Lecture 12: Public Key Cryptography Part 1 Flashcards
What is a one-way function?
A function f is one-way if f(x) = y is easily computed given x, but f^(-1)(y) = x is computationally hard to compute given y
What are two functions that are believed to be one-way?
1) Multiplication of large primes: the inverse function is integer factorisation
2) Exponentiation: the inverse function takes discrete logarithms
What is a trapdoor one-way function?
function f is a one-way function s.t. f^(-1)(y) is easily computed given additional information, called the trapdoor
Explain how modular squaring is a trapdoor one-way function
Given n = pq where p, q are 2 large primes, f(x) = x^2 mod n
If an algorithm takes square roots (i.e. computes f^(-1)) then it can be used to factorise n
The trapdoor is the factorisation of n
If the trapdoor is known then an efficient algorithm finds the square root
What is a public key cryptosystem designed using?
A trapdoor one-way function where the trapdoor is the decryption key
What are public key cryptosystems also known as?
asymmetric cryptography
Define what asymmetric means in asymmetric cryptography
encryption and decryption keys are different
Who knows the encryption key in asymmetric cryptography?
Known by anybody
What is the encryption key also called in asymmetric cryptography?
public key
Who knows the decryption key in asymmetric cryptography?
known ONLY to its owner
What is the decryption key also called in asymmetric cryptography?
private key
Comment on the needed hardness of finding the private key from the knowledge of the public key
MUST be a computationally hard problem
What are the pros of public key cryptography (in comparison to shared keys/symmetric cryptography)?
1) key management is simplified
–> keys do not need to be transported confidentially
2) digital signatures can be obtained
In a public cipher, can encryption keys be made public?
yes
In practice, where does Alice store her public keys? What are the consequences of this?
Stores keys in public directory
–> anyone can obtain her public key and use it to form an encrypted message to Alice
–> since Alice has the private key (associated with her public key), she can decrypt and recover the message
What are RSA algorithms based on?
integer factorization problem
At a high level, what is RSA?
public key cryptosystem and digital signature scheme
Explain key generation for RSA algorithms
See slide 13, set 12
What is the encryption process for RSA?
See slide 14, set 12
What is the decryption process for RSA?
See slide 14, set 12
Explain the numerical example of key generation, encryption and decryption for RSA on slide 15 of set 38
See slide 15, set 12
Explain the RSA proof of encryption correctness on slides 16-19 in set 12
See slide 16-19, set 12
What are four of the applications of RSA?
1) message encryption
2) digital signatures
3) distribution of a shared key for symmetric key encryption (hybrid encryption)
4) user authentication by proving knowledge of the private key corresponding to an authenticated public key
What are some challenges with RSA in terms of trying to optimise it?
key generation
–> generating large primes p, q and choice of e
encryption and decryption
–> fast exponentiation and faster decryption using CRT
data formatting
–> padding
What are the requirements for primes p, q i.t.o RSA?
should be random of a chosen length –> one at least 1024 bits
What is the simple algorithm for generating large primes p,q for RSA?
1) select a random odd number r of the required length
2) check whether r is prime:
–> if so, then output r and halt
–> otherwise, increment r by 2 and go to step 2
What is a fast way to check primality?
Miller-Rabin test
How should public exponent e for RSA be chosen?
chosen at random for best security
What kind of value for e is used in practice for the public exponent i.t.o RSA?
small e value
Why must the public exponent e be small in practice i.t.o RSA?
has large effect on efficiency
What is the smallest possible value of e public exponent i.t.o RSA?
e = 3
–> sometimes used but has security problems!
What is a popular choice for the public exponent e i.t.o RSA?
e = 2^(16) + 1
What is an alternative to having a small public exponent e i.t.o RSA?
a smaller than average value for private exponent d is also possible
BUT at least √n to avoid known attacks
How can we do fast exponentiation for encryption and decryption for RSA?
