cryptanalysis of rsa variants and implicit factorization
play

Cryptanalysis of RSA Variants and Implicit Factorization Santanu - PowerPoint PPT Presentation

Sep 17, 2022 •227 likes •773 views

Cryptanalysis of RSA Variants and Implicit Factorization Santanu Sarkar August 20, 2013 Outline of the Talk RSA Cryptosystem Lattice based Root Finding of Polynomials Common Prime RSA Dual RSA Prime Power RSA Implicit Factorization

  1. Cryptanalysis of RSA Variants and Implicit Factorization Santanu Sarkar August 20, 2013

  2. Outline of the Talk RSA Cryptosystem Lattice based Root Finding of Polynomials Common Prime RSA Dual RSA Prime Power RSA Implicit Factorization CRT-RSA having Low Hamming Weight Decryption Exponents Conclusion

  3. The RSA Public Key Cryptosystem ◮ Invented by Rivest, Shamir and Adleman in 1977. ◮ Most businesses, banks, and even governments use RSA to encrypt their private information.

  4. RSA in a Nutshell Key Generation Algorithm ◮ Choose primes p , q ◮ Construct modulus N = pq , and φ ( N ) = ( p − 1)( q − 1) ◮ Set e , d such that d = e − 1 mod φ ( N ) ◮ Public key: ( N , e ) and Private key: d Encryption Algorithm: C = M e mod N Decryption Algorithm: M = C d mod N

  5. Example ◮ Primes: p = 653 , q = 877 ◮ Then N = pq = 572681, φ ( N ) = ( p − 1)( q − 1) = 571152 ◮ Take Public Exponent e = 13 ◮ Note 13 × 395413 ≡ 1 (mod 571152) ◮ Private exponent d = 395413 ◮ Plaintext m = 12345 ◮ Ciphertext c = 12345 13 mod 572681 = 536754

  6. Practical Example Example p = 846599862936164736402988177812099956013778770876315707836731563770 5880893839981848305923857095440391598629588811166856664047346930517527 891174871536167839, q = 121764346862040688467973181827710403396896519724618922933494273650 3033910096582171197571988374294918003138669675396892122967962313235346 8174200136260738213, N = 10308567936391526757875542896033316178883861174865735387244345263 7137208314161521669308869345882336991188745907630491004512656603926295 3518502967942206721243236328408403417100233192004322468033366480788753 9303481101449158308722791555032457532325542013658355061619621556208246 3591629130621212947471071208931707, e = 2 16 + 1 = 65537, and d = 101956309423526004076893177133219940094766772585504692321252302615 1120238295258506352584280960487541607315458593878388760777253827593350 0788233193317652234750616708162985718345962209115090210535366860135950 1135207708372912478251719497009548072271475262211661830196811724409660 406447291034092315494830924578345.

  7. Factorization Methods “The problem of distinguishing prime numbers from composites, and of resolving composite numbers into their prime factors, is one of the most important and useful in all of arithmetic.” – Carl Friedrich Gauss ◮ Pollard’s p − 1 algorithm (1974) ◮ Dixon’s Random Squares Algorithm (1981) ◮ Quadratic Sieve (QS): Pomerance (1981) ◮ Williams’ p + 1 method (1982) ◮ Elliptic Curve Method (ECM): H. W. Lenstra (1987) ◮ Number Field Sieve (NFS): A. K. Lenstra et al.(1993)

  8. Lattice Lattice based Root Finding of Polynomials

  9. Finding roots of a polynomial Univariate Integer Polynomial ◮ f ( x ) ∈ Z [ x ] with root x 0 ∈ Z efficient methods available Multivariate Integer Polynomial ◮ f ( x , y ) ∈ Z [ x , y ] with root ( x 0 , y 0 ) ∈ Z × Z not efficient Univariate Modular Polynomial ◮ f ( x ) ∈ Z N [ x ] with root x 0 ∈ Z N not efficient Hilbert’s tenth Problem: 1900

  10. Finding roots of a polynomial Univariate Integer Polynomial ◮ f ( x ) ∈ Z [ x ] with root x 0 ∈ Z efficient methods available Multivariate Integer Polynomial ◮ f ( x , y ) ∈ Z [ x , y ] with root ( x 0 , y 0 ) ∈ Z × Z not efficient Univariate Modular Polynomial ◮ f ( x ) ∈ Z N [ x ] with root x 0 ∈ Z N not efficient Hilbert’s tenth Problem: 1900 Lattice based techniques help in some cases.

  11. Lattice Definition (Lattice) Let v 1 , . . . , v n ∈ Z m ( m ≥ n ) be n linearly independent vectors. A lattice L spanned by { v 1 , . . . , v n } is the set of all integer linear combinations of v 1 , . . . , v n . That is, � � n � v ∈ Z m | v = L = a i v i with a i ∈ Z . i =1 n � || v i ∗ || . The determinant of L is defined as det( L ) = i =1 Example Consider two vectors v 1 = (1 , 2) , v 2 = (3 , 4). The lattice L generated by v 1 , v 2 is L = { v ∈ Z 2 | v = a 1 v 1 + a 2 v 2 with a 1 , a 2 ∈ Z } .

  12. LLL Algorithm Devised by A. Lenstra, H. Lenstra and L. Lov´ asz (Mathematische Annalen 1982) Main goal: Reduce a lattice basis in a certain way to produce a ‘short (bounded)’ and ‘nearly orthogonal’ basis called the LLL-reduced basis.

  13. Connecting LLL to Root finding The clue was provided by Nick Howgrave-Graham in 1997. Theorem Let h ( x ) ∈ Z [ x ] be an integer polynomial with n monomials. Let for a positive integer m, || h ( xX ) || < N m (mod N m ) with | x 0 | < X √ n . h ( x 0 ) ≡ 0 and Then, h ( x 0 ) = 0 holds over integers.

  14. Connecting LLL to Root finding Main idea: We can transform a modular polynomial h ( x ) to an integer polynomial while preserving the root x 0 , subject to certain size constraints. 1 n < N m . We need roughly det( L )

  15. RSA Variants ◮ Multi Prime RSA ◮ Twin RSA ◮ Common Prime RSA ◮ Dual RSA ◮ Prime Power RSA ◮ CRT-RSA

  16. Common Prime RSA

  17. Common Prime RSA ◮ Primes: p − 1 = 2 ga and q − 1 = 2 gb ◮ RSA modulus: N = pq ◮ ed ≡ 1 mod 2 gab

  18. Common Prime RSA ◮ Primes: p − 1 = 2 ga and q − 1 = 2 gb ◮ RSA modulus: N = pq ◮ ed ≡ 1 mod 2 gab Existing results: ◮ Hinek: CT-RSA 2006 ◮ Jochemsz and May: Asiacrypt 2006

  19. Sarkar and Maitra: DCC 2013 1. Let g ≈ N γ and p , q be of same bit size 2. e ≈ N 1 − γ and d ≈ N β Theorem N can be factored in polynomial time if 2 + γ 2 β < 1 4 − γ 2 .

  20. Proof ◮ We have ed ≡ 1 mod 2 gab . ◮ So ed = 1 + 2 kgab . ◮ ed = 1 + k ( p − 1)( q − 1) . 2 g ◮ 2 edg = 2 g + k ( p − 1)( q − 1) ⇒ 2 edg = 2 g + k ( N +1 − p − q ) ◮ Root ( x 0 , y 0 ) = (2 g + k (1 − p − q ) , k ) of the polynomial f ( x , y ) = x + yN in Z ge ◮ Note g divides N − 1 as p = 1 + 2 ga and q = 1 + 2 gb ◮ Let c = N − 1

  21. Proof For integers m , t ≥ 0, we define following sets of polynomials: x j f i ( x , y ) e m − i c max { 0 , t − i } g i ( x , y ) = where i = 0 , . . . , m , j = m − i . Note that g i ( x 0 , y 0 ) ≡ 0 mod ( e m g t ). Dimension of the lattice L is ω = m + 1

  22. Proof ◮ Condition: det( L ) < e m ω g t ω m 2+ m t 2+ t ◮ Here det( L ) = ( XYe ) c 2 2

  23. Dual RSA

  24. Dual RSA Proposed by H.-M. Sun, M.-E. Wu, W.-C. Ting, and M.J. Hinek [IEEE-IT, August 2007] ◮ Two different RSA moduli N 1 = p 1 q 1 , N 2 = p 2 q 2 ◮ Same pair of keys e and d such that ed ≡ 1 mod φ ( N 1 ) ed ≡ 1 mod φ ( N 2 ) Applications: blind signatures, authentication/secrecy etc.

  25. Dual CRT-RSA Motivation: CRT-RSA is faster than RSA Sun et al. proposed a CRT variant of Dual RSA. Dual CRT-RSA: ◮ Two different RSA moduli N 1 = p 1 q 1 , N 2 = p 2 q 2 ◮ Same set of keys e and d p , d q such that ed p ≡ 1 mod ( p 1 − 1) ed p ≡ 1 mod ( p 2 − 1) ed q ≡ 1 mod ( q 1 − 1) ed q ≡ 1 mod ( q 2 − 1)

  26. Cryptanalysis of Dual CRT-RSA Sarkar and Maitra: DCC 2013 Theorem Let N 1 , N 2 be the public moduli of Dual CRT-RSA and suppose e = N α , d p , d q < N δ . Then, for α > 1 4 , one can factor N 1 , N 2 in poly (log N ) time when δ < 1 − α − ǫ 2 for some arbitrarily small positive number ǫ > 0 .

  27. Sketch of the proof Note the following: ◮ ed p ≡ 1 mod ( p 1 − 1) ⇔ ed p − 1 + k p 1 = k p 1 p 1 ◮ ed q ≡ 1 mod ( q 1 − 1) ⇔ ed q − 1 + k q 1 = k q 1 q 1 Combining these two relations: ( ed p − 1 + k p 1 ) ( ed q − 1 + k q 1 ) = k p 1 k q 1 N 1

  28. Sketch of the proof This in turn gives us: e 2 y 1 + ey 2 + y 3 = ( N 1 − 1) k p 1 k q 1 e 2 y 1 + ey 4 + y 5 = ( N 2 − 1) k p 2 k q 2 where we have y 1 = d p d q , y 2 = d p ( k p 1 − 1) + d q ( k q 1 − 1), y 3 = 1 − k p 1 − k q 1 , y 4 = d p ( k p 2 − 1) + d q ( k q 2 − 1), y 5 = 1 − k p 2 − k q 2 .

  29. Sketch of the proof Consider the polynomial f ( X , Y , Z ) = e 2 X + eY + Z to obtain: f ( y 1 , y 2 , y 3 ) ≡ 0 (mod N 1 − 1) f ( y 1 , y 4 , y 5 ) ≡ 0 (mod N 2 − 1)

  30. Sketch of the proof Combine the two modular equations to obtain G such that G ( y 1 , y 2 , y 3 , y 4 , y 5 ) ≡ 0 (mod ( N 1 − 1)( N 2 − 1)) where G ( x 1 , x 2 , x 3 , x 4 , x 5 ) = x 1 + b 2 x 2 + b 3 x 3 + b 4 x 4 + b 5 x 5 We prove that one can find the root ( y 1 , y 2 , y 3 , y 4 , y 5 ) of G if δ < 1 − α − ǫ 2

  31. Prime Power RSA

  32. Prime Power RSA ◮ RSA modulus N is of the form N = p r q where r ≥ 2 ◮ An electronic cash scheme using the modulus N = p 2 q : Fujioka, Okamoto and Miyaguchi (Eurocrypt 1991). 1 r +1 fraction of MSBs of p ⇒ polynomial time factorization: ◮ Boneh, Durfee and Howgrave-Graham (Crypto 1999)

  33. Prime Power RSA 1 2( r +1) : Takagi (Crypto 1998) ◮ d ≤ N r ( r +1)2 or d < N ( r − 1 r +1 ) 2 : May (PKC 2004) ◮ d < N 9 } = N ◮ When r = 2, N max { 2 9 , 1 2 9 ≈ N 0 . 22 .

  34. Sarkar: WCC 2013 Theorem Let N = p 2 q be an RSA modulus. Let the public exponent e and private exponent d satisfies ed ≡ 1 mod φ ( N ) . Then N can be factored in polynomial time if d ≤ N 0 . 395 .

  35. Proof Idea ◮ ed ≡ 1 mod φ ( N ) where N = p 2 q . ◮ So we can write ed = 1 + k ( N − p 2 − pq + p ). ◮ We want to find the root ( x 0 , y 0 , z 0 ) = ( k , p , q ) of the polynomial f e ( x , y , z ) = 1 + x ( N − y 2 − yz + y ) . ◮ Note y 2 0 z 0 = N

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Good Variants of HB + are Hard to Find (The Cryptanalysis of HB ++ , HB and HB-MP) Henri

Good Variants of HB + are Hard to Find (The Cryptanalysis of HB ++ , HB and HB-MP) Henri

unrestricted Good Variants of HB + are Hard to Find (The Cryptanalysis of HB ++ , HB and HB-MP) Henri Gilbert, Matt Robshaw, and Yannick Seurin Financial Crypto 2008 January 29, 2008 intro HB+ HB-MP HB* HB++ conclusion the context

281 views • 24 slides
Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2 Tomislav Nad and Martin Schl 1 DTU - Technical University of Denmark 2 IAIK - Graz University of Technology December 18, 2013 Cryptographic Hash

345 views • 22 slides
New variants of Nonnegative Matrix Factorization for sparsity improvement and maximum biclique

New variants of Nonnegative Matrix Factorization for sparsity improvement and maximum biclique

New variants of Nonnegative Matrix Factorization for sparsity improvement and maximum biclique finding Nicolas Gillis nicolas.gillis@uclouvain.be In collaboration with Fran cois Glineur UCL/CORE (Center for Operations Research and

1.18k views • 98 slides
Learning Embeddings for Transitive Verb Disambiguation by Implicit Tensor Factorization Kazuma

Learning Embeddings for Transitive Verb Disambiguation by Implicit Tensor Factorization Kazuma

Learning Embeddings for Transitive Verb Disambiguation by Implicit Tensor Factorization Kazuma Hashimoto Yoshimasa Tsuruoka University of Tokyo 31/07/2015 CVSC2015 in Beijing, China Composition: Words Phrases Composition models Word

731 views • 26 slides
Matrix Co-factorization for Recommendation with Rich Side Information and Implicit Feedback Yi

Matrix Co-factorization for Recommendation with Rich Side Information and Implicit Feedback Yi

Matrix Co-factorization for Recommendation with Rich Side Information and Implicit Feedback Yi Fang and Luo Si Department of Computer Science Purdue University West Lafayette, IN 47906, USA fangy@cs.purdue.edu HetRec 2011 Yi Fang and Luo Si

367 views • 23 slides
Cryptanalysis of Two Variants of the McEliece Cryptosystem Ayoub Otmani 1

Cryptanalysis of Two Variants of the McEliece Cryptosystem Ayoub Otmani 1

Cryptanalysis of Two Variants of the McEliece Cryptosystem Ayoub Otmani 1 Ayoub.Otmani@info.unicaen.fr eonard Dallot 1 Jean-Pierre Tillich 2 L Leonard.Dallot@info.unicaen.fr jean-pierre.tillich@inria.fr 1 GREYC - Groupe de Recherche en

857 views • 51 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR,

Cryptanalysis of a variant of the McEliece encryption scheme Julien Lavauzelle IRMAR, Universit de Rennes 1 Journes Nationales de Calcul Formel 2020 03/03/2020 Outline 1. McEliece cryptosystem and variants 2. Attack on the ReedSolomon

782 views • 52 slides
Im Implicit Feedback and Performance Evaluation in in Recommender Systems Shay Ben Elazar

Im Implicit Feedback and Performance Evaluation in in Recommender Systems Shay Ben Elazar

Im Implicit Feedback and Performance Evaluation in in Recommender Systems Shay Ben Elazar Mike Gartrell Noam Koenigstein Gal Lavee Agenda Intro Universal Store Recommendations Extreme Classification with Matrix Factorization

905 views • 37 slides
Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we consider here, just like in consensus, the processes need to make consistent decisions, such as agreeing on one common value. Most of the

590 views • 35 slides
Implicit Bias Implicit bias Implicit bias refers to attitudes or stereotypes that affect our

Implicit Bias Implicit bias Implicit bias refers to attitudes or stereotypes that affect our

Implicit Bias Implicit bias Implicit bias refers to attitudes or stereotypes that affect our understanding, actions and decisions in an unconscious manner. It's different from suppressed thoughts we might conceal to keep the peace; it's

634 views • 16 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Jointly Learning Word and Phrase Embeddings Using Neural Networks and Implicit Tensor

Jointly Learning Word and Phrase Embeddings Using Neural Networks and Implicit Tensor

Jointly Learning Word and Phrase Embeddings Using Neural Networks and Implicit Tensor Factorization Kazuma Hashimoto Tsuruoka Laboratory, University of Tokyo 19/06/2015 Talk@UCL Machine Reading Lab. Self Introduction Name Kazuma

726 views • 39 slides
Implicit Surfaces Implicit Surfaces An implicit surface is simply an iso-contour CIS 781 of a

Implicit Surfaces Implicit Surfaces An implicit surface is simply an iso-contour CIS 781 of a

Implicit Surfaces Implicit Surfaces An implicit surface is simply an iso-contour CIS 781 of a scalar function f(x,y,z)=0 . Roger Crawfis The term is usually used when modeling a surface, whereas iso-contour is used when visualizing a

388 views • 12 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness Robustness of a mathematical object (such as proof, definition, algorithm, method, etc.) is measured by its invariance to certain changes To prove that a

944 views • 49 slides
Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la factorisation dentiers et le calcul de logarithme discret Cyril Bouvier CARAMEL project-team, LORIA Universit de Lorraine / CNRS / Inria

470 views • 42 slides
System for intelligent buildings MOBILE APP, DESKTOP STUDIO, CLOUD HW &amp; CONNECTIVITY General

System for intelligent buildings MOBILE APP, DESKTOP STUDIO, CLOUD HW &amp; CONNECTIVITY General

System for intelligent buildings MOBILE APP, DESKTOP STUDIO, CLOUD HW &amp; CONNECTIVITY General partner v 6.6 www.inthouse.eu Inthouse Systems s.r.o. 2018 PRESENTATION 30 minutes You can try Inthouse yourself Program

453 views • 19 slides
International Social Security Association Join the leaders in social security administration

International Social Security Association Join the leaders in social security administration

International Social Security Association Join the leaders in social security administration www.issa.int Welcome to the ISSA community of excellence in social security administration social security administration social security

239 views • 8 slides
Social security development and migration key role of administrations The ISSA BRICS project

Social security development and migration key role of administrations The ISSA BRICS project

Promoting excellence in social security Social security development and migration key role of administrations The ISSA BRICS project BRICS 2 nd Labour and Employment Ministerial Meeting 27-28 September 2016, New Delhi, India www.issa.int

483 views • 27 slides
Non-unique factorizations in rings of integer-valued polynomials (Joint work with Sophie Frisch

Non-unique factorizations in rings of integer-valued polynomials (Joint work with Sophie Frisch

Non-unique factorizations in rings of integer-valued polynomials (Joint work with Sophie Frisch and Roswitha Rissner) Sarah Nakato Graz University of Technology Happy 60th birthday Prof. Blas Torrecillas Outline Preliminaries on Int( D ) and

293 views • 13 slides
Finding Small Roots of Bivariate Integer Polynomial Equations Revisited Jean-S ebastien Coron

Finding Small Roots of Bivariate Integer Polynomial Equations Revisited Jean-S ebastien Coron

Finding Small Roots of Bivariate Integer Polynomial Equations Revisited Jean-S ebastien Coron Gemplus Card International Issy-les-Moulineaux, France Solving polynomial equations Let p ( x ) be a polynomial and N an RSA modulus. Solving

495 views • 27 slides
QUANTUM COMPUTING: SHORS FACTORING ALGORITHM A MATHEMATICAL DESCRIPTION OF THE FUNCTION OF

QUANTUM COMPUTING: SHORS FACTORING ALGORITHM A MATHEMATICAL DESCRIPTION OF THE FUNCTION OF

QUANTUM COMPUTING: SHORS FACTORING ALGORITHM A MATHEMATICAL DESCRIPTION OF THE FUNCTION OF SHORS ALGORITHM AND THE BASIC PRINCIPLES OF QUANTUM COMPUTATION A HIGH-LEVEL SUMMARY Eero Jskelinen Mathematics MOTIVATION Quantum

380 views • 16 slides
Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der

Using Fault Injection to weaken RSA public key verification SNE Research Project 2 Ivo van der Elzen University of Amsterdam What is Fault Injection? Simply put: Introducing faults in a target to alter its intended behavior* *(N.

553 views • 34 slides

More recommend