06 Rsa

Download as pdf or txt
Download as pdf or txt
You are on page 1of 104

RSA and Public Key

Cryptography
Chester Rebeiro
IIT Madras

CR STINSON : chapter 5, 6
Ciphers
Symmetric Algorithms
Encryption and Decryption use the same key
i.e. KE = KD
Examples:
Block Ciphers : DES, AES, PRESENT, etc.
Stream Ciphers : A5, Grain, etc.
Asymmetric Algorithms
Encryption and Decryption keys are different
KE KD
Examples:
RSA
ECC

CR 2
Asymmetric Key Algorithms

KE KD

Alice untrusted communication link Bob


E D
#%AR3Xf34^$ Attack at Dawn!!
Plaintext encryption (ciphertext) decryption
Attack at Dawn!!

The Key K is a secret


Encryption Key KE not same as decryption key KD
Advantage : No need of secure
KE known as Bobs public key;
KD is Bobs private key
key exchange between Alice and
Bob
Asymmetric key algorithms based on trapdoor one-way functions

CR 3
One Way Functions
Easy to compute in one direction
Once done, it is difficult to inverse

Press to lock Once locked it is


(can be easily done) difficult to unlock
without a key

CR 4
Trapdoor One Way Function
One way function with a trapdoor
Trapdoor is a special function that if possessed can be used to
easily invert the one way

trapdoor

Locked
(difficult to unlock) Easily Unlocked

CR 5
Public Key Cryptography
(An Anology)
Alice puts message into box and locks it
Only Bob, who has the key to the lock can open it and read
the message

CR 6
Mathematical Trapdoor One way
functions
Examples
Factorization of two primes
Given P, Q are two primes
and N = P * Q
It is easy to compute N
However given N it is difficult to factorize into P and Q
Used in cryptosystems like RSA
Discrete Log Problem
Consider b and g are elements in a finite group and bk = g, for some k
Given b and k it is easy to compute g
Given b and g it is difficult to determine k
Used in cryptosystems like Diffie-Hellman
A variant used in ECC based crypto-systems

CR 7
Applications of Public key
Cryptography
Encryption
Digital Signature :
Is this message really from Alice?
Alice signs by encrypting with private key
Anyone can verify signature by decrypting with Alices public key
Why it works?
Only Alice, who owns the private key could have signed

CR 8
Applications of Public key
Cryptography Diffie-Hellman
Key Exchange
Key Establishment :
Alice and Bob want to use a block cipher for encryption. How
do they agree upon the secret key
Alice and Bob agree upon a prime p and a generator g.
This is public information

choose a secret a choose a secret b


compute A = ga mod p compute B = gb mod p

B A
Compute K = Ba mod p Compute K = Ab mod p

Ab mod p = (ga)b mod p = (gb)a mod p = Ba mod p

CR 9
RSA

Shamir, Rivest, Adleman (1977)


CR 10
More Number Theory

Mathematical Background

CR 11
RSA : Key Generation
Bob first creates a pair of keys (one public the other private)

1. Generate two large primes p , q ( p q)


2. Compute n = p q and ( n) = ( p 1)(q 1)
3. Choose a random b (1 < b < ( n)) and gcd(b, ( n)) = 1
4. Compute a = b 1 mod( (n))

Given the private key it is easy the


Bob' s public key is (n, b) public key
Bob' s private key is ( p, q, a )
Given the public key it is difficult to
derive the private key

CR 12
RSA Encryption & Decryption

Encryption Decryption

eK ( x) = y = x b mod n
d K ( x) = y a mod n
where x Z n

CR 13
RSA Example

1. Take two primes p = 653 and q = 877


2. n = 653 877 = 572681; (n) = 652 876 = 571152
3. Choose public key b = 13; note that gcd(13, 571152) = 1
4. Private key a = 395413 = 13-1 mod 571152

Message x = 12345
encryption : y = 1234513 mod 572681 536754
decryption : x = 536754395413 mod 572681 12345

CR 14
Correctness
when x Z n and gcd( x , n ) = 1
Encryption
Decryption
eK ( x) = y = x mod n
b

where x Z n d K ( x) = y a mod n

y a ( x b ) a mod n ab 1 mod ( n )
ab 1 = t ( n )
( x ab ) mod n ab = t ( n ) + 1
( x t ( n ) +1 ) mod n
From Fermats theorem
t ( n )
(x x) mod n
CR x 15
Correctness
when x Z n and gcd( x , n ) 1
Since n = pq , gcd( x , n ) = p or gcd( x , n ) = q
Assume gcd( n, x) = p
If
=> p | x => pk = x
xx ab
mod p LHS : x mod p pk mod p 0
xx ab
mod q RHS : x ab mod p 0
=> x x ab mod n Q gcd( p, x) = p it implies gcd( q, x) = 1
(by CRT ) x ab mod q x t ( n ) +1 mod q
x t ( p ) ( q ) +1 mod q
( x ( q ) ) t ( p ) x mod q
CR (1) t ( p ) x mod q x 16
RSA Implementation

y = x c mod n

i ei z
4 1 12* x = x
3 0 x2
c = 23 = (10111)2 2 1 x4 * x = x 5
1 1 X10 * x = x11
0 1 x22 * x = x23

