Coppersmith's attack

Last updated

Coppersmith's attack describes a class of cryptographic attacks on the public-key cryptosystem RSA based on the Coppersmith method. Particular applications of the Coppersmith method for attacking RSA include cases when the public exponent e is small or when partial knowledge of a prime factor of the secret key is available.

Contents

RSA basics

The public key in the RSA system is a tuple of integers , where N is the product of two primes p and q. The secret key is given by an integer d satisfying ; equivalently, the secret key may be given by and if the Chinese remainder theorem is used to improve the speed of decryption, see CRT-RSA. Encryption of a message M produces the ciphertext , which can be decrypted using by computing .

Low public exponent attack

In order to reduce encryption or signature verification time, it is useful to use a small public exponent (). [1] In practice, common choices for are 3, 17 and 65537 . These values for e are Fermat primes, sometimes referred to as and respectively . They are chosen because they make the modular exponentiation operation faster. Also, having chosen such , it is simpler to test whether and while generating and testing the primes in step 1 of the key generation. Values of or that fail this test can be rejected there and then. (Even better: if e is prime and greater than 2, then the test can replace the more expensive test .)

If the public exponent is small and the plaintext is very short, then the RSA function may be easy to invert, which makes certain attacks possible. Padding schemes ensure that messages have full lengths, but additionally choosing the public exponent is recommended. When this value is used, signature verification requires 17 multiplications, as opposed to about 25 when a random of similar size is used. Unlike low private exponent (see Wiener's attack), attacks that apply when a small is used are far from a total break, which would recover the secret key d. The most powerful attacks on low public exponent RSA are based on the following theorem, which is due to Don Coppersmith.

Håstad's broadcast attack

The simplest form of Håstad's attack is presented to ease understanding. [2] The general case uses the Coppersmith method.

Suppose one sender sends the same message in encrypted form to a number of people , each using the same small public exponent , say , and different moduli . A simple argument shows that as soon as ciphertexts are known, the message is no longer secure: Suppose Eve intercepts , and , where . We may assume for all (otherwise, it is possible to compute a factor of one of the numbers by computing .) By the Chinese remainder theorem, she may compute such that . Then ; however, since for all , we have . Thus holds over the integers, and Eve can compute the cube root of to obtain .

For larger values of , more ciphertexts are needed, particularly, ciphertexts are sufficient.

Generalizations

Håstad also showed that applying a linear padding to prior to encryption does not protect against this attack. Assume the attacker learns that for and some linear function , i.e., Bob applies a pad to the message prior to encrypting it so that the recipients receive slightly different messages. For instance, if is bits long, Bob might encrypt and send this to the -th recipient.

If a large enough group of people is involved, the attacker can recover the plaintext from all the ciphertext with similar methods. In more generality, Håstad proved that a system of univariate equations modulo relatively prime composites, such as applying any fixed polynomial , could be solved if sufficiently many equations are provided. This attack suggests that randomized padding should be used in RSA encryption.

Franklin and Reiter identified an attack against RSA when multiple related messages are encrypted: If two messages differ only by a known fixed difference between the two messages and are RSA-encrypted under the same RSA modulus , then it is possible to recover both of them. The attack was originally described with public exponent , but it works more generally (with increasing cost as grows).

Let be Alice's public key. Suppose are two distinct messages satisfying for some publicly known polynomial . To send and to Alice, Bob may naively encrypt the messages and transmit the resulting ciphertexts . Eve can easily recover , given , by using the following theorem:

Coppersmith’s short-pad attack

Like Håstad’s and Franklin–Reiter’s attacks, this attack exploits a weakness of RSA with public exponent . Coppersmith showed that if randomized padding suggested by Håstad is used improperly, then RSA encryption is not secure.

Suppose Bob sends a message to Alice using a small random padding before encrypting it. An attacker, Eve, intercepts the ciphertext and prevents it from reaching its destination. Bob decides to resend to Alice because Alice did not respond to his message. He randomly pads again and transmits the resulting ciphertext. Eve now has two ciphertexts corresponding to two encryptions of the same message using two different random pads.

Even though Eve does not know the random pad being used, she still can recover the message by using the following theorem, if the random padding is too short.

See also

Related Research Articles

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission. The initialism "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ), the British signals intelligence agency, by the English mathematician Clifford Cocks. That system was declassified in 1997.

