1. Cryptography and attacks (or how to start WWIII with your home computer)
Ari Trachtenberg
2. [Figure: a letter from Alice to Bob passes through Marvin. Recoverable text: “Dear Bob, blah, blah, blah, ... gushy romantic nonsense ... serious demands ... you look like Superman ... Alice”]
3. • Caesar cipher
   a b c d e f g h i j k l m n o p q r s t u v w x y z
   D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• al-Kalka-shandi (1412): transposition, substitution
   h => g, e => f, l => q, o => r: hello -> gfqqr
• German enigma machine (WWII)
• Number theoretic schemes:
   “It is not possible to justify the life of any genuine professional mathematician on the ground of the 'utility' of his work.” -G.H. Hardy, A Mathematician’s Apology
4. • Rot-13
   hello → uryyb
• Permutation
   h => g, e => f, l => q, o => r
   hello → gfqqr
• Binary XOR (letters coded a = 1, …, z = 26 as 5-bit values)
   h     e     l     l     o
   01000 00101 01100 01100 01111
   10010 10111 00010 10101 00111  <= Random
   11010 10010 01110 11001 01000  <= Result
   z     r     n     y     h
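The three toy ciphers of slides 3 and 4 as runnable code. This is an added example, not part of the slides: the Caesar table (shift 3), Rot-13 (shift 13), the four-letter substitution, and the 5-bit XOR with the slide's random key, which decodes to the letters "rwbug" (18, 23, 2, 21, 7). Applying the XOR key twice recovers the plaintext, which is the one-time-pad property the slide's table illustrates.

```python
# Added example (not from the slides): the toy ciphers of slides 3 and 4 on "hello".
import string

ALPHABET = string.ascii_lowercase


def caesar(text, shift):
    """Shift each letter by `shift` places (slide 3's table is shift 3; Rot-13 is shift 13)."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)                   # leave non-letters alone
    return "".join(out)


def substitute(text, table):
    """Simple substitution: replace each letter by table[letter]; unmapped letters are kept."""
    return "".join(table.get(ch, ch) for ch in text)


def letters_to_codes(text):
    """Encode a = 1, b = 2, ..., z = 26 (the 5-bit values in the slide's XOR table)."""
    return [ALPHABET.index(ch) + 1 for ch in text]


def to_bitstrings(codes):
    """Render codes as 5-bit strings, e.g. 8 -> '01000'."""
    return [format(v, "05b") for v in codes]


def to_letters(codes):
    """Map 1..26 back to letters; 0 and 27..31 have no letter in this code and show as '?'."""
    return "".join(ALPHABET[v - 1] if 1 <= v <= 26 else "?" for v in codes)


def xor_codes(text, key):
    """XOR the 5-bit codes of text and key letter by letter (key must cover the text)."""
    if len(key) < len(text):
        raise ValueError("key must be at least as long as the text")
    return [t ^ k for t, k in zip(letters_to_codes(text), letters_to_codes(key))]


def xor_cipher(text, key):
    """One-time-pad style XOR; the same call with the same key decrypts (x ^ k ^ k == x)."""
    return to_letters(xor_codes(text, key))
```

Key letters that XOR to a value outside 1..26 cannot be printed in the slide's letter code; a real implementation keeps the 5-bit values (or bytes) rather than letters.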
5. • shift cipher
• substitution cipher
• Vigenère cipher
• DES
• Triple DES
7. Table of Contents
• Introduction
– review of number theory
– review of RSA
– Security of RSA basis
• Computational attacks
– “Intuitively obvious” attacks
– Bad choice of primes
– Netscape’s bug
• Implementation attacks
– Timing attacks
– Random faults (to err is not computer-like)
• Conclusions
– How to implement a “secure” RSA cryptosystem
9. 6 people: 15 keys!
10,000 people: 49 million keys!
(one secret key per pair of people: n(n − 1)/2 keys for n people)
10. [Figure: Alice’s letter to Bob (“Dear Bob, blah, blah, blah, ... do you like cs ... what is 0.5 in binary ... let’s go out ... Alice”) with the label “BOB” repeated all around it]
11. Modulo
   3 ≡ 15 ≡ 27 … (mod 12)
   a ≡ b (mod m) ⇔ ∃k s.t. a + km = b
Inverses
   3 ⋅ 7 ≡ 1 (mod 10)
   a a^{-1} ≡ 1 (mod m) ⇒ ∃k s.t. a a^{-1} + km = 1
Euler’s phi function
   φ(n) = # of integers < n that are relatively prime with n
   φ(n) = n ∏_{d | n, d prime} (1 − 1/d)
   φ(p) =          φ(pq) =
12. Order
   ord(a) (mod n) = smallest t ≥ 1 s.t. a^t ≡ 1 (mod n)   (defined when gcd(a, n) = 1)
   ord(3) (mod 10) = 4
Euler’s theorem
   ∀a with gcd(a, n) = 1: a^{φ(n)} ≡ 1 (mod n)
Euclid’s algorithm
   Given x and y, we can find A and B such that: Ax + By = gcd(x, y)
Discrete logarithm theorem
   g^x ≡ g^y (mod n) ⇔ x ≡ y (mod φ(n))   (for a generator g, i.e. ord(g) = φ(n))
14. Bob’s initialization:
• pick N_Bob = pq
• pick public key e_Bob
• finds secret key d_Bob: e_Bob d_Bob ≡ 1 (mod (p − 1)(q − 1))
Alice:
• message M
• public info: (e_Bob, N_Bob)
• private info: d_Alice
• encodes: C = M^{e_Bob} (mod N)
• (or signs): S = P_Alice(M) ≡ M^{d_Alice} (mod N)
Bob:
• decodes: C^{d_Bob} ≡ M^{e_Bob d_Bob} ≡ M (mod N)
• (or checks signature): S^{e_Alice} ≡ M^{d_Alice e_Alice} ≡ M (mod N)
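Slide 14's protocol in code, added as an example that is not part of the slides. The key p = 61, q = 53, e = 17 is a constructed toy (d comes out as 2753); the modular inverse is taken with Python's built-in pow(e, -1, φ), which runs the Euclidean algorithm of slide 12 underneath.

```python
# Added example (not from the slides): textbook RSA as on slide 14, toy sizes only.
def rsa_keygen(p, q, e):
    """Bob's initialization: N = pq, public e, secret d with e*d ≡ 1 (mod (p-1)(q-1))."""
    N = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # raises ValueError if gcd(e, phi) != 1
    return (e, N), (d, N)


def encrypt(public, M):
    """Alice encodes: C = M^e (mod N)."""
    e, N = public
    if not 0 <= M < N:
        raise ValueError("message must be an integer in [0, N)")
    return pow(M, e, N)


def decrypt(private, C):
    """Bob decodes: C^d = M^{ed} ≡ M (mod N) by Euler's theorem."""
    d, N = private
    return pow(C, d, N)


def sign(private, M):
    """Alice signs with her own key: S = M^{d_Alice} (mod N_Alice)."""
    d, N = private
    return pow(M, d, N)


def verify(public, M, S):
    """Bob checks the signature: S^{e_Alice} ≡ M (mod N_Alice)."""
    e, N = public
    return pow(S, e, N) == M % N
```

Note that without padding (slide 19, item 1) encrypt() is deterministic: the same M always yields the same C.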
15. Basis for RSA security (be afraid…be very afraid)
1. Factoring N = pq is hard to do
   or else can compute (p − 1)(q − 1) and use the Euclidean algorithm to get d and M
2. Getting the private key d is hard
   or else, given M^e can compute M^{ed} ≡ M (mod N)
3. Discrete logarithm is hard
   Given e and M^e (mod N), can we compute M?
16. Basis for RSA security (=>)
Factoring is as hard as computing “d”
• Given p, q, N = pq: φ(N) = (p − 1)(q − 1)
• By the Euclidean algorithm, we can solve for d, K:
   de + Kφ(N) = gcd(e, φ(N)) = 1
   ed ≡ 1 (mod φ(N))
17. Basis for RSA security (<=)
Computing “d” is as hard as factoring
Given <N, e> and d, we can factor N = pq “efficiently” using a probabilistic Las Vegas algorithm
1. Compute k = ed − 1, so that ed ≡ 1 (mod φ(N)) ⇒ φ(N) | k ⇒ ∀a with gcd(a, N) = 1, a^k ≡ 1 (mod N)
2. N has four square roots of 1 by CRT:
    1 (mod p),  1 (mod q) ⇒  1 (mod N)
    1 (mod p), −1 (mod q) ⇒  x (mod N)
   −1 (mod p),  1 (mod q) ⇒ −x (mod N)
   −1 (mod p), −1 (mod q) ⇒ −1 (mod N)
3. gcd(x − 1, N) = p
18. Basis for RSA security (<=)
Computing “x” with a Las Vegas algorithm
To compute x (expected run time is O((log N)^3)):
   Choose a random g ∈ Z_N^*.
   Compute g^k, g^{k/2}, g^{k/4}, …, g^{k/2^t} with k/2^t odd   (recall: k = ed − 1)
   With probability 0.5, one of these powers of g equals x: read from g^k downwards the sequence is
   1, 1, 1, …, x (or −1), …, ≠ 1
   (if the first value ≠ 1 is −1, pick another g)
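Both directions of slides 16 to 18 as code, added here as an example (not from the slides): from p and q to d (slide 16), the four square roots of 1 built by CRT (slide 17), and the Las Vegas walk that recovers a factor from a valid (e, d) pair (slide 18). The key p = 61, q = 53, e = 17, d = 2753 is a constructed toy; pow(e, -1, φ) stands in for the Euclidean algorithm.

```python
# Added example (not from the slides): d from the factors, and the factors from d.
import random
from math import gcd


def d_from_factors(e, p, q):
    """Slide 16: p, q give phi(N) = (p-1)(q-1) and then d with ed ≡ 1 (mod phi(N))."""
    return pow(e, -1, (p - 1) * (q - 1))


def square_roots_of_one(p, q):
    """Slide 17: the four square roots of 1 mod N = pq, via CRT.
    x ≡ 1 (mod p) and x ≡ -1 (mod q): write x = 1 + p*h with p*h ≡ -2 (mod q)."""
    N = p * q
    h = (-2 * pow(p, -1, q)) % q
    x = (1 + p * h) % N
    return sorted({1, x, N - x, N - 1})


def factor_from_d(N, e, d, rng=random):
    """Slide 18: Las Vegas recovery of a factor of N from a valid pair (e, d).

    k = ed - 1 is a multiple of phi(N), so g^k ≡ 1 (mod N) for every unit g.
    With k = k_odd * 2^t we square g^{k_odd} repeatedly; the first time the
    square is 1 we look at the value before it: if it is not ±1 it is a
    nontrivial square root x of 1 and gcd(x - 1, N) is p or q.
    """
    k = e * d - 1
    if pow(2, k, N) != 1:
        raise ValueError("(e, d) is not a valid key pair for N")
    t, k_odd = 0, k
    while k_odd % 2 == 0:
        k_odd //= 2
        t += 1
    while True:                                    # retry until a useful g turns up
        g = rng.randrange(2, N - 1)
        if gcd(g, N) != 1:                         # g itself shares a factor (unlikely)
            return gcd(g, N)
        y = pow(g, k_odd, N)
        if y == 1:                                 # the whole sequence is 1: useless g
            continue
        for _ in range(t):
            y_next = y * y % N
            if y_next == 1:
                if y == N - 1:                     # trivial root -1: useless g
                    break
                return gcd(y - 1, N)               # nontrivial root: a factor
            y = y_next
```

Each random g succeeds with probability about 1/2, which is where the "Las Vegas" expected running time on slide 18 comes from.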
19. Computational attacks
1) No bit padding (common sense)
   C = 2347809AE8 => “Attack at midnight!”
   (a table of known ciphertexts: 59820BCE84, 2347809AE8, 684930EFFF)
2) p and q are too close
   N = pq = p(p − c) ⇒ p² − cp − N = 0. Solve using the quadratic formula!
   In general, bad when (for some constant k): p − q < √p (log p)^k
20. 3) Netscape’s bug: generating p, q
   Random number generator: x_{i+1} = 7 · x_i (mod 13), SEED = 8
      8 · 7 (mod 13) = 4
      4 · 7 (mod 13) = 2    → p
      2 · 7 (mod 13) = 1
      1 · 7 (mod 13) = 7    → q
      7 · 7 (mod 13) = 10
     10 · 7 (mod 13) = 5
   N = pq. If we know SEED, we know p, q.
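Slide 20's toy generator as code, added here as an example (not from the slides): with seed 8 the outputs are 4, 2, 1, 7, 10, 5, and p and q are the 2nd and 4th outputs as on the slide. Because the key is a deterministic function of the seed, and this generator has only 13 possible seeds, regenerating every candidate recovers p and q from N; the real Netscape bug had the same shape, a seed derived from guessable values (time of day and process ids) instead of from a proper entropy source. The fresh_prime_candidate helper is an assumption about what a generator should do instead, not something the slide shows.

```python
# Added example (not from the slides): the toy generator x_{i+1} = 7 x_i (mod 13).
import secrets

MULTIPLIER, MODULUS = 7, 13          # toy parameters from slide 20


def toy_outputs(seed, count):
    """First `count` outputs of the slide's generator for this seed."""
    x, out = seed, []
    for _ in range(count):
        x = (MULTIPLIER * x) % MODULUS
        out.append(x)
    return out


def toy_keypair(seed):
    """Slide 20 takes p from the 2nd output and q from the 4th output."""
    out = toy_outputs(seed, 4)
    p, q = out[1], out[3]
    return p, q, p * q


def recover_factors(N):
    """Only 13 seeds exist, so every candidate (p, q) can be regenerated and matched
    against N. This is exactly 'if we know SEED, we know p, q', with the seed found
    by enumeration instead of being known outright."""
    for seed in range(MODULUS):
        p, q, n = toy_keypair(seed)
        if n == N:
            return seed, p, q
    return None


def fresh_prime_candidate(bits):
    """What key generation should use instead (assumption, not from the slide):
    an odd `bits`-bit candidate drawn from the operating system's CSPRNG."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1
```

The point for a defender is twofold: the seed must be unpredictable, and the generator's state must be large enough that enumeration is out of reach; the toy fails both.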
21. Computational attacks
4) p − 1 is the product of small primes ≤ B (Pollard ’74)
   a ≡ 2^{B!} (mod N)   (e.g. B = 5: a ≡ 2^{2·3·4·5})
   ⇒ a ≡ 2^{B!} ≡ 2^{(p−1)k} ≡ 1^k ≡ 1 (mod p)
   ⇒ p | gcd(a − 1, N)
5) Common modulus (Simmons): Fix N for all users; different keys e and d.
6) Blinding: Get advisor to sign “innocent” M' = r^e M: signed thesis!
   S' = (M')^d = (r^e M)^d = r^{ed} M^d ≡ r M^d (mod N)
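Items 4 and 6 of slide 21 as code, added here as an example (not from the slides). For Pollard's p − 1 the modulus N = 1009 · 1019 is constructed so that 1008 = 2^4 · 3^2 · 7 is 7-smooth while 1018 = 2 · 509 is not, so B = 7 finds 1009 and B = 5 finds nothing. For blinding, the toy key p = 61, q = 53, e = 17, d = 2753 and the blinding factor r = 7 are constructed; the unblinded value is a valid signature on the original M, which is why a signer must never sign raw, unpadded values it does not understand.

```python
# Added example (not from the slides): Pollard p-1 (slide 21, item 4) and blinding (item 6).
from math import gcd


def pollard_p_minus_1(N, B):
    """Return a nontrivial factor of N if some prime p | N has p-1 B-smooth, else None.

    a = 2^{B!} mod N is built incrementally (a <- a^j for j = 2..B). If (p-1) | B!
    then a ≡ 1 (mod p) by Fermat's little theorem, hence p | gcd(a - 1, N).
    """
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, N)
    g = gcd(a - 1, N)
    return g if 1 < g < N else None


def blind(public, M, r):
    """Slide 21 item 6: M' = r^e * M looks 'innocent' to the signer."""
    e, N = public
    if gcd(r, N) != 1:
        raise ValueError("blinding factor must be invertible mod N")
    return (pow(r, e, N) * M) % N


def sign_raw(private, M_prime):
    """The advisor signs whatever is presented: S' = (M')^d (mod N)."""
    d, N = private
    return pow(M_prime, d, N)


def unblind(N, S_blinded, r):
    """S' = (r^e M)^d = r * M^d, so multiplying by r^{-1} leaves M^d, a signature on M."""
    return (S_blinded * pow(r, -1, N)) % N


def verify(public, M, S):
    e, N = public
    return pow(S, e, N) == M % N
```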
22. More computational attacks
7) Low private exponent d
Theorem (Wiener ’90): Assume q < p < 2q and d < (1/3) N^{1/4} and e < φ(N).
   Given N, e, Marvin can recover d.
Proof: ed ≡ 1 (mod φ(N)) ⇒ ed − kφ(N) = 1
   ⇒ e/φ(N) − k/d = 1/(dφ(N))
   ⇒ |e/N − k/d| ≤ 1/d²
Running time: Compute convergents of continued fraction in linear time!
Fixes:
1. use e > N^{1.5}
2. Use CRT with big d and small d (mod p − 1) and d (mod q − 1)
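Wiener's attack from slide 22 as code, added as an example that is not part of the slides. The instance N = 90581 = 239 · 379, e = 17993 (so d = 5) is a constructed small example that satisfies the theorem's hypotheses; the convergents of the continued fraction of e/N are computed with the standard recurrence h_n = a_n h_{n−1} + h_{n−2}, k_n = a_n k_{n−1} + k_{n−2}, and each k/d is tried as the fraction from the proof. The two check functions at the end are the key-generation tests that correspond to the theorem's bound and to fix 1.

```python
# Added example (not from the slides): Wiener's low-private-exponent attack and its checks.
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients a_0, a_1, ... of num/den."""
    terms = []
    while den:
        a, r = divmod(num, den)
        terms.append(a)
        num, den = den, r
    return terms


def convergents(terms):
    """Yield (h_n, k_n) for each convergent h_n / k_n of the continued fraction."""
    h_prev2, h_prev1 = 0, 1
    k_prev2, k_prev1 = 1, 0
    for a in terms:
        h_prev2, h_prev1 = h_prev1, a * h_prev1 + h_prev2
        k_prev2, k_prev1 = k_prev1, a * k_prev1 + k_prev2
        yield h_prev1, k_prev1


def wiener_attack(N, e):
    """Each convergent k/d of e/N is a candidate. phi = (ed - 1)/k must be an
    integer and x^2 - (N - phi + 1) x + N = 0 must have integer roots p, q."""
    for k, d in convergents(continued_fraction(e, N)):
        if k == 0 or (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        s = N - phi + 1                      # p + q
        disc = s * s - 4 * N
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if p * q == N:
            return d, p, q
    return None


def private_exponent_is_small(N, d):
    """Wiener's condition d < N^{1/4} / 3, written as 81 d^4 < N to stay in integers."""
    return 81 * d ** 4 < N


def large_public_exponent_fix_holds(N, e):
    """Slide 22 fix 1: e > N^{1.5}, i.e. e^2 > N^3."""
    return e * e > N ** 3
```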
24. 2. Random faults (Boneh, DeMillo, Lipton ’97)
   x^y (mod pq) is computed by CRT from x^y (mod p) and x^y (mod q)
   x^y + error (mod p), x^y (mod q)  ⇒  x^y + error · p (mod pq)
   gcd(error · p, pq) = p
One error can lead to a factorization of N. Two errors are ok.
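Slide 24's fault attack simulated in code, added as an example that is not part of the slides: RSA signing split into a mod-p and a mod-q half and recombined by CRT, a fault injected into one half, and the gcd that recovers a factor. In this implementation the factor that leaks is the prime of the half that was computed correctly (a fault in the mod-p half leaves the two signatures congruent mod q, so gcd gives q); with both halves faulty the gcd is 1, which is the slide's "two errors are ok". safe_crt_sign is the standard countermeasure of verifying S^e ≡ M before releasing S. The key p = 61, q = 53, e = 17, d = 2753 is a constructed toy.

```python
# Added example (not from the slides): CRT signing, one injected fault, and the check that stops the leak.
from math import gcd


def crt_sign(M, d, p, q, fault_in=None):
    """S = M^d mod pq via CRT. fault_in in {None, 'p', 'q', 'both'} corrupts that half."""
    sp = pow(M, d % (p - 1), p)
    sq = pow(M, d % (q - 1), q)
    if fault_in in ("p", "both"):
        sp = (sp + 1) % p                   # simulated computation error in the mod-p half
    if fault_in in ("q", "both"):
        sq = (sq + 1) % q                   # simulated computation error in the mod-q half
    h = (pow(q, -1, p) * (sp - sq)) % p     # Garner recombination: S ≡ sp (mod p), S ≡ sq (mod q)
    return sq + q * h


def factor_from_faulty_signature(S_good, S_bad, N):
    """S_good and S_bad agree modulo the prime whose half was correct, so gcd(S_bad - S_good, N)
    is that prime; it is 1 when both halves were faulty."""
    return gcd(abs(S_bad - S_good), N)


def safe_crt_sign(M, e, d, p, q, fault_in=None):
    """Countermeasure: recompute S^e (mod N) and refuse to output a signature that fails."""
    N = p * q
    S = crt_sign(M, d, p, q, fault_in)
    if pow(S, e, N) != M % N:
        return None                         # a faulty signature never leaves the device
    return S
```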
25. Fancier attacks (mathematical basis)
LLL: Let L be a lattice spanned by w bases. Given these bases as input, LLL outputs v in L satisfying:
   ‖v‖ ≤ 2^{w/4} det(L)^{1/w}
Theorem (Coppersmith, ’97): Take N and poly. f(x) of degree d. Take X = N^{1/d − s} for some s ≥ 0. Given <N, f>, Marvin can efficiently find all integers |x0| < X satisfying f(x0) = 0 (mod N).
Lemma: Take poly. h(x) of degree d and pos. integer X. Suppose ‖h(xX)‖ < N/√d. If |x0| < X satisfies h(x0) = 0 (mod N), then h(x0) = 0 holds over the integers.
26. Fancier attacks
1. Hastad’s Broadcast Attack ’88 (low public exponent)
2. Franklin-Reiter Related Message Attack ’96
3. Coppersmith’s Short Pad Attack
4. Partial Key Exposure (BDF ’98)
   Theorem: For N = pq of size n bits, revealing the n/4 least-significant or n/4 most-significant bits is enough to factor N efficiently.
27. How to build a safe RSA cryptosystem (as of 2000)
1. Use long, random padding of messages
2. Use large secret key d (256 bits)
3. Use large public key e (65,537 is recommended)
4. Use primes p,q that are not too close and
not 1+ product of small factors
5. Do not reveal any part of your key.
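The checklist of slide 27 turned into a key-generation routine, added as an example that is not part of the slides, together with the "p and q too close" solver from slide 19 item 2 that motivates check 4. Padding (check 1) is a property of message formatting, not of the key, and is left out. Values the slides do not specify are assumptions: the gap threshold |p − q| > 2^(nlen/2 − 100) follows FIPS 186-4, the smoothness bound B = 2^16 is a chosen value, and the 320-bit modulus is for a quick demonstration only. The toy pair 1009, 1019 is constructed so that every check except the public exponent fails.

```python
# Added example (not from the slides): slide 27's checks as code, plus slide 19's close-prime solver.
import secrets
from math import gcd, isqrt


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases from the OS CSPRNG (trial division first)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits, seeded from the OS, never from the clock (slide 20)."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def is_smooth(n, B):
    """True if every prime factor of n is <= B, the condition Pollard p-1 (slide 21) exploits."""
    for f in range(2, B + 1):
        while n % f == 0:
            n //= f
        if n == 1:
            return True
    return n == 1


def factor_close_primes(N, max_gap):
    """Slide 19 item 2: if q = p - c for a small c then p^2 - c p - N = 0, so
    p = (c + sqrt(c^2 + 4N)) / 2. Try c = 0, 1, ..., max_gap."""
    for c in range(max_gap + 1):
        disc = c * c + 4 * N
        r = isqrt(disc)
        if r * r == disc and (c + r) % 2 == 0:
            p = (c + r) // 2
            q = p - c
            if q > 1 and p * q == N:
                return p, q
    return None


def check_rsa_key(p, q, e, B=1 << 16, min_gap_bits=None):
    """Return a list of problem codes; an empty list means slide 27's checks 2-4 pass."""
    problems = []
    nlen = (p * q).bit_length()
    if min_gap_bits is None:
        min_gap_bits = max(nlen // 2 - 100, 1)     # FIPS 186-4 style gap (assumption)
    if e != 65537:
        problems.append("e")                        # check 3: e = 65,537
    if abs(p - q).bit_length() <= min_gap_bits:
        problems.append("close")                    # check 4, first half (slide 19)
    if is_smooth(p - 1, B) or is_smooth(q - 1, B):
        problems.append("smooth")                   # check 4, second half (slide 21)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        problems.append("no-inverse")
        return problems
    d = pow(e, -1, phi)
    if d.bit_length() < 256:
        problems.append("small-d")                  # check 2: large d (slide 22)
    return problems


def generate_rsa_key(bits=320, e=65537):
    """Draw p, q from the OS CSPRNG and keep only a pair that passes check_rsa_key."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and not check_rsa_key(p, q, e):
            return p, q, e, pow(e, -1, (p - 1) * (q - 1))
```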
28. References
• Twenty Years of Attacks on the RSA Cryptosystem by Dan Boneh, Notices of the AMS, February 1999.
• Cryptography: Theory and Practice by Douglas R. Stinson, CRC Press, 1995.
• Cryptanalysis of Short RSA Secret Exponents by Michael J. Wiener, IEEE Transactions on Information Theory, May 1990.
• Sphere Packings, Lattices and Groups by J.H. Conway and N.J.A. Sloane, Springer-Verlag, 1993.