Presentation is loading. Please wait.

Presentation is loading. Please wait.

Simple Backdoors for RSA Key Generation Scott Dial.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Simple Backdoors for RSA Key Generation Scott Dial."— Presentation transcript:

1 Simple Backdoors for RSA Key Generation Scott Dial

2 Overview  Some Necessary Theorems  The Scenario  Four Methods  Conclusions

3 Important Notation  |n| represents the magnitude of n in bits  |240| = |11110000b| = 8  n:m represents the concatenation of n and m in there respective order  1011:0101 = 10110101  n  m represents the m MSBs of n  n  m represent the m LSBs of n

4 Wiener’s Method  Suppose we are given (n, e), and d < 4 √(n)/3, then we can compute the whole of d and factor n in poly(|n|).  Loosely |d| < |n|/4

5 Coppersmith’s Method  Suppose we are given (n, e) and |n|/4 bits of p, then we can factor n in poly(|n|).

6 Theorem 1 [Boneh]   Let t be an integer in the range [|n|/4,..., |n|/2] and e be a prime in the range [2 t, …, 2 t+1 ]. Suppose we are given (n, e), and the t most significant bits of d. Then we can compute the whole of d and factor n in time poly(|n|).

7 Theorem 2 [Boneh]   Let t be an integer in the range [1, …, |n|/2] and e be an integer in the range [2 t, …, 2 t+1 ]. Suppose we are given (n, e), the t most significant bits of d, and the |n|/4 least significant bits of d. Then we can factor n in time poly(|n|).

8 Theorem 3 [Slakmon]   Let t be an integer in the range [1, …, |n - Φ(n)|] and d be an integer in the range [1, …, 2 |n - Φ(n)| - t/2 ]. Suppose we are given (n, e), and the |n - Φ(n)| - t most significant bits of n - Φ(n). Then we can factor n in time poly(|n|).

9 The Scenario (Users)  A Black-Box  No Knowledge of The Generation  Produces tuples (p, q, e, d)  The Challenge  Distinguish Good Keys From Bad Keys  External Analysis Only

10 The Scenario (Creators)  Generate RSA tuples (p, q, e, d)  Through (n, e) volunteer enough information to apply partial knowledge factoring on n  Create a backdoor discretely  Indistinguishable subliminal channel

11 A Backdoor  Let β be a backdoor key  Let π β be a permutation of odd integers smaller than n to themselves  Several Choices  Advantages/Disadvantages

12 The RSA Algorithm  1: Generate random primes p and q, n := pq, a k bit integer.  2: Generate a random odd e such that |e| < k  3: Goto 2 until gcd(e, Φ(n)) = 1  4: Compute d := e -1 mod Φ(n)  5: Return (p, q, d, e)

13 Algorithm 1 (RSA-HSD β )  1: Generate random primes p and q, n := pq, a k bit integer  2: Generate a random odd δ such that gcd(δ, Φ(n)) = 1 and |δ| < k/4  3: Compute ε = δ -1 mod Φ(n), e := π β (ε)  4: Goto 2 until gcd(e, Φ(n)) = 1  5: Compute d := e -1 mod Φ(n)  6: Return (p, q, d, e)

14 Attack 1 (RSA-HSD β )  1: Given (n, e), compute ε = π β -1 (e)  2: Compute δ from (n, ε) using Wiener’s low exponent attack  3: Given (ε, δ) factor n as p, q  4: Return (p, q)

15 Algorithm 2 (RSA-HSPE β )  1: Generate random primes p and q, n := pq, a k bit integer.  2: Generate a random prime ε such that gcd(ε, Φ(n)) = 1 and |ε| = k/4  3: Compute δ := ε -1 mod Φ(n), δ H := δ  k/4, e := π β (δ H :ε)  4: Goto 2 until gcd(ε, Φ(n)) = 1  5: Compute d := e -1 mod Φ(n)  6 : return (p, q, d, e)

16 Attack 2 (RSA-HSPE β )  1: Given (n, e), compute (δ H :ε) := π β -1 (e)  2: Compute δ from (n, δ H, ε) using BDF low public prime exponent attack (Theorem 1) with partial knowledge of private exponent.  3: Given (ε, δ) factor n as p,q.  4: return (p, q)

17 Algorithm 3 (RSA-HSE β )  1: Generate random primes p and q, n := pq, a k bit integer  2: Generate a random ε such that gcd(ε, Φ(n)) = 1 and |ε| = t  3: Compute δ := ε -1 mod Φ(n), δ H := δ  t, δ L := δ  k/4, e := π β (δ H :δ L :ε)  4: Goto 2 until gcd(e, Φ(n)) = 1  5: Compute d := e -1 mod Φ(n)  6: Return (p, q, d, e)

18 Attack 3 (RSA-HSE β )  1: Given (n, e), compute (δ H :δ L :ε) := π β -1 (e)  2: Compute δ from (n, δ H, δ L, ε) using BDF low public exponent attack (Theorem 2) with partial knowledge of private exponent.  3: Given (ε, δ) factor n as p, q  4: Return (p, q)

19 Choice of π β  π β (x) = x  (2β)  |x|  π β (x) = DES β (x)  π β (x) = AES β (x)  π β (x) = x -1 mod β  π β (x) = (x + 2β) mod (n + 1)  π β (x) = ((2α + 1)x + 2β) mod (n + 1 - 2m)

20 Some Problems  Relies on choosing specific exponents from specific subsets.  Restrictive forced subsets foil easily  S = {d | gcd(d, Φ(n)) = 1 and d = (x:x)}  Indistinguishability

21 Algorithm 4 (RSA-HP β(e) )  1: Pick a random prime p of appropriate size, such that gcd(e, p - 1) = 1  2: Pick a random odd q` of appropriate size, set n` := pq`, a k bit integer.  3: Compute τ := n`  k/8, μ := π β (p  k/4 ), and λ := n`  5k/8  4: Set n := (τ:μ:λ) and q :=  n/p  + (1  1)/2 so that it is odd  5: While gcd(e, q – 1) > 1 or q is composite do:  Pick a random even m such that |m| = k/8, q := q  m and n := pq  6: Compute d := e -1 mod Φ(n)  7: Return (p, q, d, e)

22 Attack 4 (RSA-HP β )  1: Given n, compute p  k/4 := π β -1 (n  3k/8  k/4 )  2: Factor n as p,q using Coppersmith’s partial information attack.  3: Return (p, q)

23 Problems And A New π β  π β (x) = x  (2β)  |x|  (n`  n)  3k/8  k/4 = (p`  p)  k/4  π β (x) = x -1 mod β  n  3k/8  k/4 p  k/4 - 1 is a multiple of β  New Permutations  π β,μ (x) = (x  (2μ)  |x| ) -1 mod β  π β,μ (x) = (x -1 mod β)  (2μ)  |β|

24 Conclusions  Potentially impossible to distinguish backdoored RSA key tuples  Never trust key tuples provided to you  The extra backdoor could potentially weaken the RSA key tuples

25 A Challenge  http://crypto.cs.mcgill.ca/~crepeau/RSA/ http://crypto.cs.mcgill.ca/~crepeau/RSA/  RSA-HSE, π β (x) = x  β  Distinguish broken keys from real RSA keys  Determine the backdoor key

26 References   D. Boneh and G. Durfee, Cryptanalysis of rsa with private key d less than n 0.292, Information Theory, IEEE Transactions on, 46 (2000), pp. 1339-1349.  C. Crépeau and A. Slakmon, Simple backdoors for RSA key generation, http://crypto.cs.mcgill.ca/~crepeau/PDF/CS02.pdf, 18 Oct 2002. http://crypto.cs.mcgill.ca/~crepeau/PDF/CS02.pdf   D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, in Advances in Cryptology - EuroCrypt '96, U. Maurer, ed., Berlin, 1996, Springer-Verlag, pp. 178-189. Lecture Notes in Computer Science Volume 1070.

Download ppt "Simple Backdoors for RSA Key Generation Scott Dial."

Similar presentations

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.
CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.
Data encryption with big prime numbers

Data encryption with big prime numbers
Public Key Encryption Algorithm

Public Key Encryption Algorithm
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
7. Asymmetric encryption-

7. Asymmetric encryption-
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
The Algebra of Encryption CS 6910 Semester Research and Project University of Colorado at Colorado Springs By Cliff McCullough 20 July 2011.

The Algebra of Encryption CS 6910 Semester Research and Project University of Colorado at Colorado Springs By Cliff McCullough 20 July 2011.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.

1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.
Cryptography & Number Theory

Cryptography & Number Theory
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.

Dr.Saleem Al_Zoubi1 Cryptography and Network Security Third Edition by William Stallings Public Key Cryptography and RSA.
Shor’s Algorithm Osama Awwad Department of Computer Science Western Michigan University July 12, 2015.

Shor’s Algorithm Osama Awwad Department of Computer Science Western Michigan University July 12, 2015.
8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.

8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.

Similar presentations

Ads by Google