Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration • HW1 – due at 11am on Feb 06 • Any questions, or help needed? 2 Outline of Today’s Lecture • The RSA Cryptosystem (Encryption) 3 “Textbook” RSA: KeyGen • Alice wants people to be able to send her encrypted messages. • She chooses two (large) prime numbers, p and q and computes n=pq and (n). [“large” = 1024 bits +] • She chooses a number e such that e is relatively prime to (n) and computes d, the inverse of e in Z (n ) , i.e., ed =1 mod (n) • She publicizes the pair (e,n) as her public key. (e is called RSA exponent, n is called RSA modulus). She keeps d secret and destroys p, q, and (n) • Plaintext and ciphertext messages are elements of Zn and e is the encryption key. 4 RSA: Encryption • Bob wants to send a message x (an element of Zn*) to Alice. • He looks up her encryption key, (e,n), in a directory. • The encrypted message is y E( x) xe modn • Bob sends y to Alice. 5 RSA: Decryption • To decrypt the message y E( x) x modn e she’s received from Bob, Alice computes D( y) y modn d Claim: D(y) = x 6 RSA: why does it all work • Need to show D[E[x]] = x E[x] and D[y] can be computed efficiently if keys are known E-1[y] cannot be computed efficiently without knowledge of the (private) decryption key d. • Also, it should be possible to select keys reasonably efficiently This does not have to be done too often, so efficiency requirements are less stringent. 7 E and D are Inverses D( y ) y modn d ( x e modn) d modn ( x ) modn e d x modn ed x t ( n ) 1 (x modn Because ed 1 mod(n) (n) t ) x modn 1t x modn x modn From Euler’s Theorem 8 Tiny RSA example. • Let p = 7, q = 11. Then n = 77 and (n) 60 • • • • Choose e = 13. Then d = 13-1 mod 60 = 37. Let message = 2. E(2) = 213 mod 77 = 30. D(30) = 3037 mod 77=2 9 Slightly Larger RSA example. • Let p = 47, q = 71. Then n = 3337 and ( pq) 46* 70 3220 • Choose e = 79. Then d = 79-1 mod 3220 = 1019. • Let message = 688232… Break it into 3 digit blocks to encrypt. • E(688) = 68879 mod 3337 = 1570. E(232) = 23279 mod 3337 = 2756 • D(1570) = 15701019 mod 3337 = 688. D(2756) = 27561019 mod 3337 = 232. 10 Security of RSA: RSA assumption • Suppose Oscar intercepts the encrypted message y that Bob has sent to Alice. • Oscar can look up (e,n) in the public directory (just as Bob did when he encrypted the message) • If Oscar can compute d = e-1 mod (n) then he can use D( y) y d modn x to recover the plaintext x. • If Oscar can compute (n), he can compute d (the same way Alice did). 11 Security of RSA: factoring • Oscar knows that n is the product of two primes • If he can factor n, he can compute (n) • But factoring large numbers is very difficult: – Grade school method takes O( n ) divisions. – Prohibitive for large n, such as 160 bits – Better factorization algorithms exist, but they are still too slow for large n – Lower bound for factorization is an open problem 12 How big should n be? • Today we need n to be at least 1024-bits – This is equivalent to security provided by 80-bit long keys in private-key crypto • No other attack on RSA known – Except some side channel attacks, based on timing, power analysis, etc. But, these exploit certain physical charactesistics, not a theoretical weakness in the cryptosystem! 13 Key selection • To select keys we need efficient algorithms to – Select large primes • Primes are dense so choose randomly. • Probabilistic primality testing methods known. Work in logarithmic time. – Compute multiplicative inverses • Extended Euclidean algorithm 14 RSA in Practice • Textbook RSA is insecure – Known-plaintext? – CPA? – CCA? • In practice, we use a “randomized” version of RSA, called RSA-OAEP – Use PKCS#1 standard for RSA encryption http://www.rsa.com/rsalabs/node.asp?id=2125 – Interested in details of OAEP: refer to (section 3.1 of) http://isis.poly.edu/courses/cs6903/Lectures/lecture13.pdf 15 Some questions • c1 = RSA_Enc(m1), c2 = RSA_Enc(m2). – What is RSA_Enc(m1m2)? • Homomorphic property – What is RSA_Enc(2m1)? • Malleability (not a good property!) • Is it possible to find inverses mod n (RSA modulus)? 16 Some Questions • RSA stands for Robust Security Algorithm, right? • If e is small (such as 3) – Encryption is faster than decryption or the other way round? • Private key crypto has key distribution problem and Public key crypto is slow – How about a hybrid approach? – Do you know how ssl/ssh works? 17 Some Questions • Key generation in RSA is -------- than in DLbased schemes (El Gamal/DSS) • I encrypt m with Alice’s RSA PK, I get c – I encryt m again, I get --? – What does this mean? • What if I do the above with DES? 18 Some Questions • Find x such that – x = 4 (mod 5) – x = 7 (mod 8) – x = 3 (mod 9) 19 Further Reading • Section 8.2 of HAC • Section 9 of Stallings 20