1
A New Related Message Attack on RSA
Oded Yacobi UCSD
Yacov Yacobi MSR
4/3/2006
2
Motivation
• A new attack on RSA.
• New tools (new in cryptanalysis).
3
Related Messages
Example: messages with known relations can occur if an attacker pretends to be the recipient in a protocol that doesn't authenticate the recipient, and in addition the message is composed of the content concatenated with a serial number.
4
OAEP
OAEP or similar randomization methods are highly recommended. Nevertheless it is useful to know the ramifications in case for some reason one chooses not to use OAEP. RFID tags will require very compact cryptosystems, and some designers may be tempted to avoid OAEP.
5
OAEP
$[M \oplus G(r)] \,\|\, [r \oplus H(M \oplus G(r))]$
6
Previous Result
D. Coppersmith, M. Franklin, J. Patarin, M. Reiter:
Let $(N, e)$ be the RSA public key. Coppersmith et al. show that given two RSA cryptograms $x^e \bmod N$ and $(ax+b)^e \bmod N$ for any known constants $a, b \in Z_N$, one can compute $x$ in $O(e \log^2 e)$ $Z_N$-operations with some small error probability (the method fails on $O(e^2)$ messages).
7
Our Result
Given cryptograms $c_i = (a_i x + b_i)^e \bmod N$ for $i = 0, \ldots, e-1$, for known constants $a_i, b_i \in Z_N$, one can deterministically compute $x$ in $O(e)$ $Z_N$-operations, after doing $O(e \log^2 e)$ operations that depend only on the known constants. The pre-computation can be amortized over many instances.
8
A Special Case
If $c_i = (ax + ib)^e \bmod N$ for $i = 0, \ldots, e-1$, one can determine $x$ in $O(e)$ $Z_N$-operations overall. In this case
$$x \equiv \frac{1}{a}\left(\frac{1}{e!\, b^{e-1}} \sum_{i=0}^{e-1} (-1)^{e-1-i} \binom{e-1}{i} c_i \;-\; \frac{(e-1)\, b}{2}\right) \pmod N.$$
9
Follow your nose…
A straightforward approach to solve our problem: compute the binomial expansion of $c_j = (a_j x + b_j)^e \pmod N$. Let $z_i = x^i$ and find $z$. For a public key greater than 50 bits the pre-computation becomes prohibitive ($O(e^{\log_2 7})$).
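The straightforward approach on this slide, carried out as an added example (my code, not the authors'): expand each $c_j$ binomially, set up the $e \times e$ linear system in the unknowns $z_i = x^i$ (the known $z_0 = 1$ is moved to the right-hand side), and solve it. The elimination runs over the rationals and reduces to $Z_N$ only at the end, so the single inverse taken modulo $N$ is that of a small determinant. The toy primes, $e = 7$, the constants $a_j, b_j$ and the message $x$ are constructed values for illustration, not parameters from the slides.

```python
from fractions import Fraction
from math import comb

# Constructed toy RSA parameters (hypothetical small primes, e = 7): insecure, example only.
P, Q = 1000003, 1000033
N = P * Q
E = 7


def inv(a, n=N):
    """Modular inverse (Python >= 3.8); raises ValueError if gcd(a, n) != 1."""
    return pow(a, -1, n)


def build_system(a_s, bs, cs, e=E):
    """Binomial expansion of c_j = (a_j x + b_j)^e:
       sum_{i=1}^{e} C(e,i) a_j^i b_j^(e-i) z_i = c_j - b_j^e,  with z_i = x^i.
    Coefficients are kept as exact integers (not reduced mod N) so the determinant of
    the system is a product of small integers and hence invertible modulo N."""
    rows, rhs = [], []
    for a, b, c in zip(a_s, bs, cs):
        rows.append([comb(e, i) * a ** i * b ** (e - i) for i in range(1, e + 1)])
        rhs.append(c - b ** e)
    return rows, rhs


def solve_exact(rows, rhs):
    """Gauss-Jordan elimination over Q. O(e^3) multiplications; the slide's
       O(e^(log2 7)) bound assumes Strassen-style matrix inversion instead."""
    m = [[Fraction(v) for v in row] + [Fraction(v)] for row, v in zip(rows, rhs)]
    k = len(m)
    for col in range(k):
        piv = next(r for r in range(col, k) if m[r][col] != 0)  # StopIteration: singular
        m[col], m[piv] = m[piv], m[col]
        f = m[col][col]
        m[col] = [v / f for v in m[col]]
        for r in range(k):
            if r != col and m[r][col] != 0:
                g = m[r][col]
                m[r] = [v - g * w for v, w in zip(m[r], m[col])]
    return [row[-1] for row in m]          # z_1, ..., z_e as Fractions


def recover_by_expansion(a_s, bs, cs, e=E, n=N):
    """Return (x, z): x = z_1 mod N; z lets the caller check z_i == x^i mod N."""
    z_q = solve_exact(*build_system(a_s, bs, cs, e))
    z = [f.numerator * inv(f.denominator, n) % n for f in z_q]
    return z[0], z


def demo(x=123456789):
    """Constructed instance: e cryptograms of a_j x + b_j under the toy key."""
    a_s = [1, 2, 3, 4, 5, 6, 7]
    bs = [0, 1, 5, 12, 99, 1000, 4321]            # b_j / a_j must be pairwise distinct
    cs = [pow((a * x + b) % N, E, N) for a, b in zip(a_s, bs)]
    return recover_by_expansion(a_s, bs, cs)


if __name__ == "__main__":
    print("recovered x =", demo()[0])
```

Only $z_1 = x$ is actually needed, so once the inverse matrix has been pre-computed the real-time work is one row of it applied to the vector of right-hand sides, i.e. $O(e)$ operations; the pre-computation is the expensive part, which is what the slide's remark about large keys refers to.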
10
Our tool: the divided difference
Let $h \in Z_N[x]$ and let $x_0, \ldots, x_k$ be distinct elements of $Z_N$ such that $(x_i - x_j)^{-1} \pmod N$ exists for $i \neq j$. The divided difference of $h$ relative to any elements among the $x_i$ is defined as follows:
$$h[x_i] = h(x_i), \qquad h[x_i, x_j] = \frac{h[x_j] - h[x_i]}{x_j - x_i},$$
$$h[x_0, x_1, \ldots, x_k] = \frac{h[x_1, \ldots, x_k] - h[x_0, \ldots, x_{k-1}]}{x_k - x_0}.$$
11
Example
For our purposes we will only consider the divided difference relative to the RSA polynomial $h(x) = x^e$. If $e = 3$ and we let $x_i = x + b_i$ then
$$h[x_0, x_1] = \frac{h(x_1) - h(x_0)}{x_1 - x_0} = x_0^2 + x_0 x_1 + x_1^2 = 3x^2 + 3(b_0 + b_1)\, x + b_0^2 + b_0 b_1 + b_1^2,$$
$$h[x_0, x_1, x_2] = \frac{h[x_1, x_2] - h[x_0, x_1]}{x_2 - x_0} = x_0 + x_1 + x_2 = 3x + b_0 + b_1 + b_2.$$
12
Adopted lemmas
1. Let $y(x) = \prod_{j=0}^{n} (x - x_j)$. Then $y'(x_i) = \prod_{j=0,\, j \neq i}^{n} (x_i - x_j)$.
2. $h[x_0, \ldots, x_k] = \sum_{i=0}^{k} \frac{h(x_i)}{y'(x_i)}$, with $y$ as in 1 and $n = k$.
13
A new lemma
Claim: For $n \le e$, $\deg x^e[x_0, \ldots, x_n] = e - n$.
We prove this by showing that the leading coefficient of $x^e[x_0, \ldots, x_n]$ is independent of the $b_i$ (recall $x_i = x + b_i$). This comes down to showing that:
$$\sum_{i=0}^{n} \frac{b_i^{\,n}}{(b_i - b_0) \cdots (b_i - b_{i-1})(b_i - b_{i+1}) \cdots (b_i - b_n)} = 1.$$
14
A new lemma
For the RSA polynomial $x^e$, for $n \le e$:
(i) $\deg x^e[x_0, \ldots, x_n] = e - n$;
(ii) $x^e[x_0, \ldots, x_{e-1}] \equiv e\, x + v \pmod N$, where $v$ is a scalar.
15
The attack
Given: $N$, $e$, and $c_i = (x + b_i)^e \bmod N$ for $i = 0, 1, \ldots, e-1$.
Find: $x$.
Method: Let $w(x) = x^e[x_0, \ldots, x_{e-1}] = e\, x + v$. Compute $x = (w(x) - w(0))/e$.
If we compute $w$ straightforwardly the complexity is $O(e^2)$.
16
Algorithm
• Pre-computation
For $i = 0, 1, \ldots, e-1$ compute $p_i = y'(x_i) = \prod_{j=0,\, j \neq i}^{e-1} (b_i - b_j)$. Then compute $w(0) = \sum_{i=0}^{e-1} b_i^e / p_i$. Complexity is $O(e \log^2 e)$.
• Real-time computation
Compute $w(x) = \sum_{i=0}^{e-1} c_i / p_i$ and then $x = (w(x) - w(0))/e$. Complexity is $O(e)$.
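The two phases of the algorithm above, carried out as an added example (my code, not the authors'). `precompute` derives $p_i^{-1}$ and $w(0)$ from the constants only, `recover` is the $O(e)$ real-time step, and `yprime_via_polynomial` follows the product, derivative, evaluate route of the "More about the computational complexity of the pre-computation" slide below with schoolbook arithmetic rather than the FFT-based methods behind the $O(e \log^2 e)$ bound. The toy primes, $e = 7$, the offsets `BS`, and the reduction $c_i \cdot a_i^{-e} = (x + b_i a_i^{-1})^e$ used in `recover_general` to bring the general $a_i x + b_i$ form down to the $x + b_i$ form of the slide are my own constructions.

```python
# Constructed toy RSA parameters (hypothetical small primes, e = 7): insecure, example only.
P, Q = 1000003, 1000033
N = P * Q
E = 7


def inv(a, n=N):
    """Modular inverse (Python >= 3.8); raises ValueError if gcd(a, n) != 1."""
    return pow(a, -1, n)


def yprime_direct(bs, n=N):
    """p_i = y'(x_i) = prod_{j != i} (b_i - b_j); note x_i - x_j = b_i - b_j when x_i = x + b_i."""
    ps = []
    for i, bi in enumerate(bs):
        p = 1
        for j, bj in enumerate(bs):
            if j != i:
                p = p * (bi - bj) % n
        ps.append(p)
    return ps


def yprime_via_polynomial(bs, n=N):
    """Build y(t) = prod (t - b_j), differentiate, evaluate y' at every b_i.
       Schoolbook product and Horner evaluation; fast multipoint evaluation is not implemented."""
    coeffs = [1]                                   # y(t), lowest degree first
    for b in bs:
        nxt = [0] * (len(coeffs) + 1)
        for k, c in enumerate(coeffs):
            nxt[k + 1] = (nxt[k + 1] + c) % n      # t * c t^k
            nxt[k] = (nxt[k] - b * c) % n          # -b * c t^k
        coeffs = nxt
    deriv = [k * c % n for k, c in enumerate(coeffs)][1:]   # coefficients of y'(t)

    def horner(t):
        acc = 0
        for c in reversed(deriv):
            acc = (acc * t + c) % n
        return acc

    return [horner(b) for b in bs]


def precompute(bs, e=E, n=N):
    """Depends on the constants only: 1/p_i and w(0) = sum b_i^e / p_i (= v)."""
    pinv = [inv(p, n) for p in yprime_direct(bs, n)]   # needs b_i - b_j invertible mod N
    v = sum(pow(b, e, n) * q for b, q in zip(bs, pinv)) % n
    return pinv, v


def recover(cs, pinv, v, e=E, n=N):
    """Real time, O(e) multiplications: w(x) = sum c_i / p_i = e x + v, so x = (w - v) / e."""
    w = sum(c * q for c, q in zip(cs, pinv)) % n
    return (w - v) * inv(e, n) % n


def recover_general(cs, a_s, bs, e=E, n=N):
    """c_i = (a_i x + b_i)^e: multiply by a_i^{-e} to get (x + b_i / a_i)^e, then attack."""
    bs_norm = [b * inv(a, n) % n for a, b in zip(a_s, bs)]
    cs_norm = [c * inv(pow(a, e, n), n) % n for c, a in zip(cs, a_s)]
    pinv, v = precompute(bs_norm, e, n)
    return recover(cs_norm, pinv, v, e, n)


BS = [0, 1, 5, 12, 99, 1000, 4321]          # constructed known offsets b_i, pairwise distinct


def demo(x=123456789):
    """Constructed instance of the slide's setting: c_i = (x + b_i)^e mod N."""
    cs = [pow((x + b) % N, E, N) for b in BS]
    pinv, v = precompute(BS)
    return recover(cs, pinv, v)


def demo_general(x=123456789):
    """Constructed instance with non-trivial a_i, handled by the normalization above."""
    a_s = [1, 2, 3, 4, 5, 6, 7]
    cs = [pow((a * x + b) % N, E, N) for a, b in zip(a_s, BS)]
    return recover_general(cs, a_s, BS)


if __name__ == "__main__":
    print("recovered x =", demo(), "and", demo_general())
```

Because the $p_i$ and $w(0)$ never touch a cryptogram, an attacker who sees many messages sent with the same known offsets pays the pre-computation once; with the inverses $p_i^{-1}$ stored, each new instance costs $e$ multiplications, one subtraction and one multiplication by $e^{-1}$. The check `precompute(BS)[1] == sum(BS) % N` is the scalar $v$ of the new lemma in the $x_i = x + b_i$ case.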
17
(Reminder: Adopted lemmas)
1. Let $y(x) = \prod_{j=0}^{n} (x - x_j)$. Then $y'(x_i) = \prod_{j=0,\, j \neq i}^{n} (x_i - x_j)$.
2. $h[x_0, \ldots, x_k] = \sum_{i=0}^{k} \frac{h(x_i)}{y'(x_i)}$, with $y$ as in 1 and $n = k$.
18
More about the computational complexity of the pre-computation
To compute $y'(x_i) = \prod_{j \neq i} (b_i - b_j)$ over $i = 0, \ldots, e-1$ do:
1. $y(x) = \prod_{j=0}^{e-1} (x - b_j)$, ($O(e \log^2 e)$).
2. Compute the derivative of the above, ($O(e)$).
3. Simultaneously evaluate the value of the derivative in the given points, ($O(e \log^2 e)$) [AHU] (recall that DFT takes $O(e \log e)$).
19
Why is the special case more efficient?
When $x_i = ax + ib$ (w.l.o.g. assume $x_i = x + i$) the divided difference reduces to a much simpler finite difference of the form:
$$\Delta^{(0)} f(x) = f(x), \qquad \Delta^{(n)} f(x) = \Delta^{(n-1)} f(x+1) - \Delta^{(n-1)} f(x).$$
Lemma: $\Delta^{(n)} x^e \equiv \sum_{i=0}^{n} (-1)^{n-i} \binom{n}{i} (x+i)^e \pmod N$.
20
Finite difference continued…
Instead of applying the finite difference $e-1$ times, use the previous formula to compute $w(x) = \Delta^{(e-1)} x^e = e!\, x + v$. But this time $v$ has a simple form ($v = e!\, (e-1)/2$), so there is no pre-computation.
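The special case $c_i = (ax + ib)^e$ worked through as an added example (my code, not the authors'). `binomial_difference` is the one-shot formula of the lemma above and `forward_differences` applies $\Delta$ repeatedly, so the two can be compared; `recover_special` then inverts the closed form $\Delta^{(e-1)} (ax+ib)^e = e!\, b^{e-1}\,(ax + (e-1)b/2)$, which is the identity behind the formula on the "A Special Case" slide. The recovery divides by $a$, $b$, $e!$ and $2$ modulo $N$, which is fine whenever they are nonzero and smaller than the prime factors of $N$; the toy modulus, $e = 7$ and the values of $a$, $b$ and $x$ are constructed.

```python
from math import comb, factorial

# Constructed toy RSA parameters (hypothetical small primes, e = 7): insecure, example only.
P, Q = 1000003, 1000033
N = P * Q
E = 7


def inv(a, n=N):
    """Modular inverse (Python >= 3.8); raises ValueError if gcd(a, n) != 1."""
    return pow(a, -1, n)


def forward_differences(values, n_times, n=N):
    """Delta^(n) f(x) by differencing the sequence f(x), f(x+1), ... n_times times."""
    seq = list(values)
    for _ in range(n_times):
        seq = [(seq[i + 1] - seq[i]) % n for i in range(len(seq) - 1)]
    return seq[0]


def binomial_difference(values, n_times, n=N):
    """Closed form of the lemma: Delta^(n) f(x) = sum_i (-1)^(n-i) C(n,i) f(x+i)."""
    return sum((-1) ** (n_times - i) * comb(n_times, i) * values[i]
               for i in range(n_times + 1)) % n


def recover_special(cs, a, b, e=E, n=N):
    """c_i = (a x + i b)^e for i = 0..e-1.  Seen as a degree-e polynomial in i, its
       (e-1)-th difference is e! b^(e-1) (a x + (e-1) b / 2): one binomial sum, no pre-computation."""
    d = binomial_difference(cs, e - 1, n)
    lead = d * inv(factorial(e) * pow(b, e - 1, n) % n, n) % n     # = a x + (e-1) b / 2
    return (lead - (e - 1) * b * inv(2, n)) * inv(a, n) % n


def demo(x=987654321, a=3, b=11):
    """Constructed instance: the e cryptograms of a x + i b, i = 0..e-1, under the toy key."""
    cs = [pow((a * x + i * b) % N, E, N) for i in range(E)]
    return recover_special(cs, a, b)


if __name__ == "__main__":
    print("recovered x =", demo())
```

Nothing here depends on the cryptograms except the final sum, which is why the "pre-comp" column for this case is 0: the binomial coefficients and $e!$ are fixed by $e$ alone, and $b^{e-1}$ is one exponentiation.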
21
Compare Results
                      # of cryptograms   pre-comp           real-time
Coppersmith et al     2                  0                  O(e log^2 e)
Newton                e                  O(e^(log_2 7))     O(e)
Our main result       e                  O(e log^2 e)       O(e)
Our special case      e                  0                  O(e)
22
Acknowledgments and References?
ACKNOWLEDGEMENTS:
Peter Montgomery
Gideon Yuval