1 / 77

Algorithms to attack RSA

Algorithms to attack RSA. Presented by Yu. Objective. The main purpose of this project is to research and learn some algorithms to attack RSA which is the most widely used encryption algorithm in the modern world.

nikki
Download Presentation

Algorithms to attack RSA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Algorithms to attack RSA Presented by Yu

  2. Objective • The main purpose of this project is to research and learn some algorithms to attack RSA which is the most widely used encryption algorithm in the modern world. • Try to find if there is any probability to improve the performance by using multi-core programming.

  3. Encryption Algorithms • What is encryption? • In cryptography, encryption is the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can

  4. Private Key Schemes • In private-key schemes, the encryption and decryption keys are the same. Thus communicating people must agree on a secret key before they wish to communicate. • The same key to encrypt and decrypt. • Much more faster than RSA • Examples: DES, IDEA, RC2, RC4, AES and so on

  5. Private Key Schemes • By contrast, in public-key schemes, the encryption key is public: anyone (friend or foe) has access to the encryption key, and can encrypt messages. • However only the receiving party has access to the decryption key and thus is the only one capable of reading the encrypted messages. • Public-key encryption is a relatively recent invention: historically, all encryption schemes have been private-key schemes • Examples: RSA

  6. Background of RSA • Introduced by  Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. • the letters RSA are the initials of their surnames. • Nowadays, RSA is widely used in many critical areas such as government, bank and military • RSA is generally considered the best encryption algorithm in the mordern world.

  7. Background of RSA

  8. Background of RSA Bob Alice

  9. RSA Scheme • Step 1: Find two primes p, q and e. • Step 2: Calculate N, where N = p*q. • Step 3: Calculate phi, where phi = (p-1)(q-1). • Step 4: Calculate d, where d=e^(-1) mod phi. • Step 5: Encryption C = M^e mod N. • Step 6: Decryption M =C^d mod N

  10. RSA Example • Step 1: p = 11, q = 17 and e=3. • Step 2: N = 187 • Step 3: phi = (11-1) * (17-1) = 160. • Step 4: d=3^(-1) mod 160 = 107 • Step 5: plaintext M =116. • Step 6: Encryption C =116^3 mod 187 = 129.

  11. Ideas about RSA Scheme • a. Generally, in the real applications, p and q should have the same length. If they have different size, one prime is small, another one is big. Therefore, the smaller prime is relatively easy to find. • Example: N = 1013 * 740020709 = 749640978217, which is a 12 digits, 40 bits number. The smaller prime 1013 can be found in 0.01 second in my computer!

  12. Ideas about RSA Scheme • b. When calculating d, where d=e^(-1) mod phi, e and phi should be coprime, which means GCD(e,phi) = 1. Otherwise, d may not exist. • Example: p=13, q=17, N=13*17=221. phi=(13-1)(17-1)=192. if we choose e = 3. GCD(e,phi) != 1 • Therefore, d=3^-1 mod 192 -> • 3 * d ≡ 1 mod 192 -> 3 * d mod 192 =1 • There is no such a “d” exsiting!

  13. Ideas about RSA Scheme • c. The performance of RSA encryption is slow compared with other encryption algorithm. • Reason: in the real applications, e is also very big. • For example: e= 154846979599567375782647 141650963141650981982451629740020709 • A lot of time is needed to compute C = M^e mod N.

  14. Ideas about RSA Scheme • Not directly compute M^e, which is too large. Need some iterations to make 0<C<N in every iteration • The complexity is log(e). • Therefore, RSA is not applicable to long text.

  15. Attacks on RSA • Why RSA is safe? How safe is it? • In order to break RSA, we have to factor a big number N. • Actually, nowadays humans still didn’t find a very efficient way to factor a big number. If one day we find this algorithm, RSA is no longer safe. • Therefore, most of the researches on attacking RSA are based on big number factorization.

  16. Attacks on RSA • RSA factorization record: 768-bit integer, announced in December 2009. It took four years and involved the smartest number theorists currently living on Earth

  17. RSA factorization record • N=1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413 • P=33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 • q=36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917

  18. Attacks on RSA • Attacks on RSA = big number factorization? • No one knows… there is no scientific proof that they are equivalent. • Actually, we do have some other methods to attack RSA. Generally, these methods are based on the misuse of RSA. Not real breaking.

  19. Common Modulus Attack • The same Modulus N is used multiples times for different users. • For example: C(Alice)=M^(e_alice) mod N.C(Bod) = M^(e_bob) mod N. • This may seems to work, because Bob does not have d_alice which is needed to decrypt Alice’s ciphertext.

  20. Common Modulus Attack • However, this is incorrect, and the resulting system is insecure. • Bob can use his own exponents e_bob, d_bob to factor the modulus N.

  21. Faulty Encryption Alice Marvin Bob Generate public key p1, private key d1 Intercept p1, p1 to Bob Generate public key p2, private key d2. Receive p2 p2 to Bob

  22. Faulty Encryption Alice Marvin Bob Encrypt plaintext M with p2 Encrypted text C2 Intercept C2 C1 to Alice

  23. Faulty Encryption Alice Marvin Bob Decrypted C2 with d2 to get M Decrypted C1 with d1 to get M Encrypt M with p1 to get C1 C1 to Alice

  24. Integer factorization • There are still a lot of other methods to attack RSA. However, we can see that they are all based on the misuse of RSA. We can easily defense these attacks by correctly using of RSA. • Then we move to the last method: Integer factorization

  25. Integer factorization • In this project, I focused on integer factorization. So basically, I tried to find some fast algorithms on integer factorization and then implemented them in parallel.

  26. Trial Algorithm • Let’s assume p<q. Since N = p * q • So p * q = √N * √N • Therefore, p< √N, q> √N

  27. Trial Algorithm for(i=2; i<=nsqrt; i++) { if(N % i==0) { p=MI; q=N/p; break; } }

  28. Trial Algorithm • This algorithm is very straightforward and easy to understand. • However, there is a problem here. • How to handle a huge N like N = 965211201359850383 • Neither int nor long are able to store a huge number like this. Actually, there will be larger number in the later algorithms.

  29. Trial Algorithm • Fortunately, I finally found an open source big number library call ttmath. • http://www.ttmath.org/

  30. Trial Algorithm

  31. Parallel Trial Algorithm #pragmaomp parallel for shared(N,p,q,done,nsqrt) private(MII,i,MI) schedule(static) for( i=2; i<=nsqrt; i++) // openmp does not support custermized { // class as index, only support signed int MII=i; // signed long, double…. MI.FromInt(MII); if(Mod(N,MI)==0) { p=MI; q=N/p; } #pragmaomp barrier

  32. Trial Algorithm

  33. Parallel Trial Algorithm

  34. Fermat Factorization • The sequential version of this algorithm is also not difficult. • The idea of this algorithm is to find two number X and Y such that X² - Y² = N. • If so, we have ( X +Y ) * ( X – Y ) = N, which means p = X + Y, and q = X – Y.

  35. Fermat Factorization u= floor(square root of N); while(true) { MyBig temp; temp=u*u-N; if(isSquare(temp)) { temp.Sqrt(); p=u+temp; q=u-temp; break; } u++ }

  36. Improved Fermat Factorization u=floor(square root of N); v=0; while(true) { MyBig temp; temp=u*u-v*v; if(temp>N) { v++; } else if(temp<N) { u++; } else { p=u+v; q=u-v; break; } }

  37. Improved Fermat Factorization Example: N = 99400891, so initially X = floor(√N) = 9969, Y=0; • X=9969 Y=0 X² - Y² = 99380961 < N • X=9970 Y=0 X² - Y² = 99400900 >N • X=9970 Y=1 X² - Y² = 99400899 >N • X=9970 Y=2 X² - Y² = 99400896 >N • X = 9970 Y=3 X² - Y² = 99400891 = N

  38. Fermat Factorization

  39. Parallel Improved Fermat Factorization u=floor(square root of N); v=0; while(true) // Problem 1: how to do parallelism with while loop? { MyBig temp; temp=u*u-v*v; if(temp>N) { v++; // Problem 2: how to deal with the dependency between } // vand u ? else if(temp<N) { u++; } else { p=u+v; q=u-v; break; } }

  40. Parallel Improved Fermat Factorization • After some researches, I found that v changed much faster than v. • Therefore, the iteration should be based on u. Each u handle some values of v.

  41. Parallel Improved Fermat Factorization long max= maximum value of long type #pragmaomp parallel for shared(N,p,q,done,sharedV,max,done) private(MII,MI,u,v) schedule(dynamic) for(u=square root of N; u<=max;u++) { v=sharedV; while(true) { MII=u; MI.FromInt(MII); MyBig temp; Temp = MI*MI-v*v; if(temp>N) { v++; }

  42. Parallel Improved Fermat Factorization else if(temp<N) { #pragmaomp critical { If(v>sharedV) sharedV=v; // tell the other threads there is no needs to compute v less than this number. } break; } else { p=MI+v; q=MI-v; max=0; // Does not work done =true; break; } } If( done) { break; // Openmp does not allow a jump outside the loop. } }

  43. Parallel Improved Fermat Factorization max=pow(10,length Of N/2); #pragmaomp parallel for shared(N,p,q,done,sharedV,max) firstprivate(tempV) private(MII,MI,u,v) schedule(dynamic) for(u=nsqrt; u<=max; u++) { if(!done) // if done, go to the next iteration directly. { v=sharedV; while(true) { MII=u; MI.FromInt(MII); MyBig temp; temp=MI*MI-v*v; if(temp>N) { v++; }

  44. Parallel Improved Fermat Factorization else if(temp<N) { #pragmaomp critical { sharedV=v; } break; } } else { p=MI+v; q=MI-v; Done=true; //tell the other threads that p and q have been found. break; } } } }

  45. Parallel Improved Fermat Factorization • Why the max value of u is pow(10,length Of N/2) • Let’s see this equation again: ( u +v ) * ( u – v ) = N ->u + v =p and u-v=q • What does this equation imply?

  46. Parallel Improved Fermat Factorization • u=p-v -> u < p • u = q+v -> u>q • So q<u<p. • In order to get the max value, we just need to know the max value of p. The length of p = ½ length of N. So max value of p is 10^ (½ length of N)

  47. Parallel Improved Fermat Factorization • We should have some speedup after we set the max value. • However, the runtime is the same as sequential version or even worse when I use two or more threads. • Then I checked my algorithms again and found something interesting.

  48. Parallel Improved Fermat Factorization Initially, N = 3293, u = √N = 57, v=0, sharedV=0 Thread 1 Thread 2 • Iteration 1 • u=57, v= 0, u*u - v*v =3249 <N • Set SharedV=0 • Iteration 2 • u=59, v= 0, u*u - v*v =3481>N • u=59, v= 1, u*u - v*v =3480 >N • u=59, v= 2, u*u - v*v =3477 >N • u=59, v= 3, u*u - v*v =3472 >N • ……………………………… • u=59, v= 8, u*u - v*v =3417 >N • u=59, v= 9, u*u - v*v =3400 >N Iteration 1 u=58, v= 0, u*u - v*v =3364 >N u=58, v= 8, u*u - v*v =3363 >N u=58, v= 2, u*u - v*v =3360 >N u=58, v= 3, u*u - v*v =3355 >N ……………………………… u=58, v= 8, u*u - v*v =3300 >N u=58, v= 9, u*u - v*v =3283 <N Go to next iteration

  49. Parallel Improved Fermat Factorization

  50. Parallel Improved Fermat Factorization

More Related