Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Lecture 3.3: Public Key Cryptography III
CS 436/636/736 Spring 2012
Nitesh Saxena
Course Administration
• HW1 – due at 11am on Feb 06• Any questions, or help needed?
2
Outline of Today’s Lecture
• The RSA Cryptosystem (Encryption)
3
“Textbook” RSA: KeyGen• Alice wants people to be able to send her encrypted
messages.• She chooses two (large) prime numbers, p and q and
computes n=pq and . [“large” = 1024 bits +]• She chooses a number e such that e is relatively prime to
and computes d, the inverse of e in , i.e., ed =1 mod • She publicizes the pair (e,n) as her public key. (e is called RSA
exponent, n is called RSA modulus). She keeps d secret and destroys p, q, and
• Plaintext and ciphertext messages are elements of Zn and e is the encryption key.
4
)(n)(n
)(nZ
)(n
)(n
RSA: Encryption
• Bob wants to send a message x (an element of Zn
*) to Alice.
• He looks up her encryption key, (e,n), in a directory.
• The encrypted message is
• Bob sends y to Alice.5
nxxEy e mod)(
RSA: Decryption
• To decrypt the message
she’s received from Bob, Alice computes
Claim: D(y) = x6
nyyD d mod)(
nxxEy e mod)(
RSA: why does it all work• Need to show
D[E[x]] = x E[x] and D[y] can be computed efficiently if keys
are known E-1[y] cannot be computed efficiently without
knowledge of the (private) decryption key d.
• Also, it should be possible to select keys reasonably efficiently This does not have to be done too often, so
efficiency requirements are less stringent.7
E and D are Inverses
8
nxnx
nxx
nx
nx
nx
nnx
nyyD
t
tn
nt
ed
de
de
d
modmod1
mod)(
mod
mod
mod)(
mod)mod(
mod)(
)(
1)(
Because
From Euler’s Theorem
)(mod1 ned
Tiny RSA example.
• Let p = 7, q = 11. Then n = 77 and
• Choose e = 13. Then d = 13-1 mod 60 = 37.• Let message = 2.• E(2) = 213 mod 77 = 30.• D(30) = 3037 mod 77=2
9
60)( n
Slightly Larger RSA example.
• Let p = 47, q = 71. Then n = 3337 and
• Choose e = 79. Then d = 79-1 mod 3220 = 1019.• Let message = 688232… Break it into 3 digit
blocks to encrypt.• E(688) = 68879 mod 3337 = 1570. E(232) = 23279 mod 3337 = 2756• D(1570) = 15701019 mod 3337 = 688. D(2756) = 27561019 mod 3337 = 232.
10
322070*46)( pq
Security of RSA: RSA assumption• Suppose Oscar intercepts the encrypted
message y that Bob has sent to Alice.• Oscar can look up (e,n) in the public directory
(just as Bob did when he encrypted the message)
• If Oscar can compute d = e-1 mod then he can use to recover the plaintext x.
• If Oscar can compute , he can compute d (the same way Alice did). 11
xnyyD d mod)(
)(n
)(n
Security of RSA: factoring
• Oscar knows that n is the product of two primes
• If he can factor n, he can compute • But factoring large numbers is very difficult:– Grade school method takes divisions.– Prohibitive for large n, such as 160 bits– Better factorization algorithms exist, but they are
still too slow for large n– Lower bound for factorization is an open problem
12
)(n
)( nO
How big should n be?
• Today we need n to be at least 1024-bits– This is equivalent to security provided by 80-bit
long keys in private-key crypto
• No other attack on RSA known– Except some side channel attacks, based on
timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem!
13
Key selection
• To select keys we need efficient algorithms to– Select large primes• Primes are dense so choose randomly.• Probabilistic primality testing methods known. Work in
logarithmic time.
– Compute multiplicative inverses• Extended Euclidean algorithm
14
RSA in Practice
• Textbook RSA is insecure– Known-plaintext?– CPA?– CCA?
• In practice, we use a “randomized” version of RSA, called RSA-OAEP– Use PKCS#1 standard for RSA encryptionhttp://www.rsa.com/rsalabs/node.asp?id=2125– Interested in details of OAEP: refer to (section 3.1 of)
http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf
15
Some questions
• c1 = RSA_Enc(m1), c2 = RSA_Enc(m2). – What is RSA_Enc(m1m2)?
• Homomorphic property
– What is RSA_Enc(2m1)?• Malleability (not a good property!)
• Is it possible to find inverses mod n (RSA modulus)?
16
Some Questions
• RSA stands for Robust Security Algorithm, right?• If e is small (such as 3)
– Encryption is faster than decryption or the other way round?
• Private key crypto has key distribution problem and Public key crypto is slow– How about a hybrid approach?– Do you know how ssl/ssh works?
17
Some Questions
• Key generation in RSA is -------- than in DL-based schemes (El Gamal/DSS)
• I encrypt m with Alice’s RSA PK, I get c– I encryt m again, I get --?– What does this mean?
• What if I do the above with DES?
18
Some Questions
• Find x such that– x = 4 (mod 5)– x = 7 (mod 8)– x = 3 (mod 9)
19
Further Reading
• Section 8.2 of HAC• Section 9 of Stallings
20
Related Documents
