Recovering Private Keys Generated With Weak PRNGs

Transcription

1 Recovering Private Keys Generated With Weak PRNGs Pierre-Alain Fouque (Univ. Rennes 1) Mehdi Tibouchi (NTT Secure Platform Lab.) Jean-Christophe Zapalowicz (Inria) Journées C Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

2 About this talk "Generating secure public keys in the real world is challenging" (Lenstra et al. 2012) "We discovered that insecure RNGs are in widespread use" (Heninger et al. 2012) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

3 About this talk "Generating secure public keys in the real world is challenging" (Lenstra et al. 2012) "We discovered that insecure RNGs are in widespread use" (Heninger et al. 2012) A public-key scheme based on the hardness of the discrete logarithm problem the factorization Known values: the public key a Linear Congruential Generator (LCG) used to generate the secret key Question: Is it secure? Related Work: Bellare et al. (1997) show that using a LCG for computing the nonces in DSA does seriously break security Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

4 Linear Congruential Generator is weak Heavily studied: Stern (1987), Frieze et al. (1988), Boyar (1989), Joux and Stern (1998), Contini and Shparlinski (2005) Advantages: efficient, very small footprint, easy to implement, good statistical properties... Drawback: cryptographically insecure: from some outputs, possibility to recover the seed and the parameters LCG outputs Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

5 Is this scheme weak? Reality: no access to the outputs of the LCG LCG out r... out 1 secret key crypto public key, parameters of the LCG Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

6 Is this scheme weak? Reality: no access to the outputs of the LCG LCG out r... out 1 secret key crypto public key, parameters of the LCG Cryptanalysis: search of the m-bit seed of the LCG Exhaustive search: complexity in O(2 m ) Our work: Time/Memory tradeoff: complexity between O(2 m/2 ) and O(2 m ) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

7 Linear Congruential Generator M: known integer a, b < M: known integers s < M: secret seed seed s output v 1 = as + b mod M output v 2 = av 1 + b mod M v i+1 = a v i + b mod M The LCG outputs the k least (or most) significant bits o i of v i Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

8 Overview of our cryptanalysis (1) v i+1 = a v i + b mod M v i = a i s + b (1 + a + + a i 1 ) = a i s + b i mod M constants b i publicly computable b = 0 v i = a i s mod M secret key x = o k o (r 1)k o r 1 with o i = lsb k (v i ) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

9 Overview of our cryptanalysis (1) v i+1 = a v i + b mod M v i = a i s + b (1 + a + + a i 1 ) = a i s + b i mod M constants b i publicly computable b = 0 v i = a i s mod M Main idea of the attack: secret key x = o k o (r 1)k o r 1 with o i = lsb k (v i ) split the m-bit seed into two part s = u + 2 m/2 v write the secret key as x = U + V U depends only on the m 2 -bit value u V depends only on the m 2 -bit value v take carries and overflows into account Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

10 Overview of our cryptanalysis (2): v u seed s Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

11 Overview of our cryptanalysis (2): v u seed s o r 1 o i o 0 secret key x V U Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

12 Overview of our cryptanalysis (2): v u seed s o r 1 o i o 0 secret key x 1 bit V U o i = a i s mod 2 k = a i u mod 2 k + 2 k/2 (a i v mod 2 k/2 ) ɛ i 2 k o r 1 o r 1 2 o r 1 2 o 0 carries (M = 2 k ) Y Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

13 Overview of our cryptanalysis (2): v u seed s o r 1 o i o 0 secret key x 1 bit V U o i = a i s mod 2 k = a i u mod 2 k + 2 k/2 (a i v mod 2 k/2 ) ɛ i 2 k o r 1 o r 1 2 o r 1 2 o 0 carries (M = 2 k ) Z W Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

14 Overview of our cryptanalysis (2): v u seed s o r 1 o i o 0 secret key x V x = U + V W Z U 1 bit o r 1 Z o r 1 2 o r 1 2 W o 0 carries (M = 2 k ) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

15 Results on the discrete logarithm case: Introduction Discrete logarithm problem: cyclic group G of prime order q and generator g (G, q, g) public parameters secret key: x Z q public key: h = g x Hard to retrieve x from h x = o k o (r 1)k o r 1 We consider the following cases: use of a non-truncated LCG: M = 2 k use of a truncated LCG: M > 2 k (see paper) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

16 Discrete logarithm case with a non-truncated LCG (1) where: r 1 U = 2 ik (a i u mod 2 k ) i=0 r 1 V = 2 ik+k/2 (a i v mod 2 k/2 ) i=0 i=0 x = U + V W Z r 1 2 r 1 Y = 2 (i+1)k ε i = 2 (i+1)k ε i + i=0 } {{ } W r 1 2 i= r 1 2 (i+1)k ε i } {{ } Z ε i {0, 1} g U Z = h g W V Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

17 Discrete logarithm case with a non-truncated LCG (2) g U Z = h g W V Collision search U (resp. V ) depends only on the k 2 -bit value u (resp. v) 2 k/2 possible values U i and 2 k/2 possible values V s W and Z take carries and overflows into account 2 r/2 possible values W t and 2 r/2 possible values Z j (k: size of the seed, r: number of used outputs) Attack: Compute the hash table H by storing i, j at H(g U i Z j ) O(2 k+r 2 ) in memory For each (V s, W t ) do: O(2 k+r 2 ) in time if H(h g Wt Vs ) exists then return x U i + V s Z j W t Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

18 Concretly Secret size Modulus Attack complexity Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

19 Results on the factorization case: Introduction Factorization problem: p, q two large primes Given N = pq, retrieve p and q p = o k o (r 1)k o r 1 We consider the following cases: basic prime generation use of a non-truncated LCG: M = 2 k use of a truncated LCG: M > 2 k (see paper) PRIMEINC method (see paper) use of a non-truncated LCG: M = 2 k use of a truncated LCG: M > 2 k Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

20 Factorization case with a non-truncated LCG (1) Point of view of an attacker: 2 k+r 2 possible values A i,j p = } U {{ Z } + V } {{ W } A B 2 k+r 2 possible values B s,t How to find the correct value A and B? if q c, then gcd(c(a + B), N) = p Use of the Multipoint evaluation of univariate polynomials: P(x) Z N [x] a polynomial of degree d Evaluate P at d distinct points Quasi-linear complexity Õ(d) using divide-and-conquer approach Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

21 Factorization case with a non-truncated LCG (2) Attack: Compute the polynomial of degree 2 k+r 2 : P(X ) = (X + B s,t ) mod N s,t Õ(2 k+r 2 ) in memory Multi-evaluate P at the points A i,j k+r Õ(2 2 ) in time For each point A i,j do: if gcd(p(a i,j ), N) 1 then return gcd(p(a i,j ), N) For the correct value A: with c = s,t B s,t B (A + B s,t) P(A) = c(a + B) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

22 Conclusion Discrete logarithm-based and factorization-based schemes treated LCG out r... out 1 secret key crypto public key, parameters of the LCG Exhaustive search: complexity in O(2 m ) Our Time/Memory tradeoff: complexity between O(2 m/2 ) and O(2 m ) Open Questions: What if the parameters of the LCG are unknown Generalization to other PRNG Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16

23 Thank you for your attention Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16