Lecture 9 – Public-Key Encryption
COSC-466 Applied Cryptography Adam O’Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Recall Symmetric-Key Crypto
• In this setting, if Alice wants to communicate secure with Bob they need a shared key KAB. Recall Symmetric-Key Crypto
• In this setting, if Alice wants to communicate secure with Bob they need a shared key KAB. • If Alice wants to also communicate with Charlie they need a shared key KAC. Recall Symmetric-Key Crypto
• In this setting, if Alice wants to communicate secure with Bob they need a shared key KAB. • If Alice wants to also communicate with Charlie they need a shared key KAC.
• If Alice generates KAB and KAC they must be communicated to Bob and Charlie over secure channels. How can this be done? Public-Key Crypto
• Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. Public-Key Crypto
• Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. • Anyone can use Alice’s public key to send her a private message. Public-Key Crypto
• Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. • Anyone can use Alice’s public key to send her a private message. • Public key is like a phone number: Anyone can look it up in a phone book. Public-Key Crypto
• Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. • Anyone can use Alice’s public key to send her a private message. • Public key is like a phone number: Anyone can look it up in a phone book. • Senders don’t need secrets; there are no shared secrets Public Key Encryption SyntaxSyntax and Correctness of PKE of PKE
A public-key (or asymmetric) encryption scheme =( , , ) consists AE K E D of three algorithms, where
Alice has a secret key that is shared with nobody, and an associated • pk public key that is known to everybody. K Anyone (Bob, Charlie, ...)canuseAlice’spublickeytosendheran • encrypted message which only she can decrypt. sk Think of the public key like a phone number that you can look up in a database
Senders don’t need secrets • M CC M or There are no shared secrets • E D ?
A
Mihir Bellare UCSD 5 Mihir Bellare UCSD 6
Correct decryption requirement How it works
Step 1: Key generation Let =( , , ) be an asymmetric encryption scheme. The correct $ AE K E D Alice locally computers (pk, sk) and stores sk. decryption requirement is that K Step 2: Alice enables any prospective sender to get pk. Pr[ (sk, (pk, M)) = M]=1 D E Step 3:Thesenderencryptsunderpk and Alice decrypts under sk. for all (pk, sk) that may be output by and all messages M in the We don’t require privacy of pk but we do require authenticity: the sender K message space of . The probability is over the random choices of . should be assured pk is really Alice’s key and not someone else’s. One AE E could This simply says that decryption correctly reverses encryption to recover Put public keys in a trusted but public “phone book”, say a the message that was encrypted. When we specify schemes, we indicate • what is the message space. cryptographic DNS. Use certificates as we will see later. •
Mihir Bellare UCSD 7 Mihir Bellare UCSD 8 Code Obfuscation Perspective
*
Diffie÷i÷÷". Hellman PKI? Public Key Encryption Syntax of PKE
A public-key (or asymmetric) encryption scheme =( , , ) consists AE K E D of three algorithms, where
Alice has a secret key that is shared with nobody, and an associated • pk public key that is known to everybody. K Anyone (Bob, Charlie, ...)canuseAlice’spublickeytosendheran • encrypted message which only she can decrypt. sk Think of the public key like a phone number that you can look up in a database
Senders don’t need secrets • M CC M or There are no shared secrets • E D ?
A
Mihir Bellare UCSD 5 Mihir Bellare UCSD 6
Correct decryption requirementCorrectness How it works
Step 1: Key generation Let =( , , ) be an asymmetric encryption scheme. The correct $ AE K E D Alice locally computers (pk, sk) and stores sk. decryption requirement is that K Step 2: Alice enables any prospective sender to get pk. Pr[ (sk, (pk, M)) = M]=1 D E e Step 3:Thesenderencryptsunderpk and Alice decrypts under sk. for all (pk, sk) that may be output by and all messages M in the We don’t require privacy of pk but we do require authenticity: the sender K message space of . The probability is over the random choices of . should be assured pk is really Alice’s key and not someone else’s. One AE E could This simply says that decryption correctly reverses encryption to recover Put public keys in a trusted but public “phone book”, say a the message that was encrypted. When we specify schemes, we indicate • what is the message space. cryptographic DNS. Use certificates as we will see later. •
Mihir Bellare UCSD 7 Mihir Bellare UCSD 8 Public Key Encryption Syntax of PKE
A public-key (or asymmetric) encryption scheme =( , , ) consists AE K E D of three algorithms, where
Alice has a secret key that is shared with nobody, and an associated • pk public key that is known to everybody. K Anyone (Bob, Charlie, ...)canuseAlice’spublickeytosendheran • encrypted message which only she can decrypt. sk Think of the public key like a phone number that you can look up in a database
Senders don’t need secrets • M CC M or There are no shared secrets • E D ?
