Simple Backdoors for RSA Key Generation Scott Dial
Overview • Some Necessary Theorems • The Scenario • Four Methods • Conclusions
Important Notation • |n| represents the magnitude of n in bits • |240| = |11110000b| = 8 • n:m represents the concatenation of n and m in their respective order • 1011:0101 = 10110101 • nm represents the m MSBs of n • nm represents the m LSBs of n
Wiener’s Method • Suppose we are given (n, e), and d < n^(1/4)/3, then we can compute the whole of d and factor n in poly(|n|). • Loosely |d| < |n|/4
Coppersmith’s Method • Suppose we are given (n, e) and |n|/4 bits of p, then we can factor n in poly(|n|).
Theorem 1 [Boneh] • Let t be an integer in the range [|n|/4, ..., |n|/2] and e be a prime in the range [2^t, …, 2^(t+1)]. Suppose we are given (n, e), and the t most significant bits of d. Then we can compute the whole of d and factor n in time poly(|n|).
Theorem 2 [Boneh] • Let t be an integer in the range [1, …, |n|/2] and e be an integer in the range [2^t, …, 2^(t+1)]. Suppose we are given (n, e), the t most significant bits of d, and the |n|/4 least significant bits of d. Then we can factor n in time poly(|n|).
Theorem 3 [Slakmon] • Let t be an integer in the range [1, …, |n - Φ(n)|] and d be an integer in the range [1, …, 2|n - Φ(n)| - t/2]. Suppose we are given (n, e), and the |n - Φ(n)| - t most significant bits of n - Φ(n). Then we can factor n in time poly(|n|).
The Scenario (Users) • A Black-Box • No Knowledge of The Generation • Produces tuples (p, q, e, d) • The Challenge • Distinguish Good Keys From Bad Keys • External Analysis Only
The Scenario (Creators) • Generate RSA tuples (p, q, e, d) • Through (n, e) volunteer enough information to apply partial knowledge factoring on n • Create a backdoor discreetly • Indistinguishable subliminal channel
A Backdoor • Let β be a backdoor key • Let πβ be a permutation of odd integers smaller than n to themselves • Several Choices • Advantages/Disadvantages
The RSA Algorithm • 1: Generate random primes p and q, n := pq, a k bit integer. • 2: Generate a random odd e such that |e| < k • 3: Goto 2 until gcd(e, Φ(n)) = 1 • 4: Compute d := e^(-1) mod Φ(n) • 5: Return (p, q, d, e)
Algorithm 1 (RSA-HSDβ) • 1: Generate random primes p and q, n := pq, a k bit integer • 2: Generate a random odd δ such that gcd(δ, Φ(n)) = 1 and |δ| < k/4 • 3: Compute ε = δ^(-1) mod Φ(n), e := πβ(ε) • 4: Goto 2 until gcd(e, Φ(n)) = 1 • 5: Compute d := e^(-1) mod Φ(n) • 6: Return (p, q, d, e)
Attack 1 (RSA-HSDβ) • 1: Given (n, e), compute ε = πβ^(-1)(e) • 2: Compute δ from (n, ε) using Wiener’s low exponent attack • 3: Given (ε, δ) factor n as p, q • 4: Return (p, q)
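Algorithm 1 and Attack 1 run end to end at toy size, as an added Python example that is not part of the original slides or the cited paper. It shows that Wiener's method finds nothing in the published (n, e) yet factors n once πβ is undone. Assumptions: the function names and the constants P, Q and BETA are made up for the example, and πβ is taken to be XOR with the even mask 2β, since the operator on the πβ slide is not legible here.

```python
import random
from math import gcd, isqrt

# Constructed inputs: known primes stand in for step 1; BETA is arbitrary.
P, Q = 2**128 - 159, 2**127 - 1
BETA = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF

def mask_for(n, beta):
    # Assumed pi_beta: XOR with even mask 2*beta (keeps odd odd, self-inverse).
    return (2 * beta) % (1 << n.bit_length())

def keygen_hsd(p, q, beta, rng):
    """Algorithm 1: publish e = pi_beta(epsilon), epsilon = delta^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        # Two bits under the slide's |delta| < k/4 so delta < n^(1/4)/3 holds.
        delta = rng.getrandbits(n.bit_length() // 4 - 2) | 1
        if gcd(delta, phi) != 1:
            continue
        e = pow(delta, -1, phi) ^ mask_for(n, beta)
        if gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)

def convergents(num, den):
    """Yield the continued-fraction convergents k/d of num/den."""
    k0, d0, k1, d1 = 0, 1, 1, 0
    while den:
        a, (num, den) = num // den, (den, num % den)
        k0, d0, k1, d1 = k1, d1, a * k1 + k0, a * d1 + d0
        yield k1, d1

def wiener(n, e):
    """Return (p, q) if e has a private exponent below n^(1/4)/3, else None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        s = n - (e * d - 1) // k + 1          # candidate p + q
        disc = s * s - 4 * n                  # (p - q)^2 when the guess is right
        r = isqrt(disc) if disc >= 0 else -1
        if r >= 0 and r * r == disc and (s + r) % 2 == 0:
            p = (s + r) // 2
            if 1 < p < n and n % p == 0:
                return p, n // p
    return None

def attack_hsd(n, e, beta):
    """Attack 1: undo pi_beta, then run Wiener on (n, epsilon)."""
    return wiener(n, e ^ mask_for(n, beta))
```

For a key from `keygen_hsd(P, Q, BETA, random.Random(7))`, `wiener(n, e)` returns None while `attack_hsd(n, e, BETA)` returns both primes, which is why a small-private-exponent check on the published key alone does not expose this generator.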
Algorithm 2 (RSA-HSPEβ) • 1: Generate random primes p and q, n := pq, a k bit integer. • 2: Generate a random prime ε such that gcd(ε, Φ(n)) = 1 and |ε| = k/4 • 3: Compute δ := ε^(-1) mod Φ(n), δH := δk/4, e := πβ(δH:ε) • 4: Goto 2 until gcd(ε, Φ(n)) = 1 • 5: Compute d := e^(-1) mod Φ(n) • 6: Return (p, q, d, e)
Attack 2 (RSA-HSPEβ) • 1: Given (n, e), compute (δH:ε) := πβ^(-1)(e) • 2: Compute δ from (n, δH, ε) using BDF low public prime exponent attack (Theorem 1) with partial knowledge of private exponent. • 3: Given (ε, δ) factor n as p, q. • 4: Return (p, q)
Algorithm 3 (RSA-HSEβ) • 1: Generate random primes p and q, n := pq, a k bit integer • 2: Generate a random ε such that gcd(ε, Φ(n)) = 1 and |ε| = t • 3: Compute δ := ε^(-1) mod Φ(n), δH := δt, δL := δk/4, e := πβ(δH:δL:ε) • 4: Goto 2 until gcd(e, Φ(n)) = 1 • 5: Compute d := e^(-1) mod Φ(n) • 6: Return (p, q, d, e)
Attack 3 (RSA-HSEβ) • 1: Given (n, e), compute (δH:δL:ε) := πβ^(-1)(e) • 2: Compute δ from (n, δH, δL, ε) using BDF low public exponent attack (Theorem 2) with partial knowledge of private exponent. • 3: Given (ε, δ) factor n as p, q • 4: Return (p, q)
Choice of πβ • πβ(x) = x (2β)|x| • πβ(x) = DESβ(x) • πβ(x) = AESβ(x) • πβ(x) = x^(-1) mod β • πβ(x) = (x + 2β) mod (n + 1) • πβ(x) = ((2α + 1)x + 2β) mod (n + 1 - 2m)
Some Problems • Relies on choosing specific exponents from specific subsets. • Restrictive forced subsets foil easily • S = {d | gcd(d, Φ(n)) = 1 and d = (x:x)} • Indistinguishability
Algorithm 4 (RSA-HPβ(e)) • 1: Pick a random prime p of appropriate size, such that gcd(e, p - 1) = 1 • 2: Pick a random odd q' of appropriate size, set n' := pq', a k bit integer. • 3: Compute τ := n'k/8, μ := πβ(pk/4), and λ := n'5k/8 • 4: Set n := (τ:μ:λ) and q := n/p + (1 1)/2 so that it is odd • 5: While gcd(e, q – 1) > 1 or q is composite do: • Pick a random even m such that |m| = k/8, q := q m and n := pq • 6: Compute d := e^(-1) mod Φ(n) • 7: Return (p, q, d, e)
Attack 4 (RSA-HPβ) • 1: Given n, compute pk/4 := πβ^(-1)(n3k/8k/4) • 2: Factor n as p, q using Coppersmith’s partial information attack. • 3: Return (p, q)
Problems And A New πβ • πβ(x) = x (2β)|x| • (n' n)3k/8k/4 = (p' p)k/4 • πβ(x) = x^(-1) mod β • n3k/8k/4pk/4 - 1 is a multiple of β • New Permutations • πβ,μ(x) = (x (2μ)|x|)^(-1) mod β • πβ,μ(x) = (x^(-1) mod β) (2μ)|β|
Conclusions • Potentially impossible to distinguish backdoored RSA key tuples • Never trust key tuples provided to you • The extra backdoor could potentially weaken the RSA key tuples
A Challenge • http://crypto.cs.mcgill.ca/~crepeau/RSA/ • RSA-HSE, πβ(x) = x β • Distinguish broken keys from real RSA keys • Determine the backdoor key
References • D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than n^0.292, IEEE Transactions on Information Theory, 46 (2000), pp. 1339-1349. • C. Crépeau and A. Slakmon, Simple backdoors for RSA key generation, http://crypto.cs.mcgill.ca/~crepeau/PDF/CS02.pdf, 18 Oct 2002. • D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, in Advances in Cryptology - EuroCrypt '96, U. Maurer, ed., Berlin, 1996, Springer-Verlag, pp. 178-189. Lecture Notes in Computer Science Volume 1070.