public key cryptography and rsa - computer science and...
TRANSCRIPT
![Page 1: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/1.jpg)
Public‐Key Cryptography and RSA
CSE 651: Introduction to Network Security
![Page 2: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/2.jpg)
Abstract
• We will discuss– The concept of public-key cryptography
– RSA algorithm
– Attacks on RSA
• Suggested reading: – Sections 4.2, 4.3, 8.1, 8.2, 8.4
– Chapter 9
2
![Page 3: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/3.jpg)
Public-Key Cryptography
• Also known as asymmetric-key cryptography.• Each user has a pair of keys: a public key and
a private key.• The public key is used for encryption.
– The key is known to the public.
• The private key is used for decryption.– The key is only known to the owner.
3
![Page 4: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/4.jpg)
4
Bob Alice
![Page 5: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/5.jpg)
Why Public-Key Cryptography?
• Developed to address two main issues:– key distribution– digital signatures
• Invented by Whitfield Diffie & Martin Hellman 1976.
5
![Page 6: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/6.jpg)
6
1
1
trapdoor
Easy:
Hard:
Easy:
Use as the private key.
Many public-key cryptosystems are based on trapdoor one-way fu
trapdoor
One-way function with trapdoorf
f
f
x y
x y
x y
−
−
⎯⎯→
←⎯⎯
←⎯⎯⎯
•nctions.
![Page 7: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/7.jpg)
Modular Arithmetic
Mathematics used in RSA(Sections 4.2, 4.3, 8.1, 8.2, 8.4)
![Page 8: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/8.jpg)
| : divides , is a divisor of . gcd( , ): greatest common divisor of and . Coprime or relatively prime: gcd( , ) 1. Euclid's algorithm: computes gcd( , ). Extented Eucl
Integersa b a b a b
a b a ba ba b
••• =•• id's algorithm: computes integers and such that gcd( , ).x y ax by a b+ =
![Page 9: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/9.jpg)
0
1
1
1 1
Comment: compute gcd( , ), where 1.
:
:
for : 1, 2, until = 0
: mod
return ( )
Euclidean Algorithm
n
i i i
n
a b a b
r a
r b
i r
r r r
r
+
+ −
> >
=
=
=
=
…
![Page 10: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/10.jpg)
1 782 65
1 13
6
299 221221 7878 65
5 5 13 0
gcd(229,221) 13( 2 ) 3
3 (299 221) 221
299 2
78 6578 221 78 78 22
2114
1
3
Extended Euclidean Algorithm:Example
gcd(299,221) ?= ⋅ += ⋅ += ⋅ += ⋅ +
= = −= − − ⋅ = ⋅ −= ⋅ − ⋅ −= ⋅ − ⋅
=
![Page 11: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/11.jpg)
id
A group, denoted by ( , ), is a set with a binary operation : such that 1. ( ) ( ) (associative) 2. s.t. , ( ) 3. , s.t.
entity
GroupG G
G G Ga b c a b c
e G x G x x xx G y G x y y x
e e
•× →
=∃ ∈ ∀ ∈ = =∀ ∈ ∃ ∈ = = ( )
A group ( , ) is if , , .
Examples: ( ,
abel
), ( , ), ( \ {0}, ), ( ,
inver
), ( \ {0}
ian
s
, ).
ee
G x y G x y y x
Z Q Q RR
• ∀ ∈ =
• + + × +×
![Page 12: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/12.jpg)
Let 2 be an integer.
Def: is congruent to modulo , written
mod , if | ( ), i.e., and have the
same remainder when d
m
ivided by .
Note: dod an
Integers modulo n
a b n
a b n n a b a b
n
a b n
n•
•
• ≡
≥
≡ −
{ } are different.
Def: [ ] all integers congruent to modulo .
[ ] is called a residue calss modulo , and is a
representati
mod
ve of that class.
n
n
a b
a a n
a n a
n
•
=
=
•
![Page 13: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/13.jpg)
[ ] [ ] if and only if mod .