A
Mihir Bellare UCSD 5 Mihir Bellare UCSD 6
Correct decryption requirement How it works How It Works
Step 1: Key generation Let =( , , ) be an asymmetric encryption scheme. The correct $ AE K E D Alice locally computers (pk, sk) and stores sk. decryption requirement is that K Step 2: Alice enables any prospective sender to get pk. Pr[ (sk, (pk, M)) = M]=1 D E Step 3:Thesenderencryptsunderpk and Alice decrypts under sk. for all (pk, sk) that may be output by and all messages M in the We don’t require privacy of pk but we do require authenticity: the sender K message space of . The probability is over the random choices of . should be assured pk is really Alice’s key and not someone else’s. One AE E could This simply says that decryption correctly reverses encryption to recover Put public keys in a trusted but public “phone book”, say a the message that was encrypted. When we specify schemes, we indicate • what is the message space. cryptographic DNS. Use certificates as we will see later. •
Mihir Bellare UCSD 7 Mihir Bellare UCSD 8 The games for IND-CPAIND-CPA
Let =( , , )beaPKEschemeandA an adversary. AE K E D Game Left Game Right AE AE procedure Initialize procedure Initialize (pk, sk) $ ; return pk (pk, sk) $ ; return pk K K procedure LR(M0, M1) procedure LR(M0, M1) Return C $ (M ) Return C $ (M ) Epk 0 Epk 1 Associated to , A are the probabilities AE Pr LeftA 1 Pr RightA 1 AE ) AE ) h i h i that A outputs 1 in each world. The ind-cpa advantage of A is Advind-cpa(A)=Pr RightA 1 Pr LeftA 1 AE AE ) AE ) h i h i Mihir Bellare UCSD 9 Problem: Legitimate receiver needs to compute discrete logarithm to decrypt too! But decryption needs to be feasible. Above, receiver has no secret key!
Security of PKE Schemes The games for IND-CPA
Let =( , , )beaPKEschemeandA an adversary. AE K E D Game Left Game Right AE AE procedure Initialize procedure Initialize (pk, sk) $ ; return pk (pk, sk) $ ; return pk Same as for symmetric encryption, except for one new element: The K K procedure LR(M0, M1) procedure LR(M0, M1) adversary needs to be given the public key. $ $ Return C pk (M0) Return C pk (M1) We formalize IND-CPA accordingly. E E Associated to , A are the probabilities AE Pr LeftA 1 Pr RightA 1 AE ) AE ) h i h i that A outputs 1 in each world. The ind-cpa advantage of A is Advind-cpa(A)=Pr RightA 1 Pr LeftA 1 AE AE ) AE ) h i h i Mihir Bellare UCSD 9 Mihir Bellare UCSD 10
IND-CPA: Explanations Building a PKE Scheme Explanations We would like security to result from the hardness of computing discrete logarithms. The “return pk” statement in Initialize means the adversary A gets the public key pk as input. It does not get sk. Let the receiver’s public key be g where G = g is a cyclic group. Let’s h i let the encryption of x be g x .Then It can call LR with any equal-length messages M0, M1 of its choice to get $ back an encryption C (M ) of M under sk,whereb = 0 in game x hard Epk b b g x Left and b = 1 in game Right . Notation indicates encryption ! AE AE g (x) algorithm may be randomized. E |{z} A is not allowed to call LR with messages M0, M1 of unequal length. Any so to recover x, adversary must compute discrete logarithms, and we know such A is considered invalid and its advantage is undefined or 0. it can’t, so are we done? It outputs a bit, and wins if this bit equals b.