In number theory, Fermat's little theorem states that if p is a prime number, then for any integer a, the number apa is an integer multiple of p. In the notation of modular arithmetic, this is expressed as

Malleability is a property of some cryptographic algorithms. An encryption algorithm is "malleable" if it is possible to transform a ciphertext into another ciphertext which decrypts to a related plaintext. That is, given an encryption of a plaintext , it is possible to generate another ciphertext which decrypts to , for a known function , without necessarily knowing or learning .

In analytic number theory and related branches of mathematics, a complex-valued arithmetic function is a Dirichlet character of modulus if for all integers and :

  1. that is, is completely multiplicative.
  2. ; that is, is periodic with period .
<span class="mw-page-title-main">Trapdoor function</span> One-way cryptographic tool

In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction without special information, called the "trapdoor". Trapdoor functions are a special case of one-way functions and are widely used in public-key cryptography.

<span class="mw-page-title-main">Blind signature</span> Form of digital signature

In cryptography a blind signature, as introduced by David Chaum, is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.

The Rabin cryptosystem is a family of public-key encryption schemes based on a trapdoor function whose security, like that of RSA, is related to the difficulty of integer factorization.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

The NTRUEncrypt public key cryptosystem, also known as the NTRU encryption algorithm, is an NTRU lattice-based alternative to RSA and elliptic curve cryptography (ECC) and is based on the shortest vector problem in a lattice.

The quadratic sieve algorithm (QS) is an integer factorization algorithm and, in practice, the second-fastest method known. It is still the fastest for integers under 100 decimal digits or so, and is considerably simpler than the number field sieve. It is a general-purpose factorization algorithm, meaning that its running time depends solely on the size of the integer to be factored, and not on special structure or properties. It was invented by Carl Pomerance in 1981 as an improvement to Schroeppel's linear sieve.

<span class="mw-page-title-main">Carmichael function</span> Function in mathematical number theory

In number theory, a branch of mathematics, the Carmichael functionλ(n) of a positive integer n is the smallest member of the set of positive integers m having the property that

The Goldwasser–Micali (GM) cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of semantic security.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

In cryptography, the Rabin signature algorithm is a method of digital signature originally proposed by Michael O. Rabin in 1978.

The Benaloh Cryptosystem is an extension of the Goldwasser-Micali cryptosystem (GM) created in 1985 by Josh (Cohen) Benaloh. The main improvement of the Benaloh Cryptosystem over GM is that longer blocks of data can be encrypted at once, whereas in GM each bit is encrypted individually.

In cryptographic protocols, a key encapsulation mechanism (KEM) or key encapsulation method is used to secure symmetric key material for transmission using asymmetric (public-key) algorithms. It is commonly used in hybrid cryptosystems. In practice, public key systems are clumsy to use in transmitting long messages. Instead they are often used to exchange symmetric keys, which are relatively short. The symmetric key is then used to encrypt the longer message. The traditional approach to sending a symmetric key with public key systems is to first generate a random symmetric key and then encrypt it using the chosen public key algorithm. The recipient then decrypts the public key message to recover the symmetric key. As the symmetric key is generally short, padding is required for full security and proofs of security for padding schemes are often less than complete. KEMs simplify the process by generating a random element in the finite group underlying the public key system and deriving the symmetric key by hashing that element, eliminating the need for padding.

CEILIDH is a public key cryptosystem based on the discrete logarithm problem in algebraic torus. This idea was first introduced by Alice Silverberg and Karl Rubin in 2003; Silverberg named CEILIDH after her cat. The main advantage of the system is the reduced size of the keys for the same security over basic schemes.

Cocks IBE scheme is an identity based encryption system proposed by Clifford Cocks in 2001. The security of the scheme is based on the hardness of the quadratic residuosity problem.

The Schmidt-Samoa cryptosystem is an asymmetric cryptographic technique, whose security, like Rabin depends on the difficulty of integer factorization. Unlike Rabin this algorithm does not produce an ambiguity in the decryption at a cost of encryption speed.

The Wiener's attack, named after cryptologist Michael J. Wiener, is a type of cryptographic attack against RSA. The attack uses the continued fraction method to expose the private key d when d is small.

References

  1. Boneh, Dan (1999). "Twenty years of attacks on the RSA cryptosystem". Notices of the American Mathematical Society. 46 (2): 203–213.
  2. Glenn Durfee, Cryptanalysis of RSA Using Algebraic and Lattice Methods.