RSA, Integer Factorization, Diffie–Hellman, Discrete Logarithm
Total Page:16
File Type:pdf, Size:1020Kb
RSA, integer factorization, Diffie–Hellman, discrete logarithm computation Aurore Guillevic Inria Nancy, France November 12, 2020 1/71 Aurore Guillevic [email protected] • L1-L2 at Université de Bretagne Sud, Lorient (2005–2007) • L3 Vannes (2007–2008) • M1-M2 maths and cryptography at Université de Rennes 1 (2008–2010) • internship and PhD at Thales Communication, Gennevilliers (92) • post-doc at Inria Saclay (2 years) and Calgary (Canada, 1 year) • researcher in cryptography at Inria Nancy since November 2016 • adjunct assistant professor at Polytechnique (2017–2020) 2/71 Outline Preliminaries RSA, and integer factorization problem Naive methods Quadratic sieve Number Field Sieve Bad randomness: gcd, Coppersmith attacks Diffie-Hellman, and the discrete logarithm problem Generic algorithms of square root complexity Pairings 3/71 Introduction: public-key cryptography Introduced in 1976 (Diffie–Hellman, DH) and 1977 (Rivert–Shamir–Adleman, RSA) Asymmetric means distinct public and private keys • encryption with a public key • decryption with a private key • deducing the private key from the public key is a very hard problem Two hard problems: • Integer factorization (for RSA) • Discrete logarithm computation in a finite group (for Diffie–Hellman) 4/71 Textbooks Alfred Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Christof Paar and Jan Pelzl. Understanding Cryptography, a Textbook for Students and Practitioners. Springer, 2010. (Two texbooks [PP10] (Paar and Pelzl) are available at the library at Lorient, code 005.8 PAA). Relvant chapters: 6, 7, 8, and 10. During lockdown, the library is opened: see La BU sur rendez-vous https://www-actus.univ-ubs.fr/fr/index/actualites/scd/ covid-19-la-bu-sur-rdv.html Lecture notes: https://gitlab.inria.fr/guillevi/enseignement/ (Lorient → Master-CSSE.md) 5/71 Textbooks The Handbook is available in PDF for free. Relevant chapters: • chapter 3 http://cacr.uwaterloo.ca/hac/about/chap3.pdf • section 3.3 on the RSA problem, • section 3.6 on the discrete logarithm problem, • section 3.7 on the Diffie-Hellman problem, • chapter 8 http://cacr.uwaterloo.ca/hac/about/chap8.pdf • section 8.2 on public-key cryptography and RSA, • section 8.4 on ElGamal encryption. • chapter 11 http://cacr.uwaterloo.ca/hac/about/chap11.pdf • section 11.5.2 on ElGamal signature scheme, • section 11.5.1 on Digital Signature Algorithm. 6/71 Outline Preliminaries RSA, and integer factorization problem Introduction on RSA Attacking RSA with Integer Factorization Naive methods Quadratic sieve Number Field Sieve Attacks on the RSA cryptosystem Bad randomness: gcd, Coppersmith attacks Diffie-Hellman, and the discrete logarithm problem Generic algorithms of square root complexity Pairings 7/71 public parameters PKA public parameters public keyPK A secret key skA 1. gets Alice’s public keyPK A 2. encrypts M withPK A 3. sends C = EncPKA (M) to Alice C 4. gets C from Bob 5. computes DecskA (C) = M Public-key encryption Alice Bob 8/71 PKA public keyPK A secret key skA 1. gets Alice’s public keyPK A 2. encrypts M withPK A 3. sends C = EncPKA (M) to Alice C 4. gets C from Bob 5. computes DecskA (C) = M Public-key encryption Alice Bob public parameters public parameters 8/71 PKA 1. gets Alice’s public keyPK A 2. encrypts M withPK A 3. sends C = EncPKA (M) to Alice C 4. gets C from Bob 5. computes DecskA (C) = M Public-key encryption Alice Bob public parameters public parameters public keyPK A secret key skA 8/71 1. gets Alice’s public keyPK A 2. encrypts M withPK A 3. sends C = EncPKA (M) to Alice C 4. gets C from Bob 5. computes DecskA (C) = M Public-key encryption Alice Bob public parameters PKA public parameters public keyPK A secret key skA 8/71 C 4. gets C from Bob 5. computes DecskA (C) = M Public-key encryption Alice Bob public parameters PKA public parameters public keyPK A secret key skA 1. gets Alice’s public keyPK A 2. encrypts M withPK A 3. sends C = EncPKA (M) to Alice 8/71 4. gets C from Bob 5. computes DecskA (C) = M Public-key encryption Alice Bob public parameters PKA public parameters public keyPK A secret key skA 1. gets Alice’s public keyPK A 2. encrypts M withPK A 3. sends C = EncPKA (M) to Alice C 8/71 Public-key encryption Alice Bob public parameters PKA public parameters public keyPK A secret key skA 1. gets Alice’s public keyPK A 2. encrypts M withPK A 3. sends C = EncPKA (M) to Alice C 4. gets C from Bob 5. computes DecskA (C) = M 8/71 RSA, how does it work? 1977, Rivest, Shamir, Adleman • modulus N = p × q, p, q two distinct large primes • arithmetic modulo N, in Z/NZ = {0, 1,..., N − 1} The multiplicative group is the set of invertible integers in {1, 2,..., N − 1}. invertible x means gcd(x, N) = 1, x coprime to N. There are ϕ(N) = (p − 1)(q − 1) invertible integers in {1,..., N − 1} Hard tasks without knowing p, q if N is large enough: • computing (p − 1)(q − 1), √ • computing a square root x = x 1/2 mod N, • computing an e-th root x 1/e mod N. 9/71 RSA, how does it work? Alice chooses two distinct primes p and q and set N = pq Alice chooses a public exponent e coprime to N and (p − 1)(q − 1) Alice computes ϕ(N) = (p − 1)(q − 1) and d = 1/e mod ϕ(N) public key: (N, e), e for encryption private key: (p, q, d), d for decryption Encryption: To send a secret message m to Alice: Bob • obtains Alice’s public key (N, e) • encodes m as an integer between 0 and N − 1, • ciphertext c = me mod N, sends c to Alice. Decryption: Alices computes m = cd mod N. It works because med = m mod N, because ed = 1 mod ϕ(N). 10/71 RSA, how does it work? The security relies on the hardness of computing d from N, e. p, q are required to compute ϕ(N) → security relies on the hardness of integer factorization. Usecases: ssh-keygen (linux), PGP: Enigmails on Thunderbird, Protonmail. Note that short keys are not allowed: ssh-keygen -b 512 -t rsa Invalid RSA key length: minimum is 1024 bits 11/71 Knowing the public and private exponents gives a factorization of N Facts: • if x is a square mod N, it has 4 square roots y such that y 2 = x mod N • ed = 1 mod (p − 1)(q − 1) ⇐⇒ ed − 1 = 0 mod (p − 1)(q − 1) • For all x ∈ {1,..., N − 1} coprime to N, x ed−1 ≡ x mod N • ed − 1 is even: (ed − 1)/2 is integer If N, e and d are known: Compute y = x (ed−1)/2 mod N a square root of 1. If y =6 ±1, then y 2 ≡ 1 mod N ⇐⇒ y 2 − 1 = (y − 1)(y + 1) ≡ 0 mod N → compute gcd(y − 1, N) or gcd(y + 1, N) to find p or q. If y is 1, try with (ed − 1)/4,..., (ed − 1)/2i as long as it is an integer. Otherwise, try with another x. Success rate is high. 12/71 Example N = 43 × 47 = 2021, e = 5 coprime to ϕ(N) = 42 × 46 = 1932, d = 1/e mod ϕ(N) = 773 p= 43;q= 47;N=p*q e=5 phiN=(p-1)*(q-1) g,d,v= xgcd(e, phiN) # d is the private exponent y=1;x=2 whiley ==1: expo=e*d-1 whiley ==1 and(expo%2) ==0: expo= expo//2 y=x**expo%N ify ==1: x=x+1 gcd(y-1,N); gcd(y+1,N) We obtain: 21932/4 = 988 mod N, gcd(y − 1, N) = 47 = q, gcd(y + 1, N) = 43 = p. 13/71 Short private exponent is a bad idea For faster encryption, one can choose a short public exponent e (coprime to N). Two common choices of prime exponents: • e = 3 • e = 216 + 1 = 65537 For a faster decryption, one could set a short private exponent d (and a large public exponent e instead). It is wrong: Wiener attack. Idea: continued fraction technique. 14/71 Padding m ∈ {0, 1, 2,..., N − 1}. Problems: • m = 0 =⇒ c = me = 0 mod N • m = 1 =⇒ c = me = 1 mod N √ • 2 ≤ m ≤ b e Nc =⇒ c = me (no modular reduction) =⇒ m = c1/e as an integer. Standards (PKCS) define ways to fill the zeros (the unused bytes) between m and N. 15/71 Choosing key sizes Symmetric ciphers (AES): key sizes are 128, 192 or 256 bits. Perfect symmetric cipher: trying all keys of size n bits takes 2n tests → brute-force search perfect symmetric cipher with secret key of 2n bits ↔ n bits of security For RSA with N of length(N) bits: n bits of security ↔ the best (mathematical) attack should take at least 2n steps • what is the fastest attack? • how much time does it take with respect to length(N)? RSA keys are much larger. Cipher suite: a pair of symmetric and asymmetric ciphers offering the same level of security. 16/71 log2 cost 512 √ √ N, p N /p √ (naive facto. , generic DL in Z Z) 3 448 e 64/9(ln p)(ln ln p)2 / 10.17 ↔ 67.51 √ 2 (DL-240 2 ) 3 e 64/9(ln N)(ln ln N)2 / 11.91 ↔ 65.77 384 2 (RSA-240 2 ) 320 256 192 128 64 log2 N 1024 2048 3072 4096 5120 6144 7168 8192 log2 p 17/71 Particles n 2n Examples 32 232 = 109.6 number of humans on Earth 46 246 = 1013.8 distance Earth - Sun in millimeters number of operations in one day on a processor at 1 GHz 55 255 = 1016.6 number of operations in one year on a processor at 1 GHz 82 282 = 1024.7 mass of Earth in kilogramms 90 290 = 1027.1 numer of operations in 15 · 109 years (age of the universe) on a processor at 1 GHz 155 2155 = 1046.7 number of molecules of water on Earth 256 2256 = 1077.1 number of electrons in universe Courtesy Marine Minier 18/71 Boiling water Universal Security; From bits and mips to pools, lakes – and beyond Arjen Lenstra, Thorsten Kleinjung, and Emmanuel Thomé https://hal.inria.fr/hal-00925622 • 290 operations require enough energy to boil the lake of Genève • 2114 operations: boiling all the water on Earth • 2128 operations: boiling 16000 planets like the Earth 19/71 Naive way 1: Testing all primes up to square root of N √ Trial division: testing all the primes up to N But if there are too many primes to test, it never ends • x/ ln x prime numbers between 1 and x (with ln exp(1) = 1) √ √ √ • N/ ln N prime numbers between 1 and N √ √ N (bits) N (digits) N/ ln N 256 77 2122 1037 512 154 2249 1075 768 231 2376 10114 1024 308 2504 10152 1280 385 2632 10191 1536 462 2759 10229 1792 539 2887 10267 2048 617 21015 10306 20/71 Naive way 2: testing all primes around square root of N √ If√p and q are of the same length (in bits), test all prime factors between b N/2c and b Nc.