){ if ( is _ composite ( n ) == TRUE ) returnCOMPOSITE } return probablyPRIME } CR CR 42

Carmichael Number Some composites act as primes. 1 ≡ Irrespective of the ‘a’ chosen, the test a n 1 mod n − passes. for example Carmichael numbers are composite numbers which satisfy Fermat’s little theorem irrespective of the value of a. Eg. 561 = 3 x 11 x 17 CR CR 43

Strong probable-primality test • If n is prime, the square root of a n-1 is either +1 or -1 n − 1 2 = b let a b 2 ≡ 1mod n b 2 − 1 ≡ mod n ( b + 1)( b − 1) ≡ 0mod n either ( b + 1) ≡ 0mod n or ( b − 1) ≡ 0mod n CR CR 44

Miller-Rabin Primality Test • Yes-base primality test for composites • Does not suffer due to Carmichael numbers • Write n-1 = 2 s d – where d is odd and s is non-negaAve – n is a composite if a d ≠ 1mod n and ( a d ) 2 r ≠ − 1mod n forallnumbersrlessthans CR CR 45

Proof of Miller-Rabin test • Write n-1 = 2 s d r d d 2 a 1 mod n and ( a ) 1 mod n ≠ ≠ − for all number r less than s • Proof: We prove the contra-posiAve. We will assume n to be prime. Thus, r d d 2 a 1 mod n or ( a ) 1 mod n ≡ ≡ − for some number r less than s CR CR 46

Proof of Miller-Rabin test Proof: We prove the contra-posiAve. We will assume n to be prime. Thus we prove, r d d 2 a 1 mod n or ( a ) 1 mod n ≡ ≡ − for some number r less than s 1 (Fermat ‘s and we assume n is prime) • Consider the sequence : a d , a 2 1 d , a 2 2 d , a 2 3 d , !! , a 2 s − 1 d , a 2 s d – The roots of x 2 = 1 mod n is either +1 or -1 – In the sequence, if a d is 1, then all elements in the sequence will be 1 – If a d is not 1, then there should be some element in the sequence which is -1, in order to have the final element as 1 CR CR 47

Miller-Rabin Algorithm (test for composites) Input n s T 1 . Find an odd integer d such that n 1 2 d − = T 2 . Select at random a nonzero a Z ∈ n d T 3 . Compute b a mod n = If b 1 , return ' n is prime ' = ± i 2 T 4 . For i 1 , � , r 1 , calculate c b mod n = − ≡ If c 1 , return ' n is prime ' = − T 5 . Otherwise return ' n is composite ' CR CR 48

Quadra<c Residues • Example : m=13, square elements in Z 13 . a cannot be 0 1,4,9, 3, 12, 10, 10, 12, 3, 9, 4, 1 The quadraAc residues Z 13 are therefore {1, 4, 3, 9, 10, 12} If an element is not a quadratic residue, then it is a quadratic non-residue quadratic non-residues in Z 13 are {2, 5, 6, 7, 8, 11} CR CR 49

Legendre Symbol 0 if p | a ⎧ a ⎛ ⎞ ⎪ 1 if a is a QR mod p ⎜ ⎟ = ⎨ ⎜ ⎟ p ⎝ ⎠ ⎪ 1 if a is a QNR mod p − ⎩ Given p is an odd prime CR CR 50

Euler’s Criteria A result from Euler p 1 − a ⎛ ⎞ a mod p 2 ⎜ ⎟ ≡ ⎜ ⎟ p ⎝ ⎠ 2 when a is a QR , x Z s . t . a x mod p ∃ ∈ ≡ p when p | a p 1 ( p 1 ) − − 2 p 1 − ▹ a x mod p 2 2 = ≡ a 0 mod p 2 ≡ p 1 x mod p − ≡ 1 ≡ CR CR 51

when Quadra<c Non Residue 2 when a is a QNR , no such x Z exists s . t . a x mod p ∈ ≡ p p 1 − consider : a mod p ( note p 1 is even , if p is an odd prime ) 2 − p 1 squaring : a − mod p 1 ≡ 2 p 1 − ⎛ ⎞ so , a 1 mod p 2 ⎜ ⎟ ≡ ⎜ ⎟ ⎝ ⎠ p 1 − Thus , a 1 mod p 2 ≡ ± p 1 − a 1 mod p , since a is not a QR 2 ≠ p 1 − Thus a 1 mod p 2 ≡ − CR CR 52

Examples Congruence always holds when p 1 a − ⎛ ⎞ a mod p 4 is a QR mod 13 2 ⎜ ⎟ ≡ n is an odd prime ⎜ ⎟ p ⎝ ⎠ 13 1 − 6 4 mod 13 4 mod 13 1 2 ≡ ≡ 5 is a QNR mod 13 6 5 mod 13 12 mod 13 1 ≡ ≡ − 15 1 Congruence may or may not hold − Euler’s Witness n is not prime 7 7 mod 15 7 mod 15 2 2 ≡ ≡ − when 15 1 Euler’s Liar − 7 14 mod 15 14 mod 15 1 2 ≡ ≡ − CR CR 53

Solovay Strassen Primality Test SOLOVAYSTR ASSEN ( n ){ choose a random integer a such that 1 a n- 1 ≤ ≤ a ⎛ ⎞ compute x = ⎜ ⎟ n ⎝ ⎠ How to compute if ( x 0 ) return COMPOSITE = Legendre’s symbol n 1 − compute y a mod n 2 = if ( x y mod n ) return possibly PRIME ≡ else return COMPOSITE } error probability is at most ½ CR CR 54

Jacobi Symbol • Jacobi Symbol is a generalizaAon of the Legendre symbol • Let n be any posiAve odd integer and a>=0 any integer. The Jacobi symbol is defined as: Suppose n is an odd positive integer with prime factorizat ion e e e e n p p p p ... = × × × 1 2 3 4 1 2 3 4 T Then, e e e e 1 2 3 4 a a a a a ⎛ ⎞ ⎛ ⎞ ⎛ ⎞ ⎛ ⎞ ⎛ ⎞ � ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ = × × × × ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ n p p p p ⎝ ⎠ ⎝ ⎠ ⎝ ⎠ ⎝ ⎠ ⎝ ⎠ 1 2 3 4 CR CR 55

Jacobi Proper<es a b ⎛ ⎞ ⎛ ⎞ P 1 . If a b mod n then ≡ = ⎜ ⎟ ⎜ ⎟ n n ⎝ ⎠ ⎝ ⎠ 1 if n 1 mod 8 2 ≡ ± ⎧ ⎛ ⎞ P 2 . = ⎜ ⎟ ⎨ n 1 if n 3 mod 8 − ≡ ± ⎝ ⎠ ⎩ ab a b ⎛ ⎞ ⎛ ⎞ ⎛ ⎞ P 3 . = ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ n n n ⎝ ⎠ ⎝ ⎠ ⎝ ⎠ k a 2 t ⎛ ⎞ ⎛ ⎞ ⎛ ⎞ k P 4 . if a is even , a 2 t , = = ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ n n n ⎝ ⎠ ⎝ ⎠ ⎝ ⎠ P 5 . if a is odd , n ⎧ ⎛ ⎞ if n a 3 mod 4 − ≡ ≡ ⎜ ⎟ ⎪ a a ⎛ ⎞ ⎪ ⎝ ⎠ = ⎜ ⎟ ⎨ n n ⎛ ⎞ ⎝ ⎠ ⎪ otherwise ⎜ ⎟ a ⎪ ⎝ ⎠ ⎩ CR CR 56

Compu<ng Jacobi From the theorem P5, P1, then P2 P5, P1, P5, P1, P3, P2 P5, P1 and 1 is a QR mod 13 CR CR 57