Mihir Bellare UCSD 11 Mihir Bellare UCSD 12 Building aHow to Build a Scheme? PKE Scheme Recall DH Secret Key Exchange
We would like security to result from the hardness of computing discrete The following are assumed to be public: A large prime p and a generator g logarithms. of Zp⇤. Let the receiver’s public key be g where G = g is a cyclic group. Let’s h i let the encryption of x be g x .Then Alice Bob $ x x Zp 1; X g mod p hard g x x X ! ! $ g (x) y E y Zp 1; Y g mod p |{z} Y so to recover x, adversary must compute discrete logarithms, and we know K Y x mod pKX y mod p it can’t, so are we done? A B Problem: Legitimate receiver needs to compute discrete logarithm to Y x =(g y )x = g xy =(g x )y = X y modulo p,soK = K decrypt too! But decryption needs to be feasible. • A B Adversary is faced with the CDH problem. Above, receiver has no secret key! •
Mihir Bellare UCSD 13 Mihir Bellare UCSD 14
From key exchange to PKE The DHIES scheme
Let G = g be a cyclic group of order m and H: G 0, 1 k a(public) h i ! { } hash function. The DHIES PKE scheme =( , , )isdefinedfor We can turn DH key exchange into a public key encryption scheme via AE K E D messages M 0, 1 k via Let Alice have public key g x and secret key x 2 { } • If Bob wants to encrypt M for Alice, he Alg X (M) • Alg E Alg x (Y , W ) Picks y and sends g y to Alice K $ y D • xy x y $ y Zm; Y g x Encrypts M under g =(g ) and sends ciphertext to Alice. x Zm y K Y • x K X But Alice can recompute g xy =(g y )x because X g M H(K) W • W H(K) M g y is in the received ciphertext return (X , x) return M • return (Y , W ) x is her secret key • Thus she can decrypt and adversary is still faced with CDH . Correct decryption is assured because K = X y = g xy = Y x
Note: This is a simplified version of the actual scheme.
Mihir Bellare UCSD 15 Mihir Bellare UCSD 16 Building a PKE Scheme A More Basic Problem: Key ExchangeRecall DH Secret Key Exchange
We would like security to result from the hardness of computing discrete The following are assumed to be public: A large prime p and a generator g logarithms. of Zp⇤. Let the receiver’s public key be g where G = g is a cyclic group. Let’s h i let the encryption of x be g x .Then Alice Bob $ x x Zp 1; X g mod p hard g x x X ! ! $ g (x) ÷ y E y Zp 1; Y g mod p |{z} ⑤Y so to recover x, adversary must compute discrete logarithms, and we know K Y x mod pKX y mod p it can’t, so are we done? A B Problem: Legitimate receiver needs to compute discrete logarithm to Y x =(g y )x = g xy =(g x )y = X y modulo p,soK = K decrypt too! But decryption needs to be feasible. • A B Adversary is faced with the CDH problem. Above, receiver has no secret key! •
Mihir Bellare UCSD 13 Mihir Bellare UCSD 14
From key exchange to PKE The DHIES scheme
Let G = g be a cyclic group of order m and H: G 0, 1 k a(public) h i ! { } hash function. The DHIES PKE scheme =( , , )isdefinedfor We can turn DH key exchange into a public key encryption scheme via AE K E D messages M 0, 1 k via Let Alice have public key g x and secret key x 2 { } • If Bob wants to encrypt M for Alice, he Alg X (M) • Alg E Alg x (Y , W ) Picks y and sends g y to Alice K $ y D • xy x y $ y Zm; Y g x Encrypts M under g =(g ) and sends ciphertext to Alice. x Zm y K Y • x K X But Alice can recompute g xy =(g y )x because X g M H(K) W • W H(K) M g y is in the received ciphertext return (X , x) return M • return (Y , W ) x is her secret key • Thus she can decrypt and adversary is still faced with CDH . Correct decryption is assured because K = X y = g xy = Y x
Note: This is a simplified version of the actual scheme.
