From the previous lecture…
p, q, n:=pq
π (π) ,π ,π ,π
B
π ,π
Secret π π=ππ(ππππ) π=ππ(ππππ)
Cristina Onete || 25/09/2014 || 2
π ,π
Textbook RSA (V)
Security:
• Is encryption secure?
$c = m^e \pmod{n}$
• Can we recover the secret key?
Key recovery as hard as factorizing
• Can we recover in any other way?
Values are long-term
Each maps to unique
Deterministic
Textbook RSA (VI)
Security:
• Plaintext recovery: can't find from
• IND-CPA/IND-CCA: can't say anything about
Encryption is deterministic: can always distinguish m from m'
Not guaranteed if few possible messages
Try out all alternatives – find plaintext
OK if chosen at random from large set
• Not very secure; but we can improve it
Textbook RSA ++
Improving Textbook RSA:
Secret pre-processing RSA encryption
pre-processing
Security will depend on this step
PKCS and Bleichenbacher
Preprocessing with PKCS1, mode 2
• Pad with random number (make it probabilistic)
00 | 02 | random pad | FF | message (1024 bits)
• Bleichenbacher '98: use the regularity of the ciphertext (they must start with "00|02") to recover plaintext!
PKCS and Bleichenbacher (II)
Core idea
Ciphertext
Decrypt
Does m start with "00|02"?
Continue
ERROR!
Attacker starts with ciphertext
• Re-randomize it:
• Is it PKCS? Repeat until you know rM starts with 00|02
• Move to next part of message
ciphertexts
Contents
Pre-processing
• How OAEP works
• Improvements on OAEP
• Hash Functions; Random Oracles (brief)
Attacks on factoring – generic
• Pollard's
• Pollard-
Unsafe modes for RSA
• Small sk: Wiener's attack
Some physical attacks
• Small pk and related ciphertexts
The OAEP Function
A new pre-processing function: OAEP
• OAEP = Optimal Asymmetric Encryption Padding
• By Bellare & Rogaway, 1994; in RFC 2437
m pad r
G
H
YX
bits bits bits
K = size of n=pq
= parameters (to be set)
G, H = hash functions
= bit XOR
The OAEP Function
In detail: OAEP
m pad r
G
Hash functions
• A box with input of any size, and output of fixed size
In this case: input is bits, output is
• Collision-resistance: can't find with
• Random oracles: always outputs new string
Outputs consistently: consistent
The OAEP Function
In detail: OAEP
m pad r
G
How it works:
r: random, bits
G: $G(r) = \alpha_0$
$X = (m \,\|\, \mathrm{pad}) \oplus \alpha_0$
The OAEP Function
In detail: OAEP
How it works:
H: $H(X) = \alpha_1$
$Y = r \oplus \alpha_1$, with r random
RSA-OAEP Decryption
are random oracles Hard to invert
How do we decrypt?
Go in reverse: receive
Decrypt:
m pad r
G
H
YX
$H(X) = \alpha_1$
$Y \oplus \alpha_1 = r$
$Y \oplus H(X) = r$
Decrypt: $r = H(X) \oplus Y$
Recover:
$G(r) = \alpha_0$
$(m \,\|\, \mathrm{pad}) \oplus \alpha_0 = X$
$(m \,\|\, \mathrm{pad}) \oplus G(r) = X$
$m \,\|\, \mathrm{pad} = G(r) \oplus X$
Retrieve:
Check: pad has the right format
The OAEP Function
In detail: OAEP
• Functions are random oracles: that is, they give random output. In practice: use SHA-1
• Randomness chosen freshly every time
• How about the padding?
m pad r
• Original OAEP: ([BR94])
• OAEP+: with W a random oracle ([S01])
Improving OAEP: SAEP
m W(m,r) r
H
YX
bits bits bits
• No need for function
• Function is random oracle. Input size: bits. Output size: bits
Contents
Pre-processing
• How OAEP works
• Improvements on OAEP
• Hash Functions; Random Oracles (brief)
Generic attacks on factoring
• Small Small or
• Pollard-
Unsafe modes for RSA
• Small sk: Wiener's attack
Some physical attacks
• Small pk and related ciphertexts
Attacks on RSA
For the remainder of this lecture
We =
1st goal:
• Given something of the form , find
Strategies:
• Generic: factor . Given , easy to recover
• Specific: retrieve plaintext without factoring
Small
Easy case: we are given and
• If are prime, then
• Given and
Calculate: This gives:
Also:
So:
and: $\sqrt{(n - \varphi(n) + 1)^2 - 4n}$
Factorization: and
Small
Hard case: we are given only
Try to guess
Use:
Then:
Algorithm SmallDiff:
Input
Complexity parameter
Write
Let .
Note: are odd. Thus: and are even
IF is a square (it is equal to for a positive integer )
THEN: if and are prime, Output and
ELSE:
While DO
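Both cases of the "small difference" slides as an added example (not code from the lecture), usable as a key-generation sanity check. The easy case uses the square root of (n - phi(n) + 1)^2 - 4n; the hard case is written as a Fermat-style search for a with a^2 - n a perfect square, which is an assumption about what the incomplete SmallDiff listing does. Function names and the step budget are hypothetical.

```python
from math import isqrt


def factor_from_phi(n: int, phi: int):
    """Easy case: recover (p, q) from n and phi(n)."""
    s = n - phi + 1                      # p + q
    disc = s * s - 4 * n                 # (p - q)^2
    if disc < 0:
        raise ValueError("phi does not match n")
    root = isqrt(disc)                   # p - q
    if root * root != disc or (s - root) % 2:
        raise ValueError("phi does not match n")
    return (s - root) // 2, (s + root) // 2


def small_diff_factor(n: int, max_steps: int):
    """Hard case: only n is known. Try a = ceil(sqrt(n)), a + 1, ... and
    stop when a^2 - n is a square b^2, so that n = (a - b)(a + b)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None                          # primes are not close within the budget


def primes_too_close(n: int, max_steps: int = 1 << 16) -> bool:
    """Key-generation check: reject a modulus that the search above factors."""
    return small_diff_factor(n, max_steps) is not None
```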
Small or : Pollard's
Attack on factoring – bad (p-1)
• Vulnerability: with one small prime
• Pollard's-(p-1) factors in steps if smallest factor
If is small, then this method is fast
• Idea: if is prime, then is not
Since all are odd (impair), is even
We are hoping has only small factors and we will try to retrieve them all
Obviously will have 2 as a factor
All in the same set
Small or : Pollard's
Attack on factoring – bad (p-1)
• Vulnerability: with one small prime
• Supposition:
• How large can be for each ?
Well, for any , so
• Start with definite upper bound:
As , any divides . So divides
$1 \le a < p$: $a^{p-1} = 1 \pmod{p}$ So
Small or : Pollard's
Attack on factoring – bad (p-1)
• Vulnerability: with one small prime
As , any divides . So divides
$1 \le a < p$: $a^{p-1} = 1 \pmod{p}$ So
Pick random
Check that
π dividesππ β1
• If : then . Hooray!
• If and
With high probability
Then
Else, pick a new a
Exercise time!
Write pseudocode for Pollard's
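One possible answer to the exercise, as an added example (not the lecturer's solution): the p-1 method in runnable form. It assumes the exponent is built up as k! for k up to a smoothness bound, so that p-1 divides it as soon as all prime-power factors of p-1 are at most k; the function name, the bound parameter and the fixed base are hypothetical.

```python
from math import gcd


def pollard_p_minus_1(n: int, bound: int, base: int = 2):
    """Return a non-trivial factor of n if some prime p | n has p-1 dividing
    bound!, otherwise None (a key generator would want None here)."""
    g = gcd(base, n)
    if 1 < g < n:
        return g                      # the base already shares a factor with n
    a = base % n
    for k in range(2, bound + 1):
        a = pow(a, k, n)              # a = base^(k!) mod n
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g                  # p divides a - 1 but q does not
        if g == n:
            return None               # every prime factor hit at once: new base needed
    return None


# Constructed sample moduli:
#   2521 - 1 = 2^3 * 3^2 * 5 * 7 (smooth), 10007 - 1 = 2 * 5003 (not smooth)
WEAK_N = 2521 * 10007
#   10009 - 1 = 2^3 * 3^2 * 139, so neither prime is caught with bound 20
BETTER_N = 10007 * 10009
```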
So far
Small
• Given and : calculate
Take:
Factorization: and
• Given : verify values of for integer
For each check if is integer
If so, if are prime then: Output
Else, next and repeat procedure
So far
Small
Pick random
Check that
• If : then . Hooray!
• If and
With high probability
Then
Else, pick a new a and repeat
Pollard's
General factorization attack (are we lucky?)
• Strategy: find specific small such that
Most likely then,
• Imagine we could calculate
Say we had:
• Suppose we find such that , then:
ππ’βππ£=0(ππππ) divides
Then with high probability
• But, we don't know . We do this .
Pollard's
• Strategy: we compute:
• Choice: speed vs. storage
• Find: such that
• With high probability
• Storage: method as above. Need to store all
• Speed: Floyd's cycle finding algorithm:
• and
• Mod n:
Only checking pairs at a time
Floyd's Cycle-Finding Alg.
Source: http://home.online.no/~vlaenen/
Exercise time!
Put the method (with Floyd's cycle-finding algorithm) in pseudocode/algorithm form!
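One possible answer to the exercise, as an added example (not the lecturer's solution): the method with Floyd's cycle finding, where a slow and a fast walker advance one and two steps per round and only one pair of values is stored. The iteration function x -> x^2 + c mod n, the start value and the function name are assumptions; the slides' own choice did not survive on this page.

```python
from math import gcd


def pollard_rho_floyd(n: int, x0: int = 2, c: int = 1, max_iter: int = 100_000):
    """Return a non-trivial factor of n, or None if this (x0, c) fails."""

    def step(x: int) -> int:
        return (x * x + c) % n        # all arithmetic is done mod n

    slow = fast = x0
    for _ in range(max_iter):
        slow = step(slow)             # one step
        fast = step(step(fast))       # two steps
        g = gcd(abs(slow - fast), n)  # a collision mod p shows up in the gcd
        if g == n:
            return None               # walkers met mod n itself: retry with other c
        if g > 1:
            return g
    return None


# Constructed sample: 8051 = 83 * 97.
# Rounds: (5, 26) -> gcd 1, (26, 7474) -> gcd 1, (677, 871) -> gcd(194, 8051) = 97
SAMPLE_N = 8051
```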
Unsafe Modes for RSA
Small public key
• More receivers with same small (different )
• Same plaintext is sent to users
ππ
ππ(ππππ 1)
ππ(ππππ 2)
ππ(ππππ 1)
ππ(ππππ 1)
π
Unsafe Modes for RSA
Small public key
• One receiver with small (different )
• Two related plaintexts: and
• If knows the relationship of the messages, she can use polynomial multiplication to find
Recommended
• e =
• This leads to fast encryption
More Unsafe Modes
Small secret key
• Better for decryption: makes it more efficient
$ed = 1 \pmod{\varphi(n)}$
$ed = 1 \pmod{\mathrm{LCM}(p-1, q-1)}$
Math "magic"
• Use: least common multiple LCM
$\mathrm{LCM}(p-1, q-1) = \frac{(p-1)(q-1)}{\mathrm{GCD}(p-1, q-1)}$, where $G = \mathrm{GCD}(p-1, q-1)$
$ed = 1 + \frac{K}{G}(pq - p - q + 1)$
Divide by dpq
$\frac{e}{pq} = \frac{1}{dpq} + \frac{K}{dG} - \frac{K}{dGq} - \frac{K}{dGp} + \frac{K}{dGpq}$
$\frac{e}{pq} - \frac{1}{dpq} + \frac{K}{dG}\left(\frac{1}{p} + \frac{1}{q} - \frac{1}{pq}\right) = \frac{K}{dG}$
More Unsafe Modes
Small secret key
• If is small, then .
$\frac{K}{dG} = \frac{e}{pq} - \frac{1}{dpq} + \frac{K}{dG}\left(\frac{1}{p} + \frac{1}{q} - \frac{1}{pq}\right)$
• If is small, then .
Tend to 0
β ππβ 1
$\left|\frac{K}{dG} - \frac{e}{pq}\right| = \left|\frac{K}{dG}\left(\frac{1}{p} + \frac{1}{q} - \frac{1}{pq}\right) - \frac{1}{dpq}\right| \le \frac{1}{\sqrt{pq}} < \frac{1}{2(dG)^2}$
• This means that converges towards
• Continued fractions and some trial and error gives d
Physical Attacks
Implementation: Square and Multiply
π=ππ(ππππ)
• Standard way to do exponentiation
• Write in binary []. Set For DO:
• If then set
• Else, set
Square AND Multiply
Square
• Example:
i 7 6 5 4 3 2 1 0
m
Physical Attacks
Implementation: Square and Multiply
π=ππ(ππππ)
• Time the operation and write out the order of ops
Timing attack: multiply takes longer than square
M, Sq, Sq, M, Sq, Sq, M, Sq, M, Sq, Sq, M
• Retrieve key from inverse Square and Multiply
Power attack: multiply burns more than square
• Retrieve for smartcards
Source: http://www.dbs.com.hk/
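Why the operation order gives the exponent away, and what a uniform schedule looks like, as an added example (not code from the lecture). The first routine is left-to-right square-and-multiply with its operation trace recorded; the second is a Montgomery ladder, chosen here as the countermeasure, which performs one multiply and one square per bit whatever the bit is. Python integers are not constant-time, so the ladder only illustrates the schedule; all names are hypothetical.

```python
def square_and_multiply(base: int, exp: int, mod: int):
    """Return (base^exp mod mod, trace); the trace depends on the bits of exp."""
    result, ops = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops.append("Sq")
        if bit == "1":
            result = result * base % mod
            ops.append("M")
    return result, ops


def bits_from_trace(ops):
    """Read the exponent back from a trace: Sq followed by M is 1, else 0."""
    bits = ""
    for i, op in enumerate(ops):
        if op == "Sq":
            followed_by_m = i + 1 < len(ops) and ops[i + 1] == "M"
            bits += "1" if followed_by_m else "0"
    return bits


def montgomery_ladder(base: int, exp: int, mod: int):
    """Same result, but every bit costs exactly one multiply and one square."""
    r0, r1, ops = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r1, r0 = r0 * r1 % mod, r0 * r0 % mod
        ops += ["M", "Sq"]
    return r0, ops
```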
CIDRE
Thanks!