Chap' 9 PublicKey Cryptography and RSA

1
Chap. 9Public-Key Cryptography and RSA
2
Public Key Cryptography

• Principles of Public-Key Cryptosystems
• The RSA Algorithm

3
Public Key Cryptography
Principles of PKC

• Radical departure from conventional cryptography
• Asymmetric, or two key, cipher
• Public key for encryption
• Private key for decryption
• Based on mathematical functions rather than on
  substitution and permutation
• Misconceptions concerning public-key cryptography
• Public-key cryptography is more secure than
  symmetric cryptography
• Public-key cryptography is general-purpose
  technique that has made symmetric cryptography
  obsolete
• Key distribution is trivial when using public-key
  cryptography, compared with the rather cumbersome
  handshaking involved with KDCs for symmetric
  cryptography

4
Public-Key Cryptosystems
Principles of PKC

• Concept of public-key cryptography evolved from
  an attempt to attack two of the most difficult
  problems associated with the symmetric encryption
• Key distribution
• Digital signatures
• Diffie and Hellman first publicly introduced the
  concepts of public-key cryptography in 1976
• Public-key algorithm rely on one key for
  encryption and a different but related key for
  decryption
• Requirement
• It is computationally infeasible to determine the
  decryption key given the encryption key
• Optional feature
• Either of two related keys can be used for
  encryption, with the other used for decryption

5
Public-Key Encryption
Principles of PKC
6
Public-Key Authentication
Principles of PKC
7
Conventional and Public-Key Encryption
Principles of PKC

• Conventional (Symmetric)
• Same algorithm and key used
• for encryption and decryption
• Parties share algorithm and key
• Key must be kept secret
• Cipher must be strong
• Plaintext/ciphertext pairs must
• not weaken the security of the key

• Public-Key (Asymmetric)
• Same algorithm but different keys
• used for encryption and decryption
• Parties share algorithm but each has
• one key from a matched pair
• One key must be kept secret
• Cipher must be strong
• Plaintext/ciphertext pairs plus one of
• the keys must not weaken the other
• key

8
Principles of PKC
PKC Secrecy
Y EPUb(X) X DPRb(Y)
PUb Bs public key PRb Bs private key
9
Principles of PKC
PKC Authentication
Y EPRb(X) X DPUb(Y)
No protection of confidentiality
10
Principles of PKC
PKC Secrecy and Authentication
Z EPUbEPRa(X) X DPUaDPRb(Z)
11
Requirements for PKC
Principles of PKC

• By Diffie and Hellman, in 1976
• Key pair generation is computationally easy
• Encryption is computationally easy
• Decryption is computationally easy
• Computationally infeasible for an adversary to
  determine private key given public key
• Computationally infeasible for an adversary to
  recover plaintext given public key and ciphertext
• Encryption and decryption functions can be
  applied in either order
• M DPUbEPRb(M) DPRbEPUb(M)

12
One-way and Trap-door Functions
Principles of PKC

• One-way function
• Y f(X) easy (polynomial time)
• X f-1(Y) infeasible (non-polynomial time)
• Trap-door one-way functions
• Family of invertible functions, one for each k
• Y fk(X) easy, given k and X
• X fk-1(Y) easy, given k and Y
• X fk-1(Y) infeasible if Y is known but k is
  unknown

13
RSA Algorithm
RSA Algorithm

• Developed in 1977 by Ron Rivest, Adi Shamir, and
  Len Adleman
• Block cipher block size is log2(n), for some
  integer n
• Encryption C Me mod n
• Public Key PU e, n
• Decryption M Cd mod n Med mod n
• Private Key PR d, n
• Requirements
• Find values of e, d, and n s.t. Med ? M (mod n)
  for all M lt n
• Relatively easy to compute Me (mod n) and Cd (mod
  n)
• Infeasible to determine d given e and n

14
RSA
RSA Algorithm

• Need to find a relationship of the form
• Med ? M mod n
• Can use the corollary of Eulers theorem
• Given two primes p and q, and two integers, n and
  M, s.t. n pq and 0 lt M lt n, the following
  relationship holds
• Mk?(n)1 ? M mod n
• where ?(n) is the Eulers phi function
• ?(n) ?(pq) (p-1)(q-1)
• Can achieve the desired relationship if ed
  k?(n)1
• Equivalent to saying that ed ? 1 mod ?(n) or d ?
  e-1 mod ?(n)
• That is, e and d are multiplicative inverses
  modulo ?(n)
• This is true only if d (and therefore e) is
  relatively to prime to ?(n)

