Ross Anderson

Security Engineering


Скачать книгу

mod upper N right-parenthesis"/>

      Whoever knows the private key – the factors p and q of upper N – can easily calculate left-parenthesis mod upper N right-parenthesis. As phi left-parenthesis upper N right-parenthesis equals left-parenthesis p minus 1 right-parenthesis left-parenthesis q minus 1 right-parenthesis and e has no common factors with phi left-parenthesis upper N right-parenthesis, the key's owner can find a number d such that d e identical-to 1 left-parenthesis mod phi left-parenthesis upper N right-parenthesis right-parenthesis – she finds the value of d separately modulo p minus 1 and q minus 1, and combines the answers. <math xmlns="http://www.w3.org/1998/Math/MathML" display="inline" overflow="scroll" alttext=""><mrow><mi></mi></mrow></math> (mod upper N) is now computed as upper C Superscript d (mod upper N), and decryption works because of Fermat's theorem:

upper C Superscript d Baseline identical-to left-brace upper M Superscript e Baseline right-brace Superscript d Baseline identical-to upper M Superscript e d Baseline identical-to upper M Superscript 1 plus k phi left-parenthesis upper N right-parenthesis Baseline identical-to upper M period upper M Superscript k phi left-parenthesis upper N right-parenthesis Baseline identical-to upper M period 1 identical-to upper M left-parenthesis mod upper N right-parenthesis

      Similarly, the owner of a private key can operate on a message with it to produce a signature

upper S i g Subscript d Baseline left-parenthesis upper M right-parenthesis identical-to upper M Superscript d Baseline left-parenthesis mod upper N right-parenthesis

      and this signature can be verified by raising it to the power e mod upper N (thus, using e and upper N as the public signature verification key) and checking that the message upper M is recovered:

upper M identical-to left-parenthesis upper S i g Subscript d Baseline left-parenthesis upper M right-parenthesis right-parenthesis Superscript e Baseline left-parenthesis mod upper N right-parenthesis

      Neither RSA encryption nor signature is safe to use on its own. The reason is that, as encryption is an algebraic process, it preserves certain algebraic properties. For example, if we have a relation such as upper M 1 upper M 2 equals upper M 3 that holds among plaintexts, then the same relationship will hold among ciphertexts upper C 1 upper C 2 equals upper C 3 and signatures upper S i g 1 upper S i g 2 equals upper S i g 3. This property is known as a multiplicative homomorphism; a homomorphism is a function that preserves some mathematical structure. The homomorphic nature of raw RSA means that it doesn't meet the random oracle model definitions of public key encryption or signature.

      Another general problem with public-key encryption is that if the plaintexts are drawn from a small set, such as ‘attack’ or ‘retreat’, and the encryption process is deterministic (as RSA is), then an attacker might just precompute the possible ciphertexts and recognise them when they appear. With RSA, it's also dangerous to use a small exponent e to encrypt the same message to multiple recipients, as this can lead to an algebraic attack. To stop the guessing attack, the low-exponent attack and attacks based on homomorphism, it's sensible to add in some randomness, and some redundancy, into a plaintext block before encrypting it. Every time we encrypt the same short message, say ‘attack’, we want to get a completely different ciphertext, and for these to be indistinguishable from each other as well as from the ciphertexts for ‘retreat’. And there are good ways and bad ways of doing this.

      Crypto theoreticians have wrestled for decades to analyse all the things that can go wrong with asymmetric cryptography, and to find ways to tidy it up. Shafi Goldwasser and Silvio Micali came up with formal models of probabilistic encryption in which we add randomness to the encryption process, and semantic security, which we mentioned already; in this context it means that an attacker cannot get any information at all about a plaintext upper M that was encrypted to a ciphertext upper C, even if he is allowed to request the decryption of any other ciphertext upper C prime not equal to upper C [778]. In other words, we want the encryption to resist chosen-ciphertext attack as well as chosen-plaintext attack. There are a number of constructions that give semantic security, but they tend to be too ungainly for practical use.

      The usual real-world solution is optimal asymmetric encryption padding (OAEP), where we concatenate the message upper M with a random nonce upper N, and use a hash function h to combine them:

StartLayout 1st Row upper C 1 equals upper M circled-plus h left-parenthesis upper N right-parenthesis 2nd Row upper C 2 equals upper N circled-plus h left-parenthesis upper C 1 right-parenthesis EndLayout