1 Number Theory and Advanced Cryptography 5. Cryptanalysis of RSA Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography
2 RSA Cryptosystem (1) Page 258
3 RSA Cryptosystem (2)
4 RSA Cryptosystem 1977 by Ron Rivest, Adi Shamir, and Len Adleman (MIT) The first “ secure ” & “ practical ” public key cryptosystem A block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n
5 The RSA Algorithm (1/2)
6 The RSA Algorithm (2/2)
7 RSA Example
8 N=119 = p*q =7*17 e=5; e*d =1 mod 6*16 d=77
9 Active attacks on cryptosystems (1) Chosen-plaintext attack (CPA) Chosen-ciphertext attack (CCA)
10 Active attacks on cryptosystems (2) Adaptive chosen-ciphertext attack (CCA2)
11 Attack Scenarios
12 The RSA Problem and Assumption
13 Insecurity of the Textbook RSA Encryption Theorem 8.1 The RSA cryptosystem is “ all-or-nothing ” secure against CPA if and only if the RSA assumption holds.
14 Meet-in-the-middle attack (1) The multiplicative property of the RSA function Space cost: 2 length/2 logN bits Time cost: O B (2 length/2 +1 (length/2+log 3 N))
15 Meet-in-the-middle attack (2)
16 Inadequacy of the CPA security of the RSA (1) Blind attack
17 Inadequacy of the CPA security of the RSA (2)
18 Common modulus protocol failure (1) outsider attack Description
19 Common modulus protocol failure (2) outsider attack
20 Common modulus protocol failure (3) insider attack A square root of 1 mod M
21 Common modulus protocol failure (4) insider attack Finding a nontrivial square root of 1 mod M
22 Common modulus protocol failure (5) insider attack Given a public key e 1, the holder of of an encryption/decryption pair e 2, d 2 can generate the private key of another user.
23 The low exponent protocol failure (1) Use a small exponent for RSA public key in order to make the calculations for encryption fast and inexpensive to perform. Problem description
24 The low exponent protocol failure (2) salvaging Never send exactly the same message
25 Other attacks (1) GCD attack Franklin and Reiter Coopersmith, Franklin and Patarin (Eurocrypt ’ 96)
26 Other attacks (2) The Wiener ’ s attack Wiener pointed out that if the secret key d was chosen too small, then it might be recovered
27 Constraints of RSA Key Requirement Key size in the range of 1024 to 2018 bits p and q should differ in length by only a few digits. Thus, both p and q should be on the order of to Both (p-1) and (q-1) should contain a large prime factor gcd(p-1,q-1) should be small
28 Factorization Techniques Fermat Factorization Monte Carlo Factorization The Pollard p-1 method of Factorization [239]
29 Fermat Factorization (1)
30 Fermat Factorization (2)
31 Fermat Factorization (3) Example
32 Monte Carlo Factorization (1)
33 Monte Carlo Factorization (2)
34 Monte Carlo Factorization (3) Example [1]
35 Monte Carlo Factorization (4) Example [2]
36 The Pollard p-1 method of Factorization (1)
37 The Pollard p-1 method of Factorization (2) Example
38 Optimal Asymmetric Encryption Padding (OAEP) Page 508 RSA-OAEP & Rabin-OAEP The plaintext message encrypted inside the RSA- OAEP scheme can have a length up to 84% of the length of the modulus. PKCS#1, IEEE P1363 & SET
39 Optimal Asymmetric Encryption Padding (OAEP) RSA-OAEP (page 503)
40 OAEP — Mixing of different algebraic structures
41 RSA-OAEP Algorithm (1) Page 324
42 RSA-OAEP Algorithm (2)
43 RSA-OAEP Algorithm (3)
44 OAEP Property Plaintext Randomization A padding scheme like OAEP has a random input value which adds the randomness to the distribution of the padding result. Data Integrity Protection Provides the decryption end with a mechanism to check data integrity.