There are exactly residue classes modulo :
[0], [1], [2], , [ 1].
If [ ], [ ], then [ ] and [ ].
Define addition and multiplication
n na b a b n
n n
n
x a y b x y a b x y a b
= ≡
−
∈ ∈ + ∈
•
+• ⋅
•
•
∈ ⋅
…
for residue classes:
[ ] [ ] [ ]
[ ] [ ] [ ].
a b a b
a b a b
+ = +
⋅ = ⋅
![Page 14: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/14.jpg)
{ }
{ }
( )
Define [0], [1], ..., [ 1] .
Or, more conveniently, 0, 1, ..., 1 .
, forms an abelian additive group.
For , ,
( ) mod . (Or, [ ] [ ] [ ] [ mod ].)
0 is th
n
n
n
n
Z n
Z n
Z
a b Za b a b n a b a b a b n
= −
= −
+
∈+
•
= + + =
•
•+ =
•
+ii
10
e identity element. The inverse of , denoted by , is .
When doing addition/substraction in , just do the regular addition/substraction and reduce the result modulo .
In , 5
n
a a n a
Zn
Z
•
− −i
i 5 9 4 6 2 8 3 ?+ + + + + + + =
![Page 15: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/15.jpg)
( )
( )
1
1
1
, is not a group, because 0 does not exist.
Even if we exclude 0 and consider only \ {0},
, is not necessarily a group; some may not exist.
For , exists if and on
n
n n
n
n
Z
Z Z
Z a
a Z a
−
+
+ −
−
•
•
•
∗
=
∗
∈ ly if gcd( , ) 1.
gcd( , ) 1 1 for some integers and
[ ] [ ] [ ] [ ] [1] in
[ ] [ ] [1] in
[
n
n
a n
a n ax ny x y
a x n y Z
a x Z
=
= ⇔ + =
⇔ ⋅ + ⋅ =
⇔ =
⇔
•
⋅1] [ ] in na x Z− =
![Page 16: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/16.jpg)
{ }
( )
*
*
1
Let : gcd( , ) 1 .
, is an abelian multiplicative group.
mod .
mod . 1 is the identity element. The inverse of , written , can be computated
n n
n
Z a Z a n
Z
a b ab n
a b ab n
a a −
= ∈ =
∗
∗ =
∗
•
•
=
•
iii
{ }*12
*
by the Extended Euclidean Algorithm.
For example, 1,5,
Q: How many
7,11 . 5
ele
7 35 mod12 11.
ments are t here in ? nZ
Z = ∗•
•
= =
![Page 17: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/17.jpg)
{ }
*
*
( ) : 1 , gcd( ,
Euler's totient function:
Facts:
) 1
1. ( ) ( 1) for prime .
2. ( ) ( ) ( ) if gcd( , ) 1.
How many elements are there in ?
n
n
n Z a a n a n
p p p
pq p q p q
Z
ϕ
ϕ
ϕ ϕ ϕ
•
= = ≤ ≤ =
= −
=
•
=
![Page 18: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/18.jpg)
Let be a (multiplicative) finite group. The order of , written , is the smallest
p ( , identity elos emitiv ent.e integer such that . The order of ,
ord( )
ord( , is the number )
)
t
a
Ge
Ga G
t a eG
•• ∈
=•
*15
* *15 15
2
3 2
of elements in . Example: Consider
ord( ) (15)
ord(8) 4, since 8 64 mod15 4 8 (8 8) mod15 (4 8) mod15 2
GZ
Z Z ϕ
•
= =
= = =
= ⋅ = ⋅ =
i
i
4 2 2 8 (8 8 ) mod15 (4 4) mod15 1= ⋅ = ⋅ =
![Page 19: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/19.jpg)
{ }*15
*15
*15
* (15) 815
= 1, 2, 4, 7, 8, 11, 13, 14
(15) (3) (5) 2 4 8
: 1 2 4 7 8 11 13 14ord( ) : 1 4 2 4 4 2 4 2
For all , we have 1
Example: 15Z
Z
a Za
a Z a a
n
ϕ
ϕ ϕ ϕ
•
•
•
•
= = × = × =
∈
∈ = =
=
![Page 20: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/20.jpg)
( ) 1
ord( )
*
Theorem: For any element , ord( ) | ord( ).
