Cryptography

(1)

Cryptography – BCS 2 Public-Key Cryptography – RSA

Pierre-Alain Fouque

Université de Rennes 1

September, 24 2020

(2)

Agenda

1 Euler Totient Function

2 Euler Theorem

3 RSA

(3)

Euler Totient Function

Definition

For alln≥1, the integer ϕ(n) is the number of integers between 1 andn, and coprime with n.

ϕ(n) =

1≤k ≤n: gcd(k,n) =1 Lemma

For all primep and integer r ≥1, we get ϕ(p^r) =p^r −p^r⁻¹

Lemma

Letn≥1. An integeraanda¯its class mod nZ. Then, a¯is invertible inZ/nZiff gcd(a,n) =1.

(4)

Euler Totient Function

Corollary (The order of(Z/nZ)^∗ is ϕ(n).) The ringZ/nZis a field iffn is prime.

Corollary

Letm andn two non-negative coprime integers. We get ϕ(mn) =ϕ(m)ϕ(n)

Theorem

ϕ(n) =nY

p|n

1− 1

p

(5)

Euler Theorem

Theorem (Euler, 1760)

Letn a non-negative integer. For all integer acoprime with n, a^ϕ(n) =1modn

Proposition

LetG an abelian group of order n, with identity elemente.

For allx ∈G, we havexⁿ=e.

Corollary (Fermat Little Theorem)

Letp be a prime number. For all integer anon divisible by p, a^p−1 =1modp

(6)

RSA

Plaintext RSA Cryptosystem

pk = (e,N) s.t.gcd(e, ϕ(N)) =1 sk = (d,N) s.t. ed=1modϕ(N) Encryption :E_pk(m) =m^e modN Decryption :Dsk(c) =c^d modN Problems and Solution with Plaintext RSA

PK useful to encrypt secret key k of 128 bits :k^e modN? Deterministic encryption

Padding PKCS #1 v1.5 : (02kNon−Zero Random byteskm) as long as the bitsize ofN

Bleichenbacher Attack on TLS-RSA : decryption failure oracle

(7)

Some Attacks on RSA

Factorization

Complexity best known algorithm (Number Field Sieve) : exp ³

q64 9

(lnn)¹³(ln lnn)²³

current academic Record : 2019 RSA-240 (240 digits ≈795 bits) – 900 core-years

RSA-1024 estimated to 500 times more (expected 2⁸⁰) – RSA-2048 safer

Other techniques to factor : ρ-Pollard, p−1-method, p+1-method, ECM, ...

Broadcast-RSA : e =3 and same message sent to 3 different people(e,N₁),(e,N₂),(e,N₃):c₁=m³modN₁,

c2=m³ modN2,c3 =m³modN3, then

crt =crt(c ,c ,c ,N ,N ,N ) =M³modN N N .As

(8)

IND-CCA-2 security : Toward a correct definition of security

1 Mix of a goal(what Atries to do ?) and means(what information he has access to ?)

2 Goals :

Key recovery (KR) of the secret key given the public-key ? Plaintext recovery given the ciphertext ? (OW : One-Way) Not always sufficient : e.g. voting scheme : Recovery of any bit of information on the plaintext ? (Goldwasser-Micali ’84) Probabilistic encryption is better than Deterministic encryption Indistinguishability of ciphertext (IND) : it should be hard for Ato distinguish a ciphertext ofM0from a ciphertext ofM1 3 Means :

ciphertext only attack

known message attack (KMA) : access to(M,C)for knownM chosen plaintext attack (CPA) :Acan chooseM of her choice : always possible in a PK setting

chosen ciphertext attack (CCA) :Acan chooseC to decrypt Lunch-time attack (CCA1) vs. CCA2

(9)

IND-CPA Security game

Notion useful only for randomized ciphers

(10)

RSA-OAEP is CCA2 secure

In 2001, we know how to encrypt securely with RSA

G,H are mask generation functions : generate random bits k1 : 128 bits to be checked at decryption OAEP is a bijection (s,t) is the message to be encrypted with RSA