Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

Transcription

1 2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS Research Center, Institute of Information Engineering, Chinese Academy of Sciences, University of Chinese Academy of Sciences, Beijing , China *Corresponding author KeyWords: Hidden number problem, Lattice approximate nearest vector algorithm, Schnorr signature algorithm. Abstract. In this paper, we study the HNP problem only with constant Oracle queries, and transform the problem into solving the singular variable modular inequality (tx-u) modn <δ, basing on lattice techniques given the bound X of the hidden number x. Using these Oracle queries, we can successfully recover the secret with a sufficient large probability. Furthermore, as an application, we analyze the security of Schnorr signature scheme in the Random Oracle model, and give the effective reduction from security of the scheme to bits predictability of its nonce. Introduction Boneh and Venkatesan proposed the Hidden Number Problem (HNP) method, in the study of the private key bit security of the Diffie-Hellman key exchange protocol in 1996, also known as the hidden number method [1, 2]. By combining the lattice reduction algorithm [3,4,5], the approximate nearest vector algorithm [6] and the exponential sum estimation, we can recover the hidden number in the probability polynomial time. This is essentially a process of finding an integer solution x[7] that satisfies the inequality of the form (t i x-u i ) modp<. The hidden number method can be used to study the equivalence between the security of partial bits of the private key in the cryptosystem and the security of the key itself [8]. [9] has used the HNP method to study the secutiy of DSA signature system[10] with partial bits leakage of temporary random number k (Nonce). 1999, [11] pointed the relation between solving HNP and an attack of a flawed DSA implementation software. At present the best result is: given a certain number of message signatures, the nonce of DSA signature leaks 1 bit, we can use 2 24 signatures to give an attack [12]. On the other hand, [9] indicated that at least three leaked bits of nonce is required to make the attack effective. There are multiple Oracle queries for HNP method. If we can reduce the number of Oracle queries, it will save the consumption of external resources of the application of the method, and improve the probability of success. However, there is no progress in this direction. [7] proposed the One-Time HNP method under a given bound X of the secret, reducing the number of Oracle queries to 1. The experimental simulation of the ElGamal signature scheme [13] shows that the method can directly use the range of hidden information [14], we can restore the user's private key within a few seconds. However, when is close to O(q), if we make the attack effective, X will be small, the problem will be trivial at this time. In addition, there are some technical defects in the paper. We extend the idea of [7], and study the situation of Oracle has constant number d queries, named as d-times HNP. And we give the constraint relation between X and δ and its effect on success probability and efficiency. Generally, the bigger value of the d, the higher the probability that we get x is higher. d =1, i.e., Rosa's OT-HNP method. As an application, this paper analyzes the security of the Schnorr signature in the Random Oracle model, and realize the reduction from its security to partial bit predictability of the nonce k. Organization of the Paper This paper is organized as follows. In Section 3, we introduce some basic concepts and notations. In 156

2 Section 4, we present the concept of (d-times) HNP for constant Oracle queries, and gives a concrete solution algorithm. Section 5 is the analysis of Rosa's OT-HNP method improvement. In Section 6 we propose an application, and give the security analysis about Schnorr signature scheme [15]. Finally, we make some summary in Section 7. Preliminaries For an integer x, the least significant (lower) bits of x are denoted by LSB k (x), and the k most significant bits of x are denoted by MSB k ( ). Define MSB k ( ) as a positive integer z, satisfying x-z <p/2 k+1. For example, x>p/2, MSB 1 (x) = 1. x<p/2, MSB 1 (x)=0. It approximates the actual most significant bits of a positive integer, with only a few bits in the low bits there is a certain error. By x-z <p/2 k+1, we have 0 (x-z)modp<p/2 k+1, where (x-z)modp is treated as a positive integer in [0, p-1]. LSB can be converted to MSB [16]. Notation: X=q/2 l, δ=q/2 k, d=o(1) 1 is a constant. Set G=1/2+(d+1) 1/2 2 (d-3)/4. xmodn are treated as a positive integer in [0, N-1]. Define. q as q = min b Z z-bq, z Q. Definition 1. Given n linearly independent vectors,,, R m, we define the lattice L(,,, ) { Z}. Here,,,, is the basis of the lattice. Definition 2. Given t, u Z, N N, Q, X Q, we define a five-tuple (t, u, δ, N, X) to satisfy: there exists x that makes the modular inequality (tx-u)modn< holds, where 0<x<X<N. Definition 3. (Hidden Number Problem, HNP) Suppose there is a hidden number (information) Z, where p is a large prime number. Choose some intergers t i uniformly and independently at random from Z * p. Using an Oracle that have sufficient predictive ability to give k-1 most siginificant bits MSB k-1 ( t i (modp)) of t i (modp), that is, 0 (αt i -z)modp<p/2 k holds, where 1, the hidden number problem is to find. Definition 4. For an integer x that needs to be secret, and 0<x<X, X Q is known. Given q N, it is assumed that there is an Oracle O x (t), which can compute u for the input integer t and make (tx-u)modq<δ holds, where (tx-u)modq is an integer on [0, q-1]. Then we get a five-tuple (t, u, δ, q, X) instance corresponding to the modular inequality under Oracle Ox( ). Given d instances about x, described by (t i, u i, δ, q, X), where i=1, 2,, d, to solve x. We call the problem hidden number problem given bound of secret, named d-times HNP. Proposition 1. (Babai) Let L be a d-dimensional lattice. Given a vector v R, we can find a lattice point in the polynomial time such that 2 min. d-times Hidden Number Problem Given Bound of Secret Assume that the given Orace is Oracle O x (t), which can compute u such that (tx-u)modq< holds, where (tx-u)modq is an integer on [0, q-1]. When we ask Oracle for d times, then, we will have d modular inequalities (t i x-u i )modq<. To obtain x, consider a lattice L(q, δ/x, t 1, t 2,, t d ), which is spanned by the row vector of the following matrix, q q 0. (1) 0 0 q 0 t 1 t d / Lemma 1. Given d modular inequalities (t i x-u i )modq<, i=1, 2,,d, q is a large prime number. Let t i, u i, l, k Z, Q satisfy l>0, O(1)<k<logq, 0<l<logq, and t i is uniformly distributed on [1, q). 0<x X= q/2 l, 1 δ= q/2 k, and l+kd logq+(d+1)log2g+1. Then with a probability P 1-(2G) d+1 q/2 l + kd all L(q, δ/x, t 1, t 2,, t d ) satisfying are in the form =(0,, 0, δ/x), where 0(modq). 157

3 Proof. Since L(q, δ/x, t 1, t 2,, t d ), we can write as, ( t 1 +c 1 q,, t d +c d q, δ/x), where c i is an integer (2) If β 0(modq), each t i +c i q will be a multiple of q. O(1)<k<logq, we have 1< =q/2 k <q/2g. Since <q/2, then t i +c i q=0, that is =(0,, 0, δ/x). For any β 0(modq), and t i is on [1, q), then t i 0(modq). Since, that is, + <q/2, i=1,2,,d, (3) /, that is, - (4) We use E( ) to denote the event that (3) holds. Obviously, if +, then q. We use p(, q) to denote the probability that q, we know that Pr(E( )) p(,q) d. we have p(, q)=1-pr( q >G )=1-Pr(G < (modq)<q-g ). p(, q)=1. 0(modq) and I=[-, 0) (0, ], P (, ) 2G * (2G) d+1 q/2 l + kd, Notice that l+kd logq+(d+1)log2g +1, we have Pr (2G) d+1 q/2 l + kd 1/2, P=1-Pr 1/2. Theorem 1. Given d modular inequalities (t i x-u i )modq<, i=1, 2,, d, where q is a large prime number. Let t i, u i, l, k Z, Q satisfy l>0, O(1)<k<logq, 0<l<logq, and t i is uniformly distributed on [1, q). And 0<x X=q/2 l, 1 δ=q/2 k satisfy l+kd logq+(d+1)log2g +1. Then with a probability P 1-(2G) d+1 q/2 l + kd we can find the solution x. Proof. Since (t i x-u i )modq<, i=1,2,,d, we know that there must exist c i Z such that 0 t i x-u i +c i q<, then t i x-u i - /2+c i q /2. Let us set v=(u 1 + /2, u 2 + /2,,u d + /2, /2) and consider the lattice L(q, δ/x, t 1, t 2,, t d ). There is a vector h L(q, δ/x, t 1, t 2,,t d ), such that h=(t 1 x+c 1 q,, t d x+c d q, x /X) and /2. We apply the Babai s algorithm (Proposition 1) to lattice L(q, δ/x, t 1, t 2,,t d ) and vector v, then we can get w=(w 1,,w d, w d+1 ). We have (d+1) 1/2 2 (d-3)/4. Since =h w L, then we have + (1/2+(d+1) 1/2 2 (d-3)/4 ). According to lemma 1, t with probability P 1-(2G) d+1 q/2 l + kd 1/2, is the form (0,, 0, zqδ/x). So we have x=(w d+1 X/δ)modq. According to the definition of L, it must hold (w d+1 X/δ) Z. Unique solution proof. From lemma 1, L(q, δ/x, t 1, t 2,, t d ) such (1/2+(d+1) 1/2 2 (d-3)/4 ), then with probability P 1-(2G) d+1 q/2 l + kd, we have the form =(0,, 0, qδ/x), where z Z. Assume that there is another solution x, and corresponding hidden vector h, then 1/2. Set =, then, ρ = h -v + v-h δ, so ρ (1/2+(d+1) 1/2 2 (d-3)/4 ). From lemma 1, consider the last component of, that is / /, we must have / / = qδ/x, so x x (modq). Because x and x are both on (0, q), we have x=x, the solution is unique. Application: The Security of Schnorr Signature Scheme This section analyzes the security of the Schnorr signature scheme with d-times HNP, proving that there is a probabilistic polynomial time attack algorithm, which needs less query times applied in the Schnorr signature than the classical HNP method. Next, we first review the Schnorr signature process: Select system parameters. Select a prime number p ( 512 bits), a prime number q ( 160 bits) and q p-1. g is in Z and g q 1modp. x represents the user s private key, 1<x<q. At the same time, y denotes the user's public key, y=g x modp. M denotes information to be signed. Key space K={(p, q, g, x, y): y g x modp} where p, q, g, y are public keys and x is the private key. Sign. Select nonce kϵz q, compute r=g k modp, s k-xe(modq), where e=h(r M). Return signature s= (M)=(e, s). Verify. After receiving signature information s=(e, s), compute r =g s y e modp, e =H(r M). and verify r e modp, if the equation is established, the signature is legal, then accept, otherwise refused. 158

