1 Number Theory and Advanced Cryptography 5. Cryptanalysis of RSA Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography

2 RSA Cryptosystem (1)  Page 258

3 RSA Cryptosystem (2)

4 RSA Cryptosystem  1977 by Ron Rivest, Adi Shamir, and Len Adleman (MIT)  The first “ secure ” & “ practical ” public key cryptosystem  A block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n

5 The RSA Algorithm (1/2)

6 The RSA Algorithm (2/2)

7 RSA Example

8 N=119 = p*q =7*17 e=5; e*d =1 mod 6*16 d=77

9 Active attacks on cryptosystems (1)  Chosen-plaintext attack (CPA)  Chosen-ciphertext attack (CCA)

10 Active attacks on cryptosystems (2)  Adaptive chosen-ciphertext attack (CCA2)

11 Attack Scenarios

12 The RSA Problem and Assumption

13 Insecurity of the Textbook RSA Encryption  Theorem 8.1 The RSA cryptosystem is “ all-or-nothing ” secure against CPA if and only if the RSA assumption holds.

14 Meet-in-the-middle attack (1)  The multiplicative property of the RSA function  Space cost: 2 length/2 logN bits  Time cost: O B (2 length/2 +1 (length/2+log 3 N))

15 Meet-in-the-middle attack (2)

16 Inadequacy of the CPA security of the RSA (1) Blind attack

17 Inadequacy of the CPA security of the RSA (2)

18 Common modulus protocol failure (1) outsider attack  Description

19 Common modulus protocol failure (2) outsider attack

20 Common modulus protocol failure (3) insider attack  A square root of 1 mod M

21 Common modulus protocol failure (4) insider attack  Finding a nontrivial square root of 1 mod M

22 Common modulus protocol failure (5) insider attack  Given a public key e 1, the holder of of an encryption/decryption pair e 2, d 2 can generate the private key of another user.

23 The low exponent protocol failure (1)  Use a small exponent for RSA public key in order to make the calculations for encryption fast and inexpensive to perform.  Problem description

24 The low exponent protocol failure (2) salvaging  Never send exactly the same message

25 Other attacks (1)  GCD attack Franklin and Reiter Coopersmith, Franklin and Patarin (Eurocrypt ’ 96)

26 Other attacks (2)  The Wiener ’ s attack Wiener pointed out that if the secret key d was chosen too small, then it might be recovered

27 Constraints of RSA  Key Requirement Key size in the range of 1024 to 2018 bits p and q should differ in length by only a few digits. Thus, both p and q should be on the order of to Both (p-1) and (q-1) should contain a large prime factor gcd(p-1,q-1) should be small

28 Factorization Techniques  Fermat Factorization  Monte Carlo Factorization  The Pollard p-1 method of Factorization [239]

29 Fermat Factorization (1)

30 Fermat Factorization (2)

31 Fermat Factorization (3) Example

32 Monte Carlo Factorization (1)

33 Monte Carlo Factorization (2)

34 Monte Carlo Factorization (3) Example [1]

35 Monte Carlo Factorization (4) Example [2]

36 The Pollard p-1 method of Factorization (1)

37 The Pollard p-1 method of Factorization (2) Example

38 Optimal Asymmetric Encryption Padding (OAEP)  Page 508 RSA-OAEP & Rabin-OAEP The plaintext message encrypted inside the RSA- OAEP scheme can have a length up to 84% of the length of the modulus. PKCS#1, IEEE P1363 & SET

39 Optimal Asymmetric Encryption Padding (OAEP)  RSA-OAEP (page 503)

40 OAEP — Mixing of different algebraic structures

41 RSA-OAEP Algorithm (1) Page 324

42 RSA-OAEP Algorithm (2)

43 RSA-OAEP Algorithm (3)

44 OAEP Property  Plaintext Randomization A padding scheme like OAEP has a random input value which adds the randomness to the distribution of the padding result.  Data Integrity Protection Provides the decryption end with a mechanism to check data integrity.