CS470, A.Selcuk RSA 1
RSA
CS 470
Introduction to Applied Cryptography
Instructor: Ali Aydin Selcuk
RSA
• First successful public key system (Rivest, Shamir, Adleman, 1977).
• Q: Would a DH-like PKC as x^e mod p work?
• RSA:
– Alice chooses large primes p, q; n = pq.
– e, such that gcd(e, φ(n)) = 1.
– d = e^(-1) mod φ(n)
– n, e public. d is the private key.
– Encryption: E(x) = x^e mod n
– Decryption: D(x) = x^d mod n
RSA Encryption
Encryption: y = E(x) = x^e mod n,
Decryption: D(y) = y^d mod n.
Why does it work?
D(y) = (x^e)^d mod n = x^(ed) mod n
= x^(kφ(n) + 1) mod n, for some k
= (x^φ(n))^k · x mod n
= x, if x ∈ Z_n^*
(what if not?)
Generation of RSA Parameters
• p, q can be generated randomly.
• φ(n) = (p-1)(q-1)
• choosing e, gcd(e, φ(n)) = 1:
– Take e to be a prime.
– Generate p, q, such that e ∤ (p – 1), e ∤ (q – 1).
• Compute d = e^(-1) mod φ(n) by ext. Euclid’s.
• Popular: e = 3, e = 65537.
• Randomness of d: due to n.
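The parameter generation on this slide and the correctness argument on the previous one, as an added Python example (this is not code from the slides or the course): primes are drawn at random until e does not divide p - 1 or q - 1, d comes from the extended Euclidean algorithm, and the round trip is also checked for an x outside Z_n^* (a multiple of p), the case the derivation on slide 3 leaves as a question. The key size and the Miller-Rabin round count are choices made for this example.

```python
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (enough for a demonstration)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, e):
    """Random prime with the top bit set such that e does not divide p - 1 (slide 4)."""
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % e != 0 and is_probable_prime(p):
            return p


def ext_euclid(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def keygen(bits=1024, e=65537):
    """Return ((n, e), (n, d, p, q)). e must be prime, as 3 and 65537 are."""
    p = gen_prime(bits // 2, e)
    q = gen_prime(bits // 2, e)
    while q == p:
        q = gen_prime(bits // 2, e)
    n, phi = p * q, (p - 1) * (q - 1)
    g, s, _ = ext_euclid(e, phi)
    assert g == 1                # guaranteed: e is prime and divides neither p-1 nor q-1
    d = s % phi                  # d = e^-1 mod phi(n)
    return (n, e), (n, d, p, q)


def encrypt(pub, x):
    n, e = pub
    assert 0 <= x < n
    return pow(x, e, n)


def decrypt(priv, y):
    n, d, _, _ = priv
    return pow(y, d, n)


if __name__ == "__main__":
    pub, priv = keygen(512)
    n, _, p, q = priv
    # the last two inputs are not in Z_n^* (gcd(x, n) > 1); decryption still inverts encryption
    for x in (42, n - 1, p, 2 * q):
        assert decrypt(priv, encrypt(pub, x)) == x
    print("round trips hold, including for x not coprime to n")
```

The round trip for x = p works because n is squarefree: x^(ed) ≡ x holds separately mod p (both sides are 0) and mod q (Fermat), and the CRT combines the two congruences.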
Security of RSA
• Based on difficulty of factoring large integers.
• NFS: e^((1.923 + o(1)) (ln n)^(1/3) (ln ln n)^(2/3))
(btw, factoring is reducible to DLP in Z_p^*)
• Computing d is equivalent to factoring n. (i.e., given d and e, one can find p and q.)
• RSA problem: Given n, e, x^e mod n, what is x? (conjecture: It is equivalent to factoring n.)
• Bit Security of RSA: Computing LSB(x) is equivalent to computing the whole x.
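The claim that computing d is equivalent to factoring n, run as an added Python example (not from the slides): e·d - 1 is a multiple of φ(n), and peeling factors of 2 off that exponent yields a nontrivial square root of 1 mod n, which splits n. The key is constructed here from two Mersenne primes purely so that the constants are short; such a key is not fit for real use. This is also why a key whose d has leaked cannot be rescued by choosing a new e for the same n.

```python
import random
from math import gcd

# Constructed key for the demonstration only: Mersenne primes are easy to write
# down, which is exactly why they would never be used in a real key.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+


def factor_from_d(n, e, d, tries=64):
    """Recover the factors of n from a public/private exponent pair.

    e*d - 1 is a multiple of phi(n), so g^(e*d-1) = 1 (mod n) for every g
    coprime to n.  Write e*d - 1 = 2^t * r and square g^r repeatedly: the
    last value before 1 is a square root of 1 mod n.  With probability at
    least 1/2 it is not +-1, and then gcd(x - 1, n) is a proper factor.
    Returns (p, q), or None if every try was unlucky."""
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:
        r //= 2
        t += 1
    for _ in range(tries):
        g = random.randrange(2, n - 1)
        f = gcd(g, n)
        if f > 1:                      # astronomically unlikely, but it is a factor
            return f, n // f
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                 # x is a nontrivial square root of 1
                p = gcd(x - 1, n)
                return p, n // p
            if y == n - 1:             # chain hits -1 first: trivial root, try another g
                break
            x = y
    return None


if __name__ == "__main__":
    p, q = factor_from_d(N, E, D)
    print(sorted((p, q)) == sorted((P, Q)))   # True
```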
Signing with RSA
Signature: y = S(x) = x^d mod n
Verification: y^e mod n = x ?
Some problems:
• “Existential Forgery”: x = y^e mod n (solution?)
• Distributiveness: Given (x1, S(x1)), (x2, S(x2)), attacker can compute: S(x1 x2) = S(x1) S(x2).
• Or, similarly, S(x1/x2) or any S(x1^i x2^j) can be computed.
• “Smooth numbers” threat: This may be significant when messages to be signed are small. (solution?)
Optimizing RSA Private Key Op.s
• Instead of x^d mod n, compute x^d mod p and x^d mod q, and obtain x^d mod n by the CRT.
• For dp = d mod (p – 1), dq = d mod (q – 1):
x^d ≡ x^dp (mod p), x^d ≡ x^dq (mod q),
hence, halving the size of the modulus & the exponents.
• Approximately 2-3 times speedup.
• Q: Can this be utilized for the public key operations as well?
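The CRT form of the private key operation, as an added Python example (not from the slides): dp and dq as on the slide, the two half-size exponentiations, and Garner's recombination using q^(-1) mod p to lift the pair of residues back to mod n. The result is checked against the plain x^d mod n and the speedup is measured roughly. The key is constructed from two Mersenne primes for the demonstration only.

```python
import random
import time

# Constructed demonstration key (Mersenne primes; fine for arithmetic, not for real use)
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+


def crt_private_key(p, q, d):
    """Precompute the CRT form of the private key: dp, dq from the slide plus Garner's q^-1 mod p."""
    return {"p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1),
            "qinv": pow(q, -1, p)}


def private_op_crt(x, key):
    p, q = key["p"], key["q"]
    mp = pow(x % p, key["dp"], p)          # half-size modulus, half-size exponent
    mq = pow(x % q, key["dq"], q)
    h = (key["qinv"] * (mp - mq)) % p      # Garner: recombine the two residues
    return mq + h * q                      # == mp (mod p), == mq (mod q), and < pq


def private_op_plain(x, d, n):
    return pow(x, d, n)


def speedup(trials=20):
    """Rough ratio of plain to CRT running time on random inputs (machine dependent)."""
    key = crt_private_key(P, Q, D)
    xs = [random.randrange(1, N) for _ in range(trials)]
    t0 = time.perf_counter()
    for x in xs:
        private_op_plain(x, D, N)
    t1 = time.perf_counter()
    for x in xs:
        private_op_crt(x, key)
    t2 = time.perf_counter()
    return (t1 - t0) / (t2 - t1)


if __name__ == "__main__":
    key = crt_private_key(P, Q, D)
    x = 0xC0FFEE
    assert private_op_crt(x, key) == private_op_plain(x, D, N)
    assert pow(private_op_crt(x, key), E, N) == x   # the CRT result verifies under the public key
    print("CRT/plain speedup: %.1fx" % speedup())
```

Garner's form returns a value in [0, n) directly: mq < q and h < p, so mq + h·q < pq. The precomputed dp, dq and qinv are part of the private key material and must be protected like d.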
e = 3 Issues
Cube root problem:
• Encryption: If a small msg (i.e. x < n^(1/3)) is encrypted, attacker can solve x from x^3 mod n.
• Signature: If short msg.s are padded randomly at LSBs, attacker can sign any short msg x:
– attacker pads x with 0s on the LSBs,
– computes its cube root,
– rounds up to the nearest integer r,
– take the padded message as r^3.
e = 3 Issues (cont.)
Broadcast problem:
• Bob, Bart, Bert all use e = 3 with mods n1, n2, n3.
• Alice sends the same message x to all: x^3 mod n1, x^3 mod n2, x^3 mod n3.
• Eve computes y = x^3 mod n1n2n3 by the CRT.
• Which is y = x^3, since x < n1, n2, n3, and x is the cube root of y.
PKCS Solutions (RSA Labs)
Encryption: (PKCS #1 v1.5, RFC 2313)
Block layout: 0 (1 byte) | 2 (1 byte) | random non-zero octets (≥ 8 bytes) | 0 (1 byte) | data
• first 0: to guarantee x < n
• 2: indicates encryption
• second 0: indicates end of padding
Protects against:
• guessable message attacks (e.g., a yes/no message)
• cube root problem, for e = 3
• broadcast problem, for e = 3
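The PKCS #1 v1.5 encryption block above, as an added Python example (not code from the slides or from RSA Labs): it implements the 00 02 PS 00 data layout and runs the e = 3 cube root check from slide 8 against the same one-byte "yes/no" message with and without padding. The key is constructed from two primes chosen so that gcd(3, φ(n)) = 1 and the modulus is only 12 bytes, the smallest size that fits a one-byte message; real keys are far larger.

```python
import os

# Constructed 96-bit key, demonstration only.  Both primes are 2 mod 3, so e = 3 is valid.
P = 2**64 - 59
Q = 2**32 - 5
N = P * Q
E = 3
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8       # 12 octets: room for k - 11 = 1 data byte


def pkcs1_v15_encode(data, k):
    """EB = 00 || 02 || PS || 00 || data, PS = at least 8 random non-zero octets."""
    if len(data) > k - 11:
        raise ValueError("message too long for the modulus")
    ps_len = k - len(data) - 3
    ps = b""
    while len(ps) < ps_len:          # zero octets would end the padding early, so drop them
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + data


def pkcs1_v15_decode(eb):
    """Inverse of the encoding; every structural check folds into one error."""
    sep = eb.find(b"\x00", 2)        # first zero after the 02 ends the padding
    if len(eb) < 11 or eb[0] != 0 or eb[1] != 2 or sep < 10:
        raise ValueError("decryption error")
    return eb[sep + 1:]


def encrypt(data):
    x = int.from_bytes(pkcs1_v15_encode(data, K), "big")
    assert x < N                     # the leading 00 guarantees this
    return pow(x, E, N)


def decrypt(c):
    return pkcs1_v15_decode(pow(c, D, N).to_bytes(K, "big"))


def icbrt(c):
    """Smallest r with r^3 >= c, by binary search."""
    lo, hi = 0, 1 << (c.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < c:
            lo = mid + 1
        else:
            hi = mid
    return lo


def cube_root_recovers(c):
    """True when c is a perfect cube, i.e. x^3 never wrapped around n (slide 8)."""
    return icbrt(c) ** 3 == c


if __name__ == "__main__":
    yes = b"y"
    raw = pow(int.from_bytes(yes, "big"), E, N)      # textbook RSA, no padding
    print("unpadded: cube root recovers plaintext:", cube_root_recovers(raw))   # True
    c1, c2 = encrypt(yes), encrypt(yes)
    print("padded: cube root recovers plaintext:", cube_root_recovers(c1))      # False
    print("same message, same ciphertext:", c1 == c2)                            # False
    assert decrypt(c1) == yes and decrypt(c2) == yes
```

The padded value starts with the octet 02 in the second position, so it is at least 2·256^(k-2), far above n^(1/3); its cube wraps around n and the integer cube root of the ciphertext no longer says anything about the message. The random PS also makes two encryptions of the same "y" differ, which is the point against guessable messages.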
PKCS (cont.)
Signature: (PKCS #1 v1.5)
Block layout: 0 (1 byte) | 1 (1 byte) | octets of (ff)16 (≥ 8 bytes) | 0 (1 byte) | hash type & hash
• Why not random padding?
• Why include the hash type?
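The PKCS #1 v1.5 signature block, as an added Python example (not from the slides): 00 01 ff..ff 00 followed by the hash type and hash, here the DER DigestInfo prefix for SHA-256 given in RFC 3447. It also runs the distributiveness check from slide 6: with textbook signatures S(x1)·S(x2) verifies as a signature on x1·x2, while the product of two padded signatures decodes to a block without the required structure. The key is constructed from two Mersenne primes for the demonstration only.

```python
import hashlib

# Constructed demonstration key (Mersenne primes; not for real use)
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8       # 81 octets

# DER-encoded DigestInfo prefix naming SHA-256 (RFC 3447, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(msg, k):
    """EB = 00 || 01 || ff..ff || 00 || DigestInfo(hash type, hash), with at least 8 ff octets."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg):
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, K), "big"), D, N)


def verify(msg, sig):
    """Recompute the whole encoded block and compare it entire, not just the hash bytes."""
    if not 0 <= sig < N:
        return False
    eb = pow(sig, E, N).to_bytes(K, "big")
    return eb == emsa_pkcs1_v15(msg, K)


def has_type1_structure(eb):
    """Structural check only: 00 01, at least eight ff octets, then 00."""
    i = 2
    while i < len(eb) and eb[i] == 0xFF:
        i += 1
    return eb[:2] == b"\x00\x01" and i - 2 >= 8 and i < len(eb) and eb[i] == 0


# --- the distributiveness problem from slide 6, on textbook (unpadded) signatures ---
def textbook_sign(x):
    return pow(x, D, N)


def textbook_forgery_verifies(x1, x2):
    """S(x1) * S(x2) mod n passes verification as a signature on x1 * x2 mod n."""
    s = (textbook_sign(x1) * textbook_sign(x2)) % N
    return pow(s, E, N) == (x1 * x2) % N


def padded_product_has_structure(m1, m2):
    """The same product on padded signatures: the block it 'signs' has no structure."""
    s = (sign(m1) * sign(m2)) % N
    return has_type1_structure(pow(s, E, N).to_bytes(K, "big"))


if __name__ == "__main__":
    sig = sign(b"transfer 100")
    print(verify(b"transfer 100", sig), verify(b"transfer 200", sig))   # True False
    print(textbook_forgery_verifies(12345, 678910))                       # True
    print(padded_product_has_structure(b"a", b"b"))                       # False
```

Verification compares the full re-encoded block rather than locating the hash inside the decoded value; a verifier that only searches for the hash accepts more inputs than the encoding defines.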
PKCS v2
Encryption: Optimal Asymmetric Encryption Padding (OAEP)
• Bellare & Rogaway, 1994. Adopted for PKCS #1 v2 (RFC 3447).
• Message m, padded with 0s and random r, passes through a Feistel-like structure and is then encrypted with RSA.
• Padding is provably secure assuming that hash fnc. G & H behave randomly.
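The OAEP encoding, as an added Python example (not from the slides and not RFC 3447's own code): the data block lHash || 00..00 || 01 || m is masked by G = MGF1(r), then the seed r is masked by H = MGF1(maskedDB); those are the two rounds of the Feistel-like structure. Decoding undoes them in reverse order and folds every check into one error. SHA-256 and MGF1 are the choices made here; the key is constructed from two Mersenne primes for the demonstration only.

```python
import hashlib
import os

# Constructed demonstration key (Mersenne primes; not for real use)
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8       # 81 octets
HLEN = hashlib.sha256().digest_size  # 32


def mgf1(seed, length):
    """Mask generation function of RFC 3447 (B.2.1), here over SHA-256."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(msg, k, label=b"", seed=None):
    """EM = 00 || maskedSeed || maskedDB, with DB = lHash || 00..00 || 01 || msg."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = hashlib.sha256(label).digest()
    db = lhash + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = os.urandom(HLEN) if seed is None else seed   # the random r on the slide
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))        # round 1: G(r) masks the data half
    masked_seed = xor(seed, mgf1(masked_db, HLEN))       # round 2: H(maskedDB) masks r
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k, label=b""):
    """Undo the two rounds in reverse; every check folds into one generic error."""
    if len(em) != k:
        raise ValueError("decryption error")
    lhash = hashlib.sha256(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    sep = db.find(b"\x01", HLEN)
    if y != 0 or db[:HLEN] != lhash or sep < 0 or any(db[HLEN:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]


def encrypt(msg, label=b""):
    return pow(int.from_bytes(oaep_encode(msg, K, label), "big"), E, N)


def decrypt(c, label=b""):
    return oaep_decode(pow(c, D, N).to_bytes(K, "big"), K, label)


if __name__ == "__main__":
    c = encrypt(b"yes")
    print(decrypt(c))                          # b'yes'
    print(encrypt(b"yes") != c)                # True: fresh r each time
    try:
        decrypt(c ^ 1)                         # one flipped ciphertext bit
    except ValueError as err:
        print("tampered ciphertext:", err)
```

Because each half masks the other, flipping any bit of the ciphertext changes the recovered seed, and through G the entire data block, so the lHash and 01 separator checks fail; the decoder reports one error for all failure reasons.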
PKCS v2 (cont.)
Signature: Probabilistic Signature Scheme (PSS)
• Bellare & Rogaway, 1996.
• Provably secure (~OAEP) assuming hash functions produce random outputs. (“Random oracle” assumption)
• Adopted for PKCS #1 v2.1.