Lecture 6: Cryptanalysis of public-key algorithms.,

Similar documents
1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Discrete Logarithm Problem

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

CPSC 467b: Cryptography and Computer Security

Lecture Notes, Week 6

Lecture 1: Introduction to Public key cryptography

Introduction to Elliptic Curve Cryptography. Anupam Datta

Introduction to Cybersecurity Cryptography (Part 4)

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Cryptography IV: Asymmetric Ciphers

Applied Cryptography and Computer Security CSE 664 Spring 2018

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

COMP4109 : Applied Cryptography

Public Key Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Information Security

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

8 Elliptic Curve Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

Introduction to Modern Cryptography. Benny Chor

CIS 551 / TCOM 401 Computer and Network Security

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Number Theory. Modular Arithmetic

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Primality Testing- Is Randomization worth Practicing?

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Computational Number Theory. Adam O Neill Based on

ENHANCING THE PERFORMANCE OF FACTORING ALGORITHMS

Discrete Math, Fourteenth Problem Set (July 18)

CPSC 467b: Cryptography and Computer Security

CS March 17, 2009

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

CSC 5930/9010 Modern Cryptography: Number Theory

CPSC 467b: Cryptography and Computer Security

Mathematical Foundations of Public-Key Cryptography

Ti Secured communications

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Public Key Algorithms

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Public Key Encryption

CPSC 467: Cryptography and Computer Security

Factorization & Primality Testing

Cryptography. Number Theory with AN INTRODUCTION TO. James S. Kraft. Lawrence C. Washington. CRC Press

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Mathematics of Public Key Cryptography

Basic Algorithms in Number Theory

Elementary factoring algorithms

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Security II: Cryptography exercises

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture 14: Hardness Assumptions

Dixon s Factorization method

One can use elliptic curves to factor integers, although probably not RSA moduli.

CSc 466/566. Computer Security. 5 : Cryptography Basics

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

1 Number Theory Basics

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Elementary Number Theory

9 Knapsack Cryptography

Biomedical Security. Some Security News 9/17/2018. Erwin M. Bakker. Blockchains are not safe for voting (slashdot.org) : From: paragonie.

Introduction to Cryptography. Lecture 8

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

KTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Asymmetric Encryption

Part VIII. Elliptic curves cryptography and factorization

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Number Theory in Cryptology

Introduction to Cryptography. Lecture 6

basics of security/cryptography

19. Coding for Secrecy

Lecture 6: Introducing Complexity

Analysis of the RSA Encryption Algorithm

Discrete Logarithm Computation in Hyperelliptic Function Fields

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Primes and Factorization

ELLIPTIC CURVES CRYPTOGRAPHY and FACTORIZATION. Part VIII. Elliptic curves cryptography and factorization HISTORICAL COMMENTS

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Arithmétique et Cryptographie Asymétrique

The Elliptic Curve Method and Other Integer Factorization Algorithms. John Wright

Transcription:

T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1

Outline Computational complexity Reminder about basic number theory Factoring Discrete logarithm Elliptic curve discrete logarithm (Some items are partially repeat of the last lecture) 2

Computational complexity I will give asymptotic estimates for the complexity of many of the algorithms. Remember: Most complexity numbers in cryptology are actually conjectures (i.e. educated guesses). The complexity measurements are often based on experimentation and heuristics, and simply give an estimate of the expected running time. Most of these algorithms are not deterministic; they can be expected to work in most cases but there may be pathological cases where they in fact do not terminate. However, if you re trying to break a cipher, it doesn t matter what you use as long as it WORKS! 3

Basic complexities Modular multiplication: Schoolboy method, roughly O(l 2 ) (although faster methods exist, based on Karatsuba s method, FFT, etc). Greatest common divisor (gcd): Euclid s method, roughly O(l 3 ). Modular inversion: Extended Euclid s method, roughly O(l 3 ). Modular exponentiation: Square-and-multiply, roughly O(l 3 ). Elliptic curve addition: with clever programming, O(l 2 ). 4