Factoring Algorithms CR CR 58

Factoriza<on to get the private key • Public informaAon (n, b) • If Mallory can factorize n into p and q then, • She can compute φ(n) = (p-1)(q-1) • She can then computethe private key by finding a ≡ b -1 mod φ(n) How to factorize n? CR CR 59

Trial Division Fundamental theorem of arithmeAc Any integer number (greater than 1) is either prime or a product of prime powers e e e e � n p p p p = 1 2 3 k 1 2 3 k prime generation algorithm Prime factors of n cannot be greater than ⎣ n ⎦ n = n / p : remove this factor from n Running Time of algorithm order of π (n 1/2 ) CR CR 60

Pollard p-1 Factoriza<on 1 n p q choose arandom integer a (1 < a < n ). = × If gcd( a , n ) ≠ 1,then a is a prime factor. However, this is most likely not the case. 2 Supposeweselectsome Land compute d=gcd(a L -1,n) why a L -1? since d is prime and d |( a L − 1) if 1 < d < n then we have factored n d | n and d |( a L − 1) a L ≡ 1mod d d has to be the prime p or the prime q ϕ ( d )| L => ( d − 1)k= L Thus we need to find L which is some factor of ( d − 1). 3 If gcd( a L − 1, n ) = n How to choose L? No easy way, trial and This is possible only when p | n and p | a L − 1 ( or q | n and q | a L − 1) error!! and a L − 1 > n Factorials have a lot of divisors. So that is a nice way. So, take L as a factorial of some number r. CR CR 61

Pollard p-1 Factoriza<on Pollard p-1 factorization for n. S 1 . a 2 ← S 2 . if gcd (a, n) > 1 , then this gcd is a prime factor of n, we are done. r! S 3 . compute d gcd (a - 1 , n) ← if d n , start again from S 1 with next value of a = else if d 1 , increment r and repeat S 3 = else d is the prime factor of n ; we are done! r = 2,3, 4, … .. 1. Will the algorithm terminate? 2. When will we choose the next value of a? (will we get an infinite loop?) When r = d-1 then L = r! = (d-1)! = d-1(d-2)! = (d-1)k (d-1) | L à we will get the gcd(a k(d-1) , n) = n or its prime factor. CR CR 62

Pollard Rho Algorithm • Form a sequence S1 by selecAng randomly (all different) from the set Z n x x mod p ≡ S = 1 x , x , x , x , x , � 0 0 0 1 2 3 4 x x mod p ≡ • Also assume we magically find a 1 1 new sequence S2 comprising of x x mod p ≡ 2 2 x x � S = 2 , , x , x , x , where 0 1 2 3 4 x x mod p ≡ 3 3 x x mod p • If we keep adding elements to ≡ 4 4 x = x S1, we will eventually find an x i and x j (i≠j) such that i j When this happens, p | ( x x ) − i j ∵ p | n also , gcd(( x x ), n ) is p . We found a factor of n ! ! − CR CR i j 63

Doing without magic • Form a sequence S1 by selecAng randomly (with replacement) from the set Z n S = 1 x , x , x , x , x , � 0 1 2 3 4 • For every pair i,j in the sequence compute d gcd(( x x , n ) ← i − j • If d > 1 then it is a factor of n CR CR 64

Selec<ng elements of S1 To choose the next element of S1, Pollard suggests using a funcAon f : Z Z → n n with requirement that the output looks random. 2 + f ( x ) x 1 mod n Example : = x where x is chosen randomly from Z ⎛ ⎞ ⎧ 0 0 n S 1 ⎜ ⎟ = ⎨ ⎜ ⎟ x i 0 and x f ( x − ) > = ⎩ ⎝ ⎠ i i i 1 CR CR 65

