Learn about backdoors for RSA key generation, including Wiener’s and Coppersmith’s methods, Boneh’s theorems, and techniques for creating backdoors in RSA. Explore various attack scenarios and defenses against them.
Simple Backdoors for RSA Key Generation Scott Dial
Overview • Some Necessary Theorems • The Scenario • Four Methods • Conclusions
Important Notation • |n| represents the magnitude of n in bits • |240| = |11110000b| = 8 • n:m represents the concatenation of n and m in their respective order • 1011:0101 = 10110101 • nm represents the m MSBs of n • nm represents the m LSBs of n
Wiener’s Method • Suppose we are given (n, e) and d < n^(1/4)/3; then we can compute the whole of d and factor n in poly(|n|). • Loosely, |d| < |n|/4
Coppersmith’s Method • Suppose we are given (n, e) and |n|/4 bits of p, then we can factor n in poly(|n|).
Theorem 1 [Boneh] • Let t be an integer in the range [|n|/4, …, |n|/2] and e be a prime in the range [2^t, …, 2^(t+1)]. Suppose we are given (n, e), and the t most significant bits of d. Then we can compute the whole of d and factor n in time poly(|n|).
Theorem 2 [Boneh] • Let t be an integer in the range [1, …, |n|/2] and e be an integer in the range [2^t, …, 2^(t+1)]. Suppose we are given (n, e), the t most significant bits of d, and the |n|/4 least significant bits of d. Then we can factor n in time poly(|n|).
Theorem 3 [Slakmon] • Let t be an integer in the range [1, …, |n - Φ(n)|] and d be an integer in the range [1, …, 2^(|n - Φ(n)| - t/2)]. Suppose we are given (n, e), and the |n - Φ(n)| - t most significant bits of n - Φ(n). Then we can factor n in time poly(|n|).
The Scenario (Users) • A Black-Box • No Knowledge of The Generation • Produces tuples (p, q, e, d) • The Challenge • Distinguish Good Keys From Bad Keys • External Analysis Only
The Scenario (Creators) • Generate RSA tuples (p, q, e, d) • Through (n, e) volunteer enough information to apply partial knowledge factoring on n • Create a backdoor discreetly • Indistinguishable subliminal channel
A Backdoor • Let β be a backdoor key • Let π_β be a permutation of odd integers smaller than n to themselves • Several Choices • Advantages/Disadvantages
The RSA Algorithm
• 1: Generate random primes p and q, n := pq, a k bit integer.
• 2: Generate a random odd e such that |e| < k
• 3: Goto 2 until gcd(e, Φ(n)) = 1
• 4: Compute d := e^(-1) mod Φ(n)
• 5: Return (p, q, d, e)
Algorithm 1 (RSA-HSD_β)
• 1: Generate random primes p and q, n := pq, a k bit integer
• 2: Generate a random odd δ such that gcd(δ, Φ(n)) = 1 and |δ| < k/4
• 3: Compute ε = δ^(-1) mod Φ(n), e := π_β(ε)
• 4: Goto 2 until gcd(e, Φ(n)) = 1
• 5: Compute d := e^(-1) mod Φ(n)
• 6: Return (p, q, d, e)
Attack 1 (RSA-HSD_β)
• 1: Given (n, e), compute ε = π_β^(-1)(e)
• 2: Compute δ from (n, ε) using Wiener’s low exponent attack
• 3: Given (ε, δ) factor n as p, q
• 4: Return (p, q)
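Added example (not from the slides or from the Crépeau and Slakmon paper): a toy run of Algorithm 1 and Attack 1 that shows the user's problem from The Scenario. Wiener's continued-fraction check finds nothing on the published (n, e), yet factors n once π_β is undone. The 30-bit primes, BETA, the seed, the function names and the choice π_β(x) = x XOR 2β are assumptions made for this sketch.

```python
import math
import random

P, Q = 1000000007, 998244353   # constructed toy primes (q < p < 2q), far too small for real use
BETA = 0x5EC2E7C0DE            # constructed backdoor key

def convergents(num, den):
    """Yield convergents (h, k) of the continued fraction of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1

def wiener_factor(n, e):
    """Return (p, q) if the private exponent of (n, e) is below n^(1/4)/3, else None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        s = n - (e * d - 1) // k + 1          # candidate p + q = n - phi + 1
        disc = s * s - 4 * n                  # equals (p - q)^2 when the guess is right
        if disc < 0:
            continue
        r = math.isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            p, q = (s + r) // 2, (s - r) // 2
            if q > 1 and p * q == n:
                return p, q
    return None

def keygen_hsd(p, q, beta, seed=0):
    """Algorithm 1 (RSA-HSD) with pi_beta(x) = x XOR 2*beta (assumed permutation)."""
    n, phi = p * q, (p - 1) * (q - 1)
    bound = math.isqrt(math.isqrt(n)) // 3    # Wiener bound on delta
    rng = random.Random(seed)                 # seeded only to make the run repeatable
    while True:
        delta = rng.randrange(3, bound, 2)    # random odd delta below the bound
        if math.gcd(delta, phi) != 1:
            continue
        e = pow(delta, -1, phi) ^ (2 * beta)  # e := pi_beta(epsilon)
        if math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)

def audit(n, e, beta=None):
    """Wiener check on e as published, or on pi_beta^-1(e) when beta is known."""
    return wiener_factor(n, e if beta is None else e ^ (2 * beta))
```

Running `audit(n, e)` on a generated key returns None, while `audit(n, e, BETA)` returns the factors, which is why a small-private-exponent check on the public key alone does not clear a black-box generator.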
Algorithm 2 (RSA-HSPE_β)
• 1: Generate random primes p and q, n := pq, a k bit integer.
• 2: Generate a random prime ε such that gcd(ε, Φ(n)) = 1 and |ε| = k/4
• 3: Compute δ := ε^(-1) mod Φ(n), δ_H := δk/4, e := π_β(δ_H:ε)
• 4: Goto 2 until gcd(ε, Φ(n)) = 1
• 5: Compute d := e^(-1) mod Φ(n)
• 6: Return (p, q, d, e)
Attack 2 (RSA-HSPE_β)
• 1: Given (n, e), compute (δ_H:ε) := π_β^(-1)(e)
• 2: Compute δ from (n, δ_H, ε) using BDF low public prime exponent attack (Theorem 1) with partial knowledge of private exponent.
• 3: Given (ε, δ) factor n as p, q.
• 4: Return (p, q)
Algorithm 3 (RSA-HSE_β)
• 1: Generate random primes p and q, n := pq, a k bit integer
• 2: Generate a random ε such that gcd(ε, Φ(n)) = 1 and |ε| = t
• 3: Compute δ := ε^(-1) mod Φ(n), δ_H := δt, δ_L := δk/4, e := π_β(δ_H:δ_L:ε)
• 4: Goto 2 until gcd(e, Φ(n)) = 1
• 5: Compute d := e^(-1) mod Φ(n)
• 6: Return (p, q, d, e)
Attack 3 (RSA-HSE_β)
• 1: Given (n, e), compute (δ_H:δ_L:ε) := π_β^(-1)(e)
• 2: Compute δ from (n, δ_H, δ_L, ε) using BDF low public exponent attack (Theorem 2) with partial knowledge of private exponent.
• 3: Given (ε, δ) factor n as p, q
• 4: Return (p, q)
Choice of π_β
• π_β(x) = x (2β)|x|
• π_β(x) = DES_β(x)
• π_β(x) = AES_β(x)
• π_β(x) = x^(-1) mod β
• π_β(x) = (x + 2β) mod (n + 1)
• π_β(x) = ((2α + 1)x + 2β) mod (n + 1 - 2m)
Some Problems • Relies on choosing specific exponents from specific subsets. • Restrictive forced subsets foil easily • S = {d | gcd(d, Φ(n)) = 1 and d = (x:x)} • Indistinguishability
Algorithm 4 (RSA-HP_β(e))
• 1: Pick a random prime p of appropriate size, such that gcd(e, p - 1) = 1
• 2: Pick a random odd q' of appropriate size, set n' := pq', a k bit integer.
• 3: Compute τ := n'k/8, μ := π_β(pk/4), and λ := n'5k/8
• 4: Set n := (τ:μ:λ) and q := n/p + (1 1)/2 so that it is odd
• 5: While gcd(e, q - 1) > 1 or q is composite do:
  • Pick a random even m such that |m| = k/8, q := q m and n := pq
• 6: Compute d := e^(-1) mod Φ(n)
• 7: Return (p, q, d, e)
Attack 4 (RSA-HP_β)
• 1: Given n, compute pk/4 := π_β^(-1)(n3k/8k/4)
• 2: Factor n as p, q using Coppersmith’s partial information attack.
• 3: Return (p, q)
Problems And A New π_β • π_β(x) = x (2β)|x| • (n' n)3k/8k/4 = (p' p)k/4 • π_β(x) = x^(-1) mod β • n3k/8k/4pk/4 - 1 is a multiple of β • New Permutations • π_(β,μ)(x) = (x (2μ)|x|)^(-1) mod β • π_(β,μ)(x) = (x^(-1) mod β) (2μ)|β|
Conclusions • Potentially impossible to distinguish backdoored RSA key tuples • Never trust key tuples provided to you • The extra backdoor could potentially weaken the RSA key tuples
A Challenge • http://crypto.cs.mcgill.ca/~crepeau/RSA/ • RSA-HSE, π_β(x) = x β • Distinguish broken keys from real RSA keys • Determine the backdoor key
References
• D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than n^0.292, IEEE Transactions on Information Theory, 46 (2000), pp. 1339-1349.
• C. Crépeau and A. Slakmon, Simple backdoors for RSA key generation, http://crypto.cs.mcgill.ca/~crepeau/PDF/CS02.pdf, 18 Oct 2002.
• D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, in Advances in Cryptology - EuroCrypt '96, U. Maurer, ed., Berlin, 1996, Springer-Verlag, pp. 178-189. Lecture Notes in Computer Science Volume 1070.