CS 470

1
RSA

• CS 470
• Introduction to Applied Cryptography
• Instructor Ali Aydin Selcuk

2
RSA

• First successful public key system (Rivest,
  Shamir, Adleman, 1977).
• Q Would a DH-like PKC as xe mod p work?
• RSA
• Alice chooses large primes p, q n pq.
• e, such that gcd(e, ?(n)) 1.
• d e-1 mod ?(n)
• n, e public. d is the private key.
• Encryption E(x) xe mod nDecryption D(x)
  xd mod n

3
RSA Encryption

• Encryption y E(x) xe mod n,
• Decryption D(y) yd mod n.
• Why does it work?
• D(y) (xe)d mod n xed mod n x k?(n)
  1 mod n, for some k (x?(n))k x mod n
  x, if x ? Zn (what if not?)

4
Generation of RSA Parameters

• p, q can be generated randomly.
• ?(n) (p-1)(q-1)
• choosing e, gcd(e, ?(n)) 1
• Take e to be a prime.
• Generate p, q, such that e ? (p 1), e ? (q
  1).
• Compute d e-1 mod ?(n) by ext. Euclids.
• Popular e 3, e 65537.
• Randomness of d due to n.

5
Security of RSA

• Based on difficulty of factoring large integers.
• NFS e(1.923 O(1)) ((ln n)(1/3)) ((ln ln
  n)(2/3))(btw, factoring is reducible to DLP in
  Zp)
• Computing d is equivalent to factoring n. (i.e.,
  given d and e, one can find p and q.)
• RSA problem Given n, e, xe mod n, what is
  x?(conjecture It is equivalent to factoring n.)
• Bit Security of RSA Computing LSB(x) is
  equivalent to computing the whole x.

6
Signing with RSA

• Signature y S(x) xd mod n
• Verification ye mod n x ?
• Some problems
• Existential Forgery x ye mod n(solution?)
• Distributiveness Given (x1,S(x1)), (x2,S(x2)),
  attacker can compute S(x1x2) S(x1)S(x2).
• Or, similarly, S(x1/x2) or any S(x1ix2j) can be
  computed.
• Smooth numbers threat This may be significant
  when messages to be signed are small. (solution?)

7
Optimizing RSA Private Key Op.s

• Instead of xd mod n, compute xd mod p xd
  mod qand obtain xd mod n by the CRT.
• For dp d mod (p 1), dq d mod (q 1), xd
  xdp (mod p) xd xdq (mod q)hence, halving
  the size of the modulus the exponents.
• Approximately 2-3 times speedup.
• Q Can this be utilized for the public key
  operations as well?

8
e 3 Issues

• Cube root problem
• Encryption If a small msg (i.e. x lt n1/3) is
  encrypted, attacker can solve x from x3 mod n.
• Signature If short msg.s are padded randomly at
  LSBs, attacker can sign any short msg x
• attacker pads x with 0s on the LSBs,
• computes its cube root,
• rounds up to the nearest integer r,
• take the padded message as r3.

9
e 3 Issues (cont.)

• Broadcast problem
• Bob, Bart, Bert all use e 3 with mods n1, n2,
  n3.
• Alice sends the same message x to all x3 mod
  n1 x3 mod n2 x3 mod n3
• Eve computes y x3 mod n1n2n3 by the CRT.
• Which is y x3, since x lt n1, n2, n3, and x is
  the cube root of y.

10
PKCS Solutions(RSA Labs)

• Encryption (PKCS 1 v1.5, RFC 2313)
• first 0 to guarantee x lt n
• 2 indicates encryption
• second 0 indicates end of padding
• Protects against
• guessable message attacks (e.g., a yes/no
  message)
• cube root problem, for e 3
• broadcast problem, for e 3

11
PKCS (cont.)

• Signature (PKCS 1 v1.5)
• Why not random padding?
• Why include the hash type?

12
PKCS v2

• Encryption Optimal Asymmetric Encryption
  Padding (OAEP)
• Bellare Rogaway, 1994. Adopted for PKCS 1 v2
  (RFC 3447).
• Message m, padded with 0s and random r, passes
  through a Feistel-like structure and is then
  encrypted with RSA.
• Padding is provably secure assuming that hash
  fnc. G H behave randomly.

13
PKCS v2 (cont.)

• Signature Probabilistic Signature Scheme (PSS)
• Bellare Rogaway, 1996.
• Provably secure (OAEP) assuming hash functions
  produce random outputs. (Random oracle
  assumption)
• Adopted for PKCS 1 v2.1.