Attacks on RSA & Using Asymmetric Crypto

Similar documents
Number Theory for Asymmetric Crypto

RSA RSA public key cryptosystem

Lecture 1: Introduction to Public key cryptography

RSA. Ramki Thurimella

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

The security of RSA (part 1) The security of RSA (part 1)

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Cryptography. pieces from work by Gordon Royle

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Mathematics of Cryptography

Algorithmic Number Theory and Public-key Cryptography

10 Public Key Cryptography : RSA

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

8.1 Principles of Public-Key Cryptosystems

ECE 646 Lecture 9. RSA: Genesis, operation & security

Implementation Tutorial on RSA

Introduction to Modern Cryptography. Benny Chor

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Public Key Algorithms

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

Public Key Cryptography

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

5199/IOC5063 Theory of Cryptology, 2014 Fall

Is It As Easy To Discover As To Verify?

Public Key Cryptography

CIS 551 / TCOM 401 Computer and Network Security

Lecture 22: RSA Encryption. RSA Encryption

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

Ti Secured communications

Mathematical Foundations of Public-Key Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

ECE297:11 Lecture 12

THE RSA CRYPTOSYSTEM

Week 7 An Application to Cryptography

Public-Key Cryptosystems CHAPTER 4

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Public-Key Encryption: ElGamal, RSA, Rabin

Encryption: The RSA Public Key Cipher

CRYPTOGRAPHY AND NUMBER THEORY

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

dit-upm RSA Cybersecurity Cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

10 Modular Arithmetic and Cryptography

Introduction to Modern Cryptography. Benny Chor

CPSC 467b: Cryptography and Computer Security

Number theory (Chapter 4)

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

CPSC 467b: Cryptography and Computer Security

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

Implementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Introduction to Cybersecurity Cryptography (Part 5)

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Solution to Midterm Examination

An Introduction to Probabilistic Encryption

Asymmetric Encryption

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

1 Number Theory Basics

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

CPSC 467: Cryptography and Computer Security

MATH3302 Cryptography Problem Set 2

Novel Approach to Factorize the RSA Public Key Encryption

Biomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.

My brief introduction to cryptography

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Ma/CS 6a Class 3: The RSA Algorithm

Introduction to Public-Key Cryptosystems:

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

COMP424 Computer Security

Carmen s Core Concepts (Math 135)

Elliptic Curve Cryptography

Cryptography IV: Asymmetric Ciphers

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

ECE596C: Handout #11

Practice Assignment 2 Discussion 24/02/ /02/2018

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Number Theory & Modern Cryptography

MATHEMATICS EXTENDED ESSAY

Math.3336: Discrete Mathematics. Mathematical Induction

Cryptography. P. Danziger. Transmit...Bob...

Math/Mthe 418/818. Review Questions

Discrete mathematics I - Number theory

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Introduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key

Homework 4 for Modular Arithmetic: The RSA Cipher

Transcription:

Attacks on RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney

Overview 1. Crypto-Bulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common Attacks Factoring Attack Small Encryption Exponent Attack Small Decryption Exponent & Forward Search Attack 2.3 Homomorphic Properties of RSA 2.4 Size of Modulus in RSA 2.5 Alternative: Rabin Cryptosystem 3. RSA Background and Methods 3.1 Useful Methods Square and Multiply Addition Chains 3.2 Complexity Theory

Crypto-Bulletin

Crypto-Bulletin All from last year New Threat Can Auto-Brick Apple Devices (< ios 9.3.1) http://krebsonsecurity.com/2016/04/new-threat-can-auto-brick-apple-devices/ Microsoft patches much-hyped Badlock bug http://www.itnews.com.au/news/microsoft-patches-much-hyped-badlock-bug-418121 FBI: $2.3 Billion Lost to CEO Email Scams http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/

Breaking RSA

Chinese Remainder Theorem (CRT) The Chinese Remainder Theorem (CRT) can be used to break RSA. Without knowing the factorisation of n = pq, you can use CRT to solve a system of equations: x a 1 mod m 1 x a 2 mod m 2 x a 3 mod m 3 Where gcd(m i, m j ) = 1 (i.e. m i & m j are relatively prime). The CRT states that there exists a simultaneous solution to these equations where any two such solutions are congruent to each other modn, where N = n 1 n 2 n 3

Chinese Remainder Theorem (CRT) For each i, define: M i = M = Π i j m j m i By the Euclidean algorithm, calculate N i such that: N i M i = 1 mod m i The solution to the system of simultaneous equations is: r x = a i M i N i i=1

