Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (2.78 MB, 385 trang )
For simplicity, let us suppose Alice and Bob use the DH protocol in the
subgroup illustrated in Figure 11.3 without checking that X and Y are proper
values. Furthermore, after this exchange Alice starts using the new key k
to send an encrypted and authenticated message to Bob that contains some
further protocol data. (This is a very common situation, and similar situations
can occur in IKE.)
Here is the dangerous behavior by Alice: when she receives a resend of the
second message containing Y, she simply recomputes the key k and sends the
appropriate reply to Bob. Sounds entirely harmless, right? But the attacker Eve
can now start to play games. Let d be a small divisor of (p − 1). Eve can replace
Y by an element of order d. Alice’s key k is now limited to d possible values,
and is completely determined by Y and (x mod d). Eve tries all possible values
for (x mod d), computes the key k that Alice would have gotten, and tries to
decrypt the next message that Alice sends. If Eve guesses (x mod d) correctly,
this message will decrypt properly, and Eve has learned (x mod d).
But what if p − 1 contains a number of small factors (d1 , d2 , . . . , dk )? Then
Eve can run this attack repeatedly for each of these factors and learn
(x mod d1 ), . . . , (x mod dk ). Using the general form of the Chinese Remainder Theorem (see Section 12.2) she can combine this knowledge to obtain
(x mod d1 d2 d3 · · · dk ). So if the product of all small divisors of p − 1 is large, Eve
can get a signiﬁcant amount of information about x. As x is supposed to be
secret, this is always a bad development. In this particular case, Eve can ﬁnish
by forwarding the original Y to Alice and letting Alice and Bob complete the
protocol. But Eve has collected enough information about x that she can now
ﬁnd the key k that Alice and Bob use.
To be quite clear: this is not an attack on IKE. It is an attack on an implementation of IKE that is allowed by the standard . Still, in our opinion the protocol should include enough information for a competent programmer to create a secure implementation. Leaving this type of information out is
dangerous, as somebody somewhere will implement it the wrong way. (We
have not veriﬁed whether this attack applies to newer versions of IKE.)
For this attack to work, Eve has to be lucky enough to have a p − 1 with
sufﬁcient small divisors. We are designing against an adversary that can
perform 2128 steps of computing. This allows Eve to take advantage of all
divisors of p − 1 up to 2128 or so. We’ve never seen a good analysis of the
probabilities of how much information Eve could get, but a quick estimate
indicates that on average Eve will be able to get approximately 128 bits of
information about x from the factors smaller than 2128 . She can then attack the
unknown part of x using a collision-style attack, and as x is only 256 bits long,
this leads to a real attack. At least, it would if we didn’t check that X and Y
were in the proper subgroup.
The attack becomes even easier if Eve was the person selecting the subgroup
(p, q, g). She may have put the small divisors into p − 1 herself when she selected
p in the ﬁrst place. Or maybe she sat on the committee that recommended
certain parameters for a standard. This isn’t as crazy as it seems. The U.S.
government, in the form of NIST, helpfully provides primes that can be used
with DSA, a signature scheme that uses subgroups like this. Other parts of that
same U.S. government (e.g., NSA, CIA, FBI) have a vested interest in being
able to break into private communications. We certainly don’t want to imply
that these primes are bad, but it is something that you would want to check
before you use them. This is easy to do; in fact, NIST published an algorithm
for choosing parameters that does not insert additional small factors, and you
can check whether the algorithm was indeed followed. But few people ever do.
In the end, the simplest solution is to check that every value you receive is
in the proper subgroup. All other ways of stopping small subgroup attacks
are much more complicated. You could try to detect the small factors of p − 1
directly, but that is way too complicated. You could require the person who
generated the parameter set to provide the factorization of p − 1, but that adds
a great deal of complexity to the whole system. Verifying that the received
values are in the right subgroup is a bit of work, but it is by far the simplest
and most robust solution.
Assume 200 people wish to communicate securely using
symmetric keys, one symmetric key for each pair of people. How many
symmetric keys would this system use in total?
Exercise 11.2 What are the subgroups generated by 3, 7, and 10 in the
multiplicative group of integers modulo p = 11?
Exercise 11.3 Why is a number r a square modulo p, p = 2q + 1 and p and q
both prime, if and only if r q = 1 (mod p).
Exercise 11.4 What problems, if any, could arise if Alice uses the same x and
gx for all her communications with Bob, and Bob uses the same y and gy for all
his communications with Alice?
Exercise 11.5 Alice and Bob wish to agree on a 256-bit AES key. They are
trying to decide between using 256-bit, 512-bit, or some other length DH public
keys gx and gy . What would be your recommendation to them?
The RSA system is probably the most widely used public-key cryptosystem
in the world. It is certainly the best known. It provides both digital signatures
and public-key encryption, which makes it a very versatile tool, and it is based
on the difﬁculty of factoring large numbers, a problem that has fascinated
many people over the last few millennia and has been studied extensively.
RSA is similar to, yet very different from, Difﬁe-Hellman (see Chapter 11).
Difﬁe-Hellman (DH for short) is based on a one-way function: assuming p and
g are publicly known, you can compute (gx mod p) from x, but you cannot
compute x given gx mod p. RSA is based on a trapdoor one-way function.
Given the publicly known information n and e, it is easy to compute me mod n
from m, but not the other way around. However, if you know the factorization
of n, then it is easy to do the inverse computation. The factorization of n is the
trapdoor information. If you know it, you can invert the function; if you do
not know it, you cannot invert the function. This trapdoor functionality allows
RSA to be used both for encryption and digital signatures. RSA was invented
by Ronald Rivest, Adi Shamir, and Leonard Adleman, and ﬁrst published in
Throughout this chapter we will use the values p, q, and n. The values p and
q are different large primes, each on the order of a thousand bits long or more.
The value n is deﬁned by n := pq. (An ordinary product, that is, not modulo
The Chinese Remainder Theorem
Instead of doing computations modulo a prime p as in the DH system, we
will be doing computations modulo the composite number n. To explain what
is going on, we will need a little more number theory about computations
modulo n. A very useful tool is the Chinese Remainder Theorem, or CRT. It is
named so because the basic version was ﬁrst stated by the ﬁrst-century Chinese
mathematician Sun Tzu. (Most of the math you need for DH and RSA dates
back thousands of years, so it can’t be too difﬁcult, right?)
The numbers modulo n are 0, 1, . . . , n − 1. These numbers do not form a
ﬁnite ﬁeld as they would if n were a prime. Mathematicians still write Zn
for these numbers and call this a ring, but that is a term we won’t need.
For each x in Zn , we can compute the pair (x mod p, x mod q). The Chinese
Remainder Theorem states that you can compute the inverse function: if you
know (x mod p, x mod q), you can reconstruct x.
For ease of notation, we will deﬁne (a, b) := (x mod p, x mod q).
First, we show that reconstruction is possible, then we’ll give an algorithm
to compute the original x. To be able to compute x given (a, b), we must be sure
there is not a second number x in Zn such that x mod p = a and x mod q = b.
If this were the case, both x and x would result in the same (a, b) pair, and no
algorithm could ﬁgure out which of these two numbers was the original input.
Let d := x − x , the difference between the numbers that lead to the same (a, b)
pair. We have (d mod p) = (x − x ) mod p = (x mod p) − (x mod p) = a − a =
0; thus, d is a multiple of p. For much the same reason, d is a multiple of q.
This implies that d is a multiple of lcm(p, q), because lcm is, after all, the least
common multiple. As p and q are different primes, lcm(p, q) = pq = n, and thus
x − x is a multiple of n. But both x and x are in the range 0, . . . , n − 1, so x − x
must be a multiple of n in the range −n + 1, . . . , n − 1. The only valid solution
is x − x = 0, or x = x . This proves that for any given pair (a, b), there is at most
one solution for x. All we have to do now is ﬁnd that solution.
12.2.1 Garner’s Formula
The most practical way of computing the solution is Garner’s formula.
x = (((a − b)(q−1 mod p)) mod p) · q + b
Here the (q−1 mod p) term is a constant that depends only on p and q. Remember
that we can divide modulo p, and therefore we can compute (1/q mod p), which
is just a different way of writing (q−1 mod p).
We don’t need to understand Garner’s formula. All we need to do is prove
that the result x is correct.
First of all, we show that x is in the right range 0, . . . , n − 1. Obviously
x ≥ 0. The part t := (((a − b)(q−1 mod p)) mod p) must be in the range
0, . . . , p − 1 because it is a modulo p result. If t ≤ p − 1, then tq ≤ (p − 1)q and
x = tq + b ≤ (p − 1)q + (q − 1) = pq − 1 = n − 1. This shows that x is in the range
0, . . . , n − 1.
The result should also be correct modulo both p and q.
x mod q = ((((a − b)(q−1 mod p)) mod p) · q + b) mod q
= (K · q + b) mod q
for some K
= b mod q
The whole thing in front of the multiplication by q is some integer K, but any
multiple of q is irrelevant when computing modulo q. Modulo p is a bit more
x mod p = ((((a − b)(q−1 mod p)) mod p) · q + b) mod p
= (((a − b)q−1 ) · q + b) mod p
= ((a − b)(q−1 q) + b) mod p
= ((a − b) + b) mod p
= a mod p
In the ﬁrst line, we simply expand (x mod p). In the next line, we eliminate
a couple of redundant mod p operators. We then change the order of the
multiplications, which does not change the result. (You might remember from
school that multiplication is associative, so (ab)c = a(bc).) The next step is to
observe that q−1 q = 1 (mod p), so we can remove this term altogether. The rest
This derivation is a bit more complicated than the ones we have seen so far,
especially as we use more of the algebraic properties. Don’t worry if you can’t
We can conclude that Garner’s formula gives a result x that is in the right
range and for which (a, b) = (x mod p, x mod q). As we already know that
there can only be one such solution, Garner’s formula solves the CRT problem
In real systems, you typically precompute the value q−1 mod p, so Garner’s
formula requires one subtraction modulo p, one multiplication modulo p, one
full multiplication, and an addition.
The CRT also works when n is the product of multiple primes that are all
different.1 Garner’s formula can be generalized to these situations, but we
won’t need that in this book.
are versions that work when n is divisible by the square or higher power of some primes,
but those are even more complicated.