Rennes, 02/10/2014

Cristina Onete

maria-cristina.onete@irisa.fr

Attacks on RSA. Safe modes.

From the previous lecture…

p, q, n:=pq

𝜑 (𝑛) ,𝑛 ,𝑒 ,𝑑

B

𝑛 ,𝑒

Secret 𝑚 𝑐=𝑚𝑒(𝑚𝑜𝑑𝑛) 𝑚=𝑐𝑑(𝑚𝑜𝑑𝑛)

Cristina Onete || 25/09/2014 || 2

𝑛 ,𝑒

Textbook RSA (V)

Security:

• Is encryption secure?

𝑐=𝑚𝑒(𝑚𝑜𝑑𝑛)

• Can we recover the secret key ?Key recovery as hard as factorizing

• Can we recover in any other way ?

Values are long-term

Each maps to unique Deterministic

Cristina Onete || 25/09/2014 || 3

Textbook RSA (VI)

Security:

• Plaintext recovery: can’t find from

• IND-CPA/IND-CCA: can’t say anything about

Encryption is deterministic:Can always distinguish m from m’

Not guaranteed if few possible messagesTry out all alternatives – find plaintext

OK if chosen at random from large set

• Not very secure; but we can improve it

Cristina Onete || 25/09/2014 || 4

Textbook RSA ++

Improving Textbook RSA:

Secret pre-processing RSAencryption

pre-processing

Security will depend on this step

Cristina Onete || 25/09/2014 || 5

PKCS and Bleichenbacher

Preprocessing with PKCS1, mode 2

• Pad with random number (make it probabilistic)

02 random pad FF message

1024 bits

• Bleichenbacher ’98: use the regularity of the ciphertext (they must start with “00|02”) to recover plaintext!

00

Cristina Onete || 25/09/2014 || 6

PKCS and Bleichenbacher (II)

Core idea

Ciphertext

DecryptDoes m start with “00|02”?

Continue

ERROR!

Attacker starts with ciphertext • Re-randomize it: • Is it PKCS? Repeat until you know rM starts with 00|02 • Move to next part of message ciphertexts

Cristina Onete || 25/09/2014 || 7

Cristina Onete || 25/09/2014 || 8

Contents

Pre-processing• How OAEP works

• Improvements on OAEP• Hash Functions; Random Oracles (brief)

Attacks on factoring – generic• Pollard’s • Pollard-

Unsafe modes for RSA

• Small sk: Wiener’s attackSome physical attacks

• Small pk and related ciphertexts

The OAEP Function

A new pre-processing function: OAEP• OAEP = Optimal Asymmetric Encryption Padding• By Bellare & Rogaway, 1994; in RFC 2437

Cristina Onete || 25/09/2014 || 9

m pad r

G

H

YX

bits bits bits

K = size of n=pq

= parameters (to be set)G,H = hash functions

= bit XOR

Cristina Onete || 25/09/2014 || 10

The OAEP Function

In detail: OAEP

m pad r

G

Hash functions

• A box with input of any size, and output of fixed sizeIn this case: input is bits, output is

• Collision-resistance: can’t find with • Random oracles: always outputs new string

Outputs consistently: consistent

Cristina Onete || 25/09/2014 || 11

The OAEP Function

In detail: OAEP

m pad r

G

How it works:

r

bits

G 𝐼 0

m pad 𝐼 0 𝑋=

bitsrandom

Cristina Onete || 25/09/2014 || 12

The OAEP Function

In detail: OAEP

How it works:

bits

H 𝐼 1

bits

𝐼 1 𝑌=

H

r𝑋

𝑋

r

random

Cristina Onete || 25/09/2014 || 13

RSA-OAEP Decryption

are random oracles Hard to invert

How do we decrypt?Go in reverse: receive

Decrypt:

m pad r

G

H

YX

Cristina Onete || 25/09/2014 || 14

RSA-OAEP Decryption

are random oracles Hard to invert

How do we decrypt?Go in reverse: receive

H 𝐼 1

𝐼 1 𝑌=

𝑋

r

𝐻 ( 𝑋 )=𝐼 1

𝑟 𝐼 1=𝑌

𝑟 𝐻 (𝑋 )=𝑌

Decrypt:

