1 Number Theory and Advanced Cryptography 5. Cryptanalysis of RSA Chih-Hung Wang Sept. 2012 Part I:...
-
Upload
hector-kennedy -
Category
Documents
-
view
221 -
download
0
Transcript of 1 Number Theory and Advanced Cryptography 5. Cryptanalysis of RSA Chih-Hung Wang Sept. 2012 Part I:...
1
Number Theory and Advanced Cryptography 5. Cryptanalysis of RSA
Chih-Hung Wang
Sept. 2012
Part I: Introduction to Number TheoryPart II: Advanced Cryptography
4
RSA Cryptosystem 1977 by Ron Rivest, Adi Shamir, and Len
Adleman (MIT) The first “secure” & “practical” public key
cryptosystem A block cipher in which the plaintext and
ciphertext are integers between 0 and n-1 for some n
7
RSA Example
Receiver Sender
Public Key PKA(e,N)
Acquire(e,n)
C ¡× M e mod nSecret key
M=Cd mod n
Secret key d, p,q
13
Insecurity of the Textbook RSA Encryption Theorem 8.1
The RSA cryptosystem is “all-or-nothing” secure against CPA if and only if the RSA assumption holds.
14
Meet-in-the-middle attack (1)
The multiplicative property of the RSA function
Space cost: 2length/2logN bits Time cost: OB(2length/2 +1(length/2+log3N))
22
Common modulus protocol failure (5) insider attack Given a public key e1, the holder of of an
encryption/decryption pair e2, d2 can generate the private key of another user.
23
The low exponent protocol failure (1)
Use a small exponent for RSA public key in order to make the calculations for encryption fast and inexpensive to perform.
Problem description
25
Other attacks (1) GCD attack
Franklin and Reiter Coopersmith, Franklin and Patarin (Eurocrypt’96)
26
Other attacks (2) The Wiener’s attack
Wiener pointed out that if the secret key d was chosen too small, then it might be recovered
27
Constraints of RSA Key Requirement
Key size in the range of 1024 to 2018 bits p and q should differ in length by only a few
digits. Thus, both p and q should be on the order of 1075 to 10100.
Both (p-1) and (q-1) should contain a large prime factor
gcd(p-1,q-1) should be small
28
Factorization Techniques Fermat Factorization Monte Carlo Factorization The Pollard p-1 method of Factorization [239]
38
Optimal Asymmetric Encryption Padding (OAEP) Page 508
RSA-OAEP & Rabin-OAEP The plaintext message encrypted inside the RSA-
OAEP scheme can have a length up to 84% of the length of the modulus.
PKCS#1, IEEE P1363 & SET