Generating EIGamal Signatures Without Knowing the Secret Key

Transcription

1 Generating EIGamal Signatures Without Knowing the Secret Key Daniel Bleichenbacher ETH Zurich Institute for Theoretical Computer Science CH-8092 Zurich, Switzerlan bleichenminf.ethz. ch Abstract. We present a new metho to forge EIGamal signatures if the public parameters of the system are not chosen properly. Since the secret key is hereby riot fouri this attack shows that forging ElGamal signatures is sometimes easier than the unerlying iscrete logarithm problem. 1 Introuction ElGamal's igital signature scheme [4] relies on the ifficulty of computing iscrete logarithm in the multiplicative group IF'; an can therefore be broken if the computation of iscrete logarithms is feasible. However, the converse has never been prove. In this paper we show that it is sometimes possible to forge signatures without breaking the unerlying iscrete logarithm problem. This shows that the ElGarrial signature scheme an some variants of the scheme must be use very carefully. The paper is organize as follows. Section 2 escribes the ElGamal signature scheme. In Section 3 we present a metho to forgc signatures if some aitional information on the generator is known. We show that signatures can be forge if the generator Q is smooth an ivies p- 1. Hence for example Q = 2 is a totally insecure choice. In Section 4 we iscuss the case where the public parameters are not chosen by the user itself. The authority that chooses these parameters may generate some trapoor information, which will allow it to sign arhit,rary messages for any user. Section 5 contains a brief escription of some possible countermeasures. In Section 6 we iscuss a variant of the ElGamal scheme over Z/nZ with n = pq, which was believe to be as har as factoring an computing iscrete logarithms. However, the factorization of n can often be erive from known signatures. Moreover, we show that in this case computation in only one of the groups IF'; or IF; is sufficient to forge signatures. Again it is not ncccssary to iscover the complete secret key of a user to generate signatures. U. Maurer (E.): Avances in Cryptology - EUROCRYPT '96, LNCS 1070, pp , Springer-Verlag Berlin Heielberg 1996

2 11 2 ElGarnal's signature scheme ElGamal's signature scheme can be escribe as follows. Public parameters. Let, p be a large prime an a a generator of the multiplicative group IF;. Secret key an public kev. Every user A chooses a secret key XA E (0,...,p - 2) an publishes YA G ax* (mo p) as his public key. Computation of a signature. Let 0 5 h < p - 1. To compute a signature on h user A procees as follows. First he chooses a ranom value k E (0,...,p - 2) relatively prime to p - 1 an computes 1 5 7' < p an s by r = a Ic (mo p) The pair (T, s) is a vali sigmture on 11. an s = (h - xar)k-' (mo p - 1). Verification of a signature. Any user knowing the public key IJA can vcrify the signature by checking that 1 5 r < p an the following equation are satisfie. The ElGamal signature scheme can bc broken when iscrete logarithms in IF'; can be compute. The prime p must therefore be chosen large enough to prevent the computation of iscrete logarithms by the number fiel sieve [6] an p - 1 must contain at least one large prime factor to isable the algorithm of Pohlig an Hellman [13]. The value h, that occurs in the signature is normally not equal to the message to sign, it is rather the result of a collision free hash function applie to the message. This avois the existential attack escribe in [4]. It is important that the verifier checks whether 1 5 r < p is satisfie. If he woul accept signatures where r is larger than p then any signature (r, s) on h coul be use to generate a signature (rz, s2) on an arbitrary hash value h2 by setting u = h2h-l (mo p - 1). This implies NOW (r2, s2) can be foun by setting.fa E su. (mo p - 1) an by computing 7'2 satisfying ~2 ru (mo p - 1) an r2 = r (mo p) by using the Chinese Remainer Theorem. This kin of attack will for example be use in Section 6.