CR 17
RSA Implementation in Software
(Multi-precision Arithmetic)
RSA requires arithmetic in 1024 or 2048 bit numbers
Modern processors have ALUs that are 8, 16, 32, 64 bit
Typically can perform arithmetic on 8/16/32/64 bit numbers
solution: multi-precision arithmetic (gmp library)

base : 2b, where b = 64/32/16/8 bits

CR 1024 bits 18
Multi-precision Addition
ADD : a = 9876543210 = (2, 76, 176, 22, 234)256
b = 1357902468 = (80, 239, 242, 132)256
base = 8 bit (256)

i ai bi cin ai+bi+cin(mod 256) Carry? cout


0 234 132 0 110 (110 < 234)? 1
1 22 242 1 9 (9 < 22)? 1
2 176 239 1 160 (160 176)? 1
3 76 80 1 157 (157 76)? 0
4 2 0 0 2 (2 2)? 0

a + b = (2, 157, 160, 9, 110)256


= 11234445678
CR Computational Number Theory, Abhijit Das, CRC Press 19
Multi-precision Subtraction
SUB : a = 9876543210 = (2, 76, 176, 22, 234)256
b = 1357902468 = (80, 239, 242, 132)256
base = 256 (8 bit)

i ai bi Cin Borrow? Cout ai-bi-cin(mod 256)


0 234 132 0 (234 < 132)? 0 102
1 22 242 0 (22 < 242)? 1 36
2 176 239 1 (176 < 239)? 1 192
3 76 80 1 (76 < 80)? 1 251
4 2 0 1 (2 < 0)? 0 1

a - b = (1, 251, 192, 36, 102)256


= 8658640742
CR 20
Multi-precision Multiplication
(Classical Multiplication)
MUL : a = 1234567 = (18, 214, 135)256
b = 76543210 = (4, 143, 244, 234)256
base = 8 bit (256)

a*b=
(0 85 241 247 25 195 102)256
= 99447721140070

CR 21
Multi-precision Multiplication
(Karatsuba Multiplication)
Let a, b be two multiprecision integers with n B ary words.
Let m = n / 2
a = ah B m + al
b = bh B m + bl
a b = (ah bh ) B 2 m + (ah bl + al bh ) B m + al bl
= (ahbh ) B 2 m + (ah bh + al bl + (ah al )(bh bl ) )B m + al bl

using (ah al )(bh bl ) = ah bh ah bl al bh + al bl

Karatsuba multiplication converts n bit multiplications into 3 multiplications of n/2 bits


The penalty is an increased number of additions

CR 22
Multi-precision Multiplication
(Karatsuba Multiplication)
B = 256; ahbh = (1, 176, 254, 234)256
a = 123456789 = (7, 91, 205, 21)256
b = 987654321 = (58, 222, 104, 177)256 albl = (83, 222, 83, 133)256
ah - bh = -(197, 186)256
n=4; m=2 al - bl = -(45, 211)256
ah = (7, 91); al = (205, 21)
(ah - bh) (al - bb)l) = (35, 100, 170, 78)256
a = (7, 91)2562 + (205, 21)
ahbl + albh
bh = (58, 222); bl = (104, 177) = ahbh+ albl - (ah - bh) (al - bl)
b = (58, 222)2562 + (104, 177) = (50, 42, 168, 33)256

1 176 254 234


50 42 168 33
83 222 83 133
1 177 49 20 251 255 83 133 ab
CR 23
Speeding RSA decryption with CRT
Decryption is done as follows :
x = ya mod n
Bob can also decrypt by using CRT
x = ya mod p
x = ya mod q
(since he knows the factors of n, i.e. p,q)
CRT turns out to be much faster since the size (in
bits) of p and q is about that of n

CR 24
Multi-precision libraries
GMP : GNU Multi-precision library
Make use of Intels SSE/AVX instructions
These are SIMD instructions that have large
registers (128, 256, 512 bit)
Crypto libraries
OpenSSL, PolarSSL, NaCL, etc.

