how to fake an rsa signature by encoding modular root finding as a sat problem by claudia fiorini,...
TRANSCRIPT
![Page 1: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/1.jpg)
How to fake an RSA signature by encoding modular root finding as a SAT problem
By Claudia Fiorini, Enrico Martinelli, Fabio Massacci
Discrete Applied Mathematics 130 (2003) 101-127
Presented by Yunho KimProvable Software Lab, KAIST
![Page 2: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/2.jpg)
Contents
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 2/27
• Introduction
• Logical cryptanalysis of RSA
• Encoding modular exponentiation into SAT
• Experimental analysis
![Page 3: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/3.jpg)
• Cryptography is the practice and study of hid-ing information
• Cryptography consists of two parts encryption and decryption– Encryption is the process of plaintext into unintelligible
text and decryption is the reverse.– The detailed operations of a cipher is controlled both by
the algorithm and, in each instance, by a key
• There are two types of cryptography– Symmetric-key cryptography– Asymmetric-key cryptography
IntroductionCryptography
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 3/27
From Wikipedia http://en.wikipedia.org/wiki/Cryptog-raphy
![Page 4: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/4.jpg)
• Symmetric-key cryptography uses identical cryp-tographic keys for both decryption and encryption
IntroductionSymmetric-key
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 4/27
Encryptionalgorithm
Plaintext
Cipher-text
Secret key
Decryptionalgorithm
Ciphertext
Plaintext
Secret keyIdenti-
calkeys
![Page 5: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/5.jpg)
• Asymmetric-key cryptography uses different cryptographic keys for decryption and encryption
IntroductionAsymmetric-key
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 5/27
Encryptionalgorithm
Plaintext
Cipher-text
Encryption key differ-
entkeys
Decryptionalgorithm
Ciphertext
Plaintext
Decryption key
![Page 6: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/6.jpg)
• RSA is an algorithm for asymmetric cryptog-raphy developed by Ron Rivest, Adi Shamir and Leonard Adleman in 1977.
• RSA consists of a cipher algorithm for encryp-tion and decryption and a key generation algo-rithm
• The key generation algorithm generates public-key and private-key – The public-key should be distributed to others but the
private-key must be kept in secret
IntroductionRSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 6/27
![Page 7: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/7.jpg)
• RSA key generation algorithm
The totient Á(n) of a positive integer n is defined to be the num-ber of positive integers less than or equal to n that are co-prime to n
• RSA cipher algorithms– Let m < n be a original message
IntroductionRSA key generation
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 7/27
1. Choose two distinct large random prime numbers p and q2. Compute n = pq3. Compute the totient: Á(n) = (p – 1)(q – 1) where n is a multiplica-
tion of two primes p and q4. Choose an integer e such that 1 < e < Á(n), and e and Á(n) are co-
prime5. Compute d to satisfy the congruence relation de ≡ 1 (mod Á(n));
i.e. de = 1 + k Á(n) for some integer k.6. <n, e> is the public key and <n, d> is the private key
Encryption
c = md mod nDecryption
m = ce mod n
![Page 8: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/8.jpg)
• RSA example
c = 1232753 mod 3233 = 2746 m = 274617 mod 3233 = 123
IntroductionRSA example
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 8/27
1. Choose two distinct large random prime numbers p and qp = 61 and q = 53
2. Compute n = pq n = 61 * 53 = 32333. Compute the totient: Á(n) = (p – 1)(q – 1) Á(n) = (61 – 1)(53 - 1) = 31204. Choose an integer e such that 1 < e < Á(n), and e and Á(n) are co-
prime e = 175. Compute d to satisfy the congruence relation de ≡ 1 (mod Á(n)); i.e. de = 1 + k Á(n) for some integer k. d = 2753, 17 * 2753 = 46801 = 1 + 15 * 31206. <3233, 17> is the public key and <3233, 2753> is the private key
![Page 9: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/9.jpg)
Contents
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 9/27
• Introduction
• Logical cryptanalysis of RSA
• Encoding modular exponentiation into SAT
• Experimental analysis
![Page 10: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/10.jpg)
Logical cryptanalysisoverview
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 10/27
Constraints
Known plaintext +
Known ciphertext +
Exposed variables
Logical analysis/Implication en-
gine
Theorem prover,Satisfiability
solver, ….
Plaintext P
Ciphertext C
Circuit de-scription
Secret key K
Secret Key
From slides of Nachiketh Potlapallyhttp://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18
![Page 11: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/11.jpg)
Logical cryptanalysisSAT-based analysis
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 11/27
Constraints
Ψ(P, C, K
)
Set plaintext and ciphertext
values inΨ(P, C, K)
SATsolver
Time-out
Set val-ues
of ex-posed
variables in
Ψ (P, C, K)
(z+x+y) (z+x+y) (z+x+y) (z+x+y)(z+x) (z+y) (z+x+y)…
.(z+x) (z+y) (z+x+y)
Ψ (P, C, K)
CNF formula ofcryptographic
algorithm,
Plaintext P Secret key K
Ciphertext C
CNF conversion
Constraints
From slides of Nachiketh Potlapallyhttp://www.dss.uwaterloo.ca/talks_2007.html#2007_apr_18 K =
110..1(consistent with the values set)
![Page 12: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/12.jpg)
Logical cryptanalysislogical analysis of RSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 12/27
• For a symmetric cipher, the choice of the crypto-graphic transformation is almost obvious– It uses deterministic algorithms for encryption and de-
cryption– The unknown variable is only the key
• For RSA, we have three known values e, n and m and a number of equations to choose from – n = pq– c = md mod n– m = ce mod n
• What is a suitable equation for SAT-based analy-sis?
![Page 13: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/13.jpg)
Logical cryptanalysislogical analysis of RSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 13/27
• The first possible choice n = pq– If we can factorize n into two primes, we can generate a
private key from p and q– However, the algorithm for integer factorization has sub-
exponential time and space complexity O(2(log N)1/3)– Also, factoring represented as a SAT problem is hard to
solve
• The second possible choice c = md mod n– Since we know only m, n, it has two unknown variables c
and d– For example, if we set <55, 3> as the public key and 9 as
message16 = 94 mod 55 but 9 163 mod 55 = 26
![Page 14: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/14.jpg)
Logical cryptanalysislogical analysis of RSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 14/27
• The last possible choice m = ce mod n– For given e, n, m, we can find the ciphertext c encrypted
with some private key <n, d>without knowing it– We cannot decrypt the ciphertext encrypted with d but
we can generate the ciphertext encrypted with d
• Modular exponentiation is reduced to a sequence of modular multiplications
m0 = 1,mi+1 = (mi
2 + ei∙c ) mod nThe desired value m is obtained at mb log e c + 1
![Page 15: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/15.jpg)
Logical cryptanalysislogical analysis of RSA
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 15/27
• Example of a sequence of modular multiplications
Let e = 3 = 11(2), c = 4, n = 35 = 5 * 7m = ce mod n = 43 mod 35 = 64 mod 35 = 29m0 = 1
m1 = (1 + 1∙4) mod 35 = 5
m2 = (25 + 1∙4) mod 35 = 29
m0 = 1,mi+1 = (mi
2 + ei∙c ) mod nThe desired value m is obtained at mb log e c + 1
![Page 16: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/16.jpg)
Logical cryptanalysisEncoding problem
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 16/27
• The last choice m = ce mod n– For given e, n, m, we can find the ciphertext c encrypted
with some private key <n, d>without knowing it– We cannot decrypt the ciphertext encrypted with d but
we can generate the ciphertext encrypted with d
• Modular exponentiation is reduced to a sequence of modular multiplications
![Page 17: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/17.jpg)
Contents
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 17/27
• Introduction
• Logical cryptanalysis of RSA
• Encoding modular exponentiation into SAT
• Experimental analysis
![Page 18: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/18.jpg)
Encoding
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 18/27
• The size of the problem would become huge even for small bits– If we use the best possible multipliers whose gate com-
plexity is O((log2 n)(log2 (log2 n))), the encoding of the RSA of 100bits would require over 100,000 formulae.
• For the simplicity, we choose the value e = 3– m = (((c∙c) mod n)∙c)mod n
• We need more efficient encoding of modular mul-tiplications
![Page 19: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/19.jpg)
Encoding
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 19/27
• The basic intuition – Let x, y be two 2b bits integers
¼ = (x∙y) mod n = x∙y – k∙n where k = b (x∙y) /n c
• Division is a complex operation and it is simpler to compute an approximate value of k and then sub-tract the error.
![Page 20: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/20.jpg)
Encoding
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 20/27
• The basic intuition – Let x, y be two 2b bits integers
¼ = (x∙y) mod n = x∙y – k∙n where k = b (x∙y) /n c
• Division is a complex operation and it is simpler to compute an approximate value of k and then sub-tract the error.
![Page 21: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/21.jpg)
Contents
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 21/27
• Introduction
• Logical cryptanalysis of RSA
• Encoding modular exponentiation into SAT
• Experimental analysis
![Page 22: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/22.jpg)
Experiments
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 22/27
• Generating satisfiable instances1. Randomly generate a public key <n,e> and signature c2. Compute m = ce mod n3. Transform m, n, e into the corresponding boolean values4. Find a model for c using SAT solver
• Generating unsatisfiable instances1. Randomly generate a public key <n,e> and signature c where e vio-
lates RSA definitione divides either p - 1 or q - 1 if n = pq
2. Compute m = ce mod n3. Transform m, e, n into the corresponding boolean values4. Find a model for c using SAT solver
![Page 23: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/23.jpg)
Experiments
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 23/27
• Three SAT-solver are used– HeerHugo is a stalmark algorithm based SAT solver– eqsatz is a variant of DPLL which includes equational
reasoning for XOR– smodels is an efficient DPLL implementation with stable
model semantics of logic programs
• Three machines are used– Alpha with 256MB memory– PII with 64MB memory– PIII with 512 memory– All machines run Linux
![Page 24: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/24.jpg)
Experiments
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 24/27
![Page 25: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/25.jpg)
Experiments
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 25/27
![Page 26: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/26.jpg)
Conclusion
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 26/27
• The authors show how to encode the problem of finding an RSA signature for a given message without factoring
• The experiments on SAT solvers show that SAT solvers are well behind number theoretic algo-rithms
![Page 27: How to fake an RSA signature by encoding modular root finding as a SAT problem By Claudia Fiorini, Enrico Martinelli, Fabio Massacci Discrete Applied Mathematics](https://reader030.vdocument.in/reader030/viewer/2022032702/56649cef5503460f949bd74f/html5/thumbnails/27.jpg)
Reference
How to fake an RSA signature by encoding modular root finding as a SAT problemYunho Kim, Provable Software Lab, KAIST 27/27
• How to fake an RSA signature by encoding modular root find-ing as a SAT problemBy Claudia Fiorini, Enrico Martinelli, Fabio MassacciIn Discrete Applied Mathematics 130 (2003) 101-127