A New and Optimal Chosen-message Attack on RSA-type Cryptosystems

Transcription

1 Published in Y. Han, T. Okamoto, and S. Qing, eds, Information and Communications Security (ICICS 97), vol of Lecture Notes in Comer Science, , Sringer-Verlag, A New and Otimal Chosen-message Attack on RSA-tye Crytosystems Daniel Bleichenbacher 1, Marc Joye and Jean-Jacques Quisquater 3 1 Bell Laboratories 700 Mountain Av., Murray Hill, NJ 07974, U.S.A. bleichen@research.bell-labs.com UCL Cryto Grou, Dé. de Mathématique, Université de Louvain Chemin du Cyclotron, B-1348 Louvain-la-Neuve, Belgium joye@agel.ucl.ac.be 3 UCL Cryto Grou, Lab. de Microélectronique, Université de Louvain Place du Levant 3, B-1348 Louvain-la-Neuve, Belgium jjq@dice.ucl.ac.be Abstract. Chosen-message attack on RSA is usually considered as an inherent roerty of its homomorhic structure. In this aer, we show that nonhomomorhic RSA-tye crytosystems are also suscetible to a chosen-message attack. In articular, we rove that only one message is needed to mount a successful chosen-message attack against the Lucas-based systems and Demytko s ellitic curve system. Keywords. Chosen-message attack, signature forgery, RSA, Lucas-based systems, Demytko s ellitic curve system. 1 Introduction The most used ublic-key crytosystem is certainly the RSA [1]. Due to its oularity, the RSA was subject to an extensive crytanalysis. Many attacks are based on the multilicative nature of RSA [5]. To overcome this vulnerability, numerous generalizations of the original RSA were roosed and broken. Later, other structures were envisaged to imlement analogues of RSA. This seemed to be the right way to foil the homomorhic attacks. So, a crytosystem based on Lucas sequences was roosed in [10] and analyzed in [11] by Müller and Nöbauer. The ahors use Dickson olynomials to describe their scheme; however, Dickson olynomials can be rehrased in terms of Lucas sequences [, 14]. The Lucas sequences lay the same role in this scheme as exonentiations in RSA. In 1985, Koblitz and Miller indeendently suggested the use of ellitic curves in crytograhy [7, 9]. Afterwards, Koyama et al. [8] and Demytko [4] exhibited new one-way tradoor functions on ellitic curves in order to roduce analogues of RSA. Demytko s system has the articularity to only use the first coordinate and is therefore not subject to the chosen-message attack described in [8]. The Lucas-based crytosystems and Demytko s ellitic curve crytosystem seem to be resistant against homomorhic attack. However, the existence of a chosen-message

2 forgery that needs two messages has been described in [1]. Kaliski found a similar attack on Demytko s system [6]. In this aer, we describe a new chosen-message attack which needs only one message. This new attack shows that the RSA-tye crytosystems are even closer related to RSA, i.e. it shows that all the attacks based on the multilicative nature of the original RSA can straightforward be adated to any RSA-tye crytosystem. We illustrate this toic with the common modulus failure [13]. The remainder of this aer is organized as follows. In Section, we review the Lucas-based and Demytko s ellitic curve crytosystems. The reader who is not not familiar with these systems may first read the aendix. We resent our attack in Section 3 and aly it in Section 4. In Section 5, we revisit the common modulus failure. Finally, we conclude in Section 6. RSA-tye crytosystems In this section, we resent crytosystems based on Lucas sequences [10, 11, 14] and on ellitic curves [4]. We only oline the systems, for a detailed descrition we refer to the original aers..1 Lucas-based RSA The Lucas-based scheme can briefly be described as follows. Each user A chooses two large rimes and q and an exonent e that is relatively rime to ( 1)(q 1), comes n = q, and ublishes n and e as his ublic key. The corresonding d e 1 (mod lcm( 1; + 1; q 1; q + 1)) is ket secret. A s ublic arameters: n and e. A s secret arameters:, q and d. A message m is encryted by coming c v e (m; 1) (mod n). It is decryted using the secret key d by m v d (c; 1) (mod n). The correctness of this system is based on Proosition 3 (in aendix) as v d ve (m; 1); 1 v de (m; 1) v 1 (m; 1) m (mod n). Signatures are generated accordingly by exchanging the roles of the ublic and secret arameters e and d.. Demytko s system Similarly to RSA, to setu Demytko s system, each user A chooses two large rimes and q, and ublishes their roduct n = q. He ublicly selects integers a and b such that gcd(4a 3 + 7b ; n) = 1. Then once and for all, he comes N n = lcm #E (a; b); #E q (a; b); #E (a; b); #E q (a; b) : (1) He randomly chooses the ublic encrytion key e such that gcd(e; N n ) = 1, and comes the secret decrytion key d according to ed 1 mod N n.