Fermat's little theorem: If ( a prime), th
Corollary: For any element ,
en 1.
Euler's theorem:
.
If
pp
p
G
a G a G
a p a
a G a e
a
a
Z ϕ −
• ∈
•
•
∈ = =
•
∈ =
∈ ( ) *
(
*
)
, then 1. ( ord( ) ( ).)
That is, for any integer relatively prime to , 1 mod .
nnn
n
a Z n
a na
Z
n
ϕ
ϕ
ϕ= =
≡
∵
![Page 21: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/21.jpg)
The Chinese Remainder Problem• A problem described in an ancient Chinese
arithmetic book.• Problem: We have a number of things, but we
do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many things are there?
[ ] [ ] [ ] [ ]3 5 7 105
2mod3, 3mod5, 2mod7? All integers 2 3 2 23 .
x x xx x≡ ≡ ≡
= ∈ =∩ ∩
![Page 22: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/22.jpg)
( )
1
1 1
2 2
10
If integers , , are pairwise coprime, then the system of congruences
modmod
modhas a unique solution in :
mod
Chinese remainder theorem
k
k k
N
i i i i
n n
x a nx a n
x a nZ
x a N N n−
≡⎧⎪ ≡⎪⎨⎪⎪ ≡⎩
=
…
[ ]
1
1 2
0
mod
where , and .
Furthermore, every integer is a solution.
k
i
k i i
N
N
N n n n N N n
x x
=
= =
∈
∑…
![Page 23: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/23.jpg)
1 1 1
1 1 1
Suppose 1 mod 3 6 mod 7 8 mod 10By the Chinese remainer theorem, the solution is:
1 70 (70 mod3) 6 30 (30 mod7) 8 21 (21 mod10) 1 70 (1 mod3) 6 30 (2 mod7) 8 21 (1 mod10)
xxx
x − − −
− − −
≡≡≡
≡ × × + × × + × ×
≡ × × + × × + × × 1 70 1 6 30 4 8 21 1 mod 210
958 mod 210 118 mod 210
≡ × × + × × + × ×≡≡
Example: Chinese remainder theorem
![Page 24: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/24.jpg)
( )( )
1 1 2
1 2
* * *
1
(the numbers are pairwise coprime) There is a one-to-one correspondence :
also,
, , , where
Chinese remainder theorem (another version)
k
k i
N n n N n n
k N
N n n n n
Z Z Z Z Z Z
A a a A Z
• =•
↔ × × ↔ × ×
↔ ∈…
( )1
and mod ? ? , ,
i i
k
a A nA
a a
=
• →
• ← …
![Page 25: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/25.jpg)
( )
( )( )
1
1
1
1
1 1
One-to-one correspondence :
, ,
Operations in can be performed individually in each .
, , If
, ,
then, ,
k
i
N n n
k
N n
k
k
Z Z Z
A a aZ Z
A a aB b b
A B a b
•↔ × ×
↔
•
↔⎧⎨ ↔⎩
± ↔ ±
…
……
…( )( )( )
1 1*
1
1 1
, ,
, , if
mod mo d mod
k k
k k
k k N
k
a bA B a b a bA B a b a
N n n
b B Z
±× ↔ × ×÷ ↔ ÷ ÷↑ ↑
∈↑
……
![Page 26: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/26.jpg)
( )( )( )
15
* * *15 3 5 15 3 5
Suppose we want to compute 8 11 in .
8 (2, 3) 8mod3, 8mod5
11 (2, 1) 11mod3, 11mod5 8 11 (2 2, 3 1) (1, 3). (1, 3)
Example: Chinese remainder theorem
Z
Z Z Z Z Z Z
x
• ×
• ↔ × ↔ ×
↔ =
↔ =
× ↔ × × =• ↔
1mod3 Solve 13
3mod5x
xx≡⎧
• ⇒ =⎨ ≡⎩
![Page 27: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/27.jpg)
1
3
gcd( , ),
mod ,
mod
Can be done in (log ) time.
