RSA Public Key CryptoSystemOne way Trapdoor Functions

Diffie and Hellman (76)“New Directions in Cryptography”

Split the Bob’s secret key K to two parts:

• KE , to be used for encrypting messages to Bob.• KD , to be used for decrypting messages by Bob.KE can be made public (public key cryptography, assymetric cryptography)

Integer Multiplication & Factoring as a One Way Function.

p,q N=pqhard

easy

Q.: Can a public key system be basedon this observation ?????

Excerpts from RSA paper (CACM, 1978)The era of “electronic mail” may soon be upon us; we mustensure that two important properties of the current “papermail” system are preserved: (a) messages are private, and (b)messages can be signed. We demonstrate in this paper howto build these capabilities into an electronic mail system.

At the heart of our proposal is a new encryption method.This method provides an implementation of a “public-keycryptosystem,” an elegant concept invented by Diffie andHellman. Their article motivated our research, since theypresented the concept but not any practical implementationof such system.

The Multiplicative Group Zpq*

Let p and q be two large primes and N=pq be theirproduct.

The multiplicative group ZM* =Zpq* containsall integers in the range [1,pq-1] that arerelatively prime to both p and q.

The size of the group isφ(pq) = (p-1) (q-1) = N - (p+q) + 1,so for every x ∈∈ Zpq*, x(p-1)(q-1) = 1.

Exponentiation in Zpq*

Motivation: We want to exponentiation forencryption.Note that not all integers in {1,2,..,pq-1} belong to

Zpq*. These elements do not have an inverse inZpq* (therefore multiplication in Zpq* is not a one-to-one mapping)

However the choice of e impliesLet e be an integer, 1 < e < (p-1) (q-1).

Question: When is exponentiation to the eth

power, x --> xe, a one-to-one op in Zpq* ?

Exponentiation in Zpq*

Claim: If e is relatively prime to (p-1)(q-1)then x --> xe is a one-to-one op in Zpq*

Constructive proof: Since gcd(e, (p-1)(q-1))=1,e has a multiplicative inverse mod (p-1)(q-1).Denote it by d, then ed=1 + C(p-1)(q-1).

Let y=xe, then yd =(xe)d=x1+C(p-1)(q-1) =xmeaning y --> yd is the inverse of x-->xe QED

RSA Public Key Cryptosystem• Let N=pq be the product of two primes• Choose e such that gcd(e,φ(N))=1• Let d be such that de≡1 mod φ(N)• The public key is (N,e)• The private key is d• Encryption of M∈ZN* by C=E(M)=Me mod N• Decryption of C∈ZN* by M=D(C)=Cd mod N

“The above mentioned method should not be confused with the exponentiation technique presented by Diffie and Hellman to solve the key distribution problem”.

Constructing an instance of RSA PKC• Alice first picks at random two large primes, p

and q.• Alice then picks at random a large d that is

relatively prime to (p-1)(q-1) ( gcd(d,φ(N))=1 ).• Alice computes e such that de≡1 mod φ(N)

• Let N=pq be the product of p and q.• Alice publishes the public key (N,e).• Alice keeps the private key d, as well as the

primes p, q and the number φ(N), in a safe place.

A Small Example• Let p=47, q=59, N=pq=2773. φ(N)=

46*58=2668.

Pick d=157, then 157*17 - 2668 =1, so e=17 isthe inverse of 157 mod 2668.For N =2773 we can encode two letters perBlock, using a two digit number per letter:blank=00, A=01,B=02,…,Z=26.Message: ITS ALL GREEK TO ME is encoded0920 1900 0112 1200 0718 0505 1100 2015 0013 0500

A Small Example

N=2773, e=17 (10001 in binary).ITS ALL GREEK TO ME is encoded as0920 1900 0112 1200 0718 0505 1100 2015 0013 0500

First block M=0920 encrypts to

Me= M17 = (((M2)2 )2 )2 * M = 948 (mod 2773)The whole message (10 blocks) is encrypted as0948 2342 1084 1444 2663 2390 0778 0774 0219 1655

Indeed 0948d=0948157=920 (mod 2773), etc.

