Attacking RSA

Attacking RSA

Brian Winantbwinant@gwu.edu

Reference

“Twenty Years of Attacks on the RSA Cryptosystem”

By Dan BonehIn Notices of the American

Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999

Introduction

RSA introduced August 1977 R = Ron Rivest S = Adi Shamir A = Len Adleman

Subject to two+ decades of cryptanalysis No serious attacks found Most known attacks based on

implementation weaknesses

RSA Review - Modulus

Let pq = N N is n bits long p, q are large primes of length n/2 In practice N is at least 1024 bits

1024 bits = 309 decimal digits

RSA Review - Keys

Choose exponents e and d Such that ed = 1 mod (N) (N) is the Euler phi function Since N=pq, (N) = (p – 1)(q – 1) (N) is the order of the multiplicative group

ZN*

(N, e), (N, d) are the public/private keys Doesn’t matter which is which

RSA Review - Encryption

Plaintext M ZN*

Ciphertext C ZN*

Encryption fk(M) = C = Me mod N

Decryption gk(C) = Cd mod N Med mod N = M

Trapdoors

fk(M) is a one-way trapdoor function

Exponent d is the trapdoor Makes inverting fk(M) easy

How hard is it to invert fk(M) without the trapdoor? No known mechanism to easily invert

fk(M) However, not proven to be impossible

Breaking RSA

Goal Invert fk(M) without knowing d

Formally Given (N, e, C) Assume the factorization of N is

unknown How hard is it to compute the eth root

of C mod N?

Naïve Approach

ZN* is finite

Try all M ZN*

Runtime is exponentialInterested only in efficient algorithms O(nc) where

n = log2 N c is a small constant (< 5)

Theory vs. Implementation

Difference between the function and the cryptosystemCryptosystem is not semantically secure Given (N, e, C) it is possible to recover

some information about M Example: Jacobi symbol of M over N Fixed by padding M with random bits

Types of Attacks

FactoringElementaryLow Private ExponentLow Public ExponentImplementation

Factoring

If N can be factored p,q are known (N) can be computed d = e-1 mod (N) easily computed using

Euclid’s method

State of the art factoring algorithms still exponential log N General Number Field Sieve

Largest factored modulus: 576 bits 174 decimal digits

More Factoring

For some N, factoring is easyPollard’s p – 1 algorithm p – 1 is a product of primes less than

B N can be factored O(B3)

Some RSA implementations reject such p

Breaking RSA vs. Factoring

If an efficient factoring algorithm exists, RSA is insecureOpen Problem: Is converse true? Must N be factored in order to

efficiently compute eth roots mod N? Is breaking RSA as hard as factoring?

Open Problem: Definition

Given N, e = gcd(e, (N)) = 1Define fe,N: ZN* -> ZN

* = x1/e mod N

Given an oracle that evaluates f in unit timeIs there a polynomial-time algorithm A that computes factorization of N?

Open Problem: Answer?

Probably not Evidence that for small e, answer may be no

There may not exist a polynomial-time reduction from factoring to breaking RSA However, not proven

Negative answered probably preferred over positive answer

Elementary Attacks

Due to misuse of RSAMany exist Modulus Reuse Blinding

Modulus Reuse

To save time, why not reuse N?Trusted authority can provide user i with keys (N, ei), (N, di)

Attacker can use own ea, da to factor N

Once N is factored, recovering di easy

Do not reuse N

BlindingFool Bob into signing an arbitrary M e,d are Bob’s public and private keys

Choose random r ZN*

Let M’ = reM mod NHave Bob sign S’ = (M’)d mod N

Blinding

Compute S = S’/r mod N Se = (S’)e/re = (M’)ed/re = (reM)ed/re =

reM/re = M

Attacker now has signature on M

Blinding: Defense

In practice, attack not feasible Prevented by first hashing M before

signing

An attack, but required for anonymous digital cash

Low Private Exponent

Reduce decryption time by using small dIf d < (1/3)N1/4, d can be recovered Approximation method based on continued

fractions

Small d can still be chosen using Chinese Remainder Theorem in a possibly secure manner Ensure d mod (N) is still large

Open Problem: How small can d be?

Open Problem

Let N = pqLet d < N0.5

Let e <(N)ed = 1 mod (N)If attacker is given (N, e), can d be recovered efficiently?

Low Public Exponent

In practice, small public keys are used Reduces encryption, signature-verification

time

Smallest e = 3Recommended e = 216 + 1 For signature-verification:

Requires 17 multiplications Approx. 1000 when random e used

Small public keys are not as dangerous as small private keys

Low Public Exponent Attacks

Broadcast AttackRelated Message AttackShort Pad AttackPartial Key Exposure Attack

Broadcast Attack

Bob sends M to parties P1 … PK

Pi has public key (Ni, ei)

M < Ni for all i

Bob encrypts M with key for each Pi

Attacker can collect all k ciphertexts and recover M if k e

Broadcast Attack: Simplified

Assume ei = 3 for all i

Attacker collects C1, C2, C3

C1 = M3 mod N1

C2 = M3 mod N2

C3 = M3 mod N3

Chinese Remainder Theorem C’ = M3 mod N1N2N3

Broadcast Attack: Simplified

Since M < all Ni, M3 < N1N2N3

So C’ = M3

Recover M by calculating cube root of C’

Broadcast Attack: Defense

Pad M with random bitsPadding M with non-random bits allows other attacks

Related Message Attack

Bob sends Alice related messages using same modulus(N, e) is Alice’s public keyM1 M2 ZN

*

M1 = f(M2) mod N f is a publicly known polynomial mod N f(x) = ax + b mod N, b

Given (N, e, C1, C2, f) attacker can recover M1, M2 in quadratic time log N

Related Message Attack

Works by computing GCD of two polynomials g1(x) = f(x)e – C1

g1(x) = xe – C2

For large e, computing GCD too expensive

Short Pad Attack

Exploit naïve random paddings of M Add random bits to one end of M

Requires knowledge of two ciphertexts corresponding to the same message

Short Pad Attack

|N| = nm = floor(n/e2) Relationship between pad and key lengths

|M| = n – mM1 = 2mM + r1

M2 = 2mM + r2

0 r1, r2 < 2m

Given (N, e, C1, C2), M can be efficiently recovered

Partial Key Exposure Attack

If a portion of d is exposed, can all of d be recovered? Yes, if e is small

e < sqrt(N) Need ceil(n/4) least significant bits of

d

Implementation Attacks

Attack the implementation of RSA, not the underlying mathematical structureTimingRandom FaultsPCKS 1

Timing Attack

Smartcard attackBased on timing the efficient modulo exponentiation algorithm Can recover bits based on whether or

not the squaring step is performed

Similar attack based on monitoring power consumption

Timing Attack: Defense

Add delayUse blinding on itself Adds randomness to ciphertext Less correlation between input and

key bits Approach due to Rivest

Random FaultsMany RSA implementations use Chinese Remainder Theorem Speed up computation of Md mod N Let a = d mod (p – 1) Let b = d mod (q – 1) Ca = Ma

mod p Cb = Mb

mod q C = T1Ca + T2C2 mod N

Faster since less exponentiation is needed

Random Faults

Suppose computer glitch causes an incorrect bitEither Ca or Cb will be incorrectCan detect the incorrect result C Ce = M mod p Ce M mod q

Exposes a factor of N, but requires knowledge of M

Random Faults: Defense

Requires M to not be padded Add random bits

Check before sending You’re doing this anyway, right?

PKCS 1 Attack

Possible in older version of standardImplementations will raise error if C does not contain 16 bit “02”Equals an oracle which can reveal whether the most significant 16 bits of C equals 02

Conclusion

RSA function susceptible to mathematical trickeryExploits are not practical Easy to defend against Would never occur in reality

Requires correct and secure implementationNo known dangerous attacks against properly implemented RSA