3 12 3 Weak generators Thc security of the ElGamal signature scheme epens heavily on thc parameters p an a. The following theorem shows that, ElGarnal signatiires can be generate when some aitional information on the generator cy is available. Theorem 1. Let p - 1 = bw where b is smooth an let y~ be the public key of user A. If a generator /3 = ctu with 0 < c < b an an inte,qer t are known such that Pt G LY (mo p) then a vali ElGurnul signature (rl s) on a given h can be foun. Proof. First, we show that the eqiiat,ion ow' = ( y ~ (mo ) ~ p) can bc solve for z. It follows from p - 1 = bui that the subgroup H generate by IY" has orer b. Since b is smooth it is possible to corripute iscrete logarithms in H by using the algorithm of Pohlig an Hcllman [13], so that z can be foun. Now let r=/3 s E t(h - cwz) (mo p - 1). Then (T, s) is a vali signature on h since Corollary 2. If Q is smooth an ivies p - 1 th,en it is possible to generate a iinli ElGamal signature on an arbitrary mhre h. Proof. Let,L? = (p - 1)/u ari t = ( p - 3)/2. Then Pt = (-1)P-l = Q: (mo p). 0 Thus it follows by Theorem 1 that signatures for all h can be forge. Thus if the generator 01 is chosen baly then signatures on every given mcssage can bc foun without knowing the secret key. Choosing cy = 2 is exceptionally ba since it allows to forge signatures inepenently of the choice of p. Such small generators are sometimes chosen in orer t,o get ari efficient exponentiation. It shoul be note that this attack succees because of the special choice of rl which reuces the iscrete logarithm problem in IF'; to the iscrete logarithm problem in a subgroup of with smooth orer. Another attack that is base on the fact that iscrete logarithms in small subgroups are computable has been escribe recently by Menezes Qu ari Vanstone [ll].(their attack shows that authcnticity is not guarantee in a few Diffie-Hellman base key agreement protocols.)

4 13 4 Constructing a trapoor The public parameters 1) an a inay be fixe so that, every user in the system uses the same group ari generator. Such a convention is attractive because it allows the use of shorter public keys. Aitionally, signatures can be compute an verifie much faster by using precompute exponents [2]. However, the authority choosing the prirris p an the generator cy for a signature system may ait,ioiially generate some trapoor information that can be use to forge arbitrary messages later. One way to generate a prime p such that IF; has a trapoor has been pointe out in [l, p.501. The prime p can be generate together with a polynomial that is highly suita.ble for the number fiel sieve. The authority will then be able to compute iscrek logarithms faster than a user who oes not know the trapoor [5]. However, this gives only a moerate avantage an can be avoie by chosing the prime p sufficiently large. Moreover, such primes can be recognize fairly easily [14]. Here we present another way to generate a trapoor. An authority that can choose the public parameters p an (Y can generate these parameters such that it aitionally knows secret values p an t satisfying the constraints of Theorem 1. We illustrat,e t,his possibility by giving two ifferent methos to generate the trapoor. The first metho shows how a generator a an the trapoor information can be generate given a fixe prime p. The secon metho shows how a prime p an the trapoor information can be generate given a fixe small generator a. There is no guarantee t,ha.t, t,hpse methos succee. However, the probability of success is sufficiently high t,o threaten the security of the system. Metho A. Let, p - 1 = bw with b smooth. If b is not too small then we can fin a,,i3 an t in the following way. We choose c E { 1,..., b - 1) ranomly until p = cw is a generator of IF;. Finally we chose /, with gc(t,y - 1) = 1 an compute a = Pt. This attxk is practical when a generat,or /j = cw of IF; can be foun in reasonable time. When b is too small then no generator of the form cw may exist. However, the number of generators of I!?; is cp(p- 1). Sinw n/cp(n) = O(l~iln(rt)) (see for example [7]) we expect to fin a generator after O(ln ln(p)) trials. When t is chosen uniforrrily from the set of all 1 5 t < p- 1 that are relatively prirne to p - 1 then a = pt is a ranom generator of F;. Thus it is impossible to etmt the trapoor as long as no false signature has been publishe. However, the trapoor can be reconstructe from a given false signature (p, s) on h since ah z yips (mo p) implies h E ts (mo 711). In orer to fin t it is then sufficient to compute log,(p) (mo h) a.n this can be one efficiently as h is smooth. Metho 13. When the genemtor a is fixe then p,fi an t can be generate as follows. First three positive integers IL,V,C: are selecte such that 'u is o an cuau has approximately the size of the prime to construct. Next the smooth ivisors of cuau, - 1 are compute. This can be one easily using for example trial ivision or Pollar-rho factorization since only the small prime factors of

