* Supported by an IBM fellowship, partially supported by NSF grant DCR by Johan Hastad* MIT

Transcription

1 ?J USING RSA WITH LOW EXPONENT IN A PUBLIC KEY NETWORM by Johan Hasta* MIT Abstract: We consier the problem of solving systems of equations P;(z) = 0 (mo n;) i = 1... k where P; me polynomials of egree an the n, are istinct relatively prime numbers an z < minn,. We prove that if k > we can recover z in polynomial time provie n, >> 2k. This shows that RSA with low exponent is not a goo alternative to use as a public key cryptosystem in a large network. It also shows that a protocol by Broer an Dolev [4] is insecure if RSA with low exponent is use. 1. Introuction Let us start with some cryptographic motivation. The famous RSA function [8] is efine 89 f(z) = z (mo n). Here n is usually taken of the form n = pq where p an q are two large primes an is an integer relatively prime to (p l)(q 1). Using these parametera the function is 1 1 when restricte to 1 5 z 5 n, (2, n) = 1. Furthermore the function is wiely believe to be a trapoor function i.e. given n an it is easy to compute f(z) an given f(z) it is also easy to recover z provie you have some secret information but otherwise it is infeasible. In this case the secret information is the factorization of n. The RSA function can be use to construct a eterministic Public Key Cryp tosystem(pkc) in the following way: Each user B in a communication network chooeea two large primes p an q an multiplies them together an publishes the result nb together with a number e which is relatively prime to (p l)(q 1). He keeps the factorization as his private secret information. If any user A in the system wants to sen a secret message rn to another user B she retrievea B's publishe information computes y mb (mo ne) an sens y to B. B now obtains the original message using his secret information while someboy else presumably faces an intractable computational task. However PKC are ifferent an more complex objecta than trapoor functions. For example the use of RSA in a PKC may present obetaclea that i not occur when we consiere it as a trapoor function. Several people (at least Blum, Lieberherr an Williams) have observe the following attack. hume that 3 is chosen ae the exponent an that A wants to sen the same message rn to users U1,Ut an Us. She will compute an sen y; = m3 (mo n;) i = 1,2,3. But using the fact that nl, n2 an ns are relatively prime a listener who know the values of y1,yz an y3 can combine the messages by chinese remainering to get m3 (mo nlnang) an since ms < nlnzn3 he can recover m. In general if the exponent is the number of messages neee is. * Supporte by an IBM fellowship, partially supporte by NSF grant DCR H.C. Williams (E.): Avances in Cryptology CRYPT0 '85, LNCS 218, pp , SpringerVerlag Berlin Heielberg 1986

2 404 A natural question is therefore: Is there a better way to sen the same message to many people using thia PKC? A common heuristic tells us to use a time stamp. Instea of sening the same message m to everyboy one attaches the time an thus sens the encryption of 2i*lrn + t where 2Itlm is the shifte message an t is the time (which will be ifferent for the ifferent receivers). The previous attack fails an we are le to the following computational problem (for = 3). Given (aim + 6;) (mo n;) where all the % an b; are known is it possible to recover rn in polynomial time? We wil1 see in section 3 that the answer is YES if the number of similar messages is at least 7. In fact we will prove that given a set of equations P;(z) z 0 (mo n;) i= 1,..., k where we have k polynomial equations of egree 2 it is possible to recover the solution in time polynomial in both k an logn; if k > ( + 1)/2 provie n; >> 2. Therefore we conclue that if MA is to be use as a PKC we shoul use a large exponent or even better use a probabilistic encryption scheme [3],[6] base on RSA. By [1],[3] this can be one with as much efficiency as in the eterministic case. 2. The insecurity of a protocol by Broer an Dolev. Broer an Dolev propose a protocol for flipping a coin in a istribute system [4]. Some of their emential ingreients were Shamir s metho of sharing a secret an the use of a eterministic PKC. They propose to use the RSA. In 121 it is shown that what they really nee from the security of the cryptosystem is: Given the encryption of a;z + b, with ifferent keys it shoul be infeasible to ecie the parity of z with a better probability than flipping a coin. The analysis in the next section shows that given this information we can, not only fin the parity of z, but the exact value of z if the PKC is RSA with a small exponent. In the case of a large exponent the protocol is not known to be insecure but on the other han there is no proof of correctness. A provably secure protocol has been esigne by Awerbuch et. [Z]. 3. Main Theorem Let us start by fixing some notation. Let N = nf=, we can state the problem formally: n; an n = minn;. Now Problem: Given a set of k equations Cj=ou,,zj z 0 (mo n;), i = 1,...,k. Suppme that the system have a solution z < n. Can we fin such a solution efficiently? Before we give the theorem Iet us give the basic ieas. Define u, < N to be the Chinese remainering coefficients i.e. u, E S;, (mo n;) (6;, = 1 if i = j an 0 otherwise). We can combine the equations to a single equation using the Chinese remainer theorem. o ~ p zj = zfz1 ~ u,a,, G c,=~ zjc, (mo N )

