Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Transcription

1 Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

2 RSA history Public-key system introduced in 1978 by Rivest, Shamir and Adleman from left to right : Adleman, Shamir and Rivest Based on the diculty to factor numbers, eg = = Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

3 RSA keys Private key p and q two large prime numbers (with some conditions) An integer d coprime to (p 1)(q 1) These data are strictly condential Public key n = p q e the inverse of d modulo (p 1)(q 1) (ie an integer such that e d = 1 mod (p 1)(q 1)) These data are public and must be divulged The public key is easy to deduce from the private key (extended euclidean algorithm) but given e and n, it is very dicult to recover d, p or q Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

4 RSA Encryption/Decryption We assume that B wants to send a message m (which is an integer in the range [1, n]) to A Encryption B gets (on A's web page or on the Certication Authority server) n and e which compose A's public key B computes the ciphertext c = m e mod n B sends c to A Decryption A recovers the plaintext m computing c d mod n A (and its government because of key escrow) is the only person able to decrypt c since nobody else knows or can compute d One-way function : x x e mod n Trapdoor : d Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

5 Mathematical tools for the proof of RSA Euler's theorem Let ϕ(n) denote the number of integers in [1, n] coprime to n. Let a be an integer coprime to n. We have a ϕ(n) = 1 mod n n = p, with p prime a p 1 = 1 mod p (Fermat's little theorem) n = pq, with p, q prime a (p 1)(q 1) = 1 mod n Chinese remainder theorem (CRT) Let m 1 and m 2 be coprime integers. Let a 1 and a 2 be integers. The system { x = a 1 mod m 1 x = a 2 mod m 2 has exactly one solution modulo m 1 m 2 which is a 1 n 1 m 2 + a 2 n 2 m 1 where n 2 is the inverse of m 1 modulo m 2 and n 1 is the inverse of m 2 modulo m 1 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

6 RSA proof We want to prove that c d = m ed = m mod n RSA proof if m coprime to n e is the inverse of d mod (p 1)(q 1) ed = 1 + k(p 1)(q 1) for some integer k. Thus m ed = m 1+k(p 1)(q 1) = m Conclude using Euler's theorem (m (p 1)(q 1)) k RSA proof if m not coprime to n (eg q divides m) We have trivially m ed = m mod q (both are 0) Fermat's little theorem implies that m ed = m mod p { x = m mod p So the equation x = m mod q has m and med as solutions. CRT m = m ed mod pq Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

7 Ecient decryption It is possible to speed up decryption using p and q Usual decryption : computes c d mod n Ecient decryption Speed-up Compute c d = c dp mod p with d p = d mod p 1 Compute c q = c dq mod q with d q = d mod q 1 Recover c d mod n using chinese remainder theorem p is half the length of n. Simple implementations of multiplication take quadratic time multiplication modulo p is 4 times faster than modulo n. d p is half the length of d computing c dp mod p is 8 times faster than computing c d mod n. The running time of the last CRT step is negligible. Overall decryption time is reduced by a factor of 4. Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

8 Ecient implementation : exponentiation algorithms Both for encryption and decryption, modular exponentiation is the central operation We assume that algorithms for modular multiplication are known Not the subject of this course Can be found in books given in bibliography or in Knuth's Art of Computer Programming vol. 2 Provided by numerous, very ecient multiprecision libraries (as GMP) Naive method g e = g g g g requires e 1 multiplications exponential complexity in the size of the exponent Binary methods Based on binary representation of the exponent linear complexity in the size of the exponent Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

9 Square and multiply method It is clear that g 2s left-to-right square and multiply can be obtained with only s squarings Given g and e = (e t 1 e 0 ) 2, the following computes g e h 1 and i t 1 while i 0 do return h h h 2 if e i = 1 then h h g i i 1 Proof : Related to Horner's rule Very old method (more than 2000 years) Very ecient (t squarings and t multiplications in average) 2 Often the only one given in books Impossible to reduce the number of squarings Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

10 2 k -ary method Example in base 4 : 00 ( ) 2 h 2 = h 4 01 ( ) 2 h 2 g = h 4 g 10 ( 2 h g) 2 = h 4 g 2 11 ( 2 h g) 2 g = h 4 g 3 Left-to-right 2 k -ary (or window method with window size k) Precompute g i = g i for i [1, 2 k 1] h 1 and i t 1 while i 0 do return h h h 2k h h g (ei e i k+1 )2 i i k Precomputations can be divided by 2 Requires around t(2k 1) multiplications in average k 2 k Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

11 Sliding window method Idea : skip consecutive zeros Exemple : 334 = ( ) 2 3 multiplications with 2 3 -ary Example : 334 = ( ) 2 only 2 multiplications required Sliding window method with window size k Precompute g 3, g 5, g 7,, g 2k 1 h 1 and i t 1 While i 0 do return h Requires around if e i = 0 then h h 2 and i i 1 else s max(i k + 1, 0) while e s = 0 do s s + 1 repeat i s + 1 times h h 2 h h g (e i e s ) 2 i s 1 t multiplications k+1 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

12 Recoding the exponent coding exponent with many zeros less multiplications Example 31 = (11111) 2 but 31 = (100001) (with 1 = 1) g 31 = g 32 g 1 : faster if g 1 precomputed Denition : w-naf Every integer e has a unique representation e = t 1 e i=0 i 2 i where each e i is zero or odd e i < 2 w 1 among any w consecutive coecients, at most one is nonzero Example above is with w = 2 Exponentiation algorithms must be adapted Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

13 Recoding the exponent w is such that w bits are necessary to represent all coecient Example : w = 3 e i < 2 2, 7 possibilities for e i Algorithm to compute w-naf expansion is very easy Computation of the w-naf expansion of e i 0 While e > 0 do if e is odd then e i e mod 2 w e e e i else e i 0 e e/2 and i i + 1 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

14 Key generation What do we need? Find two large prime numbers p and q Find an integer d coprime to (p 1)(q 1) easy : compute gcd(d, (p 1)(q 1)) Find the inverse of d modulo (p 1)(q 1) easy : ext eulidean algorithm How can we nd large prime numbers Pick random numbers until nding a prime number requires primality tests The number of prime numbers less than n is known to be around n/log(n) (prime number theorem) Primality tests are relatively slow Compositeness tests are faster but do not prove primality Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

15 Compositeness tests : Fermat's test Based on the Fermat's little theorem : if p prime then a p 1 = 1 mod p Fermat primality test of n Repeat several times Choose a random integer a [2, n 2] Compute r = a n 1 mod n If r 1 then return "composite" If the n succeed this test, it might be prime Unfortunately, there exists an innite number of composite numbers that succeed Fermat's test for every a (Carmichael numbers). Hopefully, they are very rare Most of compositeness test or primality test are based on analogs of Fermat's test but use more complicated mathematical tools than Z/pZ Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

16 Compositeness tests : Rabin-Miller test Modication of Fermat's little theorem Let p be a prime number, a an integer coprime to p. Denote s the largest integer such that 2 s divides p 1 and d = p 1, then 2 s either a d = 1 mod p or r [0, s 1] with a 2r d = 1 mod p An integer which does not verify one of these properties is said to be a witness for the compositeness of n Central theorem If n is composite, there are least 3(n 1) 4 witnesses for its compositeness Consequences No Carmichael-like numbers It's bad luck if a random choice of a do not provide a witness If the property is satised for more than n 1 values of a, n is proved 4 to be prime Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

17 Miller-Rabin test of n Write n 1 = 2 s d with d odd and repeat t times Choose a random integer a [2, n 2] Compute y = a d mod n If y ±1 then do r 1 while r < s and y 1 do y y 2 mod n r r + 1 If y 1 then return "composite" Return "prime with an error probability less than 1 4 t " Probabilistic Very ecient Considered as sucient for common cryptographic use (only 1 chance over to mistake with t = 20 in theory, even better in practice) Do not prove the primality (in polynomial time) Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

18 Primality test or primality proving There exists very fast algorithms for specic numbers (Mersenne numbers, n such that n 1 can be factored) but no interest in cryptography Jacobi sum test ECPP AKS Uses an analog of Fermat's little theorem in cyclotomic ring Probabilistic with almost polynomial complexity (O(log(n) c log(log(log(n))) )) Uses ellitic curves Probabilistic algorithm with polynomial complexity (O(log(n) 4 )) Provide a "certicate of primality" which can be easily veried Uses polynomial analog of Fermat's little theorem Proves that primality P (Deterministic polynomial complexity) Inecient in practice even if O(log(n) 4 ) Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