𝑟=𝐻 ( 𝑋 )𝑌

Cristina Onete || 25/09/2014 || 15

RSA-OAEP Decryption

are random oracles Hard to invertHow do we decrypt?Go in reverse: receive

Decrypt: Recover:

m pad r

G

H

YX

Cristina Onete || 25/09/2014 || 16

RSA-OAEP Decryption

are random oracles Hard to invert

How do we decrypt?Go in reverse: receive

Decrypt: Recover:

r G 𝐼 0

m pad 𝐼 0 𝑋=

𝐺 (𝑟 )=𝐼 0

𝑚∨𝑝𝑎𝑑 𝐼 0=𝑋

𝑚∨𝑝𝑎𝑑𝐺 (𝑟 )=𝑋𝑚∨𝑝𝑎𝑑=𝐺 (𝑟 ) 𝑋

Cristina Onete || 25/09/2014 || 17

RSA-OAEP Decryption

are random oracles Hard to invert

How do we decrypt?Go in reverse: receive

Decrypt: Recover:

Retrieve:

Check: pad has the right format

Cristina Onete || 25/09/2014 || 18

The OAEP Function

In detail: OAEP

• Functions are random oracles: that is, they give random output. In practice: use SHA-1

• Randomness chosen freshly every time• How about the padding?

m pad r

• Original OAEP: ([BR94])• OAEP+: with W a random oracle ([S01])

Cristina Onete || 25/09/2014 || 19

Improving OAEP: SAEP

m W(m,r) r

H

YX

bits bits bits

• No need for function • Function is random oracle. Input size: bits. Output

size: bits

Cristina Onete || 25/09/2014 || 20

Contents

Pre-processing• How OAEP works

• Improvements on OAEP• Hash Functions; Random Oracles (brief)

Generic attacks on factoring• Small Small or • Pollard-

Unsafe modes for RSA

• Small sk: Wiener’s attackSome physical attacks

• Small pk and related ciphertexts

Cristina Onete || 25/09/2014 || 21

Attacks on RSA

For the remainder of this lecture

We =

1st goal:

• Given something of the form , find Strategies:• Generic: factor . Given , easy to recover • Specific: retrieve plaintext without factoring

Cristina Onete || 25/09/2014 || 22

Small

Easy case: we are given and

• If are prime, then • Given and

Calculate: This gives:

Also:

So:

and: ¿∓√(𝑛−𝜑 (𝑛)+1)2−4𝑛

Factorization: and

Cristina Onete || 25/09/2014 || 23

Small

Hard case: we are given only Try to guess Use: Then:

Algorithm SmallDiff: Input Complexity parameter Write Let .

Note: are odd. Thus: and are even

IF is a square (it is equal to for a positive integer )

THEN: if and are prime, Output and

ELSE:

While DO

Cristina Onete || 25/09/2014 || 24

Small or : Pollard’s

Attack on factoring – bad (p-1)

• Vulnerability: with one small prime • Pollard’s-(p-1) factors in steps if smallest factor

If is small, then this method is fast

• Idea: if is prime, then is not

Since all are odd (impair), is even

We are hoping has only small factors and we will try to retrieve them all

Obviously will have 2 as a factor

All in the same set

Cristina Onete || 25/09/2014 || 25

Small or : Pollard’s

Attack on factoring – bad (p-1)

• Vulnerability: with one small prime • Supposition:

• How large can be for each ?

Well, for any , so

• Start with definite upper bound:

As , any divides . So divides

1≤𝑎<𝑝 :𝑎𝑝− 1=1(𝑚𝑜𝑑𝑝) So

Cristina Onete || 25/09/2014 || 26

Small or : Pollard’s

Attack on factoring – bad (p-1)

• Vulnerability: with one small prime

As , any divides . So divides

1≤𝑎<𝑝 :𝑎𝑝− 1=1(𝑚𝑜𝑑𝑝) So

Pick random Check that

𝑝 divides𝑎𝑅−1

• If : then . Hooray!

• If and With high probability

Then Else, pick a new a

Cristina Onete || 25/09/2014 || 27

Exercise time!

Write pseudocode for Pollard’s

Cristina Onete || 25/09/2014 || 28

So far

Small

• Given and : calculate Take:

Factorization: and

• Given : verify values of for integer

For each check if is integer

If so, if are prime then:Output

Else, next and repeat procedure

Cristina Onete || 25/09/2014 || 29

So far

Small

Pick random Check that • If : then . Hooray!

• If and With high probability

Then

Else, pick a new a and repeat

Cristina Onete || 25/09/2014 || 30

Pollard’s

General factorization attack (are we lucky?)

• Strategy: find specific small such that Most likely then,

• Imagine we could calculate Say we had:

• Suppose we find such that , then:

𝑎𝑢−𝑎𝑣=0(𝑚𝑜𝑑𝑝) divides

Then with high probability

• But, we don’t know . We do this .

Cristina Onete || 25/09/2014 || 31

Pollard’s

• Strategy: we compute:

• Choice: speed vs. storage

• Find: such that • With high probability

• Storage: method as above. Need to store all • Speed: Floyd’s cycle finding algorithm:

• and • Mod n:

Only checking pairs at a time

Cristina Onete || 25/09/2014 || 32

Floyd’s Cycle-Finding Alg.

Source:http://home.online.no/~vlaenen/

Cristina Onete || 25/09/2014 || 33

Exercise time!

Put the method (with Floyd’s cycle-finding algorithm) in pseudocode/algorithm form!

Cristina Onete || 25/09/2014 || 34

Contents

Pre-processing• How OAEP works

• Improvements on OAEP• Hash Functions; Random Oracles (brief)

Generic attacks on factoring• Small Small or • Pollard-

Unsafe modes for RSA

• Small sk: Wiener’s attackSome physical attacks

• Small pk and related ciphertexts

Cristina Onete || 25/09/2014 || 35

Unsafe Modes for RSA

Small public key• More receivers with same small (different )• Same plaintext is sent to users

𝑚𝑒

𝑚𝑒(𝑚𝑜𝑑𝑁 1)

𝑚𝑒(𝑚𝑜𝑑𝑁 2)

𝑚𝑒(𝑚𝑜𝑑𝑁 1)

𝑚𝑒(𝑚𝑜𝑑𝑁 1)

𝑚

Cristina Onete || 25/09/2014 || 36

Unsafe Modes for RSA

Small public key• One receiver with small (different )• Two related plaintexts: and

• If knows the relationship of the messages,

she can use polynomial multiplication to find

Recommended

• e =

• This leads to fast encryption

Cristina Onete || 25/09/2014 || 37

More Unsafe Modes

Small secret key• Better for decryption: makes it more efficient

𝑒𝑑=1(𝑚𝑜𝑑𝜑 (𝑁 )) 𝑒𝑑=1(𝑚𝑜𝑑(𝐿𝐶𝑀 (𝑝−1 ,𝑞−1)))

Math “magic”

→• Use: least common multiple LCM

𝐿𝐶𝑀 (𝑝−1 ,𝑞−1 )= (𝑝−1)(𝑞−1)𝐺𝐶𝐷(𝑝−1 ,𝑞−1) 𝐺

𝑒𝑑=1+𝐾𝐺

(𝑝𝑞−𝑝−𝑞+1)→

Divide by dpq

𝑒𝑝𝑞

=1

𝑑𝑝𝑞+𝐾𝑑𝐺

−𝐾

𝑑𝐺𝑞−

𝐾𝑑𝐺𝑝

+𝐾

𝑑𝐺𝑝𝑞

𝑒𝑝𝑞−

1𝑑𝑝𝑞

+ 𝐾𝑑𝐺 ( 1𝑞 + 1

𝑝−1𝑝𝑞 )= 𝐾

𝑑𝐺

Cristina Onete || 25/09/2014 || 38

More Unsafe Modes

Small secret key• If is small, then .

𝐾𝑑𝐺

= 𝑒𝑝𝑞−

1𝑑𝑝𝑞

+ 𝐾𝑑𝐺 ( 1𝑞 + 1

𝑝−1𝑝𝑞 )

• If is small, then .Tend to 0

≅𝑒𝑛≅ 1

| 𝐾𝑑𝐺− 𝑒𝑝𝑞|=| 𝐾𝑑𝐺 ( 1𝑞+ 1

𝑝−1𝑝𝑞 )− 1

𝑑𝑝𝑞|≤ 1

√𝑝𝑞< 1

2(𝑑𝐺)2

• This means that converges towards

• Continued fractions and some trial and error gives d

Cristina Onete || 25/09/2014 || 39

Physical Attacks

Implementation: Square and Multiply

𝑚=𝑐𝑑(𝑚𝑜𝑑𝑛)• Standard way to do exponentiation

• Write in binary []. Set For DO:

• If then set • Else, set

Square AND Multiply

Square

• Example:

i 7 6 5 4 3 2 1 0

m

Cristina Onete || 25/09/2014 || 40

Physical Attacks

Implementation: Square and Multiply

𝑚=𝑐𝑑(𝑚𝑜𝑑𝑛)

• Time the operation and write out the order of ops

Timing attack: multiply takes longer than square

M, Sq, Sq, M, Sq, Sq, M, Sq, M, Sq, Sq, M

• Retrieve key from inverse Square and Multiply

Power attack: multiply burns more than square

• Retrieve for smartcards

Source: http://www.dbs.com.hk/

CIDRE

Thanks!