RSA and Public Key Cryptography
Chester Rebeiro IIT Madras
CR STINSON : chapter 5, 6 Ciphers
• Symmetric Algorithms – Encryption and Decryption use the same key
– i.e. K E = K D – Examples: • Block Ciphers : DES, AES, PRESENT, etc. • Stream Ciphers : A5, Grain, etc. • Asymmetric Algorithms – Encryption and Decryption keys are different
– KE ≠ K D – Examples: • RSA • ECC
CR 2 Asymmetric Key Algorithms
KE KD
untrusted communication link Alice E D Bob #%AR3Xf34^$ “Attack at Dawn!!” Plaintext encryption (ciphertext) decryption “Attack at Dawn!!”
The Key K is a secret
Encryption Key K E not same as decryption key K D Advantage : No need of secure KE known as Bob’s public key ; K is Bob’s private key key exchange between Alice and D Bob
Asymmetric key algorithms based on trapdoor one-way functions
CR 3 One Way Functions
• Easy to compute in one direction • Once done, it is difficult to inverse
Press to lock Once locked it is (can be easily done) difficult to unlock without a key
CR 4 Trapdoor One Way Function
• One way function with a trapdoor • Trapdoor is a special function that if possessed can be used to easily invert the one way
trapdoor
Locked (difficult to unlock) Easily Unlocked
CR 5 Public Key Cryptography (An Anology) • Alice puts message into box and locks it • Only Bob, who has the key to the lock can open it and read the message
CR 6 Mathematical Trapdoor One way functions • Examples – Factorization of two primes • Given P, Q are two primes • and N = P * Q – It is easy to compute N – However given N it is difficult to factorize into P and Q • Used in cryptosystems like RSA – Discrete Log Problem • Consider b and g are elements in a finite group and bk = g, for some k • Given b and k it is easy to compute g • Given b and g it is difficult to determine k • Used in cryptosystems like Diffie-Hellman • A variant used in ECC based crypto-systems
CR 7 Applications of Public key Cryptography • Encryption • Digital Signature : “Is this message really from Alice?” • Alice signs by ‘encrypting’ with private key • Anyone can verify signature by ‘decrypting’ with Alice’s public key • Why it works? – Only Alice, who owns the private key could have signed
CR 8 Applications of Public key
Cryptography Diffie-Hellman Key Exchange • Key Establishment : “Alice and Bob want to use a block cipher for encryption. How do they agree upon the secret key”
Alice and Bob agree upon a prime p and a generator g. This is public information
choose a secret a choose a secret b compute A = ga mod p compute B = gb mod p
B A Compute K = Ba mod p Compute K = Ab mod p
Ab mod p = (ga)b mod p = (gb)a mod p = Ba mod p
CR 9 RSA
Shamir, Rivest, Adleman (1977)
CR 10 More Number Theory
Mathematical Background
CR 11 RSA : Key Generation
Bob first creates a pair of keys (one public the other private)
.1 Generatetwolargeprimes p,q ( p ≠ q) .2 Computen = p× q and φ(n) = ( p −1)(q − )1 .3 Choosea randomb 1( < b < φ(n))and gcd(b,φ(n)) =1 4.Computea = b−1 mod(φ(n))
Given the private key it is easy the Bob's public keyis (n,b) public key Bob's private keyis ( p,q,a) Given the public key it is difficult to derive the private key
CR 12 RSA Encryption & Decryption
Encryption Decryption
b eK (x) = y = x mod n a d K (x) = y mod n where x ∈ Zn
CR 13 RSA Example
1. Take two primesp = 653and q = 877 2. n = 653×877 = 572681; φ(n) = 652×876 = 571152 3. Choose public key b =13; note that gcd(13,571152) =1 4. Privatekey a = 395413 =13 1- mod571152
Message x =12345 encryption : y =1234513 mod572681 ≡ 536754 decryption : x = 536754395413 mod 572681 ≡12345
CR 14 Correctness
when x ∈ Z n and gcd( x, n) = 1
