A Survey of the Security of RSACryptosystem

Slides:



Advertisements
Similar presentations
第一讲:导论 The Introduction  哲学与中国哲学  哲学与哲学史  中国哲学史的历史.
Advertisements

發現生命的力量 — 陳樹菊阿嬤,來了 … 《不凡的慷慨》書籍賞析. 你所知道的陳樹菊  2010 《富比世》雜誌亞洲慈善英雄! 2010 美國《時代》雜誌最具影響力百大人物! 《讀者文摘》亞洲英雄!  導演李安﹕「她的生活稱不上富裕,仍然陸續捐贈 了將近一千萬台幣幫助數個不同的單位 … 」
因果图. 因果图 因果图的适用范围 如果在测试时必须考虑输入条件的各种 组合,可使用一种适合于描述对于多种 条件的组合,相应产生多个动作的形式 来设计测试用例,这就需要利用因果图。 因果图方法最终生成的就是判定表。它 适合于检查程序输入条件的各种组合情 况。 因果图的适用范围 如果在测试时必须考虑输入条件的各种.
第八讲 RSA 和 Rabin 算法 ( 下 ). 本讲提要  RSA 加密的安全 ( 续 )  RSA 加密实践  Rabin 加密算法  Rabin 加密的执行  Rabin 加密的安全  公钥加密的总结.
質數的應用 – RSA加密演算法 國立中央大學 資工系 江振瑞.
选修3-5 第十六章 动量守恒定律 动量守恒定律(一).
Introduction to Computer Science
Chapter 1: 概論 1.1 密碼學術語簡介及假設
情緒與壓力管理 手部舒壓運動 第六組.
Chapter 3 The Fundamentals : Algorithms, the Integers, and Matrices
第 三 节 电磁铁的应用.
2016届高三期初调研 分析 徐国民
第九章 網際網路資料探勘.
岳阳市教学竞赛课件 勾股定理 授课者 赵真金.
专题复习 时间的计算 ---地方时和区时 吴江市汾湖高级中学 丁竹芳.
勾股定理 说课人:钱丹.
公開鑰匙加密演算法 密碼學大革命 public key所想要解決的問題 public key密碼系統特性
Algorithms for Biological Sequence Analysis
Minimum Spanning Trees
Euler’s method of construction of the Exponential function
RSA-256bit Digital Circuit Lab TA: Po-Chen Wu.
CH1 Number Systems and Conversion
Population proportion and sample proportion
RSA Cryptosystem Theorem 1.3: For n = p * q p,q 均是質數
網路與多媒體實驗 第一組報告 B 鄧鎮海 B 葉穎達
模式识别 Pattern Recognition
二、現代的加解密法:RSA 非對稱式密碼系統的一種。
Chapter 4 歸納(Induction)與遞迴(Recursion)
樹狀結構 陳怡芬 2018/11/16 北一女中資訊專題研究.
Sampling Theory and Some Important Sampling Distributions
Course 9 NP Theory序論 An Introduction to the Theory of NP
Simulated Annealing 報告者:李怡緯 OPLAB in NTUIM.
Quantum Computer B 電機三 莊子德
第三章 數據保密系統.
Randomized Algorithms
人教版数学四年级(下) 乘法分配律 单击页面即可演示.
1.3 在整除性問題之應用 附加例題 3 © 文達出版 (香港 )有限公司.
4-5 数论基础.
Chapter 5 Recursion.
Chp.4 The Discount Factor
公開金鑰密碼系統 (Public-Key Cryptosystems)
RSA and Rabin.
计算机问题求解—论题4.9 随机算法的概念 陶先平 2017年5月15日.
Chp.4 The Discount Factor
Common Qs Regarding Earnings
Hashing Michael Tsai 2013/06/04.
公钥密码学与RSA.
DES算法.
密碼學 Chapter 4 基於電腦的非對稱性金鑰密碼學演算法
應用加密技術 A 譚惠心 指導教授:梁明章教授.
所以我們需要     密碼學…. 每個人都有秘密….. 安俐的體重.
Chp.4 The Discount Factor
Course 10 削減與搜尋 Prune and Search
Welcome 实验:筷子提米.
现代密码学理论与实践 第7章用对称密码实现保密性
An Efficient MSB Prediction-based Method for High-capacity Reversible Data Hiding in Encrypted Images 基于有效MSB预测的加密图像大容量可逆数据隐藏方法。 本文目的: 做到既有较高的藏量(1bpp),
演算法分析 (Analyzing Algorithms)
Efficient Query Relaxation for Complex Relationship Search on Graph Data 李舒馨
Hashing Michael Tsai 2017/4/25.
 隐式欧拉法 /* implicit Euler method */
if (j…) printf ("… prime\n"); else printf ("… not prime\n");
投影组态相互作用方法 (Projected Configuration Interaction(PCI) method
張仁俊 (Jen-Chun Chang) 國立台北大學 資訊工程學系 通訊工程研究所 電機工程研究所
Introduction to Computer Security and Cryptography
二项式的分解因式 Factoring binomials
WEP 破解大公開 陳小龍.
Computer Security and Cryptography
Hybrid fractal zerotree wavelet image coding
Presentation transcript:

A Survey of the Security of RSACryptosystem OUTLINE: 1. Introduction: C = Me mod N 2. Attack N 3. Attack C 4. Attack e 5. Attack Protocol 6. RSA參數限制 7. Conclusions 03:16

1. Introduction It is conjectured that the security of RSA depends on the problem of factoring large numbers. [Schneier 96] C = Me mod N 破解程度: (1) get M (2) get secret key p, q or d 03:16

1. Introduction (cont.) 2. Attack N (1) general: factoring methods (2) condition: [Rivest &Shanir 85, Coppersmith 96] 3. Attack C cycling attack: [Simmon & Norris 77] 4. Attack e (1) e/N: [Wiener 90, Chen et al. 96] (2) e, Ci : Hastad attack (in network) [Hastad 88] (3) e, Ci: random padding[Coppersmith 96] (4) e, Ci:related message[Coppersmith 96] 5. Attack protocol (1) timing attack:[Kocher 96] (2) fault-based attack:[Bonch 97] 6. RSA參數限制 7. conclusions 03:16

2. Attack N (cont.) (digit) Franke 160 63bit subexponential Modern Year Franke 160 2003 Cowie 130 1995 Chen Atkins 129 1993 Buhler Denny 120 GNFS 1990 Lenstra Lenstra 107 Lenstra NFS Silverman Lenstra 1987 100 MPQS 1982 Pomerance (digit) QS 1981 Dixon Monte Carlo 1975 Pollard Morrison 63bit subexponential 1974 Pollard Lehmann P-1 1931 Lehmer Modern Implementation Old 03:16

03:16

03:16

Factorization (cont.) Fastest factoring method -Number Field Sieve Each bit operation was estimated as 10-9 seconds. 03:16

Factorization (cont.) Fermat factorization If N = a*b then N = x2 - y2 , where x= (a+b)/2 and y = (a-b)/2. Therefore, x2 - N will be square. To factor N, we search for a square among the sequence of integers t2 - N, (t+1)2 - N, (t+2)2 - N, …, ((N+1)/2)2 - N where t is the smallest integer greater than N1/2. 03:16

Factorization (cont.) Fermat factorization EX: Let N= 6077. Then t  60771/2  78. 782 - 6077 = 7 792 - 6077 = 164 802 - 6077 = 323 812 - 6077 = 484 = 222 Since 6077 = 812 - 222, we see that 6077 = (81-22)(81+22) = 59*103. Worst case: need to check (N+1)/2 -N1/2 integers 03:16

3. Attack C C0 = Me mod N Ck = Ck-1e mod N If Ck = C0 , then M = Ck-1. 重覆加密攻擊法 cycling attack:[Simmon & Norris 77] C0 = Me mod N Ck = Ck-1e mod N If Ck = C0 , then M = Ck-1. Ck-1 = Mek mod N = M ek = 1 mod O(M), where O(M)| (N) (=l.c.m.(p-1,q-1)) k is small why? (1) the order of e modulo (N) is small (2) O(M) of the message is small 03:16

3. Attack C RSA密碼系統重覆加密攻擊法:已知收方之公開金匙(3, 55), 若有一人送一份機密給收方其密文為C=23,,請問原機密為何? Ans: M = 12 03:16

4. Attack e (1) e/N: continued fraction method Continued Fraction = [ 2, 3, 2, 3] [2, 3] [2, 3, 2, 3] [2, 3, 2] 2 [2] 03:16

4. Attack e Continued Fraction Continued Fraction = [ 2, 3, 2, 3], = [ 2, 3, 2, 2] [2, 3] [2, 3, 2, 2] [2, 3, 2, 3] [2, 3, 2] 2 [2] 03:16

4. Attack e (1) e/N: continued fraction method ed = 1 mod l.c.m.(p-1,q-1) If d < N1/4, then d can be discovered. [Wiener 90] If (N) - N1/4 < d < (N), then d can be discovered. [Chen et al. 96] 03:16

4. Attack e (cont.) (2) Hastad attack:[Hastad 88] k=3 and e=3 (3, N1) C1 = M3 mod N1 C = C1 mod N1 = C2 mod N2 = C3 mod N3 C2 = M3 mod N2 (3, N2) CRT M C < N1N2N3 C3 = M3 mod N3 (3, N3) M = C1/3 If k > e(e-1)/2 then M can be discovered. [Hastad 88] If k >= e then M can be discovered. [Shimizu 96] Ref. [Joye 97] 03:16

4. Attack e (cont.) (2) Hastad attack:[Hastad 88] 中國餘數定理 Define:令n1,n2,…,nt為兩兩互質之正整數,令 N=n1*n2*…*nt. 則以下同餘系統中,x = a1 mod n1 , x = a2 mod n2 ,…x = at mod nt,會在[0,N-1]中有唯一解. Proof:因為n1,n2,…,nt為兩兩互質之正整數.所以 i=0,1,2,…,t. 所以存在yi,使得(N/ni) yi=1 mod ni. 此外(N/ni) yi=1 mod nj,當 j i, (N/ ni) 為nj的倍數. mod N 03:16

4. Attack e (cont.) (2) Hastad attack:[Hastad 88] 中國餘數定理 EX: To solve the system x 1 (mod 3), x 2 (mod 5), x 3(mod 7) Sol: N=3*5*7=105, N1 =105/3, N2 =105/5=21, N3 =105/7=15. 35y1 1 (mod 3) y1 2 (mod 3) 21y2 1 (mod 3) y2 1 (mod 3) 15y3 1 (mod 3) y3 1 (mod 3) x 1*35*2+2*21*1+3*15*1 157 52 (mod 105) 03:16

4. Attack e (cont.) (2) Hastad attack:[Hastad 88] RSA密碼系統:已知3 users之公開金匙分別為(e1, N1)=(3, 87), (e2, N2)=(3, 115), (e3, N3)=(3, 187), 若有一人送同一份機密給這三個users其密文分別為C1=82, C2=113, C3=156,請問原機密為何? Ans: M = 7 03:16

4. Attack e (cont.) (3) e, Ci: 附加亂數攻擊法 [Coppersmith 96] 方法: p(x) =0 mod N, degree(p(x))=k If there is a root x0<N1/k , then x0 can be discovered by LLL algorithm from polynomials qij(x)=xi p(x)j mod Nj 應用:RSA with random padding 相同M送兩次 C1 = (2hM+t1)3 mod N = m3 mod N C2 = (2hM+t2)3 mod N = (m+t)3 mod N 則計算 Resultantm (m3 - C1 , (m+t)3 - C2) t9 +(3C1- 3C2)t6 +(3C12+21C1C2+3C22)t3 +(C1- C2)3 = 0 mod N get M If t < N1/9 , get t. 03:16

4. Attack e (cont.) (4) e, Ci: 相關明文攻擊法 [Coppersmith 96] 已知: e, N, k ciphertexts and polynomial relationship among the messages 解出: all messages 特例:[Franklin & Reiter 95] k=2, e=3, M1與M2關係為 M2=AM1+B 已知: e, N, A, B, C1 = M13 mod N, C2 = M23 mod N 則計算 B(C2 + 2A3C1 -B3)/A(C2 - A3C1 + 2B3) =( 3A3BM13+3A2B2M12 +3AB3M1)/ (3A3BM12+3A2B2M1 +3AB3) = M1 03:16

5. Attack Protocol (1)相同模數攻擊法 選定一RSA模數N,給予不同使用者(ei, di),其中eidi = 1 mod (N),然而使用者並不知道模數N的質因數p和q。 優點是:易於金匙管理且沒有reblocking的問題 缺點是:不安全  相同明文送給系統兩個不同使用者,第三者將可解出該明文 假設相同明文M送給系統兩個不同使用者U1和U2,其對應的密文分別為C1 = Me1 mod N和C2 = Me2 mod N。第三者可從網路上獲得C1和C2以及e1和e2,由於e1和e2互質,則可以利用歐幾里德演算法求出整數x和y滿足xe1+ ye2 = 1,其中有一整數為負數。然後,第三者計算 C1xC2y = Mxe1+ye2 = M mod N, 03:16

5. Attack Protocol (1)相同模數攻擊法  使用者擁有一對加解密金匙,可以因數分解N 假設使用者U1擁有一對加解密金匙(e1, d1),則滿足e1d1 = 1 + k(N),其中k為一整數。若使用者U1想要求得使用者U2的私密金匙d2,則先計算出g = gcd(e2, e1d1 - 1),然後得到f = (e1d1 - 1)/g,由於(N)整除(e1d1 - 1),所以f為(N)的整數倍。最後我們得到私密金匙d2為e2對f的乘法反元素 03:16

5. Attack Protocol (2)時間攻擊法 Timing Attack [Kocher 96] M = Cd mod N /* k: the length of d */ 運算過程: S0 = 1; for i := 0 to k-1 do begin if di = 1 then R = Si*C mod N else R = Si Si = R2 mod N end; Note: If di = 1, needs more time. If di = 0, needs less time. 收集幾組C值猜出正確的d值 03:16

5. Attack Protocol (cont.) 防制之法: <1>all operations have same time <2>error timing measurement randomly add useless operations <3> blinding hard randomness disappears for more C’s find a pair (u, v) such that v =(u-1)e mod N Encryption: C’ = v*Me mod N Decryption: M = u*(C’)d mod N 03:16

5. Attack Protocol (cont.) (3)植基於故障攻擊法 Fault-Based Attack [Boneh 97] 利用random hardware faults攻擊 以CRT方法的RSA signature 已知 a = 1 mod p and b = 0 mod p where N=p*q = 0 mod q = 1 mod q Compute S =(M)d mod N <1> S1 = Md mod p <2> S2 = Md mod q <3> S = a*S1 + b*S2 mod N 此運算比原指數運算S =(M)d mod N快 03:16

5. Attack Protocol (cont.) 破解方法: <1> signature 兩次 運算過程中: S1 or S2 error, say S1 S = a*S1 + b*S2 mod N ----- correct S’ = a*S1’ + b*S2 mod N ----- error S - S’ = a*(S1 - S1’) mod p implies g.c.d.(S-S’, N) = q <2> signature 一次 because (S)e mod N = M g.c.d.(M - (S’)e , N) = q 克服方法: 計算signature 必須驗証無誤後才能釋出 03:16

7. Conclusions It is conjectured that the security of RSA depends on the problem of factoring large numbers. [Schneier 96] Breaking RSA may not be equivalent to factoring [Boneh & Venkatesan] 03:16