In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Similar documents
Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

RSA RSA public key cryptosystem

The security of RSA (part 1) The security of RSA (part 1)

CSE 521: Design and Analysis of Algorithms I

COMP4109 : Applied Cryptography

CIS 551 / TCOM 401 Computer and Network Security

On the Security of Multi-prime RSA

Cryptanalysis via Lattice Techniques

Cryptography. pieces from work by Gordon Royle

Math 430 Midterm II Review Packet Spring 2018 SOLUTIONS TO PRACTICE PROBLEMS

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

CPSC 467b: Cryptography and Computer Security

Lecture 22: RSA Encryption. RSA Encryption

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Partial Key Exposure: Generalized Framework to Attack RSA

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Introduction to Public-Key Cryptosystems:

Elementary Number Theory MARUCO. Summer, 2018

Iterated Encryption and Wiener s attack on RSA

Lecture Notes, Week 6

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Numbers. Çetin Kaya Koç Winter / 18

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

CRYPTOGRAPHY AND NUMBER THEORY

CPSC 467b: Cryptography and Computer Security

Public-Key Cryptosystems CHAPTER 4

RSA. Ramki Thurimella

Algorithmic Number Theory and Public-key Cryptography

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

ASSIGNMENT Use mathematical induction to show that the sum of the cubes of three consecutive non-negative integers is divisible by 9.

One can use elliptic curves to factor integers, although probably not RSA moduli.

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Discrete Mathematics GCD, LCM, RSA Algorithm

Attacks on RSA & Using Asymmetric Crypto

Introduction to Modern Cryptography. Benny Chor

Exercise Sheet Cryptography 1, 2011

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

A New Attack on RSA with Two or Three Decryption Exponents

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

Applications of Lattice Reduction in Cryptography

New Partial Key Exposure Attacks on RSA Revisited

Public Key Cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Week 7 An Application to Cryptography

THE RSA CRYPTOSYSTEM

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

5199/IOC5063 Theory of Cryptology, 2014 Fall

10 Public Key Cryptography : RSA

Mathematics of Cryptography

1 Number Theory Basics

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Introduction to Cybersecurity Cryptography (Part 5)

8.1 Principles of Public-Key Cryptosystems

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

CPSC 467b: Cryptography and Computer Security

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Lecture 6: Introducing Complexity

Question: Total Points: Score:

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009)

A new attack on RSA with a composed decryption exponent

A new security notion for asymmetric encryption Draft #12

MATH 158 FINAL EXAM 20 DECEMBER 2016

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Cryptography: Joining the RSA Cryptosystem

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

9 Knapsack Cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Public Key Algorithms

Topics in Cryptography. Lecture 5: Basic Number Theory

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

RSA Encryption. Computer Science 52. Encryption: A Quick Overview. Spring Semester, 2017

CPSC 467: Cryptography and Computer Security

Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

New attacks on RSA with Moduli N = p r q

Introduction to Cryptography. Lecture 6

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Mathematics of Public Key Cryptography

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Cryptography IV: Asymmetric Ciphers

Clock Arithmetic and Euclid s Algorithm

Cryptography: A Fairy Tale for Mathematicians and Starring Mathematicians!

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Lecture 1: Introduction to Public key cryptography

Basic elements of number theory

14 Diffie-Hellman Key Agreement

Basic elements of number theory

2 More on Congruences

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e

Number Theory and Algebra: A Brief Introduction

Math 299 Supplement: Modular Arithmetic Nov 8, 2013

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Transcription:

Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is N, e. Private key is d. Encipher m as c = m e mod N. Decipher c as m = c d mod N. 1. RSA problem: Given N, e, c, find m. 2. Compute d: Given N, e, find d. 3. Factor N: Given N, find p and q. Clearly, 3 2 1. In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer. 1

Relax the problems. Assume we know some hint about p or q or d, either because they are limited or we have an oracle for them.. Coppersmith proved that if f(x) is a monic polynomial and p is an unknown factor of a given integer N, then one can find all small solutions x to f(x) 0 (mod p) quickly via LLL. 2

Let N = pq, where p > q. Suppose we know N and a bit more than half of the high-order bits of p. (Oracle or limit on p.) Specifically, suppose we are give p with p p < N 1/4. Let f(x) = x + p. Then x 0 = p p is a small zero of f(x) 0 (mod p) so we can find it with Coppersmith s method. Define polynomials for i = 0 to h-1 by f i (x) = N h i f i (x) = N h i (x+ p) i f h+i (x) = x i f h (x) = x i (x+ p) h. Then p h divides all f i (x 0 ), i = 0, 1,..., 2h 1. Let X = N 1/4 ǫ. 3

The coefficient vector of a polynomial h(x) = a 0 + a 1 x + a 2 x 2 + a n x n is the vector v = (a 0,a 1,...,a n ). Define a lattice L of dimension 2h by the basis of coefficient vectors of f i (xx). Apply LLL to get a reduced basis, including a shortest vector v = the coefficient vector of a polynomial g(xx). We have g(x 0 ) < p h and p h divides g(x 0 ). Therefore, g(x 0 ) = 0. Solve g(x) = 0 in integer x. Then p = x 0 + p. 4

Another result of Coppersmith is that one can find all of a message m, provided one knows 2/3 of its bits and e = 3. This might happen when m is a standard message, like, The password for today is wxyz. We are given N, c = m 3 mod N and m with m m < N 1/3. We must find m. Write m = m + x 0, where x 0 < N 1/3. Then we must find a small root (x = x 0 ) of f(x) = (( m+x) 3 m 3 ) mod N. This is done with the same technique just discussed. 5

