Upcoming SlideShare
×

# Security Attacks on RSA

7,524 views
7,393 views

Published on

Security attacks on RSA Cryptosystem

Published in: News & Politics, Technology
5 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

Views
Total views
7,524
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
274
0
Likes
5
Embeds 0
No embeds

No notes for slide

### Security Attacks on RSA

1. 1. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Security Attacks on RSA A Computational Number Theoretic Approach Pratik Poddar Department of Computer Science and Engineering IIT Bombay April 10, 2009
2. 2. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Contents 1 Introduction Introduction to RSA Cryptosystem Introduction to RSA Signatures Basic Ideas of RSA 2 Factoring Attacks Some Factoring Algorithms Breaking RSA v/s Factoring Exposing d v/s Factoring Guessing φ(N) v/s Factoring Are Strong Primes Needed? Conclusion 3 Elementary Attacks Dictionary Attack Common Modulus Attack Blinding Attack 4 Low Private Exponent Attack Theory of Continued Fractions Wiener’s Attack Avoiding Wiener’s Attack
3. 3. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack RSA Adi Shamir, Ron Rivest, Len Adleman in 1977
4. 4. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack The Math behind RSA p and q are two distinct large prime numbers N = pq and φ(N) = (p − 1)(q − 1) Choose a large random number d > 1 such that gcd(d, φ(N)) = 1 and compute the number e, 1 < e < φ(N) satisfying the congruence ed ≡ 1 mod φ(N) The numbers N, e, d are referred to as the modulus, encryption exponent and decryption exponent respectively. The public key is the pair (N, e) and the secret trapdoor is d.
5. 5. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Introduction to RSA Cryptosystem Simpliﬁed Model of RSA Cryptosystem Why it it simpliﬁed? Diﬀerence between RSA cryptosystem and RSA function
6. 6. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Introduction to RSA Signatures Simpliﬁed Model of RSA Signatures
7. 7. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Basic Ideas of RSA Based on the idea that . . . Factorization is diﬃcult But . . . There is no formal proof that 1 Factorization is diﬃcult 2 Factorization is needed for cryptanalysis of RSA
8. 8. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Contents 1 Introduction Introduction to RSA Cryptosystem Introduction to RSA Signatures Basic Ideas of RSA 2 Factoring Attacks Some Factoring Algorithms Breaking RSA v/s Factoring Exposing d v/s Factoring Guessing φ(N) v/s Factoring Are Strong Primes Needed? Conclusion 3 Elementary Attacks Dictionary Attack Common Modulus Attack Blinding Attack 4 Low Private Exponent Attack Theory of Continued Fractions Wiener’s Attack Avoiding Wiener’s Attack
9. 9. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 1: Fermat’s Factorization Method √ First improvement over the n trial-division method Every odd composite number can be represented as a diﬀerence of two squares n = cd » –2 » –2 c +d c −d n= − 2 2 √ Start from k = n, go on incrementing k till k 2 − n is a perfect square Might be worse than trial division . . . 1 Eﬀect on RSA . . . Special case p − q ≤ 4n 4
10. 10. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 2: Euler’s Factorization Method Based upon representing a positive integer n as the sum of two squares in two diﬀerent ways n = a2 + b 2 = c 2 + d 2 If n can be represented as a sum of two squares in two diﬀerent ways, it can be factorized!! (a − c)(a + c) = (d − b)(d + b) Let k be the gcd of a − c and d − b, so that a − c = kl and d − b = km. l(a + c) = m(d + b) and a + c = mr and d + b = lr (Why?) h` ´ ` r ´2 i 2 n= k + 2 2 · (m2 + l 2 ) (Are k and r always even?) , go on decrementing k till n − k 2 is a perfect square pn Start from k = 2 Historically important!! Flaws!!
