RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Similar documents
Applied Cryptography and Computer Security CSE 664 Spring 2018

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Key Exchange. Secure Software Systems

Public Key Algorithms

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

RSA. Public Key CryptoSystem

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Public-key encipherment concept

Chapter 9 Public Key Cryptography. WANG YANG

Chapter 9. Public Key Cryptography, RSA And Key Management

Public key encryption: definitions and security

CS408 Cryptography & Internet Security

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Introduction to Cryptography Lecture 7

ASYMMETRIC CRYPTOGRAPHY

CS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.

Lecture 2 Applied Cryptography (Part 2)

Chapter 11 : Private-Key Encryption

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Lecture 15: Public Key Encryption: I

Public-Key Cryptography

Overview. Public Key Algorithms I

A Tour of Classical and Modern Cryptography

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

CS61A Lecture #39: Cryptography

An overview and Cryptographic Challenges of RSA Bhawana

CS 161 Computer Security

Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck

CSC 474/574 Information Systems Security

Part VI. Public-key cryptography

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Network Security. Chapter 4 Public Key Cryptography. Public Key Cryptography (4) Public Key Cryptography

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

CS 161 Computer Security

What did we talk about last time? Public key cryptography A little number theory

Cryptography. Andreas Hülsing. 6 September 2016

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Symmetric Encryption 2: Integrity

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Security of Cryptosystems

CS 161 Computer Security

Homework 3: Solution

CSE 127: Computer Security Cryptography. Kirill Levchenko

Public Key Cryptography

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Introduction to Public-Key Cryptography

Public Key Cryptography and the RSA Cryptosystem

Chapter 3 Public Key Cryptography

Introduction to Cryptography. Vasil Slavov William Jewell College

CS 161 Computer Security

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction to Cryptography Lecture 7

1 Identification protocols

Encrypted Data Deduplication in Cloud Storage

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

ECEN 5022 Cryptography

Cryptography and Network Security. Sixth Edition by William Stallings

2.1 Basic Cryptography Concepts

Public Key Algorithms

IND-CCA2 secure cryptosystems, Dan Bogdanov

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Kurose & Ross, Chapters (5 th ed.)

Secure Multiparty Computation

Channel Coding and Cryptography Part II: Introduction to Cryptography

RSA (algorithm) History

Uzzah and the Ark of the Covenant

Other Topics in Cryptography. Truong Tuan Anh

2 Secure Communication in Private Key Setting

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Spring 2010: CS419 Computer Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Chapter 10 : Private-Key Management and the Public-Key Revolution

Cryptography III Want to make a billion dollars? Just factor this one number!

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Crypto CS 485/ECE 440/CS 585 Fall 2017

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Key Establishment and Authentication Protocols EECE 412

Computer Security: Principles and Practice

Public Key Cryptography

CS 161 Computer Security

1.264 Lecture 28. Cryptography: Asymmetric keys

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Public-key Cryptography: Theory and Practice

ISA 562: Information Security, Theory and Practice. Lecture 1

Feedback Week 4 - Problem Set

Transcription:

RSA Cryptography in the Textbook and in the Field Gregory Quenell 1

In the beginning... 2

In the beginning... Diffie and Hellman 1976: A one-way function can be used to pass secret information over an insecure channel. x 7 g x(mod p) is easy; finding discrete logarithms is hard. Rivest, Shamir, and Adleman 1977: A trap-door function can be used to implement public-key cryptography. x 7 xe(mod N ) is easy; the inverse mapping is hard unless you know φ(n ). 3

Textbook RSA Choose two large primes p and q. Set N = pq. M, the message space and C, the ciphertext space, are both Z N. Choose an encryption exponent e that is relatively prime to φ(n) = (p 1)(q 1). Use the Euclidean algorithm to find d e 1 (mod φ(n)). Encryption: For m M, define c = Enc(m) = m e mod N Decryption: For c C, define Dec(c) = c d mod N. Then it is easy to check that Dec(Enc(m)) (m e ) d m ed m kφ(n)+1 m (mod N). 4