Using square-and-multiply modular exponentiation
Explain how the square-and-multiply modular exponentiation algorithm works
See slides 25-26 in set 12
Comment on the number of squarings the square-and-multiply modular exponentiation algorithm uses
If 2^k <= e <= 2^(k+1), then the algorithm uses k squarings
–> if b of ei bits are ‘1’ then the alg uses b - 1 multiplications
–> 1st computation z
In terms of the square-and-multiply modular exponentiation algorithm, how many bits is the modulus n and what does this mean for the number of bits of e?
n is a 2048-bit modulus and so e is of at most 2048 bits
When computing M^e mod n i.t.o. the square-and-multiply modular exponentiation algorithm, how many modular squarings and multiplications are required AT MOST?
2048 modular squarings
2048 modular multiplications
I.t.o the square-and-multiply modular exponentiation algorithm, on average how many bits ei are ‘1’?
What is the consequence of this on the number of multiplications?
only half
so only 1024 multiplications
What is important to remember about the square-and-multiply modular exponentiation algorithm?
reducing modulo n after every operation
Explain slide 28 in set 12 about faster decryption using CRT i.t.o RSA
See slide 28 in set 12
Explain the example of using CRT to decrypt C w.r.t. p, q separately on slide 29 in set 12
See slide 29 in set 12
I.t.o decryption with CRT for RSA, compare the length of exponents d mod (p-1) and d mod (q-1) with d
exponents d mod (p-1) and d mod (q-1) are about half the length of d
How much does the exponentiation (with square-and-multiply) increase i.t.o decryption with CRT?
increases with the cube of the input length
–> computing Mp and Mq each uses 1/2^3 = 1/8 of computation for M = C^d mod n
How much less computation is required for decryption with CRT i.t.o RSA?
~ 4 times less computation
–> If Mp and Mq can be computed in parallel, then the time is up to 8 times faster
Because decryption with CRT for RSA is faster, what is it a good idea to store with d?
p and q
follow up on –> slide 30 in set 12
Why is encrypting directly on a message encoded as a number a weak cryptosystem?
Vulnerable to attacks such as:
1) building up a dictionary of known plaintexts
2) guessing the plaintext and checking if it encrypts to the ciphertext
3) Håstad’s attack
I.t.o. RSA, what must the padding mechanism be used for?
used to prepare message for encryption –> must include redundancy and randomness
Explain Håstad’s attack
See slide 32 in set 12
How can we find M in Håstad’s attack?
by taking a cube root
Briefly outline the padding type PKCS #1
simple, ad-hoc design for encryption and digital signatures
What are the padding types for RSA implementation?
1) PKCS #1
2) Optimal asymmetric encryption padding (OAEP)
What standard is OAEP in?
IEEE P1363 Standard specifications for public key cryptography
What does OAEP stand for?
optimal asymmetric encryption padding
How are most of the existing attacks on RSA avoided?
By using standardised padding mechanisms
Comment on attacks on factorisation of the modulus n i.t.o RSA security
Factorisation is believed to be a hard problem
Factorisation can be prevented by choosing n large enough
Comment on attacks on finding d from n and e i.t.o RSA security
Finding d is as hard for the adversary as factorising the modulus n
What is the equivalence with factorisation problem?
an attacker factorises n into its prime factors p, q, and thus recovers d
Is breaking RSA harder than the factorisation problem?
no!
Comment on how breaking RSA is shown to be as hard as the RSA problem
It is unknown if RSA problem is as hard as the factorisation problem
It is also unknown if factorisation is really computationally hard
I.t.o RSA’s security, can we find d without factorising the modulus n?
NO!
What is Miller’s theorem?
determine d from e, n is as hard as factorising n
What are two other attacks on RSA?
1) quantum computers
2) timing analysis
Comment on quantum computer attacks on RSA
not existing yet (at least commercially)
–> Shor’s theoretical alg can factorise n in polynomial time
Comment on timing analysis attacks on RSA
using time of decryption process to obtain info about d
–> demonstrated in practice for RSA in smart cards
–> avoided by randomising decryption process
What are some practical problems with key generation?
See slide 38 in set 12