Katz, Lindell
Introduction to Modern Cryptography
Slides Chapter 11, part 2
Markus Bläser, Saarland University

Plain RSA
Algorithm 11.12: RSA key generation
Input: security parameter $1^n$
Output: $N, e, d$ with $ed = 1 \bmod \varphi(N)$
- $(N, p, q) \leftarrow \mathsf{GenModulus}(1^n)$  // p and q are primes with N = pq.
- $\varphi(N) := (p - 1)(q - 1)$
- choose $e > 0$ such that $\gcd(e, \varphi(N)) = 1$
- compute $d := e^{-1} \bmod \varphi(N)$  // using the extended Euclidean algorithm
- return $N, e, d$.

Plain RSA (2)
Construction 11.16
- Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $N, e, d$. The public key is $(N, e)$ and the private key is $(N, d)$.
- Enc: on input a public key $pk = (N, e)$ and a message $m \in \mathbb{Z}_N^*$, compute the ciphertext $c := m^e \bmod N$.
- Dec: on input a private key $sk = (N, d)$ and a ciphertext $c \in \mathbb{Z}_N^*$, return the message $m := c^d \bmod N$.
It works, since
$c^d = (m^e)^d = m^{ed} = m \bmod N.$
Plain RSA is not CPA-secure!

Attacks on Plain RSA
Algorithm 11.28
Input: public key $(N, e)$, ciphertext $c$
Output: $m < 2^n$ such that $m^e = c \bmod N$
- $T := 2^{\alpha n}$
- for $r := 1$ to $T$ do
  - $x_r := c / r^e \bmod N$
- sort the pairs $(r, x_r)$, $r = 1, \dots, T$, by their second component
- for $s = 1$ to $T$ do
  - if $x_r = s^e \bmod N$ for some $r$
    - return $rs \bmod N$
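
Algorithm 11.28 on a toy modulus, as an added example that is not from the slides or the book: a dictionary lookup replaces the sort step, and the primes, exponent, function names and the choice α = 0.6 are assumptions made so that it runs in milliseconds. It shows why a short value such as a raw symmetric key must not be encrypted with plain RSA.

```python
# Toy parameters, constructed for this example (far too small for real use).
P, Q = 1000003, 1000033
N = P * Q
E = 65537

def plain_rsa_encrypt(m, n=N, e=E):
    """Plain RSA: c := m^e mod N, no padding, fully deterministic."""
    return pow(m, e, n)

def recover_short_message(c, n_bits, alpha=0.6, n=N, e=E):
    """Return m < 2^n_bits with m^e = c mod N if m = r*s for some r, s <= T.

    Costs about 2T modular exponentiations instead of 2^n_bits trial
    encryptions. Returns None when m has no such factorisation.
    """
    T = 1 << round(alpha * n_bits)          # T := 2^(alpha * n)
    table = {}                              # maps x_r -> r
    for r in range(1, T + 1):
        # x_r := c / r^e mod N; r < P, Q here, so r is invertible mod N
        x_r = c * pow(pow(r, e, n), -1, n) % n
        table.setdefault(x_r, r)
    for s in range(1, T + 1):
        r = table.get(pow(s, e, n))         # is x_r = s^e mod N for some r?
        if r is not None:
            return r * s % n
    return None

if __name__ == "__main__":
    m = 3001 * 347                          # a 20-bit message that splits
    print(recover_short_message(plain_rsa_encrypt(m), 20) == m)
    # 999983 is prime and larger than T, so no split exists
    print(recover_short_message(plain_rsa_encrypt(999983), 20))
```

The second call returns None because the method only succeeds for messages that factor into two parts of at most T; randomized padding removes the structure it relies on.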

Padded RSA
Construction 11.30
- Gen: is the same as in plain RSA
- Enc: on input $(N, e)$ and $m \in \{0,1\}^{\|N\| - \ell(n) - 2}$, choose $r \in \{0,1\}^{\ell(n)}$ and let $\hat{m} = r \| m$ (as an element of $\mathbb{Z}_N^*$). Output $c := \hat{m}^e \bmod N$.
- Dec: on input $(N, d)$ and $c \in \mathbb{Z}_N^*$, compute $\hat{m} := c^d \bmod N$ and output the $\|N\| - \ell(n) - 2$ least significant bits of $\hat{m}$.

RSA PKCS #1 v1.5
- $pk = (N, e)$
- $k$ is the length of $N$ in bytes, that is, $2^{8(k-1)} \le N < 2^{8k}$.
- message length between 1 and $k - 11$ bytes
- If $m$ is $D$ bytes long, then it is encrypted as
  $(\mathtt{0x00} \| \mathtt{0x02} \| r \| \mathtt{0x00} \| m)^e \bmod N$
  where $r$ is a random string of $k - D - 3$ bytes not containing 0x00.
- Not CPA-secure, since the padding is too short.
- Not CCA-secure
Was replaced by newer versions.

Hard-core predicate for RSA
RSA hard-core predicate experiment $\text{RSA-lsb}_{A,\mathsf{GenRSA}}(n)$:
1. Run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$.
2. Choose a uniform $x \in \mathbb{Z}_N^*$ and compute $y := x^e \bmod N$.
3. A is given $N, e, y$ and outputs a bit $b$.
4. The output of the experiment is 1 if the least significant bit of $x$ is $b$. Otherwise, it is 0.
Theorem (11.31)
If RSA is hard relative to GenRSA, then for all ppt A,
$\Pr[\text{RSA-lsb}_{A,\mathsf{GenRSA}}(n) = 1] \le \frac{1}{2} + \mathsf{negl}(n).$
“Lsb is hardcore bit.”

CPA-secure encryption
Construction 11.32
- Gen: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. Output $pk = (N, e)$ and $sk = (N, d)$.
- Enc: on input $pk$ and $m \in \{0,1\}$, choose a uniform $r \in \mathbb{Z}_N^*$ such that $\mathrm{lsb}(r) = m$. Output $c := r^e \bmod N$.
- Dec: on input $sk$ and ciphertext $c$, compute $r := c^d \bmod N$ and output $\mathrm{lsb}(r)$.
Theorem
If RSA is hard relative to GenRSA, then Construction 11.32 is CPA-secure.

RSA-based KEM
Construction 11.34
- Gen: run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. Compute $d' := d^n \bmod \varphi(N)$. Output $pk = (N, e)$ and $sk = (N, d')$.
- Encaps: on input $pk$ and $1^n$, choose a uniform $c_1 \in \mathbb{Z}_N^*$. Then for $i = 1, \dots, n$ do:
  1. $k_i := \mathrm{lsb}(c_i)$
  2. $c_{i+1} := c_i^e \bmod N$
  Output the ciphertext $c_{n+1}$ and the key $k = k_1 \dots k_n$.
- Decaps: on input $sk = (N, d')$ and ciphertext $c$, compute $c_1 := c^{d'} \bmod N$. For $i = 1, \dots, n$ do:
  1. $k_i := \mathrm{lsb}(c_i)$
  2. $c_{i+1} := c_i^e \bmod N$
  Output $k = k_1 \dots k_n$.

RSA-based KEM (2)
Theorem (11.35)
If RSA is hard relative to GenRSA, then Construction 11.34 is a CPA-secure KEM.
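
Construction 11.34 carried through on a toy key, as an added example that is not from the slides or the book: the primes, exponent and function names are assumptions, and decaps is passed the public key as well because its loop uses e. It shows that the single exponent d' = d^n mod φ(N) undoes all n applications of RSA at once.

```python
import secrets
from math import gcd

# Toy key, constructed for this example; real moduli are 2048 bits or more.
P, Q, E = 1000003, 1000033, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)

def gen(n):
    """Gen: pk = (N, e), sk = (N, d') with d' := d^n mod phi(N)."""
    return (N, E), (N, pow(D, n, PHI))

def _walk(c1, n, pk):
    """Loop shared by both sides: k_i := lsb(c_i), c_{i+1} := c_i^e mod N."""
    modulus, e = pk
    bits, c = [], c1
    for _ in range(n):
        bits.append(c & 1)
        c = pow(c, e, modulus)
    return c, bits                      # (c_{n+1}, [k_1, ..., k_n])

def encaps(pk, n):
    """Choose uniform c_1 in Z_N^*; return ciphertext c_{n+1} and key bits."""
    modulus = pk[0]
    while True:
        c1 = secrets.randbelow(modulus - 1) + 1
        if gcd(c1, modulus) == 1:
            return _walk(c1, n, pk)

def decaps(sk, pk, c, n):
    """c = c_1^(e^n), so c^(d') = c_1; then replay the same loop."""
    modulus, d_prime = sk
    c1 = pow(c, d_prime, modulus)
    return _walk(c1, n, pk)[1]

if __name__ == "__main__":
    pk, sk = gen(16)
    c, key = encaps(pk, 16)
    print(key == decaps(sk, pk, c, 16))
```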

RSA-OAEP
Construction 11.36
- Let $\ell, k_0, k_1$ with $k_0, k_1 = \Theta(n)$ such that $\ell + k_0 + k_1$ is less than the minimum bit length of the moduli output by $\mathsf{GenRSA}(1^n)$. Let $G : \{0,1\}^{k_0} \to \{0,1\}^{\ell + k_1}$ and $H : \{0,1\}^{\ell + k_1} \to \{0,1\}^{k_0}$.
- Gen: run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. $pk$ is $(N, e)$ and $sk$ is $(N, d)$.
- Enc: on input $(N, e)$ and $m \in \{0,1\}^{\ell}$, let $m' := m \| 0^{k_1}$ and choose a uniform $r \in \{0,1\}^{k_0}$. Then compute
  $s := m' \oplus G(r), \quad t := r \oplus H(s)$
  and let $\hat{m} := s \| t$. Output $c := \hat{m}^e \bmod N$.
- Dec: on input $(N, d)$ and $c$, compute $\hat{m} := c^d \bmod N$. If $\|\hat{m}\| > \ell + k_0 + k_1$, output $\perp$. Otherwise, parse $\hat{m} = s \| t$ with $s \in \{0,1\}^{\ell + k_1}$ and $t \in \{0,1\}^{k_0}$. Compute $r := H(s) \oplus t$ and $m' := G(r) \oplus s$. If the least-significant $k_1$ bits of $m'$ are not 0, then output $\perp$. Otherwise, output the $\ell$ most significant bits.

RSA-OAEP (2)
Theorem
If RSA is hard relative to GenRSA and G and H are modelled as random oracles, then RSA-OAEP is CCA-secure.
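
Construction 11.36 as runnable code, as an added example that is not from the slides or the book: SHAKE-256 with a one-byte prefix stands in for the random oracles G and H, the lengths ℓ, k_0, k_1 are given in bytes, and the modulus is a toy built from two Mersenne primes (all of these are assumptions). It follows the two-round structure s, t and both ⊥ checks of Dec.

```python
import hashlib
import secrets

# Toy key, constructed for this example; a modulus of this form is not secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                                   # 216-bit modulus
D = pow(E, -1, (P - 1) * (Q - 1))
L, K0, K1 = 8, 8, 8                         # bytes: 8*(L+K0+K1) = 192 < 216

def G(r):                                   # {0,1}^k0 -> {0,1}^(l+k1)
    return hashlib.shake_256(b"G" + r).digest(L + K1)

def H(s):                                   # {0,1}^(l+k1) -> {0,1}^k0
    return hashlib.shake_256(b"H" + s).digest(K0)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(m, r=None):
    """m' := m || 0^k1, s := m' xor G(r), t := r xor H(s), c := (s||t)^e."""
    if len(m) != L:
        raise ValueError("message must be exactly L bytes")
    r = secrets.token_bytes(K0) if r is None else r
    s = xor(m + bytes(K1), G(r))
    t = xor(r, H(s))
    return pow(int.from_bytes(s + t, "big"), E, N)

def dec(c):
    """Return the message, or None (the slide's ⊥) if either check fails."""
    m_hat = pow(c, D, N)
    if m_hat.bit_length() > 8 * (L + K0 + K1):
        return None                         # m_hat is too long
    st = m_hat.to_bytes(L + K0 + K1, "big")
    s, t = st[:L + K1], st[L + K1:]
    r = xor(H(s), t)
    m_prime = xor(G(r), s)
    if any(m_prime[L:]):                    # the k1 padding bits must be 0
        return None
    return m_prime[:L]

if __name__ == "__main__":
    c = enc(b"8 bytes!")
    print(dec(c), dec((c + 1) % N))
```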

CCA-Secure KEM
Construction 11.37:
- Gen: run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. $pk$ is $(N, e)$ and $sk$ is $(N, d)$. Specify a function $H : \mathbb{Z}_N^* \to \{0,1\}^n$.
- Encaps: choose uniform $r \in \mathbb{Z}_N^*$. Output ciphertext $c := r^e \bmod N$ and key $k := H(r)$.
- Decaps: given a ciphertext $c \in \mathbb{Z}_N^*$, compute $r := c^d \bmod N$ and output $k := H(r)$.
Theorem (11.38)
If RSA is hard relative to GenRSA and H is modelled as a random oracle, then Construction 11.37 is CCA-secure.
- part of ISO/IEC 18033-2 standard
- less efficient than RSA-OAEP, but proof is easier

Proof: $\mathsf{KEM}^{\mathsf{cca}}_{A,\Pi}(n)$
1. $\mathsf{GenRSA}(1^n)$ is run to obtain $(N, e, d)$. A random $H : \mathbb{Z}_N^* \to \{0,1\}^n$ is chosen.
2. $r \in \mathbb{Z}_N^*$ is chosen uniformly at random. $c := r^e \bmod N$ and $k := H(r)$ are computed.
3. $b \in \{0,1\}$ is chosen uniformly at random. If $b = 0$, set $\hat{k} := k$. Otherwise choose $\hat{k} \in \{0,1\}^n$ uniformly at random.
4. A is given $pk$, $c$ and $\hat{k}$. A may query $H(\cdot)$ on any input and $\mathsf{Decaps}_{sk}(\cdot)$ on any input except $c$.
5. A outputs $b' \in \{0,1\}$. A wins if $b = b'$ and loses otherwise.

Proof: Adversary A'
1. Initialize empty lists $L_H$, $L_{\mathsf{Decaps}}$. Choose a uniform $k \in \{0,1\}^n$ and store $(c, k)$ in $L_{\mathsf{Decaps}}$.
2. Choose $b \in \{0,1\}$ uniformly at random. If $b = 0$, set $\hat{k} = k$. Otherwise choose $\hat{k} \in \{0,1\}^n$ uniformly at random. Simulate A on $pk$, $c$, and $\hat{k}$.
When A queries $H(\tilde{r})$:
- If there is an entry $(\tilde{r}, k)$ in $L_H$, then return $k$.
- Otherwise, let $\tilde{c} = \tilde{r}^e \bmod N$. If there is an entry $(\tilde{c}, k)$ in $L_{\mathsf{Decaps}}$, then return $k$ and store $(\tilde{r}, k)$ in $L_H$.
- Otherwise, choose $k \in \{0,1\}^n$ uniformly at random, return $k$ and store $(\tilde{r}, k)$ in $L_H$.

Proof: Adversary A'
2. When A makes a query $\mathsf{Decaps}(\tilde{c})$:
- If there is an entry in $L_{\mathsf{Decaps}}$ of the form $(\tilde{c}, k)$, return $k$.
- Otherwise, for each entry $(\tilde{r}, k) \in L_H$, check if $\tilde{r}^e = \tilde{c} \bmod N$. If yes, output $k$.
- Otherwise, choose a uniform $k \in \{0,1\}^n$, return $k$ and store $(\tilde{c}, k)$ in $L_{\mathsf{Decaps}}$.
3. At the end of A’s execution, if there is an entry $(r, k)$ in $L_H$ for which $r^e = c \bmod N$, return $r$.
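
The bookkeeping of A' from the two proof slides, as an added example that is not from the slides or the book: the class and method names, the toy modulus and the 128-bit key length are assumptions. It shows that H and Decaps queries can be answered consistently from the two lists without ever using d, and that an H-query on the preimage of c hands A' the RSA inverse.

```python
import secrets

# Toy public key, constructed for this example; the simulator never sees d.
P, Q, E = 1000003, 1000033, 65537
N = P * Q

class Simulator:
    """A' from the proof: knows only (N, e) and the challenge ciphertext c."""

    def __init__(self, n_mod, e, c, n=128):
        self.N, self.e, self.c, self.n = n_mod, e, c, n
        self.L_H, self.L_Decaps = {}, {}
        self.k = secrets.randbits(n)        # step 1: uniform k, store (c, k)
        self.L_Decaps[c] = self.k

    def H(self, r):
        if r in self.L_H:                   # already answered
            return self.L_H[r]
        c_t = pow(r, self.e, self.N)
        k = self.L_Decaps.get(c_t)          # stay consistent with Decaps
        if k is None:
            k = secrets.randbits(self.n)
        self.L_H[r] = k
        return k

    def decaps(self, c_t):
        if c_t == self.c:
            raise ValueError("the challenge ciphertext may not be queried")
        if c_t in self.L_Decaps:
            return self.L_Decaps[c_t]
        for r, k in self.L_H.items():       # stay consistent with H
            if pow(r, self.e, self.N) == c_t:
                return k
        k = secrets.randbits(self.n)
        self.L_Decaps[c_t] = k
        return k

    def extract(self):
        """Step 3: an H-query r with r^e = c mod N is the inverse of c."""
        for r in self.L_H:
            if pow(r, self.e, self.N) == self.c:
                return r
        return None
```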