In a similar way, one can find d, given N and e provided d is small, say, 0 < d < N 1/4. Write ed = 1+kφ(N). Since φ(n) = N (p+ q)+1, we can write φ(n) = N z with z < a small multiple of N. This leads to ed kn kz 1 = 0. Since kz is much smaller than ed or kn, we have e/n k/d. Continued fractions allow us to recover k and d from e and N when d < N 1/4. Rewrite ed kn kz 1 = 0 as kn + kz + 1 0 (mod e). A variation of Coppersmith s method using lattices and LLL lets one find solutions to this congruence with z near N and k near N α for α up to about 0.29. 6

Now suppose that the same message is encrypted with RSA and sent to k receivers, each with different RSA moduli, but with the same (small) enciphering exponent e. An eavesdropper would know the k public moduli N 1,..., N k and the k ciphertexts c i = m e mod N i for 1 i k. If two N i were not relatively prime, then the eavesdropper could factor both of them (since they could have only one of their two prime factors in common), compute both d and decipher c to get m. And if every pair of N i were relatively prime, then the eavesdropper could use the CRT to compute m e modulo the product of all k moduli. If the value of m e is less than this product, then it can be computed. Finally, m can be computed by taking the e-th root of the integer m e. A special case is e = 3. 7

We now show that computing d in RSA is equivalent to factoring N. Clearly, one can compute d quickly given the factors of N. It is easy to see that we can factor N given N and φ(n) by solving a quadratic equation. We show that one can find φ(n) quickly from N, e and d. Since φ(n) = N (p + q) + 1 and p q, the polynomial f(x) = N x mod φ(n) has a root x 0 = p + q 1 of size 2N 1/2. We don t know φ(n), but we do know that it divides M = ed 1 and that M < N 2. The LLL algorithm quickly computes all roots x 0 with x 0 < 2N 1/2. 8

Here is a simpler way to see that one can factor N given e and d. Recall that ed 1 (mod φ(n)). Therefore, ed 1 = kφ(n) for some integer k. If we let r = ed 1, then whenever gcd(a,n) = 1 we have a r = a ed 1 = ( a φ(n)) k 1 (mod N) by Euler s theorem. Note that r is even because φ(n) is even for n > 2. Now write r = 2 s d with d odd. Choose a random a in 1 < a < N 1. If gcd(a,n) > 1, then N has been factored and we are done. Otherwise, compute b i = a 2id mod N for 0 i s. We know that b s = a r mod N = 1 by the congruence above. 9

If for some 0 < i s we have b i = 1 but b i 1 ±1 (mod N), then gcd(b i 1 1,N) is a proper factor of N. If there is no such i, try a different random a. The reason this works is that b 2 i 1 1 (mod N), but b i 1 ±1 (mod N), so gcd(b i 1 1,N) is a proper factor of N by an earlier theorem. In fact, each random a leads to a factorization of N with probability at least 1/2. 10

Timing Attack on RSA This insidious attack was discovered by Kocher and apply to nearly all cryptographic algorithms whose execution time depends on the input value. In order to perform the attack, you must be able to observe a cipher program running on your computer and make precise measurements of the time it takes to run on various inputs. You must also know the input value and the parameters of the cryptographic algorithm other than the secret key. Someone with an account on the victim s machine and who could observe incoming packets could easily obtain the required information. 11

Let us use RSA as a simple example of a timing attack. The victim has modulus n, enciphering exponent e and deciphering exponent d. The latter is secret, while n and e are public. The victim receives ciphertext messages C and deciphers them by computing M = C d mod n. Let d = k i=0 b i 2 i be the binary representation of d. The attacker records many ciphertexts C j and the time t j needed to decipher each. He deduces d one bit at a time, from b 0 to b k. This is the order in which the bits are used in the fast exponentiation algorithm. Assume that the first r bits have been computed. 12

[Fast Exponentiation for RSA Deciphering] Input: A modulus n, an exponent d 0 and a ciphertext C. Output: The value M = C d. t = d M = 1 z = C while (t > 0) { if (t is odd) M = Mz mod n z = z 2 mod n t = t/2 } return M 13

Let us suppose that the operation M = Mz mod n takes longer for some pairs M,z than for other pairs and that the attacker can measure the execution time of the algorithm accurately enough to notice the difference. Because the first r bits of d have been computed, the attacker can perform the first r iterations of the while loop for input C j and measure its time c j precisely. The attacker can also measure the precise time d j the operation M = Mz mod n would take, if it were done. He knows whether this particular modular multiplication is fast or slow compared to the time for average pairs M,z. 14

Using a formula from statistics, he can predict whether b r is 0 or 1. He compares the two variances v 1 = Var(t j c j ) and v 2 = Var(t j c j d j ). If v 1 > v 2, the bit b r is probably 1; but if v 1 < v 2, then b r is probably 0. For if the multiplication occurs, it is reasonable to assume that the time d j it takes and the time t j c j d j for the part of the fast exponentiation after it are mutually independent, so v 1 = Var(t j c j ) = Var(t j c j d j )+Var(d j ) v 1 > Var(t j c j d j ) = v 2. But if the multiplication does not occur, then the time d j it takes and the time t j c j for the part of the fast exponentiation after it are mutually independent, so v 2 = Var(t j c j d j ) = Var(t j c j )+Var( d j ) v 2 > Var(t j c j ) = v 1. 15

If a mistake is made, then no further significant differences between v 1 and v 2 will appear for larger r. In that case, the attacker will notice the error, back up and correct it. 16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback