RSA cryptosystem

(1)

Topics in Algebra: Cryptography

Univ.-Prof. Dr. Goulnara ARZHANTSEVA

WS 2019

(2)

Cryptography: Overview

Cryptography

I Past: Diffie–Hellman (1976) andRivest-Shamir-Adleman(1977)

II Nowadays: Blockchain ([1991], 2008)

III Future: Quantum ([1927, 1982], 1983) and Post-quantum cryptography (1994,1996)

(3)

RSA cryptosystem

Definition: RSA cryptosystem

Letn=pq, wherep,qare primes. LetP =C=Z/nZand K ={(n,p,q,d,e) : de= 1 mod φ(n)}

Fork = (n,p,q,d,e), we define

E_k(x) =x^e mod n and D_k(c) =c^d modn.

Public-key is (n,e) and private-key is (p,q,d).

Here,x is a plaintext.

Euler’s functionφ(n) = the number of positive integers less thannand relatively prime ton.

(4)

RSA cryptosystem

Encryption and decryption are inverse operations.

n=pq ⇒φ(n) = (p−1)(q−1)

We have thatde= 1 mod φ(n), i.e. de=tφ(n) + 1 for somet ∈Z.

(1) Suppose thatx ∈(Z/nZ)^×, then

(x^e)^d =x^tφ(n)+1 modn= (x^φ(n))^tx modn= 1^tx mod n=x modn.

(2) Ifx 6∈(Z/nZ)^×, thenx = 0 modporx = 0 modq.

Ifx = 0 mod p, then (x^e)^d = 0 mod pas well. If the same holds for mod qwe are done by the Chinese remainder theorem.

Otherwise,x 6= 0 mod q. Then, byFermat’s little theorem,

(x^e)^d =x^ed−1x =x^t^{(p−1)(q−1)}x = (x^q−1)^t^(p−1)x=1^t^(p−1)x modq=x mod q.We conclude by the Chinese remainder theorem.

(5)

RSA cryptosystem

n=pq ⇒φ(n) = (p−1)(q−1)

We have thatde= 1 mod φ(n), i.e. de=tφ(n) + 1 for somet ∈Z. (1) Suppose thatx ∈(Z/nZ)^×, then

Ifx = 0 mod p, then (x^e)^d = 0 mod pas well. If the same holds for mod qwe are done by the Chinese remainder theorem.

(6)

RSA cryptosystem

n=pq ⇒φ(n) = (p−1)(q−1)

Ifx = 0 mod p, then (x^e)^d = 0 modp as well. If the same holds for mod qwe are done by the Chinese remainder theorem.

(7)

RSA cryptosystem

n=pq ⇒φ(n) = (p−1)(q−1)

Ifx = 0 mod p, then (x^e)^d = 0 modp as well. If the same holds for mod qwe are done by the Chinese remainder theorem.

(x^e)^d =x^ed−1x =x^t^{(p−1)(q−1)}x = (x^q−1)^t^(p−1)x=1^t^(p−1)x mod q=x mod q.We conclude by the Chinese remainder theorem.

(8)

Reminder: Cryptosystem: basic model for secrecy

Definition: Cryptosystem is a 5 -tuple (P,C,K,E,D) satisfying:

P is a finite set of possibleplaintexts;

Cis a finite set of possibleciphertexts;

K, thekeyspace, is a finite set of possiblekeys;

E ={E_k :k ∈ K}consists ofencryption functionsE_k:P → C;

D={D_k :k ∈ K}consists ofdecryption functionsD_k:C → P;

For alle∈ Kthere existsd ∈ Ksuch that for all plaintextsp∈ P we have:

D_d(Ee(p)) =p Symmetric cryptosystem: d =e

Public-key cryptosystem:d cannot be derived fromein a computationally feasible way

(9)

RSA cryptosystem parameters

Algorithm: RSA parameter generation

1. Generate two large primes,pandq, such thatp6=q 2. n←pq andφ(n)←(p−1)(q−1)

3. Choose a randomewith 1<e< φ(n) such thatgcd(e, φ(n)) = 1 4. d ←e⁻¹ mod φ(n)

5. The public key is(n,e)and the private key is(p,q,d).

(10)

Reminder: Breaking encryption algorithms

•A practical method of determining thedecryption keyis found.

