Public Key Cryptosystems
Guevara Noubir http://www.ccs.neu.edu/home/noubir/Courses/CSG252/F05
Textbook: —Cryptography: Theory and Applications“,
Douglas Stinson, Chapman & Hall/CRC Press, 2002
Reading: Chapter 5 upto section 5.7
Outline
n Concepts behind public key crypto
n Some number theory
n RSA cryptosystem
n Primality testing
n Factoring numbers and other attacks
CSG252 Classical Cryptography 2
Encryption Models
Plaintext Plaintext Message Encryption Ciphertext Decryption Message source Algorithm Algorithm Destination
Encryption Decryption Key Key
Symmetric encryption: Shared key Shared key
Asymmetric encryption: Early 70’s Private key Published in 76 Public key Cannot provide unconditional security
CSG252 Classical Cryptography 3
1 Applications
n Symmetric algorithms vs. asymmetric algorithms (public-key crypto systems) n About 1000 times faster! n However, require a shared key!
n Practice: n Use public key crypto to establish a shared key n Examples
n Email: n Choose a key for the symmetric algorithm K, encrypt it with the public key of the destination n Use the key K to encrypt the message and integrity protect it
n IPSec/IKE: n IKE: establish a session key (using either public-key cryptosystem or shared secrets) n IPSec uses the session key to provide confidentiality and integrity
CSG252 Classical Cryptography 4
Number Theory
* n Zn : abelian group of numbers < n, relatively prime to n
n Euclidean Algorithm (a, b):
n Computes the gcd(a, b)
n Extended Euclidean Algorithm(a, b):
n Computes r, s, t s.t. sa + bt = r = gcd(a, b) -1 n If r = 1 Ω s = a mod b
n If r ≠ 1 Ω ?
n Time complexity less than O(k3) if a and b are encoded in less than k bits.
CSG252 Classical Cryptography 5
Chinese Remainder Theorem
n Assume that m1, …, mr are pairwise relatively prime positive integers
n Chinese Remainder Theorem (CRT):
n Suppose a1, …, ar are integers s.t. ≡ n x a1 (mod m1) ≡ n x a2 (mod m2)
n … ≡ n x ar (mod mr)
n There exists a unique x mod m1m2…mr that satisfies all previous equations r x = a M y mod M = = −1 ƒ i i i M i M / mi ; yi M i i=1
CSG252 Classical Cryptography 6
2 Other Known Results
n If G is a multiplicative group of order n then the order of any element of G divides n
* φ n Order of Zn = (n)
∈ * φ(n) ≡ n If b Zn , then b 1 (mod n) n How about when n is prime?
* n If p is prime then Zp is a cyclic group
CSG252 Classical Cryptography 7
RSA Cryptosystem
n Due to Rivest-Shamir-Adleman in 1977 n Let n = pq, where p and q are primes
n P = C = Zn n K = {(n, p, q, a, b) : ab ≡ 1 (mod φ(n))}
n Encryption: b n ek(x) = x mod n n Decryption: a n dk(y) = y mod n
n Public key: n and b n Private key: p, q, a
CSG252 Classical Cryptography 8
Example
n p = 101; q = 113 Ω n = 11413
n φ(n) = 11200 = 26527
n Let b = 3533 Ω b-1 = 6597 n How is b chosen?
n Encrypt plaintext: 9726 3533 n Ciphertext = 9726 mod 11413 = 5761 n Decryption ciphertext: 5761 6597 n Plaintext = 5761 mod 11413 = 9726
CSG252 Classical Cryptography 9
3 Use of RSA
n Encryption (A wants to send a message M to B):
n A uses the public key of B and encrypts M (i.e., ekB(M))
n Since only B has the private key, only B can decrypt M (i.e., M = dkB(M)
n Digital signature (A wants to send a signed message to B):
n Based on the fact that ekA(dkA(M)) = dkA(ekA(M))
n A encrypts M using its private key (i.e., dkA(M)) and sends it to B
n B can check that ekA(dkA(M)) = M n Since only A has the decryption key, only him can generate this message
CSG252 Classical Cryptography 10
Security of RSA
n Security of RSA is based on the belief that: b n x mod n is a one-way function
n The trapdoor is the knowledge of the factorization of n into pq
n Conjecture:
n RSA is as difficult as factoring numbers
CSG252 Classical Cryptography 11
RSA Implementation
n RSA Parameters Generation n Generate two large primes: p, q n n ← pq, and φ(n) ← (p -1)(q -1); n Choose a random b (1< b <φ(n)) s.t. gcd(b, φ(n)) =1 -1 n a ← b mod φ(n) n Public key is (n, b) and private key is (p, q, a)
n p and q should be at least 512 bits long each n Ω n is at least 1024 bits long
n Computation Complexity: n Exponentiation cost: SQUARE-AND-MULTIPLY c 2 n (m1) mod n can be computed in O(log(c)xk ) n Modular inverse: Extended Euclidean Alg. -1 3 n (m1) mod n can be computed in O(k ) n Modular Muliplication: 2 n (m1m2) mod n can be computed in O(k )
CSG252 Classical Cryptography 12
4 Prime Numbers Generation
n Density of primes (prime number theorem):
n π(x) ~ x/ln(x)
n E.g., a random number of 512 bits has probability: 1/ln(512) = 1/355 to be prime
n Sieve of Erathostène
n Try if any number less than SQRT(n) divides n
− ≈ b ’ n Fermat‘s Little Theorem does not detectb (nC1)/a2 mromd n =ic∆ h÷ ael « n ◊ numbers n-1 À 0 if a ≡ 0mod p n b ≡ 1 mod n ≈ a ’ Œ ∆ ÷ = à 1 if a is a quadratic residuemod p « p ◊ Œ n E.g., 561 is the smallest Carmichael numÕb−e1 rif a is a quadratic non - residuemod p
n Solovay-Strassen primality test
n If n is not prime at least 50% of b fail to satisfy the following: 3 n Jacobi symbol can be computed in less than O((logn) ) CSG252 Classical Cryptography 13 n Jacobi symbol is a generalization of the Legendre symbol:
Computing Jacobi Symbol
ei k ≈ a ’ k ≈ a ’ n Definition: = ei Ω = ∆ ÷ n ∏ pi ∆ ÷ ∏∆ ÷ i=1 « n ◊ i=1 « pi ◊
n No need to factor n to compute the Jacobi symbol
n Use the following rules [n is positive odd]:
≈ m1 ’ ≈ m2 ’ n m ≡ m (mod n) Ω ∆ ÷ = ∆ ÷ 1 2 « n ◊ « n ◊ ≈ 2 ’ À 1 if n ≡ ±1(mod8) ∆ ÷ = à n « n ◊ Õ−1 if n ≡ ±3(mod8) ≈ m m ’ ≈ m ’≈ m ’ ∆ 1 2 ÷ = ∆ 1 ÷∆ 2 ÷ n « n ◊ « n ◊« n ◊ À ≈ n ’ Œ−∆ ÷ if ≈ m ’ Œ « m ◊ m ≡ n ≡ 3(mod 4) n ∆ ÷ = à « n ◊ ≈ n ’ Œ ∆ ÷ otherwise ÕŒ « m ◊
CSG252 Classical Cryptography 14
n Rabin-Miller primality test
n If n is not prime then it is not pseudoprime to at least 75% of random a < n : k n n-1 = 2 m, m n b ← a mod n;
n Ifb ≡ 1 mod n then return(n prime)
n For i=0 to k-1 do
n If b ≡ -1 mod n then return(n prime)
n Else b ← b2;
n return(n composite)
n Probabilistic test, deterministic if the Generalized Riemann Hypothesis is true
n Deterministic polynomial time primality test [Agrawal, Kayal, Saxena‘2002]
CSG252 Classical Cryptography 15
5 Attacks on RSA
n Factoring
n Many factoring algorithms were proposed: quadratic sieve, elliptic curve factoring, number field sieve, Pollard‘s rho-method
n Capable of factoring a 512 bits modulus ≈ 155 digits in 1999 using 8400 MIPS-years
n Other attacks:
n Computing φ(n)
n Decryption exponent: if a is known!
n Las Vegas algorithm (5.10) that will factor n with probability ²
n Semantic Security
CSG252 Classical Cryptography 16
Rabin Cryptosystem
n Motivation: n The difficulty of factoring does not necessarily prove RSA security n Hardness of factoring leads to security proof of Rabin‘s cryptosystem against chosen-plaintext attack n Scheme: n n = pq (p and q are two primes and p ≡ q ≡ 3 mod 4) * n P = C = Zn ; K = {(n, p, q)} 2 n eK(x) = x mod n √ n dK(y) = y mod n n Note: ≡ ≡ * n Conditions: p q 3 mod 4 and Zn is for simplification of decryption and security proof purpose
CSG252 Classical Cryptography 17
Rabin Cryptosystem
n Observation:
n Is the encryption function injective?
n Solution? n How can we decrypt?
n Solution: CRT
n Consider x s.t.: x ≡ ± y( p+1)/ 4 mod p x ≡ ± y(q+1)/ 4 mod q n x2 ≡ y mod n
n When can we use this technique of decoding?
n Example:
n n = 7x11
n Decrypt y = 23
CSG252 Classical Cryptography 18
6 Security of Rabin Cryptosystem
n If Rabin cryptosystem can be broken then we can build a Las Vegas probabilistic algorithm with success probability ² n Rabin Oracle Factoring(n) n External RabinDecrypt n Choose a random r; n Let y ← r2; n x ← RabinDecrypt(y); n Ifx = ±r mod n return(failure) n Else return(p=gcd(x+r, n) ; q=n/p); n Conclusion: n Rabin cryptosystem is secure against a chosen plaintext attack n Additional security results: n Rabin cryptosystem is insecure against a chosen ciphertext attack
CSG252 Classical Cryptography 19
CSG252 Classical Cryptography 20
7