How to fake an RSA signature by encoding modular root finding as a SAT problem
By Claudia Fiorini, Enrico Martinelli, Fabio Massacci
Discrete Applied Mathematics 130 (2003) 101-127
Presented by Yunho Kim, Provable Software Lab, KAIST

Contents
Introduction
Logical cryptanalysis of RSA
Encoding modular exponentiation into SAT
Experimental analysis

Introduction: Cryptography
Cryptography is the practice and study of hiding information
Cryptography consists of two parts, encryption and decryption
Encryption is the process of converting plaintext into unintelligible text, and decryption is the reverse
The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key
There are two types of cryptography
  Symmetric-key cryptography
  Asymmetric-key cryptography
From Wikipedia http://en.wikipedia.org/wiki/Cryptography

Introduction: Symmetric-key
Symmetric-key cryptography uses identical cryptographic keys for both decryption and encryption
Plaintext -> Encryption algorithm (Secret key) -> Ciphertext
Ciphertext -> Decryption algorithm (Secret key) -> Plaintext
Identical keys

Introduction: Asymmetric-key
Asymmetric-key cryptography uses different cryptographic keys for decryption and encryption
Plaintext -> Encryption algorithm (Encryption key) -> Ciphertext
Ciphertext -> Decryption algorithm (Decryption key) -> Plaintext
Different keys

Introduction: RSA
RSA is an algorithm for asymmetric cryptography developed by Ron Rivest, Adi Shamir and Leonard Adleman in 1977.
RSA consists of a cipher algorithm for encryption and decryption and a key generation algorithm
The key generation algorithm generates a public key and a private key
The public key should be distributed to others but the private key must be kept secret

Introduction: RSA key generation
RSA key generation algorithm
1. Choose two distinct large random prime numbers p and q
2. Compute n = pq
3. Compute the totient: $\varphi(n) = (p - 1)(q - 1)$, where n is the product of the two primes p and q
4. Choose an integer e such that $1 < e < \varphi(n)$, and e and $\varphi(n)$ are coprime
5. Compute d to satisfy the congruence relation $de \equiv 1 \pmod{\varphi(n)}$; i.e. $de = 1 + k\varphi(n)$ for some integer k
6. <n, e> is the public key and <n, d> is the private key
The totient $\varphi(n)$ of a positive integer n is defined to be the number of positive integers less than or equal to n that are coprime to n
RSA cipher algorithms
Let m < n be the original message
Encryption: $c = m^d \bmod n$
Decryption: $m = c^e \bmod n$

Introduction: RSA example
1. Choose two distinct large random prime numbers p and q
   p = 61 and q = 53
2. Compute n = pq
   n = 61 * 53 = 3233
3. Compute the totient: $\varphi(n) = (p - 1)(q - 1)$
   $\varphi(n) = (61 - 1)(53 - 1) = 3120$
4. Choose an integer e such that $1 < e < \varphi(n)$, and e and $\varphi(n)$ are coprime
   e = 17
5. Compute d to satisfy the congruence relation $de \equiv 1 \pmod{\varphi(n)}$; i.e. $de = 1 + k\varphi(n)$ for some integer k
   d = 2753, 17 * 2753 = 46801 = 1 + 15 * 3120
6. <3233, 17> is the public key and <3233, 2753> is the private key
$c = 123^{2753} \bmod 3233 = 2746$
$m = 2746^{17} \bmod 3233 = 123$

Logical cryptanalysis: overview
Circuit description: Plaintext P, Secret key K -> Ciphertext C
Constraints: Known plaintext + Known ciphertext + Exposed variables
Logical analysis / Implication engine (Theorem prover, Satisfiability solver, ...) -> Secret key
From slides of Nachiketh Potlapally http://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18

Logical cryptanalysis: SAT-based analysis
Cryptographic algorithm (Plaintext P, Secret key K, Ciphertext C) -> CNF conversion -> CNF formula Ψ(P, C, K) = (z+x+y) (z+x+y) (z+x) (z+y) (z+x+y) ...
Constraints: set plaintext and ciphertext values in Ψ(P, C, K)
Constraints: set values of exposed variables in Ψ(P, C, K)
SAT solver -> K = 110..1 (consistent with the values set), or Timeout
From slides of Nachiketh Potlapally http://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18

Logical cryptanalysis: logical analysis of RSA
For a symmetric cipher, the choice of the cryptographic transformation is almost obvious
  It uses deterministic algorithms for encryption and decryption
  The only unknown variable is the key
For RSA, we have three known values e, n and m and a number of equations to choose from
  n = pq
  $c = m^d \bmod n$
  $m = c^e \bmod n$
What is a suitable equation for SAT-based analysis?

Logical cryptanalysis: logical analysis of RSA
The first possible choice: n = pq
  If we can factorize n into two primes, we can generate a private key from p and q
  However, the algorithm for integer factorization has sub-exponential time and space complexity $O(2^{(\log N)^{1/3}})$
  Also, factoring represented as a SAT problem is hard to solve
The second possible choice: $c = m^d \bmod n$
  Since we know only m and n, it has two unknown variables, c and d
  For example, if we set <55, 3> as the public key and 9 as the message: $16 = 9^4 \bmod 55$ but $9 \neq 16^3 \bmod 55 = 26$

Logical cryptanalysis: logical analysis of RSA
The last possible choice: $m = c^e \bmod n$
  For given e, n, m, we can find the ciphertext c encrypted with some private key <n, d> without knowing it
  We cannot decrypt the ciphertext encrypted with d but we can generate the ciphertext encrypted with d
Modular exponentiation is reduced to a sequence of modular multiplications
  $m_0 = 1, \quad m_{i+1} = (m_i^2 + e_i \cdot c) \bmod n$
  The desired value m is obtained at $m_{\lfloor \log e \rfloor + 1}$

Logical cryptanalysis: logical analysis of RSA
Example of a sequence of modular multiplications
  $m_0 = 1, \quad m_{i+1} = (m_i^2 + e_i \cdot c) \bmod n$
  The desired value m is obtained at $m_{\lfloor \log e \rfloor + 1}$
Let $e = 3 = 11_{(2)}$, c = 4, n = 35 = 5 * 7
  $m = c^e \bmod n = 4^3 \bmod 35 = 64 \bmod 35 = 29$
  $m_0 = 1$
  $m_1 = (1 + 1 \cdot 4) \bmod 35 = 5$
  $m_2 = (25 + 1 \cdot 4) \bmod 35 = 29$

Logical cryptanalysis: Encoding problem
The last choice: $m = c^e \bmod n$
  For given e, n, m, we can find the ciphertext c encrypted with some private key <n, d> without knowing it
  We cannot decrypt the ciphertext encrypted with d but we can generate the ciphertext encrypted with d
Modular exponentiation is reduced to a sequence of modular multiplications

Encoding
The size of the problem would become huge even for a small number of bits
  If we use the best possible multipliers, whose gate complexity is $O((\log_2 n)(\log_2(\log_2 n)))$, the encoding of RSA with 100 bits would require over 100,000 formulae.
For simplicity, we choose the value e = 3
  $m = (((c \cdot c) \bmod n) \cdot c) \bmod n$
We need a more efficient encoding of modular multiplications

Encoding: The basic intuition
Let x, y be two 2b-bit integers
  $\pi = (x \cdot y) \bmod n = x \cdot y - k \cdot n$ where $k = \lfloor (x \cdot y)/n \rfloor$
Division is a complex operation and it is simpler to compute an approximate value of k and then subtract the error.

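The decomposition above, worked through for the e = 3 case as an added example (not code from the paper or the slides): each modular product is replaced by the integer equation x·y = k·n + π with 0 ≤ π < n, which is the kind of constraint a bit-level encoding has to express. The Barrett-style fixed-point reciprocal used to approximate k, and all function names, are assumptions of this sketch.

```python
# Added illustration; the names and the Barrett-style approximation of k are
# assumptions of this sketch, not the encoding used in the paper.

def mulmod_witness(x, y, n):
    """Return (k, pi, fixes) with x*y == k*n + pi and 0 <= pi < n.

    k is first approximated with a precomputed fixed-point reciprocal of n
    (no division by n per product), then the approximation error is subtracted.
    """
    assert 0 <= x < n and 0 <= y < n
    b = n.bit_length()
    mu = (1 << (2 * b)) // n      # computed once per modulus
    z = x * y
    k = (z * mu) >> (2 * b)       # approximate quotient, never too large
    pi = z - k * n
    fixes = 0
    while pi >= n:                # subtract the error left by the approximation
        pi -= n
        k += 1
        fixes += 1
    return k, pi, fixes


def cube_witness(c, n):
    """Witness values for m = (((c*c) mod n) * c) mod n, the e = 3 case."""
    k1, r, _ = mulmod_witness(c, c, n)
    k2, m, _ = mulmod_witness(r, c, n)
    return {"c": c, "k1": k1, "r": r, "k2": k2, "m": m}


def satisfies(w, m, n):
    """Check the integer constraints that stand in for the two mod operations."""
    return (w["c"] * w["c"] == w["k1"] * n + w["r"] and 0 <= w["r"] < n
            and w["r"] * w["c"] == w["k2"] * n + m and 0 <= m < n)


if __name__ == "__main__":
    n, c = 35, 4                  # values from the slides' e = 3 example
    w = cube_witness(c, n)
    print(w, satisfies(w, w["m"], n))
```

In a SAT encoding c, k1, r and k2 become vectors of unknown bits while m and n are fixed, and `satisfies` is the relation the clauses have to enforce.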
Experiments
Generating satisfiable instances
1. Randomly generate a public key <n, e> and signature c
2. Compute $m = c^e \bmod n$
3. Transform m, n, e into the corresponding boolean values
4. Find a model for c using a SAT solver
Generating unsatisfiable instances
1. Randomly generate a public key <n, e> and signature c where e violates the RSA definition
   e divides either p - 1 or q - 1 if n = pq
3. Transform m, e, n into the corresponding boolean values

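The two instance classes above, as an added example that is not from the paper or the slides: for toy moduli the e-th roots of m can be enumerated directly, which shows that a valid e gives exactly one root per message while an e dividing p - 1 or q - 1 leaves some messages with no root at all. Function names are assumptions; the moduli 55 and 35 with e = 3 are the ones used on the earlier slides, and n = 35 falls in the second class because 3 divides 7 - 1.

```python
# Added illustration with toy moduli; exhaustive search stands in for the SAT
# solver, and all function names are assumptions of this sketch.
from math import gcd


def e_is_valid(p, q, e):
    """RSA requires e to be coprime to the totient (p - 1)(q - 1)."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def roots(m, e, n):
    """All c in [0, n) with c^e mod n == m, i.e. the models of the instance."""
    return [c for c in range(n) if pow(c, e, n) == m]


def classify(p, q, e):
    """Map 'number of e-th roots' to how many messages m in [0, n) have it."""
    n = p * q
    counts = {}
    for m in range(n):
        k = len(roots(m, e, n))
        counts[k] = counts.get(k, 0) + 1
    return counts


def satisfiable_instance(p, q, e, c):
    """Steps 1-2 of the satisfiable recipe: fix c, publish m = c^e mod n."""
    n = p * q
    return {"n": n, "e": e, "m": pow(c, e, n)}


if __name__ == "__main__":
    # Valid key <55, 3>: every message has exactly one cube root.
    print(e_is_valid(5, 11, 3), classify(5, 11, 3))
    # e = 3 divides q - 1 = 6 for n = 35: most messages have no cube root,
    # and the ones that do may have several.
    print(e_is_valid(5, 7, 3), classify(5, 7, 3))
    print(roots(29, 3, 35), roots(2, 3, 35))
```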
Experiments
Three SAT solvers are used
  HeerHugo is a SAT solver based on Stålmarck's algorithm
  eqsatz is a variant of DPLL which includes equational reasoning for XOR
  smodels is an efficient DPLL implementation with stable model semantics of logic programs
Three machines are used
  Alpha with 256MB memory
  PII with 64MB memory
  PIII with 512 memory
All machines run Linux

Conclusion
The authors show how to encode the problem of finding an RSA signature for a given message without factoring
The experiments on SAT solvers show that SAT solvers are well behind number theoretic algorithms

Reference
Claudia Fiorini, Enrico Martinelli, Fabio Massacci. How to fake an RSA signature by encoding modular root finding as a SAT problem. Discrete Applied Mathematics 130 (2003) 101-127