RSA: implementation

1. Finda large prime numbers (random)Algorithm:

- randomly choose a random odd integer i- check whether i is prime (we’ll see soon)

Note:- Prime numbers are frequent (between Nand

2N there are ≈ N/log N prime numbers)- Hence by randomly choosing an odd you

expect to find a prime every log N attempts

RSA: implementation2. Coding algorithm (compute exponentiation) Algoritmo per

ottenere una codifica veloceCompute power by repeated squaring (so computing power of

2, 4, 8,..) and then executing multiplication (based on binarynotation of the exponent e)

- No. Of operation required: O(log N)- Constant no. of operations if e is small and its binary

reprensetation has few onesexample:- e= 3, compute M^2 mod N,

M^3 mod N = ((M mod N) * (M^2 mod N)) mod N- e= 65537 (2^16 + 1), compute M^2 mod N,M^4 mod N, M^8

mod N, M^16 mod N ... M^65536 mod Ncomplete by computing M* M^65536 - total 5 multiplicat.

RSA as a One Way Trapdoor Function.

x xe mod Nhard

easy

Easy with trapdoor info ( d )

Trap-Door OWF

• Definition: f:D→R is a trap-door one wayfunction if there is a trap-door s suchthat:– Without knowledge of s, the function f is a one

way function– Given s, inverting f is easy

• Example: fg,p(x) = gx mod p is not a trap-door one way function.

• Example: RSA is a trap-door OWF.

RSA as a collection of Trap-doorOWF

Note: RSA is a method that depends on the parameter givenby the key

Def.: Let I be a set of indices and D a finite set. A collectionof trap-door one way function is a set of function F

fi:Di→Ri such that for all i in I fi is a trap-door one wayfunction

Idea: We need an algorithm that given a security parameterselect a random function fi in F together with a trapdoor tiinformation

Security of RSA vs computing factors

• Fact 1: given n, e, p and q it is easy to compute d• Fact 2: given n, e,

– If you factor n then you can compute φ(n)– If you factor n then you can compute d

• Conclusion:– If you factor n then you invert RSA– OPEN QUESTION: if you invert RSA can you factor n?

NOTE: factoring large numbers is an open problemsince thousands of years…

Attacks on RSA

NOTE: RSA robustness does not imply it is robust always.In fact1. Factor N=pq. This is believed hard unless p, q have some

“bad” properties. To Avoid such primes, it isrecommended to

• Take p, q large enough (100 digits each).• Make sure p, q are not too close together.• Make sure both (p-1), (q-1) have large prime factors

(otherwise there is a good factoring algorithm).2. Some messages might be easy to decode

Properties of RSA

• The requirement (e,ϕ(n))=1 is important foruniqueness

• Finding d, given p and q is easy. Finding d givenonly n and e is assumed to be hard (the RSAassumption)

• The public exponent e may be small. Typically itsvalue is either 3 (problematic) or 216+1

• Each encryption involves several modularmultiplications. Decryption is longer.

RSA: Attacks

Factor N=pq: RSA challenges (sfide)RSA Security publics challenges for factoring:- RSA 426 bit, 129 digit:

- published 1977- factored in 1994 (8 months using 1600 computer in internet

(10000 Mips))- RSA 576 bit, 173 digit: factored in dec. 2003, 10000 $- RSA 640 (prize 20K$), RSA 1024 (100K$), RSA 2048

(200K$)

RSA: AttacksFactoring is difficult in general• BUT there are cases in which decoding

RSA is easy• Easy messages: eg m= 0,1,n-1 then RSA(m)

= m: SOLUT: rare messages, use salt• If m is small and e is small (eg e=3) then it

may happen that m^3 < n; thereforem^3 mod n = m^3

adversary computes cubic root SOLUT.Add random bytes at the beginning of themessage to avoid these cases

