SlideShare a Scribd company logo
The Factoring Dead
Preparing for the Cryptopocalypse
Thomas Ptacek, Matasano
Tom Ritter, iSEC Partners
Javed Samuel, iSEC Partners
Alex Stamos, Artemis Internet
Agenda
Introduction
The Math
New
Advances
The Impact
• There is a significant disconnect between theory and reality
in security.
• Lots of great, continuous academic research in cryptography.
• Few engineers get beyond Applied Cryptography before
shipping code.
• In the 2010's, it is no longer acceptable to just use standard
libraries and claim ignorance.
• We wanted to see if we could bridge this gap a bit.
• We certainly are not the only ones to do so.
Why are we here?
• Numerous attacks on the currentTLS infrastructure.
• BEAST 1
• CRIME 2
• Lucky 13 3
• RC4 Bias 4
• Even a new compression oracle attack here at BlackHat
USA 2013! 5
• Were any of these attacks really unpredictable to people
paying attention? (Hint: no6)
RecentTLS Problems
[1] http://vnhacker.blogspot.com/2011/09/beast.htm
[2] https://www.isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx l
[3] http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
[4] http://infoscience.epfl.ch/record/152526/files/RC4_1.pdf
[5] http://www.blackhat.com/us-13/briefings.html#Prado
[6] John Kelsey. Compression and information leakage of plaintext. Fast Software Encryption, 9th International Workshop, February 2002!
• 1998 – EFF Deep Crack defeats DES in 56 hours
• 2005 - Pre-image attacks against MD5 discussed
• 2008- Applebaum, Sotirov et. al. use MD5 attack against
CA
• 2011 - CA/Browser Forum forbids MD5
• 2012 - Somebody (cough) uses related attack against
Microsoft for FLAME
• SIM Card Attack at BlackHat 2013 using DES
Comparison to AcademicTime Line
• Most systems are not designed for cryptographic agility
• Cryptography is an ecosystem
• Few companies employ full-time cryptographers
• Hard for InfoSec practitioners to keep up-to-speed
• Lots of momentum in the professional consulting core.
We have failed as an industry
to address these structural problems.
Why such a disconnect?
• Looking for the next crypto black swan.
• Our thesis:
• Last six months has seen huge leaps in solving the DLP
• These leaps have parallels to the past.
• There is a small but real chance that both RSA and non-
ECC DH will soon become unusable.
• Ecosystem currently cannot support a quick pivot to ECC
We want this room to become the seed of change
Why are we here?
Agenda
Introduction
The Math
New
Advances
The Impact
• Key part of modern cryptosystems
Why Asymmetric Cryptography?
• We need a “trap-door” function, something that is easy
to do but hard to undo
• We also need a way to cheat with more information
• Rarely is the difficulty of this function proved, only
assumed
How does asymmetric crypto work?
• Diffie-Hellman - 1976 - Secure key exchange
• RSA - 1977 - Encryption, signing
• Elliptic Curve Cryptography
• Suite B - 2007 - Key exchange, signing and encryption
• GOST - 2010 - Key exchange, signing and encryption
What are the common primitives?
• First published byWhitfield Diffie and Martin Hellman in
1976
• Establishes shared secret by exchanging data over a
public network.
• Security relies on the hardness of the discrete logarithm
problem.
Diffe HellmanOverview
• Solve the discrete logarithm problem:
• Suppose h = gx for some g in the finite field and secret
integer x.
• The discrete logarithm problem is to find the element x,
when only g and h are known.
• Also how you attack El-Gamal and DSA
How do I attack DH?
• Key Generation to compute public and private key
exponent (e, d)
• Encryption by raising the message to public key
exponent e
• Decryption by raising the message to private key d
• Security relies on the hardness of factoring.
RSA Overview
• Factoring!
• Find the p & q such that p*q = N
• Factoring an RSA modulus allows an attacker to
compute the secret d and thus figure out the private key.
How do I attack RSA?
• An elliptic curve E over R real numbers is defined by a
Weierstrass equation eg y2 = x3 - 3x + 5
• Cryptographic schemes require fast and accurate arithmetic and
use one of the following elliptic fields.
• Prime Field Fp where p is a prime for software applications.
• Binary Field F2m where m is a positive integer for hardware applications.
Elliptic Curve Cryptography Overview
•
EllipticCurve Cryptography
ECC v RSA key sizes
NIST Recommended Key Sizes
Symmetric DH or RSA ECC
56 512 112
80 1024 160
112 2048 224
128 3072 256
192 7680 384
256 15360 521
Agenda
Introduction
The Math
New
Advances
The Impact
• Generic algorithms (for any G)
• Example: Pohlig-Hellman
• Shows that discrete logarithm can be solved by breaking
up the groups into subgroups of prime order.
• Generic algorithms are exponential time algorithms.
• Specific algorithms which make use of group
representation
• Example: Index calculus algorithms
• They leverage particular properties of the group
• Result in sub-exponential running time
Discrete LogarithmAlgorithms
L(1) – Exponential
WayToo Slow
Exponential vs Polynomial
L(0) – Polynomial
Fast enough to scare you
Linear running time plot Logarithmic running time plot
Exponential vs Polynomial
L(0)
L(1/2) – 1979 L(1) – current
fastest ECDLP
algorithms
Exponential vs Polynomial
L(0)
L(1/2) – 1979 L(1) – current
fastest ECDLP
algorithmsL(1/3) – 1984
Factoring and Discrete Logs stay here for the next 30 years
Exponential vs Polynomial
L(0)
L(1/2) – 1979 L(1) – current
fastest ECCDLP
algorithmsL(1/3) – 1984
Factoring
L(1/4) for Discrete Logs with restrictions on the types of group - 2013
Exponential vs Polynomial
L(0)
L(1/2) – 1979 L(1) - current
fastest ECC
algorithmsL(1/3) – 1984
Factoring
L(1/4) - 2013
L(0) for discrete logs with restrictions on the types of groups – 2013
• Rapid progress in DL research in past 6 months
• February 20, 2013: Joux published a L( 1/4 ) algorithm to
solve DLP in small characteristic fields.
• April 6, 2013: Barbulescu et al solve the DLP in of F2
809
using the Function Field Sieve algorithm (FFS)
• June 18, 2013: Barbulescu, Gaudry, Joux,Thomé publish a
quasi-polynomial algorithm for DLP in finite fields of small
characteristic.
New Developments in 2013
• Uses judicious change of variables to find multiplicative
relations easier.
• Uses a specific polynomial with linear factors to simplify
the computation.
• Uses a new descent algorithm to expresses arbitrary
elements in the finite field.
• Complexity is L( 1/4 + o(1)) which is considerably faster
than any discrete logarithm algorithm published before.
Joux’s New Discrete Log Algorithm (Feb 2013)
• Quasi-polynomial algorithm for DL in finite fields of small
characteristic.
• Improves Joux’s February 2013 algorithm using special matrix
properties.
• Fastest discrete logarithm has been improved significantly in
the past 6 months after marginal progress in 25 years.
• However; no clear jump to more practical implementations
which use finite fields with larger characteristicYET!
More Improvements
June 2013, Barbulescu, Gaudry, Joux,Thomé
• Pairing based cryptography (PBC) over small
characteristics is no longer secure.
• PBC can be used for identity-based encryption, keyword
searchable encryption where traditional public key
cryptography may be unsuitable.
• Currently used mainly in academic circle.
• Improves the Function Field Sieve (FFS) in most cases.
• The function field sieve currently can be used to solve for
small to medium characteristics fields.
Implications of Discrete Log Progress
Why Should I Care?
• Function Field Sieve has Four Steps
• Choose a Polynomial
• Relation Filtering
• Linear Algebra
• The Descent
• In the last 6 months, all of them have been improved
• More likely something can be used on something we care about
• His record setting calculation, in May, took 550 Hours
• 512 Bit RSA takes 652 Hours
Function Field Sieve
• Joux has attacked fields of a small characteristic
• We use fields of a large characteristic
• Joux’s…
• Polynomial choice probably would not help
• Sieving Improvements may help
• Descent Algorithm needs tweaking, but definitely helps
• Renewed interest could result in further improvements.
Attacking DH, DSA, ElGamal
• Factoring advances tend to lead to advances in Discrete Log
• Discrete Log advances tend to lead to advances in Factoring
• Degrees of difficulty of both problems are closely linked.
Attacking RSA
• 1975 Pollard's Rho in Factoring -> 1978 Pollard's Rho in
Discrete Log.
• 1984 Quadratic Sieve Factoring -> 1987 improvements in
Discrete Log Index Calculus Algorithms.
• 1993/4 Discrete Log Number & Function Field Sieves -> 1994
General Number Field Sieve for Factoring.
MutualAdvances over the years
Factoring
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. Square Root
Discrete Logs
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. The Descent
Factoring vs Discrete Logs
Factoring
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. Square Root
Discrete Logs
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. The Descent
Factoring vs Discrete Logs
NotThat
Slow
Constant
Time
Factoring
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. Square Root
Discrete Logs
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. The Descent
Factoring vs Discrete Logs
Easy to
Parallelize
NotThat
Slow
Constant
Time
Factoring
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. Square Root
Discrete Logs
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. The Descent
Factoring vs Discrete Logs
Slow & Difficult to
Parallelize
Easy to
Parallelize
NotThat
Slow
Constant
Time
Factoring
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. Square Root
Discrete Logs
1. Polynomial Selection
2. Sieving
3. Linear Algebra
4. The Descent
Factoring vs Discrete Logs
Very SlowVery Fast
Slow & Difficult to
Parallelize
Easy to
Parralellize
NotThat
Slow
Constant
Time
• No obvious technique right now from Joux’s improved
discrete logarithm algorithm that applies directly to
factoring.
• But I’m not a mathematician, I just play one on stage – I
wouldn’t bet the farm on that
• Public colloquium and publications seem to indicate that
NSA/NIST may also already be very concerned.
Attacking RSA
• MSIEVE
• http://sourceforge.net/projects/msieve/
• CADO-NFS
• http://cado-nfs.gforge.inria.fr/
• GGNFS
• http://www.math.ttu.edu/~cmonico/software/ggnfs/
• Tutorials
• http://github.com/tomrittervg/cloud-and-control
Public Implementations &Tutorials
• ECC is still standing - still requires exponential time
algorithms
• If Joux or others hits upon a general purpose discrete
logarithm algorithm as fast his special purpose one...
• Diffie-Hellman, DSA, and El-Gamal are toast
• If that leaps to factoring - RSA is toast
• Technically not dead, but…
• RSA key sizes may have to go up to 16,384 bits
• Wildly impractical for actual use, never mind that nothing
supports keysizes that large
Implications
Agenda
Introduction
The Math
New
Advances
The Impact
• Widespread active and passive attacks against live and
recordedTLS.
• PFS not necessarily the panacea
• Failure of code-signing and update mechanisms
• How do you fix your software
• Failure of PGP, S/MIME and most end-to-end encryption
• Almost total failure of trust in the Internet
What Happens If DH or RSA Fails Now?
• We need to move to ECC, rather quickly
• Alex says that ECC is perfectly secure,YAY!
• Not really
• <30 years of research versus 400:
• Uses some of the same ideas
• Right now it’s all we have
• Long-term, we need more research into alternatives
• RSA was 1977, RC4 was 1984. Give Rivest a break.
So, what now?
• Lots of push from academia and government into ECC
• DH/RSA are here and they are easily understood
• Legal risks have slowed ECC adoption
• ECC had compatibility problems, but NIST has specified
15 standard curves
Why has ECC uptake been so slow?
• In 2005, the NSA released the Suite B set of
interoperable standards
• Suite B specifies:
• The encryption algorithm (AES-256)
• The key exchange algorithm (Elliptic Curve DH)
• The digital signature algorithm (Elliptic Curve DSA)
• The hashing algorithms (SHA-256 and SHA-384)
Hmm, what’s missing?
Overview of Suite B
• The patent issue for elliptic curve cryptosystems is the
opposite of that for RSA and Diffie-Hellman.
• RSA and Diffie-Hellman had patents for the cryptosystems but
not the implementation.
• Several important ECC patents owned by Certicom
(Blackberry)
• Efficient GF(2n) multiplication in normal basis representation.
• Technique of validating key exchange messages to prevent a
man-in-the-middle attack.
• Technique for compressing elliptic curve point representations.
ECC Patents
• NSA purchased from Certicom (now Blackberry) a license that
covers all of their intellectual property in a restricted field of use.
• License is limited to implementations that were for national
security uses and certified under FIPS 140-2 or were approved by
NSA.
• Commercial vendors may receive a license from NSA provided
their products fit within the field of use of NSA’s license.
• Commercial vendors may contact Blackberry for a license for the
same 26 patents.
ECC and Suite B
MaybeCerticom is cool about this?
Table :Windows and OSX ECC Support
ECC Support on Operating Systems
OS Library ECDH ECDSA Others Version
OSX/IOS ssl-36800 Yes Yes None 10.6
OSX/IOS smime-
36873
Yes Yes None 10.6
Windows CNG Yes Yes None Vista
Windows TLS Yes Yes None Vista
Windows Suite B Yes Yes None Vista SP1,
Windows 7
Android ECC Support
ECC Support on Android
OS Library ECDH ECDSA Others Version
Android Bouncy
Castle
Yes Yes None 4.0
Android TLS Yes Yes None 3.2.4
Android CyaSSL Yes Yes None 2.4.6
Android NSS Yes Yes NTRU 3.11
Programming Languages ECC Support
ECC Support on Programing Languages
Programming
Language
Library ECDH ECDSA Others Version
Python PyECC Yes Yes ECIES 2.4
C OpenSSL Yes Yes None 3.2.4
Java SE6 Bouncy
Castle
Yes Yes None Java 6
Java SE7 Native Yes Yes ECIES,
ECDSA,
ECHR
Java 7
Ruby OpenSSL Yes Yes None 1.8
• Windows Code Signing
• Default is RSA
• ECC is supported through CSPs but not default
• AndroidCode Signing
• Both DSA and RSA are currently supported.
• iOS code Signing
• Uses CMS
• Supports ECDH and ECDSA.
Code Signing
• TLSv1.2 is the first to include ECC options
• Only TLS_RSA_WITH_AES_128_CBC_SHA is
required
• BeforeTLS 1.2, CA and Cert had to match.
• With 1.2 you can cross-sign
• Can use DH_DSS, DH_RSA, ECDH_ECDSA, and
ECDH_RSA with either ECC or RSA
• TLS 1.1 supports ECDH(E) for PFS
Transport Encryption
• ECC roots exist, buying a cert is not so easy
• There would significant work required in the transition form
RSA to ECC certificates.
• Thawte Root Certificate6 - Root CA is not used today.
Intended for use in the future for SSL certificates.
• Verisign/Symantec Root Certificate7 - ECC root certificate for
5 years; just begun offering commercial certificate this year.
• Entrust ECC Certificate8 - No global root certificate currently
available today.Will use a Public ECC-256 Root.
• Comodo9 - 384 bit ECC Root certificate.
PKI Infrastructure
• Current Root KSK generated in 2010
(algorithm 8)
• Standard specifies rotated “when
necessary” or at five years
• IANA,Verisign, ICANN SSAC looking
at options
• ECC being considered
• Helps with Zone File size
• Interesting enough, check out .ru
DNSSEC
• BlackBerry uses ECC extensively
• OpenVPN uses OpenSSL which includes ECC support,
doesn’t seem to work
• IPSEC - Cisco, Shiva and Nortel gateways support ECDH
IKE.
• OpenSSH has ECC support, not the default.
Other Popular Applications
What do you do now?
• Make ECC easy to use
• See NaCl’s box() and unbox()
• Update documentation to push developers away from
RSA
• Get aggressive about compatibility testing
• Eat your own dogfood
If you are a… OS or language vendor
• TLS 1.2 needs to be a P1 feature
• Only IE 11 and Chrome 29 support (both pre-release)
• Push at CA/B Forum for standardized process for cross-
signed certificates
If you are… a browser vendor
• You need to supportTLS 1.2 on endpoints
• Build systems with pluggable primitives
• Versioning
• Handshake and negotiation
• If this sounds too hard useTLS 1.2
• Use ECC for any new cryptosystems
• Retrofit old mechanisms using wrapping
• ECC signed binary inside of legacy RSA signature
If you are a… software maker
• Make it easy to buy an ECC cert
• Change documentation to include ECC CSR instructions
• The CA/Browser Forum should promulgate standards
pushing this
If you are a… CertificateAuthority
• Make the world a safer place…
• License the ECC patents
openly to any implementation
of Suite B, regardless of use
If you are… BlackBerry
• Use ECC certificates where possible
• Bug vendors forTLS 1.2 and ECC support
• Turn on ECDHE PFS today!
• Survey your exposure, so when the cryptopocalypse comes
you are like this guy:
If you are… just a normal company
• Current cryptosystems depend on discrete logarithm
and factoring which has seen some major new
developments in the past 6 months.
• We need to move to stronger cryptosystems that
leverage more difficult mathematical problems such as
ECC.
• There is a huge amount of work to be done, so please
get started now.
Summary
• JasonP
• Antonie Joux
• Dan Boneh
• RyanWinkelmaier (iSEC Partners intern)
ThankYou

More Related Content

What's hot

Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptography
zahid-mian
 
block ciphers
block ciphersblock ciphers
block ciphers
Asad Ali
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
Srilal Buddika
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Göktuğ Serez
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
Sam Bowne
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptography
anusachu .
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystem
Samdish Arora
 
Elliptical curve cryptography
Elliptical curve cryptographyElliptical curve cryptography
Elliptical curve cryptography
Barani Tharan
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
Shafaan Khaliq Bhatti
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
Sam Bowne
 
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithm
Indra97065
 
The Diffie-Hellman Algorithm
The Diffie-Hellman AlgorithmThe Diffie-Hellman Algorithm
The Diffie-Hellman Algorithm
Jay Nagar
 
Substitution cipher and Its Cryptanalysis
Substitution cipher and Its CryptanalysisSubstitution cipher and Its Cryptanalysis
Substitution cipher and Its Cryptanalysis
Sunil Meena
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
Komal Singh
 
Ecc2
Ecc2Ecc2
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
Mohamed Loey
 
DES
DESDES
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
Arpana shree
 
Elliptic Curves in Cryptography
Elliptic Curves in CryptographyElliptic Curves in Cryptography
Elliptic Curves in Cryptography
CSNP
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)
SAurabh PRajapati
 

What's hot (20)

Intro to modern cryptography
Intro to modern cryptographyIntro to modern cryptography
Intro to modern cryptography
 
block ciphers
block ciphersblock ciphers
block ciphers
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptography
 
Cryptography using rsa cryptosystem
Cryptography using rsa cryptosystemCryptography using rsa cryptosystem
Cryptography using rsa cryptosystem
 
Elliptical curve cryptography
Elliptical curve cryptographyElliptical curve cryptography
Elliptical curve cryptography
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithm
 
The Diffie-Hellman Algorithm
The Diffie-Hellman AlgorithmThe Diffie-Hellman Algorithm
The Diffie-Hellman Algorithm
 
Substitution cipher and Its Cryptanalysis
Substitution cipher and Its CryptanalysisSubstitution cipher and Its Cryptanalysis
Substitution cipher and Its Cryptanalysis
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
Ecc2
Ecc2Ecc2
Ecc2
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
 
DES
DESDES
DES
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 
Elliptic Curves in Cryptography
Elliptic Curves in CryptographyElliptic Curves in Cryptography
Elliptic Curves in Cryptography
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)
 

Similar to The Factoring Dead: Preparing for the Cryptopocalypse

TensorFlow London 11: Pierre Harvey Richemond 'Trends and Developments in Rei...
TensorFlow London 11: Pierre Harvey Richemond 'Trends and Developments in Rei...TensorFlow London 11: Pierre Harvey Richemond 'Trends and Developments in Rei...
TensorFlow London 11: Pierre Harvey Richemond 'Trends and Developments in Rei...
Seldon
 
Provenance for Data Munging Environments
Provenance for Data Munging EnvironmentsProvenance for Data Munging Environments
Provenance for Data Munging Environments
Paul Groth
 
From Pipelines to Refineries: Scaling Big Data Applications
From Pipelines to Refineries: Scaling Big Data ApplicationsFrom Pipelines to Refineries: Scaling Big Data Applications
From Pipelines to Refineries: Scaling Big Data Applications
Databricks
 
Building a Database for the End of the World
Building a Database for the End of the WorldBuilding a Database for the End of the World
Building a Database for the End of the World
jhugg
 
Maths behind every it operation. (development and management)
Maths behind every it operation. (development and management)Maths behind every it operation. (development and management)
Maths behind every it operation. (development and management)
Swapnil Kotwal
 
Distributed Decision Tree Learning for Mining Big Data Streams
Distributed Decision Tree Learning for Mining Big Data StreamsDistributed Decision Tree Learning for Mining Big Data Streams
Distributed Decision Tree Learning for Mining Big Data Streams
Arinto Murdopo
 
201411203 goto night on graphs for fraud detection
201411203 goto night on graphs for fraud detection201411203 goto night on graphs for fraud detection
201411203 goto night on graphs for fraud detection
Rik Van Bruggen
 
Introduction to multicore .ppt
Introduction to multicore .pptIntroduction to multicore .ppt
Introduction to multicore .ppt
Rajagopal Nagarajan
 
04 accelerating dl inference with (open)capi and posit numbers
04 accelerating dl inference with (open)capi and posit numbers04 accelerating dl inference with (open)capi and posit numbers
04 accelerating dl inference with (open)capi and posit numbers
Yutaka Kawai
 
Machine learning for IoT - unpacking the blackbox
Machine learning for IoT - unpacking the blackboxMachine learning for IoT - unpacking the blackbox
Machine learning for IoT - unpacking the blackbox
Ivo Andreev
 
50620130101002
5062013010100250620130101002
50620130101002
IAEME Publication
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
Robert McDermott
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
Robert McDermott
 
L5. Data Transformation and Feature Engineering
L5. Data Transformation and Feature EngineeringL5. Data Transformation and Feature Engineering
L5. Data Transformation and Feature Engineering
Machine Learning Valencia
 
MLSEV. Logistic Regression, Deepnets, and Time Series
MLSEV. Logistic Regression, Deepnets, and Time Series MLSEV. Logistic Regression, Deepnets, and Time Series
MLSEV. Logistic Regression, Deepnets, and Time Series
BigML, Inc
 
From Pipelines to Refineries: scaling big data applications with Tim Hunter
From Pipelines to Refineries: scaling big data applications with Tim HunterFrom Pipelines to Refineries: scaling big data applications with Tim Hunter
From Pipelines to Refineries: scaling big data applications with Tim Hunter
Databricks
 
"erlang, webmail and hibari" at Rakuten tech talk
"erlang, webmail and hibari" at Rakuten tech talk"erlang, webmail and hibari" at Rakuten tech talk
"erlang, webmail and hibari" at Rakuten tech talk
CLOUDIAN KK
 
Data Stream Algorithms in Storm and R
Data Stream Algorithms in Storm and RData Stream Algorithms in Storm and R
Data Stream Algorithms in Storm and R
Radek Maciaszek
 
Solving Large Scale Optimization Problems using CPLEX Optimization Studio
Solving Large Scale Optimization Problems using CPLEX Optimization StudioSolving Large Scale Optimization Problems using CPLEX Optimization Studio
Solving Large Scale Optimization Problems using CPLEX Optimization Studio
optimizatiodirectdirect
 
BSSML17 - Deepnets
BSSML17 - DeepnetsBSSML17 - Deepnets
BSSML17 - Deepnets
BigML, Inc
 

Similar to The Factoring Dead: Preparing for the Cryptopocalypse (20)

TensorFlow London 11: Pierre Harvey Richemond 'Trends and Developments in Rei...
TensorFlow London 11: Pierre Harvey Richemond 'Trends and Developments in Rei...TensorFlow London 11: Pierre Harvey Richemond 'Trends and Developments in Rei...
TensorFlow London 11: Pierre Harvey Richemond 'Trends and Developments in Rei...
 
Provenance for Data Munging Environments
Provenance for Data Munging EnvironmentsProvenance for Data Munging Environments
Provenance for Data Munging Environments
 
From Pipelines to Refineries: Scaling Big Data Applications
From Pipelines to Refineries: Scaling Big Data ApplicationsFrom Pipelines to Refineries: Scaling Big Data Applications
From Pipelines to Refineries: Scaling Big Data Applications
 
Building a Database for the End of the World
Building a Database for the End of the WorldBuilding a Database for the End of the World
Building a Database for the End of the World
 
Maths behind every it operation. (development and management)
Maths behind every it operation. (development and management)Maths behind every it operation. (development and management)
Maths behind every it operation. (development and management)
 
Distributed Decision Tree Learning for Mining Big Data Streams
Distributed Decision Tree Learning for Mining Big Data StreamsDistributed Decision Tree Learning for Mining Big Data Streams
Distributed Decision Tree Learning for Mining Big Data Streams
 
201411203 goto night on graphs for fraud detection
201411203 goto night on graphs for fraud detection201411203 goto night on graphs for fraud detection
201411203 goto night on graphs for fraud detection
 
Introduction to multicore .ppt
Introduction to multicore .pptIntroduction to multicore .ppt
Introduction to multicore .ppt
 
04 accelerating dl inference with (open)capi and posit numbers
04 accelerating dl inference with (open)capi and posit numbers04 accelerating dl inference with (open)capi and posit numbers
04 accelerating dl inference with (open)capi and posit numbers
 
Machine learning for IoT - unpacking the blackbox
Machine learning for IoT - unpacking the blackboxMachine learning for IoT - unpacking the blackbox
Machine learning for IoT - unpacking the blackbox
 
50620130101002
5062013010100250620130101002
50620130101002
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
L5. Data Transformation and Feature Engineering
L5. Data Transformation and Feature EngineeringL5. Data Transformation and Feature Engineering
L5. Data Transformation and Feature Engineering
 
MLSEV. Logistic Regression, Deepnets, and Time Series
MLSEV. Logistic Regression, Deepnets, and Time Series MLSEV. Logistic Regression, Deepnets, and Time Series
MLSEV. Logistic Regression, Deepnets, and Time Series
 
From Pipelines to Refineries: scaling big data applications with Tim Hunter
From Pipelines to Refineries: scaling big data applications with Tim HunterFrom Pipelines to Refineries: scaling big data applications with Tim Hunter
From Pipelines to Refineries: scaling big data applications with Tim Hunter
 
"erlang, webmail and hibari" at Rakuten tech talk
"erlang, webmail and hibari" at Rakuten tech talk"erlang, webmail and hibari" at Rakuten tech talk
"erlang, webmail and hibari" at Rakuten tech talk
 
Data Stream Algorithms in Storm and R
Data Stream Algorithms in Storm and RData Stream Algorithms in Storm and R
Data Stream Algorithms in Storm and R
 
Solving Large Scale Optimization Problems using CPLEX Optimization Studio
Solving Large Scale Optimization Problems using CPLEX Optimization StudioSolving Large Scale Optimization Problems using CPLEX Optimization Studio
Solving Large Scale Optimization Problems using CPLEX Optimization Studio
 
BSSML17 - Deepnets
BSSML17 - DeepnetsBSSML17 - Deepnets
BSSML17 - Deepnets
 

Recently uploaded

A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
ScyllaDB
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ortus Solutions, Corp
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 

Recently uploaded (20)

A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsGetting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 

The Factoring Dead: Preparing for the Cryptopocalypse

  • 1. The Factoring Dead Preparing for the Cryptopocalypse Thomas Ptacek, Matasano Tom Ritter, iSEC Partners Javed Samuel, iSEC Partners Alex Stamos, Artemis Internet
  • 3. • There is a significant disconnect between theory and reality in security. • Lots of great, continuous academic research in cryptography. • Few engineers get beyond Applied Cryptography before shipping code. • In the 2010's, it is no longer acceptable to just use standard libraries and claim ignorance. • We wanted to see if we could bridge this gap a bit. • We certainly are not the only ones to do so. Why are we here?
  • 4. • Numerous attacks on the currentTLS infrastructure. • BEAST 1 • CRIME 2 • Lucky 13 3 • RC4 Bias 4 • Even a new compression oracle attack here at BlackHat USA 2013! 5 • Were any of these attacks really unpredictable to people paying attention? (Hint: no6) RecentTLS Problems [1] http://vnhacker.blogspot.com/2011/09/beast.htm [2] https://www.isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx l [3] http://www.isg.rhul.ac.uk/tls/TLStiming.pdf [4] http://infoscience.epfl.ch/record/152526/files/RC4_1.pdf [5] http://www.blackhat.com/us-13/briefings.html#Prado [6] John Kelsey. Compression and information leakage of plaintext. Fast Software Encryption, 9th International Workshop, February 2002!
  • 5. • 1998 – EFF Deep Crack defeats DES in 56 hours • 2005 - Pre-image attacks against MD5 discussed • 2008- Applebaum, Sotirov et. al. use MD5 attack against CA • 2011 - CA/Browser Forum forbids MD5 • 2012 - Somebody (cough) uses related attack against Microsoft for FLAME • SIM Card Attack at BlackHat 2013 using DES Comparison to AcademicTime Line
  • 6. • Most systems are not designed for cryptographic agility • Cryptography is an ecosystem • Few companies employ full-time cryptographers • Hard for InfoSec practitioners to keep up-to-speed • Lots of momentum in the professional consulting core. We have failed as an industry to address these structural problems. Why such a disconnect?
  • 7. • Looking for the next crypto black swan. • Our thesis: • Last six months has seen huge leaps in solving the DLP • These leaps have parallels to the past. • There is a small but real chance that both RSA and non- ECC DH will soon become unusable. • Ecosystem currently cannot support a quick pivot to ECC We want this room to become the seed of change Why are we here?
  • 9. • Key part of modern cryptosystems Why Asymmetric Cryptography?
  • 10. • We need a “trap-door” function, something that is easy to do but hard to undo • We also need a way to cheat with more information • Rarely is the difficulty of this function proved, only assumed How does asymmetric crypto work?
  • 11. • Diffie-Hellman - 1976 - Secure key exchange • RSA - 1977 - Encryption, signing • Elliptic Curve Cryptography • Suite B - 2007 - Key exchange, signing and encryption • GOST - 2010 - Key exchange, signing and encryption What are the common primitives?
  • 12. • First published byWhitfield Diffie and Martin Hellman in 1976 • Establishes shared secret by exchanging data over a public network. • Security relies on the hardness of the discrete logarithm problem. Diffe HellmanOverview
  • 13. • Solve the discrete logarithm problem: • Suppose h = gx for some g in the finite field and secret integer x. • The discrete logarithm problem is to find the element x, when only g and h are known. • Also how you attack El-Gamal and DSA How do I attack DH?
  • 14. • Key Generation to compute public and private key exponent (e, d) • Encryption by raising the message to public key exponent e • Decryption by raising the message to private key d • Security relies on the hardness of factoring. RSA Overview
  • 15. • Factoring! • Find the p & q such that p*q = N • Factoring an RSA modulus allows an attacker to compute the secret d and thus figure out the private key. How do I attack RSA?
  • 16. • An elliptic curve E over R real numbers is defined by a Weierstrass equation eg y2 = x3 - 3x + 5 • Cryptographic schemes require fast and accurate arithmetic and use one of the following elliptic fields. • Prime Field Fp where p is a prime for software applications. • Binary Field F2m where m is a positive integer for hardware applications. Elliptic Curve Cryptography Overview
  • 18. ECC v RSA key sizes NIST Recommended Key Sizes Symmetric DH or RSA ECC 56 512 112 80 1024 160 112 2048 224 128 3072 256 192 7680 384 256 15360 521
  • 20. • Generic algorithms (for any G) • Example: Pohlig-Hellman • Shows that discrete logarithm can be solved by breaking up the groups into subgroups of prime order. • Generic algorithms are exponential time algorithms. • Specific algorithms which make use of group representation • Example: Index calculus algorithms • They leverage particular properties of the group • Result in sub-exponential running time Discrete LogarithmAlgorithms
  • 21. L(1) – Exponential WayToo Slow Exponential vs Polynomial L(0) – Polynomial Fast enough to scare you Linear running time plot Logarithmic running time plot
  • 22. Exponential vs Polynomial L(0) L(1/2) – 1979 L(1) – current fastest ECDLP algorithms
  • 23. Exponential vs Polynomial L(0) L(1/2) – 1979 L(1) – current fastest ECDLP algorithmsL(1/3) – 1984 Factoring and Discrete Logs stay here for the next 30 years
  • 24. Exponential vs Polynomial L(0) L(1/2) – 1979 L(1) – current fastest ECCDLP algorithmsL(1/3) – 1984 Factoring L(1/4) for Discrete Logs with restrictions on the types of group - 2013
  • 25. Exponential vs Polynomial L(0) L(1/2) – 1979 L(1) - current fastest ECC algorithmsL(1/3) – 1984 Factoring L(1/4) - 2013 L(0) for discrete logs with restrictions on the types of groups – 2013
  • 26. • Rapid progress in DL research in past 6 months • February 20, 2013: Joux published a L( 1/4 ) algorithm to solve DLP in small characteristic fields. • April 6, 2013: Barbulescu et al solve the DLP in of F2 809 using the Function Field Sieve algorithm (FFS) • June 18, 2013: Barbulescu, Gaudry, Joux,Thomé publish a quasi-polynomial algorithm for DLP in finite fields of small characteristic. New Developments in 2013
  • 27. • Uses judicious change of variables to find multiplicative relations easier. • Uses a specific polynomial with linear factors to simplify the computation. • Uses a new descent algorithm to expresses arbitrary elements in the finite field. • Complexity is L( 1/4 + o(1)) which is considerably faster than any discrete logarithm algorithm published before. Joux’s New Discrete Log Algorithm (Feb 2013)
  • 28. • Quasi-polynomial algorithm for DL in finite fields of small characteristic. • Improves Joux’s February 2013 algorithm using special matrix properties. • Fastest discrete logarithm has been improved significantly in the past 6 months after marginal progress in 25 years. • However; no clear jump to more practical implementations which use finite fields with larger characteristicYET! More Improvements June 2013, Barbulescu, Gaudry, Joux,Thomé
  • 29. • Pairing based cryptography (PBC) over small characteristics is no longer secure. • PBC can be used for identity-based encryption, keyword searchable encryption where traditional public key cryptography may be unsuitable. • Currently used mainly in academic circle. • Improves the Function Field Sieve (FFS) in most cases. • The function field sieve currently can be used to solve for small to medium characteristics fields. Implications of Discrete Log Progress
  • 30. Why Should I Care?
  • 31. • Function Field Sieve has Four Steps • Choose a Polynomial • Relation Filtering • Linear Algebra • The Descent • In the last 6 months, all of them have been improved • More likely something can be used on something we care about • His record setting calculation, in May, took 550 Hours • 512 Bit RSA takes 652 Hours Function Field Sieve
  • 32. • Joux has attacked fields of a small characteristic • We use fields of a large characteristic • Joux’s… • Polynomial choice probably would not help • Sieving Improvements may help • Descent Algorithm needs tweaking, but definitely helps • Renewed interest could result in further improvements. Attacking DH, DSA, ElGamal
  • 33. • Factoring advances tend to lead to advances in Discrete Log • Discrete Log advances tend to lead to advances in Factoring • Degrees of difficulty of both problems are closely linked. Attacking RSA
  • 34. • 1975 Pollard's Rho in Factoring -> 1978 Pollard's Rho in Discrete Log. • 1984 Quadratic Sieve Factoring -> 1987 improvements in Discrete Log Index Calculus Algorithms. • 1993/4 Discrete Log Number & Function Field Sieves -> 1994 General Number Field Sieve for Factoring. MutualAdvances over the years
  • 35. Factoring 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs
  • 36. Factoring 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs NotThat Slow Constant Time
  • 37. Factoring 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs Easy to Parallelize NotThat Slow Constant Time
  • 38. Factoring 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs Slow & Difficult to Parallelize Easy to Parallelize NotThat Slow Constant Time
  • 39. Factoring 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. Square Root Discrete Logs 1. Polynomial Selection 2. Sieving 3. Linear Algebra 4. The Descent Factoring vs Discrete Logs Very SlowVery Fast Slow & Difficult to Parallelize Easy to Parralellize NotThat Slow Constant Time
  • 40. • No obvious technique right now from Joux’s improved discrete logarithm algorithm that applies directly to factoring. • But I’m not a mathematician, I just play one on stage – I wouldn’t bet the farm on that • Public colloquium and publications seem to indicate that NSA/NIST may also already be very concerned. Attacking RSA
  • 41. • MSIEVE • http://sourceforge.net/projects/msieve/ • CADO-NFS • http://cado-nfs.gforge.inria.fr/ • GGNFS • http://www.math.ttu.edu/~cmonico/software/ggnfs/ • Tutorials • http://github.com/tomrittervg/cloud-and-control Public Implementations &Tutorials
  • 42. • ECC is still standing - still requires exponential time algorithms • If Joux or others hits upon a general purpose discrete logarithm algorithm as fast his special purpose one... • Diffie-Hellman, DSA, and El-Gamal are toast • If that leaps to factoring - RSA is toast • Technically not dead, but… • RSA key sizes may have to go up to 16,384 bits • Wildly impractical for actual use, never mind that nothing supports keysizes that large Implications
  • 44. • Widespread active and passive attacks against live and recordedTLS. • PFS not necessarily the panacea • Failure of code-signing and update mechanisms • How do you fix your software • Failure of PGP, S/MIME and most end-to-end encryption • Almost total failure of trust in the Internet What Happens If DH or RSA Fails Now?
  • 45. • We need to move to ECC, rather quickly • Alex says that ECC is perfectly secure,YAY! • Not really • <30 years of research versus 400: • Uses some of the same ideas • Right now it’s all we have • Long-term, we need more research into alternatives • RSA was 1977, RC4 was 1984. Give Rivest a break. So, what now?
  • 46. • Lots of push from academia and government into ECC • DH/RSA are here and they are easily understood • Legal risks have slowed ECC adoption • ECC had compatibility problems, but NIST has specified 15 standard curves Why has ECC uptake been so slow?
  • 47. • In 2005, the NSA released the Suite B set of interoperable standards • Suite B specifies: • The encryption algorithm (AES-256) • The key exchange algorithm (Elliptic Curve DH) • The digital signature algorithm (Elliptic Curve DSA) • The hashing algorithms (SHA-256 and SHA-384) Hmm, what’s missing? Overview of Suite B
  • 48. • The patent issue for elliptic curve cryptosystems is the opposite of that for RSA and Diffie-Hellman. • RSA and Diffie-Hellman had patents for the cryptosystems but not the implementation. • Several important ECC patents owned by Certicom (Blackberry) • Efficient GF(2n) multiplication in normal basis representation. • Technique of validating key exchange messages to prevent a man-in-the-middle attack. • Technique for compressing elliptic curve point representations. ECC Patents
  • 49. • NSA purchased from Certicom (now Blackberry) a license that covers all of their intellectual property in a restricted field of use. • License is limited to implementations that were for national security uses and certified under FIPS 140-2 or were approved by NSA. • Commercial vendors may receive a license from NSA provided their products fit within the field of use of NSA’s license. • Commercial vendors may contact Blackberry for a license for the same 26 patents. ECC and Suite B
  • 50. MaybeCerticom is cool about this?
  • 51. Table :Windows and OSX ECC Support ECC Support on Operating Systems OS Library ECDH ECDSA Others Version OSX/IOS ssl-36800 Yes Yes None 10.6 OSX/IOS smime- 36873 Yes Yes None 10.6 Windows CNG Yes Yes None Vista Windows TLS Yes Yes None Vista Windows Suite B Yes Yes None Vista SP1, Windows 7
  • 52. Android ECC Support ECC Support on Android OS Library ECDH ECDSA Others Version Android Bouncy Castle Yes Yes None 4.0 Android TLS Yes Yes None 3.2.4 Android CyaSSL Yes Yes None 2.4.6 Android NSS Yes Yes NTRU 3.11
  • 53. Programming Languages ECC Support ECC Support on Programing Languages Programming Language Library ECDH ECDSA Others Version Python PyECC Yes Yes ECIES 2.4 C OpenSSL Yes Yes None 3.2.4 Java SE6 Bouncy Castle Yes Yes None Java 6 Java SE7 Native Yes Yes ECIES, ECDSA, ECHR Java 7 Ruby OpenSSL Yes Yes None 1.8
  • 54. • Windows Code Signing • Default is RSA • ECC is supported through CSPs but not default • AndroidCode Signing • Both DSA and RSA are currently supported. • iOS code Signing • Uses CMS • Supports ECDH and ECDSA. Code Signing
  • 55. • TLSv1.2 is the first to include ECC options • Only TLS_RSA_WITH_AES_128_CBC_SHA is required • BeforeTLS 1.2, CA and Cert had to match. • With 1.2 you can cross-sign • Can use DH_DSS, DH_RSA, ECDH_ECDSA, and ECDH_RSA with either ECC or RSA • TLS 1.1 supports ECDH(E) for PFS Transport Encryption
  • 56. • ECC roots exist, buying a cert is not so easy • There would significant work required in the transition form RSA to ECC certificates. • Thawte Root Certificate6 - Root CA is not used today. Intended for use in the future for SSL certificates. • Verisign/Symantec Root Certificate7 - ECC root certificate for 5 years; just begun offering commercial certificate this year. • Entrust ECC Certificate8 - No global root certificate currently available today.Will use a Public ECC-256 Root. • Comodo9 - 384 bit ECC Root certificate. PKI Infrastructure
  • 57. • Current Root KSK generated in 2010 (algorithm 8) • Standard specifies rotated “when necessary” or at five years • IANA,Verisign, ICANN SSAC looking at options • ECC being considered • Helps with Zone File size • Interesting enough, check out .ru DNSSEC
  • 58. • BlackBerry uses ECC extensively • OpenVPN uses OpenSSL which includes ECC support, doesn’t seem to work • IPSEC - Cisco, Shiva and Nortel gateways support ECDH IKE. • OpenSSH has ECC support, not the default. Other Popular Applications
  • 59. What do you do now?
  • 60. • Make ECC easy to use • See NaCl’s box() and unbox() • Update documentation to push developers away from RSA • Get aggressive about compatibility testing • Eat your own dogfood If you are a… OS or language vendor
  • 61. • TLS 1.2 needs to be a P1 feature • Only IE 11 and Chrome 29 support (both pre-release) • Push at CA/B Forum for standardized process for cross- signed certificates If you are… a browser vendor
  • 62. • You need to supportTLS 1.2 on endpoints • Build systems with pluggable primitives • Versioning • Handshake and negotiation • If this sounds too hard useTLS 1.2 • Use ECC for any new cryptosystems • Retrofit old mechanisms using wrapping • ECC signed binary inside of legacy RSA signature If you are a… software maker
  • 63. • Make it easy to buy an ECC cert • Change documentation to include ECC CSR instructions • The CA/Browser Forum should promulgate standards pushing this If you are a… CertificateAuthority
  • 64. • Make the world a safer place… • License the ECC patents openly to any implementation of Suite B, regardless of use If you are… BlackBerry
  • 65. • Use ECC certificates where possible • Bug vendors forTLS 1.2 and ECC support • Turn on ECDHE PFS today! • Survey your exposure, so when the cryptopocalypse comes you are like this guy: If you are… just a normal company
  • 66. • Current cryptosystems depend on discrete logarithm and factoring which has seen some major new developments in the past 6 months. • We need to move to stronger cryptosystems that leverage more difficult mathematical problems such as ECC. • There is a huge amount of work to be done, so please get started now. Summary
  • 67. • JasonP • Antonie Joux • Dan Boneh • RyanWinkelmaier (iSEC Partners intern) ThankYou

