# Dual Rsa and Its Security Analysis

Document Sample

```					Dual RSA and Its Security Analysis

Author : Hung-Min Sun, Mu-En Wu, Wei-Chi Ting,
and M. Jason Hinek
Source : IEEE Transactions on Information Theory,
Vol 53, No 8, August 2007
Presenter : 張瑞修
Date : 12/25
1
Outline
   Introduction
   Dual RSA
   Security Analysis
   Conclusions

2
Introduction (1/7)
RSA

   Key generation
   N = p× q
   Choose a pair of key (e,d) such that e×d=1 mod Φ(n).
   Φ(N) = Φ(p)Φ(q)=(p-1)(q-1)       (Euler quotient function)

   Publish ( e, N), as public key, and keep ( d, N), as private key.

3
Introduction (2/7)                          N=pq

RSA
Euler’s Theorem
Bob                         Alice                  If gcd( m, N) = 1,
mΦ(n) = 1 mod N

m       Alice’s public                    m
Key (e,N)

m = Cd mod N
= med mod N
= mkT+1 mod N
C = me mod N
Alice’s private
Key (d,N)
C                                     C

4
Introduction (3/7)
Small e
   Popular use e = 3 ( Knuth) or
   Known attacks :
   Low-exponent attack

C1
C2
C1 =   m3   mod N1
C2 = m3 mod N2
C3 = m3 mod N3
5
Introduction (4/7)
Small d ( private exponent)

   It’s unsafe below.
                    ( Wiener, 1990)
                    ( Boneh and Durfee, 1998)

   For security, d is usually not small.

6
Introduction (5/7)                                      N=pq

CRT-decryption CRT-decryption
Bob                          Alice

 d p  d mod( p  1)
Alice’s public       d q  d mod(q  1)
m                                                          m
Key (e,N)          x  c mod p
dp


x  c q mod q
d

find x by Chinese Remainder
Theorem.

C = me mod N                   m=Cd mod N

C                                             C
Alice’s private
Key ( d, p, q)
7
Introduction (6/7)
Rebalanced RSA
   Rebalanced RSA is shifting the cost of decryption to key
generation. ( Wiener, 1990)

   According to CRT-decryption, we want to find that dp and dq
can reduce decryption costs.

   For a 1024-bit RSA, dp,dq >160 bit for safe. ( Qiao and Lam,
1998)

   public key ( e, N)
   private key ( dp, dq, p, q)
8
Introduction (7/7)
      Dual RSA is essentially two distinct instances of RSA that
share the same public and private exponents.

   Goal : Reduce the storage space of 2 RSA keys. In particular,
focus on the situation of using two RSA systems simultaneously,
such as blind signature and authentication/secrecy.

   Three Schemes
   Dual RSA-Small-e
   Dual RSA-Small-d
   Dual Generalized Rebalanced-RSA
9
Dual RSA                (1/14)
Dual RSA key equations :
   There exists two positive integer K1 and K2 such that
ed = 1 + k1φ( N1 )
ed = 1 + k2φ( N2 )

Basic Idea:

   Find three integer K1,K2,and K3 such that

10
Dual RSA (2/14)
Dual RSA-Small-e

Input : ( ne , n) such that ne< n/2

11
Dual RSA (3/14)
Start                              randomly select ne  bit y1
q1  y1 y2 +1
no

randomly select ne  bit x1                             Is q1 prime?
and (n/ 2  ne )  bit x2                           yes

p1  x1 x2 + 1                               randomly select ne  bit e
no
no
C heck gcd( x1 y2 y1 y2 , e)  1?
Is p1 prime?                                yes
yes                                     Compute d and k 1
satisfying ed  1 + k1 (p1 - 1)(q 1 - 1)
randomly select (n/ 2  ne )  bit y2
randomly select ne  bit y1
p2  x1 y2 + 1
no    q2  k1 x2 +1                                  no

Is p2 prime?
Is q2 prime?
yes
12
yes
End
Dual RSA (4/14)
Output : ( e, N1, N2) ( d, p1, q1, p2, q2)

e is ne-bit.
d is n-bit.

p1 = (x1x2 + 1) is n/2-bit.

q1 = (x1y2 + 1) is n/2-bit.

p2 = (y1y2 + 1) is n/2-bit.

q2 = (k1x2 + 1) is n/2-bit.

N1 = p1q1 is n-bit.

N2 = p2q2 is n-bit.
13
Dual RSA (5/14)

The experiment takes 1000 key pairs for each public
key size.

14
Dual RSA        (6/14)
ed = 1 + k1φ( N1 )

= 1 + k1(p1 – 1)(q1 – 1)

= 1 + k1(x1x2 )( y1y2 )

= 1 + y1 (x1y2)(k1x2 )

= 1 + k2(p2 – 1)(q2 – 1)

= 1 + k2φ( N2 )
15
Dual RSA           (7/14)
Dual RSA-Small-d

   Use the same algorithm of Dual RSA-Small-e.
   Change ( ne, n) to ( nd, n), and e to d.
   d < N0.333 are considered unsafe.

16
Dual RSA           (8/14)
Theorem 1

Let a and b be two relatively prime integers.
For every integer h thereexists a unique pair of
integers  uh , vh  satisfying auh  bvh  1, where
( h  1)b  uh  hb and ( h  1)a  vh  ha.

17
Dual RSA            (9/14)
Dual Generalized Rebalanced-RSA

Input
Let         and

Let          .