Example This column is just for understanding. • N= 82123, x 0 = 631, f(x) = x 2 + 1 In reality we will not know this Drawback … Large number of GCD Computations. 55 gcd computations in this case Can we reduce the number of gcd computations ? Given x i mod N, we compute gcds of every pair until we find a gcd greater than 1 gcd( x x , N ) gcd( 63222 , 82123 ) 41 A factor of N − = = 3 10 CR CR 66

The Rho in Pollard-Rho • N= 82123, x 0 = 631, f(x) = x 2 + 1 21 26 5 32 2 0 1 40 11 16 x x mod p = t t l + • The smallest value of t and l, for which the above congruence holds is t=3, l =7 • For l =7, all values of t > 3 satisfy the congruence • This leads to a cycle as shown in the figure x x mod p t 3 = ≥ (and a shape like the Greek letter rho) j j l + CR CR 67

Reducing gcd computa<ons • GCD computaAons can be expensive. • Use Floyd’s cycle detecAon algorithm to reduce the number 21 of GCD computaAons. 26 5 32 choose a random x y Z = ∈ 0 0 n 2 0 x f ( x ) = i i 1 1 − 40 y x f ( f ( y )) loop = = i 2 i i 1 − 11 If d gcd( x y , N ) 0 , return d = − > i i 16 claim : The first time x i = y i mod p occurs when i ≤ t + l This means that we get a collision before x completing an entire circle CR CR 68

The first <me x i = y i mod p occurs is when i ≤ t + l l • l is the number of points in the cycle • t is the smallest value of i such that x i ≡ y i mod p x i and y i meet at the same point in the cycle Therefore, y i must have traversed (some) cycles more x i ≡ y i mod N consider i = ( k + 1) l = t + ( − t mod l ) x i ≡ x 2 i mod N ≤ t + l l |(2 i − i ) l | i = ▹ l ( k + 1) = i ( − t mod l ) CR CR 69

Expected number of opera<ons before a collision • Can be obtained from Birthday paradox to be p CR CR 70

Congruences of Squares • Given N=p x q, we need to find p and q 2 ≡ • Suppose we find an x and y such that 2 x y mod N • Then, 2 2 N | ( x y ) ▹ N | ( x y )( x y ) − = − + • This implies, gcd( N ,( x − y )) and gcd( N ,( x + y )) factors N CR CR 71

Example • Consider N = 91 2 2 2 2 10 3 mod 91 34 8 mod 91 ≡ ≡ 91 | ( 10 3 )( 10 3 ) 91 | ( 34 8 )( 34 8 ) + − − + 91 | 42 26 91 | ( 7 13 ) × × gcd( 91 , 26 ) 13 gcd( 91 , 13 ) 13 = = gcd( 91 , 7 ) 7 gcd( 91 , 42 ) 7 = = So … we can use x and y to factorize N. 2 ≡ 2 x y mod N But how do we find such pairs? CR CR 72

Another Example • N = 1649 32 and 200 are not perfect squares. 2 41 32 mod 1649 ≡ However (32x200 = 6400) = 80 2 is a perfect square 2 43 200 mod 1649 ≡ 2 ( 41 43 ) ( 32 200 ) mod 1649 × ≡ × 2 80 mod 1649 ≡ Thus, it is possible to combine non-squares to form a prefect square CR CR the examples are borrowed from Mark Stamp (http://cs.sjsu.edu/faculty/stamp/) 73

Forming Perfect Squares Recall, Fundamental theorem of arithmeAc Any integer number (greater than 1) is either prime or a product of prime powers e e e e � n p p p p = 1 2 3 k 1 2 3 k Thus, a number is a perfect square if it prime factors have even powers. e , e , e ,... is even 1 2 3 Thus, 32 = 2 5 5 0 not a perfect square 200 = 2 3 5 2 not a perfect square (32x200) = 2 5 5 0 x 2 3 5 2 = 2 8 5 2 = (2 4 5 1 ) 2 is a prefect square CR CR 74

