Cryptography CS 555

Lecture 14-c

Attacks on RSA and Rabin Encryption

Fall 2004/Lecture 14 1
Summary of Number Theory Results Covered
• Z_p^* is a cyclic group
– has generators
• QR and QNR in Z_p^* can be easily determined by
computing the Legendre symbol
• Jacobi symbol (generalizes the Legendre symbol to
composites)
– can be computed without factoring n
– the Jacobi symbol does not determine QR in Z_n^*
– deciding QR in Z_n^* is hard
• Primality Testing
– Solovay-Strassen
– Rabin-Miller

Lecture Outline

• Attacks on RSA
• Rabin encryption scheme

Attacks on RSA

• Goals:
– recover the secret key d
• brute force key search: infeasible
• timing attacks
• mathematical attacks
– decrypt one message
– learn information from the ciphertexts

Factoring Large Numbers

• One idea many factoring algorithms use:
– Suppose one finds x^2 ≡ y^2 (mod n) such that x ≢ y (mod n)
and x ≢ -y (mod n). Then n | (x-y)(x+y), but neither (x-y)
nor (x+y) is divisible by n; thus gcd(x-y, n) is a non-trivial
factor of n.

Factoring when knowing e and d
• Fact: if n = pq, then x^2 ≡ 1 (mod n) has four solutions with
0 ≤ x < n.
– x^2 ≡ 1 (mod n) if and only if
both x^2 ≡ 1 (mod p) and x^2 ≡ 1 (mod q)
– Two trivial solutions: 1 and n-1
• 1 is the solution to x ≡ 1 (mod p) and x ≡ 1 (mod q)
• n-1 is the solution to x ≡ -1 (mod p) and x ≡ -1 (mod q)
– Two other (nontrivial) solutions:
• the solution to x ≡ 1 (mod p) and x ≡ -1 (mod q)
• the solution to x ≡ -1 (mod p) and x ≡ 1 (mod q)
– E.g., n = 3×5 = 15, then x^2 ≡ 1 (mod 15) has the solutions
1, 4, 11, 14

Factoring when knowing e and d

• Knowing a nontrivial solution x to x^2 ≡ 1 (mod n):
– compute gcd(x+1, n) and gcd(x-1, n); each is a nontrivial factor of n
• E.g., 4 and 11 are solutions to x^2 ≡ 1 (mod 15)
– gcd(4+1, 15) = 5
– gcd(4-1, 15) = 3
– gcd(11+1, 15) = 3
– gcd(11-1, 15) = 5

Factoring when knowing e and d

• Knowing e and d such that ed ≡ 1 (mod Φ(n)):
write ed - 1 = 2^s · r (r odd)
choose w at random such that 1 < w < n-1
if w is not relatively prime to n, then return gcd(w, n)
(if gcd(w, n) = 1, what is the value of w^(2^s · r) mod n?)
compute w^r, w^(2r), w^(4r), … by successive squaring
until finding w^(2^t · r) ≡ 1 (mod n); the value just before
that 1 is a square root of 1 mod n
Fails when w^r ≡ 1 (mod n), or when the value before the first 1
is w^(2^t · r) ≡ -1 (mod n), i.e., the square root found is trivial
Failure probability is less than ½ (proof is complicated)

Example: Factoring n given d

• Input: n = 2773, e = 17, d = 157
• ed - 1 = 2668 = 2^2 · 667 (r = 667)
• Pick random w, compute w^r mod n
– w = 7: 7^667 ≡ 1 (mod 2773), no good
– w = 8: 8^667 ≡ 471 (mod 2773), and 471^2 ≡ 1 (mod 2773), so 471
is a nontrivial square root of 1 mod 2773
– compute gcd(471+1, 2773) = 59
– gcd(471-1, 2773) = 47
– 2773 = 59 · 47

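The procedure of the last few slides (nontrivial square roots of 1, the gcd step, and the algorithm that starts from e and d), as an added worked example in Python. This is not code from the lecture: it reproduces the n = 2773, e = 17, d = 157 example and also enumerates the four square roots of 1 mod 15. The base w is tried in increasing order rather than at random so that a run is reproducible; the function names are my own.

```python
# Added example (not from the lecture slides): factoring an RSA modulus n
# from a known key pair (e, d), following the procedure on the slides.
# The only page-specific values are n=2773, e=17, d=157 from the worked example.
from math import gcd


def square_roots_of_one(n):
    """Brute-force all x in [0, n) with x^2 ≡ 1 (mod n); fine for tiny n
    such as n = 15, where the slides list 1, 4, 11, 14."""
    return [x for x in range(n) if (x * x) % n == 1]


def factor_from_nontrivial_root(x, n):
    """x is a nontrivial square root of 1 mod n (x != 1, x != n-1).
    n divides (x-1)(x+1) but neither factor, so the gcds split n."""
    p = gcd(x - 1, n)
    q = gcd(x + 1, n)
    assert p * q == n and 1 < p < n
    return tuple(sorted((p, q)))


def factor_from_ed(n, e, d, bases=None):
    """Factor n given e and d with e*d ≡ 1 (mod phi(n)).
    Writes e*d - 1 = 2^s * r with r odd, then for each base w computes
    w^r, w^(2r), ... by repeated squaring until a 1 appears; the value
    just before that 1 is a square root of 1 mod n. If it is not ±1, it
    factors n. Bases are tried deterministically (2, 3, ...) so the run is
    reproducible; the slides pick w at random, with success prob >= 1/2."""
    k = e * d - 1
    s = 0
    while k % 2 == 0:
        k //= 2
        s += 1
    r = k                      # e*d - 1 == 2**s * r, r odd
    if bases is None:
        bases = range(2, n - 1)
    for w in bases:
        g = gcd(w, n)
        if g != 1:             # lucky: w itself shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(w, r, n)
        if x == 1:             # w^r ≡ 1: this base tells us nothing
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:
                break          # x is a square root of 1 mod n
            x = y
        else:
            continue           # never reached 1; cannot happen when ed ≡ 1 mod phi(n)
        if x == n - 1:         # hit -1 just before 1: trivial root, try next base
            continue
        return factor_from_nontrivial_root(x, n)
    raise ValueError("no base produced a nontrivial square root of 1")


if __name__ == "__main__":
    print(square_roots_of_one(15))             # [1, 4, 11, 14]
    print(factor_from_nontrivial_root(4, 15))  # (3, 5)
    print(factor_from_ed(2773, 17, 157))       # (47, 59)
```

The same routine is the reason a modulus must never be shared between users: any one user's (e, d) pair is enough input to factor n and hence to derive every other user's private exponent for that modulus.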
Summary of Key Recovery Math-based Attacks on RSA
• Three possible approaches:
1. Factor n = pq
2. Determine Φ(n)
3. Find the private key d directly
• All are equivalent
– finding out d implies factoring n
– if factoring is hard, so is finding out d
• Should never have different users share one common modulus
– (why?)

Decryption attacks on RSA

• The RSA Problem: Given a positive integer n that
is a product of two distinct large primes p and q,
a positive integer e such that gcd(e, (p-1)(q-1)) = 1,
and an integer c, find an integer m such
that m^e ≡ c (mod n)
– it is widely believed that the RSA problem is
computationally equivalent to integer factorization;
however, no proof is known
• The security of the RSA encryption scheme
depends on the hardness of the RSA problem.

Other Decryption Attacks on RSA
Small encryption exponent e
• When e = 3, Alice sends the encryption of message M to
three people (public keys (e, n1), (e, n2), (e, n3))
– C1 = M^3 mod n1, C2 = M^3 mod n2, C3 = M^3 mod n3
• An attacker can compute a solution to the following
system (by the Chinese Remainder Theorem)
x ≡ C1 mod n1
x ≡ C2 mod n2
x ≡ C3 mod n3
• The solution x modulo n1·n2·n3 must be M^3
– since M is smaller than each n_i, M^3 < n1·n2·n3, so x equals
M^3 as an integer (no modulus!), and one can compute the
integer cube root
• Countermeasure: padding required

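The e = 3 broadcast attack as an added example in Python (not code from the lecture): the CRT solve followed by an exact integer root, written for a general small e sent to e recipients, of which the slide's e = 3 case is one instance. All moduli, primes and the message are constructed for this demo and marked as such in the code; the primes are ≡ 2 (mod 3) so that e = 3 is a valid exponent for each key. The names crt, integer_root and broadcast_attack are my own.

```python
# Added example (not from the lecture slides): the small-exponent broadcast
# attack with e = 3 and no padding. All moduli, primes and the message below
# are constructed for the demo; the primes are chosen ≡ 2 (mod 3) so that
# e = 3 is a valid RSA exponent for each key.
from functools import reduce
from math import gcd


def crt(residues, moduli):
    """Solve x ≡ r_i (mod n_i) for pairwise coprime moduli; returns (x, N)
    with x in [0, N) and N the product of the moduli."""
    N = reduce(lambda a, b: a * b, moduli, 1)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)    # pow(a, -1, m) = modular inverse (Python 3.8+)
    return x % N, N


def integer_root(x, e):
    """Exact integer e-th root of x, or None if x is not a perfect e-th power.
    Binary search for the smallest lo with lo**e >= x, then check equality."""
    lo, hi = 0, 1
    while hi ** e <= x:
        hi *= 2
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** e < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == x else None


def broadcast_attack(e, ciphertexts, moduli):
    """Recover m from e encryptions c_i = m^e mod n_i of the same unpadded m.
    CRT gives m^e mod (n_1 ... n_e); since m < every n_i, m^e < the product,
    so the CRT value IS the integer m^e and an ordinary e-th root recovers m."""
    x, _ = crt(ciphertexts, moduli)
    return integer_root(x, e)


# Constructed demo keys: three recipients, all with e = 3.
E = 3
MODULI = [101 * 113, 107 * 89, 83 * 71]        # 11413, 9523, 5893
MESSAGE = 4242                                # smaller than every modulus


def demo():
    """Encrypt MESSAGE for all three recipients and recover it from the
    three ciphertexts and public keys alone."""
    assert all(gcd(a, b) == 1 for a in MODULI for b in MODULI if a != b)
    ciphertexts = [pow(MESSAGE, E, n) for n in MODULI]   # what the attacker sees
    return broadcast_attack(E, ciphertexts, MODULI)


if __name__ == "__main__":
    print(demo())   # 4242
```

With randomized padding each recipient encrypts a different integer, so the CRT value is no longer a perfect cube and integer_root returns None; that is exactly why the slide lists padding as the countermeasure.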
Other Attacks on RSA
Forward Search Attack
• If the message space is small, the attacker can
create a dictionary of encrypted messages
(public key known, encrypt all possible
messages and store them)
• When the attacker ‘sees’ a message on the
network, he compares it against the stored encrypted
messages, and so finds out which particular message
was encrypted

Other Attacks on RSA

Small decryption exponent d

• Choosing a small exponent helps efficiency, BUT
• If the size of d is 1/4 the size of n (in bits) and gcd(p-1, q-1)
is small, there is a way to compute d from e and n only.
• Countermeasure: d should be about the same size
as n.

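The slide does not name the method; the continued-fraction attack (Wiener's attack) is one concrete way to compute d from e and n when d is small, and is shown here as an added Python example that is not code from the lecture. The key is constructed: two close primes and d = 101, which is well below n^(1/4)/3, so the theorem guarantees that k/d (with ed = 1 + k·φ(n)) appears among the convergents of e/n. The function names are my own.

```python
# Added example (not from the lecture slides): recovering a small private
# exponent d from (e, n) alone with the continued-fraction method
# (Wiener's attack). The key below is constructed: p and q are close primes
# and d = 101 is far below n^(1/4)/3.
from math import gcd, isqrt


def continued_fraction(num, den):
    """Partial quotients of num/den, e.g. 41/13 -> [3, 6, 2]."""
    cf = []
    while den:
        q, r = divmod(num, den)
        cf.append(q)
        num, den = den, r
    return cf


def convergents(cf):
    """Yield (h, k) with h/k the successive convergents of the fraction."""
    h_prev, h = 1, cf[0]
    k_prev, k = 0, 1
    yield h, k
    for a in cf[1:]:
        h, h_prev = a * h + h_prev, h
        k, k_prev = a * k + k_prev, k
        yield h, k


def wiener_attack(e, n):
    """Return (d, p, q) if e/n has a convergent k/d of the right shape.
    Because e*d = 1 + k*phi(n) and d is small, k/d is a convergent of e/n;
    each candidate gives phi = (e*d - 1)/k, and then p + q = n - phi + 1
    must make x^2 - (p+q)x + n split over the integers."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1              # candidate p + q
        disc = s * s - 4 * n         # (p - q)^2 if the guess is right
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0 \
                and pow(pow(2, e, n), d, n) == 2:   # candidate d really decrypts
            p, q = (s + root) // 2, (s - root) // 2
            return d, max(p, q), min(p, q)
    return None


# Constructed weak key: close primes and a 7-bit private exponent.
P, Q = 104729, 104723
N = P * Q
PHI = (P - 1) * (Q - 1)
D = 101
E = pow(D, -1, PHI)              # public exponent paired with the small d


def demo():
    """Run the attack on the public key (E, N) only."""
    assert gcd(D, PHI) == 1 and E * D % PHI == 1
    return wiener_attack(E, N)


if __name__ == "__main__":
    print(demo())   # (101, 104729, 104723)
```

The check pow(pow(2, e, n), d, n) == 2 rules out a spurious convergent that happens to pass the quadratic test; for a properly sized d (about the size of n, as the slide recommends) no convergent passes and the function returns None.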
The Rabin Encryption Scheme
• Motivation: The security of RSA encryption depends on
the difficulty of computing the e’th root modulo n, i.e.,
given C, it is difficult to find M s.t. M^e ≡ C (mod n).
• It is not known whether breaking this encryption is as difficult as
factoring.
• The Rabin encryption scheme is provably “secure” if
factoring is hard
– here “secure” means that it is hard to recover the plaintext from a ciphertext
• Idea: rather than using an odd prime as e, use 2
– f(x) = x^2 mod n
– this is not a special case of RSA, as this function is not 1-to-1.

The Rabin Encryption Scheme
• Public key: n
• Private key: p, q s.t. n = pq
• Encryption: compute c = m^2 mod n
• Decryption: compute the square roots of c.
– how many are there?
• Fact:
– when p ≡ q ≡ 3 (mod 4), deterministic algorithms exist to compute
the square roots
– otherwise, efficient randomized algorithms exist to compute the
square roots

Computing Square Roots is as hard as Factoring
• Given an algorithm A that can compute one
square root of a number a modulo n,
• One can use A to factor n as follows
– randomly pick x, compute z = x^2 mod n
– ask A to compute a square root of z; A returns y
– if y = x or y = n - x, then try again; otherwise, computing
gcd(x - y, n) gives us a prime factor of n
– as A has no way to tell which x we’ve picked, with
prob. ½, A returns a square root that allows us to
factor n

Pragmatic Considerations for the Rabin Encryption Scheme
• Normally, one picks p ≡ q ≡ 3 (mod 4)
• Redundancy is used to ensure that only one
square root is a legitimate message
• Encryption very fast, only one exponentiation (a single squaring)
• Decryption comparable to RSA decryption

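The last three slides (the Rabin scheme with p ≡ q ≡ 3 (mod 4), the square-root-to-factoring reduction, and redundancy to select the intended root) as one added Python example; this is not code from the lecture. The primes, the message and the redundancy format (low byte repeated) are constructed for the demo. The decryptor one_root plays the role of the algorithm A from the reduction slide, and factor_with_oracle tries x in increasing order rather than at random so the run is reproducible.

```python
# Added example (not from the lecture slides): a toy Rabin scheme with
# p ≡ q ≡ 3 (mod 4), the four square roots found via CRT, a simple
# redundancy check to pick the intended root, and the reduction showing
# that a square-root oracle (here, the decryptor itself) factors n.
# Primes, message and the redundancy format are constructed for the demo.
from math import gcd

P, Q = 1019, 1031              # both ≡ 3 (mod 4); constructed toy key
N = P * Q                      # 1050589


def encrypt(m, n=N):
    return m * m % n


def crt2(rp, rq, p=P, q=Q):
    """Combine residues mod p and mod q into the residue mod p*q."""
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)


def square_roots(c, p=P, q=Q):
    """All four square roots of c mod p*q. Since p ≡ 3 (mod 4),
    c^((p+1)/4) is a square root of c mod p (deterministic, no search)."""
    rp = pow(c, (p + 1) // 4, p)
    rq = pow(c, (q + 1) // 4, q)
    return [crt2(sp * rp % p, sq * rq % q, p, q) for sp in (1, -1) for sq in (1, -1)]


def one_root(c, p=P, q=Q):
    """A decryptor that always returns the (+,+) root: the oracle A."""
    return square_roots(c, p, q)[0]


# Redundancy: the message is sent with its low byte repeated, so that
# (with high probability) only the genuine root passes the check.
def add_redundancy(m):
    return (m << 8) | (m & 0xFF)


def has_redundancy(x):
    return (x >> 8) & 0xFF == x & 0xFF


def decrypt(c, p=P, q=Q):
    """Return every root that carries the redundancy (normally exactly one)."""
    return [r >> 8 for r in square_roots(c, p, q) if has_redundancy(r)]


def factor_with_oracle(n, oracle, xs=None):
    """Given any algorithm returning one square root, factor n:
    pick x, ask for a root y of x^2; if y != ±x then gcd(x - y, n) is a
    proper factor. Tried deterministically here; a random x succeeds with
    probability 1/2 per try."""
    for x in (xs if xs is not None else range(2, n)):
        g = gcd(x, n)
        if g != 1:                       # x itself already splits n
            return tuple(sorted((g, n // g)))
        y = oracle(x * x % n)
        if y in (x, n - x):              # trivial root, nothing learned
            continue
        g = gcd(x - y, n)
        return tuple(sorted((g, n // g)))
    raise ValueError("oracle never gave a useful root")


if __name__ == "__main__":
    m = 1234
    c = encrypt(add_redundancy(m))
    print(sorted(square_roots(c)))
    print(decrypt(c))                       # contains 1234
    print(factor_with_oracle(N, one_root))  # (1019, 1031)
```

Which root one_root returns depends only on whether x is a quadratic residue mod p and mod q, so for half of all x the returned y is neither x nor n - x and gcd(x - y, n) splits n; this is the slide's argument that any square-root algorithm, the legitimate decryptor included, is a factoring algorithm.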
Summary

• Efficient probabilistic algorithms for primality
testing exist
• The following are equivalent
– factoring n
– computing φ(n)
– finding d for the corresponding e
• The Rabin cryptosystem is “provably secure”

Next …

• SRA Mental Poker Protocol
• Goldwasser-Micali Probabilistic Encryption
• Semantic Security of RSA Encryption
• OAEP
• Stinson, Chapter 5.8, 5.9