A Survey of the Security of RSA Cryptosystem

Slides: 28
Provided by: RUE82
1
A Survey of the Security of RSA Cryptosystem
OUTLINE
1. Introduction: $C = M^e \bmod N$
2. Attack N
3. Attack C
4. Attack e
5. Attack Protocol
6. RSA????
7. Conclusions
2
1. Introduction
It is conjectured that the security of RSA depends on the problem of factoring large numbers. [Schneier 96]
$C = M^e \bmod N$
????
(1) get M (2) get secret key p, q or d
3
1. Introduction (cont.)
2. Attack N
   (1) general factoring methods
   (2) condition [Rivest, Shamir 85], [Coppersmith 96]
3. Attack C
   cycling attack [Simmons, Norris 77]
4. Attack e
   (1) e/N [Wiener 90], [Chen et al. 96]
   (2) e, Ci: Hastad attack (in network) [Hastad 88]
   (3) e, Ci: random padding [Coppersmith 96]
   (4) e, Ci: related message [Coppersmith 96]
5. Attack protocol
   (1) timing attack [Kocher 96]
   (2) fault-based attack [Boneh 97]
6. RSA????
7. conclusions
4
2. Attack N (cont.)
[Figure: timeline of integer factoring, old methods to modern implementations, plotted by year (1931 to 2003) against the size in digits (100 to 160) of the numbers factored. Methods labelled: P-1, Monte Carlo, 63-bit subexponential, QS, MPQS, NFS, GNFS. Names labelled: Lehmer, Lehmann, Pollard, Morrison, Dixon, Pomerance, Silverman, Lenstra, Denny, Buhler, Atkins, Chen, Cowie, Franke.]
7
Factorization (cont.)
Fastest factoring method: Number Field Sieve
Each bit operation was estimated as $10^{-9}$ seconds.
8
Factorization (cont.)
Fermat factorization
If $N = ab$ then $N = x^2 - y^2$, where $x = (a+b)/2$ and $y = (a-b)/2$.
Therefore, $x^2 - N$ will be a square.
To factor N, we search for a square among the sequence of integers
$t^2 - N,\ (t+1)^2 - N,\ (t+2)^2 - N,\ \ldots,\ ((N+1)/2)^2 - N$
where t is the smallest integer greater than $N^{1/2}$.
9
Factorization (cont.)
Fermat factorization
EX: Let $N = 6077$. Then $t = \lceil 6077^{1/2} \rceil = 78$.
$78^2 - 6077 = 7$, $79^2 - 6077 = 164$, $80^2 - 6077 = 323$, $81^2 - 6077 = 484 = 22^2$
Since $6077 = 81^2 - 22^2$, we see that $6077 = (81-22)(81+22) = 59 \cdot 103$.
Worst case: need to check $(N+1)/2 - N^{1/2}$ integers
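An added example (not part of the original slides): the Fermat search from the two slides above in Python, returning the factors together with the number of candidates t tested, so the cost for close factors can be compared with the cost for distant ones. The function name and the inputs other than 6077 are constructed for illustration.

```python
from math import isqrt

def fermat_factor(n):
    """Return (a, b, steps) with a * b == n, found by testing t^2 - n for squareness.

    steps counts the values of t examined, starting at the smallest t with t^2 >= n.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("Fermat's method expects an odd n >= 3")
    t = isqrt(n)
    if t * t < n:
        t += 1
    steps = 0
    while True:                      # terminates at t = (n + 1) / 2 at the latest
        steps += 1
        y2 = t * t - n
        y = isqrt(y2)
        if y * y == y2:              # t^2 - n is a perfect square: n = (t - y)(t + y)
            return t - y, t + y, steps
        t += 1

if __name__ == "__main__":
    print(fermat_factor(6077))                 # the slide's example
    print(fermat_factor(1000003 * 1000033))    # close factors: found immediately
    print(fermat_factor(3 * 101))              # distant factors: near the worst case
```

The step count grows with the gap between the two factors, which is why key generation should not pick p and q close together.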
10
3. Attack C
Cycling attack [Simmons, Norris 77]
$C_0 = M^e \bmod N$, $C_k = C_{k-1}^e \bmod N$
If $C_k = C_0$, then $M = C_{k-1}$.
$C_{k-1} = M^{e^k} \bmod N = M$ when $e^k \equiv 1 \bmod O(M)$, where $O(M)$ divides $\lambda(N) = \mathrm{l.c.m.}(p-1, q-1)$
k is small. Why?
(1) the order of e modulo $\lambda(N)$ is small
(2) the order $O(M)$ of the message is small
11
3. Attack C
RSA????????????????????(3, 55),
????????????????C = 23,????????
Ans: $M = 12$
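An added example (not part of the original slides): the cycling computation for the exercise above, with public key (3, 55) and C = 23, plus a helper that computes the multiplicative orders the previous slide gives as the reason k is small. Function names are constructed for illustration.

```python
from math import gcd

def cycling_attack(c, e, n, max_iter=10_000):
    """Re-encrypt c until the sequence returns to c.

    Returns (m, k): m is the value seen just before the cycle closed (C_{k-1}),
    k is the number of re-encryptions. Returns None if max_iter is reached.
    """
    prev = c
    for k in range(1, max_iter + 1):
        cur = pow(prev, e, n)        # C_k = C_{k-1}^e mod N
        if cur == c:                 # C_k == C_0, so C_{k-1} is the plaintext
            return prev, k
        prev = cur
    return None

def mult_order(a, m):
    """Smallest k >= 1 with a^k = 1 (mod m); a must be invertible modulo m."""
    if gcd(a, m) != 1:
        raise ValueError("a must be invertible modulo m")
    if m == 1:
        return 1
    k, x = 1, a % m
    while x != 1:
        x = x * a % m
        k += 1
    return k

if __name__ == "__main__":
    print(cycling_attack(23, 3, 55))   # plaintext and cycle length for the slide's exercise
    print(mult_order(3, 20))           # order of e modulo l.c.m.(4, 10) = 20
    print(mult_order(12, 55))          # order O(M) of the recovered message
```

For a well-chosen modulus both orders are astronomically large, so the loop hits its cap long before the cycle closes.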
12
4. Attack e
(1) e/N continued fraction method
  • Continued Fraction
[Figure: continued fraction expansions with partial quotients (2, 3, 2, 3) and the truncations (2, 3, 2), (2, 3), (2)]
13
4. Attack e
  • Continued Fraction
[Figure: continued fraction expansions with partial quotients (2, 3, 2, 3, ...) and (2, 3, 2, 2), with the truncations (2, 3, 2), (2, 3), (2)]
14
4. Attack e
(1) e/N continued fraction method
$ed \equiv 1 \bmod \mathrm{l.c.m.}(p-1, q-1)$
If $d < N^{1/4}$, then d can be discovered. [Wiener 90]
If $\lambda(N) - N^{1/4} < d < \lambda(N)$, where $\lambda(N) = \mathrm{l.c.m.}(p-1, q-1)$, then d can be discovered. [Chen et al. 96]
15
4. Attack e (cont.)
(2) Hastad attack [Hastad 88]
k = 3 and e = 3, public keys $(3, N_1)$, $(3, N_2)$, $(3, N_3)$
$C_1 = M^3 \bmod N_1$
$C_2 = M^3 \bmod N_2$
$C_3 = M^3 \bmod N_3$
CRT: $C \equiv C_1 \bmod N_1 \equiv C_2 \bmod N_2 \equiv C_3 \bmod N_3$, $C < N_1 N_2 N_3$
$M = C^{1/3}$
If $k > e(e-1)/2$ then M can be discovered. [Hastad 88]
If $k > e$ then M can be discovered. [Shimizu 96]
Ref. [Joye 97]
16
4. Attack e (cont.)
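(2) Hastad attack [Hastad 88]
Chinese Remainder Theorem
Define: let $n_1, n_2, \ldots, n_t$ be pairwise relatively prime positive integers and $N = n_1 n_2 \cdots n_t$. Then the system $x \equiv a_1 \bmod n_1$, $x \equiv a_2 \bmod n_2$, ..., $x \equiv a_t \bmod n_t$ has a unique solution in $[0, N-1]$.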
Proof??n1,n2,,nt?????????.?? i0,1,2,,t.
????yi,??(N/ni) yi1 mod ni. ??(N/ni) yi1 mod
nj,? j i, (N/ ni) ?nj???.

mod N
17
4. Attack e (cont.)
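(2) Hastad attack [Hastad 88]
Chinese Remainder Theorem
EX: To solve the system $x \equiv 1 \pmod 3$, $x \equiv 2 \pmod 5$, $x \equiv 3 \pmod 7$

Sol: $N = 3 \cdot 5 \cdot 7 = 105$, $N_1 = 105/3 = 35$, $N_2 = 105/5 = 21$, $N_3 = 105/7 = 15$.
$35 y_1 \equiv 1 \pmod 3 \Rightarrow y_1 \equiv 2 \pmod 3$
$21 y_2 \equiv 1 \pmod 5 \Rightarrow y_2 \equiv 1 \pmod 5$
$15 y_3 \equiv 1 \pmod 7 \Rightarrow y_3 \equiv 1 \pmod 7$

$x \equiv 1 \cdot 35 \cdot 2 + 2 \cdot 21 \cdot 1 + 3 \cdot 15 \cdot 1 \equiv 157 \equiv 52 \pmod{105}$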
18
4. Attack e (cont.)
(2) Hastad attack [Hastad 88]
RSA??????3 users????????$(e_1, N_1) = (3, 87)$, $(e_2, N_2) = (3, 115)$, $(e_3, N_3) = (3, 187)$,
??????????????users??????$C_1 = 82$, $C_2 = 113$, $C_3 = 156$,????????
Ans: $M = 7$
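An added example (not part of the original slides): the CRT construction from the slides above and its use on the three-user exercise, with an exact integer root so the result is checked rather than rounded. Function names are constructed for illustration.

```python
def crt(residues, moduli):
    """Solve x = a_i (mod n_i) for pairwise coprime n_i. Returns (x, N) with 0 <= x < N."""
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for a, n in zip(residues, moduli):
        Ni = N // n
        yi = pow(Ni, -1, n)          # (N/n_i) * y_i = 1 (mod n_i); ValueError if not coprime
        x += a * Ni * yi
    return x % N, N

def iroot(x, e):
    """Largest integer r with r**e <= x, by binary search on exact integers."""
    lo, hi = 0, 1
    while hi ** e <= x:
        hi *= 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid
    return lo

def hastad_broadcast(ciphertexts, moduli, e):
    """Return M if the CRT-combined value is an exact e-th power (M^e < product of moduli), else None."""
    c, _ = crt(ciphertexts, moduli)
    m = iroot(c, e)
    return m if m ** e == c else None

if __name__ == "__main__":
    print(crt([1, 2, 3], [3, 5, 7]))                             # the worked CRT example
    print(hastad_broadcast([82, 113, 156], [87, 115, 187], 3))   # the three-user exercise
```

With fewer ciphertexts than the attack needs, the combined value is only M^e reduced modulo the product, the root is not exact, and the function returns None.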
19
4. Attack e (cont.)
(3) e, Ci
??????? [Coppersmith 96]
?? $p(x) \equiv 0 \bmod N$, $\mathrm{degree}(p(x)) = k$. If there is a root $x_0 < N^{1/k}$, then $x_0$ can be discovered by the LLL algorithm from polynomials $q_{ij}(x) = x^i p(x)^j \bmod N^j$
?? RSA with random padding ??M???
$C_1 = (2^h M + t_1)^3 \bmod N = m^3 \bmod N$
$C_2 = (2^h M + t_2)^3 \bmod N = (m+t)^3 \bmod N$
??? $\mathrm{Resultant}_m(m^3 - C_1,\ (m+t)^3 - C_2) = t^9 + (3C_1 - 3C_2)t^6 + (3C_1^2 + 21C_1C_2 + 3C_2^2)t^3 + (C_1 - C_2)^3 \equiv 0 \bmod N$
If $t < N^{1/9}$, get t.
get M
20
4. Attack e (cont.)
(4) e, Ci
??????? [Coppersmith 96]
?? e, N, k ciphertexts and polynomial relationship among the messages
?? all messages
?? [Franklin, Reiter 95]
$k = 2$, $e = 3$, M1?M2??? $M_2 = A M_1 + B$
?? e, N, A, B, $C_1 = M_1^3 \bmod N$, $C_2 = M_2^3 \bmod N$
???
$\dfrac{B(C_2 + 2A^3 C_1 - B^3)}{A(C_2 - A^3 C_1 + 2B^3)} = \dfrac{3A^3 B M_1^3 + 3A^2 B^2 M_1^2 + 3A B^3 M_1}{3A^3 B M_1^2 + 3A^2 B^2 M_1 + 3A B^3} = M_1$
21
5. Attack Protocol
(1)???????
???RSA??N,???????(ei, di),??eidi 1 mod
?(N),???????????N????p?q?
????????????reblocking??? ??????
? ???????????????,??????????
??????M???????????U1?U2,?????????$C_1 = M^{e_1} \bmod N$?$C_2 = M^{e_2} \bmod N$???????????C1?C2??e1?e2,??e1?e2??,
????????????????x?y??$x e_1 + y e_2 = 1$,????????????,????? $C_1^x C_2^y = M^{x e_1 + y e_2} = M \bmod N$,
22
5. Attack Protocol
(1)???????
? ????????????,??????N
?????????????,????????N???????????
?????U1?????????(e1, d1),???e1d1 1
k?(N),??k?????????U1???????U2?????d2,?????g
gcd(e2, e1d1 - 1),????f (e1d1 -
1)/g,???(N)??(e1d1 - 1),??f??(N)???????????????d2?
e2?f??????
23
5. Attack Protocol
(2) Timing Attack [Kocher 96]
$M = C^d \bmod N$   /* k = the length of d */
????
S_0 = 1
for i = 0 to k-1 do begin
    if d_i = 1 then R_i = S_i * C mod N
    else R_i = S_i
    S_{i+1} = R_i^2 mod N
end
Note: If $d_i = 1$, needs more time. If $d_i = 0$, needs less time.
????C??????d?
24
5. Attack Protocol (cont.)
????
<1> all operations have same time
<2> error timing measurement: randomly add useless operations
<3> blinding
hard
randomness disappears for more Cs
find a pair (u, v) such that $v = (u^{-1})^e \bmod N$
Encryption: $C' = v M^e \bmod N$
Decryption: $M = u (C')^d \bmod N$
25
5. Attack Protocol (cont.)
(3) Fault-Based Attack [Boneh 97]
??random hardware faults?? ?CRT???RSA signature
$a \equiv 1 \bmod p$, $a \equiv 0 \bmod q$ and $b \equiv 0 \bmod p$, $b \equiv 1 \bmod q$, where $N = pq$
??
Compute $S = M^d \bmod N$
<1> $S_1 = M^d \bmod p$
<2> $S_2 = M^d \bmod q$
<3> $S = aS_1 + bS_2 \bmod N$
?????????$S = M^d \bmod N$?
26
5. Attack Protocol (cont.)
????
<1> signature ?? ????? $S_1$ or $S_2$ error, say $S_1'$
$S = aS_1 + bS_2 \bmod N$ ----- correct
$S' = aS_1' + bS_2 \bmod N$ ----- error
$S - S' = a(S_1 - S_1') \not\equiv 0 \bmod p$ (and $\equiv 0 \bmod q$, since $a \equiv 0 \bmod q$) implies g.c.d.$(S - S', N) = q$
<2> signature ??
because $S^e \bmod N = M$
g.c.d.$(M - (S')^e, N) = q$
???? ??signature ???????????
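An added example (not part of the original slides): a CRT signer with the slides' coefficients a and b, a modelled fault in S1, both g.c.d. relations above, and a signer that verifies S^e = M before releasing the signature. The toy key (p = 1009, q = 1013, e = 17), the message and the XOR fault model are constructed for illustration.

```python
from math import gcd

P, Q, E = 1009, 1013, 17                # constructed toy key, far too small for real use
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
A = Q * pow(Q, -1, P)                   # a = 1 mod p, a = 0 mod q
B = P * pow(P, -1, Q)                   # b = 0 mod p, b = 1 mod q

def sign_crt(m, fault=0):
    """S = a*S1 + b*S2 mod N; a non-zero `fault` is XORed into S1 to model a hardware glitch."""
    s1 = pow(m, D % (P - 1), P) ^ fault
    s2 = pow(m, D % (Q - 1), Q)
    return (A * s1 + B * s2) % N

def sign_crt_checked(m, fault=0):
    """Countermeasure: release the signature only if S^e = M mod N holds."""
    s = sign_crt(m, fault)
    if pow(s, E, N) != m % N:
        raise RuntimeError("signature failed verification; not released")
    return s

def factor_from_pair(s, s_bad):
    """Case <1>: correct and faulty signature of the same message are both known."""
    return gcd((s - s_bad) % N, N)

def factor_from_faulty(m, s_bad):
    """Case <2>: only the message and the faulty signature are known."""
    return gcd((m - pow(s_bad, E, N)) % N, N)

if __name__ == "__main__":
    m = 4242
    good, bad = sign_crt(m), sign_crt(m, fault=1)
    print(factor_from_pair(good, bad), factor_from_faulty(m, bad))   # both print q
    try:
        sign_crt_checked(m, fault=1)
    except RuntimeError as err:
        print("checked signer:", err)
```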
27
7. Conclusions
It is conjectured that the security of RSA depends on the problem of factoring large numbers. [Schneier 96]
Breaking RSA may not be equivalent to factoring. [Boneh, Venkatesan]