NEMEC, Matúš, Marek SÝS, Petr ŠVENDA, Dušan KLINEC and Václav MATYÁŠ. The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli. Online. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM, 2017, p. 1631-1648. ISBN 978-1-4503-4946-8. Available from: https://dx.doi.org/10.1145/3133956.3133969.
Other formats:   BibTeX LaTeX RIS
Basic information
Original name The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli
Authors NEMEC, Matúš (703 Slovakia, belonging to the institution), Marek SÝS (703 Slovakia, belonging to the institution), Petr ŠVENDA (203 Czech Republic, belonging to the institution), Dušan KLINEC (703 Slovakia, belonging to the institution) and Václav MATYÁŠ (203 Czech Republic, belonging to the institution).
Edition New York, NY, USA, Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, p. 1631-1648, 18 pp. 2017.
Publisher ACM
Other information
Original language English
Type of outcome Proceedings paper
Field of Study 10201 Computer sciences, information science, bioinformatics
Country of publisher United States of America
Confidentiality degree is not subject to a state or trade secret
Publication form electronic version available online
WWW The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
RIV identification code RIV/00216224:14330/17:00095054
Organization unit Faculty of Informatics
ISBN 978-1-4503-4946-8
ISSN 1543-7221
Doi http://dx.doi.org/10.1145/3133956.3133969
UT WoS 000440307700102
Keywords in English RSA; factorization; smartcard; Coppersmith's algorithm
Tags best1, core_A, firank_1
Tags International impact, Reviewed
Changed by Changed by: RNDr. Pavel Šmerk, Ph.D., učo 3880. Changed: 14/5/2020 15:10.
Abstract
We report on our discovery of an algorithmic flaw in the construction of primes for RSA key generation in a widely-used library of a major manufacturer of cryptographic hardware. The primes generated by the library suffer from a significant loss of entropy. We propose a practical factorization method for various key lengths including 1024 and 2048 bits. Our method requires no additional information except for the value of the public modulus and does not depend on a weak or a faulty random number generator. We devised an extension of Coppersmith's factorization attack utilizing an alternative form of the primes in question. The library in question is found in NIST FIPS 140-2 and CC EAL 5+ certified devices used for a wide range of real-world applications, including identity cards, passports, Trusted Platform Modules, PGP and tokens for authentication or software signing. As the relevant library code was introduced in 2012 at the latest (and probably earlier), the impacted devices are now widespread. Tens of thousands of such keys were directly identified, many with significant impacts, especially for electronic identity documents, software signing, Trusted Computing and PGP. We estimate the number of affected devices to be in the order of at least tens of millions. The worst cases for the factorization of 1024 and 2048-bit keys are less than 3 CPU-months and 100 CPU-years on single core of common recent CPUs, respectively, while the expected time is half of that of the worst case. The attack can be parallelized on multiple CPUs. Worse still, all susceptible keys contain a strong fingerprint that is verifiable in microseconds on an ordinary laptop -- meaning that all vulnerable keys can be quickly identified, even in very large datasets.
Links
GA16-08565S, research and development projectName: Rozvoj kryptoanalytických metod prostřednictvím evolučních výpočtů
Investor: Czech Science Foundation
MUNI/A/0992/2016, interní kód MUName: Zapojení studentů Fakulty informatiky do mezinárodní vědecké komunity (Acronym: SKOMU)
Investor: Masaryk University, Category A
PrintDisplayed: 28/5/2024 06:27