### Cryptography – BCS 2 Public-Key Cryptography – RSA

Pierre-Alain Fouque

Université de Rennes 1

September 24, 2020

### Agenda

1. Euler Totient Function
2. Euler Theorem
3. RSA

### Euler Totient Function

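Definition

For all $n \ge 1$, the integer $\varphi(n)$ is the number of integers between 1 and $n$ that are coprime with $n$.

$$\varphi(n) = \left|\{\, 1 \le k \le n : \gcd(k,n) = 1 \,\}\right|$$

Lemma

For all primes $p$ and integers $r \ge 1$, we get

$$\varphi(p^{r}) = p^{r} - p^{r-1}$$

Lemma

Let $n \ge 1$, let $a$ be an integer and $\bar{a}$ its class mod $n\mathbb{Z}$. Then $\bar{a}$ is invertible in $\mathbb{Z}/n\mathbb{Z}$ iff $\gcd(a,n) = 1$.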

### Euler Totient Function

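Corollary (The order of $(\mathbb{Z}/n\mathbb{Z})^{*}$ is $\varphi(n)$.)

The ring $\mathbb{Z}/n\mathbb{Z}$ is a field iff $n$ is prime.

Corollary

Let $m$ and $n$ be two non-negative coprime integers. We get $\varphi(mn) = \varphi(m)\varphi(n)$.

Theorem

$$\varphi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$$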

### Euler Theorem

Theorem (Euler, 1760)

Let $n$ be a non-negative integer. For every integer $a$ coprime with $n$,

$$a^{\varphi(n)} = 1 \bmod n$$

Proposition

Let $G$ be an abelian group of order $n$, with identity element $e$.

For all $x \in G$, we have $x^{n} = e$.

Corollary (Fermat Little Theorem)

Let $p$ be a prime number. For every integer $a$ not divisible by $p$,

$$a^{p-1} = 1 \bmod p$$

### RSA

Plaintext RSA Cryptosystem

- $pk = (e, N)$ s.t. $\gcd(e, \varphi(N)) = 1$
- $sk = (d, N)$ s.t. $ed = 1 \bmod \varphi(N)$
- Encryption: $E_{pk}(m) = m^{e} \bmod N$
- Decryption: $D_{sk}(c) = c^{d} \bmod N$

Problems and Solution with Plaintext RSA

- PK useful to encrypt secret key $k$ of 128 bits: $k^{e} \bmod N$?
- Deterministic encryption
- Padding PKCS #1 v1.5: $(02 \,\|\, \text{Non-Zero Random bytes} \,\|\, m)$ as long as the bit size of $N$
- Bleichenbacher Attack on TLS-RSA: decryption failure oracle

### Some Attacks on RSA

Factorization

Complexity of the best known algorithm (Number Field Sieve):

$$\exp\left(\sqrt[3]{\frac{64}{9}}\,(\ln n)^{1/3}(\ln \ln n)^{2/3}\right)$$

Current academic record: 2019 RSA-240 (240 digits ≈ 795 bits) – 900 core-years

RSA-1024 estimated to 500 times more (expected $2^{80}$) – RSA-2048 safer

Other techniques to factor : ρ-Pollard, p−1-method, p+1-method, ECM, ...

Broadcast-RSA: $e = 3$ and the same message sent to 3 different people $(e,N_1), (e,N_2), (e,N_3)$: $c_1 = m^{3} \bmod N_1$, $c_2 = m^{3} \bmod N_2$, $c_3 = m^{3} \bmod N_3$, then $crt = crt(c_1, c_2, c_3, N_1, N_2, N_3) = m^{3} \bmod N_1 N_2 N_3$. As
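The Broadcast-RSA item above, worked through as an added example (not code from the slides) to show why plaintext RSA with $e = 3$ needs randomized padding. The toy primes, the 32-bit message and the `randomized` helper are assumptions made for the demo; the cube-root step relies on the standard fact that $m < N_i$ implies $m^3 < N_1N_2N_3$, so the CRT value is $m^3$ over the integers.

```python
import secrets
from math import gcd, prod

E = 3
# Constructed toy prime pairs; each prime is 2 mod 3, so gcd(E, phi(N)) = 1.
PRIME_PAIRS = [(65537, 1000000007), (104729, 998244353), (7919, 4294967291)]
M = int.from_bytes(b"k3y!", "big")          # constructed 32-bit secret, M < every N

def keygen(p, q):
    """Return pk = (E, N) and sk = (d, N) with E*d = 1 mod phi(N)."""
    phi = (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (E, p * q), (pow(E, -1, phi), p * q)

def encrypt(pk, m):
    return pow(m, pk[0], pk[1])             # plaintext RSA: deterministic

def crt(residues, moduli):
    """Unique x in [0, prod(moduli)) with x = r_i mod n_i (n_i pairwise coprime)."""
    total = prod(moduli)
    x = sum(r * (total // n) * pow(total // n, -1, n) for r, n in zip(residues, moduli))
    return x % total

def exact_cube_root(x):
    """Integer cube root by binary search; None when x is not a perfect cube."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None

def broadcast_recover(ciphertexts, moduli):
    """Combine the three ciphertexts with CRT, then take a cube root over the integers."""
    return exact_cube_root(crt(ciphertexts, moduli))

def randomized(m):
    """Hypothetical toy randomizer (not PKCS #1 or OAEP): fresh non-zero bits above m."""
    return ((secrets.randbelow(1023) + 1) << 32) | m

PUBLIC_KEYS = [keygen(p, q)[0] for p, q in PRIME_PAIRS]
MODULI = [n for _, n in PUBLIC_KEYS]
same = [encrypt(pk, M) for pk in PUBLIC_KEYS]                # identical plaintext to all three
padded = [encrypt(pk, randomized(M)) for pk in PUBLIC_KEYS]  # fresh randomness per recipient

if __name__ == "__main__":
    print(broadcast_recover(same, MODULI) == M, broadcast_recover(padded, MODULI) == M)
```

With identical plaintexts the message is recovered without any private key; once each recipient's plaintext carries fresh randomness, the three ciphertexts no longer share a common cube and the same computation does not return the message.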

### IND-CCA-2 security : Toward a correct definition of security

1. Mix of a goal (what $A$ tries to do?) and means (what information he has access to?)
2. Goals:
   - Key recovery (KR) of the secret key given the public key?
   - Plaintext recovery given the ciphertext? (OW: One-Way)
   - Not always sufficient: e.g. voting scheme: recovery of any bit of information on the plaintext? (Goldwasser-Micali ’84)
   - Probabilistic encryption is better than deterministic encryption
   - Indistinguishability of ciphertext (IND): it should be hard for $A$ to distinguish a ciphertext of $M_0$ from a ciphertext of $M_1$
3. Means:
   - ciphertext only attack
   - known message attack (KMA): access to $(M, C)$ for known $M$
   - chosen plaintext attack (CPA): $A$ can choose $M$ of her choice: always possible in a PK setting
   - chosen ciphertext attack (CCA): $A$ can choose $C$ to decrypt
   - Lunch-time attack (CCA1) vs. CCA2

### IND-CPA Security game

Notion useful only for randomized ciphers

### RSA-OAEP is CCA2 secure

In 2001, we know how to encrypt securely with RSA

- $G$, $H$ are mask generation functions: generate random bits
- $k_1$: 128 bits to be checked at decryption
- OAEP is a bijection
- $(s, t)$ is the message to be encrypted with RSA