Public-key cryptography
Based on slides of Prof. Bart Preneel
Dr. F. Vercauteren
Katholieke Universiteit Leuven
7 June 2005
Dr. F. Vercauteren Public-key cryptography Based on slides of Prof. Bart Preneel
Prime numbers
Definition
◮ a prime is an integer > 1 whose only divisors are 1 and the number itself
◮ numbers which are not prime are composites
◮ 1 is neither a prime nor a composite (but a unit)
Every integer > 1 can be written as a product of prime numbers.
Example: 12 = 2 · 2 · 3, 210 = 2 · 3 · 5 · 7
Unique factorisation of integers (fundamental theorem of number theory)
The sieve of Eratosthenes (1)
◮ How does one find all prime numbers ≤ n?
◮ Delete all multiples (≤ n) of all primes 2, 3, 5, 7, . . . up to √n
◮ Method is called sieve of Eratosthenes
The sieve of Eratosthenes (2)
n = 100, √100 = 10 ⇒ sieve with the primes 2, 3, 5, 7
0 1 2 3 4 5 6 7 8 9
10 11 12 13 14 15 16 17 18 19
20 21 22 23 24 25 26 27 28 29
30 31 32 33 34 35 36 37 38 39
40 41 42 43 44 45 46 47 48 49
50 51 52 53 54 55 56 57 58 59
60 61 62 63 64 65 66 67 68 69
70 71 72 73 74 75 76 77 78 79
80 81 82 83 84 85 86 87 88 89
90 91 92 93 94 95 96 97 98 99
The sieve of Eratosthenes (2a)
n = 100, √100 = 10 ⇒ 2, 3, 5, 7 (after deleting the multiples of 2)
0 1 2 3 5 7 9
11 13 15 17 19
21 23 25 27 29
31 33 35 37 39
41 43 45 47 49
51 53 55 57 59
61 63 65 67 69
71 73 75 77 79
81 83 85 87 89
91 93 95 97 99
The sieve of Eratosthenes (2b)
n = 100, √100 = 10 ⇒ 2, 3, 5, 7 (after deleting the multiples of 3)
0 1 2 3 5 7
11 13 17 19
23 25 29
31 35 37
41 43 47 49
53 55 59
61 65 67
71 73 77 79
83 85 89
91 95 97
The sieve of Eratosthenes (2c)
n = 100, √100 = 10 ⇒ 2, 3, 5, 7 (after deleting the multiples of 5)
0 1 2 3 5 7
11 13 17 19
23 29
31 37
41 43 47 49
53 59
61 67
71 73 77 79
83 89
91 97
The sieve of Eratosthenes (2d)
n = 100, √100 = 10 ⇒ 2, 3, 5, 7 (after deleting the multiples of 7: what remains, apart from 0 and 1, are the 25 primes below 100)
0 1 2 3 5 7
11 13 17 19
23 29
31 37
41 43 47
53 59
61 67
71 73 79
83 89
97
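The sieve as shown in the grids above, written out as an added example (this code is not from the slides; all function names are this example's own). `sieve_of_eratosthenes` returns the primes ≤ n, and `sieve_steps` returns the survivors after each sieving prime so the intermediate lists can be compared with grids (2a) to (2d), which keep 0 and 1 in place.

```python
# Added example (not from the slides): the sieve of Eratosthenes as described
# above.  Function names are this example's own.

def sieve_of_eratosthenes(n):
    """Return the list of all primes <= n.

    Mirrors the slide procedure: walk the candidate primes 2, 3, 5, ... up to
    sqrt(n) and strike out their multiples.  0 and 1 are never prime, so they
    are marked non-prime from the start (the slide grids simply leave them).
    """
    if n < 2:
        return []
    is_prime = [True] * (n + 1)
    is_prime[0] = is_prime[1] = False
    p = 2
    while p * p <= n:                     # only primes up to sqrt(n) are needed
        if is_prime[p]:
            # every smaller multiple of p was already struck by a smaller prime
            for multiple in range(p * p, n + 1, p):
                is_prime[multiple] = False
        p += 1
    return [i for i, flag in enumerate(is_prime) if flag]


def sieve_steps(n):
    """Survivor lists after each sieving prime, for comparison with the grids
    (2a)..(2d).  Like the grids, 0 and 1 are left in the list."""
    survivors = list(range(n + 1))
    steps = []
    p = 2
    while p * p <= n:
        if p in survivors:                # p is prime: delete its multiples
            survivors = [x for x in survivors if x < 2 or x == p or x % p != 0]
            steps.append((p, survivors[:]))
        p += 1
    return steps


if __name__ == "__main__":
    for p, remaining in sieve_steps(100):
        print(f"after deleting multiples of {p}: {len(remaining)} numbers left")
    print(sieve_of_eratosthenes(100))
```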
Group (1)
Definition
A group (G, ·) consists of a set G and an operation ·, satisfying
1. associative: a · (b · c) = (a · b) · c, ∀a, b, c ∈ G
2. identity element: ∃1 ∈ G, ∀a ∈ G : a · 1 = 1 · a = a
3. inverse element: ∀a ∈ G, ∃a^{-1} ∈ G : a · a^{-1} = a^{-1} · a = 1
4. commutative (extra): ∀a, b ∈ G : a · b = b · a
Definition
The order of an element a of a group (G, ·) is t, iff t is the smallest positive number such that
a · a · … · a (t factors) = 1
Field
Definition
A field (F, +, ·) consists of a set F and two operations + and ·, satisfying
1. (F, +) is a commutative group, with identity element 0
2. (F \ {0}, ·) is a commutative group, with identity element 1
3. distributive: ∀a, b, c ∈ F : a · (b + c) = (a · b) + (a · c)
Definition
The characteristic of the field is the order of 1 in the group (F, +), or zero if the order is not finite
Modular Arithmetic (1)
◮ Given integers a, b and n ≠ 0
◮ a is congruent to b modulo n ⇔ a − b = k · n for some integer k, i.e. n | a − b
◮ Notation: a ≡ b mod n
Example: 17 ≡ 7 mod 5 since 17 − 7 = 2 · 5
Modular Arithmetic (2)
◮ a ≡ a mod n
◮ a ≡ b mod n ⇔ b ≡ a mod n
◮ a ≡ b mod n and b ≡ c mod n ⇒ a ≡ c mod n
⇝ equivalence relation
Every equivalence class (residue class) can be represented by an element in [0, n − 1]
Convention: a mod n represents the residue of a modulo n in the range [0, n − 1]
Modular Arithmetic (3)
Theorem
Given integers a1, a2:
(a1 + a2) mod n ≡ [a1 mod n + a2 mod n] mod n
(a1 − a2) mod n ≡ [a1 mod n − a2 mod n] mod n
(a1 · a2) mod n ≡ [a1 mod n · a2 mod n] mod n
⇝ the integers modulo n with + and · form a commutative ring
Theorem
For all exponents t:
e^t mod n ≡ [∏_{i=1}^{t} (e mod n)] mod n
Modular Arithmetic (4)
◮ Existence of inverse: given a ∈ [0, n − 1], find x ∈ [0, n − 1] such that a · x mod n ≡ 1
◮ Example: 3 · 7 mod 10 ≡ 21 mod 10 ≡ 1, thus 3 and 7 are each other's inverse modulo 10
Theorem
a ∈ [0, n − 1] has a unique inverse modulo n ⇔ a and n are relatively prime, i.e. gcd(a, n) = 1
◮ ⇝ if n is a prime, all non-zero elements have an inverse
◮ ⇝ the integers modulo p with + and · form a (finite) field
Modular Arithmetic (5): Euclid’s algorithm
Example: 160^{-1} mod 841 ≡ ? Compute gcd(841, 160):
841 = 5 · 160 + 41
160 = 3 · 41 + 37
41 = 1 · 37 + 4
37 = 9 · 4 + 1
⇝ 1 = 37 − 9 · 4 = 37 − 9 · (41 − 1 · 37)
= 10 · 37 − 9 · 41 = 10 · (160 − 3 · 41) − 9 · 41
= 10 · 160 − 39 · 41 = 10 · 160 − 39 · (841 − 5 · 160)
= 205 · 160 − 39 · 841
⇝ 160^{-1} mod 841 ≡ 205 ⇔ 160 · 205 ≡ 1 mod 841
Fermat’s Little Theorem (1)
Let p be a prime, then for each integer a one has:
a^p ≡ a mod p
and for p ∤ a:
a^{p−1} ≡ 1 mod p
⇝ the order of a non-zero element is a divisor of p − 1
Example: p = 11, a = 2, compute 2^{10} mod 11:
2^4 mod 11 ≡ 16 mod 11 ≡ 5
2^8 mod 11 ≡ 5^2 mod 11 ≡ 25 mod 11 ≡ 3
2^{10} mod 11 ≡ 3 · 2^2 mod 11 ≡ 12 mod 11 ≡ 1
Fermat’s Little Theorem (2)
◮ Fermat's little theorem can only be used as a compositeness test
◮ If gcd(a, n) = 1 and a^{n−1} ≢ 1 mod n then n is composite
◮ But: the theorem cannot be used as a primality test
◮ gcd(2, 341) = 1 and 2^{340} ≡ 1 mod 341, but 341 = 11 · 31
Euler ϕ function
Definition
For an integer n > 0, ϕ(n) is the number of non-negative integers less than n which are relatively prime to n, i.e.
ϕ(n) = #{0 < a < n | gcd(a, n) = 1}
◮ p prime: ϕ(p) = p − 1
◮ n = p · q with p, q prime: ϕ(n) = ϕ(p) · ϕ(q) = (p − 1) · (q − 1)
Example: p = 3, q = 5, n = 15
ϕ(15) = (3 − 1) · (5 − 1) = 2 · 4 = 8,
indeed, the numbers co-prime to 15 are {1, 2, 4, 7, 8, 11, 13, 14}
Euler’s generalisation of Fermat’s LT
Theorem
∀a, n with gcd(a, n) = 1:
a^{ϕ(n)} mod n ≡ 1
Solving a · x mod n ≡ 1, with gcd(a, n) = 1:
x = a^{-1} ≡ a^{ϕ(n)−1} mod n
Example: a = 2, n = 15, ϕ(15) = 8
x ≡ a^{ϕ(n)−1} mod n ≡ 2^7 mod 15 ≡ 128 mod 15 ≡ 8,
indeed, 2 · 8 ≡ 1 mod 15
Computing modular inverse
gcd(a, n) = 1: the inverse a^{-1} mod n can be computed
1. As a^{ϕ(n)−1} mod n if the factorisation of n is known
2. Using the generalisation of Euclid's algorithm for the gcd (more efficient than using ϕ(n))
3. Possibly in combination with the Chinese Remainder Theorem (see below)
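The two inversion methods just listed, together with the square-and-multiply exponentiation used in the Fermat example (2^{10} mod 11) and in the 160^{-1} mod 841 computation, as one added example. This code is not from the slides; all function names are this example's own.

```python
# Added example (not from the slides): extended Euclid, the modular inverse
# computed both ways (Euclid vs. Euler's a^(phi(n)-1)), and square-and-multiply.
# Function names are this example's own.

def ext_gcd(a, b):
    """Extended Euclidean algorithm.

    Returns (g, x, y) with g = gcd(a, b) and a*x + b*y = g, obtained by
    running the division steps back, exactly as in the 160/841 example.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def modinv_euclid(a, n):
    """a^-1 mod n via extended Euclid; no inverse exists if gcd(a, n) != 1."""
    g, x, _ = ext_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd = {g}")
    return x % n


def modpow(base, exponent, n):
    """Left-to-right square-and-multiply: one squaring per exponent bit plus
    one multiplication per 1-bit; intermediate values stay below n^2."""
    if exponent < 0:
        raise ValueError("negative exponents: invert first with modinv_*")
    result = 1
    base %= n
    for bit in bin(exponent)[2:]:
        result = (result * result) % n
        if bit == "1":
            result = (result * base) % n
    return result


def phi_of_pq(p, q):
    """Euler's phi for n = p*q with p, q distinct primes: (p-1)(q-1)."""
    return (p - 1) * (q - 1)


def modinv_euler(a, p, q):
    """a^-1 mod p*q as a^(phi(n)-1); only usable when the factorisation of n
    is known, and slower than Euclid since it is a full exponentiation."""
    n = p * q
    g, _, _ = ext_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return modpow(a, phi_of_pq(p, q) - 1, n)


if __name__ == "__main__":
    print(ext_gcd(841, 160))        # (1, -39, 205): 205*160 - 39*841 = 1
    print(modinv_euclid(160, 841))  # 205
    print(modpow(2, 10, 11))        # 1, Fermat's little theorem for p = 11
    print(modinv_euler(2, 3, 5))    # 8, since 2*8 = 16 = 1 mod 15
```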
Chinese Remainder Theorem (CRT) (1)
Let n = 15 = 3 · 5, then every number between 0 and 14 can be represented by unique coordinates (row: residue mod 3, column: residue mod 5):
        0    1    2    3    4
   0    0    6   12    3    9
   1   10    1    7   13    4
   2    5   11    2    8   14
All elements in the 3 × 5 matrix are being used (note gcd(3, 5) = 1)
Chinese Remainder Theorem (CRT) (2)
Is this always the case? Example: Let n = 24 = 4 · 6, then (row: residue mod 4, column: residue mod 6)
          0        1        2        3        4        5
   0    0, 12              8, 20              4, 16
   1             1, 13              9, 21              5, 17
   2    6, 18              2, 14             10, 22
   3             7, 19              3, 15             11, 23
Note gcd(4, 6) ≠ 1: half of the cells stay empty and each used cell holds two numbers, so the coordinates are no longer unique
Theorem
If m1, m2 satisfy gcd(m1, m2) = 1, then one can replace the basis m1 · m2 by the bases m1, m2.
Chinese Remainder Theorem (CRT) (3)
Theorem
Suppose we want to solve a system of congruences to different moduli m_i, with gcd(m_i, m_j) = 1 for i ≠ j:
x ≡ a1 mod m1
x ≡ a2 mod m2
...
x ≡ ar mod mr
Then there exists a simultaneous solution x to all of the congruences, with x ∈ [0, m − 1] where m = m1 · m2 · · · mr.
Chinese Remainder Theorem (CRT) (4)
Application: replace computation modulo m by
1. Computation modulo factors of m that are co-prime
2. Reconstruct the result modulo m
Advantages:
◮ Computations with smaller numbers
◮ FLT: computation with smaller exponents
Example: Decryption operation in RSA (see below)
CRT (5): how to find x?
Special case: m = m1 · m2 (gcd(m1, m2) = 1)
x ≡ a1 mod m1
x ≡ a2 mod m2
◮ First equation equivalent to: ∃k ∈ Z : x = a1 + k · m1
◮ Second equation then implies: x = a1 + k · m1 ≡ a2 mod m2
◮ Determines k mod m2 as k ≡ (a2 − a1) · m1^{-1} mod m2
CRT (6): example
Example: Inverse of 7 modulo 55 = 5 · 11?
7 · x1 ≡ 1 mod 5
7 · x2 ≡ 1 mod 11
◮ Euclid: x1 = 3, x2 = 8
◮ Use CRT to find solution for
x ≡ 3 mod 5
x ≡ 8 mod 11
◮ k = (8 − 3) · 5^{-1} ≡ 5 · 9 ≡ 1 mod 11 ⇒ x = 3 + 1 · 5 = 8, i.e. x ≡ 8 mod 55
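The CRT (5) recombination step and the CRT (6) inverse example, as an added example that also builds the coordinate tables of CRT (1) and (2) and folds the two-modulus step into the general r-modulus theorem of CRT (3). This code is not from the slides; the function names are this example's own, and `pow(a, -1, m)` for the modular inverse is a Python 3.8+ built-in.

```python
# Added example (not from the slides): CRT for two and for r moduli, the
# coordinate matrices of slides CRT (1)/(2), and the inverse of 7 mod 55.
# Function names are this example's own; pow(a, -1, m) needs Python 3.8+.
from math import gcd


def crt2(a1, m1, a2, m2):
    """Unique x in [0, m1*m2 - 1] with x = a1 mod m1 and x = a2 mod m2.

    Follows the slide: x = a1 + k*m1 with k = (a2 - a1) * m1^-1 mod m2.
    """
    if gcd(m1, m2) != 1:
        raise ValueError(f"moduli {m1} and {m2} are not co-prime")
    k = ((a2 - a1) * pow(m1, -1, m2)) % m2
    return (a1 + k * m1) % (m1 * m2)


def crt(residues, moduli):
    """Solve x = a_i mod m_i for pairwise co-prime m_i by folding crt2."""
    x, m = 0, 1
    for a_i, m_i in zip(residues, moduli):
        x = crt2(x, m, a_i, m_i)
        m *= m_i
    return x


def coordinate_matrix(m1, m2):
    """Place each x in [0, m1*m2 - 1] at row x mod m1, column x mod m2.

    Each cell is the list of numbers with those coordinates: exactly one per
    cell when gcd(m1, m2) = 1, otherwise empty and doubly-filled cells as in
    the slide's 4 x 6 table.
    """
    cells = [[[] for _ in range(m2)] for _ in range(m1)]
    for x in range(m1 * m2):
        cells[x % m1][x % m2].append(x)
    return cells


def inverse_via_crt(a, m1, m2):
    """a^-1 mod m1*m2 from the inverses modulo the two factors (slide CRT (6))."""
    return crt2(pow(a, -1, m1), m1, pow(a, -1, m2), m2)


if __name__ == "__main__":
    print(inverse_via_crt(7, 5, 11))        # 8, since 7 * 8 = 56 = 1 mod 55
    for row in coordinate_matrix(3, 5):
        print([cell[0] for cell in row])    # the 3 x 5 table of slide CRT (1)
    for row in coordinate_matrix(4, 6):
        print(row)                          # the 4 x 6 table of slide CRT (2)
```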
Primes revisited (1)
◮ Are the primes randomly distributed?
◮ How many primes are there of a given length?
◮ How can one test whether a number is prime?
Theorem
The number of primes smaller than x is asymptotically:
π(x) ≈ x / ln x
Example: Number of 512-bit primes: π(2^{512}) − π(2^{511}) ≈ 2^{502.5}
◮ 1 in 355 512-bit numbers is prime
◮ 1 in 178 odd 512-bit numbers is prime
◮ 1 in 118 512-bit odd numbers that are not a multiple of 3 is prime
Primes revisited (2)
prime test ≠ generation of primes
◮ TEST: given p, verify whether p is prime
◮ GENERATION: given [r1, r2], find a prime in this interval
Definition
Let s be an integer satisfying
b^{s−1} ≡ 1 mod s, for some b, 1 < b < s
then s is called a basis-b-pseudoprime (notation: b-psp)
Theorem (Fermat's Little Theorem)
If s is prime and gcd(b, s) = 1, then s is a b-psp
Primes revisited (3)
Definition
Let s be an odd integer with
s − 1 = 2^v · s′, s′ odd
then s is a strong basis-b-pseudoprime (notation: strong b-psp) if either
b^{s′} ≡ 1 mod s
or
b^{2^k · s′} ≡ −1 mod s, for an integer k, 0 ≤ k < v
Miller-Rabin prime test
◮ If for a given basis b, 1 < b < s, s is not a strong b-psp, then s is a composite
◮ If s is a composite, then there are at least 3(s − 1)/4 such bases [Rabin 1976, Monier 1978]
◮ If s is prime, then for all 0 < b < s, s is a strong b-psp
◮ Leads to Miller-Rabin prime test, i.e. for random bases b, test if s is a strong b-psp
◮ Each round fails with probability at most 1/4, so repeated application makes the error exponentially small
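The Fermat compositeness test of slide Fermat's Little Theorem (2), the strong b-psp check, the Miller-Rabin test built on it and a prime generator for an interval (the GENERATION task of Primes revisited (2)), as one added example that is not from the slides. Function names are this example's own; the test uses the slide's 341 = 11 · 31, which passes Fermat with base 2 but fails the strong test with the same base.

```python
# Added example (not from the slides): Fermat's compositeness test, the strong
# pseudoprime check, Miller-Rabin, and prime generation in an interval.
# Function names are this example's own.
import random
from math import gcd


def fermat_witnesses_composite(n, a):
    """True if base a proves n composite: gcd(a, n) = 1 but a^(n-1) != 1 mod n.
    False only says n is an a-psp; for n = 341 = 11 * 31 and a = 2 that is
    no proof of primality."""
    if gcd(a, n) != 1:
        return True                     # a shared factor proves compositeness too
    return pow(a, n - 1, n) != 1


def is_strong_probable_prime(s, b):
    """Strong b-psp test: write s - 1 = 2^v * s' with s' odd and accept iff
    b^s' = 1 or b^(2^k s') = -1 mod s for some 0 <= k < v."""
    if s < 3 or s % 2 == 0:
        return s == 2
    v, s_odd = 0, s - 1
    while s_odd % 2 == 0:
        v += 1
        s_odd //= 2
    x = pow(b, s_odd, s)
    if x == 1 or x == s - 1:
        return True
    for _ in range(v - 1):              # k = 1 .. v-1
        x = (x * x) % s
        if x == s - 1:
            return True
    return False


def miller_rabin(s, rounds=20, rng=None, bases=None):
    """s passes iff it is a strong b-psp for every tried base b.  A composite
    survives one random base with probability <= 1/4, so `rounds` random
    bases leave an error of at most 4^-rounds."""
    if s < 4:
        return s in (2, 3)
    if s % 2 == 0:
        return False
    rng = rng or random.SystemRandom()
    if bases is None:
        bases = [rng.randrange(2, s - 1) for _ in range(rounds)]
    return all(is_strong_probable_prime(s, b) for b in bases)


def generate_prime(r1, r2, rng=None, rounds=20):
    """GENERATION as opposed to TEST: draw odd candidates from [r1, r2] until
    one passes Miller-Rabin (drawing only odd numbers is why about 1 in 178
    tries succeeds for 512-bit candidates)."""
    rng = rng or random.SystemRandom()
    lo = r1 | 1                         # first odd number >= r1
    if lo > r2:
        raise ValueError("interval contains no odd number")
    for _ in range(100 * (r2.bit_length() + 1)):
        candidate = rng.randrange(lo, r2 + 1, 2)
        if miller_rabin(candidate, rounds, rng):
            return candidate
    raise RuntimeError("no prime found; interval may contain none")


if __name__ == "__main__":
    print(fermat_witnesses_composite(341, 2))   # False: 341 is a 2-psp
    print(is_strong_probable_prime(341, 2))     # False: but not a strong 2-psp
    print(miller_rabin(341))                    # False
    print(generate_prime(2 ** 511, 2 ** 512 - 1).bit_length())   # 512
```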
One-way functions
Definition
f : X → Y : x ↦ f(x) = y is a one-way function ⇔
◮ ∀x ∈ X, f(x) is easy to compute
◮ Given y ∈ Y, finding an x ∈ X with f(x) = y is a hard problem (computationally infeasible)
Note: do such functions exist? = open problem
Candidate One-way functions
Multiplication: given p, q, compute n = p · q
◮ Inverse problem: given a large n, product of 2 primes of about the same size, find these primes
Modular exponentiation: given a, n with a ∈ [1, n − 1], a^m mod n can be computed efficiently (square and multiply)
◮ Inverse problem (= discrete logarithm): given a, n and b, find x such that a^x mod n ≡ b
One-way functions: example
Example: 5^4 mod 21 ≡ 16, ⇝ 4 is the discrete log of 16 w.r.t. the basis 5 modulo 21
But: there is no general polynomial time (efficient) algorithm to compute discrete logs
One-way functions:
◮ Cannot be used directly for encryption, because Bob cannot recover m from f(m)
◮ Useful for Diffie-Hellman key agreement protocol and the protection of passwords
Trapdoor one-way functions
Definition
One-way functions which can be inverted using additional information, i.e. the trapdoor information
Example:
◮ Let n = p · q, consider modular exponentiation modulo n: b = a^e mod n
◮ Inverse operation: e-th root of b
◮ Given p and q the inverse operation is easy, so p (and q) are the trapdoor information
Public-key agreement: Diffie-Hellman
Agree on a secret key using commutative one-way functions
Alice: Y_A = f_A(Z)
Alice → Bob: Y_A
Bob: Y_B = f_B(Z)
Bob → Alice: Y_B
Alice: K_AB = f_A(Y_B) = f_A(f_B(Z))    Bob: K_BA = f_B(Y_A) = f_B(f_A(Z))
Diffie-Hellman with discrete log (1)
Choose a large prime number p and a generator α mod p
Alice: x_A ∈_R [1, p − 1], computes α^{x_A}
Alice → Bob: α^{x_A}
Bob: x_B ∈_R [1, p − 1], computes α^{x_B}
Bob → Alice: α^{x_B}
Alice: K_AB = (α^{x_B})^{x_A}    Bob: K_BA = (α^{x_A})^{x_B}
Note: all calculations mod p
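The exchange above with both sides' messages, as an added example that is not from the slides. It also checks the precondition the slide states in one word, that α is a generator mod p, for the case where p is a safe prime (the setting of the Discrete log problem slide below). Function names and the toy parameters p = 23, α = 5 are this example's own assumptions.

```python
# Added example (not from the slides): Diffie-Hellman mod p with a generator
# check for safe primes.  Function names and the toy p = 23 are this
# example's own.
import secrets


def is_generator_safe_prime(p, alpha):
    """For a safe prime p = 2q + 1 the only proper subgroup orders are 1, 2
    and q, so alpha generates all of GF(p)^* iff alpha^2 != 1 and
    alpha^q != 1 mod p."""
    q = (p - 1) // 2
    a = alpha % p
    return a not in (0, 1, p - 1) and pow(a, 2, p) != 1 and pow(a, q, p) != 1


def dh_keypair(p, alpha, rng=secrets):
    """Private exponent x in [1, p-1] from a secure RNG and the public value
    alpha^x mod p that goes over the (authenticated) channel."""
    x = 1 + rng.randbelow(p - 1)
    return x, pow(alpha, x, p)


def dh_shared_key(p, their_public, my_private):
    """K = (alpha^x_other)^x_mine mod p; both sides obtain the same value."""
    return pow(their_public, my_private, p)


def dh_exchange(p, alpha, x_a, x_b):
    """Run both sides with given exponents; returns messages and both keys."""
    y_a = pow(alpha, x_a, p)             # Alice -> Bob
    y_b = pow(alpha, x_b, p)             # Bob -> Alice
    k_ab = dh_shared_key(p, y_b, x_a)    # Alice's computation
    k_ba = dh_shared_key(p, y_a, x_b)    # Bob's computation
    return {"Y_A": y_a, "Y_B": y_b, "K_AB": k_ab, "K_BA": k_ba}


if __name__ == "__main__":
    p, alpha = 23, 5                     # toy safe prime, 23 = 2 * 11 + 1
    assert is_generator_safe_prime(p, alpha)
    print(dh_exchange(p, alpha, 6, 15))  # Y_A = 8, Y_B = 19, K = 2
    x_a, y_a = dh_keypair(p, alpha)
    x_b, y_b = dh_keypair(p, alpha)
    print(dh_shared_key(p, y_b, x_a) == dh_shared_key(p, y_a, x_b))   # True
```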
Diffie-Hellman with discrete log (2)
◮ How to find K_AB from Y_A and Y_B, i.e. α^{x_A · x_B} from α^{x_A} mod p and α^{x_B} mod p?
◮ Only known solution: find x_A from α^{x_A} or x_B from α^{x_B} (= DLP in GF(p))
◮ Other algorithm? Currently not very likely . . .
Definition
The Diffie-Hellman assumption: given α^{x_A} and α^{x_B}, it is hard to compute α^{x_A · x_B}
Diffie-Hellman with discrete log (3)
◮ If the Diffie-Hellman assumption is true, then the key agreement is secure (bar authentication)
◮ Diffie-Hellman problem cannot be harder than the discrete logarithm problem
◮ Many groups: DHP equivalent with DLP, i.e. given an oracle to solve DHP, also possible to solve DLP
Discrete log problem
Discrete log in GF(p):
◮ Hard if p is a 'safe prime': (p − 1)/2 prime, else Pohlig-Hellman
◮ Security: 512 bits ≃ 1 month, 1024 bits ≃ 5 . . . 6 years
◮ Algorithms: index calculus algorithms exploiting the representation of elements, e.g. general number field sieve
Discrete logs in other groups:
◮ Diffie-Hellman only needs the group structure
◮ Less algebraic structure implies that the logarithm is probably harder
◮ Example: Group of points on an elliptic curve over a finite field
Public-key encryption (1)
Send a confidential message protected with a public key (trapdoor one-way functions):
D_{S_B}[E_{P_B}(m)] = m
[Figure: Bob owns the key pair (P_B, S_B); his public key P_B reaches the sender over an authentic channel; the plaintext P is encrypted (E) under P_B into the ciphertext C, which Bob decrypts (D) with S_B]
Public-key encryption (2): notions of security
Perfect security = information theoretic security:
◮ Adversary with infinite computing power can learn nothing about the plaintext given the ciphertext
◮ Shannon: key is as long as message, key only used once
◮ Not useful for public key cryptography
Semantic security:
◮ Like perfect security, but with polynomially bounded computing power
◮ Ciphertext does not leak any information about the plaintext
◮ Hard to use in practice
Public-key encryption (3): notions of security
Polynomial security = indistinguishability of encryptions:
◮ Definition according to the following game:
1. Adversary A is given the encryption function f_y with y the public key
2. Find stage: A produces two plaintext messages m0 and m1
3. Guess stage: A is given the encryption c_b of one of the plaintext messages m0 or m1
4. Goal: A has to guess the value of b with probability greater than 1/2
◮ Note: a deterministic encryption function can never be polynomially secure
Public-key encryption (4): attack models
Passive attack = CPA:
◮ Adversary has access to a black box performing encryption, but not decryption
◮ Always possible in a public-key system
Chosen ciphertext attack = CCA1:
◮ Adversary has access to a black box performing decryption, during the find stage only (not the guess stage)
Adaptive chosen ciphertext attack = CCA2:
◮ Adversary has access to a black box performing decryption, during both the find and the guess stage, except to decrypt the ciphertext c_b
Public-key encryption (5): definition of security
Definition
A public key encryption algorithm is called secure if it is semantically secure against an adaptive chosen ciphertext attack
◮ In many cases, much easier to prove that an encryption algorithm is IND-CCA2 secure
◮ In practice, IND-CCA2 is used as the definition of security
◮ None of the textbook public key encryption algorithms is IND-CCA2 secure!
Public-key encryption (6): further notions of security
Non-malleability:
◮ Given a plaintext/ciphertext pair (m, c), impossible to determine a valid ciphertext c′ on a related message m′
◮ A malleable encryption scheme is not secure against an adaptive chosen ciphertext attack
Plaintext aware:
◮ Very strong notion of security
◮ Computationally infeasible to construct a valid ciphertext without starting from a plaintext
◮ Implies that a decryption oracle is useless, since one cannot construct valid ciphertexts
RSA (1): description
Key generation
◮ Find 2 primes p and q of ± 155 digits and set n = p · q
◮ Compute λ(n) = lcm(p − 1, q − 1) = ϕ(n) / gcd(p − 1, q − 1)
◮ Choose e co-prime to λ(n) (e ≠ ±1)
◮ Compute d = e^{-1} mod λ(n)
public key = (e, n)
private key = (d, n) or (p, q)
◮ Encryption: c = m^e mod n
◮ Decryption: m = c^d mod n
RSA (2): example
◮ p = 19, q = 23, n = 437, e = 13
◮ λ(437) = 18 · 22 / gcd(18, 22) = 9 · 22 = 198
◮ d = e^{-1} mod 198 (and NOT mod 437 !!!!)
◮ Euclid's algorithm gives: d = 61
Let the message be m = 123, then
◮ Encryption: c = 123^{13} mod 437 = 386
◮ Decryption: 386^{61} mod 437 = 123 = m
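The RSA description and this worked example in code, as an added example that is not from the slides. Besides key generation with λ(n), encryption and decryption, it carries out the CRT decryption that slide RSA (3) mentions as the 2.5 to 3× speed-up, checks the homomorphic property that slides RSA (7) and (9) refer to, and performs the p, q recovery from ϕ(n) of slide RSA (6). Function names are this example's own; `pow(e, -1, m)` needs Python 3.8+.

```python
# Added example (not from the slides): textbook RSA with the slide's toy
# numbers p = 19, q = 23, e = 13.  Function names are this example's own;
# pow(e, -1, m) needs Python 3.8+.
from math import gcd, isqrt


def rsa_keygen(p, q, e):
    """Key generation with lambda(n) = lcm(p-1, q-1), as on slide RSA (1)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1 or e % lam in (1, lam - 1):
        raise ValueError("e must be co-prime to lambda(n) and != +-1")
    d = pow(e, -1, lam)                 # d = e^-1 mod lambda(n), NOT mod n
    return {"n": n, "e": e, "d": d, "p": p, "q": q, "lam": lam}


def rsa_encrypt(key, m):
    return pow(m, key["e"], key["n"])


def rsa_decrypt(key, c):
    return pow(c, key["d"], key["n"])


def rsa_decrypt_crt(key, c):
    """Same result as rsa_decrypt, but two half-size exponentiations (the
    exponent reduced mod p-1 and q-1 by FLT) plus one CRT recombination."""
    p, q, d = key["p"], key["q"], key["d"]
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)
    h = (pow(q, -1, p) * (m_p - m_q)) % p
    return m_q + h * q


def homomorphic(key, m1, m2):
    """RSA(m1) * RSA(m2) = RSA(m1 * m2) mod n: the property that makes
    unpadded RSA malleable and motivates padding (slides RSA (7), (9))."""
    n = key["n"]
    product = (rsa_encrypt(key, m1) * rsa_encrypt(key, m2)) % n
    return product == rsa_encrypt(key, (m1 * m2) % n)


def factor_from_phi(n, phi):
    """p, q from n and phi(n): p + q = n - phi + 1, so p and q are the roots
    of X^2 - (p+q) X + n (slide RSA (6)).  None if phi is not phi(n)."""
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (s - root) % 2:
        return None
    p, q = (s - root) // 2, (s + root) // 2
    return (p, q) if p * q == n else None


if __name__ == "__main__":
    key = rsa_keygen(19, 23, 13)
    print(key["lam"], key["d"])               # 198 61
    c = rsa_encrypt(key, 123)
    print(c, rsa_decrypt(key, c), rsa_decrypt_crt(key, c))   # 386 123 123
    print(homomorphic(key, 123, 2))           # True
    print(factor_from_phi(437, 18 * 22))      # (19, 23)
```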
RSA (3): implementation aspects
◮ Choose a small public exponent with low Hamming weight, e.g. e = 3, 2^{12} + 3, 2^{16} + 1 for faster encryption; security is questionable for encryption
◮ Do not use small private exponents (see below)
◮ p, q known by the owner of the private key, so faster modular exponentiation with CRT (2.5 . . . 3×)
◮ Miller-Rabin used as prime test for p and q
◮ Much slower than DES, e.g. SW 200 MHz Pentium Pro:
  ◮ DES: 35 Mbit/s, AES: 70 Mbit/s
  ◮ 1024-bit RSA encryption: 250 Kbit/s (32-bit exponent)
  ◮ 1024-bit RSA decryption: 30 Kbit/s
RSA (4): proof
To be shown: e · d ≡ 1 mod λ(n) ⇒ m^{ed} ≡ m mod n
Case 1: gcd(m, n) = 1
◮ (p − 1) | λ(n) and (q − 1) | λ(n)
◮ By FLT, we therefore have m^{λ(n)} ≡ 1 mod p and m^{λ(n)} ≡ 1 mod q
◮ Write ed = 1 + k · λ(n) with k ∈ Z, then m^{ed} = m · (m^{λ(n)})^k ≡ m mod p and m^{ed} ≡ m mod q
◮ By CRT, m^{ed} ≡ m mod pq
RSA (5): proof
Case 2: gcd(m, n) ≠ 1, so p | m or q | m
◮ Note that if p | m, then m ≡ 0 mod p, so m^{ed} ≡ m mod p
◮ If p ∤ m, then the same reasoning as in case 1 holds
⇒ m^{ed} ≡ m mod p and m^{ed} ≡ m mod q
◮ By CRT, m^{ed} ≡ m mod pq
RSA (6): security in practice
◮ Best known attack: simply factor n
◮ Security: 512 bits ≃ less than a month, 1024 bits ≃ 5 years
◮ Choice of 'strong' primes p and q, i.e. p − 1 and q − 1 need a 'large' prime factor
◮ Computing λ(n) is equivalent to factoring n
Example: Simple proof if one can find ϕ(n):
◮ n − ϕ(n) + 1 = p + q and pq = n ⇝ p and q (the two roots of X^2 − (p + q) · X + pq)
RSA (7): security in practice
◮ Need to use a padding scheme, else exploit of the homomorphic property
◮ Each user needs to have a different modulus
◮ Small secret exponents d are not secure (< 29% of the modulus length)
◮ Partial key exposure attacks . . .
◮ Chosen ciphertext attack on PKCS#1 v1.5 based on error messages (needs 300 000 to 2 000 000 ciphertexts)
◮ Currently, PKCS#1 v2.1 based on Optimal Asymmetric Encryption Padding (OAEP)
◮ But OAEP also has its problems: move to RSA-KEM.
RSA (8): security in practice
Problems of small public exponent e (for encryption):
◮ If a fraction (e − 1)/e of the plaintext bits is known, the remaining bits can be determined
◮ If an identical plaintext is sent to e users (with moduli n1, n2, . . . , ne): c_i ≡ m^e mod n_i
with CRT (the n_i are relatively prime)
c̃ ≡ m^e mod n1 · n2 · · · ne
m^e < n1 · n2 · · · ne hence solving for m is easy
Note: can be extended to different but 'related' messages
RSA (9): exercises
The purpose of this exercise is to show that textbook RSA is not secure at all:
◮ Show that textbook RSA cannot be polynomially secure
◮ Show that RSA is malleable
◮ Given (m, c) derive the encryption of 2m using an adaptively chosen ciphertext attack
Factorisation records
Factoring n or computing discrete logs mod n: O(L_n[1/3, 1.902])
L_n[a, b] = exp[(b + O(1)) · (ln n)^a · (ln ln n)^{1−a}]
year   # digits   computing effort
1984      71         0.1 MY
1989     105         ?
1992     110          75 MY
1994     129        5000 MY
1996     130        1000 MY
1999     140        2000 MY
1999     155        8400 MY
2003     174       48640 MY
2005     200      165000 MY
ElGamal encryption (1)
Key generation:
◮ Parameters: (safe) prime p and generator α of GF(p)^×
◮ Private key: x (1 < x < p − 1)
◮ Public key: y = α^x mod p
Encryption:
◮ Generate random k (1 < k < p − 1) with gcd(k, p − 1) = 1
◮ r = α^k mod p (k and r are the ephemeral key pair)
◮ s = y^k · m mod p (0 ≤ m ≤ p − 1)
◮ Ciphertext: c = (r, s)
Decryption:
◮ m = s · r^{−x} mod p
◮ Indeed: r^{−x} = α^{−kx} = y^{−k} mod p
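ElGamal encryption exactly as on this slide, as an added example that is not from the slides. The ephemeral k is drawn from the `secrets` module as the next slide's "secure random number generator" requirement asks; a fixed k can be passed in to reproduce a hand computation. Function names and the toy parameters p = 23, α = 5 are this example's own assumptions.

```python
# Added example (not from the slides): ElGamal encryption over the toy group
# p = 23, alpha = 5.  Function names are this example's own; pow(a, -1, p)
# needs Python 3.8+.
import secrets
from math import gcd


def elgamal_keygen(p, alpha, x):
    """Private key x with 1 < x < p-1, public key y = alpha^x mod p."""
    if not 1 < x < p - 1:
        raise ValueError("x out of range")
    return {"p": p, "alpha": alpha, "y": pow(alpha, x, p)}, x


def elgamal_encrypt(pub, m, k=None):
    """Ciphertext (r, s) = (alpha^k, y^k * m) mod p with gcd(k, p-1) = 1.
    k is fresh and random per message unless the caller fixes it."""
    p, alpha, y = pub["p"], pub["alpha"], pub["y"]
    if not 0 <= m <= p - 1:
        raise ValueError("m out of range")
    if k is None:
        while True:
            k = 2 + secrets.randbelow(p - 3)      # k in [2, p-2]
            if gcd(k, p - 1) == 1:
                break
    elif not (1 < k < p - 1 and gcd(k, p - 1) == 1):
        raise ValueError("k must satisfy 1 < k < p-1 and gcd(k, p-1) = 1")
    r = pow(alpha, k, p)
    s = (pow(y, k, p) * m) % p
    return r, s


def elgamal_decrypt(pub, x, ciphertext):
    """m = s * r^-x mod p, since r^-x = alpha^-kx = y^-k mod p."""
    p = pub["p"]
    r, s = ciphertext
    r_inv_x = pow(pow(r, x, p), -1, p)           # (r^x)^-1 = r^-x
    return (s * r_inv_x) % p


if __name__ == "__main__":
    pub, x = elgamal_keygen(23, 5, 6)
    print(pub["y"])                               # 8
    print(elgamal_encrypt(pub, 7, k=3))           # (10, 19)
    print(elgamal_decrypt(pub, x, (10, 19)))      # 7
    print(elgamal_encrypt(pub, 7), elgamal_encrypt(pub, 7))   # random k each time
```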
ElGamal encryption (2)
◮ Security relies on the discrete log problem and not on factoring
◮ Ciphertext twice as long as the plaintext
◮ Secure random number generator required for k
◮ Non-deterministic encryption: the same plaintext will always result in different ciphertexts
Hybrid systems
For encryption:
◮ triple-DES or AES: parties need to share a secret key
◮ RSA: too slow for bulk data (1000 times slower)
Definition
Hybrid systems: public-key system to agree on the secret key, which is then used as the secret key in a conventional system (such as triple-DES or AES) to encrypt the bulk information
Digital signatures (1)
Authentication:
◮ Data integrity: authentication of content
◮ Data origin authentication: authentication of sender
Digital signature:
◮ Can be verified by a third party (such as a judge)
◮ 2 operations: sign and verify
Digital signatures (2)
[Figure: Alice owns the key pair (P_A, S_A); she signs (S) the plaintext P with S_A, and the verifier, who obtained P_A over an authentic channel, checks (V) the signature with P_A]
Digital signatures: security notions
The following types of forgery are commonly used:
1. Total break: adversary can produce signatures on any message, as if she was the valid key holder (basically has the private key)
2. Selective forgery: adversary can forge a signature on a single message chosen by someone else with high probability
3. Existential forgery: adversary can forge a signature on a single message, even a random message is OK
Digital signatures: attack models
Key only attack:
◮ Adversary has access to the verification function (is public anyway)
Known message attack:
◮ Adversary has a list of messages previously signed by the key holder
Chosen message attack:
◮ Adversary has access to a signing oracle
Digital signatures algorithms
◮ RSA: advised to use different key pairs for encryption and signing in one system
◮ ElGamal signature (1985) and variants (1989, . . . )
◮ DSA (Digital Signature Algorithm), FIPS 186 (1994) and variants such as elliptic curve DSA (ECDSA)
◮ QUARTZ (based on the MQ problem)
Digital signature standards: ISO/IEC 9796, ISO/IEC 14888
Digital signatures with RSA (with recovery)
For short messages (up to 50 . . . 80 bytes):
◮ Signer uses a padding scheme to add redundancy to the message m, giving m′
◮ Signing operation: c = m′^d mod n
◮ Verifier computes c^e mod n (= m′) and checks the redundancy
◮ Verifier recovers m from m′
Goal of the padding scheme:
◮ Avoid small messages: no reduction
◮ Otherwise all ciphertexts c would be valid signatures
◮ Homomorphic property: RSA(m1 · m2) = RSA(m1) · RSA(m2)
◮ After two signatures, one can forge a third one, . . .
Digital signature with RSA (without recovery)
For long messages: hash, then sign
[Figure: the signer hashes the message ("Where dips the rocky highland of Sleuth Wood in the lake, ...") and signs the hash value with S_A, giving the signature 12239215682364; the verifier hashes the received message, applies the verification with P_A to the received signature, and compares the two: OK?]
Digital signature with RSA: padding schemes
Many padding schemes have been broken!
◮ ISO/IEC 9796-1 has been withdrawn in 2000
◮ ISO/IEC 9796-2 is suspicious (only for restricted applications)
◮ PKCS#1 is still not broken, but several revisions (current version 2.1)
◮ PSS,  PSS-R: provably secure signing
Note: attacks require chosen texts, which may or may not be realistic
DSA (1) (Digital Signature Algorithm) (1994)
Specification in FIPS 186
Key generation:
◮ General system parameters: prime p and 160-bit prime q, with q | (p − 1)
◮ Generator α of the group of order q
◮ Every user has:
  ◮ Private key: x (1 < x < q − 1)
  ◮ Public key: y = α^x mod p
Note: parameters have to be generated as described (complex algorithm) in order to avoid certain attacks
DSA (2) (Digital Signature Algorithm)
Signing:
◮ Message m (0 ≤ m ≤ q − 1)
◮ Ephemeral key, i.e. choose a random number k (1 < k < q), compute r = (α^k mod p) mod q
◮ Compute s = (m + x · r) · k^{-1} mod q
◮ Signature = (r, s) (if r or s = 0, choose a new value for k)
Verification:
◮ Compute w = s^{-1} mod q and verify whether
r = (α^{m·w} · y^{r·w} mod p) mod q
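DSA signing and verification as specified on the two slides above, as an added example that is not from the slides. It includes the two checks the slide states in passing: a new k is required when r or s is 0, and α must have order exactly q. Function names and the toy parameters p = 23, q = 11, α = 2 (α has order 11 since 2^{11} ≡ 1 mod 23) are this example's own assumptions; real DSA needs the FIPS 186 sizes and parameter generation procedure.

```python
# Added example (not from the slides): DSA over toy parameters p = 23, q = 11,
# alpha = 2.  Function names are this example's own; pow(a, -1, q) needs
# Python 3.8+.
import secrets


def dsa_params(p, q, alpha):
    """Check q | p-1 and that alpha has order exactly q (q prime assumed)."""
    if (p - 1) % q != 0 or alpha % p == 1 or pow(alpha, q, p) != 1:
        raise ValueError("bad parameters: need q | p-1 and ord(alpha) = q")
    return {"p": p, "q": q, "alpha": alpha}


def dsa_keygen(params, x):
    """Private key x with 1 < x < q-1, public key y = alpha^x mod p."""
    p, q, alpha = params["p"], params["q"], params["alpha"]
    if not 1 < x < q - 1:
        raise ValueError("x out of range")
    return pow(alpha, x, p)


def dsa_sign(params, x, m, k=None):
    """(r, s) with r = (alpha^k mod p) mod q and s = (m + x r) k^-1 mod q.

    r = 0 or s = 0 means k must be replaced: a random k is simply redrawn,
    a caller-supplied k is rejected.
    """
    p, q, alpha = params["p"], params["q"], params["alpha"]
    if not 0 <= m <= q - 1:
        raise ValueError("m out of range (sign the hash reduced mod q)")
    if k is not None and not 1 < k < q:
        raise ValueError("k must satisfy 1 < k < q")
    while True:
        kk = k if k is not None else 2 + secrets.randbelow(q - 2)   # [2, q-1]
        r = pow(alpha, kk, p) % q
        s = ((m + x * r) * pow(kk, -1, q)) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("this k gives r or s = 0, choose another")


def dsa_verify(params, y, m, signature):
    """Accept iff 0 < r, s < q and r = (alpha^(m w) * y^(r w) mod p) mod q."""
    p, q, alpha = params["p"], params["q"], params["alpha"]
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(alpha, (m * w) % q, p) * pow(y, (r * w) % q, p)) % p
    return v % q == r


if __name__ == "__main__":
    params = dsa_params(23, 11, 2)
    y = dsa_keygen(params, 7)
    print(y)                                   # 13
    print(dsa_sign(params, 7, 5, k=3))         # (8, 2)
    print(dsa_verify(params, y, 5, (8, 2)))    # True
    print(dsa_verify(params, y, 6, (8, 2)))    # False: message changed
```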
DSA (3) (Digital Signature Algorithm)
◮ Security of the generation of the ephemeral key k is paramount
◮ Howgrave-Graham & Smart: if you know 3 bits of k for 100 signatures, can easily recover the secret key
◮ Based on lattice reduction techniques to solve the hidden number problem
◮ Some implementations always use small k . . .
DSA versus RSA
◮ Discrete log/factoring: ± equivalent
◮ Advantage DSA: some operations mod q, shorter signature, r can be precomputed
◮ Disadvantage DSA: cannot be used for encryption!
◮ Disadvantage DSA: verification of signature slower than signing
◮ RSA: patent expired in 2000, DSA: US government has a patent but currently license-free
Future: discrete log in different algebraic structures, such as the group of an elliptic curve over GF(p). Important advantage is that shorter keys could be sufficient (200 bits)