3 A s ublic arameters: n, a, b and e. A s secret arameters:, q, N n and d. It is useful to introduce some notation. The x and the ycoordinates of a oint P will resectively be denoted by x(p) and y(p). To send a message m to Alice, Bob uses Alice s ublic key e and comes the corresonding cihertext c x(em) (mod n) where M is a oint having its xcoordinate equal to m. Note that, from Proosition 1, the comation of c x(em) (mod n) does not require the knowledge of y(m). Using her secret key d, Alice can recover the laintext m by coming m x(dc) (mod n) where C is a oint having its xcoordinate equal to c. Note also that Alice has not to know y(c). Remark 1. To seed u the comations, Alice can choose ; q mod 3 and a = 0. In that case, N n = lcm( + 1; q + 1). The same conclusion holds by choosing ; q 3 mod 4 and b = 0 (see [8]). Remark. For efficiency reasons, it is also ossible to define a message-deendent system (see [4]). 3 Sketch of the new attack Let n = q be a RSA modulus. Let e and d be resectively the ublic key and the secret key of Alice, according to ed 1 (mod (n)). The ublic key e is used to encryt messages and verify signatures; the secret key d is used to decryt cihertexts and to sign messages. Suose a crytanalyst (say Carol) wants to make Alice to sign message m witho her consent. Carol can roceeds as follows. She chooses a random number k and asks Alice to sign (or to decryt) m 0 mk e (mod n). Carol gets then c 0 m d (k e ) d m d k, and therefore the signature c of message m as c c 0 k 1 (mod n). Consequently, chosen-message attacks against RSA seem quite naturally to be a consequence of its multilicative structure. By reformulating this attack with the extended Euclidean algorithm, it aears that non-homomorhic crytosystems are also suscetible to a chosen-message attack. Alying to RSA, the attack goes as follows. In: A message m and the ublic key n; e of Alice. Ste 1: Carol chooses an integer k relatively rime to e. Then she uses the extended Euclidean algorithm to find r; s Z such that kr +es = 1. Ste : Carol comes m 0 m k (mod n). Ste 3: Next, she asks Alice to sign m 0 and gets therefore c 0 m 0 d (mod n): Ste 4: Consequently, Carol can come the signature c of m by c c 0 r m s (mod n): ()

4 O: The signature c of message m. Proof. From kr + es = 1, it follows d = d(kr + es) dkr + s (mod (n)). Hence, c m d m dkr m s m dk r m s c 0r m s (mod n). Remark 3. This attack can also be considered as a generalization of the Davida s attack [3]. 4 Alications The revious attack alies also to non-homomorhic crytosystems. In this section, we show how it works against Lucas-based systems and Demytko s system. 4.1 Attacking Lucas-based systems The crytanalyst Carol can try to get a signature c on a message m in the following way. In: A message m and the ublic key n; e of Alice. Ste 1: Carol chooses an integer k relatively rime to e. Then she uses extended Euclidean algorithm to find r; s Z such that kr + es = 1. Ste : Next she comes m 0 v k (m; 1) (mod n). Ste 3: Now she asks Alice to sign m 0. If Alice does so then Carol knows c 0 such that c 0 v d (m 0 ; 1) (mod n): Ste 4: Finally Carol comes the signature c of m as follows v rkd (m; 1) v r (c 0 ; 1) (mod n); (3) u rkd (m; 1) u k(m; 1)u r (c 0 ; 1) u e (c 0 ; 1) c = v d (m; 1) v rkd(m; 1)v s (m; 1) + u rkd(m; 1)u s (m; 1) where = m 4. O: The signature c of message m. Proof. Equation (3) follows from (13) 1 since (mod n); (4) v r (c 0 ; 1) v r vkd (m; 1); 1 v rkd (m; 1) (mod n): 1 (9) to () refer to equations in the aendix. (mod n) (5)