Textbook RSA: Public-key encryption Bob selects p, q, and e. He computes N and d. Bob makes N and e public. This is the encryption key. Alice has a message m. She computes c = m e mod N and sends c to Bob. Bob knows the value of d, so he can compute c d mod N, and thus recover the value of m. Eve, who traditionally listens in on all conversations between Bob and Alice, knows the values of N and e, and she sees the ciphertext c, (which is equal to m e ). Can she find m? 5

Textbook RSA: Textbook security Eve can recover m from c = m e... if... she can compute d = e 1, which she can do if... she knows the value of φ(n), which she can find if... she can factor N. 6

Textbook RSA: Textbook security Eve can recover m from c = m e... if... she can compute d = e 1, which she can do if... she knows the value of φ(n), which she can find if... she can factor N. So security is related to the difficulty of factoring N... 7

Textbook RSA: Textbook security Eve can recover m from c = m e... if ( ) she can compute d = e 1, which she can do if ( ) she knows the value of φ(n), which she can find if ( ) she can factor N. So security is related to the difficulty of factoring N...... but the arrows go the wrong way. If factoring N is easy, then Eve can easily break RSA. If factoring N is not easy, then?? This is what we believe. 8

Textbook RSA: Textbook security Eve can recover m from c = m e... if ( ) she can compute d = e 1, which she can do if ( ) she knows the value of φ(n), which she can find she can factor N. Reversing arrow #3: If Eve knows N and φ(n), can she factor N? Yes: N = pq and N + 1 φ(n) = p + q. 9

Textbook RSA: Textbook security Eve can recover m from c = m e... if ( ) she can compute d = e 1, which she can do she knows the value of φ(n), which she can find she can factor N. Reversing arrow #3: If Eve knows N and φ(n), can she factor N? Yes: N = pq and N + 1 φ(n) = p + q. Reversing arrow #2: If Eve knows N and e and can find a number d such that x ed x (mod N) for all x, can she find φ(n)? Yes, though this is less obvious. 10

Textbook RSA: Textbook security Eve can recover m from c = m e... if ( ) she can compute d = e 1, which she can do she knows the value of φ(n), which she can find she can factor N. Reversing arrow #3: If Eve knows N and φ(n), can she factor N? Yes: N = pq and N + 1 φ(n) = p + q. Reversing arrow #2: If Eve knows N and e and can find a number d such that x ed x (mod N) for all x, can she find φ(n)? Yes, though this is less obvious. Reversing arrow #1: If Eve knows how to find e th roots in Z N, can she find the inverse of e modulo φ(n)? Unknown. 11

Textbook RSA: Textbook security Result: For RSA security, we have to believe that 1. Factoring is hard and 2. Eve has no efficient way to extract e th roots in Z N. 12

Textbook RSA: Textbook security Result: For RSA security, we have to believe that 1. Factoring is hard and 2. Eve has no efficient way to extract e th roots in Z N. This is the RSA Assumption. 13

Cryptographic Security Definitions Goals: Does she want to... read m? alter m? forge a new m? gain partial information about m? These depend on the attacker s Capabilities: Can she... see just the ciphertext? intercept and alter the ciphertext? use the encryption machinery? use the decryption machinery (just temporarily)? 14

Cryptographic Security Definitions These depend on the attacker s Goals: Does she want to... read m? alter m? forge a new m? gain partial information about m? Capabilities: Can she... see just the ciphertext? intercept and alter the ciphertext? use the encryption machinery? use the decryption machinery (just temporarily)? Most security definitions are presented as games. - We give the attacker a goal and a set of powers. - If the attacker can reach the goal in a reasonable amount of time, she wins, and the system is insecure. - If no attacker can win the game, the system is secure. 15

