Cryptography – BCS 2 Public-Key Cryptography – RSA
Pierre-Alain Fouque
Université de Rennes 1
September 24, 2020
Agenda
1 Euler Totient Function
2 Euler Theorem
3 RSA
Euler Totient Function
Definition
For all $n \geq 1$, the integer $\phi(n)$ is the number of integers between 1 and $n$ that are coprime with $n$.
$\phi(n) = \left|\{1 \leq k \leq n : \gcd(k, n) = 1\}\right|$
Lemma
For every prime $p$ and integer $r \geq 1$, we get $\phi(p^r) = p^r - p^{r-1}$
Lemma
Let $n \geq 1$. Let $a$ be an integer and $\bar{a}$ its class mod $n\mathbb{Z}$. Then $\bar{a}$ is invertible in $\mathbb{Z}/n\mathbb{Z}$ iff $\gcd(a, n) = 1$.
Corollary (The order of $(\mathbb{Z}/n\mathbb{Z})^*$ is $\phi(n)$.)
The ring $\mathbb{Z}/n\mathbb{Z}$ is a field iff $n$ is prime.
Corollary
Let $m$ and $n$ be two non-negative coprime integers. We get $\phi(mn) = \phi(m)\phi(n)$
Theorem
$\phi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$
Euler Theorem
Theorem (Euler, 1760)
Let $n$ be a non-negative integer. For every integer $a$ coprime with $n$, $a^{\phi(n)} = 1 \bmod n$
Proposition
Let $G$ be an abelian group of order $n$, with identity element $e$.
For all $x \in G$, we have $x^n = e$.
Corollary (Fermat Little Theorem)
Let $p$ be a prime number. For every integer $a$ not divisible by $p$, $a^{p-1} = 1 \bmod p$
RSA
Plaintext RSA Cryptosystem
$pk = (e, N)$ s.t. $\gcd(e, \phi(N)) = 1$
$sk = (d, N)$ s.t. $ed = 1 \bmod \phi(N)$
Encryption: $E_{pk}(m) = m^e \bmod N$
Decryption: $D_{sk}(c) = c^d \bmod N$
Problems and Solution with Plaintext RSA
PK useful to encrypt a secret key $k$ of 128 bits: $k^e \bmod N$? Deterministic encryption
Padding PKCS #1 v1.5: ($02 \,\|\, \text{Non-Zero Random bytes} \,\|\, m$) as long as the bitsize of $N$
Bleichenbacher Attack on TLS-RSA : decryption failure oracle
Some Attacks on RSA
Factorization
Complexity of the best known algorithm (Number Field Sieve): $\exp\left(\sqrt[3]{\frac{64}{9}}\,(\ln n)^{1/3}(\ln\ln n)^{2/3}\right)$
current academic Record : 2019 RSA-240 (240 digits ≈795 bits) – 900 core-years
RSA-1024 estimated to 500 times more (expected $2^{80}$) – RSA-2048 safer
Other techniques to factor : ρ-Pollard, p−1-method, p+1-method, ECM, ...
Broadcast-RSA: $e = 3$ and the same message sent to 3 different people $(e, N_1), (e, N_2), (e, N_3)$: $c_1 = m^3 \bmod N_1$, $c_2 = m^3 \bmod N_2$, $c_3 = m^3 \bmod N_3$, then
$\mathrm{crt} = \mathrm{crt}(c_1, c_2, c_3, N_1, N_2, N_3) = M^3 \bmod N_1 N_2 N_3$. As
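The Broadcast-RSA computation above, as an added example that is not part of the original slides: it builds three toy public keys with e = 3, combines the three ciphertexts with the CRT, and shows that a distinct random prefix per recipient stops the result from being a cube. The toy moduli, the sample message, the helper names, the integer cube-root step and the simplified random prefix (a stand-in for real padding, not the PKCS #1 v1.5 format) are assumptions of this example.

```python
from math import gcd, isqrt, prod
import secrets
E = 3  # public exponent shared by all recipients, as on the slide

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def rsa_prime(start):
    """Smallest prime p >= start with gcd(E, p - 1) = 1 (toy size, trial division)."""
    p = start
    while not (is_prime(p) and gcd(E, p - 1) == 1):
        p += 1
    return p

def toy_modulus(start):
    p = rsa_prime(start)
    return p * rsa_prime(p + 1)

def crt(residues, moduli):
    """The x in [0, N1*N2*N3) with x = c_i mod N_i, for pairwise coprime N_i."""
    total = prod(moduli)
    return sum(c * (total // n) * pow(total // n, -1, n)
               for c, n in zip(residues, moduli)) % total

def icbrt(x):
    """Largest integer r with r**3 <= x (binary search, no floating point)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= x else (lo, mid - 1)
    return lo

def broadcast_recover(ciphertexts, moduli):
    """Return m when the CRT value is an exact cube m**3, otherwise None."""
    x = crt(ciphertexts, moduli)
    root = icbrt(x)
    return root if root ** 3 == x else None

# Constructed toy parameters: three ~60-bit moduli and a 4-byte message.
MODULI = [toy_modulus(2**30 + i * 10**6) for i in range(3)]
M = int.from_bytes(b"k128", "big")

def encrypt_plain(m):
    return [pow(m, E, n) for n in MODULI]

def encrypt_randomized(m):
    """Prefix a distinct random 24-bit value per recipient (simplified padding)."""
    prefixes = secrets.SystemRandom().sample(range(1, 2**24), len(MODULI))
    return [pow((r << 32) | m, E, n) for r, n in zip(prefixes, MODULI)]
```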
IND-CCA-2 security : Toward a correct definition of security
1 Mix of a goal (what A tries to do?) and means (what information he has access to?)
2 Goals:
    Key recovery (KR) of the secret key given the public key?
    Plaintext recovery given the ciphertext? (OW: One-Way)
    Not always sufficient: e.g. voting scheme: Recovery of any bit of information on the plaintext? (Goldwasser-Micali '84)
    Probabilistic encryption is better than Deterministic encryption
    Indistinguishability of ciphertext (IND): it should be hard for A to distinguish a ciphertext of $M_0$ from a ciphertext of $M_1$
3 Means:
    ciphertext only attack
    known message attack (KMA): access to $(M, C)$ for known $M$
    chosen plaintext attack (CPA): A can choose $M$ of her choice: always possible in a PK setting
    chosen ciphertext attack (CCA): A can choose $C$ to decrypt
    Lunch-time attack (CCA1) vs. CCA2
IND-CPA Security game
Notion useful only for randomized ciphers
RSA-OAEP is CCA2 secure
In 2001, we know how to encrypt securely with RSA
$G$, $H$ are mask generation functions: generate random bits
$k_1$: 128 bits to be checked at decryption
OAEP is a bijection
$(s, t)$ is the message to be encrypted with RSA