Dixon’s Random Squares Algorithm 1. Choose a set B comprising of ‘b’ smallest primes. Add -1 to this set. (A number is said to be b-smooth, if its factors are in this set) 2. Select an r at random 2 – Compute y r mod N = – Test if y factors completely in the set B. – If NO, then discard. ELSE save (y, r) (these are called B-smooth numbers) 3. Repeat step 2, unAl we have b+1 such (y,r) pairs 4. Solve the system of linear congruencies CR CR 75

Example • N = 1829 • b = 6 B = {-1, 2,3,5,7,11,13} • Choose random values of r, square and factorize All numbers are 6-smooth except 60 and 75. Leave these and consider all others CR CR 76

Check Exponents -1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0 CR CR 77

Check Exponents -1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0 Find rows where exponents sum is even -65, 20, 63, -91 sum 2 2 2 2 2 0 2 2 2 ( 42 43 61 85 ) ( 1 2 3 5 7 13 ) mod 1829 × × × ≡ − × × × × × 2 2 1459 901 mod 1829 ≡ CR CR 78

Final Steps 2 2 ( 42 43 61 85 ) ( 1 2 3 5 7 13 ) mod 1829 × × × ≡ − × × × × × 2 2 1459 901 mod 1829 ≡ 1829 | ( 1459 901 )( 1459 901 ) + − ▹ 1829 | 2360 gcd( 1829 , 2360 ) 59 = = ▹ 1829 | 558 gcd( 1829 , 558 ) 31 = = Thus 1829 59 31 = × CR CR 79

State of the Art Factoriza<on Techniques • QuadraAc Sieve – Fastest for less than 100 digits General Number field Sieve • – Fastest technique known so far for greater than 100 digits – Open source code (google GGNFS) RSA factoring challenge • – Best so far is 768 bit factorizaAon – Current challenges 896 bits (reward $75,000), 1024 bit ($100,000) CR CR https://en.wikipedia.org/wiki/RSA_Factoring_Challenge 80

RSA Adacks adacks that don’t require factoriza<on algorithms CR CR 81

Φ(n) leaks • If an aPacker gets Φ(n) then n can be factored n pq q n / p = = ( n ) ( p 1 )( q 1 ) φ = − − pq ( p q ) 1 = − + + n ( n ) n ( p ) 1 φ = − + + p 2 p ( n ( n ) 1 ) p n 0 − − φ + + = Solve to get p (a factor of n) CR CR 82

square roots of 1 mod n 2 ≡ y 1 mod n There are two trivial and two non-trivial soluAons for The trivial soluAons are +1 and -1 By CRT, these congruences y 1 mod p ≡ ⎧ are equivalent ⎨ y 1 mod p ≡ − 2 y 1 mod p ⎧ ⎩ ≡ 2 y 1 mod n ≡ 〈 = 〉 ⎨ 2 y 1 mod q ≡ ⎩ y 1 mod q ≡ ⎧ ⎨ y 1 mod q ≡ − ⎩ To get the non-trivial solutions solve using CRT y 1 mod p y 1 mod p ≡ − ≡ + y 1 mod q y 1 mod q ≡ + ≡ − CR CR 83

Example • n=403 = 13 x 31 2 ≡ y 1 mod n To get the non-trivial soluAons of solve using CRT • y 1 mod p y 1 mod p ≡ − ≡ + y 1 mod q y 1 mod q ≡ + ≡ − (31 ⋅ 31 − 1 mod13 − 13 ⋅ 13 − 1 mod31)mod403 (31 ⋅ 8 − 13 ⋅ 12)mod403 ≡ 92 403 − 92 = 311 2 2 Note : 92 311 1 mod 403 ≡ ≡ The non-trivial solutions are 92 and 311 y 1 mod p ≡ + What happens when we solve y 1 mod q ≡ + CR CR 84

