
Recall that in Shannon’s theory of cryptography we could attain perfect secrecy (at the cost of an extremely long shared key). In simple terms this meant that Eve learnt nothing about the message by seeing the cryptogram.

7.10 Problems with trapdoor systems 165

With public key systems based on trapdoor functions we have dispensed with the need for a shared secret key, but our level of security is much lower. In the trapdoor model Eve learns everything about the message from seeing the cryptogram. The security of the system is based on the assumption that (given her limited computational powers) she has a negligible chance of recovering the message from the cryptogram.

For example, given an RSA cryptogram $C$ together with the public key $(n,e)$, Eve knows that the message is

$M = C^d \bmod n$,

where $d$ can in principle be calculated from $n$ and $e$. So there is no uncertainty about which message has been sent. However, although Eve has all the information required to find $M$, she cannot because this is computationally infeasible.

There are at least three obvious problems with this model of security.

(1) Partial information may leak. Just because Eve has a negligible chance of recovering the message from the cryptogram does not imply that she learns nothing about the message. Indeed, one-way functions often leak bits of information.

(2) Messages are not random. Our assumption that Eve has a negligible chance of recovering a random message is all very well, but messages are not random. The structure of the message space may well mean that the system is insecure despite the fact that the trapdoor assumption holds. For example suppose Alice only sends messages of the form:

‘Transfer $X$ dollars into my bank account.’

If Eve knows this then (since encryption is public) she can encrypt messages of this form with different values of $X$ until she finds the unique one that gives the cryptogram she has observed. This allows her to recover the message easily.

(3) Multiple message insecurity. We have already seen that RSA is insecure if the same message is sent more than once using a low exponent key. In general, if Alice and Bob use RSA then Eve can tell when Alice sends Bob the same message twice, since she will see the same cryptogram on both occasions. Such information may be extremely useful.

So having outlined some of the problems with trapdoor systems what could we aim for in a definition of security for a public key cryptosystem?

166 7 Public key cryptography

Consider the analogy between encryption and sending letters in sealed envelopes. If Alice sent Bob a letter in a sealed envelope and Eve was not allowed to open it, what could she hope to learn about its contents? Well, she might well be able to make a reasonable guess as to the length of the letter (by weighing it or examining the size of the envelope). However, this is essentially all she could expect to learn without actually opening the envelope.

Ideally a cryptosystem should have the same property: Eve should be unable to learn anything about the message except possibly its length.

We will consider a model of security that captures this in Chapter 10: polynomial indistinguishability. Informally, in this model a cryptosystem is secure if for any pair of ‘reasonable’ messages, $M_1, M_2$, Eve has no way of telling which of the two messages has been sent given both messages and the cryptogram.

Clearly any deterministic public key cryptosystem will fail this test since given a pair of messages $M_1, M_2$ and a cryptogram $C$, Eve can easily check if $C = e(M_1)$ or $C = e(M_2)$. So secure cryptography will require probabilistic encryption.
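The following is an added illustration of problems (2) and (3) and of the distinguishing test just described; it is example code written for this page, not code from the book. It builds a toy textbook RSA key from constructed small primes, runs Eve's re-encryption test and the search over a structured message space, and then shows a randomised variant under which both tests fail. The random-prefix padding used for the randomised variant is a hypothetical device for the illustration only, not a secure padding scheme.

```python
import random

# Constructed toy RSA key: tiny primes chosen for illustration, never for real use.
P, Q = 1009, 1013
N = P * Q                              # public modulus
E = 17                                 # public exponent, coprime with (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (modular inverse, Python 3.8+)


def rsa_encrypt(m: int, n: int = N, e: int = E) -> int:
    """Textbook (deterministic) RSA: the same message always gives the same cryptogram."""
    return pow(m, e, n)


def rsa_decrypt(c: int, n: int = N, d: int = D) -> int:
    return pow(c, d, n)


def distinguish(m1: int, m2: int, c: int, n: int = N, e: int = E):
    """Eve's test from the text: re-encrypt both candidate messages with the public
    key and compare with the observed cryptogram. Returns 1 or 2, or None if
    neither candidate matches."""
    if rsa_encrypt(m1, n, e) == c:
        return 1
    if rsa_encrypt(m2, n, e) == c:
        return 2
    return None


def recover_structured_message(c: int, candidates, n: int = N, e: int = E):
    """Problem (2): when the message space is small and known ('Transfer X dollars'),
    publicly encrypting each candidate X identifies the one that produced c."""
    for x in candidates:
        if rsa_encrypt(x, n, e) == c:
            return x
    return None


def repeated_message_detected(c1: int, c2: int) -> bool:
    """Problem (3): under deterministic encryption, equal cryptograms mean equal messages."""
    return c1 == c2


# Probabilistic variant: encrypt (r || m) with fresh random bits r. This padding is an
# assumption made for the illustration; it shows why the re-encryption test stops
# working, and is not a secure padding scheme.
MSG_BITS = 8
RAND_BITS = 8


def rsa_encrypt_randomised(m: int, n: int = N, e: int = E, r=None) -> int:
    """Encrypt m (< 2**MSG_BITS) under fresh randomness; r may be fixed for testing."""
    assert 0 <= m < (1 << MSG_BITS)
    if r is None:
        r = random.getrandbits(RAND_BITS)
    return pow((r << MSG_BITS) | m, e, n)


def rsa_decrypt_randomised(c: int, n: int = N, d: int = D) -> int:
    """Decrypt and strip the random prefix."""
    return pow(c, d, n) & ((1 << MSG_BITS) - 1)


if __name__ == "__main__":
    c = rsa_encrypt(99)
    print("deterministic: Eve identifies message", distinguish(42, 99, c))
    print("structured space: X =", recover_structured_message(rsa_encrypt(250), range(256)))
    c1, c2 = rsa_encrypt_randomised(99), rsa_encrypt_randomised(99)
    print("randomised: same message, equal cryptograms?", repeated_message_detected(c1, c2))
    print("randomised: Eve's test gives", distinguish(42, 99, c1))
```

Because textbook RSA is a permutation of the residues modulo $N$, every candidate in the structured space maps to a distinct cryptogram, which is exactly why the search in `recover_structured_message` finds a unique match. With the random prefix the cryptogram depends on $r$ as well as $m$, so neither re-encrypting a guess nor comparing two cryptograms tells Eve anything without the private key.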

Problems

7.1a Bob has chosen his RSA public modulus $n = pq$ and now wishes to choose his public exponent $e$. Compare the complexity of the following algorithms for choosing an RSA public exponent $e$, to be coprime with $(p-1)(q-1)$.

Algorithm A. Choose $k$-bit odd integers at random and test for primality. When a prime is found check it does not divide $(p-1)(q-1)$.

Algorithm B. Choose $k$-bit odd integers at random and test whether they are coprime with $(p-1)(q-1)$.

7.2h Recall that $\varphi(n) = \#\{1 \le a < n \mid \gcd(a,n) = 1\}$. Show that for any integer $n$ we have $\varphi(n) = n \prod_{p \mid n} \left(1 - \frac{1}{p}\right)$.

7.3b Show that knowledge of an Elgamal user’s public key $(p, g, g^x \bmod p)$ enables an adversary to recover the least significant bit of the private key $x$.

7.4b Consider the following two problems:

RSA FACTOR

Input: an integer $n$, the product of two distinct primes $p, q$. Output: $p$ and $q$.

RSA PHI

Input: an integer $n$, the product of two distinct primes $p, q$. Output: $\varphi(n) = \#\{1 \le a < n \mid \gcd(a,n) = 1\}$.

Show that these problems are Turing equivalent (that is, they are Turing reducible to each other).
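The two reductions behind Problem 7.4, as an added worked example (written for this page, not the book's own code). RSA PHI from RSA FACTOR is one multiplication. For the other direction, $p + q = n - \varphi(n) + 1$ and $pq = n$, so $p$ and $q$ are the roots of $x^2 - (p+q)x + n$, which is solved exactly with an integer square root. The primes in the self-test are constructed values.

```python
from math import isqrt


def phi_from_factors(p: int, q: int) -> int:
    """RSA PHI given the output of RSA FACTOR."""
    return (p - 1) * (q - 1)


def factors_from_phi(n: int, phi: int):
    """RSA FACTOR given the output of RSA PHI.

    With s = p + q = n - phi + 1 the primes are the roots of x^2 - s x + n,
    i.e. (s +/- sqrt(s^2 - 4n)) / 2. Returns (p, q) with p <= q, or None if
    the pair (n, phi) is inconsistent with n being a product of two primes.
    """
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc:          # discriminant must be a perfect square
        return None
    p, q = (s - root) // 2, (s + root) // 2
    if p < 2 or p * q != n:
        return None
    return p, q


if __name__ == "__main__":
    # Constructed example: two Mersenne primes as p and q.
    p, q = (1 << 31) - 1, (1 << 61) - 1
    n = p * q
    phi = phi_from_factors(p, q)
    print("n =", n)
    print("phi(n) =", phi)
    print("recovered factors:", factors_from_phi(n, phi))
```

The practical reading for a defender is that $\varphi(n)$ is as sensitive as the private key: any component that computes or stores $(p-1)(q-1)$ (or, by Theorem 7.15, the decryption exponent $d$) must be protected exactly as the factorisation is.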

7.5h Let $n = pq$ be an RSA public modulus, where $p, q$ both have the same bit length. Show that if the public and private exponents satisfy $ed \le n^{3/2}$ then there is a polynomial time algorithm for factoring $n$.

7.6a Suppose that in choosing his Elgamal public key Bob chooses $g$ to be an arbitrary integer in the range $2 \le g < p$. Will the resulting cryptosystem still work?

7.7a Suppose Bob chooses his RSA public modulus as follows. He fixes a key length $k$ and generates a random odd $k$-bit integer $a$. He then tests $a, a+2, a+4, \ldots$ for primality and stops once he has found two primes $p$ and $q$. He then forms the public modulus $n = pq$. Explain why this method is insecure.

7.8h Alice and Bob are using RSA to communicate but Alice’s copy of Bob’s public exponent $e$ has become corrupted, with a single bit being flipped. Suppose that Alice encrypts a message with this corrupted public exponent and Bob then realises her mistake and asks her to resend the message, encrypted with the correct public exponent $e$. Show that Eve can recover the message from Bob’s public key and the two cryptograms.

7.9b If $(n,e)$ is an RSA public key then $0 \le M \le n-1$ is a fixed point of the cryptosystem iff $M^e = M \bmod n$, that is, the encryption of $M$ is itself. How many fixed points are there for a given RSA public key $(n,e)$, where $n = pq$?

7.10h Show that if Bob has RSA public key $(n,3)$ and both $M$ and $M+1$ are sent to Bob by Alice then Eve can recover $M$ from the two cryptograms.

7.11h Carol uses Rabin’s cryptosystem to send the same message to both Alice and Bob. Show that an adversary can recover the message given only the two cryptograms and the public keys.

7.12h Suppose Alice and Bob use Rabin’s cryptosystem and his public key is $n$. If Alice sends a message $M$ to Bob but he loses his private key before he has a chance to read the message, then explain why it is insecure for Bob to simply choose a new public key $n' > n$ and ask Alice to resend the message.

7.13a If $\pi_1(x)$ and $\pi_3(x)$ denote the number of primes less than or equal to $x$ which are of the form $4k+1$ and $4k+3$ respectively then $\lim_{x \to \infty} \pi_1(x)$

Hence show that there is a probabilistic algorithm for generating Blum primes which has polynomial expected running time.

7.14h Prove that there are infinitely many Blum primes.

7.15a Suppose that $(a_n)$ is a super-increasing sequence with the property that if $(b_n)$ is any other super-increasing sequence then $a_n \le b_n$. What is $a_n$?

7.16a Suppose a message space $\mathcal{M}$ consists of $k$-bit binary strings in which no more than 5 entries are non-zero. These are encrypted using the RSA cryptosystem. Prove that an enemy will be able to decrypt any cryptogram in polynomial time. Is the same true if Elgamal is used in place of RSA?

7.17a Alice sends Bob the same message twice using McEliece’s cryptosystem with his suggested parameters $n = 1024$, $t = 50$ and $k = 524$. Assuming that she uses different random ‘error’ vectors, $z_1$ and $z_2$, explain how Eve can detect that the same message has been sent twice just from examining the cryptograms.

Further notes

The presentation of the Cocks–Ellis cryptosystem in Section 7.2 is based on the technical notes of Cocks (1973) which were not released to the public until 1997.

There is a huge research literature on the RSA and Elgamal public key systems. A good account of attacks can be found in Menezes, van Oorschot, and Vanstone (1996) and more recently for RSA in Boneh (1999).

Theorem 7.15, which shows that knowledge of the decryption exponent as well as the public key $(n,e)$ leads to an expected polynomial time algorithm for factoring $n$, was noted in the original RSA paper.

A harder version of the question whether breaking RSA is as hard as factoring is to ask whether breaking low exponent RSA (LE-RSA) is as hard as factoring. Boneh and Venkatesan (1998) make progress towards showing that any efficient algebraic reduction from factoring to breaking LE-RSA can be converted into an efficient factoring algorithm. This means that breaking LE-RSA cannot be equivalent to factoring under algebraic reductions unless factoring is easy. (An algebraic reduction is restricted to only performing arithmetic operations but, for example, is not allowed to compute $x^y$.)

We note that Theorem 7.20 relating the security of Rabin’s cryptosystem to factoring is only true if messages are chosen at random. In particular, if we insist that messages are of a special form so as to enable unique decryption, it is no longer true.

Exercise 7.5 is a special case of Håstad’s broadcast attack (1988). Problem 7.10 is a special case of an attack due to Coppersmith et al. (1996).

The language SUBSET SUM used in the knapsack cryptosystem was one of the original 21 problems proved to be NP-hard by Karp (1972). The $L^3$ algorithm of Lenstra, Lenstra and Lovász (1983) used by Shamir (1983) in breaking the knapsack-based system was a landmark in the theory of NP-hardness. It showed that the problem of factoring polynomials in one variable with rational coefficients and of fixed degree could be achieved in polynomial time. Kaltofen (1982 and 1985) extended this to polynomials in any fixed number of variables.

For elementary introductions to the theory of linear codes (as used in McEliece’s cryptosystem) see Hill (1986) or Welsh (1988).

The use of elliptic curves in public key cryptosystems seems to have been first proposed by Koblitz (1987) and Miller (1986) and there is now a huge literature on this topic. However, the mathematical background needed for this is beyond the scope of this book.
