Download - Security Attacks on RSA
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Security Attacks on RSAA Computational Number Theoretic Approach
Pratik Poddar
Department of Computer Science and EngineeringIIT Bombay
April 10, 2009
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Contents
1 IntroductionIntroduction to RSA CryptosystemIntroduction to RSA SignaturesBasic Ideas of RSA
2 Factoring AttacksSome Factoring AlgorithmsBreaking RSA v/s FactoringExposing d v/s FactoringGuessing φ(N) v/s FactoringAre Strong Primes Needed?Conclusion
3 Elementary AttacksDictionary AttackCommon Modulus AttackBlinding Attack
4 Low Private Exponent AttackTheory of Continued FractionsWiener’s AttackAvoiding Wiener’s Attack
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
RSA
Adi Shamir, Ron Rivest, Len Adleman in 1977
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
The Math behind RSA
p and q are two distinct large prime numbers
N = pq and φ(N) = (p − 1)(q − 1)
Choose a large random number d > 1 such thatgcd(d , φ(N)) = 1 and compute the number e, 1 < e < φ(N)satisfying the congruence
ed ≡ 1 mod φ(N)
The numbers N, e, d are referred to as the modulus,encryption exponent and decryption exponent respectively.
The public key is the pair (N, e) and the secret trapdoor is d .
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Introduction to RSA Cryptosystem
Simplified Model of RSA Cryptosystem
Why it it simplified?Difference between RSA cryptosystem and RSA function
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Introduction to RSA Signatures
Simplified Model of RSA Signatures
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Basic Ideas of RSA
Based on the idea that . . . Factorization is difficult
But . . .
There is no formal proof that
1 Factorization is difficult
2 Factorization is needed for cryptanalysis of RSA
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Contents
1 IntroductionIntroduction to RSA CryptosystemIntroduction to RSA SignaturesBasic Ideas of RSA
2 Factoring AttacksSome Factoring AlgorithmsBreaking RSA v/s FactoringExposing d v/s FactoringGuessing φ(N) v/s FactoringAre Strong Primes Needed?Conclusion
3 Elementary AttacksDictionary AttackCommon Modulus AttackBlinding Attack
4 Low Private Exponent AttackTheory of Continued FractionsWiener’s AttackAvoiding Wiener’s Attack
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 1: Fermat’s Factorization Method
First improvement over the√
n trial-division method
Every odd composite number can be represented as a difference of twosquares
n = cd
n =
»c + d
2
–2
−»c − d
2
–2
Start from k =√
n, go on incrementing k till k2 − n is a perfect square
Might be worse than trial division . . .
Effect on RSA . . . Special case p − q ≤ 4n14
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 2: Euler’s Factorization Method
Based upon representing a positive integer n as the sum of two squares intwo different ways
n = a2 + b2 = c2 + d2
If n can be represented as a sum of two squares in two different ways, itcan be factorized!!
(a− c)(a + c) = (d − b)(d + b)
Let k be the gcd of a− c and d − b, so that a− c = kl and d − b = km.
l(a + c) = m(d + b) and a + c = mr and d + b = lr (Why?)
n =h`
k2
´2+`
r2
´2i · (m2 + l2) (Are k and r always even?)
Start from k =p
n2
, go on decrementing k till n − k2 is a perfect square
Historically important!! Flaws!!
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 3: Pollard’s p − 1 Method
Basic idea
Effect on RSA
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 3: Pollard’s p − 1 Method
Pollard’s p − 1 algorithm
Require: A composite integer NEnsure: A non-trivial factor of N or failure
B ⇐ Chosen Smoothness Bounda⇐ Random number coprime to Nfor q = 1 to B do
if q is prime then
e ←—
log Nlog q
�a← aqe
mod Nend if
end for
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 3: Pollard’s p − 1 Method
Pollard’s p − 1 algorithm
g ← gcd (a− 1,N)if 1 < g < N then
return gelse if g = 1 then
Select a higher B and go to step 2 or return failureelse
Go to step 2 or return failureend if
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 3: Pollard’s p − 1 Method
Example... Factorize 5917
Say B = 5, we make α = 2133856
So, β = 2α − 1
gcd(β, 5917) = 61 !!
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 4: Pollard’s ρ Method
Ideas:
Birthday Paradox
Floyd’s cycle finding algorithm
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 4: Pollard’s ρ Method
Pollard’s ρ algorithm
Require: n, the integer to be factored; x1, such that 0 ≤ x1 ≤ n; and f (x), apseudo-random function modulo n.
Ensure: A non-trivial factor of n or failure
i ⇐ 1; y ⇐ x1; k ⇐ 2loop
i ⇐ i + 1xi ⇐ (x2
i−1 − 1) mod n
d ⇐ gcd(y − xi , n)if d 6= 1 and d 6= n then
return dend ifif i = k then
y ⇐ xi
k ⇐ 2kend if
end loop
Example... Factorize 1387
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 4: Pollard’s ρ Method .. Example
Example... Factorize 1387
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 4: Pollard’s ρ Method .. Example
Example... Factorize 1387 Take x1 = 2 andf (x) = x2 − 1 mod 1387i xi gcd(xi − y , 1387) y
1 2 - 22 3 gcd(3− 2, 1387) = 1 33 8 gcd(8− 3, 1387) = 14 63 gcd(63− 3, 1387) = 1 635 1194 gcd(1194− 63, 1387) = 16 1186 gcd(1186− 83, 1387) = 17 177 gcd(177− 63, 1387) = 198 814 gcd(814− 63, 1387) 8149 996 gcd(996− 814, 1387)
Complexity??
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Breaking RSA v/s Factoring
Breaking RSA ≤ Factoring (Obvious!)
Open Problem: Factoring ≤ Breaking RSA??
Expectation: No!!! Factoring is expected to be strictly > Breaking RSA
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring
Theorem
Exposing the private key d and factoring N are equivalent
Proof
Determining d ≤ Factoring N (Why??)
Determining d ≥ Factoring N (Non-obvious algorithm)
We will now present a randomized algorithm by which knowing d ,factors of N can be easily determined.
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Miller Rabin Test
Randomized primality testing algorithm
Miller version · · · Rabin version
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Miller Rabin Test
Require: n > 2, an odd integer to be tested for primalityEnsure: Composite if n is composite, otherwise probably Prime
Write n − 1 as 2sd with d odda⇐ Random number between 1 and n − 1x0 ⇐ ad mod nif x = 1 OR x = n − 1 then
return Probably Primeend if
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Miller Rabin Test
for i = 1 to s − 1 doxi ⇐ x2
i−1 mod nif xi = 1 and xi−1 6= 1 and xi−1 6= n − 1 then
return Compositeend if
end forif xt 6= 1 then
return Compositeelse
return Probably Primeend if
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Miller Rabin Error Rate Analysis
If n is a composite number, then the number of witnesses to thecompositeness of n is at least n−1
2 .
Proof
Prove that number of non-witnesses is at most n−12
Creating a subgroup B, which is a subgroup of Z∗n , which contains all thenon-witnesses
Show the existence of an element in Z∗n − B,
Order of B ≤ n−12
. Number of non-witnesses ≤ n−12
We break the proof into two cases.
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Case 1: There exists an x ∈ Z∗n such that xn−1 6≡ 1 mod n
Let B = {b ∈ Z∗n : bn−1 ≡ 1 (mod n)}Since there exists an element x for which xn−1 6≡ 1 mod n, Z∗n − B isnon-empty
Number of non-witnesses ≤ n−12
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Case 2: For all x ∈ Z∗n, xn−1 ≡ 1 mod n
Represent n as n1n2 where n1 and n2 are relatively primeNote that n − 1 = 2su and for input a, we can compute the following sequence
modulo n: au , a2u , a22u , a23u , a24u · · · a2su
Let us call a pair of integers (v , j) acceptable if v ∈ Z∗n , j = 0, 1, 2, · · · , s and
v2ju ≡ −1 (mod n)
Set of acceptable pairs contains (n − 1, 0). So, the set is non-empty.Pick the largest possible j for which there exists an v such that (v , j) is an acceptablepair. We will use this j in the proof.
B = {x ∈ Z∗n : x2ju ≡ ±1 (mod n)}
Clearly, B is a subgroup of Z∗n . Also note that the sequence produced by anon-witness must be either all 1’s or contain −1 no later than the jth position (due tomaximality of j). So, every non-witness belongs to B.
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Case 2: For all x ∈ Z∗n, xn−1 ≡ 1 mod n
To complete the proof, we have to prove that Z∗n − B is non-empty. Note that thereexists a w such that
w ≡ v (mod n1) and w ≡ 1 (mod n2)
where v is an element in B such that v2ju ≡ −1 (mod n). So,
w2ju ≡ −1 (mod n1) and w2ju ≡ 1 (mod n2)
This implies w2ju 6≡ −1 (mod n) and w2ju 6≡ 1 (mod n). So, w /∈ B.All we need to prove is that w ∈ Z∗n . Since v ∈ Z∗n , gcd(v , n) = 1, which impliesgcd(v , n1) = 1. Since gcd(w , n1) = gcd(v , n1), gcd(w , n1) = 1. By construction of w ,gcd(w , n2) = 1. So, gcd(w , n1n2) = gcd(w , n) = 1.
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . The Randomized Algorithm
The Algorithm. . . knowing d , factors of N can be easily determined
Let k = ed − 1
If g is chosen at random from Z∗n, the with probability at least12 , one of the elements in the sequence
gk/2, gk/4, gk/8, ..., gk/2tmod N is a witness for the
compositeness of N
A witness of compositeness of Miller Rabin test reveals afactor of N as square roots of 1 mod N (other than 1 and -1)would be x and −x where x ≡ 1 mod p and x ≡ −1 mod q
gcd(x − 1,N) would get the factor of N
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Guessing φ(N) v/s Factoring
Guessing φ(N) and factoring N are equivalent
Guessing φ(N) ≥ Factoring (Obvious!)
Factoring ≥ Guessing φ(N) (Why??)
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Strong Primes
What are strong primes?
A prime p is considered to be a “strong prime” if it satifies the followingconditions:
p is a large prime (say |p| ≥ 256)
The largest prime factor of p − 1, say p−, is large (say |p−| ≥ 100)
The largest prime factor of p− − 1, say p−−, is large (say |p−−| ≥ 100)
The largest prime factor of p + 1, say p+, is large (say |p+| ≥ 100)
A prime is
p−-strong if p− is large
p−−-strong if p−− is large
p+-strong if p+ is large
(p−, p+)-strong if both p− and p+ are large
strong if all p−, p−− and p+ are large
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Are Strong Primes Needed?
Believed that p and q in RSA have to be strong
Original RSA paper, Cycling Attack, X .509 Standard
Rivest and Silverman proved that use of strong primes is unnecessary
PKCS#1 v2.1 does not recommend strong primes
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Conclusion
We discussed about the factoring algorithms present at thetime of RSA publication
How those factorization algorithms affected RSA paper
We discussed various other ways to attempt RSA breakingand compared them to factoring
The myth of RSA needing strong primes
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Contents
1 IntroductionIntroduction to RSA CryptosystemIntroduction to RSA SignaturesBasic Ideas of RSA
2 Factoring AttacksSome Factoring AlgorithmsBreaking RSA v/s FactoringExposing d v/s FactoringGuessing φ(N) v/s FactoringAre Strong Primes Needed?Conclusion
3 Elementary AttacksDictionary AttackCommon Modulus AttackBlinding Attack
4 Low Private Exponent AttackTheory of Continued FractionsWiener’s AttackAvoiding Wiener’s Attack
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Elementary Attack 1: Dictionary Attack
One-to-one mapping between ciphertext and plaintext : vulnerable toDictionary Attack
Security measure: Random Padding (PKCS#1 v1.5)
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Elementary Attack 2: Common Modulus Attack
RSA modulus should not be used by more than one entity
Alice recieves the ciphertext C = Mea mod N
Mallory does not have da, but using eb and db, Mallory can factor N
da can be calculated and Mallory can decrypt the message intended forAlice
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Elementary Attack 3: Blinding Attack
Attack specific to RSA signatures
Suppose attacker A wants to get a document M signed by B
A needs Md mod N · · · A sends r eM mod N for B to sign
Signing the sent message gives
r edMd mod N = rMd mod N
Security measure: Random Padding, Signing Hash
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Contents
1 IntroductionIntroduction to RSA CryptosystemIntroduction to RSA SignaturesBasic Ideas of RSA
2 Factoring AttacksSome Factoring AlgorithmsBreaking RSA v/s FactoringExposing d v/s FactoringGuessing φ(N) v/s FactoringAre Strong Primes Needed?Conclusion
3 Elementary AttacksDictionary AttackCommon Modulus AttackBlinding Attack
4 Low Private Exponent AttackTheory of Continued FractionsWiener’s AttackAvoiding Wiener’s Attack
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Low Private Exponent Attack
Wiener’s Attack
Let N = pq with p and q approximately of the same size, i.e.q < p < 2q. Let d < 1
3N1/4. Given (N, e) with ed ≡ 1 mod φ(N),the attacker can easily recover d .
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions
Definition
The function of n + 1 variables
a0 +1
a1 +1
a2 +1
a3 + · · · 1
an
or[a0, a1, a2, a3 · · · , an]
is defined as a continued fraction. We consider only simple andpositive continued fractions, i.e. all a′i s are integral and positive.[a0, a1, a2, a3 · · · , ai ], 0 ≤ i ≤ n are said to be the convergents of[a0, a1, a2, a3 · · · , an].
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Theorem 1
The continued fraction
[a0, a1, a2, · · · , an] = [a0, a1, · · · , am−1, [am, · · · an]]
Theorem 2
The continued fraction
[a0, a1, a2, · · · , am−1, am] =pm
qm=
ampm−1 + pm−2
amqm−1 + qm−2
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Theorem 3
Continued Fraction Algorithm: Any rational number x can be represented as asimple finite continued fraction.
Proof
x =h0
k0
Comparing x with [a0, a1, a2, · · · , aN , aN+1],
x = a0 + ξ0 where ξ0 < 1 i .e. h0 = a0k0 + ξ0k0
If ξ0 6= 01
ξ0=
k0
h0 − a0k0
Let k1 = h0 − a0k0, (since, k1 = ξ0k0, we have k1 < k0)
k0
k1= a1 + ξ1 and k0 = a1k1 + ξ1k1
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Proof Contd · · ·Doing this repeatedly gives a system of equations
h0 = a0k0 + k1 , k0 = a1k1 + k2
h1 = a1k1 + k2 , k1 = a2k2 + k3
· · ·as long as kN+1 6= 0.
Equations same as when executing Euclid’s extended algorithm to compute gcdof h0 and k0.
So, Continued fraction algorithm terminates and the number of convergents forx is Θ(min(log h0, log k0)).
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Theorem 4
If ˛̨̨̨p
q− x
˛̨̨̨≤ 1
2q2
thenp
qis a convergent of continued fraction expansion of x .
Proof
Assuming that the statement is true, then
p
q− x =
εθ
q2
where ε = ±1 and 0 < θ < 12. Let pn
qnand
pn−1
qn−1be the last and second last
convergents of continued fraction of pq
. Note that pnqn
= pq
. We can write, forsome ω,
x =ωpn + pn−1
ωqn + qn−1
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Proof Contd · · ·
θ =qn
ωqn + qn−1and ω =
1
θ− qn−1
qn
Note that since θ < 12, we have, ω > 1
Letp
q= [a0, a1, · · · am1]
Let ω = [b0, b1, b2 · · · bm2]
[a0, a1, a2 · · · am1, ω] = [a0, a1, a2 · · · am1, [b0, b1, b2 · · · bm2]]
=ωpm + pm−1
ωqm + qm−1= x
So, x = [a0, a1, a2 · · · am1, b0, b1, · · · bm2].So, by construction, we have proved that p
qis a convergent of continued
fraction expansion of x .
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Wiener’s Attack
Attack by Wiener, 1990
Let N = pq with p and q approximately of the same size, i.e. q < p < 2q. Letd < 1
3N1/4. Given (N, e) with ed ≡ 1 mod φ(N), the attacker can easily
recover d .
Proof
There exists k such that ed − kφ(N) = 1. We will first show that that kd
is an
approximation of eN
. Also note that N − φ(N) < 3√
N.˛̨̨̨e
N− k
d
˛̨̨̨=
˛̨̨̨1− k(N − φ(N))
Nd
˛̨̨̨˛̨̨̨e
N− k
d
˛̨̨̨≤ 3k
d√
N
Also, since kφ(N) = ed − 1 < ed and e < φ(N), we have k < d . In the casewhen d < 1
3N1/4, we obtain k < d < 1
3N1/4 and so˛̨̨̨
e
N− k
d
˛̨̨̨≤ 1
d 4√
N≤ 1
3d2<
1
2d2
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Wiener’s Attack
Proof Contd· · ·
kd
is a convergent of continued fraction expansion of eN
Number of fractions to be checked for kd
is bounded by Θ(log N)
One of the Θ(log N) convergents of continued fraction for eN
is kd
kd
is a reduced fraction
We have Θ(log N) available options for d
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Avoiding Wiener’s Attack
Method 1: Large e
Instead of using e < N, use e′ = e + tφ(N) for a large t
This would mean e′ > N
Large e′ would mean a large k which would counter Wiener’s attack
If e′ > N1.5, Wiener’s attack is not possible even for very small d
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Avoiding Wiener’s Attack
Method 2: Using CRT
Use CRT to reduce the decryption time (and signing time) even whileusing large d
Choose d such that dp = d mod (p−1) and dq = d mod (q−1) are small
For decryption, compute Mp = C dp mod p and Mq = C dq mod q
Then using CRT, compute M satisfyingM ∈ Zn
M = Mp mod p andM = Mq mod qNote that here M = C d mod N
Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
References
D. Boneh. “Twenty Years of Attacks on the RSACryptosystem.” Notices of the American MathematicalSociety, 46(2):203–213, 1999.
M. Wiener. “Cryptanalysis of short RSA secret exponents.”IEEE Transactions on Information Theory, 36:553 558, 1990
Ron Rivest and Robert Silverman. “Are ‘Strong’ PrimesNeeded for RSA?”, Cryptology ePrint Archive: Report2001/007
Rivest, R.; A. Shamir; L. Adleman. “A Method for ObtainingDigital Signatures and Public-Key Cryptosystems”.Communications of the ACM 21 (2): pp.120-126.