RSA: Find the private key(p,q,d), knowing the public key(n,e)

•A weakness in the encryption algorithm leads to aplaintext.

RSA: Invert the RSA encryption function

(11)

Reminder: Breaking encryption algorithms

•A practical method of determining thedecryption keyis found.

RSA: Find the private key(p,q,d), knowing the public key(n,e)

•A weakness in the encryption algorithm leads to aplaintext.

RSA: Invert the RSA encryption function

(12)

One-way function

A function that is easy to compute on every input, butalmost always hard to invert: apolynomial-timeinterceptor will fail to invert the function, except withnegligibleprobability.

Definition: Properties of an algorithm

An algorithm isdeterministicif the output only depends on the input.

Otherwise, it is calledprobabilisticorrandomized.

An algorithm is apolynomialalgorithm if the number of operations when executed by a multitape Turing machine isO(n^k) for somek ∈N on input of sizen.

(13)

Turing machine Turing (1936)

Atapeis an infinite one-directional line of cells

Definition: thek-tape Turing machineis a tripleM = (A,Q, τ) satisfying:

Ais a finitealphabetthat thek tapes contain:A={,,0,1};

Qis a finite set ofstates:qstart,qhalt ∈Q;

τ:Q×A^k →Q×A^k−1× {L,S,R}^k is thetransition functionofM.

1stinputtape,k −1worktapes,kthoutputtape theblanksymbol,thestartsymbol

qstart,qhalt thestartandhaltingstates Aregistercontains a current state

Atape headreads/write symbols, moves Left, Right or Stays

(14)

Turing machine

A 3-tape Turing machine [image: Arora & Barak’s book on Complexity]

(15)

Computing with Turing machine

Startconfiguration:

Input tape: , the input (afinitenon-blank string), the blank symbs k −1 tapes: , the blank symbols

All heads start at the left

Stepof computation: applyτ:Q×A^k →Q×A^k−1× {L,S,R}^k Halting:M halts when it entersqhalt

T:N→Nis the running time

Definition: Mcomputesf:{0,1}^∗ → {0,1}^∗inT(n)-time

For every inputx ∈ {0,1}^∗,Mhalts after at mostT(|x|) steps, with outputf(x).

(16)

Computing with Turing machine

Startconfiguration:

Input tape: , the input (afinitenon-blank string), the blank symbs k −1 tapes: , the blank symbols

All heads start at the left

Stepof computation: applyτ:Q×A^k →Q×A^k−1× {L,S,R}^k Halting:M halts when it entersqhalt

T:N→Nis the running time

Definition: Mcomputesf:{0,1}^∗ → {0,1}^∗inT(n)-time

For every inputx ∈ {0,1}^∗,Mhalts after at mostT(|x|) steps, with outputf(x).

(17)

Example: a Turing machine for the unary addition

Transition function for addition [image: geeksforgeeks.org]

Unary format using 0’s: 4 = 0 0 0 0 , 3= 0 0 0 B =andc,x ∈A,Q₀=qstart,Q₅=qhalt.

(18)

Turing machine: variants

deterministic: see above

non-deterministic: can be>1 move for a given state and tape probabilistic: a non-deterministic Turing machine which choses moves according to a probability distribution

(19)

Turing machine: decision

Lis alanguage, i.e. L⊆A^∗ for a finite alphabetA

Definition: Mdecideswhether an inputx ∈L There is a deterministic Turing machine computing

χ_L(x) =

( 1 x ∈L 0 x 6∈L Lisdecidableorrecursive.