Encryption Decryption b eK (x) = y = x mod n d (x) = y a mod n where x ∈ Zn K y a ≡ (xb )a mod n ab ≡ 1mod ϕ (n) ab −1 = tϕ (n) ab ≡(x ) mod n ab = tϕ (n) + 1 ≡(xtφ (n)+1) mod n From Fermat’s theorem ≡ (xtφ (n) x) mod n ≡ x CR 15 Correctness
when x ∈ Z n and gcd( x, n) ≠ 1 Since n = pq, gcd( x, n) = p or gcd( x, n) = q Assume gcd(n, x) = p If = p | x = pk = x ab > > x ≡ x mod p LHS : x mod p ≡ pk mod p ≡ 0 ab x ≡ x mod q RHS : xab mod p ≡ 0 = x ≡ x ab mod n > Qgcd( p, x) = pit implies gcd(q, x) =1 (by CRT ) xab mod q ≡ xtφ (n)+1 mod q ≡ xtφ ( p)φ (q)+1 mod q ≡ (xφ (q) )tϕ ( p) ⋅ x mod q tϕ ( p) CR ≡ (1) ⋅ x mod q ≡ x 16 RSA Implementation
y = xc mod n
i ei z 4 1 12* x = x 3 0 x2 2 1 x4 * x = x 5 c = 23 = (10111) 2 1 1 X10 * x = x 11 0 1 x22 * x = x 23
CR 17 RSA Implementation in Software (Multi-precision Arithmetic) • RSA requires arithmetic in 1024 or 2048 bit numbers • Modern processors have ALUs that are 8, 16, 32, 64 bit – Typically can perform arithmetic on 8/16/32/64 bit numbers • solution: multi-precision arithmetic (gmp library)
base : 2 b, where b = 64/32/16/8 bits
CR 1024 bits 18 Multi-precision Addition
• ADD : a = 9876543210 = (2, 76, 176, 22, 234) 256
b = 1357902468 = (80, 239, 242, 132) 256 base = 8 bit (256)
i ai bi cin ai+b i+c in (mod 256) Carry? cout 0 234 132 0 110 (110 < 234)? 1 1 22 242 1 9 (9 < 22)? 1 2 176 239 1 160 (160 ≤ 176)? 1 3 76 80 1 157 (157 ≤ 76)? 0 42 0 0 2 (2 ≤ 2)? 0
a + b = (2, 157, 160, 9, 110) 256 = 11234445678
CR “Computational Number Theory”, Abhijit Das, CRC Press 19 Multi-precision Subtraction
• SUB : a = 9876543210 = (2, 76, 176, 22, 234) 256
b = 1357902468 = (80, 239, 242, 132) 256 base = 256 (8 bit)
i ai bi Cin Borrow? Cout ai-bi-cin (mod 256) 0 234 132 0 (234 < 132)? 0 102 1 22 242 0 (22 < 242)? 1 36 2 176 239 1 (176 < 239)? 1 192 3 76 80 1 (76 < 80)? 1 251 42 0 1 (2 < 0)? 0 1
a - b = (1, 251, 192, 36, 102) 256 = 8658640742
CR 20 Multi-precision Multiplication (Classical Multiplication)
• MUL : a = 1234567 = (18, 214, 135) 256
b = 76543210 = (4, 143, 244, 234) 256 base = 8 bit (256)
a * b =
(0 85 241 247 25 195 102) 256 = 99447721140070
CR 21 Multi-precision Multiplication (Karatsuba Multiplication)
Let a,b be two multiprecision integers with n B − ary words. Let m = n 2/ m a = ah B + al m b = bh B + bl 2m m a×b = (ahbh )B + (a blh + a bhl )B + a bll 2m m = (ahbh )B + ()ahbh + a bll + (ah − al )(bh − bl ) B + a bll
using (ah − al )(bh − bl ) = ahbh − a blh − a bhl + a bll
Karatsuba multiplication converts n bit multiplications into 3 multiplications of n/2 bits The penalty is an increased number of additions
CR 22 Multi-precision Multiplication (Karatsuba Multiplication)
B = 256; ahbh = (1, 176, 254, 234) 256 a = 123456789 = (7, 91, 205, 21) 256 albl = (83, 222, 83, 133) 256 b = 987654321 = (58, 222, 104, 177) 256 ah - bh = -(197, 186) 256 n=4; m=2 al - bl = -(45, 211) 256 a = (7, 91); a = (205, 21) h l (a b ) (a b) = (35, 100, 170, 78) a = (7, 91)256 2 + (205, 21) h - h l - l 256 ahbl + albh = a b + ab - (a - b ) (a - b) bh = (58, 222); bl = (104, 177) h h l l h h l l 2 b = (58, 222)256 + (104, 177) = (50, 42, 168, 33) 256 1 176 254 234 50 42 168 33 83 222 83 133 1 177 49 20 251 255 83 133 ab
CR 23 Speeding RSA decryption with CRT
• Decryption is done as follows : x = ya mod n • Bob can also decrypt by using CRT x = ya mod p x = ya mod q (since he knows the factors of n, i.e. p,q) • CRT turns out to be much faster since the size (in bits) of p and q is about ½ that of n
CR 24 Multi-precision libraries
• GMP : GNU Multi-precision library • Make use of Intel’s SSE/AVX instructions – These are SIMD instructions that have large registers (128, 256, 512 bit) • Crypto libraries – OpenSSL, PolarSSL, NaCL, etc.