19 RSA and Factorization The main attack of RSA is factorization of n Brute force Try to divide n by all integers smaller than n Eratosthene sieve If 2 does not divide n, it is not necessary to test even numbers Quadratic sieve (QS) Use quadratic number elds (from number theory) to nd x and y such that x 2 = y 2 mod n gcd(x y, n) divides n Subexponential complexity : e log(n) 1 2 log(log(n)) 1 2 Number eld sieve (NFS) Generalisation of QS using higher degree number elds to nd x and y Subexponential complexity : e ( 64 9 ) 1 3 log(n) 1 3 log(log(n)) 2 3 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

20 RSA and Factorization : the p 1 method smooth numbers An integer s is said to be B-smooth if q α s with q prime, q α B. Assume p n with p 1 B-smooth and let a be an integer coprime to p If k = q α then a k 1 = 0 mod p q α B gcd(a k 1, n) is a factor of n Pseudo-algorithm Choose a reasonnable bound B pick a random a and compute b = a k 1 mod n Compute g = gcd(b, n) If g 1 return g If g = 1, choose a larger B or cancel Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

21 RSA and Factorization : the Pollard-ρ method Let u k+1 = f (u k ) mod n be a random walk. Idea : if p n and u i = u j mod p, then gcd(u i u j, n) is a factor of n Algorithm Repeat the following Compute u k+1 = f (u k ) mod n Compute g = gcd(u k+1 u i, n) i k If g 1 return g Drawback : requires a lot of memory and gcd computations. Variant (Floyd cycles) Stock only the u k such that k = 2 a. Much less memory and gcd computations (log(i) instead of i) Only double the number of steps O( (p) steps are necessary Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

22 RSA and Factorization History of RSA factorization Using NFS (number eld sieve) Size (in decimal digits) of n Date of factorization Much faster than Moore's law algorithm improvements Here are p and q for the last one p= q= Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

23 RSA and Factorization History of RSA factorization Using NFS (number eld sieve) Size (in decimal digits) of n Date of factorization Much faster than Moore's law algorithm improvements Lot of progress in factorization : is RSA really secure? Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

24 RSA and factorization Solving factorization Solving RSA What about? We don't know but we know that Finding p and q nding d Again, is trivial, but is not : k = ed 1 multiple of (p 1)(q 1) g Z/nZ we have g k = 1 g k/2 is a square root of 1 There are 4 square roots of 1 in Z/nZ : 1, -1 and x and x such that { x = 1 mod p x = 1 mod q If g k/2 = ±1 then choose another g else gcd(x 1, n) gives a factor of n. For a random chosen g there is 1/2 chance that g k/2 = ±1 very fast Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

25 Choice of p and q Pollard p 1 If p 1 is B-smooth, factorization is easy p and q too close We have trivially that (p + q) 2 /4 n = (p q) 2 /4 Let x be the rst integer greater than n If x 2 n is a perfect square y 2 then p = x + y and q = x y else x x + 1 Central idea of sieving methods for factorization (nd such equality not in Z but in more complex rings (number elds)) In practice random prime numbers are never weak for these attacks Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

26 Small encryption exponent e For eciency of public key operations (encryption, signature verication), it is attractive to choose e as small as possile : e = 3 Attack on e = 3 Assume A wants to send the same message m to 3 dierent persons (with 3 dierent public moduli n 1, n 2 and n 3 ) who choose e = 3. Of course m < n i An eavesdropper Eve can observe c i = m 3 mod n i and can easily solve the system x = c 1 mod n 1 x = c 2 mod n 2 x = c 3 mod n 3 Hence Eve knows m 3 mod n 1 n 2 n 3 (unicity of the solution). But m 3 < n 1 n 2 n 3 as an integer Eve knows m 3 It is then easy to recover m by taking the (real) third root of m 3 Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

27 Protection against small exponent attacks Trivial protection Take a random public exponent (ie a large one) Never send the same message to dierent persons Not satisfactory In practice we want a small public exponent Use e = = is a good compromise Good performance (50 times faster than random exponent) and very rare to send the same message to so many people Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