11. 11. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 3: Pollard’s p − 1 Method Basic idea Eﬀect on RSA
12. 12. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 3: Pollard’s p − 1 Method Pollard’s p − 1 algorithm Require: A composite integer N Ensure: A non-trivial factor of N or failure B ⇐ Chosen Smoothness Bound a ⇐ Random number coprime to N for q = 1 to B do if q is prime then — log N e← log q e a ← aq mod N end if end for
13. 13. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 3: Pollard’s p − 1 Method Pollard’s p − 1 algorithm g ← gcd (a − 1, N) if 1 < g < N then return g else if g = 1 then Select a higher B and go to step 2 or return failure else Go to step 2 or return failure end if
14. 14. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 3: Pollard’s p − 1 Method Example... Factorize 5917 Say B = 5, we make α = 213 38 56 So, β = 2α − 1 gcd(β, 5917) = 61 !!
15. 15. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 4: Pollard’s ρ Method Ideas: Birthday Paradox Floyd’s cycle ﬁnding algorithm
16. 16. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 4: Pollard’s ρ Method Pollard’s ρ algorithm Require: n, the integer to be factored; x1 , such that 0 ≤ x1 ≤ n; and f (x), a pseudo-random function modulo n. Ensure: A non-trivial factor of n or failure i ⇐ 1; y ⇐ x1 ; k ⇐ 2 loop i ⇐i +1 2 xi ⇐ (xi−1 − 1) mod n d ⇐ gcd(y − xi , n) if d = 1 and d = n then return d end if if i = k then y ⇐ xi k ⇐ 2k end if end loop Example... Factorize 1387
17. 17. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 4: Pollard’s ρ Method .. Example Example... Factorize 1387
18. 18. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Factoring Algorithm 4: Pollard’s ρ Method .. Example Example... Factorize 1387 Take x1 = 2 and f (x) = x 2 − 1 mod 1387 i xi gcd(xi − y , 1387) y 1 2 - 2 2 3 gcd(3 − 2, 1387) = 1 3 3 8 gcd(8 − 3, 1387) = 1 4 63 gcd(63 − 3, 1387) = 1 63 5 1194 gcd(1194 − 63, 1387) = 1 6 1186 gcd(1186 − 83, 1387) = 1 7 177 gcd(177 − 63, 1387) = 19 8 814 gcd(814 − 63, 1387) 814 9 996 gcd(996 − 814, 1387) Complexity??
19. 19. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Breaking RSA v/s Factoring Breaking RSA ≤ Factoring (Obvious!) Open Problem: Factoring ≤ Breaking RSA?? Expectation: No!!! Factoring is expected to be strictly > Breaking RSA
20. 20. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Exposing d v/s Factoring Theorem Exposing the private key d and factoring N are equivalent Proof Determining d ≤ Factoring N (Why??) Determining d ≥ Factoring N (Non-obvious algorithm) We will now present a randomized algorithm by which knowing d, factors of N can be easily determined.
21. 21. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Exposing d v/s Factoring . . . Miller Rabin Test Miller Rabin Test Randomized primality testing algorithm Miller version · · · Rabin version
22. 22. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Exposing d v/s Factoring . . . Miller Rabin Test Miller Rabin Test Require: n > 2, an odd integer to be tested for primality Ensure: Composite if n is composite, otherwise probably Prime Write n − 1 as 2s d with d odd a ⇐ Random number between 1 and n − 1 x0 ⇐ ad mod n if x = 1 OR x = n − 1 then return Probably Prime end if
23. 23. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Exposing d v/s Factoring . . . Miller Rabin Test Miller Rabin Test for i = 1 to s − 1 do 2 xi ⇐ xi−1 mod n if xi = 1 and xi−1 = 1 and xi−1 = n − 1 then return Composite end if end for if xt = 1 then return Composite else return Probably Prime end if
24. 24. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Exposing d v/s Factoring . . . Miller Rabin Test Miller Rabin Error Rate Analysis If n is a composite number, then the number of witnesses to the compositeness of n is at least n−1 . 2 Proof n−1 Prove that number of non-witnesses is at most 2 Creating a subgroup B, which is a subgroup of Z∗ , which n contains all the non-witnesses Show the existence of an element in Z∗ − B, n n−1 n−1 Order of B ≤ 2 . Number of non-witnesses ≤ 2 We break the proof into two cases.