5 Equation (4) is a consequence of (14) and u rkd (m; 1)u e (c 0 ; 1) u r vkd (m; 1); 1 u kd (m; 1)u e vkd (m; 1); 1 u r vkd (m; 1); 1 u kde (m; 1) u r vkd (m; 1); 1 u k (m; 1) (mod n): Moreover, kr + es = 1 imlies v d (m; 1) = v rkd+des (m; 1) = v rkd+s (m; 1). Hence Equation (5) is an alication of (15). Remark 4. This attack is the analogue to the chosen-message attack on RSA resented in Section 3, by using algebraic numbers (relace m by = (m + )= and use Equation (9)). The only additional ste to be roved is that u kd (m; 1) is comable from m and v kd (m; 1). This can be shown by using (14) and noting that u k (m; 1) u kde (m; 1) u kd (m; 1)u e vkd (m; 1); 1 (mod n): If = m=+ = then the signature vkd (m; 1) on the message v k (m; 1) can be used to come kd v kd (m; 1)= + u kd (m; 1) =: Once kd is known, d = v d (m; 1)= + u d (m; 1) = can be comed from d (kr+es)d kd r s (mod n): Hence (3) and (4) corresond to the comation of c 0r and (5) corresonds to the multilication of c 0r by m s in (). 4. Attacking Demytko s system Before showing that a similar attack alies to Demytko s system, we need to rove the following roosition. Proosition 1. Let be a rime greater than 3, and let E (a; b) be an ellitic curve over Z. If P E (a; b) or if P E (a; b), then the comations of x(kp) and y(kp) deend only on x(p). y(p) Proof. Letting X j := x(jp) and Y j := y(jp) y (P), the tangent-and-chord comosition rule on ellitic curves gives the following formulas 8 >< X j = x(jp + jp) = >: = 1 X 3 1 +ax1+b 3X j +a Y j X j ; 3 x(jp) +a y (jp) x(jp) if P E (a; b) 3 x(jp) +a D y (jp) D x(jp) if P E (a; b)

6 Y j = y(jp+jp) y (P) = = 8 >< >: 3 x(jp) +a y(jp) x(jp)x(jp) y (jp) 3 x(jp) +a D y(jp) x(jp)x(jp) 1 3X j +a X1 3+aX1+b Y (X j j X j ) Y j ; X j+1 = x jp + (j + 1)P 8 >< = >: y (P) if P E (a; b) y (jp) y (P) if P E (a; b) y(jp)y((j+1)p) x(jp)x((j+1)p) x(jp) x (j + 1)P if P E (a; b) y(jp)y((j+1)p) x(jp)x((j+1)p) D x(jp) x (j + 1)P if P E (a; b) = (X ax Yj Y 1 + b) j+1 X j X j+1 X j X j+1 ; Y j+1 = y jp+(j+1)p y (P) = ( y(jp)y((j+1)p) x(jp)x((j+1)p) ) = x(jp)x((j+1)p) Yj Yj+1 X j X j+1 (X j X j+1 ) Y j : y (jp) y (P) if P E (a; b) or E (a; b) So X k and Y k can be comed from X 1 = x(p) and Y 1 = 1 by using the binary method. Then, the message forgery goes as follows. In: A message m and the ublic key n; e of Alice. Note that m is the xcoordinate of a oint M, i.e. m = x(m). Ste 1: The crytanalyst Carol chooses a random k relatively rime to e. Then she uses extended Euclidean algorithm to find r; s Z such that kr + es = 1. Ste : From x(m), Carol comes m 0 = x(m 0 ) x(km) (mod n). Next, she asks Alice to sign m 0. So, Carol obtains the signature c 0 = x(c 0 ) x(dm 0 ) (mod n): Ste 3: Finally, Carol finds the signature c = x(c) x(dm) (mod n) of message m as follows. 3a) If x(rc 0 ) 6 x(sm) (mod n) then, using Proosition 1, Carol can come y(km) y(m) ; y (rc 0 ) y(c and y (ec 0 ) (6) 0 ) y(c 0 ) and c (m 3 + am + b) 6 4 y (km) y (rc 0 ) y (M) y (C 0 ) y(ec 0 ) y (C 0 ) x(rc 0 ) x(sm) 1 y(sm) y (M) x(rc 0 ) x(sm) (mod n): (7)

