Breaking Stuff: Cryptanalysis and Protocol Failures. Wade Trappe. Lecture Overview. We have covered basic cryptographic tools that will be useful for building things. But, before you can build, you need to know the structural weaknesses of your tools…
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Breaking Stuff: Cryptanalysis and Protocol Failures
a = D1(m)
b = D2(m)
yj = D3(m)
y1 = D2^(56)-1(m)
c = D2^(56)(m)
E1(m) = y1
E2(m) = y2
E3(m) = y3
E2^(56)-1(m) = yj
E2^(56)(m) = yh
Theorem: Suppose p and q are primes with q < p < 2q. Let n=pq, and choose e and d as in the RSA algorithm. If d < (1/3)n1/4, then d can be calculated quickly.
Since q<p<2q, we have and
Write ed ≡ 1+k φ(n), for some integer k. Since e< φ(n), we have
φ(n)k < ed < (1/3) φ(n)n1/4,
Also, since k(n- φ(n)) -1 > 0, we have kn-ed >0.
We may divide by dn to get:
Since 3d<n1/4, by assumption.
Now, we satisfy a condition of the form:
This condition means that the fraction (k/d) will arise during the continued fraction expansion of x.
In our case, k/d will arise from the continued fraction expansion of e/n.
Low Exponent Continued-Fraction Attack: Suppose we have the conditions stated earlier, then Eve can do the following:
The number of steps in the continued fraction of e/n is logarithmic in n, so we won’t have to try too many steps.
Remarks: The continued fraction expansions alternate between larger and smaller than e/n. We don’t need to consider k/d that are smaller than e/n since we had 0< k/d – e/n. So, we only need every other expansion!!!
A procedure for approximating a real number x: Let [x] be the greatest integer less than or equal to x.
Let us define a0=[x] and x0=x. Then define
We may approximate x by
The sequence of rational numbers rk/sk give increasingly better accuracy.
Theorem: If for some integers r and s, then r/s=ri/si for some i in this procedure.
Example: Let n = 1966981193543797 and e = 323815174542919. The continued fraction expansion for e/n is
[0, 6, 13, 2, 3, 1, 3, 1, 9, 1, 36, 5, 2, 1, 6, 1, 43, 13, 1, 10, 11, 2, 1, 9, 5]
The first fraction is 1/6, so we try k=1, d=6. Since d must be odd, this won’t work.
By the remark, we may skip the second expansion and go to third:
Again, d must be odd, so discard this.
The fifth fraction is 121/735, which gives C=(e*735-1)/121. This is not an integer! So discard it!
The seventh fraction is 578/3511. This gives C=1966981103495136 as a candidate for φ(n).
The roots for
Are 37264873 and 52783789. Try these out and we find
n = 37264873 × 52783789
We have factored n.
She looks for a match between two lists
Note: This will not always find a match!