Lecture 9 – Public-Key Encryption

COSC-466 Applied Cryptography Adam O’Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Recall Symmetric-Key Crypto

• In this setting, if Alice wants to communicate secure with Bob they need a shared key KAB. Recall Symmetric-Key Crypto

• In this setting, if Alice wants to communicate secure with Bob they need a shared key KAB. • If Alice wants to also communicate with Charlie they need a shared key KAC. Recall Symmetric-Key Crypto

• In this setting, if Alice wants to communicate secure with Bob they need a shared key KAB. • If Alice wants to also communicate with Charlie they need a shared key KAC.

• If Alice generates KAB and KAC they must be communicated to Bob and Charlie over secure channels. How can this be done? Public-Key Crypto

• Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. Public-Key Crypto

• Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. • Anyone can use Alice’s public key to send her a private message. Public-Key Crypto

• Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. • Anyone can use Alice’s public key to send her a private message. • Public key is like a phone number: Anyone can look it up in a phone book. Public-Key Crypto

A public-key (or asymmetric) encryption scheme =( , , ) consists AE K E D of three algorithms, where

Alice has a secret key that is shared with nobody, and an associated • pk public key that is known to everybody. K Anyone (Bob, Charlie, ...)canuseAlice’spublickeytosendheran • encrypted message which only she can decrypt. sk Think of the public key like a phone number that you can look up in a database

Senders don’t need secrets • M CC M or There are no shared secrets • E D ?

Mihir Bellare UCSD 5 Mihir Bellare UCSD 6

Correct decryption requirement How it works

Step 1: Key generation Let =( , , ) be an asymmetric encryption scheme. The correct $ AE K E D Alice locally computers (pk, sk) and stores sk. decryption requirement is that K Step 2: Alice enables any prospective sender to get pk. Pr[ (sk, (pk, M)) = M]=1 D E Step 3:Thesenderencryptsunderpk and Alice decrypts under sk. for all (pk, sk) that may be output by and all messages M in the We don’t require privacy of pk but we do require authenticity: the sender K message space of . The probability is over the random choices of . should be assured pk is really Alice’s key and not someone else’s. One AE E could This simply says that decryption correctly reverses encryption to recover Put public keys in a trusted but public “phone book”, say a the message that was encrypted. When we specify schemes, we indicate • what is the message space. cryptographic DNS. Use certiﬁcates as we will see later. •

Mihir Bellare UCSD 7 Mihir Bellare UCSD 8 Code Obfuscation Perspective

Diffie÷i÷÷". Hellman PKI? Public Key Encryption Syntax of PKE

A public-key (or asymmetric) encryption scheme =( , , ) consists AE K E D of three algorithms, where

Senders don’t need secrets • M CC M or There are no shared secrets • E D ?

Mihir Bellare UCSD 5 Mihir Bellare UCSD 6

Correct decryption requirementCorrectness How it works

Step 1: Key generation Let =( , , ) be an asymmetric encryption scheme. The correct $ AE K E D Alice locally computers (pk, sk) and stores sk. decryption requirement is that K Step 2: Alice enables any prospective sender to get pk. Pr[ (sk, (pk, M)) = M]=1 D E e Step 3:Thesenderencryptsunderpk and Alice decrypts under sk. for all (pk, sk) that may be output by and all messages M in the We don’t require privacy of pk but we do require authenticity: the sender K message space of . The probability is over the random choices of . should be assured pk is really Alice’s key and not someone else’s. One AE E could This simply says that decryption correctly reverses encryption to recover Put public keys in a trusted but public “phone book”, say a the message that was encrypted. When we specify schemes, we indicate • what is the message space. cryptographic DNS. Use certiﬁcates as we will see later. •

Mihir Bellare UCSD 7 Mihir Bellare UCSD 8 Public Key Encryption Syntax of PKE

A public-key (or asymmetric) encryption scheme =( , , ) consists AE K E D of three algorithms, where

Senders don’t need secrets • M CC M or There are no shared secrets • E D ?

Mihir Bellare UCSD 5 Mihir Bellare UCSD 6

Correct decryption requirement How it works How It Works

Mihir Bellare UCSD 7 Mihir Bellare UCSD 8 The games for IND-CPAIND-CPA

Let =( , , )beaPKEschemeandA an adversary. AE K E D Game Left Game Right AE AE procedure Initialize procedure Initialize (pk, sk) $ ; return pk (pk, sk) $ ; return pk K K procedure LR(M0, M1) procedure LR(M0, M1) Return C $ (M ) Return C $ (M ) Epk 0 Epk 1 Associated to , A are the probabilities AE Pr LeftA 1 Pr RightA 1 AE ) AE ) h i h i that A outputs 1 in each world. The ind-cpa advantage of A is Advind-cpa(A)=Pr RightA 1 Pr LeftA 1 AE AE ) AE ) h i h i Mihir Bellare UCSD 9 Problem: Legitimate receiver needs to compute discrete logarithm to decrypt too! But decryption needs to be feasible. Above, receiver has no secret key!