Cryptographic Security Definitions An appropriate security definition for RSA is Semantic Security under a Chosen-Plaintext Attack In a chosen-plaintext attack (CPA), the attacker gets free use of the encryption machinery in the first part of the game. The attacker wins a semantic security (SS) game if she can learn anything about an encrypted message, apart from its length. 16

Cryptographic Security Definitions An appropriate security definition for RSA is Semantic Security under a Chosen-Plaintext Attack The SS-CPA Game 0. The defender sets up the encryption machinery. (In this case, he chooses N and e). 1. The attacker submits a message m and receives its encryption c. She may repeat this as many times as she likes. 2. The attacker submits two messages, m 0 and m 1, of equal length. The defender flips a 0/1 coin to obtain a random bit b. He returns the encryption of m b to the attacker. 3. The attacker tries to guess whether she has been given the encryption of m 0 or m 1. If she can guess correctly with probability significantly greater than 1 2, she wins. 17

Cryptographic Security Definitions Is textbook RSA semantically secure? 18

Cryptographic Security Definitions Is textbook RSA semantically secure? The attacker can win every time: 1. The attacker submits a single message m 0 and receives its encryption c 0. 2. The attacker submits m 0 and some m 1 m 0 of the same length. The defender returns an encryption c. 3. If c = c 0, the attacker says b = 0; otherwise, she says b = 1. She is correct with probability 1. No! 19

Cryptographic Security Definitions Is textbook RSA semantically secure? The attacker can win every time: 1. The attacker submits a single message m 0 and receives its encryption c 0. 2. The attacker submits m 0 and some m 1 m 0 of the same length. The defender returns an encryption c. 3. If c = c 0, the attacker says b = 0; otherwise, she says b = 1. She is correct with probability 1. Reasonable Question: How can any system be CPA semantically secure? Answer: As long as Enc( ) is a function, it can t. No! 20

Cryptographic Security Definitions Is textbook RSA semantically secure? The attacker can win every time: 1. The attacker submits a single message m 0 and receives its encryption c 0. 2. The attacker submits m 0 and some m 1 m 0 of the same length. The defender returns an encryption c. 3. If c = c 0, the attacker says b = 0; otherwise, she says b = 1. She is correct with probability 1. Reasonable Question: How can any system be CPA semantically secure? deterministic Answer: As long as Enc( ) is a function, it can t. We need Enc( ) to be a randomized function. No! 21

Randomized Encryption What? M C M Enc( ) Dec( ) In deterministic encryption, Enc( ) is a one-to-one function, and Dec( ) is its inverse. 22

Randomized Encryption What? M C M Enc( ) Dec( ) In randomized encryption, Enc(m) chooses a random point in Dec 1 (m). Consequences of this: Enc( ) isn t really a function. Dec( ) is a many-to-one function. The ciphertext space C is bigger than the message space M. 23

Randomized Encryption Why? (1) Semantic Security in World War II May 20, 1942: Cryptanalysts at Pearl Harbor partially decrypt a radio transmission from Admiral Yamamoto. It appears to be an order to attack location af. Prior intercepts suggest that af is Midway Island, but Admiral Nimitz is unwilling to send defense forces to Midway without more evidence. The Pearl Harbor cryptanalysts instruct the Allied garrison at Midway to broadcast, in the clear, a message saying that the Midway fresh-water distillation plant has broken down. Two days later, in the intercepts of Japanese radio traffic, Allied Intelligence finds the message Location af is short of water. Admiral Nimitz is satisfied, and orders defense forces to Midway. 24

Randomized Encryption Why? (2) Deterministic Encryption Leaks Information Original message Deterministic encryption 25

Randomized Encryption Why? (2) Deterministic Encryption Leaks Information Original message Randomized encryption 26

Randomized Encryption Why? (2) Deterministic Encryption Leaks Information Where are we? 27

