RSA Cryptosystem 1977 - PowerPoint PPT Presentation

Provided by: drtsuyos

1
RSA Cryptosystem (1977)
de facto standard of public-key cryptosystems
p, q primes, n = pq, ed ≡ 1 mod (p-1)(q-1),
(e, n) public key, d secret key (factoring, n: 1024 bits), M message, M ∈ {0, 1, 2, ..., n-1}.
Encryption: C = M^e mod n, e small (2^16 + 1)
Decryption: M = C^d mod n, d large (d > n^(1/2))
2
Fast Exponentiation
The binary representation of d = d_{k-1} 2^{k-1} + d_{k-2} 2^{k-2} + ... + d_1 2^1 + d_0 2^0, where d_{k-1} = 1.
Left-to-right binary method
Input: C, n, d
Output: C^d mod n
  X = C
  For i = k-2 down to 0:
    X = X^2 mod n
    if d_i = 1, then X = X * C mod n
  Return X
Cubic complexity O((log n)^3): we need about 1500 modular multiplications for 1024-bit n, d on average.
d 179769313486231590772930519078902473361797697
89423065727343008115773263944520916726277163493714
0456477800995856 486367356035749422778584041
89265584674398992586950491403608217709659968519739
03412635215659390188627764072341203
16682859702665262897377118205139448713763256495756
55785893257302729658745304709432808
3
RSA Decryption using Chinese Remainder Theorem
M = C^d mod n
Each half-size exponentiation is 2^3 = 8 times faster:
dp = d mod (p-1), Cp = C mod p, Mp = Cp^dp mod p
dq = d mod (q-1), Cq = C mod q, Mq = Cq^dq mod q
Garner's algorithm: M = Mp + pv mod n, v = (Mq - Mp) p^-1 mod q
RSA decryption using the CRT can be computed about 4 times faster than the original decryption.
4
RSA with CRT
Algorithm RSA_Decryption_CRT (n = pq)
Input: C, n, p, q, dp, dq, p_inv_q
Output: M
  1. Mp = C^dp mod p
  2. Mq = C^dq mod q
  3. v = (Mq - Mp) * p_inv_q mod q
  4. M = Mp + pv
  5. Return M
Pre-computation of p_inv_q avoids the inversion at decryption time (PKCS #1, http://www.rsasecurity.com/rsalabs/pkcs/).
5
(No Transcript)
6
Security Analysis of RSA Cryptosystem
SECURE RSA!
Programming or Coding failure
Klima-Rosa attack against PGP
Side Channel Attack (SCA)
Timing Attack
Differential Fault Attack (DFA)
Implementation failure
Bleichenbacher Attack (PKCS #1)
Common modulus
Broadcast attack
Padding failure
Chosen Ciphertext Attack (Simmons)
Protocol failure
Other parameters
Strong prime, Cycling attack, low exponent attack
Number-theoretic problems (key size)
Factoring n = pq
7
Power Consumption of RSA-CRT
Cited from the paper R. Novak, "SPA-Based Adaptive Chosen Ciphertext Attack on RSA Implementation," PKC 2002, LNCS 2274, pp. 252-262, 2002.
8
Side Channel Attacks
Left-to-right binary method
Input: M, n, d
Output: M^d mod n
  X = M
  For i = k-2 down to 0:
    X = X * X mod n
    if d_i = 1, then X = X * M mod n
  Return X
The time or the power needed to execute a squaring and a multiplication are different (side-channel information).
Cited from Clavier et al., "Universal exponentiation algorithm: A first step towards provable SPA-resistance," CHES 2001, LNCS 2162, pp. 300-308, 2001.
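An added example (not code from the slides) of the left-to-right binary method of slides 2 and 8, instrumented to record the squaring/multiplication sequence as a stand-in for a power trace in which S and M are distinguishable; it shows that the pattern reveals the exponent bits, and a square-and-multiply-always variant whose pattern is independent of d. The base, exponent and modulus in the test are constructed toy values.

```python
def ltr_binary_exp(c, d, n):
    """Left-to-right binary method from the slides. Returns C^d mod n and the
    operation sequence ('S' = squaring, 'M' = multiplication), i.e. what an
    SPA trace with distinguishable S and M would expose."""
    bits = bin(d)[2:]            # d_{k-1} ... d_0 with d_{k-1} = 1
    x, trace = c, []
    for b in bits[1:]:           # i = k-2 down to 0
        x = x * x % n
        trace.append('S')
        if b == '1':
            x = x * c % n
            trace.append('M')
    return x, ''.join(trace)

def bits_from_trace(trace):
    """Reads the exponent back from the S/M pattern: 'SM' -> bit 1, lone 'S' -> bit 0.
    This is exactly the leakage slide 8 describes."""
    bits = ['1']                 # the leading bit d_{k-1} is always 1
    i = 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == 'M':
            bits.append('1')
            i += 2
        else:
            bits.append('0')
            i += 1
    return int(''.join(bits), 2)

def square_and_multiply_always(c, d, n):
    """Countermeasure variant: every iteration performs S then M and discards
    the unneeded product, so the S/M pattern no longer depends on d_i."""
    bits = bin(d)[2:]
    x, trace = c, []
    for b in bits[1:]:
        x = x * x % n
        trace.append('S')
        y = x * c % n            # computed even when d_i = 0
        trace.append('M')
        x = y if b == '1' else x
    return x, ''.join(trace)
```

The always-multiply variant only equalises the operation sequence; the selection `x = y if ... else x` must itself be implemented without a data-dependent branch in real code.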
9
Differential Fault Attack (DFA)
An attacker obtains a decryption which is computed in a wrong way.
M = C^d mod n
dp = d mod (p-1), Mp = C^dp mod p
dq = d mod (q-1), Mq = C^dq mod q   (fault injected into this computation)
M = Mp + pv mod n, v = (Mq - Mp) p^-1 mod q
In RSA using the CRT, if an attacker can cause a fault in the computation of Mq, the faulty result M' agrees with M modulo p but not modulo q, so n can be factored by gcd(M - M', n) = p.
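An added example (not code from the slides) that implements RSA_Decryption_CRT from slide 4 with toy constructed primes, simulates the Mq fault of slide 9 to show why gcd(M - M', n) = p, and adds the re-encryption check that refuses to release a faulty result. All parameters are constructed and far too small for real use.

```python
from math import gcd

# Constructed toy parameters: n = p*q with q > p (not secure sizes).
P, Q = 1009, 1013
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # ed = 1 mod (p-1)(q-1)
DP, DQ = D % (P - 1), D % (Q - 1)
P_INV_Q = pow(P, -1, Q)        # pre-computed p^-1 mod q, as in PKCS #1

def rsa_decrypt_crt(c, fault_in_mq=False):
    """Algorithm RSA_Decryption_CRT from the slides (Garner recombination).
    fault_in_mq simulates a DFA glitch that corrupts only the Mq half."""
    mp = pow(c, DP, P)                      # Step 1
    mq = pow(c, DQ, Q)                      # Step 2
    if fault_in_mq:
        mq = (mq + 1) % Q                   # any wrong value mod q will do
    v = ((mq - mp) * P_INV_Q) % Q           # Step 3
    return mp + P * v                       # Step 4: already lies in [0, n)

def rsa_decrypt_crt_checked(c, fault_in_mq=False):
    """Countermeasure: re-encrypt and compare before releasing the result.
    A faulty M' equals M mod p but not mod q, so M'^e mod n != C."""
    m = rsa_decrypt_crt(c, fault_in_mq)
    if pow(m, E, N) != c:
        return None                         # refuse to output a faulty M
    return m

def bellcore_factor(m_good, m_bad):
    """Why a released faulty output is fatal: gcd(M - M', n) is p."""
    return gcd(m_good - m_bad, N)

if __name__ == "__main__":
    msg = 123456                            # constructed sample message
    c = pow(msg, E, N)
    assert rsa_decrypt_crt(c) == pow(c, D, N) == msg
    bad = rsa_decrypt_crt(c, fault_in_mq=True)
    print("gcd(M - M', n) =", bellcore_factor(msg, bad), "(= p)")
    print("checked decrypt under fault:", rsa_decrypt_crt_checked(c, True))
```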
10
An experiment by Infineon
Cited from Aumüller et al., "Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures," CHES 2002, LNCS 2523, pp. 260-275, 2003.
11
Novak Attack on RSA-CRT
(We assume that q > p)
Algorithm RSA_Decryption_CRT (n = pq)
Input: C, n, p, q, dp, dq, p_inv_q
Output: M
  1. Mp = C^dp mod p
  2. Mq = C^dq mod q
  3. u = Mq - Mp
  4. if u < 0 then u = u + q
  5. v = u * p_inv_q mod q
  6. M = Mp + pv
  7. Return M
Power analysis can detect the sign of u at Step 4. Thus we have the following oracle:
if f(x) < 0, then O(x) = 0, else O(x) = 1, where f(x) = (x mod q) - (x mod p).
Cited from the paper R. Novak, "SPA-Based Adaptive Chosen Ciphertext Attack on RSA Implementation," PKC 2002, LNCS 2274, pp. 252-262, 2002.
12
Theorem (Novak02) Let n = pq and q > p. For x = 0, 1, ..., n-1, we have the following sequence:
O(x) = 1, 1, ..., 1, 0, ..., 0, 1, ..., 1, 0, 0, 1, ...
If O(x-1) = 1 and O(x) = 0 hold, then x is divisible by q, namely q | x.
Proof: LP = {0, 1, ..., p-1}, UP = {p, p+1, ..., n-1}.
Claim 1: O(x) = 1 for x in LP, since f(x) = (x mod q) - (x mod p) = 0 due to q > p.
Claim 2: O(kq) = 0 and O(kq-1) = 1 for 0 < k < p.
f(kq) = (kq mod q) - (kq mod p) = -(kq mod p) < 0, because kq is not divisible by p.
f(kq-1) = (kq-1 mod q) - (kq-1 mod p) = (q-1) - h for some h with 0 ≤ h < p, which is > (p-1) - (p-1) = 0.
13
The two sequences (x mod p) and (x mod q) and the corresponding O(x) are as follows:
x mod q: ..., q-3, q-2, q-1, 0, 1,   2,   ...
x mod p: ..., s-3, s-2, s-1, s, s+1, s+2, ...
O(x):    ..., 1,   1,   1,   0, 0,   0,   ...
where s is an integer with 0 < s < p < q. We have consecutive 0s from x mod q = 0 onwards and 1s up to x mod q = q-1.
[Figure: plot of x mod q and x mod p over one period of q, with the resulting 0/1 values of O(x)]
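An added example (not code from the slides) for slides 11 to 13: it evaluates the oracle O(x) = [f(x) ≥ 0] with f(x) = (x mod q) - (x mod p) over all of Z/nZ for constructed toy primes, checks the theorem's claim that every 1-to-0 transition lands on a multiple of q, and contrasts the sign-dependent Step 4 with a version that computes the same u without a branch on the sign.

```python
# Constructed toy primes with q > p, as the Novak slides assume.
P, Q = 11, 17
N = P * Q

def f(x):
    """Quantity whose sign Step 4 of RSA_Decryption_CRT leaks for x = M."""
    return (x % Q) - (x % P)

def oracle(x):
    """O(x) = 1 if no conditional '+ q' correction was needed, else 0."""
    return 0 if f(x) < 0 else 1

def oracle_sequence(n=N):
    return [oracle(x) for x in range(n)]

def transitions_1_to_0(seq):
    """x values with O(x-1) = 1 and O(x) = 0; the theorem says q divides each."""
    return [x for x in range(1, len(seq)) if seq[x - 1] == 1 and seq[x] == 0]

def theorem_holds(n=N, q=Q):
    """Every 1-to-0 transition of O over [0, n) sits at a multiple of q."""
    return all(x % q == 0 for x in transitions_1_to_0(oracle_sequence(n)))

def step4_branching(mq, mp, q=Q):
    """Slide version: a data-dependent branch on the sign of u = Mq - Mp."""
    u = mq - mp
    if u < 0:
        u += q
    return u

def step4_branchless(mq, mp, q=Q):
    """Same value without a sign-dependent branch: always add q, then reduce.
    In real code the final reduction must also be constant-time (a masked
    conditional subtract); here Python's % stands in for that operation."""
    return (mq - mp + q) % q

def step4_equivalent(p=P, q=Q):
    """Both variants agree for every Mp in [0, p) and Mq in [0, q)."""
    return all(step4_branching(a, b) == step4_branchless(a, b)
               for a in range(q) for b in range(p))
```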
14
From the theorem we can construct a binary search algorithm for the secret prime q in the adaptive chosen ciphertext attack scenario.
Input: n, e, oracle O
Output: secret primes p, q
  1. Find x0, x1 in Z/nZ such that O(x0) = 1 and O(x1) = 0
  2. Set LB = x0, UB = x1
  3. While LB ≠ UB do the following:
    3.1. m = (LB + UB)/2
    3.2. Compute O(m) from c = m^e mod n
    3.3. If O(m) = 1, then LB = m, otherwise UB = m
  4. Compute g = gcd(m, n)
  5. Return (g, n/g)
15
Timing Attack on C mod p
Kocher et al. proposed a timing attack against C mod p.
Note that if C < p holds, there is no reduction modulo p. In this case, the timing of the whole decryption is slightly faster. Thus we have the following oracle: if C < p then O(C) = 1, else O(C) = 0.
Similarly, we can construct a factoring algorithm using the oracle O. Boneh et al. showed a practical remote timing attack on SSL.
[Figure: the attacker sends a chosen ciphertext C to the server holding secret key p and observes the decryption time of C]