Title: RSA/Rabin encryption is deterministic

1. RSA/Rabin encryption is deterministic

We can check whether M is the message of C by testing $C = M^e \bmod n$.

Attack example: $C = (\mathrm{PIN})^e \bmod n$, where PIN is a 4-digit number. We can find M by a brute force attack within several tens of seconds.

=> We need a semantically secure cryptosystem!

Semantically secure: For two messages $M_0, M_1$ and $C = M_b^2 \bmod n$, attackers cannot guess whether C is the encryption of $M_b$ ($b \in \{0, 1\}$).

An easy way is to pad M with a random integer R, like $M \| R$, but there is no security proof!
2. Chosen Ciphertext Attack (CCA)

Decryption oracle (holds d): input a ciphertext C, output information based on C and d.

- An attack example
- (0) We assume the decryption oracle computes $A^d \bmod n$ for a request A.
- (1) The attacker computes $A = R^e C \bmod n$ for a random R in $\mathbb{Z}_n$, and sends A to the decryption oracle.
- (2) The decryption oracle computes $B = A^d \bmod n$ and sends B back to the attacker.
- (3) The attacker computes $B/R = M \bmod n$ and gets the message M.

There are several models which are secure against the chosen ciphertext attack.
3. Side Channel Attacks

Algorithm: Binary exponentiation
Input: a in G, exponent $d = (d_0, d_1, \ldots, d_{l-1})$ ($d_{l-1}$ is the most significant bit)
Output: $c = a^d$ in G
1. $c \leftarrow a$
2. For $i = l-2$ down to 0:
3.   $c \leftarrow c^2$
4.   If $d_i = 1$ then $c \leftarrow c \cdot a$
5. Return c

The time or the power needed to execute $c^2$ and $c \cdot a$ are different (side channel information).

Algorithm: Coron's exponentiation
Input: a in G, exponent $d = (d_0, d_1, \ldots, d_{l-1})$
Output: $c = a^d$ in G
1. $c_0 \leftarrow 1$
2. For $i = l-1$ down to 0:
3.   $c_0 \leftarrow c_0^2$
4.   $c_1 \leftarrow c_0 \cdot a$
5.   $c_0 \leftarrow c_{d_i}$
6. Return $c_0$
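The two algorithms above, instrumented to count squarings and multiplications, as an added example that is not part of the slides. The group G is taken to be $\mathbb{Z}_n^*$ (an assumption for the demo); the operation counts stand in for the timing or power trace a side channel would reveal.

```python
# Added example (not from the slides): binary exponentiation vs. Coron's
# square-and-multiply-always, instrumented to count group operations.
# Assumption: G = Z_n^*, so a "multiplication" is x*y mod n.

def binary_exp(a, d, n):
    """Slide algorithm: c <- a; for i = l-2 .. 0: c <- c^2; if d_i = 1: c <- c*a.
    Returns (a^d mod n, number of squarings, number of multiplications)."""
    assert d >= 1, "the slide algorithm assumes the top bit d_{l-1} = 1"
    bits = bin(d)[2:]            # d_{l-1} ... d_0, most significant bit first
    c, sq, mul = a % n, 0, 0     # step 1: c <- a (consumes the top bit)
    for bit in bits[1:]:         # step 2: i = l-2 down to 0
        c = c * c % n; sq += 1   # step 3: c <- c^2 (always)
        if bit == "1":           # step 4: c <- c*a only when d_i = 1
            c = c * a % n; mul += 1
    return c, sq, mul            # mul == (Hamming weight of d) - 1: leaks d

def coron_exp(a, d, n):
    """Coron's square-and-multiply-always: the multiplication happens every
    round and d_i only selects which register is kept."""
    assert d >= 1
    bits = bin(d)[2:]
    c = [1, 0]                   # step 1: c_0 <- 1 (c_1 is a scratch register)
    sq = mul = 0
    for bit in bits:             # step 2: i = l-1 down to 0
        c[0] = c[0] * c[0] % n; sq += 1    # step 3: c_0 <- c_0^2
        c[1] = c[0] * a % n;   mul += 1    # step 4: c_1 <- c_0*a (always)
        c[0] = c[int(bit)]                 # step 5: c_0 <- c_{d_i}
    return c[0], sq, mul         # sq == mul == bit length of d, independent of the bits

def trace_leak(a, exponents, n):
    """For each exponent compare the (squarings, multiplications) trace of both
    algorithms; returns {d: (binary_trace, coron_trace)}."""
    out = {}
    for d in exponents:
        rb, sb, mb = binary_exp(a, d, n)
        rc, sc, mc = coron_exp(a, d, n)
        assert rb == rc == pow(a, d, n)   # both are correct exponentiations
        out[d] = ((sb, mb), (sc, mc))
    return out

if __name__ == "__main__":
    # Constructed sample: three 4-bit exponents with different Hamming weights.
    # Binary exponentiation gives three different traces; Coron's gives one.
    for d, (binary, coron) in trace_leak(3, [8, 13, 15], 101).items():
        print(f"d={d:>2} ({d:04b}): binary (sq,mul)={binary}  coron (sq,mul)={coron}")
```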
4. Differential Fault Attack (DFA)

An attacker obtains a decryption which is computed in a wrong way.

$M = C^d \bmod n$ is computed with the CRT as follows:
$d_p = d \bmod (p-1)$, $M_p = C^{d_p} \bmod p$
$d_q = d \bmod (q-1)$, $M_q = C^{d_q} \bmod q$
$v = (M_q - M_p)\, p^{-1} \bmod q$
$M = M_p + p v \bmod n$.

In RSA using the CRT, if an attacker can break the computation of v (so that a wrong value $v'$ is used and a faulty $M'$ is output), then he/she can factor n by computing $\gcd(M' - M_p, n) = p$.
5. Klima-Rosa attack against PGP

PGP does not encrypt the key file which includes n.

Decryption oracle (holds d, n): input an integer X, output $X^d \bmod n$.

An attacker can change the public key n to $n'$. The attacker can then obtain $X^d \bmod n'$ for the changed $n'$. He/she can recover d by the Silver-Pohlig-Hellman algorithm.
6. A small example

(1) An attacker changes n to $n' = 65537$ ($= 2^{16} + 1$); $n'$ is a prime integer and the order of $\mathbb{F}_{n'}^*$ is $2^{16}$.
(2) The attacker knows X and $X^d \bmod n'$: $X = 55555$, $Y = X^d \bmod n' = 18793$ (X is a generator of $\mathbb{F}_{n'}^*$).
(3) The attacker finds $d_0, d_1, \ldots, d_{15}$ for $d = d_0 2^0 + d_1 2^1 + \cdots + d_{15} 2^{15}$.
(3.0) To find $d_0$: $(n'-1)/2 = 2^{15}$, $Y^{2^{15}} = X^{d 2^{15}} = X^{d_0 2^{15}} = -1$ => $d_0 = 1$.
(3.1) To find $d_1$: $Y \leftarrow Y X^{-d_0 2^0}$, $Y^{2^{14}} = X^{d_1 2^{15}} = 1$ => $d_1 = 0$.
...
(3.15) To find $d_{15}$: $Y \leftarrow Y X^{-d_{14} 2^{14}}$, $Y^2 = X^{d_{15} 2^{15}} = 1$ => $d_{15} = 0$.
(4) The attacker recovers $d = 1 \cdot 2^0 + 0 \cdot 2^1 + \cdots + 0 \cdot 2^{15} = 12345$.
7. Bleichenbacher's CCA

Decryption oracle (holds d): input any integer C mod n, output whether $C^d$ is in PKCS format or not.

PKCS format for a message m (most significant byte first, least significant byte last):
00 | 02 | random padding (at least 8 bytes) | 00 | message m

Theorem (Bleichenbacher): Let n be a 1024-bit RSA modulus. For a given C, the value $C^d \bmod n$ can be computed by about $2^{20}$ accesses to the decryption oracle, where d is the secret key.
8. SSL Version 3.0

Client -> Server: <Client.hello> Random, Ciphersuites
Server -> Client: <Server.hello> Random, Ciphersuites, PK, Cert
Client: choose PreMaster Secret (PMS)
Client -> Server: <Client Key Exchange> {PMS}_PK
Server: decrypt {PMS}_PK; error alert if padding is incorrect
Client: compute master secret (MS)
Client -> Server: <Client.finished> hash(MS, ...)
Server: compute MS, verify hash(MS, ...)
Server -> Client: <Server.finished>

(This slide is quoted from the presentation file of Bleichenbacher)
9. Details of Bleichenbacher's attack

Algorithm CCA-PKCS (Bleichenbacher)
Input: c, n, e
Output: $c^d \bmod n$
1. Find $s_0$ s.t. $c s_0^e \in \mathrm{PKCS}$; $c \leftarrow c s_0^e$
2. Find $s_1 > n/(3B)$ s.t. $c s_1^e \in \mathrm{PKCS}$
3. Generate $M_1 = \bigcup_{r=0,1,\ldots,s_1} [(2B+nr)/s_1,\ (3B-1+nr)/s_1]$
4. Find the smallest $s_2 > s_1$ s.t. $c s_2^e \in \mathrm{PKCS}$
5. Generate $M_2 = \bigcup_{r=0,1,\ldots,s_2} [(2B+nr)/s_2,\ (3B-1+nr)/s_2]$
6. Let $M_3 = [a, b] = M_1 \cap M_2$ (only one interval)
7. $i \leftarrow 2$
8. Repeat
9.   $i \leftarrow i+1$
10.  Find $r_i, s_i$ s.t. $r_i \ge 2(b s_{i-1} - B)/n$, $(2B + n r_i)/b \le s_i < (3B-1+n r_i)/a$, $c s_i^e \in \mathrm{PKCS}$
11.  Let $M_{i+1} = M_i \cap [(2B+nr)/s_i,\ (3B-1+nr)/s_i]$ for $(a s_i - 3B + 1)/n \le r \le (b s_i - 2B)/n$
12. Until $a = b$
13. Return $a s_0^{-1} \bmod n$

Let $2^{8(k-1)} < n < 2^{8k}$ and $B = 2^{8(k-2)}$.
$\Pr_{M \in \mathbb{Z}_n}[M \in \mathrm{PKCS}] > 1/2^{19}$.
$M \in \mathrm{PKCS} \iff 2B \le M \bmod n \le 3B-1$.
$c s^e \bmod n \in \mathrm{PKCS}$ for s => $M \in \bigcup_{r=0,1,\ldots,s-1} [(2B+nr)/s,\ (3B-1+nr)/s]$.

Heuristic (Bleichenbacher): $M_1 \cap M_2$ is only one interval with high probability.
$r_i > 2 r_{i-1}$ and $|M_{i+1}| < |M_i|/2$ hold for $i > 2$.
10. References of Chapter 1

[Bon98] D. Boneh, Survey of RSA attacks.
[Buc00] J. Buchmann, Einführung in die Kryptographie, Springer, 2000.
[Ble98] D. Bleichenbacher, Chosen-ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, Crypto'98, 1998.
[JQT01] M. Joye, J.-J. Quisquater, and T. Takagi, How to choose secret parameters for RSA and its extension to elliptic curves, DCC, 2001.
[KJJ99] P. Kocher, J. Jaffe, and B. Jun, Differential power analysis, Crypto'99, 1999.