Mini Topics On RSA and Discrete Logarithm Problem
賴奕甫
1 Contents
• Mini Topics on RSA Encryption • RSA bit Security • DLP bit Security
2 自我介紹
• 賴奕甫 (男) • 82 (1993) 年生 • 台大數學所碩二 (已通過口試) • 興趣:半夜慢跑, 摺紙
3 Chinese Remainder Theorem
中國南北朝時期(公元5世紀)的數學著作《孫子算經》卷下第二十六題, 叫做「物不知數」問題,原文如下: 有物不知其數,三三數之剩二,五五數之剩三,七七數之剩二。問物幾何?
푥 = 2 푚표푑 3 푥 = 3 푚표푑 5 푥 = 2 푚표푑 7
4 Chinese Remainder Theorem
Chinese Remainder Theorem: For 푥 ∈ ℤ푛∗푚, Given 푛, 푚 with 푔푐푑 푛, 푚 = 1. 휙 푥 = 푥 푚표푑 푛 , 푥 푚표푑 푚
Then the natural homomorphism 휙 ∶ ℤ푛∗푚 → ℤ푛 × ℤ푚 is an isomorphism.
“hom”
“surjective”
5 RSA Encryption (Notation)
• Public Key :(푁 = 푝 ∗ 푞, 푒) ( 푝, 푞: distinct primes, 푔푐푑 푒, 휙 푁 = 1)
• Private Key: 푑 (푑푒 = 1 푚표푑 휙 푁 )
(푁, 푒)
푐
Message: 푚 ∈ ℤ푁
Decryption: Encryption: 푑 푒 푐 = 푚 ∈ ℤ푁 푐 = 푚 (푚표푑 푁)
6 Mini Topics on RSA encryption.
• The following content is not about the factoring algorithms but about some little topics in usage or on parameter settings in the RSA encryption.
7 RSA
• Can 휙(푁) be leaked? • 푑 can be chosen to be 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1 • What if 푒 is chosen too small (푒 = 3)? Can N be a domain parameter? • Can we only choose new 푑 if the old one is exposed • Can 푑 chosen to be small? (for speeding up decryption) • Is the least significant bit encryption of RSA as secure as the whole?
8 Can 휙(푁) be leaked?
Solve 푞 by the following steps: • Assume 휙 푁 = 푝 − 1 푞 − 1 is given • Public Key 푁 = 푝푞
• Write 푝 = 푁/푞 • Then 푁 휙 푁 = 푞 − 1 푞 − 1 ⇒ 휙 푁 푞 = 푁 − 푞 푞 − 1 • ⇒? 9 푑 can be chosen to be 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1
• Show the correctness: 푑푒 푚 = 푚 푚표푑 푁 푓표푟 푎푛푦 푚 ∈ ℤ푁
푚푙푐푚 푝−1,푞−1 = 1 푚표푑 푝 , so 푚푑푒−1 = 1 푚표푑 푝 ∎ 11 What if 푒 is chosen too small? -Hastad’s Broadcast Attack
• Take 푒 = 3 for example • Assumption:
• There are 3 people use RSA encryption with public key 푁1, 푒 , 푁2, 푒 , (푁3, 푒) (relatively prime 푁1, 푁2, 푁3) • They receive a cipher 푐𝑖 from the same message 푚 with their own public keys. (푚 < 푁𝑖 for all 푖)
• Oscar collects 푁𝑖, 푒 = 3 , and 푐𝑖. By CRT, ∃! 푐 ∈ ℤ푁1푁2푁3 satisfies
푐 = 푐1 푚표푑 푁1 푐 = 푐2 푚표푑 푁2 푐 = 푐3 푚표푑 푁3
12 What if 푒 is chosen too small? -Hastad’s Broadcast Attack
• Oscar collects 푁𝑖, 푒 = 3 , and 푐𝑖. By CRT, ∃! 푐 ∈ ℤ푁1푁2푁3 satisfies
3 푐 = 푐1 = 푚 푚표푑 푁1 3 푐 = 푐2 = 푚 푚표푑 푁2 3 푐 = 푐3 = 푚 푚표푑 푁3 3 • Hence, 푐 = 푚 푚표푑 푁1푁2푁3 3 • Notice that 푚 < 푁1푁2푁3 • ⇒?
13 Example
• (See)
14 If 푒 = 3, then half of bits of 푑 are exposed (roughly).
Assume primes 푝, 푞 > 5 and 푑 < 휙 푁 . Claim: 푒 = 3 ⇒ 푒푑 = 1 + 2휙 푁
∎ 15 If 푒 = 3, then half of bits of 푑 are exposed (roughly).
1 1 • Let 푑′ = 1 + 푘푁 = 1 + 2푁 . 푒 푒 • Claim 푑′ − 푑 < 푝 + 푞
1 1 Write 푑′ = 1 + 2푁 = 1 + 2푁 + 휖 for some 휖, 휖 < 0.5 푒 푒 Then 푑′ − 푑 =?
