Define the (G, E, D):
G: randomize algorithm to generate key pairs (pk, sk).
E(pk, m) takes m ∈ M m\in M m ∈ M and output c ∈ C c\in C c ∈ C .
D(sk, c) takes c ∈ C c \in C c ∈ C and outputs m ∈ M m \in M m ∈ M or ⊥ \perp ⊥ .
Define Trapdoor function(TDF)
G: randomize algorithm to generate key pairs (pk, sk).
F ( p k , ⋅ ) F(pk, \cdot) F ( p k , ⋅ ) maps X → Y X \to Y X → Y .
F − 1 ( p k , ⋅ ) F^{-1}(pk, \cdot) F − 1 ( p k , ⋅ ) maps Y → X Y \to X Y → X , that inverts F ( p k , ⋅ ) F(pk, \cdot) F ( p k , ⋅ ) .
TDF is secure if F ( p k , ⋅ ) F(pk, \cdot) F ( p k , ⋅ ) can be evaluated, but cannot be inverted without sk.
Use secure TDF, symmetric auth encryption defined over (K, M, C) and hash function H → K H \to K H → K (also called random oracle ):
x ← X x \leftarrow X x ← X , y ← F ( p k , x ) y \leftarrow F(pk, x) y ← F ( p k , x )
k ← H ( x ) k \leftarrow H(x) k ← H ( x ) , c ← E ( k , m ) c \leftarrow E(k, m) c ← E ( k , m )
output (y, c)
x ← F − 1 ( s k , y ) x \leftarrow F^{-1}(sk, y) x ← F − 1 ( s k , y )
k ← H ( x ) k \leftarrow H(x) k ← H ( x ) , m ← D ( k , c ) m \leftarrow D(k, c) m ← D ( k , c )
output m
Never use TDF to encrypt the message directly!
G G G : choose random p , q ≈ 1024 b i t s p, q \approx 1024 bits p , q ≈ 1024 bi t s , set N = p ⋅ q N = p \cdot q N = p ⋅ q .
choose integers e , d e, d e , d , such that e ⋅ d = 1 ( m o d ϕ ( N ) ) e \cdot d = 1 (mod \ \phi(N)) e ⋅ d = 1 ( m o d ϕ ( N )) .
output p k = ( N , e ) pk = (N, e) p k = ( N , e ) , s k = ( N , d ) sk = (N, d) s k = ( N , d ) .
F ( p k , x ) : R S A ( x ) = x e ∈ Z n F(pk, x): RSA(x) = x^e \in Z_n F ( p k , x ) : RS A ( x ) = x e ∈ Z n
F − 1 ( s k , y ) = y d = R S A ( x ) d = x e d = x k ϕ ( N ) + 1 = ( x ϕ ( N ) ) k ⋅ x = x F^{-1}(sk, y) = y^d = RSA(x)^d = x^{ed} = x^{k\phi(N) + 1} = (x^{\phi(N)})^k \cdot x = x F − 1 ( s k , y ) = y d = RS A ( x ) d = x e d = x k ϕ ( N ) + 1 = ( x ϕ ( N ) ) k ⋅ x = x
E, D: symmetric encryption. H: Z N → K Z_N \to K Z N → K
E ( p k , m ) E(pk, m) E ( p k , m ) :
choose random x in Z N Z_N Z N .
y ← R S A ( x ) = x e , k ← H ( x ) y \leftarrow RSA(x) = x^e, k \leftarrow H(x) y ← RS A ( x ) = x e , k ← H ( x )
output (y, E(k, m))
D ( s k , ( y , c ) ) D(sk, (y, c)) D ( s k , ( y , c )) : output D ( H ( R S A − 1 ( y ) ) , c ) → m D(H(RSA^{-1}(y)), c) \to m D ( H ( RS A − 1 ( y )) , c ) → m .
If we use RSA directly to exchange the session key, k k k , the server send the public key, (e, N), and the client returns c = R S A ( k ) c = RSA(k) c = RS A ( k ) .
Assume k = k 1 , ⋅ k 2 k = k_1, \cdot k_2 k = k 1 , ⋅ k 2 , thus c = k 1 e ⋅ k 2 e → c / k 1 e = k 2 e c = k_1^e \cdot k_2^e \to c/k_1^e = k_2^e c = k 1 e ⋅ k 2 e → c / k 1 e = k 2 e , if k is 64 bit, the chance for k 1 , k 2 < 2 3 4 k_1, k_2 < 2^34 k 1 , k 2 < 2 3 4 is roughly 20%. The attacker can build a lookup table to enumerate k 1 , k 2 k_1, k_2 k 1 , k 2 from 1 to 2 34 2^{34} 2 34 for a mid-way attack!
The PKCS1 v1.5 mode 2, used in HTTPS:
PKCS1
The random pad does not contain FF.
Bleichenbacher 1998 attack:
choose r ∈ Z N r \in Z_N r ∈ Z N , computer c ′ ← r e ⋅ c = ( r ⋅ P K C S 1 ( m ) ) e c\prime \leftarrow r^e \cdot c = (r \cdot PKCS1(m))^e c ′ ← r e ⋅ c = ( r ⋅ P K CS 1 ( m ) ) e
send c’ to web server.l
The attacker can recover m with many trials.
/
HTTPS Defence(RFC 5246) treats the incorrect formated messages indistinguishable from correctly formatted RSA blocks.
