Basic Cryptography
Chap.5-1
5 RSA Public Key Cryptography
Michael Mendler
Information Security
Symmetric vs Asymmetric Cryptosystems
Definition 5.1 A cryptosystem is called
• symmetric-key if for each encryption key e ∈ K it is “computationally easy” to determine a corresponding decryption key d ∈ K to give a key-pair (e, d), and vice versa to determine e from d. In practice, mostly, e = d.
• asymmetric-key if for all encryption keys e ∈ K it is “computationally infeasible” to compute a corresponding decryption key d ∈ K for a key-pair (e, d).
In an asymmetric cryptosystem, also called public-key cryptosystem, e is the public key and d the private key. Sometimes one uses two different keyspaces K, K′ for encryption and decryption.
Symmetric Key Encryption
Examples
• DES (Data Encryption Standard), AES (Advanced Encryption Standard, “Rijndael”), IDEA
Remarks
• Very efficient hardware implementation, good for large-volume traffic.
• All participants must share the same secret key, which makes key distribution difficult, in particular if the key lifetime is to be limited for security reasons.
• Ameliorated by (a hierarchy of) Trusted Third Parties that act as key servers to distribute symmetric session keys.
Exercise: Find out about DES and AES in the literature!
Asymmetric Key Cryptosystems
Inventors:
• W. Diffie, M.E. Hellman (1976) developed the original idea
• R. Rivest, A. Shamir, L. Adleman (1978) found the first concrete realisation. This first and most widely used public key system, RSA, is named after them.
RSA is used in many applications:
Public Key Cryptography Standards (PKCS), Pretty Good Privacy (PGP), Privacy Enhanced Mail (PEM), Society for Worldwide Interbank Financial Telecommunications (SWIFT), Secure Socket Layer (SSL), ...
The New Picture
[Figure: two block diagrams, “Symmetric Cryptosystem” and “Asymmetric Cryptosystem”. In both, a key generator inside a secret region produces the keys, m is encrypted by E under e to give c, c is decrypted by D under d to give m back, and Eve watches the channel. In the symmetric picture both e and d stay in the secret region; in the asymmetric picture only d does, and e is public.]
                      Public Data      Private Data
Symmetric Crypto      E, D, c          e, m, d
Asymmetric Crypto     E, D, c, e       m, d
What does this difference buy us? ...
The Big Innovation Leap I
Breakthrough features of public-key cryptography:
• No need for shared keys!
• Instant secret communication for principals that have never met!
• Simple key distribution: For n principals to communicate with each other, we only need to distribute n public keys as opposed to ½ n(n − 1) shared keys in the symmetric case!
• Digital Signatures: For given c only Bob can produce m such that E_e(m) = c, since only he knows the inverse D_d. So, m can act as Bob’s signature for message c.
The Big Innovation Leap II
Where is the catch?
• The sender or verifier, Alice, must be sure she holds an authentic public key of Bob
• The receiver or signatory, Bob, must be sure he receives an authentic message from Alice
Beware the Man-in-the-Middle!
Secrecy of Asymmetric Cryptosystems
• Secrecy = No information about private data leaks from public data
• Adversary = “Inverting” function from public to private data
[Figure: the key generator, d, D and m lie on the “secrecy plateau”; e, E and c lie in the public domain where Eve can see them. The direction from private to public data (key generator → e, m → c via E) is marked EASY, the inverse direction HARD.]
⇒ the public encryption function E_e : M → C, which is known to Eve, must not be easily invertible.
But wait, ...
... usually encryption E_e : M → C is injective:
• For each ciphertext c the original message m with c = E_e(m) is uniquely determined.
• Information-theoretically, the adversary Eve has full information about m as soon as she sees c (⇒ perfect secrecy impossible!).
• Does this not mean Eve can compute m?
Platonic vs Computational Existence
• The fact that a function f : M → C is efficiently computable does not mean that its inverse f^−1 : C → M is!
⇒ Such functions are called one-way functions.
Analogy
It is easy to show that there must be two people living in New York that have exactly the same number of hairs on their head (mathematical existence). Yet, this does not mean we can efficiently find them (computational existence)!
• Even if there exists an efficient algorithm for f^−1 (mathematical existence) there is no reason why it should be possible to build this algorithm efficiently (computational existence)!
⇒ Such functions are called trap-door one-way functions.
Recall: In symmetric crypto (in particular perfect) secrecy is achieved by the fact that for given c, in general, there are many possible pairs (k, m) with c = E(k, m).
But consider what happens if keys are reused and either ...
• Eve has full access to the encryption device, say the machine code, implementing some unknown encryption function Code : M → C for a fixed but unknown key, or
• Messages are not independent, so that after some number n of encryptions E^n : K × M^n → C^n the cryptograms (c_1, c_2, ..., c_n) uniquely determine both the key and the messages?
Here, too, secrecy must be based on the mere computational difficulty of inverting a function such as Code or E^n.
Computational Secrecy
Definition 5.2 (Informal) A cryptosystem with public information Pub and secret information Sec is computationally secret if no probabilistic polynomial time (PPT) adversary can gain any information about Sec from Pub with more than only negligible probability.
Alternative Choices of Adversary
• Nondeterministic poly-time (NP): Simple guess-and-check can invert any polynomial encryption Sec → Pub ⇒ too strong!
• Deterministic poly-time (P): Admits only brute force exhaustive searching, no guessing at all. ⇒ too weak!
Note: PPT lies between P and NP. Hence, computational secrecy depends on P ≠ NP! Yet, PPT refers to the probabilistic average case, not just the worst case as in ordinary complexity theory (O-notation).
Basic Notions of Secrecy
[Figure: a plane whose horizontal axis is “increasing computational power of adversary” (polytime, complexity class P, up to arbitrary) and whose vertical axis is “increasing ‘guessing’ power of adversary” (Deterministic: weak adversaries; Probabilistic; Non-determinism: all-mighty, breaks-it-all adversary, complexity class NP). Computational Secrecy is placed at the probabilistic polytime adversary, Perfect Secrecy at arbitrary computational power.]
How Do We Get Trap-door One-way Functions?
Modern cryptography is concerned with encryption of numeric data (of any kind, e.g., coded natural language texts). Encryption amounts to sophisticated algebraic manipulations of
• Bits and bytes ⇒ bit-level arithmetics
Bit-arithmetics is heavily used in symmetric cryptosystems since it can be quite efficient, in particular with hardware support. It is more difficult to produce convincing one-way functions in this way.
• Integers ⇒ number theory
Number theory is less efficient in implementation but offers sophisticated one-way functions that are easy to describe and investigate.
Let us look at the second kind ...
A convenient choice is to encrypt information coded in the residue class ring Z_n = {0, 1, ..., n − 1} of integers modulo n.
What kind of Z_n arithmetics is good for encryption?
• Linear operations E_k(m) = k · m mod n define a permutation of Z_n for certain k. This might seem like encryption, but is a BAD CHOICE. Linear operations are not one-way, they can be easily cryptanalysed (even if the key is unknown).
• Nonlinear operations such as E_k(m) = m^k mod n or E_k(m) = k^m mod n also generate permutations for certain k. These are MUCH BETTER, as they are hard to invert (given today’s knowledge).
We’ll study some functions of the second kind. First, we need ...
Some Basic Facts About Z_n
Proposition 5.3 An element a ∈ Z_n has a multiplicative inverse a^−1 such that a · a^−1 = 1 mod n iff gcd(a, n) = 1.
The set Z_n^* := {1 ≤ x ≤ n − 1 | gcd(x, n) = 1} ⊂ Z_n of numbers relatively prime to n is the multiplicative group of Z_n. Its size φ(n) := |Z_n^*| is known as Euler’s totient function. The elements u ∈ Z_n^* are called units.
Proposition 5.4 If n = ∏_{i=1}^{k} p_i^{r_i} is the prime factorisation of n, then φ(n) = ∏_{i=1}^{k} p_i^{r_i − 1} (p_i − 1).
Here is why φ(n) is relevant:
Theorem 5.5 (Euler’s Theorem) ∀a ∈ Z_n^*. a^{φ(n)} = 1 mod n.
From this it follows that for all a ∈ Z_n, a^{φ(n)+1} = a mod n. This gives us ...
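As an added example (not part of the lecture slides), the facts of this slide and the linear-versus-nonlinear remark of the previous one, checked on a toy modulus n = 3 · 5 · 7 = 105 constructed here: Proposition 5.4 for φ(n), Proposition 5.3 for which residues are units, Euler’s Theorem over all units, and the reason the linear map E_k(m) = k · m mod n is not one-way (one known pair (m, c) with m a unit yields k immediately). Function names are my own; the final check of a^(φ(n)+1) = a over all of Z_n is run for a square-free n such as 105 or p · q, where it holds.

```python
from math import gcd

# Toy modulus, constructed for illustration: n = 3 * 5 * 7 = 105 (square-free).
FACTORS = {3: 1, 5: 1, 7: 1}
N = 105


def phi_from_factors(factors):
    """Proposition 5.4: phi(n) = prod p^(r-1) * (p - 1) over the prime factorisation."""
    result = 1
    for p, r in factors.items():
        result *= p ** (r - 1) * (p - 1)
    return result


def units(n):
    """Z_n^*: the residues in 1..n-1 that are coprime to n (Proposition 5.3)."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def has_inverse(a, n):
    """Proposition 5.3: a has a multiplicative inverse mod n iff gcd(a, n) == 1."""
    try:
        pow(a, -1, n)  # Python >= 3.8 computes the modular inverse via Extended Euclid
        return True
    except ValueError:
        return False


def euler_holds(n, phi):
    """Theorem 5.5: every unit a satisfies a^phi(n) = 1 mod n."""
    return all(pow(a, phi, n) == 1 for a in units(n))


def euler_plus_one_holds(n, phi):
    """For square-free n (e.g. n = p*q) the corollary a^(phi(n)+1) = a holds for all a in Z_n."""
    return all(pow(a, phi + 1, n) == a for a in range(n))


def linear_key_recovery(m, c, n):
    """Why E_k(m) = k*m mod n is a BAD CHOICE: a single known pair (m, c) with m a unit
    gives the key back as k = c * m^-1 mod n, so the map is trivially invertible."""
    return c * pow(m, -1, n) % n


if __name__ == "__main__":
    phi = phi_from_factors(FACTORS)
    print("phi(105) =", phi, "=", len(units(N)))
    print("Euler holds:", euler_holds(N, phi), "corollary holds:", euler_plus_one_holds(N, phi))
    print("recovered linear key:", linear_key_recovery(11, 17 * 11 % N, N))
```

The same checks run unchanged for n = p · q with large primes, except that `units` and `euler_plus_one_holds` enumerate all of Z_n and are therefore only practical for toy sizes.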
Naive RSA Encryption Scheme
Alice wants to send Bob a confidential message.
• Key Generation
– Bob generates two (large, ≥ 1024 bit) distinct primes p, q and computes n = p · q.
– Bob selects e ∈ Z_φ(n)^* (i.e., relatively prime to φ(n)) and computes its inverse d = e^−1 mod φ(n) (Extended Euclid).
– Bob publishes (n, e) as his public key and retains (n, d) as his private key.
• Encryption with public key (n, e)
– Alice represents her message as an integer m ∈ Z_n (if necessary broken into blocks).
– Alice computes c = m^e mod n and sends c to Bob.
• Decryption with private key (n, d): Bob retrieves m = c^d mod n.
Naive RSA Signature Scheme
Alice wants Bob to sign a message.
• Key Generation
As before, Bob publishes public key (n, e) and keeps private key (n, d).
• Signing with secret key (n, d)
Alice sends Bob the message m, from which he computes the signed message (m, σ) with signature σ = m^d mod n. Bob publishes (m, σ).
• Verifying with public key (n, e)
Alice, and in fact anyone, may verify Bob has signed (m, σ) by checking that m = σ^e mod n.
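The naive encryption scheme of the previous slide and the naive signature scheme of this one, carried out end to end as an added example that is not from the lecture. The primes p = 61, q = 53 and the exponent e = 17 are toy values constructed here (real keys use primes of 1024 bits or more, generated by a proper primality test); the modular inverse is computed with Python’s `pow(e, -1, phi)` (Python 3.8 or later), which is the Extended Euclid step of the slide.

```python
from math import gcd


def keygen(p, q, e):
    """Naive RSA key generation from two distinct primes and a chosen e.
    Returns ((n, e), (n, d)); p, q are toy values supplied by the caller."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)          # phi(n) for n = p*q by Proposition 5.4
    if gcd(e, phi) != 1:
        raise ValueError("e must be a unit of Z_phi(n)")
    d = pow(e, -1, phi)              # d = e^-1 mod phi(n) (Extended Euclid)
    return (n, e), (n, d)


def encrypt(pub, m):
    """c = m^e mod n; the message must already be an element of Z_n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in Z_n (split longer data into blocks)")
    return pow(m, e, n)


def decrypt(priv, c):
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def sign(priv, m):
    """sigma = m^d mod n (naive: the raw message is signed, no hash, no padding)."""
    n, d = priv
    return pow(m, d, n)


def verify(pub, m, sigma):
    """Anyone holding (n, e) checks m = sigma^e mod n."""
    n, e = pub
    return pow(sigma, e, n) == m % n


def demo():
    pub, priv = keygen(61, 53, 17)   # toy primes, constructed for the example
    m = 65
    c = encrypt(pub, m)
    sigma = sign(priv, m)
    # (ciphertext, decrypted message, signature accepted, signature rejected for a tampered message)
    return c, decrypt(priv, c), verify(pub, m, sigma), verify(pub, m + 1, sigma)


if __name__ == "__main__":
    print(demo())
```

With these toy values the key pair is (3233, 17) / (3233, 2753) and 65 encrypts to 2790; the tampered-message check shows that a signature verifies only for the exact m it was computed on.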
RSA Security
• Computing d from (n, e)
– As difficult as factoring integers: if we can factor n = p · q we also have φ(n) and thus e^−1 mod φ(n), and vice versa, if we have d we can get p, q efficiently.
– No poly-time algorithm for factoring known, believed to be PPT intractable.
• Computing m from (n, e) and c
– Amounts to computing the e-th root of c mod n.
– Not known if this is as hard as computing d, i.e., factoring n, but believed to be PPT intractable.
Security is a statistical property. Even average computational difficulty does not rule out special threat situations ...
RSA Weak Messages Attack
• Messages must be chosen from the subset Z_n^*, otherwise RSA can be broken completely.
Suppose that gcd(m, n) ≠ 1, i.e., m is a multiple of one of n’s factors, say m = a · p.
Then, its encryption
c = m^e mod n = (a · p)^e mod n = (a · p)^e mod p · q
also is a multiple of p.
Now both p = gcd(c, n) and q = n/p can be easily computed from public data.
RSA Common Modulus Attack
• Plaintext information is not protected when sent to two users with the same modulus n and relatively prime encryption exponents.
Suppose Bob and Bridget have public keys (n, e_1) and (n, e_2), respectively, such that gcd(e_1, e_2) = 1. Then there are integers r_1, r_2 such that r_1 e_1 + r_2 e_2 = 1. These can be obtained with Extended Euclid. We may assume r_1 < 0, otherwise interchange r_1 and r_2.
Suppose message m is encrypted for both Bob and Bridget, i.e.,
c_1 = m^{e_1} mod n, c_2 = m^{e_2} mod n.
Everybody can now retrieve m as follows:
m = m^{r_1 e_1 + r_2 e_2} mod n = (m^{e_1})^{r_1} · (m^{e_2})^{r_2} mod n = c_1^{r_1} · c_2^{r_2} mod n,
where we assume c_1 ∈ Z_n^* (otherwise, Weak Messages Attack possible).
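The computation of this slide, as an added example that is not from the lecture: Extended Euclid yields the Bézout coefficients r_1, r_2, and the negative one is handled by a modular inverse, which is exactly why c_1 (or c_2) must be a unit of Z_n. The modulus 61 · 53 and the exponents 17, 23 are toy values constructed here; Python’s `pow` with a negative exponent (3.8 or later) performs the inversion.

```python
from math import gcd


def ext_gcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def common_modulus_recover(n, e1, c1, e2, c2):
    """Recover m from two encryptions of the same m under (n, e1) and (n, e2), gcd(e1, e2) = 1."""
    g, r1, r2 = ext_gcd(e1, e2)
    if g != 1:
        raise ValueError("encryption exponents must be relatively prime")
    if gcd(c1, n) != 1 or gcd(c2, n) != 1:
        # A non-unit ciphertext is the Weak Messages case: gcd(c_i, n) already factors n.
        raise ValueError("ciphertext is not a unit of Z_n")
    # One of r1, r2 is negative; pow(c, r, n) with r < 0 raises c^-1 to the power |r|.
    return pow(c1, r1, n) * pow(c2, r2, n) % n


def demo():
    n = 61 * 53               # toy modulus constructed for the example, phi(n) = 3120
    e1, e2 = 17, 23           # both units mod 3120 and relatively prime to each other
    m = 1234
    c1, c2 = pow(m, e1, n), pow(m, e2, n)
    return common_modulus_recover(n, e1, c1, e2, c2)


if __name__ == "__main__":
    print(ext_gcd(17, 23), demo())
```

The defensive reading of the slide is a key-generation rule: every user gets a fresh modulus, and a key server must never hand out the same n with different exponents.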
RSA Common Factor Attack
• Different users must not share prime factors.
Suppose Bob and Bert share the same prime factor p for different q_i, i.e., n_1 = p · q_1 and n_2 = p · q_2.
Then, anyone can compute p = gcd(n_1, n_2) and q_i = n_i / p from public data.
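Both gcd-based breaks, the Weak Messages Attack two slides up and the Common Factor Attack of this slide, together with the checks that rule them out, as an added example that is not from the lecture. The primes 101, 103, 107 and the exponent 7 are toy values constructed here; the function names are my own.

```python
from math import gcd

# Toy keys constructed for the example: two users that (wrongly) share the prime 101.
P, Q1, Q2 = 101, 103, 107
N1, N2 = P * Q1, P * Q2
E = 7


def factor_from_weak_message(c, n):
    """Weak Messages Attack: if gcd(m, n) != 1 then c = m^e mod n shares that factor,
    so gcd(c, n) exposes it. Returns (p, q) or None when c is a unit."""
    g = gcd(c, n)
    if g in (1, n):
        return None
    return g, n // g


def factor_from_shared_prime(n1, n2):
    """Common Factor Attack: two moduli with a common prime are both factored by one gcd.
    Returns (p, q1, q2) or None when the moduli are relatively prime."""
    g = gcd(n1, n2)
    if g == 1:
        return None
    return g, n1 // g, n2 // g


def safe_to_encrypt(m, n):
    """Defensive check before encrypting: m must be a unit of Z_n."""
    return 0 < m < n and gcd(m, n) == 1


def moduli_pairwise_coprime(moduli):
    """Defensive check over a whole key set: no two moduli may share a factor."""
    return all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:])


if __name__ == "__main__":
    weak_m = 3 * P                       # m = a * p with a = 3
    c = pow(weak_m, E, N1)
    print("weak message factors n1:", factor_from_weak_message(c, N1))
    print("shared prime factors both:", factor_from_shared_prime(N1, N2))
    print("checks:", safe_to_encrypt(weak_m, N1), moduli_pairwise_coprime([N1, N2]))
```

The pairwise-gcd check is cheap enough to run over an entire inventory of public keys and is the standard way to catch moduli that were generated with a weak random source.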
RSA Attack: Small Message Space
• The message space may have small areas of unsafe messages.
Eve can pre-tabulate any finite number of possible input-output pairs
E_approx = {(m_1, c_1), (m_2, c_2), ..., (m_N, c_N)}
of the real encryption function E.
When she picks up a cryptogram c she simply tries to look up a corresponding m in E_approx.
To prevent this attack messages should be padded with random “salt” to avoid repeating previous or otherwise predictable message patterns.
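Why the pre-tabulation works and why random salt stops it, as an added example that is not from the lecture: textbook RSA is deterministic, so the table E_approx matches a repeated message, whereas a fresh salt makes every encryption of the same m a different ciphertext. The key (3233, 17, 2753) is the toy key constructed for the earlier example, and the 4-bit message / 4-bit salt layout is a toy padding of my own; a real scheme such as OAEP uses much more randomness and a hash function.

```python
import secrets

N, E, D = 3233, 17, 2753      # toy key constructed for the example (p = 61, q = 53)
MSG_BITS = 4                  # the "small message space": only 16 possible messages
SALT_BITS = 4                 # toy salt width; m || salt must still fit below N


def encrypt(m, n=N, e=E):
    return pow(m, e, n)


def decrypt(c, n=N, d=D):
    return pow(c, d, n)


def build_table(candidates):
    """Eve's E_approx: ciphertexts of every guessable message, keyed by ciphertext."""
    return {encrypt(m): m for m in candidates}


def lookup(table, c):
    """Eve's attack on a picked-up cryptogram: a dictionary lookup, or None if unseen."""
    return table.get(c)


def pad(m, salt=None):
    """Toy salted padding m || salt with a fresh random salt per encryption."""
    if salt is None:
        salt = secrets.randbelow(1 << SALT_BITS)
    if not (0 <= m < (1 << MSG_BITS) and (1 << (MSG_BITS + SALT_BITS)) <= N):
        raise ValueError("message or padding does not fit the modulus")
    return (m << SALT_BITS) | salt


def unpad(padded):
    return padded >> SALT_BITS


def encrypt_padded(m, salt=None):
    return encrypt(pad(m, salt))


def decrypt_padded(c):
    return unpad(decrypt(c))


if __name__ == "__main__":
    table = build_table(range(1 << MSG_BITS))
    print("textbook RSA, message found:", lookup(table, encrypt(9)))
    c1, c2 = encrypt_padded(9), encrypt_padded(9)
    print("salted, two ciphertexts differ:", c1 != c2, "lookup:", lookup(table, c1))
    print("receiver still recovers:", decrypt_padded(c1))
```

Because encryption is injective on Z_n, a salted ciphertext can never collide with an entry of a table built from unsalted messages, so the lookup fails regardless of the salt value.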
RSA Attack: Disclosed Garbage
• Even garbage messages may leak information.
1. Alice sends Bob a secret message m, encrypted as c = m^e mod n.
2. Eve intercepts c and somehow decomposes c = c_1 · c_2.
3. Eve gets Bob to accept the “secret” messages c_1 and c_2 from her, which he decrypts as m_1 = c_1^d and m_2 = c_2^d.
4. Since m_1, m_2 seem garbage to him and of no value he throws them away, thereby revealing them to Eve.
5. Eve picks up m_1, m_2 and computes Alice’s original message m = m_1 m_2 = c_1^d c_2^d = (c_1 c_2)^d = c^d = m^{ed}.
RSA Attack: Common Low Encryption Exponents
• Messages sent to many users with the same low encryption exponent are not protected.
Bob, Bridget, Bert have public keys (n_1, e), (n_2, e), (n_3, e). Suppose m is sent to all three and m^e < n := n_1 · n_2 · n_3, which happens when e is relatively small compared to each n_i.
Eve picks up all ciphers c_i = m^e mod n_i, i.e., the remainders of the same integer m^e with respect to three different moduli. Assuming the n_i are relatively prime to each other, she can exploit the Chinese Remainder Theorem to compute a unique residue class c such that c = m^e mod n. Since m^e < n, in fact, we have c = m^e. Hence, Eve simply computes m as the e-th root of c in Z, which can be done efficiently.
Exercise: Look up the Chinese Remainder Theorem in textbooks!
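The Chinese Remainder Theorem step and the integer e-th root of this slide, as an added example that is not from the lecture. The three moduli 53 · 59, 71 · 83 and 89 · 101 are toy values constructed so that they are pairwise coprime and e = 3 is a unit modulo each φ(n_i); the CRT and root routines are my own straightforward implementations.

```python
from math import gcd


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli:
    the unique x in [0, prod(moduli)) with x = r_i mod n_i for all i."""
    n = 1
    for m in moduli:
        n *= m
    total = 0
    for r, m in zip(residues, moduli):
        q = n // m
        total += r * q * pow(q, -1, m)     # q^-1 mod m exists because the moduli are coprime
    return total % n


def integer_root(c, e):
    """Exact e-th root of a non-negative integer by binary search (no floating point),
    or None if c is not a perfect e-th power."""
    lo, hi = 0, 1
    while hi ** e <= c:
        hi *= 2
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** e < c:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == c else None


def broadcast_recover(ciphertexts, moduli, e):
    """Recover m from c_i = m^e mod n_i when the same m went to all recipients and m^e < prod n_i."""
    if not all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:]):
        raise ValueError("moduli must be pairwise relatively prime")
    c = crt(ciphertexts, moduli)          # equals the integer m^e, not just a residue class
    return integer_root(c, e)


def demo():
    moduli = [53 * 59, 71 * 83, 89 * 101]   # toy moduli constructed for the example
    e, m = 3, 2024                           # m^3 is far below n1 * n2 * n3
    ciphertexts = [pow(m, e, n) for n in moduli]
    return broadcast_recover(ciphertexts, moduli, e)


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]), demo())
```

The remedy matching the final slide of the chapter is per-recipient random padding: the three encrypted integers then differ, the CRT combination is no longer a perfect e-th power, and `integer_root` returns None.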
RSA Attack: Encryption and Signing with Same Keys
• Don’t use the same key for both encryption and signing.
Here is why:
1. Alice sends Bob a secret message m and Eve intercepts the cryptogram c = m^e formed with Bob’s public key (n, e).
2. Eve selects a random integer r ∈ Z_n^* and computes x = c · r^e mod n = m^e · r^e mod n = (mr)^e mod n.
3. Eve has Bob sign the now random-looking x to get his signature σ = x^d involving Bob’s secret key (n, d).
4. Eve retrieves the “secret” message m = σ r^−1 mod n.
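Both the Disclosed Garbage attack two slides up and the blinding attack of this slide rest on the same algebraic fact, that raising to the power d is multiplicative mod n, so one added example (not from the lecture) serves both. Bob’s decryption and signing are modelled by a single function, which is precisely the shared-key mistake; the key (3233, 17, 2753) is the toy key constructed earlier and the split value 999 and blinding factor 7 are constructed units of Z_n.

```python
from math import gcd

N, E, D = 3233, 17, 2753   # toy key constructed for the example (p = 61, q = 53)


def bob_private_op(x):
    """Bob raises to d with his private key: this serves as decryption AND as signing,
    which is the shared-key mistake the slide warns about."""
    return pow(x, D, N)


def disclosed_garbage(c, c1):
    """Split c = c1 * c2 mod n (c2 = c * c1^-1), have both halves 'decrypted' as garbage,
    then multiply the garbage back together: c1^d * c2^d = (c1 c2)^d = c^d = m."""
    if gcd(c1, N) != 1:
        raise ValueError("c1 must be a unit of Z_n so that c2 = c * c1^-1 exists")
    c2 = c * pow(c1, -1, N) % N
    m1, m2 = bob_private_op(c1), bob_private_op(c2)
    return m1 * m2 % N


def blinding(c, r):
    """Have Bob sign x = c * r^e = (m r)^e, then strip the blinding factor: sigma * r^-1 = m."""
    if gcd(r, N) != 1:
        raise ValueError("r must be a unit of Z_n")
    x = c * pow(r, E, N) % N            # looks random to Bob
    sigma = bob_private_op(x)           # sigma = x^d = m * r mod n
    return sigma * pow(r, -1, N) % N


if __name__ == "__main__":
    c = pow(1234, E, N)                 # Alice's ciphertext, intercepted
    print(disclosed_garbage(c, 999), blinding(c, 7))
```

The slide’s rule (separate keys for encryption and signing) breaks the algebra because the signature is then computed under a different modulus; the chapter’s final slide adds the second defence, signing only hashed and padded data rather than raw residues.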
Other Attacks
• Low Private Key Exponent:
Suppose n = p · q with q < p < 2q, e < φ(n), and d < ⅓ · n^{1/4}. Then d can be computed efficiently from (n, e). [M.J. Wiener, 1990] (prevented by replacing e with e + l · φ(n).)
• Iterated Encryption:
If e ∈ Z_φ(n)^* has a small order, i.e. e^k = 1 mod φ(n) for small k, then c = (c^{e^{k−1}})^e mod n and hence m = c^{e^{k−1}} mod n.
• Partial Key Exposure:
Suppose n has k bits and k = 0 mod 4. If we know the k/4 least significant bits of the private key d, n can be factored efficiently. [D. Coppersmith]
• Brute force: The 1999 512-bit RSA Factorisation Challenge has been solved in 3.7 months on a network of ≈ 300 PCs and workstations. [http://www.rsasecurity.com/rsalabs/challenges/factoring/rsa155.html]
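The Iterated Encryption bullet as an added example that is not from the lecture: repeatedly re-encrypting c with the public key alone walks the cycle c, c^e, c^{e^2}, ... and the value one step before c recurs is m. The toy key (3233, 17) is the one constructed earlier; for it the order of 17 modulo λ(n) = lcm(60, 52) = 780 is 12, so the cycle closes within 12 steps, which is what makes the check terminate quickly on a toy key.

```python
def iterated_encryption(c, n, e, max_steps=100_000):
    """Re-encrypt c under the public key until the ciphertext recurs.
    Returns (m, k) with c^(e^k) = c and m = c^(e^(k-1)), or (None, None) if no cycle
    closes within max_steps (the situation proper key generation aims for)."""
    prev, cur = c, pow(c, e, n)
    steps = 1
    while cur != c:
        if steps >= max_steps:
            return None, None
        prev, cur = cur, pow(cur, e, n)
        steps += 1
    return prev, steps


def cycle_is_short(pub, limit):
    """Defensive key check on a toy key: does a random unit return to itself within `limit` steps?"""
    n, e = pub
    probe = 2
    _, k = iterated_encryption(pow(probe, e, n), n, e, max_steps=limit)
    return k is not None


if __name__ == "__main__":
    n, e = 3233, 17                      # toy key constructed for the example
    c = pow(1234, e, n)
    print(iterated_encryption(c, n, e), cycle_is_short((n, e), 100))
```

For real key sizes the cycle length is astronomically large unless φ(n) has only small prime factors, which is why key-generation recommendations ask for p − 1 and q − 1 to have a large prime factor.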
So, How Can RSA Work?
The secure application of RSA Encryption requires
• Careful Key Generation
• Careful Message Processing
– Padding
– Pseudorandom Bit Generators
– Hash Functions
Exercise: Look up practically secure RSA techniques in textbooks!