Lecture 5-6 The RSA and Rabin Algorithms.
An important attack is the chosen-ciphertext attack, in which an adversary selects ciphertexts of its choice and then obtains, by some means, the corresponding plaintexts.
(1) The (indifferent) chosen-ciphertext attack.
(2) The adaptive chosen-ciphertext attack.
2.1 Primality Testing
It might be surprising, but factorization and primality testing are not the same. It is much easier to prove a number is composite than it is to factor it. There are many large integers that are known to be composite but that have not been factored.
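To make the point concrete, here is an added example (not part of the lecture notes) of a Miller-Rabin primality test in Python. A witness base a proves that n is composite without revealing any factor of n; the bound of 20 rounds and the small-prime list are choices made for this illustration. The test value 2^64 + 1 is a composite number whose factors the code never touches.

```python
import random

# Trial division against a few small primes, then Miller-Rabin.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def miller_rabin_witness(n, a):
    """Return True if base a proves n composite (a is a 'witness').

    Writes n - 1 = 2^s * d with d odd and inspects the sequence
    a^d, a^(2d), ..., a^(2^(s-1) d) mod n. A prime n never produces a
    witness; a composite n is exposed by at least 3/4 of the bases.
    """
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True  # n is certainly composite, yet no factor was learned


def find_witness(n, rounds=20, rng=random.SystemRandom()):
    """Return a base proving n composite, or None if none was found.

    None after `rounds` random bases means n is prime except with
    probability at most 4^-rounds (assumed round count for this example).
    """
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if miller_rabin_witness(n, a):
            return a
    return None


def is_probable_prime(n, rounds=20):
    """Deterministic for n <= 37 (small-prime table), probabilistic above."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    return find_witness(n, rounds) is None


if __name__ == "__main__":
    n = 2**64 + 1  # composite; the test proves it without factoring
    print("witness for 2^64 + 1:", find_witness(n))
    print("2^61 - 1 prime?", is_probable_prime(2**61 - 1))
```

Any base returned by `find_witness` is a compact certificate of compositeness that anyone can re-check with one modular exponentiation; producing a factor would be a far harder task.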
3.1 Security Parameters , d p, q
The implementation of a cryptographic algorithm can have weaknesses that were unanticipated by the designers of the algorithm. Adversaries can exploit these weaknesses to circumvent the security of the underlying cryptographic algorithm. Attacks on the implementations of cryptographic systems are a great concern to operators and users of secure systems.
Implementation attacks include timing attacks, power analysis attacks, fault insertion attacks, and electromagnetic emission attacks. We refer to them as side-channel attacks. The term side-channel is used to describe the leakage of unintended information from a supposedly tamper-resistant device, such as a smartcard.
In a timing attack the side-channel is the time the device requires to perform private-key operations. An adversary who carefully measures the operation time of a vulnerable system can learn the secrets contained inside the device and break the entire system’s security. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements.
Assumed environment. The adversary can observe the system decrypting several ciphertexts g. He also knows the hardware being used for the computation and can use this information to calculate the computation times for the various steps that may occur in the process. In addition, assume g^d (mod n) is computed by Algorithm 4.
4.1 Recommended Size of Modulus
Given the latest progress in algorithms for factoring integers, special number field sieve factoring algorithms, a modulus n of at least 1024 bits is recommended. For long term security, 2048-bit or larger moduli should be used.
(1) The primes p and q should be selected so that factoring n = pq is computationally infeasible. The major restriction on p and q in order to avoid the elliptic curve factoring algorithm is that p and q should be about the same bit-length, and sufficiently large. For example, if a 1024-bit modulus n is to be used, then each of p and q should be about 512 bits in length.
(2) Another restriction on the primes p and q is that the difference p-q should not be too small. If p and q are chosen at random, then p-q will be appropriately large with overwhelming probability.
(3) Many authors have recommended that p and q be strong primes. A prime p is said to be a strong prime if the following three conditions are satisfied:
* p-1 has a large prime factor, denoted r;
** p+1 has a large prime factor;
*** r-1 has a large prime factor.
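The three restrictions above can be turned into a key-generation sanity check. The following Python is an added example, not code from the lecture: it checks that p and q have the same bit-length, that |p - q| is not too small, that e is invertible modulo (p-1)(q-1), and whether p is a strong prime in the sense just defined. The minimum bit-lengths are parameters chosen for toy-sized inputs (real key generation uses far larger thresholds, e.g. the FIPS 186-4 criterion |p - q| > 2^(nlen/2 - 100)), and the strong-prime check uses trial division, which only works at these toy sizes.

```python
import math


def largest_prime_factor(n):
    """Largest prime factor by trial division; only practical for toy sizes."""
    largest, f = 1, 2
    while f * f <= n:
        while n % f == 0:
            largest = f
            n //= f
        f += 1
    return n if n > 1 else largest


def is_strong_prime(p, min_factor_bits):
    """The three conditions from the text: p-1 has a large prime factor r,
    p+1 has a large prime factor, and r-1 has a large prime factor.
    'Large' here means at least min_factor_bits bits (an assumed toy threshold)."""
    r = largest_prime_factor(p - 1)
    return (r.bit_length() >= min_factor_bits
            and largest_prime_factor(p + 1).bit_length() >= min_factor_bits
            and largest_prime_factor(r - 1).bit_length() >= min_factor_bits)


def check_rsa_primes(p, q, e, min_diff_bits):
    """Return a list of problems with the pair (empty list means it passes)."""
    problems = []
    if p.bit_length() != q.bit_length():
        problems.append("p and q do not have the same bit-length")
    if abs(p - q).bit_length() < min_diff_bits:
        problems.append("|p - q| is too small")
    if math.gcd(e, (p - 1) * (q - 1)) != 1:
        problems.append("e is not invertible modulo (p-1)(q-1)")
    return problems


if __name__ == "__main__":
    # Constructed toy primes: 65521 and 65519 are adjacent 16-bit primes.
    print(check_rsa_primes(65521, 65519, 65537, min_diff_bits=8))
    print(check_rsa_primes(65521, 32771, 65537, min_diff_bits=8))
    print("65521 strong (8-bit factors)?", is_strong_prime(65521, 8))
```

For 65521 the check fails the strong-prime test because 65520 = 2^4 * 3^2 * 5 * 7 * 13 has no large prime factor, which illustrates why strong primes are not something random prime selection gives you for free.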
(1) If the encryption exponent e is chosen at random, then RSA encryption using the Algorithm 4 takes k modular squarings and an expected k/2 modular multiplications, where k is the bit-length of the modulus n. Encryption can be sped up by selecting e to be small and/or by selecting e with a small number of 1’s in its binary representation.
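The operation count just stated, and the timing leak described in the side-channel section above, both come from the same square-and-multiply structure. The following Python is an added example (not the lecture's Algorithm 4, whose details are not reproduced here): it performs left-to-right binary exponentiation while counting squarings and multiplications, and shows a square-and-always-multiply variant whose count is independent of the exponent bits. Python integers are not constant-time, so this only demonstrates the operation pattern, not a real countermeasure.

```python
def modexp_square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation.
    Returns (base^exp mod mod, squarings, multiplications)."""
    result, squarings, mults = 1, 0, 0
    for bit in bin(exp)[2:]:          # exponent bits, most significant first
        result = result * result % mod
        squarings += 1
        if bit == "1":                # secret-dependent branch: this is the leak
            result = result * base % mod
            mults += 1
    return result, squarings, mults


def modexp_always_multiply(base, exp, mod):
    """Same result, but the multiplication is done for every bit and the
    product is discarded when the bit is 0, so the number of operations
    no longer depends on the exponent's Hamming weight."""
    result, squarings, mults = 1, 0, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        squarings += 1
        product = result * base % mod
        mults += 1
        result = product if bit == "1" else result
    return result, squarings, mults


def hamming_weight(exp):
    """Number of 1 bits: the multiplication count of square-and-multiply."""
    return bin(exp).count("1")


if __name__ == "__main__":
    mod = 1000003  # constructed toy modulus
    for e in (0b10000001, 0b11111111):  # same bit-length, different weight
        print(e, modexp_square_and_multiply(7, e, mod)[1:],
              modexp_always_multiply(7, e, mod)[1:])
```

With a k-bit exponent the first function always does k squarings but a number of multiplications equal to the exponent's Hamming weight (about k/2 for a random exponent, 1 plus the trivial leading step for e = 3), which is exactly the quantity a timing measurement reveals; the second function does k of each regardless of the exponent. Real implementations combine this kind of regular schedule with blinding of the message or exponent so that the measured time carries no information about d.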
6.1 Finding Square Roots
Rabin encryption is an extremely fast operation as it only involves a single modular squaring. By comparison, RSA encryption with e=3 takes one modular multiplication and one modular squaring.
Rabin decryption is slower than encryption, but comparable in speed to RSA decryption.
A drawback of the Rabin public-key scheme is that the receiver is faced with the task of selecting the correct plaintext from among four possibilities. This ambiguity in decryption can easily be overcome in practice by adding pre-specified redundancy to the original plaintext prior to encryption. (For example, the last 64 bits of the message may be replicated.) Then, with high probability, exactly one of the four square roots of a legitimate ciphertext will possess this redundancy. If none of the square roots possesses this redundancy, then the receiver should reject the ciphertext as fraudulent.
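The decryption procedure described above, as an added worked example in Python (not code from the lecture): square roots modulo primes p and q with p ≡ q ≡ 3 (mod 4) are combined by the Chinese remainder theorem into the four roots modulo n, and the receiver keeps only the root carrying the agreed redundancy. The primes 65519 and 32771 are constructed toy values, and the redundancy is 16 replicated low bits rather than the 64 the text suggests, so the check is only illustrative.

```python
REDUNDANCY_BITS = 16  # toy value; the text suggests replicating 64 bits


def sqrt_mod_prime(c, p):
    """A square root of c modulo a prime p ≡ 3 (mod 4): c^((p+1)/4) mod p."""
    assert p % 4 == 3
    return pow(c, (p + 1) // 4, p)


def crt(rp, rq, p, q):
    """Combine x ≡ rp (mod p) and x ≡ rq (mod q) into x mod pq."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def rabin_square_roots(c, p, q):
    """The (up to) four square roots of c modulo n = pq, sorted."""
    n = p * q
    rp, rq = sqrt_mod_prime(c, p), sqrt_mod_prime(c, q)
    roots = {crt(sp, sq, p, q) for sp in (rp, p - rp) for sq in (rq, q - rq)}
    # Drop candidates that are not roots at all (c not a square mod p or q).
    return sorted(r for r in roots if r * r % n == c % n)


def add_redundancy(m, n):
    """Replicate the low REDUNDANCY_BITS bits of m above it."""
    mask = (1 << REDUNDANCY_BITS) - 1
    padded = (m << REDUNDANCY_BITS) | (m & mask)
    if padded >= n:
        raise ValueError("message too long for this modulus")
    return padded


def has_redundancy(x):
    mask = (1 << REDUNDANCY_BITS) - 1
    return (x & mask) == ((x >> REDUNDANCY_BITS) & mask)


def rabin_encrypt(m, n):
    return pow(add_redundancy(m, n), 2, n)


def rabin_decrypt(c, p, q):
    """Return the plaintext, or None if the ciphertext must be rejected."""
    candidates = [r for r in rabin_square_roots(c, p, q) if has_redundancy(r)]
    if len(candidates) != 1:  # none (fraudulent) or ambiguous: reject
        return None
    return candidates[0] >> REDUNDANCY_BITS


if __name__ == "__main__":
    P, Q = 65519, 32771  # constructed toy primes, both ≡ 3 (mod 4)
    N = P * Q
    c = rabin_encrypt(0x1234, N)
    print("roots:", rabin_square_roots(c, P, Q))
    print("decrypted:", hex(rabin_decrypt(c, P, Q)))
    print("c = 2 rejected:", rabin_decrypt(2, P, Q) is None)
```

The ciphertext 2 is rejected because 2 is not a square modulo 32771, so no root squares back to it. Per the point made in the next paragraph, the redundancy alone does not stop a forward search on a small message space; that is what the random salt bits are for, and they can be placed in the same padded block.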
(1) The Rabin public-key encryption scheme is susceptible to attacks similar to those on RSA described above for small encryption exponents and the forward search problem. These can be circumvented by salting the plaintext message.
8.1 Requirements for Public Key Encryption
In a public key system, the message set M, the key set K, and the encryption/decryption function E/D, must satisfy the following requirements:
(1) Ek(Dk(m))=m and Dk(Ek(m))=m for every
(2) For every m and every k, the values of Ek(m) and Dk(m) are easy to compute.
(3) For almost every k ∈ K, if someone knows only the function Ek, it is computationally infeasible to find an algorithm to compute Dk.
(4) Given k ∈ K, it is easy to find the functions Ek and Dk.
8.1 Requirements for Public Key Encryption (Continued)
(1) In a symmetric system, authentication is easy but non-repudiation is not.
(2) In an asymmetric system, authentication and non-repudiation are not. However, the goals are easily accomplished. For example, compute and send the message Ekb(Ska(m))=Ekb(Dka(m)) for the RSA algorithm.
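The construction Ekb(Dka(m)) from the previous item, worked through with textbook RSA in Python as an added example (not from the lecture): the sender applies her private exponent (Dka, the signature), then the receiver's public exponent (Ekb). The key pairs are built from the constructed toy primes 61, 53 and 101, 113, and the sender's modulus must be smaller than the receiver's so that the signature fits into the second exponentiation. Practical RSA signs a hash of the message with a padding scheme such as RSA-PSS and encrypts with OAEP; this bare form is only the lecture's idea made executable.

```python
def rsa_keygen(p, q, e):
    """Textbook RSA keys from two primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def sign_then_encrypt(m, sender_private, receiver_public):
    """Ekb(Dka(m)): sign with the sender's private key, then encrypt."""
    n_a, d_a = sender_private
    n_b, e_b = receiver_public
    assert m < n_a < n_b, "m must fit n_a, and n_a must be below n_b"
    s = pow(m, d_a, n_a)       # Dka(m): only the sender can compute this
    return pow(s, e_b, n_b)    # Ekb(s): only the receiver can undo this


def decrypt_then_verify(c, receiver_private, sender_public):
    """Undo Ekb, then apply Eka to recover m; None if s cannot be valid."""
    n_b, d_b = receiver_private
    n_a, e_a = sender_public
    s = pow(c, d_b, n_b)
    if s >= n_a:
        return None            # no signature under n_a can be this large
    return pow(s, e_a, n_a)    # Eka(Dka(m)) = m by requirement (1)


if __name__ == "__main__":
    ALICE_PUB, ALICE_PRIV = rsa_keygen(61, 53, 17)    # toy keys
    BOB_PUB, BOB_PRIV = rsa_keygen(101, 113, 3)
    c = sign_then_encrypt(65, ALICE_PRIV, BOB_PUB)
    print("ciphertext:", c)
    print("recovered:", decrypt_then_verify(c, BOB_PRIV, ALICE_PUB))
```

Authentication comes from the fact that only the holder of d_a could have produced s, and non-repudiation from the fact that Bob cannot have produced it himself, which is the asymmetry a symmetric system lacks.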
8.2 About Authentication and Non-Repudiation