
Security of RSA: Analyzing Factoring and Attacks

This lecture explores the security of RSA, focusing on the factoring of large numbers and the potential attacks on the encryption algorithm. It discusses various algorithms and approaches that have been used to break RSA, as well as the challenges and limitations in finding the correct prime factors of a number.


Presentation Transcript


  1. Lecture 8: Security of RSA
     THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE.
     David Evans, http://www.cs.virginia.edu/~evans
     CS551: Security and Privacy, University of Virginia Computer Science

  2. Menu
     • (Anonymous) Pop Quiz
     • Security of RSA
     • Factoring
     • Public Key Infrastructures
     University of Virginia CS 551

  3. Properties of E and D
     • Trap-door one way function:
       1. D (E (M)) = M
       2. E and D are easy to compute.
       3. Revealing E doesn’t reveal an easy way to compute D (next time)
     • Trap-door one way permutation: also
       4. E (D (M)) = M
     Are there other functions that have properties 1, 2 and 4?

  4. RSA
     $E(M) = M^e \bmod n$
     $D(C) = C^d \bmod n$
     $n = p \cdot q$, where p and q are prime
     d is relatively prime to $(p - 1)(q - 1)$
     $e \cdot d \equiv 1 \pmod{(p - 1)(q - 1)}$

  5. Revealing E doesn’t reveal D
     • Revealing E: e, n.
     • Can attacker find D?
     • If attacker factors $n = p \cdot q$:
       $e \cdot d \equiv 1 \pmod{(p - 1)(q - 1)}$
       Easy to find $d \equiv e^{-1} \bmod (p - 1)(q - 1)$
     • Use experience to argue factoring is hard.
     • Argue all other attacks are at least as hard as factoring n.

  6. Gardner’s Column: Original RSA challenge ($100)
     n (RSA-129) = 1 1438 1625 7578 8886 7669 2357 7997 6146 6120 1021 8296 7212 4236 2562 5618 4293 5706 9352 4573 3897 8305 9712 3563 9587 0505 8989 0751 4759 9290 0268 7954 3541
     e = 9007
     C = 9686 9613 7546 2206 1477 1409 2225 4355 8829 0575 9991 1245 7431 9874 6951 2093 0816 2982 2514 5708 3569 3147 6622 8839 8962 8013 3919 9055 1829 9451 5781 5154
     Scientific American, August 1977

  7. 40000000000000000 ≠ 17
     Ron Rivest (1977): factoring n (129 digits) would require at least 40 quadrillion years if you could do a * b mod c in one nanosecond.
     Derek Atkins (April 1994): We are happy to announce that RSA-129 = 3490 5295 1084 7650 9491 4784 9619 9038 9813 3417 7646 3849 3387 8439 9082 0577 * 3 2769 1329 9326 6709 5499 6198 8190 8344 6141 3177 6429 6799 2942 5397 9828 8533

  8. How so Fast
     • Better factoring algorithms
     • Distributed computation
     • Still can’t do a * b mod c in one nanosecond (not faster processors)
     • 1 ns = $10^{-9}$ s
     • Best processors today 1 GHz (cycle = 1 ns)
     • But, multiplying 100 digit numbers takes many cycles

  9. Trial and Error Factoring
     • Try every number up to $\sqrt{n}$.
     • Requires $O(\sqrt{n})$ divisions.
     • For RSA-129: $1.1 \times 10^{64}$ divisions; at 1 per nanosecond = $3.4 \times 10^{47}$ years
     • Just try prime numbers: requires $O(\pi(\sqrt{n}))$ divisions (assumes you already know all the primes up to $\sqrt{n}$)
     • The Prime Number Theorem: $\pi(x) \sim x / \ln x$
     • For RSA-129: $7.2 \times 10^{61}$ divisions; at 1 per nanosecond = $2.3 \times 10^{45}$ years

  10. Pollard Rho Method
      • Fastest known in 1977 [Pollard75]
      • To find factor p, requires 4p modular multiplies
      • Worst case: lowest p is n, we need 4n multiplies
      • For RSA-129 = $1.3 \times 10^{32}$ = $4 \times 10^{15}$ years
      • Rivest probably used this, but made a math error (4 quadrillion ≠ 40 quadrillion)

  11. Pollard Rho
      • Pick arbitrary $x_0$.
      • Iterate: $x_{n+1} = x_n^2 + 1$
      • If p is prime, $x_n \bmod p$ must eventually repeat: $x_{n_1} \equiv x_{n_2} \pmod p$, so $x_{n_1 + k} \equiv x_{n_2 + k} \pmod p$ for all $k \ge 0$.
      • Can find $x_{2n} \equiv x_n \pmod p$ for some $n \ge n_1$.
      • If $\gcd(x_{2n} - x_n, N) > 1$ then p is a factor of N.
      • $x_{2n} - x_n = kp = \gcd(x_{2n} - x_n, N)$

  12. Quadratic Sieve
      • To factor n, find x and y such that $x^2 \equiv y^2 \pmod n$
      • Then, n divides $x^2 - y^2 = (x - y)(x + y)$.
      • $n = \gcd(n, x - y) \cdot \gcd(n, x + y)$.
      • If we’re lucky, factors will be non-trivial
      • If x and y generated “randomly”, probability is ½ since n has 2 prime factors

  13. Breaking RSA-129
      • Organized by Derek Atkins and others, 1994
      • Quadratic Sieve algorithm
      • Memory-limited (1994 – most workstations 16MB RAM), used 10M to hold .5M primes
      • Recruited volunteers from Internet
      • 1600 machines
      • Used 5000 MIPS years over 8 months

  14. To factor r [RSA-129] we assembled the largest collaboration yet seen in computational number theory and, possibly, performed the largest single computation ever completed. In several important respects, the resources we had available were barely adequate for the task. Consequently, ingenuity and diplomacy were required for the successful completion of the project.
      Derek Atkins, Michael Graff, et al., The Magic Words Are Squeamish Ossifrage, AsiaCrypt 1994.

  15. Recent Factoring Algorithms
      • Team from CWI (Amsterdam) factored RSA-155 (512 bits), August 1999
      • ~8000 MIPS years (36 CPU years)
      • 7 months on ~300 machines
      • Number Field Sieve
      • Lecture 1: factor RSA-300 for automatic A. How much harder is this?

  16. RSA Security
      • Factoring is hard ⇒ RSA is secure?
      • Can you compute D without factoring n?
      • Probably not, but can’t prove it.
      • Can prove other mathematical attacks are equivalent to factoring.

  17. $\varphi(n)$ without factoring
      • Calculate $\varphi(n)$ without factoring n: $e \cdot d \equiv 1 \pmod{\varphi(n)}$
      • Equivalent to factoring:
        $\varphi(n) = n - (p + q) + 1$
        $p + q = n - \varphi(n) + 1$

  18. $\varphi(n)$ without factoring
      $(p + q)^2 - 4n = (p^2 + 2pq + q^2) - 4n$
      $= p^2 + 2n + q^2 - 4n$
      $= p^2 - 2n + q^2$
      $= p^2 - 2pq + q^2$
      $= (p - q)^2$
      $p - q = \sqrt{(p + q)^2 - 4n}$
      $p + q = n - \varphi(n) + 1$
      $2p = \sqrt{(n - \varphi(n) + 1)^2 - 4n} + n - \varphi(n) + 1$

  19. Determine d without $\varphi(n)$
      • Brute force: m digits long, amount of work is $10^m$.
      • Try 1M/second (special purpose hardware)
      • Will take $3 \times 10^{36}$ years for m = 50.
      • For factoring difficulty, m > 100.
      • Non-brute force: knowing d enables factoring.

  20. Determining d ⇒ factoring
      $e d \equiv 1 \pmod{\varphi(n)}$
      $k \cdot \varphi(n) = e d - 1$
      Already showed, finding $\varphi(n)$ is same as factoring. Also true for multiple of $\varphi(n)$.

  21. Properties of RSA’s E and D
      • Trap-door one way function:
        • D (E (M)) = M
        • E and D are easy to compute.
        • Revealing E doesn’t reveal an easy way to compute D (next time)
      • Trap-door one way permutation: also
        • E (D (M)) = M

  22. Key Management
      Public keys only useful if you know:
      • The key matches the entity you think it does.
      • The entity is trustworthy.

  23. Approach 1: Public Announcement
      • Publish public keys in a public forum
      • USENET groups
      • Append to email messages
      • New York Times classifieds
      • Easy for rogue to pretend to be someone else

  24. Approach 2: Public Directory
      • Trusted authority maintains directory mapping names to public keys
      • Entities register public keys with authority in some secure way
      • Authority publishes directory
      • Print using watermarked paper, special fonts, etc.
      • Allow secure electronic access

  25. One Key
      • Electronic access requires directory have key (public/private key pair might work, but how do entities validate public key?)
      • If authority’s key is compromised, everything is vulnerable!
      • Keep the key locked up well
      • Directory is single point of failure

  26. Approach 3: Certificates
      $C_A = E_{KR_{TrustMe}}[\text{“Alice”}, KU_A]$
      $C_B = E_{KR_{TrustMe}}[\text{“Bob”}, KU_B]$
      [Diagram labels: TrustMe.com, Alice, Bob, KU_A, KU_B, C_A, C_B]
      How do I know “Alice” is “Alice”?

  27. $C_A = E_{KR_{TrustMe}}[ID_A, KU_A]$
      $C_B = E_{KR_{TrustMe}}[ID_B, KU_B]$
      [Diagram labels: TrustMe.com, Alice, Bob, KU_A, KU_B, C_A, C_B]
      What if Alice’s private key is compromised?

  28. $C_A = E_{KR_{TrustMe}}[Time_1, ID_A, KU_A]$
      $C_B = E_{KR_{TrustMe}}[Time_2, ID_B, KU_B]$
      [Diagram labels: TrustMe.com, Alice, Bob, KU_A, KU_B, C_A, C_B, $$$$]

  29. Data encrypted using secret key exchanged using some public key associated with some certificate.


  33. Web Treasure Hunt
      • Click on “lock” next time when you browse the web
      • Find a certificate with a hierarchy of trust more than one level deep
      • The CA has a certificate

  34. Charge
      • PS2 Due Wednesday
      • Full Project Proposals due 4 Oct (description now on web)
      • SSL details coming in a few weeks...
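
Slides 9 to 11 compare trial division with Pollard rho. The Python below is an added example, not code from the lecture, that runs both on a constructed 12-digit modulus and returns how many steps each needs; the primes `P` and `Q` and all function names are assumptions of the example.

```python
from math import gcd

# Constructed sample modulus: product of two known primes near 10^6.
P, Q = 1000003, 999983
N = P * Q

def trial_division(n):
    """Slide 9: try every candidate up to sqrt(n). Returns (factor, divisions)."""
    divisions, d = 0, 2
    while d * d <= n:
        divisions += 1
        if n % d == 0:
            return d, divisions
        d += 1
    return n, divisions              # no divisor found: n is prime

def pollard_rho(n, x0=2):
    """Slide 11: x_{k+1} = x_k^2 + 1 mod n, test gcd(x_2k - x_k, n).
    Returns (factor, steps); factor is None when this x0 only gives gcd == n."""
    x = y = x0
    steps = 0
    while True:
        x = (x * x + 1) % n          # x_k advances one step
        y = (y * y + 1) % n
        y = (y * y + 1) % n          # x_2k advances two steps
        steps += 1
        g = gcd(abs(x - y), n)
        if g == n:                   # repeated modulo every prime factor at once
            return None, steps
        if g > 1:
            return g, steps

def factor(n, max_starts=50):
    """Retry with other starting points (the slide's 'arbitrary x0')."""
    for x0 in range(2, 2 + max_starts):
        g, steps = pollard_rho(n, x0)
        if g is not None:
            return g, steps
    raise ValueError("no factor found; n may be prime")

if __name__ == "__main__":
    print("trial division (factor, divisions):", trial_division(N))
    print("Pollard rho    (factor, steps):    ", factor(N))
```

The gap between the two step counts is why key sizes are judged against the best known factoring algorithm rather than against exhaustive search.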
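
Slides 17, 18 and 20 argue that learning φ(n), or d, is as good as factoring n. The Python below is an added example, not code from the lecture: `factor_from_phi` follows the slides' algebra using p + q = n − φ(n) + 1, which follows from φ(n) = n − (p + q) + 1, and `factor_from_d` goes beyond the slides by using the standard square-root-of-1 method on the multiple e·d − 1 of φ(n). The toy primes, the reuse of e = 9007 from slide 6 and the function names are assumptions.

```python
from math import gcd, isqrt

# Constructed toy key: two known primes near 10^6, e = 9007 as in slide 6.
P, Q, E = 1000003, 999983, 9007
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                  # private exponent (Python 3.8+)

def factor_from_phi(n, phi):
    """Slides 17-18: p + q = n - phi + 1 and (p - q)^2 = (p + q)^2 - 4n."""
    s = n - phi + 1                  # p + q
    disc = s * s - 4 * n             # (p - q)^2
    if disc < 0 or isqrt(disc) ** 2 != disc:
        raise ValueError("phi is not (p-1)(q-1) for this n")
    r = isqrt(disc)                  # p - q
    p, q = (s + r) // 2, (s - r) // 2
    if p * q != n:
        raise ValueError("phi is not (p-1)(q-1) for this n")
    return p, q

def factor_from_d(n, e, d, max_bases=200):
    """Slide 20: e*d - 1 = k*phi(n). Write it as 2^s * t and look for a
    square root of 1 mod n other than +-1 (standard method, not on the slide)."""
    t, s = e * d - 1, 0
    if t <= 0:
        raise ValueError("e*d - 1 must be positive")
    while t % 2 == 0:
        t, s = t // 2, s + 1
    for g in range(2, 2 + max_bases):
        if gcd(g, n) > 1:            # g already shares a factor with n
            p = gcd(g, n)
            return max(p, n // p), min(p, n // p)
        x = pow(g, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                p = gcd(x - 1, n)    # x^2 = 1 but x != +-1, so this splits n
                return max(p, n // p), min(p, n // p)
            x = y
    raise ValueError("d is not a valid private exponent for (n, e)")

if __name__ == "__main__":
    print("from phi(n):", factor_from_phi(N, PHI))
    print("from d:     ", factor_from_d(N, E, D))
```

A practical consequence is that a leaked private exponent compromises the modulus itself, so the key pair has to be replaced, not just the exponent.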
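
Slides 26 to 28 build the certificate up to C = E_KR_TrustMe[Time, ID, KU]. The Python below is an added example, not code from the lecture, showing what a relying party checks before trusting KU: the authority's signature, the identity, and the certificate's age. It substitutes a textbook RSA signature over a SHA-256 hash for the slides' E_KR[...]; the toy CA key, the `max_age` policy and all names are assumptions.

```python
import hashlib

# Constructed toy key for the authority "TrustMe" (far too small for real use).
P, Q, E = 1000003, 999983, 9007
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # KR_TrustMe, known only to the authority

def digest(issued, ident, ku):
    """Hash the certificate fields [Time, ID, KU] down to a number below N."""
    data = f"{issued}|{ident}|{ku}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def issue(issued, ident, ku):
    """Authority side: bind (Time, ID, KU) together under KR_TrustMe."""
    sig = pow(digest(issued, ident, ku), D, N)
    return {"time": issued, "id": ident, "ku": ku, "sig": sig}

def verify(cert, expected_id, now, max_age):
    """Relying-party side: needs only the authority's public key (E, N)."""
    if pow(cert["sig"], E, N) != digest(cert["time"], cert["id"], cert["ku"]):
        return "bad signature"       # fields were altered or not signed by TrustMe
    if cert["id"] != expected_id:
        return "wrong identity"      # a valid certificate, but for someone else
    if now - cert["time"] > max_age:
        return "expired"             # too old to rely on if the key was compromised
    return "ok"

if __name__ == "__main__":
    cert = issue(1000, "Alice", 0xA11CE)           # constructed sample values
    print(verify(cert, "Alice", now=1500, max_age=3600))
    print(verify(dict(cert, ku=0xBAD), "Alice", now=1500, max_age=3600))
    print(verify(cert, "Alice", now=10000, max_age=3600))
```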