25. 25. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Exposing d v/s Factoring . . . Miller Rabin Test Case 1: There exists an x ∈ Z∗ such that x n−1 ≡ 1 mod n n Let B = {b ∈ Z∗ : b n−1 ≡ 1 (mod n)} n Since there exists an element x for which x n−1 ≡ 1 mod n, Z∗ − B is n non-empty n−1 Number of non-witnesses ≤ 2
26. 26. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Exposing d v/s Factoring . . . Miller Rabin Test Case 2: For all x ∈ Z∗ , x n−1 ≡ 1 mod n n Represent n as n1 n2 where n1 and n2 are relatively prime Note that n − 1 = 2s u and for input a, we can compute the following sequence 2 3 4 s modulo n: au , a2u , a2 u , a2 u , a2 u · · · a2 u Let us call a pair of integers (v , j) acceptable if v ∈ Z∗ , j = 0, 1, 2, · · · , s and n j v 2 u ≡ −1 (mod n) Set of acceptable pairs contains (n − 1, 0). So, the set is non-empty. Pick the largest possible j for which there exists an v such that (v , j) is an acceptable pair. We will use this j in the proof. j B = {x ∈ Z∗ : x 2 u ≡ ±1 n (mod n)} Clearly, B is a subgroup of Z∗ . Also note that the sequence produced by a n non-witness must be either all 1’s or contain −1 no later than the jth position (due to maximality of j). So, every non-witness belongs to B.
27. 27. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Exposing d v/s Factoring . . . Miller Rabin Test Case 2: For all x ∈ Z∗ , x n−1 ≡ 1 mod n n To complete the proof, we have to prove that Z∗ − B is non-empty. Note that there n exists a w such that w ≡v (mod n1 ) and w ≡ 1 (mod n2 ) j where v is an element in B such that v 2 u ≡ −1 (mod n). So, j j w 2 u ≡ −1 (mod n1 ) and w 2 u ≡ 1 (mod n2 ) j j This implies w 2 u ≡ −1 (mod n) and w 2 u ≡ 1 (mod n). So, w ∈ B. / All we need to prove is that w ∈ Z∗ . Since v ∈ Z∗ , gcd(v , n) = 1, which implies n n gcd(v , n1 ) = 1. Since gcd(w , n1 ) = gcd(v , n1 ), gcd(w , n1 ) = 1. By construction of w , gcd(w , n2 ) = 1. So, gcd(w , n1 n2 ) = gcd(w , n) = 1.
28. 28. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Exposing d v/s Factoring . . . The Randomized Algorithm The Algorithm. . . knowing d, factors of N can be easily determined Let k = ed − 1 If g is chosen at random from Z∗ , the with probability at least n 1 2 , one of the elements in the sequence t g k/2 , g k/4 , g k/8 , ..., g k/2 mod N is a witness for the compositeness of N A witness of compositeness of Miller Rabin test reveals a factor of N as square roots of 1 mod N (other than 1 and -1) would be x and −x where x ≡ 1 mod p and x ≡ −1 mod q gcd(x − 1, N) would get the factor of N
29. 29. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Guessing φ(N) v/s Factoring Guessing φ(N) and factoring N are equivalent Guessing φ(N) ≥ Factoring (Obvious!) Factoring ≥ Guessing φ(N) (Why??)
30. 30. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Strong Primes What are strong primes? A prime p is considered to be a “strong prime” if it satiﬁes the following conditions: p is a large prime (say |p| ≥ 256) The largest prime factor of p − 1, say p − , is large (say |p − | ≥ 100) The largest prime factor of p − − 1, say p −− , is large (say |p −− | ≥ 100) The largest prime factor of p + 1, say p + , is large (say |p + | ≥ 100) A prime is p − -strong if p − is large p −− -strong if p −− is large p + -strong if p + is large (p − , p + )-strong if both p − and p + are large strong if all p − , p −− and p + are large
31. 31. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Are Strong Primes Needed? Believed that p and q in RSA have to be strong Original RSA paper, Cycling Attack, X .509 Standard Rivest and Silverman proved that use of strong primes is unnecessary PKCS#1 v2.1 does not recommend strong primes