7 3b) Otherwise, the signature is given by 3 x(rc 0 ) + a c 4 x(rc 0 ) 3 + a x(rc 0 ) + b x(rc0 ) (mod n): (8) O: The signature c of message m. Proof. Since kr + es = 1, d krd + esd krd + s (mod N n ). So, x(c) x(dm) x [krd + s]m x(rc 0 + sm) (mod n): a) If x(rc 0 ) 6 x(sm) (mod n), then x(rc 0 + sm) y (rc 0 ) y(sm) x(rc 0 ) x(sm) since x(rc 0 ) x(sm) y(m) 4 y (km) y (M) y (rc 0 ) y (C 0 ) y (C 0 ) x(rc 0 ) x(sm) y (ec 0 ) y(sm) y (M) y(rc 0 ) y (rc 0 y(m) = ) y(c 0 ) 3 5 y(c 0 ) y(km) x(rc 0 ) x(sm) (mod n) y(km) y(m) and y(km) y(edkm) y(ec 0 ) (mod n). b) Otherwise, since gcd(d; N n ) = 1 it follows that rc 0 6 sm (mod n) and therefore x(rc 0 + sm) 3 x(rc 0 ) + a y(rc 0 ) x(rc 0 ) x(sm) (mod n): 5 Common modulus attack Simmons ointed o in [13] that the use of a common RSA modulus is dangerous. Indeed, if a message is sent to two users that have corime ublic encrytion keys, then the message can be recovered. Because our chosen-message attack requires only one message, the Lucas-based systems and Demytko s ellitic curve system are vulnerable to the common modulus attack. We shall illustrate this toic on Demyko s system. Let (e 1 ; d 1 ) and (e ; d ) be two airs of encrytion/decrytion keys and let m = x(m) be the message being encryted. Assuming e 1 and e are relatively rime, the crytanalyst Carol can recover m from the cihertexts c 1 = x(c 1 ) x(e 1 M) (mod n) and c = x(c ) x(e M) (mod n) as follows. Carol uses the extended Euclidean algorithm to find integers r and s such that re 1 + se = 1. Then, she comes x(m) = x((re 1 + se )M) x(rc 1 + sc ) (mod n) as follows. If x(rc 1 ) 6 x(sc ) (mod n), then

8 otherwise m (c ac 1 + b) m 6 4 y (rc1) y (C1) 3 x(rc1 ) + a y(ec1) y (sc) y (C1) y (C) x(rc 1 ) x(sc ) y(e1c) y (C) x(rc 1 ) x(sc ) (mod n) 4 x(rc 1 ) 3 + a x(rc 1 ) + b x(rc 1) (mod n): Proof. Straightforward since y(e C 1 ) y(e 1 C ) (mod n). 6 Conclusion We have resented a new tye of chosen-message attack. Our formulation has ermitted to mount a successful chosen-message attack with only one message against Lucas-based systems and Demytko s system. This also roved that the use of nonhomomorhic systems is not necessarily the best way to foil chosen-message attacks. Acknowledgments The second ahor is grateful to Victor Miller for roviding some useful comments to enhance the resentation of the aer. References 1. D. Bleichenbacher, W. Bosma, and A. K. Lenstra. Some remarks on Lucas-based crytosystems. In D. Coersmith, editor, Advances in Crytology CRYPTO 95, volume 963 of Lecture Notes in Comer Science, ages Sringer-Verlag, D. M. Bressoud. Factorization and rimality testing. Undergraduate Texts in Mathematics. Sringer-Verlag, G. Davida. Chosen signature crytanalysis of the RSA (MIT) ublic key crytosystem. Technical Reort TR-CS-8-, Det. of Electrical Engineering and Comer Science, University of Wisconsin, Milwaukee, USA, October N. Demytko. A new ellitic curve based analogue of RSA. In T. Helleseth, editor, Advances in Crytology EUROCRYPT 93, volume 765 of Lecture Notes in Comer Science, ages Sringer-Verlag, D. E. Denning. Digital signatures with RSA and other ublic-key crytosystems. Communications of the ACM, 7(4):388 39, Aril B. S. Kaliski Jr. A chosen message attack on Demytko s ellitic curve crytosystem. Journal of Crytology, 10(1):71 7, N. Koblitz. Ellitic curve crytosystems. Mathematics of Comation, 48:03 09, K. Koyama, U. M. Maurer, T. Okamoto, and S. A. Vanstone. New ublic-key schemes based on ellitic curves over the ring Z n. In J. Feigenbaum, editor, Advances in Crytology CRYPTO 91, volume 576 of Lecture Notes in Comer Science, ages Sringer- Verlag, 1991.