Chinese Remainder Theorem (CRT): Example Solve the following system of equations: x a 1 mod 7 x a 2 mod 11 x a 3 mod 13

Chinese Remainder Theorem (CRT): Example Now M = m 1 m 2 m 3 = 7 11 13 = 1001 To find Ns (e.g. for i = 1, N 1 ): N i M i = 1 mod m i where: M 1 = 11 13 N 1 (11 13) = 1 mod 7 where: 11 13 = 3 mod 7 N 1 3 = 1 mod 7 Using Euler s generalisation: x ϕ(n) 1 mod n: So: ϕ(m 1 ) = 7 1 = 6 N 1 = M ϕ(m 1) 1 1 mod m 1 = 3 ϕ 1 mod 7 = 3 5 mod 7 = 5 mod 7

Chinese Remainder Theorem (CRT): Example Solving for other Ns: M 1 = 143 N 1 = 5 (11 13) M 2 = 91 N 1 = 4 (7 13) M 3 = 77 N 3 = 12 (11 7) So: r x = a i M i N i i=1 x = (715a 1 + 364a 2 + 924a 3 ) mod 1001

Chinese Remainder Theorem (CRT): Example Lets say Alice sends the same message (p) to three recipients, whose public keys are: (n 1, e), (n 2, e), (n 3, e) e.g. p = 10 and e = 3 Public keys are: (87, 3), (115, 3), (187, 3) Then: c 1 = p e mod n 1 = 10 3 mod 87 = 43 c 2 = p e mod n 2 = 10 3 mod 115 = 80 c 3 = p e mod n 3 = 10 3 mod 187 = 65

Chinese Remainder Theorem (CRT): Example By the previous method: M 1 = 115 187 = 21505 N 1 = 49 M 2 = 87 187 = 16269 N 2 = 49 M 3 = 87 115 = 10005 N 3 = 2 and: M = 87 115 187 = 1870935 Then: p e mod m i = c i mod m i So: x = c i mod m i x = c i M i N i = (43 21505 49) + (80 16269 49) + (65 10005 2) = 110386165 = 1000 mod 1870935 = m 3 mod M m = 3 x

Common Attacks on RSA Some common attacks on RSA: Factoring Attack Small exponent attacks: Small encryption exponent Small decryption exponent Forward search attack Homomorphic attack Common modulus attack Cycling attack Message concealing (sec. 8.2.2 viii) Small size of the modulus Bad selection of primes

Factoring Attack on RSA The RSA problem is: Recovering m from c = m e mod n with only n and e. Suppose n can be factored into p and q: Then ϕ(n) = (p 1)(q 1) can be computed the Euler s totient function. Therefore d can be computed as: ed 1modϕ(n) Therefore we can recover the message m. Fact The problem of computing the RSA decryption exponent from the public key (n, e), and the problem of factoring n are computationally equivalent. When performing key generation, it is imperative that the primes p and q are selected to make factoring n = pq very difficult e.g. by picking a p and q that are roughly equal size

Small Encryption Exponent Attack (RSA) The small encryption exponent attack, or Coppersmith s attack, exploits a bad choice of encryption exponent. A small encryption exponent is often chosen in order to improve the speed of RSA encryption. e.g. 2 16 + 1 is often used If a group of entities all use the same encryption exponent, it is clear that they must have their own distinct modulus. Otherwise, if they were the same modulus, users could obviously easily calculate the other users private keys (d). Say Alice wishes to send messages to three parties, all with a small encryption exponent: e = 3 c 1 = m 3 mod n 1 c 2 = m 3 mod n 2 c 3 = m 3 mod n 3

Small Encryption Exponent Attack (RSA) Observing c 1, c 2, c 3 and knowing n 1, n 2, n 3, we use the CRT: x = m 3 mod (n 1 n 2 n 3 ) Since m < n i for n (otherwise information would be lost in encryption) x = m 3 m = x 1 3 = 3 x Thus, a small encryption exponent should not be used to send the same message (or the same message with variation) to several entities. Note Salting the plaintext (padding with random bits) can help avoid this attack.

Other Attacks on RSA Small Decryption Exponent (Wiener s Attack) A small decryption exponent should also be avoided (d < N 1 4 3 ). Common mistake in small devices, since a small d makes for efficient decryption. Forward Search Attack Since the encryption key is public, if the message space is small or predictable, an attacker can try to brute force on the message space. Salting the plaintext may help prevent this attack Example: A stock trading system Message format: ``{BUY, SELL} DDDD TICKER'' (only 1000 tickers) M = 2 10000 1000 = 20, 000, 000 possible messages At 1 million guesses / second 20 seconds to guess transmitted message.

