Lecture 12: Public Key Cryptography Part 1

Question 1

What is a one-way function?

Answer 1

A function is one-way if f(x) = y is easily computed given x, but f^(-1)(f) = x is computationally hard to compute given y

Question 2

What are two functions that are believe to be one-way?

Answer 2

1) Multiplication of large primes: the inverse function is integer factorisation
2) Exponentiation: the inverse function takes discrete logarithms

Question 3

What is a trapdoor one-way function?

Answer 3

function f is a one-way function s.t. f^(-1)(y) is earliy computed given additional information, called trapdoor

Question 4

Explain how modular squaring is a trapdoor one-way function

Answer 4

Given n = pq where p, q are 2 large primes, f(x) = x^2 mod n

If an algorithm takes square roots (i.e. computes f^(-1)) then it can be used to factorise n

The trapdoor is the factorisation of n

If the trapdoor is known the an efficient algorithm finds the square root

Question 5

What is a public key cryptosystem design by using?

Answer 5

A trapdoor one-way function where the trapdoor is the decryption key

Question 6

What are public key cryptosystems also know as?

Answer 6

asymmetric cryptography

Question 7

Define what asymmetric means in asymmetric cryptography

Answer 7

encryption and decryption keys are different

Question 8

Who knows the encryption key in asymmetric cryptography?

Answer 8

Known by anybody

Question 9

What is the encryption key also called in asymmetric cryptography?

Answer 9

public key

Question 10

Who knows the decryption key in asymmetric cryptography?

Answer 10

known ONLY to its owner

Question 11

What is the decryption key also called in asymmetric cryptography?

Answer 11

private key

Question 12

Comment on the needed hardness of finding the private key from the knowledge of the public key

Answer 12

MUST be a computationally hard problem

Question 13

What are the pros of public key cryptography (in comparison to shared keys/symmetric cryptograpgy)

Answer 13

1) key management is simplified
- -> keys do not need to be transported confidentially

2) digital signatures can be obtained

Question 14

In a public cipher, can encryption keys be made public?

Answer 14

yes

Question 15

In practice, where does Alice store her public keys? What are the consequences of this?

Answer 15

Stores keys in public directory

–> anyone can obtain her public key and use it to form an encrypted message to Alice

–> since Alice has the private key (associated with her public key), she can decrypt and recover the message

Question 16

What are RSA algorithms based on?

Answer 16

integer factorization problem

Question 17

At a high level, what is RSA?

Answer 17

public key cryptosystem and digital signature scheme

Question 18

Explain key generation for RSA algorithms

Answer 18

See slide 13, set 12

Question 19

What is the encryption process for RSA?

Answer 19

See slide 14, set 12

Question 20

What is the decryption process for RSA?

Answer 20

See slide 14, set 12

Question 21

Explain the numerical example of key generation, encryption and decryption for RSA on slide 15 of set 38

Answer 21

See slide 15, set 12

Question 22

Eplain the RSA proof of encryption correctness on slides 16-19 in set 12

Answer 22

See slide 16-19, set 12

Question 23

What are four of the applications of RSA?

Answer 23

1) message encryption
2) digital signatures
3) distributed of a shared key for symmetric key encryption (hybrid encryption)
4) user authentication by proving knowledge of the private key corresponding to an authenticated public key

Question 24

What are some challenges with RSA in terms of trying to optimise it?

Answer 24

key generation
–> generating large primes p, q and choice of e

encryption and decryption
–> fast exponentiation and faster decryption using CTR

data formatting
–> padding

Question 25

What is the requirements for primes p, q i.t.o RSA?

Answer 25

should be random of a chosen length –> one at least 1024 bits

Question 26

What is the simple algorithm for generating large primes p,q for RSA?

Answer 26

1) select a random odd number r of the required length

2) check whether r is prime:
- > if so, the output r and halt
- > otherwise, increment r by 2 and go to step 2

Question 27

What is a fast way to check primality?

Answer 27

Miller-Rabin test

Question 28

How should public exponent e for RSA be chosen?

Answer 28

chosen at random for best security

Question 29

What kind of value for e is used in practice for the public exponent i.t.o RSA?

Answer 29

small e value

Question 30

Why must the public exponent e be small in practice i.t.o RSA?

Answer 30

has large effect on efficiency

Question 31

What is the smallest possible value of e public exponent i.t.o RSA?

Answer 31

e = 3

–> sometimes used by has security problems!

Question 32

What is a popular choice for the public exponent e i.t.o RSA?

Answer 32

e = 2^(16) + 1

Question 33

What is an alternative to having a small public exponent e i.t.o RSA?

Answer 33

a smaller than average value for private exponent d is also possible

BUT at least √n to avoid known attacks

Question 34

How can we do fast exponentiation for encryption and decryption for RSA?