CR 25 Finding Primes
CR 26 Test for Primes
• How to generate large primes? – Select a random large number – Test whether or not the number is prime • What is the probability that the chosen number is a prime? – Let π(N) be the number of primes < N – From number theory, π(N) ≈ N/ln N – Therefore probability of a random number (< N) being a prime is 1/ln N • As N increases, it becomes increasingly difficult to find large primes
CR 27 GIMPS
• There are infinite prime numbers (proved by Euclid) • Finding them becomes increasingly difficult as N increases • GIMPS : Great Internet Mersenne Prime Search – Mersenne Prime has the form 2 n – 1 – Largest known prime (found in 2016) has 22 million digits 2274,207,281 − 1 • $3000 to beat this ☺
https://en.wikipedia.org/wiki/Largest_known_prime_number CR 28 Primality Tests with Trial Division
• School book methods (trial division) – Find if N divides any number from 2 to N-1 – find if N divides any number from 2 to N 1/2 – Find if N divides any prime number from 2 to N 1/2 – Too slow!!! • Need to divide by N-1 numbers • Need to divide by N 1/2 numbers • Need to divide by (N/lnN)1/2 primes – For example, if n is approx 2 1024 , then need to check around 2 507 numbers • Need something better for large primes – Randomized algorithms
CR 29 Randomized Algorithms for Primality Testing • Monte-carlo Randomized Algorithms – Always runs in polynomial time – May produce incorrect results with bounded probablity
– Yes-based Monte-carlo method • Answer YES is always correct, but answer NO may be wrong – No-based Monte-carlo method • Answer NO is always correct, but answer YES may be wrong
CR 30 Finding Large Primes (using Fermat’s Theorem)
n−1 is _ prime (n){ If n is prime, then a ≡ 1 mod n is true for any ‘a’ pick a ← Z n n−1 n−1 If n is composite a ≡1mod n if (a ≡ 1mod n) is false but may be true for some values of a. return TRUE For example: n = 221 and a = 38 else 38 220 mod 221 ≡ 1.
return FALSE We need to increase our confidence } with more values of a
CR 31 Fermat’s Primality Test
• Increasing confidence with multiple bases
primality _ test (n){ c = 0 for (i = 0;i < 1000; + +i){ if (is _ prime (n) == FALSE ) return COMPOSITE } return probably PRIME }
CR 32 Flaw in the Fermat’s Primality Test
Some composites act as primes. Irrespective of the ‘a’ chosen, the test an−1 ≡1mod n passes.
for example Carmichael numbers are composite numbers which satisfy Fermat’s little theorem irrespective of the value of a.
CR 33 Strong probable-primality test
• If n is prime, the square root of a n-1 is either +1 or -1
a2 ≡1mod n a2 −1 ≡ mod n (a +1)(a −1) ≡ 0mod n either (a +1) ≡ 0mod n or (a −1) ≡ 0mod n
CR 34 Miller-Rabin Primality Test
• Yes-base primality test for composites • Does not suffer due to Carmichael numbers • Write n-1 = 2 sd – where d is odd and s is non -negative – n is a composite if r ad ≠ 1mod n and (ad )2 ≠ −1mod n for all number r lessthan s
CR 35 Proof of Miller-Rabin test
• Write n-1 = 2 sd r ad ≠ 1mod n and (ad )2 ≠ −1mod n for all number r lessthan s
• Proof: We prove the contra -positive. We will assume n to be prime. Thus, r ad ≡1mod n or (ad )2 ≡ −1mod n for some number r lessthan s
CR 36 Proof of Miller-Rabin test
Proof: We prove the contra-positive. We will assume n to be prime. Thus we prove,
r ad ≡1mod n or (ad )2 ≡ −1mod n for somenumber r lessthan s • Consider the sequence : 1 (Fermat ‘s) d 21 d 2 2 d 23 d 2 s d a , a , a , a ,LL, a – The roots of x 2 = 1 mod n is either +1 or -1 – In the sequence, if a d is 1, then all elements in the sequence will be 1 – If a d is not 1, then there should be some element in the sequence which is -1, in order to have the final element as 1
CR 37 Miller-Rabin Algorithm (test for composites)
Input n T .1 Find an odd integer d such that n −1 = 2 s d
T .2 Select at random a nonzero a ∈ Z n T .3 Compute b = a d mod n If b = ±1, return ' n is prime '
2i T .4 For i = ,1 L, r − ,1 calculate c ≡ b mod n If c = − ,1 return 'n is prime ' T .5 Otherwise return ' n is composite '
