Texas Instruments signing key controversy

Last updated
A TI-83+ graphing calculator displaying a sine wave Ti83plus.jpg
A TI-83+ graphing calculator displaying a sine wave

The Texas Instruments signing key controversy resulted from Texas Instruments' (TI) response to a project to factorize the 512-bit RSA cryptographic keys needed to write custom firmware to TI devices.

Contents

Project

In July 2009, Benjamin Moody, a United-TI forum user, published the factors of a 512-bit RSA key used to sign the TI-83+ series graphing calculator. The discovery of the private key would allow end users to flash their own operating systems onto the device without having to use any special software. Moody used two free implementations of the general number field sieve, msieve and ggnfs; the computation took 73 days on a 1.9 GHz dual-core processor. This demonstrates the progress of hardware development: the factorization of the similar 512-bit RSA-155 in 1999 using the same algorithm required a large dedicated research group, 8000 MIPS-years of computing time, and a Cray C916 supercomputer. [1]

In response, members of the wider TI graphing calculators community (at yAronet) set up a BOINC-based distributed computing project, RSA Lattice Siever (RSALS for short), that quickly factored the other keys. [2] RSA Lattice Siever remained active for nearly three years after outliving its initial purpose, by factoring other integers for the mathematical community. After factoring over 400 integers, [3] RSALS moved to RSALS-inspired NFS@home [4] at the end of August 2012.

Texas Instruments began by sending out two initial Digital Millennium Copyright Act (DMCA) take-down requests to the hackers, referring to sites or forum posts that they controlled. [5] [6] The hackers responded by removing the keys, without consulting an attorney. [7] TI then sent further DMCA notices to a variety [8] of websites displaying the keys, including United-TI, Reddit, and Wikipedia. [9] Texas Instruments' efforts then became subject to the Streisand effect, [10] and the keys were mirrored on a number of sites, including WikiLeaks. [11] In September 2009, Dan Goodin from The Register alerted the Electronic Frontier Foundation (EFF) to TI's actions, and the EFF agreed to take on the case pro bono , representing three people who had received DMCA notices.

On October 13, 2009, the EFF sent a letter to TI warning them that the posting of the keys did not violate the DMCA, and that it might be liable for misrepresentation. [12] Despite the letter by the EFF, TI continued to send DMCA notices to websites that posted the keys, but stopped doing so after late 2009. The EFF filed a DMCA Section 512 counter-notice on behalf of three of the bloggers who received DMCA notices. When the EFF did not receive a response by the deadline, the bloggers reposted the content that had been taken down. [13]

Cryptographic keys

The public RSA parameters of the original TI-83+ / TI-83+ Silver Edition OS signing key factored by Benjamin Moody are the following 512-bit modulus n and public (or encryption) exponent e (specified in hexadecimal): [14] 

n = 82EF4009ED7CAC2A5EE12B5F8E8AD9A0AB9CC9F4F3E44B7E8BF2D57A2F2BEACE83424E1CFF0D2A5A7E2E53CB926D61F347DFAA4B35B205B5881CEB40B328E58F e = 11

By factoring n, Moody obtained the factors p (252 bits) and q (260 bits), which can be used in turn to quickly compute the 512-bit private (or decryption) :

p = B709D3A0CD2FEC08EAFCCF540D8A100BB38E5E091D646ADB7B14D021096FFCD q = B7207BD184E0B5A0B89832AA68849B29EDFB03FBA2E8917B176504F08A96246CB d = 4D0534BA8BB2BFA0740BFB6562E843C7EC7A58AE351CE11D43438CA239DD99276CD125FEBAEE5D2696579FA3A3958FF4FC54C685EAA91723BC8888F292947BA1

The value d can then be used to sign arbitrary OS software.

The keys factored by RSA Lattice Siever (the TI-92+, TI-73, TI-89, Voyage 200, TI-89 Titanium, TI-84+ / TI-84 Silver Edition OS signing and date-stamp signing keys) are similar but with different values of n, p, q, and d. A single date-stamp signing key is shared by all models.

See also

Related Research Articles

In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm.

In number theory, integer factorization is the decomposition of a composite number into a product of smaller integers. If these factors are further restricted to prime numbers, the process is called prime factorization.

