
A Comparative Analysis of the Possible Attacks on RSA Cryptosystem


Transcript

  • 1. International Journal of Electronics and Communication Engineering & Technology (IJECET), ISSN 0976 – 6464 (Print), ISSN 0976 – 6472 (Online), Volume 3, Issue 1, January-June (2012), pp. 92-97, © IAEME: www.iaeme.com/ijecet.html, Journal Impact Factor (2011): 0.8500 (Calculated by GISI), www.jifactor.com

    A COMPARATIVE ANALYSIS OF THE POSSIBLE ATTACKS ON RSA CRYPTOSYSTEM

    Varun Shukla*, Abhishek Choubey#
    * Research Scholar, RKDF-IST, RGPV, Bhopal
    # Head of Department of Electronics and Communication, RKDF-IST, RGPV, Bhopal
    1 abhishekchoubey84@gmail.com
    2 varun.shuklaa@gmail.com

    ABSTRACT

    In public-key or asymmetric cryptography, each individual has a pair of keys $(e, d)$, where $e$ is the public key and $d$ is the private key. The public key is used to encrypt the message sent, and the private key is used to decrypt the ciphertext (for the verification purpose). RSA [6] is frequently used in applications such as e-mail and e-banking, where the security of digital data is vital. Over the years, numerous attacks on RSA illustrating its present and potential vulnerability have drawn attention to the security issues of the RSA cryptosystem. We will investigate some attacks and will propose a new possible attack. Here is how RSA encryption and decryption work. To encrypt a message $M$ ($< N$), one must perform $C := M^e \bmod N$, and also $M := C^d = M^{ed} \bmod N$. Using the above property, breaking RSA means inverting the RSA function without any notion of $d$.

    Keywords: RSA, Private, Public, Remainder, ciphertext, plaintext

    INTRODUCTION

    Two Categories of Attacks on RSA:

    There is a fundamental method, to enumerate all elements in the multiplicative group of $N$ until $M$ is found, but this method results in an exponential running time, $O(n^e)$. Therefore, we prefer efficient algorithms with a comparatively lower running time. Over the past years of attacks on RSA, such efficient algorithms can be classified mainly into two categories: Mathematical Attacks and Implementation Attacks.
  • 2. Mathematical Attacks on RSA:

    Mainly, mathematical attacks focus on attacking the structure of the RSA function. The first intuitive attack is the attempt to factor the modulus $N$, because knowing the factorization of $N$, one may easily obtain $\Phi(N)$, from which $d$ can be determined by $d = 1/e \bmod \Phi(N)$. However, at present, the best fastest factoring algorithm runs in exponential time. Our objective is to survey RSA attacks that decrypt a message without directly factoring $N$.

    Elementary attacks:

    Elementary attacks tell us about the misuse of RSA, for example, selecting a common modulus $N$ to serve multiple users. Let's assume the same $N$ is shared by all users, and Alice is sending a message $M$ to Bob, which has been encrypted by the RSA function, $C = M^{e_b} \bmod N$. It may look as though another person cannot decrypt $C$, but that person is able to use his own keys, $e_m$ and $d_m$, to factor $N$ and in turn recover Bob's private key, $d_b$. So the resulting overall system is not secure.

    Small Private Key attacks:

    To improve RSA decryption performance in terms of running time, Alice might tend to use a small value of $d_a$ rather than a large random number. A small private key will indeed improve performance dramatically, but unfortunately, an attack posed by M. Wiener [5] shows that a small $d$ leads to a total collapse of the RSA cryptosystem. This break of RSA is based on Wiener's Theorem, which in general provides a lower constraint for $d$. So this idea is not feasible at all.

    Using Chinese Remainder Theorem:

    Suppose one chooses $d$ such that both $d_p = d \bmod (p - 1)$ and $d_q = d \bmod (q - 1)$ are small. Then a fast decryption of $C$ can be carried out as follows: first compute $M_p = C^{d_p} \bmod p$ and $M_q = C^{d_q} \bmod q$. Then use the CRT to compute the unique value $M \in \mathbb{Z}_N$ satisfying $M = M_p \bmod p$ and $M = M_q \bmod q$.

    Small Public Key Attacks:

    Similar to the private key preferences, to reduce encryption time, it is essential to use a small public key ($e$), but unlike the previous situation, attacks on small $e$ turn out to be much less effective. The most powerful attacks on small $e$ are based on Coppersmith's Theorem [3]. This theorem provides an algorithm for efficiently finding all roots of $N$ that are less than $x = N^{1/d}$. One example of applications based on this theorem is known as "Hastad's Broadcast Attack" [4], [1].

    Hastad's Broadcast Attack:

    Suppose Bob wishes to send an encrypted message $M$ to a number of parties $P_1, P_2, \ldots, P_k$. Each party has its own RSA key, $\langle N_i, e_i \rangle$. Hastad showed that a linear padding applied to $M$ prior to encryption is insecure, and furthermore, by eavesdropping one learns $C_i = f_i$
  • 3. $(M)^{e_i} \bmod N_i$ for $i = 1..k$; if enough parties are involved, one can recover the plaintext $M_i$ from all the ciphertexts. His discovery stands on the mathematical analysis of solving the system of equations $g_i(M) = 0 \bmod N_i$ (1). He proved that a system of univariate equations modulo relatively prime composites, such as (1), could be efficiently solved if sufficiently many such equations are provided.

    Implementation Attacks on RSA

    Securely implementing RSA is not a trivial task. Attacks falling into this category take on the implementation pitfalls of RSA cryptosystems. A clever attack posed by Kocher, known as "Timing Attacks" [2], is a typical example of attacks on the RSA implementation.

    Suppose a smartcard that stores a private RSA key is used, and an attacker is not able to examine its contents and expose the key. However, by precisely measuring the time it takes the smartcard to perform an RSA decryption, one can quickly discover the private decryption exponent $d$. This is referred to as "Timing Attacks". The attack can be mounted against a simple implementation of RSA that uses the "repeated squaring algorithm".

    The algorithm works as follows:

    Let $d = d_n d_{n-1} \ldots d_0$.
    Set $z$ equal to $M$ and $C$ equal to 1.
    For ($i = 0$ to $n$) do these steps:
      1. If $d_i = 1$, set $C$ equal to $C z \bmod N$.
      2. Set $z$ equal to $z^2 \bmod N$.
    At the end, $C$ has the value $M^d \bmod N$.

    To mount the attack, Marvin asks the smartcard to generate signatures on a large number of random messages $M_1, \ldots, M_k$ in the multiplicative group of $N$, and measures the time $T_i$ it takes the card to generate each of the signatures.

    The attack recovers the bits of $d$ one at a time. Since we knew that $d$ is prime, $d$ must be an odd number, thus the least significant bit $d_0$ must be 1. The following description illustrates how Marvin can actually find out what $d$ is bit by bit.

    One begins with the least significant bit, $d_0 = 1$.
    For $i = 2$ to $n$:
      If the measures on $\{t_i\}$ and $\{T_i\}$ are correlated, $d_i = 1$
  • 4.   else $d_i = 0$
    Finally, one can recover all $d_i$, where $i = 1, \ldots, n$.

    THE NEW PROPOSED ATTACK ALGORITHM:

    Here we address the million dollar question: is there a possible attack on the RSA cryptosystem other than factoring $n$? The answer is yes: there are a few methods that attack the RSA scheme without finding the factorization of the modulus $n$, but most of them carry some deficiencies.

    We will now prove the very interesting result that, as long as the exponent key $e$ is known, then $n$ can be factored in polynomial time by means of a randomized algorithm. Therefore we can say that computing this method is no easier than factoring $n$. However, this does not rule out the possibility of breaking the RSA cryptosystem without involving $e$. Notice that this result is of much more than theoretical interest.

    In this paper we propose a method for breaking the RSA scheme based on knowledge of the public key $(e, n)$. This method will work efficiently if the exponent key $e$ . It is possible to recover the entire private exponent $d$ and therefore factor the modulus $n$.

    Algorithm: The steps are in this manner

      1. Find the entity's public key A $(e, n)$.
      2. Change the modulus $n$ into its binary equivalent.
      3. The number of bits in $n$ is equal to $b$.
      4. Calculate $d = b / 4$.
      5. Find $ed \equiv 1 + k(n - s - 1) \bmod 2^b$.
      6. Repeat $k$ from 1 to $e$ until $p^2 - s \cdot p + n \equiv 0 \bmod 2^b$ is true.
         And calculate $ed \equiv 1 + k(n - s + 1) \bmod 2^d$.
         Also calculate $p^2 - s \cdot p + n \equiv 0 \bmod 2^d$.
      7. Find $p_0 \equiv p \bmod 2^d$.
      8. Find $q_0 \cdot p_0 \equiv n \bmod 2^d$.
      9. Find $\theta(n)$ by computing: $n \equiv (2^d x + p_0)(2^d y + q_0)$, $p = (2^d x + p_0)$, $q = (2^d x + q_0)$. So $\theta(n) = (p - 1)(q - 1)$.
      10. Finally $d = e \cdot d - k \cdot \theta(n) = 1$.

    Example
  • 5.
      1. Suppose that the public key is $(e = 23, n = 1633)$.
      2. Convert $n$ into its binary equivalent, i.e. $(11001100001)_2$.
      3. $b = 11$
      4. $d = 11 / 4 = 3$
      5. $(e = 23) \cdot d \equiv 1 + k\,((n = 1633) - s + 1) \bmod (2^b = 8)$
         $69 \equiv 1 + k(1634 - s) \pmod 8$
         $69 \bmod 8 = 5$
         Now, $5 \equiv 1 + k(1634 - s) \pmod 8$
         $4 \equiv k(1634 - s) \pmod 8$
      6. For $k = 1$ to 23 do
         (a) $4 \equiv 1 \cdot (1634 - s) \pmod 8$
             $s \equiv (1634 - 4) \pmod 8$
             $s = 1630 \bmod 8$
             $s = 6$
         (b) $p^2 - (s = 6) \cdot p + (n = 1633) \equiv 0 \bmod (2^d = 8)$
             $p^2 - 6p + 1633 \equiv 0 \bmod 8$
             $p^2 - 6p \equiv -1633 \bmod 8$
             $p^2 - 6p \equiv 7 \bmod 8$
             $7^2 - 6 \cdot 7 \equiv 7 \bmod 8$
             $49 - 42 \equiv 7 \bmod 8$
             $7 \bmod 8 \equiv 7 \bmod 8$
             So $p = 7$.
             It means $p^2 - (s = 6) \cdot p + (n = 1633) \equiv 0 \bmod (2^b = 8)$ holds true.
             So as a result, the loop must be stopped.
      7. $p_0 \equiv (p = 7) \pmod{2^d = 8}$
         $p_0 \equiv 7$
      8. $q_0 \cdot (p_0 = 7) \equiv (n = 1633) \bmod (2^d = 8)$
         $7 q_0 \equiv 1633 \bmod 8$
  • 6.
         $7 q_0 \equiv 1 \bmod 8$, and the inverse of 7 mod 8 is 7
         $q_0 \equiv 7 \bmod 8$
         So $q_0 \equiv 7$.
      9. Find $\theta(n)$:
         $n \equiv (2^d x + p_0)(2^d y + q_0)$
         $1633 \equiv (8x + 7)(8y + 7)$
         $1633 \equiv (8 \cdot 2 + 7)(8 \cdot 8 + 7)$
         $1633 \equiv (23)(71)$
         $1633 \equiv 1633$
         So $x = 2$ and $y = 8$.
         That means $p = 23$, $q = 71$.
         $\theta(n) = (23 - 1)(71 - 1)$
         $\theta(n) = 1540$
      10. $(e = 23) \cdot d - (k = 1) \cdot (\theta(n) = 1540) \equiv 1$
          $23d \equiv 1541$
          $d = 67$ (by the multiplicative inverse method)

    REFERENCES

    [1] M. BELLARE and P. ROGAWAY, Optimal asymmetric encryption, EUROCRYPT '94, Lecture Notes in Computer Science, vol. 950, Springer-Verlag, Berlin and New York, 1994, pp. 92-111.
    [2] P. KOCHER, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, CRYPTO '96, Lecture Notes in Computer Science, vol. 1109, Springer-Verlag, 1996, pp. 104–113.
    [3] D. BONEH, Twenty Years of Attacks on the RSA Cryptosystem, http://www.ams.org/notices/199902/boneh.pdf
    [4] J. HASTAD, Solving simultaneous modular equations of low degree, SIAM J. Comput. 17 (1988), 336–341.
    [5] M. WIENER, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990).
    [6] C. KAUFMAN, R. PERLMAN, "Network Security: private communication in a public world", 2nd edition, Prentice Hall PTR, 2002.
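The repeated squaring algorithm from the Implementation Attacks section, as an added Python example that is not code from the paper: it counts modular multiplications to show that step 1 runs once per set bit of $d$, which is the data-dependent work a timing measurement observes, next to a Montgomery ladder that performs the same two operations for every bit. The function names are assumptions of this example, 1633 and 67 are the paper's worked-example modulus and exponent, and Python integers are not constant-time, so the ladder illustrates the operation schedule only.

```python
# Added illustration (not from the paper): operation counts of the paper's
# repeated squaring algorithm versus a fixed-schedule Montgomery ladder.
# Python integers are not constant-time; only the operation schedule is shown.

def repeated_squaring(M, d, N):
    """Right-to-left algorithm from the text: returns (M^d mod N, multiplies)."""
    z, C, multiplies = M % N, 1, 0
    while d:
        if d & 1:                    # step 1: executed only when d_i = 1
            C = (C * z) % N
            multiplies += 1
        z = (z * z) % N              # step 2: executed for every bit
        d >>= 1
    return C, multiplies

def montgomery_ladder(M, d, N, bits):
    """One multiply and one square per bit, for a fixed number of bits."""
    r0, r1, ops = 1, M % N, 0
    for i in reversed(range(bits)):
        if (d >> i) & 1:
            r0, r1 = (r0 * r1) % N, (r1 * r1) % N
        else:
            r1, r0 = (r0 * r1) % N, (r0 * r0) % N
        ops += 2
    return r0, ops

def operation_counts(exponents, M, N):
    """Map each exponent to (data-dependent multiplies, ladder operations)."""
    bits = N.bit_length()            # same loop length for every exponent
    return {d: (repeated_squaring(M, d, N)[1],
                montgomery_ladder(M, d, N, bits)[1]) for d in exponents}

if __name__ == "__main__":
    N = 1633                         # modulus from the paper's worked example
    # 67 is the paper's private exponent; 1023 and 1024 are constructed
    # exponents with many and few set bits, used only for comparison.
    for d, counts in operation_counts([67, 1023, 1024], 5, N).items():
        print(f"d={d:4d} ({d:011b}) multiplies={counts[0]:2d} ladder_ops={counts[1]}")
```

A production implementation would also need constant-time modular arithmetic and, commonly, blinding of the input; neither is modelled here.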
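CRT decryption as described under "Using Chinese Remainder Theorem", as an added Python example that is not from the paper, run on the key from the paper's worked example ($p = 23$, $q = 71$, $e = 23$, $d = 67$). The function names and the Garner-style recombination step are choices of this example.

```python
# Added illustration: RSA decryption through the CRT, using the toy key from
# the paper's worked example. Function names are assumptions of this example.

P, Q, E, D = 23, 71, 23, 67          # values taken from the paper's example
N = P * Q                            # 1633

def crt_parameters(p, q, d):
    """Precompute the reduced exponents d_p, d_q and q^{-1} mod p."""
    return d % (p - 1), d % (q - 1), pow(q, -1, p)

def crt_decrypt(c, p, q, d):
    """Return M with M = M_p mod p and M = M_q mod q (unique in Z_N)."""
    d_p, d_q, q_inv = crt_parameters(p, q, d)
    m_p = pow(c, d_p, p)             # M_p = C^{d_p} mod p
    m_q = pow(c, d_q, q)             # M_q = C^{d_q} mod q
    h = (q_inv * (m_p - m_q)) % p    # Garner recombination
    return m_q + h * q

def check_all_messages():
    """Compare CRT decryption with direct C^d mod N for every M < N."""
    for m in range(N):
        c = pow(m, E, N)
        recovered = crt_decrypt(c, P, Q, D)
        if recovered != pow(c, D, N) or recovered != m:
            return False
    return True

if __name__ == "__main__":
    print(crt_parameters(P, Q, D))   # reduced exponents and q^{-1} mod p
    print(check_all_messages())
```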