15
RSA Algorithm
RSA Algorithm
16
RSA Algorithm
RSA Example

• Select two primes, p 17 and q 11
• Calculate n pq 17 ? 11 187
• Calculate ?(n) (p-1)(q-1) 16 ? 10 160
• Select e s.t. e is relatively prime to ?(n) and
  less than ?(n) in this case, e 7
• Determine d s.t. de ? 1 mod 160 and d lt 160. The
  correct value is d 23 (7 ? 23 161 160 1)
• PU 7, 187, PR 23, 187

17
RSA Algorithm
Computational Aspects

• Encryption and Decryption
• Both require modular exponentiation
• Can use the following efficient algorithm to
  compute ab mod n
• Square and multiply
• Key Generation
• Determining two prime numbers, p and q
  (Miller-Rabin Test)
• Selecting either e or d and calculating the other
  (Extended Euclid)

• Modular-Exponentiation(a, b, n)
• d ? 1
• let bkbk-1b0 be the binary representation of b
• for i ? k downto 0 do
• d ? (d ? d) mod n
• if bi 1 then d ? (d ? a) mod n
• return d

18
Efficient Encryption
RSA Algorithm

• Encryption uses exponentiation to power e
• The smaller e, the faster exponentiation
• Often choose e 65537 (216 1)
• Also see choices of e 3 or e 17
• But, very small e (e.g., e 3) can be vulnerable
• Encrypt the same message M with three different
  moduli n1, n2, n3
• C1 M3 mod n1, C2 M3 mod n2, C3 M3 mod n3,
  
• where n1, n2, and n3 are pairwise relatively
  prime
• By CRT, one can compute M3 (mod n1n2n3), where M3
  lt n1n2n3
• Need to only compute the cube root of M3
• Can be countered by padding a unique pseudorandom
  bit string
• If e fixed, must ensure gcd(e, ?(n)) 1
• i.e., reject any p or q not relatively prime to e

19
Efficient Decryption
RSA Algorithm

• Decryption uses exponentiation to power d
• This is likely large, insecure if not
• Can use the CRT to compute mod p q separately,
  then combine to get desired answer
• Vp Cd (mod p-1) mod p, Vq Cd (mod q-1) mod q
• Xp q ? (q-1 mod p), Xq p ? (p-1 mod q)
  (precomputed)
• M (VpXp VqXq) mod n (by CRT)
• Approximately 4 times faster than doing directly
• Only owner of private key who knows values of p
  q can use this technique

20
Attacks on RSA Algorithm
RSA Algorithm

• Brute force (Key space search)
• Try all possible private keys
• Use large keys
• Mathematical Attacks
• Several approaches, all equivalent to factoring
• Timing attacks
• Based on the running time of the decryption
  algorithm
• Chosen ciphertext attacks
• Exploit properties of the RSA
• e.g., multiplicative property f(xy) f(x)?f(y)
  for all x, y

21
Mathematical Attacks on RSA
RSA Algorithm

• Factor n into p and q
• Allows calculation of ?(n), which allows
  determination of d e-1 (mod ?(n))
• Determine ?(n) directly from n
• Equivalent to factoring
• n pq, ?(n) (p-1)(q-1) ? p2 (n ?(n) 1)p
  n 0
• Determine d e-1 (mod ?(n)) directly
• Seems to be as hard as factoring
• Factoring from the decryption exponent
• Las Vegas algorithm with probability at least 1/2
• If run m times, n will be factored with
  probability at least 1- 1/2m

22
Factoring from (e,d)-pair
RSA Algorithm

• Based on the following fact
• X2 ? 1 (mod p) has exactly two solutions, X ? 1
  and -1 (mod p)
• X2 ? 1 (mod n), where n pq, has four solutions
• (trivial solutions) two of these are 1 and -1
  (mod n)
• (non-trivial solutions) the other two solutions
  they are negatives of each other modulo n
• Example
• p 13, q 31 ? n 13 ? 31 403
• X2 ? 1 (mod 403)
• X2 ? 1 (mod 13) ? X ? 1 (mod 13)
• X2 ? 1 (mod 31) ? X ? 1 (mod 31)
• X ? -1 (mod 13), X ? 1 (mod 31) ? by CRT, X ? 92
  (mod 403)
• X2 ? 1 (mod 403) but X ? 1 (mod 403)
• gcd(93, 403) 31, gcd(91, 403) 13

23
Factoring from (e,d)-pair
RSA Algorithm

• RSA-FACTOR (n, e, d)
• Comment we are assuming that ed ? 1 mod ?(n)
• Write ed 1 2sr, r odd
• Choose w at random such that 1 ? w ? n-1
• x ? gcd(w,n)
• if 1 lt x lt n
• then return (x) / x is a factor of n /
• v ? wr mod n
• if v ? 1 (mod n)
• then return (failure)
• while v ? 1 (mod n) do
• v0 ? v
• v ? v2 mod n
• if v0 ? -1 mod n
• then return (failure)
• else x ? gcd(v01, n)
• return (x) / x is a factor of n /