32. 32. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Conclusion We discussed about the factoring algorithms present at the time of RSA publication How those factorization algorithms aﬀected RSA paper We discussed various other ways to attempt RSA breaking and compared them to factoring The myth of RSA needing strong primes
33. 33. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Contents 1 Introduction Introduction to RSA Cryptosystem Introduction to RSA Signatures Basic Ideas of RSA 2 Factoring Attacks Some Factoring Algorithms Breaking RSA v/s Factoring Exposing d v/s Factoring Guessing φ(N) v/s Factoring Are Strong Primes Needed? Conclusion 3 Elementary Attacks Dictionary Attack Common Modulus Attack Blinding Attack 4 Low Private Exponent Attack Theory of Continued Fractions Wiener’s Attack Avoiding Wiener’s Attack
34. 34. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Elementary Attack 1: Dictionary Attack One-to-one mapping between ciphertext and plaintext : vulnerable to Dictionary Attack Security measure: Random Padding (PKCS#1 v1.5)
35. 35. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Elementary Attack 2: Common Modulus Attack RSA modulus should not be used by more than one entity Alice recieves the ciphertext C = M ea mod N Mallory does not have da , but using eb and db , Mallory can factor N da can be calculated and Mallory can decrypt the message intended for Alice
36. 36. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Elementary Attack 3: Blinding Attack Attack speciﬁc to RSA signatures Suppose attacker A wants to get a document M signed by B A needs M d mod N · · · A sends r e M mod N for B to sign Signing the sent message gives r ed M d mod N = rM d mod N Security measure: Random Padding, Signing Hash
37. 37. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Contents 1 Introduction Introduction to RSA Cryptosystem Introduction to RSA Signatures Basic Ideas of RSA 2 Factoring Attacks Some Factoring Algorithms Breaking RSA v/s Factoring Exposing d v/s Factoring Guessing φ(N) v/s Factoring Are Strong Primes Needed? Conclusion 3 Elementary Attacks Dictionary Attack Common Modulus Attack Blinding Attack 4 Low Private Exponent Attack Theory of Continued Fractions Wiener’s Attack Avoiding Wiener’s Attack
38. 38. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Low Private Exponent Attack Wiener’s Attack Let N = pq with p and q approximately of the same size, i.e. 1 q < p < 2q. Let d < 3 N 1/4 . Given (N, e) with ed ≡ 1 mod φ(N), the attacker can easily recover d.
39. 39. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Continued Fractions Deﬁnition The function of n + 1 variables 1 a0 + 1 a1 + 1 a2 + 1 a3 + · · · an or [a0 , a1 , a2 , a3 · · · , an ] is deﬁned as a continued fraction. We consider only simple and positive continued fractions, i.e. all ai s are integral and positive. [a0 , a1 , a2 , a3 · · · , ai ], 0 ≤ i ≤ n are said to be the convergents of [a0 , a1 , a2 , a3 · · · , an ].
40. 40. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Continued Fractions · · · Theorems Theorem 1 The continued fraction [a0 , a1 , a2 , · · · , an ] = [a0 , a1 , · · · , am−1 , [am , · · · an ]] Theorem 2 The continued fraction pm am pm−1 + pm−2 [a0 , a1 , a2 , · · · , am−1 , am ] = = qm am qm−1 + qm−2
41. 41. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Continued Fractions · · · Theorems Theorem 3 Continued Fraction Algorithm: Any rational number x can be represented as a simple ﬁnite continued fraction. Proof h0 x= k0 Comparing x with [a0 , a1 , a2 , · · · , aN , aN+1 ], x = a0 + ξ0 where ξ0 < 1 i.e. h0 = a0 k0 + ξ0 k0 If ξ0 = 0 1 k0 = ξ0 h0 − a0 k0 Let k1 = h0 − a0 k0 , (since, k1 = ξ0 k0 , we have k1 < k0 ) k0 = a1 + ξ1 and k0 = a1 k1 + ξ1 k1 k1
