CS 470 - PowerPoint PPT Presentation

1
RSA
  • CS 470
  • Introduction to Applied Cryptography
  • Instructor Ali Aydin Selcuk

2
RSA
  • First successful public key system (Rivest,
    Shamir, Adleman, 1977).
  • Q: Would a DH-like PKC as $x^e \bmod p$ work?
  • RSA:
  • Alice chooses large primes $p$, $q$; $n = pq$.
  • $e$, such that $\gcd(e, \varphi(n)) = 1$.
  • $d = e^{-1} \bmod \varphi(n)$
  • $n$, $e$ public. $d$ is the private key.
  • Encryption: $E(x) = x^e \bmod n$; Decryption: $D(x) = x^d \bmod n$

3
RSA Encryption
  • Encryption: $y = E(x) = x^e \bmod n$,
  • Decryption: $D(y) = y^d \bmod n$.
  • Why does it work?
  • $D(y) = (x^e)^d \bmod n = x^{ed} \bmod n = x^{k\varphi(n)+1} \bmod n$,
    for some $k$; $= (x^{\varphi(n)})^k \, x \bmod n = x$,
    if $x \in Z_n^*$ (what if not?)

4
Generation of RSA Parameters
  • $p$, $q$ can be generated randomly.
  • $\varphi(n) = (p-1)(q-1)$
  • choosing $e$, $\gcd(e, \varphi(n)) = 1$:
  • Take $e$ to be a prime.
  • Generate $p$, $q$, such that $e \nmid (p-1)$, $e \nmid (q-1)$.
  • Compute $d = e^{-1} \bmod \varphi(n)$ by ext. Euclid's.
  • Popular: $e = 3$, $e = 65537$.
  • Randomness of $d$ due to $n$.

5
Security of RSA
  • Based on difficulty of factoring large integers.
  • NFS: $e^{(1.923 + O(1))\,(\ln n)^{1/3}\,(\ln \ln n)^{2/3}}$
    (btw, factoring is reducible to DLP in $Z_p$)
  • Computing $d$ is equivalent to factoring $n$. (i.e.,
    given $d$ and $e$, one can find $p$ and $q$.)
  • RSA problem: Given $n$, $e$, $x^e \bmod n$, what is
    $x$? (conjecture: It is equivalent to factoring $n$.)
  • Bit Security of RSA: Computing LSB($x$) is
    equivalent to computing the whole $x$.

6
Signing with RSA
  • Signature: $y = S(x) = x^d \bmod n$
  • Verification: $y^e \bmod n \stackrel{?}{=} x$
  • Some problems:
  • Existential Forgery: $x = y^e \bmod n$ (solution?)
  • Distributiveness: Given $(x_1, S(x_1))$, $(x_2, S(x_2))$,
    attacker can compute $S(x_1 x_2) = S(x_1) S(x_2)$.
  • Or, similarly, $S(x_1/x_2)$ or any $S(x_1^i x_2^j)$ can be
    computed.
  • Smooth numbers threat: This may be significant
    when messages to be signed are small. (solution?)

7
Optimizing RSA Private Key Op.s
  • Instead of $x^d \bmod n$, compute $x^d \bmod p$ and
    $x^d \bmod q$, and obtain $x^d \bmod n$ by the CRT.
  • For $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$:
    $x^d \equiv x^{d_p} \pmod p$, $x^d \equiv x^{d_q} \pmod q$;
    hence, halving the size of the modulus & the exponents.
  • Approximately 2-3 times speedup.
  • Q: Can this be utilized for the public key
    operations as well?

8
e = 3 Issues
  • Cube root problem:
  • Encryption: If a small msg (i.e. $x < n^{1/3}$) is
    encrypted, attacker can solve $x$ from $x^3 \bmod n$.
  • Signature: If short msg.s are padded randomly at
    LSBs, attacker can sign any short msg $x$:
  • attacker pads $x$ with 0s on the LSBs,
  • computes its cube root,
  • rounds up to the nearest integer $r$,
  • takes the padded message as $r^3$.

9
e = 3 Issues (cont.)
  • Broadcast problem:
  • Bob, Bart, Bert all use $e = 3$ with mods $n_1$, $n_2$,
    $n_3$.
  • Alice sends the same message $x$ to all: $x^3 \bmod n_1$,
    $x^3 \bmod n_2$, $x^3 \bmod n_3$
  • Eve computes $y = x^3 \bmod n_1 n_2 n_3$ by the CRT.
  • Which is $y = x^3$, since $x < n_1, n_2, n_3$, and $x$ is
    the cube root of $y$.

10
PKCS Solutions (RSA Labs)
  • Encryption (PKCS #1 v1.5, RFC 2313):
  • first 0: to guarantee $x < n$
  • 2: indicates encryption
  • second 0: indicates end of padding
  • Protects against:
  • guessable message attacks (e.g., a yes/no
    message)
  • cube root problem, for $e = 3$
  • broadcast problem, for $e = 3$
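
An added example (not from the original slides) showing the cube root problem from the e = 3 slide next to the PKCS #1 v1.5 encryption block, whose layout is 00, 02, nonzero random padding bytes, 00, message. The key is constructed from two publicly known special-form primes so the demo is self-contained; all function names are assumptions of this example.

```python
import os

# Constructed demo key. P and Q are the well-known P-384 and Curve448 field
# primes, both 2 mod 3 so e = 3 is valid. Special-form primes: demo only.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
Q = 2**448 - 2**224 - 1
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))   # d = e^-1 mod phi(n), needs Python 3.8+
K = (N.bit_length() + 7) // 8        # modulus length in bytes

def exact_cube_root(c):
    """Return r if r**3 == c over the integers, else None (binary search)."""
    lo, hi = 0, 1 << (c.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**3 <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo if lo**3 == c else None

def pad_type2(msg):
    """Build 00 02 <nonzero random bytes> 00 <msg>, K bytes in total."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(b % 255 + 1 for b in os.urandom(ps_len))  # 1..255, never 0
    return b"\x00\x02" + ps + b"\x00" + msg

def unpad_type2(block):
    """Check the 00 02 header and strip everything up to the second 0."""
    if len(block) != K or block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = block.find(b"\x00", 2)
    if sep < 10:                       # also catches find() == -1
        raise ValueError("bad padding")
    return block[sep + 1:]

def textbook_encrypt(msg):
    return pow(int.from_bytes(msg, "big"), E, N)

def padded_encrypt(msg):
    return pow(int.from_bytes(pad_type2(msg), "big"), E, N)

def padded_decrypt(c):
    return unpad_type2(pow(c, D, N).to_bytes(K, "big"))

if __name__ == "__main__":
    x = int.from_bytes(b"yes", "big")
    print("textbook: cube root == x:", exact_cube_root(textbook_encrypt(b"yes")) == x)
    c = padded_encrypt(b"yes")
    print("padded: cube root:", exact_cube_root(c), "decrypts to:", padded_decrypt(c))
```

With padding, the encoded value is far above $n^{1/3}$, so its cube wraps around the modulus, and two encryptions of the same "yes" give different ciphertexts.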

11
PKCS (cont.)
  • Signature (PKCS #1 v1.5)
  • Why not random padding?
  • Why include the hash type?

12
PKCS v2
  • Encryption: Optimal Asymmetric Encryption
    Padding (OAEP)
  • Bellare & Rogaway, 1994. Adopted for PKCS #1 v2
    (RFC 3447).
  • Message m, padded with 0s and random r, passes
    through a Feistel-like structure and is then
    encrypted with RSA.
  • Padding is provably secure assuming that hash
    fnc. G & H behave randomly.

13
PKCS v2 (cont.)
  • Signature: Probabilistic Signature Scheme (PSS)
  • Bellare & Rogaway, 1996.
  • Provably secure (OAEP) assuming hash functions
    produce random outputs. (Random oracle
    assumption)
  • Adopted for PKCS #1 v2.1.