Cryptography – BCS 2 Public-Key Cryptography – RSA

10  Download (0)

Full text


Cryptography – BCS 2 Public-Key Cryptography – RSA

Pierre-Alain Fouque

Université de Rennes 1

September, 24 2020



1 Euler Totient Function

2 Euler Theorem



Euler Totient Function


For alln≥1, the integer ϕ(n) is the number of integers between 1 andn, and coprime with n.

ϕ(n) =

1≤k ≤n: gcd(k,n) =1 Lemma

For all primep and integer r ≥1, we get ϕ(pr) =pr −pr−1


Letn≥1. An integeraanda¯its class mod nZ. Then, a¯is invertible inZ/nZiff gcd(a,n) =1.


Euler Totient Function

Corollary (The order of(Z/nZ) is ϕ(n).) The ringZ/nZis a field iffn is prime.


Letm andn two non-negative coprime integers. We get ϕ(mn) =ϕ(m)ϕ(n)


ϕ(n) =nY


1− 1



Euler Theorem

Theorem (Euler, 1760)

Letn a non-negative integer. For all integer acoprime with n, aϕ(n) =1modn


LetG an abelian group of order n, with identity elemente.

For allx ∈G, we havexn=e.

Corollary (Fermat Little Theorem)

Letp be a prime number. For all integer anon divisible by p, ap−1 =1modp



Plaintext RSA Cryptosystem

pk = (e,N) s.t.gcd(e, ϕ(N)) =1 sk = (d,N) s.t. ed=1modϕ(N) Encryption :Epk(m) =me modN Decryption :Dsk(c) =cd modN Problems and Solution with Plaintext RSA

PK useful to encrypt secret key k of 128 bits :ke modN? Deterministic encryption

Padding PKCS #1 v1.5 : (02kNon−Zero Random byteskm) as long as the bitsize ofN

Bleichenbacher Attack on TLS-RSA : decryption failure oracle


Some Attacks on RSA


Complexity best known algorithm (Number Field Sieve) : exp 3

q64 9

(lnn)13(ln lnn)23

current academic Record : 2019 RSA-240 (240 digits ≈795 bits) – 900 core-years

RSA-1024 estimated to 500 times more (expected 280) – RSA-2048 safer

Other techniques to factor : ρ-Pollard, p−1-method, p+1-method, ECM, ...

Broadcast-RSA : e =3 and same message sent to 3 different people(e,N1),(e,N2),(e,N3):c1=m3modN1,

c2=m3 modN2,c3 =m3modN3, then

crt =crt(c ,c ,c ,N ,N ,N ) =M3modN N N .As


IND-CCA-2 security : Toward a correct definition of security

1 Mix of a goal(what Atries to do ?) and means(what information he has access to ?)

2 Goals :

Key recovery (KR) of the secret key given the public-key ? Plaintext recovery given the ciphertext ? (OW : One-Way) Not always sufficient : e.g. voting scheme : Recovery of any bit of information on the plaintext ? (Goldwasser-Micali ’84) Probabilistic encryption is better than Deterministic encryption Indistinguishability of ciphertext (IND) : it should be hard for Ato distinguish a ciphertext ofM0from a ciphertext ofM1 3 Means :

ciphertext only attack

known message attack (KMA) : access to(M,C)for knownM chosen plaintext attack (CPA) :Acan chooseM of her choice : always possible in a PK setting

chosen ciphertext attack (CCA) :Acan chooseC to decrypt Lunch-time attack (CCA1) vs. CCA2


IND-CPA Security game

Notion useful only for randomized ciphers


RSA-OAEP is CCA2 secure

In 2001, we know how to encrypt securely with RSA

G,H are mask generation functions : generate random bits k1 : 128 bits to be checked at decryption OAEP is a bijection (s,t) is the message to be encrypted with RSA




Related subjects :