1. CS470, A.SelcukRSA1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk

2. CS470, A.SelcukRSA2 First successful public key system (Rivest, Shamir, Adleman, 1977). Q: Would a DH-like PKC as x e mod p work? RSA: –Alice chooses large primes p, q; n = pq. –e, such that gcd(e,  (n)) = 1. –d = e -1 mod  (n) –n, e public. d is the private key. –Encryption: E(x) = x e mod n Decryption: D(x) = x d mod n

3. CS470, A.SelcukRSA3 RSA Encryption Encryption: y = E(x) = x e mod n, Decryption: D(y) = y d mod n. Why does it work? D(y) = (x e ) d mod n = x ed mod n = x k  (n) + 1 mod n, for some k = (x  (n) ) k x mod n = x, if x  Z n * (what if not?)

4. CS470, A.SelcukRSA4 Generation of RSA Parameters p, q can be generated randomly.  (n) = (p-1)(q-1) choosing e, gcd(e,  (n)) = 1: –Take e to be a prime. –Generate p, q, such that e ∤ (p – 1), e ∤ (q – 1). Compute d = e -1 mod  (n) by ext. Euclid’s. Popular: e = 3, e = 65537. Randomness of d: due to n.

5. CS470, A.SelcukRSA5 Security of RSA Based on difficulty of factoring large integers. NFS: e (1.923 + O(1)) ((ln n)^(1/3)) ((ln ln n)^(2/3)) (btw, factoring is reducible to DLP in Z p * ) Computing d is equivalent to factoring n. (i.e., given d and e, one can find p and q.) RSA problem: Given n, e, x e mod n, what is x? (conjecture: It is equivalent to factoring n.) Bit Security of RSA: Computing LSB(x) is equivalent to computing the whole x.

6. CS470, A.SelcukRSA6 Signing with RSA Signature:y = S(x) = x d mod n Verification:y e mod n = x ? Some problems: “Existential Forgery”: x = y e mod n (solution?) Distributiveness: Given (x 1,S(x 1 )), (x 2,S(x 2 )), attacker can compute: S(x 1 x 2 ) = S(x 1 )S(x 2 ). Or, similarly, S(x 1 /x 2 ) or any S(x 1 i x 2 j ) can be computed. “Smooth numbers” threat: This may be significant when messages to be signed are small. (solution?)

7. CS470, A.SelcukRSA7 Optimizing RSA Private Key Op.s Instead of x d mod n, compute x d mod p x d mod q and obtain x d mod n by the CRT. For d p = d mod (p – 1), d q = d mod (q – 1), x d ≡ x d p (mod p) x d ≡ x d q (mod q) hence, halving the size of the modulus & the exponents. Approximately 2-3 times speedup. Q: Can this be utilized for the public key operations as well?

8. CS470, A.SelcukRSA8 e = 3 Issues Cube root problem: Encryption: If a small msg (i.e. x < n 1/3 ) is encrypted, attacker can solve x from x 3 mod n. Signature: If short msg.s are padded randomly at LSBs, attacker can sign any short msg x: –attacker pads x with 0s on the LSBs, –computes its cube root, –rounds up to the nearest integer r, –take the padded message as r 3.

9. CS470, A.SelcukRSA9 e = 3 Issues (cont.) Broadcast problem: Bob, Bart, Bert all use e = 3 with mods n 1, n 2, n 3. Alice sends the same message x to all: x 3 mod n 1 x 3 mod n 2 x 3 mod n 3 Eve computes y = x 3 mod n 1 n 2 n 3 by the CRT. Which is y = x 3, since x < n 1, n 2, n 3, and x is the cube root of y.

10. CS470, A.SelcukRSA10 PKCS Solutions (RSA Labs) Encryption: (PKCS #1 v1.5, RFC 2313) first 0: to guarantee x < n 2: indicates encryption second 0: indicates end of padding Protects against: guessable message attacks (e.g., a yes/no message) cube root problem, for e = 3 broadcast problem, for e = 3 random non-zero octets020data 1 byte each 1 byte≥ 8 bytes

11. CS470, A.SelcukRSA11 PKCS (cont.) Signature: (PKCS #1 v1.5) Why not random padding? Why include the hash type? octets of (ff) 16 010hash type & hash 1 byte each 1 byte≥ 8 bytes

12. CS470, A.SelcukRSA12 PKCS v2 Encryption: Optimal Asymmetric Encryption Padding (OAEP) Bellare & Rogaway, 1994. Adopted for PKCS #1 v2 (RFC 3447). Message m, padded with 0s and random r, passes through a Feistel-like structure and is then encrypted with RSA. Padding is provably secure assuming that hash fnc. G & H behave randomly.

13. CS470, A.SelcukRSA13 PKCS v2 (cont.) Signature: Probabilistic Signature Scheme (PSS) Bellare & Rogaway, 1996. Provably secure (~OAEP) assuming hash functions produce random outputs. (“Random oracle” assumption) Adopted for PKCS #1 v2.1.