RSA Flashcards

1
Q

Kerkhoff’s Principle

A

encryption and decryption are known only keys k1, k2, are secret

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Group Definition

A

A group is strucute G= (G, o, *^-1, 1) such that:

  • o is associative
  • For all g in G. 1 o g = g=g o 1 (neutral element)
  • for all g in G. g o g^-1 = 1 = g^-1 (inverse)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Abelian Group

A

If in addition to being a group o is commutative we call G an abelian group

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

commutative

A

changing the order does not change the result

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

associative

A

the grouping of inputs will never change the result

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Ring

A

A ring is a structure R= (R, +, . , -(*), 0) such that :

  • (R, +, -(*), 0) is abelian group
  • . is associative
  • distributive laws
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Field

A

a field is a structure K= (K, +, . , -(x), (x)^-1, 0, 1) such that:

  • (K, +, . , -(x), (x)^-1, 0, 1) is a commutative ring with 1
  • (K\ {0}, . , (*)^-1, 1) is a group
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Theorem (Extended Euclidian Algorithm)

A

For all a, b ∈ Z there are λ, µ ∈ Z such that
λa + µb = gcd(a, b)

def EEA(a,b):
    if b == 0: return (a,1,0)
    d,s,t = EEA(b, a % b)
    return (d, t, s - (a//b) * t)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Theorem (Chinese Remainder Theorem (CRT))

A
Let ni ∈ Z (pairwise) coprime, ai ∈ Z arbitrary for i = 1, . . . , k. Then
the system
ai ≡ x mod ni
i = 1, . . . , k
has a unique solution 0 ≤ x <
Sum n_i
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Fermat’s Little Theorem

A

Let P prime, a arbitrary then a^p = a mod p

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Fermat’s littler theorem - alternative formulation

A

p prime, a coprime to p (i.e. no multiple), then a

p−1 ≡ 1 mod p

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Theorem (Prime-Number-Theorem)

A

Let π(n) denote the number of primes up to n. Then π(n)∼n/ln(n)
.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

RSA Set up

A
  • p,q primes
  • n= p* q => p(n)= (p-1) (q-1)
  • choose e coprime to p(n)
  • d= e^-1 mod p(n) (extended Euclidean Algorithm)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

RSA Keys

A

public key = (n, e)

private key = (n, d), possibly p,q, p(n)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

RSA Usage

A

encrypt c = m^e mod n

decrypt m= c^d mod n

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Modular Exponentiation in RSA

A
Need to compute a
b mod n
Naive approach 
-b multiplications, one modulo
-huge intermediate results, size b · log a instead of log n

speed up with square and multiply algorithm

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

An addition chain

A

An addition chain for integer n of length l is a sequence
1 = a0, a1, . . . , al = n
such that every entry is a sum of 2 previous ones

18
Q

Theorem (Downey, Leong, Seth, 1981)

A

Given a1, . . . , ak , find smallest chain containing them all is
NP-complete.

19
Q

RSA parameter size

A
  • strength of key given in bit size of n
  • ssh-keygen currently has default 2048
  • secure key should have 4096 more threatened by quantum Computers, than classical factoring
  • p,q should have same bitlength
  • e often equals 65537
20
Q

coprime

A

two numbers are co-prime if they no common factor other than 1

21
Q

Partial Key Exposure

A

Given one entry of the private key (p, q, p(n), d) and the public key,
we can efficiently compute the full private key.

22
Q

Partial key exposure corollary

A

If d is known, it is not sufficient to just replace e and d.

23
Q

Insecure Special cases of RSA

A
  • e is small: find m
  • same n but different e : find m
  • m is very small: find m
  • d is small: find d, thus everything
  • p,q are too close: factor n, thus everything

Standard to avoid all of these
Public Key Cryptography Standard (PKCS)

24
Q

Padding

A

Artificially enlarge message to m0 = Pad (m), such that m0 ≈ n.

25
RSA is multiplicative
If we know enc (m), then we also know enc (x · m) for any x.
26
Theorem (Coppersmith, 1996
``` Let f ∈ Z[x] normalised, e = deg f . Then we can compute all x0 ∈ Z with f (x0) ≡ 0 mod n and |x0| ≤ √e n in polynomial time. ```
27
Coppersmith Corollary (Application in RSA)
If m has (significantly) fewer than log(n)/e bits, and we have any fixed padding, we can compute m.
28
H˚astad Broadcast
If a message is encrypted with the same exponent e but e different moduli ni , we can recover the message (Scenario send an invitation to an event)
29
Any fixed padding
Any fixed padding scheme becomes dangerous, given enough | messages. Use randomised padding
30
Franklin-Reiter-Related-Message-Attack
Theorem If two messages are related via m2 = f (m1) for some known polynomial f , we often can recover them from ci = me i mod n. The time is O((e · deg f )^2) arithmetic operations. If f is linear and e = 3 the attack is guaranteed to work
31
Common Modulus of e
If we have keys (n, e1) and (n, e2) with gcd(e1, e2) = 1, then we can read any message sent to both.
32
common modulus corolarry
Every key needs is own modulus n , i.e its own primes
33
Fixes for RSA problems
-randomised padding and sufficiently long | - same modulus allowed reading every message Fix delete second key just use first both can read both messages anyway
34
Theorem (Wiener, 1989) - small private Exponent d
``` Assume q < p < 2q, e < ϕ(n) and d <1/3n^1/4 . Then we can compute d from (n, e) in O(log(n)^2)arithmetic steps . ```
35
Extension to Wiener’s Attack
via lattice methods breakable for d < n ^0.292 assumed to work up to d
36
Digital Signatures
Authentication: sender only has to convince recipient Signature: recipient can also convince ”judge“ must depend both on sender and message if not message: use old signature from other message if not sender: recipient can forge
37
Signature Oracle Attack
``` Assumptions Assume we sign with plain-RSA want to forge signature for message m Have access to online oracle, that signs any m0 6= m (or some restricted subset) ``` Attack factor m = m1 . . . mk mod n such that all mi accepted by oracle (not necessarily prime factors) e.g. pick some m1 < n and put m2 := m · m −1 1 mod n get si = md i mod n for i = 1, . . . ,k have signature s = Q sifor m
38
Signature Attack Scenarios, What does eve know
No Message, just public key Signatures, Eve has some message - signature pairs (m_i, s_i), e.g observing traffic Chosen Message: Eve can choose messages m_i to be signed impersonating authentication server
39
Attack scenarios, what is success?
Total break: find private key Universal Forgeability: forge signature for every message Selective Forgeability: Forge signature m given by Alice Existential Forgeability: forge signature for m chosen by Eve
40
Strongest Security for Signatures (GOAL)
EUF_CMA Existential Unforgeability under Chosen message Attack Eve may request signatures s_i for m-1, ... m_k forges signatures s for some m not in {m_1, m_k} sEUF-CMA strong EUF-CMA Eve may request signatures s_i = sign (m_i) forges pair (m,s ) not in {(m_i, s_i): i =1,.....} i.e m may be among requested messages but must find different valid signature
41
Improved plain RSA signature
Alice computes s= sign (m, (n,d))= m^d mod n send(m,s) to Bob Bob gets (m', s') checks m'=s'^e mod n, if yes he accepts