1 / 27

How to fake an RSA signature by encoding modular root finding as a SAT problem

How to fake an RSA signature by encoding modular root finding as a SAT problem. By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics 130 (2003) 101-127 Presented by Yunho Kim Provable Software Lab, KAIST. TexPoint fonts used in EMF.

khuong
Download Presentation

How to fake an RSA signature by encoding modular root finding as a SAT problem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics 130 (2003) 101-127 Presented by Yunho Kim Provable Software Lab, KAIST TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAA

  2. Introduction Logical cryptanalysis of RSA Encoding modular exponentiation into SAT Experimental analysis Contents How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  3. Cryptography is the practice and study of hiding information • Cryptography consists of two parts encryption and decryption • Encryption is the process of plaintext into unintelligible text and decryption is the reverse. • The detailed operations of a cipher is controlled both by the algorithm and, in each instance, by a key • There are two types of cryptography • Symmetric-key cryptography • Asymmetric-key cryptography IntroductionCryptography From Wikipedia http://en.wikipedia.org/wiki/Cryptography How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  4. Symmetric-key cryptography uses identical cryptographic keys for both decryption and encryption Plaintext Ciphertext Secret key Secret key Encryption algorithm Decryption algorithm Ciphertext Plaintext IntroductionSymmetric-key Identical keys How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  5. Asymmetric-key cryptography uses different cryptographic keys for decryption and encryption Plaintext Encryption key Ciphertext Decryption key Encryption algorithm Decryption algorithm Ciphertext Plaintext IntroductionAsymmetric-key different keys How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  6. RSA is an algorithm for asymmetric cryptography developed by Ron Rivest, Adi Shamir and Leonard Adleman in 1977. • RSA consists of a cipher algorithm for encryption and decryption and a key generation algorithm • The key generation algorithm generates public-key and private-key • The public-key should be distributed to others but the private-key must be kept in secret IntroductionRSA How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  7. RSA key generation algorithm The totientÁ(n) of a positive integer n is defined to be the number of positive integers less than or equal to n that are coprime to n • RSA cipher algorithms • Let m < n be a original message IntroductionRSA key generation Choose two distinct large random prime numbers p and q Compute n = pq Compute the totient: Á(n) = (p – 1)(q – 1) where n is a multiplication of two primes p and q Choose an integer e such that 1 < e < Á(n), and e and Á(n) are coprime Compute d to satisfy the congruence relation de≡ 1 (mod Á(n)); i.e. de = 1 + kÁ(n) for some integer k. <n, e> is the public key and <n, d> is the private key Encryption c = md mod n Decryption m = ce mod n How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  8. RSA example c = 1232753 mod 3233 = 2746 m = 274617mod 3233 = 123 IntroductionRSA example 1. Choose two distinct large random prime numbers p and q p = 61 and q = 53 2. Compute n = pq n = 61 * 53 = 3233 3. Compute the totient: Á(n) = (p – 1)(q – 1) Á(n) = (61 – 1)(53 - 1) = 3120 4. Choose an integer e such that 1 < e < Á(n), and e and Á(n) are coprime e = 17 5. Compute d to satisfy the congruence relation de≡ 1 (mod Á(n)); i.e. de = 1 + kÁ(n) for some integer k. d = 2753, 17 * 2753 = 46801 = 1 + 15 * 3120 6. <3233, 17> is the public key and <3233, 2753> is the private key How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  9. Introduction Logical cryptanalysis of RSA Encoding modular exponentiation into SAT Experimental analysis Contents How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  10. Logical cryptanalysisoverview Plaintext P Secret key K Ciphertext C Circuit description Theorem prover, Satisfiability solver, …. Secret Key Logical analysis/ Implication engine Known plaintext + Known ciphertext + Exposed variables From slides of NachikethPotlapally http://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18 Constraints How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  11. (z+x+y) (z+x+y) (z+x+y) (z+x+y) (z+x) (z+y) (z+x+y) …. (z+x) (z+y) (z+x+y) Logical cryptanalysisSAT-based analysis Secret key K Plaintext P CNF conversion CNF formula of cryptographic algorithm, Ψ (P, C, K) Ciphertext C Ψ(P, C, K) From slides of NachikethPotlapally http://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18 K = 110..1 (consistent with the values set) Set plaintext and ciphertext values in Ψ(P, C, K) Set values of exposed variables in Ψ (P, C, K) SAT solver Timeout Constraints Constraints How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  12. For a symmetric cipher, the choice of the cryptographic transformation is almost obvious • It uses deterministic algorithms for encryption and decryption • The unknown variable is only the key • For RSA, we have three known values e, n and m and a number of equations to choose from • n = pq • c = md mod n • m = ce mod n • What is a suitable equation for SAT-based analysis? Logical cryptanalysislogical analysis of RSA How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  13. The first possible choice n = pq • If we can factorize n into two primes, we can generate a private key from p and q • However, the algorithm for integer factorization has sub-exponential time and space complexity O(2(logN)1/3) • Also, factoring represented as a SAT problem is hard to solve • The second possible choice c = md mod n • Since we know only m, n, it has two unknown variables c and d • For example, if we set <55, 3> as the public key and 9 as message 16 = 94 mod 55 but 9 163 mod 55 = 26 Logical cryptanalysislogical analysis of RSA How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  14. The last possible choice m = ce mod n • For given e, n, m, we can find the ciphertextc encrypted with some private key <n, d>without knowing it • We cannot decrypt the ciphertext encrypted with d but we can generate the ciphertext encrypted with d • Modular exponentiation is reduced to a sequence of modular multiplications Logical cryptanalysislogical analysis of RSA m0 = 1, mi+1 = (mi2 + ei∙c ) mod n The desired value m is obtained at mb log ec + 1 How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  15. Example of a sequence of modular multiplications Let e = 3 = 11(2), c = 4, n = 35 = 5 * 7 m = ce mod n = 43 mod 35 = 64 mod 35 = 29 m0 = 1 m1 = (1 + 1∙4) mod 35 = 5 m2 = (25 + 1∙4) mod 35 = 29 Logical cryptanalysislogical analysis of RSA m0 = 1, mi+1 = (mi2 + ei∙c ) mod n The desired value m is obtained at mb log ec + 1 How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  16. The last choice m = ce mod n • For given e, n, m, we can find the ciphertextc encrypted with some private key <n, d>without knowing it • We cannot decrypt the ciphertext encrypted with d but we can generate the ciphertext encrypted with d • Modular exponentiation is reduced to a sequence of modular multiplications Logical cryptanalysisEncoding problem How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  17. Introduction Logical cryptanalysis of RSA Encoding modular exponentiation into SAT Experimental analysis Contents How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  18. The size of the problem would become huge even for small bits • If we use the best possible multipliers whose gate complexity is O((log2 n)(log2 (log2 n))), the encoding of the RSA of 100bits would require over 100,000 formulae. • For the simplicity, we choose the value e = 3 • m = (((c∙c) mod n)∙c)mod n • We need more efficient encoding of modular multiplications Encoding How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  19. The basic intuition • Let x, y be two 2b bits integers ¼ = (x∙y) mod n = x∙y – k∙n where k = b (x∙y) /nc • Division is a complex operation and it is simpler to compute an approximate value of k and then subtract the error. Encoding How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  20. The basic intuition • Let x, y be two 2b bits integers ¼ = (x∙y) mod n = x∙y – k∙n where k = b (x∙y) /nc • Division is a complex operation and it is simpler to compute an approximate value of k and then subtract the error. Encoding How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  21. Introduction Logical cryptanalysis of RSA Encoding modular exponentiation into SAT Experimental analysis Contents How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  22. Generating satisfiable instances 1. Randomly generate a public key <n,e> and signature c 2. Compute m = ce mod n 3. Transform m, n, einto the corresponding boolean values 4. Find a model for c using SAT solver • Generating unsatisfiable instances • Randomly generate a public key <n,e> and signature c where e violates RSA definition e divides either p- 1 or q- 1 if n = pq 2. Compute m = ce mod n 3. Transform m, e, n into the corresponding boolean values 4. Find a model for c using SAT solver Experiments How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  23. Three SAT-solver are used • HeerHugo is a stalmark algorithm based SAT solver • eqsatz is a variant of DPLL which includes equational reasoning for XOR • smodels is an efficient DPLL implementation with stable model semantics of logic programs • Three machines are used • Alpha with 256MB memory • PII with 64MB memory • PIII with 512 memory • All machines run Linux Experiments How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  24. Experiments How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  25. Experiments How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  26. The authors show how to encode the problem of finding an RSA signature for a given message without factoring The experiments on SAT solvers show that SAT solvers are well behind number theoretic algorithms Conclusion How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

  27. How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci In Discrete Applied Mathematics 130 (2003) 101-127 Reference How to fake an RSA signature by encoding modular root finding as a SAT problem Yunho Kim, Provable Software Lab, KAIST

More Related