CR 25
Finding Primes

CR 26
Test for Primes
How to generate large primes?
Select a random large number
Test whether or not the number is prime
What is the probability that the chosen number is a
prime?
Let (N) be the number of primes < N
From number theory, (N) N/ln N
Therefore probability of a random number (< N) being a
prime is 1/ln N
As N increases, it becomes increasingly difficult to find large
primes

CR 27
GIMPS
There are infinite prime numbers (proved by Euclid)
Finding them becomes increasingly difficult as N
increases
GIMPS : Great Internet Mersenne Prime Search
Mersenne Prime has the form 2n 1
Largest known prime (found in 2016) has 22 million digits
2274,207,281 1
$3000 to beat this

CR https://en.wikipedia.org/wiki/Largest_known_prime_number 28
Primality Tests with Trial Division
School book methods (trial division)
Find if N divides any number from 2 to N-1
find if N divides any number from 2 to N1/2
Find if N divides any prime number from 2 to N1/2
Too slow!!!
Need to divide by N-1 numbers
Need to divide by N1/2 numbers
Need to divide by (N/lnN)1/2 primes
For example, if n is approx 21024, then need to check around 2507
numbers
Need something better for large primes
Randomized algorithms

CR 29
Randomized Algorithms for
Primality Testing
Monte-carlo Randomized Algorithms
Always runs in polynomial time
May produce incorrect results with bounded probablity

Yes-based Monte-carlo method


Answer YES is always correct, but answer NO may be wrong
No-based Monte-carlo method
Answer NO is always correct, but answer YES may be wrong

CR 30
Finding Large Primes
(using Fermats Theorem)

is _ prime ( n ){ If n is prime, then a n 1 1 mod n


is true for any a
pick a Z n
n 1
If n is composite a 1 mod n
if ( a n 1 1 mod n ) is false but may be true for some
values of a.
return TRUE
For example: n = 221 and a = 38
else 38220 mod 221 1.
return FALSE We need to increase our confidence
with more values of a
}

CR 31
Fermats Primality Test
Increasing confidence with multiple bases

primality _ test ( n ){
c=0
for (i = 0; i < 1000 ; + + i ){
if (is _ prime ( n ) == FALSE )
return COMPOSITE
}
return probably PRIME
}

CR 32
Flaw in the Fermats Primality Test

Some composites act as primes.


Irrespective of the a chosen, the test a n1 1 mod n
passes.

for example Carmichael numbers are composite numbers which


satisfy Fermats little theorem irrespective of the value of a.

CR 33
Strong probable-primality test
If n is prime, the square root of an-1 is either
+1 or -1
a 2 1 mod n
a 2 1 mod n
(a + 1)(a 1) 0 mod n
either (a + 1) 0 mod n or (a 1) 0 mod n

CR 34
Miller-Rabin Primality Test
Yes-base primality test for composites
Does not suffer due to Carmichael numbers
Write n-1 = 2sd
where d is odd and s is non-negative
n is a composite if
d 2r
a 1 mod n and (a ) 1 mod n
d

for all number r less than s

CR 35
Proof of Miller-Rabin test
Write n-1 = 2sd
d 2r
a 1 mod n and (a ) 1 mod n
d

for all number r less than s


Proof: We prove the contra-positive. We will assume n to be
prime. Thus,
d 2r
a 1 mod n or (a ) 1 mod n
d

for some number r less than s

CR 36
Proof of Miller-Rabin test
Proof: We prove the contra-positive. We will assume n to be
prime. Thus we prove,
d 2r
a 1 mod n or (a ) 1 mod n
d

for some number r less than s


Consider the sequence : 1 (Fermat s)

d 21 d 22 d 23 d 2s d
a ,a ,a ,a ,LL , a
The roots of x2 = 1 mod n is either +1 or -1
In the sequence, if ad is 1, then all elements in the sequence will be 1
If ad is not 1, then there should be some element in the sequence
which is -1, in order to have the final element as 1
CR 37
Miller-Rabin Algorithm
(test for composites)
Input n
T 1 . Find an odd integer d such that n 1 = 2 s d
T 2 . Select at random a nonzero a Z n
T 3 . Compute b = a d mod n
If b = 1, return ' n is prime '
i
T 4 . For i = 1, L , r 1, calculate c b 2 mod n
If c = 1, return ' n is prime '
T 5 . Otherwise return ' n is composite '

CR 38
Quadratic Residues

Example : m=13, square elements in Z13.