Editor's Notes

  1. Asymmetric cryptographic is an essential part of all modern cryptosystems.It has allowed us to move from the old Enigma machines used by WWII cryptographers to TLS which is used to secure communication over the internet.I am sure that we have all used TLS and we have asymmetric cryptography to thank for this.
  2. Asymmetric cryptography relies on certain information being computationally hard to compute without a secret. Asymetrix cryptosystems contain public component which can be known by everyone including an adversary. However, it must not be possible to compute the private or secret key from this information. This would completely break the cryptosystem.These mathematical functions are currently computationally difficult but not provably hard. An efficient algorithm may exist and just has not been found. Our cryptosystems rely on that efficient algorithm not being discovered. We will take a closer look at some of these mathematical functions now.
  3. BothDiffie Hellman and RSA were first published in the late 1970’s and are used in almost all of today’s cryptosystems.They are used for a variety of purposes such as secure key exchange, encryption and signing.Elliptic Curve Cryptography was first published in the 1980’s and there was been significant academic interest in Elliptic Curve cryptography but limited use in industry. ECC is performed over a specified curve unlike Diffie Hellman and RSA which are performed over the set of integers.In the recent few years, the NSA published Suite B recommendations and the Russian’s declassified GOST recommendation which recommend use Elliptic curve cryptography. Like Diffie Hellman and RSA, ECC can be used for key exchange, signing and encryption.
  4. Now we will take a closer look at the Diffie Hellman key exchange protocol. This was first published by Diffie and Hellman in 1976.As some of you may know, Diffie Hellman allows one to establish a shared secret by exchanging data over a public untrusted network.This shared secret can then be used in a symmetric cryptosystem.The security of the Diffie Hellman key exchange completely relies on the computational hardness of the discrete logarithm problem.
  5. How does one break Diffie Hellman. Simple, you solve the discrete logarithm problem.Suppose you have h = g^x. The discrete logarithm problem is to find the element x when only g and h are known.This seemingly simple problem is the basis of the Diffie Hellman key exchange protocol.To reiterate an efficient discrete logarithm algorithm will completely break DH.Also, since both El-Gamal and DSA rely on slight modifications of the DLP an efficient generic DL algorithms will break them as well.
  6. The first phase in RSA is to compute an RSA modulus from 2 large primes.From that RSA modulus, a public key exponent (e) and public key (d) are computed that satisfy a particular mathematical relation.This public key is used to encrypt any message sent to the receiver. This is done by raising the message to the recipient&apos;s public key e.The recipient of the message then raises the ciphertext to their private key d.As with Diffie Hellman, the security of RSA relies on a mathematical problem.In this the mathematical problem is factoring.
  7. We attack RSA by attacking the underlying mathematical function which in this case is factoring.Factoring as we can remember from grade school mathematics is a seemingly simple task eg. 35 = 5 * 7…. This is true for small numbers at least. However, there currently exists no efficient algorithm to factor an arbitrary number.Factoring an RSA modulus would allow us to compute the two constituent primes of that modulus and with the user’s public key we would then be able to compute the user’s private key.We can simply use the same mathematical relation which was used to generate it in the first place.To reiterate an efficient factoring algorithm will completely break RSA.
  8. Now let us switch gears a bit and discuss Elliptic Curve Cryptography. As mentioned earlier ECC was first published in the 1980’s and there has continued Work in the field over the past 30 years.An elliptic curve E over the real numbers R is defined by a Weierstrass equation. I have shown an example on the slide.This funky looking curve is special and allows us to build even secure cryptosystems.Generally either a prime field or binary field is used depending on the application.
  9. As with both Diffie Hellman and RSA, ECC also depends on a fundamental mathematical problem.In this case ECC is secure due to the hardness of the Elliptic curve discrete logarithm problem (ECDLP). This should not to be confused with the discrete logarithm problem we just saw.The underlying mathematical problem is given two points on the elliptic curve, P and Q, compute the integer d such that Q = dP.In the diagram on the screen I have shown the simple case where d=2.The key pair (d; Q) can be used for a variety of cryptosystems including signature and encryption/decryption.As with Diffie Hellman and RSA, if an efficient algorithm for solving the underlying mathematical problem then the entire cryptosystem is broken.
  10. Now we show the NIST recommended key sizes for symmetric algorithms, Diffie Hellman and ECC.As can be seen NIST recommends significantly smaller key sizes for ECC. This is due to the increased computational difficulty in solving the ECDLP as opposedto factoring or the regular DLP.Furthermore given current research advances even key sizes in the same rows are not computationally equivalent.
  11. Now we will move on the next section and look at some of the new advances in the academic world.And why we need to be very concerned about this new research progress.
  12. There are two types of discrete logarithm algorithms namely generic algorithms and specific algorithms.Generic algorithms work with a divide and conquer approach by breaking up groups into smaller groups They are very slow and take exponential time. We will discuss the complexity of algorithms in the next slide. Specific algorithms make use of particular group representations and can be much faster. Examples such as the index calculus algorithm currently result in mainly sub-exponential algorithms.They work by leveraging certain properties of the group.
  13. Now let us take a look at algorithmic complexity and why that matters. Algorithmic complexity is simply how fast does a given algorithm run.Discrete Logarithm and Factoring generally use L notation in the literature to indicate their complexity. L(0) indicates that an algorithm is polynomial while L(1) is a fully exponential algorithm. Anything in between is sub-exponential.On the linear running time plot we can see that Exponential time algorithm dominates all other algorithms which can barely be seen on x-axis.The difference in running time can be me more clearly seen in the logarithmic plot where the running time of the exponential continues to grow while for polynomial time it plateaus.
  14. Sporadic progress in DL research for 30+ years1979: Alderman published a sub-exponential L( 1/2 ) algorithm to solve the DLP. Note that this is not half the running the time of an L(1) algorithm.The fastest ECDLP logarithm has been fully exponential for the last 30 years and while there has been progress at the margins there have been no major breakthroughs.
  15. A few later there was a further improvement in academia when an L(1/3) algorithm was published.1984: Odlyzko published a L( 1/3 ) algorithm to solve DLP in finite fields.And then there was little progress in the algorithmic complexity over the past 30 years. There were some improvements at the margin to the constants but there was no substantial progress until this year.
  16. Then suddenly in February 2013 we had a paper released by Antonine Joux where he published an L(1/4) algorithm for Discrete logarithms. Note this is not a generic algorithm and only applies to cases with certain restrictions on the types of group..
