rsa public key cryptosystem one way trapdoor functionsalberto/didattica/cns-slides/rsa_5.pdf ·...
TRANSCRIPT
RSA Public Key CryptoSystemOne way Trapdoor Functions
Diffie and Hellman (76)“New Directions in Cryptography”
Split the Bob’s secret key K to two parts:
• KE , to be used for encrypting messages to Bob.• KD , to be used for decrypting messages by Bob.KE can be made public (public key cryptography, assymetric cryptography)
Integer Multiplication & Factoring as a One Way Function.
p,q N=pqhard
easy
Q.: Can a public key system be basedon this observation ?????
Excerpts from RSA paper (CACM, 1978)The era of “electronic mail” may soon be upon us; we mustensure that two important properties of the current “papermail” system are preserved: (a) messages are private, and (b)messages can be signed. We demonstrate in this paper howto build these capabilities into an electronic mail system.
At the heart of our proposal is a new encryption method.This method provides an implementation of a “public-keycryptosystem,” an elegant concept invented by Diffie andHellman. Their article motivated our research, since theypresented the concept but not any practical implementationof such system.
The Multiplicative Group Zpq*
Let p and q be two large primes and N=pq be theirproduct.
The multiplicative group ZM* =Zpq* containsall integers in the range [1,pq-1] that arerelatively prime to both p and q.
The size of the group isφ(pq) = (p-1) (q-1) = N - (p+q) + 1,so for every x ∈∈ Zpq*, x(p-1)(q-1) = 1.
Exponentiation in Zpq*
Motivation: We want to exponentiation forencryption.Note that not all integers in {1,2,..,pq-1} belong to
Zpq*. These elements do not have an inverse inZpq* (therefore multiplication in Zpq* is not a one-to-one mapping)
However the choice of e impliesLet e be an integer, 1 < e < (p-1) (q-1).
Question: When is exponentiation to the eth
power, x --> xe, a one-to-one op in Zpq* ?
Exponentiation in Zpq*
Claim: If e is relatively prime to (p-1)(q-1)then x --> xe is a one-to-one op in Zpq*
Constructive proof: Since gcd(e, (p-1)(q-1))=1,e has a multiplicative inverse mod (p-1)(q-1).Denote it by d, then ed=1 + C(p-1)(q-1).
Let y=xe, then yd =(xe)d=x1+C(p-1)(q-1) =xmeaning y --> yd is the inverse of x-->xe QED
RSA Public Key Cryptosystem• Let N=pq be the product of two primes• Choose e such that gcd(e,φ(N))=1• Let d be such that de≡1 mod φ(N)• The public key is (N,e)• The private key is d• Encryption of M∈ZN* by C=E(M)=Me mod N• Decryption of C∈ZN* by M=D(C)=Cd mod N
“The above mentioned method should not be confused with the exponentiation technique presented by Diffie and Hellman to solve the key distribution problem”.
Constructing an instance of RSA PKC• Alice first picks at random two large primes, p
and q.• Alice then picks at random a large d that is
relatively prime to (p-1)(q-1) ( gcd(d,φ(N))=1 ).• Alice computes e such that de≡1 mod φ(N)
• Let N=pq be the product of p and q.• Alice publishes the public key (N,e).• Alice keeps the private key d, as well as the
primes p, q and the number φ(N), in a safe place.
A Small Example• Let p=47, q=59, N=pq=2773. φ(N)=
46*58=2668.
Pick d=157, then 157*17 - 2668 =1, so e=17 isthe inverse of 157 mod 2668.For N =2773 we can encode two letters perBlock, using a two digit number per letter:blank=00, A=01,B=02,…,Z=26.Message: ITS ALL GREEK TO ME is encoded0920 1900 0112 1200 0718 0505 1100 2015 0013 0500
A Small Example
N=2773, e=17 (10001 in binary).ITS ALL GREEK TO ME is encoded as0920 1900 0112 1200 0718 0505 1100 2015 0013 0500
First block M=0920 encrypts to
Me= M17 = (((M2)2 )2 )2 * M = 948 (mod 2773)The whole message (10 blocks) is encrypted as0948 2342 1084 1444 2663 2390 0778 0774 0219 1655
Indeed 0948d=0948157=920 (mod 2773), etc.