1,4,9, 3, 12, 10, 10, 12, 3, 9, 4, 1
The quadratic residues Z13 are therefore
{1, 4, 3, 9, 10, 12}

If an element is not a quadratic resiidue, then it is a quadratic non-residue

quadratic non-residues in Z13 are {2, 5, 6, 7, 8, 11}

CR 39
Legendre Symbol

0 if p | a
a
= 1 if a is a QR mod p
p 1 if a is a QNR mod p

Given p is an odd prime

CR 40
Eulers Criteria

A result from Euler


p 1
a
a 2 mod p
p

when a is a QR , x Z p s.t . a x 2 mod p


when p | a
p 1 ( p 1 )
p 1 2
=> a 2
x 2
mod p
a 2
0 mod p
x p 1 mod p
1

CR 41
when Quadratic Non Residue
when a is a QNR , no such x Z p exists s.t . a x 2 mod p
p 1
consider : a 2
mod p ( note p 1 is even , if p is an odd prime )
squaring : a p 1 mod p 1
p 1 2

so , a 2 1 mod p


p 1
Thus , a 2
1 mod p
p 1
a 2
1 mod p , since a is not a QR
p 1
Thus a 2
1 mod p

CR 42
Examples

Congurence always holds when


p 1
a
a 2
mod p 4 is a QR mod 13

n is an odd prime
p 131
4 mod 13 46 mod 13 1
2

5 is a QNR mod 13
56 mod 13 12 mod 13 1

15 1

n is an odd prime

Congurence may
or may not hold
Eulers Witness
7 2
mod 15 7 7 mod 15 2

when
Eulers Liar 15 1
14 2
mod 15 14 7 mod 15 1
CR 43
Solovay Strassen Primality Test
SOLOVAYSTRASSEN (n){
choose a random integer a such that 1 a n-1
a
compute x =
n
How to compute
if ( x = 0) return COMPOSITE
Legendres symbol n 1
compute y = a 2
mod n
if ( x y mod n) return possiblyPRIME
else return COMPOSITE
}

error probability is at most


after k invocations of this algorithm,
CR 44
Jacobi Symbol
Jacobi Symbol is a generalization of the Legendre symbol
Let n be any positive odd integer and a>=0 any integer. The
Jacobi symbol is defined as:

Suppose n is an odd positive integer with prime factorizat ion


n = p1e1 p e22 p 3e 3 p e44 ...
T

Then,
e1 e2 e3 e4
a a a a a
=




L
n p1 p2 p3 p4

CR 45
Jacobi Properties
a b
P1. If a b mod n then =
n n
2 1 if n 1 mod 8
P 2. =
n 1 if n 3 mod 8
ab a b
P3. =
n n n
k
a 2 t
P 4. if a is even, a = 2 k t , =
n n n
P5. if a is odd ,
n
if n a 3 mod 4
a a
=
n n
otherwise
a
CR 46
Computing Jacobi

From the theorem

P5, P1, then P2

P5, P1, P5, P1, P3, P2

P5, P1
and 1 is a QR mod 13

CR 47
Factoring Algorithms

CR 48
Factorization to get the private key
Public information (n, b)
If Mallory can factorize n into p and q then,
She can compute (n) = (p-1)(q-1)
She can then computethe private key by nding a b-1 mod (n)

How to factorize n?

CR 49
Trial Division
Fundamental theorem of arithmetic
Any integer number (greater than 1) is either prime or a product of prime
powers
n = p1e1 p2e2 p3e3 L pkek

prime generation algorithm

Prime factors of n cannot be



greater than n

n = n / p : remove this factor from n

Running Time of algorithm order of (2n/2)

CR 50
Pollard p-1 Factorization
n = pq

1 choose a random integer a (1 < a < n).


If gcd(a, n) 1, then a is a prime factor.
However, this is most likely not the case as gcd (a,n) = 1.
4
2 Suppose we magically get an L such that p -1| L.
How to find the magic L?
We use L to compute (a 1).L

No easy way, trial and error!!


p 1 | L => ( p 1)k = L Factorials have a lot of divisors. So that
a L a ( p 1) k 1 mod p (by Fermat' sLittle Theorem) is a nice way.
So, take L as a factorial of some
Thus, p | a L 1 number r.
3
Now compute gcd( a L 1, n )
Since , p | n and p | a L 1,
gcd( a L 1, n ) is either p and may also be n.
Thus if gcd( a L 1, n ) n, then we have found a factor of n.
if gcd(a L - 1, n) = n, then q | a L 1 also. Cannot conclude anything.

CR 51
Pollard p-1 Factorization
Pollard p-1 factorization for n.
S1. a 2
S 2. if gcd (a, n) > 1, then this gcd is a prime factor of n, we are done.
S 3. compute d gcd (a r! -1, n)
if d = n, start again from S1 with next value of a
else if d = 1 , increment r and repeat S 3
else d is the prime factor of n; we are done!

r = 2,3, 4, H..

Will the algorithm terminate?