Lis computable byMor the decision problem is solvable byM

(20)

Turing machine: verification

Definition: Mverifieswhether an inputx ∈L

There is a deterministic Turing machine computingν_Lsuch that for eachgivencertificatec∈A^∗,

ν_L(x,c) =

( 1 x ∈L

0 x 6∈Lorx ∈Landc is wrong Lisrecognizableorrecursively enumerable.

M verifies whethercis a valid proof ofx ∈L

(21)

Complexity classes

A problem instancex lies in the complexity class

P ifx is solvable by a polynomialdeterministicalgorithm.

BPP ifx is solvable by a polynomialprobabilisticalgorithm.

BQPifx is solvable by a polynomial deterministic algorithm on a quantumcomputer.

NP ifx isverifiableby a polynomial deterministic algorithm.

Known:P ⊆NP,P ⊆BPP, Factorisation and Discrete logarithm problem are inNP∩BQP.

Conjectures: P=BPP, Factorisation and Discrete logarithm problem are not inNP∩BPP.

Open Problem: Is therex ∈NP\BQP?

(22)

Complexity classes

A problem instancex lies in the complexity class

P ifx is solvable by a polynomialdeterministicalgorithm.

BPP ifx is solvable by a polynomialprobabilisticalgorithm.

BQPifx is solvable by a polynomial deterministic algorithm on a quantumcomputer.

NP ifx isverifiableby a polynomial deterministic algorithm.

Known:P ⊆NP,P ⊆BPP, Factorisation and Discrete logarithm problem are inNP∩BQP.

Conjectures: P=BPP, Factorisation and Discrete logarithm problem are not inNP∩BPP.

Open Problem: Is therex ∈NP\BQP?

(23)

One-way function

Definition: Negligible function

A functionf:N→Risnegligibleif for each positive polynomialp,

∃n₀∈Nsuch that|f(n)|< _p(n)¹ for alln>n₀

Example: f = 2⁻ⁿ Non-example: f =n⁻⁴

Notation: {0,1}^∗ = set of all finite binary strings ({0,1}^∗, concatenation) is a semi-group

(24)

One-way function

Definition: Negligible function

A functionf:N→Risnegligibleif for each positive polynomialp,

∃n₀∈Nsuch that|f(n)|< _p(n)¹ for alln>n₀

Example: f = 2⁻ⁿ Non-example: f =n⁻⁴ Notation: {0,1}^∗ = set of all finite binary strings

({0,1}^∗, concatenation) is a semi-group

(25)

One-way function

Definition: One-way function

A functionf:{0,1}^∗ → {0,1}^∗is aone-way functionif

1 for all inputx ∈ {0,1}^∗there is a polynomial deterministic algorithm that outputsf(x);

2 for all polynomial probabilistic algorithmA:{0,1}^∗ → {0,1}^∗ there is a negligible function negl such that

Pr[A(f(x))∈f⁻¹(f(x))]6negl(n),

where the probability is over the choice ofx according to the uniform distribution on{0,1}ⁿ, and the randomness ofA.

Hard to invert when the input is uniformly distributed. In particular, hard to invert in theaverage-case(not in the worst-case sense =NP-hard). Hard to invert forlong enough inputs.

(26)

One-way function

Definition: One-way function

A functionf:{0,1}^∗ → {0,1}^∗is aone-way functionif

1 for all inputx ∈ {0,1}^∗there is a polynomial deterministic algorithm that outputsf(x);

2 for all polynomial probabilistic algorithmA:{0,1}^∗ → {0,1}^∗ there is a negligible function negl such that

Pr[A(f(x))∈f⁻¹(f(x))]6negl(n),

where the probability is over the choice ofx according to the uniform distribution on{0,1}ⁿ, and the randomness ofA.

Hard to invert when the input is uniformly distributed. In particular, hard to invert in theaverage-case(not in the worst-case sense =NP-hard).

Hard to invert forlong enough inputs.

(27)

One-way function

We are interested in existence of injectivetrapdoorone-way functions, i.e. those easy to invert with the knowledge of a trapdoor (e.g. with a private-key).

Open problem: Do one-way functions exist?

Open problem: Is breaking RSA as hard as factoring integers?

(28)

One-way function

(29)

One-way function

(30)

RSA keys vs Factoring

Theorem: RSA keys vs Factoring

If the Factoring is not in BPP, then the Asymmetry of RSA is not in BPP.

Asymmetryproblem = compute the private key from the public key Here: computed (and not, in additionpandq), knowing (n,e).

Theorem: One-way⇔Pseudorandom

The existence of one-way functions is aminimal assumptionthat is both necessary and sufficient for constructions ofpseudorandom generatorsand functions.

(31)

RSA keys vs Factoring

Theorem: RSA keys vs Factoring

If the Factoring is not in BPP, then the Asymmetry of RSA is not in BPP.

Asymmetryproblem = compute the private key from the public key Here: computed (and not, in additionpandq), knowing (n,e).

Theorem: One-way⇔Pseudorandom

The existence of one-way functions is aminimal assumptionthat is both necessary and sufficient for constructions ofpseudorandom generatorsand functions.

(32)

Cryptanalysis of RSA: Weakness of the RSA primitive

If the interceptor can factor the modulusnin polynomial-time, then the private key can be efficiently calculated.

Integer factorisation methods Trial division

Pollard’sp−1 method

Elliptic curve factoring method

Quadratic sieve and Number field sieve . . .

A 768-bit number factored, two years of computations in 2007-2009.

So, 512-bit keys are ‘sufficient’.

In practice, RSA keys are typically 1024- to2048-bits long.

(33)

Cryptanalysis of RSA: Factoring

Ifnis composite, then it has a prime factorp6√ n

Trial division

Exhaustive search over all successive primes until√ n.

Complexity of such attacks allow to derive lower bounds on RSA parameters (key size etc.)

(34)

Test questions

Question 6

What is the complexity of the RSA parameter generation?

Question 7

Letf be a one-way function. Isf(f(x)) necessarily a one-way function?

Question 8

What is the worst-case / average-case complexities of trial division?

Question 9

Design an algorithm computing the square root of a positive integer.

What about its complexity? What about its modular variant and its complexity?

(35)

Cryptanalysis of RSA: The RSA parameters

Attacks on the RSA function Loweord attack

Partiald exposure attack

(36)

Cryptanalysis of RSA: Implementation attacks

Side-channel attacks

Time analysis: a correlation betweeneand the runtime of the cryptographic operation (Solution: delay / blinding)

Power analysis: monitoring power consumption (Solution:

engineering)

Fault analysis: exploiting errors in cryptographic operations (Solution: verify withe)

. . .

(37)

Remainder: RSA cryptosystem parameters

Algorithm: RSA parameter generation

1. Generate two large primes,pandq, such thatp6=q 2. n←pq andφ(n)←(p−1)(q−1)

3. Choose arandomewith 1<e< φ(n) such thatgcd(e, φ(n)) = 1 4. d ←e⁻¹ mod φ(n)

5. The public key is(n,e)and the private key is(p,q,d).

Randomness of the encryption key is to resist aninformed exhaustive plaintext search attack. This contrasts the symmetric key encryption.

(38)

Cryptanalysis of RSA: practice

Key choice

1024- to 2048-bits long

Strong primes vs Random primes

Multi-prime RSA

More than two primespandq, hence, primes are smaller for a bign, the encryption is faster.

(39)

Cryptanalysis of RSA: practice

Encoding of plaintext = Padding schemes

Plaintext is preprocessed using a probabilistic encoding: same plaintext with the sameegives a different ciphertext.

Goal: resist to theinformed exhaustive plaintext search attack.

Definition: Hash function

A one-way functionh:{0,1}^∗ → {0,1}^k for somek ∈N. Hash: data of arbitrary size is mapped to data of fixed size.

