Simple Backdoors for RSA Key Generation


  1. Simple Backdoors for RSA Key Generation • Scott Dial

  2. Overview • Some Necessary Theorems • The Scenario • Four Methods • Conclusions

  3. Important Notation • |n| represents the magnitude of n in bits • |240| = |11110000b| = 8 • n:m represents the concatenation of n and m in their respective order • 1011:0101 = 10110101 • $n\rceil^{m}$ represents the m MSBs of n • $n\rfloor_{m}$ represents the m LSBs of n

  4. Wiener’s Method • Suppose we are given (n, e), and $d < \sqrt[4]{n}/3$, then we can compute the whole of d and factor n in poly(|n|). • Loosely, |d| < |n|/4

  5. Coppersmith’s Method • Suppose we are given (n, e) and |n|/4 bits of p, then we can factor n in poly(|n|).

  6. Theorem 1 [Boneh] • Let t be an integer in the range [|n|/4, ..., |n|/2] and e be a prime in the range $[2^{t}, \ldots, 2^{t+1}]$. Suppose we are given (n, e), and the t most significant bits of d. Then we can compute the whole of d and factor n in time poly(|n|).

  7. Theorem 2 [Boneh] • Let t be an integer in the range [1, …, |n|/2] and e be an integer in the range $[2^{t}, \ldots, 2^{t+1}]$. Suppose we are given (n, e), the t most significant bits of d, and the |n|/4 least significant bits of d. Then we can factor n in time poly(|n|).

  8. Theorem 3 [Slakmon] • Let t be an integer in the range [1, …, |n - Φ(n)|] and d be an integer in the range $[1, \ldots, 2^{|n - \Phi(n)| - t/2}]$. Suppose we are given (n, e), and the |n - Φ(n)| - t most significant bits of n - Φ(n). Then we can factor n in time poly(|n|).

  9. The Scenario (Users) • A Black-Box • No Knowledge of The Generation • Produces tuples (p, q, e, d) • The Challenge • Distinguish Good Keys From Bad Keys • External Analysis Only

  10. The Scenario (Creators) • Generate RSA tuples (p, q, e, d) • Through (n, e) volunteer enough information to apply partial knowledge factoring on n • Create a backdoor discreetly • Indistinguishable subliminal channel

  11. A Backdoor • Let β be a backdoor key • Let $\pi_\beta$ be a permutation of odd integers smaller than n to themselves • Several Choices • Advantages/Disadvantages

  12. The RSA Algorithm • 1: Generate random primes p and q, n := pq, a k-bit integer. • 2: Generate a random odd e such that |e| < k • 3: Goto 2 until gcd(e, Φ(n)) = 1 • 4: Compute $d := e^{-1} \bmod \Phi(n)$ • 5: Return (p, q, d, e)

  13. Algorithm 1 (RSA-HSD$_\beta$) • 1: Generate random primes p and q, n := pq, a k-bit integer • 2: Generate a random odd δ such that gcd(δ, Φ(n)) = 1 and |δ| < k/4 • 3: Compute $\varepsilon = \delta^{-1} \bmod \Phi(n)$, $e := \pi_\beta(\varepsilon)$ • 4: Goto 2 until gcd(e, Φ(n)) = 1 • 5: Compute $d := e^{-1} \bmod \Phi(n)$ • 6: Return (p, q, d, e)

  14. Attack 1 (RSA-HSD$_\beta$) • 1: Given (n, e), compute $\varepsilon = \pi_\beta^{-1}(e)$ • 2: Compute δ from (n, ε) using Wiener’s low exponent attack • 3: Given (ε, δ) factor n as p, q • 4: Return (p, q)

  15. Algorithm 2 (RSA-HSPE$_\beta$) • 1: Generate random primes p and q, n := pq, a k-bit integer. • 2: Generate a random prime ε such that gcd(ε, Φ(n)) = 1 and |ε| = k/4 • 3: Compute $\delta := \varepsilon^{-1} \bmod \Phi(n)$, $\delta_H := \delta\rceil^{k/4}$, $e := \pi_\beta(\delta_H : \varepsilon)$ • 4: Goto 2 until gcd(ε, Φ(n)) = 1 • 5: Compute $d := e^{-1} \bmod \Phi(n)$ • 6: Return (p, q, d, e)

  16. Attack 2 (RSA-HSPE$_\beta$) • 1: Given (n, e), compute $(\delta_H : \varepsilon) := \pi_\beta^{-1}(e)$ • 2: Compute δ from (n, $\delta_H$, ε) using BDF low public prime exponent attack (Theorem 1) with partial knowledge of private exponent. • 3: Given (ε, δ) factor n as p, q. • 4: Return (p, q)

  17. Algorithm 3 (RSA-HSE$_\beta$) • 1: Generate random primes p and q, n := pq, a k-bit integer • 2: Generate a random ε such that gcd(ε, Φ(n)) = 1 and |ε| = t • 3: Compute $\delta := \varepsilon^{-1} \bmod \Phi(n)$, $\delta_H := \delta\rceil^{t}$, $\delta_L := \delta\rfloor_{k/4}$, $e := \pi_\beta(\delta_H : \delta_L : \varepsilon)$ • 4: Goto 2 until gcd(e, Φ(n)) = 1 • 5: Compute $d := e^{-1} \bmod \Phi(n)$ • 6: Return (p, q, d, e)

  18. Attack 3 (RSA-HSE$_\beta$) • 1: Given (n, e), compute $(\delta_H : \delta_L : \varepsilon) := \pi_\beta^{-1}(e)$ • 2: Compute δ from (n, $\delta_H$, $\delta_L$, ε) using BDF low public exponent attack (Theorem 2) with partial knowledge of private exponent. • 3: Given (ε, δ) factor n as p, q • 4: Return (p, q)

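  19. Choice of $\pi_\beta$ • $\pi_\beta(x) = x \oplus (2\beta)\rfloor_{|x|}$ • $\pi_\beta(x) = \mathrm{DES}_\beta(x)$ • $\pi_\beta(x) = \mathrm{AES}_\beta(x)$ • $\pi_\beta(x) = x^{-1} \bmod \beta$ • $\pi_\beta(x) = (x + 2\beta) \bmod (n + 1)$ • $\pi_\beta(x)$ = ((2α + 1)x + 2β) mod (n + 1 - 2m)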

  20. Some Problems • Relies on choosing specific exponents from specific subsets. • Restrictive forced subsets foil easily • S = {d | gcd(d, Φ(n)) = 1 and d = (x:x)} • Indistinguishability

  21. Algorithm 4 (RSA-HP$_\beta$(e)) • 1: Pick a random prime p of appropriate size, such that gcd(e, p - 1) = 1 • 2: Pick a random odd q' of appropriate size, set n' := pq', a k-bit integer. • 3: Compute $\tau := n'\rceil^{k/8}$, $\mu := \pi_\beta(p\rceil^{k/4})$, and $\lambda := n'\rfloor_{5k/8}$ • 4: Set n := (τ:μ:λ) and $q := n/p + (1 \pm 1)/2$ so that it is odd • 5: While gcd(e, q - 1) > 1 or q is composite do: • Pick a random even m such that |m| = k/8, $q := q \oplus m$ and n := pq • 6: Compute $d := e^{-1} \bmod \Phi(n)$ • 7: Return (p, q, d, e)

  22. Attack 4 (RSA-HP$_\beta$) • 1: Given n, compute $p\rceil^{k/4} := \pi_\beta^{-1}(n\rceil^{3k/8}\rfloor_{k/4})$ • 2: Factor n as p, q using Coppersmith’s partial information attack. • 3: Return (p, q)

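  23. Problems And A New $\pi_\beta$ • $\pi_\beta(x) = x \oplus (2\beta)\rfloor_{|x|}$ • $(n' \oplus n)\rceil^{3k/8}\rfloor_{k/4} = (p' \oplus p)\rceil^{k/4}$ • $\pi_\beta(x) = x^{-1} \bmod \beta$ • $n\rceil^{3k/8}\rfloor_{k/4} \cdot p\rceil^{k/4} - 1$ is a multiple of β • New Permutations • $\pi_{\beta,\mu}(x) = (x \oplus (2\mu)\rfloor_{|x|})^{-1} \bmod \beta$ • $\pi_{\beta,\mu}(x) = (x^{-1} \bmod \beta) \oplus (2\mu)\rfloor_{|\beta|}$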

  24. Conclusions • Potentially impossible to distinguish backdoored RSA key tuples • Never trust key tuples provided to you • The extra backdoor could potentially weaken the RSA key tuples

  25. A Challenge • http://crypto.cs.mcgill.ca/~crepeau/RSA/ • RSA-HSE, $\pi_\beta(x) = x \oplus \beta$ • Distinguish broken keys from real RSA keys • Determine the backdoor key

  26. References • D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than $n^{0.292}$, Information Theory, IEEE Transactions on, 46 (2000), pp. 1339-1349. • C. Crépeau and A. Slakmon, Simple backdoors for RSA key generation, http://crypto.cs.mcgill.ca/~crepeau/PDF/CS02.pdf, 18 Oct 2002. • D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, in Advances in Cryptology - EuroCrypt '96, U. Maurer, ed., Berlin, 1996, Springer-Verlag, pp. 178-189. Lecture Notes in Computer Science Volume 1070.
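
Algorithm 1 and Attack 1 (slides 13 and 14) at toy size, as an added example that is not code from the presentation or the cited paper: Wiener's attack finds nothing on the published (n, e), but factors n once the exponent is unmasked with β. Assumptions: the permutation is a plain XOR with the even mask 2β, the two primes are fixed instead of random, and the names `pi`, `backdoored_keygen`, `wiener`, `recover_with_beta` and the value of `BETA` are made up for the illustration.

```python
import random
from math import gcd, isqrt

# Constructed toy parameters: two fixed primes with q < p < 2q and a made-up beta.
P, Q = 2**64 - 59, 2**63 - 25
BETA = 0x1F3A9C5D7E2B4680ACE13579B

def pi(x, beta):
    # Assumed permutation: XOR with the even mask 2*beta. It is its own
    # inverse and never touches the low bit, so odd exponents stay odd.
    return x ^ (2 * beta)

def backdoored_keygen(p, q, beta, rng):
    # Algorithm 1, with fixed primes standing in for step 1.
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        delta = rng.randrange(3, 1 << 28, 2)  # small odd delta, under n**0.25 / 3
        if gcd(delta, phi) != 1:
            continue
        e = pi(pow(delta, -1, phi), beta)     # mask eps = delta^-1 mod phi
        if 1 < e < phi and gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)

def wiener(n, e):
    # Test every continued-fraction convergent k/d of e/n as a candidate d.
    a, b = e, n
    k0, k1, d0, d1 = 0, 1, 1, 0
    while b:
        t = a // b
        a, b = b, a - t * b
        k0, k1, d0, d1 = k1, t * k1 + k0, d1, t * d1 + d0
        if k1 == 0 or (e * d1 - 1) % k1:
            continue
        s = n - (e * d1 - 1) // k1 + 1        # candidate p + q
        disc = s * s - 4 * n
        if disc >= 0 and isqrt(disc) ** 2 == disc:
            p = (s + isqrt(disc)) // 2
            if 1 < p < n and p * (s - p) == n:
                return p, s - p
    return None

def recover_with_beta(n, e, beta):
    # Attack 1: undo the permutation, then Wiener's attack factors n.
    return wiener(n, pi(e, beta))

if __name__ == "__main__":
    n, e, d = backdoored_keygen(P, Q, BETA, random.Random(1))
    print("Wiener on published (n, e):", wiener(n, e))
    print("Wiener after unmasking e:  ", recover_with_beta(n, e, BETA))
```

The published e is full size and passes a direct small-d test, which is the slides' point about external analysis: the weakness only shows to whoever can invert the permutation.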
