Date post: | 05-Jan-2016 |
Upload: | sabrina-hines |
From the previous lecture…
p, q, n:=pq
๐ (๐) ,๐ ,๐ ,๐
B
๐ ,๐
Secret ๐ ๐=๐๐(๐๐๐๐) ๐=๐๐(๐๐๐๐)
Cristina Onete || 25/09/2014 || 2
๐ ,๐
Textbook RSA (V)
Security:
• Is encryption secure?
๐=๐๐(๐๐๐๐)
• Can we recover the secret key? Key recovery as hard as factorizing
• Can we recover in any other way?
Values are long-term
Each maps to unique Deterministic
Textbook RSA (VI)
Security:
• Plaintext recovery: can't find from
• IND-CPA/IND-CCA: can't say anything about
Encryption is deterministic: can always distinguish m from m'
Not guaranteed if few possible messages: try out all alternatives, find plaintext
OK if chosen at random from large set
• Not very secure; but we can improve it
Textbook RSA ++
Improving Textbook RSA:
Secret pre-processing RSA encryption
pre-processing
Security will depend on this step
PKCS and Bleichenbacher
Preprocessing with PKCS1, mode 2
• Pad with random number (make it probabilistic)
00 | 02 | random pad | FF | message (1024 bits)
• Bleichenbacher '98: use the regularity of the ciphertext (they must start with "00|02") to recover plaintext!
PKCS and Bleichenbacher (II)
Core idea
Ciphertext
Decrypt: does m start with "00|02"?
Continue
ERROR!
Attacker starts with ciphertext
• Re-randomize it:
• Is it PKCS? Repeat until you know rM starts with 00|02
• Move to next part of message
ciphertexts
Contents
Pre-processing
• How OAEP works
• Improvements on OAEP
• Hash Functions; Random Oracles (brief)
Attacks on factoring - generic
• Pollard's
• Pollard-
Unsafe modes for RSA
• Small sk: Wiener's attack
• Small pk and related ciphertexts
Some physical attacks
The OAEP Function
A new pre-processing function: OAEP
• OAEP = Optimal Asymmetric Encryption Padding
• By Bellare & Rogaway, 1994; in RFC 2437
m pad r
G
H
YX
bits bits bits
K = size of n=pq
= parameters (to be set)
G, H = hash functions
= bit XOR
The OAEP Function
In detail: OAEP
m pad r
G
Hash functions
• A box with input of any size, and output of fixed size
In this case: input is bits, output is
• Collision-resistance: can't find with
• Random oracles: always outputs new string
Outputs consistently: consistent
The OAEP Function
In detail: OAEP
m pad r
G
How it works:
r
bits
G ๐ผ 0
m pad ๐ผ 0 ๐=
bits random
The OAEP Function
In detail: OAEP
How it works:
bits
H ๐ผ 1
bits
๐ผ 1 ๐=
H
r๐
๐
r
random
RSA-OAEP Decryption
are random oracles Hard to invert
How do we decrypt? Go in reverse: receive
Decrypt:
m pad r
G
H
YX
RSA-OAEP Decryption
are random oracles Hard to invert
How do we decrypt? Go in reverse: receive
H ๐ผ 1
๐ผ 1 ๐=
๐
r
๐ป ( ๐ )=๐ผ 1
๐ ๐ผ 1=๐
๐ ๐ป (๐ )=๐
Decrypt:
๐=๐ป ( ๐ )๐
RSA-OAEP Decryption
are random oracles Hard to invert
How do we decrypt? Go in reverse: receive
Decrypt: Recover:
m pad r
G
H
YX
RSA-OAEP Decryption
are random oracles Hard to invert
How do we decrypt? Go in reverse: receive
Decrypt: Recover:
r G ๐ผ 0
m pad ๐ผ 0 ๐=
๐บ (๐ )=๐ผ 0
๐โจ๐๐๐ ๐ผ 0=๐
๐โจ๐๐๐๐บ (๐ )=๐๐โจ๐๐๐=๐บ (๐ ) ๐
RSA-OAEP Decryption
are random oracles Hard to invert
How do we decrypt? Go in reverse: receive
Decrypt: Recover:
Retrieve:
Check: pad has the right format
The OAEP Function
In detail: OAEP
• Functions are random oracles: that is, they give random output. In practice: use SHA-1
• Randomness chosen freshly every time
• How about the padding?
m pad r
• Original OAEP: ([BR94])
• OAEP+: with W a random oracle ([S01])
Improving OAEP: SAEP
m W(m,r) r
H
YX
bits bits bits
• No need for function
• Function is random oracle. Input size: bits. Output size: bits
Contents
Pre-processing
• How OAEP works
• Improvements on OAEP
• Hash Functions; Random Oracles (brief)
Generic attacks on factoring
• Small Small or
• Pollard-
Unsafe modes for RSA
• Small sk: Wiener's attack
• Small pk and related ciphertexts
Some physical attacks
Attacks on RSA
For the remainder of this lecture
We =
1st goal:
• Given something of the form , find
Strategies:
• Generic: factor . Given , easy to recover
• Specific: retrieve plaintext without factoring
Small
Easy case: we are given and
• If are prime, then
• Given and
Calculate: This gives:
Also:
So:
and: ยฟโโ(๐โ๐ (๐)+1)2โ4๐
Factorization: and
Small
Hard case: we are given only Try to guess Use: Then:
Algorithm SmallDiff: Input Complexity parameter Write Let .
Note: are odd. Thus: and are even
IF is a square (it is equal to for a positive integer )
THEN: if and are prime, Output and
ELSE:
While DO
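Both cases from the two "Small" slides, written as a key-generation sanity check; this is an added example, not code from the lecture. Assumptions: the hard case is implemented as standard Fermat factorization (search for a with a² − n a perfect square), `max_steps` stands in for the slide's complexity parameter, and the function names are hypothetical.

```python
from math import isqrt

def factor_from_phi(n, phi):
    """Easy case: n and phi(n) are both known."""
    s = n - phi + 1              # p + q
    disc = s * s - 4 * n         # (p - q)^2
    if disc < 0:
        return None
    d = isqrt(disc)
    if d * d != disc:
        return None              # phi does not match n = p*q
    p, q = (s + d) // 2, (s - d) // 2
    return (p, q) if p * q == n else None

def fermat_small_diff(n, max_steps):
    """Hard case: only n is known. Succeeds quickly when |p - q| is small."""
    if n % 2 == 0:
        return None              # p and q are assumed odd
    a = isqrt(n)
    if a * a < n:
        a += 1                   # start at ceil(sqrt(n))
    for _ in range(max_steps):
        b2 = a * a - n           # candidate for ((p - q) / 2)^2
        b = isqrt(b2)
        if b * b == b2:
            return (a + b, a - b)
        a += 1
    return None                  # no close factors within the budget

def modulus_has_close_primes(n, max_steps=1_000_000):
    """Audit helper: True if n should be rejected as a weak modulus."""
    return fermat_small_diff(n, max_steps) is not None
```

A modulus built from the constructed twin primes 10007 and 10009 falls on the first step, while 101 · 10007 survives a budget of 100 steps.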
Small or : Pollard's
Attack on factoring - bad (p-1)
• Vulnerability: with one small prime
• Pollard's (p-1) factors in steps if smallest factor
If is small, then this method is fast
• Idea: if is prime, then is not
Since all are odd, is even
We are hoping has only small factors and we will try to retrieve them all
Obviously will have 2 as a factor
All in the same set
Small or : Pollard's
Attack on factoring - bad (p-1)
• Vulnerability: with one small prime
• Supposition:
• How large can be for each ?
Well, for any , so
• Start with definite upper bound:
As , any divides . So divides
$1 \le a < p:\ a^{p-1} = 1 \pmod{p}$ So
Small or : Pollard's
Attack on factoring - bad (p-1)
• Vulnerability: with one small prime
As , any divides . So divides
$1 \le a < p:\ a^{p-1} = 1 \pmod{p}$ So
Pick random Check that
๐ divides๐๐ โ1
• If : then . Hooray!
• If and With high probability
Then
Else, pick a new a
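One way to write the (p-1) method of these slides, as an added example that is not the lecture's own solution: the exponent is built up as k! for k up to a smoothness bound, and gcd(a^(k!) − 1, n) is checked after every step. The function name, the default base a = 2 and the sample moduli are assumptions.

```python
from math import gcd

def pollard_p_minus_1(n, bound, a=2):
    """Return a non-trivial factor of n if p-1 divides bound! for exactly
    one prime factor p of n; otherwise return None."""
    g = gcd(a, n)
    if 1 < g < n:
        return g                 # lucky: a already shares a factor with n
    x = a % n
    for k in range(2, bound + 1):
        x = pow(x, k, n)         # x = a^(k!) mod n
        g = gcd(x - 1, n)
        if 1 < g < n:
            return g             # p divides a^(k!) - 1, the other prime does not
        if g == n:
            return None          # both primes hit at once: pick a new a
    return None                  # neither p-1 nor q-1 is smooth up to bound

def modulus_resists_p_minus_1(n, bound):
    """Audit helper: True when the method finds nothing within the bound."""
    return pollard_p_minus_1(n, bound) is None

# Constructed sample moduli:
# 2521 - 1 = 2^3 * 3^2 * 5 * 7 has only small factors,
# 10007 - 1 = 2 * 5003 and 2879 - 1 = 2 * 1439 each have a large prime factor.
WEAK_N = 2521 * 10007
STRONG_N = 2879 * 10007
```

With a bound of 20 the weak modulus gives up 2521, while the modulus built from two primes of the form 2·prime + 1 returns nothing.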
Exercise time!
Write pseudocode for Pollard's
So far
Small
• Given and : calculate
Take:
Factorization: and
• Given : verify values of for integer
For each check if is integer
If so, if are prime then: Output
Else, next and repeat procedure
So far
Small
Pick random Check that
• If : then . Hooray!
• If and With high probability
Then
Else, pick a new a and repeat
Pollard's
General factorization attack (are we lucky?)
• Strategy: find specific small such that
Most likely then,
• Imagine we could calculate
Say we had:
• Suppose we find such that , then:
๐๐ขโ๐๐ฃ=0(๐๐๐๐) divides
Then with high probability
• But, we don't know . We do this .
Pollard's
• Strategy: we compute:
• Choice: speed vs. storage
• Find: such that
• With high probability
• Storage: method as above. Need to store all
• Speed: Floyd's cycle finding algorithm:
• and
• Mod n:
Only checking pairs at a time
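The "speed" variant with Floyd's cycle finding, as an added example that is not the lecture's own solution: two walkers move through the same sequence at different speeds, so only one pair is compared per step and nothing is stored. The iteration x → x² + c mod n, the starting value and the function name are assumptions (the usual textbook choices).

```python
from math import gcd

def pollard_rho_floyd(n, x0=2, c=1, max_iter=100_000):
    """Return a non-trivial factor of n, or None if this (x0, c) fails."""
    if n % 2 == 0:
        return 2

    def step(x):
        return (x * x + c) % n   # pseudo-random walk mod n

    tortoise = hare = x0
    for _ in range(max_iter):
        tortoise = step(tortoise)        # one step
        hare = step(step(hare))          # two steps
        # If the two values collide mod p but not mod n,
        # the gcd of their difference with n is a proper factor.
        g = gcd(abs(tortoise - hare), n)
        if 1 < g < n:
            return g
        if g == n:
            return None  # the walk closed its cycle mod n: retry with another c
    return None

def factor_with_retries(n, tries=5):
    """Run the walk with c = 1, 2, ... until one choice splits n."""
    for c in range(1, tries + 1):
        g = pollard_rho_floyd(n, c=c)
        if g is not None:
            return g
    return None
```

On the constructed modulus 8051 = 83 · 97 the third comparison already yields gcd(|677 − 871|, 8051) = 97; on a prime input the walk closes on itself and the function returns None.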
Floyd's Cycle-Finding Alg.
Source: http://home.online.no/~vlaenen/
Exercise time!
Put the method (with Floyd's cycle-finding algorithm) in pseudocode/algorithm form!
Unsafe Modes for RSA
Small public key
• More receivers with same small (different )
• Same plaintext is sent to users
๐๐
๐๐(๐๐๐๐ 1)
๐๐(๐๐๐๐ 2)
๐๐(๐๐๐๐ 1)
๐๐(๐๐๐๐ 1)
๐
Unsafe Modes for RSA
Small public key
• One receiver with small (different )
• Two related plaintexts: and
• If knows the relationship of the messages, she can use polynomial multiplication to find
Recommended
• e =
• This leads to fast encryption
More Unsafe Modes
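Small secret key
• Better for decryption: makes it more efficient
$ed = 1 \pmod{\varphi(n)}$ ⇒ (math "magic") $ed = 1 \pmod{\mathrm{LCM}(p-1, q-1)}$
• Use: least common multiple LCM
$\mathrm{LCM}(p-1, q-1) = \frac{(p-1)(q-1)}{\mathrm{GCD}(p-1, q-1)}$, where $G$ denotes $\mathrm{GCD}(p-1, q-1)$
$ed = 1 + \frac{K}{G}(pq - p - q + 1)$
Divide by dpq:
$\frac{e}{pq} = \frac{1}{dpq} + \frac{K}{dG} - \frac{K}{dGp} - \frac{K}{dGq} + \frac{K}{dGpq}$
$\frac{e}{pq} - \frac{1}{dpq} + \frac{K}{dG}\left(\frac{1}{p} + \frac{1}{q} - \frac{1}{pq}\right) = \frac{K}{dG}$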
More Unsafe Modes
Small secret key
• If is small, then .
$\frac{K}{dG} = \frac{e}{pq} - \frac{1}{dpq} + \frac{K}{dG}\left(\frac{1}{p} + \frac{1}{q} - \frac{1}{pq}\right)$
• If is small, then .
Tend to 0
โ ๐๐โ 1
| ๐พ๐๐บโ ๐๐๐|=| ๐พ๐๐บ ( 1๐+ 1
๐โ1๐๐ )โ 1
๐๐๐|โค 1
โ๐๐< 1
2(๐๐บ)2
• This means that converges towards
• Continued fractions and some trial and error gives d
Physical Attacks
Implementation: Square and Multiply
๐=๐๐(๐๐๐๐)โข Standard way to do exponentiation
• Write in binary []. Set
For DO:
• If then set
• Else, set
Square AND Multiply
Square
• Example:
i 7 6 5 4 3 2 1 0
m
Physical Attacks
Implementation: Square and Multiply
๐=๐๐(๐๐๐๐)
• Time the operation and write out the order of ops
Timing attack: multiply takes longer than square
M, Sq, Sq, M, Sq, Sq, M, Sq, M, Sq, Sq, M
• Retrieve key from inverse Square and Multiply
Power attack: multiply burns more than square
• Retrieve for smartcards
Source: http://www.dbs.com.hk/
CIDRE
Thanks!