Important Problems
k
a b
a n
a n
O n
−
•
•
•
•
![Page 28: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/28.jpg)
1
1 *
1
Compute in .
exists if and only if gcd( , ) 1. Use extended Euclidean algorithm to find ,
such that gcd( , ) 1 1 (beca
mod ?How to compute na Z
a a nx y
ax ny a na
a
x
n
−
−
−•
• =•
+ = =⇒ =
1
use 0 in )
. Note: every computation is reduced modulo .
nny Z
a xn
−
=
⇒ =•
![Page 29: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/29.jpg)
1 Compute 15 mod 47. 47 15 3 (divide 47 by 15; remainder 2) 15 2 7 (divide 15 by 2; remainder 1) 1 15 7 (mod 47) 1
21
25 ( ) 7 (mod 47)47 15 3
Example−•
= × + == × + == − ×= − ×− ×
1
15 22 47 7 (mod 47) 15 22 (mod 47) 15 mod 47 22−
= × − ×= ×
=
![Page 30: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/30.jpg)
30
By ivest, hamir & dleman of MIT in 1977. Best known and most widely used public-key scheme. Based on the one-way property
of mo
R S
du
lar powering:
A
assumed
The RSA Cryptosystem•••
1
: mod (easy)
: mod (hard)
e
e
f x x n
f y y n−
→
→
![Page 31: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/31.jpg)
1
RSA
RSA
*
Encryption (easy):
Decryption (hard):
Looking for a trapdoor: ( ) .If is a number such that 1mod ( ), then
( )
It works in group
1
.
Idea behind RSA
e
e
e d
n
x x
x x
x xd ed n
e n
Z
d kϕ
ϕ
−
⎯⎯⎯→
←⎯⎯⎯
=≡
= +
( )( ) 1 ( )
for some , and
( ) 1 .ke ed n nd k
k
x x x x x x xϕ ϕ+= = = ⋅ = ⋅ =
![Page 32: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/32.jpg)
Setting up an RSA Cryptosystem
• A user wishing to set up an RSA cryptosystem will:– Choose a pair of public/private keys: (PU, PR).– Publish the public (encryption) key.– Keep secret the private (decryption) key.
32
![Page 33: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/33.jpg)
*( )
Select two large primes and at random. Compute . Note: ( ) ( 1)( 1). Select an encryption key satisfying 1 ( ) and
gcd( , ( )) 1. (i.e., , 1.)
Co
RSA Key Setup
n
p qn pq n p q
e e ne n e Z eϕ
ϕϕ
ϕ
= = − −< <
∈ ≠
•
•
=
••
1mpute the descryption key: mod ( ). 1 mod ( ). is the inverse of mod ( ). Public key: . Private key: . Important: , , and ( ) must be kep
( , ) ( ,t sec
e .)
r tPU n e P
d e ned nd e n
np
dn
Rq
ϕϕ
ϕ
ϕ
−
••
=
=
≡
=
ii
![Page 34: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/34.jpg)
Alice
Suppose Bob is to send a secret message to Alice. To encrypt, Bob will
obtain Alice's public key { , }.
encrypt as mod . Note:
RSA Encryption and Decryption
e
m
PU e n
m c m nm
••
=
=
iii *
Alice
. To decrypt the ciphertext , Alice will compute
mod , using her private key { , }. What key will Alice use to encrypt
her reply to Bob?
n
d
Zc
m c n PR d n•
•
∈
= =i
![Page 35: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/35.jpg)
( )
{ }
*
*
*
* *
The settig of RSA is the group , :
Plaintexts and ciphertexts are elements in .
Recall: : 0 , gcd( , ) 1 .
has ( ) elements. (The group h a
s
Why RSA Works
n
n
n
n n
Z
Z
Z x x n x n
Z n Zϕ
= <
•
< =
ii
i
i
( )
( )
* * ( )
*
order ( ).)
In group , , for any , we have 1.
We have chosen , such that 1 mod ( ), i.e., ( ) 1 for some positive integer .
For ,
nn n
de edn
n
Z x Z x
e d ed ned k n k
x Z x x
ϕ
ϕ
ϕϕ
∈ =
≡= +
∈ =
ii
i
i ( )( ) 1 ( ) .kk n nx x x xϕ ϕ+= = =
![Page 36: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/36.jpg)
Select two primes: 17, 11. Compute the modulus 187. Compute ( ) ( 1)( 1) 160. Select between 0 and 160 such that gcd( ,160) 1.
Let 7. Compute
RSA Example: Key Setupp q
n pqn p q
e ee
d
ϕ
= == =
••• = −
•
==
•− =
1 1mod ( ) 7 mod160 23 (using extended Euclid's algorithm). Public key: . Private k
( ,ey
) (7, 187)( , ) (23: ., 7 18 )
PU e n
e
P n
n
R d
ϕ− −
= == =
=
•
= =
•
![Page 37: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/37.jpg)
7
23
23
23
Suppose 88. Encryption: mod 88 mod187 11. Decryption: mod 11 mod187 88. When computing 11 mod187, we first
compute 11 andd
theo
not
n
RSA Example: Encryption & Decryption
e
d
mc m nm c n
•
•
•
•
=
= = =
= = =
23
reduce it modulo 187. Rather, when conmputing 11 , reduce the intermediate
results modulo 187 whenever they get bigger than 187.•
![Page 38: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/38.jpg)
( )
1 0
2
Comment: compute mod , where in binary.
1 for downto 0 do mod
if 1
then mod
Algorithm: Square-and-Multiply( , , )c
k k
i
x n c c c c
zi k
z z nc
z z x
x c n
−=
←←
←
=
← ×
…
( )
...Note: At
i.e.,
the e
mod
nd of
retu
iteratio
rn
n , .
( )
k
i
i
c
c ci
z z x n
z
z
n
x=
⎫⎪ ← ×⎬⎪⎭
![Page 39: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/39.jpg)
2
2
2
2
3
2
23 10111
1 11 mod 187 11 (square and multiply) mod 187 121 (square) 11 mod 187 44 (square and multiply) 11 mod 187 165 (square and
11 mod187
mu
Example:
b
zz zz zz zz z
=
←
← ⋅ =
← =
← ⋅ =
← ⋅ =2
ltiply) 11 mod 187 88 (square and multiply)z z← ⋅ =
![Page 40: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/40.jpg)
4 16
To speed up encryption, small values are usually used for .
Popular choices are 3, 17 2 1, 65537 2 1. These values have only two 1's in their binary representation.
Encryption Key
e
e
= + = +
•
•
• There is an interesting attack on small .e
![Page 41: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/41.jpg)
A message sent to users who employ the same encryption expo
nent is not protected by RSA.
Say, 3, and Bob sends a message to three receipients encry
Low encryption exponent attackm e
ee m
•
• =
1 2 3
1 3
1 2 3
3 3 31 2 2 3
31
3 3 3
2 3
pted as: mod , mod , mod .
Eve intercepts the three ciphertexts, and recovers : mod , mod , mod .
By CRT, mod for som
m mc n c n c n
mm c n m c n m c n
m c n
m
n n
= = =
≡ ≡ ≡
•
≡
i
i 1 2 3
3 3 31 2 3
e .
Also, . So, , and .
c n n n
m n n n m c m c
<
< = =i
![Page 42: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/42.jpg)
1/4
One may be tempted to use a small to speed up decryption.
Unfortunately, that is risky.
Wiener's attack: If /3 and 2 , then the decryption exponent
Decryption Key d
dd n p q p
d•
•
• < < <can be computed
from ( , ). (The condition 2 often holds in practice.)
CRT can be used to speed up decryption by four times.
n e p q p< <
•
![Page 43: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/43.jpg)
2 Multiplying two numbers of bits takes ( ) time. . 1024-2058 bits. , half the size. Decryption: . Instead of computing
mod direod ctlm
Speeding up Decryption by CRT
d
d
c
k O kn pq n
nc
p
n
q•
= ≈ ≈•
•
•
( ) ( ) 1 2
1 1 2 2
1
2
y, we compute mod and mod
compute mod and mod
mod recover the plaintext b
y solv
ing o
m d
d d
c c p c c q
m c p m c q
x m px m q
= =
= =
≡⎧⎨ ≡⎩
i
i
i
![Page 44: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/44.jpg)
( )
Four categories of attacks on RSA: brute-force key search
infeasible given the large key space math
ematical attacks timing attacks
chosen ciphe r
Security of RSA•i
iii text attacks
![Page 45: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/45.jpg)
1
Then ( ) ( 1)( 1) andmod ( ) can be calculated
Factor into .
Determine ( ) directly
easily.
Equivalent to factoring . Knowing ( ) will enable us to f
.
Mathematical Attacksn p q
d e n
nn
n pq
nϕ
ϕ
ϕ
ϕ
−
= − −
=
•
•actor by solving
( ) ( 1)( 1)
Best known algorithms are not faster than those for factoring . Besides, if is know
Detn,
then can be factored with
erm
hi
ine dir
g
ectly.d
nn pq
n p q
n dn
ϕ=⎧
⎨ = − −
•
⎩
h probability.
![Page 46: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/46.jpg)
A difficult problem, but more and more efficient algorithms have been developed.
In 1977, RSA challenged resea
rchers to decode a ciphertex encrypted with a key ( ) of
Integer Factorization
n
•
•129 digits
(428 bits). Prize: $100. Would take quadrillion years using best algorithms of that time.
In 1991, RSA put forward more challenges, with prizes, to encourage research on f•
actorization.
![Page 47: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/47.jpg)
Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.) There are two labeling schemes.
by the number of decimal digits: RSA-100, .
RSA Numbers•
•i
.., RSA-500, RSA-617. by the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.i
![Page 48: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/48.jpg)
RSA-100 ( bits), 1991, 7 MIPS-year, Quadratic Sieve. RSA-110 ( bits), 1992, 75 MIPS-year, QS. RSA-120
3323653 ( bits), 1993, 830 MIPS-year, QS.
RSA-129 98
4(
RSA Numbers which have been factored•••• bits), 1994, 5000 MIPS-year, QS. RSA-130 ( bits), 1996, 1000 MIPS-year, GNFS. RSA-140 ( bits), 1999, 2000 MIPS-year, GNFS. RSA-155 ( bits), 1999, 8000 MIPS-year, GNFS.
284
314655
RSA-161
0 (2
530
••••
576 6
bits), 2003, Lattice Sieve. RSA- (174 digits), 2003, Lattice Sieve. RSA- (193 digits), 2005, Lattice Sieve. RSA-200 ( bits), 2005, Lattice
40663 Sieve.
•••
![Page 49: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/49.jpg)
49
RSA-200 =
27,997,833,911,221,327,870,829,467,638,
722,601,621,070,446,786,955,428,537,560,
009,929,326,128,400,107,609,345,671,052,
955,360,856,061,822,351,910,951,365,788,
637,105,954,482,006,576,775,098,580,557,
613,579,098,734,950,144,178,863,178,946,
295,187,237,869,221,823,983.
![Page 50: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/50.jpg)
*
In light of current factorization technoligies, RSA recommends that be of 1024-2048 bits.
Encrypting messages \ is insecure. Such an is not relatively prime to , i. e.,
Remarks
n n
n
m Z Zm n
∈
•
•i
*
gcd( , ) 1. By computing gcd( , ), one will be able to factor . gcd( , ) 1 gcd( , ) 1, where mod
Question: what is the probability that \
?
e
n n
m nm n n pq
m n c n c m n
m Z Z
>=
> ⇒ > =
∈•
ii
![Page 51: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/51.jpg)
Paul Kocher in mid-1990’s demonstrated that a snooper can determine a private key by keeping track of how long a computer takes to decipher messages.
RSA decryption: mod .
Timing Attacks
dc n
•
•
( )
Countermeasures: Use constant decryption time Add a random delay to decryption time modify the ciphertext to
Blin and computeding
mod .
:d
c c
c n
′
′
•iii
![Page 52: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/52.jpg)
1 2 1 2
RSA encryption has a homomorphism property: RSA( ) RSA( ) RSA( ). To decrypt a ciphertext RSA( ):
Generate a random secret mess
ag .
e
Blinding in Some of RSA Products
m
m m m mc m
r
× =•
=•×
i
1
Encrypt as RSA( ). Multiply the two ciphertexts: RSA( ). Decrypting yields a value e
qual to .
Multiplying that value by yields . Note: all calculation
r
mr m r
mr
r c rc c c mr
c mr
r m−
==
•
=iiii
*s are done in (i.e., modulo ).nZ n
![Page 53: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/53.jpg)
RSA's homomorphism property is the basis of a simple chosen-ciphertext attack. The attacker intercepts a ciphertext . An oracle can decrypt ciphertexts, except ,
Chosen-Ciphertext Attacks
m
m
cc
•
•• for you. To launch a chosen-ciphertext attack:
Generate a message, say, 2. Encrypt as RSA( ). Multiply the two ciphertexts: RSA( ). Ask the oracle
to decryp
r
m r
rr c r
c c c mr
=
= =
•
=iiii
1
t , yielding a value equal to . Multiplying that value by yields the plaintext .
c mrr m−i
![Page 54: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/54.jpg)
If the message space is small. The adversary can encrypt all messages and compare them with the intercepted ciphertext.
For inst
ance, if the message is known t
Small message space attack•
• o be a 56-bit DES key, or a social security number.
![Page 55: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/55.jpg)
The RSA we have described is the basic or textbook RSA, susceptible to many attacks.
In real world, RSA is not used that way.
(now in
version 2.1) is a speRSA PK cificati onCS #1
Textbook RSA•
•
• by RSA Labs specifying how to implement RSA.
![Page 56: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/56.jpg)
PKCS: ublic ey ryptography tandard. Let ( , , ) give a pair of RSA keys. Let denote the length of in bytes (e.g., 216). To encrypt a message :
P K C S
Padded RSA as in PKCS #1 v.1.5
n e dk
mk n
••
•=•
i
( ) ( )
pad so that 00 02 00 ( bytes) where 8 or more random bytes 00. original message must be 11 bytes.
the ciphertext is : RSA mo
d . This format makes RSA esis
r
e
r kr
k
c n
m
m
m
mm
m•
==
≤ −
=
′
′
≠
=′
ii
itant to many of the
aforementioned attacks Q: Whic h ones?
![Page 57: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/57.jpg)
A padded message is called PKCS conforming if it has the specified format: 00 02 padding string 00 orig
PKCinal message.
usually send youS #1 implemen
(v.1.5
tati (sons
)RSA PKCS #1•
•1
ender) an error message if RSA ( ) is PKCS conforming. There was a famous chosen-ciphertext attack taking
advantage of these error messages. PKCS #1 (v 2.1) now uses a scheme call
n
e Opt
o
t
d
c−
•
• imal Asymmetric Encryption Padding (OAEP).
![Page 58: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/58.jpg)
A message is called PKCS conforming if it has the specified format: 00 02 padding string 00 original message. PKCS #1 implementations usually
Bleichenbacher's chosen-ciphertext attack•
•1
1
send you (sender) an error message if RSA ( ) is PKCS conforming. It is just like you have an Oracle which, given , answers
whether or not RSA ( ) is PKCS conforming. Bleich
not
enbacher'
cc
c
−
−
•
• s attack takes advange of such an Oracle.
![Page 59: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/59.jpg)
*
Given RSA( ), Eve tries to find . (Assume is PKCS conforming.)
How can Oracle help? Recall that RSA is homomorphic: RSA( ) =RSA( ) RSA( ) (computa
te
d in )
G n
c m mm
a b a b Z
=
⋅
•
•
⋅
i
i
i
*
*iven RSA( ), Eve can compute RSA( ) for any . She can ask the Oracle, Is PKCS conforming? (That is, is PKCS conforming?
)
Whmo
y is this info ed
us fu
n
n
m m s
msn
s
Z
Z
ms
⋅ ∈
∈
•
i
l?
![Page 60: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/60.jpg)
8( 2) 8( 2)
8( 2) 8( 2)
Recall PKCS Format ( bytes): 00 02 padding string 00 original message
Let 00 01 0 2 (as a binary integer) Then,
2 00 02 0 and 3 00 03 0 .
If is PKCS c
o
k k
k k
k
BB B
m
− −
− −
= =
•
•
••
= =
modmo
nforming 2 3 . If, in addition, is PKCS con
dforming
2 3 2 3 for some 2 3 for some
m
ms nms n
msm
B B
B BB tn B tn tB s t n s B s t n s t
⇒ < <
⇒ < <⇒ + < < +⇒ + ⋅
•
⋅ < < +
![Page 61: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/61.jpg)
• • •
• • •
0 n 2n 3n 4n
ns
2B 3B
If is PKCS conforming is in the blue area. If is also PKCS conforming
is in the blue area is in the red areas is in the red lines. Thus, is in the red line
mod
s
m
o
o
d
f t
m mms n
ms nmsm
m
⇒
⇒
•
⇒
•
⇒
•
he blue area.
![Page 62: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/62.jpg)
blue area Let's focus on the blue area, (2B, 3B). If is PKCS conforming is in the . If is also PKCS conforming
mod
red areas/is in If is also PKCS conforming
modline
s
ms
ms nm
m
m
mn
•
•⇒
⇒
•
•⇒
′
purple areas/line is in So, blue red purple
sm• ∈ ∩ ∩
2B 3B
![Page 63: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/63.jpg)
1 2 3
1
So, starting with the fact that is PKCS conforming, Eve finds a sequence of integers , , , ... such that
2 and mod is PKCS conforming.
To find , ra n
i i
i
i
ms s s
s sms n
s
−
•
≤
•
1domly choose an 2 , and ask the oracle whether is PKCS conforming. If not, then try a different .
This way, Eve can repeatedly narrow down the area containing , and even
d
mo
tu
i
mss
m
ns
s
−
•
≥
1 2 3
ally finds . For having 1024 bits, it takes roughly 1 million accesses
to the oracle in order to find , , , ...
mn
s s s•
![Page 64: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/64.jpg)
( ) ( )( )( )
OAEP
RSA
The current version of PKCS #1 (v 2.1) uses a scheme called Optimal Asymmetric Encryption Padding (OAEP).
:
: mod
(v.2
.1
:
)RSA PKCS #1
e
m m m G r r h m G r
c m n
G
′⎯⎯⎯→ = ⊕ ⊕ ⊕
′⎯⎯⎯
•
•
→ =
•
pseudorandom generator : hash function : randomhr
••
![Page 65: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/65.jpg)
Public-Key Applications
• Three categories of applications:– encryption/decryption (provide secrecy)– digital signatures (provide authentication)– key exchange (of session keys)
• Public-key cryptosystems are slower than symmetric-key systems.
• So, mainly used for digital signatures and key exchange.
![Page 66: Public Key Cryptography and RSA - Computer Science and ...web.cse.ohio-state.edu/~lai.1/651/5-RSA.pdf · Public‐Key Cryptography and RSA CSE 651: Introduction to Network Security](https://reader034.vdocument.in/reader034/viewer/2022042108/5e882e422ba34b64d166bbd9/html5/thumbnails/66.jpg)
• RSA: basic RSA, textbook RSA
• Padded-RSA: PKCS #1 v.1.5
• Original message
• Padded message•
66