RSA: implementation
1. Finda large prime numbers (random)Algorithm:
- randomly choose a random odd integer i- check whether i is prime (we’ll see soon)
Note:- Prime numbers are frequent (between Nand
2N there are ≈ N/log N prime numbers)- Hence by randomly choosing an odd you
expect to find a prime every log N attempts
RSA: implementation2. Coding algorithm (compute exponentiation) Algoritmo per
ottenere una codifica veloceCompute power by repeated squaring (so computing power of
2, 4, 8,..) and then executing multiplication (based on binarynotation of the exponent e)
- No. Of operation required: O(log N)- Constant no. of operations if e is small and its binary
reprensetation has few onesexample:- e= 3, compute M^2 mod N,
M^3 mod N = ((M mod N) * (M^2 mod N)) mod N- e= 65537 (2^16 + 1), compute M^2 mod N,M^4 mod N, M^8
mod N, M^16 mod N ... M^65536 mod Ncomplete by computing M* M^65536 - total 5 multiplicat.
RSA as a One Way Trapdoor Function.
x xe mod Nhard
easy
Easy with trapdoor info ( d )
Trap-Door OWF
• Definition: f:D→R is a trap-door one wayfunction if there is a trap-door s suchthat:– Without knowledge of s, the function f is a one
way function– Given s, inverting f is easy
• Example: fg,p(x) = gx mod p is not a trap-door one way function.
• Example: RSA is a trap-door OWF.
RSA as a collection of Trap-doorOWF
Note: RSA is a method that depends on the parameter givenby the key
Def.: Let I be a set of indices and D a finite set. A collectionof trap-door one way function is a set of function F
fi:Di→Ri such that for all i in I fi is a trap-door one wayfunction
Idea: We need an algorithm that given a security parameterselect a random function fi in F together with a trapdoor tiinformation
Security of RSA vs computing factors
• Fact 1: given n, e, p and q it is easy to compute d• Fact 2: given n, e,
– If you factor n then you can compute φ(n)– If you factor n then you can compute d
• Conclusion:– If you factor n then you invert RSA– OPEN QUESTION: if you invert RSA can you factor n?
NOTE: factoring large numbers is an open problemsince thousands of years…
Attacks on RSA
NOTE: RSA robustness does not imply it is robust always.In fact1. Factor N=pq. This is believed hard unless p, q have some
“bad” properties. To Avoid such primes, it isrecommended to
• Take p, q large enough (100 digits each).• Make sure p, q are not too close together.• Make sure both (p-1), (q-1) have large prime factors
(otherwise there is a good factoring algorithm).2. Some messages might be easy to decode
Properties of RSA
• The requirement (e,ϕ(n))=1 is important foruniqueness
• Finding d, given p and q is easy. Finding d givenonly n and e is assumed to be hard (the RSAassumption)
• The public exponent e may be small. Typically itsvalue is either 3 (problematic) or 216+1
• Each encryption involves several modularmultiplications. Decryption is longer.
RSA: Attacks
Factor N=pq: RSA challenges (sfide)RSA Security publics challenges for factoring:- RSA 426 bit, 129 digit:
- published 1977- factored in 1994 (8 months using 1600 computer in internet
(10000 Mips))- RSA 576 bit, 173 digit: factored in dec. 2003, 10000 $- RSA 640 (prize 20K$), RSA 1024 (100K$), RSA 2048
(200K$)
RSA: AttacksFactoring is difficult in general• BUT there are cases in which decoding
RSA is easy• Easy messages: eg m= 0,1,n-1 then RSA(m)
= m: SOLUT: rare messages, use salt• If m is small and e is small (eg e=3) then it
may happen that m^3 < n; thereforem^3 mod n = m^3
adversary computes cubic root SOLUT.Add random bytes at the beginning of themessage to avoid these cases
RSA - Attacks
Small value of e (eg e=3)• If adevrsary has two encoding of similar
messages, eg m and (m+1)c1= m^3 mod n and c2= (m+1)^3 mod n
• in this case we havem = (c2+ 2 c2 -1)/ (c2 - c1 +2)
• Similar problem if the two mess. are m and(am + b)
SOLUT.: choose large e / add random bits -to avoid similar messages
RSA - Attacks
• If messages space is small then the adversary cancompute all possible encodingsexample: adevrsary knows encoded messages andknows that m is either
m1=10101010 o m2=01010101adversary code m1 and m2 using public key andthen checks the correct messages
• SOLUT: add random string to increase messagespace
•
RSA - Attacks
• If two users have same n (even different e and d)then sysem is weak
SOLUT: choose your own n (there are primenumbers; so the probability you choose the samen is very very small)
Important: we need algorithms to cchoose randomnumbers
RSA : Attacks
chosen ciphertext attack using multiplicativeproperty of RSA:– Adversary knows c = Me mod n– Adversary randomly chooses X and computes
c’ = c Xe mod n– Adversary ask Alice to decode c’– Alice computes (c’)d = c d (X e) d = M X mod n !!– Adversary knows X and computes M !!!
• Solution: messages should be strucutured (Adoes not decode if M does verify requiredstructure)
RSA - implementation attacks
Known attacks:• Timing: uses time used for computing Cd
(small time implies small d)Analougously• Energy: analyses how much energy is
required by a smart card to compute Cd
RSA- attacks: conclusion
Textbook implementation of RSA is NOT safe• Does not guarantee basic security properties for
all messagesTherefore you must use a STANDARD version• Given a message M before encoding• preproces M to obtain M’ and then apply RSA M’
(M and M’ have the same semantic)M M’ CRSA
Public-Key Crypto. Standard (PKCS)Standard to use RSA and cryptography protocols• Many versions (1-15).• PKCS-1: standard to encode messages (byte)
m= 0||2||at least 8 non zero byte || 0|| M(M message to be sent)• first byte 0 implies m< n • second byte (2 = 00000010) denotes encoding of
a message (1 denotes signature of messages) ; itimplies message is big
• Random bytes imply– Same message sent several times is each time
different;– Adversary that knows message space cannot
encode and verify (adv. Does not know randomnumber used for coding the block)
RSA and Data integrity:OAEPOAEP (also known as PKCS-1 version 2)• codif. c= RSA[M || 0k1 exor G(r)] ||
[(H(RSA[M || 0k1 exor G(r)]) exor r]• k0, k1 known constants; G,H known hash function;
r random string of k0 bit (chosen by the sender);• Decode; let c, c= s||t, be decoded text (t last k0
bits); u=t exorH(s); v=s exor G(u); ACCEPT if v =m || 0k1; OTHERWISE REJECT
• Random r implies that OAEP is robust also in thecase of chosen ciphertext (we assume H and Gare cryptographic strong hash functions)
Basic Scheme of Public key Crypt.
• A public key encryption scheme includesthe following elements:– A private key k– A public key k’– An encryption algorithm, which is a trap door
OWF. The trap-door info is the private key• Public key is published• Encryption uses the public key (anyone can
encrypt)• Decryption requires the private key
El-Gamal Encryption
• Constructed by El-Gamal in 1985• Similar to DH• Alice publishes p, g as public parameters• Alice chooses x as a private key and
publishes gx mod p as a public key• Encryption of m∈Zp by sending (gy mod p,
mgxy mod p) or (gy mod p, m+gxy mod p)• Requires two exponentiations per each
block transmitted.
Real World usage
Two words: Key Exchange
In fact: RSA (as other known Public Keyalgorithms) is slow. So it is generally usedto define a secret key (say using Diffieand Hellman).