Tutorial on Public Key Cryptography RSA. c Eli Biham - May 3, Tutorial on Public Key Cryptography RSA (14)

Similar documents
Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

The application of prime numbers to RSA encryption

Digital Signatures. Prof. Zeph Grunschlag

CIS 5371 Cryptography. 8. Encryption --

Lecture 13 - Basic Number Theory.

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Public Key Cryptography: RSA and Lots of Number Theory

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Advanced Cryptography

Introduction to Cryptography CS 355

CSCE 465 Computer & Network Security

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

How To Know If A Message Is From A Person Or A Machine

Cryptography: Authentication, Blind Signatures, and Digital Cash

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Lecture 13: Factoring Integers

RSA and Primality Testing

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

An Introduction to the RSA Encryption Method

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

The Mathematics of the RSA Public-Key Cryptosystem

Public Key Cryptography in Practice. c Eli Biham - May 3, Public Key Cryptography in Practice (13)

Public Key (asymmetric) Cryptography

1 Signatures vs. MACs

Public Key Cryptography and RSA. Review: Number Theory Basics

Crittografia e sicurezza delle reti. Digital signatures- DSA

Cryptography and Network Security Chapter 9

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Lecture 6 - Cryptography

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Computer Security: Principles and Practice

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

An Efficient Data Security in Cloud Computing Using the RSA Encryption Process Algorithm

Notes on Network Security Prof. Hemant K. Soni

Introduction. Digital Signature

Index Calculation Attacks on RSA Signature and Encryption

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Improved Online/Offline Signature Schemes

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Overview of Public-Key Cryptography

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Cryptography and Network Security

1 Domain Extension for MACs

Digital signatures. Informal properties

DIGITAL SIGNATURES 1/1

RSA Encryption. Tom Davis October 10, 2003

Cryptographic Hash Functions Message Authentication Digital Signatures

Public Key Cryptography Overview

Software Tool for Implementing RSA Algorithm

Part VII. Digital signatures

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Discrete logarithms within computer and network security Prof Bill Buchanan, Edinburgh Napier

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Symmetric Key cryptosystem

Number Theory and Cryptography using PARI/GP

Elements of Applied Cryptography Public key encryption

Lukasz Pater CMMS Administrator and Developer

Cryptography and Network Security Chapter 10

CS 758: Cryptography / Network Security

Shor s algorithm and secret sharing

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Computing exponents modulo a number: Repeated squaring

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

On Factoring Integers and Evaluating Discrete Logarithms

Primes, Factoring, and RSA A Return to Cryptography. Table of contents

Digital Signature. Raj Jain. Washington University in St. Louis

Cryptography and Network Security

Introduction to Computer Security

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

CRYPTOGRAPHY IN NETWORK SECURITY

Lecture 25: Pairing-Based Cryptography

1 Message Authentication

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

A Method for Obtaining Digital Signatures and Public-Key Cryptosystems

Signature Schemes. CSG 252 Fall Riccardo Pucella

Chapter. Number Theory and Cryptography. Contents

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones

Number Theory and the RSA Public Key Cryptosystem

Paillier Threshold Encryption Toolbox

Cryptography and Network Security

Primality Testing and Factorization Methods

Cryptography: RSA and Factoring; Digital Signatures; Ssh

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

Computer Science A Cryptography and Data Security. Claude Crépeau

EXAM questions for the course TTM Information Security May Part 1

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Basic Algorithms In Computer Algebra

Cryptography and Network Security Number Theory

An Approach to Shorten Digital Signature Length

Transcription:

Tutorial on Public Key Cryptography RSA c Eli Biham - May 3, 2005 386 Tutorial on Public Key Cryptography RSA (14)

RSA the Key Generation Example 1. Randomly choose two prime numbers p and q. We choose p = 11 and q = 13. 2. Compute n = pq. We compute n = pq = 11 13 = 143. 3. Randomly choose an odd number e in the range 1 < e < ϕ(n) which is coprime to ϕ(n) (i.e., e Z ϕ(n)). ϕ(n) = ϕ(p) ϕ(q) = 10 12 = 120. Thus, we choose e = 7 (e Z 120). 4. Compute d e 1 (mod ϕ(n)) by Euclid s algorithm. Thus, de 1 (mod ϕ(n)). We compute d e 1 7 1 103 (mod ϕ(143) = 120). Check that 120 7 103 1 = 721 1 = 720. c Eli Biham - May 3, 2005 387 Tutorial on Public Key Cryptography RSA (14)

RSA the Key Generation Example (cont.) 5. Publish (n, e) as the public key, and keep d secret as the secret key. We publish (n, e) = (143, 7) as the public key, and keeps d = 103 secret as the secret key. c Eli Biham - May 3, 2005 388 Tutorial on Public Key Cryptography RSA (14)

RSA Encryption/Decryption Example The encryption algorithm E: Everybody can encrypt messages m (0 m < n A ) to user A by c = E A (m) = m e A mod n A. The ciphertext c (0 c < n A ) can be sent to A, and only A can decrypt. Encrypt m = 3: E A (m) m e A 3 7 42 (mod 143) c Eli Biham - May 3, 2005 389 Tutorial on Public Key Cryptography RSA (14)

RSA Encryption/Decryption Example (cont.) The decryption algorithm D: Only A knows his secret key d A and can decrypt: m = D A (c) = c d A mod n A. Decrypt c = 42: D A (c) c d A 42 103 3 (mod 143) Decrypt c = 2: D A (c) c d A 2 103 63 (mod 143) c Eli Biham - May 3, 2005 390 Tutorial on Public Key Cryptography RSA (14)

Existential Forgery of an RSA Signature Given a public key (n A, e A ) of user A, can another user B create a message m and a signature D A (m) m d A (mod n A )? User B can forge a signature in the following way: B Chooses y Z n and calculates x E A (y) = y e A (mod n A ). Now B can claim that y x d A (mod n A ) is A s signature on x. c Eli Biham - May 3, 2005 391 Tutorial on Public Key Cryptography RSA (14)

Multiplication Property of RSA Multiplication Property: Given a public key (n A, e A ) of user A, and m 1, m 2 Z n then E A (m 1 m 2 ) E A (m 1 ) E A (m 2 ) (mod n) Proof: and, E A (m 1 ) m e A 1 (mod n A ) E A (m 2 ) m e A 2 (mod n A ) E A (m 1 m 2 ) (m 1 m 2 ) e A m e A 1 m e A 2 E A (m 1 ) E A (m 2 ) (mod n A ) QED c Eli Biham - May 3, 2005 392 Tutorial on Public Key Cryptography RSA (14)

Problem: Random Self Reducibility of RSA Given a public key (n A, e A ) of user A: Assume we are given an algorithm, called ALG, which given E A (m) m e A 1 (mod n A ) can find the message m for 100 of the possible cryptograms. Show a polynomial random algorithm which given E A (m) m e A (mod n A ) finds the message m with probability 1 2 for every cryptogram in Z n A. c Eli Biham - May 3, 2005 393 Tutorial on Public Key Cryptography RSA (14)

Random Self Reducibility of RSA (cont.) The Algorithm: Make t iterations of the following: 1. Randomly Choose z Zn A. 2. Calculate z e A (mod n a ). 3. Let x = ALG(m e Az e A (mod n A )). 4. If x e A m e Az e A (mod n A ) then output x z 1 (mod n A ) and finish. c Eli Biham - May 3, 2005 394 Tutorial on Public Key Cryptography RSA (14)

Random Self Reducibility of RSA (cont.) Correctness: If algorithm ALG succeeds, i.e., outputs x such that x e A (mz) e A m ea z e A (mod n A ) Then, m x z 1 (mod n A ). For z Zn {z x : x Z n } = z Z n = Z n because if for x 1, x 2 we have: z x 1 z x 2 (mod n) which implies x 1 z 1 z x 1 z 1 z x 2 x 2 (mod n) c Eli Biham - May 3, 2005 395 Tutorial on Public Key Cryptography RSA (14)

Random Self Reducibility of RSA (cont.) Thus, for every iteration we have 1 probability of success, thus in order to 100 find m with probability 1 2, t must satisfy: Thus, t 69 suffices. t log t 99 1 100 2 99 log 1 100 2 Note: Can we find the message when E A (m) Z n A? When the cryptogram E A (m) Z n, we can find either p or q. Thus, we can find d and then m. c Eli Biham - May 3, 2005 396 Tutorial on Public Key Cryptography RSA (14)

Note: Random Self Reducibility of RSA (cont.) Let p be a prime and g be a generator of Z p. Thus, for a Zp there exists z such that g z a (mod p). This z is called the discrete logarithm or index of a, modulo p, to the base of g. We denote this value as ind p,g (a) or DLOG p,g (a). DLOG is also random self reducible given a generator g of Z p. c Eli Biham - May 3, 2005 397 Tutorial on Public Key Cryptography RSA (14)

Blind Signatures Usually when we sign a document we check its contents. But we might want people to sign documents without ever seeing them. For example, Bob is a notary. Alice wants him to sign a document, but does not want him to have any idea what he is signing. Bob doesn t care what the document says, he is just certifying that he notarized it at a certain time. 1. Alice takes the document and uses a blinding factor. 2. Alice sends the blinded document to Bob. 3. Bob signs the blinded document. 4. Alice computes the signature on the original document. c Eli Biham - May 3, 2005 398 Tutorial on Public Key Cryptography RSA (14)

Blind Signatures using RSA Can Bob, with a public key (n, e), sign a message m (actually signs H(m)) without knowing its contents? Yes. We choose a random α Z n and then ask Bob to sign we get: E(α) m α e m (mod n) D(E(α) m) (E(α) m) d (α e m) d α m d (mod n) thus we need only to calculate α 1 (mod n): m d α 1 D(E(α) m) (mod n) Note that the function f(x) x e if α Zn then α e Zn. (mod n) is a permutation of Z n. Moreover, c Eli Biham - May 3, 2005 399 Tutorial on Public Key Cryptography RSA (14)

Problem 1: An Example of Using Blind Signatures Alice wants a virtual 100 dollar note. Solution 1: Alice goes to the bank and asks for such a note. The bank gives Alice a signature on a virtual 100 dollar check. Denote the bank s public key by (n, e) and its secret key by d. c Eli Biham - May 3, 2005 400 Tutorial on Public Key Cryptography RSA (14)

An Example of Using Blind Signatures (cont.) Problem 2: The bank can trace this check to Alice. Solution 2: Use a blind signature. The bank signs a check m by using a blind signature: Alice wants to get m d. Thus, Alice chooses a random α Z n and then asks the bank to sign: E(α) m α e m (mod n) now Alice needs only to calculate α 1 (mod n): m d α 1 D(E(α) m) (mod n) c Eli Biham - May 3, 2005 401 Tutorial on Public Key Cryptography RSA (14)

An Example of Using Blind Signatures (cont.) Problem 3: Alice can trick the bank into giving her a check worth more than 100 dollars. Solution 3: Alice prepares 100 versions of the check m 1,..., m 100. Alice chooses random α 1,..., α 100 Zn at random. Alice gives y i = α e i m i (mod n) to the bank. The bank asks Alice to reveal 99 of the α s. Denote the remaining α by α k. The bank signs y k. Alice calculates m d α 1 k (α e k m) d (mod n). c Eli Biham - May 3, 2005 402 Tutorial on Public Key Cryptography RSA (14)

An Example of Using Blind Signatures (cont.) Assume Alice tries to cheat by using one check m j which is worth a million dollars. If the bank does not ask for α j then Alice gets million dollars. On the other hand, if the bank does ask for α j, giving it the real α j exposes her deceit. Alice would prefer to reveal β j such that where m j is a check on 100 dollars. thus, or m j y j β e j (mod n) y j m j α e j = m j β e j (mod n) β e j α e j m j m 1 j (mod n) β j α j m d j m d j (mod n) Which means we can find (m j m 1 j ) d. c Eli Biham - May 3, 2005 403 Tutorial on Public Key Cryptography RSA (14)

An Example of Using Blind Signatures (cont.) Another approach:: The bank will use different public keys for different bill values, i.e., the bank will use (e 100, n 100 ) for 100 dollar bills, (e 20, n 20 ) for 20 dollar bills, etc. For a bill to be valid, it must be formatted like m = This is a 100 dollar bill, serial number: x, where the serial number is a very long random chosen by Alice, and the bill must be signed using the appropriate public key. c Eli Biham - May 3, 2005 404 Tutorial on Public Key Cryptography RSA (14)

Question: Examples We are given the following implementation of RSA: A trusted center chooses p and q, and publishes n = pq. Then, n is used by all the users. He gives the i th user a private key d i and a public key e i, such that i j e i e j. Show that if two users, i and j, for which gcd(e i, e j ) = 1, receive the same message m, it is possible to reconstruct m by using n, e i, e j, m e i, m e j. Solution: Thus, gcd(e i, e j ) = 1 x, y xe i + ye j = 1 (m e i ) x (m e j ) y m xe i+ye j m (mod n) Exercise: Show that even one user can reconstruct a message m without cooperation of any other user. c Eli Biham - May 3, 2005 405 Tutorial on Public Key Cryptography RSA (14)

Question: Let p and q be prime, n = pq. Examples (cont.) Alice wishes to send messages to Bob using the RSA cryptosystem. Unwisely she does not choose her own keys, but allows Eve to choose them for her. The only precaution that Alice takes is to check that e 1 (mod ϕ(n)). Show that Eve can still choose a pair of keys e, d such that encryption and decryption can be accomplished, but m e m (mod n), for every m Z n. c Eli Biham - May 3, 2005 406 Tutorial on Public Key Cryptography RSA (14)

Examples (cont.) Solution: Denote l = lcm(p 1, q 1). Thus, m l+1 m a(p 1)+1 1 a m = m (mod p) and m l+1 m b(q 1)+1 1 b m = m (mod q) thus by the Chinese reminder theorem m l+1 m (mod n). c Eli Biham - May 3, 2005 407 Tutorial on Public Key Cryptography RSA (14)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information