Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 5-6 The RSA and Rabin Algorithms. The possibility of the public key cryptosystem was first publicly suggested by Diffie and Hellman. However,

Published byDerick Hopkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 5-6 The RSA and Rabin Algorithms. The possibility of the public key cryptosystem was first publicly suggested by Diffie and Hellman. However,"— Presentation transcript:

1 Lecture 5-6 The RSA and Rabin Algorithms

2 The possibility of the public key cryptosystem was first publicly suggested by Diffie and Hellman. However, they did not present a practical implementation. In next few years, several methods were proposed. The most successful, based on the idea that factorization of integers into their prime factors is hard, was proposed by Rivest, Shamir, and Adleman in 1977 and is known as the RSA algorithm.

3 Although the cryptanalysis neither proved nor disproved RSA ’ s security, it does suggest a confidence level in the algorithm. Rabin developed a public-key cryptosystem based on the difficulty of computing a square root modulo a composite integer. Rabin ’ s work has a theoretic importance, since the security of the Rabin cryptosystem is exactly the intractability of the integer factorization problem.

4 The primary objective of an adversary who wishes to ‘ attack ’ a public-key encryption scheme is to systematically recover plaintext from ciphertext intended for some other entity. If this is achieved, the encryption scheme is informally said to have been broken. A more ambitious objective is key private recovery. A considerable attack is a chosen-ciphertext attack where an adversary selects ciphertext of its choice, and then obtains by some means the corresponding plaintext. (1) The (indifferent) chosen-ciphertext attack. (2) The adaptive chosen-ciphertext attack.

5 The public-key encryption schemes described in this lecture that there is a means for the sender of a message to obtain an authentic copy of the intended receiver ’ s public key. There are many techniques in practice by which authentic public keys can be distributed, including exchanging keys over a trusted channel, using a trusted public file, using an on-line trusted server, and using an off-line server and certificates.

6 Some of the public-key encryption schemes described in this lecture assume that the message to be encrypted is, at most, some fixed size (bit-length). Plaintext messages longer than this maximum must be broken into blocks, each of the appropriate size. To provide protection against manipulation (e.g., re-ordering) of the blocks, the Cipher Block Chaining (CBC) mode may be used.

7 Outline  RSA Encryption Algorithm  Implementation of RSA Encryption  Security of RSA Encryption  RSA Encryption in Practice  Rabin Encryption Algorithm  Implementation of Rabin Encryption  Security of Rabin Encryption  Summary of Public Key Encryption

8 1 RSA Encryption Algorithm 1.1 Description

9 1.1 Description (Continued)

10

11

12

13 1.2 Example

14 2 Implementation of RSA Encryption 2.1 Primality Testing It might be surprising, but factorization and primality testing are not the same. It is much easier to prove a number is composite than it is to factor it. There are many large integers that are known to be composite but that have not been factored.

15 2.1 Primality Testing (Continued)

16 2.2 Modular Exponentiation

17 3 Security of RSA Encryption 3.1 Security Parameters , d  p, q

18 3.1 Security Parameters , d  p, q (Continued)

19 3.2 Relation to Factoring

20 3.2.1 Exponent Factorization Method

21 3.2.1 Exponent Factorization Method (Continued)

22

23

24 3.2.2 Pollard ’ s p  1 Algorithm

25 3.2.2 Pollard ’ s p  1 Algorithm (Continued)

26

27

28 3.2.3 Quadratic Sieve

29 3.2.3 Quadratic Sieve (Continued)

30 3.2.4 Advance in Factoring

31 3.3 Small Encryption Exponent e

32 3.3 Small Encryption Exponent e (Continued)

33 3.4 Small Decryption Exponent d

34 3.5 Multiplicative Properties

35 3.5 Multiplicative Properties (Continued)

36

37 3.6 Common Modulus Attack

38 3.7 Partial Key Exposure Attacks

39 3.7 Partial Key Exposure Attacks (Continued)

40 3.8 Cycling Attacks

41 3.8 Cycling Attacks (Continued)

42

43 3.9 Message Concealing

44 3.9 Message Concealing (Continued)

45 3.10 Forward Search Attack

46 3.11 RSA-OAEP

47 3.11 RSA-OAEP (Continued)

48

49 3.12 Timing Attacks The implementation of a cryptographic algorithm can have weaknesses that were unanticipated by the designers of the algorithm. Adversaries can exploit these weaknesses to circumvent the security of the underlying cryptographic algorithm. Attacks on the implementations of cryptographic systems are a great concern to operators and users of secure systems.

