Tutorial on Public Key Cryptography – RSA (14)
© Eli Biham - May 3, 2005

RSA – the Key Generation – Example

1. Randomly choose two prime numbers $p$ and $q$.
   We choose $p = 11$ and $q = 13$.
2. Compute $n = pq$.
   We compute $n = pq = 11 \cdot 13 = 143$.
3. Randomly choose an odd number $e$ in the range $1 < e < \varphi(n)$ which is coprime to $\varphi(n)$ (i.e., $e \in Z^*_{\varphi(n)}$).
   $\varphi(n) = \varphi(p) \cdot \varphi(q) = 10 \cdot 12 = 120$. Thus, we choose $e = 7$ ($e \in Z^*_{120}$).
4. Compute $d \equiv e^{-1} \pmod{\varphi(n)}$ by Euclid's algorithm. Thus, $de \equiv 1 \pmod{\varphi(n)}$.
   We compute $d \equiv e^{-1} \equiv 7^{-1} \equiv 103 \pmod{\varphi(143) = 120}$.
   Check that $120 \mid 7 \cdot 103 - 1 = 721 - 1 = 720$.

RSA – the Key Generation – Example (cont.)

5. Publish $(n, e)$ as the public key, and keep $d$ secret as the secret key.
   We publish $(n, e) = (143, 7)$ as the public key, and keep $d = 103$ secret as the secret key.

RSA – Encryption/Decryption – Example

The encryption algorithm $E$: Everybody can encrypt messages $m$ ($0 \le m < n_A$) to user A by

$c = E_A(m) = m^{e_A} \bmod n_A$.

The ciphertext $c$ ($0 \le c < n_A$) can be sent to A, and only A can decrypt.

Encrypt $m = 3$:

$E_A(m) \equiv m^{e_A} \equiv 3^7 \equiv 42 \pmod{143}$

RSA – Encryption/Decryption – Example (cont.)

The decryption algorithm $D$: Only A knows his secret key $d_A$ and can decrypt:

$m = D_A(c) = c^{d_A} \bmod n_A$.

Decrypt $c = 42$:

$D_A(c) \equiv c^{d_A} \equiv 42^{103} \equiv 3 \pmod{143}$

Decrypt $c = 2$:

$D_A(c) \equiv c^{d_A} \equiv 2^{103} \equiv 63 \pmod{143}$

Existential Forgery of an RSA Signature

Given a public key $(n_A, e_A)$ of user A, can another user B create a message $m$ and a signature $D_A(m) \equiv m^{d_A} \pmod{n_A}$?

User B can forge a signature in the following way: B chooses $y \in Z_n$ and calculates $x \equiv E_A(y) = y^{e_A} \pmod{n_A}$. Now B can claim that $y \equiv x^{d_A} \pmod{n_A}$ is A's signature on $x$.

Multiplication Property of RSA

Multiplication Property: Given a public key $(n_A, e_A)$ of user A, and $m_1, m_2 \in Z_n$, then

$E_A(m_1 \cdot m_2) \equiv E_A(m_1) \cdot E_A(m_2) \pmod{n}$

Proof:

$E_A(m_1) \equiv m_1^{e_A} \pmod{n_A}$
$E_A(m_2) \equiv m_2^{e_A} \pmod{n_A}$

and,

$E_A(m_1 \cdot m_2) \equiv (m_1 \cdot m_2)^{e_A} \equiv m_1^{e_A} \cdot m_2^{e_A} \equiv E_A(m_1) \cdot E_A(m_2) \pmod{n_A}$

QED
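
The forgery and the multiplication property above, checked against two verifiers, as an added example that is not part of the original slides. The key (two Mersenne primes), the SHA-256 based `h` standing in for $H$, and all function names are assumptions made for the illustration.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def sign_raw(m):
    """Textbook signature D_A(m) = m^d mod n."""
    return pow(m, D, N)

def verify_raw(m, sig):
    """Accept iff sig^e = m (mod n)."""
    return pow(sig, E, N) == m % N

def h(m):
    """Hash an integer message into Z_N (assumed stand-in for H)."""
    data = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_hashed(m):
    """Sign H(m) instead of m."""
    return pow(h(m), D, N)

def verify_hashed(m, sig):
    """Accept iff sig^e = H(m) (mod n)."""
    return pow(sig, E, N) == h(m)

def forged_pair(y):
    """The slide's construction: x = y^e mod n, claimed signature y; uses only (n, e)."""
    return pow(y, E, N), y

def product_signature(s1, s2):
    """Multiply two signatures; under raw RSA this signs m1 * m2."""
    return s1 * s2 % N
```

The raw verifier accepts both the forged pair and the product of two signatures; the verifier that checks against $H(m)$ rejects both, because the signer never exponentiated a value whose hash preimage is known.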

Random Self Reducibility of RSA

Problem: Given a public key $(n_A, e_A)$ of user A:

Assume we are given an algorithm, called ALG, which given $E_A(m) \equiv m^{e_A} \pmod{n_A}$ can find the message $m$ for $\frac{1}{100}$ of the possible cryptograms.

Show a polynomial random algorithm which given $E_A(m) \equiv m^{e_A} \pmod{n_A}$ finds the message $m$ with probability $\ge \frac{1}{2}$ for every cryptogram in $Z^*_{n_A}$.

Random Self Reducibility of RSA (cont.)

The Algorithm: Make $t$ iterations of the following:

1. Randomly choose $z \in Z^*_{n_A}$.
2. Calculate $z^{e_A} \pmod{n_A}$.
3. Let $x = \mathrm{ALG}(m^{e_A} z^{e_A} \pmod{n_A})$.
4. If $x^{e_A} \equiv m^{e_A} z^{e_A} \pmod{n_A}$ then output $x \cdot z^{-1} \pmod{n_A}$ and finish.

Random Self Reducibility of RSA (cont.)

Correctness: If algorithm ALG succeeds, i.e., outputs $x$ such that

$x^{e_A} \equiv (mz)^{e_A} \equiv m^{e_A} \cdot z^{e_A} \pmod{n_A}$

then $m \equiv x \cdot z^{-1} \pmod{n_A}$.

For $z \in Z^*_n$,

$\{ z \cdot x : x \in Z_n \} = z \cdot Z_n = Z_n$

because if for $x_1, x_2$ we have

$z \cdot x_1 \equiv z \cdot x_2 \pmod{n}$

then

$x_1 \equiv z^{-1} \cdot z \cdot x_1 \equiv z^{-1} \cdot z \cdot x_2 \equiv x_2 \pmod{n}$

Random Self Reducibility of RSA (cont.)

Thus, for every iteration we have $\frac{1}{100}$ probability of success, thus in order to find $m$ with probability $\ge \frac{1}{2}$, $t$ must satisfy:

$\left(\frac{99}{100}\right)^t \le \frac{1}{2}$

$t \log \frac{99}{100} \le \log \frac{1}{2}$

Thus, $t \ge 69$ suffices.

Note: Can we find the message when $E_A(m) \notin Z^*_{n_A}$?

When the cryptogram $E_A(m) \notin Z^*_n$, we can find either $p$ or $q$. Thus, we can find $d$ and then $m$.
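
The reduction above as a runnable simulation, added here and not taken from the original slides. The toy key, the rule by which the hypothetical `alg` inverts roughly 1/100 of cryptograms (`c % 100 == 0`), and the function names are assumptions; the non-invertible cryptogram case from the note is handled through the gcd.

```python
import random
from math import gcd, log, ceil

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def alg(c):
    """Hypothetical ALG: inverts only about 1/100 of the cryptograms."""
    return pow(c, D, N) if c % 100 == 0 else None

def iterations_needed(success=0.01, target=0.5):
    """Smallest t with (1 - success)^t <= 1 - target."""
    return ceil(log(1 - target) / log(1 - success))

def recover(c, t, rng):
    """Find m from c = m^e mod N using at most t calls to ALG."""
    if c % N == 0:
        return 0                          # only m = 0 encrypts to 0
    g = gcd(c, N)
    if g != 1:                            # c outside Z*_N: g is p or q
        d = pow(E, -1, (g - 1) * (N // g - 1))
        return pow(c, d, N)
    for _ in range(t):
        z = rng.randrange(2, N)
        if gcd(z, N) != 1:
            continue                      # z must lie in Z*_N
        target = c * pow(z, E, N) % N     # equals (m z)^e mod N
        x = alg(target)
        if x is not None and pow(x, E, N) == target:
            return x * pow(z, -1, N) % N  # m = x z^-1 mod N
    return None                           # all t re-randomised queries missed
```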

Random Self Reducibility of RSA (cont.)

Note: Let $p$ be a prime and $g$ be a generator of $Z^*_p$. Thus, for $a \in Z^*_p$ there exists $z$ such that $g^z \equiv a \pmod{p}$. This $z$ is called the discrete logarithm or index of $a$, modulo $p$, to the base of $g$. We denote this value as $\mathrm{ind}_{p,g}(a)$ or $\mathrm{DLOG}_{p,g}(a)$.

DLOG is also random self reducible given a generator $g$ of $Z^*_p$.

Blind Signatures

Usually when we sign a document we check its contents. But we might want people to sign documents without ever seeing them.

For example, Bob is a notary. Alice wants him to sign a document, but does not want him to have any idea what he is signing. Bob doesn't care what the document says, he is just certifying that he notarized it at a certain time.

1. Alice takes the document and uses a "blinding factor".
2. Alice sends the blinded document to Bob.
3. Bob signs the blinded document.
4. Alice computes the signature on the original document.

Blind Signatures using RSA

Can Bob, with a public key $(n, e)$, sign a message $m$ (actually signs $H(m)$) without knowing its contents?

Yes. We choose a random $\alpha \in Z^*_n$ and then ask Bob to sign

$E(\alpha) \cdot m \equiv \alpha^e \cdot m \pmod{n}$

we get:

$D(E(\alpha) \cdot m) \equiv (E(\alpha) \cdot m)^d \equiv (\alpha^e \cdot m)^d \equiv \alpha \cdot m^d \pmod{n}$

thus we need only to calculate $\alpha^{-1} \pmod{n}$:

$m^d \equiv \alpha^{-1} \cdot D(E(\alpha) \cdot m) \pmod{n}$

Note that the function $f(x) \equiv x^e \pmod{n}$ is a permutation of $Z_n$. Moreover, if $\alpha \in Z^*_n$ then $\alpha^e \in Z^*_n$.

An Example of Using Blind Signatures

Problem 1: Alice wants a virtual 100 dollar note.

Solution 1: Alice goes to the bank and asks for such a note. The bank gives Alice a signature on a virtual 100 dollar check.

Denote the bank's public key by $(n, e)$ and its secret key by $d$.

An Example of Using Blind Signatures (cont.)

Problem 2: The bank can trace this check to Alice.

Solution 2: Use a blind signature. The bank signs a check $m$ by using a blind signature: Alice wants to get $m^d$. Thus, Alice chooses a random $\alpha \in Z^*_n$ and then asks the bank to sign:

$E(\alpha) \cdot m \equiv \alpha^e \cdot m \pmod{n}$

now Alice needs only to calculate $\alpha^{-1} \pmod{n}$:

$m^d \equiv \alpha^{-1} \cdot D(E(\alpha) \cdot m) \pmod{n}$

An Example of Using Blind Signatures (cont.)

Problem 3: Alice can trick the bank into giving her a check worth more than 100 dollars.

Solution 3:

• Alice prepares 100 versions of the check $m_1, \ldots, m_{100}$.
• Alice chooses $\alpha_1, \ldots, \alpha_{100} \in Z^*_n$ at random.
• Alice gives $y_i = \alpha_i^e \cdot m_i \pmod{n}$ to the bank.
• The bank asks Alice to reveal 99 of the $\alpha$'s. Denote the remaining $\alpha$ by $\alpha_k$.
• The bank signs $y_k$.
• Alice calculates $m^d \equiv \alpha_k^{-1} \cdot (\alpha_k^e \cdot m)^d \pmod{n}$.

An Example of Using Blind Signatures (cont.)

Assume Alice tries to cheat by using one check $m_j$ which is worth a million dollars. If the bank does not ask for $\alpha_j$ then Alice gets a million dollars. On the other hand, if the bank does ask for $\alpha_j$, giving it the real $\alpha_j$ exposes her deceit. Alice would prefer to reveal $\beta_j$ such that

$m'_j \equiv y_j \cdot \beta_j^{-e} \pmod{n}$

where $m'_j$ is a check on 100 dollars.

$y_j \equiv m_j \cdot \alpha_j^e = m'_j \cdot \beta_j^e \pmod{n}$

thus,

$\beta_j^e \equiv \alpha_j^e \cdot m_j \cdot m'^{-1}_j \pmod{n}$

or

$\beta_j \equiv \alpha_j \cdot m_j^d \cdot m'^{-d}_j \pmod{n}$

Which means we can find $(m_j \cdot m'^{-1}_j)^d$.
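
Solution 3 and the cheating case analysed above, as a runnable sketch added here and not part of the original slides. The toy key, the integer check encoding `amount * UNIT + serial`, and all function names are assumptions; `k` is the index the bank leaves unopened.

```python
import secrets
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # bank's secret exponent
UNIT = 10**12                          # assumed encoding: amount * UNIT + serial

def make_check(amount):
    """Alice: encode a check for `amount` dollars with a random serial number."""
    return amount * UNIT + secrets.randbelow(UNIT)

def blind(m):
    """Alice: choose alpha in Z*_N, return (alpha, y = alpha^e * m mod N)."""
    while True:
        alpha = secrets.randbelow(N - 2) + 2
        if gcd(alpha, N) == 1:
            return alpha, pow(alpha, E, N) * m % N

def bank_sign(ys, reveal, k, amount=100):
    """Bank: open every y_i except y_k; sign y_k only if all opened checks are honest."""
    for i, y in enumerate(ys):
        if i != k and (y * pow(reveal(i), -E, N) % N) // UNIT != amount:
            return None                # an opened check has the wrong value
    return pow(ys[k], D, N)            # (alpha_k^e * m_k)^d mod N

def withdraw(amounts, k=None):
    """Run the protocol; k is the bank's secret choice (random unless fixed)."""
    if k is None:
        k = secrets.randbelow(len(amounts))
    checks = [make_check(a) for a in amounts]
    blinded = [blind(m) for m in checks]
    signed = bank_sign([y for _, y in blinded], lambda i: blinded[i][0], k)
    if signed is None:
        return None
    return checks[k], signed * pow(blinded[k][0], -1, N) % N   # m_k and m_k^d

def verify(m, sig):
    """Anyone: check sig^e = m (mod N) with the bank's public key."""
    return pow(sig, E, N) == m
```

With one dishonest check among 100, the bank refuses to sign whenever that check is among the 99 it opens, so the cheat survives only when the bank's random `k` happens to land on it.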

An Example of Using Blind Signatures (cont.)

Another approach: The bank will use different public keys for different bill values, i.e., the bank will use $(e_{100}, n_{100})$ for 100 dollar bills, $(e_{20}, n_{20})$ for 20 dollar bills, etc.

For a bill to be valid, it must be formatted like $m$ = "This is a 100 dollar bill, serial number: x", where the serial number is a very long random number chosen by Alice, and the bill must be signed using the appropriate public key.