9 9. V. S. Miller. Use of ellitic curves in crytograhy. In H. C. Williams, editor, Advances in Crytology CRYPTO 85, volume 18 of Lecture Notes in Comer Science, ages Sringer-Verlag, W. B. Müller and R. Nöbauer. Some remarks on ublic-key crytosystems. Sci. Math. Hungar, 16:71 76, W. B. Müller and R. Nöbauer. Crytanalysis of the Dickson scheme. In J. Pichler, editor, Advances in Crytology EUROCRYPT 85, volume 19 of Lecture Notes in Comer Science, ages Sringer-Verlag, R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and ublic-key crytosystems. Communications of the ACM, 1():10 16, February G. J. Simmons. A weak rivacy rotocol using the RSA crytoalgorithm. Crytologia, 7:180 18, P. J. Smith and M. J. J. Lennon. LUC: A new ublic key system. In E. G. Douglas, editor, Ninth IFIP Symosium on Comer Security, ages Elsevier Science Publishers, A Basic facts A.1 Lucas sequences Let P; Q be integers, = P 4Q be a non-square, = P + and = = P be the roots of x P x + Q = 0 in the quadratic field Q( ). The Lucas sequences v k (P; Q) and u k (P; Q) for k Z are then defined as the integers satisfying k := v k(p; Q) + u k(p; Q) : (9) From = P Q follows k = P k1 Q k. Hence the Lucas sequences satisfy the following recurrence relation v 0 (P; Q) = ; v 1 (P; Q) = P ; v k (P; Q) = P v k1 (P; Q) Qv k (P; Q); u 0 (P; Q) = 0; u 1 (P; Q) = 1; u k (P; Q) = P u k1 (P; Q) Qu k (P; Q): This recurrence relation is sometimes used as an alternative definition of Lucas sequences. Since conjugation and exonentiation are exchangeable it follows k = k = v k(p; Q) From this equation and from (9) it follows that u k(p; Q) : v k (P; Q) = k + k ; (10) and u k (P; Q) = k k : (11) The next roosition states some well-known roerties of Lucas sequences.

10 Proosition. 4Q k = v k (P; Q) u k (P; Q) (1) v km (P; Q) = v k vm (P; Q); Q m (13) u km (P; Q) = u m (P; Q)u k vm (P; Q); Q m (14) v k+m (P; Q) = v k(p; Q)v m (P; Q) u k+m (P; Q) = u k(p; Q)v m (P; Q) Proof. Equation (1) can be roved as follows. + u k(p; Q)u m (P; Q) + v k(p; Q)u m (P; Q) 4Q k = 4() k = k k = (v k (P; Q) + u k (P; Q) )(v k (P; Q) u k (P; Q) ) Equation (1) now imlies that = v k (P; Q) u k (P; Q) : k = v k(p; Q) = v k(p; Q) + and hence k = P 0 = + have + u k(p; Q) = v k(p; Q) vk (P; Q) 4Q k + uk (P; Q) (15) (16) P 0 4Q 0 = with P 0 = v k (P; Q) and Q 0 = Q k. Thus we ( k ) m = v m(p 0 ; Q 0 ) = v m(p 0 ; Q 0 ) + u m(p 0 ; Q 0 ) P 0 4Q 0 + u m(p 0 ; Q 0 )u k (P; Q) Comaring the coefficients of this equation with km = v km (P; Q)= + u km (P; Q) = roves (13) and (14). Writing k+m = k m as sums of Lucas sequences and comaring the coefficients shows (15) and (16). Proosition 3. Let be an odd rime, Q = 1 and gcd(; ) = 1. Then the sequence v k (P; 1) mod is eriodic and the length of the eriod divides. Proof. and therefore also are algebraic integers in Q( ). Thus we have = (P= + =) P= + ( ) = P= + (1)= = P= + = (mod ). Thus if = 1 then 1 1 (mod ) and if = 1 then +1 1 (mod ). It follows that the sequence k (and therefore also v k (P; 1)) is eriodic with a eriod that divides. :

