Opportunities, challenges, and power of media and information
Security Attacks on RSA
1. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Security Attacks on RSA
A Computational Number Theoretic Approach
Pratik Poddar
Department of Computer Science and Engineering
IIT Bombay
April 10, 2009
2. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Contents
1 Introduction
Introduction to RSA Cryptosystem
Introduction to RSA Signatures
Basic Ideas of RSA
2 Factoring Attacks
Some Factoring Algorithms
Breaking RSA v/s Factoring
Exposing d v/s Factoring
Guessing φ(N) v/s Factoring
Are Strong Primes Needed?
Conclusion
3 Elementary Attacks
Dictionary Attack
Common Modulus Attack
Blinding Attack
4 Low Private Exponent Attack
Theory of Continued Fractions
Wiener’s Attack
Avoiding Wiener’s Attack
3. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
RSA
Adi Shamir, Ron Rivest, Len Adleman in 1977
4. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
The Math behind RSA
p and q are two distinct large prime numbers
N = pq and φ(N) = (p − 1)(q − 1)
Choose a large random number d > 1 such that
gcd(d, φ(N)) = 1 and compute the number e, 1 < e < φ(N)
satisfying the congruence
ed ≡ 1 mod φ(N)
The numbers N, e, d are referred to as the modulus,
encryption exponent and decryption exponent respectively.
The public key is the pair (N, e) and the secret trapdoor is d.
5. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Introduction to RSA Cryptosystem
Simplified Model of RSA Cryptosystem
Why it it simplified?
Difference between RSA cryptosystem and RSA function
6. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Introduction to RSA Signatures
Simplified Model of RSA Signatures
7. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Basic Ideas of RSA
Based on the idea that . . . Factorization is difficult
But . . .
There is no formal proof that
1 Factorization is difficult
2 Factorization is needed for cryptanalysis of RSA
8. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Contents
1 Introduction
Introduction to RSA Cryptosystem
Introduction to RSA Signatures
Basic Ideas of RSA
2 Factoring Attacks
Some Factoring Algorithms
Breaking RSA v/s Factoring
Exposing d v/s Factoring
Guessing φ(N) v/s Factoring
Are Strong Primes Needed?
Conclusion
3 Elementary Attacks
Dictionary Attack
Common Modulus Attack
Blinding Attack
4 Low Private Exponent Attack
Theory of Continued Fractions
Wiener’s Attack
Avoiding Wiener’s Attack
9. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 1: Fermat’s Factorization Method
√
First improvement over the n trial-division method
Every odd composite number can be represented as a difference of two
squares
n = cd
» –2 » –2
c +d c −d
n= −
2 2
√
Start from k = n, go on incrementing k till k 2 − n is a perfect square
Might be worse than trial division . . .
1
Effect on RSA . . . Special case p − q ≤ 4n 4
10. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 2: Euler’s Factorization Method
Based upon representing a positive integer n as the sum of two squares in
two different ways
n = a2 + b 2 = c 2 + d 2
If n can be represented as a sum of two squares in two different ways, it
can be factorized!!
(a − c)(a + c) = (d − b)(d + b)
Let k be the gcd of a − c and d − b, so that a − c = kl and d − b = km.
l(a + c) = m(d + b) and a + c = mr and d + b = lr (Why?)
h` ´ ` r ´2 i
2
n= k + 2
2
· (m2 + l 2 ) (Are k and r always even?)
, go on decrementing k till n − k 2 is a perfect square
pn
Start from k = 2
Historically important!! Flaws!!
11. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 3: Pollard’s p − 1 Method
Basic idea
Effect on RSA
12. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 3: Pollard’s p − 1 Method
Pollard’s p − 1 algorithm
Require: A composite integer N
Ensure: A non-trivial factor of N or failure
B ⇐ Chosen Smoothness Bound
a ⇐ Random number coprime to N
for q = 1 to B do
if q is prime then
—
log N
e← log q
e
a ← aq mod N
end if
end for
13. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 3: Pollard’s p − 1 Method
Pollard’s p − 1 algorithm
g ← gcd (a − 1, N)
if 1 < g < N then
return g
else if g = 1 then
Select a higher B and go to step 2 or return failure
else
Go to step 2 or return failure
end if
14. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 3: Pollard’s p − 1 Method
Example... Factorize 5917
Say B = 5, we make α = 213 38 56
So, β = 2α − 1
gcd(β, 5917) = 61 !!
16. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Factoring Algorithm 4: Pollard’s ρ Method
Pollard’s ρ algorithm
Require: n, the integer to be factored; x1 , such that 0 ≤ x1 ≤ n; and f (x), a
pseudo-random function modulo n.
