Presentation is loading. Please wait.

Presentation is loading. Please wait.

The RSA Cryptosystem Dan Boneh Stanford University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "The RSA Cryptosystem Dan Boneh Stanford University."— Presentation transcript:

1 The RSA Cryptosystem Dan Boneh Stanford University

2 Page 2 The RSA cryptosystem  First published: Scientific American, Aug. 1977. (after some censorship entanglements)  Currently the “work horse” of Internet security: Most Public Key Infrastructure (PKI) products. SSL/TLS: Certificates and key-exchange. Secure e-mail: PGP, Outlook, …

3 Page 3 The RSA trapdoor 1-to-1 function  Parameters: N=pq. N  1024 bits. p,q  512 bits. e – encryption exponent. gcd(e,  (N) ) = 1.  1-to-1 function: RSA(M) = M e (mod N) where M  Z N *  Trapdoor: d – decryption exponent. Where e  d = 1 (mod  (N) )  Inversion: RSA(M) d = M ed = M k  ( N )+ 1 = M (mod N)  (n,e,t,  )-RSA Assumption: For any t-time alg. A: Pr [ A(N,e,x) = x 1/e (N) : ] <  p,q  n-bit primes, N  pq, x  Z N * R R

4 Page 4 Textbook RSA is insecure  Textbook RSA encryption: public key: (N,e)Encrypt: C = M e (mod N) private key: dDecrypt: C d = M (mod N) (M  Z N * )  Completely insecure cryptosystem: Does not satisfy basic definitions of security. Many attacks exist.  The RSA trapdoor permutation is not a cryptosystem !

5 Page 5 A simple attack on textbook RSA  Session-key K is 64 bits. View K  {0,…,2 64 } Eavesdropper sees: C = K e (mod N).  Suppose K = K 1  K 2 where K 1, K 2 < 2 34. (prob.  20%) Then: C/K 1 e = K 2 e (mod N)  Build table: C/1 e, C/2 e, C/3 e, …, C/2 34e. time: 2 34 For K 2 = 0,…, 2 34 test if K 2 e is in table. time: 2 34  34  Attack time:  2 40 << 2 64 Web Browser Web Server CLIENT HELLO SERVER HELLO (e,N) d C=RSA(K) Rando m session- key K

6 Page 6 Common RSA encryption  Never use textbook RSA.  RSA in practice:  Main question: How should the preprocessing be done? Can we argue about security of resulting system? msg Preprocessing ciphertext RSA

7 Page 7 PKCS1 V1.5  PKCS1 mode 2:(encryption)  Resulting value is RSA encrypted.  Widely deployed in web servers and browsers.  No security analysis !! 02random padFFmsg 1024 bits 16 bits

8 Page 8 Attack on PKCS1  Bleichenbacher 98. Chosen-ciphertext attack.  PKCS1 used in SSL:  attacker can test if 16 MSBs of plaintext = ’02’.  Attack: to decrypt a given ciphertext C do: Pick random r  Z N. Compute C’ = r e  C = (rM) e. Send C’ to web server and use response. Attacker Web Server d Is this PKCS1? ciphertext C= C Yes: continue No: error 02

9 Page 9 Chosen ciphertext security (CCS)  No efficient attacker can win the following game: (with non-negligible advantage) AttackerChallenger M 0, M 1 b’  Attacker wins if b=b’ C=E(M b ) b  R  Challenge Decryption oracle CC

10 Page 10 PKCS1 V2.0 - OAEP  New preprocessing function: OAEP (BR94).  Thm: RSA is trap-door permutation  OAEP is CCS when H,G are “random oracles”.  In practice: use SHA-1 or MD5 for H and G. H + G + Plaintext to encryptwith RSA rand.M0100..0 Check pad on decryption. Reject CT if invalid.  {0,1} n-1

11 Page 11 OAEP Improvements  OAEP+: (Shoup’01)  trap-door permutation F F-OAEP+ is CCS when H,G,W are “random oracles”.  SAEP+: (B’01) RSA trap-door perm  RSA-SAEP+ is CCS when H,W are “random oracle”. R H + G + MW(M,R)R H + M

12 Page 12 Subtleties in implementing OAEP [M ’00] OAEP- decrypt(C) { error = 0; if ( RSA -1 (C) > 2 n-1 ) { error =1; goto exit; } if ( pad(OAEP -1 (RSA -1 (C))) != “01000” ) { error = 1; goto exit; } }  Problem:timing information leaks type of error.  Attacker can decrypt any ciphertext C.  Lesson: Don’t implement RSA-OAEP yourself …

13 Part II: Is RSA a One-Way Function?

14 Page 14 Is RSA a one-way permutation?  To invert the RSA one-way function (without d) attacker must compute: M from C = M e (mod N).  How hard is computing e’th roots modulo N ??  Best known algorithm: Step 1: factor N. (hard) Step 2: Find e’th roots modulo p and q. (easy)

15 Page 15 Shortcuts?  Must one factor N in order to compute e’th roots? Exists shortcut for breaking RSA without factoring?  To prove no shortcut exists show a reduction: Efficient algorithm for e’th roots mod N  efficient algorithm for factoring N. Oldest problem in public key cryptography.  Evidence no reduction exists: (BV’98) “Algebraic” reduction  factoring is easy. Unlike Diffie-Hellman ( Maurer’94 ).

16 Page 16 Improving RSA’s performance  To speed up RSA decryption use small private key d.C d = M (mod N) Wiener87:if d < N 0.25 then RSA is insecure. BD’98:if d < N 0.292 then RSA is insecure (open: d < N 0.5 ) Insecure: priv. key d can be found from (N,e). Small d should never be used.

17 Page 17 Wiener’s attack  Recall:e  d = 1 (mod  (N) )  k  Z : e  d = k  (N) + 1   (N) = N-p-q+1  |N-  (N)|  p+q  3  N d  N 0.25 /3  Continued fraction expansion of e/N gives k/d. e  d = 1 (mod k)  gcd(d,k)=1 e  (N) k dk d -  1 d  (N) e Ne N k dk d -  1 2d 2

18 Page 18 RSA With Low public exponent  To speed up RSA encryption (and sig. verify) use a small e.C = M e (mod N)  Minimal value: e=3( gcd(e,  (N) ) = 1)  Recommended value: e=65537=2 16 +1 Encryption: 17 mod. multiplies.  Several weak attacks. Non known on RSA-OAEP.  Asymmetry of RSA: fast enc. / slow dec. ElGamal: approx. same time for both.

19 Page 19 Implementation attacks  Attack the implementation of RSA.  Timing attack: (Kocher 97) The time it takes to compute C d (mod N) can expose d.  Power attack: (Kocher 99) The power consumption of a smartcard while it is computing C d (mod N) can expose d.  Faults attack: (BDL 97) A computer error during C d (mod N) can expose d. OpenSSL defense: check output. 5% slowdown.

20 Page 20 Key lengths  Security of public key system should be comparable to security of block cipher. NIST: Cipher key-sizeModulus size  64 bits 512 bits. 80 bits 1024 bits 128 bits 3072 bits. 256 bits (AES)15360 bits  High security  very large moduli. Not necessary with Elliptic Curve Cryptography.

Download ppt "The RSA Cryptosystem Dan Boneh Stanford University."

Similar presentations

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.

1 Introduction to Information Security , Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.
CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.

CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.
C HAPTER 13 Asymmetric Key Cryptography Slides adapted from Foundations of Security: What Every Programmer Needs To Know by Neil Daswani, Christoph Kern,

C HAPTER 13 Asymmetric Key Cryptography Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern,

Similar presentations

Ads by Google