Cryptography. Course 2: attacks against RSA. Jean-Sébastien Coron. September 26, Université du Luxembourg

Similar documents
Cryptosystem. Diploma Thesis. Mol Petros. July 17, Supervisor: Stathis Zachos

Finding Small Roots of Bivariate Integer Polynomial Equations Revisited

RSA Attacks. By Abdulaziz Alrasheed and Fatima

The Mathematical Cryptography of the RSA Cryptosystem

Factoring N = p r q for Large r

CRYPTANALYSIS OF RSA USING ALGEBRAIC AND LATTICE METHODS

A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers

Dit proefschrift is goedgekeurd door de promotor: prof.dr.ir. H.C.A. van Tilborg Copromotor: dr. B.M.M. de Weger

An Introduction to the RSA Encryption Method

The van Hoeij Algorithm for Factoring Polynomials

Index Calculation Attacks on RSA Signature and Encryption

Public Key Cryptography: RSA and Lots of Number Theory

Factorization Algorithms for Polynomials over Finite Fields

Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses

CIS 5371 Cryptography. 8. Encryption --

Lattice Attacks in Cryptography: A Partial Overview

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Advanced Cryptography

The application of prime numbers to RSA encryption

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

FACTORING SPARSE POLYNOMIALS

Computing exponents modulo a number: Repeated squaring

Solutions to Problem Set 1

Basic Algorithms In Computer Algebra

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

Polynomial Factoring. Ramesh Hariharan

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Factoring Algorithms

1 Lecture: Integration of rational functions by decomposition

Factoring. Factoring 1

Post-Quantum Cryptography #2

Introduction to Hill cipher

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Study of algorithms for factoring integers and computing discrete logarithms

Universal Padding Schemes for RSA

Integer Factorization using the Quadratic Sieve

Number Theoretic SETUPs for RSA Like Factoring Based Algorithms

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Some applications of LLL

Post-Quantum Cryptography #4

Modern Algebra Lecture Notes: Rings and fields set 4 (Revision 2)

Cryptography and Network Security Chapter 9

The Division Algorithm for Polynomials Handout Monday March 5, 2012

Evaluation Report on the Factoring Problem

References: Adi Shamir, How to Share a Secret, CACM, November 1979.

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Cryptography and Network Security

it is easy to see that α = a

Basics of Polynomial Theory

Factoring Algorithms

PROBLEM SET 6: POLYNOMIALS

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Inner Product Spaces

Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities

15. Symmetric polynomials

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

JUST THE MATHS UNIT NUMBER 1.8. ALGEBRA 8 (Polynomials) A.J.Hobson

On the coefficients of the polynomial in the number field sieve

SECURITY EVALUATION OF ENCRYPTION USING RANDOM NOISE GENERATED BY LCG

SOLVING POLYNOMIAL EQUATIONS

Evaluation of Digital Signature Process

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

The Mathematics of the RSA Public-Key Cryptosystem

A New Generic Digital Signature Algorithm

Factorization Methods: Very Quick Overview

THE FUNDAMENTAL THEOREM OF ALGEBRA VIA PROPER MAPS

Mathematics Course 111: Algebra I Part IV: Vector Spaces

Public-Key Cryptanalysis 1: Introduction and Factoring

1 Message Authentication

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

by the matrix A results in a vector which is a reflection of the given

Quotient Rings and Field Extensions

UNIVERSITY OF PUNE, PUNE BOARD OF STUDIES IN MATHEMATICS SYLLABUS

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Cubic Polynomials in the Number Field Sieve. Ronnie Scott Williams, Jr., B.S. A Thesis. Mathematics and Statistics

Module: Applied Cryptography. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

RSA and Primality Testing

HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Public-key cryptography RSA

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

On Efficiently Calculating Small Solutions of Systems of Polynomial Equations

Prime Numbers and Irreducible Polynomials

1.3 Polynomials and Factoring

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

7. Some irreducible polynomials

minimal polyonomial Example

An Overview of Integer Factoring Algorithms. The Problem

Table of Contents. Bibliografische Informationen digitalisiert durch

Hill s Cipher: Linear Algebra in Cryptography

Factoring Polynomials

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

2.3. Finding polynomial functions. An Introduction:

Chapter 1. Search for Good Linear Codes in the Class of Quasi-Cyclic and Related Codes

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

MATH 304 Linear Algebra Lecture 9: Subspaces of vector spaces (continued). Span. Spanning set.

Transcription:

Course 2: attacks against RSA Université du Luxembourg September 26, 2010

Attacks against RSA Factoring Equivalence between factoring and breaking RSA? Mathematical attacks Attacks against plain RSA encryption and signature Heuristic countermeasures Low private / public exponent attacks Provably secure constructions Implementation attacks Timing attacks, power attacks and fault attacks Countermeasures

RSA Key generation: Generate two large distinct primes p and q of same bit-size. Compute n = p q and φ = (p 1)(q 1). Select a random integer e, 1 < e < φ such that gcd(e,φ) = 1 Compute the unique integer d such that e d 1 mod φ using the extended Euclidean algorithm. The public key is (n, e). The private key is d.

RSA encryption Encryption Given a message m [0, n 1] and the recipent s public-key (n, e), compute the ciphertext: c = m e mod n Decryption Given a ciphertext c, to recover m, compute: m = c d mod n

Low private exponent attacks To reduce decryption time, one could use a small d Wiener s attack: recover d if d < N 0.25 Boneh and Durfee s attack (1999) Recover d if d < N 0.29 Based on lattice reduction and Coppersmith s technique Open problem: extend to d < N 0.5 Conclusion: devastating attack Use a full-size d

Low public exponent attack To reduce encryption time, one can use a small e For example e = 3 or e = 2 16 + 1 Coppersmith s theorem : Let N be an integer and f be a polynomial of degree δ. Given N and f, one can recover in polynomial time all x 0 such that f(x 0 ) = 0 mod N and x 0 < N 1/δ. Application: partially known message attack : If c = (B m) 3 mod N, one can recover m if m < N /3 Define f(x) = (B 2 k + x) 3 c mod N. Then f(m) = 0 mod N and apply Coppersmith s theorem to recover m.

Low public exponent attack Coppersmith s short pad attack Let c 1 = (m r 1 ) 3 mod N and c 2 = (m r 2 ) 3 mod N One can recover m if r 1, r 2 < N 1/9 Let g 1 (x, y) = x 3 c 1 and g 2 (x, y) = (x + y) 3 c 2. g 1 and g 2 have a common root (m r 1, r 2 r 1 ) modulo N. h(y) = Res x (g 1, g 2 ) has a root = r 2 r 1, with deg h = 9. To recover m r 1, take gcd of g 1 (x, ) and g 2 (x, ). Conclusion: Attack only works for particular encryption schemes. Low public exponent is secure when provably secure construction is used. One often takes e = 2 16 + 1.

Solving Modular polynomial equations Solving p(x) = 0 mod N when N is of unknown factorization: hard problem. For p(x) = x 2 a, equivalent to factoring N. For p(x) = x e a, equivalent to inverting RSA. Coppersmith showed (E96) that finding small roots is easy. When deg p = δ, finds in polynomial time all integer x 0 such that p(x 0 ) = 0 mod N and x 0 N 1/δ. Based the LLL lattice reduction algorithm. Can be heuristically extended to more variables.

Applications in cryptography Coppersmith s algorithm has numerous applications in cryptanalysis : Cryptanalysis of plain RSA when some part of the message is known : If c = (B + x 0 ) 3 mod N, let p(x) = (B + x) 3 c and recover x 0 if x 0 < N 1/3. Factoring n = p r q for large r (Boneh and al., C99). Applications in provable security : Improved security proof for RSA-OAEP with low-exponent (Shoup, C01).

Solving p(x) = 0 mod N Find a small linear integer combination h(x) of the polynomials : q ik (x) = x i N l k p k (x) mod N l For some l and 0 i < δ and 0 k l. p(x 0 ) = 0 mod N p k (x 0 ) = 0 mod N k q ik (x 0 ) = 0 mod N l. Then h(x 0 ) = 0 mod N l. If the coefficients of h(x) are small enough : Then h(x 0 ) = 0 holds over Z. x 0 can be found using any standard root-finding algorithm.

Solving x 2 + ax + b = 0 mod N. Illustration with a polynomial of degree 2 : Let p(x) = x 2 + ax + b mod N. We must find x 0 such that p(x 0 ) = 0 mod N and x 0 X. We are interested in finding a small linear integer combination of the polynomials : p(x), Nx and N. Then h(x 0 ) = 0 mod N. If the coefficients of h(x) are small enough : Then h(x 0 ) = 0 also holds over Z, which enables to recover x 0.

Howgrave-Graham lemma Given h(x) = h i x i, let h 2 = h 2 i. Howgrave-Graham lemma : Let h Z[x] be a sum of at most ω monomials. If h(x 0 ) = 0 mod N with x 0 X and h(xx) < N/ ω, then h(x 0 ) = 0 holds over Z. Proof : h(x 0 ) = h i x0 i = ( hi X i x ) i 0 X ( h i X i x ) i 0 hi X i X ω h(xx) < N Since h(x 0 ) = 0 mod N, this gives h(x 0 ) = 0.

Illustration of HG lemma 2N N 0 X

HG lemma The coefficients of h(xx) must be small: h(xx) is a linear integer combination of the polynomials p(xx) = X 2 x 2 + ax x + b q 1 (xx) = NX x q 2 (xx) = N We must find a small integer linear combination of the vectors: [X 2, ax, b], [0, NX, 0] and [0, 0, N] Tool: LLL algorithm.

Lattice and lattice reduction We must find a small linear integer combination h(xx) of the polynomials p(xx), xxn and N. Let L be the corresponding lattice, with a basis of row vectors : X 2 ax b NX N Using LLL, one can find a lattice vector b of norm : b 2(det L) 1/3 2N 2/3 X Then if X < N 1/3 /4, then h(xx) = b < N/2 Howgrave-Graham lemma applies and h(x 0 ) = 0.

Lattice Definition : Let u 1,...,u ω Z n be linearly independent vectors with ω n. The lattice L spanned by the u i s is L = { ω n i u i n i Z } i=1 If L is full rank (ω = n), then det L = det M, where M is the matrix whose rows are the basis vectors u 1,...,u ω. The LLL algorithm : The LLL algorithm, given (u 1,...,u ω ), finds in polynomial time a vector b 1 such that: b 1 2 (ω 1)/4 det(l) 1/ω

Solving p(x) = 0 mod N The previous bound gives x 0 N 1/3 /4. But Coppersmith s bound gives x 0 N 1/2. Technique : work modulo N k instead of N. Let q(x) = (p(x)) 2. Then q(x 0 ) = 0 mod N 2. q(x) = x 4 + a x 3 + b x 2 + c x + d. Find a small linear combination h(x) of the polynomials q(x), Nxp(x), Np(x), N 2 x and N 2. Then h(x 0 ) = 0 mod N 2. If the coefficients of h(x) are small enough, then h(x 0 ) = 0.

Details when working modulo N 2 Lattice basis : X 4 a X 3 b X 2 c X d NX 3 NaX 2 NbX NX 2 NaX Nb N 2 X N 2 Using LLL, one gets : h(xx) 2 (det L) 1/5 2X 2 N 6/5 If X N 2/5 /6, then h(xx) N 2 /3 and h(x 0 ) = 0.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information