Crypto lecture PDF
Transcript of Crypto lecture PDF
![Page 1: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/1.jpg)
Cryptography and attacks
(or how to start WWIII with your home computer)
Ari Trachtenberg
![Page 2: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/2.jpg)
Alice writes to Bob while Marvin, the eavesdropper, listens in:
Dear Bob, blah, blah, blah,... gushy romantic nonsense... serious demands... you look like Superman... Alice
![Page 3: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/3.jpg)
• Number theoretic schemes:
• Caesar cipher (shift by 3): a b c d e f g h i j k l m n o p q r s t u v w x y z → D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• al-Kalka-shandi (1412): transposition, substitution
• German Enigma machine (WWII)
Substitution example: h => g, e => f, l => q, o => r, so hello -> gfqqr
“It is not possible to justify the life of any genuine professional mathematician on the ground of the 'utility' of his work.” -G.H. Hardy, A Mathematician’s Apology
![Page 4: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/4.jpg)
• Rot-13: hello → uryyb
• Permutation: h => g, e => f, l => q, o => r; hello → gfqqr
• Binary XOR (letters numbered a = 1, …, z = 26, five bits each):
  h     e     l     l     o
  01000 00101 01100 01100 01111
  10010 10111 00010 10101 00111 <= Random
  11010 10010 01110 11001 01000 <= Result
  z     r     n     y     h
The XOR scheme is only as strong as the random key: it must be unpredictable and never reused.
![Page 5: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/5.jpg)
• shift cipher • substitution cipher • Vigenère cipher • DES • Triple DES
![Page 6: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/6.jpg)
![Page 7: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/7.jpg)
Table of Contents • Introduction
– review of number theory – review of RSA – Security of RSA basis
• Computational attacks – “Intuitively obvious” attacks – Bad choice of primes – Netscape’s bug
• Implementation attacks – Timing attacks – Random faults (to err is not computer-like)
• Conclusions – How to implement a “secure” RSA cryptosystem
![Page 8: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/8.jpg)
(the basis of RSA)
![Page 9: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/9.jpg)
With symmetric keys every pair of people needs its own shared secret, n(n−1)/2 keys for n people: 6 people: 15 keys! 10,000 people: 49,995,000 keys (about 50 million)!
![Page 10: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/10.jpg)
Alice sends Bob a message sealed with Bob's public key (every envelope in the figure is stamped BOB):
Dear Bob, blah, blah, blah,... do you like cs... what is 0.5 in binary... let's go out... Alice
![Page 11: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/11.jpg)
Modulo inverses; Euler's phi function

$a \equiv b \pmod m \iff \exists k \text{ s.t. } a = km + b$; e.g. $3 \equiv 15 \equiv 27 \equiv \dots \pmod{12}$.

$a \cdot a^{-1} \equiv 1 \pmod m \Rightarrow \exists k \text{ s.t. } a \cdot a^{-1} = km + 1$; e.g. $3 \cdot 7 \equiv 1 \pmod{10}$. (The inverse exists only when $\gcd(a, m) = 1$.)

$\varphi(n)$ = the number of integers $\le n$ that are relatively prime to $n$.

$\varphi(n) = n \prod_{d \mid n,\ d \text{ prime}} \left(1 - \frac{1}{d}\right)$; for a prime $p$, $\varphi(p) = p - 1$; for distinct primes $p, q$, $\varphi(pq) = (p-1)(q-1)$.
![Page 12: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/12.jpg)
Order: $\mathrm{ord}(a) \pmod n$ is the smallest $t \ge 1$ s.t. $a^t \equiv 1 \pmod n$; e.g. $\mathrm{ord}(3) \pmod{10} = 4$ (since $3^4 = 81 \equiv 1 \pmod{10}$).

Euler's theorem: $\forall a$ with $\gcd(a, n) = 1$: $a^{\varphi(n)} \equiv 1 \pmod n$.

Euclid's algorithm: given $x$ and $y$, we can find $A$ and $B$ such that $Ax + By = \gcd(x, y)$.

Discrete logarithm theorem: for a generator $g$ of $\mathbb{Z}_n^*$ (i.e. $\mathrm{ord}(g) = \varphi(n)$), $g^x \equiv g^y \pmod n \iff x \equiv y \pmod{\varphi(n)}$.
![Page 13: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/13.jpg)
Chinese Remainder Theorem: given $n = n_1 n_2 n_3 \cdots n_k$ with the $n_i$ pairwise relatively prime, there is a one-to-one correspondence
$a \leftrightarrow (a_1, a_2, a_3, \dots, a_k)$, where $a \in \mathbb{Z}_n$ and $a_i \equiv a \pmod{n_i}$, $a_i \in \mathbb{Z}_{n_i}$.

Example ($n = 13 \cdot 10 \cdot 3 = 390$):
$63 \rightarrow (63 \bmod 13,\ 63 \bmod 10,\ 63 \bmod 3) = (11, 3, 0)$.

Going back, with $m_i = n / n_i$:
$m_1 = 10 \cdot 3 = 30$, $m_2 = 13 \cdot 3 = 39$, $m_3 = 13 \cdot 10 = 130$;
$m_1^{-1} \equiv 10 \pmod{13}$, $m_2^{-1} \equiv 9 \pmod{10}$, $m_3^{-1} \equiv 1 \pmod{3}$;
$(11, 3, 0) \rightarrow 11 \cdot 30 \cdot 10 + 3 \cdot 39 \cdot 9 + 0 \cdot 130 \cdot 1 = 3300 + 1053 + 0 = 4353 \equiv 63 \pmod{390}$.
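The number-theoretic tools on the preceding slides (extended Euclid, modular inverses, Euler's phi, multiplicative order, and the CRT reconstruction), written out as an added example that is not part of the lecture, so they can be checked against the slides' own numbers (3·7 ≡ 1 mod 10, ord(3) mod 10 = 4, 63 ↔ (11, 3, 0)). Plain Python 3, no assumptions beyond the standard library.

```python
# Added example (not from the slides): the number-theoretic toolkit behind RSA.
from math import gcd


def egcd(x, y):
    """Extended Euclid: return (g, A, B) with A*x + B*y == g == gcd(x, y)."""
    a0, a1 = x, y
    A0, A1 = 1, 0
    B0, B1 = 0, 1
    while a1:
        q, r = divmod(a0, a1)
        a0, a1 = a1, r
        A0, A1 = A1, A0 - q * A1
        B0, B1 = B1, B0 - q * B1
    return a0, A0, B0


def modinv(a, m):
    """a^-1 mod m; raises if gcd(a, m) != 1, because then no inverse exists."""
    g, A, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m} (gcd = {g})")
    return A % m


def phi(n):
    """Euler's phi by trial division: n * prod(1 - 1/d) over the primes d | n."""
    result, m, d = n, n, 2
    while d * d <= m:
        if m % d == 0:
            result -= result // d          # multiply by (1 - 1/d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:                              # leftover prime factor
        result -= result // m
    return result


def order(a, n):
    """ord(a) mod n: the smallest t >= 1 with a^t == 1 (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError("order is only defined for units mod n")
    t, x = 1, a % n
    while x != 1:
        x = x * a % n
        t += 1
    return t


def crt(residues, moduli):
    """Reconstruct a from the a_i = a mod n_i, for pairwise coprime n_i."""
    n = 1
    for ni in moduli:
        n *= ni
    a = 0
    for ai, ni in zip(residues, moduli):
        mi = n // ni                       # m_i = n / n_i
        a += ai * mi * modinv(mi, ni)      # a_i * m_i * (m_i^-1 mod n_i)
    return a % n
```

`crt([11, 3, 0], [13, 10, 3])` reproduces the slide's 3300 + 1053 + 0 = 4353 ≡ 63 (mod 390); `modinv` is the same computation RSA key generation uses to turn e into d.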
![Page 14: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/14.jpg)
Bob's initialization:
• pick $N_{Bob} = pq$
• pick public key $e_{Bob}$
• find secret key $d_{Bob}$ with $e_{Bob} d_{Bob} \equiv 1 \pmod{(p-1)(q-1)}$
• public info: $(e_{Bob}, N_{Bob})$
• private info: $d_{Bob}$ (and $p$, $q$)

Alice:
• message $M$
• encodes: $C = M^{e_{Bob}} \pmod{N_{Bob}}$
• (or signs): $S = P_{Alice}(M) \equiv M^{d_{Alice}} \pmod{N_{Alice}}$

Bob:
• decodes: $C^{d_{Bob}} \equiv M^{e_{Bob} d_{Bob}} \equiv M \pmod{N_{Bob}}$
• (or checks the signature): $S^{e_{Alice}} \equiv M^{d_{Alice} e_{Alice}} \equiv M \pmod{N_{Alice}}$
![Page 15: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/15.jpg)
Basis for RSA security (be afraid… be very afraid)
1. Factoring N = pq is hard to do
   or else one can compute φ(N) = (p−1)(q−1)
   and use the Euclidean algorithm to get d (as e^{-1} mod φ(N)) and hence M
2. Getting the private key d is hard
   or else, given M^e, one can compute (M^e)^d ≡ M (mod N)
3. Taking e-th roots modulo N is hard (the "RSA problem")
   Given e and M^e (mod N), can we compute M? (The slide files this under the discrete logarithm; strictly it is root extraction, not a logarithm. It is no harder than factoring, since factoring yields d; whether it is as hard is open.)
![Page 16: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/16.jpg)
Basis for RSA security (⇒): factoring is as hard as computing d
• Given $p$, $q$, $N = pq$: $\varphi(N) = (p-1)(q-1)$, and $\gcd(e, \varphi(N)) = 1$.
• By the (extended) Euclidean algorithm we can solve $ed + K\varphi(N) = 1$ for $d$ and $K$, i.e. $d \equiv e^{-1} \pmod{\varphi(N)}$.
![Page 17: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/17.jpg)
Basis for RSA security (⇐): computing d is as hard as factoring
Given $\langle N, e \rangle$ and $d$, we can factor $N = pq$ "efficiently" using a probabilistic Las Vegas algorithm:
1. Compute $k = ed - 1$. Since $\varphi(N) \mid k$, $a^k \equiv 1 \pmod N$ for all $a$ with $\gcd(a, N) = 1$.
2. By CRT, 1 has four square roots mod $N$: $x \equiv \pm 1 \pmod p$ and $x \equiv \pm 1 \pmod q$ can be chosen independently, giving $x \equiv 1$, $x \equiv -1$, and two nontrivial roots with $x \not\equiv \pm 1 \pmod N$.
3. For a nontrivial root, $x^2 \equiv 1 \pmod N$ means $N \mid (x-1)(x+1)$ while $N \nmid (x-1)$ and $N \nmid (x+1)$, so $\gcd(x - 1, N) = p$ (or $q$).
![Page 18: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/18.jpg)
Basis for RSA security (⇐): computing x with a Las Vegas algorithm
To compute x (expected running time $O((\log N)^3)$):
Choose a random $g \in \mathbb{Z}_N^*$. Write $k = ed - 1 = 2^t \cdot r$ with $r$ odd (recall $k = ed - 1$) and compute
$g^{k},\ g^{k/2},\ g^{k/4},\ \dots,\ g^{k/2^t} = g^{r} \pmod N$.
The sequence reads $1, 1, 1, \dots, 1, x, \dots$; the first entry $x \ne 1$ satisfies $x^2 \equiv 1$, and if $x \ne -1$ it is a nontrivial square root of 1, so $\gcd(x - 1, N)$ is a factor. With probability at least 0.5 over the choice of $g$, some exponent of $g$ equals such an $x$; otherwise pick a new $g$ and repeat.
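The RSA setup from the "Bob's initialization" slide together with the (⇐) argument above, as an added example that is not from the lecture: a toy key pair is built from two constructed small primes (p = 61, q = 53, e = 17; these are illustration values, not a real key), exercised for encryption and signing, and then the Las Vegas procedure recovers p and q from nothing but ⟨N, e⟩ and d. Assumes Python 3.8+ for `pow(e, -1, m)`.

```python
# Added example (not from the slides): textbook RSA on small primes, then the
# Las Vegas factoring algorithm that turns a leaked d back into p and q.
import random
from math import gcd


def rsa_keypair(p, q, e):
    """Bob's initialization: N = pq, public e, secret d = e^-1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi)          # extended Euclid, via pow() in Python 3.8+
    return p * q, e, d


def encrypt(N, e, M):
    return pow(M, e, N)          # C = M^e mod N


def decrypt(N, d, C):
    return pow(C, d, N)          # C^d = M^(ed) = M mod N


def sign(N, d, M):
    return pow(M, d, N)          # S = M^d mod N (no hashing or padding here!)


def verify(N, e, M, S):
    return pow(S, e, N) == M % N


def factor_from_d(N, e, d, rng=random.Random(1), tries=200):
    """Given <N, e> and d, return {p, q}.

    k = ed - 1 is a multiple of phi(N), so g^k = 1 for every unit g. Starting
    from g^(k/2^t) and squaring, the last value before the sequence hits 1 is a
    square root of 1; if it is not -1, gcd(x - 1, N) is a proper factor.
    """
    k = e * d - 1
    t = 0
    while k % 2 == 0:            # k = 2^t * r with r odd
        k //= 2
        t += 1
    r = k
    for _ in range(tries):
        g = rng.randrange(2, N - 1)
        if gcd(g, N) != 1:       # lucky: g already shares a factor with N
            f = gcd(g, N)
            return {f, N // f}
        x = pow(g, r, N)         # g^(k/2^t); squaring t times reaches g^k = 1
        if x == 1 or x == N - 1:
            continue             # this g only passes through trivial roots
        for _ in range(t):
            y = x * x % N
            if y == 1:           # x^2 = 1 but x != +-1: nontrivial root of 1
                f = gcd(x - 1, N)
                return {f, N // f}
            x = y
            if x == N - 1:
                break            # reached -1, the trivial root; try another g
    raise RuntimeError("no factor found; increase tries")
```

Each random g succeeds with probability at least 1/2, so a couple of hundred attempts never fail in practice; the same routine is what makes the common-modulus setting on a later slide fatal, since any one user's d factors the shared N.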
![Page 19: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/19.jpg)
Computational attacks
1) No bit padding (common sense). Textbook RSA is deterministic, so a guessable message can be recognised from its ciphertext alone: build a codebook of candidate messages and match.
   C = 2347809AE8 => "Attack at midnight!"
   59820BCE84, 2347809AE8, 684930EFFF, …
2) p and q are too close. N = pq = p(p − c) => p² − cp − N = 0; for small c, solve using the quadratic formula!
   In general, bad when (for some constant k): $|p - q| < (\log p)^k$.
   (Fermat's factoring method, writing $N = a^2 - b^2$, pushes this much further: it finishes in a handful of steps whenever $|p - q|$ is on the order of $N^{1/4}$ or less.)
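The close-primes attack above, as an added example that is not from the lecture: first the slide's own approach (try small c and solve p² − cp − N = 0), then Fermat's method, which is the general form of the same idea. The moduli used (101·103 and 61·53) are constructed toy values.

```python
# Added example (not from the slides): factoring N when p and q are close.
from math import isqrt


def close_primes_quadratic(N, max_c):
    """Slide's method: try c = 0, 1, 2, ... and solve p^2 - c p - N = 0 over the integers."""
    for c in range(max_c + 1):
        disc = c * c + 4 * N              # discriminant of p^2 - c p - N
        s = isqrt(disc)
        if s * s == disc and (c + s) % 2 == 0:
            p = (c + s) // 2
            if p > 1 and N % p == 0:
                return p, N // p
    return None


def fermat_factor(N, max_steps=1_000_000):
    """Fermat: write N = a^2 - b^2 = (a - b)(a + b), starting at a = ceil(sqrt(N)).

    a increases by one per step, so the number of steps is about
    (p + q)/2 - sqrt(N) = (p - q)^2 / (8 sqrt(N)): tiny when |p - q| << N^(1/4).
    """
    if N % 2 == 0:
        return 2, N // 2
    a = isqrt(N)
    if a * a < N:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - N
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b               # (p, q) with p <= q
        a += 1
    return None                               # primes too far apart for this budget
```

The quadratic search is linear in c, so it only covers polynomially small gaps; Fermat's loop covers gaps up to roughly N^(1/4) in a few iterations, which is why key generators reject prime pairs whose top bits agree.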
![Page 20: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/20.jpg)
3) Netscape's bug: generating p, q from a predictable random number generator
A toy linear congruential generator, $x_{i+1} = 7 \cdot x_i \pmod{13}$, started at SEED = 8:
  SEED            8
  8·7 (mod 13)  = 4
  4·7 (mod 13)  = 2
  2·7 (mod 13)  = 1
  1·7 (mod 13)  = 7
  7·7 (mod 13)  = 10
  10·7 (mod 13) = 5
  … and these "random numbers" feed the search for q and p.
If we know SEED, we know p, q. (The real 1996 Netscape flaw, found by Goldberg and Wagner, seeded the SSL random number generator from the time of day and process ids, values an attacker can guess; the 13-element state space here is a cartoon of the same problem.)
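The seed-recovery attack the slide describes, as an added example that is not from the lecture: the toy generator $x_{i+1} = a \cdot x_i \bmod m$ with the slide's constants a = 7, m = 13, and an attacker who sees a few outputs and simply tries every seed. The generator parameters are the slide's; the observed outputs are constructed.

```python
# Added example (not from the slides): a small-state LCG and brute-force seed recovery.


def lcg(seed, a=7, m=13, count=6):
    """Outputs after `seed`: with the slide's constants, 8 -> 4, 2, 1, 7, 10, 5."""
    out, x = [], seed
    for _ in range(count):
        x = a * x % m
        out.append(x)
    return out


def recover_seed(observed, a=7, m=13):
    """Try every seed in Z_m and keep those that reproduce the observed outputs."""
    return [s for s in range(m) if lcg(s, a, m, len(observed)) == observed]


def predict(observed, a=7, m=13, count=3):
    """Once the seed is pinned down, the 'random' values used for p and q follow."""
    seeds = recover_seed(observed, a, m)
    if len(seeds) != 1:
        return None                        # ambiguous: need more observed outputs
    full = lcg(seeds[0], a, m, len(observed) + count)
    return full[len(observed):]
```

With m = 13 a single output already determines the seed; a real generator only changes the size of the loop, not its shape, which is why seeding from the clock or a pid is fatal.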
![Page 21: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/21.jpg)
4) p − 1 is the product of small primes ≤ B (Pollard '74)
$B! = 2 \cdot 3 \cdot 4 \cdot 5 \cdots B$, so if every prime power dividing $p - 1$ is small then $(p - 1) \mid B!$, say $B! = (p-1)k$:
$2^{B!} \equiv 2^{(p-1)k} \equiv 1 \pmod p$ (Fermat's little theorem, $\gcd(2, p) = 1$)
$\Rightarrow \gcd\!\left(2^{B!} - 1 \bmod N,\ N\right) = p$ (provided $(q-1) \nmid B!$; if the gcd comes out as $N$, retry with a smaller $B$ or another base).

5) Common modulus (Simmons):
Fix N for all users; different keys e and d.
Any user holding a pair $(e_i, d_i)$ can factor $N$ from $k = e_i d_i - 1$ (the Las Vegas argument above) and then compute every other user's $d_j$. Even an outsider who sees the same $M$ encrypted to two users with $\gcd(e_1, e_2) = 1$ recovers it: find $a e_1 + b e_2 = 1$ by Euclid, then $C_1^a C_2^b \equiv M^{a e_1 + b e_2} \equiv M \pmod N$.

Computational attacks
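Pollard's p − 1 method from item 4, as an added example that is not from the lecture. The modulus 1009·1103 is a constructed toy value: 1009 − 1 = 2⁴·3²·7 is 7-smooth, while 1103 − 1 = 2·19·29 is not, so a small B separates the two primes.

```python
# Added example (not from the slides): Pollard's p - 1 factoring method.
from math import gcd


def pollard_p_minus_1(N, B, base=2):
    """Return a factor of N if some prime p | N has (p - 1) | B!, else None."""
    a = base
    for i in range(2, B + 1):
        a = pow(a, i, N)             # a = base^(i!) mod N after this step
    g = gcd(a - 1, N)
    if 1 < g < N:
        return g
    return None                      # g == 1: B too small; g == N: both p-1 and q-1 smooth


def smooth_bound(p):
    """Smallest B with (p - 1) | B!: the B an attacker needs, so the defender must stay above it."""
    B, f = 1, 1
    while f % (p - 1) != 0:
        B += 1
        f *= B
    return B
```

`smooth_bound` is the check the "not 1 + product of small factors" advice on the last slide asks for; a real key generator instead checks that p − 1 has a large prime factor (or just picks primes large enough that a smooth p − 1 is astronomically unlikely).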
6) Blinding: get the advisor to sign an "innocent" $M' = r^e M \pmod N$, for an $r$ the student chooses:
$S' = (M')^d = (r^e M)^d = r^{ed} M^d \equiv r M^d \pmod N$
$\Rightarrow S = S' \cdot r^{-1} \equiv M^d \pmod N$: a signed thesis!
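The blinding trick from item 6 and the common-modulus attack from item 5, as one added example that is not from the lecture. The signing oracle, the "thesis" message and the key (p = 61, q = 53, e = 17, with a second user on the same N using e = 7) are all constructed toy values; assumes Python 3.8+ for `pow(x, -1, m)`.

```python
# Added example (not from the slides): blinding a signing oracle, and the
# common-modulus attack, on one small constructed key.
from math import gcd

P, Q = 61, 53                   # toy primes, not a real modulus
N = P * Q                       # 3233
PHI = (P - 1) * (Q - 1)
THESIS = 2000                   # the one message the advisor refuses to sign


def make_key(e):
    return e, pow(e, -1, PHI)


def advisor_signs(d, M):
    """Signing oracle: signs anything except the thesis (textbook RSA, no padding)."""
    if M == THESIS:
        raise PermissionError("not signing that")
    return pow(M, d, N)


def blinded_signature(e, d, M):
    """Student picks r, has r^e M signed, then divides r back out."""
    r = 7                       # any r with gcd(r, N) == 1; fixed here for reproducibility
    assert gcd(r, N) == 1
    M_blind = pow(r, e, N) * M % N
    S_blind = advisor_signs(d, M_blind)        # advisor sees only r^e M
    return S_blind * pow(r, -1, N) % N         # r^(ed) M^d / r = M^d


def common_modulus(e1, c1, e2, c2):
    """Same M encrypted under (e1, N) and (e2, N) with gcd(e1, e2) == 1 leaks M."""
    if gcd(e1, e2) != 1:
        raise ValueError("exponents must be coprime")
    a = pow(e1, -1, e2)         # a e1 = 1 (mod e2), so a e1 + b e2 = 1 with b <= 0
    b = (1 - a * e1) // e2
    c2_part = pow(pow(c2, -1, N), -b, N) if b < 0 else pow(c2, b, N)
    return pow(c1, a, N) * c2_part % N
```

The blinding works because textbook RSA is multiplicative; a signer that hashes and pads (PSS) before exponentiating does not give the student a usable S'. The common-modulus recovery needs no private key at all, which is why one N per user is a hard rule.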
![Page 22: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/22.jpg)
More computational attacks
7) Low private exponent d. Theorem (Wiener '90):
Assume $q < p < 2q$, $d < \frac{1}{3} N^{1/4}$ and $e < \varphi(N)$. Given $\langle N, e \rangle$, Marvin can recover $d$.
Proof sketch:
$ed \equiv 1 \pmod{\varphi(N)} \Rightarrow ed - k\varphi(N) = 1$
$\Rightarrow \left| \dfrac{e}{\varphi(N)} - \dfrac{k}{d} \right| = \dfrac{1}{d\,\varphi(N)}$
$\Rightarrow \left| \dfrac{e}{N} - \dfrac{k}{d} \right| \le \dfrac{3k}{d\sqrt N} < \dfrac{1}{2d^2}$ (using $N - \varphi(N) = p + q - 1 < 3\sqrt N$ and $k < d < \tfrac{1}{3}N^{1/4}$),
so $k/d$ is one of the convergents of the continued fraction expansion of $e/N$.
Running time: compute the convergents of the continued fraction in linear time!
Fixes: 1. use $e > N^{1.5}$ (then $k$ is too large for the bound to apply); 2. use CRT with a big $d$ and small $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$ if fast decryption is the goal.
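Wiener's attack carried out, as an added example that is not from the lecture. The vulnerable key is constructed from two toy primes and a deliberately tiny d = 31 chosen to meet the theorem's hypotheses (q < p < 2q, d < N^(1/4)/3, e < φ(N)); the attacker's function sees only ⟨N, e⟩. Assumes Python 3.8+ for `pow(d, -1, phi)`.

```python
# Added example (not from the slides): Wiener's continued-fraction attack.
from math import isqrt


def convergents(num, den):
    """Yield (h, k): numerators and denominators of the convergents of num/den."""
    h0, h1 = 0, 1
    k0, k1 = 1, 0
    while den:
        a, r = divmod(num, den)
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1
        num, den = den, r


def wiener_attack(N, e):
    """Recover (d, p, q) from the public key alone, or None if no convergent works."""
    for k, d in convergents(e, N):          # candidate k/d approximating e/N
        if k == 0:
            continue
        if (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k              # from e d - k phi = 1
        s = N - phi + 1                     # = p + q
        disc = s * s - 4 * N                # = (p - q)^2
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if p * q == N:
            return d, p, q
    return None


def make_weak_key(p, q, d):
    """Build the vulnerable key: e = d^-1 mod phi(N). Only (N, e) is handed to the attacker."""
    phi = (p - 1) * (q - 1)
    return p * q, pow(d, -1, phi)


def is_vulnerable_d(N, d):
    """Defender's check from the theorem: is 3 d < N^(1/4)?"""
    return 3 * d < isqrt(isqrt(N))
```

Each convergent costs one candidate φ(N) and one square-root test, so the whole attack is linear in the length of e; the fix the slide recommends (full-size d, small d_p and d_q for speed) keeps every convergent from satisfying the factorisation check.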
![Page 23: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/23.jpg)
Implementation Attacks
1. Timing attack (Kocher '96). Repeated squaring:
Long method: $2^{39} = 2 \cdot 2 \cdot 2 \cdots 2$ (38 multiplications).
Repeated squaring (39 = 100111 in binary):
$2^{32} = ((((2^2)^2)^2)^2)^2$ (five squarings give $2, 2^2, 2^4, 2^8, 2^{16}, 2^{32}$)
$2^{33} = 2 \cdot 2^{32}$
$2^{39} = 2 \cdot 2^2 \cdot 2^4 \cdot 2^{32}$ (one extra multiplication for each 1 bit of the exponent)
Computation time is correlated with the number of 1's in the exponent: the squarings are always performed, but the multiplications happen only for the 1 bits, so the running time of $M^d \bmod N$ leaks information about the secret $d$.
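The two exponentiation routines behind the timing attack, as an added example that is not from the lecture: the leaky square-and-multiply loop instrumented to count its operations (the multiply count equals the number of 1 bits, which is what timing reveals), beside a Montgomery ladder that performs the same operations for every bit. The operation counters are an illustration device; note that Python big-integer arithmetic is itself not constant-time, so the ladder shows the algorithmic fix only.

```python
# Added example (not from the slides): exponentiation with and without a
# data-dependent operation count.


def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation; returns (result, squarings, multiplies)."""
    result, squarings, multiplies = 1, 0, 0
    for bit in bin(exp)[2:]:                  # most significant bit first
        result = result * result % mod
        squarings += 1
        if bit == "1":
            result = result * base % mod      # extra work only for a 1 bit
            multiplies += 1
    return result, squarings, multiplies


def montgomery_ladder(base, exp, mod):
    """Same result, but one squaring and one multiply per bit regardless of its value.

    Invariant: r1 == r0 * base (mod mod) before and after every step.
    """
    r0, r1 = 1, base % mod
    ops = 0
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        else:
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        ops += 2
    return r0, ops
```

For exponents of equal length the ladder's count is fixed, while `square_and_multiply` separates 39 (four multiplies) from 32 (one); Kocher's attack turns such differences, measured over many signatures, into the bits of d one at a time.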
![Page 24: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/24.jpg)
2. Random faults (Boneh, DeMillo, Lipton '97)
A CRT implementation computes $x^y \pmod{pq}$ from the two halves $x^y \pmod p$ and $x^y \pmod q$ and recombines them.
Suppose a fault corrupts the mod-$p$ half while the mod-$q$ half is correct: the faulty result is $S' = x^y + \text{error} \cdot c_p \pmod{pq}$, where $c_p \equiv 1 \pmod p$, $c_p \equiv 0 \pmod q$ is the CRT coefficient. Then $S' - S \equiv 0 \pmod q$ but $\not\equiv 0 \pmod p$, so
$\gcd(\text{error} \cdot c_p,\ pq) = \gcd(S' - S,\ N) = q$.
One error thus leads to a factorization of $N$: the corrupted half gives away the other prime. (Marvin does not even need a correct $S$: $\gcd(S'^e - x, N)$ works the same way.) Two errors, one in each half, are ok for the victim: the difference is then a multiple of neither prime. The practical defence is to verify $S^e \equiv x \pmod N$ before releasing any CRT signature.
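The fault attack above, as an added example that is not from the lecture: RSA-CRT signing with a fault injected into the mod-p half, the gcd that recovers q from one faulty signature, the variant that needs no correct signature, and the verify-before-release countermeasure. The key (p = 61, q = 53, e = 17) is a constructed toy value; assumes Python 3.8+ for `pow(x, -1, m)`.

```python
# Added example (not from the slides): the Bellcore fault attack on RSA-CRT.
from math import gcd

P, Q = 61, 53                            # toy primes
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)        # CRT exponents
Q_INV = pow(Q, -1, P)                    # q^-1 mod p, for Garner's recombination


def crt_sign(M, fault_in_p=0):
    """S = M^D mod N via CRT; `fault_in_p` simulates a glitch in the mod-p half."""
    sp = (pow(M, DP, P) + fault_in_p) % P
    sq = pow(M, DQ, Q)
    h = Q_INV * (sp - sq) % P            # Garner: S = sq + q * h
    return sq + Q * h


def factor_from_faulty(S_good, S_bad):
    """gcd(S' - S, N): the mod-q halves agree, so the difference is a multiple of q."""
    return gcd(S_bad - S_good, N)


def factor_without_good_signature(M, S_bad):
    """Attacker holds only M and the faulty S': S'^e = M holds mod q but not mod p."""
    return gcd(pow(S_bad, E, N) - M, N)


def safe_sign(M, fault_in_p=0):
    """Countermeasure: re-verify; a faulty signature never leaves the device."""
    S = crt_sign(M, fault_in_p)
    if pow(S, E, N) != M % N:
        raise RuntimeError("signature self-check failed; withholding output")
    return S
```

Because gcd(e, p − 1) = 1 makes x ↦ x^e a bijection mod p, any nonzero error in the mod-p half is guaranteed to show up in the gcd; the verification step costs one public-exponent operation, cheap next to the signing itself.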
![Page 25: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/25.jpg)
Fancier attacks (mathematical basis)
Theorem (Coppersmith '97): Take $N$ and a monic polynomial $f(x)$ of degree $d$. Take $X = N^{1/d - \varepsilon}$ for some $\varepsilon \ge 0$. Given $\langle N, f \rangle$, Marvin can efficiently find all integers $|x_0| < X$ satisfying $f(x_0) \equiv 0 \pmod N$.
LLL: Let $L$ be a lattice spanned by $w$ basis vectors. Given these bases as input, LLL outputs $v \in L$ satisfying $\|v\| \le 2^{w/4} \det(L)^{1/w}$.
Lemma (Howgrave-Graham): Take a polynomial $h(x)$ of degree $d$ and a positive integer $X$. Suppose $\|h(xX)\| < N / \sqrt d$. If $|x_0| < X$ satisfies $h(x_0) \equiv 0 \pmod N$, then $h(x_0) = 0$ holds over the integers.
![Page 26: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/26.jpg)
Fancier attacks (low public exponent)
1. Hastad's Broadcast Attack '88
2. Franklin-Reiter Related Message Attack '96
3. Coppersmith's Short Pad Attack
4. Partial Key Exposure (BDF '98)
Theorem: For N = pq of size n bits, revealing the n/4 least-significant or the n/4 most-significant bits of p is enough to factor N efficiently (Coppersmith). Boneh, Durfee and Frankel ('98) carry this over to the private key: for small e, the n/4 least-significant bits of d suffice to reconstruct all of d.
![Page 27: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/27.jpg)
How to build a safe RSA cryptosystem (as of 2000)
1. Use long, random padding of messages (today that means a standardised scheme such as OAEP for encryption and PSS for signatures, not an ad hoc pad).
2. Use a large secret key d (256 bits, i.e. above Wiener's $N^{1/4}$ bound for a 1024-bit N; in practice d = e^{-1} mod φ(N) with e = 65,537 is essentially always full size).
3. Use a large public key e (65,537 is recommended).
4. Use primes p, q that are not too close and not 1 + a product of small factors.
5. Do not reveal any part of your key.
6. Against the implementation attacks above: exponentiate in constant time and verify every CRT signature before releasing it.
![Page 28: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/28.jpg)
References • Twenty Years of Attacks on the RSA Cryptosystem by Dan Boneh, Notices of the AMS, February 1999.
• Cryptography: Theory and Practice by Douglas R. Stinson, CRC Press, 1995.
• Cryptanalysis of Short RSA Secret Exponents by Michael J. Wiener, IEEE Transactions on Information Theory, May 1990.
• Sphere Packings, Lattices and Groups by J.H. Conway and N.J.A. Sloane, Springer-Verlag 1993.
![Page 29: Crypto lecture PDF](https://reader034.fdocuments.us/reader034/viewer/2022042716/55a8b8a21a28ab61288b462d/html5/thumbnails/29.jpg)