42. 42. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Continued Fractions · · · Theorems Proof Contd · · · Doing this repeatedly gives a system of equations h0 = a0 k0 + k1 , k0 = a1 k1 + k2 h1 = a1 k1 + k2 , k1 = a2 k2 + k3 ··· as long as kN+1 = 0. Equations same as when executing Euclid’s extended algorithm to compute gcd of h0 and k0 . So, Continued fraction algorithm terminates and the number of convergents for x is Θ(min(log h0 , log k0 )).
43. 43. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Continued Fractions · · · Theorems Theorem 4 If ˛ ˛ ˛p ˛ − x˛ ≤ 1 ˛ ˛q ˛ 2q 2 p then is a convergent of continued fraction expansion of x. q Proof Assuming that the statement is true, then p θ −x = 2 q q p where = ±1 and 0 < θ < 1 . Let pn and qn−1 be the last and second last 2 qn n−1 convergents of continued fraction of q . Note that pn = p . We can write, for p qn q some ω, ωpn + pn−1 x= ωqn + qn−1
44. 44. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Continued Fractions · · · Theorems Proof Contd · · · qn 1 qn−1 θ= and ω = − ωqn + qn−1 θ qn Note that since θ < 1 , we have, ω > 1 2 p Let = [a0 , a1 , · · · am1 ] q Let ω = [b0 , b1 , b2 · · · bm2 ] [a0 , a1 , a2 · · · am1 , ω] = [a0 , a1 , a2 · · · am1 , [b0 , b1 , b2 · · · bm2 ]] ωpm + pm−1 = =x ωqm + qm−1 So, x = [a0 , a1 , a2 · · · am1 , b0 , b1 , · · · bm2 ]. p So, by construction, we have proved that q is a convergent of continued fraction expansion of x.
45. 45. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Wiener’s Attack Attack by Wiener, 1990 Let N = pq with p and q approximately of the same size, i.e. q < p < 2q. Let d < 3 N 1/4 . Given (N, e) with ed ≡ 1 mod φ(N), the attacker can easily 1 recover d. Proof k There exists k such that ed − kφ(N) = 1. We will ﬁrst show that that is an e √ d approximation of N . Also note that N − φ(N) < 3 N. ˛ ˛ ˛ ˛ ˛ − k ˛ = ˛ 1 − k(N − φ(N)) ˛ ˛e ˛ ˛ ˛ ˛N d ˛ ˛ Nd ˛ ˛ ˛ ˛e ˛ − k ˛ ≤ 3k ˛ ˛N √ d˛ d N Also, since kφ(N) = ed − 1 < ed and e < φ(N), we have k < d. In the case when d < 1 N 1/4 , we obtain k < d < 1 N 1/4 and so 3 3 ˛ ˛ ˛e ˛ − k˛≤ √ ≤ 1 < 1 1 ˛ ˛N d˛ d 4N 3d 2 2d 2
46. 46. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Wiener’s Attack Proof Contd· · · k e d is a convergent of continued fraction expansion of N k Number of fractions to be checked for d is bounded by Θ(log N) e k One of the Θ(log N) convergents of continued fraction for N is d k d is a reduced fraction We have Θ(log N) available options for d
47. 47. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Avoiding Wiener’s Attack Method 1: Large e Instead of using e < N, use e = e + tφ(N) for a large t This would mean e > N Large e would mean a large k which would counter Wiener’s attack If e > N 1.5 , Wiener’s attack is not possible even for very small d
48. 48. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack Avoiding Wiener’s Attack Method 2: Using CRT Use CRT to reduce the decryption time (and signing time) even while using large d Choose d such that dp = d mod (p − 1) and dq = d mod (q − 1) are small For decryption, compute Mp = C dp mod p and Mq = C dq mod q Then using CRT, compute M satisfying M ∈ Zn M = Mp mod p and M = Mq mod q Note that here M = C d mod N
49. 49. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack References D. Boneh. “Twenty Years of Attacks on the RSA Cryptosystem.” Notices of the American Mathematical Society, 46(2):203–213, 1999. M. Wiener. “Cryptanalysis of short RSA secret exponents.” IEEE Transactions on Information Theory, 36:553 558, 1990 Ron Rivest and Robert Silverman. “Are ‘Strong’ Primes Needed for RSA?”, Cryptology ePrint Archive: Report 2001/007 Rivest, R.; A. Shamir; L. Adleman. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”. Communications of the ACM 21 (2): pp.120-126.