4 Given d Schnorr signatures (r i, s i ) of M i, i=1, 2,, d, where v least significant bits of k i are known by the attacker, that is, there exists a i {0,,2 v -1} such that k i -a i =2 v b i. Then, according to the process of signature, we have s i (a i +2 v b i )-xe i (modq), so e i 2 -v x-(a i -s i )2 -v =b i (modq). We set t i =e i 2 -v modq, u i =(a i -s i )2 -v modq, then we have (t i x-u i )modq=b i <q/2 v. According to the definition, so we get the v-1 most significants MSB v-1 (xt i (modq)) of xt i (modq). Then, we compute x. Given the bound X of x, set =q/2 v, we have d modular inequalities (t i x-u i )modq<, 0<x<X, where i=1, 2,, d. In the Random Oracle model, e i can be considered uniformly distributed, being computed by hash function. Given 2 -v, so t i = e i 2 -v modq is uniformly distributed. Based on the above analysis, using the d-times HNP method, when the private key bound X=q/2 l, the v least significant bits information leakage of nonce by the side channel attack, according to Theorem 1, 0<l<logq, O(1)<v<logq, l+vd logq+(d+1)log2g +1,we can recover x in probability polynomial time. Thus, for the signer, in seeking to ensure that bits information of the nonce is not leaked at the same time, the choice of private key should be sufficiently large. Summary In this paper, we study the HNP method of constant d times Oracle queries under the premise of a given bound of secret(hidden number), and give the constraint relation between X and δ and its influence on success probability and efficiency. We analyze the security of Schnorr signature in Random Oracle model and give the effective reduction from security of the scheme to bits predictability of its nonce. Acknowledgement This work is partially supported by National Key R&D Program of China (2017YFB ). References [1] D. Boneh, R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes, Advances in Cryptology-CRYPTO'96, N. Koblitz (Eds.), Springer-Verlag, Santa Barbara, 1996, pp [2] D. Boneh, R.Venkatesan, Rounding in lattices and its cryptographic applications, In Proc. of the 8th Symposium on Discrete Algorithms, ACM, 1997, pp [3] N. A. Howgrave-Graham, N. P. Smart, Lattice Attacks on Digital Signature Schemes, Designs, Codes and Cryptography, 23(3), 2001, pp [4] A. K. Lenstra, H. W. Lenstra, L. Lovasz, Factoring polynomials with rational coefficients, Math. Ann., vol. 261, 1982, pp [5] P. Q. Nguyen, J. Stern, The Two Faces of Lattices in Cryptology, in Proc. of Cryptography and Lattices CALC 01, Springer-Verlag, 2001, pp [6] L. Babai, On Lovász Lattice Reduction and the Nearest Lattice Point Problem, Combinatorica, 6:1-13. (1986) [7] T. Rosa, One-Time HNP or Attacks on a Flawed El Gamal Revisited, Proceedings of the international workshop Santa's Crypto. (2005) [8] P.Q. Nguyen, The Dark Side of the Hidden Number Problem: Lattice Attacks on DSA, Cryptography and Computational Number Theory, Birkhäuser Basel, 2001, pp

5 [9] P.Q. Nguyen, I.E. Shparlinski, The Insecurity of the Digital Signature Algorithm with Partially Known Nonces, Journal of Cryptology, 15(3) [10] FIPS PUB 186-2: Digital Signature Standard (DSS), National Institute of Standards and Technology, January 27. (2000) [11] P.Q. Nguyen, Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3., Advances in Cryptology- EUROCRYPT '04, C. Cachin, J.L. Camenisch (Eds.), Springer-Verlag Interlaken, 2004, pp [12] D. Bleichenbacher, Experiments with DSA, CRYPTO 2005 Rump Session, Santa Barbara. (2005) [13] T. ElGamal, A Public Key Cryptosystem and Signature Scheme Based on Discrete Logarithms, IEEE Transactions on Information Theory, 31(4) [14] Y. Wang, K.W Lv, Improved method on the discrete logarithm problem in an interval[j], Journal of Cryptologic Research, 2(6) [15] C.P. Schnorr, Efficient signature generation for smart cards, Advances in Cryptology-CRY PTO'89, G. Brassard (Eds), Springer-Verlag, Santa Barbara, 1991, pp [16] Z.Q. Kang, K.W Lv, The Hidden Number Problem of Least Significant Bits, Future communication technology, vol. 1, ICCT2013, 2014, pp