Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh.

Published byMarilynn Cory Lee Modified over 8 years ago

Similar presentations

Presentation on theme: "Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh

2 Dan Boneh RSA With Low public exponent To speed up RSA encryption use a small e: c = m e (mod N) Minimum value: e=3 ( gcd(e,  (N) ) = 1) Recommended value: e=65537=2 16 +1 Encryption: 17 multiplications Asymmetry of RSA: fast enc. / slow dec. – ElGamal (next module) : approx. same time for both.

3 Dan Boneh Key lengths Security of public key system should be comparable to security of symmetric cipher: RSA Cipher key-sizeModulus size 80 bits 1024 bits 128 bits 3072 bits 256 bits (AES) 15360 bits

4 Dan Boneh Implementation attacks Timing attack: [Kocher et al. 1997], [BB’04] The time it takes to compute c d (mod N) can expose d Power attack: [Kocher et al. 1999) The power consumption of a smartcard while it is computing c d (mod N) can expose d. Faults attack: [BDL’97] A computer error during c d (mod N) can expose d. A common defense:: check output. 10% slowdown.

5 Dan Boneh An Example Fault Attack on RSA (CRT) A common implementation of RSA decryption: x = c d in Z N decrypt mod p: x p = c d in Z p decrypt mod q: x q = c d in Z q Suppose error occurs when computing x q, but no error in x p Then: output is x’ where x’ = c d in Z p but x’ ≠ c d in Z q ⇒ (x’) e = c in Z p but (x’) e ≠ c in Z q ⇒ gcd ( (x’) e - c, N ) = p combine to get x = c d in Z N

6 Dan Boneh RSA Key Generation Trouble [Heninger et al./Lenstra et al.] OpenSSL RSA key generation (abstract): Suppose poor entropy at startup: Same p will be generated by multiple devices, but different q N 1, N 2 : RSA keys from different devices ⇒ gcd(N 1,N 2 ) = p prng.seed(seed) p = prng.generate_random_prime() prng.add_randomness(bits) q = prng.generate_random_prime() N = p*q

7 Dan Boneh RSA Key Generation Trouble [Heninger et al./Lenstra et al.] Experiment: factors 0.4% of public HTTPS keys !! Lesson: – Make sure random number generator is properly seeded when generating keys

8 Dan Boneh Further reading Why chosen ciphertext security matters, V. Shoup, 1998 Twenty years of attacks on the RSA cryptosystem, D. Boneh, Notices of the AMS, 1999 OAEP reconsidered, V. Shoup, Crypto 2001 Key lengths, A. Lenstra, 2004

9 Dan Boneh End of Segment

Download ppt "Dan Boneh Public Key Encryption from trapdoor permutations RSA in practice Online Cryptography Course Dan Boneh."

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
Public Key Encryption Algorithm

Public Key Encryption Algorithm
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
Mid-term Review Network Security. Secure channel SSL SSL (and many others: incl. IPSEC) Shared key establishing Trusted party (Kerberos, etc. - to be.

Mid-term Review Network Security. Secure channel SSL SSL (and many others: incl. IPSEC) Shared key establishing Trusted party (Kerberos, etc. - to be.
RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem

RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Mid-term Review Network Security. Secure channel SSL (and many others:incl. IPSEC) Shared key establishing Trusted party (Kerberos, etc. - to be covered)

Mid-term Review Network Security. Secure channel SSL (and many others:incl. IPSEC) Shared key establishing Trusted party (Kerberos, etc. - to be covered)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Dan Boneh Basic key exchange The Diffie-Hellman protocol Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange The Diffie-Hellman protocol Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.

Similar presentations

Ads by Google