RSA: More about attacks - PowerPoint PPT Presentation



SLIDE 1

RSA: More about attacks

Need to take care with the implementation, e.g.:

  • Do not take p or q very small.
  • Difference of p and q should not be very small.

More subtle, e.g.: Thm: If 3d < n^(1/4) and q < p < 2q, then d can be found in polynomial time. More info: Section 6.2

SLIDE 2

RSA: More about attacks

  • Public-key cryptosystem: can it have perfect secrecy?
  • RSA is insecure against a chosen-ciphertext attack (we’ll do soon).
  • Is RSA insecure against a known-plaintext attack?
  • Is RSA insecure against a chosen-plaintext attack?

SLIDE 3

RSA: Protocol Failures

A secure system can still be used in an insecure (careless) way. This is called a protocol failure. Examples: Exercises 16 and 17 (Chapter 6, page 194)

SLIDE 4

RSA: Insecurity against Chosen-Ciphertext

Eve wants to decrypt y (a ciphertext). She can choose another ciphertext ŷ ≠ y that she can use to decrypt y.

  • Choose a random x0 and compute y0 = (x0)^e mod n.
  • Let ŷ = y0·y mod n.
  • Eve gets the decryption of ŷ.

How to find x?
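The steps on this slide can be traced in code to see why a key holder cannot protect a textbook-RSA ciphertext just by refusing to decrypt that one value. This is an added example, not part of the original slides; the toy primes, the oracle and all function names are assumptions made for the illustration.

```python
import math
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the key holder


def encrypt(x: int) -> int:
    """Textbook RSA encryption: y = x^e mod n (no padding)."""
    return pow(x, E, N)


def make_oracle(forbidden: int):
    """Hypothetical key holder: decrypts anything except the protected ciphertext."""
    def oracle(c: int) -> int:
        if c % N == forbidden:
            raise PermissionError("refusing to decrypt the protected ciphertext")
        return pow(c, D, N)
    return oracle


def recover_via_oracle(y: int, oracle) -> int:
    """Slide 4 steps: blind y with y0 = x0^e, have y_hat decrypted, unblind."""
    while True:
        x0 = secrets.randbelow(N - 2) + 2      # random x0 in [2, n-1]
        if math.gcd(x0, N) == 1:               # x0 must be invertible mod n
            break
    y0 = pow(x0, E, N)
    y_hat = (y0 * y) % N                       # differs from y, so the filter passes it
    x_hat = oracle(y_hat)                      # x_hat = x0 * x mod n
    return (x_hat * pow(x0, -1, N)) % N        # divide out x0 to obtain x


def demo() -> bool:
    x = int.from_bytes(b"session", "big")      # constructed plaintext, x < n
    y = encrypt(x)
    return recover_via_oracle(y, make_oracle(forbidden=y)) == x


if __name__ == "__main__":
    print("x recovered although y itself was never decrypted:", demo())
```

The recovery works because (x0^e · x^e)^d = x0 · x mod n, so the decryption of ŷ is x scaled by a factor Eve already knows.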

SLIDE 5

RSA: Timing Attacks

In 1995, Paul Kocher (an undergraduate at Stanford) discovered that it is possible to determine d (the decryption exponent) by carefully timing the computation times for a sequence of decryptions. Moral of the story: a new type of attack can break a system that is thought to be secure… Good news for RSA: it is possible to thwart the timing attack.

SLIDE 6

Other Public-key Cryptosystems

RSA is the “standard” but there are other public-key cryptosystems. E.g. one by Rabin and one by ElGamal.

All three cryptosystems:

  • thought to be secure
  • can be used for digital signatures
  • slow

Hence: used to encrypt a session key, then use a (secure) private key cryptosystem

SLIDE 7

Other Public-key Cryptosystems

The Rabin cryptosystem:

  • based on the difficulty of finding square roots mod a composite number (problem equivalent to factoring)
  • provably secure (unlike RSA; assuming factoring is computationally infeasible, the Rabin cryptosystem is secure)
  • 4 possible plaintexts for each ciphertext

[RSA: conjectured to be as secure as factoring.]

The ElGamal cryptosystem:

  • based on the difficulty of computing discrete logarithms in a finite field
  • used in many cryptographic protocols

SLIDE 8

Public-key Cryptosystems

Outline of a general public-key cryptosystem:

  • components: a set M of messages, a set K of keys, for each key k∈K, an encryption function Ek and a decryption function Dk (usually functions from M to M)
  • requirements:
      • Ek(Dk(m)) = Dk(Ek(m)) for all m, k.
      • Ek(m) and Dk(m) are easy to compute for all m, k.
      • figuring out Dk from Ek is computationally infeasible for almost all k∈K
      • given k∈K, finding Ek and Dk is easy