Elementary number theory The fundamental theorem of arithmetic (Euclid) states that any positive integer can be represented in exactly one way as a product of prime numbers (if we ignore the order). e.g. 6 = 2 3, 48 = 2 4 3. The first primes are 2, 3, 5, 7, 11, 13, 19, Density of primes around n is roughly 1/ ln(n) ("Prime number theorem"). This means that if we are looking for, say, 1024-bit prime, there is a probability of 1/ ln(2 1024 ) = 1/709.8 that a random number is a prime. Hence we must test about 500 candidates before we can truly find a prime (of course we can sieve out even numbers etc, which will speed up the search). 5

Fermat s "little" theorem Let p be a prime which does not divide the integer a, then a p 1 1 (mod p). The inverse is almost true; there is an extremely high probability (for large n) that if 2 n 1 1 (mod n), then n is a prime. For cryptology probable primes are perfectly acceptable, and e.g. only this Fermat test is used in search of primes. Complexity of deterministic primality test has been recently proved to be Polynomial (Agrawal, Kayal, Saxena: "PRIMES is in P", 2002). However, this O(l 7.5 ) algorithm has little practical effect to cryptography. 6

A Group A finite group is a set of elements together with a binary operation (group operation) that satisfies: Closure: a + b is in the set if a and b are in the set. Associativity: (a + b) + c = a + (b + c). Identity: There exists an element o that satisfies a + o = o + a = a. Inverse: Every element has an inverse a a = o. 7

Examples of a group Elements 0 and 1 together with XOR operation. Addition modulo n, where n is any positive integer. Multiplication modulo p, where p is a prime number. Group formed by an elliptic curve together with the addition rule (previous lecture). 8

Factoring The task of splitting a number n into its prime components n = pq. "The problem of distinguishing prime numbers from composites and of resolving composite numbers into their prime factors, is one of the most important and useful in all of arithmetic.... The dignity of science seems to demand that every aid to the solution of such an elegant and celebrated problem be zealously cultivated." C.F. Gauss, Disquisitiones Arithmeticae, Article 329 (1801) 9

Factoring and RSA It is clear that if the public modulus n can be factored, then RSA is broken. However it has not been proved that if a method exists to solve the RSA problem, it can also be used to factor numbers. Hence the RSA problem is not equivalent to factoring!.. but it seems that factoring algorithms are the easiest method of breaking RSA (other than implementation attacks). 10

Trial division Even the greatest mathematicians of 1800 s still used trial division to factor numbers. "Mr. Landry, at the age of 82, after several months work in 1880 obtained the following result: 2 64 + 1 = 274177 67280421310721". Édouard Lucas, Récrétaions Mathématiques (1891) He may have used some tools to speed up his hand computation but the complexity of his method was still O( n). 11

Pollard s ρ factoring 1. x random number 2 n 1, y x, k 1 2. for i = 1, 2, 3, do: 3. x (x 2 1) mod n 4. d gcd(y x, n). 5. if d 1 and d n print d 6. if i = k then y x, k 2k. 12

Pollard s ρ factoring complexity The choice of polynomial x 2 1 is arbitrary (but e.g. x 1 or x 2 wouldn t work). This is an Heuristic method based on the birthday paradox. If a "match" occurs mod mod p, then it is caught by the gcd. Complexity O(n 1/4 ) non-deterministic. The best known deterministic factoring algorithms have the same complexity as this extremely simple algorithm! 13

First sub-exponential algorithms Most modern factoring algorithms attempt to find integers x and y such that x 2 y 2 (mod n) In case there s a 50 % chance that gcd(n, x y) will yield a factor of n. The algorithms generally consist of two stages. 1. Sieving step: Find "relations" (easily distributable) 2. Matrix step: Linear algebra phase (not easily distributable) 14

Factoring algorithms The development has followed the following path: CFRAC: Continued fraction algorithm (mid 70s) MPQS: Multiple Polynomial Quadratic Sieve (mid 80s) GNFS: General Number Field Sieve (mid 90s) GNFS is the current champion. There is no guarantee that it is the best possible algorithm! 15

GNFS complexity Current heuristic estimates place the complexity of GNFS at: O(e (1.9229+O(1)) ln(n)1/3 ln(ln(n)) 2/3 ) Where n is the number to be factored and we assume that it is a product of two large primes ("RSA number"). Note1: It is much easier to factor a random number than it is to factor a RSA number. With non-neglible probability it will be a prime and no factorization is necessary! Note2: GNFS starts to beat MPQS only after n > 2 500! 16