CR 52
Pollard Rho Algorithm
Form a sequence S1 by selecting randomly (with replacement)
from the set Zn
S1 = x0 , x1 , x2 , x3 , x4 , L x 0 x0 mod p
Also assume we magically find a x1 x1 mod p
new sequence S2 comprising of x 2 x2 mod p
S 2 = x 0 , x1 , x 2 , x 3 , x 4 , L where x x mod p
3 3

If we keep adding elements to x 4 x4 mod p


S1, we will eventually find an xi and xj (ij) such that x i = x j
When this happens,
p | ( xi x j )
Q p | n also, gcd(( xi x j ), n) is p.We found a factor of n!!
CR 53
Doing without magic
Form a sequence S1 by selecting randomly (with replacement)
from the set Zn
S1 = x0 , x1 , x2 , x3 , x4 , L

For every pair i,j in the sequence compute

d gcd(( xi x j , n)

If d > 1 then it is a factor of n

CR 54
Selecting elements of S1
To choose the next element of S1, Pollard suggests
using a function f : Z n Z n
with requirement that the output looks random.
Example : f ( x) = x 2 + 1 mod n

x0 where x0 is chosen randomly from Z n


S1 =
xi i > 0 and xi = f ( xi 1 )

CR 55
Example
This column is just
N= 82123, x0 = 631, f(x) = x2 + 1 for understanding.
In reality we will not know this

DrawbackH
Large number of GCD
computations. In this case
55.

Can we reduce the number


of gcd computations?

Given xi mod N, we compute gcds of every pair until we find a gcd greater
than 1
gcd( x3 x10 , N ) = gcd(63222, 82123) = 41 A factor of N

CR 56
The Rho in Pollard-Rho
N= 82123, x0 = 631, f(x) = x2 + 1 21
26
5 32

2 0
40 1

11

16

x t = x t +l mod p
The smallest value of t and l, for which the above congruence holds is t=3, l=7
For l=7, all values of t > 3 satisfy the congruence
This leads to a cycle as shown in the figure
(and a shape like the Greek letter rho) x j = x j +l mod p t 3
CR 57
Reducing gcd computations
GCD computations can be expensive.
Use Floyds cycle detection algorithm to reduce the number of
21
GCD computations. 26
5 32
choose a random x 0 = y 0 Z n
2 0
x i = f ( x i 1 ) 1
40
y i = x 2 i = f ( f ( y i 1 ))
loop

11
If d = gcd( x i y i , N ) > 0 , return d
16

claim : The first time xi = yi mod p occurs when i t + l

CR 58
The first time xi = yi mod p occurs
is when i t + l
l is the number of points in the cycle
t is the smallest value of i such that xi yi mod N
xi and yi meet at the same point in the cycle
Therefore, yi must have traversed (some) cycles more

xi yi mod N
xi x2i mod N consider ( k + 1) l
l | (2i i ) = kl + l t + l
l | i => lk = i

CR 59
Expected number of operations
before a collision
Can be obtained from Birthday paradox
to be p

CR 60
Congruences of Squares
Given N=p x q, we need to find p and q
Suppose we find an x and y such that x 2 y 2 mod N
Then,
N | ( x 2 y 2 ) = > N | ( x y )( x + y )
This implies,
gcd( N , ( x y )) or gcd( N , ( x + y )) factors N

CR 61
Example
Consider N = 91
10 2 32 mod 91 34 2 82 mod 91
91 | (10 3)(10 + 3) 91 | (34 + 8)(34 8)
91 | (7 13) 91 | 42 26
gcd(91,13) = 13 gcd(91, 26) =13
gcd(91, 7) = 7 gcd(91, 42) = 7

SoH we can use x and y to factorize N.


x 2 y 2 mod N
But how do we find such pairs?

CR 62
Another Example
N = 1649
32 and 200 are not perfect squares.
412 32 mod1649 However (32x200 = 6400) = 802
432 200 mod 1649 is a perfect square

( 41 43) 2 (32 200) mod 1649


80 2 mod 1649

Thus, it is possible to combine non-squares to form


a prefect square

CR the examples are borrowed from Mark Stamp (http://cs.sjsu.edu/faculty/stamp/)


63
Forming Perfect Squares
Recall, Fundamental theorem of arithmetic
Any integer number (greater than 1) is either prime or a product of prime
powers
n = p1e1 p2e2 p3e3 L pkek
Thus, a number is a perfect square if it prime factors have even powers.

e1 , e2 , e3 ,... is even
Thus,
32 = 2550 not a perfect square
200 = 2352 not a perfect square
(32x200) = 2550 x 2352 = 2852 = (2451)2 is a prefect square

CR 64
Dixons Random Squares
Algorithm
1. Choose a set B comprising of b smallest primes. Add -1 to
this set.
(A number is said to be b-smooth, if its factors are in this set)
2. Select an r at random
Compute y = r mod N
2

Test if y factors completely in the set B.