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest. The acronym "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ) by the English mathematician Clifford Cocks. That system was declassified in 1997.

In number theory, the general number field sieve (GNFS) is the most efficient classical algorithm known for factoring integers larger than 10100. Heuristically, its complexity for factoring an integer n (consisting of ⌊log2n⌋ + 1 bits) is of the form

<span class="mw-page-title-main">Daniel J. Bernstein</span> American mathematician, cryptologist and programmer

Daniel Julius Bernstein is an American German mathematician, cryptologist, and computer scientist. He is a visiting professor at CASA at Ruhr University Bochum, as well as a research professor of Computer Science at the University of Illinois at Chicago. Before this, he was a professor in the department of mathematics and computer science at the Eindhoven University of Technology.

<span class="mw-page-title-main">Trapdoor function</span> Cryptographic tool that is easy to compute in one direction and difficult in the other

In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction without special information, called the "trapdoor". Trapdoor functions are a special case of one-way functions and are widely used in public-key cryptography.

<span class="mw-page-title-main">TI-83 series</span> Series of graphing calculators produced by Texas Instruments

The TI-83 series is a series of graphing calculators manufactured by Texas Instruments.

The RSA Factoring Challenge was a challenge put forward by RSA Laboratories on March 18, 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers and cracking RSA keys used in cryptography. They published a list of semiprimes known as the RSA numbers, with a cash prize for the successful factorization of some of them. The smallest of them, a 100-decimal digit number called RSA-100 was factored by April 1, 1991. Many of the bigger numbers have still not been factored and are expected to remain unfactored for quite some time, however advances in quantum computers make this prediction uncertain due to Shor's algorithm.

In mathematics, the RSA numbers are a set of large semiprimes that were part of the RSA Factoring Challenge. The challenge was to find the prime factors of each number. It was created by RSA Laboratories in March 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers. The challenge was ended in 2007.

"The Magic Words are Squeamish Ossifrage" was the solution to a challenge ciphertext posed by the inventors of the RSA cipher in 1977. The problem appeared in Martin Gardner's Mathematical Games column in the August 1977 issue of Scientific American. It was solved in 1993–94 by a large, joint computer project co-ordinated by Derek Atkins, Michael Graff, Arjen Lenstra and Paul Leyland. More than 600 volunteers contributed CPU time from about 1,600 machines over six months. The coordination was done via the Internet and was one of the first such projects.

The quadratic sieve algorithm (QS) is an integer factorization algorithm and, in practice, the second fastest method known. It is still the fastest for integers under 100 decimal digits or so, and is considerably simpler than the number field sieve. It is a general-purpose factorization algorithm, meaning that its running time depends solely on the size of the integer to be factored, and not on special structure or properties. It was invented by Carl Pomerance in 1981 as an improvement to Schroeppel's linear sieve.

<span class="mw-page-title-main">TI-84 Plus series</span> Series of graphing calculators produced by Texas Instruments

The TI-84 Plus is a graphing calculator made by Texas Instruments which was released in early 2004. There is no original TI-84, only the TI-84 Plus, the TI-84 Plus Silver Edition models, and the TI-84 Plus CE. The TI-84 Plus is an enhanced version of the TI-83 Plus. The key-by-key correspondence is relatively the same, but the TI-84 features improved hardware. The archive (ROM) is about 3 times as large, and the CPU is about 2.5 times as fast. A USB port and built-in clock functionality were also added. The USB port on the TI-84 Plus series is USB On-The-Go compliant, similar to the next generation TI-Nspire calculator, which supports connecting to USB based data collection devices and probes, and supports device to device transfers over USB rather than over the serial link port.

<span class="mw-page-title-main">TI-73 series</span> Series of graphing calculators produced by Texas Instruments

The TI 73 series is a series of graphing calculators made by Texas Instruments, all of which have identical hardware.

In cryptography and number theory, TWIRL is a hypothetical hardware device designed to speed up the sieving step of the general number field sieve integer factorization algorithm. During the sieving step, the algorithm searches for numbers with a certain mathematical relationship. In distributed factoring projects, this is the step that is parallelized to a large number of processors.