Decryp<on exponent leaks • If the decrypAon exponent ‘a’ leaks, then n can be factored • The aPacker can then compute ab ab 1 mod ( n ) k ( n ) ( ab 1 ) ≡ φ φ = − • Now, for any message x ≠ 0 1 ≡ x ab 1 mod n − ab 1 − • APack Plan, take square root : y x mod n 2 ≡ i.e. , 2 2 y 1 mod n ▹ n | ( y 1 ) ≡ = − However we need ▹ n | ( y 1 )( y 1 ) = − + y 1 ≠ ± gcd( n , y 1 ) is a factor of n − to have a non- trivial result CR CR 85

The Adack (basic idea) we assume we know the private key a ab 1 mod ( n ) ≡ φ 1 . given a compute ab 1 k ( n ) ab 1 − φ = − ab 1 − ab 1 − 2 . Represent t = y x 1 mod n 2 = ≡ 2 1 3 . choose any message x 2 thus , ( y 1 ) 0 mod n − ≡ 1 t n | ( y 1 )( y 1 ) 4 . put y x mod n + − = 5 . compute d gcd( y 1 , n ) ← − This will only work if y ≠ ±1 mod n. 6 . if d 1 , return " a factor of n is d " ; exit ≠ If y = ±1 mod n. then goto step 7 7 . if ( t is even ) t t / 2 ; goto step 4 = else return " failure " Probability of success of the attack is at-least 1/2 CR CR 86

Example • N=403, b=23, a=47 t ab 1 1080 x 2 = − = = 1080 t 540 loop 1 : t 540 y x mod 403 2 mod 403 1 = = ≡ = ≡ 2 540 t 270 loop 2 : t 270 y x mod 403 2 mod 403 311 = = ≡ = ≡ 2 gcd( 310 , 403 ) 31 ( a factor of n ) = t ab 1 1080 x 9 = − = = 1080 t 540 loop 1 : t 540 y x mod 403 9 mod 403 1 = = ≡ = ≡ 2 540 t 270 loop 2 : t 270 y x mod 403 9 mod 403 1 = = ≡ = ≡ 2 270 t 135 loop 3 : t 135 y x mod 403 9 mod 403 1 = = ≡ = ≡ 2 can’t divide 135 further. failure CR CR 87

Small Encryp<on Exponent • In order to improve efficiency of encrypAon, a small encrypAon exponent is preferred • However, this can lead to a vulnerability CR CR 88

Small Encryp<on Exponent c 1 Alice m 3 mod N 1 m c 2 m 3 mod N 2 c 3 m 3 mod N 2 Insecure channel • Consider, Alice sending the same message x to 3 different people. • Each having a different N (say N 1 , N 2 , N 3 ) • But same public key b (say 3) CR CR 89

Small Encryp<on Exponent c 1 Alice m 3 mod N 1 m 3 c m mod N c 2 ≡ 1 1 m 3 mod N 2 3 c m mod N ≡ 2 2 c 3 3 c m mod N ≡ m 3 mod N 2 3 3 Insecure channel • Consider, Alice sending the same message x to 3 different people. • Each having a different N (say N 1 , N 2 , N 3 ) • But same public key b (say 3) • This allows Mallory to snoop in and get 3 ciphertexts CR CR 90

Small Encryp<on Exponent By CRT 3 c m mod N ⎧ ≡ 1 1 ⎪ 3 3 c m mod N X m mod( N N N ) ≡ 〈 = 〉 ≡ ⋅ ⋅ ⎨ 2 2 1 2 3 ⎪ 3 c m mod N ≡ ⎩ 3 3 • Thus, Mallory can compute X • Since m < N 1 , m<N 2 , m<N 3 => n < ( N 1 x N 2 x N 3 ) • Thus, X 1/3 =m – i.e. The message can be decrypted It is tempAng to have small private and public keys, so that encrypAon or decrypAon may be carried out efficiently. However you would do this at the cost of security!! CR CR 91

Low Decryp<on Exponent • The aPack applies when the private key a is 4 n small, a < 3 • In such a case ‘a’ can be computed efficiently CR CR 92

Par<al Informa<on of Plaintexts CompuAng Jacobi of the plaintext b y x mod n y is the ciphertext ; x the message ≡ b is the public key and gcd( b, φ ( n )) 1 = Thus, gcd (b, (p- 1 )(q- 1 )) 1 = ( p 1 )( q 1 ) is even , therefore b must be odd − − consider Jacobi y ⎛ ⎞ 1 = ± ⎜ ⎟ n ⎝ ⎠ b y x x ⎛ ⎞ ⎛ ⎞ ⎛ ⎞ = = ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ n n n ⎝ ⎠ ⎝ ⎠ ⎝ ⎠ since b is odd x ⎛ ⎞ thus, RSA encrypAon leaks the value of the Jacobi symbol ⎜ ⎟ n ⎝ ⎠ CR CR 93

Par<al Informa<on of Plaintexts first half or second half? • given y = x b mod n, – is it possible to determine if (0 ≤ x < n/2) or (n/2 ≤ x < n-1) first half second half • We prove that RSA does not leak this informaAon • If there exists an efficient algorithm that can determine if x is in the first or second half then, the enAre plaintext can be obtained CR CR 94

Find x Consider this function [0,13) ⎧ if 0 ≤ mx mod n < n ⎪ 0 0 ⎪ 2 [6.5,13) HALF ( m ) = ⎨ [0-6.5) if n ⎪ 1 2 ≤ mx mod n < n − 1 0 ⎪ ⎩ [0,3.25) example x = 3mod13 HALF (1) = 0 1 [0,1.625) 2 x ≡ 6mod13 HALF (2) = 0 [1.625,3.25) 4 x ≡ 12mod13 HALF (4) = 1 8 x ≡ 11mod13 HALF (8) = 1 3 16 x ≡ 9mod13 HALF (16) = 1 CR CR 95

Par<al Informa<on of Plaintexts (first or second half proof) • Assume a hypotheAcal oracle called HALF as follows ⎧ if 0 ≤ x < n 0 ⎪ ⎪ 2 HALF ( n , b , y ) = ⎨ if n ⎪ b y x mod n 1 2 ≤ x < n − 1 ≡ ⎪ ⎩ b b 2 y ( 2 x ) mod n ⋅ ≡ n [ ) b b 4 y ( 4 x ) mod n ⋅ ≡ HALF ( y ) 0 ▹ x 0 , = = ∈ 2 b b 8 y ( 8 x ) mod n ⋅ ≡ b b 16 y ( 16 x ) mod n ⋅ ≡ n n n [ ) [ ) b b HALF ( 2 y ) 0 ▹ x 0 , HALF ( 2 y ) 1 ▹ x , = = ∈ = = ∈ 4 4 2 n n n [ ) [ ) 2 b 2 b HALF ( 2 y ) 0 ▹ x 0 , HALF ( 2 y ) 0 ▹ x , = = ∈ = = ∈ 8 8 4 CR CR 96

Example n=1457, b=779, y=722 h i 1 0 1 0 1 1 1 1 1 0 0 Thus, if we have an efficient function HALF, we can recover the plaintext message. CR CR 97

Man in the Middle Adack • The process of encrypAon with a public key cipher Bob sends his public key Alice encrypts with Bob’s public key Bob decrypts with his private key CR CR 98

Man in the Middle Adack • The process of encrypAon with a public key cipher Man in the middle Intercepts messages Bob sends his public key Mallory sends her public key Alice encrypts Mallory decrypts with Mallory’s public key with her private key and re- Bob decrypts encrypts with his private with Bob’s key public key CR CR 99

Searching the Message Space • Suppose message space is small, – Mallory can try all possible messages, encrypt them (since she knows Bob’s public key) and check if it matches Alice’s ciphertext Bob sends his public key Bob decrypts A l i c e e n c r y p t s w i t h B o b ’ s p u with his private b l i c k e y key CR CR 100