
Public-Key Cryptanalysis: Nguyen Dinh Thuc, University of Science, HCMC, ndthuc@fit.hcmus.edu.vn

This document introduces public-key cryptanalysis and discusses flaws in textbook RSA and Elgamal encryption schemes. It notes that RSA deterministically leaks one bit of the plaintext's Jacobi symbol and Elgamal leaks the Legendre symbol. Both schemes are also vulnerable if the group order has smooth factors, allowing discrete logarithm attacks. The document concludes that encryption must be probabilistic but done carefully, and defining security for encryption properly took many years.

Uploaded by

gacon119hp
Copyright
© Attribution Non-Commercial (BY-NC)

Public-key cryptanalysis: introduction

Nguyen Dinh Thuc, University of Science, HCMC

Outline
- Textbook RSA
- Textbook Elgamal
- Conclusion

Textbook RSA
- Public key: $N = pq$, where $p$ and $q$ are large primes, and an exponent $e$ co-prime with $\varphi(N) = (p-1)(q-1)$
- Private key: $d$ such that $ed \equiv 1 \pmod{\varphi(N)}$
- RSA is a permutation over $\mathbb{Z}_N$: $x \mapsto x^e \bmod N$
- Trapdoor one-way permutation: the inverse of RSA is $x \mapsto x^d \bmod N$

One-way function
- A function $f$ is one-way if, when we choose a random input $x$ and publish $f(x)$, an attacker fails to recover $x$.
- Clearly, this must be satisfied by the encryption function of a secure asymmetric scheme.
- But this is not enough.

Flaws in one-way function


Average-case assumption
- A one-way function refers to the uniform distribution over the input space.
- But the message may have a very special distribution, making decryption easy.
- For example: we encrypt a 128-bit AES session key using textbook RSA with exponent $e = 3$ and a 1024-bit modulus.
- Håstad's broadcast attack is based

Flaws in one-way functions


Information leakage
- The definition of one-way says nothing about the hardness of recovering partial information on the input.
- RSA is assumed to be one-way, but it also provably leaks one bit of information: the Jacobi symbol of the plaintext. Because $e$ is odd:

$$\left(\frac{c}{N}\right) = \left(\frac{m}{N}\right)^{e} = \left(\frac{m}{N}\right)$$

if encryption was carefully randomized, this leakage would

Deterministic encryption
- RSA is a deterministic encryption scheme.
- Deterministic encryption is not secure: in asymmetric encryption, anyone can encrypt. So if encryption is deterministic, anyone can check whether or not a given ciphertext corresponds to a given plaintext.
- This allows brute-force attacks on the message, if the message space is

Textbook Elgamal
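- Let $g$ be a generator of $\mathbb{Z}_p^*$, where $p$ is a large prime
- Private key: $0 \le x < p-1$
- Public key: $y = g^x \bmod p$
- To encrypt a message $m \in \mathbb{Z}_p$:
  (1) Select a random $k \in \{0, 1, \ldots, p-2\}$
  (2) The ciphertext is the pair $(g^k \bmod p,\ m y^k \bmod p) \in \mathbb{Z}_p^* \times \mathbb{Z}_p$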

Probabilistic encryption
- Elgamal is a probabilistic encryption scheme.
- This probabilistic encryption still leaks one bit of information: the Legendre symbol $\left(\frac{m}{p}\right)$ of the plaintext.
- More generally, if $p-1 = qs$ where $s$ is smooth, then $\log m \bmod s$ can be recovered.
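The two one-bit leaks stated in the "Information leakage" and "Probabilistic encryption" slides can be checked numerically. The following is an added example, not part of the original slides; the toy parameters (N = 61 * 53, e = 17, p = 467, g = 2) and all function names are assumptions chosen for illustration.

```python
# Added illustration; every parameter below is a constructed toy value.

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (the Legendre symbol when n is prime)."""
    a %= n
    sign = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                sign = -sign
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            sign = -sign
        a %= n
    return sign if n == 1 else 0

# Textbook RSA: N = 61 * 53 with an odd public exponent e.
N, E = 61 * 53, 17

def rsa_encrypt(m):
    return pow(m, E, N)

# Textbook Elgamal: p = 467, and g = 2 generates Z_p^* (p - 1 = 2 * 233).
P, G = 467, 2

def elgamal_encrypt(m, y, k):
    return pow(G, k, P), m * pow(y, k, P) % P

def legendre_from_ciphertext(c1, c2, y):
    """Recover (m/p) from public values only, without x or k.

    g is a non-residue, so (y/p) and (c1/p) reveal the parities of x and k;
    y^k = g^(xk) is a non-residue exactly when both are odd.
    """
    mask = -1 if jacobi(y, P) == -1 and jacobi(c1, P) == -1 else 1
    return jacobi(c2, P) * mask

if __name__ == "__main__":
    m = 1234
    print("RSA:", jacobi(m, N), jacobi(rsa_encrypt(m), N))
    x, k = 127, 213                  # constructed private key and nonce
    y = pow(G, x, P)
    c1, c2 = elgamal_encrypt(m % P, y, k)
    print("Elgamal:", jacobi(m % P, P), legendre_from_ciphertext(c1, c2, y))
```

Randomizing k does not hide the bit in Elgamal because the parity of k is itself visible in the first ciphertext component.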

On the discrete logarithm problem


The discrete logarithm problem in a cyclic group of order $n$ is easy if $n$ is:
- Small: brute-force or square-root attacks
- A power of a small prime: Pohlig-Hellman
- Smooth: use CRT

It follows that the discrete logarithm modulo any smooth factor of $n$ can easily be computed.

Conclusion
- Encryption must be made probabilistic.
- But it must be done carefully.
- Defining security for encryption is tricky: it took more or less twenty years to find the right notion!
