Lecture 3: One-Way Encryption, RSA Example



Similar documents
CIS 5371 Cryptography. 8. Encryption --

Overview of Public-Key Cryptography

Advanced Cryptography

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Introduction. Digital Signature

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

The application of prime numbers to RSA encryption

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

1 Message Authentication

Symmetric Key cryptosystem

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

1 Signatures vs. MACs

1 Construction of CCA-secure encryption

Applied Cryptography Public Key Algorithms

Elements of Applied Cryptography Public key encryption

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Cryptography and Network Security Chapter 9

The Mathematics of the RSA Public-Key Cryptosystem

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Lukasz Pater CMMS Administrator and Developer

An Introduction to the RSA Encryption Method

Lecture 9 - Message Authentication Codes

Post-Quantum Cryptography #4

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Introduction to Cryptography CS 355

Talk announcement please consider attending!

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

CryptoVerif Tutorial

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Identity-Based Encryption from the Weil Pairing

Improved Online/Offline Signature Schemes

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Cryptography and Network Security

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Communications security

Chapter 12. Digital signatures Digital signature schemes

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Lecture 6 - Cryptography

Proofs in Cryptography

Cryptography and Network Security Chapter 10

DIGITAL SIGNATURES 1/1

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Lecture 13: Factoring Integers

Digital Signatures. Prof. Zeph Grunschlag

Public Key Cryptography: RSA and Lots of Number Theory

CS 758: Cryptography / Network Security

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Primality Testing and Factorization Methods

Lecture 5 - CPA security, Pseudorandom functions

Network Security: Cryptography CS/SS G513 S.K. Sahay

Quantum Computing Lecture 7. Quantum Factoring. Anuj Dawar

Lecture 13 - Basic Number Theory.

CSCE 465 Computer & Network Security

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Network Security Technology Network Management

Department Informatik. Privacy-Preserving Forensics. Technical Reports / ISSN Frederik Armknecht, Andreas Dewald

Lecture 2: Complexity Theory Review and Interactive Proofs

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Signature Schemes. CSG 252 Fall Riccardo Pucella

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory 1 / 53

Table of Contents. Bibliografische Informationen digitalisiert durch

Introduction to Computer Security

Public-Key Cryptanalysis

Yale University Department of Computer Science

SFWR ENG 4C03 - Computer Networks & Computer Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Study of algorithms for factoring integers and computing discrete logarithms

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Public Key Cryptography and RSA. Review: Number Theory Basics

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Public Key (asymmetric) Cryptography

Homomorphic Encryption Method Applied to Cloud Computing

Chosen-Ciphertext Security from Identity-Based Encryption

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

On Factoring Integers and Evaluating Discrete Logarithms

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Basic Algorithms In Computer Algebra

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Lecture 13: Message Authentication Codes

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Security in Distributed Systems. Network Security

Capture Resilient ElGamal Signature Protocols

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

An Efficient Data Security in Cloud Computing Using the RSA Encryption Process Algorithm

Lecture 17: Re-encryption

Transcription:

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require of encryption, namely one-way security. The notion is natural and seems like a minimal requirement on an encryption scheme. It makes sense for both symmetric and public-key encryption schemes. To make the discussion more concrete, we look at the so-called textbook variant of the RSA encryption, and see how to pick keys in relation to the security parameter so that the best algorithms that invert RSA are either inefficient or have only negligible advantage. We will also see that while the textbook RSA can plausibly be oneway secure, it is definitely not secure in the sense of indistinguishabibility (this security property of encryption schemes was defined in the last class). This shows us that one-wayness is a weaker notion than indistinguishability. 2 One-Way Security for Encryption In the last lecture we developed the computational version (relaxation) of the perfect secrecy security property for encryption schemes, which we called indistinguishability of encryption. This notion is pretty strong, and today we ll look at a weaker notion of security for encryption, namely one-way security. In essence, we say that an encryption scheme is one-way secure if it is infeasible to decrypt ciphertexts of random plaintexts (i.e. randomly chosen from a big-enough message space). Here is the formal definition, first for the case of symmetric encryption schemes: Definition 1 (one-way secure (symmetric) encryption) We call a (symmetric) encryption scheme Σ = (KGen,Enc,Dec) one-way secure for (family of) message spaces {M τ } τ=1,2,... if for all PPT algorithms A, the following holds: Adv A (τ) = Prob[A(c) = m k KGen(1 τ );m M τ ;c Enc(k,m)] negl(τ) And here is the corresponding definition for public-key encryption schemes. The only real difference is that here the adversary sees the public key used to encrypt messages: Definition 2 (one-way secure (public key) encryption) We call a (public-key) encryption scheme Σ = (KGen,Enc,Dec) one-way secure for (family of) message spaces {M τ } τ=1,2,... if for all PPT algorithms A, the following holds: Adv A (τ) = Prob[A(PK,c) = m (SK,PK) KGen(1 τ );m M τ ;c Enc(PK,m)] negl(τ) L3-1

Discussion. The one-wayness of encryption seems to be a pretty minimal requirement needed of an encryption scheme. Suppose, on the contrary, that an encryption scheme is not one-way. This would mean that there exists an efficient algorithm A which has a non-negligible chance of success in decrypting an encryption of a random message. Notice that in any application of an encryption scheme, the encryption/decryption keys are going to be picked by a (random) run of the KGen(1 τ ) algorithm, which is just like in the one-wayness game the adversary plays with an encryption scheme in the above definition(s). So if A s advantage in this game is sizable, i.e. larger than negligible (larger than 1/p(τ) for some polynomial p( )), this could mean one of the following things, each of them pretty bad for any application using such encryption: It could be that for every message m M and every c = Enc(k,m), there is about 1/p(τ) chance that A decrypts c as m, where the probability is taken over the random coins of A. This case is the worst, because in this case we could run A over an over on the same input c, and after τ p(τ) trials, the probability that in none of these trials A ends up decrypting c is only Prob[A fails in all τ p(τ) trials] (1 1/p(τ)) τ p(τ) (1/e) τ < (1/2) τ = 2 τ Note also that the time taken by this new attack is τ p(τ) Time A (τ) which is poly(τ) because Time A (τ) is polynomial in τ. So such A leads to an efficient attack which decrypts every message except for a negligible probability 2 τ. However, it could also be that the above is true only for some messages m M. For example, it could be that A decrypts with probability almost 1 on any encryptions of all messages in some subset M M which contains 1/p(τ) fraction of messages, i.e. M / M = 1/p(τ), but on encryptions of messages m M it fails. Why would such an attack be so bad? First of all, for many encryption schemes, an attack which succeeds well on some fraction of messages can be used to succeed on all messages. (We ll see that on the RSA example below!) Second, even if there was no way of transforming such attack into decrypting any message, this is still not good because the application would have to make sure that messages in M are avoided. Whatever message space M = M \ M an application needs to use, it needs to know that the encryption scheme is at least one-way secure for the message space M. The inverter A could work in yet another way. For example, maybe A has a good chance of inverting a particular class of ciphertexts, but fails to invert if the ciphertext does not fall into this class? This type of attack usually leads to an attack against any ciphertext too (similarly to the case above). An example of this in in problem 3 on homework 2. You ll see there that if there is an attack A which inverts ElGamal ciphertext only if they have some special (although common-enough) form, you can use A to construct an attack which actually inverts any ElGamal ciphertext. 3 Example: RSA cryptosystem To understand the RSA cryptosystem, for now all you need to know is that Z n = {0,...,n 1}. To understand it more more deeply, you should read the handouts on modular arithmetics (first the L3-2

handout on primes and then the one on composites). You ll see there what Z n is, where did φ(n) = (p 1)(q 1) come from, and why equation (2) below holds for all m Z n if ed = 1 mod φ(n). But at first you can just assume that d = e 1 mod φ(n) is easy to compute and that equation (2) does hold. The scheme below is called a textbook RSA cryptosystem, because it uses the RSA setting in the most basic way possible. KGen(1 τ ) generates two prime numbers p,q of length p = q 1 2c 3 τ 3 where c is a small constant, c 8 (the actual formula for the good prime size is a little more complex but this is a good approximation, and we ll see later today how this is the choice is made!). Then KGen computes a n = p q, picks some small prime number e 3 (in most applications e = 3 is used because the speed of encryption depends on the size of e, so the smallest possible e is picked), then computes number d = e 1 mod φ(n) where φ(n) = (p 1)(q 1) (computing modular inverses is efficient via the Euclidean algorithm), and outputs PK = (n,e) and SK = (p,q,n,e,d). Enc(PK,m) for m {0,1} first divides m into m /( n 1) blocks m = [m (1) m (2)...] of n 1 bits each (the last block can be padded with zeroes to make it n 1 bit long). This way each m (i) is in Z n, and in fact it is almost always an element of Z n too.1 Then for each block m (assumed in Z n ), Enc computes c = (m)e mod n. Then it collects the resulting ciphertext blocks and outputs c = [c (1) c (2)...]. The decryption Dec(SK, c) goes block-by-block as well, where the block m of plaintext is computed from the corresponding ciphertext block c as m = (c) d mod n. The reason that RSA encryption can work at all is the following fact, which holds for any n: m Z n, m φ(n) = 1 mod n (1) From this equation it follows that for any e,d s.t. ed = 1 mod φ(n) we have: m Z n, m e d = m mod n (2) It follows because if m φ(n) = 1 mod n and ed = iφ(n) + 1 for some integer i (because ed = 1 mod φ(n)), then m ed = m iφ(n)+1 = (m φ(n) ) i m 1 = 1 m = m mod n. Equation (2) implies, taking m Z n for notation simplicity, that Dec(SK,Enc(PK,m)) = ((m e mod n) d mod n) = (m e d mod n) = m. 3.1 The RSA Assumption: Textbook RSA is a One-Way Encryption The so-called RSA assumption is basically exactly what the definition (2) states where Σ = (KGen, Enc, Dec) is the above textbook RSA scheme and the message space M is chosen as Z n (equivalently, one can assume RSA one-wayness on message space M τ = {0,1} τ3 /c 3 1 ). In other words: 1 We can treat any element in 1,..., n 1 as most likely an element of Z n because finding elements m in Z n \ Z n actually leads to factoring of n. The reason is that if n Z n then it must be that gcd(n,m) 1, but since n = pq and m < n then gcd(n, m) is either p or q, so you find a prime factor of n if you find m Z n. Therefore finding such m must be unlikely if the factoring problem is hard. L3-3

Definition 3 (RSA Assumption) It is infeasible, for large enough τ, to compute m s.t. m e = c mod n on inputs ((n,e),c), where (n,e) are RSA parameters chosen as above, c = m e mod n, and m is picked at random in Z n. First, note that the above assumption indeed states exactly that the textbook RSA is a one-way secure encryption scheme on message space M = Z n. But what rationale do we have to think that the RSA assumption holds, or, equivalently, that the textbook RSA encryption is one-way secure? Let s look at some attempts A to break the one-wayness of the RSA encryption, and see that they all either fail to be polynomial time, e.g. Time A (τ) = 2 τ, or they have only negligigible advantage in breaking the one-wayness property, e.g. Adv A (τ) = 2 τ. Attempt 1. How about a trivial algorithm A which on input ((n,e),c) guesses factor p {0,1} n /2 of n, and if the guess is correct, it computes q = n/p, φ(n) = (p 1)(q 1), d = e 1 mod φ(n), and then decrypts m = c d mod n. While Time A is good because all these operations are efficient, the advantage Adv A of A, i.e. the probability that A decrypts m succesfully is only negligible, because A succeeds if and only if it guesses p correctly, and the chances of that are 2 p = 2 n /2 = 2 τ3 /c 3, which is a negligible function of the security parameter τ. Attempt 2. Alternatively, A could search the whole space of possible p s. Then A would succeed for sure, but since there are 2 n /2 = 2 τ3 /c 3 possible p s, A would be run in exponential time, which is infeasible. Attempt 3. The best known way to invert RSA encryption of random messages is indeed to first factor n and then proceed like the attackers above. However, the best factoring algorithm does it much faster than by searching the space of possible n /2-bit factors of n. The fastest algorithm is called a number-field sieve [NSF], and it takes time Time NSF = O(2 c n 1/3 ). Therefore, since n = (τ/c) 3 and hence c n 1/3 = τ, and the attack time is dominated by the time it takes to factor n, we have Time A (τ) Time NSF = O(2 τ ). Thus again, the time it takes for A to invert an RSA encryption is exponential in τ. This analysis explains why the length of the RSA composite n is chosen in the n = (τ/c) 3 relation to the security parameter τ. It s so that an RSA cryptosystem chosen with security parameter τ indeed takes at least about 2 τ operations to break. 3.2 Textbook RSA is Not an Indistinguishably Secure Encryption It is easy to see that while RSA can be plausibly one-way secure (see the failed attempts 1-3 above to break this assumption), it is not secure in the sense of indistinguishability of encryption. Recall the definition of encryption scheme indistinguishability from lecture 2. To show that the textbook RSA encryption scheme fails this security property, we only need to show two messages m 0 and m 1, and an efficient adversary who distinguishes encryptions of m 0 from encryptions of m 1. But that s easy: Take any m,m Z n s.t. m m, and make m 0 = [m,m] and m 1 = [m,m ]. This way Enc((n,e),m 0 ) = [c,c] for some c while Enc((n,e),m 1 ) = [c,c ] where c c. (This holds because the RSA function y = RSA (n,e) (x) = m e mod n is a permutation in Z n, and hence if x x then y y.) Hence it is trivial to distinguish encryptions of m 0 from encryptions of m 1. L3-4

Why is this so bad? Because it means, for example, that in an application in which someone sometimes send the same message twice, which might very well happen with messages like yes, or no, or snafu, the eavesdropper will be able to distinguish, for any two communicated messages, if they are ciphertexts of the same plaintext. This could very well be insecure and is for sure undesirable. Note that the above argument implies something more general, namely that any deterministic encryption scheme cannot be secure in the sense of indistinguishability. How is RSA used in practice to make it secure then? First of all, randomness is introduced so that to make the encryption non-deterministic. Instead of computing c = m e mod n for message block m Z p, the message is divided into smaller blocks m, about 3 4 n -bits each, the encryption procedure picks a random string r {0,1} 1 4 n, and then pads the message m using randomness r in quite an elaborate way, to create a preimage m = pad(m;r). Encryption then outputs c = (m ) e mod n, while decryption reverses this process, extracting (m,r) from m = c d mod n and outputing m. We ll see later in classs how this padding is done and why. L3-5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information