Public-Key Cryptography and RSA

Page 1: Public-Key Cryptography and RSA

Public-Key Cryptography and RSA

CSE 651: Introduction to Network Security

Page 2: Public-Key Cryptography and RSA

Abstract

• We will discuss

– The concept of public-key cryptography

– RSA algorithm

– Attacks on RSA

• Suggested reading:

– Sections 4.2, 4.3, 8.1, 8.2, 8.4

– Chapter 9


Page 3: Public-Key Cryptography and RSA

Public-Key Cryptography

• Also known as asymmetric-key cryptography.

• Each user has a pair of keys: a public key and a private key.

• The public key is used for encryption.

– The key is known to the public.

• The private key is used for decryption.

– The key is only known to the owner.


Page 4: Public-Key Cryptography and RSA

(Figure: Bob and Alice.)

Page 5: Public-Key Cryptography and RSA

Why Public-Key Cryptography?

• Developed to address two main issues:

– key distribution

– digital signatures

• Invented by Whitfield Diffie & Martin Hellman 1976.


Page 6: Public-Key Cryptography and RSA

Many public-key cryptosystems are based on trapdoor one-way functions.

One-way function with trapdoor:

Easy: f: x → y

Hard: f^{-1}: y → x

Easy with the trapdoor: f^{-1}: y → x

Use the trapdoor as the private key.

Page 7: Public-Key Cryptography and RSA

Modular Arithmetic

Mathematics used in RSA (Sections 4.2, 4.3, 8.1, 8.2, 8.4)

Page 8: Public-Key Cryptography and RSA

Integers

a | b: a divides b, a is a divisor of b.

gcd(a, b): greatest common divisor of a and b.

Coprime or relatively prime: gcd(a, b) = 1.

Euclid's algorithm: computes gcd(a, b).

Extended Euclid's algorithm: computes integers x and y such that ax + by = gcd(a, b).

Page 9: Public-Key Cryptography and RSA

Euclidean Algorithm

Comment: compute gcd(a, b), where a ≥ b ≥ 1.

r_0 := a

r_1 := b

for i := 1, 2, ... until r_n = 0

    r_{i+1} := r_{i-1} mod r_i

return (r_{n-1})

Page 10: Public-Key Cryptography and RSA

Extended Euclidean Algorithm: Example

gcd(299, 221) = ?

299 = 1 · 221 + 78

221 = 2 · 78 + 65

78 = 1 · 65 + 13

65 = 5 · 13 + 0

gcd(299, 221) = 13

13 = 78 − 1 · 65

   = 78 − (221 − 2 · 78) = 3 · 78 − 221

   = 3 · (299 − 221) − 221 = 3 · 299 − 4 · 221

So x = 3 and y = −4.

Page 11: Public-Key Cryptography and RSA

Group

A group, denoted by (G, ·), is a set G with a binary operation · : G × G → G such that

1. (a · b) · c = a · (b · c) (associative)

2. ∃ e ∈ G s.t. ∀ x ∈ G, x · e = e · x = x (identity)

3. ∀ x ∈ G, ∃ y ∈ G s.t. x · y = y · x = e (inverse)

A group (G, ·) is abelian if ∀ x, y ∈ G, x · y = y · x.

Examples: (Z, +), (Q, +), (Q \ {0}, ·), (R, +), (R \ {0}, ·).

Page 12: Public-Key Cryptography and RSA

Integers modulo n

Let n ≥ 2 be an integer.

Def: a is congruent to b modulo n, written a ≡ b (mod n), if n | (a − b), i.e., a and b have the same remainder when divided by n.

Note: a ≡ b (mod n) and a mod n are different.

Def: [a]_n = all integers congruent to a modulo n.

[a]_n is called a residue class modulo n, and a is a representative of that class.

Page 13: Public-Key Cryptography and RSA

[a]_n = [b]_n if and only if a ≡ b (mod n).

There are exactly n residue classes modulo n: [0], [1], [2], ..., [n − 1].

If x ∈ [a], y ∈ [b], then x + y ∈ [a + b] and xy ∈ [ab].

Define addition and multiplication for residue classes:

[a] + [b] = [a + b]

[a] · [b] = [ab].

Page 14: Public-Key Cryptography and RSA

Define Z_n = {[0], [1], ..., [n − 1]}.

Or, more conveniently, Z_n = {0, 1, ..., n − 1}.

(Z_n, +) forms an abelian additive group.

For a, b ∈ Z_n, a + b = (a + b) mod n. (Or, [a] + [b] = [a + b] = [(a + b) mod n].)

0 is the identity element.

The inverse of a, denoted by −a, is n − a.

When doing addition/subtraction in Z_n, just do the regular addition/subtraction and reduce the result modulo n.

In Z_10, 5 ± 9 ± 4 ± 6 ± 2 ± 8 ± 3 = ? (the +/− signs between the operands did not survive extraction)

Page 15: Public-Key Cryptography and RSA

(Z_n, ·) is not a group, because 0^{-1} does not exist.

Even if we exclude 0 and consider only Z_n \ {0}, (Z_n \ {0}, ·) is not necessarily a group; some a^{-1} may not exist.

For a ∈ Z_n, a^{-1} exists if and only if gcd(a, n) = 1.

gcd(a, n) = 1 ⇒ ax + ny = 1 for some integers x and y

⇒ [a][x] + [n][y] = [1] in Z_n

⇒ [a][x] = [1] in Z_n

⇒ [a]^{-1} = [x] in Z_n

Page 16: Public-Key Cryptography and RSA

Let Z_n^* = {a ∈ Z_n : gcd(a, n) = 1}.

(Z_n^*, ·) is an abelian multiplicative group.

a · b = ab mod n.

1 is the identity element.

The inverse of a, written a^{-1}, can be computed by the Extended Euclidean Algorithm.

For example, Z_12^* = {1, 5, 7, 11}. 5 · 7 = 35 mod 12 = 11.

Q: How many elements are there in Z_n^*?

Page 17: Public-Key Cryptography and RSA

How many elements are there in Z_n^*?

Euler's totient function:

φ(n) = |{a : 1 ≤ a ≤ n, gcd(a, n) = 1}| = |Z_n^*|

Facts:

1. φ(p) = p − 1 for prime p.

2. φ(pq) = φ(p) φ(q) if gcd(p, q) = 1.

Page 18: Public-Key Cryptography and RSA

Let G be a (multiplicative) finite group.

The order of a ∈ G, written ord(a), is the smallest positive integer t such that a^t = e (e, identity element).

The order of G, ord(G), is the number of elements in G.

Example: Consider Z_15^*.

ord(Z_15^*) = φ(15)

ord(8) = 4, since 8^2 = 64 mod 15 = 4

8^3 = (8^2 · 8) mod 15 = (4 · 8) mod 15 = 2

8^4 = (8^2 · 8^2) mod 15 = (4 · 4) mod 15 = 1

Page 19: Public-Key Cryptography and RSA

Example: Z_15^*

Z_15^* = {1, 2, 4, 7, 8, 11, 13, 14}

φ(15) = φ(3) φ(5) = 2 · 4 = 8

a ∈ Z_15^*:   1   2   4   7   8   11   13   14

ord(a):       1   4   2   4   4   2    4    2

For all a ∈ Z_15^*, we have a^{φ(15)} = a^8 = 1.

Page 20: Public-Key Cryptography and RSA

Theorem: For any element a ∈ G, ord(a) | ord(G).

Corollary: For any element a ∈ G, a^{ord(G)} = e.

Fermat's little theorem:

If a ∈ Z_p^* (p a prime), then a^{p−1} = 1.

Euler's theorem:

If a ∈ Z_n^*, then a^{φ(n)} = 1. (ord(Z_n^*) = φ(n).)

That is, for any integer a relatively prime to n, a^{φ(n)} ≡ 1 mod n.
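As an added example (not part of the original slides), the following Python code builds Z_n^* from its definition, computes element orders and Euler's totient by brute force, and checks the two statements of the preceding slides (ord(a) | ord(Z_n^*) and a^{φ(n)} ≡ 1) on Z_15^* and on the later RSA modulus 187. Function names are my own.

```python
# Added example, not from the original slides: Z_n^*, element orders,
# Euler's totient, and the Lagrange / Euler statements checked by brute force.
from math import gcd


def units(n):
    """Z_n^* = {a in Z_n : gcd(a, n) = 1}, as a sorted list."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def phi(n):
    """Euler's totient phi(n) = |Z_n^*|, computed straight from the definition."""
    return len(units(n))


def order(a, n):
    """ord(a) in Z_n^*: the smallest t >= 1 with a^t = 1 (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit modulo n")
    t, x = 1, a % n
    while x != 1:
        x = x * a % n
        t += 1
    return t


def lagrange_and_euler_hold(n):
    """For every a in Z_n^*: ord(a) divides ord(Z_n^*) = phi(n), and a^phi(n) = 1 (mod n)."""
    g = phi(n)
    return all(g % order(a, n) == 0 and pow(a, g, n) == 1 for a in units(n))


if __name__ == "__main__":
    print(units(15))                            # [1, 2, 4, 7, 8, 11, 13, 14]
    print(phi(15), phi(3) * phi(5))             # 8 8  (phi is multiplicative on coprime factors)
    print([order(a, 15) for a in units(15)])    # [1, 4, 2, 4, 4, 2, 4, 2], the slide's table
    print(lagrange_and_euler_hold(15), lagrange_and_euler_hold(187))   # True True
```

Computing φ(n) by enumeration is only feasible for toy moduli; for an RSA modulus the point of the slides is precisely that φ(n) = (p − 1)(q − 1) is known only to whoever knows the factors.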

Page 21: Public-Key Cryptography and RSA

The Chinese Remainder Problem

• A problem described in an ancient Chinese arithmetic book.

• Problem: We have a number of things, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many things are there?

x ≡ 2 mod 3, x ≡ 3 mod 5, x ≡ 2 mod 7

x = ? All integers x ≡ 23 (mod 3 · 5 · 7 = 105).

Page 22: Public-Key Cryptography and RSA

Chinese remainder theorem

If integers n_1, n_2, ..., n_k are pairwise coprime, then the system of congruences

x ≡ a_1 mod n_1

x ≡ a_2 mod n_2

...

x ≡ a_k mod n_k

has a unique solution in Z_N:

x = Σ_{i=1}^{k} a_i N_i (N_i^{-1} mod n_i) mod N

where N = n_1 n_2 ⋯ n_k, and N_i = N / n_i.

Furthermore, every integer x' ≡ x (mod N) is a solution.

Page 23: Public-Key Cryptography and RSA

Example: Chinese remainder theorem

Suppose

x ≡ 1 mod 3

x ≡ 6 mod 7

x ≡ 8 mod 10

By the Chinese remainder theorem, the solution is:

x = 1 · 70 · (70^{-1} mod 3) + 6 · 30 · (30^{-1} mod 7) + 8 · 21 · (21^{-1} mod 10)

  = 1 · 70 · (1^{-1} mod 3) + 6 · 30 · (2^{-1} mod 7) + 8 · 21 · (1^{-1} mod 10)

  = 1 · 70 · 1 + 6 · 30 · 4 + 8 · 21 · 1 mod 210

  = 958 mod 210

  = 118 mod 210

Page 24: Public-Key Cryptography and RSA

Chinese remainder theorem (another version)

Let N = n_1 n_2 ⋯ n_k (the numbers n_i are pairwise coprime).

There is a one-to-one correspondence Z_N ↔ Z_{n_1} × Z_{n_2} × ⋯ × Z_{n_k};

also, Z_N^* ↔ Z_{n_1}^* × Z_{n_2}^* × ⋯ × Z_{n_k}^*.

A ↔ (a_1, a_2, ..., a_k), where a_i = A mod n_i and A = ?

Page 25: Public-Key Cryptography and RSA

One-to-one correspondence Z_N ↔ Z_{n_1} × ⋯ × Z_{n_k}:

A ↔ (a_1, ..., a_k)

Operations in Z_N can be performed individually in each Z_{n_i}.

If A ↔ (a_1, ..., a_k), B ↔ (b_1, ..., b_k), then

A + B ↔ (a_1 + b_1, ..., a_k + b_k)

A · B ↔ (a_1 b_1, ..., a_k b_k)

A^{-1} ↔ (a_1^{-1}, ..., a_k^{-1}) if A ∈ Z_N^*,

where a_i + b_i, a_i b_i and a_i^{-1} are computed mod n_i.

Page 26: Public-Key Cryptography and RSA

Example: Chinese remainder theorem

Suppose we want to compute 8 · 11 in Z_15^*. Z_15^* ↔ Z_3^* × Z_5^*.

8 ↔ (2, 3) = (8 mod 3, 8 mod 5)

11 ↔ (2, 1) = (11 mod 3, 11 mod 5)

8 · 11 ↔ (2 · 2, 3 · 1) = (1, 3).

(1, 3) ↔ x: Solve x ≡ 1 mod 3, x ≡ 3 mod 5. x = 13.
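As an added example (not part of the original slides), the Chinese remainder theorem of the last few slides in Python: the general formula x = Σ a_i N_i (N_i^{-1} mod n_i) mod N, the map A ↦ (A mod n_1, ..., A mod n_k), and multiplication carried out componentwise and recombined, checked against the slides' three worked cases (23 mod 105, 118 mod 210, and 8 · 11 = 13 in Z_15^*). Function names are my own.

```python
# Added example, not from the original slides: the CRT formula of the
# "Chinese remainder theorem" slides and the componentwise-arithmetic view.
from math import gcd


def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise-coprime n_i.

    Returns (x, N) with 0 <= x < N = n_1 * ... * n_k, using the slides' formula
    x = sum_i a_i * N_i * (N_i^{-1} mod n_i) mod N, where N_i = N / n_i.
    """
    if len(residues) != len(moduli):
        raise ValueError("one residue per modulus")
    for i in range(len(moduli)):            # the theorem needs pairwise coprime moduli
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for a, n in zip(residues, moduli):
        N_i = N // n
        x += a * N_i * pow(N_i, -1, n)      # pow(b, -1, n) is b^{-1} mod n (Python 3.8+)
    return x % N, N


def to_components(A, moduli):
    """Z_N -> Z_{n_1} x ... x Z_{n_k}: A maps to (A mod n_1, ..., A mod n_k)."""
    return tuple(A % n for n in moduli)


def mul_via_crt(a, b, moduli):
    """Multiply in Z_N by multiplying componentwise in each Z_{n_i}, then recombining."""
    comps = [(x * y) % n for x, y, n in
             zip(to_components(a, moduli), to_components(b, moduli), moduli)]
    x, _ = crt(comps, moduli)
    return x


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))     # (23, 105): the ancient counting problem
    print(crt([1, 6, 8], [3, 7, 10]))    # (118, 210): the worked example
    print(to_components(8, [3, 5]), to_components(11, [3, 5]))   # (2, 3) (2, 1)
    print(mul_via_crt(8, 11, [3, 5]))    # 13, and indeed 8 * 11 mod 15 == 13
```

The coprimality check matters in practice: the formula silently returns a wrong value when two moduli share a factor, and `pow(N_i, -1, n)` only exists because gcd(N_i, n_i) = 1.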

Page 27: Public-Key Cryptography and RSA

Important Problems

gcd(a, b)

a^{-1} mod n

a^k mod n

Can be done in O(log^3 n) time.

Page 28: Public-Key Cryptography and RSA

How to compute a^{-1} mod n?

Compute a^{-1} in Z_n^*.

a^{-1} exists if and only if gcd(a, n) = 1.

Use extended Euclidean algorithm to find x, y such that ax + ny = gcd(a, n) = 1.

a^{-1} = x (because ny = 0 in Z_n).

Note: every computation is reduced modulo n.

Page 29: Public-Key Cryptography and RSA

Example

Compute 15^{-1} mod 47.

47 = 15 · 3 + 2 (divide 47 by 15; remainder 2)

15 = 2 · 7 + 1 (divide 15 by 2; remainder 1)

1 = 15 − 2 · 7 (mod 47)

  = 15 − (47 − 15 · 3) · 7 (mod 47)

  = 15 · 22 − 47 · 7 (mod 47)

  = 15 · 22 (mod 47)

15^{-1} mod 47 = 22
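As an added example (not part of the original slides), the Extended Euclidean Algorithm and the modular-inverse computation of the preceding slides in Python, checked on the slides' own numbers: gcd(299, 221) = 13 = 3 · 299 − 4 · 221 and 15^{-1} mod 47 = 22. Function names are my own.

```python
# Added example, not from the original slides: extended Euclid and modular inverse.

def egcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g.

    Iterative form of the slides' algorithm: each step performs one division
    a = q*b + r and carries the Bezout coefficients of a and b along with it.
    """
    x0, y0, x1, y1 = 1, 0, 0, 1      # (x0, y0) belong to a, (x1, y1) to b
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, n):
    """Inverse of a in Z_n^*, or None when gcd(a, n) != 1 (no inverse exists)."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        return None
    return x % n                     # ax + ny = 1, so a*x = 1 in Z_n


def bezout_holds(a, b):
    """Check that the returned coefficients really satisfy a*x + b*y = g."""
    g, x, y = egcd(a, b)
    return a * x + b * y == g


if __name__ == "__main__":
    print(egcd(299, 221))            # (13, 3, -4): 13 = 3*299 - 4*221
    print(modinv(15, 47))            # 22
    print(modinv(7, 160))            # 23, the private exponent of the later RSA example
    print(modinv(6, 12))             # None: gcd(6, 12) = 2, no inverse in Z_12
```

Returning `None` instead of a wrong value when gcd(a, n) ≠ 1 is the case the slides flag: in Z_n not every non-zero element has an inverse, and a caller that assumes one exists should find out immediately.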

Page 30: Public-Key Cryptography and RSA

The RSA Cryptosystem

By Rivest, Shamir & Adleman of MIT in 1977.

Best known and most widely used public-key scheme.

Based on the (assumed) one-way property of modular powering:

f: x → x^e mod n (easy)

f^{-1}: y → y^{1/e} mod n (hard)

Page 31: Public-Key Cryptography and RSA

Idea behind RSA

It works in group Z_n^*.

RSA encryption (easy): x → x^e.

RSA decryption (hard): x^e → x.

Looking for a trapdoor: (x^e)^d = x.

If d is a number such that ed ≡ 1 mod φ(n), then ed = kφ(n) + 1 for some k, and

(x^e)^d = x^{ed} = x^{kφ(n)+1} = (x^{φ(n)})^k · x = 1^k · x = x.

Page 32: Public-Key Cryptography and RSA

Setting up an RSA Cryptosystem

• A user wishing to set up an RSA cryptosystem will:

– Choose a pair of public/private keys: (PU, PR).

– Publish the public (encryption) key.

– Keep secret the private (decryption) key.


Page 33: Public-Key Cryptography and RSA

RSA Key Setup

Select two large primes p and q at random.

Compute n = pq. Note: φ(n) = (p − 1)(q − 1).

Select an encryption key e satisfying 1 < e < φ(n) and gcd(e, φ(n)) = 1. (i.e., e ∈ Z_{φ(n)}^*, e ≠ 1.)

Compute the decryption key: d = e^{-1} mod φ(n).

ed ≡ 1 mod φ(n).

d is the inverse of e mod φ(n).

Public key: PU = (e, n). Private key: PR = (d, n).

Important: p, q, and φ(n) must be kept secret.

Page 34: Public-Key Cryptography and RSA

RSA Encryption and Decryption

Suppose Bob is to send a secret message m to Alice.

To encrypt, Bob will

obtain Alice's public key PU = {e, n}.

encrypt m as c = m^e mod n.

Note: m ∈ Z_n^*.

To decrypt the ciphertext c, Alice will compute m = c^d mod n, using her private key PR = {d, n}.

What key will Alice use to encrypt her reply to Bob?

Page 35: Public-Key Cryptography and RSA

Why RSA Works

The setting of RSA is the group (Z_n^*, ·):

Plaintexts and ciphertexts are elements in Z_n^*.

Recall: Z_n^* = {x : 0 < x < n, gcd(x, n) = 1}.

Z_n^* has φ(n) elements. (The group has order φ(n).)

In group (Z_n^*, ·), for any x ∈ Z_n^*, we have x^{φ(n)} = 1.

We have chosen e, d such that ed ≡ 1 mod φ(n), i.e., ed = kφ(n) + 1 for some positive integer k.

For x ∈ Z_n^*, x^{ed} = x^{kφ(n)+1} = (x^{φ(n)})^k · x = 1^k · x = x.

Page 36: Public-Key Cryptography and RSA

RSA Example: Key Setup

Select two primes: p = 17, q = 11.

Compute the modulus n = pq = 187.

Compute φ(n) = (p − 1)(q − 1) = 160.

Select e between 0 and 160 such that gcd(e, 160) = 1.

Let e = 7.

Compute d = e^{-1} mod φ(n) = 7^{-1} mod 160 = 23 (using extended Euclid's algorithm).

Public key: PU = (e, n) = (7, 187).

Private key: PR = (d, n) = (23, 187).

Page 37: Public-Key Cryptography and RSA

RSA Example: Encryption & Decryption

Suppose m = 88.

Encryption: c = m^e mod n = 88^7 mod 187 = 11.

Decryption: m = c^d mod n = 11^23 mod 187 = 88.

When computing 11^23 mod 187, we do not first compute 11^23 and then reduce it modulo 187.

Rather, when computing 11^23, reduce the intermediate results modulo 187 whenever they get bigger than 187.

Page 38: Public-Key Cryptography and RSA

Algorithm: Square-and-Multiply(x, c, n)

Comment: compute x^c mod n, where c = c_{k−1} c_{k−2} ... c_1 c_0 in binary.

z := 1

for i := k − 1 downto 0 do

    z := z^2 mod n

    if c_i = 1 then z := z · x mod n

return (z)

Note: At the end of iteration i, z = x^{(c_{k−1} ... c_i)} mod n, i.e., the exponent accumulated so far is the binary prefix c_{k−1} ... c_i of c.

Page 39: Public-Key Cryptography and RSA

Example: 11^23 mod 187

23 = 10111 in binary

z = 11^1 mod 187 = 11 (square and multiply)

z = z^2 mod 187 = 11^2 mod 187 = 121 (square)

z = z^2 · 11 mod 187 = 11^5 mod 187 = 44 (square and multiply)

z = z^2 · 11 mod 187 = 11^11 mod 187 = 165 (square and multiply)

z = z^2 · 11 mod 187 = 11^23 mod 187 = 88 (square and multiply)

Page 40: Public-Key Cryptography and RSA

Encryption Key

To speed up encryption, small values are usually used for e.

Popular choices are e = 3, 17 = 2^4 + 1, 65537 = 2^16 + 1.

These values have only two 1's in their binary representation.

There is an interesting attack on small e.

Page 41: Public-Key Cryptography and RSA

Low encryption exponent attack

A message m sent to e users who employ the same encryption exponent e is not protected by RSA.

Say, e = 3, and Bob sends a message m to three recipients encrypted as:

c_1 = m^3 mod n_1, c_2 = m^3 mod n_2, c_3 = m^3 mod n_3.

Eve intercepts the three ciphertexts, and recovers m:

m^3 ≡ c_1 mod n_1, m^3 ≡ c_2 mod n_2, m^3 ≡ c_3 mod n_3.

By CRT, m^3 ≡ c mod n_1 n_2 n_3 for some c.

Also, m^3 < n_1 n_2 n_3. So, m^3 = c, and m = c^{1/3}.

Page 42: Public-Key Cryptography and RSA

Decryption Key

One may be tempted to use a small d to speed up decryption.

Unfortunately, that is risky.

Wiener's attack: If d < n^{1/4} / 3 and q < p < 2q, then the decryption exponent d can be computed from (n, e). (The condition q < p < 2q often holds in practice.)

CRT can be used to speed up decryption by four times.

Page 43: Public-Key Cryptography and RSA

Speeding up Decryption by CRT

Multiplying two numbers of k bits takes O(k^2) time.

n = pq. n: 1024-2048 bits. p, q: half the size.

Decryption: m = c^d mod n.

Instead of computing c^d mod n directly, we

compute c_1 = c mod p and c_2 = c mod q

compute m_1 = c_1^{d_1} mod p and m_2 = c_2^{d_2} mod q

recover the plaintext m by solving x ≡ m_1 mod p, x ≡ m_2 mod q.
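As an added example (not part of the original slides), the CRT decryption procedure above in Python. The slide does not say how d_1 and d_2 are obtained; this code uses the standard choice d_1 = d mod (p − 1), d_2 = d mod (q − 1), which is justified by Fermat's little theorem from the earlier slide (c^{p−1} ≡ 1 mod p). The two-modulus recombination uses Garner's form of the CRT. Function names are my own; the larger toy key (p = 61, q = 53, d = 2753) is constructed for the cross-check.

```python
# Added example, not from the original slides: CRT-accelerated RSA decryption.
# d_1 = d mod (p-1) and d_2 = d mod (q-1) are the standard exponents (an
# assumption: the slide does not spell them out); they follow from Fermat.


def rsa_decrypt_crt(c, d, p, q):
    """Decrypt c^d mod pq with two half-size exponentiations, one mod p and one mod q."""
    d1 = d % (p - 1)                  # c^d = c^{d1} (mod p) since c^{p-1} = 1 (mod p)
    d2 = d % (q - 1)
    c1, c2 = c % p, c % q             # c_1 = c mod p, c_2 = c mod q
    m1 = pow(c1, d1, p)               # m_1 = c_1^{d_1} mod p
    m2 = pow(c2, d2, q)               # m_2 = c_2^{d_2} mod q
    # Solve x = m1 (mod p), x = m2 (mod q): Garner's two-modulus form of the CRT.
    q_inv = pow(q, -1, p)             # q^{-1} mod p; in practice precomputed once per key
    h = (m1 - m2) * q_inv % p
    return m2 + h * q                 # 0 <= result < pq


def crt_matches_direct(c, d, p, q):
    """Cross-check against the direct computation c^d mod n of the earlier slides."""
    return rsa_decrypt_crt(c, d, p, q) == pow(c, d, p * q)


if __name__ == "__main__":
    print(rsa_decrypt_crt(11, 23, 17, 11))          # 88, the slides' example
    print(crt_matches_direct(2790, 2753, 61, 53))   # True (constructed toy key, n = 3233)
```

The speed-up comes from both the half-size moduli and the half-size exponents d_1, d_2; the cost is that p and q must be available at decryption time, which is exactly the material the key-setup slide says must be kept secret.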

Page 44: Public-Key Cryptography and RSA

Security of RSA

Four categories of attacks on RSA:

brute-force key search (infeasible given the large key space)

mathematical attacks

timing attacks

chosen ciphertext attacks

Page 45: Public-Key Cryptography and RSA

Mathematical Attacks

Factor n into n = pq. Then φ(n) = (p − 1)(q − 1) and d =  e^{-1} mod φ(n) can be calculated easily.

Determine φ(n) directly. Equivalent to factoring n. Knowing φ(n) will enable us to factor n by solving n = pq, φ(n) = (p − 1)(q − 1).

Determine d directly. Best known algorithms are not faster than those for factoring n. Besides, if d is known, then n can be factored with high probability.

Page 46: Public-Key Cryptography and RSA

Integer Factorization

A difficult problem, but more and more efficient algorithms have been developed.

In 1977, RSA challenged researchers to decode a ciphertext encrypted with a key (n) of 129 digits (428 bits). Prize: $100. Would take quadrillion years using best algorithms of that time.

In 1991, RSA put forward more challenges, with prizes, to encourage research on factorization.

Page 47: Public-Key Cryptography and RSA

RSA Numbers

Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.)

There are two labeling schemes.

by the number of decimal digits: RSA-100, ..., RSA-500, RSA-617.

by the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.

Page 48: Public-Key Cryptography and RSA

RSA Numbers which have been factored

RSA-100 (332 bits), 1991, 7 MIPS-year, Quadratic Sieve.

RSA-110 (365 bits), 1992, 75 MIPS-year, QS.

RSA-120 (398 bits), 1993, 830 MIPS-year, QS.

RSA-129 (428 bits), 1994, 5000 MIPS-year, QS.

RSA-130 (431 bits), 1996, 1000 MIPS-year, GNFS.

RSA-140 (465 bits), 1999, 2000 MIPS-year, GNFS.

RSA-155 (512 bits), 1999, 8000 MIPS-year, GNFS.

RSA-160 (530 bits), 2003, Lattice Sieve.

RSA-576 (174 digits), 2003, Lattice Sieve.

RSA-640 (193 digits), 2005, Lattice Sieve.

RSA-200 (663 bits), 2005, Lattice Sieve.

Page 49: Public-Key Cryptography and RSA


RSA-200 =

27,997,833,911,221,327,870,829,467,638,

722,601,621,070,446,786,955,428,537,560,

009,929,326,128,400,107,609,345,671,052,

955,360,856,061,822,351,910,951,365,788,

637,105,954,482,006,576,775,098,580,557,

613,579,098,734,950,144,178,863,178,946,

295,187,237,869,221,823,983.

Page 50: Public-Key Cryptography and RSA

Remarks

In light of current factorization technologies, RSA recommends that n be of 1024-2048 bits.

Encrypting messages m ∈ Z_n \ Z_n^* is insecure.

Such an m is not relatively prime to n, i.e., gcd(m, n) ≠ 1.

By computing gcd(m, n), one will be able to factor n = pq.

gcd(m, n) ≠ 1 ⇒ gcd(c, n) ≠ 1, where c = m^e mod n.

Question: what is the probability that m ∈ Z_n \ Z_n^*?

Page 51: Public-Key Cryptography and RSA

Timing Attacks

Paul Kocher in the mid-1990s demonstrated that a snooper can determine a private key by keeping track of how long a computer takes to decipher messages.

RSA decryption: c^d mod n.

Countermeasures:

Use constant decryption time

Add a random delay to decryption time

Blinding: modify the ciphertext c to c' and compute c'^d mod n.

Page 52: Public-Key Cryptography and RSA

Blinding in Some of RSA Products

RSA encryption has a homomorphism property: RSA(m_1) · RSA(m_2) = RSA(m_1 m_2).

To decrypt a ciphertext c = RSA(m):

Generate a random secret message r.

Encrypt r as RSA(r).

Multiply the two ciphertexts: c' = c · RSA(r) = RSA(mr).

Decrypting c' yields a value equal to mr.

Multiplying that value by r^{-1} yields m.

Note: all calculations are done in Z_n^* (i.e., modulo n).
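As an added example (not part of the original slides), the homomorphic property and the blinding procedure of this slide in Python, on the toy key of the earlier slides (e = 7, d = 23, n = 187). The private exponentiation is applied only to the blinded value c · RSA(r), never to c itself, which is the point of the countermeasure. Function names are my own.

```python
# Added example, not from the original slides: RSA's homomorphic property and
# blinded decryption, the timing-attack countermeasure described on the slides.
import secrets
from math import gcd


def rsa(m, e, n):
    """Textbook RSA(m) = m^e mod n."""
    return pow(m, e, n)


def homomorphic(m1, m2, e, n):
    """RSA(m1) * RSA(m2) == RSA(m1 * m2), all computed in Z_n^*."""
    return rsa(m1, e, n) * rsa(m2, e, n) % n == rsa(m1 * m2 % n, e, n)


def random_unit(n):
    """A random r in Z_n^* with r >= 2 (rejection sampling on gcd(r, n) = 1)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def decrypt_blinded(c, d, e, n, r=None):
    """Decrypt c without ever exponentiating c itself with the private key."""
    if r is None:
        r = random_unit(n)            # fresh secret blinding factor per decryption
    c_blind = c * rsa(r, e, n) % n    # c' = c * RSA(r) = RSA(m * r)
    mr = pow(c_blind, d, n)           # decrypting c' yields m * r
    return mr * pow(r, -1, n) % n     # multiply by r^{-1} to unblind


if __name__ == "__main__":
    e, d, n = 7, 23, 187
    print(homomorphic(88, 5, e, n))               # True
    print(decrypt_blinded(11, d, e, n, r=5))      # 88, with a fixed blinding factor
    print(decrypt_blinded(11, d, e, n))           # 88 again, with a fresh random r
```

A blinding factor that is reused, predictable, or not a unit of Z_n defeats the purpose: the `r=None` default draws a fresh `secrets`-based value each call, and `random_unit` rejects any r with gcd(r, n) ≠ 1, for which r^{-1} does not exist.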

Page 53: Public-Key Cryptography and RSA

Chosen-Ciphertext Attacks

RSA's homomorphism property is the basis of a simple chosen-ciphertext attack.

The attacker intercepts a ciphertext c = RSA(m).

An oracle can decrypt ciphertexts, except c, for you.

To launch a chosen-ciphertext attack:

Generate a message, say, r = 2.

Encrypt r as RSA(r).

Multiply the two ciphertexts: c' = c · RSA(r) = RSA(mr).

Ask the oracle to decrypt c', yielding a value equal to mr.

Multiplying that value by r^{-1} yields the plaintext m.

Page 54: Public-Key Cryptography and RSA

Small message space attack

If the message space is small, the adversary can encrypt all messages and compare them with the intercepted ciphertext.

For instance, if the message is known to be a 56-bit DES key, or a social security number.

Page 55: Public-Key Cryptography and RSA

Textbook RSA

The RSA we have described is the basic or textbook RSA, susceptible to many attacks.

In the real world, RSA is not used that way.

RSA PKCS #1 (now in version 2.1) is a specification by RSA Labs specifying how to implement RSA.

Page 56: Public-Key Cryptography and RSA

Padded RSA as in PKCS #1 v.1.5

PKCS: Public Key Cryptography Standard.

Let (n, e, d) give a pair of RSA keys.

Let k denote the length of n in bytes (e.g., 216).

To encrypt a message m:

pad m so that m' = 00 02 r 00 m (k bytes), where r = 8 or more random bytes ≠ 00.

The original message m must be ≤ k − 11 bytes.

The ciphertext is c := RSA(m') = m'^e mod n.

This format makes RSA resistant to many of the aforementioned attacks. Q: Which ones?

Page 57: Public-Key Cryptography and RSA

RSA PKCS #1 (v.1.5)

A padded message is called PKCS conforming if it has the specified format:

00 02 padding string 00 original message.

PKCS #1 implementations usually send you (sender) an error message if RSA^{-1}(c) is not PKCS conforming.

There was a famous chosen-ciphertext attack taking advantage of these error messages.

PKCS #1 (v 2.1) now uses a scheme called Optimal Asymmetric Encryption Padding (OAEP).

Page 58: Public-Key Cryptography and RSA

Bleichenbacher's chosen-ciphertext attack

A message is called PKCS conforming if it has the specified format:

00 02 padding string 00 original message.

PKCS #1 implementations usually send you (sender) an error message if RSA^{-1}(c) is not PKCS conforming.

It is just like you have an Oracle which, given c, answers whether or not RSA^{-1}(c) is PKCS conforming.

Bleichenbacher's attack takes advantage of such an Oracle.

Page 59: Public-Key Cryptography and RSA

Given c = RSA(m), Eve tries to find m.

(Assume m is PKCS conforming.)

How can the Oracle help?

Recall that RSA is homomorphic: RSA(a · b) = RSA(a) · RSA(b) (computed in Z_n^*).

Given RSA(m), Eve can compute RSA(ms) for any s ∈ Z_n^*.

She can ask the Oracle, "Is RSA(ms) PKCS conforming?"

(That is, is ms mod n PKCS conforming?)

Why is this info useful?

Page 60: Public-Key Cryptography and RSA

Recall PKCS Format (k bytes):

00 02 padding string 00 original message

Let B = 00 01 0...0 = 2^{8(k−2)} (as a binary integer)

Then, 2B = 00 02 0...0 = 2 · 2^{8(k−2)} and 3B = 00 03 0...0 = 3 · 2^{8(k−2)}.

If m is PKCS conforming ⇒ 2B ≤ m < 3B.

If, in addition, ms mod n is PKCS conforming

⇒ 2B ≤ ms mod n < 3B

⇒ 2B ≤ ms − tn < 3B for some t

⇒ (2B + tn) / s ≤ m < (3B + tn) / s for some t
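As an added example (not part of the original slides), the PKCS #1 v1.5 encryption block format of the earlier "Padded RSA" slide in Python: a padder, the conformance test that an implementation applies after decryption (the test whose pass/fail result is the oracle of these slides), an unpadder, and the interval fact 2B ≤ m < 3B stated on this slide, checked on a constructed 32-byte block. Function names are my own.

```python
# Added example, not from the original slides: PKCS #1 v1.5 encryption padding
# (EB = 00 02 PS 00 M), the conformance test applied after decryption, and the
# interval 2B <= m < 3B that every conforming block satisfies as an integer.
import os


def pkcs1_v15_pad(m: bytes, k: int) -> bytes:
    """Pad m to k bytes as 00 02 PS 00 M, with PS >= 8 random non-zero bytes."""
    if len(m) > k - 11:
        raise ValueError("message may be at most k - 11 bytes")
    ps = bytearray()
    while len(ps) < k - 3 - len(m):
        b = os.urandom(1)
        if b != b"\x00":              # PS must not contain 00: it marks the end of PS
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + m


def is_pkcs1_conforming(eb: bytes, k: int) -> bool:
    """00 02, a padding string of at least 8 bytes, a 00 separator, then the message."""
    if len(eb) != k or eb[0] != 0x00 or eb[1] != 0x02:
        return False
    sep = eb.find(b"\x00", 2)         # first 00 after the 00 02 prefix
    return sep != -1 and sep - 2 >= 8


def pkcs1_v15_unpad(eb: bytes, k: int) -> bytes:
    """Inverse of pkcs1_v15_pad; refuses non-conforming blocks."""
    if not is_pkcs1_conforming(eb, k):
        raise ValueError("not PKCS conforming")
    return eb[eb.find(b"\x00", 2) + 1:]


def conforming_interval(k: int):
    """B = 2^{8(k-2)}; a conforming block, read as an integer, satisfies 2B <= m < 3B."""
    B = 1 << (8 * (k - 2))
    return 2 * B, 3 * B


def in_conforming_interval(eb: bytes, k: int) -> bool:
    lo, hi = conforming_interval(k)
    return lo <= int.from_bytes(eb, "big") < hi


if __name__ == "__main__":
    k = 32                                   # a 256-bit modulus, for illustration only
    eb = pkcs1_v15_pad(b"hello", k)
    print(eb.hex())                          # 0002 <24 random non-zero bytes> 00 68656c6c6f
    print(is_pkcs1_conforming(eb, k), in_conforming_interval(eb, k))   # True True
    print(pkcs1_v15_unpad(eb, k))            # b'hello'
```

Note that `in_conforming_interval` depends only on the first two bytes of the block: that is why an implementation that reports "not conforming" on a bad 00 02 prefix leaks exactly the interval information these slides build on, and why the error behaviour after decryption must not depend on the padding contents.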

Page 61: Public-Key Cryptography and RSA

(Figure: a number line marked 0, n, 2n, 3n, 4n, ..., with the interval [2B, 3B) shown as the blue area and its translates by multiples of n shown in red.)

If m is PKCS conforming ⇒ m is in the blue area.

If ms mod n is also PKCS conforming

⇒ ms mod n is in the blue area

⇒ ms is in the red areas

⇒ m is in the red lines.

Thus, m is in the red lines ∩ the blue area.

Page 62: Public-Key Cryptography and RSA

Let's focus on the blue area, (2B, 3B).

If m is PKCS conforming ⇒ m is in the blue area.

If ms mod n is also PKCS conforming ⇒ m is in the red areas/line.

If, for another s, ms mod n is also PKCS conforming ⇒ m is in the purple areas/line.

So, m ∈ blue ∩ red ∩ purple.

Page 63: Public-Key Cryptography and RSA

So, starting with the fact that m is PKCS conforming, Eve finds a sequence of integers s_1, s_2, s_3, ... such that s_i ≥ 2 and ms_i mod n is PKCS conforming.

To find s_i, randomly choose an s_i ≥ 2, and ask the oracle whether ms_i mod n is PKCS conforming. If not, then try a different s_i.

This way, Eve can repeatedly narrow down the area containing m, and eventually finds m.

For n having 1024 bits, it takes roughly 1 million accesses to the oracle in order to find s_1, s_2, s_3, ...

Page 64: Public-Key Cryptography and RSA

RSA PKCS #1 (v.2.1)

The current version of PKCS #1 (v 2.1) uses a scheme called Optimal Asymmetric Encryption Padding (OAEP).

OAEP: m → m' = (m ⊕ G(r)) ‖ (r ⊕ h(m ⊕ G(r)))

RSA: c = m'^e mod n

G: pseudorandom generator

h: hash function

r: random
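As an added example (not part of the original slides), the OAEP transform written on this slide, m' = (m ⊕ G(r)) ‖ (r ⊕ h(m ⊕ G(r))), and its inverse in Python. The choice of G (SHA-256 over a counter, in the style of a mask generation function) and of h (truncated SHA-256) is my own; they stand in for the generator and hash the slide leaves abstract and are not PKCS #1's exact parameters. The sample message is constructed.

```python
# Added example, not from the original slides: the OAEP transform of the slide
# and its inverse. G and h are assumptions (SHA-256 based), not PKCS #1's exact choices.
import hashlib
import os


def G(seed: bytes, length: int) -> bytes:
    """Pseudorandom generator: expand seed to `length` bytes with SHA-256 over a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def h(data: bytes, length: int) -> bytes:
    """Hash function, truncated to the length of r."""
    return hashlib.sha256(data).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> bytes:
    """m' = (m xor G(r)) || (r xor h(m xor G(r)))."""
    masked_m = xor(m, G(r, len(m)))            # m xor G(r)
    masked_r = xor(r, h(masked_m, len(r)))     # r xor h(m xor G(r))
    return masked_m + masked_r


def oaep_unpad(padded: bytes, mlen: int) -> bytes:
    """Recover m: first r = masked_r xor h(masked_m), then m = masked_m xor G(r)."""
    masked_m, masked_r = padded[:mlen], padded[mlen:]
    r = xor(masked_r, h(masked_m, len(masked_r)))
    return xor(masked_m, G(r, mlen))


if __name__ == "__main__":
    m = b"session key 0123"                     # constructed 16-byte message
    r = os.urandom(16)                          # fresh random r per encryption
    padded = oaep_pad(m, r)
    print(padded.hex())
    print(oaep_unpad(padded, len(m)) == m)      # True
    # The same m padded with a different r gives a different block: encryption is randomized.
    print(oaep_pad(m, os.urandom(16)) != padded)  # True (equal only with negligible probability)
```

The block m' is what gets raised to the power e; because r is fresh for every encryption, two encryptions of the same m differ, which removes the deterministic behaviour that the small-message-space and homomorphism-based attacks of the earlier slides rely on.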

Page 65: Public-Key Cryptography and RSA

Public-Key Applications

• Three categories of applications:

– encryption/decryption (provide secrecy)

– digital signatures (provide authentication)

– key exchange (of session keys)

• Public-key cryptosystems are slower than symmetric-key systems.

• So, mainly used for digital signatures and key exchange.

Page 66: Public-Key Cryptography and RSA

(Figure: summary of the two schemes covered.)

RSA: basic RSA, textbook RSA

Padded-RSA: PKCS #1 v.1.5

Original message → padded message