11 A. Ellitic curves Ellitic curves over Z Let be a rime greater than 3, and let a and b be two integers such that 4a 3 + 7b 6= 0 (mod ). An ellitic curve E (a; b) over the rime field Z is the set of oints (x; y) Z Z satisfying the Weierstraß equation y = x 3 + ax + b (mod ) (17) together with the oint at infinity O. The oints of the ellitic curve E (a; b) form an Abelian grou under the tangent-and-chord law defined as follows. (i) O is the identity element, i.e. 8P E (a; b), P + O = P. (ii) The inverse of P = (x 1 ; y 1 ) is P = (x 1 ; y 1 ). (iii) Let P = (x 1 ; y 1 ) and Q = (x ; y ) E (a; b) with P 6= Q. Then P + Q = (x 3 ; y 3 ) where x 3 = x 1 x ; (18) y 3 = (x 1 x 3 ) y 1 ; (19) 8 3x >< 1 + a if x 1 = x ; and = y 1 y >: 1 y otherwise. x 1 x Note that if P = (x 1 ; 0) E (a; b), then P = O. Theorem 1 (Hasse). Let #E (a; b) = + 1 a denote the number of oints in E (a; b). Then ja j. Comlementary grou of E (a; b) Let E (a; b) be an ellitic curve over Z. Let D be a quadratic non-residue modulo. The twist of E (a; b), denoted by E (a; b), is the ellitic curve given by the (extended) Weierstraß equation D y = x 3 + ax + b (0) together with the oint at infinity O. The sum of two oints (that are not inverse of each other) (x 1 ; y 1 ) + (x ; y ) = (x 3 ; y 3 ) can be comed by x 3 = D x 1 x ; y 3 = (x 1 x 3 ) y 1 ; 8 3x >< 1 + a if x 1 = x ; and = D y 1 >: y 1 y otherwise. x 1 x Proosition 4. If #E (a; b) = + 1 a, then #E (a; b) = a. Proof. Since P #E (a; b) = 1 + xz 1 x + 3 +ax+b, P a = x 3 +ax+b xz. Hence, P #E (a; b) = 1 + xz 1 x 3 +ax+b = a.

12 Ellitic curves over Z n Let n = q with and q two rimes greater than 3, and let a and b be two integers such that gcd(4a 3 + 7b ; n) = 1. An ellitic curve E n (a; b) over the ring Z n is the set of oints (x; y) Z n Z n satisfying the Weierstraß equation y = x 3 + ax + b (mod n) (1) together with the oint at infinity O n. Consider the grou e En (a; b) given by the direct roduct ee n (a; b) = E (a; b) E q (a; b): () By the Chinese remainder theorem there exists a unique oint P = (x 1 ; y 1 ) E n (a; b) for every air of oints P = (x 1 ; y 1 ) E (a; b) n fo g and P q = (x 1q ; y 1q ) E q (a; b) n fo q g such that x 1 mod = x 1, x 1 mod q = x 1q, y 1 mod = y 1 and y 1 mod q = y 1q. This equivalence will be denoted by P = [P ; P q ]. Since O n = [O ; O q ], the grou e En (a; b) consists of all the oints of E n (a; b) together with a number of oints of the form [P ; O q ] or [O ; P q ]. Lemma 1. The tangent-and-chord addition on E n (a; b), whenever it is defined, coincides with the grou oeration on e En (a; b). Proof. Let P and Q E n (a; b). Assume P + Q is well-defined by the tangent-andchord rule. Therefore P + Q = [(P + Q) ; (P + Q) q ] = [P + Q ; P q + Q q ]. If n is the roduct of two large rimes, it is extremely unlikely that the addition is not defined on E n (a; b). Consequently, comations in e En (a; b) can be erformed witho knowing the two rime factors of n.