(40)

Optimal asymmetric encryption padding (OAEP)

A simplified variant: ignoring the lengths of input / outputs.

Given: x and (n,e), two hashesh₁andh₂, and arandomnumberr. RSA-OAEP encoding

1. Hashr usingh₁and XOR tox:

A=h₁(r)⊕x 2. HashAusingh₂and XOR tor:

B=h₂(A)⊕r 3. Apply RSA to the concatenationAkB:

c= (AkB)^e modn XOR = the exclusive disjunction =⊕= + mod 2

(41)

Optimal asymmetric encryption padding (OAEP)

Bob can decrypt without knowingr. RSA-OAEP decoding

1. Decryptc usingd, getAkB

2. HashAusingh₂and XOR toB, getr:

h₂(A)⊕B=h₂(A)⊕(h₂(A)⊕r) =r 3. Hashr usingh₁and XOR toA, getx:

h₁(r)⊕A=h₁(r)⊕(h₁(r)⊕x) =x Hashes: with trapdoor, given by a polynomial algorithm.

(42)

Discrete Logarithm problem

LetGbe a finite group,g ∈Gan element,hgi6Ga cyclic subgroup it generates,nits order.

Discrete Logarithm Problem = DLP

Givenn,gandy ∈ hgi, find the unique integerd, 06d 6n−1, such that

g^d =y.

d := log_gy is called thediscrete logarithm ofy to baseg.

Example: G= (Z/pZ)^×,g is a primitive element modp,n=p−1 Aprimitiveelement modpis an element of (Z/pZ)^×of orderp−1.

(43)

Cryptosystems based on the DLP: ElGamal cryptosystem

ElGamal’1985 cryptosystem is a cryptosystem based on the Discrete Logarithm problem in (Z/pZ)^×

DLP assumption

1. The DLP in (Z/pZ)^× is not in BPP.

2. The Factoring is not in BPP.

(44)

ElGamal cryptosystem: Parameter generation

ElGamal’1985 cryptosystem is a cryptosystem based on the Discrete Logarithm problem in (Z/pZ)^×

Algorithm: ElGamal parameter generation 1. Generate a large primep.

2. Choose a primitive elementg ∈(Z/pZ)^×. 3. Choose a randomd with 1<d <p−1.

4. y ←g^d mod p

5. The public key is(p,g,y)and the private key isd.

(45)

ElGamal cryptosystem: informally

The encryption of a plaintextx is randomised using a random valuer chosen by Alice inZ/(p−1)Z:

There arep−1 ciphertextscthat are encryptions of the samex.

Randomization ofx:

the plaintextx is ‘masked’ by multiplying it byy^r yieldingc₂.

The valueg^r is also transmitted giving partc₁of the ciphertext (c₁,c₂). Bob, knowing the private keyd, can computey^r fromg^r.

Then he can remove the ‘mask’ by dividingc₂byy^r to obtainx.

(46)

ElGamal cryptosystem: informally

There arep−1 ciphertextscthat are encryptions of the samex. Randomization ofx:

The valueg^r is also transmitted giving partc₁of the ciphertext (c₁,c₂). Bob, knowing the private keyd, can computey^r fromg^r.

Then he can remove the ‘mask’ by dividingc₂byy^r to obtainx.

(47)

ElGamal cryptosystem: informally

The valueg^r is also transmitted giving partc₁of the ciphertext (c₁,c₂).

Bob, knowing the private keyd, can computey^r fromg^r. Then he can remove the ‘mask’ by dividingc₂byy^r to obtainx.

(48)

ElGamal cryptosystem: informally

The valueg^r is also transmitted giving partc₁of the ciphertext (c₁,c₂).

Bob, knowing the private keyd, can computey^r fromg^r. Then he can remove the ‘mask’ by dividingc₂byy^r to obtainx.

(49)

ElGamal cryptosystem

Definition: ElGamal cryptosystem

Letpbe a prime andga primitive element modp.