5 14 c"au - 1 are wante. If there exists a smooth ivisor > c of Pau - 1 such that p = PazL - " is prime, 9 - IL is relatively prime to p - 1 an a is a generator of IF; then it is possible to construct a trapoor as follows. t P-1 E u( ) ~ (mo ~ p - 1) 2 It follows from l(c"a" - 1) that ivies p- 1. Thus /3 satisfies the preconition of Theorem 1. Because of a"c" = " (mo p) we have Q? = (c-l)" (mo p) an therefore,!?" = (-c-l)" G (-l)~-~ : L Y ( P - ~ ) / ~ - ~ a (mo p). It follows that Theorem 1 can be applie. A heuristic analysis sliows that the runtime of this metho epens on the size of c an shoul fin a trapoor after trying O((lnp)(lnlnp)2) values for p of An example for such a trapoor, which has been generate in less than a ay on a SPARC IPC, is given by the values a = 5,u = 227,~ = 1,c = 1629 an = 22.7' 23 ' Countermeasures (mo p). Hence Pt = The attacks shown in Section 3 an 4 can be avoie if signatures (T,s) are consiere to be vali only if - aitionally to the other conitions -- T is not ivisible by a large prime ivisor q of p - 1. This conition shoul always be checke by the verifier. Moreover, an authorize signer will almost always generate a vali signature since it is very unlikely that he ranomly generates an r that is ivisible by q. Such a conition has been inclue in the igital signature stanar (DSS) [12]. Hence the DSS is not susceptible to the attacks presente in this paper. Alternatively trapoors may be avoie if the authority that is choosing the public parameters p an Q is force to use an algorithm like the one propose by NIST for the generation of p in DSS. The values prouce by this algorithm allow to verify publicly that the parameters have inee been generate by the algorithm. This woul make it very har for a ishonest authority to create a trapoor. The two methos to generate trapoors shown in Section 4 inicate that both p an a must, be generate with this algorithm if no other steps to prevent the attacks are taken. Yet another possibility to avoi the attacks might be to moify the equations for signature generation an verification (see for example [9] for an overview of ElGarnal variants). Such a variant must be chosen carefully since other problems may arise. For example if a signature on h is compute by T = ak (mo p) an s 3 ZA + IikT (mo p - 1) an therefore verifie by as z YAT~' (mo p ) then a chosen message attack is possible if the signer can be force to sign a message h where gc(p - 1, h) is large. Any such signature leaks information about the secret key ZA since s A special case of this attack has been iscusse in [9]. ZA + hkr (mo p - 1) implies s = XA (mo gc(p - 1, h)).

