COMP4109 : Applied Cryptography
Fall 2013
M. Jason Hinek, Carleton University
Applied Cryptography
Day 13
public-key cryptography
· rsa padding
· digital signatures
RSA cryptosystem
textbook RSA
· choose random primes $p, q$, let $N = pq$
· $\mathcal{P} = \mathcal{C} = \mathbb{Z}_N^*$ (plaintext-space and ciphertext-space)
· choose $e, d$ such that $ed \equiv 1 \pmod{\varphi(N)}$
Public key is $pk = (e, N)$
Private key is $sk = (p, q, d)$
Encrypt: to encrypt plaintext $m$, compute $\mathrm{ENC}_{pk}(m) = m^e \bmod N = c$
Decrypt: given ciphertext $c$, compute $\mathrm{DEC}_{sk}(c) = c^d \bmod N = m$
Padding
textbook RSA is insecure, we need to pre-process the plaintext before encrypting
· PKCS#1 v1.5: $m' = 0002_{16} \,\|\, r \,\|\, 00_{16} \,\|\, m$
· RSA-OAEP: $x = (m \,\|\, 0\cdots0) \oplus G(r)$, $m' = x \,\|\, (H(x) \oplus r)$
· Random padding: $m' = r \,\|\, m$
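The two slides above (textbook RSA and padding) as a runnable Python example. This is an added illustration, not code from the course; it uses a constructed toy key built from the Mersenne primes $2^{61}-1$ and $2^{89}-1$ (chosen only because they are known primes; a real key uses two random primes of at least 1024 bits each) and implements only the PKCS#1 v1.5 type-2 encoding from the first bullet. The standard's encoded block carries a leading 00 byte in front of the 02 shown on the slide, so that the block, read as an integer, is smaller than $N$.

```python
# Added example (not from the slides): textbook RSA with and without
# PKCS#1 v1.5 type-2 padding, on a constructed toy key.
import os

P = 2**61 - 1               # constructed toy prime (Mersenne)
Q = 2**89 - 1               # constructed toy prime (Mersenne)
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)         # ed = 1 mod phi(N)  (Python >= 3.8)
K = (N.bit_length() + 7) // 8   # modulus length in bytes (19 for this key)


def enc(m: int) -> int:
    """Textbook RSA: c = m^e mod N."""
    return pow(m, E, N)


def dec(c: int) -> int:
    """Textbook RSA: m = c^d mod N."""
    return pow(c, D, N)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """Type-2 encoding 00 || 02 || r || 00 || msg with r at least 8 random
    non-zero bytes; the slide writes this as 0002_16 || r || 00_16 || m."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    r = b""
    while len(r) < K - 3 - len(msg):
        b = os.urandom(1)
        if b != b"\x00":                   # the 00 byte is the separator
            r += b
    return b"\x00\x02" + r + b"\x00" + msg


def pkcs1_v15_unpad(block: bytes) -> bytes:
    """Inverse of pkcs1_v15_pad; rejects any malformed block."""
    if len(block) != K or block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = block.find(b"\x00", 2)
    if sep < 10:                           # fewer than 8 random bytes
        raise ValueError("bad padding")
    return block[sep + 1:]


def encrypt_padded(msg: bytes) -> int:
    return enc(int.from_bytes(pkcs1_v15_pad(msg), "big"))


def decrypt_padded(c: int) -> bytes:
    return pkcs1_v15_unpad(dec(c).to_bytes(K, "big"))


def compare(msg: bytes) -> tuple:
    """(textbook ciphertexts equal?, padded ciphertexts equal?, padded round-trips?)
    Textbook RSA is deterministic: the same plaintext always gives the same
    ciphertext. With random padding two encryptions differ yet both decrypt."""
    m = int.from_bytes(msg, "big")
    c1, c2 = encrypt_padded(msg), encrypt_padded(msg)
    return enc(m) == enc(m), c1 == c2, decrypt_padded(c1) == decrypt_padded(c2) == msg


if __name__ == "__main__":
    print(compare(b"pay 100"))
```

With this 150-bit modulus the padded block is 19 bytes, so at most 8 bytes of message fit; the 11-byte overhead is fixed by the encoding, not by the key size.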
Digital Signatures
digital signatures consist of three algorithms
· key generation
  · generate public/private key pair $\langle pk, sk\rangle = \mathrm{KeyGen}(1^k)$
  · public (verification) key $pk$
  · private (signing) key $sk$
· signing algorithm
  · computes a signature $\sigma = \mathrm{Sig}_{sk}(m)$ for a message $m$
· signature verification algorithm
  · $\mathrm{Ver}_{pk}(m, \sigma) = \mathrm{True}$ iff $\sigma$ is a valid signature for $m$
Digital Signatures
digital signatures versus MACs
· digital signatures provide
  · data origin authentication to anyone
  · data integrity to anyone
  · non-repudiation
· MACs provide
  · data origin authentication to the other party with the secret key
  · data integrity to the other party with the secret key
  · fast computations (compared to digital signatures)
Digital Signatures
adversarial goals wrt some valid key pair $\langle pk, sk\rangle$
· total break: obtaining the private (signing) key
· universal forgery: ability to create a forged signature for any specified message
· selective forgery: ability to forge signatures for some selected subset of messages
· existential forgery: ability to forge a signature for some message (message may be meaningless)
Digital Signatures
adversarial interactions
· key-only attack: the only information known is a public (verification) key
· known-message attack: some message/signature pairs are known
· chosen-message attack: a signing oracle is available to generate message/signature pairs for any messages (chosen by the adversary)
Digital Signatures
security of digital signature schemes
a digital signature scheme is secure if it is existentially unforgeable by a computationally bounded adversary who mounts an adaptive chosen-message attack
an alternate definition of security that is often used (not only for digital signatures) looks something like
a digital signature scheme is said to be $(t, q, \varepsilon)$-secure if no adversary running in time at most $t$ and making at most $q$ queries to the signing oracle can create a forged signature with probability greater than $\varepsilon$
Digital Signatures
RSA for signatures
· key generation: same as for the RSA encryption scheme
  · $N = pq$, $ed \equiv 1 \pmod{\varphi(N)}$
  · public (verification) key is $pk = \langle N, e\rangle$
  · private (signing) key is $sk = \langle p, q, d\rangle$
· signature generation $\sigma = \mathrm{Sig}_{sk}(m)$
  · compute $M = H(m)$
  · compute $\sigma = M^d \bmod N$
  · signature for $m$ is $\sigma$
· verification algorithm $\mathrm{Ver}_{pk}(m, \sigma)$
  · given $m, \sigma$
  · compute $M = H(m)$
  · compute $M' = \sigma^e \bmod N$
  · accept $(m, \sigma)$ as a valid message/signature pair iff $M' = M$
Digital Signatures
what about the hash function? ($\sigma = H(m)^d \bmod N$)
· preimage resistance:
  · choose $s \in \mathbb{Z}_N$
  · compute $M = s^e \bmod N$
  · find $m$ such that $H(m) = M$
  · $(m, s)$ is a valid forgery
· second preimage resistance:
  · given valid $(m, \sigma)$
  · find $m' \neq m$ such that $H(m') = H(m)$
  · $(m', \sigma)$ is a valid forgery
· collision resistance:
  · find $m', m$ such that $H(m') = H(m)$
  · ask for the signature of $m$ ($\sigma$)
  · $(m', \sigma)$ is a valid forgery
Digital Signatures
RSA-FDH : Full Domain Hash RSA
· $H : \{0, 1\}^* \to \mathbb{Z}_N$
· Bellare & Rogaway (’96)
· if the RSA assumption holds and $H$ is a random function then RSA-FDH is a secure signature scheme
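Hash-then-sign RSA in the full-domain-hash style of the last three slides, as an added Python example that is not part of the course material. The key is again the constructed toy pair $2^{61}-1$, $2^{89}-1$ (150-bit modulus; real keys are 2048 bits or more). The hash $H : \{0,1\}^* \to \mathbb{Z}_N$ is built here by expanding SHA-256 in counter mode to the bit length of $N$ and rejecting candidates that are not below $N$; that construction is an assumption of this example (it mirrors the idea behind MGF1), not a standardised encoding such as RSASSA-PSS.

```python
# Added example (not from the slides): RSA signatures with a full-domain hash
# H : {0,1}* -> Z_N on a constructed toy key.
import hashlib

P = 2**61 - 1               # constructed toy prime (Mersenne)
Q = 2**89 - 1               # constructed toy prime (Mersenne)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
NBYTES = (N.bit_length() + 7) // 8


def full_domain_hash(msg: bytes) -> int:
    """Map msg to an element of Z_N whose range is all of [0, N), not just the
    256-bit SHA-256 range: expand the digest with a counter to N's bit length
    and retry with a fresh counter if the candidate is >= N."""
    ctr = 0
    while True:
        buf, i = b"", 0
        while len(buf) < NBYTES:           # MGF1-style expansion
            buf += hashlib.sha256(msg + ctr.to_bytes(4, "big")
                                  + i.to_bytes(4, "big")).digest()
            i += 1
        cand = int.from_bytes(buf[:NBYTES], "big") >> (8 * NBYTES - N.bit_length())
        if cand < N:
            return cand
        ctr += 1


def sign(msg: bytes) -> int:
    """sigma = H(m)^d mod N."""
    return pow(full_domain_hash(msg), D, N)


def verify(msg: bytes, sigma: int) -> bool:
    """Accept iff sigma^e mod N == H(m); an out-of-range sigma is rejected
    before any arithmetic so that sigma + N is not accepted as a second
    encoding of the same signature."""
    if not 0 <= sigma < N:
        return False
    return pow(sigma, E, N) == full_domain_hash(msg)


if __name__ == "__main__":
    s = sign(b"transfer 100")
    print(verify(b"transfer 100", s), verify(b"transfer 1000", s))
```

Hashing is what ties the signature to the whole message: any change to the message, or to a single bit of the signature, makes the check $\sigma^e \bmod N = H(m)$ fail.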
Digital Signatures
ElGamal signature scheme
$p$ is a large prime, $g$ is a generator for $\mathbb{Z}_p^*$, $H$ is a hash function
· key generation
  · choose $x$ uniformly at random
  · compute $y = g^x \bmod p$
  · output $\langle pk, sk\rangle = \langle (p, g, y), x\rangle$
· signature generation
  · choose $k \in_R \mathbb{Z}_p^*$ with $\gcd(k, p - 1) = 1$
  · compute $r = g^k \bmod p$
  · compute $s = k^{-1}(H(m) - xr) \bmod (p - 1)$ (start over if $s = 0$)
  · output signature $\sigma = (r, s)$
· signature verification
  · if $0 < r < p$ and $0 < s < p - 1$ proceed, otherwise reject the signature
  · check if $g^{H(m)} \equiv y^r r^s \pmod p$
Digital Signatures
DSA - digital signature algorithm
$p$ is a large prime, $q \mid (p - 1)$ is a prime, $g \in \mathbb{Z}_p^*$ has order $q$, $H$ is a hash function
· key generation
  · choose random $0 < x < q$ and compute $y = g^x \bmod p$
  · output $\langle pk, sk\rangle = \langle (p, q, g, y), x\rangle$
· signature generation
  · choose random $0 < k < q$
  · compute $r = (g^k \bmod p) \bmod q$ (start again if $r = 0$)
  · compute $s = k^{-1}(H(m) + xr) \bmod q$ (start over if $s = 0$)
  · output signature $\sigma = (r, s)$
· signature verification
  · if $0 < r < p$ and $0 < s < p - 1$ proceed, otherwise reject the signature
  · compute $u_1 = H(m) s^{-1} \bmod q$
  · compute $u_2 = r s^{-1} \bmod q$
  · accept iff $r = \left((g^{u_1} y^{u_2}) \bmod p\right) \bmod q$
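ElGamal and DSA signing and verification from the two slides above, as one added Python example (not course code). Everything about the group is a constructed assumption: $p = 2q + 1$ is a safe prime of about 49 bits found at runtime with a seeded search, $g$ generates $\mathbb{Z}_p^*$, and $g_q = g^2$ has order $q$, so the same $(p, q)$ serve both schemes; FIPS 186-4 parameters are far larger ($p$ of 2048 bits, $q$ of 224 or 256 bits). The DSA verifier applies the range check FIPS 186-4 specifies for DSA, $0 < r < q$ and $0 < s < q$, and $H(m)$ is reduced modulo $q$ as a textbook simplification of the standard's "leftmost bits of the digest".

```python
# Added example (not from the slides): ElGamal and DSA signatures over a
# constructed toy group p = 2q + 1 with generator g; gq = g^2 has order q.
import hashlib
import math
import random

rng = random.Random(2013)   # fixed seed: reproducible toy parameters and nonces


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; adequate for a demo."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits: int = 48):
    """(p, q, g, gq): safe prime p = 2q + 1, generator g of Z_p^*, gq of order q."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = rng.randrange(2, p - 1)
        # with p - 1 = 2q, g generates Z_p^* iff g^2 != 1 and g^q != 1 (mod p)
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return p, q, g, pow(g, 2, p)


def h_int(msg: bytes) -> int:
    """H(m) as an integer (SHA-256)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


# ElGamal: s is computed mod p - 1, so k must be invertible mod p - 1
def elgamal_keygen(p, g):
    x = rng.randrange(1, p - 1)
    return pow(g, x, p), x                      # (y, x)

def elgamal_sign(p, g, x, msg):
    while True:
        k = rng.randrange(1, p - 1)
        if math.gcd(k, p - 1) != 1:
            continue
        r = pow(g, k, p)
        s = pow(k, -1, p - 1) * (h_int(msg) - x * r) % (p - 1)
        if s != 0:                              # start over if s = 0
            return r, s

def elgamal_verify(p, g, y, msg, sig):
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1):
        return False
    return pow(g, h_int(msg), p) == pow(y, r, p) * pow(r, s, p) % p


# DSA: r and s live mod q; H(m) is reduced mod q (textbook simplification)
def dsa_keygen(p, q, gq):
    x = rng.randrange(1, q)
    return pow(gq, x, p), x                     # (y, x)

def dsa_sign(p, q, gq, x, msg):
    hm = h_int(msg) % q
    while True:
        k = rng.randrange(1, q)
        r = pow(gq, k, p) % q
        if r == 0:
            continue                            # start again if r = 0
        s = pow(k, -1, q) * (hm + x * r) % q
        if s != 0:                              # start over if s = 0
            return r, s

def dsa_verify(p, q, gq, y, msg, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):           # FIPS 186-4 range check
        return False
    w = pow(s, -1, q)
    u1, u2 = h_int(msg) % q * w % q, r * w % q
    return pow(gq, u1, p) * pow(y, u2, p) % p % q == r


def demo(msg: bytes = b"pay 100", wrong: bytes = b"pay 1000") -> tuple:
    """(ElGamal accepts, ElGamal rejects wrong msg, DSA accepts, DSA rejects wrong msg)"""
    p, q, g, gq = gen_params()
    y, x = elgamal_keygen(p, g)
    es = elgamal_sign(p, g, x, msg)
    yq, xq = dsa_keygen(p, q, gq)
    ds = dsa_sign(p, q, gq, xq, msg)
    return (elgamal_verify(p, g, y, msg, es), not elgamal_verify(p, g, y, wrong, es),
            dsa_verify(p, q, gq, yq, msg, ds), not dsa_verify(p, q, gq, yq, wrong, ds))
```

The two `rng.randrange` calls that pick $k$ are the part a deployment must get right: $k$ has to be fresh and unpredictable for every signature, and in this demo it comes from a seeded PRNG only so that the parameters are reproducible.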
Digital Signatures
DSS - digital signature standard
FIPS PUB 186-4: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
· DSA
· RSA
· ECDSA
Wiener’s Attack
RSA is completely insecure if the private (decrypting) exponent is chosen to be too small
assume that
· $N = pq$, where $p$ and $q$ are random balanced primes
· $q < p < 2q < 2N^{1/2}$ (balanced primes)
· $ed \equiv 1 \pmod{\varphi(N)}$ (key relation), $ed = 1 + k\varphi(N)$ (key equation)
· $d < \tfrac{1}{6} N^{1/4}$ (private exponent is “small”)
· $1 < e < \varphi(N)$ ($e$ is computed modulo $\varphi(N)$)
let $\varphi(N) = (p - 1)(q - 1) = N - p - q + 1 = N - \Lambda$, where
$$\Lambda = p + q - 1 < 2q + q - 1 < 3q < 3N^{1/2}$$
Notice that
$$k = \frac{ed - 1}{\varphi(N)} = \frac{ed}{\varphi(N)} - \frac{1}{\varphi(N)} < \frac{ed}{\varphi(N)} < d$$
Wiener’s Attack
Notice that
$$\left|\frac{e}{N} - \frac{k}{d}\right| = \left|\frac{ed - kN}{dN}\right| = \left|\frac{1 - k\Lambda}{dN}\right| < 2\left|\frac{k\Lambda}{dN}\right| < 2\left|\frac{d\Lambda}{dN}\right| \quad (k < d)$$
$$< 2\left|\frac{d \cdot 3N^{1/2}}{dN}\right| \quad (\Lambda < 3N^{1/2})$$
$$< \left|\frac{N^{1/4} N^{1/2}}{dN}\right| \quad (6d < N^{1/4})$$
$$= \frac{1}{dN^{1/4}} < \frac{1}{6d^2} \quad \left(\frac{1}{N^{1/4}} < \frac{1}{6d}\right)$$
$$< \frac{1}{2d^2}$$
Wiener’s Attack
We then have
$$\left|\frac{e}{N} - \frac{k}{d}\right| < \frac{1}{2d^2}$$
and....
Mathematical Aside
any rational number can be written as a finite (simple) continued fraction
$$a = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{q_4 + \cdots + \cfrac{1}{q_m}}}}$$
the continued fraction expansion of $a$ is given by $[q_1, q_2, \ldots, q_m]$
The integers $q_i$ can easily be computed by repeated division (Euclidean algorithm)
for example, consider 37/101
37 = 0 × 101 + 37
101 = 2 × 37 + 27
37 = 1 × 27 + 10
27 = 2 × 10 + 7
10 = 1 × 7 + 3
7 = 2 × 3 + 1
3 = 3 × 1 + 0
Mathematical Aside
the quotients from the Euclidean-algorithm steps for 37/101 above correspond to
$$\frac{37}{101} = 0 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{3}}}}}}$$
or $[0, 2, 1, 2, 1, 2, 3]$
Mathematical Aside
let $a$ have a continued fraction expansion $[q_1, q_2, \ldots, q_m]$
then $C_i = [q_1, q_2, \ldots, q_i]$ is called the $i$th convergent of $[q_1, q_2, \ldots, q_m]$
the convergents of $a$ are a sequence of (rational) approximations of $a$. If $a$ is rational, the final convergent is equal to $a$.
the convergents of 37/101 are given by
$$C_1 = 0$$
$$C_2 = \frac{1}{2} = 0.5$$
$$C_3 = \cfrac{1}{2 + 1/1} = \frac{1}{3} \approx 0.333333$$
$$C_4 = \cfrac{1}{2 + \cfrac{1}{1 + 1/2}} = \frac{3}{8} = 0.375000$$
$$C_5 = \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + 1/1}}} = \frac{4}{11} \approx 0.363636$$
$$C_6 = \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + 1/2}}}} = \frac{11}{30} \approx 0.366666$$
$$C_7 = \frac{37}{101} \approx 0.366336$$
Mathematical Aside
$C_1 = 0$
$C_2 = 0.5$
$C_3 \approx 0.333333$
$C_4 = 0.375000$
$C_5 \approx 0.363636$
$C_6 \approx 0.366666$
$C_7 \approx 0.366336$
the first convergent underestimates $a$, the next overestimates it, the next under, the next over, ...
$C_j$ is a better estimate than $C_{j-2}$
Mathematical Aside
Theorem: given $\alpha \in \mathbb{R}$ and $c, d \in \mathbb{Z}$ such that $\gcd(c, d) = 1$ and
$$\left|\alpha - \frac{c}{d}\right| < \frac{1}{2d^2},$$
then $c/d$ is one of the convergents in the continued fraction expansion of $\alpha$
Note: when $\alpha = a/b$ is rational, the number of convergents is polynomial in $\log \max(a, b)$.
(computing all the convergents requires polynomial time)
Wiener’s Attack
We then have
$$\left|\frac{e}{N} - \frac{k}{d}\right| < \frac{1}{2d^2}$$
and $\gcd(k, d) = 1$ (since $ed - k\varphi(N) = 1$), so $k/d$ is one of the convergents in the continued fraction expansion of $e/N$ (which is known!)
this leads to the following attack
Wiener’s Attack
· compute each convergent $C_i$ of $e/N$
· for each convergent $C_i = c_i/d_i$, compute
$$\varphi_i := \frac{e d_i - 1}{c_i}$$
· if $\varphi_i$ is not an integer, go to the next convergent
· otherwise, $\varphi_i$ is a candidate for $\varphi(N)$
· solve the system
$$N = xy, \qquad \varphi_i = (x - 1)(y - 1)$$
· if $\varphi_i = \varphi(N)$ then $x, y$ reveal the factorization $p, q$
· otherwise, go to the next convergent
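The continued-fraction machinery from the Mathematical Aside (expansion by repeated division, convergents by the standard recurrence) and the small-$d$ check from the slide above, as one added Python example that is not part of the course material; it can serve as a weak-key check in a key-generation audit. The toy key is constructed: $N = 65537 \cdot 65521$ (balanced 16-bit primes, so $N^{1/4} \approx 256$) with $d = 17 < N^{1/4}/6 \approx 42$, which satisfies the slide's assumptions. The system $N = xy$, $\varphi_i = (x-1)(y-1)$ is solved by noting $x + y = N - \varphi_i + 1$, so $x, y$ are the roots of $t^2 - (N - \varphi_i + 1)t + N$.

```python
# Added example (not from the slides): continued fractions, convergents, and
# the small-private-exponent check from Wiener's attack on a constructed toy key.
import math


def continued_fraction(a: int, b: int) -> list:
    """Partial quotients [q1, q2, ..., qm] of a/b by repeated division."""
    quotients = []
    while b:
        q, r = divmod(a, b)
        quotients.append(q)
        a, b = b, r
    return quotients


def convergents(quotients: list) -> list:
    """Convergents (c_i, d_i) of [q1, ..., qm] via the recurrence
    c_i = q_i c_{i-1} + c_{i-2}, d_i = q_i d_{i-1} + d_{i-2},
    seeded with c_{-2}, c_{-1} = 0, 1 and d_{-2}, d_{-1} = 1, 0."""
    c2, c1, d2, d1 = 0, 1, 1, 0
    out = []
    for q in quotients:
        c, d = q * c1 + c2, q * d1 + d2
        out.append((c, d))
        c2, c1, d2, d1 = c1, c, d1, d
    return out


def wiener_small_d(e: int, n: int):
    """Return (d, p, q) if some convergent k/d of e/N yields phi(N) and hence
    the factorisation of N; None if this check does not find a small d."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k != 0:
            continue                        # phi_i is not an integer
        phi = (e * d - 1) // k              # candidate for phi(N)
        s = n - phi + 1                     # = x + y if phi == phi(N)
        disc = s * s - 4 * n                # discriminant of t^2 - s t + N
        if disc < 0:
            continue
        root = math.isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue                        # roots are not integers
        x, y = (s + root) // 2, (s - root) // 2
        if x * y == n and x > 1 and y > 1:
            return d, max(x, y), min(x, y)
    return None


# constructed toy key: balanced primes, deliberately tiny d
P_TOY, Q_TOY = 65537, 65521
N_TOY = P_TOY * Q_TOY
PHI_TOY = (P_TOY - 1) * (Q_TOY - 1)
D_TOY = 17
E_TOY = pow(D_TOY, -1, PHI_TOY)            # e = d^{-1} mod phi(N)

if __name__ == "__main__":
    print(continued_fraction(37, 101))     # [0, 2, 1, 2, 1, 2, 3]
    print(convergents(continued_fraction(37, 101)))
    print(wiener_small_d(E_TOY, N_TOY))    # (17, 65537, 65521)
```

Applied to a second key on the same modulus with a large private exponent, for instance $d = 1000003$ (coprime to $\varphi(N) = 2^{20}\cdot 3^2\cdot 5\cdot 7\cdot 13$), the check returns None: for that $d$ the difference $|e/N - k/d|$ is far above $1/d^2$, so $k/d$ cannot be a convergent of $e/N$.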
Wiener’s Attack
RSA with balanced primes and $d < N^{1/4} = N^{0.25}$ is insecure!
this attack came out of left field... (it was not anticipated at all! many attacks are like this)
don’t use small $d$ to try and speed up decryption
using lattices and lattice basis reduction, $d < N^{0.292}$ is insecure (asymptotically)
don’t use small $d$ to try and speed up decryption