Randomized Encryption Why? (3) Deterministic Encryption Doesn t Work with Small Message Spaces Bob sends Alice his Social-Security number m using deterministic RSA: c = m e mod N Eve intercepts c. She knows e and N, so she can just compute x e mod N for all 10 9 values x = d 1 d 2 d 3 d 4 d 5 d 6 d 7 d 8 d 9. When x e matches c, Eve has found Bob s secret. Even better (or worse), if Bob acquired his SSN before 2011 and Eve knows where he lived at the time, her search space is reduced to only 10 6 or 10 7 numbers. 28

Randomized encryption How? A document called ISO/IEC 18033-2 contains a standard protocol for using RSA encryption in a semantically-secure way. The protocol requires: A symmetric-key encryption scheme For each k in a keyspace K, we have Enc k : M C; Dec k = Enc 1 k Each function Enc k should be indistinguishable from a random (invertible) function M C. A hash function H : Z N K Anyone can query H as an oracle, but no one knows its inner workings. For any set S Z N, knowing the values of H(x) for all x S should give no information about the value of H(y) for any y / S. 29

RSA KEM/DEM (ISO/IEC) Encryption: Bob generates a random pre-key x Z N. He feeds x to a (public) hash function to produce a symmetric key k, which he uses to encrypt the message m. Decryption: Alice decrypts y to get the pre-key x. She then uses the public hash function to recover the symmetric key k, and decrypts c to recover m. He sends Alice the (symmetric-key) encryption c of m, and the RSA (public-key) encryption y of x. x Z N RSA y = x e [y] RSA x = y d k =H(x) k =H(x) m Enc k ( ) [c = Enc k (m)] Dec k ( ) m 30

RSA KEM/DEM (ISO/IEC) Eavesdropping: The message is protected by k. If H is a good hash function, then Eve cannot find k without first knowing x. By the RSA assumption, Eve cannot recover x from y. This system is randomized, so it can be semantically secure. Furthermore, since the message is protected by k and H, a partial break of the RSA branch will not give Eve any information about m. x Z N RSA y = x e [y] RSA x = y d k =H(x) k =H(x) m Enc k ( ) [c = Enc k (m)] Dec k ( ) m 31

RSA ISO/IEC KEM/DEM in SSL/TLS (OMG... ) Public-key encryption is much slower than private-key encryption, so it s typically used only at the beginning of a session to enchange the keys that will be used for encrypting the real stuff. Client Hello? Server? [If the CA says OK, then... ] Server Hi! Here s my public encryption key: pk, and here s a note from my CA. Here s a random pmk. I ll send it to you using the RSA KEM/DEM scheme from the previous slide. [Calculates AES keys from pmk] Got it. Now we both know pmk. [Calculates AES keys from pmk] 32

RSA ISO/IEC KEM/DEM in SSL/TLS (OMG... ) Public-key encryption is much slower than private-key encryption, so it s typically used only at the beginning of a session to enchange the keys that will be used for encrypting the real stuff. Client Hello? Server? [If the CA says OK, then... ] Server Hi! Here s my public encryption key: pk, and here s a note from my CA. Here s a random pmk. I ll send it to you using the RSA KEM/DEM scheme from the previous slide. [Calculates AES keys from pmk] AES high-speed machinery Got it. Now we both know pmk. [Calculates AES keys from pmk] AES high-speed machinery 33

References Dan Boneh and Victor Shoup, A Graduate Course in Applied Cryptography, prepublication version 0.4, 2017. Whitfield Diffie and Martin E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, IT-22, November 1976. David Kahn, The Codebreakers, Scribner, 1967. Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography, second edition, CRC Press, 2015. Neal Koblitz, A Course in Number Theory and Cryptography, second edition, Springer-Verlag, 2006. Neal Stephenson, REAMDE, William Morrow, 2011. Douglas R. Stinson, Cryptography: Theory and Practice, second edition, CRC Press, 2002. 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback