Download - Security Attacks on RSA

Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack

Security Attacks on RSAA Computational Number Theoretic Approach

Pratik Poddar

Department of Computer Science and EngineeringIIT Bombay

April 10, 2009


Contents

1 IntroductionIntroduction to RSA CryptosystemIntroduction to RSA SignaturesBasic Ideas of RSA

2 Factoring AttacksSome Factoring AlgorithmsBreaking RSA v/s FactoringExposing d v/s FactoringGuessing φ(N) v/s FactoringAre Strong Primes Needed?Conclusion

3 Elementary AttacksDictionary AttackCommon Modulus AttackBlinding Attack

4 Low Private Exponent AttackTheory of Continued FractionsWiener’s AttackAvoiding Wiener’s Attack


RSA

Adi Shamir, Ron Rivest, Len Adleman in 1977


The Math behind RSA

p and q are two distinct large prime numbers

N = pq and φ(N) = (p − 1)(q − 1)

Choose a large random number d > 1 such thatgcd(d , φ(N)) = 1 and compute the number e, 1 < e < φ(N)satisfying the congruence

ed ≡ 1 mod φ(N)

The numbers N, e, d are referred to as the modulus,encryption exponent and decryption exponent respectively.

The public key is the pair (N, e) and the secret trapdoor is d .


Introduction to RSA Cryptosystem

Simplified Model of RSA Cryptosystem

Why it it simplified?Difference between RSA cryptosystem and RSA function


Introduction to RSA Signatures

Simplified Model of RSA Signatures


Basic Ideas of RSA

Based on the idea that . . . Factorization is difficult

But . . .

There is no formal proof that

1 Factorization is difficult

2 Factorization is needed for cryptanalysis of RSA


Contents






Factoring Algorithm 1: Fermat’s Factorization Method

First improvement over the√

n trial-division method

Every odd composite number can be represented as a difference of twosquares

n = cd

n =

»c + d

2

–2

−»c − d

2

–2

Start from k =√

n, go on incrementing k till k2 − n is a perfect square

Might be worse than trial division . . .

Effect on RSA . . . Special case p − q ≤ 4n14


Factoring Algorithm 2: Euler’s Factorization Method

Based upon representing a positive integer n as the sum of two squares intwo different ways

n = a2 + b2 = c2 + d2

If n can be represented as a sum of two squares in two different ways, itcan be factorized!!

(a− c)(a + c) = (d − b)(d + b)

Let k be the gcd of a− c and d − b, so that a− c = kl and d − b = km.

l(a + c) = m(d + b) and a + c = mr and d + b = lr (Why?)

n =h`

k2

´2+`

r2

´2i · (m2 + l2) (Are k and r always even?)

Start from k =p

n2

, go on decrementing k till n − k2 is a perfect square

Historically important!! Flaws!!


Factoring Algorithm 3: Pollard’s p − 1 Method

Basic idea

Effect on RSA



Pollard’s p − 1 algorithm

Require: A composite integer NEnsure: A non-trivial factor of N or failure

B ⇐ Chosen Smoothness Bounda⇐ Random number coprime to Nfor q = 1 to B do

if q is prime then

e ←—

log Nlog q

�a← aqe

mod Nend if

end for



Pollard’s p − 1 algorithm

g ← gcd (a− 1,N)if 1 < g < N then

return gelse if g = 1 then

Select a higher B and go to step 2 or return failureelse

Go to step 2 or return failureend if



Example... Factorize 5917

Say B = 5, we make α = 2133856

So, β = 2α − 1

gcd(β, 5917) = 61 !!


Factoring Algorithm 4: Pollard’s ρ Method

Ideas:

Birthday Paradox

Floyd’s cycle finding algorithm


Factoring Algorithm 4: Pollard’s ρ Method

Pollard’s ρ algorithm

Require: n, the integer to be factored; x1, such that 0 ≤ x1 ≤ n; and f (x), apseudo-random function modulo n.

Ensure: A non-trivial factor of n or failure

i ⇐ 1; y ⇐ x1; k ⇐ 2loop

i ⇐ i + 1xi ⇐ (x2

i−1 − 1) mod n

d ⇐ gcd(y − xi , n)if d 6= 1 and d 6= n then

return dend ifif i = k then

y ⇐ xi

k ⇐ 2kend if

end loop



Factoring Algorithm 4: Pollard’s ρ Method .. Example



Factoring Algorithm 4: Pollard’s ρ Method .. Example

Example... Factorize 1387 Take x1 = 2 andf (x) = x2 − 1 mod 1387i xi gcd(xi − y , 1387) y

1 2 - 22 3 gcd(3− 2, 1387) = 1 33 8 gcd(8− 3, 1387) = 14 63 gcd(63− 3, 1387) = 1 635 1194 gcd(1194− 63, 1387) = 16 1186 gcd(1186− 83, 1387) = 17 177 gcd(177− 63, 1387) = 198 814 gcd(814− 63, 1387) 8149 996 gcd(996− 814, 1387)

Complexity??


Breaking RSA v/s Factoring

Breaking RSA ≤ Factoring (Obvious!)

Open Problem: Factoring ≤ Breaking RSA??

Expectation: No!!! Factoring is expected to be strictly > Breaking RSA


Exposing d v/s Factoring

Theorem

Exposing the private key d and factoring N are equivalent

Proof

Determining d ≤ Factoring N (Why??)

Determining d ≥ Factoring N (Non-obvious algorithm)

We will now present a randomized algorithm by which knowing d ,factors of N can be easily determined.


Exposing d v/s Factoring . . . Miller Rabin Test

Miller Rabin Test

Randomized primality testing algorithm

Miller version · · · Rabin version



Miller Rabin Test

Require: n > 2, an odd integer to be tested for primalityEnsure: Composite if n is composite, otherwise probably Prime

Write n − 1 as 2sd with d odda⇐ Random number between 1 and n − 1x0 ⇐ ad mod nif x = 1 OR x = n − 1 then

return Probably Primeend if



Miller Rabin Test

for i = 1 to s − 1 doxi ⇐ x2

i−1 mod nif xi = 1 and xi−1 6= 1 and xi−1 6= n − 1 then

return Compositeend if

end forif xt 6= 1 then

return Compositeelse

return Probably Primeend if



Miller Rabin Error Rate Analysis

If n is a composite number, then the number of witnesses to thecompositeness of n is at least n−1

2 .

Proof

Prove that number of non-witnesses is at most n−12

Creating a subgroup B, which is a subgroup of Z∗n , which contains all thenon-witnesses

Show the existence of an element in Z∗n − B,

Order of B ≤ n−12

. Number of non-witnesses ≤ n−12

We break the proof into two cases.



Case 1: There exists an x ∈ Z∗n such that xn−1 6≡ 1 mod n

Let B = {b ∈ Z∗n : bn−1 ≡ 1 (mod n)}Since there exists an element x for which xn−1 6≡ 1 mod n, Z∗n − B isnon-empty

Number of non-witnesses ≤ n−12



Case 2: For all x ∈ Z∗n, xn−1 ≡ 1 mod n

Represent n as n1n2 where n1 and n2 are relatively primeNote that n − 1 = 2su and for input a, we can compute the following sequence

modulo n: au , a2u , a22u , a23u , a24u · · · a2su

Let us call a pair of integers (v , j) acceptable if v ∈ Z∗n , j = 0, 1, 2, · · · , s and

v2ju ≡ −1 (mod n)

Set of acceptable pairs contains (n − 1, 0). So, the set is non-empty.Pick the largest possible j for which there exists an v such that (v , j) is an acceptablepair. We will use this j in the proof.

B = {x ∈ Z∗n : x2ju ≡ ±1 (mod n)}

Clearly, B is a subgroup of Z∗n . Also note that the sequence produced by anon-witness must be either all 1’s or contain −1 no later than the jth position (due tomaximality of j). So, every non-witness belongs to B.



Case 2: For all x ∈ Z∗n, xn−1 ≡ 1 mod n

To complete the proof, we have to prove that Z∗n − B is non-empty. Note that thereexists a w such that

w ≡ v (mod n1) and w ≡ 1 (mod n2)

where v is an element in B such that v2ju ≡ −1 (mod n). So,

w2ju ≡ −1 (mod n1) and w2ju ≡ 1 (mod n2)

This implies w2ju 6≡ −1 (mod n) and w2ju 6≡ 1 (mod n). So, w /∈ B.All we need to prove is that w ∈ Z∗n . Since v ∈ Z∗n , gcd(v , n) = 1, which impliesgcd(v , n1) = 1. Since gcd(w , n1) = gcd(v , n1), gcd(w , n1) = 1. By construction of w ,gcd(w , n2) = 1. So, gcd(w , n1n2) = gcd(w , n) = 1.


Exposing d v/s Factoring . . . The Randomized Algorithm

The Algorithm. . . knowing d , factors of N can be easily determined

Let k = ed − 1

If g is chosen at random from Z∗n, the with probability at least12 , one of the elements in the sequence

gk/2, gk/4, gk/8, ..., gk/2tmod N is a witness for the

compositeness of N

A witness of compositeness of Miller Rabin test reveals afactor of N as square roots of 1 mod N (other than 1 and -1)would be x and −x where x ≡ 1 mod p and x ≡ −1 mod q

gcd(x − 1,N) would get the factor of N


Guessing φ(N) v/s Factoring

Guessing φ(N) and factoring N are equivalent

Guessing φ(N) ≥ Factoring (Obvious!)

Factoring ≥ Guessing φ(N) (Why??)


Strong Primes

What are strong primes?

A prime p is considered to be a “strong prime” if it satifies the followingconditions:

p is a large prime (say |p| ≥ 256)

The largest prime factor of p − 1, say p−, is large (say |p−| ≥ 100)

The largest prime factor of p− − 1, say p−−, is large (say |p−−| ≥ 100)

The largest prime factor of p + 1, say p+, is large (say |p+| ≥ 100)

A prime is

p−-strong if p− is large

p−−-strong if p−− is large

p+-strong if p+ is large

(p−, p+)-strong if both p− and p+ are large

strong if all p−, p−− and p+ are large


Are Strong Primes Needed?

Believed that p and q in RSA have to be strong

Original RSA paper, Cycling Attack, X .509 Standard

Rivest and Silverman proved that use of strong primes is unnecessary

PKCS#1 v2.1 does not recommend strong primes


Conclusion

We discussed about the factoring algorithms present at thetime of RSA publication

How those factorization algorithms affected RSA paper

We discussed various other ways to attempt RSA breakingand compared them to factoring

The myth of RSA needing strong primes


Contents






Elementary Attack 1: Dictionary Attack

One-to-one mapping between ciphertext and plaintext : vulnerable toDictionary Attack

Security measure: Random Padding (PKCS#1 v1.5)


Elementary Attack 2: Common Modulus Attack

RSA modulus should not be used by more than one entity

Alice recieves the ciphertext C = Mea mod N

Mallory does not have da, but using eb and db, Mallory can factor N

da can be calculated and Mallory can decrypt the message intended forAlice


Elementary Attack 3: Blinding Attack

Attack specific to RSA signatures

Suppose attacker A wants to get a document M signed by B

A needs Md mod N · · · A sends r eM mod N for B to sign

Signing the sent message gives

r edMd mod N = rMd mod N

Security measure: Random Padding, Signing Hash


Contents






Low Private Exponent Attack

Wiener’s Attack

Let N = pq with p and q approximately of the same size, i.e.q < p < 2q. Let d < 1

3N1/4. Given (N, e) with ed ≡ 1 mod φ(N),the attacker can easily recover d .


Continued Fractions

Definition

The function of n + 1 variables

a0 +1

a1 +1

a2 +1

a3 + · · · 1

an

or[a0, a1, a2, a3 · · · , an]

is defined as a continued fraction. We consider only simple andpositive continued fractions, i.e. all a′i s are integral and positive.[a0, a1, a2, a3 · · · , ai ], 0 ≤ i ≤ n are said to be the convergents of[a0, a1, a2, a3 · · · , an].


Continued Fractions · · · Theorems

Theorem 1

The continued fraction

[a0, a1, a2, · · · , an] = [a0, a1, · · · , am−1, [am, · · · an]]

Theorem 2

The continued fraction

[a0, a1, a2, · · · , am−1, am] =pm

qm=

ampm−1 + pm−2

amqm−1 + qm−2



Theorem 3

Continued Fraction Algorithm: Any rational number x can be represented as asimple finite continued fraction.

Proof

x =h0

k0

Comparing x with [a0, a1, a2, · · · , aN , aN+1],

x = a0 + ξ0 where ξ0 < 1 i .e. h0 = a0k0 + ξ0k0

If ξ0 6= 01

ξ0=

k0

h0 − a0k0

Let k1 = h0 − a0k0, (since, k1 = ξ0k0, we have k1 < k0)

k0

k1= a1 + ξ1 and k0 = a1k1 + ξ1k1



Proof Contd · · ·Doing this repeatedly gives a system of equations

h0 = a0k0 + k1 , k0 = a1k1 + k2

h1 = a1k1 + k2 , k1 = a2k2 + k3

· · ·as long as kN+1 6= 0.

Equations same as when executing Euclid’s extended algorithm to compute gcdof h0 and k0.

So, Continued fraction algorithm terminates and the number of convergents forx is Θ(min(log h0, log k0)).



Theorem 4

If ˛̨̨̨p

q− x

˛̨̨̨≤ 1

2q2

thenp

qis a convergent of continued fraction expansion of x .

Proof

Assuming that the statement is true, then

p

q− x =

εθ

q2

where ε = ±1 and 0 < θ < 12. Let pn

qnand

pn−1

qn−1be the last and second last

convergents of continued fraction of pq

. Note that pnqn

= pq

. We can write, forsome ω,

x =ωpn + pn−1

ωqn + qn−1



Proof Contd · · ·

θ =qn

ωqn + qn−1and ω =

1

θ− qn−1

qn

Note that since θ < 12, we have, ω > 1

Letp

q= [a0, a1, · · · am1]

Let ω = [b0, b1, b2 · · · bm2]

[a0, a1, a2 · · · am1, ω] = [a0, a1, a2 · · · am1, [b0, b1, b2 · · · bm2]]

=ωpm + pm−1

ωqm + qm−1= x

So, x = [a0, a1, a2 · · · am1, b0, b1, · · · bm2].So, by construction, we have proved that p

qis a convergent of continued

fraction expansion of x .


Wiener’s Attack

Attack by Wiener, 1990

Let N = pq with p and q approximately of the same size, i.e. q < p < 2q. Letd < 1

3N1/4. Given (N, e) with ed ≡ 1 mod φ(N), the attacker can easily

recover d .

Proof

There exists k such that ed − kφ(N) = 1. We will first show that that kd

is an

approximation of eN

. Also note that N − φ(N) < 3√

N.˛̨̨̨e

N− k

d

˛̨̨̨=

˛̨̨̨1− k(N − φ(N))

Nd

˛̨̨̨˛̨̨̨e

N− k

d

˛̨̨̨≤ 3k

d√

N

Also, since kφ(N) = ed − 1 < ed and e < φ(N), we have k < d . In the casewhen d < 1

3N1/4, we obtain k < d < 1

3N1/4 and so˛̨̨̨

e

N− k

d

˛̨̨̨≤ 1

d 4√

N≤ 1

3d2<

1

2d2


Wiener’s Attack

Proof Contd· · ·

kd

is a convergent of continued fraction expansion of eN

Number of fractions to be checked for kd

is bounded by Θ(log N)

One of the Θ(log N) convergents of continued fraction for eN

is kd

kd

is a reduced fraction

We have Θ(log N) available options for d


Avoiding Wiener’s Attack

Method 1: Large e

Instead of using e < N, use e′ = e + tφ(N) for a large t

This would mean e′ > N

Large e′ would mean a large k which would counter Wiener’s attack

If e′ > N1.5, Wiener’s attack is not possible even for very small d


Avoiding Wiener’s Attack

Method 2: Using CRT

Use CRT to reduce the decryption time (and signing time) even whileusing large d

Choose d such that dp = d mod (p−1) and dq = d mod (q−1) are small

For decryption, compute Mp = C dp mod p and Mq = C dq mod q

Then using CRT, compute M satisfyingM ∈ Zn

M = Mp mod p andM = Mq mod qNote that here M = C d mod N


References

D. Boneh. “Twenty Years of Attacks on the RSACryptosystem.” Notices of the American MathematicalSociety, 46(2):203–213, 1999.

M. Wiener. “Cryptanalysis of short RSA secret exponents.”IEEE Transactions on Information Theory, 36:553 558, 1990

Ron Rivest and Robert Silverman. “Are ‘Strong’ PrimesNeeded for RSA?”, Cryptology ePrint Archive: Report2001/007

Rivest, R.; A. Shamir; L. Adleman. “A Method for ObtainingDigital Signatures and Public-Key Cryptosystems”.Communications of the ACM 21 (2): pp.120-126.

Download - Security Attacks on RSA

Top Related