# RSA Public Key CryptoSystem One way Trapdoor Functions

Diffie and Hellman (76)
“New Directions in Cryptography”
Split Bob’s secret key K into two parts:

• K_E, to be used for encrypting messages to Bob.
• K_D, to be used for decrypting messages by Bob.
(public key cryptography, asymmetric cryptography)
Integer Multiplication & Factoring as a One Way Function.

p, q --> N = pq : easy
N = pq --> p, q : hard

Q.: Can a public key system be based on this observation?
Excerpts from RSA paper (CACM, 1978)
The era of “electronic mail” may soon be upon us; we must
ensure that two important properties of the current “paper
mail” system are preserved: (a) messages are private, and (b)
messages can be signed. We demonstrate in this paper how
to build these capabilities into an electronic mail system.

At the heart of our proposal is a new encryption method.
This method provides an implementation of a “public-key
cryptosystem,” an elegant concept invented by Diffie and
Hellman. Their article motivated our research, since they
presented the concept but not any practical implementation
of such a system.
The Multiplicative Group Z_pq*

Let p and q be two large primes and N = pq be their product.
The multiplicative group Z_N* = Z_pq* contains all integers in the range [1, pq-1] that are relatively prime to both p and q.

The size of the group is
φ(pq) = (p-1)(q-1) = N - (p+q) + 1,
so for every x ∈ Z_pq*, x^((p-1)(q-1)) = 1.
Exponentiation in Z_pq*

Motivation: We want to use exponentiation for encryption.
Note that not all integers in {1, 2, ..., pq-1} belong to Z_pq*. These elements do not have an inverse in Z_pq* (therefore multiplication in Z_pq* is not a one-to-one mapping).

However the choice of e implies
Let e be an integer, 1 < e < (p-1)(q-1).

Question: When is exponentiation to the e-th power, x --> x^e, a one-to-one op in Z_pq*?
Exponentiation in Z_pq*

Claim: If e is relatively prime to (p-1)(q-1), then x --> x^e is a one-to-one op in Z_pq*.

Constructive proof: Since gcd(e, (p-1)(q-1)) = 1, e has a multiplicative inverse mod (p-1)(q-1).
Denote it by d; then ed = 1 + C(p-1)(q-1).

Let y = x^e; then y^d = (x^e)^d = x^(1+C(p-1)(q-1)) = x,
meaning y --> y^d is the inverse of x --> x^e. QED
RSA Public Key Cryptosystem
• Let N=pq be the product of two primes
• Choose e such that gcd(e,φ(N))=1
• Let d be such that de≡1 mod φ(N)
• The public key is (N,e)
• The private key is d
• Encryption of M∈Z_N* by C = E(M) = M^e mod N
• Decryption of C∈Z_N* by M = D(C) = C^d mod N

“The above mentioned method should not be confused with the
exponentiation technique presented by Diffie and Hellman to solve
the key distribution problem”.
Constructing an instance of RSA PKC
• Alice first picks at random two large primes, p
and q.
• Alice then picks at random a large d that is
relatively prime to (p-1)(q-1) ( gcd(d,φ(N))=1 ).
• Alice computes e such that de≡1 mod φ(N)

• Let N=pq be the product of p and q.
• Alice publishes the public key (N,e).
• Alice keeps the private key d, as well as the
primes p, q and the number φ(N), in a safe place.
A Small Example
• Let p=47, q=59, N=pq=2773. φ(N)=
46*58=2668.
Pick d=157, then 157*17 - 2668 =1, so e=17 is
the inverse of 157 mod 2668.
For N = 2773 we can encode two letters per block, using a two-digit number per letter:
blank=00, A=01, B=02, …, Z=26.
Message: ITS ALL GREEK TO ME is encoded
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500
A Small Example
N=2773, e=17 (10001 in binary).
ITS ALL GREEK TO ME is encoded as
0920 1900 0112 1200 0718 0505 1100 2015 0013 0500

First block M=0920 encrypts to
M^e = M^17 = (((M^2)^2)^2)^2 * M = 948 (mod 2773)
The whole message (10 blocks) is encrypted as
0948 2342 1084 1444 2663 2390 0778 0774 0219 1655

Indeed 0948^d = 0948^157 = 920 (mod 2773), etc.
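
The small example above, worked end to end as an added Python example (not part of the original slides): e is derived from d with the extended Euclidean algorithm, as in the constructive proof, and the message is encoded two letters per block. The function names are illustrative.

```python
def ext_gcd(a, b):
    """Return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t

def inverse_mod(a, m):
    g, s, _ = ext_gcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: a and m are not relatively prime")
    return s % m

P, Q, D = 47, 59, 157                       # values from the slide
N, PHI = P * Q, (P - 1) * (Q - 1)           # 2773 and 2668
E = inverse_mod(D, PHI)                     # e with d*e = 1 mod phi(N)

ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"    # blank=00, A=01, ..., Z=26

def encode(text):
    """Two letters per block, two decimal digits per letter."""
    if len(text) % 2:
        text += " "                         # pad the last block with a blank
    codes = [ALPHABET.index(ch) for ch in text]
    return [100 * codes[i] + codes[i + 1] for i in range(0, len(codes), 2)]

def decode(blocks):
    return "".join(ALPHABET[b // 100] + ALPHABET[b % 100] for b in blocks)

def encrypt(blocks):
    return [pow(m, E, N) for m in blocks]   # C = M^e mod N

def decrypt(blocks):
    return [pow(c, D, N) for c in blocks]   # M = C^d mod N

if __name__ == "__main__":
    cipher = encrypt(encode("ITS ALL GREEK TO ME"))
    print(" ".join(f"{c:04d}" for c in cipher))
    print(decode(decrypt(cipher)))
```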
RSA: implementation
1. Find large prime numbers (random)
Algorithm:
- choose a random odd integer i
- check whether i is prime (we’ll see soon)
Note:
- Prime numbers are frequent (between N and 2N there are ≈ N/log N prime numbers)
- Hence by randomly choosing an odd integer you expect to find a prime every log N attempts
RSA: implementation
2. Coding algorithm (compute exponentiation): an algorithm for fast encoding
Compute the power by repeated squaring (so computing the powers 2, 4, 8, ...) and then executing multiplications (based on the binary notation of the exponent e)
- No. of operations required: O(log N)
- Constant no. of operations if e is small and its binary representation has few ones
example:
- e = 3: compute M^2 mod N,
M^3 mod N = ((M mod N) * (M^2 mod N)) mod N
- e = 65537 (2^16 + 1): compute M^2 mod N, M^4 mod N, M^8 mod N, M^16 mod N ... M^65536 mod N;
complete by computing M * M^65536 - total 5 multiplications
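
Steps 1 and 2 above as an added Python example, not part of the original slides: random odd candidates are tested until one is prime, and exponentiation uses repeated squaring driven by the binary digits of the exponent. Miller-Rabin as the primality check, the key size and all function names are assumptions made for the illustration.

```python
import secrets

def mod_exp(base, exp, mod):
    """Square-and-multiply over the binary digits of exp, most significant first."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % mod       # one squaring per bit
        if bit == "1":
            result = (result * base) % mod     # extra multiply only for 1-bits
    return result

def is_probable_prime(n, rounds=40):
    """Miller-Rabin (assumed here; the slides defer the primality check)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = mod_exp(secrets.randbelow(n - 3) + 2, d, n)   # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = (x * x) % n
            if x == n - 1:
                break
        else:
            return False                       # the base proves n composite
    return True

def random_prime(bits):
    """Try random odd integers of the given size; return (prime, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate, attempts

def make_key(bits=256, e=65537):
    while True:
        (p, _), (q, _) = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime: not dividing phi means gcd = 1
            return p * q, e, pow(e, -1, phi)
```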
RSA as a One Way Trapdoor Function.

x --> x^e mod N : easy
x^e mod N --> x : hard

Easy with trapdoor info (d)
Trap-Door OWF

• Definition: f:D→R is a trap-door one way
function if there is a trap-door s such
that:
– Without knowledge of s, the function f is a one
way function
– Given s, inverting f is easy
• Example: f_{g,p}(x) = g^x mod p is not a trap-door one way function.
• Example: RSA is a trap-door OWF.
RSA as a collection of Trap-door OWF
Note: RSA is a method that depends on the parameter given by the key
Def.: Let I be a set of indices and D a finite set. A collection of trap-door one way functions is a set F of functions f_i: D_i → R_i such that for all i in I, f_i is a trap-door one way function

Idea: We need an algorithm that, given a security parameter, selects a random function f_i in F together with trapdoor information t_i
Security of RSA vs computing factors

• Fact 1: given n, e, p and q it is easy to compute d
• Fact 2: given n, e,
– If you factor n then you can compute   φ(n)
– If you factor n then you can compute d
• Conclusion:
– If you factor n then you invert RSA
– OPEN QUESTION: if you invert RSA can you factor n?

NOTE: factoring large numbers has been an open problem for thousands of years…
Attacks on RSA
NOTE: the robustness of RSA does not imply that it is always robust. In fact:
1.   Factor N=pq. This is believed hard unless p, q have some “bad” properties. To avoid such primes, it is recommended to
•    Take p, q large enough (100 digits each).
•    Make sure p, q are not too close together.
•    Make sure both (p-1), (q-1) have large prime factors
(otherwise there is a good factoring algorithm).
2. Some messages might be easy to decode
Properties of RSA

• The requirement (e,ϕ(n))=1 is important for
uniqueness
• Finding d, given p and q is easy. Finding d given
only n and e is assumed to be hard (the RSA
assumption)
• The public exponent e may be small. Typically its value is either 3 (problematic) or 2^16+1
• Each encryption involves several modular
multiplications. Decryption is longer.
RSA: Attacks

Factor N=pq: RSA challenges
RSA Security publishes challenges for factoring:
- RSA 426 bit, 129 digit:
- published 1977
- factored in 1994 (8 months using 1600 computers on the Internet
(10000 Mips))
- RSA 576 bit, 173 digit: factored in dec. 2003, 10000 \$
- RSA 640 (prize 20K\$), RSA 1024 (100K\$), RSA 2048
(200K\$)
RSA: Attacks
Factoring is difficult in general
• BUT there are cases in which decoding RSA is easy
• Easy messages: e.g. if m = 0, 1, n-1 then RSA(m) = m. SOLUTION: rare messages, use salt
• If m is small and e is small (e.g. e=3) then it may happen that m^3 < n; therefore m^3 mod n = m^3
Add random bytes at the beginning of the message to avoid these cases
RSA - Attacks

Small value of e (eg e=3)
• If the adversary has two encodings of similar messages, e.g. m and (m+1):
c1 = m^3 mod n and c2 = (m+1)^3 mod n
• in this case we have
m = (c2 + 2 c1 - 1) / (c2 - c1 + 2)
• Similar problem if the two messages are m and (am + b)
SOLUTION: choose large e / add random bits to avoid similar messages
RSA - Attacks

• If the message space is small then the adversary can compute all possible encodings
example: the adversary knows the encoded message and knows that m is either
m1=10101010 or m2=01010101
the adversary encodes m1 and m2 using the public key and then checks which is the correct message

• SOLUTION: add a random string to increase the message space
RSA - Attacks

• If two users have the same n (even with different e and d) then the system is weak

SOLUTION: choose your own n (there are many prime numbers, so the probability that you choose the same n is very, very small)

Important: we need algorithms to choose random numbers
RSA : Attacks

Chosen ciphertext attack using the multiplicative property of RSA:
– Adversary knows c = M^e mod n
– Adversary randomly chooses X and computes c’ = c X^e mod n
– Alice computes (c’)^d = c^d (X^e)^d = M X mod n !!
– Adversary knows X and computes M !!!
• Solution: messages should be structured (A does not decode if M does not verify the required structure)
RSA - implementation attacks

Known attacks:
• Timing: uses the time taken to compute C^d (a short time implies a small d)
Analogously
• Energy: analyses how much energy is required by a smart card to compute C^d
RSA- attacks: conclusion

Textbook implementation of RSA is NOT safe
• Does not guarantee basic security properties for
all messages
Therefore you must use a STANDARD version
• Given a message M, before encoding
• preprocess M to obtain M’ and then apply RSA to M’ (M and M’ have the same semantics)
M --> M’ --> RSA --> C
Public-Key Crypto. Standard (PKCS)
Standard to use RSA and cryptography protocols
• Many versions (1-15).
• PKCS-1: standard to encode messages (bytes)
m = 0 || 2 || at least 8 non-zero bytes || 0 || M
(M message to be sent)
• first byte 0 implies m < n
• second byte (2 = 00000010) denotes encoding of a message (1 denotes signature of messages); it implies the message is big
• Random bytes imply
– The same message sent several times is different each time;
– An adversary that knows the message space cannot encode and verify (the adversary does not know the random number used for coding the block)
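
The PKCS-1 block format above, set against the small-message-space problem from the earlier attacks slide, as an added Python example that is not part of the original slides. The toy key built from two Mersenne primes, the one-byte candidate messages and all function names are assumptions made for the illustration.

```python
import secrets

# Constructed toy key (assumption): two Mersenne primes, far too weak for real use.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8              # modulus length in bytes (27)

def textbook_encrypt(msg):
    return pow(int.from_bytes(msg, "big"), E, N)

def pad(msg):
    """0x00 || 0x02 || at least 8 non-zero random bytes || 0x00 || M"""
    fill = K - 3 - len(msg)
    if fill < 8:
        raise ValueError("message too long for this modulus")
    random_part = bytes(secrets.randbelow(255) + 1 for _ in range(fill))
    return b"\x00\x02" + random_part + b"\x00" + msg

def unpad(block):
    sep = block.find(b"\x00", 2)           # first zero byte after the header
    if block[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad padding")
    return block[sep + 1:]

def padded_encrypt(msg):
    return pow(int.from_bytes(pad(msg), "big"), E, N)

def padded_decrypt(c):
    return unpad(pow(c, D, N).to_bytes(K, "big"))

def guesses_confirmed(ciphertext, candidates, encrypt):
    """Candidates whose re-encryption under the public key equals ciphertext."""
    return [m for m in candidates if encrypt(m) == ciphertext]

# The two-message space from the slide, as single bytes (constructed sample input).
CANDIDATES = [bytes([0b10101010]), bytes([0b01010101])]
```

With textbook RSA, re-encrypting each candidate identifies the plaintext; with the random bytes in place, re-encryption no longer reproduces the observed ciphertext.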
RSA and Data integrity:OAEP
OAEP (also known as PKCS-1 version 2)
• Encoding: c = RSA[s || t], where s = (M || 0^k1) exor G(r) and t = H(s) exor r
• k0, k1 known constants; G, H known hash functions; r random string of k0 bits (chosen by the sender)
• Decoding: let s || t be the decoded text (t is the last k0 bits); u = t exor H(s); v = s exor G(u); ACCEPT if v = m || 0^k1; OTHERWISE REJECT
• The random r implies that OAEP is robust also in the case of chosen ciphertext (we assume H and G are cryptographically strong hash functions)
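
The decoding rule above, with its ACCEPT/REJECT check applied to the multiplicative manipulation from the chosen-ciphertext slide, as an added Python example that is not part of the original slides and not the standard's exact encoding. Assumptions: G and H are SHA-256 with a prefix byte, k0 = k1 = 64 bits, a leading zero byte keeps the block below N, and the toy key is constructed from two Mersenne primes.

```python
import hashlib
import secrets

P, Q, E = 2**89 - 1, 2**127 - 1, 65537   # constructed toy key (assumption), not secure
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8             # 27-byte modulus
K0, K1 = 8, 8                             # bytes of r and of zero padding (assumed sizes)
S_LEN = K - 1 - K0                        # bytes of s = (M || 0^k1) xor G(r)
MSG_LEN = S_LEN - K1                      # 10-byte messages

def G(r):
    return hashlib.sha256(b"G" + r).digest()[:S_LEN]

def H(s):
    return hashlib.sha256(b"H" + s).digest()[:K0]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(msg):
    if len(msg) != MSG_LEN:
        raise ValueError("message must be exactly MSG_LEN bytes")
    r = secrets.token_bytes(K0)            # fresh random string per encryption
    s = xor(msg + bytes(K1), G(r))
    t = xor(H(s), r)
    return pow(int.from_bytes(s + t, "big"), E, N)   # leading byte is implicitly 0

def oaep_decrypt(c):
    block = pow(c, D, N).to_bytes(K, "big")
    s, t = block[1:1 + S_LEN], block[1 + S_LEN:]
    u = xor(t, H(s))                       # recovers r
    v = xor(s, G(u))                       # recovers M || 0^k1
    if block[0] != 0 or v[MSG_LEN:] != bytes(K1):
        raise ValueError("REJECT")
    return v[:MSG_LEN]

def blinded(c, x):
    """c' = c * x^e mod n, the manipulation from the chosen-ciphertext slide."""
    return (c * pow(x, E, N)) % N

def textbook_decrypt(c):
    return pow(c, D, N)
```

Textbook decryption of `blinded(c, x)` returns M·x mod n, while `oaep_decrypt` raises on the same input because the zero padding no longer checks out.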
Basic Scheme of Public key Crypt.

• A public key encryption scheme includes
the following elements:
– A private key k
– A public key k’
– An encryption algorithm, which is a trap door
OWF. The trap-door info is the private key
• Public key is published
• Encryption uses the public key (anyone can
encrypt)
• Decryption requires the private key
El-Gamal Encryption

• Constructed by El-Gamal in 1985
• Similar to DH
• Alice publishes p, g as public parameters
• Alice chooses x as a private key and publishes g^x mod p as a public key
• Encryption of m∈Z_p by sending (g^y mod p, m*g^(xy) mod p) or (g^y mod p, m + g^(xy) mod p)
• Requires two exponentiations per each
block transmitted.
Real World usage

Two words:
Key Exchange

In fact: RSA (as other known Public Key
algorithms) is slow. So it is generally used
to define a secret key (say using Diffie
and Hellman).

 views: 83 posted: 5/16/2010 language: English pages: 32