Professional Documents
Culture Documents
Win Test Encrypt 123r3.RSA
Win Test Encrypt 123r3.RSA
= M1.(1)k = M1 = M mod n
(provided M and n coprime (still OK if not))
RSA Example - Key Setup RSA Example - En/Decryption
1. Select primes: p = 17 ; q = 11 • sample RSA encryption/decryption is:
2. Calculate n = pq = 17 x 11 = 187 • given message M = 88 (NB. 88 < 187)
3. Calculate ø(n) = (p–1)(q-1) = 16x10 = 160
• encryption:
4. Select e: GCD(e,160) = 1 ; choose e = 7
C = 887 mod 187 = 11
5. Derive d: de = 1 mod 160 and d < 160
Get d = 23 since 23x7 = 161 = 10x160+1 • decryption:
6. Publish public key: PU = {7,187} M = 1123 mod 187 = 88
7. Keep private key secret: PR = {23,187}
Exponentiation Exponentiation
• can use the Square and Multiply Algorithm Computing ab mod n
• a fast, efficient algorithm for exponentiation f = 1
• concept is based on repeatedly squaring base for i = k downto 0
• and multiplying in the ones that are needed to do f = (f x f) mod n
compute the result if bi == 1 then
• look at binary representation of exponent f = (f x a) mod n
• only takes O(log2 n) multiples for number n return f
– eg. 75 = 74.71 = 3.7 = 10 mod 11
– eg. 3129 = 3128.31 = 5.3 = 4 mod 11 Here, integer b is the bitstring bkbk-1…b0
Efficient Encryption Efficient Decryption
• encryption uses exponentiation to power e • decryption uses exponentiation to power d
• hence if e small, this will be faster – this is likely large, insecure if not
– often choose e = 65537 (216 - 1) • can use the Chinese Remainder Theorem
– also see choices of e = 3 or e = 17 (CRT) to compute mod p and mod q
• but if e too small (eg. e = 3) can attack separately; then combine to get answer
– using Chinese remainder theorem and 3 – approx 4 times faster than doing it directly
messages with different moduli • only owner of private key who knows
• if e fixed must ensure GCD(e,ø(n)) = 1 values of p and q can use this technique
– ie reject any p or q where p-1 or q-1 are not
relatively prime to e
Timing Attacks
• developed by Paul Kocher in mid-1990’s
• exploit timing variations in operations
Progress – eg. multiplying by small vs. large number
– or varying which instructions executed
in • infer operand size based on time taken
Factoring • For RSA, exploits time taken for exponentiation
• countermeasures
– use constant exponentiation time
– add random delays
– blind values used in calculations
Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext
Attack (CCA)
Optimal
• based on C(P1 x P2) = C(P1) x C(P2) Asymmetric
• attacker chooses ciphertexts and gets
decrypted plaintext back Encryption
• choose ciphertext to exploit properties of Padding
RSA to provide info to help cryptanalysis
• can counter with random pad of plaintext (OASP)
• or use Optimal Asymmetric Encryption
Padding (OASP)