A New Related Message Attack on RSA. Oded Yacobi UCSD, Yacov Yacobi MSR, 4/3/2006.
Date posted: 20-Dec-2015
A New Related Message Attack on RSA
Oded Yacobi UCSD
Yacov Yacobi MSR
4/3/2006
Motivation
• A new attack on RSA.
• New tools (new in cryptanalysis).
Related Messages
Example: messages with known relations can occur if an attacker pretends to be the recipient in a protocol that doesn't authenticate the recipient, and in addition that message is composed of the content concatenated with a serial number.
OAEP
OAEP or similar randomization methods are highly recommended.
Nevertheless it is useful to know the ramifications in case for some reason one chooses not to use OAEP.
RFID tags will require very compact cryptosystems, and some designers may be tempted to avoid OAEP.
OAEP
$$[M \oplus G(r)] \,\|\, [r \oplus H(M \oplus G(r))]$$
Previous Result
D. Coppersmith, M. Franklin, J. Patarin, M. Reiter:
Let $(e, N)$ be the RSA public key. Coppersmith et al show that given two RSA cryptograms $x^e \pmod N$ and $(ax+b)^e \pmod N$ for any known constants $a, b \in Z_N$, one can compute $x$ in $O(e \log^2 e)$ $Z_N$-operations with some small error probability (their method fails on $O(e^2)$ messages).
Our Result
Given $e$ cryptograms $c_i = (a_i x + b_i)^e$ for $i = 0, \dots, e-1$, for known constants $a_i, b_i \in Z_N$, one can deterministically compute $x$ in $O(e)$ $Z_N$-operations, after doing $O(e \log^2 e)$ operations that depend only on the known constants.
The pre-computation can be amortized over many instances.
A Special Case
If $c_i = (ax + bi)^e$ for $i = 0, \dots, e-1$ one can determine $x$ in $O(e)$ $Z_N$-operations overall. In this case
$$x \equiv a^{-1} b \left[ (b^e e!)^{-1} \sum_{i=0}^{e-1} \binom{e-1}{i} (-1)^{e-1-i} c_i - \frac{e-1}{2} \right] \pmod N$$
Follow your nose…
A straightforward approach to solve our problem:
Compute the binomial expansion of $c_i \equiv (a_i x + b_i)^e \pmod N$.
Let $z_j = x^j$ and find $z_1$.
For a public key greater than 50 bits the pre-computation becomes prohibitive ($O(e^{\log_2 7})$).
Our tool: the divided difference
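Let $h \in Z_N[x]$ and let $x_0, \dots, x_n$ be distinct elements of $Z_N$ such that $(x_i - x_j)^{-1} \pmod N$ exists for $i \ne j$. The $k$th divided difference of $h$ relative to any $k+1$ elements among the $x_i$ is defined as follows:
$$[x_i] = h(x_i)$$
$$[x_i, x_j] = \frac{[x_i] - [x_j]}{x_i - x_j}$$
$$[x_{i_0}, x_{i_1}, \dots, x_{i_k}] = \frac{[x_{i_0}, x_{i_1}, \dots, x_{i_{k-1}}] - [x_{i_1}, x_{i_2}, \dots, x_{i_k}]}{x_{i_0} - x_{i_k}}$$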
Example
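For our purposes we will only consider the divided difference relative to the RSA polynomial $h(x) = x^e$.
If $h(x) = x^3$ and we let $x_i = x + b_i$ then
$$[x_0, x_1] = \frac{h(x_0) - h(x_1)}{x_0 - x_1} = 3x^2 + 3(b_0 + b_1)x + (b_0^2 + b_0 b_1 + b_1^2)$$
$$[x_0, x_1, x_2] = \frac{[x_0, x_1] - [x_1, x_2]}{x_0 - x_2} = 3x + b_0 + b_1 + b_2$$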
Adopted lemmas
.)('
)(],...,[ .2
.)()('Then.)()(Let .1
010
00
n
j jn
jn
k
jii
ijjk
k
iik
x
xhxxx
xxxxyy
A new lemma
Claim: For $n \le e$, $\deg [x_0, \dots, x_n] = e - n$.
We prove this by showing that the leading coefficient of $[x_0, \dots, x_n]$ is independent of the $b_i$ (recall $x_i = x + b_i$). This comes down to showing that:
1)())(()(
)1(0 110
n
i niiiiii
nii
bbbbbbbb
b
A new lemma
For RSA polynomial, for $n \le e$:
(i) $\deg [x_0, \dots, x_n] = e - n$;
(ii) $[x_0, x_1, \dots, x_{e-1}] \equiv ex + v \pmod N$, where $v$ is a scalar.
The attack
Given: $e$, $N$, and $c_i = (x + b_i)^e$ for $i = 0, 1, \dots, e-1$.
Find: $x$.
Method: Let $w(x) = [x_0, \dots, x_{e-1}] = ex + v$. Compute $x = e^{-1}(w(x) - w(0))$.
If we compute straightforward the complexity is $O(e^2)$.
Algorithm
• Pre-computation
For $i = 0, 1, \dots, e-1$ compute $p_i = \prod_{j=0,\, j \ne i}^{e-1} (b_i - b_j)$. Then compute $w(0) = \sum_{i=0}^{e-1} \frac{b_i^e}{p_i}$. Complexity is $O(e \log^2 e)$.
• Real-time computation
Compute $w(x) = \sum_{i=0}^{e-1} \frac{c_i}{p_i}$ and then $x = e^{-1}(w(x) - w(0))$. Complexity is $O(e)$.
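The pre-computation and real-time steps of the attack, as an added Python illustration (not the authors' code): it uses the straightforward $O(e^2)$ pre-computation rather than the $O(e \log^2 e)$ method, and the toy modulus `N`, offsets `B`, plaintext `X` and all function names are constructed for this example. The second scenario adds fresh random bits per message, the kind of randomization the OAEP slide recommends, and shows that the recovery then fails.

```python
import random
from math import gcd

def precompute(b, e, N):
    """Constants-only step: inverses of p_i = prod_{j != i}(b_i - b_j), and w(0)."""
    p_inv = []
    for i in range(e):
        p_i = 1
        for j in range(e):
            if j != i:
                d = (b[i] - b[j]) % N
                if gcd(d, N) != 1:
                    raise ValueError("b_i - b_j must be invertible mod N")
                p_i = p_i * d % N
        p_inv.append(pow(p_i, -1, N))
    w0 = sum(pow(bi, e, N) * pi for bi, pi in zip(b, p_inv)) % N
    return p_inv, w0

def recover(c, p_inv, w0, e, N):
    """Per-instance step: w(x) = sum c_i / p_i, then x = e^{-1}(w(x) - w(0)) mod N."""
    wx = sum(ci * pi for ci, pi in zip(c, p_inv)) % N
    return (wx - w0) * pow(e, -1, N) % N

# Constructed toy parameters: N is the product of two Mersenne primes.
E = 17
N = (2**31 - 1) * (2**127 - 1)
B = [7 * i + 3 for i in range(E)]            # known offsets b_i (constructed)
X = int.from_bytes(b"related msg", "big")    # secret content (constructed)

def related_unpadded():
    """Textbook RSA on x + b_i: the e cryptograms give x back."""
    c = [pow(X + bi, E, N) for bi in B]
    return recover(c, *precompute(B, E, N), E, N)

def related_randomized(seed=1):
    """Same offsets plus 64 fresh random bits per message: no known relation is left."""
    rng = random.Random(seed)
    c = [pow(((X + bi) << 64) | rng.getrandbits(64), E, N) for bi in B]
    return recover(c, *precompute(B, E, N), E, N)

if __name__ == "__main__":
    print("unpadded messages recovered:", related_unpadded() == X)
    print("randomized messages recovered:", related_randomized() in (X, X << 64))
```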
(Reminder: Adopted lemmas)
.)('
)(],...,[ .2
.)()('Then.)()(Let .1
010
00
n
j jn
jn
k
jii
ijjk
k
iik
x
xhxxx
xxxxyy
More about the computational complexity of the pre-computation
To compute $\prod_{j=0,\, j \ne i}^{e-1} (b_i - b_j)$ over $i = 0, \dots, e-1$ do:
1. $\prod_{j=0}^{e-1} (y - b_j)$, ($O(e \log^2 e)$).
2. Compute the derivative of the above, ($O(e)$).
3. Simultaneously evaluate the value of the derivative in the given points, ($O(e \log^2 e)$) [AHU] (recall that DFT takes $O(e \log e)$).
Why is the special case more efficient?
When $x_i = ax + bi$ the divided difference reduces to a much simpler finite difference of the form:
(wlg assume $x_i = x + i$).
)(mod)()1()(
:lemma
)()1()(
)(
0
(n)
)1()1()(
)0(
Nixi
nx
xxx
xx
en
i
in
iii
e
Finite difference continued…
Instead of applying the finite difference $e-1$ times, use the previous formula to compute $w(x) = e!\,x + v$.
But this time $v$ has a simple form ($v = e!\,\frac{(e-1)}{2}$), so there is no pre-computation.
Compare Results
| | # of cryptograms | pre-comp | real-time |
|---|---|---|---|
| Coppersmith et al | 2 | 0 | $O(e \log^2 e)$ |
| Newton | $e$ | $O(e^{\log_2 7})$ | $O(e)$ |
| Our main result | $e$ | $O(e \log^2 e)$ | $O(e)$ |
| Our special case | $e$ | 0 | $O(e)$ |
Acknowledgments and References?
ACKNOWLEDGEMENTS:
Peter Montgomery
Gideon Yuval