Security of PKE Schemes The games for IND-CPA

Let =( , , )beaPKEschemeandA an adversary. AE K E D Game Left Game Right AE AE procedure Initialize procedure Initialize (pk, sk) $ ; return pk (pk, sk) $ ; return pk Same as for symmetric encryption, except for one new element: The K K procedure LR(M0, M1) procedure LR(M0, M1) adversary needs to be given the public key. $ $ Return C pk (M0) Return C pk (M1) We formalize IND-CPA accordingly. E E Associated to , A are the probabilities AE Pr LeftA 1 Pr RightA 1 AE ) AE ) h i h i that A outputs 1 in each world. The ind-cpa advantage of A is Advind-cpa(A)=Pr RightA 1 Pr LeftA 1 AE AE ) AE ) h i h i Mihir Bellare UCSD 9 Mihir Bellare UCSD 10

IND-CPA: Explanations Building a PKE Scheme Explanations We would like security to result from the hardness of computing discrete logarithms. The “return pk” statement in Initialize means the adversary A gets the public key pk as input. It does not get sk. Let the receiver’s public key be g where G = g is a cyclic group. Let’s h i let the encryption of x be g x .Then It can call LR with any equal-length messages M0, M1 of its choice to get $ back an encryption C (M ) of M under sk,whereb = 0 in game x hard Epk b b g x Left and b = 1 in game Right . Notation indicates encryption ! AE AE g (x) algorithm may be randomized. E |{z} A is not allowed to call LR with messages M0, M1 of unequal length. Any so to recover x, adversary must compute discrete logarithms, and we know such A is considered invalid and its advantage is undeﬁned or 0. it can’t, so are we done? It outputs a bit, and wins if this bit equals b.

Mihir Bellare UCSD 11 Mihir Bellare UCSD 12 Building aHow to Build a Scheme? PKE Scheme Recall DH Secret Key Exchange

We would like security to result from the hardness of computing discrete The following are assumed to be public: A large prime p and a generator g logarithms. of Zp⇤. Let the receiver’s public key be g where G = g is a cyclic group. Let’s h i let the encryption of x be g x .Then Alice Bob $ x x Zp 1; X g mod p hard g x x X ! ! $ g (x) y E y Zp 1; Y g mod p |{z} Y so to recover x, adversary must compute discrete logarithms, and we know K Y x mod pKX y mod p it can’t, so are we done? A B Problem: Legitimate receiver needs to compute discrete logarithm to Y x =(g y )x = g xy =(g x )y = X y modulo p,soK = K decrypt too! But decryption needs to be feasible. • A B Adversary is faced with the CDH problem. Above, receiver has no secret key! •

Mihir Bellare UCSD 13 Mihir Bellare UCSD 14

From key exchange to PKE The DHIES scheme

Let G = g be a cyclic group of order m and H: G 0, 1 k a(public) h i ! { } hash function. The DHIES PKE scheme =( , , )isdeﬁnedfor We can turn DH key exchange into a public key encryption scheme via AE K E D messages M 0, 1 k via Let Alice have public key g x and secret key x 2 { } • If Bob wants to encrypt M for Alice, he Alg X (M) • Alg E Alg x (Y , W ) Picks y and sends g y to Alice K $ y D • xy x y $ y Zm; Y g x Encrypts M under g =(g ) and sends ciphertext to Alice. x Zm y K Y • x K X But Alice can recompute g xy =(g y )x because X g M H(K) W • W H(K) M g y is in the received ciphertext return (X , x) return M • return (Y , W ) x is her secret key • Thus she can decrypt and adversary is still faced with CDH . Correct decryption is assured because K = X y = g xy = Y x

Note: This is a simpliﬁed version of the actual scheme.

Mihir Bellare UCSD 15 Mihir Bellare UCSD 16 Building a PKE Scheme A More Basic Problem: Key ExchangeRecall DH Secret Key Exchange

We would like security to result from the hardness of computing discrete The following are assumed to be public: A large prime p and a generator g logarithms. of Zp⇤. Let the receiver’s public key be g where G = g is a cyclic group. Let’s h i let the encryption of x be g x .Then Alice Bob $ x x Zp 1; X g mod p hard g x x X ! ! $ g (x) ÷ y E y Zp 1; Y g mod p |{z} ⑤Y so to recover x, adversary must compute discrete logarithms, and we know K Y x mod pKX y mod p it can’t, so are we done? A B Problem: Legitimate receiver needs to compute discrete logarithm to Y x =(g y )x = g xy =(g x )y = X y modulo p,soK = K decrypt too! But decryption needs to be feasible. • A B Adversary is faced with the CDH problem. Above, receiver has no secret key! •

Mihir Bellare UCSD 13 Mihir Bellare UCSD 14

From key exchange to PKE The DHIES scheme

Note: This is a simpliﬁed version of the actual scheme.

Mihir Bellare UCSD 15 Mihir Bellare UCSD 16 Building a PKE Scheme Recall DH Secret Key Exchange

Mihir Bellare UCSD 13 Mihir Bellare UCSD 14

From key exchange to PKE The DHIES scheme Key Exchange to PKE Let G = g be a cyclic group of order m and H: G 0, 1 k a(public) h i ! { } hash function. The DHIES PKE scheme =( , , )isdeﬁnedfor We can turn DH key exchange into a public key encryption scheme via AE K E D messages M 0, 1 k via Let Alice have public key g x and secret key x 2 { } • If Bob wants to encrypt M for Alice, he Alg X (M) • Alg E Alg x (Y , W ) Picks y and sends g y to Alice K $ y D • xy x y $ y Zm; Y g x Encrypts M under g =(g ) and sends ciphertext to Alice. x Zm y K Y • x K X But Alice can recompute g xy =(g y )x because X g M H(K) W • W H(K) M g y is in the received ciphertext return (X , x) return M • return (Y , W ) x is her secret key • Thus she can decrypt and adversary is still faced with CDH . Correct decryption is assured because K = X y = g xy = Y x

Note: This is a simpliﬁed version of the actual scheme.