28 Protection against small exponent attacks Use a padding of the message For each n i, modify the message m so that all sent plaintext are dierent. But sensitive to attacks using the so called Coppersmith's theorem Sending f 1 (m), f 2 (m) and f 3 (m) where f i is a polynomial is not secure (Hastad attack) The messages m i must not be linked (Franklin-Reiter attack), eg if there exist a polynomial f such that f (m 1 ) = m 2 The most natural way to dierentiate messages is to realize a padding (concatenate the message with a random bitstring). Coppersmith's short pad attack breaks such a system if the length of the padding is less than the length of n i divided by e 2 (unpracticable with e = 65537) Padding ecient but use very carefully (uses OAEP) e = most secure Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

29 Small decryption key For eciency of private key operations (decryption, signature), it is attractive to choose d as small as possile Wiener attack Let n = pq be a RSA module with q < p < 2q Assume that d < 1 3 n 1 4 d can be recovered very fast using the continued fraction expansion of e n This attack can be extended to d < n (and n 0.5 is expected) Avoid small private keys Remark If e is chosen small (3 or 65537), d cannot be chosen Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

30 Small messages Forward search attack Small message space or predictable (eg "yes" or "no") encrypt all possible plaintexts and compare with intercepted ciphertext small message and small exponent If m < n 1 e, then m can be recovered by taking the (real) e th -root of the ciphertext Use padding to extend message size Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

31 Common modulus attack Assume that A and B have the same module n and coprime public exponents e A and e B. If C send a message m to both A and B c A = m e A mod n c B = m e B mod n An eavesdropper can recover m : thanks to an extended euclidean algorithm between e A and e B e A u + e B v = 1 Hence c u A c v B = me Au+e B v = m Remark This attack is articial since if A and B have the same keys, A can decrypt B's message and sign in the name of B Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

32 Timing attacks (side channel attacks) Introduced by Kocher on RSA in 1995 : Eve measures decryption times for several known ciphertexts d In 2003, Boneh and Brumley practical attack SSL webserver (uses leaks of CRT decryption) Timing attack protection Ensure that decryption takes a constant amount of time for every ciphertext reduce performance Introduce hazard : blinding technique Choose a random number r for each ciphertext c Computes y = (r e c) d Recover m = yr 1 mod n mod n Decryption time is no longer correlated to c timing attack fails. Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

33 Multiplicative (or homomorphic) properties Let m 1 and m 2 two plaintext messages. We have c 1 = m e 1 mod n, c 2 = m e 2 mod n c 1c 2 = m e 1 me 2 = (m 1 m 2 ) e mod n Adaptative chosen-ciphertext attack Assume that E want to decrypt A's message c = m e mod n E chooses a random x and computes c = cx e mod n E aks A to decrypt c (eg as a challenge for authentication) A computes c d and send it to E E can recover m since c d = c d x ed = mx Protection Do not use the same key for authentication and encryption Impose some structural constraints on plaintext messages (not possible to nd x such that both m and mx have the required structure) Introduce hash function in the encryption process (OAEP) Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

34 Multiplicative (or homomorphic) properties multiplicativity RSA is not semantically secure This means that partial information on plaintext can be recovered But, lot of results like Parity bit If we are able to recover the parity bit of the plaintext then we are able to recover the whole plaintext Proves that RSA does not gives this partial information Bleichenbaker's attack Chosen ciphertext attack on the standard PKCS v1.5 in 1998 Does not need a decryption oracle (its oracle detects only PKCS conformity of ciphertext) realizable in practice New PKCS version use OAEP which is prove to be semantically secure Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

35 Summary of Parameter choice Choose p and q at random such that RSA n as the required security level security level size of n in bits (p and q not too close and p 1, q 1 not smooth) Do not choose d small Do not use common modules Do not encrypt small messages Choose e = 3 (but very carefully) or e = for eciency Use suciently large padding (and no polynomial padding) Use OAEP for more quietness Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35

36 Patents and standards RSA patent expired in 2000 PKCS =// 1 : RSA Cryptography Standard Last version : 2.1 (2002) Recommendations for cryptographic primitives encryption schemes signature schemes syntax for representing keys available at ftp ://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf and http ://etudes.univ-rennes1.fr/master-crypto Master Crypto ( ) Théorie de l'information et codage 20,23 et 27 mars / 35