TWINKLE is a hypothetical integer factorization device described in 1999 by Adi Shamir and purported to be capable of factoring 512-bit integers. It is also a pun on the twinkling LEDs used in the device. Shamir estimated that the cost of TWINKLE could be as low as $5000 per unit with bulk production. TWINKLE has a successor named TWIRL which is more efficient.

In cryptography, the RSA problem summarizes the task of performing an RSA private-key operation given only the public key. The RSA algorithm raises a message to an exponent, modulo a composite number N whose factors are not known. Thus, the task can be neatly described as finding the eth roots of an arbitrary number, modulo N. For large RSA key sizes, no efficient method for solving this problem is known; if an efficient method is ever developed, it would threaten the current or eventual security of RSA-based cryptosystems—both for public-key encryption and digital signatures.

In mathematics, a strong prime is a prime number with certain special properties. The definitions of strong primes are different in cryptography and number theory.

Integer factorization is the process of determining which prime numbers divide a given positive integer. Doing this quickly has applications in cryptography. The difficulty depends on both the size and form of the number and its prime factors; it is currently very difficult to factorize large semiprimes.

<span class="mw-page-title-main">Peter Montgomery (mathematician)</span> American mathematician (1947–2020)

Peter Lawrence Montgomery was an American mathematician who worked at the System Development Corporation and Microsoft Research. He is best known for his contributions to computational number theory and mathematical aspects of cryptography, including the Montgomery multiplication method for arithmetic in finite fields, the use of Montgomery curves in applications of elliptic curves to integer factorization and other problems, and the Montgomery ladder, which is used to protect against side-channel attacks in elliptic curve cryptography.

In post-quantum cryptography, ring learning with errors (RLWE) is a computational problem which serves as the foundation of new cryptographic algorithms, such as NewHope, designed to protect against cryptanalysis by quantum computers and also to provide the basis for homomorphic encryption. Public-key cryptography relies on construction of mathematical problems that are believed to be hard to solve if no further information is available, but are easy to solve if some information used in the problem construction is known. Some problems of this sort that are currently used in cryptography are at risk of attack if sufficiently large quantum computers can ever be built, so resistant problems are sought. Homomorphic encryption is a form of encryption that allows computation on ciphertext, such as arithmetic on numeric values stored in an encrypted database.

References

  1. Herman te Riele (1999-08-26), New factorization record Archived 2021-06-24 at the Wayback Machine (announcement of factorization of RSA-155). Retrieved on 2008-03-10.
  2. "All TI Signing Keys Factored — ticalc.org". www.ticalc.org. Retrieved 2009-09-21.
  3. "NumbersRSALS Does not run anymore - Homepage - NFS@Home". October 14, 2012. Archived from the original on 2012-10-14.
  4. "mersenneforum.org - View Single Post - BOINC NFS sieving - RSALS". www.mersenneforum.org.
  5. "brandonw.net". brandonw.net. Retrieved 2010-05-24.
  6. "Signing Keys and the DMCA — ticalc.org". www.ticalc.org. Retrieved 2009-09-21.
  7. "Texas Instruments aims lawyers at calculator hackers". The Register. 2009-09-23. Retrieved 2011-01-01.
  8. "UPDATE: Hey, TI, Leave Those Kids Alone | Electronic Frontier Foundation". Eff.org. 2009-09-25. Retrieved 2010-05-24.
  9. "DMCA Texas Instruments". 2009-09-25. Archived from the original on November 25, 2011. Retrieved 2014-02-03.
  10. "Schneier on Security: Texas Instruments Signing Keys Broken". www.schneier.com. Retrieved 2009-10-06.
  11. Suppressed Texas Instruments cryptographic signing keys, 28 Aug 2009at WikiLeaks. on 10 April 2012.
  12. "EFF Warns Texas Instruments to Stop Harassing Calculator Hobbyists". EFF official press release. 13 October 2009. Retrieved 2009-10-25.
  13. Granick, Jennifer (October 29, 2009). "Hey, Texas Instruments -- Stop Digging Holes". EFF Deeplinks Blog. Retrieved 2009-10-29.
  14. "File". WikiLeaks. Archived from the original on 2012-03-14. Retrieved 2012-04-10.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.