Public-Key Cryptography and RSA

transcript

CSE 651: Introduction to Network Security

Abstract

• We will discuss

– The concept of public-key cryptography

– RSA algorithm

– Attacks on RSA

• Suggested reading:

– Sections 4.2, 4.3, 8.1, 8.2, 8.4

– Chapter 9

Public-Key Cryptography

• Also known as asymmetric-key cryptography.

• Each user has a pair of keys: a public key and a private key.

• The public key is used for encryption.

– The key is known to the public.

• The private key is used for decryption.

– The key is only known to the owner.

Bob Alice

Why Public-Key Cryptography?

• Developed to address two main issues:– key distribution

– digital signatures

• Invented by Whitfield Diffie & Martin Hellman 1976.

trapdoor

Use as the private key.

Many public-key cryptosystems are

based on trapdoor one-way fu

trapdoor

One-way function with trapdoorf

nctions.

Modular Arithmetic

Mathematics used in RSA(Sections 4.2, 4.3, 8.1, 8.2, 8.4)

| : divides , is a divisor of .

gcd( , ): greatest common divisor of and .

Coprime or relatively prime: gcd( , ) 1.

Euclid's algorithm: computes gcd( , ).

Extented Eucl

Integers

a b a b a b

a b a b

id's algorithm: computes integers

and such that gcd( , ).x y ax by a b

Comment: compute gcd( , ), where 1.

for : 1, 2, until = 0

return ( )

Euclidean Algorithm

a b a b

299 221

221 78

5 5 13 0

gcd(229,221) 13

( 2 ) 3

3 (299 221) 221

78 221 78 78 22

Extended Euclidean Algorithm:Example

gcd(299,221) ?

A group, denoted by ( , ), is a set with a

binary operation : such that

1. ( ) ( ) (associative)

2. s.t. , ( )

3. , s.t.

entity

a b c a b c

e G x G x x x

x G y G x y y x

A group ( , ) is if , , .

Examples: ( ,

), ( , ), ( \ {0}, ), ( ,

( \ {0}

G x y G x y y x

Z Q Q R

Let 2 be an integer.

Def: is congruent to modulo , written

mod , if | ( ), i.e., and have the

same remainder when d

ivided by .

Note: dod an

Integers modulo

a b n n a b a b

are different.

Def: [ ] all integers congruent to modulo .

[ ] is called a residue calss modulo , and is a

representati

ve of that class.

[ ] [ ] if and only if mod .

There are exactly residue classes modulo :

[0], [1], [2], , [ 1].

If [ ], [ ], then [ ] and [ ].

Define addition and multiplication

n na b a b n

x a y b x y a b x y a b

for residue classes:

[ ] [ ] [ ]

[ ] [ ] [ ].

a b a b

Define [0], [1], ..., [ 1] .

Or, more conveniently, 0, 1, ..., 1 .

, forms an abelian additive group.

For , ,

( ) mod . (Or, [ ] [ ] [ ] [ mod ].)

0 is th

a b a b n a b a b a b n

e identity element.

The inverse of , denoted by , is .

When doing addition/substraction in , just do the regular

addition/substraction and reduce the result modulo .

In , 5

a a n a

5 9 4 6 2 8 3 ?

, is not a group, because 0 does not exist.

Even if we exclude 0 and consider only \ {0},

, is not necessarily a group; some may not exist.

For , exists if and on

ly if gcd( , ) 1.

gcd( , ) 1 1 for some integers and

[ ] [ ] [ ] [ ] [1] in

[ ] [ ] [1] in

a n ax ny x y

a x n y Z

1] [ ] in na x Z

Let : gcd( , ) 1 .

, is an abelian multiplicative group.

1 is the identity element.

The inverse of , written , can be computated

Z a Z a n

a b ab n

by the

Extended Euclidean Algorithm.

For example, 1,5,

Q: How many

7,11 . 5

7 35mod12 11.

ments are t

here in ? nZ

( ) : 1 , gcd( ,

Euler's totient function:

Facts:

1. ( ) ( 1) for prime .

2. ( ) ( ) ( ) if gcd( , ) 1.

How many elements are there in ?

n Z a a n a n

pq p q p q

Let be a (multiplicative) finite group.

The order of , written , is the smallest

p ( , identity elos emitiv ent.e integer such that .

The order of ,

ord( )

ord( , is the number

* *15 15

of elements in .

Example: Consider

ord( ) (15)

ord(8) 4, since 8 64 mod15 4

8 (8 8) mod15 (4 8) mod15 2

4 2 2 8 (8 8 ) mod15 (4 4) mod15 1

* (15) 815

= 1, 2, 4, 7, 8, 11, 13, 14

(15) (3) (5) 2 4 8

: 1 2 4 7 8 11 13 14

ord( ) : 1 4 2 4 4 2 4 2

For all , we have 1

Example: 15

a Z a a

ord( )

Theorem: For any element , ord( ) | ord( ).

Fermat's little theorem:

If ( a prime), th

Corollary: For any element ,

Euler's theorem:

a G a G

a G a e

, then 1. ( ord( ) ( ).)

That is, for any integer relatively prime to ,

1 mod .

The Chinese Remainder Problem

• A problem described in an ancient Chinese arithmetic book.

• Problem: We have a number of things, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many things are there?

3 5 7 105

2mod3, 3mod5, 2mod7

? All integers 2 3 2 23 .

If integers , , are pairwise coprime,

then the system of congruences

has a unique solution in :

Chinese remainder theorem

i i i i

x a N N n

where , and .

Furthermore, every integer is a solution.

N n n n N N n

Suppose

1 mod 3

6 mod 7

8 mod 10

By the Chinese remainer theorem, the solution is:

1 70 (70 mod3) 6 30 (30 mod7) 8 21 (21 mod10)

1 70 (1 mod3) 6 30 (2 mod7) 8 21 (1 mod10)

1 70 1 6 30 4 8 21 1 mod 210

958 mod 210

118 mod 210

Example: Chinese remainder theorem

(the numbers are pairwise coprime)

There is a one-to-one correspondence :

, , , where

Chinese remainder theorem (another version)

N n n N n n

N n n n n

Z Z Z Z Z Z

A a a A Z

and mod

One-to-one correspondence :

Operations in can be performed individually in each .

, , If

A B a b

, , if

mod mo d mod

A B a b a b

A B a b a

* * *15 3 5 15 3 5

Suppose we want to compute 8 11 in .

8 (2, 3) 8mod3, 8mod5

11 (2, 1) 11mod3, 11mod5

8 11 (2 2, 3 1) (1, 3).

(1, 3)

Example: Chinese remainder theorem

Z Z Z Z Z Z

1mod3 Solve 13

gcd( , ),

Can be done in (log ) time.

Important Problems

Compute in .

exists if and only if gcd( , ) 1.

Use extended Euclidean algorithm to find ,

such that gcd( , ) 1

1 (beca

mod ?How to compute

ax ny a n

use 0 in )

Note: every computation is reduced modulo .

1 Compute 15 mod 47.

47 15 3 (divide 47 by 15; remainder 2)

15 2 7 (divide 15 by 2; remainder 1)

1 15 7 (mod 47)

5 ( ) 7 (mod 47)47 15 3

Example

15 22 47 7 (mod 47)

15 22 (mod 47)

15 mod 47 22

By ivest, hamir & dleman of MIT in 1977.

Best known and most widely used public-key scheme.

Based on the one-way property

powering:

assumed

The RSA Cryptosystem

: mod (easy)

: mod (hard)

f x x n

f y y n

Encryption (easy):

Decryption (hard):

Looking for a trapdoor: ( ) .

If is a number such that 1mod ( ), then

It works in group

Idea behind RSA

d ed n

( ) 1 ( )

for some , and

( ) 1 .ke ed n nd k

x x x x x x x

Setting up an RSA Cryptosystem

• A user wishing to set up an RSA cryptosystem will:– Choose a pair of public/private keys: (PU, PR).

– Publish the public (encryption) key.

– Keep secret the private (decryption) key.

Select two large primes and at random.

Compute . Note: ( ) ( 1)( 1).

Select an encryption key satisfying 1 ( ) and

gcd( , ( )) 1. (i.e., , 1.)

RSA Key Setup

n pq n p q

e n e Z e

1mpute the descryption key: mod ( ).

1 mod ( ).

is the inverse of mod ( ).

Public key: . Private key: .

Important: , , and ( ) must be kep

( , ) ( ,

PU n e P

Suppose Bob is to send a secret message to Alice.

To encrypt, Bob will

obtain Alice's public key { , }.

encrypt as mod .

RSA Encryption and Decryption

PU e n

m c m n

To decrypt the ciphertext , Alice will compute

mod , using her private key { , }.

What key will Alice use to encrypt

her reply to Bob?

m c n PR d n

The settig of RSA is the group , :

Plaintexts and ciphertexts are elements in .

Recall: : 0 , gcd( , ) 1 .

has ( ) elements. (The group h a

Why RSA Works

Z x x n x n

* * ( )

order ( ).)

In group , , for any , we have 1.

We have chosen , such that 1 mod ( ), i.e.,

( ) 1 for some positive integer .

de edn

Z x Z x

e d ed n

ed k n k

x Z x x

( ) 1 ( ) .kk n nx x x x

Select two primes: 17, 11.

Compute the modulus 187.

Compute ( ) ( 1)( 1) 160.

Select between 0 and 160 such that gcd( ,160) 1.

Let 7.

Compute

RSA Example: Key Setup

1 1mod ( ) 7 mod160 23

(using extended Euclid's algorithm).

Public key: .

Private k

) (7, 187)

( , ) (23: ., 7 18 )

PU e n

Suppose 88.

Encryption: mod 88 mod187 11.

Decryption: mod 11 mod187 88.

When computing 11 mod187, we first

compute 11 and

RSA Example: Encryption & Decryption

reduce it modulo 187.

Rather, when conmputing 11 , reduce the intermediate

results modulo 187 whenever they get bigger than 187.

Comment: compute mod , where in binary.

for downto 0 do

then mod

Algorithm: Square-and-Multiply( , , )c

x n c c c c

...Note: At

iteratio

z z x n

23 10111

11 mod 187 11 (square and multiply)

mod 187 121 (square)

11 mod 187 44 (square and multiply)

11 mod 187 165 (square and

11 mod187

Example:

ltiply)

11 mod 187 88 (square and multiply)z z

To speed up encryption, small values are usually

used for .

Popular choices are 3, 17 2 1, 65537 2 1.

These values have only two 1's in their binary

representation.

Encryption Key

There is an interesting attack on small .e

A message sent to users who employ the same

encryption expo

nent is not protected by RSA.

Say, 3, and Bob sends a message to three

receipients encry

Low encryption exponent attack

3 3 31 2 2 3

pted as:

mod , mod , mod .

Eve intercepts the three ciphertexts, and recovers :

mod , mod , mod .

By CRT, mod for som

m mc n c n c n

m c n m c n m c n

3 3 31 2 3

Also, . So, , and .

c n n n

m n n n m c m c

One may be tempted to use a small to speed up

decryption.

Unfortunately, that is risky.

Wiener's attack: If /3 and 2 ,

then the decryption exponent

Decryption Key

d n p q p

can be computed

from ( , ). (The condition 2 often holds

in practice.)

CRT can be used to speed up decryption by four times.

n e p q p

2 Multiplying two numbers of bits takes ( ) time.

. 1024-2058 bits. , half the size.

Decryption: .

Instead of computing

direod ctlm

Speeding up Decryption by CRT

n pq n

1 1 2 2

compute mod and mod

mod recover the plaintext b

y solv

c c p c c q

m c p m c q

Four categories of attacks on RSA:

brute-force key search

infeasible given the large key space

ematical attacks

timing attacks

chosen ciphe r

Security of RSA

text attacks

Then ( ) ( 1)( 1) and

mod ( ) can be calculated

Factor into .

Determine ( ) directly

easily.

Equivalent to factoring .

Knowing ( ) will enable us to f

Mathematical Attacks

actor by solving

( ) ( 1)( 1)

Best known algorithms are not

faster than those for factoring . Besides, if is know

then can be factored with

ine dir

ectly.d

h probability.

A difficult problem, but more and more efficient

algorithms have been developed.

In 1977, RSA challenged resea

rchers to decode a

ciphertex encrypted with a key ( ) of

Integer Factorization

129 digits

(428 bits). Prize: $100. Would take quadrillion

years using best algorithms of that time.

In 1991, RSA put forward more challenges, with prizes,

to encourage research on f

actorization.

Each RSA number is a semiprime. (A number is

semiprime if it is the product of two primes.)

There are two labeling schemes.

by the number of decimal digits:

RSA-100, .

RSA Numbers

.., RSA-500, RSA-617.

by the number of bits:

RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.

RSA-100 ( bits), 1991, 7 MIPS-year, Quadratic Sieve.

RSA-110 ( bits), 1992, 75 MIPS-year, QS.

RSA-120

3 ( bits), 1993, 830 MIPS-year, QS.

RSA-129

RSA Numbers which have been factored bits), 1994, 5000 MIPS-year, QS.

RSA-130 ( bits), 1996, 1000 MIPS-year, GNFS.

RSA-16

bits), 2003, Lattice Sieve.

RSA- (174 digits), 2003, Lattice Sieve.

RSA- (193 digits), 2005, Lattice Sieve.

RSA-200 ( bits), 2005, Lattice

663 Sieve.

RSA-200 =

27,997,833,911,221,327,870,829,467,638,

722,601,621,070,446,786,955,428,537,560,

009,929,326,128,400,107,609,345,671,052,

955,360,856,061,822,351,910,951,365,788,

637,105,954,482,006,576,775,098,580,557,

613,579,098,734,950,144,178,863,178,946,

295,187,237,869,221,823,983.

In light of current factorization technoligies,

RSA recommends that be of 1024-2048 bits.

Encrypting messages \ is insecure.

Such an is not relatively prime to , i. e.,

Remarks

gcd( , ) 1.

By computing gcd( , ), one will be able to factor .

gcd( , ) 1 gcd( , ) 1, where mod

Question: what is the probability that \

m n n pq

m n c n c m n

Paul Kocher in mid-1990’s demonstrated that a snooper

can determine a private key by keeping track of how

long a computer takes to decipher messages.

RSA decryption: mod .

Timing Attacks

Countermeasures:

Use constant decryption time

Add a random delay to decryption time

modify the ciphertext to

Blin and computeding

1 2 1 2

RSA encryption has a homomorphism property:

RSA( ) RSA( ) RSA( ).

To decrypt a ciphertext RSA( ):

Generate a random secret mess

Blinding in Some of RSA Products

m m m m

Encrypt as RSA( ).

Multiply the two ciphertexts: RSA( ).

Decrypting yields a value e

qual to .

Multiplying that value by yields .

Note: all calculation

mr m r

c c c mr

*s are done in (i.e., modulo ).nZ n

RSA's homomorphism property is the basis of a simple

chosen-ciphertext attack.

The attacker intercepts a ciphertext .

An oracle can decrypt ciphertexts, except ,

Chosen-Ciphertext Attacks

for you.

To launch a chosen-ciphertext attack:

Generate a message, say, 2.

Encrypt as RSA( ).

Multiply the two ciphertexts: RSA( ).

Ask the oracle

to decryp

c c c mr

t , yielding a value equal to .

Multiplying that value by yields the plaintext .

