
1 Cryptography Lecture 25

2 RSA-based PKE

3 Recall…
Let p, q be random, equal-length primes
Compute modulus N = pq
Choose e, d such that e · d = 1 mod φ(N)
The e-th root of x modulo N is [x^d mod N], i.e., easy to compute given p, q (or d)
RSA assumption: given N, e only, it is hard to compute the e-th root of a uniform c ∈ ℤ_N^*

4 This suggests a public-key encryption scheme!

5 "Plain" RSA encryption
(N, e, d) ← RSAGen(1^n); pk = (N, e), sk = d
Encryption: c = [m^e mod N]
Decryption: m = [c^d mod N]

6 Is this scheme secure?

7 Plain RSA should never be used!
Security?
This scheme is deterministic, so it cannot be CPA-secure!
The RSA assumption only refers to the hardness of computing the e-th root of a uniform c; c is not uniform unless m is. Why would m be uniform?
Easy to compute the e-th root of c = [m^e mod N] when m is small
The RSA assumption only refers to the hardness of computing the e-th root of c in its entirety; partial information about the e-th root may be leaked (in fact, this is the case)
Plain RSA should never be used!

8 Chosen-ciphertext attacks
(Of course, plain RSA cannot be CCA-secure since it is not even CPA-secure… …but chosen-ciphertext attacks are devastating here)
Given ciphertext c for unknown message m, can compute c’ = [e  c mod N]. What does this decrypt to?

9 How to fix plain RSA?
One approach: use a randomized encoding
I.e., to encrypt m:
  First compute some reversible, randomized mapping M = E(m)
  Then set c := [M^e mod N]
To decrypt c:
  Compute M := [c^d mod N]
  Recover m from M

10 PKCS #1 v1.5
Standard issued by RSA Labs in 1993
Idea: introduce random padding E(m) = r | m
I.e., to encrypt m: choose random r, then compute the ciphertext c := [(r | m)^e mod N]
Issues:
  No proof of CPA-security (unless m is very short)
  Chosen-plaintext attacks are known if r is too short
  Chosen-ciphertext attacks possible

11 PKCS #1 v2.0
Optimal asymmetric encryption padding (OAEP) applied to the message first
This padding introduces redundancy, so that not every c ∈ ℤ_N^* is a valid ciphertext
Need to check for proper format upon decryption; return an error if not properly formatted

12 OAEP (diagram): inputs m | 0…0 and random r; hash functions G and H; outputs s and t; c = [(s | t)^e mod N]

13 Security? RSA-OAEP can be proven CCA-secure under the RSA assumption, if G and H are modeled as random oracles Widely used in practice…

14 RSA-based KEM Idea: use plain RSA as before…
…but on a random value! Then use that random value to derive a key

15 RSA-based KEM
Encaps:
  Choose uniform r ∈ ℤ_N^*
  Ciphertext is c = [r^e mod N]
  Key is k = H(r)
Decaps(c):
  Compute r = [c^d mod N]
  Compute the shared key k = H(r)

16 Security? This KEM can be proven CCA-secure under the RSA assumption, if H is modeled as a random oracle

17 Comparison to RSA-OAEP?
The RSA-KEM must be used with a symmetric-key encryption scheme
For very short messages (< 1500 bits), RSA-OAEP will have shorter ciphertexts
For anything longer, ciphertexts will be the same length; RSA-KEM is simpler
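Slides 11 and 12 describe the OAEP encoding and its decryption-time format check only at diagram level, and slide 15 gives the RSA-KEM as two bullet lists. The Python below is an added example, not code from the lecture or from any library: a toy RSAGen, a PKCS #1 v2.0-style OAEP encode/decode in which malformed ciphertexts are rejected, and the KEM's Encaps/Decaps. Assumptions that are mine rather than the slides': G and H are instantiated as SHA-256 through an MGF1-style expansion, the OAEP layout omits the label hash, the 1024-bit toy keys are for illustration only, and all function names are invented.

```python
import hashlib
import secrets

BITS = 1024          # toy modulus size (assumption); far too small for real use
K = BITS // 8        # byte length of N
HLEN = 32            # SHA-256 output length; G and H are built from SHA-256 below
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    # Miller-Rabin primality test (probabilistic)
    if n in SMALL_PRIMES:
        return True
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # top bit forced so p and q have equal length; low bit forced odd
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_gen(e=65537):
    """Toy RSAGen(1^n): N = pq, e*d = 1 mod phi(N); returns (pk, sk) = ((N, e), d)."""
    while True:
        p, q = random_prime(BITS // 2), random_prime(BITS // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is the gcd(e, phi) = 1 check
            return (p * q, e), pow(e, -1, phi)

def mgf(seed, length):
    """MGF1-style expansion with SHA-256; plays the role of both G and H (assumption)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(-(-length // HLEN)))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m):
    """M = E(m): DB = 0...0 || 0x01 || m (at least HLEN zero bytes of redundancy),
    s = DB xor G(r), t = r xor H(s), M = 0x00 || t || s.  Fresh r each call, so E is randomized."""
    if len(m) > K - 2 * HLEN - 2:
        raise ValueError("message too long for this modulus")
    db = b"\x00" * (K - HLEN - 2 - len(m)) + b"\x01" + m
    r = secrets.token_bytes(HLEN)
    s = xor(db, mgf(r, len(db)))
    t = xor(r, mgf(s, HLEN))
    return b"\x00" + t + s  # leading zero byte keeps the integer below N

def oaep_decode(em):
    # undo the encoding and enforce the format; any violation is an error
    if len(em) != K or em[0] != 0:
        raise ValueError("invalid ciphertext")
    t, s = em[1:1 + HLEN], em[1 + HLEN:]
    r = xor(t, mgf(s, HLEN))
    db = xor(s, mgf(r, len(s)))
    rest = db[HLEN:].lstrip(b"\x00")
    if db[:HLEN] != b"\x00" * HLEN or rest[:1] != b"\x01":
        raise ValueError("invalid ciphertext")
    return rest[1:]

def oaep_encrypt(pk, m):
    N, e = pk
    return pow(int.from_bytes(oaep_encode(m), "big"), e, N)

def oaep_decrypt(pk, sk, c):
    N, _ = pk
    if not 0 <= c < N:
        raise ValueError("invalid ciphertext")
    return oaep_decode(pow(c, sk, N).to_bytes(K, "big"))

def is_valid_ciphertext(pk, sk, c):
    try:
        return oaep_decrypt(pk, sk, c) is not None
    except ValueError:
        return False

def kem_encaps(pk):
    """Encaps: uniform r, ciphertext c = r^e mod N, key k = H(r)."""
    N, e = pk
    r = 1 + secrets.randbelow(N - 1)  # uniform in [1, N-1]; no padding needed, r is already random
    return pow(r, e, N), hashlib.sha256(r.to_bytes(K, "big")).digest()

def kem_decaps(pk, sk, c):
    """Decaps: r = c^d mod N, key k = H(r)."""
    N, _ = pk
    return hashlib.sha256(pow(c, sk, N).to_bytes(K, "big")).digest()
```

Two things worth noticing when running it: encrypting the same message twice gives different ciphertexts (the randomized encoding of slide 9), and a ciphertext whose underlying integer has been altered fails the zero-byte and separator checks in oaep_decode, which is the redundancy slide 11 relies on. The KEM needs none of that machinery because r is uniform by construction, which is exactly the point of slide 14. This toy decoder is not constant-time and reports every failure the same way on purpose; a production decoder must additionally make sure that which check failed does not leak through timing or distinct error codes.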

18 Digital signatures

19 Digital signatures Provide integrity in the public-key setting
Analogous to message authentication codes, but some key differences…

20 Digital signatures (diagram): the signer holds (pk, sk), everyone else holds pk; the signer computes σ = Sign_sk(m) and sends (m, σ); a recipient checks 1 = Vrfy_pk(m, σ)?

21 Public-key encryption (diagram): the receiver holds (pk, sk), senders hold pk; a sender computes c ← Enc_pk(m) and sends c; the receiver computes m = Dec_sk(c)

22 Security (informal) Even after observing signatures on multiple messages, an attacker should be unable to forge a valid signature on a new message

23 Prototypical application (diagram): the signer holds (pk, sk) and sends (patch, σ) with σ = Sign_sk(patch); each recipient holds pk and receives (patch’, σ’) to verify

24 Comparison to MACs? (diagram): the sender and every recipient share the same key k; the sender sends (patch, t); a recipient receives (patch’, t’) and checks t’ = Mac_k(patch’)

25 Comparison to MACs? (diagram): the sender holds k1, k2, k3 and sends (patch, t1), (patch, t2), (patch, t3) with t1 = Mac_k1(patch), t2 = Mac_k2(patch), t3 = Mac_k3(patch); each recipient holds only its own key k1, k2, or k3

26 Comparison to MACs?
Public verifiability: "anyone" can verify a signature (only a holder of the key can verify a MAC tag)
Transferability: can forward a signature to someone else…
Non-repudiation

27 Non-repudiation
Signer cannot (easily) deny issuing a signature
Crucial for legal applications: a judge can verify the signature using the public copy of pk
MACs cannot provide this functionality!
  Without access to the key, there is no way to verify a tag
  Even if the receiver gives the key to the judge, how can the judge verify that the key is correct?
  Even if the key is correct, the receiver could have generated the tag also!

