how to fake an rsa signature by encoding modular root finding as a sat problem by claudia fiorini,...
TRANSCRIPT
How to fake an RSA signature by encoding modular root finding as a SAT problem
By Claudia Fiorini, Enrico Martinelli, Fabio Massacci
Discrete Applied Mathematics 130 (2003) 101-127
Presented by Yunho KimProvable Software Lab, KAIST
Contents
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 2/27
• Introduction
• Logical cryptanalysis of RSA
• Encoding modular exponentiation into SAT
• Experimental analysis
• Cryptography is the practice and study of hid-ing information
• Cryptography consists of two parts encryption and decryption– Encryption is the process of plaintext into unintelligible
text and decryption is the reverse.– The detailed operations of a cipher is controlled both by
the algorithm and, in each instance, by a key
• There are two types of cryptography– Symmetric-key cryptography– Asymmetric-key cryptography
IntroductionCryptography
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 3/27
From Wikipedia http://en.wikipedia.org/wiki/Cryptog-raphy
• Symmetric-key cryptography uses identical cryp-tographic keys for both decryption and encryption
IntroductionSymmetric-key
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 4/27
Encryptionalgorithm
Plaintext
Cipher-text
Secret key
Decryptionalgorithm
Ciphertext
Plaintext
Secret keyIdenti-
calkeys
• Asymmetric-key cryptography uses different cryptographic keys for decryption and encryption
IntroductionAsymmetric-key
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 5/27
Encryptionalgorithm
Plaintext
Cipher-text
Encryption key differ-
entkeys
Decryptionalgorithm
Ciphertext
Plaintext
Decryption key
• RSA is an algorithm for asymmetric cryptog-raphy developed by Ron Rivest, Adi Shamir and Leonard Adleman in 1977.
• RSA consists of a cipher algorithm for encryp-tion and decryption and a key generation algo-rithm
• The key generation algorithm generates public-key and private-key – The public-key should be distributed to others but the
private-key must be kept in secret
IntroductionRSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 6/27
• RSA key generation algorithm
The totient Á(n) of a positive integer n is defined to be the num-ber of positive integers less than or equal to n that are co-prime to n
• RSA cipher algorithms– Let m < n be a original message
IntroductionRSA key generation
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 7/27
1. Choose two distinct large random prime numbers p and q2. Compute n = pq3. Compute the totient: Á(n) = (p – 1)(q – 1) where n is a multiplica-
tion of two primes p and q4. Choose an integer e such that 1 < e < Á(n), and e and Á(n) are co-
prime5. Compute d to satisfy the congruence relation de ≡ 1 (mod Á(n));
i.e. de = 1 + k Á(n) for some integer k.6. <n, e> is the public key and <n, d> is the private key
Encryption
c = md mod nDecryption
m = ce mod n
• RSA example
c = 1232753 mod 3233 = 2746 m = 274617 mod 3233 = 123
IntroductionRSA example
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 8/27
1. Choose two distinct large random prime numbers p and qp = 61 and q = 53
2. Compute n = pq n = 61 * 53 = 32333. Compute the totient: Á(n) = (p – 1)(q – 1) Á(n) = (61 – 1)(53 - 1) = 31204. Choose an integer e such that 1 < e < Á(n), and e and Á(n) are co-
prime e = 175. Compute d to satisfy the congruence relation de ≡ 1 (mod Á(n)); i.e. de = 1 + k Á(n) for some integer k. d = 2753, 17 * 2753 = 46801 = 1 + 15 * 31206. <3233, 17> is the public key and <3233, 2753> is the private key
Contents
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 9/27
• Introduction
• Logical cryptanalysis of RSA
• Encoding modular exponentiation into SAT
• Experimental analysis
Logical cryptanalysisoverview
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 10/27
Constraints
Known plaintext +
Known ciphertext +
Exposed variables
Logical analysis/Implication en-
gine
Theorem prover,Satisfiability
solver, ….
Plaintext P
Ciphertext C
Circuit de-scription
Secret key K
Secret Key
From slides of Nachiketh Potlapallyhttp://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18
Logical cryptanalysisSAT-based analysis
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 11/27
Constraints
Ψ(P, C, K
)
Set plaintext and ciphertext
values inΨ(P, C, K)
SATsolver
Time-out
Set val-ues
of ex-posed
variables in
Ψ (P, C, K)
(z+x+y) (z+x+y) (z+x+y) (z+x+y)(z+x) (z+y) (z+x+y)…
.(z+x) (z+y) (z+x+y)
Ψ (P, C, K)
CNF formula ofcryptographic
algorithm,
Plaintext P Secret key K
Ciphertext C
CNF conversion
Constraints
From slides of Nachiketh Potlapallyhttp://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18 K =
110..1(consistent with the values set)
Logical cryptanalysislogical analysis of RSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 12/27
• For a symmetric cipher, the choice of the crypto-graphic transformation is almost obvious– It uses deterministic algorithms for encryption and de-
cryption– The unknown variable is only the key
• For RSA, we have three known values e, n and m and a number of equations to choose from – n = pq– c = md mod n– m = ce mod n
• What is a suitable equation for SAT-based analy-sis?
Logical cryptanalysislogical analysis of RSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 13/27
• The first possible choice n = pq– If we can factorize n into two primes, we can generate a
private key from p and q– However, the algorithm for integer factorization has sub-
exponential time and space complexity O(2(log N)1/3)– Also, factoring represented as a SAT problem is hard to
solve
• The second possible choice c = md mod n– Since we know only m, n, it has two unknown variables c
and d– For example, if we set <55, 3> as the public key and 9 as
message16 = 94 mod 55 but 9 163 mod 55 = 26
Logical cryptanalysislogical analysis of RSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 14/27
• The last possible choice m = ce mod n– For given e, n, m, we can find the ciphertext c encrypted
with some private key <n, d>without knowing it– We cannot decrypt the ciphertext encrypted with d but
we can generate the ciphertext encrypted with d
• Modular exponentiation is reduced to a sequence of modular multiplications
m0 = 1,mi+1 = (mi
2 + ei∙c ) mod nThe desired value m is obtained at mb log e c + 1
Logical cryptanalysislogical analysis of RSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 15/27
• Example of a sequence of modular multiplications
Let e = 3 = 11(2), c = 4, n = 35 = 5 * 7m = ce mod n = 43 mod 35 = 64 mod 35 = 29m0 = 1
m1 = (1 + 1∙4) mod 35 = 5
m2 = (25 + 1∙4) mod 35 = 29
m0 = 1,mi+1 = (mi
2 + ei∙c ) mod nThe desired value m is obtained at mb log e c + 1
Logical cryptanalysisEncoding problem
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 16/27
• The last choice m = ce mod n– For given e, n, m, we can find the ciphertext c encrypted
with some private key <n, d>without knowing it– We cannot decrypt the ciphertext encrypted with d but
we can generate the ciphertext encrypted with d
• Modular exponentiation is reduced to a sequence of modular multiplications
Contents
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 17/27
• Introduction
• Logical cryptanalysis of RSA
• Encoding modular exponentiation into SAT
• Experimental analysis
Encoding
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 18/27
• The size of the problem would become huge even for small bits– If we use the best possible multipliers whose gate com-
plexity is O((log2 n)(log2 (log2 n))), the encoding of the RSA of 100bits would require over 100,000 formulae.
• For the simplicity, we choose the value e = 3– m = (((c∙c) mod n)∙c)mod n
• We need more efficient encoding of modular mul-tiplications
Encoding
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 19/27
• The basic intuition – Let x, y be two 2b bits integers
¼ = (x∙y) mod n = x∙y – k∙n where k = b (x∙y) /n c
• Division is a complex operation and it is simpler to compute an approximate value of k and then sub-tract the error.
Encoding
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 20/27
• The basic intuition – Let x, y be two 2b bits integers
¼ = (x∙y) mod n = x∙y – k∙n where k = b (x∙y) /n c
• Division is a complex operation and it is simpler to compute an approximate value of k and then sub-tract the error.
Contents
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 21/27
• Introduction
• Logical cryptanalysis of RSA
• Encoding modular exponentiation into SAT
• Experimental analysis
Experiments
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 22/27
• Generating satisfiable instances1. Randomly generate a public key <n,e> and signature c2. Compute m = ce mod n3. Transform m, n, e into the corresponding boolean values4. Find a model for c using SAT solver
• Generating unsatisfiable instances1. Randomly generate a public key <n,e> and signature c where e vio-
lates RSA definitione divides either p - 1 or q - 1 if n = pq
2. Compute m = ce mod n3. Transform m, e, n into the corresponding boolean values4. Find a model for c using SAT solver
Experiments
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 23/27
• Three SAT-solver are used– HeerHugo is a stalmark algorithm based SAT solver– eqsatz is a variant of DPLL which includes equational
reasoning for XOR– smodels is an efficient DPLL implementation with stable
model semantics of logic programs
• Three machines are used– Alpha with 256MB memory– PII with 64MB memory– PIII with 512 memory– All machines run Linux
Experiments
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 24/27
Experiments
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 25/27
Conclusion
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 26/27
• The authors show how to encode the problem of finding an RSA signature for a given message without factoring
• The experiments on SAT solvers show that SAT solvers are well behind number theoretic algo-rithms
Reference
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 27/27
• How to fake an RSA signature by encoding modular root find-ing as a SAT problemBy Claudia Fiorini, Enrico Martinelli, Fabio MassacciIn Discrete Applied Mathematics 130 (2003) 101-127