
Lecture 5-6 The RSA and Rabin Algorithms

The possibility of a public key cryptosystem was first publicly suggested by Diffie and Hellman. However, they did not present a practical implementation. In the next few years, several methods were proposed. The most successful, based on the idea that factoring integers into their prime factors is hard, was proposed by Rivest, Shamir, and Adleman in 1977 and is known as the RSA algorithm.

Although cryptanalysis has neither proved nor disproved the security of RSA, it does suggest a level of confidence in the algorithm. Rabin developed a public-key cryptosystem based on the difficulty of computing a square root modulo a composite integer. Rabin's work has theoretical importance, since the security of the Rabin cryptosystem is exactly equivalent to the intractability of the integer factorization problem.

The primary objective of an adversary who wishes to 'attack' a public-key encryption scheme is to systematically recover plaintext from ciphertext intended for some other entity. If this is achieved, the encryption scheme is informally said to have been broken. A more ambitious objective is private key recovery. A particularly important attack is the chosen-ciphertext attack, in which an adversary selects ciphertexts of its choice and then obtains by some means the corresponding plaintexts. Two variants are distinguished: (1) the (indifferent) chosen-ciphertext attack, and (2) the adaptive chosen-ciphertext attack.

The public-key encryption schemes described in this lecture assume that there is a means for the sender of a message to obtain an authentic copy of the intended receiver's public key. There are many techniques in practice by which authentic public keys can be distributed, including exchanging keys over a trusted channel, using a trusted public file, using an on-line trusted server, and using an off-line server and certificates.

Some of the public-key encryption schemes described in this lecture assume that the message to be encrypted is, at most, some fixed size (bit-length). Plaintext messages longer than this maximum must be broken into blocks, each of the appropriate size. To provide protection against manipulation (e.g., re-ordering) of the blocks, the Cipher Block Chaining (CBC) mode may be used.

Outline
1 RSA Encryption Algorithm
2 Implementation of RSA Encryption
3 Security of RSA Encryption
4 RSA Encryption in Practice
5 Rabin Encryption Algorithm
6 Implementation of Rabin Encryption
7 Security of Rabin Encryption
8 Summary of Public Key Encryption

1 RSA Encryption Algorithm 1.1 Description

1.1 Description (Continued)

1.2 Example

2 Implementation of RSA Encryption 2.1 Primality Testing It might be surprising, but factorization and primality testing are not the same problem. It is much easier to prove that a number is composite than it is to factor it. There are many large integers that are known to be composite but that have not been factored.
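As an added example (not code from the lecture), the following Python makes the point above concrete: a Miller-Rabin test proves a number composite by exhibiting a witness base, and that proof yields no factor at all. The same routine is what a key generator uses to pick candidate primes. The test values 561 (a Carmichael number, 3·11·17) and the Mersenne primes used in the checks are constructed for this demo.

```python
import random

def miller_rabin_witness(n: int, a: int) -> bool:
    """True if base a proves the odd integer n composite (a is a 'witness').
    A witness certifies compositeness but reveals no factor of n."""
    # write n - 1 = 2^s * d with d odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False                 # a is a (strong) liar, or n is prime
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True                      # a^(n-1) != 1, or a nontrivial sqrt of 1 seen

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin: a composite survives all rounds with probability <= 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):   # cheap trial division first
        if n % p == 0:
            return n == p
    return not any(miller_rabin_witness(n, random.randrange(2, n - 1))
                   for _ in range(rounds))

def find_witness(n: int, tries: int = 40):
    """Return a base that proves n composite, or None if n is probably prime.
    The certificate costs a few modular exponentiations; factoring n does not follow."""
    for _ in range(tries):
        a = random.randrange(2, n - 1)
        if miller_rabin_witness(n, a):
            return a
    return None

def random_prime(bits: int) -> int:
    """Candidate primes for an RSA or Rabin modulus: odd, with the top bit set."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand
```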

2.1 Primality Testing (Continued)

2.2 Modular Exponentiation

3 Security of RSA Encryption 3.1 Security Parameters , d ⇒ p, q

3.1 Security Parameters , d ⇒ p, q (Continued)

3.2 Relation to Factoring

3.2.1 Exponent Factorization Method

3.2.1 Exponent Factorization Method (Continued)

3.2.2 Pollard's p − 1 Algorithm

3.2.2 Pollard's p − 1 Algorithm (Continued)

3.2.3 Quadratic Sieve

3.2.3 Quadratic Sieve (Continued)

3.2.4 Advances in Factoring

3.3 Small Encryption Exponent e

3.3 Small Encryption Exponent e (Continued)

3.4 Small Decryption Exponent d

3.5 Multiplicative Properties

3.5 Multiplicative Properties (Continued)

3.6 Common Modulus Attack

3.7 Partial Key Exposure Attacks

3.7 Partial Key Exposure Attacks (Continued)

3.8 Cycling Attacks

3.8 Cycling Attacks (Continued)

3.9 Message Concealing

3.9 Message Concealing (Continued)

3.10 Forward Search Attack

3.11 RSA-OAEP

3.11 RSA-OAEP (Continued)

3.12 Timing Attacks The implementation of a cryptographic algorithm can have weaknesses that were unanticipated by the designers of the algorithm. Adversaries can exploit these weaknesses to circumvent the security of the underlying cryptographic algorithm. Attacks on the implementations of cryptographic systems are a great concern to operators and users of secure systems.

3.12 Timing Attacks (Continued) Implementation attacks include timing attacks, power analysis attacks, fault insertion attacks, and electromagnetic emission attacks. We refer to them collectively as side-channel attacks. The term side-channel describes the leakage of unintended information from a supposedly tamper-resistant device, such as a smartcard.

3.12 Timing Attacks (Continued) In a timing attack the side-channel is the time the device needs to perform private key operations. An adversary who carefully measures the time taken by the operations of a vulnerable system can learn the secrets contained inside the device and break the entire system's security. Real systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements.

3.12 Timing Attacks (Continued) Assumed environment. The adversary can observe the system decrypting several ciphertexts g. The adversary also knows the hardware being used for the computation and can use this knowledge to calculate the computation times of the various steps that potentially occur in the process. In addition, assume that g^d (mod n) is computed by Algorithm 4.

3.12 Timing Attacks (Continued)

4 RSA Encryption in Practice 4.1 Recommended Size of Modulus Given the latest progress in algorithms for factoring integers, in particular the (special) number field sieve, a modulus n of at least 1024 bits is recommended. For long-term security, 2048-bit or larger moduli should be used.

4.2 Selecting Primes (1) The primes p and q should be selected so that factoring n = p · q is computationally infeasible. The major restriction on p and q, in order to avoid the elliptic curve factoring algorithm, is that p and q should be about the same bit-length and sufficiently large. For example, if a 1024-bit modulus n is to be used, then each of p and q should be about 512 bits in length.

4.2 Selecting Primes (Continued) (2) Another restriction on the primes p and q is that the difference p − q should not be too small. If p and q are chosen at random, then p − q will be appropriately large with overwhelming probability.

4.2 Selecting Primes (Continued) (3) Many authors have recommended that p and q be strong primes. A prime p is said to be a strong prime if the following three conditions are satisfied: (i) p − 1 has a large prime factor, denoted r; (ii) p + 1 has a large prime factor; (iii) r − 1 has a large prime factor.

The reason for the first condition is to foil Pollard's p − 1 factoring algorithm, which is efficient only if n has a prime factor p such that p − 1 is smooth. The second condition foils the p + 1 factoring algorithm, which is efficient only if n has a prime factor p such that p + 1 is smooth. Finally, the third condition ensures that cycling attacks will fail.

If the prime p is randomly chosen and is sufficiently large, then both p − 1 and p + 1 can be expected to have large prime factors. Additionally, it has been shown that the chances of a cycling attack succeeding are negligible if p and q are randomly chosen. Thus, strong primes offer little protection beyond that offered by random primes. Given the current state of knowledge of factoring algorithms, there is no compelling reason for requiring the use of strong primes in RSA key generation. On the other hand, they require only minimal additional running time to compute, so there is little real additional cost in using them.

4.3 Exponents (1) If the encryption exponent e is chosen at random, then RSA encryption using Algorithm 4 takes k modular squarings and an expected k/2 modular multiplications, where k is the bit-length of the modulus n. Encryption can be sped up by selecting e to be small and/or by selecting e with a small number of 1's in its binary representation.

(2) The encryption exponent e = 3 is commonly used in practice. In this case, it is necessary that neither p − 1 nor q − 1 be divisible by 3. This results in a very fast encryption operation, since encryption requires only 1 multiplication and 1 squaring. Another encryption exponent used in practice has only two 1's in its binary representation, and so encryption using Algorithm 4 requires only 16 squarings and 1 multiplication. This encryption exponent has the advantage over e = 3 that it is unlikely the same message will be sent to that many recipients.

(3) Because of the small decryption exponent attack, the secret exponent is required to satisfy d > n. Boneh and Durfee cannot state their attack as a theorem, since they cannot prove that it always succeeds, but the experiments they carried out demonstrate its effectiveness: they were not able to find a single example where the attack fails.
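As an added example (not the lecture's own code), the following Python implements left-to-right square-and-multiply with operation counters, so the costs quoted in 4.3 can be checked directly, and enforces the requirement that e be coprime to p − 1 and q − 1. I assume the lecture's Algorithm 4 is this binary method (the quoted counts match it), that the exponent with two 1 bits is 2^16 + 1 = 65537, and the toy primes 61 and 53 are constructed for the demo.

```python
from math import gcd

def mod_exp(g: int, e: int, n: int):
    """Left-to-right binary exponentiation (square-and-multiply).
    Returns (g^e mod n, number of squarings, number of multiplications)
    so that the cost of a particular exponent can be inspected."""
    if e == 0:
        return 1 % n, 0, 0
    result, squarings, mults = g % n, 0, 0
    for bit in bin(e)[3:]:              # bits after the leading 1, msb first
        result = result * result % n    # one squaring per remaining bit
        squarings += 1
        if bit == "1":
            result = result * g % n     # one multiplication per 1-bit
            mults += 1
    return result, squarings, mults

def rsa_keygen(p: int, q: int, e: int):
    """Key pair for primes p, q and public exponent e. For e = 3 the check is
    exactly the lecture's condition: neither p-1 nor q-1 divisible by 3.
    In general e must be coprime to (p-1)(q-1), otherwise d does not exist."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e shares a factor with (p-1)(q-1); pick other primes or e")
    return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_encrypt(pub, m: int):
    """Ciphertext plus the (squarings, multiplications) the encryption cost."""
    n, e = pub
    return mod_exp(m, e, n)

def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return mod_exp(c, d, n)[0]

# Constructed toy parameters (far too small for real use); e = 2^16 + 1.
P, Q = 61, 53
PUB, PRIV = rsa_keygen(P, Q, 65537)

def encryption_cost(e: int, m: int = 65, n: int = PUB[0]):
    """(squarings, multiplications) spent encrypting one block under exponent e."""
    _, s, k = mod_exp(m, e, n)
    return s, k
```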

5 Rabin Encryption Algorithm 5.1 Description

5.1 Description (Continued)

6 Implementation of Rabin Encryption 6.1 Finding Square Roots

6.2 About Efficiency Rabin encryption is an extremely fast operation, as it involves only a single modular squaring. By comparison, RSA encryption with e = 3 takes one modular multiplication and one modular squaring. Rabin decryption is slower than encryption, but comparable in speed to RSA decryption.

6.3 Redundancy Problem A drawback of the Rabin public-key scheme is that the receiver is faced with the task of selecting the correct plaintext from among four possibilities. This ambiguity in decryption can easily be overcome in practice by adding pre-specified redundancy to the original plaintext prior to encryption. (For example, the last 64 bits of the message may be replicated.) Then, with high probability, exactly one of the four square roots of a legitimate ciphertext will possess this redundancy. If none of the square roots possesses this redundancy, the receiver should reject the ciphertext as fraudulent.

7 Security of Rabin Encryption (1) The Rabin public-key encryption scheme is susceptible to attacks similar to those on RSA described above regarding a small encryption exponent and forward search. These can be circumvented by salting the plaintext message.

(2) The task faced by a passive adversary is to recover plaintext m from the corresponding ciphertext c. This is precisely the SQROOT problem. The problems of factoring n and computing square roots modulo n are computationally equivalent. Hence, assuming that factoring n is computationally intractable, the Rabin public-key encryption scheme is provably secure against a passive adversary.

Justification. Suppose that one has a polynomial-time algorithm R for solving the SQROOT problem. This algorithm can then be used to factor a given composite integer n as follows. Select an integer x at random with gcd(x, n) = 1, and compute a ≡ x^2 (mod n). Next, algorithm R is run with inputs a and n, and a square root y of a modulo n is returned. If y ≡ ±x (mod n), then the trial fails, and the above procedure is repeated with a new x chosen at random. Otherwise, gcd(x − y, n) is guaranteed to be a non-trivial factor of n, namely p or q. Since a has four square roots modulo n, the probability of success for each attempt is 1/2.

(3) While secure against a passive adversary, the Rabin public-key encryption scheme succumbs to a chosen-ciphertext attack. Such an attack can be mounted as follows. The adversary selects a random integer m and computes c ≡ m^2 (mod n). The adversary then presents c to A's decryption machine, which decrypts c and returns some plaintext y. Since A does not know m, and m is randomly chosen, the plaintext y is not necessarily the same as m. With probability 1/2, y is not equal to ±m (mod n), in which case gcd(m − y, n) is one of the prime factors of n. Otherwise, the attack is repeated with a new m.

(4) If redundancy is used as above, the Rabin public-key encryption scheme is no longer susceptible to the chosen-ciphertext attack. If an adversary selects a message m having the required redundancy and gives c ≡ m^2 (mod n) to A's decryption machine, with very high probability the machine will return the plaintext m itself to the adversary (since the other three square roots of c will most likely not contain the required redundancy), providing no new information.

(4) (Continued) On the other hand, if the adversary selects a message m which does not contain the required redundancy, then with high probability none of the four square roots will possess the required redundancy. In this case, the decryption machine will fail to decrypt c and thus will not provide a response to the adversary. Hence, Rabin public-key encryption, suitably modified by adding redundancy, is of great practical interest.
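As an added example (not code from the lecture), the following Python implements the Rabin scheme with the replicated-bits redundancy of 6.3 and exercises the arguments of (2) through (4) above: the reduction from square roots to factoring, the factor leaked by an unprotected decryptor, and the redundancy check that removes that leak by returning only the well-formed root or rejecting. The Mersenne primes 2^61 − 1 and 2^89 − 1, the 16-bit redundancy length, and all function names are constructed for the demo.

```python
from math import gcd
from random import randrange

# Constructed demo parameters: Mersenne primes, both = 3 (mod 4), so a square
# root of c modulo p is simply c^((p+1)/4) mod p. Real keys use ~1024-bit primes.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
R = 16   # redundancy: the last R bits of the plaintext are replicated

def rabin_encrypt(m: int, n: int = N) -> int:
    return m * m % n                     # a single modular squaring

def square_roots(c: int, p: int = P, q: int = Q) -> list:
    """All four square roots of c modulo n = p*q (p, q = 3 mod 4, gcd(c, n) = 1)."""
    n = p * q
    mp, mq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    yp, yq = pow(p, -1, q), pow(q, -1, p)        # CRT coefficients
    r = (yp * p * mq + yq * q * mp) % n
    s = (yp * p * mq - yq * q * mp) % n
    return [r, n - r, s, n - s]

def add_redundancy(m: int, r: int = R) -> int:
    return (m << r) | (m & ((1 << r) - 1))

def strip_redundancy(x: int, r: int = R):
    """The message if x carries the replicated low bits, else None."""
    mask, m = (1 << r) - 1, x >> r
    return m if (m & mask) == (x & mask) else None

def decrypt_with_redundancy(c: int):
    """Receiver's rule: accept only when exactly one root is well-formed;
    None means the ciphertext is rejected as fraudulent."""
    good = [m for x in square_roots(c) if (m := strip_redundancy(x)) is not None]
    return good[0] if len(good) == 1 else None

def decrypt_raw(c: int) -> int:
    """Unprotected decryptor: returns an arbitrary one of the four roots."""
    return square_roots(c)[randrange(4)]

def factor_from_roots(x: int, y: int, n: int = N):
    """The SQROOT-to-factoring reduction of the justification above: roots x, y
    of the same value with y != +-x give gcd(x - y, n) in {p, q}, else None."""
    g = gcd(x - y, n)
    return g if 1 < g < n else None

def raw_oracle_leaks_factor(trials: int = 40) -> bool:
    """Each query to the unprotected decryptor yields a factor with probability 1/2."""
    for _ in range(trials):
        x = randrange(2, N)
        f = factor_from_roots(x, decrypt_raw(rabin_encrypt(x)))
        if f is not None:
            return f in (P, Q)
    return False
```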

8 Summary of Public Key Encryption 8.1 Requirements for Public Key Encryption In a public key system, the message set M, the key set K, and the encryption/decryption functions E/D must satisfy the following requirements: (1) E_k(D_k(m)) = m and D_k(E_k(m)) = m for every m ∈ M. (2) For every m and every k, the values E_k(m) and D_k(m) are easy to compute.

8.1 Requirements for Public Key Encryption (Continued) (3) For almost every k ∈ K, if someone knows only the function E_k, it is computationally infeasible to find an algorithm to compute D_k. (4) Given k ∈ K, it is easy to find the functions E_k and D_k.

8.1 Requirements for Public Key Encryption (Continued)

8.2 About Authentication and Non-Repudiation (1) In a symmetric system, authentication is easy but non-repudiation is not. (2) In an asymmetric system, neither authentication nor non-repudiation is automatic. However, both goals are easily accomplished: for example, compute and send the message E_kb(S_ka(m)) = E_kb(D_ka(m)) for the RSA algorithm.

8.3 Trapdoor Functions and Collections

8.3 Trapdoor Functions and Collections (Continued)

Thank you!