Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.

Published byTrevor West Modified over 9 years ago

Similar presentations

Presentation on theme: "Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh

2 Dan Boneh Review: trapdoor permutations Three algorithms: (G, F, F -1 ) G: outputs pk, sk. pk defines a function F(pk,  ): X  X F(pk, x): evaluates the function at x F -1 (sk, y): inverts the function at y using sk Secure trapdoor permutation: The function F(pk,  ) is one-way without the trapdoor sk

3 Dan Boneh Review: arithmetic mod composites Let N = p  q where p,q are prime Z N = {0,1,2,…,N-1} ; (Z N ) * = {invertible elements in Z N } Facts: x  Z N is invertible  gcd(x,N) = 1 – Number of elements in (Z N ) * is  (N) = (p-1)(q-1) = N-p-q+1 Euler’s thm:  x  (Z N ) * : x  (N) = 1

4 Dan Boneh The RSA trapdoor permutation First published: Scientific American, Aug. 1977. Very widely used: – SSL/TLS: certificates and key-exchange – Secure e-mail and file systems … many others

5 Dan Boneh The RSA trapdoor permutation G():choose random primes p,q  1024 bits. Set N=pq. choose integers e, d s.t. e ⋅ d = 1 (mod  (N) ) output pk = (N, e), sk = (N, d) F -1 ( sk, y) = y d ; y d = RSA(x) d = x ed = x k  (N)+ 1 = ( x  (N) ) k  x = x F( pk, x ): ; RSA(x) = x e (in Z N )

6 Dan Boneh The RSA assumption RSA assumption: RSA is one-way permutation For all efficient algs. A: Pr [ A(N,e,y) = y 1/e ] < negligible where p,q  n-bit primes, N  pq, y  Z N * R R

7 Dan Boneh Review: RSA pub-key encryption (ISO std) (E s, D s ): symmetric enc. scheme providing auth. encryption. H: Z N  K where K is key space of (E s,D s ) G(): generate RSA params: pk = (N,e), sk = (N,d) E(pk, m):(1) choose random x in Z N (2) y  RSA(x) = x e, k  H(x) (3) output (y, E s (k,m) ) D(sk, (y, c) ): output D s ( H ( RSA -1 (y) ), c )

8 Dan Boneh Textbook RSA is insecure Textbook RSA encryption: – public key: (N,e)Encrypt: c m e (in Z N ) – secret key: (N,d)Decrypt: c d m Insecure cryptosystem !! – Is not semantically secure and many attacks exist ⇒ The RSA trapdoor permutation is not an encryption scheme !

9 Dan Boneh A simple attack on textbook RSA Suppose k is 64 bits: k  {0,…,2 64 }. Eve sees: c= k e in Z N If k = k 1  k 2 where k 1, k 2 < 2 34 (prob.  20%) then c/k 1 e = k 2 e in Z N Step 1: build table: c/1 e, c/2 e, c/3 e, …, c/2 34e. time: 2 34 Step 2: for k 2 = 0,…, 2 34 test if k 2 e is in table. time: 2 34 Output matching (k 1, k 2 ). Total attack time:  2 40 << 2 64 Web Browser Web Server CLIENT HELLO SERVER HELLO (e,N) d c=RSA(k) random session-key k

10 Dan Boneh End of Segment

Download ppt "Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Lecture 8 Public-Key Encryption I Stefan Dziembowski www.dziembowski.net MIM UW 23.11.12ver 1.0.

Lecture 8 Public-Key Encryption I Stefan Dziembowski MIM UW ver 1.0.
Data encryption with big prime numbers

Data encryption with big prime numbers
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.

Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem

RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
Identity Based Encryption

Identity Based Encryption
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.

Dan Boneh Intro. Number Theory Modular e’th roots Online Cryptography Course Dan Boneh.

Similar presentations

Ads by Google