RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and - - PowerPoint PPT Presentation



slide-1
SLIDE 1

RSA Public Key CryptoSystem One way Trapdoor Functions

slide-2
SLIDE 2

Diffie and Hellman (76) “New Directions in Cryptography”

Split Bob’s secret key K into two parts:

  • K_E, to be used for encrypting messages to Bob.
  • K_D, to be used for decrypting messages by Bob.

K_E can be made public (public key cryptography, asymmetric cryptography).

slide-3
SLIDE 3

Integer Multiplication & Factoring as a One Way Function.

p, q --> N = pq (easy)
N = pq --> p, q (hard)

Q.: Can a public key system be based on this observation?
slide-4
SLIDE 4

Excerpts from RSA paper (CACM, 1978)

The era of “electronic mail” may soon be upon us; we must ensure that two important properties of the current “paper mail” system are preserved: (a) messages are private, and (b) messages can be signed. We demonstrate in this paper how to build these capabilities into an electronic mail system. At the heart of our proposal is a new encryption method. This method provides an implementation of a “public-key cryptosystem,” an elegant concept invented by Diffie and Hellman. Their article motivated our research, since they presented the concept but not any practical implementation of such system.
slide-5
SLIDE 5

The Multiplicative Group Z_pq*

Let p and q be two large primes and N=pq be their product. The multiplicative group Z_N* = Z_pq* contains all integers in the range [1,pq-1] that are relatively prime to both p and q. The size of the group is

φ(pq) = (p-1)(q-1) = N - (p+q) + 1,

so for every x ∈ Z_pq*, x^((p-1)(q-1)) = 1.

slide-6
SLIDE 6

Exponentiation in Z_pq*

Motivation: We want to use exponentiation for encryption.

Note that not all integers in {1,2,..,pq-1} belong to Z_pq*. These elements do not have an inverse in Z_pq* (therefore multiplication in Z_pq* is not a one-to-one mapping). However the choice of e implies

Let e be an integer, 1 < e < (p-1)(q-1).

Question: When is exponentiation to the e-th power, x --> x^e, a one-to-one op in Z_pq*?

slide-7
SLIDE 7

Exponentiation in Z_pq*

Claim: If e is relatively prime to (p-1)(q-1) then x --> x^e is a one-to-one op in Z_pq*.

Constructive proof: Since gcd(e, (p-1)(q-1)) = 1, e has a multiplicative inverse mod (p-1)(q-1). Denote it by d, then ed = 1 + C(p-1)(q-1). Let y = x^e, then

y^d = (x^e)^d = x^(1+C(p-1)(q-1)) = x,

meaning y --> y^d is the inverse of x --> x^e. QED

slide-8
SLIDE 8

RSA Public Key Cryptosystem

  • Let N=pq be the product of two primes
  • Choose e such that gcd(e,φ(N))=1
  • Let d be such that de≡1 mod φ(N)
  • The public key is (N,e)
  • The private key is d
  • Encryption of M∈Z_N* by C = E(M) = M^e mod N
  • Decryption of C∈Z_N* by M = D(C) = C^d mod N

“The above mentioned method should not be confused with the exponentiation technique presented by Diffie and Hellman to solve the key distribution problem”.

slide-9
SLIDE 9

Constructing an instance of RSA PKC

  • Alice first picks at random two large primes, p and q.
  • Alice then picks at random a large d that is relatively prime to (p-1)(q-1) ( gcd(d,φ(N))=1 ).
  • Alice computes e such that de≡1 mod φ(N)
  • Let N=pq be the product of p and q.
  • Alice publishes the public key (N,e).
  • Alice keeps the private key d, as well as the primes p, q and the number φ(N), in a safe place.

slide-10
SLIDE 10

A Small Example

  • Let p=47, q=59, N=pq=2773. φ(N) = 46*58 = 2668.

Pick d=157, then 157*17 - 2668 = 1, so e=17 is the inverse of 157 mod 2668.

For N=2773 we can encode two letters per block, using a two digit number per letter: blank=00, A=01, B=02, …, Z=26.

Message: ITS ALL GREEK TO ME is encoded

0920 1900 0112 1200 0718 0505 1100 2015 0013 0500

slide-11
SLIDE 11

A Small Example

N=2773, e=17 (10001 in binary). ITS ALL GREEK TO ME is encoded as

0920 1900 0112 1200 0718 0505 1100 2015 0013 0500

First block M=0920 encrypts to

M^e = M^17 = (((M^2)^2)^2)^2 * M = 948 (mod 2773)

The whole message (10 blocks) is encrypted as

0948 2342 1084 1444 2663 2390 0778 0774 0219 1655

Indeed 0948^d = 0948^157 = 920 (mod 2773), etc.

slide-12
SLIDE 12

RSA: implementation

  • 1. Find large prime numbers (random)

Algorithm:

  • randomly choose an odd integer i
  • check whether i is prime (we’ll see soon)

Note:

  • Prime numbers are frequent (between N and 2N there are ≈ N/log N prime numbers)
  • Hence by randomly choosing an odd number you expect to find a prime every log N attempts

slide-13
SLIDE 13

RSA: implementation

  • 2. Coding algorithm (compute exponentiation): algorithm to obtain fast encoding

Compute the power by repeated squaring (so computing the powers 2, 4, 8, ..) and then executing multiplications (based on the binary notation of the exponent e)

  • No. of operations required: O(log N)
  • Constant no. of operations if e is small and its binary representation has few ones. Examples:
    – e = 3: compute M^2 mod N, M^3 mod N = ((M mod N) * (M^2 mod N)) mod N
    – e = 65537 (2^16 + 1): compute M^2 mod N, M^4 mod N, M^8 mod N, M^16 mod N ... M^65536 mod N; complete by computing M * M^65536 - total 5 multiplications
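Added example (not part of the original slides): the key construction of slide 9 and the small example of slides 10 and 11, encrypted with the repeated-squaring method of slide 13, which also counts its operations. The function names are assumptions of this example; p=47, q=59, d=157 and the message come from the slides and are far too small for real use.

```python
from math import gcd

P, Q, D = 47, 59, 157                  # toy values from slide 10
N, PHI = P * Q, (P - 1) * (Q - 1)      # N = 2773, phi(N) = 2668
MESSAGE = "ITS ALL GREEK TO ME"

def make_public_exponent(d, phi):
    """Slide 9: d must be coprime to phi(N); e is its inverse mod phi(N)."""
    if gcd(d, phi) != 1:
        raise ValueError("d is not invertible mod phi(N)")
    return pow(d, -1, phi)             # modular inverse, Python 3.8+

def modexp(base, exp, mod):
    """Square-and-multiply for exp >= 1: (result, squarings, multiplications)."""
    result, squarings, multiplies = base % mod, 0, 0
    for bit in bin(exp)[3:]:           # exponent bits after the leading 1
        result = result * result % mod
        squarings += 1
        if bit == "1":
            result = result * base % mod
            multiplies += 1
    return result, squarings, multiplies

def encode(text):
    """blank=00, A=01 ... Z=26; two letters per block; expects A-Z and blanks."""
    if len(text) % 2:
        text += " "                    # pad the last block with a blank
    digits = [0 if ch == " " else ord(ch) - ord("A") + 1 for ch in text]
    return [100 * a + b for a, b in zip(digits[::2], digits[1::2])]

def decode(blocks):
    """Inverse of encode(); a padding blank, if any, stays at the end."""
    flat = [v for blk in blocks for v in divmod(blk, 100)]
    return "".join(" " if v == 0 else chr(v + ord("A") - 1) for v in flat)

E = make_public_exponent(D, PHI)       # Alice derives e from her chosen d

def encrypt(blocks):
    return [modexp(m, E, N)[0] for m in blocks]

def decrypt(blocks):
    return [modexp(c, D, N)[0] for c in blocks]

if __name__ == "__main__":
    cipher = encrypt(encode(MESSAGE))
    print("e =", E, "| (M^17, squarings, mults) =", modexp(920, E, N))
    print(" ".join(f"{c:04d}" for c in cipher))
    print(decode(decrypt(cipher)))
```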

slide-14
SLIDE 14

RSA as a One Way Trapdoor Function.

x --> x^e mod N (easy)
x^e mod N --> x (hard)
x^e mod N --> x: easy with trapdoor info (d)

slide-15
SLIDE 15

Trap-Door OWF

  • Definition: f: D → R is a trap-door one way function if there is a trap-door s such that:
    – Without knowledge of s, the function f is a one way function
    – Given s, inverting f is easy
  • Example: f_{g,p}(x) = g^x mod p is not a trap-door one way function.
  • Example: RSA is a trap-door OWF.
slide-16
SLIDE 16

RSA as a collection of Trap-door OWF

Note: RSA is a method that depends on the parameter given by the key.

Def.: Let I be a set of indices and D a finite set. A collection of trap-door one way functions is a set of functions F, f_i: D_i → R_i, such that for all i in I, f_i is a trap-door one way function.

Idea: We need an algorithm that, given a security parameter, selects a random function f_i in F together with its trapdoor information t_i.

slide-17
SLIDE 17

Security of RSA vs computing factors

  • Fact 1: given n, e, p and q it is easy to compute d
  • Fact 2: given n, e,
    – If you factor n then you can compute φ(n)
    – If you factor n then you can compute d
  • Conclusion:
    – If you factor n then you invert RSA
    – OPEN QUESTION: if you invert RSA can you factor n?

NOTE: factoring large numbers has been an open problem for thousands of years…

slide-18
SLIDE 18

Attacks on RSA

NOTE: The robustness of RSA does not imply that it is always robust. In fact:

  • 1. Factor N=pq. This is believed hard unless p, q have some “bad” properties. To avoid such primes, it is recommended to
    – Take p, q large enough (100 digits each).
    – Make sure p, q are not too close together.
    – Make sure both (p-1), (q-1) have large prime factors (otherwise there is a good factoring algorithm).
  • 2. Some messages might be easy to decode
slide-19
SLIDE 19

Properties of RSA

  • The requirement gcd(e,φ(n))=1 is important for uniqueness
  • Finding d, given p and q, is easy. Finding d given only n and e is assumed to be hard (the RSA assumption)
  • The public exponent e may be small. Typically its value is either 3 (problematic) or 2^16+1
  • Each encryption involves several modular multiplications. Decryption is longer.
slide-20
SLIDE 20

RSA: Attacks

Factor N=pq: RSA challenges. RSA Security publishes challenges for factoring:

  • RSA 426 bit, 129 digit:
    – published 1977
    – factored in 1994 (8 months using 1600 computers on the Internet (10000 Mips))
  • RSA 576 bit, 173 digit: factored in Dec. 2003, 10000 $
  • RSA 640 (prize 20K$), RSA 1024 (100K$), RSA 2048 (200K$)

slide-21
SLIDE 21

RSA: Attacks

Factoring is difficult in general

  • BUT there are cases in which decoding RSA is easy
  • Easy messages: e.g. m = 0, 1, n-1, then RSA(m) = m. Solution: rare messages, use salt
  • If m is small and e is small (e.g. e=3) then it may happen that m^3 < n; therefore m^3 mod n = m^3 and the adversary computes the cube root. Solution: add random bytes at the beginning of the message to avoid these cases

slide-22
SLIDE 22

RSA - Attacks

Small value of e (e.g. e=3)

  • If the adversary has two encodings of similar messages, e.g. m and (m+1): c1 = m^3 mod n and c2 = (m+1)^3 mod n
  • in this case we have

m = (c2 + 2 c1 - 1) / (c2 - c1 + 2) mod n

  • Similar problem if the two messages are m and (am + b)

Solution: choose large e / add random bits to avoid similar messages

slide-23
SLIDE 23

RSA - Attacks

  • If the message space is small then the adversary can compute all possible encodings. Example: the adversary knows the encoded message and knows that m is either m1=10101010 or m2=01010101; the adversary encodes m1 and m2 using the public key and then checks which is the correct message
  • Solution: add a random string to increase the message space

slide-24
SLIDE 24

RSA - Attacks

  • If two users have the same n (even with different e and d) then the system is weak

Solution: choose your own n (there are many prime numbers, so the probability you choose the same n is very very small)

Important: we need algorithms to choose random numbers

slide-25
SLIDE 25

RSA : Attacks

Chosen ciphertext attack using the multiplicative property of RSA:

– Adversary knows c = M^e mod n
– Adversary randomly chooses X and computes c’ = c X^e mod n
– Adversary asks Alice to decode c’
– Alice computes (c’)^d = c^d (X^e)^d = M X mod n !!
– Adversary knows X and computes M !!!

  • Solution: messages should be structured (Alice does not decode if M does not have the required structure)

slide-26
SLIDE 26

RSA - implementation attacks

Known attacks:

  • Timing: uses the time taken to compute C^d (small time implies small d)

Analogously

  • Energy: analyses how much energy is required by a smart card to compute C^d

slide-27
SLIDE 27

RSA- attacks: conclusion

Textbook implementation of RSA is NOT safe

  • Does not guarantee basic security properties for all messages

Therefore you must use a STANDARD version

  • Given a message M, before encoding
  • preprocess M to obtain M’ and then apply RSA to M’ (M and M’ have the same semantics)

M --> M’ --RSA--> C

slide-28
SLIDE 28

Public-Key Crypto. Standard (PKCS)

Standard to use RSA and cryptography protocols

  • Many versions (1-15).
  • PKCS-1: standard to encode messages (byte)

m = 0 || 2 || at least 8 non-zero bytes || 0 || M (M message to be sent)

  • first byte 0 implies m < n
  • second byte (2 = 00000010) denotes encoding of a message (1 denotes signature of messages); it implies message is big
  • Random bytes imply
    – Same message sent several times is each time different;
    – Adversary that knows the message space cannot encode and verify (the adversary does not know the random number used for coding the block)
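Added example (not from the original slides): the PKCS-1 block of slide 28 built and checked around a constructed toy key, showing that the same message encrypts differently each time and that the receiver refuses a ciphertext whose plaintext lacks the required structure, as slide 25 asks. The key (two Mersenne primes), the function names and the message are assumptions of this example.

```python
import secrets

# Constructed toy key for illustration only: 150-bit modulus, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19 here)

def pad_type2(msg: bytes) -> bytes:
    """Build 00 || 02 || PS || 00 || M, PS = at least 8 random non-zero bytes."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg

def unpad_type2(block: bytes) -> bytes:
    """Return M, or raise ValueError when the required structure is absent."""
    if len(block) != K or block[0] != 0 or block[1] != 2:
        raise ValueError("bad header")
    sep = block.find(b"\x00", 2)
    if sep < 10:                       # no separator (-1) or fewer than 8 PS bytes
        raise ValueError("bad padding string")
    return block[sep + 1:]

def encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pad_type2(msg), "big"), E, N)

def decrypt(c: int) -> bytes:
    return unpad_type2(pow(c, D, N).to_bytes(K, "big"))

def accepts(c: int) -> bool:
    """True if the receiver would decode c, False if it refuses."""
    try:
        decrypt(c)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    c1, c2 = encrypt(b"HI BOB"), encrypt(b"HI BOB")
    print(c1 != c2, decrypt(c1), decrypt(c2))  # different blocks, same message
    altered = c1 * pow(2, E, N) % N            # the c' = c X^e of slide 25, X = 2
    print(accepts(altered))                    # False: plaintext no longer starts 00 02
```

Slide 29's OAEP is the encoding the slides present as robust under chosen ciphertext; this block covers only the slide 28 format.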

slide-29
SLIDE 29

RSA and Data integrity: OAEP

OAEP (also known as PKCS-1 version 2)

  • Encoding: c = RSA[M || 0^k1 XOR G(r)] || [H(RSA[M || 0^k1 XOR G(r)]) XOR r]
  • k0, k1 known constants; G, H known hash functions; r random string of k0 bits (chosen by the sender);
  • Decoding: let c = s || t be the decoded text (t the last k0 bits); u = t XOR H(s); v = s XOR G(u); ACCEPT if v = m || 0^k1; OTHERWISE REJECT
  • Random r implies that OAEP is robust also in the case of chosen ciphertext (we assume H and G are cryptographically strong hash functions)

slide-30
SLIDE 30

Basic Scheme of Public key Crypt.

  • A public key encryption scheme includes the following elements:
    – A private key k
    – A public key k’
    – An encryption algorithm, which is a trap door OWF. The trap-door info is the private key
  • Public key is published
  • Encryption uses the public key (anyone can encrypt)
  • Decryption requires the private key
slide-31
SLIDE 31

El-Gamal Encryption

  • Constructed by El-Gamal in 1985
  • Similar to DH
  • Alice publishes p, g as public parameters
  • Alice chooses x as a private key and publishes g^x mod p as a public key
  • Encryption of m∈Z_p by sending (g^y mod p, m*g^(xy) mod p) or (g^y mod p, m+g^(xy) mod p)
  • Requires two exponentiations per each block transmitted.

slide-32
SLIDE 32

Real World usage

Two words: Key Exchange

In fact: RSA (as other known Public Key algorithms) is slow. So it is generally used to define a secret key (say using Diffie and Hellman).