Cryptography – BCS 2 Public-Key Cryptography – RSA

Academic year: 2022

Pierre-Alain Fouque

Université de Rennes 1

September 24, 2020

(2)

Agenda

1 Euler Totient Function

2 Euler Theorem

3 RSA

(3)

Euler Totient Function

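Definition

For all $n \ge 1$, the integer $\varphi(n)$ is the number of integers between 1 and $n$ that are coprime with $n$:

$$\varphi(n) = \#\{\, k : 1 \le k \le n,\ \gcd(k,n) = 1 \,\}$$

Lemma

For every prime $p$ and every integer $r \ge 1$, we get $\varphi(p^r) = p^r - p^{r-1}$.

Lemma

Let $n \ge 1$, let $a$ be an integer and $\bar{a}$ its class mod $n\mathbb{Z}$. Then $\bar{a}$ is invertible in $\mathbb{Z}/n\mathbb{Z}$ iff $\gcd(a,n) = 1$.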

(4)

Euler Totient Function

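Corollary

The order of $(\mathbb{Z}/n\mathbb{Z})^*$ is $\varphi(n)$. The ring $\mathbb{Z}/n\mathbb{Z}$ is a field iff $n$ is prime.

Corollary

Let $m$ and $n$ be two non-negative coprime integers. We get $\varphi(mn) = \varphi(m)\,\varphi(n)$.

Theorem

$$\varphi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$$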

(5)

Euler Theorem

Theorem (Euler, 1760)

Let $n$ be a non-negative integer. For every integer $a$ coprime with $n$, $a^{\varphi(n)} = 1 \bmod n$.

Proposition

Let $G$ be an abelian group of order $n$, with identity element $e$. For all $x \in G$, we have $x^n = e$.

Corollary (Fermat Little Theorem)

Let $p$ be a prime number. For every integer $a$ not divisible by $p$, $a^{p-1} = 1 \bmod p$.

(6)

RSA

Plaintext RSA Cryptosystem

pk = $(e, N)$ s.t. $\gcd(e, \varphi(N)) = 1$
sk = $(d, N)$ s.t. $ed = 1 \bmod \varphi(N)$
Encryption: $E_{pk}(m) = m^e \bmod N$
Decryption: $D_{sk}(c) = c^d \bmod N$

Problems and Solution with Plaintext RSA

• PK useful to encrypt a secret key $k$ of 128 bits: $k^e \bmod N$? Deterministic encryption
• Padding PKCS #1 v1.5: $(02 \,\|\, \text{Non-Zero Random bytes} \,\|\, m)$, as long as the bit size of $N$
• Bleichenbacher attack on TLS-RSA: decryption failure oracle
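Added example, not part of the original slides: plaintext RSA on a 128-bit key is deterministic, so anyone holding pk can confirm a guess by re-encrypting it, while the randomized PKCS #1 v1.5 block removes that check. It uses the standard's full block layout (00 ‖ 02 ‖ non-zero random bytes ‖ 00 ‖ m); the toy primes, the sample key and all function names are assumptions made for this illustration.

```python
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # ed = 1 mod phi(N)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

def textbook_encrypt(m: bytes) -> int:
    """Plaintext RSA: c = m^e mod N, no randomness involved."""
    return pow(int.from_bytes(m, "big"), E, N)

def pad_v15(m: bytes) -> bytes:
    """Build 00 || 02 || non-zero random bytes || 00 || m, K bytes long."""
    ps_len = K - 3 - len(m)
    if ps_len < 8:                     # the standard requires >= 8 random bytes
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + m

def padded_encrypt(m: bytes) -> int:
    return pow(int.from_bytes(pad_v15(m), "big"), E, N)

def padded_decrypt(c: int) -> bytes:
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)          # first zero byte after the random part
    # One uniform error for every failure: distinguishable failures are the
    # decryption failure oracle that Bleichenbacher's attack relies on.
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]

def guess_confirmed(c: int, guess: bytes) -> bool:
    """Re-encrypt a guess with the public key and compare ciphertexts."""
    return textbook_encrypt(guess) == c

if __name__ == "__main__":
    k = bytes(range(16))               # constructed 128-bit session key
    c = textbook_encrypt(k)
    print("textbook repeats:", c == textbook_encrypt(k))
    print("guess confirmed on textbook ciphertext:", guess_confirmed(c, k))
    c1, c2 = padded_encrypt(k), padded_encrypt(k)
    print("padded ciphertexts differ:", c1 != c2)
    print("guess confirmed on padded ciphertext:", guess_confirmed(c1, k))
    print("padded round trip ok:", padded_decrypt(c1) == k)
```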

(7)

Some Attacks on RSA

Factorization

• Complexity of the best known algorithm (Number Field Sieve): $\exp\left(\sqrt[3]{\tfrac{64}{9}}\,(\ln n)^{1/3}(\ln\ln n)^{2/3}\right)$
• Current academic record: 2019, RSA-240 (240 digits ≈ 795 bits), 900 core-years
• RSA-1024 estimated to 500 times more (expected $2^{80}$); RSA-2048 safer
• Other techniques to factor: ρ-Pollard, p−1-method, p+1-method, ECM, ...

Broadcast-RSA: $e = 3$ and the same message sent to 3 different people $(e,N_1), (e,N_2), (e,N_3)$: $c_1 = m^3 \bmod N_1$, $c_2 = m^3 \bmod N_2$, $c_3 = m^3 \bmod N_3$, then $\mathrm{crt} = \mathrm{crt}(c_1,c_2,c_3,N_1,N_2,N_3) = m^3 \bmod N_1 N_2 N_3$. As

(8)

IND-CCA-2 security : Toward a correct definition of security

1 Mix of a goal (what A tries to do?) and means (what information he has access to?)

2 Goals:

• Key recovery (KR) of the secret key given the public key?
• Plaintext recovery given the ciphertext? (OW: One-Way)
• Not always sufficient, e.g. voting scheme: recovery of any bit of information on the plaintext? (Goldwasser-Micali '84)
• Probabilistic encryption is better than deterministic encryption
• Indistinguishability of ciphertext (IND): it should be hard for A to distinguish a ciphertext of $M_0$ from a ciphertext of $M_1$

3 Means:

• ciphertext only attack
• known message attack (KMA): access to $(M,C)$ for known $M$
• chosen plaintext attack (CPA): A can choose $M$ of her choice: always possible in a PK setting
• chosen ciphertext attack (CCA): A can choose $C$ to decrypt
• Lunch-time attack (CCA1) vs. CCA2

(9)

IND-CPA Security game

Notion useful only for randomized ciphers

(10)

RSA-OAEP is CCA2 secure

In 2001, we know how to encrypt securely with RSA

• $G$, $H$ are mask generation functions: generate random bits
• $k_1$: 128 bits to be checked at decryption
• OAEP is a bijection
• $(s,t)$ is the message to be encrypted with RSA