Ensure: A non-trivial factor of n or failure
i ⇐ 1; y ⇐ x1 ; k ⇐ 2
loop
i ⇐i +1
2
xi ⇐ (xi−1 − 1) mod n
d ⇐ gcd(y − xi , n)
if d = 1 and d = n then
return d
end if
if i = k then
y ⇐ xi
k ⇐ 2k
end if
end loop
Example... Factorize 1387
19. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Breaking RSA v/s Factoring
Breaking RSA ≤ Factoring (Obvious!)
Open Problem: Factoring ≤ Breaking RSA??
Expectation: No!!! Factoring is expected to be strictly > Breaking RSA
20. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring
Theorem
Exposing the private key d and factoring N are equivalent
Proof
Determining d ≤ Factoring N (Why??)
Determining d ≥ Factoring N (Non-obvious algorithm)
We will now present a randomized algorithm by which knowing d,
factors of N can be easily determined.
21. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Miller Rabin Test
Randomized primality testing algorithm
Miller version · · · Rabin version
22. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Miller Rabin Test
Require: n > 2, an odd integer to be tested for primality
Ensure: Composite if n is composite, otherwise probably Prime
Write n − 1 as 2s d with d odd
a ⇐ Random number between 1 and n − 1
x0 ⇐ ad mod n
if x = 1 OR x = n − 1 then
return Probably Prime
end if
23. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Miller Rabin Test
for i = 1 to s − 1 do
2
xi ⇐ xi−1 mod n
if xi = 1 and xi−1 = 1 and xi−1 = n − 1 then
return Composite
end if
end for
if xt = 1 then
return Composite
else
return Probably Prime
end if
24. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Miller Rabin Error Rate Analysis
If n is a composite number, then the number of witnesses to the
compositeness of n is at least n−1 .
2
Proof
n−1
Prove that number of non-witnesses is at most 2
Creating a subgroup B, which is a subgroup of Z∗ , which
n contains all the
non-witnesses
Show the existence of an element in Z∗ − B,
n
n−1 n−1
Order of B ≤ 2
. Number of non-witnesses ≤ 2
We break the proof into two cases.
25. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Case 1: There exists an x ∈ Z∗ such that x n−1 ≡ 1 mod n
n
Let B = {b ∈ Z∗ : b n−1 ≡ 1 (mod n)}
n
Since there exists an element x for which x n−1 ≡ 1 mod n, Z∗ − B is
n
non-empty
n−1
Number of non-witnesses ≤ 2
26. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Case 2: For all x ∈ Z∗ , x n−1 ≡ 1 mod n
n
Represent n as n1 n2 where n1 and n2 are relatively prime
Note that n − 1 = 2s u and for input a, we can compute the following sequence
2 3 4 s
modulo n: au , a2u , a2 u , a2 u , a2 u · · · a2 u
Let us call a pair of integers (v , j) acceptable if v ∈ Z∗ , j = 0, 1, 2, · · · , s and
n
j
v 2 u ≡ −1 (mod n)
Set of acceptable pairs contains (n − 1, 0). So, the set is non-empty.
Pick the largest possible j for which there exists an v such that (v , j) is an acceptable
pair. We will use this j in the proof.
j
B = {x ∈ Z∗ : x 2 u ≡ ±1
n (mod n)}
Clearly, B is a subgroup of Z∗ . Also note that the sequence produced by a
n
non-witness must be either all 1’s or contain −1 no later than the jth position (due to
maximality of j). So, every non-witness belongs to B.
27. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . Miller Rabin Test
Case 2: For all x ∈ Z∗ , x n−1 ≡ 1 mod n
n
To complete the proof, we have to prove that Z∗ − B is non-empty. Note that there
n
exists a w such that
w ≡v (mod n1 ) and w ≡ 1 (mod n2 )
j
where v is an element in B such that v 2 u ≡ −1 (mod n). So,
j j
w 2 u ≡ −1 (mod n1 ) and w 2 u ≡ 1 (mod n2 )
j j
This implies w 2 u ≡ −1 (mod n) and w 2 u ≡ 1 (mod n). So, w ∈ B. /
All we need to prove is that w ∈ Z∗ . Since v ∈ Z∗ , gcd(v , n) = 1, which implies
n n
gcd(v , n1 ) = 1. Since gcd(w , n1 ) = gcd(v , n1 ), gcd(w , n1 ) = 1. By construction of w ,
gcd(w , n2 ) = 1. So, gcd(w , n1 n2 ) = gcd(w , n) = 1.
28. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Exposing d v/s Factoring . . . The Randomized Algorithm
The Algorithm. . . knowing d, factors of N can be easily determined
Let k = ed − 1
If g is chosen at random from Z∗ , the with probability at least
n
1
2 , one of the elements in the sequence
t
g k/2 , g k/4 , g k/8 , ..., g k/2 mod N is a witness for the
compositeness of N
A witness of compositeness of Miller Rabin test reveals a
factor of N as square roots of 1 mod N (other than 1 and -1)
would be x and −x where x ≡ 1 mod p and x ≡ −1 mod q
gcd(x − 1, N) would get the factor of N
30. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Strong Primes
What are strong primes?