If NO, then discard. ELSE save (y, r) (these are called B-smooth
numbers)
3. Repeat step 2, until we have b+1 such (y,r) pairs
4. Solve the system of linear congruencies

CR 65
Example
N = 1829
b=6 B = {-1, 2,3,5,7,11,13}
Choose random values of r, square and factorize

All numbers are B-smooth


except 60 and 75.
Leave these and
consider all others

CR 66
Check Exponents
-1 2 3 5 7 11 13
-65 1 0 0 1 0 0 1
20 0 2 0 1 0 0 0
63 0 0 2 0 1 0 0
-11 1 0 0 0 0 1 0
-91 1 0 0 0 1 0 1
80 0 4 0 1 0 0 0

CR 67
Check Exponents
-1 2 3 5 7 11 13
-65 1 0 0 1 0 0 1
20 0 2 0 1 0 0 0
63 0 0 2 0 1 0 0
-11 1 0 0 0 0 1 0
-91 1 0 0 0 1 0 1
80 0 4 0 1 0 0 0

Find rows where exponents sum is even


-65, 20, 63, -91

sum 2 2 2 2 2 0 2

(42 43 61 85) 2 (1 2 3 5 7 13) 2 mod 1829


1459 2 9012 mod 1829
CR 68
Final Steps
(42 43 61 85) 2 (1 2 3 5 7 13) 2 mod 1829
1459 2 9012 mod 1829

1829 | (1459 + 901)(1459 901)


=> 1829 | 2360 gcd(1829,2360) = 59
=> 1829 | 558 gcd(1829,558) = 31

Thus 1829 = 59 31

CR 69
State of the Art
Factorization Techniques
Quadratic Sieve
Fastest for less than 100 digits
General Number field Sieve
Fastest technique known so far for greater than 100 digits
Open source code (google GGNFS)
RSA factoring challenge
Best so far is 768 bit factorization
Current challenges 896 bits (reward $75,000), 1024 bit ($100,000)

CR https://en.wikipedia.org/wiki/RSA_Factoring_Challenge
70
RSA Attacks

attacks that dont require


factorization algorithms

CR 71
(n) leaks
If an attacker gets (n) then n can be factored

n = pq q = n/ p
(n) = ( p 1)(q 1)
= pq ( p + q ) + 1
n
( n) = n ( p + ) + 1
p
p 2 (n (n) + 1) p + n = 0

Solve to get p (a factor of n)

CR 72
square roots of
1 mod n
There are two trivial and two non-trivial solutions for y 1 mod n
2

The trivial solutions are +1 and -1


By CRT, these congruences
are equivalent y 1 mod p

y 2 1 mod p y 1 mod p
y 1 mod n = 2
2

y 1 mod q
y 1 mod q

y 1 mod q

To get the non-trivial solutions solve using CRT

y +1 mod p y 1 mod p
y 1 mod q y +1 mod q

CR 73
Example
n=403 = 13 x 31
To get the non-trivial solutions of y 1 mod n solve using CRT
2

y +1 mod p y 1 mod p
y 1 mod q y +1 mod q

(31 311 mod 13 13 131 mod 31) mod 403


(31 8 13 12) mod 403 92
403 91 = 311
Note : 92 2 3112 1 mod 403
The non-trivial solutions are 92 and 311

What happens when we solve y +1 mod p


y +1 mod q
CR 74
Decryption exponent leaks
If the decryption exponent a leaks, then n can be factored
The attacker can then compute ab
ab 1 mod (n) k (n) = (ab 1)
Now, for any message x 0
x ab 1 1 mod n
ab 1

Attack Plan, take square root : y x 2


mod n
i.e., y 2
1 mod n => n | ( y 2
1)
However we
=> n | ( y 1)( y + 1) need
y 1
gcd( n , y 1) is a factor of n to have a non-
trivial result
CR 75
The Attack (basic idea)
we assume we know the private
key a

ab 1 mod (n)
1. given a compute ab 1 k (n) = ab 1
ab 1 ab 1
2. Represent t =
2 y1 = x 2
1 mod n
3. choose any message x thus, ( y12 1) 0 mod n
4. put y = x t mod n n | ( y + 1)( y 1)
5. compute d gcd( y 1, n)
This will only work if y 1 mod n.
6. if d 1, return " a factor of n is d" ; exit If y = 1 mod n. then goto step 7
7. if (t is even) t = t / 2; goto step 4
else return " failure"

