RSA CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk RSA

RSA
• First successful public key system (Rivest, Shamir, Adleman, 1977).
• Q: Would a DH-like PKC as x^e mod p work?
• RSA:
  • Alice chooses large primes p, q; n = pq.
  • e, such that gcd(e, φ(n)) = 1.
  • d = e^(-1) mod φ(n)
  • n, e public. d is the private key.
  • Encryption: E(x) = x^e mod n
  • Decryption: D(x) = x^d mod n

RSA Encryption
Encryption: y = E(x) = x^e mod n, Decryption: D(y) = y^d mod n.
Why does it work?
D(y) = (x^e)^d mod n
     = x^(ed) mod n
     = x^(kφ(n) + 1) mod n, for some k
     = (x^φ(n))^k · x mod n
     = x, if x ∈ Zn* (what if not?)

Generation of RSA Parameters
• p, q can be generated randomly.
• φ(n) = (p – 1)(q – 1)
• Choosing e, gcd(e, φ(n)) = 1:
  • Take e to be a prime.
  • Generate p, q, such that e ∤ (p – 1), e ∤ (q – 1).
• Compute d = e^(-1) mod φ(n) by ext. Euclid's.
• Popular: e = 3, e = 65537.
• Randomness of d: due to n.

Security of RSA
• Based on difficulty of factoring large integers.
• NFS: e^((1.923 + O(1)) (ln n)^(1/3) (ln ln n)^(2/3)) (btw, factoring is reducible to DLP in Zp*)
• Computing d is equivalent to factoring n. (i.e., given d and e, one can find p and q.)
• RSA problem: Given n, e, x^e mod n, what is x? (conjecture: It is equivalent to factoring n.)
• Bit Security of RSA: Computing LSB(x) is equivalent to computing the whole x.

Signing with RSA
Signature: y = S(x) = x^d mod n
Verification: y^e mod n = x ?
Some problems:
• "Existential Forgery": x = y^e mod n (solution?)
• Distributiveness: Given (x1, S(x1)), (x2, S(x2)), attacker can compute: S(x1·x2) = S(x1)·S(x2).
• Or, similarly, S(x1/x2) or any S(x1^i · x2^j) can be computed.
• "Smooth numbers" threat: This may be significant when messages to be signed are small. (solution?)

Optimizing RSA Private Key Op.s
• Instead of x^d mod n, compute x^d mod p and x^d mod q, and obtain x^d mod n by the CRT.
• For d_p = d mod (p – 1), d_q = d mod (q – 1),
  x^d ≡ x^(d_p) (mod p)
  x^d ≡ x^(d_q) (mod q)
  hence, halving the size of the modulus & the exponents.
• Approximately 2-3 times speedup.
• Q: Can this be utilized for the public key operations as well?

e = 3 Issues
Cube root problem:
• Encryption: If a small msg (i.e. x < n^(1/3)) is encrypted, attacker can solve x from x^3 mod n.
• Signature: If short msg.s are padded randomly at LSBs, attacker can sign any short msg x:
  • attacker pads x with 0s on the LSBs,
  • computes its cube root,
  • rounds up to the nearest integer r,
  • takes the padded message as r^3.

e = 3 Issues (cont.)
Broadcast problem:
• Bob, Bart, Bert all use e = 3 with mods n1, n2, n3.
• Alice sends the same message x to all:
  x^3 mod n1
  x^3 mod n2
  x^3 mod n3
• Eve computes y = x^3 mod n1·n2·n3 by the CRT.
• Which is y = x^3, since x < n1, n2, n3, and x is the cube root of y.

PKCS Solutions (RSA Labs)
Encryption: (PKCS #1 v1.5, RFC 2313)
Block layout: 0 (1 byte) | 2 (1 byte) | random non-zero octets (≥ 8 bytes) | 0 (1 byte) | data
• first 0: to guarantee x < n
• 2: indicates encryption
• second 0: indicates end of padding
Protects against:
• guessable message attacks (e.g., a yes/no message)
• cube root problem, for e = 3
• broadcast problem, for e = 3
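
An added example (not part of the original slides) that puts textbook e = 3 encryption beside the PKCS #1 v1.5 encryption block described above: the short unpadded message is recovered by a plain integer cube root, the padded one is not, and padding also makes repeated encryptions of the same message differ. The key is a constructed demo key and all function names are assumptions made for illustration.

```python
import secrets

# Constructed demo key (assumption, not from the slides): the Curve448 and
# NIST P-384 field primes, both = 2 mod 3, so gcd(3, phi(n)) = 1.
# Special-form primes like these must never be used for a real RSA key.
P = 2**448 - 2**224 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))   # d = e^(-1) mod phi(n)
K = (N.bit_length() + 7) // 8       # modulus length in bytes

def icbrt(y):
    """Largest integer r with r**3 <= y (binary search, no key needed)."""
    lo, hi = 0, 1 << (y.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**3 <= y:
            lo = mid
        else:
            hi = mid - 1
    return lo

def pad_v15(data):
    """Build 00 02 || random non-zero octets (>= 8) || 00 || data."""
    ps_len = K - 3 - len(data)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + data

def unpad_v15(block):
    """Demo parser only: a production check must not reveal why it failed."""
    sep = block.find(b"\x00", 2)
    if len(block) != K or block[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad padding")
    return block[sep + 1:]

def encrypt_textbook(data):
    return pow(int.from_bytes(data, "big"), E, N)

def encrypt_padded(data):
    return pow(int.from_bytes(pad_v15(data), "big"), E, N)

def decrypt_padded(c):
    return unpad_v15(pow(c, D, N).to_bytes(K, "big"))

def cube_root_recovers(c, data):
    """True if the integer cube root of ciphertext c is the message itself."""
    return icbrt(c) == int.from_bytes(data, "big")
```

With the message `b"yes"`, x^3 is far smaller than n, so the textbook ciphertext is just x^3 over the integers; the padded block starts with 00 02 and is nearly as long as n, so its cube wraps around the modulus.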

PKCS (cont.)
Signature: (PKCS #1 v1.5)
Block layout: 0 (1 byte) | 1 (1 byte) | octets of (ff)16 (≥ 8 bytes) | 0 (1 byte) | hash type & hash
• Why not random padding?
• Why include the hash type?

PKCS v2
Encryption: Optimal Asymmetric Encryption Padding (OAEP)
• Bellare & Rogaway, 1994. Adopted for PKCS #1 v2 (RFC 3447).
• Message m, padded with 0s and random r, passes through a Feistel-like structure and is then encrypted with RSA.
• Padding is provably secure assuming that hash functions G & H behave randomly.

PKCS v2 (cont.)
Signature: Probabilistic Signature Scheme (PSS)
• Bellare & Rogaway, 1996.
• Provably secure (~OAEP) assuming hash functions produce random outputs. ("Random oracle" assumption)
• Adopted for PKCS #1 v2.1.