Elliptic Curve Method (ECM) A different approach is taken by the ECM algorithm, which is based on elliptic curves. Its complexity is: O(e ln(p) ln(ln(p))(1+o(1)) Where p n is the smallest factor. In other words, the complexity of ECM is related to the size of the component, not the size of the whole composite n. A good policy for factoring large random numbers is to start with ECM and then move to MPQS when we expect the remaining unfactored part to consist of large primes... 17

Discrete logarithm (DL) The task of finding the index of an element in a finite group. Example: in the multiplicative group of numbers modulo p, given a and the generator g, find the index x that satisfies g x a (mod p) If g is indeed the generator of the group, such x will always exist and is unique. Numerous public key algorithms are based on discrete log problem: Diffie- Hellman, ElGamal, DSA, ECDSA, etc.. 18

DL Example g = 3 is the smallest generator when p = 7. 3 0 = 1 mod 7 3 1 = 3 mod 7 3 2 = 2 mod 7 3 3 = 6 mod 7 3 4 = 4 mod 7 3 5 = 5 mod 7 3 6 = 1 mod 7 We see that the discrete logarithm of 6 with generator 3 is 3. 19

DL properties Discrete logs satisfy all the normal properties of logarithms: g a g b g a+b (1) g a /g b g a b (2) (g a ) b = (g b ) a g ab (3) g a g a 1 (4) Observation 3 is in fact at the heart of Diffie-Hellman key exchange.. 20

DL for groups The obvious trial division algorithm for a general group has O(n) complexity and is clearly not acceptable. However, a version exists of Pollard s ρ method which can be used to compute discrete logs in O( n) time. This is relatively straight-forward to derive. The method is (again) based on the birthday paradox. In fact Shoup proved in 1997 that no algorithm can be faster than this, if it is not allowed to utilize properties of the representation of the group. 21

Pollard s ρ DL The group G is partitioned into three sets S 1, S 2, S 3 of roughly equal size. We define a sequence x 1, x 2, as: x i+1 = β x i when x i S 1 x 2 i when x i S 2 α x i when x i S 3 Here α is the generator and β is the number of which discrete logarithm we are trying to determine. This sequence then defines two sequences of integers a i and b i satisfying x i = α a iβ b i. 22

Pollard s ρ DL (2) a i+1 = a i mod n when a i S 1 2a i mod n when a i S 2 a i + 1 mod n when a i S 3 and b i+1 = b i + 1 mod n when b i S 1 2b i mod n when b i S 2 b i mod n when b i S 3 Here n is the group size and a 0 = b 0 = 0. 23

Pollard s ρ DL (3) We use Floyd s cycle-finding algorithm (lecture 4) to find two group elements x i and x 2i such that x i = x 2i. Hence α a iβ b i = α a 2iβ b 2i, and it follows that β b i b 2i = α a 2i a i. Taking logs we get: (b i b 2i ) log α β (a 2i a i ) (mod n) This equation the quickly yields the discrete logarithm log α β. 24

More on Discrete Logs The problem of finding discrete logarithms in an elliptic curve group (ECDL) appears to be as hard as DL in general group; O( n) algorithms are the best known ones. However, this has not been proved. For the problem of finding DL in the group of integers modulo p more efficient methods exist, and they are based on the representation of the group. The methods (Index Calculus method, Number Field Sieve DL) are analogous to the best known factorization methods and their complexity roughly the same. Some algorithms (most notably DSA) are based on subgroup discrete logarithm method, where it is possible to use the general all-purpose DL algorithms in the subgroup, but also utilize the representation. DSA is designed to make the security margin against both of these attacks similar (1024-bit p, 160-bit subgroup). 25

Putting it all together Symmetric Hashes RSA Elliptic curve 56 112 417 112 64 128 682 128 80 160 1464 160 100 200 3137 200 Key sizes in each row correspond to each other in terms of security. Currently a 2048-bit RSA key, 128-bit AES key, 256-bit SHA256 hash and 256-bit elliptic curve fields are considered secure for all foreseeable future. Note: The security of the cryptosystem (as a whole) = the security of the weakest component. 26

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback