COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University



Applied Cryptography

Day 13

public-key cryptography

· rsa padding

· digital signatures


RSA cryptosystem

textbook RSA

· choose random primes $p, q$, let $N = pq$
· $\mathcal{P} = \mathcal{C} = \mathbb{Z}_N^*$ (plaintext-space and ciphertext-space)
· choose $e, d$ such that $ed \equiv 1 \pmod{\phi(N)}$

Public key is $pk = (e, N)$; private key is $sk = (p, q, d)$

Encrypt: to encrypt plaintext $m$, compute $\mathrm{ENC}_{pk}(m) = m^e \bmod N = c$

Decrypt: given ciphertext $c$, compute $\mathrm{DEC}_{sk}(c) = c^d \bmod N = m$


Padding

textbook RSA is insecure, we need to pre-process the plaintext before encrypting

· PKCS1-v1.5: $m' = 0002_{16} \,\|\, r \,\|\, 00_{16} \,\|\, m$
· RSA-OAEP: $x = (m \,\|\, 0 \cdots 0) \oplus G(r)$, $m' = x \,\|\, (H(x) \oplus r)$
· Random padding: $m' = r \,\|\, m$


Digital Signatures

digital signatures consist of three algorithms

· key generation
  · generate public/private key pair $\langle pk, sk \rangle = \mathrm{KeyGen}(1^k)$
  · public (verification) key $pk$, private (signing) key $sk$

· signing algorithm
  · computes a signature $\sigma = \mathrm{Sig}_{sk}(m)$ for a message $m$

· signature verification algorithm
  · $\mathrm{Ver}_{pk}(m, \sigma) = \mathrm{True}$ iff $\sigma$ is a valid signature for $m$


Digital Signatures

digital signatures versus MACs

· digital signatures provide
  · data origin authentication to anyone
  · data integrity to anyone
  · non-repudiation

· MACs provide
  · data origin authentication to the other party holding the secret key
  · data integrity to the other party holding the secret key
  · fast computations (compared to digital signatures)


Digital Signatures

adversarial goals wrt some valid key pair $\langle pk, sk \rangle$

· total break: obtaining the private (signing) key
· universal forgery: ability to create a forged signature for any specified message
· selective forgery: ability to forge signatures for some selected subset of messages
· existential forgery: ability to forge a signature for some message (the message may be meaningless)


Digital Signatures

adversarial interactions

· key-only attack: the only information known is a public (verification) key
· known-message attack: some message/signature pairs are known
· chosen-message attack: a signing oracle is available to generate message/signature pairs for any messages (chosen by the adversary)


Digital Signatures

security of digital signature schemes

a digital signature scheme is secure if it is existentially unforgeable by a computationally bounded adversary who mounts an adaptive chosen-message attack

an alternate definition of security that is often used (not only for digital signatures) looks something like

a digital signature scheme is said to be $(t, q, \epsilon)$-secure if no adversary running in time at most $t$ and making at most $q$ queries to the signing oracle can create a forged signature with probability greater than $\epsilon$


Digital Signatures

RSA for signatures

· key generation: same as for the RSA encryption scheme
  · $N = pq$, $ed \equiv 1 \pmod{\phi(N)}$
  · public (verification) key is $pk = \langle N, e \rangle$
  · private (signing) key is $sk = \langle p, q, d \rangle$

· signature generation $\sigma = \mathrm{Sig}_{sk}(m)$
  · compute $M = H(m)$
  · compute $\sigma = M^d \bmod N$
  · signature for $m$ is $\sigma$

· verification algorithm $\mathrm{Ver}_{pk}(m, \sigma)$
  · given $m, \sigma$
  · compute $M = H(m)$
  · compute $M' = \sigma^e \bmod N$
  · accept $(m, \sigma)$ as a valid message/signature pair iff $M' = M$


Digital Signatures

what about the hash function? ($\sigma = H(m)^d \bmod N$)

· preimage resistance:
  · choose $s \in \mathbb{Z}_N$
  · compute $M = s^e \bmod N$
  · find $m$ such that $H(m) = M$
  · $(m, s)$ is a valid forgery

· second preimage resistance:
  · given valid $(m, \sigma)$
  · find $m' \neq m$ such that $H(m') = H(m)$
  · $(m', \sigma)$ is a valid forgery

· collision resistance:
  · find $m', m$ such that $H(m') = H(m)$
  · ask for the signature of $m$ ($\sigma$)
  · $(m', \sigma)$ is a valid forgery
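The hash-then-sign RSA scheme of the last two slides, as an added example (this is not code from the lecture): signing and verification follow $\sigma = H(m)^d \bmod N$, and `verify_raw` is the unhashed textbook variant so that the preimage-resistance bullet can be checked concretely. For the unhashed variant every integer $s$ gives a pair $(s^e \bmod N, s)$ that verifies without the private key; under hash-then-sign the same pair only verifies for a message whose SHA-256 digest equals $s^e \bmod N$. The key is constructed from two Mersenne primes purely so the example runs offline; the names and the choice of SHA-256 as $H$ are mine, not the slides'.

```python
import hashlib

# Constructed toy key (not from the slides): two Mersenne primes, used only so the
# example runs offline without a prime search.  Primes with this much structure are
# never acceptable in a real RSA key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                               # about 1128 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # ed = 1 (mod phi(N)); needs Python 3.8+


def H(m: bytes) -> int:
    """SHA-256 read as an integer; 256 bits < N, so it already lies in Z_N."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def sign(m: bytes) -> int:
    """sigma = H(m)^d mod N."""
    return pow(H(m), D, N)


def verify(m: bytes, sigma: int) -> bool:
    """Accept iff sigma^e mod N equals H(m)."""
    return 0 < sigma < N and pow(sigma, E, N) == H(m)


def verify_raw(m_int: int, sigma: int) -> bool:
    """Textbook variant with no hash: the 'message' is an integer and
    sigma^e = m (mod N) is checked directly."""
    return 0 < sigma < N and pow(sigma, E, N) == m_int % N


def unhashed_pair(s: int):
    """Preimage-resistance bullet: for the unhashed variant, M = s^e mod N makes
    (M, s) verify for every s, with no private key involved.  Returns (M, s)."""
    return pow(s, E, N), s


def hashed_scheme_rejects(s: int) -> bool:
    """The same pair is useless against hash-then-sign unless a message m with
    H(m) = s^e mod N is known.  Try the obvious encodings of M as the message and
    confirm that all of them are rejected."""
    M, _ = unhashed_pair(s)
    candidates = (M.to_bytes((M.bit_length() + 7) // 8, "big"),
                  str(M).encode(), hex(M).encode())
    return not any(verify(c, s) for c in candidates)


if __name__ == "__main__":
    msg = b"transfer 10 CAD"
    sigma = sign(msg)
    print("valid signature accepted:", verify(msg, sigma))
    print("altered message rejected:", not verify(b"transfer 10000 CAD", sigma))
    M, s = unhashed_pair(0xC0FFEE)
    print("unhashed scheme accepts (M, s):", verify_raw(M, s))
    print("hash-then-sign rejects the same pair:", hashed_scheme_rejects(0xC0FFEE))
```

The `0 < sigma < N` range check in both verifiers is deliberate: a verifier that reduces out-of-range values silently accepts several encodings of the same signature, which is the kind of malleability the slides' "valid forgery" bullets are about.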


Digital Signatures

RSA-FDH: Full Domain Hash RSA

· $H : \{0, 1\}^* \to \mathbb{Z}_N$
· Bellare & Rogaway (’96)
· if the RSA assumption holds and $H$ is a random function then RSA-FDH is a secure signature scheme


Digital Signatures

ElGamal signature scheme

$p$ is a large prime, $g$ is a generator for $\mathbb{Z}_p^*$, $H$ is a hash function

· key generation
  · choose $x \in_R$ (random)
  · compute $y = g^x \bmod p$
  · output $\langle pk, sk \rangle = \langle (p, g, y), x \rangle$

· signature generation
  · choose $k \in_R \mathbb{Z}_p^*$ with $\gcd(k, p-1) = 1$
  · compute $r = g^k \bmod p$
  · compute $s = k^{-1}(H(m) - xr) \bmod (p-1)$ (start over if $s = 0$)
  · output signature $\sigma = (r, s)$

· signature verification
  · if $0 < r < p$ and $0 < s < p-1$ proceed, otherwise reject the signature
  · check if $g^{H(m)} \equiv y^r r^s \pmod p$


Digital Signatures

DSA - digital signature algorithm

$p$ is a large prime, $q \mid (p-1)$ is a prime, $g \in \mathbb{Z}_p^*$ has order $q$, $H$ is a hash function

· key generation
  · choose random $0 < x < q$ and compute $y = g^x \bmod p$
  · output $\langle pk, sk \rangle = \langle (p, q, g, y), x \rangle$

· signature generation
  · choose random $0 < k < q$
  · compute $r = (g^k \bmod p) \bmod q$ (start again if $r = 0$)
  · compute $s = k^{-1}(H(m) + xr) \bmod q$ (start over if $s = 0$)
  · output signature $\sigma = (r, s)$

· signature verification
  · if $0 < r < p$ and $0 < s < p-1$ proceed, otherwise reject the signature
  · compute $u_1 = H(m) s^{-1} \bmod q$
  · compute $u_2 = r s^{-1} \bmod q$
  · accept iff $r = \big((g^{u_1} y^{u_2}) \bmod p\big) \bmod q$
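Both schemes from the two slides above, as an added example rather than the lecture's own code. A deterministic search for a safe prime $p = 2q + 1$ supplies a toy group (64-bit, far below any real parameter size); ElGamal signs in $\mathbb{Z}_p^*$ with a generator `g_full`, and DSA in the order-$q$ subgroup generated by `g_q = g_full^2 mod p`, which is a legitimate DSA setting since $q \mid p - 1$. Signing nonces come from `secrets`. The DSA range check is the one FIPS 186-4 specifies ($0 < r < q$ and $0 < s < q$), which is tighter than the $0 < r < p$, $0 < s < p-1$ check on the slide; $H$ is SHA-256 read as an integer. All names are my own choices.

```python
import hashlib
import secrets
from math import gcd


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases (deterministic below 3.3e24; p here is 64-bit)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_params(start: int):
    """Deterministic search for a prime q with p = 2q + 1 also prime (a safe prime).
    Returns (p, q, g_full, g_q): g_full generates Z_p^* (order p-1, ElGamal) and
    g_q = g_full^2 has order q (DSA).  Toy sizes only."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    # the order of h divides 2q, so h generates Z_p^* iff h^2 != 1 and h^q != 1
    g_full = next(h for h in range(2, p) if pow(h, 2, p) != 1 and pow(h, q, p) != 1)
    return p, q, g_full, pow(g_full, 2, p)


def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


# ---- ElGamal (slide 16) ------------------------------------------------------
def elgamal_keygen(p, g):
    x = secrets.randbelow(p - 2) + 1              # 1 <= x <= p-2
    return (p, g, pow(g, x, p)), x


def elgamal_sign(pk, x, m):
    p, g, _ = pk
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) != 1:                    # k must be invertible mod p-1
            continue
        r = pow(g, k, p)
        s = pow(k, -1, p - 1) * (H(m) - x * r) % (p - 1)
        if s != 0:                                # start over if s = 0
            return r, s


def elgamal_verify(pk, m, sig):
    p, g, y = pk
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1):
        return False
    return pow(g, H(m), p) == pow(y, r, p) * pow(r, s, p) % p


# ---- DSA (slide 17) ----------------------------------------------------------
def dsa_keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1              # 0 < x < q
    return (p, q, g, pow(g, x, p)), x


def dsa_sign(pk, x, m):
    p, q, g, _ = pk
    while True:
        k = secrets.randbelow(q - 1) + 1          # 0 < k < q
        r = pow(g, k, p) % q
        if r == 0:                                # start again if r = 0
            continue
        s = pow(k, -1, q) * (H(m) + x * r) % q
        if s != 0:                                # start over if s = 0
            return r, s


def dsa_verify(pk, m, sig):
    p, q, g, y = pk
    r, s = sig
    if not (0 < r < q and 0 < s < q):            # FIPS 186-4 range check
        return False
    w = pow(s, -1, q)
    u1, u2 = H(m) * w % q, r * w % q
    return r == pow(g, u1, p) * pow(y, u2, p) % p % q
```

Both `sign` loops draw a fresh nonce $k$ on every attempt and never reuse one; a repeated $k$ across two signatures leaks $x$ in either scheme, so in practice the nonce source deserves as much care as the key itself.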


Digital Signatures

DSS - digital signature standard

FIPS PUB 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf

· DSA
· RSA
· ECDSA


Wiener’s Attack

RSA is completely insecure if the private (decrypting) exponent is chosen to be too small

assume that

· $N = pq$, where $p$ and $q$ are random balanced primes
· $q < p < 2q < 2N^{1/2}$ (balanced primes)
· $ed \equiv 1 \pmod{\phi(N)}$ (key relation), $ed = 1 + k\phi(N)$ (key equation)
· $d < \frac{1}{6} N^{1/4}$ (private exponent is “small”)
· $1 < e < \phi(N)$ ($e$ is computed modulo $\phi(N)$)

let $\phi(N) = (p-1)(q-1) = N - p - q + 1 = N - \Lambda$, where

$$\Lambda = p + q - 1 < 2q + q - 1 < 3q < 3N^{1/2}$$

Notice that

$$k = \frac{ed - 1}{\phi(N)} = \frac{ed}{\phi(N)} - \frac{1}{\phi(N)} < \frac{ed}{\phi(N)} < d$$


Wiener’s Attack

Notice that

$$\left| \frac{e}{N} - \frac{k}{d} \right| = \left| \frac{ed - kN}{dN} \right| = \left| \frac{1 - k\Lambda}{dN} \right| < 2 \left| \frac{k\Lambda}{dN} \right|$$

$$< 2 \left| \frac{d\Lambda}{dN} \right| \qquad (k < d)$$

$$< 2 \left| \frac{d \cdot 3N^{1/2}}{dN} \right| \qquad (\Lambda < 3N^{1/2})$$

$$< \left| \frac{N^{1/4} N^{1/2}}{dN} \right| \qquad (6d < N^{1/4})$$

$$= \frac{1}{dN^{1/4}} < \frac{1}{6d^2} \qquad \left( \frac{1}{N^{1/4}} < \frac{1}{6d} \right)$$

$$< \frac{1}{2d^2}$$


Wiener’s Attack

We then have

$$\left| \frac{e}{N} - \frac{k}{d} \right| < \frac{1}{2d^2}$$

and....


Mathematical Aside

any rational number can be written as a finite (simple) continued fraction

$$a = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{q_4 + \cdots + \cfrac{1}{q_m}}}}$$

the continued fraction expansion of $a$ is given by $[q_1, q_2, \ldots, q_m]$

The integers $q_i$ can easily be computed by repeated division (Euclidean algorithm)

for example, consider 37/101

37 = 0 × 101 + 37
101 = 2 × 37 + 27
37 = 1 × 27 + 10
27 = 2 × 10 + 7
10 = 1 × 7 + 3
7 = 2 × 3 + 1
3 = 3 × 1 + 0


this corresponds to

$$\frac{37}{101} = 0 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{3}}}}}}$$

or $[0, 2, 1, 2, 1, 2, 3]$


Mathematical Aside

let $a$ have a continued fraction expansion $[q_1, q_2, \ldots, q_m]$

then $C_i = [q_1, q_2, \ldots, q_i]$ is called the $i$th convergent of $[q_1, q_2, \ldots, q_m]$

the convergents of $a$ are a sequence of (rational) approximations of $a$. If $a$ is rational, the final convergent is equal to $a$.

the convergents of 37/101 are given by

$C_1 = 0$

$C_2 = \frac{1}{2} = 0.5$

$C_3 = \cfrac{1}{2 + 1/1} = \frac{1}{3} \approx 0.333333$

$C_4 = \cfrac{1}{2 + \cfrac{1}{1 + 1/2}} = \frac{3}{8} = 0.375000$

$C_5 = \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + 1/1}}} = \frac{4}{11} \approx 0.363636$

$C_6 = \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + 1/2}}}} = \frac{11}{30} \approx 0.366666$

$C_7 = \frac{37}{101} \approx 0.366336$


Mathematical Aside

C1 = 0

C2 = 0.5

C3 ≈ 0.333333

C4 = 0.375000

C5 ≈ 0.363636

C6 ≈ 0.366666

C7 ≈ 0.366336

the first convergent underestimates $a$, the next overestimates it, the next under, the next over, ...

$C_j$ is a better estimate than $C_{j-2}$


Mathematical Aside

Theorem: given $\alpha \in \mathbb{R}$ and $c, d \in \mathbb{Z}$ such that $\gcd(c, d) = 1$ and

$$\left| \alpha - \frac{c}{d} \right| < \frac{1}{2d^2},$$

then $c/d$ is one of the convergents in the continued fraction expansion of $\alpha$

Note: when $\alpha = a/b$ is rational, the number of convergents is polynomial in $\log \max(a, b)$.

(computing all the convergents requires polynomial time)


Wiener’s Attack

We then have

$$\left| \frac{e}{N} - \frac{k}{d} \right| < \frac{1}{2d^2}$$

and, since $ed - k\phi(N) = 1$ forces $\gcd(k, d) = 1$, the theorem applies: $k/d$ is one of the convergents in the continued fraction expansion of $e/N$ (which is known!)

this leads to the following attack


Wiener’s Attack

· compute each convergent $C_i$ of $e/N$

· for each convergent $C_i = c_i/d_i$, compute

$$\phi_i := \frac{e d_i - 1}{c_i}$$

· if $\phi_i$ is not an integer, go to the next convergent

· otherwise, $\phi_i$ is a candidate for $\phi(N)$

· solve the system

$$N = xy, \qquad \phi_i = (x - 1)(y - 1)$$

· if $\phi_i = \phi(N)$ then $x, y$ reveal the factorization $p, q$

· otherwise, go to the next convergent
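Added example (not from the lecture) tying the Mathematical Aside slides to the attack slide above: `continued_fraction` and `convergents` implement the repeated-division expansion and the convergents $C_i$, `alternates_around` checks the under/over pattern stated for 37/101, and `wiener_weak_key` is the procedure above written as a key-validation check a defender can run over any RSA public key $(e, N)$: it returns the factorization when $d$ is small enough for the theorem to apply, and `None` otherwise. The toy key uses two balanced 64-bit primes ($2^{64} - 59$ and $2^{63} - 25$) and a deliberately tiny $d$, all constructed for this example; the names are mine.

```python
from fractions import Fraction
from math import isqrt


def continued_fraction(a: int, b: int) -> list:
    """Simple continued fraction [q1, ..., qm] of a/b by repeated division (Euclidean algorithm)."""
    quotients = []
    while b:
        q, r = divmod(a, b)
        quotients.append(q)
        a, b = b, r
    return quotients


def convergents(quotients: list) -> list:
    """Convergents C_i = [q1, ..., qi] as (numerator, denominator) pairs, via the recurrence
    h_i = q_i h_{i-1} + h_{i-2}, k_i = q_i k_{i-1} + k_{i-2}
    with h_{-1} = 1, h_{-2} = 0, k_{-1} = 0, k_{-2} = 1."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    out = []
    for q in quotients:
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        out.append((h, k))
    return out


def alternates_around(a: int, b: int) -> bool:
    """Convergents alternate below/above a/b, and the final one equals a/b exactly."""
    target = Fraction(a, b)
    signs = [(Fraction(h, k) > target) - (Fraction(h, k) < target)
             for h, k in convergents(continued_fraction(a, b))]
    return signs[-1] == 0 and all(x == -y for x, y in zip(signs, signs[1:-1]))


def wiener_weak_key(e: int, n: int):
    """Key check: walk the convergents c_i/d_i of e/N, take phi_i = (e d_i - 1)/c_i when
    it is an integer, and try to solve N = xy, phi_i = (x-1)(y-1).
    Returns (p, q) if the key is Wiener-weak, else None."""
    for c, d in convergents(continued_fraction(e, n)):
        if c == 0 or (e * d - 1) % c:
            continue
        phi = (e * d - 1) // c
        # x + y = N - phi_i + 1 and xy = N, so x, y are the roots of t^2 - S t + N
        s = n - phi + 1
        disc = s * s - 4 * n
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue
        x, y = (s + root) // 2, (s - root) // 2
        if x > 1 and y > 1 and x * y == n:
            return (min(x, y), max(x, y))
    return None


# Constructed toy key: balanced 64-bit primes and a deliberately tiny private exponent,
# so that d < N^(1/4)/6 and the theorem applies.  Real keys are far larger.
TOY_P = 2**64 - 59
TOY_Q = 2**63 - 25
TOY_N = TOY_P * TOY_Q
TOY_D = 65537
TOY_E = pow(TOY_D, -1, (TOY_P - 1) * (TOY_Q - 1))


if __name__ == "__main__":
    print(continued_fraction(37, 101), convergents(continued_fraction(37, 101)))
    print("alternating:", alternates_around(37, 101))
    print("small-d toy key factored:", wiener_weak_key(TOY_E, TOY_N) == (TOY_Q, TOY_P))
    print("e = 65537 key passes the check:", wiener_weak_key(65537, TOY_N) is None)
```

The check costs one continued-fraction expansion of $e/N$ plus one integer square root per candidate, so it is cheap enough to run on every key a code base generates; a key for which it returns a factorization must be rejected regardless of how the small $d$ came about.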


Wiener’s Attack

RSA with balanced primes and $d < N^{1/4} = N^{0.25}$ is insecure!

this attack came out of left field... (it was not anticipated at all! many attacks are like this)

don’t use small $d$ to try and speed up decryption

using lattices and lattice basis reduction, $d < N^{0.292}$ is insecure (asymptotically)

don’t use small $d$ to try and speed up decryption