Mihir Bellare UCSD 15 Mihir Bellare UCSD 16 Building a PKE Scheme Recall DH Secret Key Exchange
We would like security to result from the hardness of computing discrete The following are assumed to be public: A large prime p and a generator g logarithms. of Zp⇤. Let the receiver’s public key be g where G = g is a cyclic group. Let’s h i let the encryption of x be g x .Then Alice Bob $ x x Zp 1; X g mod p hard g x x X ! ! $ g (x) y E y Zp 1; Y g mod p |{z} Y so to recover x, adversary must compute discrete logarithms, and we know K Y x mod pKX y mod p it can’t, so are we done? A B Problem: Legitimate receiver needs to compute discrete logarithm to Y x =(g y )x = g xy =(g x )y = X y modulo p,soK = K decrypt too! But decryption needs to be feasible. • A B Adversary is faced with the CDH problem. Above, receiver has no secret key! •
Mihir Bellare UCSD 13 Mihir Bellare UCSD 14
From key exchange to PKE The DHIES scheme Key Exchange to PKE Let G = g be a cyclic group of order m and H: G 0, 1 k a(public) h i ! { } hash function. The DHIES PKE scheme =( , , )isdefinedfor We can turn DH key exchange into a public key encryption scheme via AE K E D messages M 0, 1 k via Let Alice have public key g x and secret key x 2 { } • If Bob wants to encrypt M for Alice, he Alg X (M) • Alg E Alg x (Y , W ) Picks y and sends g y to Alice K $ y D • xy x y $ y Zm; Y g x Encrypts M under g =(g ) and sends ciphertext to Alice. x Zm y K Y • x K X But Alice can recompute g xy =(g y )x because X g M H(K) W • W H(K) M g y is in the received ciphertext return (X , x) return M • return (Y , W ) x is her secret key • Thus she can decrypt and adversary is still faced with CDH . Correct decryption is assured because K = X y = g xy = Y x
Note: This is a simplified version of the actual scheme.
Mihir Bellare UCSD 15 Mihir Bellare UCSD 16 Building a PKE Scheme Recall DH Secret Key Exchange
We would like security to result from the hardness of computing discrete The following are assumed to be public: A large prime p and a generator g logarithms. of Zp⇤. Let the receiver’s public key be g where G = g is a cyclic group. Let’s h i let the encryption of x be g x .Then Alice Bob $ x x Zp 1; X g mod p hard g x x X ! ! $ g (x) y E y Zp 1; Y g mod p |{z} Y so to recover x, adversary must compute discrete logarithms, and we know K Y x mod pKX y mod p it can’t, so are we done? A B Problem: Legitimate receiver needs to compute discrete logarithm to Y x =(g y )x = g xy =(g x )y = X y modulo p,soK = K decrypt too! But decryption needs to be feasible. • A B Adversary is faced with the CDH problem. Above, receiver has no secret key! •
Mihir Bellare UCSD 13 Mihir Bellare UCSD 14
Diffie-Hellman Integrated Encryption Scheme
From key exchange to PKE The DHIES scheme got, DHIES g a EYES Homg¥ ¥ I Let G = g be a cyclic group of order m and H: G 0, 1 k a(public) h i ! { } hash function. The DHIES PKE scheme =( , , )isdefinedfor We can turn DH key exchange into a public key encryption scheme via k AE K E D messages M 0, 1 via a) conygrtrmuan.fnrewdsigtabi.li Let Alice have public key g x and secret key x 2 { } uses • (2) length mis - match of If Bob wants to encrypt M for Alice, he Alg X (M) • Alg E Alg x (Y , W ) y $ Maez there Picks y and sends g to Alice K y D • xy x y $ y Zm; Y g x Encrypts M under g =(g ) and sends ciphertext to Alice. x Zm y K Y • x K X But Alice can recompute g xy =(g y )x because X g M H(K) W • W H(K) M g y is in the received ciphertext return (X , x) return M • £qqw-AEµncMIsreturn (Y , W ) x is her secret key • Thus she can decrypt and adversary is still faced with CDH . e- Correct decryption is assured because K = X y = g xy = Y x
Note: This is a simplified version of the actual scheme. ml Eats : 160*1 etietngtn
- bit Mihir Bellare UCSD 15 Mihir Bellare UCSDfor 80 16 Tht . D HIES : 1024 + Imf s.ec Security of DHIES ECIES Security of DHIES
ECIES is DHIES with the group being an elliptic curve group. The DHIES scheme =( , , ) associated to cyclic group G = g AE K E D h i and (public) hash function H can be proven IND-CPA assuming CDH is hard in G,and ECIES features: • H is a “random oracle,” meaning a “perfect” hash function. Operation Cost • = encryption 2 160-bit exp In practice, H(K) could be the first k bits of the sequence decryption 1 160-bit exp ciphertext expansion 160-bits SHA256(08 K) SHA256(071 K) k k k k ··· ciphertext expansion = (length of ciphertext) - (length of plaintext)
Mihir Bellare UCSD 17 Mihir Bellare UCSD 18
Exercise RSA Math
k Let p 3 be a prime, g Z⇤ a generator of Z⇤ and H: G 0, 1 a Recall that '(N)= Z . 2 p p ! { } N⇤ hash function. (These are all public.) Consider the key-generation and | | k encryption algorithms below, where M 0, 1 : Claim: Suppose e, d Z⇤ satisfy ed 1 (mod '(N)). Then for any 2 { } 2 '(N) ⌘ x ZN⇤ we have Alg Alg (X , M) 2 K E $ $ y x Zp⇤ 1 y Zp 1; Y g mod p e d X g x mod p Z X y mod p ; W H(Y ) M (x ) x (mod N) ⌘ return (X , x) Return (Z, W ) Proof:
Specify a ( p 3 + k)-time decryption algorithm such that e d ed mod '(N) 1 O | | D (x ) x x x =( , , ) is an asymmetric encryption scheme satisfying the correct ⌘ ⌘ ⌘ AE K E D decryption property, and prove this is the case. modulo N
Mihir Bellare UCSD 19 Mihir Bellare UCSD 20 Security of DHIES ECIES ECIES
ECIES is DHIES with the group being an elliptic curve group. The DHIES scheme =( , , ) associated to cyclic group G = g AE K E D h i and (public) hash function H can be proven IND-CPA assuming CDH is hard in G,and ECIES features: • H is a “random oracle,” meaning a “perfect” hash function. Operation Cost • encryption 2 160-bit exp In practice,MazaraH(K) could be the first k bits of the sequence decryption 1 160-bit exp ciphertext expansion 160-bits SHA256(0Mma8 K) SHA256(071 K) k k k k ··· ciphertext expansion = (length of ciphertext) - (length of plaintext) " " Emiii.÷÷;:. .
Mihir Bellare UCSD 17 Mihir Bellare UCSD 18
Exercise RSA Math
k Let p 3 be a prime, g Z⇤ a generator of Z⇤ and H: G 0, 1 a Recall that '(N)= Z . 2 p p ! { } N⇤ hash function. (These are all public.) Consider the key-generation and | | k encryption algorithms below, where M 0, 1 : Claim: Suppose e, d Z⇤ satisfy ed 1 (mod '(N)). Then for any 2 { } 2 '(N) ⌘ x ZN⇤ we have Alg Alg (X , M) 2 K E $ $ y x Zp⇤ 1 y Zp 1; Y g mod p e d X g x mod p Z X y mod p ; W H(Y ) M (x ) x (mod N) ⌘ return (X , x) Return (Z, W ) Proof:
Specify a ( p 3 + k)-time decryption algorithm such that e d ed mod '(N) 1 O | | D (x ) x x x =( , , ) is an asymmetric encryption scheme satisfying the correct ⌘ ⌘ ⌘ AE K E D decryption property, and prove this is the case. modulo N
Mihir Bellare UCSD 19 Mihir Bellare UCSD 20 ECIES features ( for 80 bit security )
Cost Operation -
encryption z 160 - bit exponentiation
- - decryption ) I bit exp .
ciphertext expansion = - of length of ciphertext length plaintext
1$= 160 bits
Nowadays need
128 - bit security
' - - bit 256 groupelements Security of DHIES ECIES
ECIES is DHIES with the group being an elliptic curve group. The DHIES scheme =( , , ) associated to cyclic group G = g AE K E D h i and (public) hash function H can be proven IND-CPA assuming CDH is hard in G,and ECIES features: • H is a “random oracle,” meaning a “perfect” hash function. Operation Cost • encryption 2 160-bit exp In practice, H(K) could be the first k bits of the sequence decryption 1 160-bit exp ciphertext expansion 160-bits SHA256(08 K) SHA256(071 K) k k k k ··· ciphertext expansion = (length of ciphertext) - (length of plaintext)
Mihir Bellare UCSD 17 Mihir Bellare UCSD 18
Exercise RSA Math RSA Math
k Let p 3 be a prime, g Z⇤ a generator of Z⇤ and H: G 0, 1 a Recall that '(N)= Z . 2 p p ! { } N⇤ hash function. (These are all public.) Consider the key-generation and | | k encryption algorithms below, where M 0, 1 : Claim: Suppose e, d Z⇤ satisfy ed 1 (mod '(N)). Then for any 2 { } 2 '(N) ⌘ x ZN⇤ we have Alg Alg (X , M) 2 K E $ $ y x Zp⇤ 1 y Zp 1; Y g mod p e d X g x mod p Z X y mod p ; W H(Y ) M (x ) x (mod N) ⌘ return (X , x) Return (Z, W ) Proof:
Specify a ( p 3 + k)-time decryption algorithm such that e d ed mod '(N) 1 O | | D (x ) x x x =( , , ) is an asymmetric encryption scheme satisfying the correct ⌘ ⌘ ⌘ AE K E D decryption property, and prove this is the case. modulo N
Mihir Bellare UCSD 19 Mihir Bellare UCSD 20 x f (x) g(f (x)) Let e =3andd = 3. Then 1 1 1 ed 9 1 (mod 8) 2 8 2 ⌘ ⌘ 4 4 4 Let 7 13 7 8 2 8 f (x)=x3 mod 15 11 11 11 g(y)=y 3 mod 15 13 7 13 14 14 14
The RSA function N =p .q Example The RSA function primes p , q AmodulusN and encryption exponent e define the RSA function Let N = 15. So f : ZN⇤ ZN⇤ defined by ! - ZN⇤ = 1, 2, 4, 7, 8, 11, 13, 14 e Cx ) . xe { } f (x)=x mod N RSAN e N , mod '(N)=8 for all x ZN⇤ . 2 Z⇤ = 1, 3, 5, 7 '(N) { } Avalued Z satisfying ed 1 (mod '(N)) is called a decryption 2 '⇤(N) ⌘ exponent.
