06 Rsa
06 Rsa
06 Rsa
Cryptography
Chester Rebeiro
IIT Madras
CR STINSON : chapter 5, 6
Ciphers
Symmetric Algorithms
Encryption and Decryption use the same key
i.e. KE = KD
Examples:
Block Ciphers : DES, AES, PRESENT, etc.
Stream Ciphers : A5, Grain, etc.
Asymmetric Algorithms
Encryption and Decryption keys are different
KE KD
Examples:
RSA
ECC
CR 2
Asymmetric Key Algorithms
KE KD
CR 3
One Way Functions
Easy to compute in one direction
Once done, it is difficult to inverse
CR 4
Trapdoor One Way Function
One way function with a trapdoor
Trapdoor is a special function that if possessed can be used to
easily invert the one way
trapdoor
Locked
(difficult to unlock) Easily Unlocked
CR 5
Public Key Cryptography
(An Anology)
Alice puts message into box and locks it
Only Bob, who has the key to the lock can open it and read
the message
CR 6
Mathematical Trapdoor One way
functions
Examples
Factorization of two primes
Given P, Q are two primes
and N = P * Q
It is easy to compute N
However given N it is difficult to factorize into P and Q
Used in cryptosystems like RSA
Discrete Log Problem
Consider b and g are elements in a finite group and bk = g, for some k
Given b and k it is easy to compute g
Given b and g it is difficult to determine k
Used in cryptosystems like Diffie-Hellman
A variant used in ECC based crypto-systems
CR 7
Applications of Public key
Cryptography
Encryption
Digital Signature :
Is this message really from Alice?
Alice signs by encrypting with private key
Anyone can verify signature by decrypting with Alices public key
Why it works?
Only Alice, who owns the private key could have signed
CR 8
Applications of Public key
Cryptography Diffie-Hellman
Key Exchange
Key Establishment :
Alice and Bob want to use a block cipher for encryption. How
do they agree upon the secret key
Alice and Bob agree upon a prime p and a generator g.
This is public information
B A
Compute K = Ba mod p Compute K = Ab mod p
CR 9
RSA
Mathematical Background
CR 11
RSA : Key Generation
Bob first creates a pair of keys (one public the other private)
CR 12
RSA Encryption & Decryption
Encryption Decryption
eK ( x) = y = x b mod n
d K ( x) = y a mod n
where x Z n
CR 13
RSA Example
Message x = 12345
encryption : y = 1234513 mod 572681 536754
decryption : x = 536754395413 mod 572681 12345
CR 14
Correctness
when x Z n and gcd( x , n ) = 1
Encryption
Decryption
eK ( x) = y = x mod n
b
where x Z n d K ( x) = y a mod n
y a ( x b ) a mod n ab 1 mod ( n )
ab 1 = t ( n )
( x ab ) mod n ab = t ( n ) + 1
( x t ( n ) +1 ) mod n
From Fermats theorem
t ( n )
(x x) mod n
CR x 15
Correctness
when x Z n and gcd( x , n ) 1
Since n = pq , gcd( x , n ) = p or gcd( x , n ) = q
Assume gcd( n, x) = p
If
=> p | x => pk = x
xx ab
mod p LHS : x mod p pk mod p 0
xx ab
mod q RHS : x ab mod p 0
=> x x ab mod n Q gcd( p, x) = p it implies gcd( q, x) = 1
(by CRT ) x ab mod q x t ( n ) +1 mod q
x t ( p ) ( q ) +1 mod q
( x ( q ) ) t ( p ) x mod q
CR (1) t ( p ) x mod q x 16
RSA Implementation
y = x c mod n
i ei z
4 1 12* x = x
3 0 x2
c = 23 = (10111)2 2 1 x4 * x = x 5
1 1 X10 * x = x11
0 1 x22 * x = x23
CR 17
RSA Implementation in Software
(Multi-precision Arithmetic)
RSA requires arithmetic in 1024 or 2048 bit numbers
Modern processors have ALUs that are 8, 16, 32, 64 bit
Typically can perform arithmetic on 8/16/32/64 bit numbers
solution: multi-precision arithmetic (gmp library)
CR 1024 bits 18
Multi-precision Addition
ADD : a = 9876543210 = (2, 76, 176, 22, 234)256
b = 1357902468 = (80, 239, 242, 132)256
base = 8 bit (256)
a*b=
(0 85 241 247 25 195 102)256
= 99447721140070
CR 21
Multi-precision Multiplication
(Karatsuba Multiplication)
Let a, b be two multiprecision integers with n B ary words.