6 15 6 An ElGamal scheme over Z/nZ In [15] Saryazi has propose a variant of the ElGamal signature system using (Z/nZ)* where n is the prouct of two large primes p an q. The author hopcs that the security of the propose signature system relies on the factoring problem an the iscrete logarithm problem. Moreover, the existential attack shown in [4] seems not possible in that scheme, because this attack requires that the orer of the group (Z/nZ)* is known. However, Horster et al. observe in [lo] that the signatures leak information that can be use to factor the moulus. Even though thcir attack oes not work as escribe it, is possible to moify the attack in such a way that it works for Saryazi s scheme as well as the improve scheme propose in [lo]. Moreover, we show that computing iscret,e logarithms in only one of the two groups TF; or IF; is sufficient to break the scheme. Description of the scheme. In Saryazi s variation of the ElGamal signature scheme every user A chooses two large primes p an q an computes n = pq. Then she tries to fin an integer a E (Z/nZ)* with orer A(n). Furthermore he chooses a ranom element XA an computes 9~ = aza (mo n). p, q an ZA are kept secret whereas n, a an y are publishe as A s public key. To sign h. E Z/nZ user A chooses a ranom number k E ( H/)* an computes Then (T, s) is the signature on h where h is either the message or the hash value of a message. A verifyer accepts a signature (r, s) on h if 1 5 T < n an Q = (yait~ (mo n). This scheme oes not allow a moulus n that is common to all users, since every user has to know p(n) in orer to be able to compute signatures. Description of the attack. Assume that t is a small prime that ivies p - 1 but not q - 1. Assume further that (T,,s,) : 1 5 i 5 are known signatures on h, such that t ivies s, an such that the system xc,h, -- 0 (mo t) (3) an ~ I :, T c, 0 (mo t) (4) i= 1 has a nontrivial solution (i.e. ci $ 0 (mo t) for at least one i) in the coefficients ci. Such a solution to (3) an (4) can always be foun when at least 3 signatures ciri then we have with tlsi are known. If we set B := zt=l cih, an C := xt=l

7 16 Since t ivies all exponents in (5) we can compute the gc of n an (pit - (ya)c'/t ~ p ' / t This will factor 71 if exactly one of the following two equations are satisfic. 2= 1 2x1 7=1 (mo P) (6) (mo q) (7) Since t is relatively prime to q - 1 it, follows from (5) that (7) is satisfie. Since Q is a generator moulo p it follows that (6) is satisfie if an o~ily if or equivalcntly ~ / = t za(~/t) + C ~c,ci(si/t) i= I (mo p - 1) u = x,,~c + C liic,s, (mo t (p- 1)) (8) 1=l + ztzl is satisfie. From (2) follows only R 3 ~ AC k,c2s2 (mo cp(n)). Let, tz be the maximal power of t iviing cp(n). It follo~s that tz ivies p - 1 an hcncc tz+' ivies t(p - I). Thus wc expect that (8) is only satisfie with probability about 1 / t. It shoul bc iiotc that an attackel- oes not know which primes t may be successful since lie oes riot know p ari q an can generally not etermine whether a given t ivies p - 1 but not y - 1. But this is not a big problem because an attacker can simply try all small primes t that are a ivisor of somc s, 's. If the fact,orizat,ion of n (:;in he (1isc:overe then signatures can be foun if computing iscrete logaritlinis in 'IF; but riot necessarily in IF; is feasible, provie that p is not much slrialler than q. This can be one as follows. We may assume that the at,tac:ker knows a vali signature (r, s) on 11. This may bc a prcviously given signature or one that was generate using the existential forgery escribe in [4]. If he waiit,s to generate a signature on h' then he uses the Chinese Remainer Theorem to compute 0 5 r' < q(q - 1) such that T' s rh--li~' (mo q - 1) 7' = T (mo q) If p is not much smaller than y then he will fin an T' < n in reasonable time. If we set sq G sh- 'h' (mo y - 1) then we have - ~ I. '.IS,, = (%I) 7 (IIlo 4)

8 17 Assuming that the iscrete logarithm in IF ; is feasible it is possible t,o.wlvc h = logo(ya)t + log,(r )s, (mo p - 1) for sp if 1oga(r ) is rehtively prime to p - 1. If aitionally t,he system s E s, (mo p - 1) s = sg (n1o (1-1) is solvable then (T, s ) is a vali signature on h. Remarks. If t ivies both p - 1 ari q - 1 then it follows from (2) that B = x*c + c Ic,czsz (rno cp(n)) 2-1 is satisfie. This implies that (8) ari the analogous equation moulo y - 1 arc satisfie. The at,tack oes thercfore riot work when t ivies p - 1 an q - 1. The attack escribe in [lo] consicrs the case t = 2 only an oes not work therefore. However., it woul wciik when equation (2) is reuce moulo X(n) instea of cp(n) provie that the maximal powers of 2 in p - 1 an q - 1 are not the sarrie. The authors of [lo] propose that only signatures (T, s) where s is o arc allowe. This proposal ocs not prevent, the attack escribe here since s can still be ivisible by a small prime ivisor t. Another consequence of the note above is that the attack oes not work when the smooth parts of p - 1 an q - 1 are equal. Thus the at,t>ack presente here can be avoie by choosing p - 1 an q - 1 such that (p - 1)/2 ari (q - 1)/2 a.rc prime, since then no small prime t exist,s iviing p - 1 but not q - 1. Some of the extensions propose in [lo] scem to avoi the attack presente here too. 0t)her variants of ElGarn base on t,he iscrete logarithm problem an the fact,oring problem that are rriore practical than Saryazi s scheme have been proposc hy Brickell an McCurley [3] an Harn [S]. 7 Conclusion The results presente in this paper show that ElGamal signatures can be forge in some cases without knowing the secret key. The attacks presente can be avoie by restricting the valucs of signatures that are consiere to be vali. The ElGamal igital signature scheme has t,herefore not been broken but it has heen shown that, the system must be use very carefully. Acknowlegments I m grateful to Ueli Maurer, Markus Staler, Holger Pctersen Markus Michels an some members of the EUROCRYPT program committee for their cornmerits ari suggestions.

9 References 1. T. Beth, M. Frisch, an G.J. Simmons (es). Public-key Cryptography, State of the Art an Future Directions, volurrie 578 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, E. F. Brickell, D. M. Goron, K. S. McCurley, an D. B. Wilson. Fast exponentiation with precomputation. Avances in Cryptology - EUROCRYPT '92, volume 658 of Lecture Notes in Computer Sczence, pages , E. F. Rrickell an K. S. McCurley. An interactive ientification scheme base on iscrete logarithms an factoring. Journal 01 Cryptology, 5(1):29-39, T. El Gamal. A public key cryptosystwii aiitl a sigrialure scheme base OII iscrete logarithms. Avances in Cryptology: Proceeings of CRYPT0 '84, volume 196 of Lecture Notes in Co*mputer Science, pages Springer-Verlag, D. M. Goron. Designing an etecting trapoors for iscrete log cryptosystems. Avances in Cryptology- CRYPT0 '92, volume 740 of Lecture Notes in Computer Science, pages Springer-Verlag, D. M. Goron. Discrete logarithms in GF(p) iising the mlmher fiel sieve. SIAM,J. Disc. Math., 6(1): , February G. H. Hary an E. M. Wright. An introuction to the theory of numbers. Clarenon Press, Oxfor, 5th eition, L. Harn. Public-key cryptosystem esign base 011 factoring an iscrete logarithm. IEE Proc. Comput. Digit. Tech., 141(3): , P. Horster, M. Michels, an H. Petersen. Generalize ElGamal signatures for one message block. Technical Report TR-94-3, University of Technology Chemnitz- Zwickau, May P. Horster, M. Michels, an H. Petersen. Meta-ElGamal signature schemes USing a composite moule. Technical Report TR-Y4-16-E, IJniversity of Technology Chemnitz-Zwickau, November A. Menezes, M. Qu, an S. Vanstone. Key agreement an the nee for authentication. PKS, November National Institute of Stanars an Technology (NIST). FIPS Publication 186: Digital Signature Stanar, May 19, S. C. Pohlig an M. E. Hellman. An irriprovc algorithm for computing logarithms over GF(p) an its cryptographic significance. IEEB 7'mns. Inform. Theory, IT- 24: , January R. A. Rueppel, A. K. Lerwtra, M. 15. Smi, K. S. McCurley, Y. Desmet, A. Olyzko, an P. Timrock. Panel iscussion: Trapoor primes an mouli. Avances in Cryptology - EUROCRYPT '92, volume 658 of Lecture Notes in Computer Science, pages Springer-Verlag, S. Saryazi. An extension to ElGamal public key cryptnsyst,em with a new signature scheme. Communication, Control, an Signal Processing, pages Elsevier, 1'390.