CR 38 Quadratic Residues
• Example : m=13, square elements in Z 13 . 1,4,9, 3, 12, 10, 10, 12, 3, 9, 4, 1
The quadratic residues Z 13 are therefore {1, 4, 3, 9, 10, 12}
If an element is not a quadratic resiidue, then it is a quadratic non-residue
quadratic non-residues in Z 13 are {2, 5, 6, 7, 8, 11}
CR 39 Legendre Symbol
0 if p | a a = 1 if ais aQR mod p p −1 if ais aQNR mod p
Given p is an odd prime
CR 40 Euler’s Criteria
A result from Euler
p−1 a 2 ≡ a mod p p
when a is a QR , ∃x ∈ Z s t.. a ≡ x 2 mod p when p | a p p −1 ( p − )1 2 p −1 = a 2 ≡ x 2 mod p a 2 ≡ 0 mod p > ≡ x p −1 mod p ≡1
CR 41 when Quadratic Non Residue
2 when a is a QNR , no such x ∈ Z p exists s.t. a ≡ x mod p p −1 consider : a 2 mod p (note p −1 is even ,if p is an odd prime ) squaring : a p −1 mod p ≡1 2 p −1 2 so, a ≡1mod p p −1 Thus , a 2 ≡ ± 1mod p p −1 a 2 ≠1mod p, since a is not a QR p −1 Thus a 2 ≡ −1mod p
CR 42 Examples Congurence
p−1 a 2 n isan primeodd ≡ a mod p 4 is aQR mod13
p 13−1 alwaysholdswhen 4 2 mod13 ≡ 46 mod13 ≡1 5is aQNR mod13 56 mod13 ≡12mod13 ≡ −1 n isan primeodd ogrnemayCongurence
15−1 ormaynothold Euler’s Witness 2 7
7 mod15 ≡ 7 mod15 ≡ −2 when
Euler’s Liar 15−1 14 2 mod15 ≡147 mod15 ≡ −1
CR 43 Solovay Strassen Primality Test
SOLOVAYSTRASSEN(n){ choosea randominteger asuch that 1 ≤ a ≤ n-1 a compute x = n How to compute if (x = 0) returnCOMPOSITE Legendre’s symbol n−1 compute y = a 2 mod n if (x ≡ y mod n) return possiblyPRIME else returnCOMPOSITE }
error probability is at most ½ after k invocations of this algorithm,
CR 44 Jacobi Symbol
• Jacobi Symbol is a generalization of the Legendre symbol • Let n be any positive odd integer and a>=0 any integer. The Jacobi symbol is defined as:
Suppose n is an odd positive integer with prime factorizat ion
e1 e2 e3 e4 n = p1 × p 2 × p3 × p 4 ... T
Then,
e e e3 e a a 1 a 2 a a 4 = × × × × L n p1 p2 p3 p4
CR 45 Jacobi Properties
a b P .1 If a ≡ b mod n then = n n 2 1 if n ≡ ±1mod8 P .2 = n −1 if n ≡ ±3mod8 ab a b P3. = n n n k a 2 t P .4 if ais even, a = 2k t, = n n n P .5 if ais odd, n − if n ≡ a ≡ 3mod 4 a a = n n otherwise a CR 46 Computing Jacobi
From the theorem P5, P1, then P2
P5, P1, P5, P1, P3, P2
P5, P1 and 1 is a QR mod 13
CR 47 Factoring Algorithms
CR 48 Factorization to get the private key
• Public information (n, b) • If Mallory can factorize n into p and q then, • She can compute φ(n) = (p-1)(q-1) • She can then computethe private key by finding a ≡ b -1 mod φ(n)
How to factorize n?
CR 49 Trial Division
Fundamental theorem of arithmetic Any integer number (greater than 1) is either prime or a product of prime powers e1 e2 e3 ek n = p1 p2 p3 L pk
prime generation algorithm
Prime factors of n cannot be greater than n
n = n / p : remove this factor from n
Running Time of algorithm order of π(2 n/2 )
CR 50 Pollard p-1 Factorization
n = p× q
1 choose a random integer a 1( < a < n). If gcd(a,n) ≠ ,1 then a is a prime factor. However, this is most likely not the case as gcd(a,n) = .1 4 2 Supposewemagically getan Lsuch that p-1|L. How to find the magic L? Weuse L tocompute(aL −1). No easy way, trial and error!! p − |1 L => ( p − )1 k = L Factorials have a lot of divisors. So that aL ≡ a( p− )1 k ≡1mod p (by Fermat'sLittleTheorem) is a nice way. So, take L as a factorial of some L Thus, p | a −1 number r. 3 Now compute gcd(a L − ,1 n) Since, p | n and p | a L − ,1 gcd(a L − ,1 n) is either p and may also be n. Thus if gcd(a L − ,1 n) ≠ n, then we have found a factor of n. if gcd(a L -1, n) = n, then q | a L −1 also. Cannot conclude anything.
CR 51 Pollard p-1 Factorization
Pollard p-1 factorization for n. S1. a ← 2 S2. if gcd(a, n) > ,1 then this gcd is a prime factor of n, we are done. S3. computed ← gcd(ar!-1, n) if d = n, start again from S1 with next value of a else if d =1 , increment r and repeat S3 else d is the prime factor of n; we are done!
r = 2,3, 4, �..
Will the algorithm terminate?