Answer 34

Using square-and-multiply modular exponentiation

Question 35

Explain how the square-and-multiply modular exponentiation algorithm works

Answer 35

See slides 25-26 in set 12

Question 36

Comment on the number of squarings the square-and-multiply modular exponentiation algorithm uses

Answer 36

If 2^k <= e <= 2^(k+1), then the algorithm uses k squarings

–> if b of ei bits are ‘1’ then the alg uses b - 1 multiplications

–> 1st computation z

Question 37

In terms of the square-and-multiply modular exponentiation algorithm, how many bits is the modulus n and what does this mean for the number of bits of e?

Answer 37

n is a 2048-bit modulus and so e is of at most 2048 bits

Question 38

When computing M^e mod n i.t.o. the square-and-multiply modular exponentiation algorithm, how many modular squarings and multiplications are required AT MOST?

Answer 38

2048 modular squarings

2048 modular multiplications

Question 39

I.t.o the square-and-multiply modular exponentiation algorithm, on average how many bit ei are ‘1’?

What is the consequence of this on the number of multiplications?

Answer 39

only half

so only 1024 multiplications

Question 40

What is important to remember about the square-and-multiply modular exponentiation algorithm?

Answer 40

reducing modulo n after every operation

Question 41

Explain slide 28 in set 12 about faster decryption using CTR i.t.o RSA

Answer 41

See slide 28 in set 12

Question 42

Explain the example of using CTR to decrypt C w.r.t. p, q separately on slide 29 in set 12

Answer 42

See slide 29 in set 12

Question 43

I.t.o decryption with CTR for RSA, compare the length of exponents d mod (p-1) and d mod (q-1) with d

Answer 43

exponents d mod (p-1) and d mod (q-1) are about half the length of d

Question 44

How much much does the exponentiation (with square-and-multiply) increase i.t.o decryption with CTR?

Answer 44

increases with the cube of the input length

–> computing Mp and Mq each uses 1/2^3 = 1/8 of computation for M = C^d mod n

Question 45

How much less computation is required for decryption with CTR i.t.o RSA?

Answer 45

~ 4 times less computation

–> If Mp and Mq can be computed in parallel, then the time is up to 8 times faster

Question 46

Because decryption with CTR for RSA is faster, what is a good reason to store with d?

Answer 46

p and q

follow up on –> slide 30 in set 12

Question 47

Why is encrypting directly on message encoded as a number is a weak cryptosystem?

Answer 47

Vulnerable to attacks such as:

1) building up a dictionary of known plaintexts
2) guessing the plaintext and checking if it encrypts to the ciphertext
3) Håstad’s attack

Question 48

I.t.o. RSA, what must the padding mechanised be used for?

Answer 48

used to prepare message for encryption –> must include redundancy and randomness

Question 49

Explain Håstad’s attack

Answer 49

See slide 32 in set 12

Question 50

How can we find M in Håstad’s attack?

Answer 50

by taking a cube root

Question 51

Briefly outline the padding type PKCS #1

Answer 51

simple, ad-hoc design for encryption and digital signatures

Question 52

What are the padding types for RSA implementation?

Answer 52

1) PKCS #1

2) Optimal asymmetric encryption padding (OAEP)

Question 53

What standard is OAEP in?

Answer 53

IEEE P1363 Standard specifications for public key cryptography

Question 54

What does OAEP stand for?

Answer 54

optimal asymmetric encryption padding

Question 55

How are most of the existing attacks on RSA avoided?

Answer 55

By using standardised padding mechanisms

Question 56

Comment on attacks on factorisation of the modulus n i.t.o RSA security

Answer 56

Factorisation is believed to be a hard problem

Factorisation can be prevented by choosing n large enough

Question 57

Comment on attacks on finding d from n and e i.t.o RSA security

Answer 57

Finding d is as hard for the adversary as factorising the modulus n

Question 58

What is the equivalence with factorisation problem?

Answer 58

an attacker factorises n into its prime factors p, q, and thus record d

Question 59

Is breaking RSA harder than the factorisation problem?

Answer 59

no!

Question 60

Comment on how breaking RSA is shown to be as hard as the RSA problem

Answer 60

It is unknown if RSA problem is as hard as the factorisation problem

It is also unknown if factorisation is really computationally hard

Question 61

I.t.o RSA’s security, can we find d without factorising the modulus n?

Answer 61

NO!

Question 62

What is Miller’s theorem?

Answer 62

determine d from e, n is as hard as factorising n

Question 63

What are two other attacks on RSA?

Answer 63

1) quantum computers

2) timing analysis

Question 64

Comment on quantum computer attacks on RSA

Answer 64

not existing yet (at least commercially)

–> Shor’s theoretical alg can factorise n in polynomial time

Question 65

Comment on timing analysis attacks on RSA

Answer 65

using time of decryptino process to obtain info about d

–> demonstrated in practice for RSA in smart cards

–> avoided by randomising decryption process

Question 66

What are some practical problems with key generation?

Answer 66

See slide 38 in set 12