LetP = (Z/pZ)^×,C = (Z/pZ)^××(Z/pZ)^×and define K={(p,g,d,y) : y =g^d modp}.

Fork = (p,g,d,y),and for a secrete random numberr ∈Z/(p−1)Z, define

E_k(x;r) = (c₁,c₂), where

c₁=g^r mod p, and c₂=xy^r modp.

Forc₁,c₂∈(Z/pZ)^×, define

D_k(c₁,c₂) =c₂(c₁^d)⁻¹ mod p Public key is (p,g,y) and private key isd.

(50)

ElGamal cryptosystem

Encryption and decryption are inverse operations

c₂(c^d₁)⁻¹=xy^r·((g^r)^d)⁻¹ mod p=x·(g^d)^r·((g^r)^d)⁻¹ mod p=x mod p

Theorem: ElGamal keys vs DLP

If the DLP in (Z/pZ)^× is not in BPP, then the Asymmetry of ElGamal is not in BPP.

(51)

ElGamal Cryptosystem: finite fields etc.

ElGamal is for an arbitrary finite groupG, we had (Z/pZ)^×. Other groups:

1. The multiplicative group of the finite fieldF_p^k

2. The group of an elliptic curve defined over a finite field.

The group has to satisfy the DLP assumption.

(52)

Weierstrass equation

Letkbe a field.

Weierstrass equations

TheaffineWeierstrass equation:

E:y²+a₁xy +a₃y =x³+a₂x²+a₄x+a₆,a_i ∈k.

ThehomogeneousWeierstrass equation:

E^∗:y²z+a₁xyz+a₃yz²=x³+a₂x²z+a₄xz²+a₆z³,a_i ∈k.

Thevanishing set:

E(k) ={(x :y :z)∈P²so thatx,y,z ∈kis a solution ofE^∗} ⊆P²

(53)

Singular points and curves

Thedefining polynomial:

F^∗:y²z+a₁xyz+a₃yz²−(x³+a₂x²z+a₄xz²+a₆z³),a_i ∈k.

Definition: Singular points and curves LetP= (x₀:y₀:z₀)∈E(k).

1. Pis asingularpoint ofE if

∂F^∗

∂x (x₀,y₀,z₀) = ∂F^∗

∂y (x₀,y₀,z₀) = ∂F^∗

∂z (x₀,y₀,z₀) = 0.

2. E issingularif there is a singular pointP ∈E(k), otherwiseE is nonsingularorsmooth.

Example: (0 : 1 : 0) is the only point ofE at infinity, i.e. atz = 0. It has multiplicity 3 asE^∗(x,y,0) :x³= 0.

It is not singular: ^∂F_∂z^∗(0,1,0) = 16= 0.

(54)

Elliptic curves

Definition: Elliptic curve

E isellipticifE is smooth.

Normal forms

1. Ifchark6= 2 then inE substitutey 7→y −^a¹^x+a₂ ³ obtaining y²=x³+a⁰₂x²+a⁰₄x+a⁰₆

2. Ifchark6= 2,3 then substitutex 7→x− ¹₃a⁰₂,a⁰₂=a₂+^a₄²¹ obtaining y²=x³+ax +b

chark6= 2,3 :disc(x³+ax+b) =−16(4a³+ 27b²)

chark6= 2,y²=f(x) =x³+a⁰x²+a⁰x+a⁰ is singular⇐⇒discf = 0

(55)

Elliptic curves

Elliptic curves in normal form [image: Wikipedia]

(56)

Elliptic curve: The group structure (E (k), +)

ka field,kits algebraic closure

Group structure [image: Wikipedia]

(57)

Test questions

Question 10

Which of the following statements are true?

1 If the RSA cryptosystem is breakable, then large numbers can be factored.

2 Breaking the ECC cryptosystem is equivalent to solving the discrete logarithm problem.

3 There is no message expansion in the ECC cryptosystem.

Question 11

Why in practice public-key cryptosystems have longer key lengths than symmetric cryptosystems?