# security attacks on rsa

Post on 18-May-2015

6.240 views

Embed Size (px)

DESCRIPTION

Security attacks on RSA CryptosystemTRANSCRIPT

- 1. Introduction Factoring AttacksElementary AttacksLow Private Exponent AttackSecurity Attacks on RSAA Computational Number Theoretic ApproachPratik PoddarDepartment of Computer Science and Engineering IIT Bombay April 10, 2009

2. IntroductionFactoring AttacksElementary Attacks Low Private Exponent AttackContents1 IntroductionIntroduction to RSA CryptosystemIntroduction to RSA SignaturesBasic Ideas of RSA2 Factoring AttacksSome Factoring AlgorithmsBreaking RSA v/s FactoringExposing d v/s FactoringGuessing (N) v/s FactoringAre Strong Primes Needed?Conclusion3 Elementary AttacksDictionary AttackCommon Modulus AttackBlinding Attack4 Low Private Exponent AttackTheory of Continued FractionsWieners AttackAvoiding Wieners Attack 3. IntroductionFactoring Attacks Elementary Attacks Low Private Exponent AttackRSAAdi Shamir, Ron Rivest, Len Adleman in 1977 4. IntroductionFactoring Attacks Elementary Attacks Low Private Exponent AttackThe Math behind RSA p and q are two distinct large prime numbers N = pq and (N) = (p 1)(q 1) Choose a large random number d > 1 such thatgcd(d, (N)) = 1 and compute the number e, 1 < e < (N)satisfying the congruenceed 1 mod (N) The numbers N, e, d are referred to as the modulus,encryption exponent and decryption exponent respectively.The public key is the pair (N, e) and the secret trapdoor is d. 5. IntroductionFactoring Attacks Elementary Attacks Low Private Exponent AttackIntroduction to RSA CryptosystemSimplied Model of RSA CryptosystemWhy it it simplied?Dierence between RSA cryptosystem and RSA function 6. IntroductionFactoring Attacks Elementary Attacks Low Private Exponent AttackIntroduction to RSA SignaturesSimplied Model of RSA Signatures 7. Introduction Factoring Attacks Elementary Attacks Low Private Exponent AttackBasic Ideas of RSABased on the idea that . . . Factorization is dicult But . . . There is no formal proof that 1 Factorization is dicult2 Factorization is needed for cryptanalysis of RSA 8. IntroductionFactoring AttacksElementary Attacks Low Private Exponent AttackContents1 IntroductionIntroduction to RSA CryptosystemIntroduction to RSA SignaturesBasic Ideas of RSA2 Factoring AttacksSome Factoring AlgorithmsBreaking RSA v/s FactoringExposing d v/s FactoringGuessing (N) v/s FactoringAre Strong Primes Needed?Conclusion3 Elementary AttacksDictionary AttackCommon Modulus AttackBlinding Attack4 Low Private Exponent AttackTheory of Continued FractionsWieners AttackAvoiding Wieners Attack 9. IntroductionFactoring Attacks Elementary AttacksLow Private Exponent AttackFactoring Algorithm 1: Fermats Factorization MethodFirst improvement over then trial-division methodEvery odd composite number can be represented as a dierence of twosquaresn = cd 2 2c +dc d n=2 2Start from k =n, go on incrementing k till k 2 n is a perfect squareMight be worse than trial division . . . 1Eect on RSA . . . Special case p q 4n 4 10. IntroductionFactoring Attacks Elementary AttacksLow Private Exponent AttackFactoring Algorithm 2: Eulers Factorization MethodBased upon representing a positive integer n as the sum of two squares intwo dierent waysn = a2 + b 2 = c 2 + d 2If n can be represented as a sum of two squares in two dierent ways, itcan be factorized!!(a c)(a + c) = (d b)(d + b)Let k be the gcd of a c and d b, so that a c = kl and d b = km.l(a + c) = m(d + b) and a + c = mr and d + b = lr (Why?)h` ` r 2 i 2n= k + 2 2 (m2 + l 2 ) (Are k and r always even?) , go on decrementing k till n k 2 is a perfect squarepnStart from k =2Historically important!! Flaws!! 11. IntroductionFactoring Attacks Elementary Attacks Low Private Exponent AttackFactoring Algorithm 3: Pollards p 1 MethodBasic ideaEect on RSA 12. Introduction Factoring Attacks Elementary Attacks Low Private Exponent AttackFactoring Algorithm 3: Pollards p 1 MethodPollards p 1 algorithmRequire: A composite integer NEnsure: A non-trivial factor of N or failureB Chosen Smoothness Bounda Random number coprime to Nfor q = 1 to B do if q is prime then log Ne log qe a aq mod Nend ifend for 13. IntroductionFactoring Attacks Elementary Attacks Low Private Exponent AttackFactoring Algorithm 3: Pollards p 1 Method Pollards p 1 algorithmg gcd (a 1, N)if 1 < g < N then return gelse if g = 1 then Select a higher B and go to step 2 or return failureelse Go to step 2 or return failureend if 14. IntroductionFactoring AttacksElementary Attacks Low Private Exponent AttackFactoring Algorithm 3: Pollards p 1 MethodExample... Factorize 5917Say B = 5, we make = 213 38 56So, = 2 1gcd(, 5917) = 61 !! 15. IntroductionFactoring Attacks Elementary Attacks Low Private Exponent AttackFactoring Algorithm 4: Pollards MethodIdeas: Birthday ParadoxFloyds cycle nding algorithm 16. IntroductionFactoring Attacks Elementary AttacksLow Private Exponent AttackFactoring Algorithm 4: Pollards Method Pollards algorithmRequire: n, the integer to be factored; x1 , such that 0 x1 n; and f (x), a pseudo-random function modulo n.Ensure: A non-trivial factor of n or failurei 1; y x1 ; k 2loop i i +12 xi (xi1 1) mod n d gcd(y xi , n) if d = 1 and d = n then return d end if if i = k then y xi k 2k end ifend loop Example... Factorize 1387 17. Introduction Factoring Attacks Elementary Attacks Low Private Exponent AttackFactoring Algorithm 4: Pollards Method .. ExampleExample... Factorize 1387 18. Introduction Factoring Attacks Elementary AttacksLow Private Exponent AttackFactoring Algorithm 4: Pollards Method .. ExampleExample... Factorize 1387 Take x1 = 2 andf (x) = x 2 1 mod 1387ixi gcd(xi y , 1387) y12-223gcd(3 2, 1387) = 1 338gcd(8 3, 1387) = 1463 gcd(63 3, 1387) = 16351194 gcd(1194 63, 1387) = 161186 gcd(1186 83, 1387) = 17177gcd(177 63, 1387) = 198814gcd(814 63, 1387)8149996gcd(996 814, 1387) Complexity?? 19. Introduction Factoring AttacksElementary Attacks Low Private Exponent AttackBreaking RSA v/s FactoringBreaking RSA Factoring (Obvious!)Open Problem: Factoring Breaking RSA??Expectation: No!!! Factoring is expected to be strictly > Breaking RSA 20. IntroductionFactoring Attacks Elementary Attacks Low Private Exponent AttackExposing d v/s FactoringTheoremExposing the private key d and factoring N are equivalentProof Determining d Factoring N (Why??)Determining d Factoring N (Non-obvious algorithm) We will now present a randomized algorithm by which knowing d,factors of N can be easily determined. 21. Introduction Factoring AttacksElementary Attacks Low Private Exponent AttackExposing d v/s Factoring . . . Miller Rabin TestMiller Rabin TestRandomized primality testing algorithmMiller version Rabin version 22. Introduction Factoring Attacks Elementary AttacksLow Private Exponent AttackExposing d v/s Factoring . . . Miller Rabin TestMiller Rabin TestRequire: n > 2, an odd integer to be tested for primalityEnsure: Composite if n is composite, otherwise probably PrimeWrite n 1 as 2s d with d odda Random number between 1 and n 1x0 ad mod nif x = 1 OR x = n 1 then return Probably Primeend if 23. Introduction Factoring AttacksElementary Attacks Low Private Exponent AttackExposing d v/s Factoring . . . Miller Rabin Test Miller Rabin Testfor i = 1 to s 1 do2xi xi1 mod nif xi = 1 and xi1 = 1 and xi1 = n 1 thenreturn Compositeend ifend forif xt = 1 thenreturn Compositeelsereturn Probably Primeend if 24. IntroductionFactoring Attacks Elementary Attacks Low Private Exponent AttackExposing d v/s Factoring . . . Miller Rabin Test Miller Rabin Error Rate AnalysisIf n is a composite number, then the number of witnesses to thecompositeness of n is at least n1 .2Proofn1Prove that number of non-witnesses is at most2Creating a subgroup B, which is a subgroup of Z , which n contains all thenon-witnessesShow the existence of an element in Z B, n n1n1Order of B 2 . Number of non-witnesses 2 We break the proof into two cases. 25. IntroductionFactoring Attacks Elementary AttacksLow Private Exponent AttackExposing d v/s Factoring . . . Miller Rabin TestCase 1: There exists an x Z such that x n1 1 mod n n Let B = {b Z : b n1 1 (mod n)}nSince there exists an element x for which x n1 1 mod n, Z B isnnon-empty n1Number of non-witnesses 2 26. Introduction Factoring Attacks Elementary Attacks Low Private Exponent AttackExposing d v/s Factoring . . . Miller Rabin Test Case 2: For all x Z , x n1 1 mod n nRepresent n as n1 n2 where n1 and n2 are relatively primeNote that n 1 = 2s u and for input a, we can compute the following sequence 234smodulo n: au , a2u , a2 u , a2 u , a2 u a2 uLet us call a pair of integers (v , j) acceptable if v Z , j = 0, 1, 2, , s andn jv 2 u 1 (mod n) Set of acceptable pairs contains (n 1, 0). So, the set is non-empty.Pick the largest possible j for which there exists an v such that (v , j) is an acceptablepair. We will use this j in the proof. jB = {x Z : x 2 u 1n (mod n)} Clearly, B is a subgroup of Z . Also note that the sequence produced by a nnon-witness must be either all 1s or contain 1 no later than the jth position (due tomaximality of j). So, every non-witness belongs to B. 27. Introduction Factoring Attacks Elementary Attacks Low Private Exponent AttackExposing d v/s Factoring . . . Miller Rabin TestCase 2: For all x Z , x n1 1 mod n nTo complete the proof, we have to prove that Z B is non-empty. Note that therenexists a w such that w v(mod n1 ) and w 1(mod n2 ) jwhere v is an element in B such that v 2 u 1 (mod n). So, j j w 2 u 1 (mod n1 ) and w 2 u 1(mod n2 ) j jThis implies w 2 u 1 (mod n) and w 2 u 1 (mod n). So, w B. /All we need to prove is that w Z . Since v Z , gcd(v , n) = 1, which impliesnngcd(v , n1 ) = 1. Since gcd(w , n1 ) = gcd(v , n1 ), gcd(w , n1 ) = 1. By construction of w ,gcd(w , n2 ) = 1. So, gcd(w , n1 n2 ) = gcd(w , n) = 1. 28. Introduction Factoring Attacks Elementary AttacksLow Private Exponent AttackExposin