Lecture 13 - University of Virginia, Department of Computer Science

Lecture 13:
Security of RSA
THE MAGIC WORDS ARE
SQUEAMISH OSSIFRAGE.
CS588: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Menu
• Legality of discussing RSA
• Properties of RSA
– Correct (last Thursday)
– Easy to compute if you know the key
– Hard to break if you don’t know the key
CS588 Spring 2005
2
Properties of E and D
Trap-door one way function:
 1. D (E (M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way
to compute D
Trap-door one way permutation: also
4. E (D (M)) = M
Property 4: E (D (M)) = M
D(M) = M^d mod n
E(D(M)) = (M^d mod n)^e mod n
= M^(de) mod n
= M^(ed) mod n
= M
(from the property 1 proof)
Properties of E and D
Trap-door one way function:
 1. D (E (M)) = M
2. E and D are easy to compute.
3. Revealing E doesn’t reveal an easy way
to compute D
Trap-door one way permutation: also
 4. E (D (M)) = M
Before going on…is it legal to talk about 2?
RSA in Perl (by Adam Back)
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;
[(pop,pop,unpack"H*",<>)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0
<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
Until 1997 – Illegal to show this slide to non-US citizens!
Until Jan 2000: can export RSA, but only with 512 bit keys
Now: can export RSA except to embargoed destinations
First Amendment
Because computer source code is an
expressive means for the exchange of
information and ideas about computer
programming, we hold that it is protected
by the First Amendment.
Sixth Circuit Court of Appeals, April 4, 2000
Ruling that Peter Junger could post RSA source
code on his web site
Property 2: Easy to Compute
• E(M) = M^e mod n
• Easy – every 4th grader can do exponents, every kindergartner can do mod n.
• How big are M, e, and n?
– M < 2^b where b is the number of bits in M
– M and n must be big (~10^200) for security
Fast Exponentiation
• a^(m + n) = a^m * a^n
• a^b = a^(b/2) * a^(b/2) (if 2 divides b)
• So, can compute M^e in about log2 e squarings (plus at most log2 e further multiplies, one per set bit of e)
• 10^150 < 2^512, 512 multiplies is doable (by a computer, not a kindergartner)
• Faster bitwise algorithms known
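Added example (not from the lecture slides): square-and-multiply exponentiation as used by E and D, with a multiply counter that makes the ~log2 e cost visible. The toy key (p = 61, q = 53, n = 3233, e = 17, d = 2753) is constructed for this example; e = 9007 is the exponent from the RSA-129 challenge shown later in the lecture. Function names are this example's own.

```python
# Added example (not from the lecture): square-and-multiply modular
# exponentiation, the operation behind E(M) = M^e mod n and D(C) = C^d mod n.
# The multiply count shows why the cost is ~log2(e), not e.


def modexp(base: int, exp: int, mod: int) -> tuple[int, int]:
    """Return (base**exp mod mod, number of modular multiplications used).

    Right-to-left binary method: a^(2k) = (a^k)^2 and a^(k+1) = a^k * a, so
    each bit of exp costs one squaring plus one multiply if the bit is set.
    """
    if mod <= 0:
        raise ValueError("modulus must be positive")
    result, acc, mults = 1, base % mod, 0
    while exp > 0:
        if exp & 1:                      # bit set: fold current power into result
            result = (result * acc) % mod
            mults += 1
        exp >>= 1
        if exp:                          # square once per remaining bit
            acc = (acc * acc) % mod
            mults += 1
    return result % mod, mults


def rsa_roundtrip(m: int, e: int, d: int, n: int) -> tuple[int, int]:
    """Apply E then D with the lecture's definitions; returns (ciphertext, recovered m)."""
    c, _ = modexp(m, e, n)
    m2, _ = modexp(c, d, n)
    return c, m2


# Constructed toy key: p = 61, q = 53, n = 3233, (p-1)(q-1) = 3120, e = 17, d = 2753.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753

if __name__ == "__main__":
    r, k = modexp(4, 13, 497)
    print(r, k, pow(4, 13, 497))                 # 445 6 445
    print(rsa_roundtrip(65, TOY_E, TOY_D, TOY_N))  # (2790, 65)
    # e = 9007 (RSA-129 challenge): 13 squarings + 8 multiplies = 21 operations,
    # versus 9006 multiplies for the naive repeated product.
    print(modexp(65, 9007, TOY_N)[1])            # 21
```

The counter returns popcount(e) + bit_length(e) - 1, which is the "about log2 e" of the slide with the constant made explicit; the toy modulus is only there to keep the numbers readable, and the same function works unchanged on 2048-bit operands.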
Anything else hard to compute?
• We need to find large prime numbers p and q
• Obvious way:
Pick big number x
for i = 2 to sqrt(x)
  if i divides x, it's not prime; start over with x + 1
done – x is prime
How many prime numbers?
• Infinite number (proved by Euclid,
300BC)
Infinite Primes Proof
Suppose that there exist only finitely many primes p_1 < p_2 < ... < p_r.
Let N = p_1 p_2 ... p_r + 1
N > p_r, so by assumption N is not prime; it is composite, N = p * M for some prime p
Since every prime is on the list, p = p_i for some i in 1…r, and then
N = p_i * M = p_i * (p_1 p_2 ... p_{i-1} p_{i+1} ... p_r) + 1
p_i (M – p_1 p_2 ... p_{i-1} p_{i+1} ... p_r) = 1
Contradiction: p_i > 1
Hence, there must be infinitely many primes.
Density of Primes
π(x) is the number of primes ≤ x
From http://www.utm.edu/research/primes/howmany.shtml
Finding Primes
• The Prime Number Theorem:
π(x) ~ x / ln x
• So, to find a prime bigger than x, we need to make about ln x / 2 guesses (trying odd numbers only)
• Naïve prime test
– Each guess requires O(√x) work
– Expect to need O(ln x / 2 * √x) work
– For 200 digits = 230 * 10^100
– More work than breaking 3DES!
Need a faster prime test
• There are several fast probabilistic prime
tests
• Can quickly test a prime with high
probability, with a small amount of work
• If we pick a non-prime, it's not a disaster
(left as PS4 exercise to figure out what happens)
Fermat Test
• Recall Fermat's Little Theorem:
– If n is prime and a is not divisible by n then a^(n-1) ≡ 1 (mod n)
• Prove n is composite by finding an a with a^(n-1) ≢ 1 (mod n)
• Showing a^(n-1) ≡ 1 (mod n) does not prove n is prime
• But if it holds for many a's it is likely that n is prime
– Holds for all a's coprime to n for some non-primes known as Carmichael Numbers: 561, 1105, 1729, …
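Added example (not from the lecture): the Fermat test as described above, an exhaustive check that 561, 1105 and 1729 pass it for every base coprime to n while 645 does not (645 fools base 2 only, so it is a pseudoprime rather than a Carmichael number), and, going beyond the slide, the strong (Miller-Rabin) test that does reject Carmichael numbers. Function names are this example's own.

```python
# Added example (not from the lecture): Fermat test, Carmichael numbers, and the
# strong (Miller-Rabin) test. Helper names are this example's own.
import math
import random


def is_prime_trial(n: int) -> bool:
    """Ground truth by trial division (only for the small n used here)."""
    if n < 2:
        return False
    return all(n % i for i in range(2, math.isqrt(n) + 1))


def fermat_witness(a: int, n: int) -> bool:
    """True if a proves n composite: a^(n-1) != 1 (mod n)."""
    return pow(a, n - 1, n) != 1


def fermat_probable_prime(n: int, rounds: int = 20, seed: int = 1) -> bool:
    """Fermat test with random bases. Never wrong on a prime; may be fooled on a composite."""
    if n < 4:
        return n in (2, 3)
    rng = random.Random(seed)
    return not any(fermat_witness(rng.randrange(2, n - 1), n) for _ in range(rounds))


def fools_fermat_for_all_bases(n: int) -> bool:
    """True if n is composite yet every base coprime to n passes the Fermat test,
    i.e. n is a Carmichael number (checked exhaustively, so small n only)."""
    if n < 3 or is_prime_trial(n):
        return False
    return all(pow(a, n - 1, n) == 1 for a in range(2, n) if math.gcd(a, n) == 1)


def carmichael_numbers_below(limit: int) -> list[int]:
    return [n for n in range(3, limit) if fools_fermat_for_all_bases(n)]


def miller_rabin_witness(a: int, n: int) -> bool:
    """Strong test for odd n > 2. Write n-1 = 2^s * d with d odd. If n is prime,
    a^d = 1 or a^(2^i d) = -1 for some i < s; a base violating that is a witness
    (it exposes a square root of 1 other than +-1, impossible modulo a prime)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


if __name__ == "__main__":
    print(fermat_witness(2, 645), fermat_witness(3, 645))  # False True: base-2 pseudoprime only
    print(carmichael_numbers_below(2000))                  # [561, 1105, 1729]
    print(miller_rabin_witness(2, 561))                    # True: strong test catches 561
```

With random bases, fermat_probable_prime rejects 561 only when a base happens to share a factor with it, which for a Carmichael number with large prime factors is as unlikely as factoring by luck; the strong test needs no such luck, which is why practical key generation uses it rather than the plain Fermat test.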
Primality Test
• PRIMES Problem
– Input: a number n
– Output: TRUE if n is prime, otherwise FALSE
• Is PRIMES in P?
Quiz Time
PRIMES
• PRIMES Problem
– Input: a number n
– Output: TRUE if n is prime, otherwise FALSE
• Until 2002: believed there was no
polynomial algorithm for PRIMES
– Lots of effort on this over 1000s of years
Gauss on PRIMES
The problem of distinguishing prime numbers from
composite numbers and of resolving the latter into
their prime factors is known to be one of the most
important and useful in arithmetic. It has engaged
the industry and wisdom of ancient and modern
geometers to such an extent that it would be
superfluous to discuss the problem at length...
Further, the dignity of the science itself seems to
require that every possible means be explored for
the solution of a problem so elegant and so
celebrated.
Karl Friedrich Gauss, Disquisitiones Arithmeticae, 1801
PRIMES is in P
• Manindra Agrawal, Neeraj Kayal and Nitin
Saxena, PRIMES is in P. Indian Institute of
Technology Kanpur, 2002
– Neeraj Kayal and Nitin Saxena were 4th year
undergraduates at IIT Kanpur
– http://www.cse.iitk.ac.in/news/primality.html
– 7 pages long + references
Paper Excerpt
Key insight based on
generalization of
Fermat’s little theorem
Properties of E and D
Trap-door one way function:
 1. D (E (M)) = M
 2. E and D are easy to compute.
?? 3. Revealing E doesn't reveal an easy way to compute D
Trap-door one way permutation: also
 4. E (D (M)) = M
RSA
E(M) = M^e mod n
D(C) = C^d mod n
n = pq
p, q are prime
d is relatively prime to (p – 1)(q – 1)
ed ≡ 1 (mod (p – 1)(q – 1))
Strategy
• Revealing E: e, n. Can attacker find D?
• If attacker factors n = p * q
ed ≡ 1 mod (p – 1)(q – 1)
Easy to find d ≡ e^-1 mod (p – 1)(q – 1)
• Use experience to argue factoring is hard.
– This should make us somewhat nervous
• Argue all other attacks are at least as hard as factoring n.
Gardner’s Column: Original
RSA challenge ($100)
n (RSA-129) = 1 1438 1625 7578 8886 7669 2357
7997 6146 6120 1021 8296 7212 4236 2562 5618
4293 5706 9352 4573 3897 8305 9712 3563 9587
0505 8989 0751 4759 9290 0268 7954 3541
e = 9007
C = 9686 9613 7546 2206 1477 1409 2225 4355 8829
0575 9991 1245 7431 9874 6951 2093 0816 2982
2514 5708 3569 3147 6622 8839 8962 8013 3919
9055 1829 9451 5781 5154
Scientific American, August 1977
40,000,000,000,000,000 ≠ 17
Ron Rivest (1977): factoring n (129 digits)
would require at least 40 quadrillion
years if you could do a * b mod c in one
nanosecond.
Derek Atkins (April 1994): We are happy to
announce that RSA-129 = 3490 5295 1084 7650
9491 4784 9619 9038 9813 3417 7646 3849 3387
8439 9082 0577 * 3 2769 1329 9326 6709 5499 6198
8190 8344 6141 3177 6429 6799 2942 5397 9828
8533
Trial and Error Factoring
• Guess x, if 1 < gcd (x, n) < n then x is an interesting factor
• If p and q are similar size, lowest factor is around √n.
– Requires O(√n) divisions.
– For RSA-129 = 1.1 * 10^64 divisions, 1 per nanosecond = 3.4 * 10^47 years
Pollard's Rho Method
• Fastest known in 1977 [Pollard75]
• To find factor p, requires about 4√p modular multiplies
• Worst case: lowest p is √n, we need 4 n^(1/4) multiplies
• For RSA-129 = 1.3 * 10^32 = 4 * 10^15 years
• Rivest probably used this, but made a math error (4 quadrillion → 40 quadrillion)
How so Fast
• Better factoring algorithms
• Distributed computation
• Still can’t do a * b mod c in one
nanosecond (not faster processors)
– 1ns = 10^-9 s
– Best Pentium 4 today: 4 GHz (cycle =
.25ns)
– But, multiplying 100 digit numbers takes
many cycles
Factoring Pragmatics
• Conjectured to take e^sqrt(2 log n log log n) steps to factor n.
• Quadratic Sieve Factoring
– Improved Kraitchik's algorithm to choose likely good values for x's
– Complexity: e^sqrt(log n log log n)
– How much bigger numbers can it factor? Twice as many digits in same time!
Breaking RSA-129
• Organized by Derek Atkins and others, 1994
• Quadratic Sieve algorithm
• Memory-limited (1994 – most workstations
16MB RAM), used 10M to hold .5M primes
• Recruited volunteers from Internet
• 1600 machines
• Used 5000 MIPS years over 8 months
To factor r [RSA-129] we assembled the largest
collaboration yet seen in computational number
theory and, possibly, performed the largest single
computation ever completed. In several important
respects, the resources we had available were
barely adequate for the task. Consequently,
ingenuity and diplomacy were required for the
successful completion of the project.
Derek Atkins, Michael Graff, et al.,
The Magic Words Are Squeamish Ossifrage,
AsiaCrypt 1994.
Recent Factoring Algorithms
• Team from CWI (Amsterdam) factored
RSA-155 (512 bits), August 1999
• ~8000 MIPS years (36 CPU years)
• 7 months on ~300 machines
• Lecture 1: factor 300 digit number for
automatic A. How much harder is this?
Faster Factoring Algorithm
• Function Field Sieve [Adelman & Lasker, 1992]
• O(log^10.5 n)
“Breakthrough of Gaussian Proportions”
• One serious limitation:
– Only works in Hollywood: this is what the movie “Sneakers” is about!
RSA Security
• Factoring is hard (except in Sneakers)
• Is this enough to know RSA is secure?
• Can you compute D without factoring n?
– Probably not, but can’t prove it.
– But, can prove other obvious mathematical
attacks are equivalent to factoring.
φ(n) without factoring
• Calculate φ(n) without factoring n.
ed ≡ 1 mod φ(n)
• Equivalent to factoring:
φ(n) = (p – 1)(q – 1) = n – (p + q) + 1
p + q = n – φ(n) + 1
p – q = sqrt((p + q)^2 – 4n) [next slide]
2p = sqrt((n – φ(n) + 1)^2 – 4n) + n – φ(n) + 1
If we know φ(n) we can calculate p and q easily.
p – q = sqrt((p + q)^2 – 4n)
(p – q)^2 = p^2 – 2pq + q^2 = p^2 + q^2 – 2n
(p + q)^2 = p^2 + q^2 + 2n
(p – q)^2 = (p + q)^2 – 4n
p – q = sqrt((p + q)^2 – 4n)
Determine d without φ(n)
• Brute force: d is m digits long, amount of work is 10^m.
– Try 1T/second (special purpose hardware)
– Will take 3 * 10^30 years for m = 50.
– For factoring difficulty, m > 100. (Bigger than AES key)
• Non-brute force: knowing d enables factoring.
Determining d ⇒ factoring
ed ≡ 1 mod φ(n)
k * φ(n) = ed – 1
Already showed, finding φ(n) is same as factoring.
Also true for a multiple of φ(n).
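Added example (not from the lecture) covering both reductions above: recovering p and q from φ(n) with the slide's formulas, and factoring n from a public/private pair (e, d) using k = ed – 1, the multiple of φ(n) the slide mentions. The square-root-of-one method in factor_from_d is the standard way to turn such a multiple into a factor; the slides state the result without the method. The six-digit primes and e = 65537 are constructed for this example, and the function names are this example's own.

```python
# Added example (not from the lecture): the two reductions on the slides,
# carried out on a constructed key. Names are this example's own.
import math
import random


def factor_from_phi(n: int, phi: int) -> tuple[int, int]:
    """Recover (p, q) from n = pq and phi = (p-1)(q-1).

    phi = n - (p+q) + 1        =>  p + q = n - phi + 1
    (p-q)^2 = (p+q)^2 - 4n     =>  p - q = sqrt((p+q)^2 - 4n)
    """
    s = n - phi + 1                      # p + q
    disc = s * s - 4 * n                 # (p - q)^2
    if disc < 0:
        raise ValueError("phi is not (p-1)(q-1) for this n")
    t = math.isqrt(disc)                 # p - q
    if t * t != disc or (s + t) % 2:
        raise ValueError("phi is not (p-1)(q-1) for this n")
    p, q = (s + t) // 2, (s - t) // 2
    if p * q != n:
        raise ValueError("phi is not (p-1)(q-1) for this n")
    return min(p, q), max(p, q)


def factor_from_d(n: int, e: int, d: int, tries: int = 100, seed: int = 0) -> tuple[int, int]:
    """Factor n = pq given the exponent pair (e, d).

    k = ed - 1 is a multiple of phi(n), so g^k = 1 (mod n) for every g coprime
    to n. Write k = 2^t * r with r odd and look at g^r, g^(2r), ..., g^k: the
    term just before the first 1, if it is not -1, is a square root x of 1 with
    x != +-1, and gcd(x - 1, n) is then a proper factor of n. Each random g
    succeeds with probability at least 1/2 for a two-prime modulus.
    """
    k = e * d - 1
    if k <= 0 or k % 2:
        raise ValueError("ed - 1 must be a positive even number")
    t, r = 0, k
    while r % 2 == 0:
        r //= 2
        t += 1
    rng = random.Random(seed)
    for _ in range(tries):
        g = rng.randrange(2, n - 1)
        c = math.gcd(g, n)
        if 1 < c < n:                    # g itself shares a factor with n
            return min(c, n // c), max(c, n // c)
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue                     # this g only reaches the trivial roots
        for _ in range(t):
            y = x * x % n
            if y == 1:                   # x^2 = 1 but x != +-1: split n
                p = math.gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            if y == n - 1:
                break                    # reached -1: trivial, try another g
            x = y
    raise RuntimeError("no factor found; increase tries")


# Constructed key: two six-digit primes, e = 65537, d = e^-1 mod phi (needs Python 3.8+).
P, Q = 999_983, 1_000_003
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)

if __name__ == "__main__":
    print(factor_from_phi(N, PHI))        # (999983, 1000003)
    print(factor_from_d(N, E, D))         # (999983, 1000003)
    print(factor_from_d(3233, 17, 2753))  # (53, 61): the textbook toy key
```

The practical consequence is the one the slides draw: leaking d, or any multiple of φ(n), is equivalent to leaking the factorisation, so a private exponent must be protected exactly as p and q are, and re-keying after a suspected leak means a new modulus, not merely a new exponent.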
Properties of RSA's E and D
• Trap-door one way function:
 1. D (E (M)) = M
 2. E and D are easy to compute.
 3. Revealing E doesn't reveal an easy way to compute D
• Trap-door one way permutation: also
 4. E (D (M)) = M
Applications of RSA
• Privacy:
– Bob encrypts message to Alice using EA
– Only Alice knows DA
• Signatures:
– Alice encrypts a message to Bob using DA
– Bob decrypts using EA
– Knows it was from Alice, since only Alice knows DA
• Things you use every day: ssh, SSL, DNS, etc.
• More than 400,000,000 copies of the RSA
algorithm are currently installed
Faculty Candidate Talks
• Wednesday, 3:30: Cliff Zou – modeling
and detecting Internet worms
• Monday, 3:30 (Olsson 009)
– Kevin Fu, MIT (PhD student of Ron Rivest
and Frank Kaashoek)
– Secure content distribution using untrusted
servers
Charge
• Thursday: Doug Szajda
• Monday: Kevin Fu, 3:30
• Tuesday: what to do about all those
couriers
• Thursday: guest lecture, Daniel Mellen,
Jennifer Combs and Trab Farrales from
Accenture
– Implementing a public-key infrastructure in
industry
• Work on your projects