PKCS1 v2.0: OAEP
PKCS
Assume H, and G are random oracles, typically use SHA-256
Use d ≈ 2 128 d \approx 2^{128} d ≈ 2 128 :
Weiner ‘87: if d < N 0.25 d < N^{0.25} d < N 0.25 , RSA is insecure.
BD’98: if d < N 0.292 d < N^{0.292} d < N 0.292 , RSA is insecure. 0.292 = 1 − 1 2 0.292 = 1 - \frac{1}{\sqrt{2}} 0.292 = 1 − 2 1
e ⋅ d = 1 ( m o d ϕ ( N ) ) → e ⋅ d = k ⋅ ϕ ( N ) + 1 e \cdot d = 1 (\ mod\ \phi(N)) \to e \cdot d = k \cdot \phi(N) + 1 e ⋅ d = 1 ( m o d ϕ ( N )) → e ⋅ d = k ⋅ ϕ ( N ) + 1 .
thus : ∣ e ϕ ( N ) − k d ∣ = 1 d ⋅ ϕ ( N ) < 1 N |\frac{e}{\phi(N)} - \frac{k}{d}| = \frac{1}{d\cdot \phi(N)} < \frac{1}{\sqrt{N}} ∣ ϕ ( N ) e − d k ∣ = d ⋅ ϕ ( N ) 1 < N 1 .
∣ N − ϕ ( N ) ∣ ≤ p + q ≤ 3 N |N -\phi(N)| \le p + q \le 3 \sqrt{N} ∣ N − ϕ ( N ) ∣ ≤ p + q ≤ 3 N .
Also:
∣ e N − k d ∣ ≤ ∣ e N − e ϕ ( N ) ∣ + ∣ e ϕ ( N ) − k d ∣ ≤ ∣ e ⋅ 3 N N ϕ ( N ) ∣ + 1 N ≤ 3 N + 1 N ≤ 1 2 d 2 − 1 N + 1 N = 1 2 d 2 \begin{align*}
| \frac{e}{N} - \frac{k}{d} | & \le |\frac{e}{N} - \frac{e}{\phi(N)}| + |\frac{e}{\phi(N)} - \frac{k}{d}| \\
& \le |\frac{e \cdot 3 \sqrt{N}}{N \phi(N)}| + \frac{1}{\sqrt{N}} \\
& \le \frac{3}{\sqrt{N}} + \frac{1}{\sqrt{N}} \\
& \le \frac{1}{2d^2} - \frac{1}{\sqrt{N}} + \frac{1}{\sqrt{N}} \\
& = \frac{1}{2d^2}
\end{align*} ∣ N e − d k ∣ ≤ ∣ N e − ϕ ( N ) e ∣ + ∣ ϕ ( N ) e − d k ∣ ≤ ∣ Nϕ ( N ) e ⋅ 3 N ∣ + N 1 ≤ N 3 + N 1 ≤ 2 d 2 1 − N 1 + N 1 = 2 d 2 1
When decrypting RSA, we can gain 4x speedup with:
Decrypt mod p x p = c d ∈ Z p x_p = c^d \in Zp x p = c d ∈ Zp
Decrypt mod q x q = c d ∈ Z p x_q = c^d \in Z_p x q = c d ∈ Z p
then combine them to get x = c d ∈ Z N x = c^d \in Z_N x = c d ∈ Z N .
Suppose error occurs when computing x q x_q x q , but not in x p x_p x p , the output is x ′ x\prime x ′ , and
g c d ( ( x ′ ) e − c , N ) = p gcd((x\prime)^e -c, N) = p g c d (( x ′ ) e − c , N ) = p , thus we can recover p.
Bad random generate may get the same p, different q, then g c d ( N 1 , N 2 ) = p gcd(N_1, N_2) = p g c d ( N 1 , N 2 ) = p to recover the p.
We can use Diffie-Hellman protocol to build public key. Intuitively:
Use A as public key: A = g a A = g^a A = g a
Bob sends B=g b g^b g b || message encrypted with k = g a b k = g^{ab} k = g ab .
Key generator:
choose random geneator g in G, and random a in Z n Z_n Z n .
output sk = a, pk = (g, h = g a h=g^a h = g a ).
H: G 2 → K G^2 \to K G 2 → K , a hash function.
Encryption:
E ( p k = ( g , h ) , m ) E(pk=(g, h), m) E ( p k = ( g , h ) , m ) :
b ∈ Z N , u ← g b , v ← h b b \in Z_N, u \leftarrow g^b, v \leftarrow h^b b ∈ Z N , u ← g b , v ← h b
k ← H ( u , v ) , c ← E ( k , m ) k \leftarrow H(u, v), c \leftarrow E(k, m) k ← H ( u , v ) , c ← E ( k , m )
output (u, c)
Decryption:
v ← u a v \leftarrow u^a v ← u a
k ← H ( u , v ) , m ← D ( k , c ) k \leftarrow H(u, v), m \leftarrow D(k, c) k ← H ( u , v ) , m ← D ( k , c )
output m
Encryption is 3x expensive as decryption, while RSA decryption is more expensive.
Twin ElGamal, use ( a 1 , a 2 ) ∈ Z N (a_1, a_2) \in Z_N ( a 1 , a 2 ) ∈ Z N for the private keys.
Review