Andrea Baiocchi, DIET, Università di Roma “Sapienza” - “Sicurezza nelle Comunicazioni” - A.A. 2013-2014 1
Communications security
Lecturer: Andrea Baiocchi
DIET - University of Roma “La Sapienza” E-mail: [email protected]
URL: http://net.infocom.uniroma1.it/corsi/index.htm
University of Roma “Sapienza” DIET

Lecture 12
Attacks on RSA
[Sti02], Chap. 5 (pp. 155-225)
About algorithms and code

Create an army of perfect servants, capable of carrying out thankless tasks on your behalf, and you will be master of the world.
[N. Tartaglia, Il general trattato di numeri et misure, 1556-1560]

Microprogramming an inefficient algorithm does not make it efficient.
[Rausher’s law]

Question: what is the difference between c++ and c?
Answer: one.
RSA security

- All public key cryptography can offer is computational security.
- We cover the following RSA security issues:
  - choice of RSA algorithm parameters (exponents a and b);
  - RSA pitfalls tied to the mathematical structure of the RSA algorithm;
  - attacks on the RSA algorithm based on factorization of the modulus n (key-only attack);
  - making RSA encryption semantically secure (OAEP = Optimal Asymmetric Encryption Padding).
- As with other cryptosystems, timing and/or power analysis attacks on RSA implementations are possible.
The public exponent b

- Any number 1 < b < φ(n) is in principle acceptable, provided it can be inverted modulo φ(n), i.e. gcd(b, φ(n)) = 1.
  - So b must be odd and ≥ 3.
- It is possible to choose a fixed value of b, then to generate random primes p and q with the constraint gcd(b, (p–1)(q–1)) = 1.
  - Possible good choices of b are 3, 5, 17 = 2^4+1, 2^16+1.
- A fixed value of b = 3 can be taken.
  - Pros: low complexity of encryption and signature verification; easier distribution of public key info.
  - Cons: to make b coprime with (p–1)(q–1), p and q have to be chosen so that p and q are equal to 2 mod 3 (it can’t be p or q = 0 mod 3!); this can be done by generating a random number x and testing whether 6x+5 is prime.
Problems with public exponent b

- “Low exponent attack”
  - The attack works if a message m is encrypted b times using b coprime RSA moduli n_i, 1 ≤ i ≤ b; let c_i = m^b mod n_i, 1 ≤ i ≤ b.
  - The attack proceeds as follows: compute c satisfying c = c_i mod n_i, 1 ≤ i ≤ b, and 0 ≤ c < n_1·…·n_b, with the CRT. The message m equals the b-th root of c in Z.
  - The attack works because c’ = m^b satisfies the same constraints as c and the CRT solution is unique (mod n, where n = n_1·…·n_b) and m^b < n (why?); it is made possible since m is the same for all recipients, and it is practical if b is “low” (not of the order of n).
- It is essential that the public key be different for any different instance and use of RSA.
  - E.g. if RSA is used for signing messages and for encryption, two different values of b shall be chosen for these two functions.
The private exponent a

- Given the public key (n, b), any one of p, q, φ(n), a is sufficient to recover all the others.
  - Given p (q), the other prime is found immediately as q = n/p (p = n/q); then φ(n) is trivially computed and a is found as the multiplicative inverse of b modulo φ(n).
  - Given φ(n), we have n – φ(n) + 1 = p + q = s; then it is easily seen that p and q are the roots of the equation x^2 – sx + n = 0; a can be computed as above.
  - Given a, a Las Vegas kind of algorithm can be conceived to attempt the factorization of n with average-case success probability at least 1/2 (see [STIN02] p. 197; [BUCH04] p. 172).
  - In practice, if b is a sufficiently low integer, since a < φ(n), ab–1 is only a small factor times φ(n); the attacker can just try to guess such a small factor m, compute φ(n) as (ab–1)/m and then proceed as in the previous case.
Problems with private exponent a

- Given the decryption exponent of RSA, a, it is possible to factor n by means of a randomized algorithm.
  - This implies that computing a is essentially no easier than factoring n.
  - More importantly, from the practical side this tells us that if a is ever compromised, it is NOT sufficient to define a different private key; also n, and hence the whole set of RSA parameters, MUST be generated anew.
- M. Wiener has shown that a polynomial time algorithm can be defined to factor an RSA modulus n provided a < n^(1/4)/3 and q < p < 2q.
  - If the number of bits of n is k, this attack will succeed provided the binary representation of a has less than k/4–1 bits and p and q are not too far apart.
RSA pitfalls

- A basic problem of RSA is its mathematical structure, which lends itself to a number of attacks.
- One problem is the multiplicative property of RSA: if c_i (i = 1, 2) is the ciphertext of the plaintext m_i, then the ciphertext of the new plaintext m = m_1·m_2 is just c = c_1·c_2.
  - We’ll see how this opens some possible avenues of attack specific to RSA.
- Another problem arises if m^b < n; then no modulo reduction ever takes place, so that the plaintext can be recovered by just taking the b-th root of the ciphertext.
  - If a 128 bit AES key is being encrypted with RSA and b = 3, the resulting exponential is a 384 bit number, well below a typical choice of n.
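The two “no modular reduction” pitfalls above (the small-message case here, and the low-exponent broadcast case from the previous slide) reduce to the same computation: an exact integer b-th root, after a CRT step in the broadcast case. The following is an added example, not code from the lecture, on constructed toy moduli; it shows why textbook RSA needs randomized padding before the exponent is applied (see the OAEP slides).

```python
# Added example (not from the lecture slides): the two "no modular reduction"
# pitfalls of textbook RSA with b = 3, on constructed toy parameters.
from functools import reduce
from math import gcd

def iroot(c: int, b: int) -> int:
    """Largest integer x with x**b <= c (binary search); exact when c = m**b."""
    lo, hi = 0, 1 << ((c.bit_length() + b - 1) // b + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** b <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo

def crt(residues, moduli) -> int:
    """Unique 0 <= c < prod(moduli) with c = residues[i] mod moduli[i] (coprime moduli)."""
    N = reduce(lambda x, y: x * y, moduli)
    c = 0
    for ci, ni in zip(residues, moduli):
        Ni = N // ni
        c += ci * Ni * pow(Ni, -1, ni)      # Ni * Ni^-1 = 1 mod ni, = 0 mod the others
    return c % N

def small_message_pitfall(m: int, n: int, b: int = 3) -> int:
    """If m**b < n the ciphertext is m**b itself, so its b-th root in Z gives m back."""
    c = pow(m, b, n)
    return iroot(c, b)

def broadcast_pitfall(cts, moduli, b: int = 3) -> int:
    """Same m sent to b recipients with b coprime moduli: CRT gives m**b in Z,
    because m**b < n_1 * ... * n_b; then the b-th root gives m."""
    assert all(gcd(x, y) == 1 for i, x in enumerate(moduli) for y in moduli[i + 1:])
    return iroot(crt(cts, moduli), b)
```

With the constructed moduli 143, 323 and 667 and m = 42, the three ciphertexts are each reduced modulo their n_i, yet the CRT combination equals 42^3 exactly.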
Attacking the RSA algorithm

- Security of the RSA algorithm relies on the fact that modular exponentiation as used in RSA is deemed to be a one-way function.
- This ultimately relies on two facts:
  - computing a implies factoring n (i.e. no simpler means exist to recover a). This is not proved!
  - there is no efficient algorithm for factoring the integer n = pq. The complexity of the best known algorithms to date is subexponential, yet superpolynomial, i.e. O(e^(√(log(n)·log(log(n))))).
- The main attack on RSA focuses on factoring n.
  - To make this securely unfeasible with current and foreseeable technology and techniques, n should be at least a 1024 bit integer; therefore p and q must be at least 512 bit prime integers.
Integer factoring

- By factoring of an integer n we mean to find any factor of n (either prime or not).
  - Complete factorization can be obtained iteratively, if needed.
  - Factorization can be trivially pursued by trial division with all primes ≤ √n.
  - If n is not prime, n = p·q and one of the two factors must be no greater than √n, so that there must be at least one prime factor of n that is ≤ √n.
- There are many algorithms to factor integers, none efficient, unless special characteristics of n are given.
- The most used factoring algorithms are the quadratic sieve and, more recently, the number field sieve; their complexity is
  - Quadratic sieve: O(exp((1+o(1))·√(log(n)·log(log(n)))))
Pollard p–1 algorithm

- One of the simplest factoring algorithms.
- Assumes that n has a prime divisor p such that all prime powers dividing p–1 are not greater than a given B.
  - It is easily checked that then (p–1) | B!
  - We compute a = 2^(B!) (mod n); then a = 2^(B!) = 2^(m(p–1)) = 1 (mod p) (first equality since p is a factor of n; last one from Fermat’s little theorem).
  - Therefore p | (a–1) and p | n, hence p | d = gcd(a–1, n); d is clearly a non-trivial factor of n.
- The algorithm just sets B, computes a = 2^(B!) (mod n) and checks whether gcd(a–1, n) > 1; if that is the case, a factor of n is found.
  a ← 2; for j = 2:B do a ← a^j (mod n); endfor; d ← gcd(a–1, n)

Practical issues
- Computational complexity of the Pollard p–1 algorithm
  - The algorithm requires B–1 modular exponentiations, each requiring O(log2 B) modular multiplications.
  - The gcd can be computed in time O((log2 n)^3).
  - Overall complexity is O(B·log2 B·(log2 n)^2 + (log2 n)^3); if B is O((log2 n)^i) for some i, the algorithm has polynomial time.
- The penalizing trade-off of the Pollard p–1 algorithm is that for “small” values of B it can hardly succeed, whereas for B in the order of √n its complexity is no longer polynomial.
- It gives a useful indication though: an RSA modulus should not have a prime factor p such that p–1 has only small prime factors.
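The following is an added example (not from the lecture) that implements the slide’s loop a ← 2; a ← a^j (mod n) for j = 2..B; d ← gcd(a–1, n), and turns its final indication into a key-generation check: p and q are constructed toy primes, and `is_b_powersmooth` tests the slide’s sufficient condition that every prime power dividing p–1 is at most B (so that p–1 | B!).

```python
# Added example (not from the lecture slides): Pollard p-1 as on the slide,
# plus the "p-1 must not be smooth" check it motivates. Primes below are toy values.
from math import gcd

def pollard_p_minus_1(n: int, B: int) -> int:
    """a <- 2; for j = 2..B: a <- a^j mod n; d <- gcd(a-1, n).
    Returns a non-trivial factor of n, or 0 when d is 1 or n (B too small / too large)."""
    a = 2
    for j in range(2, B + 1):
        a = pow(a, j, n)                 # after the loop a = 2^(B!) mod n
    d = gcd(a - 1, n)
    return d if 1 < d < n else 0

def is_b_powersmooth(x: int, B: int) -> bool:
    """True if every prime power q^e exactly dividing x satisfies q^e <= B
    (the slide's hypothesis; it guarantees x | B!)."""
    f = 2
    while f <= B and f * f <= x:
        if x % f == 0:
            pe = 1
            while x % f == 0:
                x //= f
                pe *= f
            if pe > B:
                return False
        f += 1
    if f > B:                            # every prime <= B stripped: anything left is > B
        return x == 1
    return x <= B                        # here x is 1 or a prime

def modulus_is_resistant(p: int, q: int, B: int) -> bool:
    """Key-generation check: reject the pair if either p-1 or q-1 is B-powersmooth."""
    return not is_b_powersmooth(p - 1, B) and not is_b_powersmooth(q - 1, B)

if __name__ == "__main__":
    # Constructed toy primes: 2311 has p-1 = 2*3*5*7*11 (11-powersmooth);
    # 2039 and 2027 are safe primes, so p-1 = 2 * (large prime).
    print(pollard_p_minus_1(2311 * 2039, 11))   # 2311: the smooth factor is exposed
    print(pollard_p_minus_1(2039 * 2027, 11))   # 0: both p-1 and q-1 resist
    print(modulus_is_resistant(2039, 2027, 11)) # True
```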
Factoring in practice

- Early factoring: by exploiting the quadratic sieve, a 69-digit number was factored in 1983; a 106-digit number was factored in 1989 with distributed computations; in 1994 RSA-129 was factored, requiring 5000 MIPS-years donated by over 600 researchers around the world.
- RSA factoring challenge (ended 2007) and beyond: RSA-576, 174 decimal digits (December 2003); RSA-640, 193 decimal digits (November 2005); RSA-696, 210 decimal digits (September 2013); RSA-704, 212 decimal digits (July 2012); RSA-768, 232 decimal digits (December 2009).
- 1024 bit integers can be expected to be factored before 2020 …unless quantum computing comes to reality first!
Semantic security

- Attacks considered up to now aim at recovering the private key.
- The goal of the adversary can be less ambitious; still we would like the cryptosystem not to leak any information.
- The following are examples:
  - Total break: Oscar is able to determine Bob’s private key.
  - Partial break: with some non-negligible probability, Oscar is able to decrypt or gain some information about a previously unseen enciphered plaintext.
  - Distinguishability of ciphertexts: with probability exceeding 1/2, Oscar is able to distinguish between the encryptions of two different plaintexts or between an enciphered plaintext and a random bit string.
Distinguishability

- Ciphertext distinguishability problem (CDP) statement
  - Let f be an encryption function on the plaintext set X, f: X → X; a problem instance is given by any two distinct plaintexts x_1, x_2 ∈ X and a ciphertext y = f(x_i), i ∈ {1, 2}.
  - The problem is: i = 1?
- A semantically secure cryptosystem is one for which the CDP is unfeasible.
  - This can be shown to be equivalent to complete semantic security, i.e. nothing can be inferred about the plaintext.
- A deterministic cryptosystem f is clearly insufficient; we have to include some randomization element.
  - With a chosen plaintext attack, the CDP for a deterministic cipher is trivial.
Semantically secure cryptosystem

- Let m and k be positive integers, F a family of one-way trapdoor permutations on {0,1}^k, and G: {0,1}^k → {0,1}^m a random oracle.
- Then P = {0,1}^m, C = {0,1}^k × {0,1}^m and K = {(f, f^–1, G): f ∈ F}.
- For K = (f, f^–1, G), let r ∈ {0,1}^k be chosen randomly and let
  e_K(x) = (y_1, y_2) = (f(r), G(r) ⊕ x)
  d_K(y_1, y_2) = G(f^–1(y_1)) ⊕ y_2
- The private key is f^–1; the public key is (f, G).
- Major drawback: overhead (m+k bits required for an m bit plaintext).
Semantic security proof concept

- Intuition
  - The plaintext is “blinded” by means of a random oracle function applied to a random bitstring; since G is a random oracle function, full knowledge of its argument is required to evaluate it; on the other hand, this knowledge can be derived by inverting f, which is assumed to be unfeasible.
- Proof approach by reduction
  - Assume there exists an algorithm DISTINGUISH, which can solve the CDP correctly with probability ≥ 1/2 + ε for ε > 0.
  - The random oracle function is simulated by a random generator SIMG. It can be shown that there exists an efficient algorithm, exploiting DISTINGUISH and SIMG, that can invert f for a randomly chosen y = f(x) with probability bounded away from 0.
Optimal Asymmetric Encryption Padding

- Let m and k > m be positive integers, s = k–m, F a family of one-way trapdoor permutations on {0,1}^k, and G: {0,1}^s → {0,1}^m and H: {0,1}^m → {0,1}^s be random functions.
- Let P = {0,1}^m, C = {0,1}^k = {0,1}^(m+s) and K = {(f, f^–1, G, H): f ∈ F}.
- For K = (f, f^–1, G, H), let r ∈ {0,1}^s be chosen randomly and let
  y = e_K(x) = f(y_1 || y_2) with y_1 = x ⊕ G(r) and y_2 = r ⊕ H(x ⊕ G(r));
  d_K(y) = G(z_2 ⊕ H(z_1)) ⊕ z_1 with f^–1(y) = z = z_1 || z_2
Semantically secure RSA

- Let O(2^s) be the desired complexity for the attack and let m = k–s–1 > s, where k = floor(log2(n)).
  - E.g. s = 128 (to guarantee unfeasibility) and k = 1024.
- Let us define an expansion function G: {0,1}^s → {0,1}^m and a compression function H: {0,1}^m → {0,1}^s.
  - They may be constructed by using cryptographic hash functions.
- The plaintext x is an m-bit string and r is an s-bit random number.
  - Encryption: y = (2^s·(x ⊕ G(r)) + (r ⊕ H(x ⊕ G(r))))^b mod n
  - Decryption: 2^s·u + r ⊕ H(u) = y^a mod n = z, hence u = z div 2^s and r ⊕ H(u) =
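The RSA instantiation of OAEP on this slide, as an added example that is not part of the lecture: G and H are built from SHA-256 in counter mode (the slide only says “cryptographic hash functions”; this construction is an assumption), the RSA pair is textbook RSA on the constructed toy primes 1000003 and 999983, and the sizes follow the slide (k = floor(log2 n), m = k–s–1 > s), so the padded integer 2^s·y_1 + y_2 is always below n and decryption recovers r from the low s bits and then x = u ⊕ G(r).

```python
# Added example (not from the lecture slides): slide 19's OAEP-RSA on toy parameters.
import hashlib
import secrets
from math import gcd

def mask(tag: bytes, seed: int, seed_bits: int, out_bits: int) -> int:
    """Hash-based stand-in for the random functions (assumption): G when tag=b"G"
    (s -> m bits), H when tag=b"H" (m -> s bits). Counter-mode SHA-256, truncated."""
    seed_bytes = seed.to_bytes((seed_bits + 7) // 8, "big")
    out = b"".join(hashlib.sha256(tag + i.to_bytes(4, "big") + seed_bytes).digest()
                   for i in range((out_bits + 255) // 256))
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)

def toy_keys(p: int, q: int, s: int, b: int = 65537):
    """Textbook RSA pair from constructed toy primes plus the slide's sizes:
    k = floor(log2 n), m = k - s - 1 > s, hence 2^s*y1 + y2 < 2^k <= n."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(b, phi) == 1
    k = n.bit_length() - 1
    m = k - s - 1
    assert m > s, "s too large for this n"
    return (n, b), (n, pow(b, -1, phi)), m

def oaep_encrypt(x: int, pub, s: int, m: int, r=None) -> int:
    """y = (2^s*(x xor G(r)) + (r xor H(x xor G(r))))^b mod n, with a fresh s-bit r."""
    n, b = pub
    assert 0 <= x < (1 << m)
    r = secrets.randbits(s) if r is None else r
    y1 = x ^ mask(b"G", r, s, m)
    y2 = r ^ mask(b"H", y1, m, s)
    return pow((y1 << s) | y2, b, n)

def oaep_decrypt(y: int, priv, s: int, m: int) -> int:
    """z = y^a mod n; u = z div 2^s; r = (z mod 2^s) xor H(u); x = u xor G(r)."""
    n, a = priv
    z = pow(y, a, n)
    u, v = z >> s, z & ((1 << s) - 1)
    r = v ^ mask(b"H", u, m, s)
    return u ^ mask(b"G", r, s, m)
```

Encrypting the same 26-bit x twice yields two different ciphertexts, which is exactly the randomization the CDP slides require; with s = 128 and k = 1024 the same code applies to the parameters the slide suggests.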