Let m = n / 2
a = ah B m + al
b = bh B m + bl
a b = (ah bh ) B 2 m + (ah bl + al bh ) B m + al bl
= (ahbh ) B 2 m + (ah bh + al bl + (ah al )(bh bl ) )B m + al bl
CR 22
Multi-precision Multiplication
(Karatsuba Multiplication)
B = 256; ahbh = (1, 176, 254, 234)256
a = 123456789 = (7, 91, 205, 21)256
b = 987654321 = (58, 222, 104, 177)256 albl = (83, 222, 83, 133)256
ah - bh = -(197, 186)256
n=4; m=2 al - bl = -(45, 211)256
ah = (7, 91); al = (205, 21)
(ah - bh) (al - bb)l) = (35, 100, 170, 78)256
a = (7, 91)2562 + (205, 21)
ahbl + albh
bh = (58, 222); bl = (104, 177) = ahbh+ albl - (ah - bh) (al - bl)
b = (58, 222)2562 + (104, 177) = (50, 42, 168, 33)256
CR 24
Multi-precision libraries
GMP : GNU Multi-precision library
Make use of Intels SSE/AVX instructions
These are SIMD instructions that have large
registers (128, 256, 512 bit)
Crypto libraries
OpenSSL, PolarSSL, NaCL, etc.
CR 25
Finding Primes
CR 26
Test for Primes
How to generate large primes?
Select a random large number
Test whether or not the number is prime
What is the probability that the chosen number is a
prime?
Let (N) be the number of primes < N
From number theory, (N) N/ln N
Therefore probability of a random number (< N) being a
prime is 1/ln N
As N increases, it becomes increasingly difficult to find large
primes
CR 27
GIMPS
There are infinite prime numbers (proved by Euclid)
Finding them becomes increasingly difficult as N
increases
GIMPS : Great Internet Mersenne Prime Search
Mersenne Prime has the form 2n 1
Largest known prime (found in 2016) has 22 million digits
2274,207,281 1
$3000 to beat this
CR https://en.wikipedia.org/wiki/Largest_known_prime_number 28
Primality Tests with Trial Division
School book methods (trial division)
Find if N divides any number from 2 to N-1
find if N divides any number from 2 to N1/2
Find if N divides any prime number from 2 to N1/2
Too slow!!!
Need to divide by N-1 numbers
Need to divide by N1/2 numbers
Need to divide by (N/lnN)1/2 primes
For example, if n is approx 21024, then need to check around 2507
numbers
Need something better for large primes
Randomized algorithms
CR 29
Randomized Algorithms for
Primality Testing
Monte-carlo Randomized Algorithms
Always runs in polynomial time
May produce incorrect results with bounded probablity
CR 30
Finding Large Primes
(using Fermats Theorem)
CR 31
Fermats Primality Test
Increasing confidence with multiple bases
primality _ test ( n ){
c=0
for (i = 0; i < 1000 ; + + i ){
if (is _ prime ( n ) == FALSE )
return COMPOSITE
}
return probably PRIME
}
CR 32
Flaw in the Fermats Primality Test
CR 33
Strong probable-primality test
If n is prime, the square root of an-1 is either
+1 or -1
a 2 1 mod n
a 2 1 mod n
(a + 1)(a 1) 0 mod n
either (a + 1) 0 mod n or (a 1) 0 mod n
CR 34
Miller-Rabin Primality Test
Yes-base primality test for composites
Does not suffer due to Carmichael numbers
Write n-1 = 2sd
where d is odd and s is non-negative
n is a composite if
d 2r
a 1 mod n and (a ) 1 mod n
d
CR 35
Proof of Miller-Rabin test
Write n-1 = 2sd
d 2r
a 1 mod n and (a ) 1 mod n
d
CR 36
Proof of Miller-Rabin test
Proof: We prove the contra-positive. We will assume n to be