  17. And then within a few months Antonine Joux and some other researchers improved these algorithm to be quasi-polynomial L(0).Again this only applies to discrete logarithm with particular properties.
  18. As we just saw there has rapid progress in the discrete logarithm field in the past 6 months. While these algorithms are currently limited to only certain circumstances namely small characteristics fields.Now for the math nerds…The characteristics of a field is the number of multiplicative identity elements in a sum needed to compute the additiive identity of the field. Generally practical cryptosystems use large characteristic field.These recent developments will bring more attention to the discrete logarithm problem and this will spur researchers into looking more closely problem most likely resulting in even further improvement in the near future.
  19. Let us know take a brief look at some of the mathematics used in the new discrete logarithm algorithm.The main thing to note is that no new fundamental mathematical technique was required. This did not require the invention of a new branch of mathematics.Instead he used several mathematical tricks to speed up the running time of the algorithm significantly. It is remarkable that such techniques were not seen earlierBy any previous researchers in the area.Some of these techniques include a clever change of variables; a specific polynomial to simplify the computation. And a new descent algorithm to express arbitrary elements in the finite field.This resulted in a discrete logarithm that is much faster than anything published earlier.
  20. And then given these insights, in less than 6 months, other researchers including Joux were able to help and improve this algorithm even further with some more special mathematics. They used special matrix properties which sped up the slowest step and resulted in a quasi-polynomial algorithm for discrete logarithm in certain circumstances.This is a big deal since there was marginal progress for 25+ years but then in 6 months there has been significant progress in discrete logarithm research.Note that is no obvious jump to more practical implementations yet. However, with the renewed interest in the field in academia we could so much more progress in the immediate future.
  21. Some of the current implications of this discrete logarithm research right now is that pairing based cryptography which is used mainly in academic circles is no longer secure when done over small characteristics. There are limited practical implementations of pairing based cryptography though there is a pairing based crypto library maintained by the Stanford cryptography group.Also the function field sieve which will be discussed in more detail by Tom Ritter in the next section is improved by these new developments. The function field sieve is used mainly for small to medium characteristics field.
  22. And now I’ll pass it to Tom Ritter who will discuss how this may apply to factoring.All right, so that’s a lot of Math, let’s talk about how this impacts or doesn’t impact the _algorithms_ we use today, before we talk about how it impacts the _applications_ we use today
  23. The Function Field Sieve, which is what’s used for solving Discrete Logs, has four steps. In the last six months, all of them have been improved. That means it’s way more likely that something will be applicable to an algorithm we care about.And it’s worthwhile to note that the computation times that people are setting records with are not super-computer-worthy. Less than a month on a single core. 652 figure:460 hours for seiving8 core days = 192 hours for linear algebra
  24. So Joux has attacked fields of a small characteristic. But we use fields of a large characteristic in Diffie Hellman, DSA, and ElGamal. Joux’s specific improvements are hit or miss on applying to these types of fields. The polynomial selection probably doesn’t, the sieving might, and the descent algorithm needs some tweaking and further work – but it will definitely lead to improvements.And of course, the simple fact that everyone in the Academic Community is really excited about this stuff means we’ll probably see even more improvements down the pipe.
  25. So what about RSA? Everybody uses RSA, and we use it everywhere. And traditionally, Discrete Logs and Factoring have been very closely linked. When we improve one, we tend to improve the other in short order.
  26. And we’ve seen this over the years. The dates that Javed threw out – those have seen advances right next to each other on the other algorithm. In the 70s, in the 80s, and in the 90s. And while I hate to think we’re going to call this decade the ‘10s, we’ll probably see a reflective paper nonetheless.
  27. But WHY are these two algorithms so closely related? Well, they have about the same steps. They both select a polynomial, sieve for relations, perform a big linear algebra step, and then solve for the specific number you want factor or compute the discrete log of.So if that’s how they’re similar, let me explain how they’re different.
  28. In Factoring, the polynomial selection takes some time, but it’s not that slow.In Discrete Logs, Joux has chosen his polynomial as a constant, based off the type of Group he’s working in.
  29. The Relationship Sieving in both takes time – but it’s trivial to parallelize. In the era of EC2 and Google Compute Engine – any problem that’s embarrassingly parallel and doesn’t require the energy output of the sun tends to just have cores thrown at it.
  30. Now the Linear Algebra for both of them is Slow, and difficult to parallelize. It requires a lot of memory, and a lot of memory bandwidth, plus a lot of CPU time. It’s also harder for Discrete Logs than it is for Factring.
  31. And the most notable difference is that the last step is way more difficult for Discrete Logs. The Descent is extremely painful for Discrete Logs, but the analogous step, the Square Root takes minutes for Factoring.So they’re very closely related, but they’re not exactly homogeneous between the two.
  32. So coming back to RSA – there’s no obvious technique fromJoux’s work to directly apply to the General Number Field Sieve, and factoring RSA public keys.That said, if there’s even a 5% chance, that’s basically a 5% chance to throw every single Certificate Authority, every single SSL session, every single software update mechanism into complete and utter disarray.And based on NIST’s publications and colloquiums it seems like they’re concerned about this too.
  33. And it’s worthwhile to note that running the General Number Field Sieve, and factoring 512-bit, and even 768-bit, RSA keys is within you, the audience members’ grasps. The software used to do it is public and open source, and there are tutorials on how to factor 512-bit keys in under 30 hours.
  34. So right now, ECC is in pretty good shape. But we have to keep in mind that ECC has been around and studied for 30 years, while RSA and DH or more importantly, factoring and discrete logs, have been studied for hundreds.if Joux or others hit upon a general purpose discrete log algorithm – Diffie Hellman and other algorithms we rely on are toastAnd if it leaps to factoring, RSA will be toast to.And if give you an idea what I mean when I say toast, I mean key sizes might have to go from 2048 to 16,384. Besides being wildly impractical for any actual use because it’s way too slow – there’s like, no software that supports keysizes that large.So let me hand it over to Alex to talk about how screwed we all are.
  35. Resources:http://www.lix.polytechnique.fr/~smith/NT-AC/X-June2013.pdfhttp://www.lix.polytechnique.fr/~smith/NT-AC/lix_20130619.pdfhttp://www.lix.polytechnique.fr/cryptologie/workshop-2013https://ellipticnews.wordpress.com/2013/06/21/quasi-polynomial-time-algorithm-for-discrete-logarithm-in-finite-fields-of-smallmedium-characteristic/http://ellipticnews.wordpress.com/2013/05/22/joux-kills-pairings-in-characteristic-2/http://bristolcrypto.blogspot.com.br/2013/02/discrete-logarithms.htmlhttps://twitter.com/pbarreto