Number Theory and Advanced Cryptography
5. Cryptanalysis of RSA

Chih-Hung Wang

Sept. 2012

Posted on 03-Jan-2016

Part I: Introduction to Number Theory
Part II: Advanced Cryptography

2

RSA Cryptosystem (1) Page 258

3

RSA Cryptosystem (2)

4

RSA Cryptosystem

1977 by Ron Rivest, Adi Shamir, and Len Adleman (MIT)

The first “secure” & “practical” public key cryptosystem

A block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n

5

The RSA Algorithm (1/2)

6

The RSA Algorithm (2/2)

7

RSA Example

Receiver: holds the secret key d (and p, q); publishes the public key PKA = (e, n)

Sender: acquires (e, n); computes C ≡ M^e mod n

Receiver: recovers M = C^d mod n

8

RSA Example

N = 119 = p*q = 7*17; e = 5; e*d ≡ 1 mod (6*16); d = 77

9

Active attacks on cryptosystems (1)

Chosen-plaintext attack (CPA)

Chosen-ciphertext attack (CCA)

10

Active attacks on cryptosystems (2)

Adaptive chosen-ciphertext attack (CCA2)

11

Attack Scenarios

12

The RSA Problem and Assumption

13

Insecurity of the Textbook RSA Encryption

Theorem 8.1

The RSA cryptosystem is “all-or-nothing” secure against CPA if and only if the RSA assumption holds.

14

Meet-in-the-middle attack (1)

The multiplicative property of the RSA function

Space cost: $2^{\text{length}/2} \log N$ bits

Time cost: $O_B\big(2^{\text{length}/2 + 1} (\text{length}/2 + \log^3 N)\big)$
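The RSA example from the slides above (n = 119, e = 5, d = 77), worked through in code, together with a check of the multiplicative property E(M1·M2) = E(M1)·E(M2) mod n that the meet-in-the-middle attack exploits. This is an added example, not code from the slides; the only inputs are the deck's own toy parameters.

```python
# Added example (not from the slides): textbook RSA with the deck's toy
# parameters p=7, q=17, n=119, e=5, d=77, plus a check of the multiplicative
# property that the meet-in-the-middle attack relies on.
from math import gcd


def rsa_keygen(p, q, e):
    """Return (n, e, d) for primes p, q and a public exponent e coprime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python >= 3.8)
    return n, e, d


def rsa_encrypt(m, e, n):
    """Textbook RSA: plaintext and ciphertext are integers in [0, n-1]."""
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n-1]")
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    return pow(c, d, n)


def multiplicative_property_holds(m1, m2, e, n):
    """E(m1*m2 mod n) == E(m1)*E(m2) mod n: textbook RSA is malleable, which is
    what lets an attacker split a message into two halves and meet in the middle."""
    lhs = rsa_encrypt((m1 * m2) % n, e, n)
    rhs = (rsa_encrypt(m1, e, n) * rsa_encrypt(m2, e, n)) % n
    return lhs == rhs


if __name__ == "__main__":
    n, e, d = rsa_keygen(7, 17, 5)
    print(n, e, d)                                   # 119 5 77
    c = rsa_encrypt(19, e, n)
    print(c, rsa_decrypt(c, d, n))                   # 66 19
    # every residue mod 119 round-trips because e*d = 385 = 1 mod lcm(6, 16)
    print(all(rsa_decrypt(rsa_encrypt(m, e, n), d, n) == m for m in range(n)))
    print(multiplicative_property_holds(3, 11, e, n))  # True
```

Note that d = 77 decrypts every residue, not only those coprime to n, because e·d ≡ 1 mod lcm(p-1, q-1) = 48 and n is square-free; the multiplicative check is the property the meet-in-the-middle attack turns into a space/time trade-off.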

15

Meet-in-the-middle attack (2)

16

Inadequacy of the CPA security of the RSA (1)

Blind attack

17

Inadequacy of the CPA security of the RSA (2)

18

Common modulus protocol failure (1) outsider attack

Description

19

Common modulus protocol failure (2) outsider attack

20

Common modulus protocol failure (3) insider attack

A square root of 1 mod M

21

Common modulus protocol failure (4) insider attack

Finding a nontrivial square root of 1 mod M

22

Common modulus protocol failure (5) insider attack

Given a public key e1, the holder of an encryption/decryption pair (e2, d2) can generate the private key of another user.
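Both common-modulus failures from slides 18 to 22, worked through on a constructed modulus so the consequence of sharing one n between users is concrete: an outsider who sees the same message under two coprime exponents recovers it with the extended Euclidean algorithm, and an insider who holds any one (e, d) pair uses e·d - 1 (a multiple of φ(n)) to find a nontrivial square root of 1 mod n, factor n, and compute every other user's d. This is an added example, not code from the slides; the primes 10007 and 10009 and the exponents 5 and 7 are constructed test values.

```python
# Added example (not from the slides): the two common-modulus protocol
# failures on textbook RSA, run on a constructed modulus n = 10007 * 10009.
from math import gcd
import random

P, Q = 10007, 10009                      # constructed small primes
N = P * Q
PHI = (P - 1) * (Q - 1)


def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def common_modulus_recover(n, e1, c1, e2, c2):
    """Outsider attack: c1 = m^e1, c2 = m^e2 (mod n) with gcd(e1, e2) = 1.
    From x*e1 + y*e2 = 1 we get c1^x * c2^y = m^(x*e1 + y*e2) = m (mod n)."""
    g, x, y = ext_gcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")

    def power(c, k):                     # negative exponent: use the inverse of c mod n
        return pow(c, k, n) if k >= 0 else pow(pow(c, -1, n), -k, n)

    return (power(c1, x) * power(c2, y)) % n


def factor_from_key_pair(n, e, d, rng=None):
    """Insider attack: k = e*d - 1 is a multiple of phi(n), so a^k = 1 (mod n)
    for any a coprime to n. Write k = 2^t * r and square a^r step by step; the
    first x with x^2 = 1 and x != +-1 is a nontrivial square root of 1 mod n,
    and gcd(x - 1, n) is then a proper factor."""
    rng = rng or random.Random(2012)
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:
        t, r = t + 1, r // 2
    while True:
        a = rng.randrange(2, n - 1)
        if gcd(a, n) != 1:
            return gcd(a, n)             # a itself shares a factor with n
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue                     # this a only yields trivial roots
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:
                return gcd(x - 1, n)     # x is a nontrivial square root of 1
            if y == n - 1:
                break                    # trivial root reached first; try another a
            x = y


def other_users_private_key(n, e_insider, d_insider, e_other):
    """An insider who knows (e_insider, d_insider) derives d for any other exponent."""
    p = factor_from_key_pair(n, e_insider, d_insider)
    q = n // p
    return pow(e_other, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    e1, e2 = 5, 7                        # two users sharing N with coprime exponents
    d2 = pow(e2, -1, PHI)
    m = 123456
    c1, c2 = pow(m, e1, N), pow(m, e2, N)
    print(common_modulus_recover(N, e1, c1, e2, c2))              # 123456
    print(factor_from_key_pair(N, e2, d2))                        # 10007 or 10009
    print(other_users_private_key(N, e2, d2, e1) == pow(e1, -1, PHI))  # True
```

The defensive reading is the one the slides give: a modulus is per key pair, never per group, and any system design that hands several parties keys over one n has no confidentiality between them and none against an observer who sees repeated messages.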

23

The low exponent protocol failure (1)

Use a small exponent for the RSA public key to make encryption fast and inexpensive to perform.

Problem description

24

The low exponent protocol failure (2) salvaging

Never send exactly the same message
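The low-exponent failure and its salvage from the two slides above, as an added example that is not part of the deck: three recipients with distinct moduli receive the same message under e = 3, the Chinese Remainder Theorem combines the three ciphertexts into m³ as an ordinary integer (m³ is smaller than n1·n2·n3), and an integer cube root returns m. Giving each copy its own random padding bits, so that no two recipients get exactly the same message, breaks the combination. The moduli are constructed from small primes p ≡ 2 (mod 3), chosen so that e = 3 is a valid exponent; all values are test values.

```python
# Added example (not from the slides): the low-exponent (e = 3) protocol
# failure and its salvage on constructed moduli.
import random


def is_prime(n):
    """Trial division; adequate for the small constructed primes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def demo_moduli(lo=1000, hi=1200):
    """Three constructed RSA moduli from primes p with p % 3 == 2, so that
    gcd(3, p-1) = 1 and e = 3 is a valid public exponent for each."""
    ps = [p for p in range(lo, hi) if p % 3 == 2 and is_prime(p)]
    return [ps[0] * ps[1], ps[2] * ps[3], ps[4] * ps[5]]


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli."""
    prod = 1
    for n in moduli:
        prod *= n
    total = 0
    for r, n in zip(residues, moduli):
        ni = prod // n
        total += r * ni * pow(ni, -1, n)
    return total % prod


def icbrt(x):
    """Exact integer cube root of x >= 0, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:                       # smallest mid with mid^3 >= x
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def broadcast(m, moduli, pad_bits=0, rng=None):
    """Encrypt m for every recipient with e = 3. With pad_bits > 0 each copy
    gets its own random suffix (the salvage: never send exactly the same message)."""
    rng = rng or random.Random(2012)
    cts = []
    for n in moduli:
        mi = (m << pad_bits) | rng.randrange(1 << pad_bits)
        if mi >= n:
            raise ValueError("padded message must be smaller than the modulus")
        cts.append(pow(mi, 3, n))
    return cts


def broadcast_recover(ciphertexts, moduli):
    """Eavesdropper's view: CRT-combine the ciphertexts, then take the integer
    cube root. Returns m when all three plaintexts were identical; once the
    copies differ the combined value is (almost always) not a cube and the
    result is never m."""
    return icbrt(crt(ciphertexts, moduli))


if __name__ == "__main__":
    mods = demo_moduli()
    print(broadcast_recover(broadcast(424242, mods), mods))            # 424242
    print(broadcast_recover(broadcast(1500, mods, pad_bits=8), mods))  # not 1500
```

With realistic key sizes the same arithmetic applies unchanged; what changes is that a padding scheme such as OAEP supplies the per-recipient randomness, which is why the slide's salvage is stated as a rule about messages rather than about exponents.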

25

Other attacks (1) GCD attack

Franklin and Reiter

Coppersmith, Franklin and Patarin (Eurocrypt’96)

26

Other attacks (2) Wiener’s attack

Wiener pointed out that if the secret exponent d is chosen too small, it can be recovered.

27

Constraints of RSA Key Requirement

Key size in the range of 1024 to 2018 bits

p and q should differ in length by only a few digits; thus, both p and q should be on the order of 10^75 to 10^100.

Both (p-1) and (q-1) should contain a large prime factor

gcd(p-1, q-1) should be small

28

Factorization Techniques

Fermat Factorization

Monte Carlo Factorization

The Pollard p-1 method of Factorization [239]

29

Fermat Factorization (1)

30

Fermat Factorization (2)

31

Fermat Factorization (3) Example

32

Monte Carlo Factorization (1)

33

Monte Carlo Factorization (2)

34

Monte Carlo Factorization (3) Example [1]

35

Monte Carlo Factorization (4) Example [2]

36

The Pollard p-1 method of Factorization (1)

37

The Pollard p-1 method of Factorization (2) Example
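The three factoring methods named on slides 28 to 37, implemented as an added example (not the deck's code) and each run against a constructed modulus that violates one of the key constraints listed on slide 27: Fermat's method on p, q that are almost equal, Pollard's p-1 on a prime whose p-1 has only small factors, and Pollard's rho (the "Monte Carlo" method) on an unstructured but small modulus. The primes 10007, 10009, 421, 4999 and 7919 are constructed test values; none of these methods scales to properly generated keys, which is precisely why the constraints exist and why they make cheap sanity checks in key-generation tests.

```python
# Added example (not from the slides): Fermat, Pollard rho ("Monte Carlo")
# and Pollard p-1 factoring, run on constructed moduli that break the RSA
# key constraints (p, q too close; p-1 with only small factors).
from math import gcd, isqrt


def fermat_factor(n, max_steps=10_000):
    """Fermat: write n = a^2 - b^2 = (a-b)(a+b), searching a upward from
    ceil(sqrt(n)). Succeeds quickly exactly when p and q are close together."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None                          # p and q not close enough for this budget


def pollard_rho(n, seed=2, max_c=20):
    """Pollard's rho: iterate x -> x^2 + c mod n with Floyd cycle detection;
    a collision mod p (but not mod q) shows up as 1 < gcd(|x - y|, n) < n."""
    for c in range(1, max_c):
        x = y = seed
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:                       # d == n: both factors collided at once, retry
            return tuple(sorted((d, n // d)))
    return None


def pollard_p_minus_1(n, bound=1000):
    """Pollard p-1: if p-1 divides B! then a^(B!) = 1 (mod p), so
    gcd(a^(B!) - 1, n) reveals p. Fails when every prime factor of n has a
    large prime in p-1, which is the constraint on slide 27."""
    a = 2
    for k in range(2, bound + 1):
        a = pow(a, k, n)                 # a = 2^(k!) mod n
        d = gcd(a - 1, n)
        if 1 < d < n:
            return tuple(sorted((d, n // d)))
        if d == n:
            return None                  # both p-1 and q-1 divide k!; no split
    return None


if __name__ == "__main__":
    close = 10007 * 10009                # p and q differ by 2: Fermat needs one step
    smooth = 421 * 10007                 # 421 - 1 = 2^2*3*5*7: p-1 splits it with bound 7
    plain = 4999 * 7919                  # no special structure, but small: rho is fast
    print(fermat_factor(close))          # (10007, 10009)
    print(pollard_p_minus_1(smooth))     # (421, 10007)
    print(pollard_rho(plain))            # (4999, 7919)
```

A key-generation self-test can run the first two functions with a small step budget on every freshly generated modulus; a success means the candidate primes were too close or p-1 too smooth and the key must be discarded.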

38

Optimal Asymmetric Encryption Padding (OAEP) Page 508

RSA-OAEP & Rabin-OAEP

The plaintext message encrypted inside the RSA-OAEP scheme can have a length up to 84% of the length of the modulus.

PKCS#1, IEEE P1363 & SET

39

Optimal Asymmetric Encryption Padding (OAEP) RSA-OAEP (page 503)

40

OAEP—Mixing of different algebraic structures

41

RSA-OAEP Algorithm (1) Page 324

42

RSA-OAEP Algorithm (2)

43

RSA-OAEP Algorithm (3)

44

OAEP Properties

Plaintext Randomization: a padding scheme like OAEP has a random input value which adds randomness to the distribution of the padding result.

Data Integrity Protection: provides the decryption end with a mechanism to check data integrity.
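The OAEP padding layer from slides 38 to 44, written out as an added example (not the deck's code) so the two properties just listed can be checked directly: the EME-OAEP encoding and decoding of PKCS#1 v2 (RFC 8017, sections 7.1.1 and 7.1.2), with SHA-256 assumed as both the hash and the MGF1 hash. Encoding the same plaintext twice with fresh seeds gives two different blocks that both decode to the message; changing any byte of a block, or decoding under a different label, is rejected. Only the padding is shown; the RSA exponentiation would be applied to the returned block EM.

```python
# Added example (not from the slides): EME-OAEP encode/decode per RFC 8017
# with SHA-256, to demonstrate plaintext randomization and integrity checking.
import hashlib
import hmac
import os

HLEN = hashlib.sha256().digest_size      # 32 bytes


def mgf1(seed, length):
    """MGF1 mask generation: concatenate SHA-256(seed || 4-byte counter) blocks."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def max_message_len(k):
    """Capacity of OAEP for a k-byte modulus: k - 2*hLen - 2 bytes."""
    return k - 2 * HLEN - 2


def oaep_encode(message, k, label=b"", seed=None):
    """Return EM = 0x00 || maskedSeed || maskedDB for a k-byte modulus.
    seed=None draws a fresh random seed: the plaintext-randomization property."""
    if len(message) > max_message_len(k):
        raise ValueError("message too long")
    lhash = hashlib.sha256(label).digest()
    ps = b"\x00" * (max_message_len(k) - len(message))
    db = lhash + ps + b"\x01" + message              # length k - hLen - 1
    seed = os.urandom(HLEN) if seed is None else seed
    masked_db = xor_bytes(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor_bytes(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k, label=b""):
    """Return the message, or None on any integrity failure. Every check is
    evaluated and one undifferentiated error is returned, because reporting
    which check failed leaks information (Manger's attack on PKCS#1 v2.0)."""
    if len(em) != k or k < 2 * HLEN + 2:
        return None
    y, masked_seed, masked_db = em[0], em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor_bytes(masked_seed, mgf1(masked_db, HLEN))
    db = xor_bytes(masked_db, mgf1(seed, k - HLEN - 1))
    lhash_ok = hmac.compare_digest(db[:HLEN], hashlib.sha256(label).digest())
    rest = db[HLEN:]
    idx = 0
    while idx < len(rest) and rest[idx] == 0:     # skip PS, find the 0x01 separator
        idx += 1
    ok = lhash_ok and y == 0 and idx < len(rest) and rest[idx] == 1
    return rest[idx + 1:] if ok else None


if __name__ == "__main__":
    k = 128                                          # 1024-bit modulus, in bytes
    m = b"constructed test message"
    em1, em2 = oaep_encode(m, k), oaep_encode(m, k)
    print(em1 != em2)                                # True: randomized padding
    print(oaep_decode(em1, k) == m, oaep_decode(em2, k) == m)   # True True
    tampered = em1[:-1] + bytes([em1[-1] ^ 0x80])
    print(oaep_decode(tampered, k))                  # None: integrity failure
```

Because the seed is masked with a function of the data block and the data block with a function of the seed, a single flipped bit anywhere in EM changes the recovered seed, which scrambles the whole data block and fails the lHash comparison; that coupling is the "mixing of different algebraic structures" the deck refers to, and it is what turns a padding format into an integrity check.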