3 405 One of the important parts of the entire paper is the following simple lemma. Lemma I: If lc,( < (+T)niz we can fin z in time polynomial in,k an log n;. Proof: Iflcjl < & then j=o j=o Thus the conition C;=, cjzj = 0. In other wors z solves the equation over the integers an to prove the lemma we just nee the fact that we can solve polynomial equations over the integers in polynomial time. This follows from [7] but there are more efficient algorithms. cjzj e 0 (mo N) implies cy'=, The conition of lemma 1 is quite unlikely to be fulfille when we start with a general set of equations. In spite of this lemma 1 will be one of our main tools for proving: Theorem: Given a set of equations c;=, a;j = 0 (mo n;), i = 1,2,..., k where z < n an gc((a,j)$,, n;) = 1 for all i. Then it is possible to recover z in time polynomial in, k an log n; if As before N = nf=, n;, n = min n,, is the egree of the equations an k is the number of equations. ProoT: The iea is to use lemma 1. However as we remarke it is quite unlikely that it will apply to our equations irectly. To get more possibilities we will multiply the ith equation by a constant a, before we combine them using Chinese remainering. If we have chosen the 8; carefully enough the resulting equation will have the esire small coefficients. We get Let cj enote the coefficient of zj in this equation. To apply lemma 1 we want Icj/nj < &. The main tool for achieving this will be the use of lattices. We first start by recalling some backgroun from the geometry of numbers. 3.1 Backgroun from geometry of numbers. A lattice L is efine to be the set of points where & are linearly inepenent vectors in R". The set 6 is calle a basis for the lattice an n is the imension. The eterminant of a lattice is efine to be the absolute value of the eterminant of the matrix with rows 6. It is not har to see that the eterminant is inepenent of the choice of basis. The length of the shortest nonzero vector in the lattice is enote by XI. Let us recall the following wellknown facts:

4 406 Theorem: (Minkowski) X1 5 7,, 3 (et(l))* where 7n is Hermite's constant. y, is not known explicitly but we have an upper boun 7,, 5 n [5]. Theorem: W e can fin a vector a' in polynomial time which satisfies I I W l This is boun you get from the famous algorithm in the paper by Lenstra,Lenstra ' an Lovasz [7]. By a result by Schnorr it is possible to replace the constant 2 by any number greater than 1 [9] but this is not important to us. Arme with this information we return to the original problem. 3.2 Continuation of Proof. Define the following lattice L of imension k by its base vectors: N bl = (aloul, ~ ~ 1 1 ~ 1 ~ n 2,n ~ alu1, 1 2 ~ 1 m701.., ~ ~ ~.,o). N b2 = (a20u2,na21u2,n2a22~5,...,n a2u2,0, n?(l)>**' '0) + 2 N bk = (akouk, nakluk, n ak2uk,..., n akuk, 0~0,.. I bk+l = (N,O,O,...,o,o, 0,...,o) bk+2 = (0, nn, 0,...,O,O,O,...,0) bk++l = (O,O, 0,..., n N, O,O,... 0) Observe that Observe that for 1 5 i 5 k + 1 the i'th coefficient is ivisible by n'. We multiply the ifferent coefficients by the corresponing powers of n since we want /cj/nj < &. The laat k coorinatea are there to make the multipliers 3; small in a short vector in the lattice a the last + 1 vectors reflect the fact that we have a moular equation. The only term in the expansion of the eterminant is the iagonal term an we get k fill J(f1) Det(L) = nnfk"( $. l)k n nil = ntnik( + l)k This also shows that the vectors are inepenent. Combining the two theorems in section 3.1 we know that we can fin a vector gin L that satisfies *=1 ila'il < ( k++ I)iZ*Det(C)h

