Crypto lecture PDF

Post on 17-Jul-2015



Cryptography and attacks

(or how to start WWIII with your home computer)

Ari Trachtenberg

[Figure: Alice writes to Bob while Marvin listens in. The letter reads: "Dear Bob, blah, blah, blah,... gushy romantic nonsense... serious demands... you look like Superman... Alice"]

• Number theoretic schemes:

• Caesar cipher (shift by 3):

  plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
  cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

• al-Kalka-shandi (1412): transposition, substitution

• German Enigma machine (WWII)

Substitution example: h => g, e => f, l => q, o => r, so hello -> gfqqr

“It is not possible to justify the life of any genuine professional mathematician on the ground of the 'utility' of his work.” -G.H. Hardy, A Mathematician’s Apology

• Rot-13: hello → uryyb

• Permutation: h => g, e => f, l => q, o => r, so hello → gfqqr

• Binary XOR (each letter encoded as a 5-bit number, a = 1 … z = 26):

  h     e     l     l     o
  01000 00101 01100 01100 01111
  10010 10111 00010 10101 00111  <= Random
  11010 10010 01110 11001 01000  <= Result
  z     r     n     y     h

•  shift cipher
•  substitution cipher
•  Vigenère cipher
•  DES
•  Triple DES
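The three toy ciphers on the slides above (shift/Rot-13, permutation, binary XOR with a random pad), as an added example that is not part of the lecture. The permutation table and the 5-bit pad are the slide's own values; everything else is assumed here so that the slide's results (uryyb, gfqqr, zrnyh) can be reproduced and the decryption direction checked.

```python
# Added example (not from the slides): the three toy ciphers above, written so
# the slide's own values (hello -> uryyb, hello -> gfqqr, hello XOR pad -> zrnyh)
# can be checked. The permutation table and the pad are the slide's values.
LETTERS = "abcdefghijklmnopqrstuvwxyz"

# the slide's permutation (letters not listed map to themselves)
SLIDE_PERMUTATION = {"h": "g", "e": "f", "l": "q", "o": "r"}
# the slide's "Random" pad, one 5-bit value per letter
SLIDE_PAD = [0b10010, 0b10111, 0b00010, 0b10101, 0b00111]


def shift_cipher(text, shift):
    """Shift cipher over a-z: shift=3 is Caesar, shift=13 is Rot-13.
    Shifting by 26-shift (or by 13 again for Rot-13) decrypts."""
    out = []
    for ch in text:
        if ch in LETTERS:
            out.append(LETTERS[(LETTERS.index(ch) + shift) % 26])
        else:
            out.append(ch)  # leave spaces/punctuation alone
    return "".join(out)


def substitution(text, table):
    """Permutation (monoalphabetic substitution) cipher."""
    return "".join(table.get(ch, ch) for ch in text)


def invert(table):
    """Inverse permutation, used to decrypt a substitution cipher."""
    return {v: k for k, v in table.items()}


def encode(text):
    """The slide's encoding: a=1 ... z=26, one 5-bit number per letter."""
    return [LETTERS.index(ch) + 1 for ch in text]


def decode(values):
    out = []
    for v in values:
        if not 1 <= v <= 26:
            # XOR of two 5-bit letters can leave the alphabet (0 or 27..31);
            # a real one-time pad works on bytes, where every value is valid
            raise ValueError(f"{v:05b} is not a letter under a=1..z=26")
        out.append(LETTERS[v - 1])
    return "".join(out)


def xor_pad(values, pad):
    """Binary XOR with a pad at least as long as the message; XOR is its own
    inverse, so the same call with the same pad decrypts."""
    if len(pad) < len(values):
        raise ValueError("pad must be at least as long as the message")
    return [v ^ k for v, k in zip(values, pad)]


if __name__ == "__main__":
    print(shift_cipher("hello", 13))                      # uryyb
    print(substitution("hello", SLIDE_PERMUTATION))       # gfqqr
    c = xor_pad(encode("hello"), SLIDE_PAD)
    print(" ".join(f"{v:05b}" for v in c), decode(c))     # zrnyh
```

The `decode` check is the one caveat the slide's 5-bit encoding hides: with letters as 5-bit numbers, a pad value can XOR a letter out of the alphabet, which is why real one-time pads and stream ciphers operate on bytes rather than on a 26-symbol alphabet.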

Table of Contents

•  Introduction
   –  review of number theory
   –  review of RSA
   –  Security of RSA basis

•  Computational attacks
   –  “Intuitively obvious” attacks
   –  Bad choice of primes
   –  Netscape’s bug

•  Implementation attacks
   –  Timing attacks
   –  Random faults (to err is not computer-like)

•  Conclusions
   –  How to implement a “secure” RSA cryptosystem

(the basis of RSA)

With a separate shared secret key for every pair of users (n(n−1)/2 keys for n users): 6 people: 15 keys! 10,000 people: 49 million keys!

[Figure: Alice's letter to Bob ("Dear Bob, blah, blah, blah,... do you like cs... what is 0.5 in binary... let's go out... Alice") with the label BOB repeated around it: the letter is locked with Bob's key.]

Modulo inverses

a ≡ b (mod m)  ⇔  ∃k s.t. a = km + b        e.g. 3 ≡ 15 ≡ 27 ≡ … (mod 12)

a · a^(−1) ≡ 1 (mod m)  ⇒  ∃k s.t. a · a^(−1) = km + 1        e.g. 3 · 7 ≡ 1 (mod 10)

Euler’s phi function

φ(n) = # of integers ≤ n that are relatively prime with n

φ(n) = n · ∏_{prime d | n} (1 − 1/d)        φ(p) =        φ(pq) =

Order

ord(a) (mod n) = smallest t s.t. a^t ≡ 1 (mod n)        e.g. ord(3) (mod 10) = 4

Euler’s theorem: for all a with gcd(a, n) = 1, a^φ(n) ≡ 1 (mod n)

Euclid’s algorithm: given x and y, we can find A and B such that Ax + By = gcd(x, y)

Discrete logarithm theorem: g^x ≡ g^y (mod n)  ⇔  x ≡ y (mod φ(n))

Chinese remainder theorem: given n = n1 · n2 · n3 · … · nk with pairwise relatively prime factors, there is a one-to-one correspondence:

a ∈ Z_n  ↔  (a1, a2, a3, …, ak),   where ai ≡ a (mod ni), ai ∈ Z_{ni}

Example (n = 3 · 10 · 13 = 390):

63 → (63 mod 3, 63 mod 10, 63 mod 13) = (0 mod 3, 3 mod 10, 11 mod 13)

Going back from (0 mod 3, 3 mod 10, 11 mod 13):

m1 = n2 · n3 = 10 · 13 = 130,   m1^(−1) ≡ 1 (mod 3)
m2 = n1 · n3 = 3 · 13 = 39,     m2^(−1) ≡ 9 (mod 10)
m3 = n1 · n2 = 3 · 10 = 30,     m3^(−1) ≡ 10 (mod 13)

a = 0 · 130 · 1 + 3 · 39 · 9 + 11 · 30 · 10 = 0 + 1053 + 3300 = 4353 ≡ 63 (mod 390)
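The number-theoretic toolkit of the review slides (extended Euclid, modular inverse, Euler's φ, multiplicative order, and the CRT correspondence with its reconstruction formula), as an added example that is not part of the lecture. Function names are assumptions; the values it checks (3 · 7 ≡ 1 mod 10, ord(3) mod 10 = 4, 63 ↔ (0 mod 3, 3 mod 10, 11 mod 13)) are the slides' own.

```python
# Added example (not from the slides): the number-theoretic tools above,
# checked against the slide's own values.
from math import gcd


def egcd(x, y):
    """Extended Euclid: return (g, A, B) with A*x + B*y = g = gcd(x, y)."""
    a0, a1 = 1, 0            # running coefficients of x
    b0, b1 = 0, 1            # running coefficients of y
    while y:
        q, r = divmod(x, y)
        x, y = y, r
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0


def modinv(a, m):
    """a^-1 mod m, i.e. the k-free part of a * a^-1 = k*m + 1; fails unless gcd(a, m) = 1."""
    g, a_coef, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m} (gcd = {g})")
    return a_coef % m


def phi(n):
    """Euler's phi by the slide's definition: count of 1 <= k <= n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def order(a, n):
    """Multiplicative order: smallest t >= 1 with a^t = 1 (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError("order is only defined for a relatively prime to n")
    t, x = 1, a % n
    while x != 1:
        x = x * a % n
        t += 1
    return t


def crt_split(a, moduli):
    """Z_n -> (a mod n1, ..., a mod nk)."""
    return [a % n_i for n_i in moduli]


def crt(residues):
    """(a1 mod n1, ..., ak mod nk) -> the unique a in Z_n, n = n1*...*nk.
    residues is a list of (a_i, n_i) pairs with pairwise relatively prime n_i."""
    moduli = [n_i for _, n_i in residues]
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    n = 1
    for n_i in moduli:
        n *= n_i
    total = 0
    for a_i, n_i in residues:
        m_i = n // n_i                              # the slide's m_i: product of the other moduli
        total += a_i * m_i * modinv(m_i, n_i)       # a_i * m_i * (m_i^-1 mod n_i)
    return total % n


if __name__ == "__main__":
    print(egcd(3, 10), modinv(3, 10), phi(10), order(3, 10))    # (1, -3, 1) 7 4 4
    print(crt_split(63, [3, 10, 13]))                           # [0, 3, 11]
    print(crt([(0, 3), (3, 10), (11, 13)]))                     # 63
```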

Bob’s Initialization:
• pick N_Bob = pq
• pick public key e_Bob
• finds secret key d_Bob:  e_Bob · d_Bob ≡ 1 (mod (p−1)(q−1))
• public info: (e_Bob, N_Bob)
• private info: d_Bob

Alice:
• message M
• encodes:  C = M^(e_Bob) (mod N)
• (or signs):  S = P_Alice(M) ≡ M^(d_Alice) (mod N)

Bob:
• decodes:  C^(d_Bob) = M^(e_Bob · d_Bob) ≡ M (mod N)
• (or checks signature):  S^(e_Alice) ≡ M^(d_Alice · e_Alice) ≡ M (mod N)
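The scheme above in code, as an added example that is not part of the lecture: Bob's initialization, Alice's encryption, Bob's decryption, and the sign/check pair. The primes (p = 61, q = 53 for Bob; 101 and 113 for Alice) and the public exponent 17 are constructed toy values; real keys use primes of a thousand bits or more.

```python
# Added example (not from the slides): the RSA scheme above with a constructed
# toy key, p = 61, q = 53, e = 17 (real keys use ~1024-bit primes or larger).
from math import gcd


def keygen(p, q, e=17):
    """Bob's initialization: N = pq, public e, secret d with e*d = 1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # modular inverse via extended Euclid (Python >= 3.8)
    return (e, n), d           # public info, private info


def encrypt(pub, m):
    """Alice encodes M under Bob's public key: C = M^e mod N."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, e, n)


def decrypt(pub, d, c):
    """Bob decodes: C^d = M^(ed) = M mod N."""
    _, n = pub
    return pow(c, d, n)


def sign(pub, d, m):
    """Alice signs with her own private key: S = M^d mod N."""
    _, n = pub
    return pow(m, d, n)


def verify(pub, m, s):
    """Anyone checks with Alice's public key: S^e = M mod N."""
    e, n = pub
    return pow(s, e, n) == m % n


if __name__ == "__main__":
    bob_pub, bob_d = keygen(61, 53)
    c = encrypt(bob_pub, 65)
    print(bob_pub, bob_d, c, decrypt(bob_pub, bob_d, c))      # (17, 3233) 2753 2790 65
    alice_pub, alice_d = keygen(101, 113)                      # Alice has her own modulus
    s = sign(alice_pub, alice_d, 42)
    print(verify(alice_pub, 42, s), verify(alice_pub, 43, s))  # True False
```

This is textbook ("raw") RSA on bare integers, exactly what the slides describe; the computational attacks later in the lecture (no padding, blinding) are attacks on precisely this unpadded form.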

Basis for RSA security (be afraid…be very afraid)

1. Factoring N = pq is hard to do
   or else one can compute (p−1)(q−1) and use the Euclidean algorithm to get d and M

2. Getting the private key d is hard
   or else, given M^e, one can compute M^(ed) ≡ M (mod N)

3. Discrete logarithm is hard
   Given e and M^e (mod N), can we compute M?

Basis for RSA security (=>): Factoring is as hard as computing “d”

• Given p, q, N = pq:  φ(N) = (p−1)(q−1)

• By the Euclidean algorithm, we can solve for d, K:

  e · d + K · φ(N) = 1,  with gcd(e, φ(N)) = 1,  so  d = e^(−1) (mod φ(N))

Basis for RSA security (<=): Computing “d” is as hard as factoring

Given <N, e> and d, we can factor N = pq “efficiently” using a probabilistic Las Vegas algorithm:

1. Compute k = ed − 1. Since ed ≡ 1 (mod φ(N)), φ(N) divides k, so a^k ≡ 1 (mod N) for all a with gcd(a, N) = 1.

2. 1 has four square roots mod N, by CRT:

   x ≡ 1 (mod p),  x ≡ 1 (mod q)   ⇒  x ≡ 1 (mod N)
   x ≡ −1 (mod p), x ≡ −1 (mod q)  ⇒  x ≡ −1 (mod N)
   x ≡ 1 (mod p),  x ≡ −1 (mod q)  ⇒  x (mod N)
   x ≡ −1 (mod p), x ≡ 1 (mod q)   ⇒  −x (mod N)

3. For a non-trivial root x (x ≠ ±1):  gcd(x − 1, N) = p.

Basis for RSA security (<=): Computing “x” with a Las Vegas algorithm

To compute x (expected run time is O((log N)^3)):

Choose a random g ∈ Z_N^*. Write k = 2^t · (odd number) (recall: k = ed − 1). Compute

  g^k, g^(k/2), g^(k/4), …, g^(k/2^t)  (mod N)
  = 1, 1, 1, …, 1, x, …   with x ≠ ±1

With probability 0.5, an exponent of g equals x: the last 1 in the sequence has x as a non-trivial square root.
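The Las Vegas procedure of the last two slides, as an added example that is not part of the lecture: split k = ed − 1 as 2^t · r, walk g^r, g^(2r), … by squaring until the sequence hits 1, and take gcd(x − 1, N) for the non-trivial square root x found just before. It is run on the constructed toy keys N = 3233 (e = 17, d = 2753) and N = 55 (e = 3, d = 27); the seed and the function name are assumptions. The practical reading is the one the slide title gives: a leaked private exponent is a leaked factorization, which is also why a modulus must never be shared between key pairs.

```python
# Added example (not from the slides): factor N from (e, d) with the
# Las Vegas algorithm above. Toy keys are constructed values.
import random
from math import gcd


def factor_from_d(n, e, d, seed=1):
    """Return (p, q) with p*q = n, given a valid RSA exponent pair (e, d)."""
    rng = random.Random(seed)                # seeded only so runs are repeatable
    k = e * d - 1                            # multiple of phi(N): a^k = 1 (mod N)
    t, r = 0, k
    while r % 2 == 0:                        # k = 2^t * r with r odd
        t += 1
        r //= 2
    while True:                              # each g succeeds with probability >= 1/2
        g = rng.randrange(2, n - 1)
        if gcd(g, n) != 1:                   # g itself shares a factor with N
            p = gcd(g, n)
            return tuple(sorted((p, n // p)))
        x = pow(g, r, n)                     # g^(k / 2^t), the bottom of the slide's sequence
        if x in (1, n - 1):
            continue                         # only trivial square roots on this path
        for _ in range(t):
            y = pow(x, 2, n)                 # move up the sequence: g^(k / 2^i)
            if y == 1:                       # x^2 = 1 and x != +-1: non-trivial root
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break                        # reached -1: trivial, try another g
            x = y


if __name__ == "__main__":
    print(factor_from_d(3233, 17, 2753))     # (53, 61)
    print(factor_from_d(55, 3, 27))          # (5, 11)
```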

Computational attacks

1) No bit padding (common sense): without random padding, encryption is deterministic, so a dictionary of ciphertexts of likely messages gives them away:

   C = 2347809AE8  =>  Attack at midnight!

   59820BCE84
   2347809AE8
   684930EFFF

2) p and q are too close: N = pq = p(p − c)  ⇒  p² − cp − N = 0. Solve using the quadratic formula!

   In general, bad when (for some constant k):  |p − q| < √p · (log p)^k

3) Netscape’s bug: generating p, q from a predictable random number generator

   SEED → 8 → 8·7 (mod 13) = 4 → 4·7 (mod 13) = 2 → 2·7 (mod 13) = 1 → 1·7 (mod 13) = 7 → 7·7 (mod 13) = 10 → 10·7 (mod 13) = 5 → …

   The primes p and q (and hence N) are taken from this stream of “random” numbers.

   If we know SEED, we know p, q

4) p − 1 is the product of small primes ≤ B (Pollard ’74):

   (p − 1) | B!  ⇒  B! = k(p − 1)  ⇒  a^(B!) = (a^(p−1))^k ≡ 1 (mod p)  ⇒  gcd(a^(B!) − 1, N) = p

   Example: p = 13, p − 1 = 12 = 2·2·3 divides 5! = 2·3·4·5, and 2^12 ≡ 1 (mod 13), so 2^(5!) ≡ 1 (mod 13).

5) Common modulus (Simmons):

   Fix N for all users; different keys e and d per user.


6) Blinding: get the advisor to sign an “innocent” M’ = r^e · M:

   S’ = (M’)^d = (r^e · M)^d = r^(ed) · M^d ≡ r · M^d (mod N)

   so S’ / r = M^d is a valid signature on M: a signed thesis!
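The blinding identity above, as an added example that is not part of the lecture, run on the constructed toy key N = 3233, e = 17, d = 2753. It shows the multiplicative property of raw RSA that makes a "sign anything" oracle unsafe; the defensive consequence is that a signer must only sign hashed and padded values, never bare integers presented by someone else. Function names and the blinding factor r = 7 are assumptions.

```python
# Added example (not from the slides): the blinding identity above, checked on
# the constructed toy key N = 3233, e = 17, d = 2753 (p = 61, q = 53).
from math import gcd

N, E, D = 3233, 17, 2753   # constructed toy key


def raw_sign(m):
    """Textbook RSA signature on a bare integer: S = M^d mod N."""
    return pow(m, D, N)


def raw_verify(m, s):
    return pow(s, E, N) == m % N


def blind(m, r):
    """M' = r^e * M mod N: to the signer, M' looks like an unrelated number."""
    if gcd(r, N) != 1:
        raise ValueError("r must be invertible mod N")
    return (pow(r, E, N) * m) % N


def unblind(s_blinded, r):
    """S' = (M')^d = r^(ed) * M^d = r * M^d, so S = S' * r^-1 mod N."""
    return (s_blinded * pow(r, -1, N)) % N


def recover_signature(m, r, signer=raw_sign):
    """The slide's scenario: the signer only ever sees and signs M'."""
    return unblind(signer(blind(m, r)), r)


if __name__ == "__main__":
    thesis, r = 1000, 7
    s = recover_signature(thesis, r)
    print(s == raw_sign(thesis), raw_verify(thesis, s))   # True True
```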

More computational attacks

7) Low private exponent d. Theorem (Wiener ’90): assume q < p < 2q, e < φ(N) and d < (1/3) · N^(1/4). Given <N, e>, Marvin can efficiently recover d.

Proof: e · d ≡ 1 (mod φ(N))  ⇒  e · d − k · φ(N) = 1  ⇒  |e/φ(N) − k/d| = 1/(d · φ(N))  ⇒  |e/N − k/d| ≤ 1/(2d²)

so k/d is one of the convergents of the continued fraction expansion of e/N.

Running time: compute the convergents of the continued fraction in linear time!

Fixes: 1. use e > N^1.5   2. Use CRT with a big d and small d_p = d (mod p−1) and d_q = d (mod q−1)
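The convergent search of Wiener's theorem, as an added example that is not part of the lecture: expand e/N as a continued fraction, and for each convergent k/d test whether φ = (ed − 1)/k makes x² − (N − φ + 1)x + N = 0 split over the integers. The toy key N = 90581 = 239 · 379 with e = 17993 (d = 5) is a constructed value satisfying the theorem's bound, and N = 3233, e = 17 (d = 2753) is one that does not; function names are assumptions. As a key-audit check this is the test that catches a "small d" key before it is deployed.

```python
# Added example (not from the slides): Wiener's convergent search, run on
# constructed toy keys.
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of num/den."""
    cf = []
    while den:
        q, r = divmod(num, den)
        cf.append(q)
        num, den = den, r
    return cf


def convergents(cf):
    """Yield (numerator, denominator) of each convergent h_i / k_i."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    for a in cf:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener(e, n):
    """Return (d, p, q) if some convergent k/d of e/N yields a factorisation,
    else None. Succeeds whenever d < N^(1/4) / 3 (Wiener's bound)."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue                      # k must divide ed - 1 exactly
        phi = (e * d - 1) // k
        s = n - phi + 1                   # = p + q, since phi = N - (p + q) + 1
        disc = s * s - 4 * n              # roots of x^2 - s x + N are p and q
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc:
            continue
        p, q = (s + root) // 2, (s - root) // 2
        if p * q == n and p > 1 and q > 1:
            return d, p, q
    return None


if __name__ == "__main__":
    print(wiener(17993, 90581))   # (5, 379, 239): d is tiny, key is broken
    print(wiener(17, 3233))       # None: d = 2753 is above the bound
```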

Implementation Attacks

1. Timing attack (Kocher ’96)

Long method: 2^39 = 2 · 2 · 2 · … · 2 (39 factors, 38 multiplications)

Repeated squaring (39 = 100111 in binary):

  2^32 = ((((2^2)^2)^2)^2)^2
  2^33 = 2 · ((((2^2)^2)^2)^2)^2
  2^39 = 2^32 · 2^4 · 2^2 · 2 = ((((2^2)^2)^2)^2)^2 · (2^2)^2 · 2^2 · 2

Computation time is correlated with number of 1’s in exponent
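An operation-count model of the repeated-squaring method above, as an added example that is not part of the lecture: left-to-right square-and-multiply does one extra multiplication per 1 bit, which is the data-dependent work a timing attacker correlates with the exponent, while a Montgomery ladder (the usual countermeasure in the exponent-handling sense) spends exactly one squaring and one multiplication per bit whatever the bits are. Function names are assumptions, and Python integers are not constant-time; only the counts are the point.

```python
# Added example (not from the slides): operation counts for left-to-right
# repeated squaring versus a Montgomery ladder.


def square_and_multiply(base, exp, mod):
    """Left-to-right repeated squaring. Returns (base^exp mod mod, squarings,
    multiplies). The multiply count is the number of 1 bits in exp after the
    leading one: data-dependent work that a timing attacker can measure."""
    if exp == 0:
        return 1 % mod, 0, 0
    result = base % mod
    squarings = multiplies = 0
    for bit in bin(exp)[3:]:            # bits after the leading 1
        result = result * result % mod  # always square ...
        squarings += 1
        if bit == "1":                  # ... multiply only on a 1 bit
            result = result * base % mod
            multiplies += 1
    return result, squarings, multiplies


def montgomery_ladder(base, exp, mod):
    """Same result, but every bit costs one squaring and one multiply, so the
    operation count is 2 * bit_length(exp) regardless of the bit pattern.
    Returns (base^exp mod mod, operations)."""
    r0, r1 = 1 % mod, base % mod        # invariant: r1 = r0 * base
    ops = 0
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        ops += 2
    return r0, ops


def work_profile(exps, mod=1000, base=2):
    """Per exponent: ((squarings, multiplies) for square-and-multiply, ladder ops)."""
    return {e: (square_and_multiply(base, e, mod)[1:], montgomery_ladder(base, e, mod)[1])
            for e in exps}


if __name__ == "__main__":
    print(square_and_multiply(2, 39, 1000))   # (888, 5, 3): 39 = 100111b
    for e, (sm, ladder) in work_profile([32, 39, 63]).items():
        print(f"{e:2d} = {e:06b}  square-and-multiply (sq, mul)={sm}  ladder ops={ladder}")
```

Exponents 32 (100000), 39 (100111) and 63 (111111) all have six bits; square-and-multiply does 0, 3 and 5 multiplications for them, the ladder always 12 operations. Kocher's attack exploits exactly the first column.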

2. Random faults (Boneh, DeMillo, Lipton ’97)

   RSA with CRT computes x^y (mod pq) from the two halves x^y (mod p) and x^y (mod q). If one half comes out wrong, say x^y + error (mod q) while x^y (mod p) is correct, the recombined result is

     x^y + error · p · (p^(−1) mod q)  (mod pq)

   and gcd(error · p · (p^(−1) mod q), pq) = p.

   One error can lead to a factorization of N (it reveals p). Two errors (one in each half) are ok.
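CRT-RSA signing with an injected error in one half, as an added example that is not part of the lecture, on the constructed toy key p = 61, q = 53, e = 17. It shows the slide's three cases (one error in the q half leaks p, one in the p half leaks q, errors in both halves leak nothing) and the standard countermeasure: re-verify the signature with the public key and withhold it if the check fails. Function names and the fault values are assumptions.

```python
# Added example (not from the slides): CRT-RSA signing with an injected error
# in one half, and the verify-before-release check. Constructed toy key.
from math import gcd

P, Q = 61, 53
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))   # 2753


def crt_sign(m, fault_p=0, fault_q=0):
    """S = m^D mod N the CRT way: one exponentiation mod p, one mod q, then
    recombined. fault_p / fault_q add an error to that half (0 = no fault)."""
    sp = (pow(m, D % (P - 1), P) + fault_p) % P
    sq = (pow(m, D % (Q - 1), Q) + fault_q) % Q
    # Garner recombination: S = sp + p * ((sq - sp) * p^-1 mod q)
    h = ((sq - sp) * pow(P, -1, Q)) % Q
    return sp + P * h


def factor_from_fault(n, correct, faulty):
    """With one faulty half, correct - faulty is 0 mod the good prime and
    non-zero mod the bad one, so the gcd with N is a prime factor."""
    return gcd(correct - faulty, n)


def sign_checked(m, fault_p=0, fault_q=0):
    """Countermeasure: re-verify with the public key before releasing S."""
    s = crt_sign(m, fault_p, fault_q)
    if pow(s, E, N) != m % N:
        raise RuntimeError("computation fault detected; signature withheld")
    return s


if __name__ == "__main__":
    good = crt_sign(65)
    bad = crt_sign(65, fault_q=1)                   # error in the mod-q half
    print(good == pow(65, D, N), factor_from_fault(N, good, bad))                # True 61
    print(factor_from_fault(N, good, crt_sign(65, fault_p=1, fault_q=1)))       # 1
```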

Fancier attacks (mathematical basis)

Theorem (Coppersmith ’97): Take N and a polynomial f(x) of degree d. Take X = N^(1/d − ε) for some ε ≥ 0. Given <N, f>, Marvin can efficiently find all integers |x0| < X satisfying f(x0) ≡ 0 (mod N).

LLL: Let L be a lattice spanned by w basis vectors. Given these as input, LLL outputs v ∈ L satisfying:

  ||v|| ≤ 2^(w/4) · det(L)^(1/w)

Lemma: Take a polynomial h(x) of degree d and a positive integer X. Suppose ||h(xX)|| < N/√d. If |x0| < X satisfies h(x0) ≡ 0 (mod N), then h(x0) = 0 holds over the integers.

Fancier attacks (low public exponent)

1. Hastad’s Broadcast Attack ’88
2. Franklin-Reiter Related Message Attack ’96
3. Coppersmith’s Short Pad Attack
4. Partial Key Exposure (BDF ’98). Theorem: For N = pq of size n bits, revealing the n/4 least-significant or n/4 most-significant bits is enough to factor N efficiently.

How to build a safe RSA cryptosystem (as of 2000)

1. Use long, random padding of messages
2. Use a large secret key d (256 bits)
3. Use a large public key e (65,537 is recommended)
4. Use primes p, q that are not too close and not 1 + product of small factors
5. Do not reveal any part of your key.
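A key-audit routine for rules 2 to 4 of the list above (rule 1 concerns messages and rule 5 key handling, neither of which a key checker can see), as an added example that is not part of the lecture. It flags a small d (below the 256-bit figure the slide gives, or below Wiener's N^(1/4)/3 bound), a public exponent below 65,537, primes closer than twice N^(1/4), and a p − 1 or q − 1 that is smooth up to a bound. The toy keys, thresholds and finding names are assumptions; the smoothness bound is deliberately tiny so the toy primes exercise every check.

```python
# Added example (not from the slides): audit an RSA key against rules 2-4 of
# the checklist above. Toy keys and thresholds are constructed values.
from math import gcd, isqrt


def largest_prime_factor(n):
    """Largest prime factor of n by trial division (fine for audit-sized inputs)."""
    largest, f = 1, 2
    while f * f <= n:
        while n % f == 0:
            largest, n = f, n // f
        f += 1
    return max(largest, n) if n > 1 else largest


def audit_rsa_key(p, q, e, smooth_bound=2**16, min_d_bits=256):
    """Return a list of findings (empty = nothing flagged) for the key (p, q, e)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod (p-1)(q-1): not a valid key")
    d = pow(e, -1, phi)
    fourth_root = isqrt(isqrt(n))            # N^(1/4)
    findings = []
    if d.bit_length() < min_d_bits or 3 * d < fourth_root:
        findings.append("small-d")           # rule 2; Wiener applies when d < N^(1/4)/3
    if e < 65537:
        findings.append("small-e")           # rule 3: low-exponent attacks
    if abs(p - q) < 2 * fourth_root:
        findings.append("close-primes")      # rule 4: solvable as p^2 - cp - N = 0
    if largest_prime_factor(p - 1) <= smooth_bound:
        findings.append("smooth-p-1")        # rule 4: Pollard p-1
    if largest_prime_factor(q - 1) <= smooth_bound:
        findings.append("smooth-q-1")
    return findings


if __name__ == "__main__":
    print(audit_rsa_key(61, 53, 17, smooth_bound=7))                    # four findings
    print(audit_rsa_key(59, 107, 65537, smooth_bound=7, min_d_bits=1))  # []
```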

References

• Twenty Years of Attacks on the RSA Cryptosystem by Dan Boneh, Notices of the AMS, February 1999.

• Cryptography: Theory and Practice by Douglas R. Stinson, CRC Press, 1995.

• Cryptanalysis of Short RSA Secret Exponents by Michael J. Wiener, IEEE Transactions on Information Theory, May 1990.

• Sphere Packings, Lattices and Groups by J.H. Conway and N.J.A. Sloane, Springer-Verlag, 1993.