Claim: The RSA function f : Z Z is a permutation with inverse N⇤ ! N⇤ f 1 : Z Z given by N⇤ ! N⇤ 1 d f (y)=y mod N Proof: For all x Z we have 2 N⇤ 1 e d f (f (x)) (x ) x (mod N) ⌘ ⌘ by previous claim.
Mihir Bellare UCSD 21 Mihir Bellare UCSD 22
Example Exercise
Let N = 15. So
Z⇤ = 1, 2, 4, 7, 8, 11, 13, 14 N { } '(N)=8 1. List all possible encryption exponents for RSA modulus 35:
Z⇤ = 1, 3, 5, 7 '(N) { } x f (x) g(f (x)) Let e =3andd = 3. Then 2. The decryption exponent corresponding to RSA modulus 187 and 1 1 1 encryption exponent 107 is ed 9 1 (mod 8) 2 8 2 ⌘ ⌘ 4 4 4 Let 7 13 7 8 2 8 f (x)=x3 mod 15 11 11 11 g(y)=y 3 mod 15 13 7 13 14 14 14
Mihir Bellare UCSD 23 Mihir Bellare UCSD 24 x f (x) g(f (x)) Let e =3andd = 3. Then 1 1 1 ed 9 1 (mod 8) 2 8 2 ⌘ ⌘ 4 4 4 Let 7 13 7 8 2 8 f (x)=x3 mod 15 11 11 11 g(y)=y 3 mod 15 13 7 13 14 14 14
The RSA function Example
AmodulusN and encryption exponent e define the RSA function Let N = 15. So f : ZN⇤ ZN⇤ defined by ! ZN⇤ = 1, 2, 4, 7, 8, 11, 13, 14 f (x)=xe mod N { } '(N)=8 for all x ZN⇤ . 2 Z⇤ = 1, 3, 5, 7 '(N) { } Avalued Z satisfying ed 1 (mod '(N)) is called a decryption 2 '⇤(N) ⌘ exponent.
Claim: The RSA function f : Z Z is a permutation with inverse N⇤ ! N⇤ f 1 : Z Z given by N⇤ ! N⇤ 1 d f (y)=y mod N Proof: For all x Z we have 2 N⇤ 1 e d f (f (x)) (x ) x (mod N) ⌘ ⌘ by previous claim.
Mihir Bellare UCSD 21 Mihir Bellare UCSD 22
Example Example Exercise
Let N = 15. So
Z⇤ = 1, 2, 4, 7, 8, 11, 13, 14 N { } '(N)=8 1. List all possible encryption exponents for RSA modulus 35:
Z⇤ = 1, 3, 5, 7 '(N) { } x f (x) g(f (x)) Let e =3andd = 3. Then 2. The decryption exponent corresponding to RSA modulus 187 and 1 1 1 encryption exponent 107 is ed 9 1 (mod 8) 2 8 2 ⌘ ⌘ 4 4 4 Let 7 13 7 8 2 8 f (x)=x3 mod 15 11 11 11 g(y)=y 3 mod 15 13 7 13 14 14 14
Mihir Bellare UCSD 23 Mihir Bellare UCSD 24 RSA usage RSA generators RSA usage Baby RSA An RSA generator with security parameter k is an algorithm that pk = N, e; sk = N, d enwytiou Krsa • returns N, p, q, e, d satisfying (x)=xe mod N = f (x) we will see • Epk a d 1 " KSA p, q are distinct odd primes sk(y)=y mod N = f (y) plain • • D N = pq and is called the (RSA) modulus Security will rely on it being hard to compute f 1 without knowing d. • N = k,meaning2k 1 N 2k • | | e Z is called the encryption exponent RSA is a trapdoor, one-way permutation: • 2 '⇤ (N) Easy to invert given trapdoor d d Z⇤ is called the decryption exponent • hardness • 2 '(N) Hard to invert given only N, e → ed 1 (mod '(N)) • assumption • ⌘
on RSA .
