The RSA cryptosystem and its pitfalls

Post on 21-Aug-2018


RSA algorithm The pitfalls

The RSA cryptosystem and its pitfalls

Marco Vitturi

School of Mathematics

PG Colloquium - September 24th 2014


Figure: Pointless stock photo returned by a Google Images query for the word ”cryptography”


Private Key vs. Public key

Private Key: both parties know the shared secret key (the same for both), and they use it to encrypt and decrypt.

Figure: © Ferguson, Schneier, Kohno

Communication is only secret as long as the password stays secret. The parties have to exchange the key safely at an earlier time.


Public Key: Bob's public key is known to everyone (you can find it in a phonebook, so to say), and allows encryption of messages to Bob.

Figure: © Ferguson, Schneier, Kohno

Decryption requires a different, private key, known to Bob alone. No exchange of keys is required.

Fermat's Little Theorem

Let N be a natural number, and $\varphi(N) := \#\{\,n < N \text{ s.t. } \gcd(n, N) = 1\,\}$ Euler's totient function. Then, for every a coprime with N, it is

$$a^{\varphi(N)} \equiv 1 \pmod N.$$

It's easy to calculate $\varphi(N)$ from the prime factorization $N = p_1^{\alpha_1} \cdots p_r^{\alpha_r}$:

$$\varphi(N) = N \left(\frac{p_1 - 1}{p_1}\right) \cdots \left(\frac{p_r - 1}{p_r}\right) \;\Rightarrow\; \text{if } N = pq \text{ then } \varphi(N) = (p-1)(q-1).$$


RSA algorithm

Pick primes p, q and form N = pq (2048 or 4096 bits)

Pick e and d s.t. $e \cdot d \equiv 1 \pmod{(p-1)(q-1)}$

Public key = (N, e)

Private key = (N, d)

Encryption: message m is encrypted by Alice to

$$c := m^e \bmod N$$

Decryption: ciphertext c is decrypted by Bob by performing

$$c^d \bmod N,$$

thus recovering the message m


RSA algorithm: the math

Since e and d are inverses mod $(p-1)(q-1) = \varphi(N)$, one has

$$ed = k\varphi(N) + 1$$

and so, by Fermat's Little Theorem,

$$c^d \equiv m^{ed} \equiv m^{k\varphi(N)+1} \equiv 1 \cdot m = m \pmod N$$

Efficiency

Exponentiations mod N are efficient: $x^n \bmod N$ only requires O(log n) squarings and multiplications altogether, by repeated squaring.
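The scheme of the last two slides, as an added example that is not part of the talk: a toy RSA in Python with the repeated-squaring exponentiation written out, so that the identity $c^d = m$ can be checked directly. The primes 104729 and 1299709, the exponent 65537 and the message are constructed values, far too small for real use.

```python
# Added example, not from the talk: textbook RSA on small constructed primes.
# The parameters below are toy-sized for illustration only; real keys use
# 2048- or 4096-bit N as the slide says.
from math import gcd


def mod_pow(x, n, N):
    """x^n mod N by repeated squaring: O(log n) squarings/multiplications."""
    result = 1
    x %= N
    while n > 0:
        if n & 1:               # lowest bit of n set: multiply x in
            result = result * x % N
        x = x * x % N           # square for the next bit
        n >>= 1
    return result


def keygen(p, q, e=65537):
    """Return ((N, e), (N, d)) with e*d == 1 mod (p-1)(q-1)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(N)")
    d = pow(e, -1, phi)         # modular inverse via Euclid (Python 3.8+)
    return (N, e), (N, d)


def encrypt(pub, m):
    N, e = pub
    return mod_pow(m, e, N)


def decrypt(priv, c):
    N, d = priv
    return mod_pow(c, d, N)


# Constructed toy parameters: two known primes (the 10,000th and 100,000th).
P, Q = 104729, 1299709
PUB, PRIV = keygen(P, Q)


def roundtrip(m):
    """Encrypt then decrypt m; True iff the slide's identity c^d = m holds."""
    return decrypt(PRIV, encrypt(PUB, m)) == m


if __name__ == "__main__":
    m = 123456789                     # constructed message, must be < N
    c = encrypt(PUB, m)
    print("N =", PUB[0], "c =", c, "roundtrip:", roundtrip(m))
```

`mod_pow` is the repeated-squaring loop the Efficiency note refers to; Python's built-in `pow(x, n, N)` does the same thing and is what one would use in practice.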


Strength of RSA: decryption strategies

By factoring N you get p, q, from which you calculate $\varphi(N)$ and then calculate $d = e^{-1} \bmod \varphi(N)$ (by Euclid's algorithm), but integer factorization is a hard problem.

Another possibility is to extract the discrete e-th root mod N of c, thus recovering m directly. This is believed to be at least as hard as factoring.

Still, these aren't the only attacks. RSA can easily be broken if used naively.


There are plenty of non-mathematical attacks on RSA.

Figure: © xkcd

We concentrate on mathematical attacks, though. Specifically, those that do not attempt to solve the factorization problem.


Common N

N should be unique for every user.

This is because, given e, d it is easy to factor N, and thus find $\varphi(N)$ and calculate other users' secret keys.

We know $ed - 1 = k\varphi(N) =: M$, then for a coprime with N

$$a^M \equiv 1 \pmod N.$$

$\varphi(N)$ is even, thus $M = 2^n t$, and therefore $a^{M/2}$ is a square root of 1 mod N. There are 4 such square roots, $\pm 1, \pm x$, where

$$\begin{cases} x \equiv 1 \pmod p, \\ x \equiv -1 \pmod q. \end{cases}$$

For a chosen at random, with high probability one amongst $a^{M/2}, a^{M/4}, \dots$ is $\pm x$, and $\gcd(x \pm 1, N)$ gives a factor of N.
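The factoring step described on this slide, as an added example that is not from the talk: given any valid private exponent d for N, the square-root-of-1 walk recovers p and q. The key is a constructed toy; the point for a defender is that every holder of a private exponent for a shared modulus can compute everybody else's.

```python
# Added example, not from the talk: recover p, q from a private exponent d,
# the computation behind the "common N" slide. Toy-sized constructed key.
from math import gcd


def factor_from_ed(N, e, d, max_bases=64):
    """Factor N = pq given e and d, using a^(ed-1) == 1 mod N.

    Writes M = ed - 1 = 2^s * t and walks a^t, a^(2t), a^(4t), ... looking
    for a square root of 1 other than +-1; gcd(x - 1, N) then yields a factor.
    Returns one prime factor, or None if every base tried was unlucky.
    """
    M = e * d - 1
    s, t = 0, M
    while t % 2 == 0:
        s += 1
        t //= 2
    for a in range(2, 2 + max_bases):
        g = gcd(a, N)
        if g != 1:                      # a itself shares a factor (toy N only)
            return g
        x = pow(a, t, N)
        if x in (1, N - 1):             # only trivial roots along this chain
            continue
        for _ in range(s):
            y = x * x % N
            if y == 1:                  # x is a non-trivial square root of 1
                return gcd(x - 1, N)
            if y == N - 1:              # next square is 1 trivially: give up
                break
            x = y
    return None


def keygen(p, q, e=65537):
    N = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return N, e, d


if __name__ == "__main__":
    N, e, d = keygen(104729, 1299709)   # constructed toy key
    f = factor_from_ed(N, e, d)
    print("factor found:", f, "cofactor:", N // f)
```

Each base a fails with probability at most one half, so a handful of bases is enough in practice; the same routine is what key-management tools use to rebuild p and q when only (N, e, d) is stored.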


Small private key d

If d is too small, we run into trouble: d can be recovered.

Theorem 1 (M. J. Wiener). Let N = pq, q < p < 2q, and suppose $d < \frac{1}{3} N^{1/4}$. Then, given the public key (N, e), one can recover d in O(log N) time.

By comparison, factoring N takes

$$O\left( (\log N)^{\,c_0 \left(\frac{\log N}{\log \log N}\right)^{1/3}} \right)$$

with the fastest known algorithm.

The vulnerability here is the existence of good approximations to rationals with continued fractions.


Small private key d: proof

Since $ed = k\varphi(N) + 1$, we have

$$\left| \frac{e}{\varphi(N)} - \frac{k}{d} \right| = \frac{1}{d\,\varphi(N)}.$$

Given the magnitude, $N^{-1} \approx \varphi(N)^{-1}$.

Consider then e/N as an approximation instead:

$$\left| \frac{e}{N} - \frac{k}{d} \right| = \left| \frac{ed}{Nd} - \frac{Nk}{Nd} + \frac{k\varphi(N)}{Nd} - \frac{k\varphi(N)}{Nd} \right| = \left| \frac{1}{Nd} - k\,\frac{N - \varphi(N)}{Nd} \right|$$

but $\varphi(N) = (p-1)(q-1) = N - p - q + 1$, so we can bound $N - \varphi(N) = p + q - 1 < 3N^{1/2}$.


Small private key d: proof

Thus we have

$$\left| \frac{e}{N} - \frac{k}{d} \right| < \frac{3kN^{1/2}}{Nd} = \frac{3k}{N^{1/2}\, d}.$$

Since $k\varphi(N) < ed$ and $e < \varphi(N)$, it must be $k < d < \frac{1}{3} N^{1/4}$, hence

$$\left| \frac{e}{N} - \frac{k}{d} \right| < \frac{1}{N^{1/4}\, d} < \frac{1}{2d^2}.$$

(from the theory of continued fractions) there are at most $\log_2 N$ fractions with denominator D < N that approximate e/N within error $1/2D^2$.

they are the convergents of the continued fraction expansion of e/N; one of them will be k/d.
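As an added example that is not from the talk, a key-validation routine that runs the argument of the proof: it lists the convergents of e/N, treats each denominator as a candidate d, derives the implied $\varphi(N)$ from $ed = k\varphi(N) + 1$, and accepts only if that $\varphi(N)$ splits N into two integer factors. The key with d = 17 is constructed so that the bound of Theorem 1 holds; the primes 104729 and 65537 are assumed values chosen to satisfy q < p < 2q.

```python
# Added example, not from the talk: a Wiener-style check on a public key.
# Returns the small private exponent and the factors when the check fails,
# None when no convergent of e/N exposes d. Toy-sized constructed key.
from math import isqrt


def convergents(num, den):
    """Yield the convergents h/k of the continued fraction of num/den."""
    h_prev, h_prev2 = 1, 0          # h_{-1}, h_{-2}
    k_prev, k_prev2 = 0, 1          # k_{-1}, k_{-2}
    while den:
        a = num // den
        h_prev, h_prev2 = a * h_prev + h_prev2, h_prev
        k_prev, k_prev2 = a * k_prev + k_prev2, k_prev
        yield h_prev, k_prev
        num, den = den, num - a * den


def wiener_check(N, e):
    """Return (d, p, q) if some convergent k/d of e/N exposes d, else None."""
    for k, d in convergents(e, N):
        if k == 0:
            continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k          # candidate phi(N) from ed = k*phi + 1
        if not 0 < phi < N:
            continue
        s = N - phi + 1                 # p + q, since phi = N - p - q + 1
        disc = s * s - 4 * N            # (p - q)^2 if the candidate is right
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            p, q = (s + r) // 2, (s - r) // 2
            if p * q == N:
                return d, p, q
    return None


# Constructed toy key with a deliberately tiny d (d < N^(1/4)/3 holds here).
P, Q = 104729, 65537                   # q < p < 2q, as in Theorem 1
N = P * Q
PHI = (P - 1) * (Q - 1)
D_SMALL = 17
E_SMALL = pow(D_SMALL, -1, PHI)        # public exponent paired with the tiny d

if __name__ == "__main__":
    print("weak key:", wiener_check(N, E_SMALL))
    print("e = 65537 key:", wiener_check(N, 65537))
```

The perfect-square test on $s^2 - 4N$ is what turns a candidate $\varphi(N)$ into a proof: the candidate is right exactly when p and q come out as integers with pq = N, so the check never reports a false positive.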


Small public key e

A small public key e isn't good either: it allows partial breaking.

Theorem 2 (Coppersmith). Let $N \in \mathbb{N}$ and $P \in \mathbb{Z}[X]$ be a monic polynomial of degree d. Fix $1/d > \varepsilon > 0$. Then the roots $z_0$ of $P(X) \bmod N$ s.t. $|z_0| < N^{1/d - \varepsilon}$ can be calculated in $O\big(\min(\tfrac{1}{\varepsilon}, \log N)^2\big)$ time.

In our case N is part of the public key and $P(X) = X^e - c$.

Allows broadcasting attacks (a message m broadcast to a high number of users can be decoded by a non-recipient).
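The broadcast attack mentioned on this slide in its simplest form (e = 3, three recipients, no padding), as an added example that is not from the talk: the Chinese remainder theorem combines the three ciphertexts into the integer $m^3$, which is below the product of the moduli, and an exact cube root returns m with no lattice reduction needed. The moduli and the message are constructed toys. Randomised padding such as OAEP removes this attack, because the three recipients then encrypt three unrelated values and there is no single $m^3$ to take a root of.

```python
# Added example, not from the talk: e = 3 broadcast to three recipients
# without padding. Only CRT and an exact integer cube root are needed.
# Moduli and message are constructed toys.


def crt(residues, moduli):
    """Combine x = r_i mod n_i (pairwise coprime n_i) into x mod prod(n_i)."""
    M = 1
    for n in moduli:
        M *= n
    x = 0
    for r, n in zip(residues, moduli):
        Mi = M // n
        x += r * Mi * pow(Mi, -1, n)
    return x % M, M


def icbrt(n):
    """Smallest integer x with x^3 >= n (binary search, exact for cubes)."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo


def broadcast_e3_recover(ciphertexts, moduli):
    """Given c_i = m^3 mod N_i for three moduli, return m, or None."""
    x, M = crt(ciphertexts, moduli)     # x == m^3 exactly, since m^3 < M
    m = icbrt(x)
    return m if m ** 3 == x else None


# Constructed recipients: each N_i = p*q with p, q = 2 mod 3, so e = 3 is a
# legal public exponent (gcd(3, phi(N_i)) = 1). All six primes are distinct.
MODULI = [65537 * 104729, 999983 * 1000037, 7919 * 10007]
E = 3


def encrypt_to_all(m):
    """Textbook RSA of the same m under every recipient's key, no padding."""
    return [pow(m, E, N) for N in MODULI]


if __name__ == "__main__":
    m = 12345678                        # constructed message, m < every N_i
    cs = encrypt_to_all(m)
    print("recovered:", broadcast_e3_recover(cs, MODULI))
```

The message 12345678 is chosen so that $m^3$ exceeds each individual modulus (so each ciphertext really is reduced) while staying below their product; Coppersmith's theorem above is what extends the idea to messages that differ by known padding.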


Small public key e: Coppersmith's theorem

Sketch of the idea: for $P(X) = \sum a_i X^i \in \mathbb{Z}[X]$ define the norm $\|P\|^2 = \sum |a_i|^2$.

if $\|P\|$ is small, then small roots of P mod N are real roots: assume $P(z_0) \equiv 0 \pmod N$ and $|z_0| < R$; if $\|P(R\,\cdot)\| < N (\deg P)^{-1/2}$, then $P(z_0) = 0$.

real roots can be approximated efficiently (e.g. Newton's method)

need to modify P to reduce its norm, while preserving the roots: e.g. $Q(X)P(X)$ and linear combinations.

Since $P(z_0)^\ell \equiv 0 \pmod{N^\ell}$, consider $\tilde{P}$ in the basis $g_{j,k}(X) = N^{\ell-k} X^j P(X)^k$; then you need $\|\tilde{P}(N^{1/d-\varepsilon}\,\cdot)\| < N^\ell$.

for $\ell$ big enough you can do this; it can be calculated efficiently using the LLL algorithm.


Small public key e: key exposure

A small key e can expose up to 50% of the most significant bits of d.

As before,

$$ed = k\varphi(N) + 1 \;\Rightarrow\; d \approx \frac{kN}{e}, \qquad k \le e.$$

Indeed,

$$\left| \frac{kN}{e} - d \right| < \left| \frac{k(p+q)}{e} \right| < \frac{3kN^{1/2}}{e} \le 3N^{1/2}.$$

So for some k, half the most significant bits of kN/e coincide with those of d. There are at most e possibilities for k.

Information leakage: $\approx \frac{\log N}{2} - \log e$ bits.


p and q too close

If p and q are too close, then factoring N is easy.

Theorem 3 (Fermat's factorization method). If $|p - q| < cN^{1/4}$, then N can be factored in $O_c(1)$ time.

How the factorization works:

If $x \ne y$ are s.t. $x^2 \equiv y^2 \pmod N$, then $N \mid (x+y)(x-y)$ and thus N shares a factor with $x \pm y$.

starting from $\lceil \sqrt{N} \rceil$ and incrementing by 1, you need to test at most $O_c(1)$ numbers to find $x^2 \equiv y^2 \pmod N$ s.t. $\gcd(N, x \pm y)$ is a factor of N.

the method takes exponential time if instead p and q are not close.
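Fermat's method as a bounded key check, as an added example that is not from the talk: it walks x from $\lceil \sqrt{N} \rceil$ upward and stops as soon as $x^2 - N$ is a perfect square $y^2$, giving $N = (x-y)(x+y)$ exactly as on the slide. The two moduli are constructed: one from primes 30 apart, one from primes whose gap is far above $N^{1/4}$, for which the bounded walk gives up.

```python
# Added example, not from the talk: Fermat's method with a step budget, as a
# check that p and q are not too close. Moduli below are constructed toys.
from math import isqrt


def fermat_factor(N, max_steps):
    """Return (p, q) with p*q == N if found within max_steps, else None."""
    x = isqrt(N)
    if x * x < N:
        x += 1                          # x = ceil(sqrt(N))
    for _ in range(max_steps):
        y2 = x * x - N
        y = isqrt(y2)
        if y * y == y2:                 # x^2 - N is a perfect square
            return x - y, x + y         # N = (x - y)(x + y)
        x += 1
    return None


def primes_too_close(N, max_steps=1000):
    """Key check: True iff Fermat's method splits N within max_steps."""
    return fermat_factor(N, max_steps) is not None


if __name__ == "__main__":
    close = 1000003 * 1000033           # constructed: |p - q| = 30
    far = 65537 * 104729                # constructed: gap ~ 39000 vs N^(1/4) ~ 288
    print("close primes:", fermat_factor(close, 10))
    print("far primes (100 steps):", fermat_factor(far, 100))
```

For the close pair the very first x already works, since $(p+q)/2$ is only one above $\lceil \sqrt{N} \rceil$; for the far pair the walk would need over two thousand steps, which is the exponential behaviour the slide mentions at scale.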


p − 1 having small factors

Tricky: if p − 1 has only small factors, N = pq can be factored quickly.

Pollard's p − 1 method

Suppose we have the prime factorization

$$p - 1 = \prod_{q_i \mid p-1} q_i^{\alpha_i}$$

with $q_i < B$. If we choose $\beta_i$ s.t. $q_i^{\beta_i} \le N < q_i^{\beta_i+1}$, then $\beta_i \ge \alpha_i$

$$\Rightarrow\; p - 1 \;\Big|\; \prod q_i^{\beta_i} =: R.$$

⇒ for random a, $a^R \equiv 1 \pmod p$, and $\gcd(a^R - 1, N)$ is a factor.

Therefore, given the list of primes up to B, we only have to keep multiplying $R' = \prod_{q_i \text{ prime} \le r} q_i^{\beta_i}$ until $\gcd(a^{R'} - 1, N)$ returns a divisor.
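Pollard's p − 1 method as on the slide, as an added example that is not from the talk: a running $a^{R'}$ is updated one prime at a time and $\gcd(a^{R'} - 1, N)$ is tested after each. The moduli are constructed toys; note that 65537, a perfectly good public exponent, is a poor choice of RSA prime because 65537 − 1 is a power of two, so B = 2 already splits a modulus built from it.

```python
# Added example, not from the talk: Pollard's p-1 method with a smoothness
# bound B, following the slide's R' loop. Moduli below are constructed toys.
from math import gcd, isqrt


def primes_up_to(B):
    """Sieve of Eratosthenes: all primes <= B."""
    sieve = bytearray([1]) * (B + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, isqrt(B) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, B + 1, i)))
    return [i for i in range(B + 1) if sieve[i]]


def pollard_p_minus_1(N, B, a=2):
    """Return a non-trivial factor of N, or None if the B-smooth attempt fails.

    Maintains a^(R') for R' = prod q^beta over primes q <= B, with the
    largest beta such that q^beta <= N, and tests gcd(a^(R') - 1, N) after
    each prime, exactly as the slide describes.
    """
    for q in primes_up_to(B):
        q_pow = q
        while q_pow * q <= N:           # q^beta <= N < q^(beta+1)
            q_pow *= q
        a = pow(a, q_pow, N)            # a <- a^(q^beta) mod N
        g = gcd(a - 1, N)
        if 1 < g < N:
            return g
        if g == N:                      # both p-1 and q-1 divided R': no split
            return None
    return None


if __name__ == "__main__":
    # 2311 = 2*3*5*7*11 + 1, so p - 1 is 11-smooth; 104729 - 1 has factor 53.
    print(pollard_p_minus_1(2311 * 104729, B=11))
    # 65537 = 2^16 + 1: p - 1 is a power of two, so B = 2 already suffices.
    print(pollard_p_minus_1(65537 * 104729, B=2))
```

The split only happens because the other factor's q − 1 carries a prime (53, or 13 and 19) above the bound; if both p − 1 and q − 1 were B-smooth the gcd would jump straight to N, which the code reports as a failed attempt.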


Blinding

You can be tricked into signing something that you don't want to.

Signing m means returning $s := m^d \bmod N$ (nobody else has access to d); $s^e \equiv m \pmod N$, proving to everyone it was us who signed.

A malicious attacker (Eve) wants us to sign m, which we won't agree to.

Instead, Eve picks r coprime with N and asks us to sign $m' := r^e m \bmod N$, which looks innocent.

we sign m' by returning to Eve $s := (m')^d \bmod N$.

Eve calculates a signature on m by $s r^{-1} \bmod N$.

It is indeed a valid signature: $s \equiv r^{ed} m^d \equiv r\, m^d \pmod N$.
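The blinding exchange above, as an added example that is not from the talk, together with the usual mitigation: a signer that signs only a hash of the message it is shown cannot be made to sign $r^e m$ in disguise, because Eve would need a second message whose hash equals that value. The key, the refusal policy and the messages are constructed toys; with a modulus this small the hash reduced mod N could be brute-forced, which is an artifact of the toy size, not of the construction.

```python
# Added example, not from the talk: the blinding trick against a raw-RSA
# signing oracle, and the same attempt against a hash-then-sign oracle.
# Key, policy and messages are constructed toys.
import hashlib
from math import gcd

P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

FORBIDDEN_INT = 42                 # raw value we refuse to sign
FORBIDDEN_MSG = b"pay Eve"         # message we refuse to sign


# --- raw RSA signatures: s = m^d mod N, valid iff s^e == m mod N -----------
def sign_raw(m):
    """Signing oracle on raw integers, with a naive content policy."""
    if m == FORBIDDEN_INT:
        raise PermissionError("refused to sign")
    return pow(m, D, N)


def verify_raw(m, s):
    return pow(s, E, N) == m % N


def blinded_raw_signature(m, r):
    """Eve's steps from the slide: blind m, have it signed, unblind."""
    if gcd(r, N) != 1:
        raise ValueError("r must be coprime with N")
    m_blind = pow(r, E, N) * m % N      # m' = r^e m: passes the policy
    s_blind = sign_raw(m_blind)         # we return (m')^d
    return s_blind * pow(r, -1, N) % N  # s r^-1 = r^(ed) m^d r^-1 = m^d


# --- hash-then-sign: s = H(msg)^d mod N -----------------------------------
def H(msg):
    """SHA-256 of the message bytes, reduced into Z_N (toy N < 256 bits)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_hashed(msg):
    if msg == FORBIDDEN_MSG:
        raise PermissionError("refused to sign")
    return pow(H(msg), D, N)


def verify_hashed(msg, s):
    return pow(s, E, N) == H(msg)


def blinding_attempt_on_hashed(target, r, decoy):
    """Eve obtains H(decoy)^d; unblinding yields a signature on `target` only
    if H(decoy) == r^e H(target) mod N, i.e. only with a hash preimage."""
    s_blind = sign_hashed(decoy)
    return s_blind * pow(r, -1, N) % N


if __name__ == "__main__":
    s = blinded_raw_signature(FORBIDDEN_INT, r=12345)
    print("raw oracle, forged signature verifies:", verify_raw(FORBIDDEN_INT, s))
    s2 = blinding_attempt_on_hashed(FORBIDDEN_MSG, 12345, b"looks innocent")
    print("hashed oracle, forged signature verifies:", verify_hashed(FORBIDDEN_MSG, s2))
```

The raw oracle's policy is defeated because it inspects $r^e m$, not m; the hashed oracle binds the signature to the bytes it was actually shown, which is why real signature schemes always sign a padded hash rather than a caller-supplied integer.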



Questions?