factoring rsa modulus
play

Factoring RSA Modulus using Prime Reconstruction from Random Known - PowerPoint PPT Presentation

Aug 26, 2022 •27 likes •607 views

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and S. Sen Gupta Cryptology Research Group, ASU Indian Statistcal Institute, Kolkata May 3, 2010 Background Slide 2 of 31 RSA Framework Key-Gen

  1. Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and S. Sen Gupta Cryptology Research Group, ASU Indian Statistcal Institute, Kolkata May 3, 2010

  2. Background Slide 2 of 31

  3. RSA Framework Key-Gen ◮ Large (512 bits) primes p , q and N = pq ◮ φ ( N ) = ( p − 1)( q − 1) and gcd( e , φ ( N )) = 1 ◮ d = e − 1 mod φ ( N ) ◮ Publish � N , e � and keep � N , d � Private Encryption : C = M e mod N for M ∈ Z N Decryption : M = C d mod N Efficient Decryption: CRT-RSA (uses d p = d mod p − 1 and d q = d mod q − 1) Slide 3 of 31

  4. Motivation RSA Problem Given RSA Public Key � N , e � and C = M e mod N , compute M . Facts ◮ Easy to prove: “Factoring N = pq ” ≥ “RSA Problem” ◮ As of 2010: Factoring N is hard for log 2 ( N ) > 768 ◮ Practical RSA: log 2 ( N ) = 1024 , 2048 (recommended) Slide 4 of 31

  5. Motivation RSA Problem Given RSA Public Key � N , e � and C = M e mod N , compute M . Facts ◮ Easy to prove: “Factoring N = pq ” ≥ “RSA Problem” ◮ As of 2010: Factoring N is hard for log 2 ( N ) > 768 ◮ Practical RSA: log 2 ( N ) = 1024 , 2048 (recommended) Questions ◮ Does factoring N get easier if we know some bits of p , q ? ◮ How do we know the bits of p , q in the first place? Slide 4 of 31

  6. Coldboot Attack Ref: Lest We Remember: Cold Boot Attacks on Encryption Keys. Halderman et. al. Princeton University. 2008. Base Logic ◮ System memory can be thought of as an array of capacitors ◮ Capacitors take time to charge or discharge completely ◮ Information can be tapped from retained charge in capacitors Slide 5 of 31

  7. Coldboot Attack How good is it? ◮ Works against popular Disk Encryption systems ◮ Reconstruction of DES key - Halderman et. al. ◮ Reconstruction of AES key - Halderman et. al. ◮ Reconstruction of RSA keys - Heninger and Shacham Slide 6 of 31

  8. Coldboot Attack How good is it? ◮ Works against popular Disk Encryption systems ◮ Reconstruction of DES key - Halderman et. al. ◮ Reconstruction of AES key - Halderman et. al. ◮ Reconstruction of RSA keys - Heninger and Shacham Our Focus ◮ Study and analyze Heninger and Shacham (Crypto 2009) ◮ Suggest improvements to their results ◮ Propose related scheme(s) for RSA prime reconstruction Slide 6 of 31

  9. Reconstruction from LSBs Slide 7 of 31

  10. General Idea Due to: Nadia Heninger and Hovav Shacham [Crypto 2009] “Reconstructing RSA Private Keys from Random Key Bits” Goal: Reconstruct bits of primes starting at the LSB. Note: Total search space (tree) size = 2 512 (for 1024 RSA) ◮ 4 possible choices for each pair of bits of p , q ◮ known RSA equation N = pq rules out 2 choices Idea: Search tree can be pruned if we know some bits of p , q . Slide 8 of 31

  11. General Idea Due to: Nadia Heninger and Hovav Shacham [Crypto 2009] “Reconstructing RSA Private Keys from Random Key Bits” Goal: Reconstruct bits of primes starting at the LSB. Note: Total search space (tree) size = 2 512 (for 1024 RSA) ◮ 4 possible choices for each pair of bits of p , q ◮ known RSA equation N = pq rules out 2 choices Idea: Search tree can be pruned if we know some bits of p , q . How many bits of p , q do we need to know? Slide 8 of 31

  12. Solution Tree Notation ◮ p [ i ] , q [ i ] - i -th bits of p , q ( p [0] = q [0] = 1 are LSBs) ◮ p i , q i - partial solution for p , q through bits 0 − i ◮ Level i - all possibilities for p i , q i in the Search tree Normal Branching 4 naive choices for p [ i ] , q [ i ] reduces to 2 as Level i − 1 the known relation N = pq gives Level i p [ i ] + q [ i ] = ( N − p i − 1 q i − 1 )[ i ] mod 2 Slide 9 of 31

  13. Solution Tree Notation ◮ p [ i ] , q [ i ] - i -th bits of p , q ( p [0] = q [0] = 1 are LSBs) ◮ p i , q i - partial solution for p , q through bits 0 − i ◮ Level i - all possibilities for p i , q i in the Search tree Normal Branching 4 naive choices for p [ i ] , q [ i ] reduces to 2 as Level i − 1 the known relation N = pq gives Level i p [ i ] + q [ i ] = ( N − p i − 1 q i − 1 )[ i ] mod 2 It gets better if some bits are known ... Slide 9 of 31

  14. Branching Analysis The Vital Relation p [ i ] + q [ i ] = ( N − p i − 1 q i − 1 )[ i ] mod 2 (1) Improvised Branching or If either p [ i ] or q [ i ] is known, Equation 1 fixes the other bit. Slide 10 of 31

  15. Branching Analysis The Vital Relation p [ i ] + q [ i ] = ( N − p i − 1 q i − 1 )[ i ] mod 2 (1) Improvised Branching or If either p [ i ] or q [ i ] is known, Equation 1 fixes the other bit. or If both p [ i ] and q [ i ] are known, Equation 1 is either satisfied or not. Slide 10 of 31

  16. Branching Analysis Coldboot: α fraction of p bits and β fraction of q bits known. Branching Statistics ◮ None of p [ i ] , q [ i ] known: 2 Branches, Prob = (1 − α )(1 − β ) . ◮ Only p [ i ] known: 1 Branch, Prob = α (1 − β ) . ◮ Only q [ i ] known: 1 Branch, Prob = (1 − α ) β. ◮ Both p [ i ] , q [ i ] known: γ Branches, Prob = αβ . (1 > γ > 0) Slide 11 of 31

  17. Branching Analysis Coldboot: α fraction of p bits and β fraction of q bits known. Branching Statistics ◮ None of p [ i ] , q [ i ] known: 2 Branches, Prob = (1 − α )(1 − β ) . ◮ Only p [ i ] known: 1 Branch, Prob = α (1 − β ) . ◮ Only q [ i ] known: 1 Branch, Prob = (1 − α ) β. ◮ Both p [ i ] , q [ i ] known: γ Branches, Prob = αβ . (1 > γ > 0) Total number of branches at Level i from each node at Level i − 1: 2(1 − α )(1 − β ) + α (1 − β ) + (1 − α ) β + γαβ = 2 − α − β + γαβ Slide 11 of 31

  18. Bit Requirement Growth factor of the Search Tree: 2 − α − β + γαβ Natural Idea: Keep the growth factor ≈ 1 to restrict growth. Assuming α = β , α = β ≈ 1 − √ 1 − γ 2 − α − β + γαβ ≈ 1 ⇒ γ Slide 12 of 31

  19. Bit Requirement Growth factor of the Search Tree: 2 − α − β + γαβ Natural Idea: Keep the growth factor ≈ 1 to restrict growth. Assuming α = β , α = β ≈ 1 − √ 1 − γ 2 − α − β + γαβ ≈ 1 ⇒ γ Experimental observation shows γ ≈ 0 . 5. (open problem to prove) √ Assuming this true, we get α = β ≈ 2 − 2 ≈ 0 . 5857. Slide 12 of 31

  20. Bit Requirement Growth factor of the Search Tree: 2 − α − β + γαβ Natural Idea: Keep the growth factor ≈ 1 to restrict growth. Assuming α = β , α = β ≈ 1 − √ 1 − γ 2 − α − β + γαβ ≈ 1 ⇒ γ Experimental observation shows γ ≈ 0 . 5. (open problem to prove) √ Assuming this true, we get α = β ≈ 2 − 2 ≈ 0 . 5857. Knowing 59% of bits of p , q is enough to reconstruct the primes. Slide 12 of 31

  21. Specific Cases Case 1: Bits from just one of the primes are known (50%) ◮ No results till date if random bits are known. ◮ Requires contiguous half of one prime (Boneh, Coppersmith). Slide 13 of 31

  22. Specific Cases Case 1: Bits from just one of the primes are known (50%) ◮ No results till date if random bits are known. ◮ Requires contiguous half of one prime (Boneh, Coppersmith). Case 2: Bits are known in complementary fashion (25%) ◮ Either p [ i ] or q [ i ] is known at each level. ◮ This implies that branching is always just 1. ◮ Requires 50% of lower halves of p , q . Slide 13 of 31

  23. Specific Cases Case 1: Bits from just one of the primes are known (50%) ◮ No results till date if random bits are known. ◮ Requires contiguous half of one prime (Boneh, Coppersmith). Case 2: Bits are known in complementary fashion (25%) ◮ Either p [ i ] or q [ i ] is known at each level. ◮ This implies that branching is always just 1. ◮ Requires 50% of lower halves of p , q . Case 3: Bits are known at random positions (30%) ◮ We need to construct only half of the primes from LSB. ◮ Then, use the lattice based result by Boneh et. al. ◮ Requires 59% of lower halves of p , q . Slide 13 of 31

  24. Experiments Size | p | , | q | Known α, β Target t Final W t max W i Avg. γ 256, 256 0.5, 0.5 128 30 60 0.56 256, 256 0.47, 0.47 128 106 1508 0.54 256, 256 0.45, 0.45 128 6144 6144 0.49 512, 512 0.5, 0.5 256 352 928 0.53 512, 512 0.5, 0.5 256 8 256 0.55 512, 512 0.55, 0.45 256 37 268 0.51 512, 512 0.55, 0.45 256 64 334 0.51 512, 512 0.6, 0.4 256 1648 13528 0.55 512, 512 0.6, 0.4 256 704 5632 0.56 512, 512 0.7, 0.3 256 158 1344 0.53 512, 512 0.7, 0.3 256 47 4848 0.52 1024,1024 0.55, 0.55 512 1 352 0.53 1024,1024 0.53, 0.53 512 16 764 0.53 1024,1024 0.51, 0.51 512 138 15551 0.54 1024,1024 0.51, 0.5 512 17 4088 0.52 Slide 14 of 31

  25. Specific Cases Case 4: Bits are known in a Regular Pattern (25%) ◮ Pattern: U bits of both unknown, P bits of p known, Q bits of q known, K bits of both known. ◮ Growth of tree at Level T : T U + P + Q + K = 2 T ( U − K ) � 2 U − K � W T ≈ U + P + Q + K P + K Q + K ◮ Required U + P + Q + K fraction of p and U + P + Q + K fraction of q . ◮ For P = Q , U = K , this means 50% of lower halves of p , q . Slide 15 of 31

  26. Specific Cases Case 4: Bits are known in a Regular Pattern (25%) ◮ Pattern: U bits of both unknown, P bits of p known, Q bits of q known, K bits of both known. ◮ Growth of tree at Level T : T U + P + Q + K = 2 T ( U − K ) � 2 U − K � W T ≈ U + P + Q + K P + K Q + K ◮ Required U + P + Q + K fraction of p and U + P + Q + K fraction of q . ◮ For P = Q , U = K , this means 50% of lower halves of p , q . Case 5: Bits are known only at the top half - discussed later. Slide 15 of 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides

Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides

Factoring and RSA Nadia Heninger University of Pennsylvania September 18, 2017 *Some slides joint with Dan Bernstein and Tanja Lange Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption

1.39k views • 95 slides
Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Factors 2 12 Factors Factors 3 13 and Unique Unique 14 4 to 10 to 15 Greatest Common

Slide 1 / 128 Slide 2 / 128 Table of Contents Factors and GCF Factoring out GCF's Polynomials Factoring Trinomials x 2 + bx + c Factoring Using Special Patterns Factoring Trinomials ax 2 + bx + c Factoring 4 Term Polynomials

472 views • 22 slides
FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about?

FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about?

F A C T O R I N G W I T H J U D G M E N T S FACTORING WITH JUDGMENTS w w w . g u t i e r r e z g r o u p . c o m . c o What is it about? FACTORING It is precisely after the judgment is won by This out-of-the-box product uses the - the

199 views • 7 slides
Objectives The Pollard p-1 Algorithm The Pollard RHO Algorithm Dixons Random Squares

Objectives The Pollard p-1 Algorithm The Pollard RHO Algorithm Dixons Random Squares

The RSA Cryptosystem: Factoring the public modulus Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives The Pollard p-1 Algorithm

289 views • 11 slides
Resilient Modulus Unbound Materials M R Resilient Modulus Axial strain Deviator stress

Resilient Modulus Unbound Materials M R Resilient Modulus Axial strain Deviator stress

Resilient Modulus Unbound Materials M R Resilient Modulus Axial strain Deviator stress Resilient Modulus Cyclic Triaxial Test Haversine Load Pulse Haversine Load Pulse T t sin 2 = ( ) t Flowchart

704 views • 31 slides
Resilient Modulus Unbound Materials 1 Resilient Modulus M R Deviator stress Axial strain

Resilient Modulus Unbound Materials 1 Resilient Modulus M R Deviator stress Axial strain

Resilient Modulus Unbound Materials 1 Resilient Modulus M R Deviator stress Axial strain Resilient Modulus Cyclic Triaxial Test 2 Haversine Load Pulse Haversine Load Pulse sin t ( ) = 2 t T

537 views • 11 slides
Numb3rs 11 2 10 3 Modular Arithmetic 9 4 8 5 7 6 Congruence For a modulus m and

Numb3rs 11 2 10 3 Modular Arithmetic 9 4 8 5 7 6 Congruence For a modulus m and

0 12 1 Numb3rs 11 2 10 3 Modular Arithmetic 9 4 8 5 7 6 Congruence For a modulus m and two integers a and b, we say a b (mod m) if m|(a-b) Typically, we shall consider modulus > 0 a b (mod 0) a=b a b (mod 1)

342 views • 13 slides
Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of

Hardware- -Based Implementations Based Implementations Hardware of Factoring Algorithms of Factoring Algorithms Factoring Large Numbers with the TWIRL Device Factoring Large Numbers with the TWIRL Device Adi Shamir, Eran Tromer Adi

469 views • 42 slides
Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma Tre Erbil,

Erbil, Kurdistan 0 Factoring integers,..., RSA Lecture in Number Theory College of Sciences Department of Mathematics University of Salahaddin Debember 4, 2014 Factoring integers and Producing primes Francesco Pappalardi Universit` a Roma

749 views • 30 slides
Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy,

Factoring into large primes with P-1, P+1 and ECM Alexander Kruppa LORIA CADO workshop Nancy, 9. October 2008 Using P-1, P+1 and ECM in NFS For large factoring projects, memory becomes a limiting resource. Large factor base bound B requires

385 views • 21 slides
Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi Universit` a

College of Science for Women 0 Factoring integers,..., RSA Lecture in Number Theory College of Science for Women Baghdad University March 31, 2014 Factoring integers, Producing primes and the RSA cryptosystem Francesco Pappalardi

2.06k views • 192 slides
! Static Equilibrium ! Static Equilibrium modulus spherical modulus spherical particles on

! Static Equilibrium ! Static Equilibrium modulus spherical modulus spherical particles on

ME 437/537 G. Ahmadi ME 437/537 G. Ahmadi Polystyrene on Polyurethane High elastic High elastic ! Static Equilibrium ! Static Equilibrium modulus spherical modulus spherical particles on particles on ! ! Hydrodynamic Hydrodynamic

198 views • 6 slides
Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview of the Talk Part 1: Background Part 2: Our solution for arbitrary modulus G-lattice sampling Part 3: Our

210 views • 20 slides
Integer factoring and compositeness witnesses Jacek Pomykaa & Maciej Radziejewski June 26,

Integer factoring and compositeness witnesses Jacek Pomykaa & Maciej Radziejewski June 26,

Integer factoring and compositeness witnesses Jacek Pomykaa & Maciej Radziejewski June 26, 2019 Integer factoring and compositeness witnesses 1 Objective: Factorization of a large integer n Oracles Techniques How many hard numbers are

514 views • 22 slides
RSA Accumulator Oct 29, 2019 Overview Definitions modulus math RSA Accumulator

RSA Accumulator Oct 29, 2019 Overview Definitions modulus math RSA Accumulator

RSA Accumulator Oct 29, 2019 Overview Definitions modulus math RSA Accumulator Hash to prime E ffi cient algorithms (Batching) Trusted Setup problem Class Group accumulators Terminology Accumulator : A

426 views • 40 slides
Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O

Shors Algorithm for Factoring: Background Quantum Algorithms In 1994, Peter Shor came up with O ( n 3 ) -time algorithm DPV Chapter 10 for factoring n -bit integers on a quantum algorithm. Why is this a big deal? O ( e n 1/3 ( log n )

712 views • 5 slides
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World

Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy ibenik , Croatia Outline Why physical attacks matter Implementation attacks and power analysis Leakage Detection

972 views • 52 slides
Low Power Multicore Architecture Using FDSOI Technology Marcello Coppola STMicroelectronics

Low Power Multicore Architecture Using FDSOI Technology Marcello Coppola STMicroelectronics

7/15/2014 Low Power Multicore Architecture Using FDSOI Technology Marcello Coppola STMicroelectronics Agenda 2 FDSOI STNOC with FDSOI Application example Conclusions 1 7/15/2014 FD-SOI Speed & Energy Efficiency

211 views • 8 slides
Outline Crypto failures, contd CSci 5271 Announcements intermission Introduction to Computer

Outline Crypto failures, contd CSci 5271 Announcements intermission Introduction to Computer

Outline Crypto failures, contd CSci 5271 Announcements intermission Introduction to Computer Security Day 21: Firewalls, NATs, and IDSes Firewalls and NAT boxes Stephen McCamant University of Minnesota, Computer Science & Engineering

1.35k views • 7 slides
About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of

313 views • 8 slides
Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security!

Micro-architectural Attacks Chester Rebeiro IIT Madras 1 Things we thought gave us security! Cryptography Passwords Information Flow Policies Privileged Rings ASLR Virtual Machines and confinement Javascript

891 views • 59 slides
Restriction Access, Population Recovery & Partial Identification Avi Wigderson IAS,

Restriction Access, Population Recovery & Partial Identification Avi Wigderson IAS,

Restriction Access, Population Recovery & Partial Identification Avi Wigderson IAS, Princeton Joint with Zeev Dvir Anup Rao Amir Yehudayoff Restriction Access, A new model of Grey-box access Systems, Models, Observations From

751 views • 29 slides
NP04 Powercut Recovery and Cold Starts Pengfei Dine, Bonnie King, Geoff Savage DUNE DAQ meeting

NP04 Powercut Recovery and Cold Starts Pengfei Dine, Bonnie King, Geoff Savage DUNE DAQ meeting

NP04 Powercut Recovery and Cold Starts Pengfei Dine, Bonnie King, Geoff Savage DUNE DAQ meeting 29 July 2019 Power cut #1 July 23 Power cut with subsequent cooling failure brought down all servers except np04-srv-001 and np04-srv-004 (on

238 views • 6 slides
SimBench A Portable Benchmarking Methodology for Full-System Simulators Harry Wagstaff Bruno

SimBench A Portable Benchmarking Methodology for Full-System Simulators Harry Wagstaff Bruno

SimBench A Portable Benchmarking Methodology for Full-System Simulators Harry Wagstaff Bruno Bodin Tom Spink Bjrn Franke Institute for Computing Systems Architecture University of Edinburgh ISPASS 2017 1 Motivation Instruction Set

1.05k views • 52 slides

More recommend