If the message space is small. The adversary can

encrypt all messages and compare them with the

intercepted ciphertext.

For inst

ance, if the message is known t

Small message space attack

o be a

56-bit DES key, or a social security number.

The RSA we have described is the basic

or textbook RSA, susceptible to many attacks.

In real world, RSA is not used that way.

(now in

version 2.1) is a speRSA PK cificati onCS #1

Textbook RSA

by RSA Labs specifying how to implement RSA.

PKCS: ublic ey ryptography tandard.

Let ( , , ) give a pair of RSA keys.

Let denote the length of in bytes (e.g., 216).

To encrypt a message :

P K C S

Padded RSA as in PKCS #1 v.1.5

pad so that 00 02 00 ( bytes)

where 8 or more random bytes 00.

original message must be 11 bytes.

the ciphertext is : RSA mo

This format makes RSA esis

tant to many of the

aforementioned attacks Q: Whic h ones?

A padded message is called PKCS conforming if it

has the specified format:

00 02 padding string 00 orig

inal message.

usually send youS #1 implemen

(v.1.5

tati (sons

)RSA PKCS #1

ender) an

error message if RSA ( ) is PKCS conforming.

There was a famous chosen-ciphertext attack taking

advantage of these error messages.

PKCS #1 (v 2.1) now uses a scheme call

Asymmetric Encryption Padding (OAEP).

A message is called PKCS conforming if it has the

specified format:

00 02 padding string 00 original message.

PKCS #1 implementations usually

Bleichenbacher's chosen-ciphertext attack

send you (sender)

an error message if RSA ( ) is PKCS conforming.

It is just like you have an Oracle which, given , answers

whether or not RSA ( ) is PKCS conforming.

Bleich

enbacher'

s attack takes advange of such an Oracle.

Given RSA( ), Eve tries to find .

(Assume is PKCS conforming.)

How can Oracle help?

Recall that RSA is homomorphic:

RSA( ) =RSA( ) RSA( ) (computa

d in )

a b a b Z

*iven RSA( ), Eve can compute RSA( ) for any .

She can ask the Oracle,

Is PKCS conforming?

(That is, is PKCS conforming?

y is this info e

8( 2) 8( 2)

Recall PKCS Format ( bytes):

00 02 padding string 00 original message

Let 00 01 0 2 (as a binary integer)

2 00 02 0 and 3 00 03 0 .

If is PKCS c

nforming 2 3 .

If, in addition, is PKCS con

forming

2 3 for some

B tn B tn t

B s t n s B s t n s t

• • •

0 n 2n 3n 4n

If is PKCS conforming is in the blue area.

If is also PKCS conforming

is in the blue area

is in the red areas

is in the red lines.

Thus, is in the red line

he blue area.

blue area

Let's focus on the blue area, (2B, 3B).

If is PKCS conforming is in the .

red areas/is in

purple areas/line is in

So, blue red purple

So, starting with the fact that is PKCS conforming,

Eve finds a sequence of integers , , , ... such that

mod is PKCS conforming.

To find , ra n

1domly choose an 2 , and ask the oracle

whether is PKCS conforming. If not, then

try a different .

This way, Eve can repeatedly narrow down the area

containing , and even

ally finds .

For having 1024 bits, it takes roughly 1 million accesses

to the oracle in order to find , , , ...

The current version of PKCS #1 (v 2.1) uses a scheme

called Optimal Asymmetric Encryption Padding

(OAEP).

)RSA PKCS #1

m m m G r r h m G r

pseudorandom generator

: hash function

: random

Public-Key Applications

• Three categories of applications:– encryption/decryption (provide secrecy)– digital signatures (provide authentication)– key exchange (of session keys)

• Public-key cryptosystems are slower than symmetric-key systems.

• So, mainly used for digital signatures and key exchange.

RSA: basic RSA, textbook RSA

Padded-RSA: PKCS #1 v.1.5

Original message

Padded message•

Public-Key Cryptography and RSA

Documents