Homomorphic Properties of RSA RSA encryption is homomorphic. Suppose: c 1 = m e 1 mod n c 2 = m e 2 mod n Then: c 1 c 2 = (m 1 m 2 ) e mod n Using this property, we can attack RSA.

Homomorphic Properties of RSA Suppose we want Alice to reveal the decryption of: c = m e mod n Bob sends alice: (c ) = cx e mod n Where x is a randomly chosen blinding factor. Alice computes: (c ) d = (cx e )d mod n = c d x ed mod n = mx ed mod n = mx mod n If Alice reveals this information, Bob can unblind the message: m = (mx)x 1 mod n

Size of Modulus in RSA Powerful attacks on RSA include using a quadratic sieve and number field sieve factoring algorithms to factor the modulus n = pq. 1977: a 129 digit (426 bit) RSA puzzle was published by Martin Gardner s Mathematical Games in Scientific American. Ron Rivest said RSA-125 would take 40 quadrillion years. In 1993 it was cracked by a team using 1600 computers over 6 months: the magic words are squeamish ossifrage. 1999: a team led by de Riele factored a 512 bit number 2001: Dan Bernstein wrote a paper proposing a circuit-based machine with active processing units (the same density as RAM) that could factor keys roughly 3 times as long with the same computational cost so is 1536 bits insecure?? The premise is that algorithms exist where if you increase the number of processors by n, you decrease the running time by a factor greater than n. Exploits massive parallelism of small circuit level processing units 2009: RSA-768, 232 digits (768 bits), is factored over a span of 2 years.

Size of Modulus in RSA In 2012, a 1061 bit (320 digit) special number (2 1039 1) was factored over 8 months (a special case), using a special number field sieve. Unthinkable in 1990 We have: Developed more powerful computers Come up with better ways to map the algorithm onto the architecture Taken better advantage of cache behaviour Is the writing on the wall for 1024-bit encryption? The answer to that is an unqualified yes Lenstra It is recommended today that 4096 bit keys be used (or at least 2048 bit) and p and q should be about the same bit length (but not too close to each other). Advances in factoring are leaps and bounds over advances in brute force of classical ciphers: http://en.wikipedia.org/wiki/rsa_factoring_challenge

Alternative: Rabin Cryptosystem The Rabin cryptosystem is similar to RSA, but has been proven to be as hard as the integer factorisation problem. Public key: n = pq Private key: p, q (roughly the same size) Encryption: c = m 2 mod n Decryption: Calculate the four square roots: m 1, m 2, m 3, m 4 of c The message sent was one of these roots. The security is based on the fact that finding square roots mod n without knowing the prime factorisation of n is computationally equivalent to factoring.

RSA Background and Methods

Square and Multiply In RSA and Discrete Log, a common operation is exponentiation. i.e. calculating g e where g and e are large numbers ( 300 digits) A simple approach to this is to use square-and-multiply: g 23 = g 16 g 4 g 2 g 1 In this example, we use 7 multiplications (assuming squaring is computationally equivalent to multiplying). In Python:

Addition Chains Using addition chains, we can be a little more efficient: g 1 g 2 g 3 g 5 g 10 g 20 g 23 g 2 g 3 = g 5 etc. This take only 6 multiplications (versus 7 for square-and-multiply). An addition chain is used to minimise the number of multiplications required. The addition chain of length s for exponent e is a sequence of positive integers {u 0,, u s } and associated sequence {w 0,, w s } of pairs of integers w i = (i 1, i 2 ) with the property that: u 0 = 1, u s = e u i = u i1 + u i2

Addition Chains: Example Take e = 15 (i.e. calculate g 15 ). The addition chain can be represented as: g 15 = g (g [g g 2 ] 2 ) 2 g 15 = g 3 ([g 3 ] 2 ) 2 binary - 6 multiplications shortest - 5 multiplications Finding the shortest chain is computationally hard though (NP-hard) It is akin to solving the travelling salesman problem.

Complexity Theory Overview Fact: P NP 1 Unknown: Is P = NP? Example NP problem: Given a positive integer n, is n composite? i.e. are there integers a, b > 1 such that n = ab? If L 1 and L 2 are two decision problems, L 1 is said to polynomial reduce to L 2 (L 1 P L 2 ) if there is an algorithm that solves L 1, which uses an algorithm that solves L 2 as a subroutine, and runs in polynomial time. Two problems are said to be computationally equivalent if: 1 P versus NP L 1 P L 2 and L 2 P L 1

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback