Attacks on RSA. Safe Modes
Cristina Onete, [email protected]
Rennes, 02/10/2014
TRANSCRIPT
From the previous lecture…
Keys: $p, q$, $n := pq$; $\varphi(n), n, e, d$
B: $n, e$
Secret $m$: $c = m^e \pmod n$, $m = c^d \pmod n$
Cristina Onete || 25/09/2014 || 2
Textbook RSA (V)
Security:
• Is encryption secure? $c = m^e \pmod n$
• Can we recover the secret key? Key recovery is as hard as factorizing
• Can we recover in any other way?
Values are long-term
Each maps to unique: deterministic
Textbook RSA (VI)
Security:
• Plaintext recovery: can’t find from
• IND-CPA/IND-CCA: can’t say anything about
Encryption is deterministic: can always distinguish $m$ from $m'$
Not guaranteed if there are few possible messages: try out all alternatives and find the plaintext
OK if chosen at random from a large set
• Not very secure; but we can improve it
Textbook RSA ++
Improving Textbook RSA: secret → pre-processing → RSA encryption
Security will depend on the pre-processing step
PKCS and Bleichenbacher
Preprocessing with PKCS1, mode 2
• Pad with a random number (make it probabilistic)
1024-bit block: 00 | 02 | random pad | FF | message
• Bleichenbacher ’98: use the regularity of the ciphertexts (they must start with “00|02”) to recover the plaintext!
PKCS and Bleichenbacher (II)
Core idea: the receiver decrypts the ciphertext and checks: does $m$ start with “00|02”? If yes: continue. If not: ERROR!
Attacker starts with a ciphertext
• Re-randomize it
• Is it PKCS? Repeat until you know $rM$ starts with 00|02
• Move to the next part of the message
Contents
Pre-processing
• How OAEP works
• Improvements on OAEP
• Hash Functions; Random Oracles (brief)
Attacks on factoring – generic
• Pollard’s
• Pollard-
Unsafe modes for RSA
• Small sk: Wiener’s attack
• Small pk and related ciphertexts
Some physical attacks
The OAEP Function
A new pre-processing function: OAEP
• OAEP = Optimal Asymmetric Encryption Padding
• By Bellare & Rogaway, 1994; in RFC 2437
[Figure: $m$, pad, $r$ (bits, bits, bits) fed through $G$ and $H$ to produce $X$, $Y$]
$K$ = size of $n = pq$
= parameters (to be set); $G, H$ = hash functions; $\oplus$ = bit XOR
The OAEP Function
In detail: OAEP
Hash functions
• A box with input of any size and output of fixed size. In this case: input is bits, output is bits
• Collision-resistance: can’t find with
• Random oracles: always output a new string; outputs consistently (the same input always gives the same output)
The OAEP Function
In detail: OAEP. How it works:
• $r$: random, bits
• $I_0 = G(r)$ (bits)
• $X = (m \| pad) \oplus I_0$
• $I_1 = H(X)$ (bits)
• $Y = r \oplus I_1$
RSA-OAEP Decryption
The functions are random oracles: hard to invert. How do we decrypt? Go in reverse: receive $X$, $Y$
Decrypt: $H(X) = I_1$ and $r \oplus I_1 = Y$, so $r \oplus H(X) = Y$, i.e. $r = H(X) \oplus Y$
Recover: $G(r) = I_0$ and $(m \| pad) \oplus I_0 = X$, so $(m \| pad) \oplus G(r) = X$, i.e. $m \| pad = G(r) \oplus X$
Retrieve:
Check: pad has the right format
The OAEP Function
In detail: OAEP
• Functions are random oracles: that is, they give random output. In practice: use SHA-1
• Randomness chosen freshly every time
• How about the padding?
• Original OAEP: ([BR94])
• OAEP+: with W a random oracle ([S01])
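The OAEP encode and decode steps of the preceding slides on byte strings, as an added example (not code from the lecture): $X = (m \| pad) \oplus G(r)$, $Y = r \oplus H(X)$, then the reverse order with the pad check. The sizes $K, K_0, K_1$ and the construction of $G$ and $H$ from SHA-1 in counter mode are assumptions.

```python
import hashlib
import os

# Added example, not the lecture's code. Assumed parameters (bytes): K = size
# of n, K0 = size of r, K1 = size of the all-zero pad, so |m| = K - K0 - K1.
K, K0, K1 = 64, 20, 16

def oracle(label, seed, out_len):
    # G and H stand in for random oracles: SHA-1 (as the slides suggest)
    # over the seed and a counter, truncated to the wanted length (assumption).
    out, ctr = b"", 0
    while len(out) < out_len:
        out += hashlib.sha1(label + seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:out_len]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m, r=None):
    if len(m) != K - K0 - K1:
        raise ValueError("message must be exactly K - K0 - K1 bytes")
    r = os.urandom(K0) if r is None else r   # fresh randomness every time
    i0 = oracle(b"G", r, K - K0)             # I0 = G(r)
    x = xor(m + b"\x00" * K1, i0)            # X = (m || pad) xor I0
    i1 = oracle(b"H", x, K0)                 # I1 = H(X)
    y = xor(r, i1)                           # Y = r xor I1
    return x + y                             # X || Y is what RSA then encrypts

def oaep_decode(xy):
    x, y = xy[:K - K0], xy[K - K0:]
    r = xor(y, oracle(b"H", x, K0))          # r = H(X) xor Y
    m_pad = xor(x, oracle(b"G", r, K - K0))  # m || pad = G(r) xor X
    m, pad = m_pad[:K - K0 - K1], m_pad[K - K0 - K1:]
    if pad != b"\x00" * K1:                  # check: pad has the right format
        raise ValueError("invalid OAEP padding")
    return m

def decode_is_valid(xy):
    try:
        oaep_decode(xy)
        return True
    except ValueError:
        return False

def encodings_differ(m):
    # The same message encoded twice gives different X || Y: the scheme is
    # probabilistic, which removes the distinguisher against textbook RSA.
    return oaep_encode(m) != oaep_encode(m)
```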
Improving OAEP: SAEP
[Figure: $m$, $W(m, r)$, $r$ (bits, bits, bits) fed through $H$ to produce $X$, $Y$]
• No need for function
• Function is a random oracle. Input size: bits. Output size: bits
Attacks on RSA
For the remainder of this lecture: We =
1st goal:
• Given something of the form , find
Strategies:
• Generic: factor . Given , it is easy to recover
• Specific: retrieve the plaintext without factoring
Small
Easy case: we are given and
• If are prime, then
• Given and
Calculate: . This gives:
Also:
So:
and: $\mp\sqrt{(n - \varphi(n) + 1)^2 - 4n}$
Factorization: and
Small
Hard case: we are given only . Try to guess . Use: . Then:
Algorithm SmallDiff: Input . Complexity parameter . Write . Let .
Note: are odd. Thus and are even
IF is a square (it is equal to for a positive integer )
THEN: if and are prime, output and
ELSE:
While DO
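Both cases of the small $p - q$ slides as an added example (not the lecture's code): recovering $p, q$ from $\varphi(n)$ through the quadratic in $p + q$ and $pq$, and the SmallDiff search for $n = a^2 - b^2$; a key-generation check that rejects such a modulus is included. The moduli in the test are constructed.

```python
from math import isqrt

# Added example, not the lecture's code.

def factor_from_phi(n, phi):
    # Easy case: p + q = n - phi(n) + 1 and pq = n, so p and q are the roots
    # of t^2 - (n - phi + 1) t + n = 0.
    s = n - phi + 1
    disc = s * s - 4 * n
    root = isqrt(disc) if disc >= 0 else -1
    if root * root != disc:
        raise ValueError("phi is not the totient of n")
    return (s - root) // 2, (s + root) // 2

def small_diff(n, steps):
    # Hard case (SmallDiff): p and q are odd, so a = (p + q) / 2 and
    # b = (q - p) / 2 are integers with n = a^2 - b^2 = (a - b)(a + b).
    # Start at a = ceil(sqrt(n)) and try `steps` successive values of a.
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:            # a^2 - n is a square: factorization found
            return a - b, a + b
        a += 1
    return None                    # no close factor pair within `steps`

def modulus_is_weak(n, steps=1000):
    # Defender's key-generation check: reject an n whose primes are so close
    # that the SmallDiff search finds them within a few steps.
    return small_diff(n, steps) is not None
```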
Small or : Pollard’s
Attack on factoring – bad $(p-1)$
• Vulnerability: with one small prime
• Pollard’s $(p-1)$ factors in steps if the smallest factor
If is small, then this method is fast
• Idea: if is prime, then is not
Since all are odd, is even
We are hoping has only small factors and we will try to retrieve them all
Obviously will have 2 as a factor
All in the same set
Small or : Pollard’s
Attack on factoring – bad $(p-1)$
• Vulnerability: with one small prime
• Supposition:
• How large can be for each ?
Well, for any , so
• Start with a definite upper bound:
As , any divides . So divides
$1 \le a < p:\ a^{p-1} = 1 \pmod p$. So
Small or : Pollard’s
Attack on factoring – bad $(p-1)$
• Vulnerability: with one small prime
As , any divides . So divides
$1 \le a < p:\ a^{p-1} = 1 \pmod p$. So $p$ divides $a^R - 1$
Pick random . Check that
• If : then . Hooray!
• If and : with high probability
Then . Else, pick a new $a$
Exercise time!
Write pseudocode for Pollard’s
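One answer to the exercise, as an added example (not the lecture's code): Pollard's $(p-1)$ with a smoothness bound as the complexity parameter, $R$ the product of the prime powers up to that bound, and $\gcd(a^R - 1, n)$ as the test. The modulus in the test is constructed so that $p - 1$ is smooth and $q - 1$ is not.

```python
from math import gcd

# Added example, not the lecture's code: Pollard's p-1 with the smoothness
# bound B as the complexity parameter. R is the product of all prime powers
# <= B, so if p - 1 has only factors <= B then (p - 1) | R and, by
# a^(p-1) = 1 (mod p), p divides a^R - 1.

def primes_up_to(b):
    sieve = bytearray([1]) * (b + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(b ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]

def pollard_p_minus_1(n, bound, a=2):
    if gcd(a, n) != 1:             # an a sharing a factor with n: done already
        return gcd(a, n)
    x = a
    for q in primes_up_to(bound):  # x = a^R mod n, one prime power at a time
        qk = q
        while qk * q <= bound:
            qk *= q
        x = pow(x, qk, n)
    d = gcd(x - 1, n)
    if 1 < d < n:
        return d                   # p found: n = d * (n // d). Hooray!
    return None                    # d == 1: raise the bound; d == n: new a
```

A key whose $p - 1$ has a large prime factor is not reached by any practical bound, which is the property key generation should ensure.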
So far
Small
• Given and : calculate . Take:
Factorization: and
• Given : verify values of for integer
For each check if is an integer
If so, and if are prime, then output
Else, next and repeat the procedure
So far
Small
Pick random . Check that
• If : then . Hooray!
• If and : with high probability
Then
Else, pick a new $a$ and repeat
Pollard’s
General factorization attack (are we lucky?)
• Strategy: find specific small such that . Most likely then,
• Imagine we could calculate . Say we had:
• Suppose we find such that , then:
$a_u - a_v = 0 \pmod p$, so $p$ divides $a_u - a_v$
Then with high probability
• But we don’t know . We do this .
Pollard’s
• Strategy: we compute:
• Choice: speed vs. storage
• Find such that . With high probability
• Storage: method as above. Need to store all
• Speed: Floyd’s cycle-finding algorithm: and . Mod $n$: . Only checking pairs at a time
Floyd’s Cycle-Finding Alg.
[Figure] Source: http://home.online.no/~vlaenen/
Exercise time!
Put the method (with Floyd’s cycle-finding algorithm) in pseudocode/algorithm form!
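An answer to the exercise, as an added example (not the lecture's code): Pollard's rho on $x_{i+1} = x_i^2 + c \pmod n$, first with the storage method (compare each new value with all earlier ones) and then with Floyd's cycle finding (compare $x_i$ with $x_{2i}$ only). The modulus $10403 = 101 \cdot 103$ used in the test is constructed.

```python
from math import gcd

# Added example, not the lecture's code: Pollard's rho on the sequence
# x_{i+1} = x_i^2 + c (mod n), with storage (every new value is compared with
# all earlier ones) and with Floyd's cycle finding (x_i against x_{2i} only,
# constant storage). A collision mod p shows up as gcd(x_u - x_v, n) > 1.

def rho_with_storage(n, c=1, x0=2, limit=10_000):
    seen = []
    x = x0
    for _ in range(limit):
        x = (x * x + c) % n
        for y in seen:                 # u < v with x_u = x_v (mod p)
            d = gcd(abs(x - y), n)     # then p | x_v - x_u
            if 1 < d < n:
                return d
        seen.append(x)
    return None

def rho_floyd(n, c=1, x0=2, limit=10_000):
    f = lambda v: (v * v + c) % n
    tortoise = hare = x0
    for _ in range(limit):
        tortoise = f(tortoise)         # x_i
        hare = f(f(hare))              # x_{2i}
        d = gcd(abs(tortoise - hare), n)
        if d == n:
            return None                # collision mod p and q at once: new c
        if d > 1:
            return d
    return None

def factor_pair(n):
    # For n = pq a single factor from rho splits n completely.
    d = rho_floyd(n)
    return None if d is None else tuple(sorted((d, n // d)))
```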
Unsafe Modes for RSA
Small public key
• More receivers with the same small (different )
• The same plaintext is sent to users
[Figure: the same $m^e$ is sent reduced modulo each receiver's modulus ($m^e \pmod{N_1}$, $m^e \pmod{N_2}$, …); the attacker ends up with $m$]
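The broadcast case above carried through for three receivers with $e = 3$, as an added example (not the lecture's code): the Chinese remainder theorem combines the three ciphertexts into the integer $m^3$, and an exact cube root returns $m$ without any private key. The moduli and message in the test are constructed; the attack needs $m^3$ below the product of the moduli, which is why an unpadded short $m$ is exposed.

```python
# Added example, not the lecture's code: the same plaintext m sent to three
# receivers with e = 3 and pairwise coprime moduli N1, N2, N3. The Chinese
# remainder theorem combines the three ciphertexts into m^3 as an integer
# (m^3 < N1 N2 N3 since m < every N_i), and an exact cube root gives m.

def crt(residues, moduli):
    # x = r_i (mod N_i) for every i, with 0 <= x < prod N_i
    prod = 1
    for n_i in moduli:
        prod *= n_i
    total = 0
    for r_i, n_i in zip(residues, moduli):
        m_i = prod // n_i
        total += r_i * m_i * pow(m_i, -1, n_i)   # modular inverse (Python 3.8+)
    return total % prod

def icbrt(x):
    # exact integer cube root by binary search; None when x is not a cube
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None

def hastad_broadcast(ciphertexts, moduli):
    # c_i = m^3 mod N_i from each receiver; m comes back without a private key
    return icbrt(crt(ciphertexts, moduli))

def same_message_exposed(m, moduli, e=3):
    # Defender's view: the attack applies exactly when m^e is below the
    # product of the moduli, which holds for any short unpadded m.
    prod = 1
    for n_i in moduli:
        prod *= n_i
    return m ** e < prod
```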
Unsafe Modes for RSA
Small public key
• One receiver with small (different )
• Two related plaintexts: and
• If knows the relationship between the messages, she can use polynomial multiplication to find
Recommended
• $e$ =
• This leads to fast encryption
More Unsafe Modes
Small secret key
• Better for decryption: makes it more efficient
$ed = 1 \pmod{\varphi(N)}$ → $ed = 1 \pmod{\mathrm{LCM}(p-1, q-1)}$
Math “magic”
• Use: least common multiple LCM
$\mathrm{LCM}(p-1, q-1) = \frac{(p-1)(q-1)}{\mathrm{GCD}(p-1, q-1)}$, writing $G$ for $\mathrm{GCD}(p-1, q-1)$
$ed = 1 + \frac{K}{G}(pq - p - q + 1)$ → divide by $dpq$:
$\frac{e}{pq} = \frac{1}{dpq} + \frac{K}{dG} - \frac{K}{dGq} - \frac{K}{dGp} + \frac{K}{dGpq}$
$\frac{e}{pq} - \frac{1}{dpq} + \frac{K}{dG}\left(\frac{1}{q} + \frac{1}{p} - \frac{1}{pq}\right) = \frac{K}{dG}$
More Unsafe Modes
Small secret key
• If is small, then .
$\frac{K}{dG} = \frac{e}{pq} - \frac{1}{dpq} + \frac{K}{dG}\left(\frac{1}{q} + \frac{1}{p} - \frac{1}{pq}\right)$
• If is small, then (tend to 0): $\cong \frac{e}{n}$, $\cong 1$
$\left|\frac{K}{dG} - \frac{e}{pq}\right| = \left|\frac{K}{dG}\left(\frac{1}{q} + \frac{1}{p} - \frac{1}{pq}\right) - \frac{1}{dpq}\right| \le \frac{1}{\sqrt{pq}} < \frac{1}{2(dG)^2}$
• This means that converges towards
• Continued fractions and some trial and error give $d$
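The continued-fraction step of the two slides above, as an added example (not the lecture's code), written with $\varphi(N)$ directly, so $ed = 1 + k\,\varphi(N)$ with $k$ in the role of $K/G$: each convergent $k/d$ of $e/n$ is tried, and a candidate is accepted when the resulting $\varphi$ gives integer $p, q$ as on the small $p - q$ slides. The key in the test is constructed with a deliberately small $d$.

```python
from math import isqrt

# Added example, not the lecture's code. Wiener's attack written with phi(N):
# e d = 1 + k phi(N), where k plays the role of K/G on the slides. Every
# convergent k/d of the continued fraction of e/n is tried: a candidate
# phi = (e d - 1)/k is accepted when, as on the small p - q slides, it yields
# integer p, q with p + q = n - phi + 1 and pq = n.

def continued_fraction(num, den):
    cf = []
    while den:
        a = num // den
        cf.append(a)
        num, den = den, num - a * den
    return cf

def convergents(cf):
    # successive fractions h_i / k_i of the expansion, via the usual recurrence
    h0, h1, k0, k1 = 0, 1, 1, 0
    for a in cf:
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1

def wiener(e, n):
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                       # p + q
        disc = s * s - 4 * n                  # (p - q)^2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0:
            return d                          # trial succeeded: d recovered
    return None

def private_exponent_is_weak(e, n):
    # Defender's key-generation check: reject (e, n) when d falls out of
    # the convergents, i.e. when d is small enough for Wiener's bound.
    return wiener(e, n) is not None
```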
Physical Attacks
Implementation: Square and Multiply
$m = c^d \pmod n$
• Standard way to do exponentiation
• Write in binary []. Set . For DO:
• If then set (Square AND Multiply)
• Else, set (Square)
• Example:
i: 7 6 5 4 3 2 1 0
m:
Physical Attacks
Implementation: Square and Multiply
$m = c^d \pmod n$
• Time the operation and write out the order of operations
Timing attack: a multiply takes longer than a square
M, Sq, Sq, M, Sq, Sq, M, Sq, M, Sq, Sq, M
• Retrieve the key by inverse Square and Multiply
Power attack: a multiply burns more power than a square
• Retrieve for smartcards
Source: http://www.dbs.com.hk/
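Square and Multiply with the operation sequence it performs, the inverse procedure that reads $d$ back from that sequence (the slide's trace decodes to an 8-bit exponent), and a Montgomery ladder whose sequence is the same for every $d$, as an added example (not the lecture's code). The ladder as mitigation is an assumption of this example, not something the slides propose.

```python
# Added example, not the lecture's code: left-to-right square-and-multiply
# with the sequence of operations it performs, the inverse procedure that
# reads d back from that sequence (what a timing or power trace leaks), and
# a Montgomery ladder whose sequence does not depend on d (assumed mitigation).

def square_and_multiply(c, d, n):
    bits = bin(d)[2:]
    m, trace = c, ["M"]            # leading bit of d is 1: start from c
    for bit in bits[1:]:
        m = m * m % n              # always square
        trace.append("Sq")
        if bit == "1":             # square AND multiply when the bit is 1
            m = m * c % n
            trace.append("M")
    return m, trace

def key_from_trace(trace):
    # Inverse square-and-multiply: each Sq opens a new bit (0); an M following
    # it sets that bit to 1; the very first M is the leading 1.
    bits = []
    for op in trace:
        if op == "Sq":
            bits.append("0")
        elif bits:
            bits[-1] = "1"
        else:
            bits.append("1")
    return int("".join(bits), 2)

def montgomery_ladder(c, d, n):
    # One square and one multiply per bit whatever its value, so the
    # operation sequence (and its timing/power profile) is the same for all d.
    r0, r1 = 1, c                  # invariant: r1 == r0 * c (mod n)
    trace = []
    for bit in bin(d)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r0, r1 = r0 * r0 % n, r0 * r1 % n
        trace += ["Sq", "M"]
    return r0, trace

# The trace from the slide, as a list of operations
SLIDE_TRACE = "M, Sq, Sq, M, Sq, Sq, M, Sq, M, Sq, Sq, M".split(", ")
```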
CIDRE
Thanks!