how to fake an rsa signature by encoding modular root finding as a sat problem

How to fake an RSA signature by encoding modular root finding as a SAT problem

By Claudia Fiorini, Enrico Martinelli, Fabio Massacci

Discrete Applied Mathematics 130 (2003) 101-127

Presented by Yunho KimProvable Software Lab, KAIST

Contents

How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 2/27

• Introduction

• Logical cryptanalysis of RSA

• Encoding modular exponentiation into SAT

• Experimental analysis

• Cryptography is the practice and study of hid-ing information

• Cryptography consists of two parts encryption and decryption– Encryption is the process of plaintext into unintelligible

text and decryption is the reverse.– The detailed operations of a cipher is controlled both by

the algorithm and, in each instance, by a key

• There are two types of cryptography– Symmetric-key cryptography– Asymmetric-key cryptography

IntroductionCryptography


From Wikipedia http://en.wikipedia.org/wiki/Cryptog-raphy

• Symmetric-key cryptography uses identical cryp-tographic keys for both decryption and encryption

IntroductionSymmetric-key


Encryptionalgorithm

Plaintext

Cipher-text

Secret key

Decryptionalgorithm

Ciphertext

Plaintext

Secret keyIdenti-

calkeys

• Asymmetric-key cryptography uses different cryptographic keys for decryption and encryption

IntroductionAsymmetric-key


Encryptionalgorithm

Plaintext

Cipher-text

Encryption key differ-

entkeys

Decryptionalgorithm

Ciphertext

Plaintext

Decryption key

• RSA is an algorithm for asymmetric cryptog-raphy developed by Ron Rivest, Adi Shamir and Leonard Adleman in 1977.

• RSA consists of a cipher algorithm for encryp-tion and decryption and a key generation algo-rithm

• The key generation algorithm generates public-key and private-key – The public-key should be distributed to others but the

private-key must be kept in secret

IntroductionRSA


• RSA key generation algorithm

The totient Á(n) of a positive integer n is defined to be the num-ber of positive integers less than or equal to n that are co-prime to n

• RSA cipher algorithms– Let m < n be a original message

IntroductionRSA key generation


1. Choose two distinct large random prime numbers p and q2. Compute n = pq3. Compute the totient: Á(n) = (p – 1)(q – 1) where n is a multiplica-

tion of two primes p and q4. Choose an integer e such that 1 < e < Á(n), and e and Á(n) are co-

prime5. Compute d to satisfy the congruence relation de ≡ 1 (mod Á(n));

i.e. de = 1 + k Á(n) for some integer k.6. <n, e> is the public key and <n, d> is the private key

Encryption c = md mod n

Decryption m = ce mod n

• RSA example

c = 1232753 mod 3233 = 2746 m = 274617 mod 3233 = 123

IntroductionRSA example


1. Choose two distinct large random prime numbers p and qp = 61 and q = 53

2. Compute n = pq n = 61 * 53 = 32333. Compute the totient: Á(n) = (p – 1)(q – 1) Á(n) = (61 – 1)(53 - 1) = 31204. Choose an integer e such that 1 < e < Á(n), and e and Á(n) are co-

prime e = 175. Compute d to satisfy the congruence relation de ≡ 1 (mod Á(n)); i.e. de = 1 + k Á(n) for some integer k. d = 2753, 17 * 2753 = 46801 = 1 + 15 * 31206. <3233, 17> is the public key and <3233, 2753> is the private key

Contents


• Introduction




Logical cryptanalysisoverview


Constraints

Known plaintext +

Known ciphertext +

Exposed variables

Logical analysis/Implication en-

gine

Theorem prover,Satisfiability

solver, ….

Plaintext P

Ciphertext CCircuit de-scription

Secret key K

Secret Key

From slides of Nachiketh Potlapallyhttp://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18

Logical cryptanalysisSAT-based analysis


Constraints

Ψ(P, C, K)

Set plaintext and ciphertext

values inΨ(P, C, K)

SATsolver

Time-out

Set val-ues

of ex-posed

variables in

Ψ (P, C, K)

(z+x+y) (z+x+y) (z+x+y) (z+x+y)(z+x) (z+y) (z+x+y)…

.(z+x) (z+y) (z+x+y) Ψ (P, C, K)

CNF formula ofcryptographic

algorithm,

Plaintext P Secret key K

Ciphertext C

CNF conversion

Constraints

From slides of Nachiketh Potlapallyhttp://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18 K =

110..1(consistent with the values set)

Logical cryptanalysislogical analysis of RSA


• For a symmetric cipher, the choice of the crypto-graphic transformation is almost obvious– It uses deterministic algorithms for encryption and de-

cryption– The unknown variable is only the key

• For RSA, we have three known values e, n and m and a number of equations to choose from – n = pq– c = md mod n– m = ce mod n

• What is a suitable equation for SAT-based analy-sis?



• The first possible choice n = pq– If we can factorize n into two primes, we can generate a

private key from p and q– However, the algorithm for integer factorization has sub-

exponential time and space complexity O(2(log N)1/3)– Also, factoring represented as a SAT problem is hard to

solve

• The second possible choice c = md mod n– Since we know only m, n, it has two unknown variables c

and d– For example, if we set <55, 3> as the public key and 9 as

message16 = 94 mod 55 but 9 163 mod 55 = 26



• The last possible choice m = ce mod n– For given e, n, m, we can find the ciphertext c encrypted

with some private key <n, d>without knowing it– We cannot decrypt the ciphertext encrypted with d but

we can generate the ciphertext encrypted with d

• Modular exponentiation is reduced to a sequence of modular multiplicationsm0 = 1,

mi+1 = (mi2 + ei∙c ) mod n

The desired value m is obtained at mb log e c + 1



• Example of a sequence of modular multiplications

Let e = 3 = 11(2), c = 4, n = 35 = 5 * 7m = ce mod n = 43 mod 35 = 64 mod 35 = 29m0 = 1m1 = (1 + 1∙4) mod 35 = 5m2 = (25 + 1∙4) mod 35 = 29

m0 = 1,mi+1 = (mi

2 + ei∙c ) mod nThe desired value m is obtained at mb log e c + 1

Logical cryptanalysisEncoding problem


• The last choice m = ce mod n– For given e, n, m, we can find the ciphertext c encrypted

with some private key <n, d>without knowing it– We cannot decrypt the ciphertext encrypted with d but

we can generate the ciphertext encrypted with d

• Modular exponentiation is reduced to a sequence of modular multiplications

Contents


• Introduction




Encoding


• The size of the problem would become huge even for small bits– If we use the best possible multipliers whose gate com-

plexity is O((log2 n)(log2 (log2 n))), the encoding of the RSA of 100bits would require over 100,000 formulae.

• For the simplicity, we choose the value e = 3– m = (((c∙c) mod n)∙c)mod n

• We need more efficient encoding of modular mul-tiplications

Encoding


• The basic intuition – Let x, y be two 2b bits integers

¼ = (x∙y) mod n = x∙y – k∙n where k = b (x∙y) /n c

• Division is a complex operation and it is simpler to compute an approximate value of k and then sub-tract the error.

Contents


• Introduction




Experiments


• Generating satisfiable instances1. Randomly generate a public key <n,e> and signature c2. Compute m = ce mod n3. Transform m, n, e into the corresponding boolean values4. Find a model for c using SAT solver

• Generating unsatisfiable instances1. Randomly generate a public key <n,e> and signature c where e vio-

lates RSA definitione divides either p - 1 or q - 1 if n = pq

2. Compute m = ce mod n3. Transform m, e, n into the corresponding boolean values4. Find a model for c using SAT solver

Experiments


• Three SAT-solver are used– HeerHugo is a stalmark algorithm based SAT solver– eqsatz is a variant of DPLL which includes equational

reasoning for XOR– smodels is an efficient DPLL implementation with stable

model semantics of logic programs

• Three machines are used– Alpha with 256MB memory– PII with 64MB memory– PIII with 512 memory– All machines run Linux

Experiments


Conclusion


• The authors show how to encode the problem of finding an RSA signature for a given message without factoring

• The experiments on SAT solvers show that SAT solvers are well behind number theoretic algo-rithms

Reference


• How to fake an RSA signature by encoding modular root find-ing as a SAT problemBy Claudia Fiorini, Enrico Martinelli, Fabio MassacciIn Discrete Applied Mathematics 130 (2003) 101-127

how to fake an rsa signature by encoding modular root finding as a sat problem

Documents

rsa signature

modular root

problemyunho kim

modular exponentiation

software analysis

boolean programs

yunho kimprovable software

asymmetric cryptography