To Break or not to Break?

advertisement
CSC 540 RESEARCH ASSIGNMENT
To Break or not to Break?
A review of the security of RSA encryption.
John Imboden
4/28/2012
John Imboden
CSC 540
RSA Encryption: To Break or not to Break
RSA encryption is a form of public key encryption used in our everyday lives developed by three
men named Rivest, Shamir, and Adleman. It's uses include online transactions as well as corporate data
security. "The RSA encryption method often is used to hide your credit card number from would-be
thieves on the Internet, because it uses a public key to hide your information and a private key to reveal
it."[1] This is a great convenience since it means anyone possessing the public key may encrypt the data
(IE average online shoppers) but only the person with the private key may decrypt stored data(IE the
shop owner).
The security provided by RSA encryption is based on the idea that it is very simple to multiply
two numbers together but it is much more difficult to factor a single large number.[2] According to a
paper released by Divesh Aggarwal and Ueli Maurer from Switzerland, Breaking RSA encryption
generically is equivalent to factoring.[6] In order for a computer to factor a number it basically does it by
trying most of the possible combinations of factors to produce the desired result. This renders RSA
encryption using small numbers worthless because a computer can brute force factor it relatively
quickly. The time it would take to brute force factor a number is described as the order of the size of the
square root of the number to be factored.[2] This means that a number that is 10 digits in length may be
factored with at most 105(100,000) cycles. On most home use machines right now (year 2012) this can
be done in less than a matter of minutes. So the way to combat this is to just use larger and larger
numbers. If the number being factored has 50 digits in it then the brute force factoring would take
roughly 1025 cycles before coming across the correct pair. "A secure RSA implementation requires rather
large numbers. Most secure protocol standards recommend key sizes of 1,024-bit numbers, which 32-bit
processors, such as the Pentium III or PowerPC, cannot handle natively."[1]
2
John Imboden
CSC 540
RSA Encryption: To Break or not to Break
The current key size for RSA encryption is 1024 bits. Just how large is 1024 bits? The decimal
form maximum of a 1024 bit key is
16152174667064029642647365822885998430666314431815268152405470907824573659036629
72483772980826569393306732864932303362619914669385966910731129686267107921489042
39628873374506302653492009810626437582587089465395941375496004739918498276676334
238241465498030036586063929902368192004233172032080188726965600617167
That is 309 digits.[7] Using the method described earlier to approximate the time required to brute force
factor this key, it would take approximately 10154 cycles in order to brute force factor a number that is
1024 bits. So assuming that a computer is capable of performing one million cycles per second it would
take 10149 seconds or 3.16142 Years to come up with a solution. This proves without a doubt that a
standard approach to brute-force factoring is an infeasible solution to breaking RSA encryption with a
1024 bit key.
At the moment RSA seems to be extremely secure, but what happens if a new method of
factoring is used? The standard method is to set up a basic desktop machine to perform the
mathematics needed to factor out the appropriate key. The main limitation of this is the fact that the
number of computational cores are limited to however many are in the CPU of the machine in question.
In late 2001 a paper released by Daniel J. Bernstein, a mathematics professor at University of Illinois,
suggested building a machine specifically for factoring using many computational cores much like a
graphics card. The idea was to pipeline the information in such a way that the time required for a
complete factorization would be significantly reduced.[4] Due to this paper being released Robert D
Silverman of RSA Laboratories said
3
John Imboden
CSC 540
RSA Encryption: To Break or not to Break
"While Bernstein's paper suggests some very clever methods for reducing the amount of
memory required to break very large RSA keys, his methods are all implementation techniques
for the Number Field Sieve, currently the best method for factoring large numbers. The basic
number of operations required by the Number Field Sieve, however, is not reduced. Since
previous security estimates for 1024-bit RSA keys are based on the number of operations
required by the Number Field Sieve, they still apply."[5]
and
" Bernstein himself is quoted as saying "This is a theoretical advance. I have no idea and
…nobody else has any idea how practical it might be."[5]
When reading through the various papers cited on rsa.com in Silverman's post as papers
containing information that could lead to the ability to break 1024 bit RSA encryption, ALL of them were
dead links with the exception of Bernstein's original paper, and Bernstein's paper merely went over
general theory behind a cost effective method of factorization.
Arguments for RSA encryption state that attacks that aim not at RSA itself but at a given
insecure implementation of RSA do not count as "breaking RSA" because it is not any weakness in the
RSA algorithm that is exploited, but rather a weakness in a specific implementation.[3] How do you store
a key that is 300+ digits long? It is going to have to be written down somewhere and this becomes a
liability, weakening the security. What is the point of implementing a security algorithm if it is a poor
implementation? The flaw lies in the system itself. RSA is versatile in the sense that it may be used with
many different keys of larger and larger sizes, but what happens when a newer faster machine comes to
the market? All of the old implementations of the RSA algorithm must then be updated with even larger
keys to prevent security risks and the program itself must be updated in order to allow for larger keys to
4
John Imboden
CSC 540
RSA Encryption: To Break or not to Break
be accepted in the first place as seen by the need to use custom large integer constructs just to hold the
key. The need for such a large key may in itself be a security risk of a different nature since it may not be
stored securely.
Conclusion: As it stands RSA encryption is quite reliable as a method for securing stored data.
My fear is that RSA encryption is becoming less effective as technology progresses, and if a more
efficient factorization method is discovered then the need for a more secure encryption type will
become necessary. Despite the assurance of Robert Silverman, I feel that there may well be a method of
breaking RSA encryption that has already been discovered. Otherwise, why would all of the links
referenced as compromising RSA encryption in Silverman's report just have disappeared? If there is no
reason to hide something, then why hide it?
5
John Imboden
CSC 540
RSA Encryption: To Break or not to Break
References:
1) http://www.linuxjournal.com/article/6826
2) http://mathcircle.berkeley.edu/BMC3/rsa/node4.html
3) http://x5.net/faqs/crypto/q10.html
4) http://cr.yp.to/papers/nfscircuit.pdf
5) http://www.rsa.com/rsalabs/node.asp?id=2007#1
6) ftp://ftp.inf.ethz.ch/pub/crypto/publications/AggMau09.pdf
7) http://www.jensign.com/JavaScience/dotnet/CSPPrimes/index.html
Fun Fact: Excluding the title page, headers and references page this paper is 1024 words long.
6
Download