TRANSCRIPT
Attacking RSA
Brian Winant, [email protected]
Reference
“Twenty Years of Attacks on the RSA Cryptosystem”
By Dan Boneh
In Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999
Introduction
RSA introduced August 1977 (R = Ron Rivest, S = Adi Shamir, A = Len Adleman)
Subject to two+ decades of cryptanalysis
No serious attacks found against the underlying function
Most known attacks are based on implementation weaknesses or misuse
RSA Review - Modulus
Let N = pq
N is n bits long
p, q are large primes, each about n/2 bits long
In practice N is at least 1024 bits (1024 bits = 309 decimal digits); today 2048 bits is the accepted minimum
RSA Review - Keys
Choose exponents e and d such that ed = 1 mod φ(N)
φ(N) is the Euler phi (totient) function
Since N = pq, φ(N) = (p - 1)(q - 1)
φ(N) is the order of the multiplicative group Z_N^*
(N, e), (N, d) are the public/private keys
Mathematically it doesn't matter which is which; in practice d is the one kept secret
RSA Review - Encryption
Plaintext M ∈ Z_N^*
Ciphertext C ∈ Z_N^*
Encryption: f_k(M) = C = M^e mod N
Decryption: g_k(C) = C^d mod N, since M^(ed) mod N = M
Trapdoors
f_k(M) is a one-way trapdoor function
Exponent d is the trapdoor: it makes inverting f_k(M) easy
How hard is it to invert f_k(M) without the trapdoor? No known mechanism to easily invert f_k(M)
However, not proven to be impossible
Breaking RSA
Goal: invert f_k(M) without knowing d
Formally: given (N, e, C), and assuming the factorization of N is unknown, how hard is it to compute the e-th root of C mod N?
Naïve Approach
Z_N^* is finite: try all M ∈ Z_N^*
Runtime is exponential in n
Interested only in efficient algorithms: O(n^c) where n = log2 N and c is a small constant (< 5)
Theory vs. Implementation
Difference between the function and the cryptosystem
The textbook cryptosystem is not semantically secure: given (N, e, C) it is possible to recover some information about M
Example: the Jacobi symbol of M over N. Since e is odd and the Jacobi symbol is multiplicative, (C/N) = (M/N)^e = (M/N), so the ciphertext leaks the Jacobi symbol of the plaintext
Fixed by padding M with random bits (randomized encryption, e.g. OAEP)
Types of Attacks
Factoring
Elementary
Low Private Exponent
Low Public Exponent
Implementation
Factoring
If N can be factored, p, q are known, φ(N) = (p - 1)(q - 1) can be computed, and d = e^-1 mod φ(N) is easily computed using the extended Euclidean algorithm
State-of-the-art factoring algorithms are still super-polynomial (sub-exponential) in log N: General Number Field Sieve
Largest factored modulus at the time of this talk: 576 bits (174 decimal digits). The record has since moved to 829 bits (RSA-250, 250 decimal digits, factored in 2020)
More Factoring
For some N, factoring is easy
Pollard's p - 1 algorithm: if p - 1 is a product of primes less than B (B-smooth), N can be factored in about B^3 operations
Some RSA implementations reject such p (e.g. require p - 1 to have a large prime factor, or use safe primes p = 2p' + 1)
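Pollard's p - 1 method and the smoothness check that an implementation can apply to reject weak primes, as an added example that is not part of the original slides. The moduli are toy ones assembled from fixed primes chosen for the demonstration (one prime with a 17-smooth p - 1, one whose p - 1 has a large prime factor); those choices are assumptions of the example:

```python
# Added example (not from the original slides): Pollard's p - 1 method.
# Toy moduli built from real primes chosen for the demonstration:
#   SMOOTH_P - 1 = 2^23 * 7 * 17 (17-smooth), so the method succeeds;
#   HARD_P - 1 = 2 * 5 * 19 * 22605091 has a large prime factor, so it fails.

from math import gcd

SMOOTH_P = 998244353        # 119 * 2^23 + 1
HARD_P = 4294967291         # 2^32 - 5
Q = 1000000007              # Q - 1 = 2 * 500000003: not B-smooth for small B


def pollard_p_minus_1(n, bound, base=2):
    """Return a nontrivial factor of n, or None if the bound B was too small.

    Computes a = base^(B!) mod n.  If p - 1 divides B! (i.e. p - 1 is
    B-smooth) then, by Fermat, a == 1 (mod p) and gcd(a - 1, n) picks up p.
    """
    a = base
    for k in range(2, bound + 1):
        a = pow(a, k, n)            # after this step a == base^(k!) mod n
    g = gcd(a - 1, n)
    if 1 < g < n:
        return g
    # g == 1: no prime of n has a B-smooth p - 1 (B too small)
    # g == n: both p - 1 and q - 1 are B-smooth; retry with a smaller B or a different base
    return None


def is_b_smooth(x, bound):
    """True if every prime factor of x is <= bound (trial division).

    A key generator that wants to resist p - 1 rejects primes p for which
    is_b_smooth(p - 1, B) holds for any B it considers feasible.
    """
    d = 2
    while d <= bound and x > 1:
        while x % d == 0:
            x //= d
        d += 1
    return x == 1
```

With `bound=30`, `pollard_p_minus_1(SMOOTH_P * Q, 30)` returns `SMOOTH_P` because 2^23 * 7 * 17 divides 30!, while `pollard_p_minus_1(HARD_P * Q, 30)` returns `None`: neither prime of that modulus has a 30-smooth p - 1, so the gcd is 1. The smoothness of the two candidates is exactly what `is_b_smooth` reports.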
Breaking RSA vs. Factoring
If an efficient factoring algorithm exists, RSA is insecure
Open Problem: is the converse true? Must N be factored in order to efficiently compute e-th roots mod N? Is breaking RSA as hard as factoring?
Open Problem: Definition
Given N and e with gcd(e, φ(N)) = 1, define f_{e,N}: Z_N^* -> Z_N^* by f_{e,N}(x) = x^(1/e) mod N
Given an oracle that evaluates f_{e,N} in unit time, is there a polynomial-time algorithm A that computes the factorization of N?
Open Problem: Answer?
Probably not
Evidence (Boneh and Venkatesan) that for small e the answer may be no: there may not exist a polynomial-time reduction from factoring to breaking RSA
However, not proven
The negative answer is the one currently thought more likely, even though a positive answer would be the better security result (it would show breaking RSA is as hard as factoring)
Elementary Attacks
Due to misuse of RSA
Many exist; two examples: Modulus Reuse, Blinding
Modulus Reuse
To save time, why not reuse N? A trusted authority could provide each user i with keys (N, e_i), (N, d_i)
Attacker (one of the users) can use own e_a, d_a to factor N: e_a d_a - 1 is a multiple of φ(N), which yields a nontrivial square root of 1 mod N and hence a factor
Once N is factored, recovering every d_i is easy
Do not reuse N
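Factoring a shared modulus from one's own key pair and then deriving another user's private exponent, as an added example that is not part of the original slides. The primes and the two public exponents (65537 for user A, 3 for user B, both valid for this modulus) are assumptions of the demo:

```python
# Added example (not from the original slides): with a shared modulus, any
# user's own (e, d) pair factors N, after which every other user's private
# exponent follows.  Toy primes assumed; e_a = 65537 and e_b = 3 are both
# valid exponents for this N.

from math import gcd

P, Q = 1000000007, 998244353
N = P * Q
PHI = (P - 1) * (Q - 1)
E_A, E_B = 65537, 3


def factor_from_exponents(n, e, d):
    """Factor n given a matching (e, d) pair, or return None.

    e*d - 1 is a multiple of phi(n), so g^(e*d - 1) == 1 (mod n) for every g
    coprime to n.  Write e*d - 1 = 2^t * r and walk the chain
    g^r, g^(2r), g^(4r), ...: the last value before 1 is a square root of 1,
    and if it is not +-1 it splits n (the same argument as Miller-Rabin).
    """
    k = e * d - 1
    t = 0
    while k % 2 == 0:
        k //= 2
        t += 1
    r = k
    for g in range(2, 100):                 # a few bases suffice with overwhelming probability
        x = pow(g, r, n)
        if x == 1:
            continue
        for _ in range(t):
            y = x * x % n
            if y == 1:
                if x != n - 1:              # nontrivial square root of 1
                    p = gcd(x - 1, n)
                    return min(p, n // p), max(p, n // p)
                break                       # trivial root, try the next base
            x = y
    return None


def recover_other_users_key(n, e_mine, d_mine, e_other):
    """User A recovers user B's private exponent from the shared modulus."""
    p, q = factor_from_exponents(n, e_mine, d_mine)
    return pow(e_other, -1, (p - 1) * (q - 1))
```

The attacker needs no property of the other users' keys beyond the shared N: once `factor_from_exponents` has split N, φ(N) is known and each d_i is a modular inverse.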
Blinding
Fool Bob into signing an arbitrary M; (e, d) are Bob's public and private keys
Choose random r ∈ Z_N^*
Let M' = r^e M mod N
Have Bob sign M': S' = (M')^d mod N
Blinding
Compute S = S'/r mod N
S^e = (S')^e / r^e = (M')^(ed) / r^e = (r^e M)^(ed) / r^e = r^e M / r^e = M
Attacker now has a valid signature on M
Blinding: Defense
In practice, attack not feasible: prevented by hashing M before signing, since the signer then signs H(r^e M), which has no useful relation to H(M)
An attack, but the same blinding property is required for anonymous digital cash (Chaum's blind signatures)
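The blinding attack and the hash-before-sign defense, as an added example that is not part of the original slides. Bob's refusal policy (he will not sign one particular message), the toy primes, and the fixed blinding factor are all assumptions of the demo:

```python
# Added example (not from the original slides): the blinding attack against
# a signer that refuses to sign certain messages, and why hashing before
# signing stops it.  Toy primes and the refusal policy are assumptions.

import hashlib

P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

FORBIDDEN = int.from_bytes(b"PAY", "big")   # constructed: the message Bob will not sign


def hash_to_zn(m):
    """SHA-256 of the message, reduced into Z_N (toy hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(32, "big")).digest(), "big") % N


def bob_signs_raw(m):
    """Textbook signer: S = m^d mod N for any message except the forbidden one."""
    if m == FORBIDDEN:
        raise PermissionError("Bob refuses to sign this message")
    return pow(m, D, N)


def bob_signs_hashed(m):
    """Hardened signer: signs H(m) instead of m, same refusal policy."""
    if m == FORBIDDEN:
        raise PermissionError("Bob refuses to sign this message")
    return pow(hash_to_zn(m), D, N)


def blinding_attack(sign_oracle, m, r):
    """Obtain a signature on m by asking for a signature on r^e * m instead."""
    blinded = pow(r, E, N) * m % N           # M' = r^e M mod N, looks unrelated to m
    s_blinded = sign_oracle(blinded)         # S' = (M')^d mod N
    return s_blinded * pow(r, -1, N) % N     # S = S' / r mod N


def verify_raw(m, s):
    return pow(s, E, N) == m % N


def verify_hashed(m, s):
    return pow(s, E, N) == hash_to_zn(m)
```

Against `bob_signs_raw` the unblinded value verifies as Bob's signature on `FORBIDDEN`; against `bob_signs_hashed` Bob still signs the blinded message, but what the attacker unblinds is H(r^e M)^d / r, which verifies against nothing useful.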
Low Private Exponent
Reduce decryption time by using a small d
If d < (1/3) N^(1/4), d can be recovered (Wiener's attack): an approximation method based on continued fractions, since k/d is then one of the convergents of e/N
Small d can still be chosen using the Chinese Remainder Theorem in a possibly secure manner: make d_p = d mod (p - 1) and d_q = d mod (q - 1) small while ensuring d mod φ(N) is still large
Open Problem: How small can d be?
Open Problem
Let N = pq, let d < N^0.5
Let e < φ(N) with ed = 1 mod φ(N)
If the attacker is given (N, e), can d be recovered efficiently?
(Boneh and Durfee have since shown that d < N^0.292 is insecure; the range between N^0.292 and N^0.5 remains open)
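Wiener's continued-fraction attack, as an added example that is not part of the original slides. The key is deliberately weak: it is generated from toy primes with d = 7919 chosen first (below N^(1/4)/3 for this modulus) and e derived from it, which is an assumption of the demo:

```python
# Added example (not from the original slides): Wiener's continued-fraction
# attack on a small private exponent.  The weak key is generated from toy
# primes with d chosen first, an assumption of the demo.

from math import isqrt


def continued_fraction(num, den):
    """Partial quotients a0, a1, ... of num/den."""
    while den:
        a = num // den
        yield a
        num, den = den, num - a * den


def convergents(num, den):
    """Successive convergents h/k of num/den."""
    h_prev, h = 0, 1          # h_{-2}, h_{-1}
    k_prev, k = 1, 0          # k_{-2}, k_{-1}
    for a in continued_fraction(num, den):
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener_attack(e, n):
    """Return (d, p, q) when d < n^(1/4)/3, else None.

    ed = 1 + k*phi, so e/phi ~ k/d and, because phi ~ n, k/d appears among
    the convergents of e/n.  Each candidate (k, d) is verified by recovering
    phi = (ed - 1)/k and solving x^2 - (n - phi + 1)x + n = 0 for p and q.
    """
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                       # p + q
        disc = s * s - 4 * n                  # (p - q)^2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue
        p, q = (s + root) // 2, (s - root) // 2
        if p * q == n:
            return d, max(p, q), min(p, q)
    return None


def weak_key(p, q, d):
    """Build (N, e) for a key whose private exponent is the small d given."""
    phi = (p - 1) * (q - 1)
    return p * q, pow(d, -1, phi)
```

For the same modulus with e = 65537 (so d is of the order of φ(N)) the function returns `None`: k/d is no longer close enough to e/N to be a convergent, which is the whole content of Wiener's bound.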
Low Public Exponent
In practice, small public exponents are used: reduces encryption and signature-verification time
Smallest e = 3; recommended e = 2^16 + 1 = 65537
For signature verification with e = 65537: requires 17 multiplications (16 squarings plus 1 multiply), approx. 1000 when a random full-size e is used
Small public exponents are not as dangerous as small private exponents
Low Public Exponent Attacks
Broadcast Attack
Related Message Attack
Short Pad Attack
Partial Key Exposure Attack
Broadcast Attack
Bob sends the same M to parties P_1 ... P_k
P_i has public key (N_i, e_i)
M < N_i for all i
Bob encrypts M with the key of each P_i
Attacker can collect all k ciphertexts and recover M if k ≥ e (Håstad)
Broadcast Attack: Simplified
Assume e_i = 3 for all i
Attacker collects C_1, C_2, C_3
C_1 = M^3 mod N_1
C_2 = M^3 mod N_2
C_3 = M^3 mod N_3
Chinese Remainder Theorem gives C' = M^3 mod N_1 N_2 N_3
Broadcast Attack: Simplified
Since M < all N_i, M^3 < N_1 N_2 N_3
So C' = M^3 over the integers
Recover M by calculating the integer cube root of C'
Broadcast Attack: Defense
Pad M with random bits, a fresh pad per recipient
Padding M with non-random (fixed, recipient-dependent) bits still allows a generalized Håstad attack
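The e = 3 broadcast attack carried out end to end, as an added example that is not part of the original slides. The three toy moduli are assembled from fixed primes that are 2 mod 3 (so e = 3 is a valid exponent for each), and the plaintext is a constructed 4-byte string; both are assumptions of the demo:

```python
# Added example (not from the original slides): Hastad's broadcast attack
# for e = 3 with three recipients.  Toy moduli built from real primes that
# are 2 mod 3; their differing sizes do not matter, only that M < every N_i.

E = 3
MODULI = [
    1000000007 * 998244353,
    4294967291 * 4294967279,
    999983 * 104729,
]
MESSAGE = int.from_bytes(b"RSA!", "big")     # constructed plaintext, below every N_i


def crt(residues, moduli):
    """Combine x = r_i (mod n_i) for pairwise coprime n_i; returns (x, prod n_i)."""
    prod = 1
    for n in moduli:
        prod *= n
    total = 0
    for r, n in zip(residues, moduli):
        m = prod // n
        total += r * m * pow(m, -1, n)
    return total % prod, prod


def icbrt(x):
    """Exact integer cube root of x, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:                            # smallest mid with mid^3 >= x
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def broadcast(m, moduli):
    """What Bob does: encrypt the same unpadded m to every recipient."""
    return [pow(m, E, n) for n in moduli]


def hastad_attack(ciphertexts, moduli):
    """Recover m from e = 3 ciphertexts of one m under three coprime moduli.

    CRT gives m^3 mod N1*N2*N3, and because m < min(N_i) the integer m^3 is
    smaller than that product, so the residue IS m^3 and a cube root finishes.
    """
    c, _ = crt(ciphertexts, moduli)
    return icbrt(c)
```

If Bob had padded each copy with different random bits, the three residues would no longer be the cube of a single integer and `icbrt` would return `None`; that is the defense stated above.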
Related Message Attack
Bob sends Alice related messages using the same modulus; (N, e) is Alice's public key
M_1, M_2 ∈ Z_N^*
M_1 = f(M_2) mod N, where f is a publicly known polynomial mod N, e.g. f(x) = ax + b mod N with b ≠ 0
Given (N, e, C_1, C_2, f), attacker can recover M_1, M_2 in time quadratic in log N (for e = 3)
Related Message Attack
Works by computing the GCD of two polynomials over Z_N:
g_1(x) = f(x)^e - C_1
g_2(x) = x^e - C_2
Both have M_2 as a root, so their GCD is (almost always) the linear polynomial x - M_2
For large e, computing the GCD of degree-e polynomials is too expensive
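The Franklin-Reiter related-message attack for e = 3 and f(x) = x + 1 (a message re-sent with its counter incremented), as an added example that is not part of the original slides. The polynomial arithmetic over Z_N is written out rather than taken from a library; the toy primes and the sample messages are assumptions of the demo:

```python
# Added example (not from the original slides): the Franklin-Reiter related-
# message attack for e = 3 and f(x) = a*x + b.  Polynomials over Z_N are
# coefficient lists, lowest degree first.  Toy primes assumed.

P, Q = 1000000007, 998244353
N = P * Q
E = 3


def _trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p


def poly_mul(a, b, n):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % n
    return _trim(out)


def poly_rem(a, b, n):
    """Remainder of a mod b over Z_n; b's leading coefficient must be a unit."""
    a = _trim(a[:])
    inv = pow(b[-1], -1, n)          # a ValueError here means gcd(b[-1], n) already factors n
    while len(a) >= len(b):
        coef = a[-1] * inv % n
        shift = len(a) - len(b)
        for i, y in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * y) % n
        _trim(a)
    return a


def poly_gcd(a, b, n):
    """Monic gcd over Z_n by Euclid's algorithm (works while every leading coefficient is a unit)."""
    a, b = _trim(a[:]), _trim(b[:])
    while b:
        a, b = b, poly_rem(a, b, n)
    inv = pow(a[-1], -1, n)
    return [c * inv % n for c in a]


def poly_pow(p, k, n):
    out = [1]
    for _ in range(k):
        out = poly_mul(out, p, n)
    return out


def related_message_attack(n, e, c1, c2, a, b):
    """Recover (m1, m2) from c1 = m1^e, c2 = m2^e and m1 = a*m2 + b (mod n)."""
    g1 = poly_pow([b, a], e, n)                   # (a x + b)^e
    g1[0] = (g1[0] - c1) % n                      #   ... - c1
    g2 = [(-c2) % n] + [0] * (e - 1) + [1]        # x^e - c2
    g = poly_gcd(g1, g2, n)                       # both vanish at x = m2
    if len(g) != 2:
        return None                               # gcd not linear: attack fails for these inputs
    m2 = (-g[0]) % n                              # g = x - m2
    return (a * m2 + b) % n, m2
```

The cost is dominated by `poly_gcd` on degree-e polynomials, which is why the attack is only practical for small e; for e = 65537 the same code would be hopeless.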
Short Pad Attack
Exploit naïve random paddings of M: add random bits to one end of M
Requires two ciphertexts corresponding to the same message padded with two different (short) random pads
Short Pad Attack
|N| = n, m = floor(n/e^2): relationship between pad length and key length
|M| = n - m
M_1 = 2^m M + r_1
M_2 = 2^m M + r_2
0 ≤ r_1, r_2 < 2^m
Given (N, e, C_1, C_2), M can be efficiently recovered (Coppersmith: first find r_2 - r_1, then apply the related message attack)
Partial Key Exposure Attack
If a portion of d is exposed, can all of d be recovered? Yes, if e is small
For e < sqrt(N), the ceil(n/4) least significant bits of d suffice to reconstruct all of d (Boneh, Durfee and Frankel, using Coppersmith's method)
Implementation Attacks
Attack the implementation of RSA, not the underlying mathematical structure
Timing
Random Faults
PKCS 1
Timing Attack
Smartcard attack (Kocher)
Based on timing the efficient modular exponentiation algorithm (square-and-multiply): the multiply step is performed only when the current bit of d is 1, so the running time depends on the bits of d, and they can be recovered one at a time
Similar attack based on monitoring power consumption (power analysis)
Timing Attack: Defense
Add delay (make every exponentiation take the same time)
Use blinding on the input: decrypt (r^e C)^d and divide by r. Adds randomness to the ciphertext, so there's less correlation between the input and the timing an attacker can tie to key bits
Approach due to Rivest
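Why square-and-multiply leaks d, shown with an operation trace standing in for the timing or power measurement, as an added example that is not part of the original slides. The trace model (the attacker sees the per-bit sequence of squarings and multiplications, which power analysis observes directly and Kocher's timing attack recovers statistically) and the toy modulus are assumptions of the demo; the ladder at the end performs the same operations for every bit:

```python
# Added example (not from the original slides): a naive square-and-multiply
# leaks the exponent through its operation sequence; a Montgomery ladder does
# one square and one multiply per bit regardless of the bit.  Toy modulus.

N = 1000000007 * 998244353


def leaky_modexp(base, exp, n, trace):
    """Left-to-right square-and-multiply; records 'S'/'M' in trace as it goes."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % n
        trace.append("S")
        if bit == "1":                  # the multiply happens only for 1 bits
            result = result * base % n
            trace.append("M")
    return result


def recover_exponent_from_trace(trace):
    """Attacker's view: each 'S' starts a new bit; an 'M' right after it means the bit is 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        elif bits:
            bits[-1] = "1"
        else:
            return None                 # not a square-and-multiply trace
    return int("".join(bits), 2)


def ladder_modexp(base, exp, n, trace):
    """Montgomery ladder: invariant r1 == r0 * base; same ops for a 0 and a 1 bit."""
    r0, r1 = 1, base % n
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % n
            r0 = r0 * r0 % n
        else:
            r0 = r0 * r1 % n
            r1 = r1 * r1 % n
        trace.append("M")
        trace.append("S")
    return r0
```

Blinding, as described above, removes the attacker's ability to correlate timing with a chosen input; the ladder removes the per-bit difference itself, and real implementations also need constant-time multiplication underneath, which this example does not attempt.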
Random Faults
Many RSA implementations use the Chinese Remainder Theorem to speed up computation of M^d mod N
Let a = d mod (p - 1), b = d mod (q - 1)
C_a = M^a mod p
C_b = M^b mod q
C = T_1 C_a + T_2 C_b mod N (T_1, T_2 are fixed CRT coefficients)
Faster since the exponentiations are done with half-size numbers
Random Faults
Suppose a computer glitch causes an incorrect bit: either C_a or C_b will be incorrect (say C_b)
The attacker can detect the incorrect result C': C'^e = M mod p but C'^e ≠ M mod q
Then gcd(C'^e - M, N) = p: exposes a factor of N, but requires knowledge of M
Random Faults: Defense
Requires the attacker to know exactly what was signed, so M must not be randomly padded: add random bits
Check the result (verify C^e mod N = M) before sending. You're doing this anyway, right?
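The fault attack on CRT-based signing and the check-before-sending defense, as an added example that is not part of the original slides. The glitch is simulated by flipping one bit of the mod-q half of the computation, and the toy primes are assumptions of the demo:

```python
# Added example (not from the original slides): the Boneh-DeMillo-Lipton
# fault attack on CRT-based RSA signing, and the "verify before release"
# defense.  Toy primes assumed; the fault is a simulated one-bit flip in the
# mod-q half.

from math import gcd

P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Fixed CRT recombination coefficients: T1 is 1 mod p and 0 mod q, T2 the reverse.
T1 = Q * pow(Q, -1, P)
T2 = P * pow(P, -1, Q)


def sign_crt(m, fault=False):
    """S = m^d mod N via two half-size exponentiations (the CRT form on the slide)."""
    c_p = pow(m, D % (P - 1), P)
    c_q = pow(m, D % (Q - 1), Q)
    if fault:
        c_q ^= 1                        # simulated glitch: one wrong bit in the q half
    return (T1 * c_p + T2 * c_q) % N


def sign_crt_checked(m, fault=False):
    """Defense: re-verify with the public key and refuse to release a wrong result."""
    s = sign_crt(m, fault)
    return s if pow(s, E, N) == m % N else None


def bellcore_attack(m, faulty_sig):
    """Given the signed value and one faulty signature, recover a factor of N.

    The faulty S' is still correct mod p, so S'^e == m (mod p) but S'^e != m
    (mod q); gcd(S'^e - m, N) is therefore exactly p.
    """
    f = gcd(pow(faulty_sig, E, N) - m, N)
    return f if 1 < f < N else None
```

One faulty signature on a known message is enough; the attacker never needs a correct signature on the same message. Random padding defeats the attack because `m` in `bellcore_attack` must be the exact value that was exponentiated, and the verification step in `sign_crt_checked` stops the faulty value from ever leaving the device.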
PKCS 1 Attack
Possible in an older version of the standard (PKCS #1 v1.5; Bleichenbacher, 1998)
Implementations will raise an error if the decrypted block C^d mod N does not start with the 16 bits 0x0002
That error is an oracle which reveals whether the most significant 16 bits of C^d mod N equal 0x0002; with about a million adaptively chosen ciphertexts the attacker can decrypt an arbitrary C
The same oracle has reappeared in later implementations, so the padding check must not leak through errors or timing
Conclusion
RSA function susceptible to mathematical trickery, but the exploits are not practical against a correct implementation and are easy to defend against; they should not occur in a carefully built system
Requires correct and secure implementation: randomized padding, constant-time exponentiation, and checking results before release
No known dangerous attacks against properly implemented RSA