A prime p is considered to be a “strong prime” if it satifies the following
conditions:
p is a large prime (say |p| ≥ 256)
The largest prime factor of p − 1, say p − , is large (say |p − | ≥ 100)
The largest prime factor of p − − 1, say p −− , is large (say |p −− | ≥ 100)
The largest prime factor of p + 1, say p + , is large (say |p + | ≥ 100)
A prime is
p − -strong if p − is large
p −− -strong if p −− is large
p + -strong if p + is large
(p − , p + )-strong if both p − and p + are large
strong if all p − , p −− and p + are large
31. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Are Strong Primes Needed?
Believed that p and q in RSA have to be strong
Original RSA paper, Cycling Attack, X .509 Standard
Rivest and Silverman proved that use of strong primes is unnecessary
PKCS#1 v2.1 does not recommend strong primes
32. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Conclusion
We discussed about the factoring algorithms present at the
time of RSA publication
How those factorization algorithms affected RSA paper
We discussed various other ways to attempt RSA breaking
and compared them to factoring
The myth of RSA needing strong primes
33. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Contents
1 Introduction
Introduction to RSA Cryptosystem
Introduction to RSA Signatures
Basic Ideas of RSA
2 Factoring Attacks
Some Factoring Algorithms
Breaking RSA v/s Factoring
Exposing d v/s Factoring
Guessing φ(N) v/s Factoring
Are Strong Primes Needed?
Conclusion
3 Elementary Attacks
Dictionary Attack
Common Modulus Attack
Blinding Attack
4 Low Private Exponent Attack
Theory of Continued Fractions
Wiener’s Attack
Avoiding Wiener’s Attack
34. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Elementary Attack 1: Dictionary Attack
One-to-one mapping between ciphertext and plaintext : vulnerable to
Dictionary Attack
Security measure: Random Padding (PKCS#1 v1.5)
35. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Elementary Attack 2: Common Modulus Attack
RSA modulus should not be used by more than one entity
Alice recieves the ciphertext C = M ea mod N
Mallory does not have da , but using eb and db , Mallory can factor N
da can be calculated and Mallory can decrypt the message intended for
Alice
36. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Elementary Attack 3: Blinding Attack
Attack specific to RSA signatures
Suppose attacker A wants to get a document M signed by B
A needs M d mod N · · · A sends r e M mod N for B to sign
Signing the sent message gives
r ed M d mod N = rM d mod N
Security measure: Random Padding, Signing Hash
37. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Contents
1 Introduction
Introduction to RSA Cryptosystem
Introduction to RSA Signatures
Basic Ideas of RSA
2 Factoring Attacks
Some Factoring Algorithms
Breaking RSA v/s Factoring
Exposing d v/s Factoring
Guessing φ(N) v/s Factoring
Are Strong Primes Needed?
Conclusion
3 Elementary Attacks
Dictionary Attack
Common Modulus Attack
Blinding Attack
4 Low Private Exponent Attack
Theory of Continued Fractions
Wiener’s Attack
Avoiding Wiener’s Attack
38. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Low Private Exponent Attack
Wiener’s Attack
Let N = pq with p and q approximately of the same size, i.e.
1
q < p < 2q. Let d < 3 N 1/4 . Given (N, e) with ed ≡ 1 mod φ(N),
the attacker can easily recover d.
39. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions
Definition
The function of n + 1 variables
1
a0 +
1
a1 +
1
a2 +
1
a3 + · · ·
an
or
[a0 , a1 , a2 , a3 · · · , an ]
is defined as a continued fraction. We consider only simple and
positive continued fractions, i.e. all ai s are integral and positive.
[a0 , a1 , a2 , a3 · · · , ai ], 0 ≤ i ≤ n are said to be the convergents of
[a0 , a1 , a2 , a3 · · · , an ].
40. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Theorem 1
The continued fraction
[a0 , a1 , a2 , · · · , an ] = [a0 , a1 , · · · , am−1 , [am , · · · an ]]
Theorem 2
The continued fraction
pm am pm−1 + pm−2
[a0 , a1 , a2 , · · · , am−1 , am ] = =
qm am qm−1 + qm−2
41. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Theorem 3
Continued Fraction Algorithm: Any rational number x can be represented as a
simple finite continued fraction.