Probability of success of the attack is at-least 1/2

CR 76
Example
N=403, b=23, a=47
t = ab 1 = 1080 x=2
1080
loop1 : t = = 540 y x t mod 403 = 2540 mod 403 1
2
540
loop 2 : t = = 270 y x t mod 403 = 2 270 mod 403 311
2
gcd(310, 403) = 31 ( a factor of n)

t = ab 1 = 1080 x=9
1080
loop1 : t = = 540 y x t mod 403 = 9540 mod 403 1
2
540
loop 2 : t = = 270 y x t mod 403 = 9 270 mod 403 1
2
270
loop3 : t = = 135 y x t mod 403 = 9135 mod 403 1
2
cant divide 135 further. failure
CR 77
Small Encryption Exponent
In order to improve efficiency of encryption, a small
encryption exponent is preferred
However, this can lead to a vulnerability

CR 78
Small Encryption Exponent
c1
Alice m3mod N1
m c2
m3mod N2

c3
m3mod N2

Insecure channel
Consider, Alice sending the same message x to 3 different people.
Each having a different N (say N1, N2, N3)
But same public key b (say 3)

CR 79
Small Encryption Exponent
c1
Alice m3mod N1
m c2 c1 m 3 mod N1
m3mod N2
c2 m 3 mod N 2
c3 c3 m 3 mod N 3
m3mod N2

Insecure channel
Consider, Alice sending the same message x to 3 different people.
Each having a different N (say N1, N2, N3)
But same public key b (say 3)
This allows Mallory to snoop in and get 3 ciphertexts

CR 80
Small Encryption Exponent
By CRT

c1 m3 mod N1

c2 m mod N 2 = X m mod( N1 N 2 N 3 )
3 3

c m3 mod N
3 3

Thus, Mallory can compute X


Since m < N1, m<N2, m<N3 => n < ( N1 x N2 x N3)
Thus, X1/3=m
i.e. The message can be decrypted

It is tempting to have small private and public keys, so that encryption or


decryption may be carried out efficiently. However you would do this at
the cost of security!!

CR 81
Low Decryption Exponent
The attack applies when the private key a is
4
n
small, 3
a <

In such a case a can be computed efficiently

CR 82
Partial Information of Plaintexts
Computing Jacobi of the plaintext
y x b mod n y is the ciphertext; x the message
b is the public key and gcd(b, (n)) = 1
Thus, gcd (b, (p-1 )(q-1 )) = 1
( p 1)(q 1) is even, therefore b must be odd
consider Jacobi
y
= 1
n
b
y x x
= =
n n n
since b is odd

x
thus, RSA encryption leaks the value of the Jacobi symbol
n
CR 83
Partial Information of Plaintexts
first half or second half?
given y = xbmod n,
is it possible to determine if
(0 x < n/2) or (n/2 x < n-1)
first half second half

We prove that RSA does not leak this information


If there exists an efficient algorithm that can
determine if x is in the first or second half then,
the entire plaintext can be obtained

CR 84
Binary Search Trees on x
Consider this function
[0,13)
n
0 if 0 x < 0
HALF ( x) = 2
n [0-6.5) [6.5,13)
1 if x < n 1
2 0
example [0,3.25)
x = 3 mod 13 HALF ( x) = 0 1
[0,1.625)
2 x 6 mod 13 HALF (2 x) = 0
4 x 12 mod 13 HALF (4 x) = 1 [1.625,3.25)
8 x 11 mod 13 HALF (8 x) = 1
16 x 9 mod 13 HALF (16 x) = 1 3

CR 85
Partial Information of Plaintexts
(first or second half proof)
Assume a hypothetical oracle called HALF as follows
n
0 if 0 x <
HALF ( n, b, y ) = 2
n
y x b mod n 1 if x < n 1
2
2b y (2 x) b mod n
4b y (4 x) b mod n n
HALF ( y ) = 0 => x [0, )
2
8b y (8 x)b mod n
16b y (16 x) b mod n
n n n
HALF (2b y ) = 0 => x [0, ) HALF (2b y ) = 1 => x [ , )
4 4 2

n n n
HALF (2 2b y ) = 0 => x [0, ) HALF (2 2b y ) = 0 => x [ , )
8 8 4

CR 86
Example
n=1457, b=779, y=722
hi
1
0
1
0
1
1
1
1
1
0
0

Thus, if we have an efficient function HALF, we can recover


the plaintext message.