prime. Thus we prove,
d 2r
a 1 mod n or (a ) 1 mod n
d
d 21 d 22 d 23 d 2s d
a ,a ,a ,a ,LL , a
The roots of x2 = 1 mod n is either +1 or -1
In the sequence, if ad is 1, then all elements in the sequence will be 1
If ad is not 1, then there should be some element in the sequence
which is -1, in order to have the final element as 1
CR 37
Miller-Rabin Algorithm
(test for composites)
Input n
T 1 . Find an odd integer d such that n 1 = 2 s d
T 2 . Select at random a nonzero a Z n
T 3 . Compute b = a d mod n
If b = 1, return ' n is prime '
i
T 4 . For i = 1, L , r 1, calculate c b 2 mod n
If c = 1, return ' n is prime '
T 5 . Otherwise return ' n is composite '
CR 38
Quadratic Residues
CR 39
Legendre Symbol
0 if p | a
a
= 1 if a is a QR mod p
p 1 if a is a QNR mod p
CR 40
Eulers Criteria
CR 41
when Quadratic Non Residue
when a is a QNR , no such x Z p exists s.t . a x 2 mod p
p 1
consider : a 2
mod p ( note p 1 is even , if p is an odd prime )
squaring : a p 1 mod p 1
p 1 2
so , a 2 1 mod p
p 1
Thus , a 2
1 mod p
p 1
a 2
1 mod p , since a is not a QR
p 1
Thus a 2
1 mod p
CR 42
Examples
n is an odd prime
p 131
4 mod 13 46 mod 13 1
2
5 is a QNR mod 13
56 mod 13 12 mod 13 1
15 1
n is an odd prime
Congurence may
or may not hold
Eulers Witness
7 2
mod 15 7 7 mod 15 2
when
Eulers Liar 15 1
14 2
mod 15 14 7 mod 15 1
CR 43
Solovay Strassen Primality Test
SOLOVAYSTRASSEN (n){
choose a random integer a such that 1 a n-1
a
compute x =
n
How to compute
if ( x = 0) return COMPOSITE
Legendres symbol n 1
compute y = a 2
mod n
if ( x y mod n) return possiblyPRIME
else return COMPOSITE
}
Then,
e1 e2 e3 e4
a a a a a
=
L
n p1 p2 p3 p4
CR 45
Jacobi Properties
a b
P1. If a b mod n then =
n n
2 1 if n 1 mod 8
P 2. =
n 1 if n 3 mod 8
ab a b
P3. =
n n n
k
a 2 t
P 4. if a is even, a = 2 k t , =
n n n
P5. if a is odd ,
n
if n a 3 mod 4
a a
=
n n
otherwise
a
CR 46
Computing Jacobi
P5, P1
and 1 is a QR mod 13
CR 47
Factoring Algorithms
CR 48
Factorization to get the private key
Public information (n, b)
If Mallory can factorize n into p and q then,
She can compute (n) = (p-1)(q-1)
She can then computethe private key by nding a b-1 mod (n)
How to factorize n?
CR 49
Trial Division
Fundamental theorem of arithmetic
Any integer number (greater than 1) is either prime or a product of prime
powers
n = p1e1 p2e2 p3e3 L pkek
CR 50
Pollard p-1 Factorization
n = pq
CR 51
Pollard p-1 Factorization
Pollard p-1 factorization for n.
S1. a 2
S 2. if gcd (a, n) > 1, then this gcd is a prime factor of n, we are done.
S 3. compute d gcd (a r! -1, n)
if d = n, start again from S1 with next value of a
else if d = 1 , increment r and repeat S 3
else d is the prime factor of n; we are done!
r = 2,3, 4, H..
CR 52
Pollard Rho Algorithm
Form a sequence S1 by selecting randomly (with replacement)
from the set Zn
S1 = x0 , x1 , x2 , x3 , x4 , L x 0 x0 mod p
Also assume we magically find a x1 x1 mod p
new sequence S2 comprising of x 2 x2 mod p
S 2 = x 0 , x1 , x 2 , x 3 , x 4 , L where x x mod p
3 3
d gcd(( xi x j , n)
CR 54
Selecting elements of S1
To choose the next element of S1, Pollard suggests
using a function f : Z n Z n
with requirement that the output looks random.
Example : f ( x) = x 2 + 1 mod n
CR 55
Example
This column is just
N= 82123, x0 = 631, f(x) = x2 + 1 for understanding.
In reality we will not know this
DrawbackH
Large number of GCD
computations. In this case
55.
Given xi mod N, we compute gcds of every pair until we find a gcd greater
than 1
gcd( x3 x10 , N ) = gcd(63222, 82123) = 41 A factor of N
CR 56
The Rho in Pollard-Rho
N= 82123, x0 = 631, f(x) = x2 + 1 21
26
5 32
2 0
40 1
11
16
x t = x t +l mod p
The smallest value of t and l, for which the above congruence holds is t=3, l=7
For l=7, all values of t > 3 satisfy the congruence
This leads to a cycle as shown in the figure
(and a shape like the Greek letter rho) x j = x j +l mod p t 3
CR 57
Reducing gcd computations
GCD computations can be expensive.
Use Floyds cycle detection algorithm to reduce the number of
21
GCD computations. 26
5 32
choose a random x 0 = y 0 Z n
2 0
x i = f ( x i 1 ) 1
40
y i = x 2 i = f ( f ( y i 1 ))
loop
11
If d = gcd( x i y i , N ) > 0 , return d
16
CR 58
The first time xi = yi mod p occurs
is when i t + l
l is the number of points in the cycle
t is the smallest value of i such that xi yi mod N
xi and yi meet at the same point in the cycle
Therefore, yi must have traversed (some) cycles more
xi yi mod N
xi x2i mod N consider ( k + 1) l
l | (2i i ) = kl + l t + l
l | i => lk = i
CR 59
Expected number of operations
before a collision
Can be obtained from Birthday paradox
to be p
CR 60
Congruences of Squares
Given N=p x q, we need to find p and q
Suppose we find an x and y such that x 2 y 2 mod N
Then,
N | ( x 2 y 2 ) = > N | ( x y )( x + y )
This implies,
gcd( N , ( x y )) or gcd( N , ( x + y )) factors N
CR 61
Example
Consider N = 91
10 2 32 mod 91 34 2 82 mod 91
91 | (10 3)(10 + 3) 91 | (34 + 8)(34 8)
91 | (7 13) 91 | 42 26
gcd(91,13) = 13 gcd(91, 26) =13
gcd(91, 7) = 7 gcd(91, 42) = 7
CR 62
Another Example
N = 1649
32 and 200 are not perfect squares.
412 32 mod1649 However (32x200 = 6400) = 802
432 200 mod 1649 is a perfect square
e1 , e2 , e3 ,... is even
Thus,
32 = 2550 not a perfect square
200 = 2352 not a perfect square
(32x200) = 2550 x 2352 = 2852 = (2451)2 is a prefect square
CR 64
Dixons Random Squares
Algorithm
1. Choose a set B comprising of b smallest primes. Add -1 to
this set.
(A number is said to be b-smooth, if its factors are in this set)
2. Select an r at random
Compute y = r mod N
2
CR 65
Example
N = 1829
b=6 B = {-1, 2,3,5,7,11,13}
Choose random values of r, square and factorize
CR 66
Check Exponents
-1 2 3 5 7 11 13
-65 1 0 0 1 0 0 1
20 0 2 0 1 0 0 0
63 0 0 2 0 1 0 0
-11 1 0 0 0 0 1 0
-91 1 0 0 0 1 0 1
80 0 4 0 1 0 0 0
CR 67
Check Exponents
-1 2 3 5 7 11 13
-65 1 0 0 1 0 0 1
20 0 2 0 1 0 0 0
63 0 0 2 0 1 0 0
-11 1 0 0 0 0 1 0
-91 1 0 0 0 1 0 1
80 0 4 0 1 0 0 0
sum 2 2 2 2 2 0 2
Thus 1829 = 59 31
CR 69
State of the Art
Factorization Techniques
Quadratic Sieve
Fastest for less than 100 digits
General Number field Sieve
Fastest technique known so far for greater than 100 digits
Open source code (google GGNFS)
RSA factoring challenge
Best so far is 768 bit factorization
Current challenges 896 bits (reward $75,000), 1024 bit ($100,000)
CR https://en.wikipedia.org/wiki/RSA_Factoring_Challenge
70
RSA Attacks
CR 71
(n) leaks
If an attacker gets (n) then n can be factored
n = pq q = n/ p
(n) = ( p 1)(q 1)
= pq ( p + q ) + 1
n
( n) = n ( p + ) + 1
p
p 2 (n (n) + 1) p + n = 0
CR 72
square roots of
1 mod n
There are two trivial and two non-trivial solutions for y 1 mod n
2
y 1 mod q
y 1 mod q
y 1 mod q
y +1 mod p y 1 mod p
y 1 mod q y +1 mod q
CR 73
Example
n=403 = 13 x 31
To get the non-trivial solutions of y 1 mod n solve using CRT
2
y +1 mod p y 1 mod p
y 1 mod q y +1 mod q
ab 1 mod (n)
1. given a compute ab 1 k (n) = ab 1
ab 1 ab 1
2. Represent t =
2 y1 = x 2
1 mod n
3. choose any message x thus, ( y12 1) 0 mod n
4. put y = x t mod n n | ( y + 1)( y 1)
5. compute d gcd( y 1, n)
This will only work if y 1 mod n.
6. if d 1, return " a factor of n is d" ; exit If y = 1 mod n. then goto step 7
7. if (t is even) t = t / 2; goto step 4
else return " failure"
CR 76
Example
N=403, b=23, a=47
t = ab 1 = 1080 x=2
1080
loop1 : t = = 540 y x t mod 403 = 2540 mod 403 1
2
540
loop 2 : t = = 270 y x t mod 403 = 2 270 mod 403 311
2
gcd(310, 403) = 31 ( a factor of n)
t = ab 1 = 1080 x=9
1080
loop1 : t = = 540 y x t mod 403 = 9540 mod 403 1
2
540
loop 2 : t = = 270 y x t mod 403 = 9 270 mod 403 1
2
270
loop3 : t = = 135 y x t mod 403 = 9135 mod 403 1
2
cant divide 135 further. failure
CR 77
Small Encryption Exponent
In order to improve efficiency of encryption, a small
encryption exponent is preferred
However, this can lead to a vulnerability
CR 78
Small Encryption Exponent
c1
Alice m3mod N1
m c2
m3mod N2
c3
m3mod N2
Insecure channel
Consider, Alice sending the same message x to 3 different people.
Each having a different N (say N1, N2, N3)
But same public key b (say 3)
CR 79
Small Encryption Exponent
c1
Alice m3mod N1
m c2 c1 m 3 mod N1
m3mod N2
c2 m 3 mod N 2
c3 c3 m 3 mod N 3
m3mod N2
Insecure channel
Consider, Alice sending the same message x to 3 different people.
Each having a different N (say N1, N2, N3)
But same public key b (say 3)
This allows Mallory to snoop in and get 3 ciphertexts
CR 80
Small Encryption Exponent
By CRT
c1 m3 mod N1
c2 m mod N 2 = X m mod( N1 N 2 N 3 )
3 3
c m3 mod N
3 3
CR 81
Low Decryption Exponent
The attack applies when the private key a is
4
n
small, 3
a <
CR 82
Partial Information of Plaintexts
Computing Jacobi of the plaintext
y x b mod n y is the ciphertext; x the message
b is the public key and gcd(b, (n)) = 1
Thus, gcd (b, (p-1 )(q-1 )) = 1
( p 1)(q 1) is even, therefore b must be odd
consider Jacobi
y
= 1
n
b
y x x
= =
n n n
since b is odd
x
thus, RSA encryption leaks the value of the Jacobi symbol
n
CR 83
Partial Information of Plaintexts
first half or second half?