Mihir Bellare UCSD 15 Mihir Bellare UCSD 16 Building a PKE Scheme Recall DH Secret Key Exchange

Mihir Bellare UCSD 13 Mihir Bellare UCSD 14

Diffie-Hellman Integrated Encryption Scheme

From key exchange to PKE The DHIES scheme got, DHIES g a EYES Homg¥ ¥ I Let G = g be a cyclic group of order m and H: G 0, 1 k a(public) h i ! { } hash function. The DHIES PKE scheme =( , , )isdeﬁnedfor We can turn DH key exchange into a public key encryption scheme via k AE K E D messages M 0, 1 via a) conygrtrmuan.fnrewdsigtabi.li Let Alice have public key g x and secret key x 2 { } uses • (2) length mis - match of If Bob wants to encrypt M for Alice, he Alg X (M) • Alg E Alg x (Y , W ) y $ Maez there Picks y and sends g to Alice K y D • xy x y $ y Zm; Y g x Encrypts M under g =(g ) and sends ciphertext to Alice. x Zm y K Y • x K X But Alice can recompute g xy =(g y )x because X g M H(K) W • W H(K) M g y is in the received ciphertext return (X , x) return M • £qqw-AEµncMIsreturn (Y , W ) x is her secret key • Thus she can decrypt and adversary is still faced with CDH . e- Correct decryption is assured because K = X y = g xy = Y x

Note: This is a simpliﬁed version of the actual scheme. ml Eats : 160*1 etietngtn

- bit Mihir Bellare UCSD 15 Mihir Bellare UCSDfor 80 16 Tht . D HIES : 1024 + Imf s.ec Security of DHIES ECIES Security of DHIES

ECIES is DHIES with the group being an elliptic curve group. The DHIES scheme =( , , ) associated to cyclic group G = g AE K E D h i and (public) hash function H can be proven IND-CPA assuming CDH is hard in G,and ECIES features: • H is a “random oracle,” meaning a “perfect” hash function. Operation Cost • = encryption 2 160-bit exp In practice, H(K) could be the ﬁrst k bits of the sequence decryption 1 160-bit exp ciphertext expansion 160-bits SHA256(08 K) SHA256(071 K) k k k k ··· ciphertext expansion = (length of ciphertext) - (length of plaintext)

Mihir Bellare UCSD 17 Mihir Bellare UCSD 18

Exercise RSA Math

k Let p 3 be a prime, g Z⇤ a generator of Z⇤ and H: G 0, 1 a Recall that '(N)= Z . 2 p p ! { } N⇤ hash function. (These are all public.) Consider the key-generation and | | k encryption algorithms below, where M 0, 1 : Claim: Suppose e, d Z⇤ satisfy ed 1 (mod '(N)). Then for any 2 { } 2 '(N) ⌘ x ZN⇤ we have Alg Alg (X , M) 2 K E $ $ y x Zp⇤ 1 y Zp 1; Y g mod p e d X g x mod p Z X y mod p ; W H(Y ) M (x ) x (mod N) ⌘ return (X , x) Return (Z, W ) Proof:

Specify a ( p 3 + k)-time decryption algorithm such that e d ed mod '(N) 1 O | | D (x ) x x x =( , , ) is an asymmetric encryption scheme satisfying the correct ⌘ ⌘ ⌘ AE K E D decryption property, and prove this is the case. modulo N

Mihir Bellare UCSD 19 Mihir Bellare UCSD 20 Security of DHIES ECIES ECIES

ECIES is DHIES with the group being an elliptic curve group. The DHIES scheme =( , , ) associated to cyclic group G = g AE K E D h i and (public) hash function H can be proven IND-CPA assuming CDH is hard in G,and ECIES features: • H is a “random oracle,” meaning a “perfect” hash function. Operation Cost • encryption 2 160-bit exp In practice,MazaraH(K) could be the ﬁrst k bits of the sequence decryption 1 160-bit exp ciphertext expansion 160-bits SHA256(0Mma8 K) SHA256(071 K) k k k k ··· ciphertext expansion = (length of ciphertext) - (length of plaintext) " " Emiii.÷÷;:. .

Mihir Bellare UCSD 17 Mihir Bellare UCSD 18

Exercise RSA Math

Mihir Bellare UCSD 19 Mihir Bellare UCSD 20 ECIES features ( for 80 bit security )

Cost Operation -

encryption z 160 - bit exponentiation

- - decryption ) I bit exp .

ciphertext expansion = - of length of ciphertext length plaintext

1$= 160 bits

Nowadays need

128 - bit security

' - - bit 256 groupelements Security of DHIES ECIES

ECIES is DHIES with the group being an elliptic curve group. The DHIES scheme =( , , ) associated to cyclic group G = g AE K E D h i and (public) hash function H can be proven IND-CPA assuming CDH is hard in G,and ECIES features: • H is a “random oracle,” meaning a “perfect” hash function. Operation Cost • encryption 2 160-bit exp In practice, H(K) could be the ﬁrst k bits of the sequence decryption 1 160-bit exp ciphertext expansion 160-bits SHA256(08 K) SHA256(071 K) k k k k ··· ciphertext expansion = (length of ciphertext) - (length of plaintext)

