Attacking RSA
Brian Winant
Reference
"Twenty Years of Attacks on the RSA Cryptosystem"
By Dan Boneh, in Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999
Introduction
RSA introduced August 1977
R = Ron Rivest, S = Adi Shamir, A = Len Adleman
Subject to two+ decades of cryptanalysis
No serious attacks found
Most known attacks based on implementation weaknesses
RSA Review - Modulus
Let pq = N
N is n bits long
p, q are large primes of length n/2
In practice N is at least 1024 bits
1024 bits = 309 decimal digits
RSA Review - Keys
Choose exponents e and d such that ed ≡ 1 mod φ(N)
φ(N) is the Euler phi function
Since N = pq, φ(N) = (p – 1)(q – 1)
φ(N) is the order of the multiplicative group Z_N^*
(N, e), (N, d) are the public/private keys
Doesn't matter which is which
RSA Review - Encryption
Plaintext M ∈ Z_N^*
Ciphertext C ∈ Z_N^*
Encryption: f_k(M) = C = M^e mod N
Decryption: g_k(C) = C^d mod N
M^(ed) mod N = M
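The review slides above as runnable Python. This is an added example, not code from the slides or from Boneh's paper; the primes p = 61, q = 53 and e = 17 are constructed toy values (a real modulus is thousands of bits) chosen so that every intermediate value can be checked by hand. It shows the key relation ed ≡ 1 mod φ(N), the encryption/decryption round trip, that φ(N) really is the order of Z_N^*, and that the roles of e and d can be swapped.

```python
from math import gcd

# Constructed toy primes; real RSA uses p, q of at least 1024 bits each.
P, Q = 61, 53
E = 17


def keygen(p, q, e):
    """Return (N, e, d) with e*d ≡ 1 mod phi(N); phi(N) = (p-1)(q-1) because N = pq."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(N)")
    d = pow(e, -1, phi)  # extended-Euclid inverse, built into Python 3.8+
    return n, e, d


def encrypt(m, n, e):
    """f_k(M) = M^e mod N."""
    return pow(m, e, n)


def decrypt(c, n, d):
    """g_k(C) = C^d mod N."""
    return pow(c, d, n)


def group_order(n):
    """Count the elements of Z_N^* by brute force (toy N only); must equal phi(N)."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)


def roundtrip(m, p=P, q=Q, e=E):
    """Encrypt with (N, e) and decrypt with (N, d); also check the roles swap."""
    n, e, d = keygen(p, q, e)
    back = decrypt(encrypt(m, n, e), n, d)
    back_swapped = decrypt(encrypt(m, n, d), n, e)
    return back == m and back_swapped == m


if __name__ == "__main__":
    n, e, d = keygen(P, Q, E)
    print("N =", n, "phi(N) =", (P - 1) * (Q - 1), "|Z_N^*| =", group_order(n))
    print("d =", d, "round trip ok:", roundtrip(65))
```

With these parameters N = 3233, φ(N) = 3120 and d = 2753; the brute-force count of Z_N^* agrees with φ(N), which is exactly why ed ≡ 1 mod φ(N) makes M^(ed) ≡ M.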
Trapdoors
f_k(M) is a one-way trapdoor function
Exponent d is the trapdoor: makes inverting f_k(M) easy
How hard is it to invert f_k(M) without the trapdoor?
No known mechanism to easily invert f_k(M)
However, not proven to be impossible
Breaking RSA
Goal: invert f_k(M) without knowing d
Formally: given (N, e, C), assume the factorization of N is unknown
How hard is it to compute the e-th root of C mod N?
Naïve Approach
Z_N^* is finite
Try all M ∈ Z_N^*
Runtime is exponential
Interested only in efficient algorithms: O(n^c) where n = log2 N and c is a small constant (< 5)
Theory vs. Implementation
Difference between the function and the cryptosystem
Cryptosystem is not semantically secure
Given (N, e, C) it is possible to recover some information about M
Example: Jacobi symbol of M over N
Fixed by padding M with random bits
Types of Attacks
Factoring
Elementary
Low Private Exponent
Low Public Exponent
Implementation
Factoring
If N can be factored: p, q are known, φ(N) can be computed, and d = e^(-1) mod φ(N) is easily computed using Euclid's method
State of the art factoring algorithms still exponential in log N
General Number Field Sieve
Largest factored modulus: 576 bits, 174 decimal digits
More Factoring
For some N, factoring is easy
Pollard's p – 1 algorithm: if p – 1 is a product of primes less than B, N can be factored in O(B^3)
Some RSA implementations reject such p
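An added example (not from the slides) of the two sides of the Pollard p – 1 slide: the algorithm itself on a constructed toy modulus, and the key-generation check that rejects a prime whose p – 1 is smooth. The primes 1009 (1008 = 2^4 · 3^2 · 7, smooth to bound 10) and 1013 (1012 = 2^2 · 11 · 23, not smooth) and the bound 10 are constructed for illustration; a real implementation would use much larger bounds.

```python
from math import gcd


def pollard_p_minus_1(n, bound):
    """Return a nontrivial factor of n if some prime p | n has p - 1 made only of
    primes <= bound (so p - 1 divides bound!), else None.
    Builds a = 2^(k!) mod n incrementally; once p - 1 | k!, a ≡ 1 mod p by
    Fermat, so gcd(a - 1, n) picks up p."""
    a = 2
    for k in range(2, bound + 1):
        a = pow(a, k, n)
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g
        if g == n:
            return None  # both primes fell out at once; another base would be needed
    return None


def largest_prime_factor(x):
    """Trial division; adequate for the toy sizes used here."""
    largest, f = 1, 2
    while f * f <= x:
        while x % f == 0:
            largest, x = f, x // f
        f += 1
    return max(largest, x) if x > 1 else largest


def reject_smooth_prime(p, bound):
    """Key-generation check from the slide: True when p - 1 is bound-smooth,
    i.e. p should be discarded because Pollard p - 1 would find it quickly."""
    return largest_prime_factor(p - 1) <= bound


if __name__ == "__main__":
    n = 1009 * 1013  # constructed toy modulus
    print("factor found:", pollard_p_minus_1(n, 10))
    print("reject 1009:", reject_smooth_prime(1009, 10), "reject 1013:", reject_smooth_prime(1013, 10))
```

The factor that falls out is 1009, the prime whose p – 1 is smooth; the check flags exactly that prime and accepts 1013.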
Breaking RSA vs. Factoring
If an efficient factoring algorithm exists, RSA is insecure
Open Problem: is the converse true?
Must N be factored in order to efficiently compute e-th roots mod N?
Is breaking RSA as hard as factoring?
Open Problem: Definition
Given N and e with gcd(e, φ(N)) = 1
Define f_(e,N): Z_N^* -> Z_N^*, f_(e,N)(x) = x^(1/e) mod N
Given an oracle that evaluates f in unit time, is there a polynomial-time algorithm A that computes the factorization of N?
Open Problem: Answer?
Probably not
Evidence that for small e, the answer may be no
There may not exist a polynomial-time reduction from factoring to breaking RSA
However, not proven
A negative answer is probably preferable to a positive answer
Elementary Attacks
Due to misuse of RSA
Many exist
Modulus Reuse
Blinding
Modulus Reuse
To save time, why not reuse N?
Trusted authority can provide user i with keys (N, e_i), (N, d_i)
Attacker can use own e_a, d_a to factor N
Once N is factored, recovering d_i is easy
Do not reuse N
Blinding
Fool Bob into signing an arbitrary M
e, d are Bob's public and private keys
Choose random r ∈ Z_N^*
Let M' = r^e M mod N
Have Bob sign: S' = (M')^d mod N
Blinding
Compute S = S'/r mod N
S^e = (S')^e / r^e = (M')^(ed) / r^e = (r^e M)^(ed) / r^e = r^e M / r^e = M
Attacker now has signature on M
Blinding: Defense
In practice, attack not feasible
Prevented by first hashing M before signing
An attack, but required for anonymous digital cash
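An added example (not from the slides) of the three blinding slides together: the unblinding identity S^e = M when Bob signs the raw value, and the defense slide's point that hashing before signing breaks it, because unblinding then yields H(M')^d / r, which is not a signature on H(M). The key (p = 61, q = 53, e = 17), the message 42 and the blinding factor 7 are constructed toy values; the hash is SHA-256 reduced mod N, standing in for whatever digest a real signature scheme uses.

```python
from hashlib import sha256

# Constructed toy key (p = 61, q = 53); a real key is at least 2048 bits.
N, E, D = 3233, 17, 2753


def sign_raw(m, n=N, d=D):
    """Textbook RSA signature on the raw message: S = M^d mod N."""
    return pow(m, d, n)


def verify_raw(m, s, n=N, e=E):
    return pow(s, e, n) == m % n


def blind(m, r, n=N, e=E):
    """M' = r^e * M mod N; r is the blinding factor (must be invertible mod N)."""
    return pow(r, e, n) * m % n


def unblind(s_blinded, r, n=N):
    """S = S' / r mod N."""
    return s_blinded * pow(r, -1, n) % n


def h(m, n=N):
    """Hash-then-reduce; stands in for the digest a real scheme signs."""
    return int.from_bytes(sha256(m.to_bytes(16, "big")).digest(), "big") % n


def sign_hashed(m, n=N, d=D):
    """The defense from the slide: Bob signs H(M), never M itself."""
    return pow(h(m, n), d, n)


def verify_hashed(m, s, n=N, e=E):
    return pow(s, e, n) == h(m, n)


def blinding_vs_raw_signing(m, r):
    """Bob signs M' = r^e M directly; unblinding gives a valid signature on M."""
    s = unblind(sign_raw(blind(m, r)), r)
    return verify_raw(m, s)


def blinding_vs_hashed_signing(m, r):
    """Bob hashes M' first; the unblinded value no longer verifies against M."""
    s = unblind(sign_hashed(blind(m, r)), r)
    return verify_hashed(m, s)


if __name__ == "__main__":
    print("raw signing, forged signature verifies:", blinding_vs_raw_signing(42, 7))
    print("hashed signing, forged signature verifies:", blinding_vs_hashed_signing(42, 7))
```

The first call returns True, which is the slide's derivation carried out numerically; the second returns False, because the hash removes the multiplicative relation between M' and M that unblinding relies on.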
Low Private Exponent
Reduce decryption time by using small d
If d < (1/3) N^(1/4), d can be recovered
Approximation method based on continued fractions
Small d can still be chosen using the Chinese Remainder Theorem in a possibly secure manner: ensure d mod φ(N) is still large
Open Problem: How small can d be?
Open Problem
Let N = pq
Let d < N^0.5
Let e < φ(N), ed ≡ 1 mod φ(N)
If attacker is given (N, e), can d be recovered efficiently?
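An added example (not from the slides) of the continued-fraction method the low-private-exponent slide refers to, written as a key-acceptance check: given only the public (N, e), it expands e/N into convergents k/d and tests each candidate by whether the implied φ(N) makes x^2 – (N – φ + 1)x + N split into the genuine p and q. The primes 1013 and 1009 and the exponents d = 5 (below the (1/3) N^(1/4) bound) and e = 17 (whose d is large) are constructed toy values.

```python
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients of num/den."""
    cf = []
    while den:
        q, r = divmod(num, den)
        cf.append(q)
        num, den = den, r
    return cf


def convergents(cf):
    """Yield successive convergents (numerator, denominator) of a continued fraction."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    for a in cf:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener_check(n, e):
    """Return d if (n, e) hides a private exponent small enough for the
    continued-fraction attack, else None.  For each convergent k/d of e/N,
    phi = (e*d - 1)/k is a candidate for phi(N); then s = N - phi + 1 would be
    p + q and s^2 - 4N would be (p - q)^2.  Only the genuine phi(N) makes that
    discriminant a perfect square with the right parity."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1
        disc = s * s - 4 * n
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            return d
    return None


def wiener_bound(n):
    """Largest d the slide's bound covers: d < (1/3) N^(1/4)."""
    return isqrt(isqrt(n)) // 3


def make_key_with_small_d(p, q, d):
    """Constructed weak key: choose a tiny d and derive e = d^-1 mod phi(N)."""
    phi = (p - 1) * (q - 1)
    return p * q, pow(d, -1, phi)


if __name__ == "__main__":
    n, e = make_key_with_small_d(1013, 1009, 5)
    print("bound:", wiener_bound(n), "recovered d:", wiener_check(n, e))
    print("e = 17 (large d):", wiener_check(1013 * 1009, 17))
```

For the weak key the check returns d = 5 from the public values alone; for e = 17 the private exponent is 180017 and none of the convergents of 17/N passes the factorization test, so the check returns None. A key generator would run this once and regenerate on a non-None result.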
Low Public Exponent
In practice, small public keys are used
Reduces encryption and signature-verification time
Smallest e = 3
Recommended e = 2^16 + 1
For signature-verification: requires 17 multiplications, approx. 1000 when random e used
Small public keys are not as dangerous as small private keys
Low Public Exponent Attacks
Broadcast Attack
Related Message Attack
Short Pad Attack
Partial Key Exposure Attack
Broadcast Attack
Bob sends M to parties P_1 … P_k
P_i has public key (N_i, e_i)
M < N_i for all i
Bob encrypts M with key for each P_i
Attacker can collect all k ciphertexts and recover M if k ≥ e
Broadcast Attack: Simplified
Assume e_i = 3 for all i
Attacker collects C_1, C_2, C_3
C_1 = M^3 mod N_1
C_2 = M^3 mod N_2
C_3 = M^3 mod N_3
Chinese Remainder Theorem: C' = M^3 mod N_1 N_2 N_3
Broadcast Attack: Simplified
Since M < all N_i, M^3 < N_1 N_2 N_3
So C' = M^3
Recover M by calculating the cube root of C'
Broadcast Attack: Defense
Pad M with random bits
Padding M with non-random bits allows other attacks
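An added example (not from the slides) covering the simplified broadcast slides and the defense slide: CRT recombination of three e = 3 ciphertexts into M^3, the exact integer cube root, and what happens once each recipient's copy carries its own random pad. The three moduli are constructed from primes ≡ 2 mod 3 (so e = 3 is a valid exponent for each), and the 6-bit pad width is a toy choice sized to the toy moduli.

```python
# Constructed toy recipient moduli, pairwise coprime, all with 3 coprime to phi(N_i).
MODULI = (53 * 59, 71 * 83, 89 * 101)
E = 3
PAD_BITS = 6  # toy pad width; real padding uses far more random bits


def crt(residues, moduli):
    """Chinese Remainder Theorem: the x < prod(moduli) with x ≡ r_i mod N_i."""
    prod = 1
    for n in moduli:
        prod *= n
    total = 0
    for r, n in zip(residues, moduli):
        m = prod // n
        total += r * m * pow(m, -1, n)
    return total % prod


def exact_cube_root(x):
    """Integer cube root of x if x is a perfect cube, else None (binary search)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def broadcast(m, pads=None):
    """Bob's side: encrypt m to every recipient.  With pads given, recipient i
    receives (m << PAD_BITS) | pads[i], i.e. m with its own random bits appended."""
    ciphertexts = []
    for i, n in enumerate(MODULI):
        m_i = m if pads is None else (m << PAD_BITS) | pads[i]
        if m_i >= n:
            raise ValueError("message must be smaller than every modulus")
        ciphertexts.append(pow(m_i, E, n))
    return ciphertexts


def recover_from_broadcast(ciphertexts):
    """Observer's side: CRT gives M^3 mod N_1 N_2 N_3; if every copy encrypted the
    same M < N_i, that is M^3 itself and the cube root is M.  Otherwise the
    combined value is not a cube of anything meaningful."""
    return exact_cube_root(crt(ciphertexts, MODULI))


if __name__ == "__main__":
    print("unpadded broadcast, recovered:", recover_from_broadcast(broadcast(1000)))
    # Pads 5, 17, 40 are constructed stand-ins for per-recipient random bits.
    print("padded broadcast, recovered:", recover_from_broadcast(broadcast(20, (5, 17, 40))))
```

Without padding the observer gets M = 1000 back from the three public ciphertexts; with per-recipient random bits the three plaintexts differ, the CRT value is no longer a single M^3, and nothing usable comes out. Non-random (fixed) padding would make all three plaintexts identical again, which is the slide's warning.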
Related Message Attack
Bob sends Alice related messages using the same modulus
(N, e) is Alice's public key
M_1, M_2 ∈ Z_N^*
M_1 = f(M_2) mod N, where f is a publicly known polynomial mod N, e.g. f(x) = ax + b mod N with b ≠ 0
Given (N, e, C_1, C_2, f), attacker can recover M_1, M_2 in time quadratic in log N
Related Message Attack
Works by computing the GCD of two polynomials
g_1(x) = f(x)^e – C_1
g_2(x) = x^e – C_2
For large e, computing the GCD is too expensive
Short Pad Attack
Exploits naïve random padding of M: add random bits to one end of M
Requires knowledge of two ciphertexts corresponding to the same message
Short Pad Attack
|N| = n
m = floor(n/e^2): relationship between pad and key lengths
|M| = n – m
M_1 = 2^m M + r_1
M_2 = 2^m M + r_2
0 ≤ r_1, r_2 < 2^m
Given (N, e, C_1, C_2), M can be efficiently recovered
Partial Key Exposure Attack
If a portion of d is exposed, can all of d be recovered?
Yes, if e is small: e < sqrt(N)
Need ceil(n/4) least significant bits of d
Implementation Attacks
Attack the implementation of RSA, not the underlying mathematical structure
Timing
Random Faults
PKCS 1
Timing Attack
Smartcard attack
Based on timing the efficient modular exponentiation algorithm
Can recover bits based on whether or not the squaring step is performed
Similar attack based on monitoring power consumption
Timing Attack: Defense
Add delay
Use blinding on itself: adds randomness to ciphertext, less correlation between input and key bits
Approach due to Rivest
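An added example (not from the slides) of the timing-attack and defense slides: a square-and-multiply exponentiation whose operation sequence is recorded as the trace a timing or power probe would see, the bit recovery that sequence permits, a constant-sequence ladder that removes the key-dependent pattern, and the blinding defense attributed to Rivest, which leaves the sequence alone but decorrelates it from the input. The key (p = 61, q = 53, e = 17, d = 2753) and the blinding factor 7 are constructed toy values.

```python
# Constructed toy key (p = 61, q = 53); a real key is at least 2048 bits.
N, E, D = 3233, 17, 2753


def square_and_multiply(base, exp, mod, trace):
    """Left-to-right binary exponentiation.  `trace` records 'S' for every
    squaring and 'M' for the conditional multiply: the data-dependent operation
    sequence a timing or power probe observes."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result


def exponent_from_trace(trace):
    """Read the exponent back out of the leaked sequence: an 'S' followed by
    an 'M' was a 1 bit; an 'S' followed by another 'S' (or the end) was a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def montgomery_ladder(base, exp, mod, trace):
    """Constant-sequence exponentiation: every bit costs exactly one multiply and
    one squaring, so the trace depends only on the exponent's length."""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        else:
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        trace.extend(("M", "S"))
    return r0


def blinded_decrypt(c, r, n=N, e=E, d=D):
    """Blinding defense: exponentiate C * r^e instead of C, then divide by r.
    The operation sequence is unchanged, but the value being exponentiated is
    unknown to the observer, which breaks the input/timing correlation."""
    masked = c * pow(r, e, n) % n
    return pow(masked, d, n) * pow(r, -1, n) % n


if __name__ == "__main__":
    leak = []
    print("plaintext:", square_and_multiply(2790, D, N, leak))
    print("d from trace:", exponent_from_trace(leak))
    t1, t2 = [], []
    montgomery_ladder(2790, D, N, t1)
    montgomery_ladder(2790, 2048, N, t2)
    print("ladder traces identical for any 12-bit exponent:", t1 == t2)
    print("blinded decrypt:", blinded_decrypt(2790, 7))
```

The leaky routine hands back all of d from its operation sequence alone; the ladder produces the same trace for any exponent of the same bit length, and blinding yields the correct plaintext while hiding the value that was actually exponentiated.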
Random Faults
Many RSA implementations use the Chinese Remainder Theorem to speed up computation of M^d mod N
Let a = d mod (p – 1)
Let b = d mod (q – 1)
C_a = M^a mod p
C_b = M^b mod q
C = T_1 C_a + T_2 C_b mod N
Faster since less exponentiation is needed
Random Faults
Suppose a computer glitch causes an incorrect bit
Either C_a or C_b will be incorrect
Can detect the incorrect result C': C'^e ≡ M mod p but C'^e ≢ M mod q
Exposes a factor of N, but requires knowledge of M
Random Faults: Defense
Requires M to not be padded: add random bits
Check before sending
You're doing this anyway, right?
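An added example (not from the slides) of the three random-fault slides: CRT exponentiation with the T_1, T_2 recombination, a simulated one-bit glitch in the mod-p half, the gcd that exposes a factor from the faulty output when M is known, and the "check before sending" defense that catches the bad result before it leaves the device. The key (p = 61, q = 53, e = 17, d = 2753) and the message 65 are constructed toy values.

```python
from math import gcd

# Constructed toy key (p = 61, q = 53); a real key is at least 2048 bits.
P, Q, E, D = 61, 53, 17, 2753
N = P * Q


def crt_exponentiate(m, p, q, d, glitch_in_p=False):
    """C = M^d mod N the CRT way: a = d mod (p-1), b = d mod (q-1), two half-size
    exponentiations, then C = T1*C_a + T2*C_b mod N with
    T1 ≡ 1 mod p, 0 mod q and T2 ≡ 0 mod p, 1 mod q.
    glitch_in_p simulates the slide's random fault: one flipped bit in C_a."""
    a = d % (p - 1)
    b = d % (q - 1)
    c_a = pow(m, a, p)
    c_b = pow(m, b, q)
    if glitch_in_p:
        c_a ^= 1  # the simulated hardware fault
    n = p * q
    t1 = q * pow(q, -1, p)
    t2 = p * pow(p, -1, q)
    return (t1 * c_a + t2 * c_b) % n


def check_before_sending(m, c, n=N, e=E):
    """The defense: verify C^e ≡ M mod N before the result is released."""
    return pow(c, e, n) == m % n


def factor_from_faulty_output(m, c_bad, n=N, e=E):
    """What the slide warns about: a released faulty C' satisfies C'^e ≡ M modulo
    only one of p, q, so gcd(C'^e - M, N) is that prime.  Needs the exact M,
    which is why random padding of M also blunts the attack."""
    return gcd(pow(c_bad, e, n) - m, n)


if __name__ == "__main__":
    good = crt_exponentiate(65, P, Q, D)
    bad = crt_exponentiate(65, P, Q, D, glitch_in_p=True)
    print("good result passes check:", check_before_sending(65, good))
    print("faulty result passes check:", check_before_sending(65, bad))
    print("factor leaked by faulty result:", factor_from_faulty_output(65, bad))
```

The glitched half is the mod-p computation, so the faulty output is still correct mod q and the gcd returns q = 53; the pre-release check rejects that output and nothing leaves the device.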
PKCS 1 Attack
Possible in older version of the standard
Implementations will raise an error if C does not contain the 16-bit "02"
Equals an oracle which can reveal whether the most significant 16 bits of C equal 02
Conclusion
RSA function susceptible to mathematical trickery
Exploits are not practical: easy to defend against, would never occur in reality
Requires correct and secure implementation
No known dangerous attacks against properly implemented RSA