50 3.12 Timing Attacks (Continued) Implementation attacks include timing attacks, power analysis attacks, fault insertion attacks, and electromagnetic emission attacks. We refer to them as side-channel attacks. The term side- channel is used to describe the leakage of unintended information from a supposedly tamper-resistant device, such as a smartcard.

51 3.12 Timing Attacks (Continued) In a timing attacks the side-channel is the device ’ s time required to perform private key operations. An adversary can carefully measure the operation of time of a vulnerable system to learn the secrets contained inside the device and break the entire system ’ s security. Actual systems are potentially at risk, including cryptographic tokens, network- based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements.

52 3.12 Timing Attacks (Continued) Assumption environment. The adversary can observe the system decrypts several ciphertexts g. He also knows the hardware being used to calculate and can use this information to calculate the computation times for various steps that potentially occur in the process. In addition, let g d (mod n) is computed by the Algorithm 4.

53 3.12 Timing Attacks (Continued)

54

55

56

57 4 RSA Encryption in Practice 4.1 Recommended Size of Modulus Given the latest progress in algorithms for factoring integers, special number field sieve factoring algorithms, a modulus n of at least 1024 bits is recommended. For long term security, 2048-bit or larger moduli should be used.

58 4.2 Selecting Primes (1) The primes p and q should be selected so that factoring n = p  q is computationally infeasible. The major restriction on p and q in order to avoid the elliptic curve factoring algorithm is that p and q should be about the same bit-length, and sufficiently large. For example, if a 1024-bit modulus n is to be used, then each of p and q should be about 512 bits in length.

59 4.2 Selecting Primes (Continued) (2) Another restriction on the primes p and q is that the difference p  q should not be too small. If p and q are chosen at random, then p  q will be appropriately large with overwhelming probability.

60 4.2 Selecting Primes (Continued) (3) Many authors have recommended that p and q be strong primes. A prime p is said to be a strong prime if the following three conditions are satisfied: * p  1 has a large prime factor, denoted r; ** p+1 has a large prime factor; *** r  1 has a large prime factor.

61 The reason for the first condition is to foil Pollard ’ s p  1 factoring algorithm which is efficient only if n has a prime factor p such that p  1 is smooth. The second condition foils the p  1 factoring algorithm, which is efficient only if n has a prime factor p such that p  1 is smooth. Finally, the third condition ensures that the cycling attacks will fail.

62 If the prime p is randomly chosen and is sufficiently large, then both p  1 and p+1 can be expected to have large prime factors. Additionally, it has been shown that the chances of a cycling attack succeeding are negligible if p and q are randomly chosen. Thus, strong primes offer little protection beyond that offered by random primes. Given the current state of knowledge of factoring algorithms, there is no compelling reason for requiring the use of strong primes in RSA key generation. On the other hand, they require only minimal additional running time to compute. Thus there is little real additional cost in using them.

63 4.3 Exponents (1) If the encryption exponent e is chosen at random, then RSA encryption using the Algorithm 4 takes k modular squarings and an expected k/2 modular multiplications, where k is the bit-length of the modulus n. Encryption can be sped up by selecting e to be small and/or by selecting e with a small number of 1 ’ s in its binary representation.

64 (2) The encryption exponent e=3 is commonly used in practice. In this case, it is necessary that neither p  1 nor q  1 be divisible by 3. This results in a very fast encryption operation since encryption only requires 1 multiplication and 1 squaring. Another encryption exponent used in practice is e=2 16 +1=65537. This number has only two 1 ’ s in its binary representation, and so encryption using the Algorithm 4 requires only 16 squarings and 1 multiplication. The encryption exponent e=2 16 +1 has the advantage over e=3, since it is unlikely the same message will be sent to 2 16 +1 recipients.

65 (3) Due to small decryption exponent attack, it requires the secret exponent d >n 0.292. Although Boneh and Durfee cannot state their attack as a theorem, since they cannot prove that it always succeeds. But experiments that they carried out demonstrate its effectiveness. They were not able to find a single example where the attack fails.

66 5 Rabin Encryption Algorithm 5.1 Description

67 5.1 Description (Continued)

68

69

70

71

72 6 Implementation of Rabin Encryption 6.1 Finding Square Roots

73 6.2 About Efficiency Rabin encryption is an extremely fast operation as it only involves a single modular squaring. By comparison, RSA encryption with e=3 takes one modular multiplication and one modular squaring. Rabin decryption is slower than encryption, but comparable in speed to RSA decryption.

74 6.3 Redundancy Problem A drawback of the Rabin public-key scheme is that the receiver is faced with the task of selecting the correct plaintext from among four possibilities. This ambiguity in decryption can easily be overcome in practice by adding pre- specified redundancy to the original plaintext prior to encryption. (For example, the last 64 bits of the message may be replicated.) Then, with high probability, exactly one of the four square roots of a legitimate ciphertext will possess this redundancy. If none of the square roots possesses this redundancy, then the receiver should reject the ciphertext as fraudulent.

75 (1) The Rabin public-key encryption scheme is susceptible to attacks similar to those on RSA described about small encryption exponent and forward search problems. It can be circumvented by salting the plaintext message. 7 Security of Rabin Encryption

76 (2) The task faced by a passive adversary is to recover plaintext m from the corresponding ciphertext c. This is precisely the SQROOT problem. The problems of factoring n and computing square roots modulo n are computationally equivalent. Hence, assuming that factoring n is computationally intractable, the Rabin public-key encryption scheme is provably secure against a passive adversary.

77 Justification. Suppose that one has a polynomial- time algorithm R for solving the SQROOT problem. This algorithm can then be used to factor a given composite integer n as follows. Select an integer x at random with gcd(x, n)=1, and compute a  x 2 (mod n). Next, algorithm R is run with inputs a and n, and a square root y of a modulo n is returned. If y  x (mod n), then the trial fails, and the above procedure is repeated with a new x chosen at random. Otherwise, then gcd(x  y, n) is guaranteed to be a non-trivial factor of n, namely, p or q. Since a has four square roots modulo n, the probability of success for each attempt is 1/2.

78 (3) While secure against an active adversary, the Rabin public-key encryption scheme succumbs to a chosen-ciphertext attack. Such an attack can be mounted as follows. The adversary selects a random integer m and computes c  m 2 (mod n). The adversary then presents c to A ’ s decryption machine, which decrypts c and returns some plaintext y. Since A does not know m, and m is randomly chosen, the plaintext y is not necessarily the same as m. With probability 1/2, y is not equal to  m (mod n), in which case gcd(m  y, n) is one of the prime factors of n. Otherwise, then the attack is repeated with a new m.

79 (4) If redundancy is used as above, the Rabin public-key encryption scheme is no longer susceptible to the chosen ciphertext attack. If an adversary selects a message m having the required redundancy and gives c  m 2 (mod n) to A's decryption machine, with very high probability the machine will return the plaintext m itself to the adversary (since the other three square roots of c will most likely not contain the required redundancy), providing no new information.

80 (4) (Continued) On the other hand, if the adversary selects a message m which does not contain the required redundancy, then with high probability none of the four square roots will possess the required redundancy. In this case, the decryption machine will fail to decrypt c and thus will not provide a response to the adversary. Hence, Rabin public-key encryption, suitably modified by adding redundancy, is of great practical interest.

81 8 Summary of Public Key Encryption 8.1 Requirements for Public Key Encryption In a public key system, the message set M, the key set K, and the encryption/decryption function E/D, must satisfy the following requirements: (1) E k (D k (m))=m and D k (E k (m))=m for every m  M. (2) For every m and every k, the values of E k (m) and D k (m) are easy to compute.

82 8.1 Requirements for Public Key Encryption (Continued) (3) For almost every k  K, if someone knows only the function E k, it is computationally infeasible to find an algorithm to compute D k. (4) Given k  K, it is easy to find the functions E k and D k.

83 8.1 Requirements for Public Key Encryption (Continued)

84 8.2 About Authentication and Non-Repudiation (1) In a symmetric system, authentication is easy but non-repudiation is not. (2) In an asymmetric system, authentication and non-repudiation are not. However, the goals are easily accomplished. For example, compute and send the message E kb (S ka (m))= E kb (D ka (m)) for the RSA algorithm.

85 8.3 Trapdoor Functions and Collections

86 8.3 Trapdoor Functions and Collections (Continued)

87 Thank you !

Download ppt "Lecture 5-6 The RSA and Rabin Algorithms. The possibility of the public key cryptosystem was first publicly suggested by Diffie and Hellman. However,"

Similar presentations

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
7. Asymmetric encryption-

7. Asymmetric encryption-
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.

1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.
Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.

Cryptography and Network Security Chapter 9. Chapter 9 – Public Key Cryptography and RSA Every Egyptian received two names, which were known respectively.
Public Key Cryptography and the RSA Algorithm

Public Key Cryptography and the RSA Algorithm
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.

Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.

Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Lecture 6: Public Key Cryptography

Lecture 6: Public Key Cryptography
Introduction to Public Key Cryptography

Introduction to Public Key Cryptography
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.

Similar presentations

Ads by Google