Mihir Bellare UCSD 17 Mihir Bellare UCSD 18

Exercise RSA Math RSA Math

Mihir Bellare UCSD 19 Mihir Bellare UCSD 20 x f (x) g(f (x)) Let e =3andd = 3. Then 1 1 1 ed 9 1 (mod 8) 2 8 2 ⌘ ⌘ 4 4 4 Let 7 13 7 8 2 8 f (x)=x3 mod 15 11 11 11 g(y)=y 3 mod 15 13 7 13 14 14 14

The RSA function N =p .q Example The RSA function primes p , q AmodulusN and encryption exponent e deﬁne the RSA function Let N = 15. So f : ZN⇤ ZN⇤ deﬁned by ! - ZN⇤ = 1, 2, 4, 7, 8, 11, 13, 14 e Cx ) . xe { } f (x)=x mod N RSAN e N , mod '(N)=8 for all x ZN⇤ . 2 Z⇤ = 1, 3, 5, 7 '(N) { } Avalued Z satisfying ed 1 (mod '(N)) is called a decryption 2 '⇤(N) ⌘ exponent.

Claim: The RSA function f : Z Z is a permutation with inverse N⇤ ! N⇤ f 1 : Z Z given by N⇤ ! N⇤ 1 d f (y)=y mod N Proof: For all x Z we have 2 N⇤ 1 e d f (f (x)) (x ) x (mod N) ⌘ ⌘ by previous claim.

Mihir Bellare UCSD 21 Mihir Bellare UCSD 22

Example Exercise

Let N = 15. So

Z⇤ = 1, 2, 4, 7, 8, 11, 13, 14 N { } '(N)=8 1. List all possible encryption exponents for RSA modulus 35:

Z⇤ = 1, 3, 5, 7 '(N) { } x f (x) g(f (x)) Let e =3andd = 3. Then 2. The decryption exponent corresponding to RSA modulus 187 and 1 1 1 encryption exponent 107 is ed 9 1 (mod 8) 2 8 2 ⌘ ⌘ 4 4 4 Let 7 13 7 8 2 8 f (x)=x3 mod 15 11 11 11 g(y)=y 3 mod 15 13 7 13 14 14 14

Mihir Bellare UCSD 23 Mihir Bellare UCSD 24 x f (x) g(f (x)) Let e =3andd = 3. Then 1 1 1 ed 9 1 (mod 8) 2 8 2 ⌘ ⌘ 4 4 4 Let 7 13 7 8 2 8 f (x)=x3 mod 15 11 11 11 g(y)=y 3 mod 15 13 7 13 14 14 14

The RSA function Example

AmodulusN and encryption exponent e deﬁne the RSA function Let N = 15. So f : ZN⇤ ZN⇤ deﬁned by ! ZN⇤ = 1, 2, 4, 7, 8, 11, 13, 14 f (x)=xe mod N { } '(N)=8 for all x ZN⇤ . 2 Z⇤ = 1, 3, 5, 7 '(N) { } Avalued Z satisfying ed 1 (mod '(N)) is called a decryption 2 '⇤(N) ⌘ exponent.

Mihir Bellare UCSD 21 Mihir Bellare UCSD 22

Example Example Exercise

Let N = 15. So

Z⇤ = 1, 2, 4, 7, 8, 11, 13, 14 N { } '(N)=8 1. List all possible encryption exponents for RSA modulus 35:

Mihir Bellare UCSD 23 Mihir Bellare UCSD 24 RSA usage RSA generators RSA usage Baby RSA An RSA generator with security parameter k is an algorithm that pk = N, e; sk = N, d enwytiou Krsa • returns N, p, q, e, d satisfying (x)=xe mod N = f (x) we will see • Epk a d 1 " KSA p, q are distinct odd primes sk(y)=y mod N = f (y) plain • • D N = pq and is called the (RSA) modulus Security will rely on it being hard to compute f 1 without knowing d. • N = k,meaning2k 1 N 2k • | |   e Z is called the encryption exponent RSA is a trapdoor, one-way permutation: • 2 '⇤ (N) Easy to invert given trapdoor d d Z⇤ is called the decryption exponent • hardness • 2 '(N) Hard to invert given only N, e → ed 1 (mod '(N)) • assumption • ⌘

on RSA .

Mihir Bellare UCSD 25 Mihir Bellare UCSD 26

Plan A formula for Phi

Fact: Suppose N = pq for distinct primes p and q.Then

'(N)=(p 1)(q 1) . Building RSA generators • Basic RSA security • Encryption with RSA Example: Let N = 15 = 3 5. Then the Fact says that • · '(15) = (3 1)(5 1) = 8 .Asacheck,Z = 1, 2, 4, 7, 8, 11, 13, 14 indeed has size 8. 15⇤ { }

Mihir Bellare UCSD 27 Mihir Bellare UCSD 28 RSA usage RSA generators RSA generators There RSA can be many possible generators An RSA generator with security parameter k is an algorithm that pk = N, e; sk = N, d Krsa • returns N, p, q, e, d satisfying ← (x)=xe mod N = f (x) - key • pk length E - d 1 p, q are distinct odd primes sk(y)=y mod N = f (y) • • D N = pq and is called the (RSA) modulus Security will rely on it being hard to compute f 1 without knowing d. • N = k,meaning2k 1 N 2k I • | |   e Z is called the encryption exponent RSA is a trapdoor, one-way permutation: • 2 '⇤ (N) Easy to invert given trapdoor d d Z⇤ is called the decryption exponent • • 2 '(N) Hard to invert given only N, e ed 1 (mod '(N)) • • ⌘ random Example : pig

- e chosen at random

Mihir Bellare UCSD 25 Mihir Bellare UCSD 26

Plan A formula for Phi

Fact: Suppose N = pq for distinct primes p and q.Then

Mihir Bellare UCSD 27 Mihir Bellare UCSD 28 Next…

• Building RSA generators • Basic RSA security • Encryption with RSA RSA usage RSA generators

An RSA generator with security parameter k is an algorithm that pk = N, e; sk = N, d Krsa • returns N, p, q, e, d satisfying (x)=xe mod N = f (x) • Epk d 1 p, q are distinct odd primes sk(y)=y mod N = f (y) • • D N = pq and is called the (RSA) modulus Security will rely on it being hard to compute f 1 without knowing d. • N = k,meaning2k 1 N 2k • | |   e Z is called the encryption exponent RSA is a trapdoor, one-way permutation: • 2 '⇤ (N) Easy to invert given trapdoor d d Z⇤ is called the decryption exponent • • 2 '(N) Hard to invert given only N, e ed 1 (mod '(N)) • • ⌘

Mihir Bellare UCSD 25 Mihir Bellare UCSD 26

Plan A formula for Phi A formula

Fact: Suppose N = pq for distinct primes p and q.Then

'(N)=(p 1)(q 1) . Building RSA generators 0 • Basic RSA security • Encryption with RSA Example: Let N = 15 = 3 5. Then the Fact says that • · '(15) = (3 1)(5 1) = 8 .Asacheck,Z = 1, 2, 4, 7, 8, 11, 13, 14 indeed has size 8. 15⇤ { }

Mihir Bellare UCSD 27 Mihir Bellare UCSD 28 A more generalThe general formula formula for Phi Recall

Fact: Suppose N 1 factors as N = p↵1 p↵2 ... p↵n 1 · 2 · · n Given '(N)ande Z'⇤ (N), we can compute d Z'⇤ (N) satisfying ed 1 where p < p <...

Note prior Fact is a special case of the above. (Make sure you understand We have algorithms to eciently test whether a number is prime, and a why!) random number has a pretty good chance of being a prime. Example: Let N = 45 = 32 51.ThentheFactsaysthat · '(45) = 31(3 1) 50(5 1) = 24 ·

Mihir Bellare UCSD 29 Mihir Bellare UCSD 30

Building RSA generators One-wayness of RSA

Say we wish to have e =3(foreciency). The generator 3 with (even) Krsa security parameter k: The following should be hard: repeat Given: N, e, y where y = f (x)=xe mod N p, q $ 2k/2 1,...,2k/2 1 ; N pq; M (p 1)(q 1) { } until Find: x N 2k 1 and p, q are prime and gcd(e, M)=1 d MOD-INV(e, M) Formalism picks x at random and generates N, e via an RSA generator. return N, p, q, e, d

Mihir Bellare UCSD 31 Mihir Bellare UCSD 32 A more general formula for Phi Recall Recall Fact: Suppose N 1 factors as N = p↵1 p↵2 ... p↵n 1 · 2 · · n Given '(N)ande Z'⇤ (N), we can compute d Z'⇤ (N) satisfying ed 1 where p < p <...

Mihir Bellare UCSD 29 Mihir Bellare UCSD 30

Building RSA generators One-wayness of RSA

Mihir Bellare UCSD 31 Mihir Bellare UCSD 32 A more general formula for Phi Recall

Fact: Suppose N 1 factors as N = p↵1 p↵2 ... p↵n 1 · 2 · · n Given '(N)ande Z'⇤ (N), we can compute d Z'⇤ (N) satisfying ed 1 where p < p <...

Mihir Bellare UCSD 29 Mihir Bellare UCSD 30

Building RSABuilding RSA generators generators One-wayness of RSA

- I 99% e- -2W 3 Say we wish to have e =3(foreciency). The generator rsa with (even) - K security parameter k: k want modulus length The following should be hard: repeat Given: N, e, y where y = f (x)=xe mod N $ k/2 1 k/2 p, q 2 ,...,2 1 ; N pq; M (p 1)(q 1) { } - until Find: x k 1 N 2 and p, q are prime and gcd(e, M)=1 . d MOD-INV(e, M) Formalism picks x at random and generates N, e via an RSA generator. return N, p, q, e, d I

e fired

random pig to

e relatively prime ee.cnkcp-y.L.is Mihir Bellare UCSD 31 Mihir Bellare UCSD 32 A more general formula for Phi Recall

Fact: Suppose N 1 factors as N = p↵1 p↵2 ... p↵n 1 · 2 · · n Given '(N)ande Z'⇤ (N), we can compute d Z'⇤ (N) satisfying ed 1 where p < p <...