Proof
h0
x=
k0
Comparing x with [a0 , a1 , a2 , · · · , aN , aN+1 ],
x = a0 + ξ0 where ξ0 < 1 i.e. h0 = a0 k0 + ξ0 k0
If ξ0 = 0
1 k0
=
ξ0 h0 − a0 k0
Let k1 = h0 − a0 k0 , (since, k1 = ξ0 k0 , we have k1 < k0 )
k0
= a1 + ξ1 and k0 = a1 k1 + ξ1 k1
k1
42. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Proof Contd · · ·
Doing this repeatedly gives a system of equations
h0 = a0 k0 + k1 , k0 = a1 k1 + k2
h1 = a1 k1 + k2 , k1 = a2 k2 + k3
···
as long as kN+1 = 0.
Equations same as when executing Euclid’s extended algorithm to compute gcd
of h0 and k0 .
So, Continued fraction algorithm terminates and the number of convergents for
x is Θ(min(log h0 , log k0 )).
43. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Theorem 4
If ˛ ˛
˛p
˛ − x˛ ≤ 1
˛
˛q ˛ 2q 2
p
then is a convergent of continued fraction expansion of x.
q
Proof
Assuming that the statement is true, then
p θ
−x = 2
q q
p
where = ±1 and 0 < θ < 1 . Let pn and qn−1 be the last and second last
2 qn n−1
convergents of continued fraction of q . Note that pn = p . We can write, for
p
qn q
some ω,
ωpn + pn−1
x=
ωqn + qn−1
44. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Continued Fractions · · · Theorems
Proof Contd · · ·
qn 1 qn−1
θ= and ω = −
ωqn + qn−1 θ qn
Note that since θ < 1 , we have, ω > 1
2
p
Let = [a0 , a1 , · · · am1 ]
q
Let ω = [b0 , b1 , b2 · · · bm2 ]
[a0 , a1 , a2 · · · am1 , ω] = [a0 , a1 , a2 · · · am1 , [b0 , b1 , b2 · · · bm2 ]]
ωpm + pm−1
= =x
ωqm + qm−1
So, x = [a0 , a1 , a2 · · · am1 , b0 , b1 , · · · bm2 ].
p
So, by construction, we have proved that q
is a convergent of continued
fraction expansion of x.
45. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Wiener’s Attack
Attack by Wiener, 1990
Let N = pq with p and q approximately of the same size, i.e. q < p < 2q. Let
d < 3 N 1/4 . Given (N, e) with ed ≡ 1 mod φ(N), the attacker can easily
1
recover d.
Proof
k
There exists k such that ed − kφ(N) = 1. We will first show that that is an
e
√ d
approximation of N . Also note that N − φ(N) < 3 N.
˛ ˛ ˛ ˛
˛ − k ˛ = ˛ 1 − k(N − φ(N)) ˛
˛e ˛ ˛ ˛
˛N d ˛ ˛ Nd ˛
˛ ˛
˛e
˛ − k ˛ ≤ 3k
˛
˛N √
d˛ d N
Also, since kφ(N) = ed − 1 < ed and e < φ(N), we have k < d. In the case
when d < 1 N 1/4 , we obtain k < d < 1 N 1/4 and so
3 3
˛ ˛
˛e
˛ − k˛≤ √ ≤ 1 < 1
1
˛
˛N d˛ d 4N 3d 2 2d 2
46. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Wiener’s Attack
Proof Contd· · ·
k e
d
is a convergent of continued fraction expansion of N
k
Number of fractions to be checked for d
is bounded by Θ(log N)
e k
One of the Θ(log N) convergents of continued fraction for N
is d
k
d
is a reduced fraction
We have Θ(log N) available options for d
47. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Avoiding Wiener’s Attack
Method 1: Large e
Instead of using e < N, use e = e + tφ(N) for a large t
This would mean e > N
Large e would mean a large k which would counter Wiener’s attack
If e > N 1.5 , Wiener’s attack is not possible even for very small d
48. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
Avoiding Wiener’s Attack
Method 2: Using CRT
Use CRT to reduce the decryption time (and signing time) even while
using large d
Choose d such that dp = d mod (p − 1) and dq = d mod (q − 1) are small
For decryption, compute Mp = C dp mod p and Mq = C dq mod q
Then using CRT, compute M satisfying
M ∈ Zn
M = Mp mod p and
M = Mq mod q
Note that here M = C d mod N
49. Introduction Factoring Attacks Elementary Attacks Low Private Exponent Attack
References
D. Boneh. “Twenty Years of Attacks on the RSA
Cryptosystem.” Notices of the American Mathematical
Society, 46(2):203–213, 1999.
M. Wiener. “Cryptanalysis of short RSA secret exponents.”
IEEE Transactions on Information Theory, 36:553 558, 1990
Ron Rivest and Robert Silverman. “Are ‘Strong’ Primes
Needed for RSA?”, Cryptology ePrint Archive: Report
2001/007
Rivest, R.; A. Shamir; L. Adleman. “A Method for Obtaining
Digital Signatures and Public-Key Cryptosystems”.
Communications of the ACM 21 (2): pp.120-126.