RSA - Attacks

Small value of e (eg e=3)• If adevrsary has two encoding of similar

messages, eg m and (m+1)c1= m^3 mod n and c2= (m+1)^3 mod n

• in this case we havem = (c2+ 2 c2 -1)/ (c2 - c1 +2)

• Similar problem if the two mess. are m and(am + b)

SOLUT.: choose large e / add random bits -to avoid similar messages

RSA - Attacks

• If messages space is small then the adversary cancompute all possible encodingsexample: adevrsary knows encoded messages andknows that m is either

m1=10101010 o m2=01010101adversary code m1 and m2 using public key andthen checks the correct messages

• SOLUT: add random string to increase messagespace

•

RSA - Attacks

• If two users have same n (even different e and d)then sysem is weak

SOLUT: choose your own n (there are primenumbers; so the probability you choose the samen is very very small)

Important: we need algorithms to cchoose randomnumbers

RSA : Attacks

chosen ciphertext attack using multiplicativeproperty of RSA:– Adversary knows c = Me mod n– Adversary randomly chooses X and computes

c’ = c Xe mod n– Adversary ask Alice to decode c’– Alice computes (c’)d = c d (X e) d = M X mod n !!– Adversary knows X and computes M !!!

• Solution: messages should be strucutured (Adoes not decode if M does verify requiredstructure)

RSA - implementation attacks

Known attacks:• Timing: uses time used for computing Cd

(small time implies small d)Analougously• Energy: analyses how much energy is

required by a smart card to compute Cd

RSA- attacks: conclusion

Textbook implementation of RSA is NOT safe• Does not guarantee basic security properties for

all messagesTherefore you must use a STANDARD version• Given a message M before encoding• preproces M to obtain M’ and then apply RSA M’

(M and M’ have the same semantic)M M’ CRSA

Public-Key Crypto. Standard (PKCS)Standard to use RSA and cryptography protocols• Many versions (1-15).• PKCS-1: standard to encode messages (byte)

m= 0||2||at least 8 non zero byte || 0|| M(M message to be sent)• first byte 0 implies m< n • second byte (2 = 00000010) denotes encoding of

a message (1 denotes signature of messages) ; itimplies message is big

• Random bytes imply– Same message sent several times is each time

different;– Adversary that knows message space cannot

encode and verify (adv. Does not know randomnumber used for coding the block)

RSA and Data integrity:OAEPOAEP (also known as PKCS-1 version 2)• codif. c= RSA[M || 0k1 exor G(r)] ||

[(H(RSA[M || 0k1 exor G(r)]) exor r]• k0, k1 known constants; G,H known hash function;

r random string of k0 bit (chosen by the sender);• Decode; let c, c= s||t, be decoded text (t last k0

bits); u=t exorH(s); v=s exor G(u); ACCEPT if v =m || 0k1; OTHERWISE REJECT

• Random r implies that OAEP is robust also in thecase of chosen ciphertext (we assume H and Gare cryptographic strong hash functions)

Basic Scheme of Public key Crypt.

• A public key encryption scheme includesthe following elements:– A private key k– A public key k’– An encryption algorithm, which is a trap door

OWF. The trap-door info is the private key• Public key is published• Encryption uses the public key (anyone can

encrypt)• Decryption requires the private key

El-Gamal Encryption

• Constructed by El-Gamal in 1985• Similar to DH• Alice publishes p, g as public parameters• Alice chooses x as a private key and

publishes gx mod p as a public key• Encryption of m∈Zp by sending (gy mod p,

mgxy mod p) or (gy mod p, m+gxy mod p)• Requires two exponentiations per each

block transmitted.

Real World usage

Two words: Key Exchange

In fact: RSA (as other known Public Keyalgorithms) is slow. So it is generally usedto define a secret key (say using Diffieand Hellman).