Mihir Bellare UCSD 29 Mihir Bellare UCSD 30

Building RSA generators One-wayness of RSA One-wayness of RSA I Say we wish to have e =3(foreciency). The generator 3 with (even) RSA Krsa security parameter k: generator The following should be hard: repeat Given: N, e, y where y = f (x)=xe mod N p, q $ 2k/2 1,...,2k/2 1 ; N pq; M (p 1)(q 1) { } until Find: x N 2k 1 and p, q are prime and gcd(e, M)=1 d MOD-INV(e, M) Formalism picks x at random and generates N, e via an RSA generator. To I return N, p, q, e, d

Mihir Bellare UCSD 31 Mihir Bellare UCSD 32 One-waynessOne-wayness of RSA formally of RSA, formally Inverting RSA

Let be a RSA generator and I an adversary. Krsa Game OW Krsa Inverting RSA : given N, e, y ﬁnd x such that xe y (mod N) procedure Initialize ⌘ $ procedure Finalize(x0) (N, p, q, e, d) rsa K return (x = x0) x $ Z ; y xe mod N N⇤ return N, e, y

The ow-advantage of I is

Advow (I )=Pr OWI true Krsa Krsa ) h i

Mihir Bellare UCSD 33 Mihir Bellare UCSD 34

Inverting RSA Inverting RSA

Mihir Bellare UCSD 35 Mihir Bellare UCSD 36 Inverting RSA Inverting RSA Inverting RSA

Inverting RSA : given N, e, y ﬁnd x such that xe y (mod N) ⌘ Inverting RSA : given N, e, y ﬁnd x such that xe y (mod N) ⌘ 1 d EASY because f (y)=y mod N because f 1(y)=y d mod N EASY Know d Know d 1 EASY because d = e mod '(N) because d = e 1 mod '(N) EASY Know '(N) Know '(N) EASY because '(N)=(p 1)(q 1) EASY because '(N)=(p 1)(q 1) Know p, q Know p, q ? Know N

Mihir Bellare UCSD 37 Mihir Bellare UCSD 38

Factoring Problem A factoring algorithm

Alg FACTOR(N) // N = pq where p, q are primes

Given: N where N = pq and p, q are prime for i =2,..., pN do if N mod i =0l thenm Find: p, q p i ; q N/i ; return p, q

If we can factor we can invert RSA. We do not know whether the converse This algorithm works but takes time is true, meaning whether or not one can invert RSA without factoring. (pN)= (e0.5lnN ) O O which is prohibitive.

Mihir Bellare UCSD 39 Mihir Bellare UCSD 40 Inverting RSA Inverting RSA

Mihir Bellare UCSD 37 Mihir Bellare UCSD 38

Factoring Problem A factoring algorithm Factoring problem

Alg FACTOR(N) // N = pq where p, q are primes

Given: N where N = pq and p, q are prime for i =2,..., pN do if N mod i =0l thenm Find: p, q p i ; q N/i ; return p, q

Mihir Bellare UCSD 39 Mihir Bellare UCSD 40 Inverting RSA Inverting RSA

Mihir Bellare UCSD 37 Mihir Bellare UCSD 38

Factoring Problem A factoring algorithm A factoring algorithm

Alg FACTOR(N) // N = pq where p, q are primes

Given: N where N = pq and p, q are prime for i =2. ,..., pN do if N mod i =0l thenm Find: p, q p i ; q N/i ; return p, q

Mihir Bellare UCSD 39 Mihir Bellare UCSD 40 Factoring algorithms Factoring records

Factoring algorithms Number bit-length Factorization alg Algorithm Time taken to factor N RSA-400 400 1993 QS RSA-428 428 1994 QS Naive O(e0.5lnN ) RSA-431 431 1996 NFS c(ln N)1/2(ln ln N)1/2 Quadratic Sieve (QS) O(e ) RSA-465 465 1999 NFS 1/3 2/3 Number Field Sieve (NFS) O(e1.92(ln N) (ln ln N) ) RSA-515 515 1999 NFS RSA-576 576 2003 NFS

¥7 need 2048 - bit modulus RSA-768 768 2009 NFS

for 128 bit Sec ( roughly )

" " E- CM : Smooth numbers

- small prime factor Mihir Bellare UCSD 41 Mihir Bellare UCSD 42

How big is big enough? RSA Video

Current wisdom: For 80-bit security, use a 1024 bit RSA modulus

80 80-bit security: Factoring takes 2 time. http://www.youtube.com/watch?v=wXB-V_Keiu8 Factorization of RSA-1024 seems out of reach at present.

Estimates vary, and for more security, longer moduli are recommended.

Mihir Bellare UCSD 43 Mihir Bellare UCSD 44 Factoring algorithms Factoring records

Number bit-length Factorization alg Algorithm Time taken to factor N RSA-400 400 1993 QS RSA-428 428 1994 QS Naive O(e0.5lnN ) RSA-431 431 1996 NFS c(ln N)1/2(ln ln N)1/2 Quadratic Sieve (QS) O(e ) RSA-465 465 1999 NFS 1/3 2/3 Number Field Sieve (NFS) O(e1.92(ln N) (ln ln N) ) RSA-515 515 1999 NFS RSA-576 576 2003 NFS RSA-768 768 2009 NFS

Mihir Bellare UCSD 41 Mihir Bellare UCSD 42

How big is big enough? RSA Video Key size

Current wisdom: For 80-bit security, use a 1024 bit RSA modulus

80 80-bit security: Factoring takes 2 time. http://www.youtube.com/watch?v=wXB-V_Keiu8 Factorization of RSA-1024 seems out of reach at present.

Estimates vary, and for more security, longer moduli are recommended.

Mihir Bellare UCSD 43 Mihir Bellare UCSD 44 Getting sk from pk involves factoring N. But is deterministic so we can detect repeats and the scheme is not But is deterministic so we can detect repeats and the scheme is not E E IND-CPA secure. IND-CPA secure.

RSA: what to rememberRSA Cheat Sheet Plain-RSA encryption

The plain RSA PKE scheme =( , , ) associated to RSA generator AE K E D is Krsa The RSA function f (x)=xe mod N is a trapdoor one way permutation: Alg Alg (M) Alg (C) K pk sk Easy forward: given N, e, x it is easy to compute f (x) $ E D • (N, p, q, e, d) C Me mod N M C d mod N Krsa Easy back with trapdoor: Given N, d and y = f (x)itiseasyto pk (N, e);sk (N, d) return C return M • 1 d compute x = f (y)=y mod N return (pk, sk) Hard back without trapdoor: Given N, e and y = f (x)itishardto • 1 compute x = f (y) Decryption correctness: The “easy-backwards with trapdoor” property implies that for all M Z we have ( (M)) = M. 2 N⇤ Dsk Epk Note: The message space is ZN⇤ . Messages are assumed to be all encoded as strings of the same length, for example length 4 if N = 15.

Mihir Bellare UCSD 45 Mihir Bellare UCSD 46

Plain-RSA encryption security Plain-RSA encryption security

The plain RSA PKE scheme =( , , ) associated to RSA generator The plain RSA PKE scheme =( , , ) associated to RSA generator AE K E D AE K E D is is Krsa Krsa Alg Alg pk(M) Alg (C) Alg Alg pk(M) Alg (C) K E Dsk K E Dsk (N, p, q, e, d) $ C Me mod N M C d mod N (N, p, q, e, d) $ C Me mod N M C d mod N Krsa Krsa pk (N, e);sk (N, d) return C return M pk (N, e);sk (N, d) return C return M

return (pk, sk) return (pk, sk)

Getting sk from pk involves factoring N.

Mihir Bellare UCSD 47 Mihir Bellare UCSD 48 Getting sk from pk involves factoring N. But is deterministic so we can detect repeats and the scheme is not But is deterministic so we can detect repeats and the scheme is not E E IND-CPA secure. IND-CPA secure.

. - - RSA : one way want IND CPA RSA: what to remember Plain-RSA encryption ← meh Plain RSA Encryption stranger How 3 ? ? The plain RSA PKE scheme =( , , ) associated to RSA generator AE K E D is Krsa The RSA function f (x)=xe mod N is a trapdoor one way permutation: Alg Alg (M) Alg (C) K pk sk Easy forward: given N, e, x it is easy to compute f (x) $ E D • (N, p, q, e, d) C Me mod N M C d mod N Krsa Easy back with trapdoor: Given N, d and y = f (x)itiseasyto pk (N, e);sk (N, d) return C return M • 1 d compute x = f (y)=y mod N return (pk, sk) Hard back without trapdoor: Given N, e and y = f (x)itishardto • 1 compute x = f (y) Decryption correctness: The “easy-backwards with trapdoor” property implies that for all M Z we have ( (M)) = M. 2 N⇤ Dsk Epk Note: The message space is ZN⇤ . Messages are assumed to be all encoded as strings of the same length, for example length 4 if N = 15.

attak on Attacks ? 47 usual det em . Mihir Bellare UCSD 45 Mihir Bellare UCSD 46 encrypt yourself and (2) - check if ctxl match Plain-RSA encryption security Plain-RSA encryption security

Getting sk from pk involves factoring N.

Mihir Bellare UCSD 47 Mihir Bellare UCSD 48 The SRSA scheme The SRSA scheme “Simple RSA” (SRSA)

Encrypt M unde pk = N, e via: The SRSA PKE scheme =( , , ) associated to RSA generator $ e AE K E D Krsa x ZN⇤ ; Ca x mod N; and (public) hash function H: 0, 1 0, 1 k encrypts k-bit messages • { }⇤ ! { } K H(x) via: • Cs K M • Alg Alg N,e (M) Alg N,d (Ca, Cs ) Ciphertext is (Ca, Cs ) K E D • $ $ d (N, p, q, e, d) rsa x Z x Ca mod N K N⇤ Decrypt (C , C )undersk = N, d via: pk (N, e) K H(x) K H(x) a S Tt e x C d mod N sk (N, d) Ca x mod N M Cs K • a return (pk, sk) C K M c return M K H(x) s • return (C , C ) a s \ AE M C K could use • s fixes the problems by

- ene (1) randomizing .

a hash function . Mihir Bellare UCSD 53 Mihir BellareEs using UCSD 54

- IND CPA in RO model .

Security of SRSA OAEP [BR94]

Receiver keys: pk =(N, e)andsk =(N, d)where N = 1024 | | Hash functions:G: 0, 1 128 0, 1 894 and H: 0, 1 894 0, 1 128 { } ! { } { } ! { } The SRSA PKE scheme =( , , ) associated to RSA generator rsa AE K E D k K Algorithm N,e (M) // M 765 Algorithm N,d (C) // C ZN⇤ and (public) hash function H: 0, 1 ⇤ 0, 1 can be proven IND-CPA E | |  D 2 { } ! { } r $ 0, 1 128; p 765 M x C d mod N assuming { } | | s t x is one-way 128 894 || rsa 128 894 • K r 0128 M 10p H is a “random oracle,” meaning a “perfect” hash function. k k s t • G In practice, H(K) could be the ﬁrst k bits of the sequence H H SHA256(08 K) SHA256(071 K) G k k k k ··· s t r a M 10p k k x s t || 128 C x e mod N if a =0 then return M

return C else return ?

Mihir Bellare UCSD 55 Mihir Bellare UCSD 56 The SRSA scheme The SRSA scheme

Encrypt M unde pk = N, e via: The SRSA PKE scheme =( , , ) associated to RSA generator $ e AE K E D Krsa x ZN⇤ ; Ca x mod N; and (public) hash function H: 0, 1 0, 1 k encrypts k-bit messages • { }⇤ ! { } K H(x) via: • Cs K M • Alg Alg N,e (M) Alg N,d (Ca, Cs ) Ciphertext is (Ca, Cs ) K E D • $ $ d (N, p, q, e, d) rsa x Z x Ca mod N K N⇤ Decrypt (Ca, CS )undersk = N, d via: pk (N, e) K H(x) K H(x) e x C d mod N sk (N, d) Ca x mod N M Cs K a • return (pk, sk) C K M return M K H(x) s • return (Ca, Cs ) M C K • s

Mihir Bellare UCSD 53 Mihir Bellare UCSD 54

(1) SHIN K S the ciphertext to length '

Of modules . (g) uses Feist Security of SRSA OAEP [BR94] rounds OAEP

- or Std model ③) IND CPA in Ro C ) Receiver keys: pk =(N, e)andsk =(N, d)where N = 1024 | | Hash functions:G: 0, 1 128 0, 1 894 and H: 0, 1 894 0, 1 128 { } ! { } { } ! { } The SRSA PKE scheme =( , , ) associated to RSA generator rsa AE K E D k K Algorithm N,e (M) // M 765 Algorithm N,d (C) // C ZN⇤ and (public) hash function H: 0, 1 ⇤ 0, 1 can be proven IND-CPA E | |  D 2 { } ! { } r $ 0, 1 128; p 765 M x C d mod N assuming { } | | s t x is one-way 128 894 || rsa 128 894 • K r 0128 M 10p H is a “random oracle,” meaning a “perfect” hash function. k k s t • G In practice, H(K) could be the ﬁrst k bits of the sequence H H SHA256(08 K) SHA256(071 K) G k k k k ··· s t r a M 10p k k x s t || 128 C x e mod N if a =0 then return M

return C else return ? btw . Mihir Bellare UCSD 55 Mihir Bellare UCSDdelavan forges 56 , KNOW Advantages / - - DL need RSA based Arnoldbase . RSA OAEPOAEP Usage usage Exercise Let m, k, ` be integers such that 2 m < k and k 2048 and  Protocols: ` = k m 1and` is even. Let be a RSA generator with associated Krsa SSL ver. 2.0, 3.0 / TLS ver. 1.0, 1.1 security parameter k. Consider the key-generation and encryption • algorithms below, where M 0, 1 m: SSH ver 1.0, 2.0 2 { } • ... Alg Alg ((N, e), M) • K E (N, e, d, p, q) $ Pad $ 0, 1 ` ; x 0 Pad M Krsa { } k k return ((N, e), (N, d)) C xe mod N ; return C Standards: 1. Specify a (k3)-time decryption algorithm such that RSA PKCS #1 versions 1.5, 2.0 O D • =( , , ) is an asymmetric encryption scheme satisfying the IEEE P1363 AE K E D • correct decryption property. NESSIE (Europe) • 2. Specify an adversary A making at most 2`/2 queries to its LR oracle CRYPTREC (Japan) ind-cpa • and achieving Adv (A) 1/4. Your adversary should have ... (` 2`/2) runningAE time, not counting the time taken by game • O · procedures to execute.

Mihir Bellare UCSD 57 Mihir Bellare UCSD 58

PKE summary

Scheme IND-CPA? DHIES Yes Plain RSA No SRSA Yes RSA OAEP Yes

Mihir Bellare UCSD 59 RSA OAEP usage Exercise

Let m, k, ` be integers such that 2 m < k and k 2048 and  Protocols: ` = k m 1and` is even. Let be a RSA generator with associated Krsa SSL ver. 2.0, 3.0 / TLS ver. 1.0, 1.1 security parameter k. Consider the key-generation and encryption • algorithms below, where M 0, 1 m: SSH ver 1.0, 2.0 2 { } • ... Alg Alg ((N, e), M) • K E (N, e, d, p, q) $ Pad $ 0, 1 ` ; x 0 Pad M Krsa { } k k return ((N, e), (N, d)) C xe mod N ; return C Standards: 1. Specify a (k3)-time decryption algorithm such that RSA PKCS #1 versions 1.5, 2.0 O D • =( , , ) is an asymmetric encryption scheme satisfying the IEEE P1363 AE K E D • correct decryption property. NESSIE (Europe) • 2. Specify an adversary A making at most 2`/2 queries to its LR oracle CRYPTREC (Japan) ind-cpa • and achieving Adv (A) 1/4. Your adversary should have ... (` 2`/2) runningAE time, not counting the time taken by game • O · procedures to execute.

Mihir Bellare UCSD 57 Mihir Bellare UCSD 58

PKE summary Security Results

Scheme IND-CPA? DHIES Yes Plain RSA No SRSA Yes RSA OAEP Yes

Mihir Bellare UCSD 59