Partial Key Exposure: Generalized Framework to Attack RSA

Similar documents
Algorithmic Number Theory and Public-key Cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

A New Attack on RSA with Two or Three Decryption Exponents

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

A new attack on RSA with a composed decryption exponent

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

New attacks on RSA with Moduli N = p r q

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions

Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side

Fault Attacks Against emv Signatures

On the Security of Multi-prime RSA

New Partial Key Exposure Attacks on RSA

New Partial Key Exposure Attacks on RSA

Protecting RSA Against Fault Attacks: The Embedding Method

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

PSS Is Secure against Random Fault Attacks

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

Efficient RSA Cryptosystem with Key Generation using Matrix

RSA. Ramki Thurimella

Practical Fault Countermeasures for Chinese Remaindering Based RSA

Better Algorithms for MSB-side RSA Reconstruction

Cryptanalysis of Unbalanced RSA with Small CRT-Exponent

Lattice-Based Fault Attacks on RSA Signatures

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Partial Key Exposure Attacks on RSA Up to Full Size Exponents

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture V : Public Key Cryptography

Cryptography. pieces from work by Gordon Royle

dit-upm RSA Cybersecurity Cryptography

Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem

RSA RSA public key cryptosystem

NUMBER THEORY AND CODES. Álvaro Pelayo WUSTL

Discrete Mathematics GCD, LCM, RSA Algorithm

Public Key Cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

RSA Cryptosystem and Factorization

Public Key Algorithms

Encryption: The RSA Public Key Cipher

CS March 17, 2009

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Implementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

An Approach Towards Rebalanced RSA-CRT with Short Public Exponent

COMP4109 : Applied Cryptography

Public Key Cryptography

CIS 551 / TCOM 401 Computer and Network Security

Math 412: Number Theory Lecture 13 Applications of

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Another Generalization of Wiener s Attack on RSA

Asymmetric Encryption

PROPERTIES OF THE EULER TOTIENT FUNCTION MODULO 24 AND SOME OF ITS CRYPTOGRAPHIC IMPLICATIONS

Introduction to Modern Cryptography. Benny Chor

Further Results on Implicit Factoring in Polynomial Time

The security of RSA (part 1) The security of RSA (part 1)

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Number Theory & Modern Cryptography

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

New RSA Vulnerabilities Using Lattice Reduction Methods

Twenty Years of Attacks on the RSA Cryptosystem

Cryptanalysis via Lattice Techniques

A Partial Key Exposure Attack on RSA Using a 2-Dimensional Lattice

ICS141: Discrete Mathematics for Computer Science I

Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

New Partial Key Exposure Attacks on RSA Revisited

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Correcting Errors in Private Keys Obtained from Cold Boot Attacks

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

How to Generalize RSA Cryptanalyses

THE RSA CRYPTOSYSTEM

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key Perturbation of Randomized RSA Implementations

An Overview of Homomorphic Encryption

Applications of Lattice Reduction in Cryptography

Comparing With RSA. 1 ucl Crypto Group

Introduction to Public-Key Cryptosystems:

Mathematics of Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

A new lattice construction for partial key exposure attack for RSA

Gurgen Khachatrian Martun Karapetyan

Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

10 Public Key Cryptography : RSA

Public Key Cryptography

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Partial Hiding in Public-Key Cryptography

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Transcription:

Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011

Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure attacks on RSA and Factorization 3 Our Work on partial key exposure attack 4 ISO/IEC 9796-2 standard signature scheme 5 Analysis of ISO/IEC 9796-2 standard signature scheme

RSA Public Key Cryptosystem Invented by Rivest, Shamir and Adleman in 1977 Most popular public key cryptosystem Used in various Electronic commerce protocols

RSA in a Nutshell Key Generation Choose big primes p,q at random (generally the primes are considered to be of same bit size) Compute RSA modulus N = pq, and φ(n) = (p 1)(q 1) Find a pair e,d such that ed = 1 + kφ(n) with k 1 Publish N, e and keep d private Encryption: C M e mod N Decryption: M C d mod N

Partial Key Exposure Attacks In Crypto 1996, Kocher proposed timing attack on RSA. Given d = t=? {}}{ 10010101... 001010......010010101001001, find the bound on t such that knowing t bits of d yields the factors of N.

Partial Key Exposure Principle: The fault does not lie in the RSA algorithm, but may reside within its implementation! Currently known techniques: Timing attacks Power monitoring attacks TEMPEST (or radiation monitoring) attacks Acoustic cryptanalysis Differential fault analysis Observation, Sneaking, Reflection attacks

Factorization: Existing Results Rivest and Shamir (Eurocrypt 1985) N can be factored given 2/3 of the LSBs of a prime 1001010100 10100100101010010011 {}}{ Coppersmith (Eurocrypt 1996) N can be factored given 1/2 of the MSBs of a prime {}}{ 100101010010100 100101010010011 Boneh et al. (Asiacrypt 1998) N can be factored given 1/2 of the LSBs of a prime 100101010010100 { 100101010010011 }}{ Herrmann and May (Asiacrypt 2008) N can be factored given a random subset of the bits (small contiguous blocks) in one of the primes 100 1010100 {}}{ 10100 { 1001010100 }}{ 10011

Partial Key Exposure Attacks on RSA Boneh et al (Asiacrypt 1998) studied how many bits of d need to be known to factor the RSA modulus N. [The constraint in the work of Boneh et al was e < N] In Crypto 2003, Blömer and May improved the bound: e < N 0.725 Ernst et al (Eurocrypt 2005) further improved the bound: e may be of size O(N)

Question What if few contiguous blocks of the d are unknown? t 1 =? {}}{{}}{ d = 1001... 011001101... 1010 10...... 01001 0101... 1001 t 2

Our first result Theorem Let e be O(N) and d N δ. Suppose the bits of d are exposed except n many blocks, each of size γ i log N bits for 1 i n. Then one can factor N in polynomial in log N but exponential in n time if n 1 γ i < 1 2(n + 2) n + 1 4δ + 1 + 4δ 2(n + 2) n + 1. i=1

Idea of the proof d is unknown for n many blocks One can write d = a 0 + a 1 y 1 +... + a n y n, where y 1,y 2,...,y n are unknown ed = 1 + k(n + 1 p q) ea 0 + ea 1 y 1 +... + ea n y n 1 k(n + 1 p q) = 0 We are interested to find the root of the polynomial f (x 1,...,x n+1,x n+2 ) = ea 0 + ea 1 x 1 +... + ea n x n 1 + Nx n+1 + x n+1 x n+2. f (y 1,...,y n, k,1 p q) = 0

Numerical value δ n = 1 n = 2 n = 3 n = 4 0.30 0.275 0.270 0.267 0.266 0.35 0.246 0.240 0.237 0.234 0.40 0.219 0.211 0.207 0.205 0.45 0.192 0.183 0.179 0.176 0.50 0.167 0.157 0.152 0.148 0.55 0.142 0.131 0.125 0.122 0.60 0.118 0.106 0.100 0.096 0.65 0.095 0.082 0.075 0.071 0.70 0.073 0.059 0.051 0.047 0.75 0.051 0.036 0.028 0.023 0.80 0.030 0.014 0.005 0.000 Table: Numerical upper bound of unknown bits of d for different n.

Asymptotic Case Lemma Let e be full bit size and d N δ with δ < 0.75. Then knowledge of ( ) 1 + 4δ δ + 1 log N 2 many bits of d is sufficient to factor N in time polynomial in log N and exponential in number of unknown blocks of d.

Asymptotic Case 1.0 0.8 Value of f(δ). 0.6 0.4 0.2 0.0 0.30 0.35 0.40 0.45 0.50 0.55 0.60 0.65 0.70 0.75 Value of δ. Figure: Partial Key Exposure Attack for d. Plot of f (δ) = 1 + 1+4δ 2δ vs. values of δ. 1 δ

Experimental Results n δ n γ i LD Time (Sec.) i=1 2 0.30 0.200 55 99.69 2 0.35 0.145 55 107.94 2 0.40 0.095 55 114.12 2 0.45 0.060 55 122.82 2 0.50 0.045 55 114.23 2 0.55 0.010 55 99.68 3 0.30 0.195 91 911.31 3 0.35 0.140 91 901.11 3 0.40 0.090 91 1002.15 3 0.45 0.040 91 914.22 Table: Experimental results for n = 2 and n = 3 with 1024 bit N.

Partial information of k When d 0 known, ed = 1 + k(n + 1 p q) and d = d 0 + d 1 We can estimate for k as: k 0 = ed 0 1 N Accuracy: If d d 0 < N γ, we will have k k 0 < 4N λ where λ = max{γ,δ 1 2 }. We use partial information of k in our second result

Numerical values λ = 0.25 δ γ 1 2 i=1 γ i 3 i=1 0.30 0.1424 0.1408 0.1400 0.40 0.1424 0.1408 0.1400 0.60 0.1424 0.1408 0.1400 0.75 0.1424 0.1408 0.1400 0.80 0.1101 0.1092 0.1087 0.85 0.802 0.0797 0.0794 0.90 0.0521 0.0519 0.0518 0.95 0.0255 0.0254 0.0254 Table: Numerical upper bound of unknown bits of d for different n using the partial knowledge of k. γ i

Signature scheme: CRT-RSA CRT-RSA is used to devise one of the most popular digital signature schemes 1 s p = m dp mod p 2 s q = m dq mod q Signature s can be computed using CRT with s p and s q Fault in s q gcd(s e m,n) = p

ISO/IEC 9796-2 signature scheme Encoded message: µ(m) = 6A 16 m[1] H(m) BC 16, where m = m[1] m[2] is split into two parts, m[2] is data Signature: ( µ(m) d mod N,m[2] ) Faulty signatures s such that 1 s e = µ(m) mod p 2 s e µ(m) mod q Coron et al. (CHES 2010): Unknown part is small, one can factor N They also consider two faulty signatures occur for two different primes

Our Result: Two faulty signature Two faulty signatures s 1,s 2 such that 1 s e 1 = µ(m 1) mod p and s e 1 µ(m 1) mod q 2 s e 2 µ(m 2) mod p and s e 2 = µ(m 2) mod q We get the upper bound N 0.30 of unknownn part Coron et al. obtained the upper bound N 0.167

Experimental Results log N Unknown: m[1] H(m) LD Time (Sec) 1024 74 160 36 21.71 2048 278 160 36 98.18 2048 180 256 36 95.05 Table: Experimental results when two faults occur with p and q. In first two case previous bound was 12 and 182.

Summary We consider the partial key exposure attack on RSA Existing results: single contiguous block of unknown bits of the secret exponent we study partial key exposure attacks on RSA where the number of unexposed blocks in the decryption exponent is more than one We also study an ISO/IEC 9796-2 standard signature scheme with two faulty signatures for different primes

Open Problem Need to study the factorization of N with more than 2 signatures, some are faulty modulo p and others faulty modulo q

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback