5,111 research outputs found
A New Partial Key Exposure Attack on Multi-power RSA
An important attack on multi-power RSA () was introduced by Sarkar in 2014 by extending the small private exponent attack of Boneh and Durfee on classical RSA. In particular, he showed that can be factored efficiently for with private exponent satisfying . In this paper, we generalize this work by introducing a new partial key exposure attack for finding small roots of polynomials using Coppersmith's algorithm and Gröbner basis computation. Our attack works for all multi-power RSA exponents (resp. ) when the exponent (resp. ) has full-size bit length. The attack requires prior knowledge of least significant bits (LSBs), and has the property that the required known part of the LSBs becomes smaller with the size of . For practical validation of our attack, we demonstrate several computer algebra experiments.
Partial key exposure attacks on multi-power RSA
The printed copy of the thesis is held in the İstanbul Şehir University Library. In this thesis, our main focus is a type of cryptanalysis of a variant of RSA, namely multi-power RSA. In multi-power RSA, the modulus is chosen as N = p^r q, where r ≥ 2. Building on Coppersmith's method of finding small roots of polynomials, Boneh and Durfee showed a very crucial result (a small private exponent attack) for standard RSA: N = pq can be factored in polynomial time in log N when d < N^0.292. In 2014, Sarkar improved the existing small private exponent attacks on multi-power RSA for r ≤ 5. He showed that one can factor N in polynomial time in log N if d < N^0.395 for r = 2.
Extending the ideas in Sarkar's work, we develop a new partial key exposure attack on multi-power RSA. Prior knowledge of the least significant bits (LSBs) of the private exponent d is required to realize this attack. Our result is a generalization of Sarkar's result, which can be seen as a corollary of ours. Our attack has the following properties: the required known part of the LSBs becomes smaller with the size of the public exponent e, and it works for all exponents e (resp. d) when the exponent d (resp. e) has full-size bit length. For practical validation of our attack, we demonstrate several computer algebra experiments. In the experiments, we use the LLL algorithm and Gröbner basis computation. In some cases, we obtain better experimental results than our theoretical result indicates.
Declaration of Authorship
Abstract
Öz
Acknowledgments
List of Figures
List of Tables
Abbreviations
1 Introduction
1.1 A Short History of the Partial Key Exposure Attacks
1.2 Overview of the Thesis
2 The RSA Cryptosystem
2.1 RSA
2.2 RSA Key Generation
2.3 Multi-power RSA (Takagi's Variant)
2.4 Cryptanalysis of RSA
2.4.1 Factoring N
2.4.2 Implementation Attacks
2.4.2.1 Side-Channel Analysis
2.4.2.2 Bleichenbacher's Attack
2.4.3 Message Recovery Attacks
2.4.3.1 Håstad's Attack
2.4.3.2 Franklin-Reiter Attack
2.4.3.3 Coppersmith's Short Pad Attack
2.4.4 Attacks Using Extra Knowledge on RSA Parameters
2.4.4.1 Wiener's Attack
2.4.4.2 Boneh-Durfee Attack
3 Preliminaries
3.1 Lattice Theory
3.2 Finding Small Roots of Polynomials
3.2.1 Finding Small Modular Roots
3.2.2 Complexity of the Attacks
3.2.2.1 Polynomial Reduction
3.2.2.2 Root Extraction
3.2.3 Boneh-Durfee Attack
4 Partial Key Exposure Attacks on Multi-Power RSA
4.1 Known Attacks
4.1.1 Attacks when ed ≡ 1 mod (p−1)(q−1)
4.1.2 Attacks when ed ≡ 1 mod (p^r − p^(r−1))(q−1)
4.2 A New Attack with Known LSBs
4.3 Experimental Results
5 Conclusion and Discussions
Bibliography
Revisiting the security model for aggregate signature schemes
Aggregate signature schemes combine the digital signatures of multiple users on different messages into one single signature. The Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signature scheme is one such scheme, based on pairings, where anyone can aggregate the signatures in any order. We suggest improvements to its current chosen-key security model. In particular, we argue that the scheme should be resistant to attackers that can adaptively choose their target users, and either replace other users' public keys or expose other users' private keys. We compare these new types of forgers to the original targeted-user forger, building up to the stronger replacement-and-exposure forger. Finally, we present a security reduction for a variant of the BGLS aggregate signature scheme with respect to this new notion of forgery. Recent attacks by Joux and others on the discrete logarithm problem in small-characteristic finite fields dramatically reduced the security of many type I pairings. Therefore, we explore security reductions for BGLS with type III rather than type I pairings. Although our reductions are specific to BGLS, we believe that other aggregate signature schemes could benefit from similar changes to their security models.
Public key exponent attacks on multi-prime power modulus using continued fraction expansion method
This paper proposes three public key exponent attacks for breaking the security of the prime power modulus =22 where and are distinct prime numbers of the same bit size. The first approach shows that the RSA prime power modulus =22 for q<<2q, using the key equation −()=1 where ()=22(−1)(−1), can be broken by recovering the secret keys / from the convergents of the continued fraction expansion of e/−23/4+1/2. The paper also reports the second and third approaches of factoring multi-prime power moduli =2 2 simultaneously by exploiting the generalized systems of equations −()=1 and −()=1 respectively. This can be achieved in polynomial time by utilizing the Lenstra-Lenstra-Lovász (LLL) algorithm and the simultaneous Diophantine approximations method for =1,2,…,
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
Over the last decade botnets survived by adopting a sequence of increasingly sophisticated strategies to evade detection and takeovers, and to monetize their infrastructure. At the same time, the success of privacy infrastructures such as Tor opened the door to illegal activities, including botnets, ransomware, and a marketplace for drugs and contraband. We contend that the next waves of botnets will extensively subvert privacy infrastructure and cryptographic mechanisms. In this work we propose to preemptively investigate the design and mitigation of such botnets. We first introduce OnionBots, what we believe will be the next generation of resilient, stealthy botnets. OnionBots use privacy infrastructures for cyber attacks by completely decoupling their operation from the infected host IP address and by carrying traffic that does not leak information about its source, destination, and nature. Such bots live symbiotically within the privacy infrastructures to evade detection, measurement, scale estimation, observation, and in general all current IP-based mitigation techniques. Furthermore, we show that with an adequate self-healing network maintenance scheme that is simple to implement, OnionBots achieve a low diameter and a low degree and are robust to partitioning under node deletions. We developed a mitigation technique, called SOAP, that neutralizes the nodes of the basic OnionBots. We also outline and discuss a set of techniques that can enable subsequent waves of Super OnionBots. In light of the potential of such botnets, we believe that the research community should proactively develop detection and mitigation methods to thwart OnionBots, potentially making adjustments to privacy infrastructure.
Comment: 12 pages, 8 figures
DR.SGX: Hardening SGX Enclaves against Cache Attacks with Data Location Randomization
Recent research has demonstrated that Intel's SGX is vulnerable to various software-based side-channel attacks. In particular, attacks that monitor CPU caches shared between the victim enclave and untrusted software enable accurate leakage of secret enclave data. Known defenses assume developer assistance, require hardware changes, impose high overhead, or prevent only some of the known attacks. In this paper we propose data location randomization as a novel defensive approach to address the threat of side-channel attacks. Our main goal is to break the link between the cache observations by the privileged adversary and the actual data accesses by the victim. We design and implement a compiler-based tool called DR.SGX that instruments enclave code such that data locations are permuted at the granularity of cache lines. We realize the permutation with the CPU's cryptographic hardware-acceleration units providing secure randomization. To prevent correlation of repeated memory accesses we continuously re-randomize all enclave data during execution. Our solution effectively protects many (but not all) enclaves from cache attacks and provides a complementary enclave hardening technique that is especially useful against unpredictable information leakage.