Philips J. Res. 35, 301-306, 1980   R J022

A CRYPTANALYTIC ATTACK ON THE LU-LEE PUBLIC-KEY CRYPTOSYSTEM

by J.-M. GOETHALS and C. COUVREUR

Abstract

We present a method for finding the secret decryption key of the public-key cryptosystem recently proposed by S. C. Lu and L. N. Lee 4). The method uses a technique similar to the one recently proposed by L. Adleman and R. Rivest 1).

1. Introduction

Since the introduction of the concept of public-key cryptography by Diffie and Hellman 2) in 1976, a number of public-key cryptosystems have been proposed in the literature. Among these, the system devised by Rivest, Shamir and Adleman 5) (usually referred to as the RSA or M.I.T. cryptosystem) seems to offer many advantages. Its security is based on the difficulty of factoring a large composite number and it has so far resisted various cryptanalytic attacks. However, its encryption and decryption operations (exponentiation modulo a large number) are relatively complex. Thus the scheme proposed by Lu and Lee 4) seemed to promise serious advantages over the RSA system, in particular in terms of speed, since the encryption/decryption operations are much simpler. Moreover, at first sight it seemed to offer the same level of security. This, however, is not true. In this short note we show how the cryptanalyst can use his knowledge of the public key to derive the secret decryption key, thus breaking the system. We would like to mention that two other cryptanalytic attacks on this system have recently been proposed by Adleman and Rivest 1) and Kochanski 3). Both methods allow the cryptanalyst to decrypt a cryptogram without actually finding the secret key. In conclusion, the Lu-Lee system does not appear to be at all secure.

2. Basic principles of the Lu-Lee cryptosystem

Let $p_1 > p_2$ be two large (e.g. 160 bits) prime numbers, let $r = p_1 p_2$, and let $a_{11}, a_{12}, a_{21}, a_{22}$ be four moderate-sized numbers (e.g. 16 bits each) such that (1). The secret decryption key consists of the parameters $(p_1, p_2;\ a_{11}, a_{12}, a_{21}, a_{22})$, whereas the public encryption key consists of the three numbers $(r;\ c_1, c_2)$, where the $c_j$'s are the unique solutions (obtained by the Chinese Remainder technique) of the congruences

$c_j \equiv a_{ij} \pmod{p_i}, \quad i = 1, 2;\ j = 1, 2.$   (2)

Philips Journal of Research Vol. 35 Nos. 4/5 1980 301

The messages to be encrypted consist of pairs of numbers $(m_1, m_2)$ satisfying the conditions $0 < m_i < M_i$ for $i = 1, 2$, where the limits $M_1$ and $M_2$ are also publicly available. These quantities are chosen so that, for all admissible messages $(m_1, m_2)$, the following conditions are satisfied:

$a_{i1} m_1 + a_{i2} m_2 < p_i, \quad i = 1, 2.$   (3)

The ciphertext $x$ corresponding to the plaintext $(m_1, m_2)$ is calculated from the public key by the formula

$x \equiv c_1 m_1 + c_2 m_2 \pmod{r}.$   (4)

Decryption is performed as follows. First, the residues $x_i \equiv x \pmod{p_i}$, $i = 1, 2$, are computed. Then the pair $(m_1, m_2)$ is determined by solving the two linear equations $a_{i1} m_1 + a_{i2} m_2 = x_i$, $i = 1, 2$, which, by (1), (2), (3), have the original plaintext as their unique solution.

3. A cryptanalytic attack

At first sight it seems that a knowledge of the two factors $p_1, p_2$ of $r$ would be necessary in order to be able to decrypt a cryptogram. However, in two recently proposed attacks (refs 1 and 3), algorithms were devised which enable the cryptanalyst to recover the plaintext $(m_1, m_2)$ from a cryptogram $x$ without actually finding the factors $p_1, p_2$. The basic fact behind these attacks is that, to a given cryptogram, there corresponds a unique pair $(m_1, m_2)$ satisfying (4) within the limits $0 < m_i < M_i$ for $i = 1, 2$. Here we describe an attack which uses the fact that the publicly revealed coefficients $c_j$ have small residues $a_{ij}$ modulo the unknown factors $p_i$. We observe that, if $a = a_{ij}$, then $c_j - a$ and $r$ will have $p_i$ as their greatest common divisor (gcd). Thus, in principle, we could use Euclid's algorithm for computing $\gcd(r, c_j - a)$ and try all possible small numbers $a$ until we find a gcd different from 1. We would then have obtained the factorization $r = p_1 p_2$, thus breaking the system. There is, however, a simpler way of finding the right number $a$, which we shall now explain. For this we use slightly different notations.

Let us assume we are given a number $r = pq$ and a number $c$, relatively prime to $r$, but with small residues $a$ and $b$ modulo $p$ and $q$, respectively. Thus we have $c - a \equiv 0 \pmod{p}$, $c - b \equiv 0 \pmod{q}$, whence

$(c - a)(c - b) \equiv 0 \pmod{r}.$   (5)

Suppose that, as is the case for the Lu-Lee system, we can obtain upper bounds on $(a + b)$ and $ab$, say $(a + b) < A$ and $ab < B$, such that $B < \min\{p, q\}$. Then the solution to the following minimization problem:

minimize $F(u) \equiv uc - c^2 \pmod{r}$, for $u < A$,   (6)

will yield $u = a + b$, $F(u) = ab$. Indeed, by using the Chinese Remainder Theorem, it is easy to show that, in this case, $F(u) < B$ for $u < A$ will hold only if the residues $a(u - a)$ and $b(u - b)$ of $F(u)$ modulo $p$ and $q$, respectively, are equal, that is, for $u = a + b$.

The above minimization problem is easily solved using a variation of Euclid's algorithm for computing $\gcd(r, c)$, by a method similar to the one used by Adleman and Rivest 1). The basic idea is this. Using an extended version of Euclid's algorithm one obtains a series of congruences

$e_i c \equiv (-1)^i f_i \pmod{r}, \quad i = 0, 1, 2, \ldots,$   (7)

where the coefficients $e_i$ increase, while the $f_i$'s decrease, with increasing $i$. This can be seen from the basic recurrences they satisfy,

$e_{i+1} = e_{i-1} + q_i e_i;\quad f_{i+1} = f_{i-1} - q_i f_i;\quad q_i = [f_{i-1}/f_i],$

with the initial values $e_{-1} = 0$, $f_{-1} = r$; $e_0 = 1$, $f_0 = c$. The algorithm terminates when, for some $n$, $f_{n+1} = 0$. One then has $f_n = \gcd(r, c) = 1$, whence

$e_n c \equiv (-1)^n \pmod{r}.$   (8)

The above congruences (7) are used successively in order to solve the minimization problem (6). At each step one uses the smallest multiple of the congruence (7) which, when added to the current value of $F(u)$, will change its sign and decrease its absolute value. This is done until it is no longer possible to add a multiple of $e_i$ to $u$ without violating the condition $u < A$. Some adjustment might be necessary at the last step in order to obtain a positive value for the last $F(u)$. We illustrate this by an example.

TABLE I
Extended Euclid algorithm for example 1

 i      e_i    (-1)^i f_i
 0        1        597301
 1        2       -411701
 2        3        185600
 3        8        -40501
 4       35         23596
 5       43        -16905
 6       78          6691
 7      199         -3523
 8      277          3168
 9      476          -355
10     4085           328
11     4561           -27
12    58817             4
13   357463            -3
14   416280             1
15  1606303             0

Example 1: $r = 1606303$, $c = 597301$. The values of $e_i, f_i$ obtained by use of the extended Euclid algorithm are given in table I. We first compute $c^2 \equiv 556786 \pmod{r}$ and we begin with the state $u = 0$, $F(u) = -556786$. Then, we use the first congruence with a coefficient 1 to obtain $u = 1$, $F(u) = 40515$. We do not use the next two congruences, since no multiple would decrease the current absolute value of $F(u)$. In principle, with the next one ($i = 3$), we should use a coefficient 2 to obtain $u = 1 + 2 \times 8 = 17$, $F(u) = -40487$, but, by using the smaller coefficient 1, we obtain $u = 9$, $F(u) = 14$, and we are done, since

$c^2 - 9c + 14 = (c - 2)(c - 7)$, and $\gcd(r, c - 2) = 1307$; $\gcd(r, c - 7) = 1229$.

The above method requires first calculating $c^2 \bmod r$. This can be avoided by considering a slightly different version of the minimization problem. We simply observe that, since $\gcd(r, c) = 1$, each congruence (7) can be written as $f_i c^{-1} \equiv (-1)^i e_i \pmod{r}$. Then, by the same reasoning as above, it can be shown that the solution to the following minimization problem,

minimize $G(v) \equiv c + v c^{-1} \pmod{r}$, for $v < B$,

will yield $v = ab$, $G(v) = a + b$. This, of course, can be solved by the same technique as above. We further observe that, provided $e$ is chosen so as to satisfy $eA < \min\{p, q\}$, one could slightly change the above problem into: minimize $eG(v) \equiv ec + evc^{-1} \pmod{r}$, for $v < B$. Sometimes the solution is given at once, as illustrated by the following examples, taken from Kochanski 3).

Example 2: $r = 3932273$, $c = 1474358$. Using the extended Euclid algorithm, we obtain, for $i = 3, 4$, the following congruences:

$8c \equiv -1955 \pmod{r}$, $96 c^{-1} \equiv 2011 \pmod{r}$,

which immediately give $8(c + 12 c^{-1}) \equiv 8 \times 7 \pmod{r}$, thus $v = 12$, $G(v) = 7$. The system is broken since $c^2 - 7c + 12 = (c - 3)(c - 4)$, and $\gcd(r, c - 3) = 1979$; $\gcd(r, c - 4) = 1987$.
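The extended Euclid table and the greedy minimization of section 3, run on the paper's three numerical examples (Examples 1 to 3), as an added Python example that is not the paper's own code. The nearest-multiple rule for choosing each coefficient, the early exit as soon as $0 < F(u) < B$ and $0 < u < A$, and the toy bounds $A = B = 1000$ are assumptions of this example.

```python
from math import gcd, isqrt

def extended_euclid_pairs(r, c):
    """Rows (e_i, s_i) of the paper's Table I: e_i*c == s_i (mod r), s_i = (-1)^i f_i,
    from e_{i+1} = e_{i-1} + q_i e_i, f_{i+1} = f_{i-1} - q_i f_i."""
    e_prev, f_prev, e, f = 0, r, 1, c          # (e_-1, f_-1), (e_0, f_0)
    rows, i = [], 0
    while f != 0:
        rows.append((e, f if i % 2 == 0 else -f))
        q = f_prev // f
        e_prev, e = e, e_prev + q * e
        f_prev, f = f, f_prev - q * f
        i += 1
    rows.append((e, 0))                         # last row: e_{n+1} = r, f_{n+1} = 0
    return rows

def minimize_F(r, c, A, B):
    """Greedy reduction of section 3: from u = 0, F = -c^2 (mod r), add to u the
    multiple k*e_i (and k*s_i to F) that brings F closest to zero, row by row.
    The first state with 0 < F < B, 0 < u < A is (a + b, ab) by the CRT argument."""
    u, F = 0, -(c * c % r)
    for e, s in extended_euclid_pairs(r, c):
        if s == 0:
            break
        num, den = (-F, s) if s > 0 else (F, -s)
        k = (2 * num + den) // (2 * den)        # nearest integer to -F / s
        if k == 0 or u + k * e < 0:             # negative k is fine while u stays >= 0
            continue
        u, F = u + k * e, F + k * s
        if 0 < F < B and 0 < u < A:
            return u, F
    return None

def recover_factors(r, c, A, B):
    """Solve x^2 - u x + F = 0 for the small residues a, b and split
    r = gcd(r, c - a) * gcd(r, c - b), as in the paper's examples."""
    hit = minimize_F(r, c, A, B)
    if hit is None:
        return None
    u, ab = hit
    d = u * u - 4 * ab
    if d < 0 or isqrt(d) ** 2 != d:
        return None
    a, b = (u - isqrt(d)) // 2, (u + isqrt(d)) // 2
    p, q = gcd(r, c - a), gcd(r, c - b)
    return (a, b, p, q) if 1 < p < r and p * q == r else None

if __name__ == "__main__":  # toy bounds A = B = 1000 are assumed; B < min{p, q} holds for all three
    for r, c in [(1606303, 597301), (3932273, 1474358), (32832851, 14072862)]:
        print(r, c, "->", recover_factors(r, c, 1000, 1000))
```

For the 160-bit primes and 16-bit coefficients of section 2 the bounds would instead be taken from the coefficient sizes ($a + b < 2^{17}$, $ab < 2^{32}$), which still satisfy $B < \min\{p, q\}$.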
Example 3: $r = 32832851$, $c = 14072862$. Here we have, for $i = 2$ and $i = 5$, the two congruences

$7c \equiv 11481 \pmod{r}$, $35 c^{-1} \equiv -11439 \pmod{r}$,

and the system is similarly broken, as $v = 5$, $G(v) = 6$ yields $a = 1$, $b = 5$; $p = 5737$, $q = 5723$.

4. Conclusions

Although it is in principle possible to prevent our proposed attack (for example, by multiplying the coefficients $c_j$ by a secret factor $d$ so as to avoid small residues), we believe the Lu-Lee system is totally insecure. In our opinion the main reason for that is the fact that the encryption function is linear. This generally allows the cryptanalyst to recover plaintext from ciphertext without actually finding the secret decryption key. Our analysis also shows that extreme care must be taken not to include in the public key some parameters which could help the cryptanalyst in finding the secret decryption key.

Acknowledgements

We should like to thank Professor L. M. Adleman and Dr M. J. Kochanski for communicating their results to us.

Philips Research Laboratory
Brussels, March 1980

REFERENCES

1) L. M. Adleman and R. L. Rivest, How to break the Lu-Lee (COMSAT) public-key cryptosystem, M.I.T. Laboratory for Computer Science, July 1979.
2) W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. Inf. Theory IT-22, 644-654, 1976.
3) M. J. Kochanski, Remarks on Lu and Lee's proposals, Cryptologia 4, 1980, to appear.
4) S. C. Lu and L. N. Lee, A simple and effective public-key cryptosystem, COMSAT Tech. Rev. 9, 15-24, 1979.
5) R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Commun. ACM 21, 120-126, 1978.