CPSC 418/MATH 318 Introduction to Cryptography
More on RSA, Probabilistic Encryption, Provable Security Against Passive Attacks
Week 9

Renate Scheidler
Department of Mathematics & Statistics
Department of Computer Science
University of Calgary

Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 9 1 / 28
(This extract contains slides 1 to 16 of 28.)

Outline
1 Review of RSA
2 Efficiency of RSA
3 Security of RSA
  Mathematical Security of RSA
  Multiplicative Attacks
  RSA – Conclusion
4 Probabilistic Encryption
5 El Gamal PKC
6 Provable Security Against Passive Attacks

Review of RSA: Idea of Public-Key Cryptography
(Slide 3 consists of a diagram only; it is not reproduced in this text extract.)

Review of RSA: RSA Setup (Key Generation)
The designer
1 Selects two distinct large primes $p$ and $q$ (each around $2^{1536} \approx 2.4 \cdot 10^{462}$).
2 Computes $n = pq$ and $\phi(n) = (p-1)(q-1)$.
3 Selects a random integer $e \in \mathbb{Z}_{\phi(n)}^*$ (so $1 \le e < \phi(n)$ and $\gcd(e, \phi(n)) = 1$).
4 Solves the linear congruence $de \equiv 1 \pmod{\phi(n)}$ for $d \in \mathbb{Z}_{\phi(n)}^*$ via the Extended Euclidean Algorithm.
5 Keeps $d, p, q$ secret and makes $n$ and $e$ public:
  the public key is $K_1 = (e, n)$;
  the private key is $K_2 = \{d\}$ (or $(d, p, q)$; see Assignment 3).
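The five setup steps above, followed by encryption and decryption to confirm that the key pair works, as an added, self-contained example (this is not code from the course). Step 1 uses Miller-Rabin rather than the Fermat test named on the Efficiency slide, because Fermat is fooled by Carmichael numbers such as 561; the `fermat_test` function is included only to show that failure. The key size parameter and the `SMALL_PRIMES` trial-division list are choices of this example, not of the slides.

```python
# RSA key generation, encryption and decryption following the five setup steps
# on the slide. Added, self-contained example (not course code); Miller-Rabin
# replaces the Fermat test because Fermat accepts Carmichael numbers.
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def fermat_test(n: int, a: int) -> bool:
    """Fermat test with base a: every prime passes, but so does every
    Carmichael number (e.g. 561 = 3*11*17) for any base coprime to n."""
    return pow(a, n - 1, n) == 1


def is_probable_prime(n: int, rounds: int = 64) -> bool:
    """Miller-Rabin. A composite survives one round with probability <= 1/4,
    so 64 rounds bound the error by 2^-128, beyond the 2^-100 target."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:                  # cheap trial division first
        if n % p == 0:
            return n == p
    d, s = n - 1, 0                         # n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)    # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                    # a is a witness: n is composite
    return True


def random_prime(bits: int) -> int:
    """Step 1: PRNG candidates (top bit and low bit forced) + primality test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 3072, e: int = 65537):
    """Steps 1-5. `bits` is the size of n (3072 on the slide; smaller values
    are for experiments only). Returns ((e, n), (d, p, q))."""
    while True:
        p = random_prime(bits // 2)
        q = random_prime(bits // 2)
        phi = (p - 1) * (q - 1)                     # step 2
        if p != q and gcd(e, phi) == 1:             # step 3: e must be a unit mod phi
            break
    d = pow(e, -1, phi)                             # step 4: EEA modular inverse
    return (e, p * q), (d, p, q)                    # step 5: public, private


def encrypt(m: int, pub) -> int:
    e, n = pub
    if not 0 < m < n:
        raise ValueError("message must be blocked to be smaller than n")
    return pow(m, e, n)                             # binary exponentiation


def decrypt(c: int, priv) -> int:
    d, p, q = priv
    return pow(c, d, p * q)                         # correct by Euler's Theorem


if __name__ == "__main__":
    pub, priv = generate_keypair(1024)              # 1024 bits only for a quick run
    m = 1 + secrets.randbelow(pub[1] - 1)
    print("roundtrip ok:", decrypt(encrypt(m, pub), priv) == m)
    print("Fermat(561, 2) =", fermat_test(561, 2),
          "Miller-Rabin(561) =", is_probable_prime(561))
```

Note that `e = 65537` is fixed here rather than drawn at random as in step 3; the slide allows either, and the loop simply regenerates primes in the rare case that $\gcd(e, \phi(n)) \ne 1$.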
Review of RSA: RSA Encryption and Decryption
Encryption: Messages for the designer are integers in $\mathbb{Z}_n^*$; if a message exceeds $n$, block it into blocks smaller than $n$. To send $M$ encrypted, compute and send
  $C \equiv M^e \pmod n$ where $0 < C < n$.
Decryption: To decrypt $C$, the designer computes
  $M \equiv C^d \pmod n$ where $0 < M < n$.
Correctness of the system is proved via Euler's Theorem.

Efficiency of RSA
Set-up (need only be done once):
- Prime generation uses a pseudo-random number generator (PRNG), followed by a probable primality test (like the Fermat test).
- Generating $e$ again requires a PRNG and one gcd calculation (EA) – or just pick your favourite $e$.
- Computing $n$ and $\phi(n)$ is negligible.
- Computing $d$ requires finding a modular inverse (EEA).
Encryption and Decryption: modular exponentiation (like Diffie-Hellman). Both encryption and decryption can be done efficiently using binary exponentiation.

Security of RSA: Mathematical Security of RSA
RSA Problem (extracting $e$-th roots modulo $n$): Given $e$, $n$ and $C \in \mathbb{Z}_n^*$, find $M \in \mathbb{Z}_n^*$ with $M^e \equiv C \pmod n$.
Integer Factorization Problem (IFP): Given an integer $N > 1$, find a non-trivial factor of $N$.
If an adversary can solve an instance of the IFP, she can solve the RSA problem (by factoring $n$ and finding the private key $d$ in the same way as the designer).
Note: It is unknown if there are ways of solving the RSA problem without factoring (or solving one of the other equivalent problems listed below).

Security of RSA: Total Breaks of RSA
The following approaches break RSA (assume $(e, n)$ is known):
  Factoring $n$, i.e. finding $p, q$
    ⇓ $\phi(n) = (p-1)(q-1)$
    ⇑ Solve $x^2 - (n - \phi(n) + 1)x + n = 0$ for $x$
  Finding $\phi(n)$
    ⇓ Solve $ed \equiv 1 \pmod{\phi(n)}$
    ⇑ See Algorithm 6.10 in Stinson-Paterson
  Finding the private key $d$
The quadratic equation above has two solutions, namely $p$ and $q$ (since $p + q = n - \phi(n) + 1$ and $pq = n$).
There is an efficient (Las Vegas) algorithm that, given any multiple of $\phi(n)$, factors $n$ (and hence finds $\phi(n)$) with high probability: each trial succeeds with probability at least $1/2$. Note that $ed - 1$ is such a multiple.
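The three trapdoors of the Total Breaks slide computed from one another, as an added example (not course code): $\{p, q\} \to \phi(n) \to d$ in the obvious direction, $\phi(n) \to \{p, q\}$ via the quadratic above, and $d \to \{p, q\}$ via a Las Vegas factoring routine in the style of Algorithm 6.10 (the multiple of $\phi(n)$ used is $ed - 1$). The 20-bit primes and the exponent $e = 65537$ are constructed toy values; the routines themselves do not depend on the size of $n$.

```python
# The three trapdoors of the Total Breaks slide, {p, q}, phi(n) and d, computed
# from one another. Added example, not course code. Toy 20-bit primes are
# constructed inline; the algorithms are size-independent.
from math import gcd, isqrt


def phi_from_primes(p: int, q: int) -> int:
    return (p - 1) * (q - 1)                    # {p, q}  ->  phi(n)


def d_from_phi(e: int, phi: int) -> int:
    return pow(e, -1, phi)                      # phi(n)  ->  d  (EEA)


def primes_from_phi(n: int, phi: int):
    """phi(n) -> {p, q}: p + q = n - phi + 1 and pq = n, so p and q are the
    roots of x^2 - (n - phi + 1)x + n = 0."""
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        raise ValueError("phi is not phi(n) for this n")
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        raise ValueError("phi is not phi(n) for this n")
    return (s + r) // 2, (s - r) // 2


def factor_from_multiple_of_phi(n: int, m: int, max_bases: int = 200):
    """Las Vegas factoring in the style of Stinson-Paterson Algorithm 6.10:
    given m with phi(n) | m, write m = 2^s * r (r odd). For a base a coprime
    to n, a^m = 1 mod n, so squaring a^r repeatedly reaches 1; if the value
    just before 1 is not -1 it is a non-trivial square root of 1 mod n, and
    gcd(x - 1, n) is then a proper factor. A random base succeeds with
    probability at least 1/2; small consecutive bases are tried here."""
    s, r = 0, m
    while r % 2 == 0:
        s += 1
        r //= 2
    for a in range(2, 2 + max_bases):
        g = gcd(a, n)
        if 1 < g < n:
            return g                            # lucky: a shares a factor with n
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue                            # this base tells us nothing
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:
                return gcd(x - 1, n)            # x^2 = 1 with x != +-1
            if y == n - 1:
                break                           # chain passes through -1: no luck
            x = y
    return None


def factor_from_d(n: int, e: int, d: int):
    """d -> {p, q}: ed - 1 is a multiple of phi(n). Returns (larger, smaller)."""
    g = factor_from_multiple_of_phi(n, e * d - 1)
    return None if g is None else (max(g, n // g), min(g, n // g))


# Constructed toy instance (both factors are prime; n is only about 40 bits).
P, Q = 1000003, 999983
N, E = P * Q, 65537
D = d_from_phi(E, phi_from_primes(P, Q))

if __name__ == "__main__":
    print("from phi:", primes_from_phi(N, phi_from_primes(P, Q)))
    print("from d:  ", factor_from_d(N, E, D))
```

The practical consequence for key management: revealing $d$ (for example by reusing a modulus $n$ for two key pairs) is exactly as bad as revealing $p$ and $q$.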
Security of RSA: Total Breaks of RSA, cont.
All three approaches on the previous slide are computationally equivalent: if one can be achieved, either of the other two can be achieved with very little computational overhead. So there are three equally good trapdoors here: $\{p, q\}$, $\phi(n)$ and $d$.
There is no proof that RSA is secure!
- No proof that factoring is hard.
- Not known whether there are methods for solving the RSA problem that do not rely on factoring (i.e. not known whether breaking RSA is equivalent to factoring $n$).
In any case, we need to design RSA systems such that $n = pq$ cannot be factored easily.

Security of RSA: Factoring Record – Hot off the Press!
The fastest known factoring algorithm is again the Number Field Sieve (slightly different from the DLP NFS, but invented first). Run time:
  $\exp\!\left(c\,(\log n)^{1/3} (\log\log n)^{2/3}\right) = n^{\,c\,(\log\log n / \log n)^{2/3}}$ with $c = \sqrt[3]{64/9} = 1.92\ldots$
Current RSA modulus factoring record: RSA-250 (250 decimal digits, 829 bits): Boudot-Gaudry-Guillevic-Heninger-Thomé-Zimmermann (February 2020, same people as the DLP record):
21403246502407449612644230728393335630086147151447550177977549208814180234471401366433455190958046796109928518724709145876873 96261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937
= 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367
× 33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711
2700 core years with Intel Xeon Gold 6130 CPUs 2.1GHz as reference.
See https://en.wikipedia.org/wiki/RSA_Factoring_Challenge

Security of RSA: Choice of RSA Parameters
Requirements for $p$ and $q$:
1 Probable primes, with the probability of being composite negligible (say at most $2^{-100}$) — use a good probabilistic primality test.
2 Large: at least $2^{1536} \approx 2.4 \cdot 10^{462}$ (so $n$ is 3072 bits).
3 Not too close together: $|p - q| > 2^{128}$ for $p, q \approx 2^{1536}$.
4 $p$ and $q$ must be strong primes, i.e. $p-1$, $q-1$, $p+1$, $q+1$ all have a large prime factor (see p. 291 of the Handbook of Applied Cryptography). E.g. pick a Sophie Germain prime $p'$ (so $p = 2p'+1$ is a safe prime) such that $(p+1)/4 = (p'+1)/2$ is prime or has a large prime factor; same for $q$. Choosing random $p, q$ may be sufficient (Rivest-Silverman 1999).
5 $p/q$ should not be near the ratio of two small (relatively prime) integers $a/b$ (say $a, b \le 100$).

Security of RSA: Choice of RSA Parameters, cont.
Requirement for $e$:
- For efficiency reasons, $e$ is often chosen small; a popular choice is $e = 2^{16} + 1 = 65537$ (great for binary exponentiation: only two '1' bits, so 16 squarings and a single multiplication).
- Beware of really small $e$ for certain applications! In practice, $e = 3$ can be used, but only when RSA is used in conjunction with a secure padding mechanism (e.g. OAEP — next week!).
Requirement for $d$:
- $d > n^{0.25}/3$ (Wiener, 1990; see Section 6.7.3 of Stinson-Paterson). Wiener's continued fraction attack recovers $d$ whenever $d < n^{1/4}/3$ (assuming $q < p < 2q$ and $e < n$).
- $d > n^{0.292}$ (Boneh & Durfee 2000, extension of Wiener's attack).
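Wiener's attack from the requirement on $d$, carried out on a constructed toy key, as an added example (not course code). The key uses the 20-bit primes $p = 1000003$, $q = 999983$ (so $q < p < 2q$) and a deliberately tiny $d = 101 < n^{1/4}/3$; the public exponent is then derived as $e = d^{-1} \bmod \phi(n)$. Each convergent $k/d$ of $e/n$ is tried as a guess, and a guess is confirmed by recovering $\phi(n) = (ed-1)/k$ and solving the quadratic from the Total Breaks slide for $p$ and $q$.

```python
# Wiener's small-d attack (Stinson-Paterson Section 6.7.3): if d < n^(1/4)/3
# (with q < p < 2q and e < n), then k/d, where ed - 1 = k*phi(n), appears among
# the convergents of the continued fraction of e/n. Added example, not course
# code; the toy key below is constructed with a deliberately tiny d.
from math import isqrt


def continued_fraction(num: int, den: int):
    """Partial quotients [a0; a1, a2, ...] of num/den via the Euclidean algorithm."""
    quotients = []
    while den:
        a, rem = divmod(num, den)
        quotients.append(a)
        num, den = den, rem
    return quotients


def convergents(quotients):
    """Yield (h_i, k_i) with h_i/k_i the i-th convergent, in lowest terms."""
    h_prev2, h_prev1 = 0, 1
    k_prev2, k_prev1 = 1, 0
    for a in quotients:
        h_prev2, h_prev1 = h_prev1, a * h_prev1 + h_prev2
        k_prev2, k_prev1 = k_prev1, a * k_prev1 + k_prev2
        yield h_prev1, k_prev1


def wiener_bound(n: int) -> int:
    """Largest d Wiener's theorem guarantees to recover: floor(n^(1/4) / 3)."""
    return isqrt(isqrt(n)) // 3


def wiener_attack(e: int, n: int):
    """Try each convergent k/d of e/n as a guess for (k, d); confirm a guess
    by recovering phi = (ed - 1)/k and solving x^2 - (n - phi + 1)x + n = 0
    for p and q. Returns (d, p, q) or None."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k != 0:
            continue                                # cannot be (k, d): k | ed - 1 fails
        phi = (e * d - 1) // k
        s = n - phi + 1                             # candidate p + q
        disc = s * s - 4 * n
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            p, q = (s + r) // 2, (s - r) // 2
            if p * q == n:
                return d, p, q                      # only the true phi factors n
    return None


# Constructed toy key: 20-bit primes with q < p < 2q and d = 101 < n^(1/4)/3.
P, Q = 1000003, 999983
N = P * Q
D = 101
E = pow(D, -1, (P - 1) * (Q - 1))                 # e is derived from the tiny d

if __name__ == "__main__":
    print("Wiener bound:", wiener_bound(N), "recovered (d, p, q):", wiener_attack(E, N))
```

Choosing a random $d$ of full size (as the setup procedure does when $e$ is chosen first and $d$ derived) keeps $d$ far above both bounds; the attack only applies when someone picks a small $d$ to speed up decryption.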
Security of RSA: Multiplicative Attacks on RSA
"Textbook" RSA is not secure against multiplicative attacks.
Multiplicative (or homomorphic) property of RSA:
  $(M_1 M_2)^e \equiv M_1^e M_2^e \equiv C_1 C_2 \pmod n$,
i.e. the encryption of a product is the same as the product of the encryptions.
This means that a factorization of the plaintext implies one of the corresponding ciphertext, which can be exploited in two attacks.

Security of RSA: Adaptive CCA on RSA
An attacker wishing the decryption $M$ of some RSA ciphertext $C$ proceeds as follows:
1 Generates $X \in \mathbb{Z}_n^*$ with $X^e \not\equiv 1 \pmod n$.
2 Computes $C' \equiv C X^e \pmod n$ (this is the chosen ciphertext; note that $C' \ne C$).
3 Obtains the corresponding plaintext $M' \equiv (C')^d \equiv C^d (X^e)^d \equiv MX \pmod n$.
4 Computes $M \equiv M' X^{-1} \pmod n$, where $X^{-1}$ is the inverse of $X \pmod n$.

Security of RSA: Meet-in-the-Middle Attack on RSA (Passive)
If $M \approx 2^k$ for some bit length $k$, then with non-negligible probability, $M$ is composite and satisfies $M = M_1 M_2$ with $M_1, M_2 \approx 2^{k/2}$.
The probability that a number of 40–64 bits factors into equal-size factors is between 18 and 50 percent (see Table 1 of "Why textbook El Gamal and RSA encryption are insecure (extended abstract)" by Boneh, Joux, and Nguyen, ASIACRYPT 2000).
The adversary builds a list $\{1^e, 2^e \bmod n, \ldots, \lfloor 2^{k/2} \rfloor^e \bmod n\}$ (stored in a hash table keyed on the value, so lookups are constant time) and their inverses $\bmod n$.
She then searches for a match $C i^{-e} \pmod n$ in the list ($i^{-e}$ is the modular inverse of $i^e$). If $C i^{-e} \equiv j^e \pmod n$ for some $j$, then $M \equiv ij \pmod n$.
Requires $2 \cdot 2^{k/2}$ modular exponentiations (the rest is negligible).

Security of RSA: Example Application of Meet-in-the-Middle
Hybrid encryption: consider the case where a 2048-bit RSA modulus is used to encrypt a 56-bit DES key.
Here, $k = 56$ and each $i^e \bmod n$ takes about $\log_2(n) \approx 2048$ bits of storage.
The list requires $2^{28} \cdot 2048 = 2^{39}$ bits of storage (about 64 GB).
Requires $2^{29}$ modular exponentiations.
This is easily done on a PC.
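Both multiplicative attacks run against a constructed toy key, as an added example (not course code). The key uses the primes $2^{32}-5$ and $2^{32}+15$ (assumed prime here) with $e = 65537$, so that the modulus is only 64 bits and the search finishes instantly; the decryption oracle is a hypothetical stand-in for a server that decrypts any ciphertext except the challenge itself. The meet-in-the-middle part uses a 20-bit "session key" in place of the 56-bit DES key, so $2^{k/2} = 1024$ table entries suffice.

```python
# The two multiplicative attacks of these slides against textbook RSA, run on
# a constructed 64-bit toy key. Added example, not course code. The CCA part
# simulates a decryption oracle that refuses only the challenge ciphertext
# (the standard adaptive-CCA rule); the meet-in-the-middle part uses a 20-bit
# "session key" so the 2^(k/2) = 1024-entry table builds instantly.
from math import gcd

# Constructed toy key (2^32 - 5 and 2^32 + 15 are assumed prime; e = 65537 is
# coprime to phi(n) for this pair).
P, Q = 4294967291, 4294967311
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def encrypt(m: int, e: int = E, n: int = N) -> int:
    return pow(m, e, n)


def make_oracle(challenge: int, d: int = D, n: int = N):
    """Decryption oracle as seen by an adaptive CCA adversary: decrypts
    anything except the challenge ciphertext itself."""
    def oracle(c: int) -> int:
        if c == challenge:
            raise PermissionError("oracle refuses the challenge ciphertext")
        return pow(c, d, n)
    return oracle


def cca_blinding_attack(c: int, oracle, e: int = E, n: int = N,
                        x: int = 123456789) -> int:
    """Steps 1-4 of the Adaptive CCA slide: blind C with X^e, get M*X from
    the oracle, unblind with X^{-1}."""
    if gcd(x, n) != 1 or pow(x, e, n) == 1:      # step 1: X in Z_n^*, X^e != 1
        raise ValueError("pick a different X")
    c_prime = (c * pow(x, e, n)) % n              # step 2: C' = C * X^e  (C' != C)
    m_prime = oracle(c_prime)                     # step 3: M' = (C')^d = M * X
    return (m_prime * pow(x, -1, n)) % n          # step 4: M = M' * X^{-1}


def meet_in_the_middle(c: int, k: int, e: int = E, n: int = N):
    """Passive attack: if M = i * j with i, j <= 2^(k/2), find M from C alone.
    Cost: 2 * 2^(k/2) modular exponentiations and a 2^(k/2)-entry table."""
    bound = 1 << (k // 2)
    table = {pow(j, e, n): j for j in range(1, bound + 1)}   # j^e mod n -> j
    for i in range(1, bound + 1):
        target = (c * pow(i, -e, n)) % n          # C * i^{-e}; equals j^e iff M = i*j
        j = table.get(target)
        if j is not None:
            return i * j
    return None                                   # M has no such split


if __name__ == "__main__":
    m = 997 * 1009                                # a 20-bit "key" that splits evenly
    c = encrypt(m)
    print("CCA blinding recovers M:", cca_blinding_attack(c, make_oracle(c)) == m)
    print("meet-in-the-middle recovers M:", meet_in_the_middle(c, 20) == m)
```

Both attacks rely on the plaintext being the bare integer $M$; randomized, structured padding such as OAEP (the secure padding mechanism mentioned under the choice of $e$) destroys the multiplicative relation between plaintexts and is the standard countermeasure.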