Mihir Bellare UCSD 25 Mihir Bellare UCSD 26
Plan A formula for Phi
Fact: Suppose N = pq for distinct primes p and q.Then
'(N)=(p 1)(q 1) . Building RSA generators • Basic RSA security • Encryption with RSA Example: Let N = 15 = 3 5. Then the Fact says that • · '(15) = (3 1)(5 1) = 8 .Asacheck,Z = 1, 2, 4, 7, 8, 11, 13, 14 indeed has size 8. 15⇤ { }
Mihir Bellare UCSD 27 Mihir Bellare UCSD 28 RSA usage RSA generators RSA generators There RSA can be many possible generators An RSA generator with security parameter k is an algorithm that pk = N, e; sk = N, d Krsa • returns N, p, q, e, d satisfying ← (x)=xe mod N = f (x) - key • pk length E - d 1 p, q are distinct odd primes sk(y)=y mod N = f (y) • • D N = pq and is called the (RSA) modulus Security will rely on it being hard to compute f 1 without knowing d. • N = k,meaning2k 1 N 2k I • | | e Z is called the encryption exponent RSA is a trapdoor, one-way permutation: • 2 '⇤ (N) Easy to invert given trapdoor d d Z⇤ is called the decryption exponent • • 2 '(N) Hard to invert given only N, e ed 1 (mod '(N)) • • ⌘ random Example : pig
- e chosen at random
Mihir Bellare UCSD 25 Mihir Bellare UCSD 26
Plan A formula for Phi
Fact: Suppose N = pq for distinct primes p and q.Then
'(N)=(p 1)(q 1) . Building RSA generators • Basic RSA security • Encryption with RSA Example: Let N = 15 = 3 5. Then the Fact says that • · '(15) = (3 1)(5 1) = 8 .Asacheck,Z = 1, 2, 4, 7, 8, 11, 13, 14 indeed has size 8. 15⇤ { }
Mihir Bellare UCSD 27 Mihir Bellare UCSD 28 Next…
• Building RSA generators • Basic RSA security • Encryption with RSA RSA usage RSA generators
An RSA generator with security parameter k is an algorithm that pk = N, e; sk = N, d Krsa • returns N, p, q, e, d satisfying (x)=xe mod N = f (x) • Epk d 1 p, q are distinct odd primes sk(y)=y mod N = f (y) • • D N = pq and is called the (RSA) modulus Security will rely on it being hard to compute f 1 without knowing d. • N = k,meaning2k 1 N 2k • | | e Z is called the encryption exponent RSA is a trapdoor, one-way permutation: • 2 '⇤ (N) Easy to invert given trapdoor d d Z⇤ is called the decryption exponent • • 2 '(N) Hard to invert given only N, e ed 1 (mod '(N)) • • ⌘
Mihir Bellare UCSD 25 Mihir Bellare UCSD 26
Plan A formula for Phi A formula
Fact: Suppose N = pq for distinct primes p and q.Then
'(N)=(p 1)(q 1) . Building RSA generators 0 • Basic RSA security • Encryption with RSA Example: Let N = 15 = 3 5. Then the Fact says that • · '(15) = (3 1)(5 1) = 8 .Asacheck,Z = 1, 2, 4, 7, 8, 11, 13, 14 indeed has size 8. 15⇤ { }
Mihir Bellare UCSD 27 Mihir Bellare UCSD 28 A more generalThe general formula formula for Phi Recall
Fact: Suppose N 1 factors as N = p↵1 p↵2 ... p↵n 1 · 2 · · n Given '(N)ande Z'⇤ (N), we can compute d Z'⇤ (N) satisfying ed 1 where p < p <...