16 If 푒 = 3, then the linear relation of messages can not be known.
• Assumption: • Alice uses RSA encryption with her public key 푁, 푒 = 3
• Encrypting 푚1 and 푚2 with a linear relation 푚2 = 푎푚1 + 푏 • Given two ciphertexts 푐1, 푐2 and the coefficients 푎 and 푏
• Oscar calculates 3 3 푏 푐2 + 2푎 푐1 − 푏 3 3 푚표푑 푁 푎 푐2 − 푎 푐1 + 2푏
3 3 푏 푐2 + 2푎 푐1 − 푏 3 3 =? 푚표푑 푁 푎 푐2 − 푎 푐1 + 2푏
17 Example
• (See)
18 Can N be a domain parameter?
푁 = 푝푞 Compute 푑𝑖푒𝑖 = 1 푚표푑 푁
푑1, 푒1 푑3, 푒3
푑2, 푒2
19 Can we only choose new 푑 (and 푒) if the old one is exposed?(With the same 푁)
• Claim: Given 푒. “Knowing 푑 ⇔ Factoring 푁” • “⇐”: Obviously, “Factoring 푁”⇒”Obtain 휙(푁)” ⇒”Getcha 푑” • “⇒”: The proof is an algorithm: Main idea: find x, 푥2 = 1 푚표푑 푁 Since 푁 = 푝푞 | 푥 + 1 푥 − 1 , if 푥 ≠ ±1 푚표푑 푁 , then gcd 푥 ± 1, 푁 will factor 푁.
Intuition: 푚푑푒−1 = 1 푚표푑 푁 푖푓 푔푐푑 푚, 푁 = 1 푡 푚2 푟 = 1 푚표푑 푁 푖푓 푔푐푑 푚, 푁 = 1
20 Remark: You can further prove that the algorithm Can we only ischoose able to factornew N with푑 probability(and 푒 greater) than ½ for each choice of 푚 if the old one is exposed? (With the same 푁)
• Claim: Given 푒. “Knowing 푑 ⇔ Factoring 푁” • “⇒”: Main idea: find x, 푥2 = 1 푚표푑 푁 Write 푘 = 푑푒 − 1 = 2푡푟, where 푟 is odd
1. Choose 푚 ∈ 2, … , 푁 − 1 at random Say 푔푐푑 푁, 푚 = 1 (why) 2. If 푚푟 = 1 푚표푑 푁 then back to 1.
′ 3. Compute 21푟, 22푟, 23푟, … until 2푡 푟 = 1 푚표푑 푁 first occurs.
푡′−1 4. If m2 푟 = ±1 푚표푑 푁 then back to 1. ′ 5. Else factor by 2푡 −1푟 푁 푔푐푑(푚 ± 1, 푁) 21 Can N be a domain parameter?
• Given 푒. “Knowing 푑 ⇔ Factoring 푁”
• Hence, it’s insecure that a group uses the same composite N
with different 푒𝑖, 푑𝑖
22 Question: Dose the other choice of 푑 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1 alter the result?
• Given 푒. “Knowing 푑 ⇔ Factoring 푁”
• 푑푒 = 1 푚표푑 푁 • 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1
23 Example
• (See)
24 This is a Kitten Licking Its Paw!
25 Can 푑 be chosen to be small ? (for speeding up decryption)
• Wiener’s Attack:
1 1 Given 푁, 푒. Assume 푞 < 푝 < 2푞 and 푑 < 푁4 3 Then there is an efficient way of factoring 푁.
• Goal: 푑푒 = 1 푚표푑 휙 푁 ⇔ 푑푒 − 푘휙 푁 = 1 Find 푘/푑
26 Continued Fraction
• 푥 = where 푎0 is an integer and 푎𝑖 is non-negative integer for 푖 ≥ 0
is said to be a continued fraction expression of 푥, denoted [푎0; 푎1, 푎2, … ].
• Any rational number can be written as a continued fraction form 44 2 1 1 = 6 + = 6 + = 6 + = [6; 3,2] Ex. 7 1 7 7 3 + 2 2 1 = 6 + = [6; 3,1,1] 1 3 + 1 27 1 + 1 Convergents
• You can also use the Euclidean algorithm to compute a continued fraction expression
1234 = 567 ∗ 2 + 100 1234 1 = 2 + 567 = 100 ∗ 5 + 67 1 567 5 + 100 = 67 ∗ 1 + 33 1 1 + 1 67 = 33 ∗ 2 + 1 2 + 33
푡ℎ • Let 푥 = [푎0; 푎1, 푎2, … ], 푦 is said to be the 푖 convergent of 푥 if 푦 = [푎0; 푎1, 푎2, … , 푎𝑖 ] 28 Origin : Rational Approximation by Continued Fraction
Theorem. Let 푥 be irrational, and let 푘/푑 be a rational number in lowest terms with 푑 > 0. Suppose that 푘 1 푥 − < . 푑 2푑2
Then 푘/푑 is a convergent in the continued fraction expansion for 푥
29 Origin : Rational Approximation by Continued Fraction
푒 Theorem. Let 푁 푥 be irrational, and let 푘/푑 be a rational number in lowest terms with 푑 > 0. Suppose that 푘 1 푒 푥 − < 2 . 푁 푑 2푑 푒 Then 푘/푑 is a convergent in the continued fraction expansion for 푥 푁
푑푒 = 1 푚표푑 휙 푁 ⇔ 푑푒 − 푘휙 푁 = 1
30 Wiener’s Attack: 1 1 Given 푁, 푒. Assume 푞 < 푝 < 2푞 and 푑 < 푁4 3 Then there is an efficient way of factoring 푁.
• Wiener’s Lemma. Given 푁, 푒, where 푁 = 푝푞 and 푑푒 − 푘휙 푁 = 1
1 1 Assume 푞 < 푝 < 2푞 and 푑 < 푁4 3 Then 푒 푘 1 − < . 푁 푑 2푑2 • Corollary. Using the condition above. Then 푘/푑 is a convergent in the continued fraction expansion for 푒 푁
31
푒 푘 1 푑휙 푁 ≥ 푑푒 > 푘휙 푁 − < . ⇒ 푑 > 푘 푁 푑 2푑2
32 Example : Wiener’s Attack
• (see)
33 Take a look at SP800-56B
• (See)
34 Bit Security of RSA Problem Is the least significant bit in the encryption of RSA as secure as the whole? 賴奕甫 RSA Problem
•RSA Problem: Given 푁, e and 푐 = 푚푒 푚표푑 푁 , where 푁 = 푝푞 , 푝, 푞: distinct odd primes 푑푒 = 1 푚표푑 휙 푁
Find (푚 (푚표푑 푁))
36 A Fact:
퐹푎푐푡표푟푖푛푔 푃푟표푏푙푒푚 ≥ RSA 푝푟표푏푙푒푚 is known
퐹푎푐푡표푟푖푛푔 푃푟표푏푙푒푚 ≱ RSA 푝푟표푏푙푒푚 or 퐹푎푐푡표푟푖푛푔 푃푟표푏푙푒푚 = RSA 푝푟표푏푙푒푚 is unknown
37 RSA Problem
• RSA Problem: Given 푁, e , where 푁 = 푝푞 , 푝, 푞: distinct odd primes 푑푒 = 1 푚표푑 휙 푁
푓 푥 = 푥푒 푚표푑 푁 is a 표푛푒-푤푎푦 function
38 •RSA Problem: 푓 푥 = 푥푒 푚표푑 푁 is a 표푛푒-푤푎푦 function
• Even though RSA problem may be hard, that does NOT mean we can know nothing from it. • For example, given 푐 = 푓 푚 = 푚푒 푚표푑 푁, we can know its
푚 푚 푚 푒 푐 Jacobi symbol value , since 푒 is odd. = = 푁 푁 푁 푁
39 The least significant bit secure of RSA Even though I accept 푓 푥 = 푥푚 푚표푑 푁 is a 표푛푒-푤푎푦 function, it only means I accept it’s hard to find the whole inverse element.
Is it still hard to find out the parity (lsb) of the inverse element?
40 In a Simple Usage
ALICE BOB 푒 푖푛푓표푟푚푎푡푖표푛 ║풌║ 푖푛푓표푟푚푎푡푖표푛 푚표푑 푁 RSA-3072 RSA-3072 (Asymmetric) (Asymmetric) AES-128 AES-128 with key 풌 with key 풌 (Symmetric) (Symmetric)
We don’t have to invert whole 푚푒 but recover some bits from 푚푒
Is RSA remain secure in this way?
41 Inverting the LSB ⇔ Solving RSA Problem
• Let 푁 = 푝푞 , 푒 , 푑 represent the RSA parameter
• The following calculation is under ℤ푁 • 푐 = 푚푒,define 1 푖푓 푙푠푏 표푓 푚 푖푠 1 푃푎푟푖푡푦 푐 ≔ 0 푖푓 푙푠푏 표푓 푚 푖푠 0
1 1 푖푓 푚 ∈ [0, 푁) 퐻푎푙푓 푐 ≔ 2 0 표. 푤
42 Inverting the LSB ⇔ Solving RSA Problem
1 1 푖푓 푙푠푏 표푓 푚 푖푠 1 푃푎푟푖푡푦 푐 ≔ 퐻푎푙푓 푐 ≔ 0 푖푓 푚 ∈ [0, 푁) 0 푖푓 푙푠푏 표푓 푚 푖푠 0 2 1 표. 푤
Having an oracle of 퐻푎푙푓 푐 ⇔ Having an oracle of 푃푎푟푖푡푦 푐 (Why?)
43 Inverting the LSB ⇔ Solving RSA Problem
• For 푐 = 푚푒, we have 1 퐻푎푙푓 푐 = 0 ⟺ 푚 ∈ [0, 푁) 2 1 2 3 퐻푎푙푓 2푒푐 = 0 ⟺ 푚 ∈ [0, 푁) ∪ [ 푁, 푁) 4 4 4 ⋮ • It follows that Having an oracle of 퐻푎푙푓 푐 ⇔ Solving RSA Problem. • Since Having an oracle of 퐻푎푙푓 푐 ⇔ Having an oracle of 푃푎푟푖푡푦 푐 , • We know Inverting the LSB ⇔ Solving RSA Problem.
44