Crypto lecture PDF


  1. Cryptography and attacks (or how to start WWIII with your home computer). Ari Trachtenberg
  2. Alice → Bob, with Marvin (the eavesdropper) in between: “Dear Bob, blah, blah, blah,... gushy romantic nonsense... serious demands... you look like Superman... Alice”
  3. • Caesar cipher (shift by 3): a b c d e f g h i j k l m n o p q r s t u v w x y z → D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
     • al-Kalka-shandi (1412): transposition, substitution (h => g, e => f, l => q, o => r; hello -> gfqqr)
     • German Enigma machine (WWII)
     • Number theoretic schemes: “It is not possible to justify the life of any genuine professional mathematician on the ground of the utility of his work.” – G.H. Hardy, A Mathematician’s Apology
  4. • Rot-13: hello → uryyb
     • Permutation (h => g, e => f, l => q, o => r): hello → gfqqr
     • Binary XOR (each letter as a 5-bit value, a = 1):
         plaintext  h     e     l     l     o
                    01000 00101 01100 01100 01111
         random     10010 10111 00010 10101 00111
         result     11010 10010 01110 11001 01000
                    z     r     n     y     h
  5. • shift cipher
     • substitution cipher
     • Vigenère cipher
     • DES
     • Triple DES
  6. Table of Contents
     • Introduction
       – review of number theory
       – review of RSA
       – security of RSA: the basis
     • Computational attacks
       – “intuitively obvious” attacks
       – bad choice of primes
       – Netscape’s bug
     • Implementation attacks
       – timing attacks
       – random faults (to err is not computer-like)
     • Conclusions
       – how to implement a “secure” RSA cryptosystem
  7. (the basis of RSA)
  8. With one shared secret key per pair: 6 people: 15 keys! 10,000 people: 49 million keys!
  9. Alice → Bob, surrounded by many other BOBs: “Dear Bob, blah, blah, blah,... do you like cs... what is 0.5 in binary... let’s go out... Alice”
  10. Modulo: $3 \equiv 15 \equiv 27 \equiv \ldots \pmod{12}$; $a \equiv b \pmod m \Leftrightarrow \exists k \text{ s.t. } a + km = b$
      Inverses: $3 \cdot 7 \equiv 1 \pmod{10}$; $a a^{-1} \equiv 1 \pmod m \Rightarrow \exists k \text{ s.t. } a a^{-1} + km = 1$
      Euler’s phi function: $\varphi(n)$ = number of integers $< n$ that are relatively prime to $n$; $\varphi(n) = n \prod_{d \mid n} \left(1 - \frac{1}{d}\right)$, the product running over the primes $d$ dividing $n$; hence $\varphi(p) = p - 1$ and $\varphi(pq) = (p - 1)(q - 1)$ for distinct primes $p, q$
  11. Order: $\mathrm{ord}(a) \pmod n$ is the smallest $t$ s.t. $a^t \equiv 1 \pmod n$; $\mathrm{ord}(3) \pmod{10} = 4$
      Euler’s theorem: $\forall a$ coprime to $n$, $a^{\varphi(n)} \equiv 1 \pmod n$
      Euclid’s algorithm: given $x$ and $y$, we can find $A$ and $B$ such that $Ax + By = \gcd(x, y)$
      Discrete logarithm theorem: $g^x \equiv g^y \pmod n \Leftrightarrow x \equiv y \pmod{\varphi(n)}$ (for $g$ of order $\varphi(n)$)
  12. Chinese Remainder Theorem: given $n = n_1 n_2 n_3 \cdots n_k$ with pairwise coprime $n_i$, there is a one-to-one correspondence $a \leftrightarrow (a_1, a_2, a_3, \ldots, a_k)$, $a \in \mathbb{Z}_n$, $a_i \equiv a \pmod{n_i}$, $a_i \in \mathbb{Z}_{n_i}$.
      Example: $63 \pmod{390}$ with $390 = 13 \cdot 10 \cdot 3$:
      $63 \pmod{390} \to 63 \pmod{13} = 11,\ 63 \pmod{10} = 3,\ 63 \pmod 3 = 0$
      $m_1 = 10 \cdot 3 = 30,\ m_1^{-1} \equiv 10 \pmod{13}$; $m_2 = 13 \cdot 3 = 39,\ m_2^{-1} \equiv 9 \pmod{10}$; $m_3 = 13 \cdot 10 = 130,\ m_3^{-1} \equiv 1 \pmod 3$
      $11 \cdot 30 \cdot 10 = 3300$; $3 \cdot 39 \cdot 9 = 1053$; $0 \cdot 130 \cdot 1 = 0$; $3300 + 1053 + 0 \equiv 63 \pmod{390}$
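The CRT reconstruction on this slide in code, as an added example that is not from the lecture: it follows the slide's recipe ($m_i$, $m_i^{-1} \pmod{n_i}$, sum) for any list of pairwise coprime moduli and reproduces the $63 \pmod{390}$ case. Assumes Python 3.8+ for the modular inverse via `pow(x, -1, m)`.

```python
from math import prod

def split(a, moduli):
    """a -> (a_1, ..., a_k) with a_i = a (mod n_i)."""
    return [a % n_i for n_i in moduli]

def crt(residues, moduli):
    """(a_1, ..., a_k) -> a (mod n_1 * ... * n_k), the slide's recipe:
    m_i = n / n_i, weight each residue by m_i * m_i^{-1} (mod n_i), sum."""
    n = prod(moduli)
    total = 0
    for a_i, n_i in zip(residues, moduli):
        m_i = n // n_i
        m_inv = pow(m_i, -1, n_i)      # fails loudly if moduli are not coprime
        total += a_i * m_i * m_inv     # the slide's 11*30*10, 3*39*9, 0*130*1
    return total % n

if __name__ == "__main__":
    mods = [13, 10, 3]                 # 390 = 13 * 10 * 3, as on the slide
    parts = split(63, mods)
    print(parts, crt(parts, mods))     # [11, 3, 0] 63
```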
  13. RSA. Bob’s initialization:
      • pick $N_{Bob} = pq$
      • pick public key $e_{Bob}$
      • find secret key $d_{Bob}$ with $e_{Bob} d_{Bob} \equiv 1 \pmod{(p-1)(q-1)}$
      • public info: $(e_{Bob}, N_{Bob})$
      • private info: $d_{Bob}$ (and $p$, $q$)
      Alice:
      • message $M$
      • encodes: $C = M^{e_{Bob}} \pmod N$
      • (or signs): $S = P_{Alice}(M) = M^{d_{Alice}} \pmod N$
      Bob:
      • decodes: $C^{d_{Bob}} \equiv M^{e_{Bob} d_{Bob}} \equiv M \pmod N$
      • (or checks signature): $S^{e_{Alice}} \equiv M^{d_{Alice} e_{Alice}} \equiv M \pmod N$
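The slide's key setup, encryption and signing as an added example (not the lecture's code): $d$ is obtained from $e$ with the extended Euclidean algorithm of slide 11, and the primes in `main` are constructed toy values (textbook RSA, no padding, as on the slide).

```python
def egcd(x, y):
    """Extended Euclid: returns (g, A, B) with A*x + B*y = g = gcd(x, y)."""
    if y == 0:
        return x, 1, 0
    g, a, b = egcd(y, x % y)
    return g, b, a - (x // y) * b

def rsa_keygen(p, q, e):
    """Bob's initialization: N = p*q, public e, secret d with
    e*d = 1 (mod (p-1)(q-1)).  p and q are assumed prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    g, d, _ = egcd(e, phi)            # d*e + K*phi = gcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (e, n), (d % phi, n)       # (public key, private key)

def encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)               # C = M^e (mod N)

def decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)               # C^d = M^{ed} = M (mod N)

def sign(m, priv):
    d, n = priv
    return pow(m, d, n)               # S = M^d (mod N)

def verify(m, s, pub):
    e, n = pub
    return pow(s, e, n) == m % n      # S^e = M^{de} = M (mod N)

if __name__ == "__main__":
    bob_pub, bob_priv = rsa_keygen(61, 53, 17)       # toy key, N = 3233
    alice_pub, alice_priv = rsa_keygen(67, 71, 13)   # toy key, N = 4757
    c = encrypt(65, bob_pub)
    print(c, decrypt(c, bob_priv))                   # 2790 65
    s = sign(65, alice_priv)
    print(verify(65, s, alice_pub))                  # True
```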
  14. Basis for RSA security (be afraid… be very afraid)
      1. Factoring $N = pq$ is hard; or else one can compute $(p-1)(q-1)$ and use the Euclidean algorithm to get $d$ and $M$
      2. Getting the private key $d$ is hard; or else, given $M^e$, one can compute $M^{ed} \equiv M \pmod N$
      3. Discrete logarithm is hard: given $e$ and $M^e \pmod N$, can we compute $M$?
  15. Basis for RSA security (⇒): factoring is as hard as computing $d$
      • Given $p$, $q$, $N = pq$: $\varphi(N) = (p-1)(q-1)$
      • By the Euclidean algorithm, we can solve for $d$, $K$: $de + K\varphi(N) = \gcd(e, \varphi(N)) = 1$, i.e. $ed \equiv 1 \pmod{\varphi(N)}$
  16. Basis for RSA security (⇐): computing $d$ is as hard as factoring. Given $\langle N, e \rangle$ and $d$, we can factor $N = pq$ “efficiently” using a probabilistic Las Vegas algorithm:
      1. Compute $k = ed - 1$, so that $ed \equiv 1 \pmod{\varphi(N)} \Rightarrow \varphi(N) \mid k \Rightarrow \forall a,\ a^k \equiv 1 \pmod N$
      2. $N$ has four square roots of 1, by CRT:
         $1 \pmod p,\ 1 \pmod q \Rightarrow 1 \pmod N$
         $1 \pmod p,\ -1 \pmod q \Rightarrow x \pmod N$
         $-1 \pmod p,\ 1 \pmod q \Rightarrow -x \pmod N$
         $-1 \pmod p,\ -1 \pmod q \Rightarrow -1 \pmod N$
      3. $\gcd(x - 1, N) = p$
  17. Basis for RSA security (⇐): computing $x$ with a Las Vegas algorithm (expected running time $O((\log N)^3)$). To compute $x$: choose a random $g \in \mathbb{Z}_N^*$ and compute $g^k, g^{k/2}, g^{k/4}, \ldots, g^{k/2^t}$ down to the odd exponent $k/2^t$ (recall $k = ed - 1$). This sequence begins $1, 1, 1, \ldots$ and, with probability 0.5, its first entry $\ne 1$ is $x$ rather than $-1$.
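The procedure of slides 16 and 17 as an added example (not from the lecture): it walks $g^{k/2^t}, g^{k/2^{t-1}}, \ldots$ upward until a square root of 1 other than $\pm 1$ appears and takes the gcd. $g$ is tried in order rather than at random so the run is reproducible; the key in `main` is the constructed toy key $p = 61$, $q = 53$, $e = 17$.

```python
from math import gcd

def factor_from_d(n, e, d):
    """Recover p, q from <N, e> and d.  k = e*d - 1 is a multiple of phi(N),
    so g^k = 1 (mod N) for every g coprime to N.  Write k = 2^t * r (r odd)
    and square g^r repeatedly: the first square equal to 1 whose root x is
    not +-1 gives gcd(x - 1, N) = p (or q)."""
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:
        t, r = t + 1, r // 2
    for g in range(2, n):
        if gcd(g, n) != 1:                    # lucky: g already shares a factor
            return gcd(g, n), n // gcd(g, n)
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue                          # sequence is all 1s or hits -1: useless g
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                        # x is a nontrivial square root of 1
                p = gcd(x - 1, n)
                return p, n // p
            if y == n - 1:
                break                         # reached -1 first: try the next g
            x = y
    raise ValueError("no factor found")

if __name__ == "__main__":
    # toy key: p = 61, q = 53, N = 3233, e = 17, d = 2753 (e*d = 1 mod 3120)
    print(sorted(factor_from_d(3233, 17, 2753)))   # [53, 61]
```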
  18. Computational attacks
      1) No bit padding (common sense): the same plaintext block always yields the same ciphertext block, so once $C = $ 2347809AE8 $\Rightarrow$ “Attack at midnight!” is known, the block sequence 59820BCE84, 2347809AE8, 684930EFFF gives it away
      2) $p$ and $q$ are too close: $N = pq = p(p - c) \Rightarrow p^2 - cp - N = 0$; solve using the quadratic formula! In general, bad when $p - q$ is below a bound in $p$ and $\log p$ (for some constant $k$)
  19. 3) Netscape’s bug: generating $p, q$ from a predictable random number generator. If we know SEED, we know $p, q$. Toy generator $x \to 7x \pmod{13}$ starting from SEED $= 8$: $8 \cdot 7 \pmod{13} = 4$; $4 \cdot 7 \pmod{13} = 2 \Rightarrow p$; $2 \cdot 7 \pmod{13} = 1$; $1 \cdot 7 \pmod{13} = 7 \Rightarrow q$; $7 \cdot 7 \pmod{13} = 10$; $10 \cdot 7 \pmod{13} = 5$
  20. Computational attacks
      4) $p - 1$ is the product of small primes $\le B$ (Pollard ’74): compute $a \equiv 2^{2 \cdot 3 \cdot 4 \cdot 5} = 2^{B!} \pmod N$ (here $B = 5$); then $a \equiv 2^{B!} \equiv 2^{(p-1)k} \equiv 1^k \equiv 1 \pmod p \Rightarrow p \mid \gcd(a - 1, N)$
      5) Common modulus (Simmons): fix $N$ for all users, with different keys $e$ and $d$
      6) Blinding: get your advisor to sign an “innocent” $M' = r^e M$: $S' = (M')^d = (r^e M)^d = r^{ed} M^d \equiv r M^d \pmod N$; dividing by $r$ gives the signed thesis!
  21. More computational attacks
      7) Low private exponent $d$. Theorem (Wiener ’90): assume $q < p < 2q$, $d < \frac{1}{3} N^{1/4}$ and $e < \varphi(N)$. Given $N, e$, Marvin can recover $d$.
      Proof: $ed \equiv 1 \pmod{\varphi(N)} \Rightarrow ed - k\varphi(N) = 1 \Rightarrow \frac{e}{\varphi(N)} - \frac{k}{d} = \frac{1}{d\varphi(N)} \Rightarrow \left| \frac{e}{N} - \frac{k}{d} \right| \le \frac{1}{2d^2}$
      Running time: compute the convergents of the continued fraction of $e/N$ in linear time!
      Fixes: 1. use $e > N^{1.5}$; 2. use CRT with a big $d$ and small $d \pmod{p-1}$, $d \pmod{q-1}$
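Wiener's condition turned into a key check, as an added example (not the lecture's code): each convergent $k/d$ of $e/N$ is tested as the proof suggests, and a candidate is accepted only when $\varphi(N) = (ed - 1)/k$ is an integer and $p, q$ are the integer roots of $x^2 - (N - \varphi(N) + 1)x + N$. The key in `main` is constructed from the primes 1000003 and 999983, with $d = 101$ deliberately below $\frac{1}{3}N^{1/4} \approx 333$ for the weak case and $e = 65537$ for the safe case.

```python
from math import isqrt

def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    h_prev, h, k_prev, k = 0, 1, 1, 0     # standard recurrence seeds
    while den:
        a = num // den
        num, den = den, num % den
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k

def wiener_check(n, e):
    """Return the private exponent d if it is small enough to fall out of the
    continued fraction of e/N (Wiener '90), otherwise None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                   # would be p + q if phi is right
        disc = s * s - 4 * n
        if disc >= 0:
            r = isqrt(disc)
            if r * r == disc and (s + r) % 2 == 0:
                return d                  # (s +- r)/2 are p and q
    return None

if __name__ == "__main__":
    p, q = 1000003, 999983                # constructed; q < p < 2q
    n, phi = p * q, (p - 1) * (q - 1)
    e_weak = pow(101, -1, phi)            # d = 101 < N^{1/4} / 3
    print(wiener_check(n, e_weak))        # 101
    print(wiener_check(n, 65537))         # None: d for e = 65537 is large
```

A key that fails this check should be rejected at generation time; the slide's fix of a large $e$ (65,537 on the last slide) keeps $d$ out of reach.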
  22. Implementation attacks
      1. Timing attack (Kocher ’96)
      Long method: $2^{32} = 2 \cdot 2 \cdot 2 \cdots 2$ (32 factors)
      Repeated squaring: $2^{32} = \left(\left(\left(\left(2^2\right)^2\right)^2\right)^2\right)^2$; $2^{33} = 2 \cdot \left(\left(\left(\left(2^2\right)^2\right)^2\right)^2\right)^2$; $39 = 100111$ in binary, so $2^{39} = 2 \cdot \left(2 \cdot \left(2 \cdot \left(\left(2^2\right)^2\right)^2\right)^2\right)^2$
      Computation time is correlated with the number of 1’s in the exponent.
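Added example, not from the lecture: the repeated-squaring loop above, instrumented to count modular multiplications, beside a Montgomery-ladder variant whose operation count does not depend on the exponent's bits (the usual mitigation for this leak). Exponents 32, 33 and 39 are the slide's.

```python
def square_and_multiply(base, exp, n):
    """Left-to-right repeated squaring as on the slide.  Returns (result,
    number of modular multiplications).  Each bit costs one squaring and
    each 1 bit one extra multiply, so the count leaks the Hamming weight."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % n          # squaring for every bit
        mults += 1
        if bit == "1":
            result = result * base % n        # multiply only for a 1 bit
            mults += 1
    return result, mults

def montgomery_ladder(base, exp, n):
    """Same result, but every bit performs exactly one squaring and one
    multiplication, so the count (and the time) is the same for 2^32 and
    2^39.  Invariant: r1 = r0 * base (mod n)."""
    r0, r1, mults = 1, base % n, 0
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r1, r0 = r0 * r1 % n, r0 * r0 % n
        mults += 2
    return r0, mults

if __name__ == "__main__":
    for exp in (32, 33, 39):
        print(exp, bin(exp)[2:],
              square_and_multiply(2, exp, 3233)[1],   # 7, 8, 10
              montgomery_ladder(2, exp, 3233)[1])     # 12, 12, 12
```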
  23. 2. Random faults (Boneh, DeMillo, Lipton ’97). Computing $x^y \pmod{pq}$ by CRT: the $x^y \pmod p$ half comes out as $x^y + \text{error} \pmod p$ while the $x^y \pmod q$ half is correct, so the recombined value is $x^y + \text{error} \cdot p \pmod{pq}$, and $\gcd(\text{error} \cdot p, pq) = p$. One error can lead to a factorization of $N = pq$. Two errors are OK.
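Added example, not from the lecture: CRT signing with an injectable fault in one half, the gcd that recovers a prime from the bad signature, and the verify-before-release check that prevents the bad signature from ever leaving the device. The key is the constructed toy key $p = 61$, $q = 53$, $e = 17$, $d = 2753$; the fault is placed in the $\pmod q$ half so that, as on the slide, the gcd yields $p$.

```python
from math import gcd

# Toy key (constructed): p = 61, q = 53, N = 3233, e*d = 1 (mod 3120).
P, Q, E, D = 61, 53, 17, 2753
N = P * Q

def crt_sign(m, fault=None):
    """S = m^d (mod N) computed separately mod p and mod q and recombined.
    `fault` perturbs the mod-q half to simulate a random hardware error."""
    s_p = pow(m, D % (P - 1), P)
    s_q = pow(m, D % (Q - 1), Q)
    if fault is not None:
        s_q = (s_q + fault) % Q
    # Garner recombination: s = s_q + q * ((s_p - s_q) * q^{-1} mod p)
    q_inv = pow(Q, -1, P)
    return s_q + Q * (((s_p - s_q) * q_inv) % P)

def factor_from_faulty_signature(m, s_bad):
    """Boneh-DeMillo-Lipton: a signature correct mod p but wrong mod q has
    s_bad^e - m = 0 (mod p) only, so gcd(s_bad^e - m, N) = p.  (Faults in
    both halves leave no common factor: the slide's "two errors are ok".)"""
    return gcd(pow(s_bad, E, N) - m, N)

def sign_checked(m, fault=None):
    """Countermeasure: verify with the public key before releasing S."""
    s = crt_sign(m, fault)
    if pow(s, E, N) != m % N:
        raise RuntimeError("signature failed self-check; not released")
    return s

if __name__ == "__main__":
    good, bad = crt_sign(65), crt_sign(65, fault=1)
    print(pow(good, E, N), pow(bad, E, N))          # 65 and something else
    print(factor_from_faulty_signature(65, bad))    # 61
```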
  24. Fancier attacks (mathematical basis)
      LLL: let $L$ be a lattice spanned by $w$ basis vectors. Given these as input, LLL outputs $v \in L$ satisfying $\|v\| \le 2^{w/4} \det(L)^{1/w}$.
      Theorem (Coppersmith ’97): take $N$ and a polynomial $f(x)$ of degree $d$. Take $X = N^{1/d - s}$ for some $s \ge 0$. Given $\langle N, f \rangle$, Marvin can efficiently find all integers $|x_0| < X$ satisfying $f(x_0) = 0 \pmod N$.
      Lemma: take a polynomial $h(x)$ of degree $d$ and a positive integer $X$. Suppose $\|h(xX)\| < N/\sqrt{d}$. If $|x_0| < X$ satisfies $h(x_0) = 0 \pmod N$, then $h(x_0) = 0$ holds over the integers.
  25. Fancier attacks
      1. Hastad’s broadcast attack ’88 (low public exponent)
      2. Franklin-Reiter related message attack ’96
      3. Coppersmith’s short pad attack
      4. Partial key exposure (BDF ’98). Theorem: for $N = pq$ of size $n$ bits, revealing the $n/4$ least-significant or $n/4$ most-significant bits is enough to factor $N$ efficiently.
  26. How to build a safe RSA cryptosystem (as of 2000)
      1. Use long, random padding of messages
      2. Use a large secret key $d$ (256 bits)
      3. Use a large public key $e$ (65,537 is recommended)
      4. Use primes $p, q$ that are not too close and not $1 +$ a product of small factors
      5. Do not reveal any part of your key.
  27. References
      • Twenty Years of Attacks on the RSA Cryptosystem by Dan Boneh, Notices of the AMS, February 1999.
      • Cryptography: Theory and Practice by Douglas R. Stinson, CRC Press, 1995.
      • Cryptanalysis of Short RSA Secret Exponents by Michael J. Wiener, IEEE Transactions on Information Theory, May 1990.
      • Sphere Packings, Lattices and Groups by J.H. Conway and N.J.A. Sloane, Springer-Verlag, 1993.
  28. (the basis of RSA)