CR 52 Pollard Rho Algorithm
• Form a sequence S1 by selecting randomly (with replacement)
from the set Z n x0 ≡ x mod p S1 = x0 , x1, x2 , x3 , x4 ,L 0
• Also assume we magically find a x1 ≡ x1 mod p new sequence S2 comprising of x2 ≡ x2 mod p S2 = x 0 , x1, x2 , x3 , x4 ,L where x3 ≡ x3 mod p
• If we keep adding elements to x4 ≡ x4 mod p
S1, we will eventually find an x i and xj (i≠j) such that xi = x j When this happens,
p | (xi − x j )
Q p | n also, gcd((xi − x j ),n)is p.We found a factor of n !! CR 53 Doing without magic
• Form a sequence S1 by selecting randomly (with replacement)
from the set Z n
S1 = x0 , x1, x2 , x3 , x4 ,L
• For every pair i,j in the sequence compute
d ← gcd((xi − x j ,n)
• If d > 1 then it is a factor of n
CR 54 Selecting elements of S1
To choose the next element of S1, Pollard suggests
using a function f : Zn → Zn with requirement that the output looks random.
Example : f (x) = x2 +1mod n
x where x is chosenrandomly from Z 0 0 n S1 = xi i > 0 and xi = f (xi−1)
CR 55 Example
This column is just • N= 82123, x = 631, f(x) = x 2 + 1 for understanding. 0 In reality we will not know this
Drawback� Large number of GCD computations. In this case 55.
Can we reduce the number of gcd computations ?
Given x i mod N, we compute gcds of every pair until we find a gcd greater than 1
gcd(x3 − x10 , N) = gcd(63222,82123) = 41 A factor of N
CR 56 The Rho in Pollard-Rho
• N= 82123, x = 631, f(x) = x 2 + 1 0 21 26
5 32
2 0 40 1
11
16
xt = xt+l mod p • The smallest value of t and l, for which the above congruence holds is t=3, l=7 • For l=7, all values of t > 3 satisfy the congruence • This leads to a cycle as shown in the figure (and a shape like the Greek letter rho) x j = x j+l mod p t ≥ 3
CR 57 Reducing gcd computations
• GCD computations can be expensive. • Use Floyd’s cycle detection algorithm to reduce the number of 21 GCD computations. 26
5 32
choose a random x 0 = y 0 ∈ Z n 2 0 xi = f ( xi −1 ) 40 1 y i = x 2 i = f ( f ( y i −1 )) 11 loop
If d = gcd( xi − y i , N ) > ,0 return d 16
l claim : The first time x i = yi mod p occurs when i ≤ t +
CR 58 The first time xi = yi mod p occurs is when i ≤ t + l • l is the number of points in the cycle
• t is the smallest value of i such that xi ≡ yi mod N
xi and yi meet at the same point in the cycle Therefore, yi must have traversed (some) cycles more
xi ≡ yi mod N consider (k + 1)l xi ≡ x2i mod N l | (2i − i) = kl + l ≤ t + l l | i => lk = i
CR 59 Expected number of operations before a collision • Can be obtained from Birthday paradox to be p
CR 60 Congruences of Squares
• Given N=p x q, we need to find p and q • Suppose we find an x and y such that x 2 ≡ y 2 mod N • Then, 2 2 N | ( x − y ) = > N | ( x − y )( x + y ) • This implies, gcd( N , ( x − y)) or gcd( N , ( x + y)) factors N
CR 61 Example
• Consider N = 91
102 ≡ 32 mod91 342 ≡ 82 mod91 91| (10 − 3)(10 + 3) 91| (34 + 8)(34 −8) 91| (7×13) 91| 42× 26 gcd(91,13) =13 gcd(91,26) =13 gcd(91, )7 = 7 gcd(91,42) = 7
So� we can use x and y to factorize N. x 2 ≡ y 2 mod N But how do we find such pairs?
CR 62 Another Example
• N = 1649
412 ≡ 32mod1649 32 and 200 are not perfect squares. However (32x200 = 6400) = 80 2 432 ≡ 200mod1649 is a perfect square (41× 43)2 ≡ (32× 200) mod1649 ≡ 802 mod1649
Thus, it is possible to combine non-squares to form a prefect square
the examples are borrowed from Mark Stamp (http://cs.sjsu.edu/faculty/stamp/) CR 63 Forming Perfect Squares
Recall, Fundamental theorem of arithmetic Any integer number (greater than 1) is either prime or a product of prime powers e1 e2 e3 ek n = p1 p2 p3 L pk
Thus, a number is a perfect square if it prime factors have even powers.
e1,e2 ,e3 ,... is even Thus, 32 = 2 550 not a perfect square 200 = 2 352 not a perfect square (32x200) = 2 550 x 2 352 = 2 852 = (2 451)2 is a prefect square
CR 64 Dixon’s Random Squares Algorithm 1. Choose a set B comprising of ‘b’ smallest primes. Add -1 to this set. (A number is said to be b-smooth, if its factors are in this set) 2. Select an r at random – Compute y = r 2 mod N – Test if y factors completely in the set B. – If NO, then discard. ELSE save (y, r) (these are called B-smooth numbers ) 3. Repeat step 2, until we have b+1 such (y,r) pairs 4. Solve the system of linear congruencies
CR 65 Example
• N = 1829 • b = 6 B = {-1, 2,3,5,7,11,13} • Choose random values of r, square and factorize
All numbers are B-smooth except 60 and 75. Leave these and consider all others
CR 66 Check Exponents
-1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0
CR 67 Check Exponents
-1 2 3 5 7 11 13 -65 1 0 0 1 0 0 1 20 0 2 0 1 0 0 0 63 0 0 2 0 1 0 0 -11 1 0 0 0 0 1 0 -91 1 0 0 0 1 0 1 80 0 4 0 1 0 0 0
Find rows where exponents sum is even -65, 20, 63, -91
sum 2 2 2 2 2 0 2 (42× 43×61×85)2 ≡ (−1× 2×3×5×7×13)2 mod1829 14592 ≡ 9012 mod1829
CR 68 Final Steps
(42× 43×61×85)2 ≡ (−1× 2×3×5×7×13)2 mod1829 14592 ≡ 9012 mod1829
1829 (| 1459 + 901)(1459 − 901) =>1829 | 2360 gcd(1829,2360) = 59 =>1829 | 558 gcd(1829,558) = 31
Thus 1829 = 59×31
CR 69 State of the Art Factorization Techniques • Quadratic Sieve – Fastest for less than 100 digits • General Number field Sieve – Fastest technique known so far for greater than 100 digits – Open source code (google GGNFS) • RSA factoring challenge – Best so far is 768 bit factorization – Current challenges 896 bits (reward $75,000), 1024 bit ($100,000)
https://en.wikipedia.org/wiki/RSA_Factoring_Challenge CR 70 RSA Attacks
attacks that don’t require factorization algorithms
CR 71 Φ(n) leaks
• If an attacker gets Φ(n) then n can be factored
n = pq q = n / p φ(n) = ( p −1)(q − )1 = pq − ( p + q) +1 n φ(n) = n − ( p + ) +1 p p2 − (n −φ(n) + )1 p + n = 0
Solve to get p (a factor of n)
CR 72 square roots of 1 mod n There are two trivial and two non-trivial solutions for y 2 ≡1mod n The trivial solutions are +1 and -1 By CRT, these congruences are equivalent y ≡1mod p 2 y ≡ −1mod p 2 y ≡1mod p y ≡1mod n 〈=〉 2 y ≡1mod q y ≡1mod q y ≡ −1mod q
To get the non-trivial solutions solve using CRT
y ≡ +1mod p y ≡ −1mod p y ≡ −1mod q y ≡ +1mod q
CR 73 Example
• n=403 = 13 x 31 • To get the non-trivial solutions of y 2 ≡ 1 mod n solve using CRT
y ≡ +1mod p y ≡ −1mod p y ≡ −1mod q y ≡ +1mod q
(31⋅31−1 mod13−13⋅13−1 mod31) mod 403 (31⋅8 −13⋅12) mod 403 ≡ 92 403 − 91 = 311
2 2 The non-trivial solutions are 92 and 311 Note: 92 ≡ 311 ≡1mod 403
What happens when we solve y ≡ +1mod p y ≡ +1mod q
CR 74 Decryption exponent leaks
• If the decryption exponent ‘a’ leaks, then n can be factored • The attacker can then compute ab ab ≡1modφ(n) kφ(n) = (ab −1) • Now, for any message x ≠ 0 xab−1 ≡1mod n ab−1 • Attack Plan , take square root : y ≡ x 2 mod n i.e. , y 2 ≡1 mod n = n | (y 2 −1) > However we need => n | (y −1)(y +1) y ≠ ±1 gcd( n, y − 1) is a factor of n to have a non- trivial result CR 75 The Attack (basic idea) we assume we know the private key a
ab ≡1modφ(n) .1 given a computeab −1 kφ(n) = ab −1
ab −1 ab−1 .2 Represent t = 2 2 y1 = x ≡1mod n 2 .3 chooseany message x thus (, y1 − )1 ≡ 0mod n 4.put y = xt mod n n | (y +1)(y −1) .5 computed ← gcd(y − ,1 n) This will only work if y ≠±1 mod n. .6 if d ≠ ,1 return a" factor of n is ;"d exit If y = ±1 mod n. then goto step 7 .7 if (t is even) t = t ;2/ goto step 4 else return" failure"
Probability of success of the attack is at-least 1/2
CR 76 Example
• N=403, b=23, a=47 t = ab −1 =1080 x = 2 1080 loop :1 t = = 540 y ≡ xt mod 403 = 2540 mod 403 ≡1 2 540 loop2 : t = = 270 y ≡ xt mod 403 = 2270 mod 403 ≡ 311 2 gcd(310,403) = 31 (a factor of n)
t = ab −1 =1080 x = 9 1080 loop :1 t = = 540 y ≡ xt mod 403 = 9540 mod 403 ≡1 2 540 loop :2 t = = 270 y ≡ xt mod 403 = 9270 mod 403 ≡1 2 270 loop :3 t = =135 y ≡ xt mod 403 = 9135 mod 403 ≡1 2 can’t divide 135 further. failure
CR 77 Small Encryption Exponent
• In order to improve efficiency of encryption, a small encryption exponent is preferred • However, this can lead to a vulnerability
CR 78 Small Encryption Exponent
3 c1 Alice m mod N 1 m 3 c2 m mod N 2
3 c3 m mod N 2
Insecure channel • Consider, Alice sending the same message x to 3 different people.
• Each having a different N (say N 1, N 2, N 3) • But same public key b (say 3)
CR 79 Small Encryption Exponent
3 c1 Alice m mod N 1 m c ≡ m3 mod N 3 c2 1 1 m mod N 2 3 c2 ≡ m mod N2 3 3 c3 c3 ≡ m mod N3 m mod N 2
Insecure channel • Consider, Alice sending the same message x to 3 different people.
• Each having a different N (say N 1, N 2, N 3) • But same public key b (say 3) • This allows Mallory to snoop in and get 3 ciphertexts
CR 80 Small Encryption Exponent
By CRT
3 c1 ≡ m mod N1 3 3 c2 ≡ m mod N2 〈=〉 X ≡ m mod(N1 ⋅ N2 ⋅ N3 ) 3 c3 ≡ m mod N3 • Thus, Mallory can compute X
• Since m < N 1, m
It is tempting to have small private and public keys, so that encryption or decryption may be carried out efficiently. However you would do this at the cost of security!!
CR 81 Low Decryption Exponent
• The attack applies when the private key a is 4 n small, a < 3
• In such a case ‘a’ can be computed efficiently
CR 82 Partial Information of Plaintexts
Computing Jacobi of the plaintext y ≡ xb mod n y is theciphertext; x the message bis the public key and gcd(b, φ(n)) =1 Thus, gcd(b, (p-1)(q-1)) =1 ( p −1)(q − )1 is even, therefore b must beodd consider Jacobi y = ±1 n b y x x = = n n n sincebisodd
x thus, RSA encryption leaks the value of the Jacobi symbol n
CR 83 Partial Information of Plaintexts first half or second half? • given y = xbmod n, – is it possible to determine if (0 ≤ x < n/2) or (n/2 ≤ x < n-1) first half second half
• We prove that RSA does not leak this information • If there exists an efficient algorithm that can determine if x is in the first or second half then, the entire plaintext can be obtained
CR 84 Binary Search Trees on x
Consider this function [0,13) n 0 if 0 ≤ x < 0 HALF(x) = 2 n [0-6.5) [6.5,13) 1 if ≤ x < n −1 2 0 example [0,3.25) x = 3mod13 HALF(x) = 0 [0,1.625) 1 2x ≡ 6mod13 HALF 2( x) = 0 4x ≡12mod13 HALF 4( x) =1 [1.625,3.25) 8x ≡11mod13 HALF 8( x) =1 16x ≡ 9mod13 HALF(16x) =1 3
CR 85 Partial Information of Plaintexts (first or second half proof) • Assume a hypothetical oracle called HALF as follows n 0 if 0 ≤ x < HALF(n,b, y) = 2 n y ≡ xb mod n 1 if ≤ x < n −1 2 2b ⋅ y ≡ 2( x)b mod n b b n 4 ⋅ y ≡ (4x) mod n HALF(y) = 0 = x ∈[0, ) > 2 8b ⋅ y ≡ 8( x)b mod n 16b ⋅ y ≡ (16x)b mod n n n n HALF 2( b y) = 0 = x ∈[ ,0 ) HALF 2( b y) =1 = x ∈[ , ) > 4 > 4 2
n n n HALF 2( 2b y) = 0 = x ∈[ ,0 ) HALF 2( 2b y) = 0 = x ∈[ , ) > 8 > 8 4
CR 86 Example
n=1457, b=779, y=722
hi 1 0 1 0 1 1 1 1 1 0 0
Thus, if we have an efficient function HALF, we can recover the plaintext message.
CR 87 Man in the Middle Attack
• The process of encryption with a public key cipher
Bob decrypts with his private key
CR 88 Man in the Middle Attack
• The process of encryption with a public key
cipher Man in the middle Intercepts messages
Mallory decrypts with her private key and re- encrypts Bob decrypts with Bob’s with his private public key key
CR 89 Searching the Message Space
• Suppose message space is small, – Mallory can try all possible messages, encrypt them (since she knows Bob’s public key) and check if it matches Alice’s ciphertext
Bob decrypts with his private key
CR 90 Bad Prime Generation Algorithms
• Suppose the prime generation was faulty – So that, primes generated were always from a small subset – Then, RSA can be broken • Pairwise GCD of over a million RSA modulii collected from the Internet showed that – 2 in 1000 have a common prime factor
CR Ron was Wrong, Whit is right, 2012 91 Discrete Log Problem, ElGamal, and Diffie Hellman
CR STINSON : chapter 6 92 Primitive Elements of a Group
Let (G,⋅ )bea group of order n. Let α ∈G, The order of α is the smallest integer m such that α m = 1 α is termed as a primitive element if it has order n. If α is a primitive element then α = {α i : 0 ≤ i ≤ n -1} generates all elements in G
Consider Z * = ,3,2,1{ ,12} 13 L * (Z13 ⋅), formsa groupof order12 Let 7∈ Z * , <7> has order 12 13 and generates all elements in Z. 7 = { ,7 10, ,9,5 11,12, ,8,3,6 ,4 }1,2 Thus, 7 is a primitive element
CR 93 Discrete Log Problem
Let (G ⋅), be a group Letα ∈G bea primitiveelement in thegroup with order n Define theset α = {α i : 0 ≤ i ≤ n − }1
For any uniqueinteger a (0 ≤ a ≤ n −1), let α a = β
Denote a = logα β as thediscretelogarithmof β
Given α and a, it is easy to compute β Given α and β it is computationally difficult to determine what a was
CR 94 ElGamal Public Key Cryptosystem
• Fix a prime p (and group Zp)
• Let α ∈ Z p be a primitive element • Choose a secret ‘a’ and compute β ≡ α a mod p
Public keys : α, β, p Private key : a
Encryption Decryption
choose a random (secret) k ← Z a −1 p dk (x) = y2 (y1 ) mod p e (x) = (y , y ) k ka −1 k 1 2 = x ⋅ β (α ) mod p k where y1 = α mod p, ka ka −1 k = x ⋅α (α ) mod p y2 = x ⋅ β mod p CR ≡ x 95 ElGamal Example
• p = 2579, α = 2 (α is a primitive element mod p) • Choose a random a = 765 • Compute β ≡ 2 765 mod 2579 Encryption of message x = 1299 choose a random key k = 853 853 y1 = 2 mod 2579 = 435 853 y2 = 1299 x 949 = 2396 Decryption of cipher (435, 2396) 2396 x (435 765 )-1 mod p = 1299
CR 96 Finding the Log
β ≡ α a mod p
Given α and β it is computationally difficult to determine what a was • Brute force (compute intensive) compute α,α 2 ,α 3 ,α 4...... (until you reach β) this would definitely work, but not practical if p is large complexity O(p), space complexity O(1) • Memory Intensive precomputeα,α 2 ,α 3 ,α 4...... (all values). Sort and store. For any given β look up the table of stored values. complexity O(1) but space complexity O(n)
CR 97 Shank’s Algorithm (also known as Baby-step Giant-step)
β ≡ α a mod p
Rewrite a as a = mq + r where m = p
β ≡ α mqα r mod p q β ()α −m ≡ α r mod p
We neither know q nor r, so we need to try out several values for q and r until we find a collision
CR 98 Shank’s Algorithm (example) • p= 31 and α=3. Suppose β=6. • What is a? (3−1)6 mod31 = 2 m = 31= 6 α ≡ 3 collision β (α −6 )0 = 6⋅20 = 6 α 2 ≡ 9 β (α −6 )1 = 6⋅21 =12 α 3 ≡ 27 β (α −6 )2 = 6⋅22 = 24 List 1 List 2 List α 4 = 81 ≡19mod31 β (α −6 )3 = 6⋅23 ≡17 mod31 α 5 =19⋅3 ≡ 26mod31 β (α −6 )4 = 6⋅24 ≡ 3mod31
Thus, m=6, q=4, r=1, a= mq+r = 25
CR 99 Shank’s Algorithm
Create List 1
Create List 2
Find collision
CR 100 Complexity of Shank’s Algorithm
O(m) O(mlog m)
O(m) O(mlog m)
O(log m)
O(mlogm) ~ O(m) = O(p 1/2 )
CR 101 Other Discrete Log Algorithms
β ≡ α a mod n
• Pollard-Hellman Algorithm used when n is a composite • Pollard-Rho Algorithm about the same runtime as the Shank’s algorithm, but has much less memory requirements
CR 102 Diffie Hellman Problem
Let (G ⋅), be a group Letα ∈G bea primitiveelement in thegroup with order n Define theset α = {α i : 0 ≤ i ≤ n − }1
a b ab given α and α , find α Computational DH (CDH) given α a ,α b and α c , determineif c ≡ ab mod n Decision DH (DDH)
CR 103 Recall… Diffie Hellman Key Exchange
Alice and Bob agree upon a prime p and a generator g. This is public information
choose a secret a choose a secret b compute A = ga mod p compute B = gb mod p
B A Compute K = Ba mod p Compute K = Ab mod p
Ab mod p = (ga)b mod p = (gb)a mod p = Ba mod p
CR 104