18
Dual RSA                             (10/14)
START

Randomly select ne - bit e
Randomly select k-1 n k - bit integers pa1 , ... ,p k-1 and an even integer pak , such that pa  pa1 ...pa k-1 pak
a

no
gcd pa ,e  1?
yes
Randomly select an n k - bit k p1 .
no
     
gcd k p1 ,e  1?
yes

      
Compute d p and pb such thated p  k p1 pa pb + 1 ( Theorem1)
no

Is p1  pa pb + 1 prime? &
               
Is p2  k p1 pa pb k pi' + 1 prime,
for 1  i'  k-1?                                                                              19

yes
Dual RSA                              (11/14)
Randomly select k-1 n k - bit integers qa1 , ... ,q k-1 and an even integer qak , such thatqa  qa1 ...qa k-1 qak
a

gcdqa ,e  1?
no

yes
Randomly select an n k - bit k q1 .
no
    
gcd k q1 ,e  1?
yes                                                                no
    
Compute d q and qb such thated q  k q1 qa qb + 1 ( Theorem1)

Is q1  qa qb + 1 prime?
              
& Is q2  k q1 qa qb k q j' + 1 prime,
for 1  j'  k-1?
yes
20

END
Dual RSA                          (12/14)
Output :                            and
N1 = p1q1 is n-bit.
N2 = p2q2 is n-bit.
e is ne-bit.
d p is nd - bit.   ( by theorem1)
d q is nd - bit.   ( by theorem1)
n                 n        
p1  pa pb + 1 is knk + ne        - bit.   ( k    ne  nk  )
2                 2        
n
q1  qa qb + 1 is knk + ne         - bit.
2

p2  k p1 pa pb pai ' + 1        n
is - bit.
2
              
q2  k p1 qa qb qai ' + 1
n
is - bit.
2
21
Dual RSA           (13/14)

   The experiment takes over 50 trials for each public
key size.

22
Dual RSA   (14/14)

23
Security Analysis (1/7)
1.     Dual RSA-Small-e

Attack with k1 and k2
N1  1  x1 x2 k2 y2 + x1 x2 + k2 y2
N 2  1  x1 x2 k1 y2 + x1 x2 + k1 y2
where x1  k1  k2  ne and x2  y2  n / 2  ne .
Assume that k1 and k2 are known.
To avoid brute force attack,   ne  n / 2   .

24
Security Analysis (2/7)
2.    Dual RSA-Small-d
Lattice-based attack

 ed  k1 N1               1  k1s1
 ed            k2 N 2    1  k 2 s2

        Write (d , k1 , k2 )  ( Ad ,1  k1s1 ,1  k2 s2 ) .
        Let A=eN1/2 and v = (Ad,1-k1s1, 1-k2s2), so             v 2  3  2nd +ne n / 2
.
        By theorem:
Let L be an n-dimensional lattice. There exists                 vL
such that   v  n1/ 2 det(L)1/ n
25
        We get v  3 det(L)1/ 3  3  2n +3n / 2/ 3 .
e
Security Analysis (3/7)
n d + ne  n / 2            ( ne  3 n / 2 ) / 3
3 2                       3 2
 nd + 2ne / 3  n  n e  n 

 nd  n / 3

26
Security Analysis (4/7)
3.    Dual Generalized Rebalanced-RSA
Small nk attack
N1  p1q1 , N 2  p2 q2
p1  pa pb + 1 ,     p2  pa ' pb ' + 1
q1  qa qb + 1 ,     q2  qa ' qb ' + 1
pa  pa1 pa2  pa k 1 pak ,     pa'  pa k p1 /pa '
j

qa  qa1 qa2  qa k 1 qak ,     qa'  qa k p1 /qa '
j

27
Security Analysis (5/7)
N1  1         pa pb qa qb + pa pb + qa qb pai ' qa j ' pa pb + qa qb pai ' qa j '      2  2n / 2
                                        +                            +
pa ' pb pa ' qb           pa ' pb pa ' qb      k p1 kq1       pa ' pb pa ' qb   k p1 kq1  1 n / 2  2
 2 
2         
N2 1           p p q q + pa ' pb + qa ' qb        p p + qa ' qb
 a' b a' b                    1 + a' b                1
pa ' pb pa ' qb            pa ' pb pa ' qb             pa ' pb pa ' qb

       Dividing the first inequality by the second yields
N1  1 p a i ' q a j '   8
               + n/2
N 2  1 k p1 k q1 2

N1  1 p a i ' q a j '    8        1
                        n/2 
N 2  1 k p1 k q1       2         
2 k p1 k q1   

28
Security Analysis (6/7)
k k 2
p1 q1    k  k  n 
n / 42
p1   q1   k

 nk  n / 8  1

Add the bound by /2 against exhastive search.
 nk  n / 8  1 + /2

29
Security Analysis (7/7)
Safe Dual RSA parameters

1

30
Conclusions
     The memory requirement is reduced in the situations that
require two instances of RSA.

31
Conclusions
      The computational complexity of the key generation
algorithms is also increased when reducing space complexity
of Dual RSA.

   The methods can control the bit-length of key parameters.
( such as ne, nk, nd)

32
End

Thanks!

33
Application

Alice                          Bob

S             C              S
m       簽署       加密                  解密       驗證             m

簽署: S = DA(m) mod N1         解密: S = DB(C) mod N1

加密: C = EB(DA(m)) mod N2     驗證: m = EA(S) mod N2

34
35

```
DOCUMENT INFO
Shared By:
Categories:
Stats:
 views: 479 posted: 1/19/2010 language: English pages: 35