5 407 Observe that to get the esire bouns for the c;'s we nee A simple calculation shows that to get this we nee exactly the boun from the theorem to get this. TO finish the proof we nee to prove that we get a nontrivial equation. Since 11gl1 C we know by the expressions for the last k coorinates that Is;] < n;. b' is also nonzero. This together with the boun for its length imply that there is at least one S; # 0. Look at the equation (mo n;) for the same i. Using that 0 # 1s.l < n; an gc((a,,)$o, n;) = 1 we see that this is a nontrivial equation. The proof is complete. 4. Cryptographic Corollaries We get some immeiate corollaries of the main theorem Corollary 1: Sening linearly relate messagee using RSA with low ex +l ponent 8 hecure. Sening more than messages enables an aversary to recover the messages. This follows irectly from our main the main theorem wuming that the constants epening on the imension is small compare to the mouli. In the same spirit we get Corollary 2: Sening linearly relate messages using the Rabin encryption function is insecure. If 4 such rnessage;s are sent it is possible to retrieve the message. If one oes a bit of extra work it is poaaible to say something about the cases of equality (9 an 3 mesaages respectively) but we omit the etails. Corollary 3: The protocol by Broer an Dolev ia insecure if RSA with low exponent is uae. Follows from the analysis in [2] an the main theorem. The theorem also proves that we shoul not encoe messages that are small known polynomials in some unknown but this seems quite farfetche. 5. Open questions One interesting open questions is whether we can solve the problem with fewer equations. It oes not seem possible to use this line of attack with substantially fewer equation. To see this one might argue as follows: The probability that lcjl < nkj for j = 1,..., for a fixe set of s, is approximately n(+l)/z an this woul inicate that we shoul have n(+l)/f sets of equations to choose between an therefore at least (+ 1)/2 equations.

6 405 There oes not seem to be any way to exten the above attack to RSA with large exponent. The reason being that the integers involve are too big even to write own. There is atill a large amount of atructure preaent an it woul be interesting to investigate whether this structure coul be use. Acknowlegments: I woul like to thank Silvio Micali, Sha6 Golwasser an Benny Chor for suggesting the problem, listening to early solutions an suggesting improvements an simplifications. They also pointe out the flaws in the argument of Broer an Dolev. References: + poly logn Secure FOCS 1984 pp [l] Alexi W., Chor B., Golreich 0. an Schnorr C.P. RSA/Rabin Bits are 3 + [2] Awerbuch B., Chor B., Golwasser S. an Micali S. Provably Secure Coin Flip in a Byzantine Environment, manuscript in preparation. [3] Blum M. an Golwaaser S. An efficient Probabilistic Public Key Encryption Scheme which Hiea all Partial Information Presente in Crypto 1984 [4] Broer A.Z. an Dolev D. Flipping Coins in Many Pockets FOCS 1984 pp [S] Casaels J.W.S. Geometry of Numbers Springer 1959 [6] Golwasser S. an Micali S. Probabilistic Encryption JSCC 28 27&299 (71 Lenstra A.K.,Lemtra H.W. an Lavasz L. Factorin6 Polynomials with Integer Coefficients Matematische Annalen 261 (1982) [S] Riveat R.L., Shamir A. an Aleman L. A Metho for Obtaining Digital Sig natures an Public Key Cryptoayetems CACM 212 February [9] Schnorr C.P. A Hierarchy of Polynomial Basis Reuction Algorithms, manuscript