given y = xbmod n,
is it possible to determine if
(0 x < n/2) or (n/2 x < n-1)
first half second half
CR 84
Binary Search Trees on x
Consider this function
[0,13)
n
0 if 0 x < 0
HALF ( x) = 2
n [0-6.5) [6.5,13)
1 if x < n 1
2 0
example [0,3.25)
x = 3 mod 13 HALF ( x) = 0 1
[0,1.625)
2 x 6 mod 13 HALF (2 x) = 0
4 x 12 mod 13 HALF (4 x) = 1 [1.625,3.25)
8 x 11 mod 13 HALF (8 x) = 1
16 x 9 mod 13 HALF (16 x) = 1 3
CR 85
Partial Information of Plaintexts
(first or second half proof)
Assume a hypothetical oracle called HALF as follows
n
0 if 0 x <
HALF ( n, b, y ) = 2
n
y x b mod n 1 if x < n 1
2
2b y (2 x) b mod n
4b y (4 x) b mod n n
HALF ( y ) = 0 => x [0, )
2
8b y (8 x)b mod n
16b y (16 x) b mod n
n n n
HALF (2b y ) = 0 => x [0, ) HALF (2b y ) = 1 => x [ , )
4 4 2
n n n
HALF (2 2b y ) = 0 => x [0, ) HALF (2 2b y ) = 0 => x [ , )
8 8 4
CR 86
Example
n=1457, b=779, y=722
hi
1
0
1
0
1
1
1
1
1
0
0
CR 87
Man in the Middle Attack
The process of encryption with a public key
cipher
Bob decrypts
with his private
key
CR 88
Man in the Middle Attack
The process of encryption with a public key
cipher Man in the middle
Intercepts messages
Mallory decrypts
with her private
key and re-
encrypts Bob decrypts
with Bobs with his private
public key key
CR 89
Searching the Message Space
Suppose message space is small,
Mallory can try all possible messages, encrypt
them (since she knows Bobs public key) and check
if it matches Alices ciphertext
Bob decrypts
with his private
key
CR 90
Bad Prime Generation Algorithms
Suppose the prime generation was faulty
So that, primes generated were always from a
small subset
Then, RSA can be broken
Pairwise GCD of over a million RSA modulii
collected from the Internet showed that
2 in 1000 have a common prime factor
CR STINSON : chapter 6 92
Primitive Elements of a Group
Let (G, ) be a group of order n.
Let G,
The order of is the smallest integer m such that m = 1
is termed as a primitive element if it has order n.
If is a primitive element then
= { i : 0 i n - 1} generates all elements in G
CR 93
Discrete Log Problem
Let (G,) be a group
Let G be a primitive element in the group with order n
Define the set
= { i : 0 i n 1}
CR 94
ElGamal Public Key Cryptosystem
Fix a prime p (and group Zp)
Let Z p be a primitive element
Choose a secret a and compute a mod p
Public keys : , , p Private key : a
Encryption Decryption
CR 97
Shanks Algorithm
(also known as Baby-step Giant-step)
a mod p
Rewrite a as a = mq + r
where m = p
mq r mod p
( m ) r mod p
q
CR 98
Shanks Algorithm
(example)
p= 31 and =3. Suppose =6.
What is a?
(31 ) 6 mod 31 = 2
m= 31 = 6
collision
3 ( 6 ) 0 = 6 20 = 6
2 9 ( 6 )1 = 6 21 = 12
List 1
List 2
3 27 ( 6 ) 2 = 6 2 2 = 24
4 = 81 19 mod 31 ( 6 )3 = 6 23 17 mod 31
5 = 19 3 26 mod 31 ( 6 ) 4 = 6 2 4 3 mod 31
CR 99
Shanks Algorithm
Create List 1
Create List 2
Find collision
CR 100
Complexity of Shanks Algorithm
O(m)
O(mlog m)
O(m)
O(mlog m)
O(log m)
CR 101
Other Discrete Log Algorithms
a mod n
Pollard-Hellman Algorithm
used when n is a composite
Pollard-Rho Algorithm
about the same runtime as the Shanks
algorithm, but has much less memory
requirements
CR 102
Diffie Hellman Problem
Let (G,) be a group
Let G be a primitive element in the group with order n
Define the set
= { i : 0 i n 1}
CR 103
Recall
Diffie Hellman Key Exchange
Alice and Bob agree upon a prime p and a generator g.
This is public information
B A
Compute K = Ba mod p Compute K = Ab mod p
CR 104