Lecture 14-c
Fall 2004/Lecture 14 1
Summary of Number Theory Results Covered
• Z_p* is a cyclic group
– has generators
• QR and QNR in Z_p* can be easily determined by computing the Legendre symbol
• Jacobi symbol (generalizes the Legendre symbol to composites)
– can be computed without factoring n
– Jacobi symbol does not determine QR in Z_n*
– QR in Z_n* is hard
• Primality Testing
– Solovay-Strassen
– Rabin-Miller
Lecture Outline
• Attacks on RSA
• Rabin encryption scheme
Attacks on RSA
• Goals:
– recover secret key d
• Brute force key search
– infeasible
• Timing attacks
• Mathematical attacks
– decrypt one message
– learn information from the ciphertexts
Factoring Large Numbers
Factoring when knowing e and d
• Fact: if n=pq, then x^2≡1 (mod n) has four solutions that are less than n.
– x^2≡1 (mod n) if and only if both x^2≡1 (mod p) and x^2≡1 (mod q)
– Two trivial solutions: 1 and n-1
• 1 is the solution to x ≡ 1 (mod p) and x ≡ 1 (mod q)
• n-1 is the solution to x ≡ -1 (mod p) and x ≡ -1 (mod q)
– Two other solutions
• the solution to x ≡ 1 (mod p) and x ≡ -1 (mod q)
• the solution to x ≡ -1 (mod p) and x ≡ 1 (mod q)
– E.g., n=3×5=15, then x^2≡1 (mod 15) has the following solutions: 1, 4, 11, 14
Example: Factoring n given d
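Added example (not from the original slides): a Python routine that recovers p and q from (n, e, d) using the four-square-roots fact above, which is why finding d is equivalent to factoring n and why different users must never share a modulus. The key n = 3233, e = 17, d = 2753 used below is a constructed toy key chosen for illustration; the routine is randomized and retries a bounded number of times.

```python
import math
import random
from typing import List, Optional, Tuple

# Added example, not part of the lecture slides. Since e*d - 1 is a multiple
# of phi(n), g^(e*d-1) = 1 (mod n) for any g coprime to n. Writing
# e*d - 1 = 2^t * r with r odd and squaring g^r repeatedly, the element just
# before the first 1 is a square root of 1 mod n. With probability about 1/2
# it is a non-trivial root (neither 1 nor n-1), and then gcd(x - 1, n) is p or q.


def square_roots_of_one(n: int) -> List[int]:
    """Brute-force all x < n with x^2 = 1 (mod n); for small n only (slide example)."""
    return [x for x in range(1, n) if (x * x) % n == 1]


def factor_from_private_exponent(n: int, e: int, d: int, tries: int = 100) -> Optional[Tuple[int, int]]:
    """Return (p, q) with p*q == n, or None if every try produced only trivial roots."""
    k = e * d - 1
    if k <= 0 or k % 2 == 1:
        return None          # e*d - 1 is positive and even for any valid RSA key pair
    t = 0
    while k % 2 == 0:        # write e*d - 1 = 2^t * r with r odd
        k //= 2
        t += 1
    r = k
    for _ in range(tries):
        g = random.randrange(2, n - 1)
        p = math.gcd(g, n)
        if p > 1:            # lucky pick: g itself shares a factor with n
            return (min(p, n // p), max(p, n // p))
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue         # this g yields only trivial square roots of 1
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:       # x is a non-trivial square root of 1 mod n
                p = math.gcd(x - 1, n)
                return (min(p, n // p), max(p, n // p))
            if y == n - 1:
                break        # the next square is 1 trivially; try another g
            x = y
    return None
```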
Summary of Key Recovery Math-based Attacks on RSA
• Three possible approaches:
1. Factor n = pq
2. Determine Φ(n)
3. Find the private key d directly
• All are equivalent
– finding out d implies factoring n
– if factoring is hard, so is finding out d
• Should never have different users share one common modulus
– (why?)
Decryption attacks on RSA
Other Decryption Attacks on RSA
Small encryption exponent e
• When e=3 and Alice sends the encryption of the same message M to three people (public keys (e, n_1), (e, n_2), (e, n_3))
– C_1 = M^3 mod n_1, C_2 = M^3 mod n_2, C_3 = M^3 mod n_3
• An attacker can compute a solution to the following system
x ≡ C_1 (mod n_1)
x ≡ C_2 (mod n_2)
x ≡ C_3 (mod n_3)
– by the CRT the solution is unique modulo n_1·n_2·n_3; since M is less than each n_i, M^3 is less than n_1·n_2·n_3, so the solution is exactly M^3 and M is its integer cube root
Other Attacks on RSA
Forward Search Attack
• If the message space is small, the attacker can create a dictionary of encrypted messages (the public key is known, so encrypt all possible messages and store them)
• When the attacker ‘sees’ a ciphertext on the network, he compares it against the stored encrypted messages and so finds out what the message was
The Rabin Encryption Scheme
• Motivation: The security of RSA encryption depends on the difficulty of computing the e-th root modulo n, i.e., given C, it is difficult to find M s.t. M^e ≡ C (mod n).
• It is not known whether breaking this encryption is as difficult as factoring.
• The Rabin encryption scheme is provably “secure” if factoring is hard
– here “secure” means it is hard to recover the plaintext from a ciphertext
• Idea: rather than using an odd prime as e, use 2
– f(x)=x^2 mod n
– this is not a special case of RSA, as this function is not 1-to-1.
The Rabin Encryption Scheme
• Public key: n
• Private key: p, q s.t. n=pq
• Encryption: compute c=m^2 mod n
• Decryption: compute the square roots of c.
– how many are there?
• Fact:
– when p≡q≡3 (mod 4), deterministic algorithms exist to compute the square roots
– otherwise, efficient randomized algorithms exist to compute the square roots
Computing Square Roots is as hard as Factoring
• Given an algorithm A that can compute one square root of a number a modulo n,
• One can use A to factor n as follows
– randomly pick x, compute z = x^2 mod n
– ask A to compute a square root of z; A returns y
– if y=x or y=n–x, then try again; otherwise, computing gcd(x–y, n) gives us a prime factor of n
– as A has no way to tell which x we’ve picked, with prob. ½ A returns a square root that allows us to factor n
Pragmatic Considerations for the Rabin Encryption Scheme
• Normally, one picks p≡q≡3 (mod 4)
• Redundancy is used to ensure that only one square root is a legitimate message
• Encryption is very fast: only one squaring
• Decryption is comparable to RSA decryption
Summary
• Efficient probabilistic algorithms for primality testing exist
• The following are equivalent
– factoring n
– computing φ(n)
– finding d for the corresponding e
• The Rabin cryptosystem is “provably secure”
Next …