Transcript A Creative Way of Breaking RSA Azeem Jiva

A Creative Way of Breaking RSA
Azeem Jiva
Overview
●
What is RSA?
–
–
●
Public Key Algorithm
Is it secure?
Ways to break RSA
–
–
Discover the Public Key
Number Field Sieve
What is RSA?
●
●
●
RSA is named after its Inventors
Public Key Algorithm
Variable Key Length
–
–
●
●
●
512bits, 1024bits are most common
2048bits, 4096bits are extreme
Variable Plaintext Length
Ciphertext Length same as Key Length
RSA is slow, used mostly to encrypt second
key
Definitions
●
Relative Prime
–
–
–
●
No common divisors except for 1
Sometimes called Coprime and Strangers [2]
e.g. 3 and 5
Multiplicative Inverse
–
Number which multiplied by another number
gives you one [3]
How RSA Works
●
Need Public and Private Key
–
●
Don't tell anyone the Private Key!
To create Public Key need two large primes
–
–
–
–
–
P and Q; 256bits each
Multiply them together, result is N
ø(N)=(P-1)(Q-1)
Find E relative prime to ø(N)
Public Key is (E,N)
Private Key and Encryption
●
Need to find multiplicative inverse of:
–
●
●
Private Key is (D, N)
Now you can encrypt
–
●
Ciphertext c = ME mod N
And decrypt
–
●
D = E mod ø(N)
M = CD mod N
And sign messages
–
S = MD mod N
Is RSA Secure?
●
●
Fundamental Tenent of Cryptography
Difficult to factor, but there are other ways
–
●
RSA-155 (512bits) was broken in 7 months
[1]
–
●
“Wait”/”Attack”
Took 8700 MIPS years
Estimated time till factored [1]
–
–
768bits – 2010
1024bits – 2018
Breaking RSA
●
Quadratic Sieve
–
●
Previous way
Number Field Sieve
–
–
–
–
Currently the fastest way
O{exp[c(log n)1/3 (log log n)2/3]}
Can be parallelized on multiple machines
Interesting work by Dan Bernstein
●
http://cr.yp.to/papers/nfscircuit.ps
Number Field Sieve
●
Four main steps
–
–
–
–
●
Polynomial Selection
Sieving
Linear Algebra
Square Root
The Sieving is the most time consuming
Polynomial Selection
●
Select two irreducible polynomials (Primes)
–
–
●
F1(x)
F2(x)
They have a common root
–
M mod N
Sieving
●
Finds two numbers that are relatively prime
–
●
Both numbers are smooth over factor bases
–
–
●
●
GCD(a,b) = 1
B deg(f1) f1 (a/b)
B deg(f2) f2 (a/b)
These two numbers are “relations”
Find as many of these “relations” so that
several subsets S with property
≡ Y2 (mod n) can be found
X2
Linear Algebra
●
Filters the results from Sieving
–
–
–
Remove duplicates
Remove relations that do not occur anywhere
else
Certain relations are merged
●
–
Eliminate primes and prime ideals which occur exactly
k times in k situations
Use a Lanczos Algorithm
●
Most time consuming of Linear Algebra Step
Square Root
●
Computes Square Roots
–
–
–
a is the root of a polynomial f1(x), f2(x)
a – ba have smooth norms
Cardinality of S is in the millions
Projects
●
NFS Net
–
●
http://www.iaeste.dk/~henrik/projects/nfsnet.html
Lattice Siever
–
http://www.lehigh.edu/~bad0/nfs2-137.html
Factoring Records
References
●
●
●
●
Factorization of a 512-bit Modulus, Cavallar, etc
mathworld.wolfram.com/RelativelyPrime.html
www.mathnstuff.com/math/spoken/here/1words/m/m31.htm
www.cs.sjsu.edu/~stamp/SecurityEngineering/chapter5/knapsack.html