24
Factoring
RSA Algorithm

• For a large n with large prime factors, factoring
  is a hard problem -
• RSA factoring challenge
• Sponsored by RSA Labs.
• To encourage research into computational number
  theory and the practical difficulty factoring
  large integers
• A cash prize is awarded to the first person to
  factor each challenge number

Progress in Factorization
25
RSA Factoring Challenge
RSA Algorithm

• Latest result is RSA 200 (663 bits)
• Reported May 2005
• Factored with Lattice Sieve
• 55 years on a single 2.2GHz Opteron CPU
• Matrix step 3 months on a cluster of 80 2.2GHz
  Opterons
• Sieving began in late 2003 and matrix step was
  completed in May 2005

26
RSA Factoring Challenge
RSA Algorithm
Numbers are designated RSA-XXXX, where XXXX is
the numbers length in bits Challenge Number
Prize (US) Status RSA-576 (174
Digits) 10,000 Factored (Dec 2003) RSA-640
(193 Digits) 20,000 Factored (Nov 2005) RSA-704
(212 Digits) 30,000 Not Factored RSA-768
(232 Digits) 50,000 Not Factored RSA-896 (270
Digits) 75,000 Not Factored RSA-1024 (309
Digits) 100,000 Not Factored RSA-1536 (463
Digits) 150,000 Not Factored RSA-2048 (617
Digits) 200,000 Not Factored RSA-704 Decimal
Digits 212 74 03756 34795 61712 82804 67960
97429 57314 25931 88889 23128 90849 36232
63897 27650 34028 26627 68919 96419 62511
78439 95894 33050 21275 85370 11896 80982 86733
17327 31089 30900 55250 51168 77063 29907
23963 80786 71008 60969 62537 93465 05637
96359
27
Constraints on p and q
RSA Algorithm

• Suggested constraints on p and q (by RSA
  inventors and researchers)
• Length of p and q should differ by only a few
  digits
• Both p-1 and q-1 should contain a large prime
  factor
• gcd(p-1, q-1) should be small
• d gt n1/4 (Wieners low decryption exponent attack)

28
Timing Attacks
RSA Algorithm

• Big integer multiplication take a long time
• Assume that the target system uses the following
  modular exponentiation algorithm for decryption
• By observing the time taken for modular
  multiplication, it is possible to infer bits in b
• If bi is set, d ? (d ? a) mod n will be executed
  (Will be much slower than the case of bi 0)
• By varying values of a (ciphertext), and
  observing the execution (decryption) times
  carefully, values of bkbk-1b0 (private key) can
  be inferred

• Modular-Exponentiation(a, b, n) / Compute ab
  mod n /
• d ? 1 / let bkbk-1b0 be the binary
  representation of b /
• for i ? k downto 0 do
• d ? (d ? d) mod n
• if bi 1
• then d ? (d ? a) mod n
• return d

29
Timing Attack Countermeasures
RSA Algorithm

• Constant exponentiation time
• Ensure that all exponentiations take the same
  amount of time
• Simple fix, but degrade the performance
• Random delay
• Add a random delay to the exponentiation
  algorithm to confuse the timing attack
• Blinding
• Multiply the ciphertext by a random number before
  performing the exponentiation
• RSA Data Securitys blinding method
• Generate a secret random r, 0 lt r lt n-1
• Compute C Cre mod n, where e is the public
  exponent
• Compute M (C)d mod n with the ordinary RSA
• Compute M M r-1 mod n (Cre)dr-1 mod n Cd
  mod n
• 2 to 10 performance penalty

30
Chosen Ciphertext Attack
RSA Algorithm

• RSA is vulnerable to a chosen ciphertext attack
  (CCA)
• Choose ciphertexts gets decrypted plaintext
  back
• Exploit properties of RSA to provide information
  to help cryptanalysis
• A simple example of a CCA against RSA
• EPU(M1) ? EPU(M2) EPU(M1 ? M2)
• Can decrypt C Me mod n using a CCA
• Compute X (C ? 2e) mod n
• Submit X as a chosen ciphertext and receive back
  Y Xd mod n
• Y Xd mod n (C ? 2e)d mod n Cd ? 2 (mod n)
  2M (mod n)
• Y is even, then M Y / 2
• Y is odd, then M (Y n) / 2
• To counter such CCAs, the plaintext requires
  random padding such as OAEP(Optimal Asymmetric
  Encryption Padding) prior to encryption

31
Encryption Using OAEP
RSA Algorithm
32
Chapter 9 Homework

• Prob. 9.9, 9.10, 9.14, 9.15, 9.18
• Due by June 9, 2006