Transcript lecture3.3

Lecture 3.3: Public Key
Cryptography III
CS 436/636/736
Spring 2012
Nitesh Saxena
Course Administration
• HW1 – due at 11am on Feb 06
• Any questions, or help needed?
2
Outline of Today’s Lecture
• The RSA Cryptosystem (Encryption)
3
“Textbook” RSA: KeyGen
• Alice wants people to be able to send her encrypted
messages.
• She chooses two (large) prime numbers, p and q and
computes n=pq and  (n). [“large” = 1024 bits +]
• She chooses a number e such that e is relatively prime to  (n)
and computes d, the inverse of e in Z  (n ) , i.e., ed =1 mod  (n)
• She publicizes the pair (e,n) as her public key. (e is called RSA
exponent, n is called RSA modulus). She keeps d secret and
destroys p, q, and  (n)
• Plaintext and ciphertext messages are elements of Zn and e is
the encryption key.
4
RSA: Encryption
• Bob wants to send a message x (an element of
Zn*) to Alice.
• He looks up her encryption key, (e,n), in a
directory.
• The encrypted message is
y  E( x)  xe modn
• Bob sends y to Alice.
5
RSA: Decryption
• To decrypt the message
y  E( x)  x modn
e
she’s received from Bob, Alice computes
D( y)  y modn
d
Claim: D(y) = x
6
RSA: why does it all work
• Need to show
 D[E[x]] = x
 E[x] and D[y] can be computed efficiently if
keys are known
 E-1[y] cannot be computed efficiently without
knowledge of the (private) decryption key d.
• Also, it should be possible to select keys
reasonably efficiently
 This does not have to be done too often, so
efficiency requirements are less stringent.
7
E and D are Inverses
D( y )  y modn
d
 ( x e modn) d modn
 ( x ) modn
e d
 x modn
ed
x
t ( n ) 1
 (x
modn
Because ed  1 mod(n)
(n) t
) x modn
 1t x modn  x modn
From Euler’s Theorem
8
Tiny RSA example.
• Let p = 7, q = 11. Then n = 77 and
(n)  60
•
•
•
•
Choose e = 13. Then d = 13-1 mod 60 = 37.
Let message = 2.
E(2) = 213 mod 77 = 30.
D(30) = 3037 mod 77=2
9
Slightly Larger RSA example.
• Let p = 47, q = 71. Then n = 3337 and
( pq)  46* 70  3220
• Choose e = 79. Then d = 79-1 mod 3220 =
1019.
• Let message = 688232… Break it into 3 digit
blocks to encrypt.
• E(688) = 68879 mod 3337 = 1570.
E(232) = 23279 mod 3337 = 2756
• D(1570) = 15701019 mod 3337 = 688.
D(2756) = 27561019 mod 3337 = 232.
10
Security of RSA: RSA assumption
• Suppose Oscar intercepts the encrypted
message y that Bob has sent to Alice.
• Oscar can look up (e,n) in the public directory
(just as Bob did when he encrypted the
message)
• If Oscar can compute d = e-1 mod  (n) then he
can use D( y)  y d modn  x to recover the
plaintext x.
• If Oscar can compute  (n), he can compute d
(the same way Alice did).
11
Security of RSA: factoring
• Oscar knows that n is the product of two
primes
• If he can factor n, he can compute  (n)
• But factoring large numbers is very difficult:
– Grade school method takes O( n ) divisions.
– Prohibitive for large n, such as 160 bits
– Better factorization algorithms exist, but they are
still too slow for large n
– Lower bound for factorization is an open problem
12
How big should n be?
• Today we need n to be at least 1024-bits
– This is equivalent to security provided by 80-bit
long keys in private-key crypto
• No other attack on RSA known
– Except some side channel attacks, based on
timing, power analysis, etc. But, these exploit
certain physical charactesistics, not a theoretical
weakness in the cryptosystem!
13
Key selection
• To select keys we need efficient algorithms to
– Select large primes
• Primes are dense so choose randomly.
• Probabilistic primality testing methods known. Work in
logarithmic time.
– Compute multiplicative inverses
• Extended Euclidean algorithm
14
RSA in Practice
• Textbook RSA is insecure
– Known-plaintext?
– CPA?
– CCA?
• In practice, we use a “randomized” version of
RSA, called RSA-OAEP
– Use PKCS#1 standard for RSA encryption
http://www.rsa.com/rsalabs/node.asp?id=2125
– Interested in details of OAEP: refer to (section 3.1
of) http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf
15
Some questions
• c1 = RSA_Enc(m1), c2 = RSA_Enc(m2).
– What is RSA_Enc(m1m2)?
• Homomorphic property
– What is RSA_Enc(2m1)?
• Malleability (not a good property!)
• Is it possible to find inverses mod n (RSA modulus)?
16
Some Questions
• RSA stands for Robust Security Algorithm, right?
• If e is small (such as 3)
– Encryption is faster than decryption or the other way round?
• Private key crypto has key distribution problem and Public key
crypto is slow
– How about a hybrid approach?
– Do you know how ssl/ssh works?
17
Some Questions
• Key generation in RSA is -------- than in DLbased schemes (El Gamal/DSS)
• I encrypt m with Alice’s RSA PK, I get c
– I encryt m again, I get --?
– What does this mean?
• What if I do the above with DES?
18
Some Questions
• Find x such that
– x = 4 (mod 5)
– x = 7 (mod 8)
– x = 3 (mod 9)
19
Further Reading
• Section 8.2 of HAC
• Section 9 of Stallings
20