RSA

CS 470 Introduction to Applied Cryptography

Instructor: Ali Aydin Selcuk

Upload: armando-buckner

Post on 31-Dec-2015




RSA

• First successful public key system (Rivest, Shamir, Adleman, 1977).

• Q: Would a DH-like PKC as x^e mod p work?

• RSA:

– Alice chooses large primes p, q; n = pq.

– e, such that gcd(e, φ(n)) = 1.

– d = e^-1 mod φ(n)

– n, e public. d is the private key.

– Encryption: E(x) = x^e mod n

– Decryption: D(x) = x^d mod n


RSA Encryption

Encryption: y = E(x) = x^e mod n,

Decryption: D(y) = y^d mod n.

Why does it work?

D(y) = (x^e)^d mod n
= x^(ed) mod n
= x^(kφ(n) + 1) mod n, for some k
= (x^φ(n))^k · x mod n
= x, if x ∈ Z_n* (what if not?)


Generation of RSA Parameters

• p, q can be generated randomly.

• φ(n) = (p-1)(q-1)

• choosing e, gcd(e, φ(n)) = 1:

– Take e to be a prime.

– Generate p, q, such that e ∤ (p – 1), e ∤ (q – 1).

• Compute d = e^-1 mod φ(n) by ext. Euclid’s.

• Popular: e = 3, e = 65537.

• Randomness of d: due to n.


Security of RSA

• Based on difficulty of factoring large integers.

• NFS: e^((1.923 + O(1)) (ln n)^(1/3) (ln ln n)^(2/3))

(btw, factoring is reducible to DLP in Z_p*)

• Computing d is equivalent to factoring n. (i.e., given d and e, one can find p and q.)

• RSA problem: Given n, e, x^e mod n, what is x? (conjecture: It is equivalent to factoring n.)

• Bit Security of RSA: Computing LSB(x) is equivalent to computing the whole x.


Signing with RSA

Signature: y = S(x) = x^d mod n

Verification: y^e mod n = x ?

Some problems:

• “Existential Forgery”: x = y^e mod n (solution?)

• Distributiveness: Given (x1, S(x1)), (x2, S(x2)), attacker can compute: S(x1x2) = S(x1)S(x2).

• Or, similarly, S(x1/x2) or any S(x1^i · x2^j) can be computed.

• “Smooth numbers” threat: This may be significant when messages to be signed are small. (solution?)


Optimizing RSA Private Key Op.s

• Instead of x^d mod n, compute
x^d mod p
x^d mod q
and obtain x^d mod n by the CRT.

• For d_p = d mod (p – 1), d_q = d mod (q – 1),
x^d ≡ x^(d_p) (mod p)
x^d ≡ x^(d_q) (mod q)
hence, halving the size of the modulus & the exponents.

• Approximately 2-3 times speedup.

• Q: Can this be utilized for the public key operations as well?
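The CRT private-key operation above, as an added example that is not part of the original slides. The function names, the two small constructed primes, and the q^-1 mod p recombination step (Garner's formula, one standard way to apply the CRT) are assumptions of this example; it uses unpadded textbook RSA only to check the arithmetic.

```python
# Added example: textbook RSA parameters and the CRT private-key operation.
# The primes are small constructed values; real keys use large random primes
# and padded messages (see the PKCS slides).
from math import gcd

def make_key(p, q, e=65537):
    """Build RSA parameters from primes p, q as on the parameter slide."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # d = e^-1 mod phi(n) (Python 3.8+)
    return {
        "n": p * q, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1),         # d_p = d mod (p - 1)
        "dq": d % (q - 1),         # d_q = d mod (q - 1)
        "qinv": pow(q, -1, p),     # q^-1 mod p, used to recombine
    }

def public_op(key, x):
    """Public-key operation: x^e mod n."""
    return pow(x, key["e"], key["n"])

def private_op(key, y):
    """Direct private-key operation: y^d mod n."""
    return pow(y, key["d"], key["n"])

def private_op_crt(key, y):
    """Same result from two half-size exponentiations plus the CRT."""
    p, q = key["p"], key["q"]
    mp = pow(y % p, key["dp"], p)          # y^d mod p
    mq = pow(y % q, key["dq"], q)          # y^d mod q
    h = (key["qinv"] * (mp - mq)) % p      # Garner recombination
    return mq + h * q                      # unique value in [0, n)

# Constructed toy primes: 2^31 - 1 and 2^61 - 1
KEY = make_key(2147483647, 2305843009213693951)

if __name__ == "__main__":
    x = 1234567890123                      # constructed sample message
    y = public_op(KEY, x)
    print(private_op(KEY, y) == x, private_op_crt(KEY, y) == x)
```

Both paths also round-trip a message that is a multiple of p, which is the "what if not?" case from the RSA Encryption slide: for n = pq with distinct primes the identity holds for every x in [0, n).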


e = 3 Issues

Cube root problem:

• Encryption: If a small msg (i.e. x < n^(1/3)) is encrypted, attacker can solve x from x^3 mod n.

• Signature: If short msg.s are padded randomly at LSBs, attacker can sign any short msg x:

– attacker pads x with 0s on the LSBs,

– computes its cube root,

– rounds up to the nearest integer r,

– take the padded message as r^3.


e = 3 Issues (cont.)

Broadcast problem:

• Bob, Bart, Bert all use e = 3 with mods n1, n2, n3.

• Alice sends the same message x to all:
x^3 mod n1
x^3 mod n2
x^3 mod n3

• Eve computes y = x^3 mod n1n2n3 by the CRT.

• Which is y = x^3, since x < n1, n2, n3, and x is the cube root of y.


PKCS Solutions (RSA Labs)

Encryption: (PKCS #1 v1.5, RFC 2313)

0 | 2 | random non-zero octets | 0 | data
(0 and 2: 1 byte each; random non-zero octets: ≥ 8 bytes; second 0: 1 byte)

• first 0: to guarantee x < n

• 2: indicates encryption

• second 0: indicates end of padding

Protects against:

• guessable message attacks (e.g., a yes/no message)

• cube root problem, for e = 3

• broadcast problem, for e = 3


PKCS (cont.)

Signature: (PKCS #1 v1.5)

0 | 1 | octets of (ff)_16 | 0 | hash type & hash
(0 and 1: 1 byte each; octets of (ff)_16: ≥ 8 bytes; second 0: 1 byte)

• Why not random padding?

• Why include the hash type?


PKCS v2

Encryption: Optimal Asymmetric Encryption Padding (OAEP)

• Bellare & Rogaway, 1994. Adopted for PKCS #1 v2 (RFC 3447).

• Message m, padded with 0s and random r, passes through a Feistel-like structure and is then encrypted with RSA.

• Padding is provably secure assuming that hash fnc. G & H behave randomly.


PKCS v2 (cont.)

Signature: Probabilistic Signature Scheme (PSS)

• Bellare & Rogaway, 1996.

• Provably secure (~OAEP) assuming hash functions produce random outputs. (“Random oracle” assumption)

• Adopted for PKCS #1 v2.1.