CR 87
Man in the Middle Attack
The process of encryption with a public key
cipher

Bob decrypts
with his private
key
CR 88
Man in the Middle Attack
The process of encryption with a public key
cipher Man in the middle
Intercepts messages

Mallory decrypts
with her private
key and re-
encrypts Bob decrypts
with Bobs with his private
public key key
CR 89
Searching the Message Space
Suppose message space is small,
Mallory can try all possible messages, encrypt
them (since she knows Bobs public key) and check
if it matches Alices ciphertext

Bob decrypts
with his private
key
CR 90
Bad Prime Generation Algorithms
Suppose the prime generation was faulty
So that, primes generated were always from a
small subset
Then, RSA can be broken
Pairwise GCD of over a million RSA modulii
collected from the Internet showed that
2 in 1000 have a common prime factor

CR Ron was Wrong, Whit is right, 2012 91


Discrete Log Problem, ElGamal,
and Diffie Hellman

CR STINSON : chapter 6 92
Primitive Elements of a Group
Let (G, ) be a group of order n.
Let G,
The order of is the smallest integer m such that m = 1
is termed as a primitive element if it has order n.
If is a primitive element then
= { i : 0 i n - 1} generates all elements in G

Consider Z 13* = {1,2,3, L ,12}


( Z13* ,) forms a group of order 12
Let 7 Z13* , <7> has order 12
and generates all elements in Z.
7 = {7, 10, 5, 9,11,12, 6, 3, 8, 4, 2,1} Thus, 7 is a primitive element

CR 93
Discrete Log Problem
Let (G,) be a group
Let G be a primitive element in the group with order n
Define the set
= { i : 0 i n 1}

For any unique integer a (0 a n 1),


let a =
Denote a = log as the discrete logarithm of

Given and a, it is easy to compute


Given and it is computationally difficult to determine what a was

CR 94
ElGamal Public Key Cryptosystem
Fix a prime p (and group Zp)
Let Z p be a primitive element
Choose a secret a and compute a mod p
Public keys : , , p Private key : a

Encryption Decryption

choose a random (sec ret ) k Z p d k ( x) = y2 ( y1a ) 1 mod p


ek ( x) = ( y1 , y2 )
= x k ( ka ) 1 mod p
where y1 = k mod p,
= x ka ( ka ) 1 mod p
y2 = x k mod p
CR x 95
ElGamal Example
p = 2579, = 2 ( is a primitive element mod p)
Choose a random a = 765
Compute 2765 mod 2579
Encryption of message x = 1299
choose a random key k = 853
y1 = 2853 mod 2579 = 435
y2 = 1299 x 949853 = 2396

Decryption of cipher (435, 2396)


2396 x (435765)-1 mod p
= 1299
CR 96
Finding the Log
a mod p
Given and it is computationally difficult to determine what a was

Brute force (compute intensive)


compute , 2 , 3 , 4 ...... (until you reach )
this would definitely work, but not practical if p is large
complexity O(p), space complexity O(1)
Memory Intensive
precompute , 2 , 3 , 4 ...... (all values). Sort and store.
For any given look up the table of stored values.
complexity O(1) but space complexity O(n)

CR 97
Shanks Algorithm
(also known as Baby-step Giant-step)

a mod p
Rewrite a as a = mq + r
where m = p
mq r mod p
( m ) r mod p
q

We neither know q nor r, so we need to try out several


values for q and r until we find a collision

CR 98
Shanks Algorithm
(example)
p= 31 and =3. Suppose =6.
What is a?
(31 ) 6 mod 31 = 2
m= 31 = 6
collision
3 ( 6 ) 0 = 6 20 = 6
2 9 ( 6 )1 = 6 21 = 12
List 1

List 2
3 27 ( 6 ) 2 = 6 2 2 = 24
4 = 81 19 mod 31 ( 6 )3 = 6 23 17 mod 31
5 = 19 3 26 mod 31 ( 6 ) 4 = 6 2 4 3 mod 31

Thus, m=6, q=4, r=1, a= mq+r = 25

CR 99
Shanks Algorithm

Create List 1

Create List 2

Find collision

CR 100
Complexity of Shanks Algorithm

O(m)
O(mlog m)

O(m)
O(mlog m)

O(log m)

O(mlogm) ~ O(m) = O(p1/2)

CR 101
Other Discrete Log Algorithms
a mod n

Pollard-Hellman Algorithm
used when n is a composite
Pollard-Rho Algorithm
about the same runtime as the Shanks
algorithm, but has much less memory
requirements

CR 102
Diffie Hellman Problem
Let (G,) be a group
Let G be a primitive element in the group with order n
Define the set
= { i : 0 i n 1}

given a and b , find ab Computational DH (CDH)

given a , b and c , determine if c ab mod n


Decision DH (DDH)

CR 103
Recall
Diffie Hellman Key Exchange
Alice and Bob agree upon a prime p and a generator g.
This is public information

choose a secret a choose a secret b


compute A = ga mod p compute B = gb mod p

B A
Compute K = Ba mod p Compute K = Ab mod p

Ab mod p = (ga)b mod p = (gb)a mod p = Ba mod p

CR 104

You might also like