A CRYPTANALYTIC ATTACK-ON THE LU-LEE PUBLIC-KEY CRYPTOSYSTEM


Philips J. Res. 35, 301-306, 1980   R J022

by J.-M. GOETHALS and C. COUVREUR

Abstract

We present a method for finding the secret decryption key of the public-key cryptosystem recently proposed by S. C. Lu and L. N. Lee 4). The method uses a technique similar to the one recently proposed by L. Adleman and R. Rivest 1).

1. Introduction

Since the introduction of the concept of public-key cryptography by Diffie and Hellman 2) in 1976, a number of public-key cryptosystems have been proposed in the literature. Among these, the system devised by Rivest, Shamir and Adleman 6) (usually referred to as the RSA or M.I.T. cryptosystem) seems to offer many advantages. Its security is based on the difficulty of factoring a large composite number and it has so far resisted various cryptanalytic attacks. However, its encryption and decryption operations (exponentiation modulo a large number) are relatively complex. Thus the scheme proposed by Lu and Lee 4) seemed to promise serious advantages over the RSA system, in particular in terms of speed, since the encryption/decryption operations are much simpler. Moreover, at first sight it seemed to offer the same level of security. This, however, is not true. In this short note we show how the cryptanalyst can use his knowledge of the public key to derive the secret decryption key, thus breaking the system. We like to mention that two other cryptanalytic attacks on this system have recently been proposed by Adleman and Rivest 1) and Kochanski 3). Both methods allow the cryptanalyst to decrypt a cryptogram without actually finding the secret key. In conclusion, the Lu-Lee system does not appear to be at all secure.

2. Basic principles of the Lu-Lee cryptosystem

Let $p_1 > p_2$ be two large (e.g. 160 bits) prime numbers, let $r = p_1 p_2$, and let $a_{11}, a_{12}, a_{21}, a_{22}$ be four moderate-sized numbers (e.g. 16 bits each) such that condition (1) holds. The secret decryption key consists of the parameters $(p_1, p_2; a_{11}, a_{12}, a_{21}, a_{22})$,

whereas the public encryption key consists of the three numbers $(r; c_1, c_2)$, where the $c_j$ are the unique solutions (obtained by the Chinese Remainder technique) of the congruences

$$c_j \equiv a_{ij} \pmod{p_i}, \quad i = 1, 2; \; j = 1, 2. \qquad (2)$$

The messages to be encrypted consist of pairs of numbers $(m_1, m_2)$ satisfying the conditions $0 < m_i < M_i$ for $i = 1, 2$, where the limits $M_1$ and $M_2$ are also publicly available. These quantities are chosen so that, for all admissible messages $(m_1, m_2)$, the following conditions are satisfied:

$$a_{i1} m_1 + a_{i2} m_2 < p_i, \quad i = 1, 2. \qquad (3)$$

The ciphertext $x$ corresponding to the plaintext $(m_1, m_2)$ is calculated from the public key by the formula

$$x \equiv c_1 m_1 + c_2 m_2 \pmod r. \qquad (4)$$

Decryption is performed as follows. First, the residues $x_i \equiv x \pmod{p_i}$, $i = 1, 2$, are computed. Then the pair $(m_1, m_2)$ is determined by solving the two linear equations $a_{i1} m_1 + a_{i2} m_2 = x_i$, $i = 1, 2$, which, by (1), (2), (3), have the original plaintext as their unique solution.

3. A cryptanalytic attack

At first sight it seems that a knowledge of the two factors $p_1, p_2$ of $r$ would be necessary in order to be able to decrypt a cryptogram. However, in two recently proposed attacks (refs 1 and 3), algorithms were devised which enable the cryptanalyst to recover the plaintext $(m_1, m_2)$ from a cryptogram $x$ without actually finding the factors $p_1, p_2$. The basic fact behind these attacks is that, to a given cryptogram, there corresponds a unique pair $(m_1, m_2)$ satisfying (4) within the limits $0 < m_i < M_i$ for $i = 1, 2$.

Here we describe an attack which uses the fact that the publicly revealed coefficients $c_j$ have small residues $a_{ij}$ modulo the unknown factors $p_i$. We observe that, if $a = a_{ij}$, then $c_j - a$ and $r$ will have $p_i$ as their greatest common divisor (gcd). Thus, in principle, we could use Euclid's algorithm for computing $\gcd(r, c_j - a)$ and try all possible small numbers $a$ until we find a gcd different from 1. We would then have obtained the factorization $r = p_1 p_2$, thus breaking the system. There is, however, a simpler way of finding the right number $a$, which we shall now explain. For this we use slightly different notations.

Let us assume we are given a number $r = pq$ and a number $c$, relatively prime to $r$, but with small residues $a$ and $b$ modulo $p$ and $q$, respectively. Thus we have

$$c - a \equiv 0 \pmod p, \qquad c - b \equiv 0 \pmod q,$$

whence

$$(c - a)(c - b) \equiv 0 \pmod r. \qquad (5)$$

Suppose that, as is the case for the Lu-Lee system, we can obtain upper bounds on $(a + b)$ and $ab$, say $(a + b) < A$ and $ab < B$, with $B < \min\{p, q\}$. Then the solution to the following minimization problem:

$$\text{minimize } F(u) \equiv uc - c^2 \pmod r, \quad \text{for } u < A, \qquad (6)$$

will yield $u = a + b$, $F(u) = ab$. Indeed, by using the Chinese Remainder Theorem, it is easy to show that, in this case, $F(u) < B$ for $u < A$ will hold only if the residues $a(u - a)$ and $b(u - b)$ of $F(u)$ modulo $p$ and $q$, respectively, are equal, that is for $u = a + b$.

The above minimization problem is easily solved using a variation of Euclid's algorithm for computing $\gcd(r, c)$, by a method similar to the one used by Adleman and Rivest 1). The basic idea is this. Using an extended version of Euclid's algorithm one obtains a series of congruences

$$e_i c \equiv (-1)^i f_i \pmod r, \quad i = 0, 1, 2, \ldots, \qquad (7)$$

where the coefficients $e_i$ increase, while the $f_i$ decrease, with increasing $i$. This can be seen from the basic recurrences they satisfy:

$$e_{i+1} = e_{i-1} + q_i e_i; \quad f_{i+1} = f_{i-1} - q_i f_i; \quad q_i = [f_{i-1} / f_i],$$

with the initial values $e_{-1} = 0$, $f_{-1} = r$; $e_0 = 1$, $f_0 = c$. The algorithm terminates when, for some $n$, $f_{n+1} = 0$. One then has $f_n = \gcd(r, c) = 1$, whence

$$e_n c \equiv (-1)^n \pmod r. \qquad (8)$$

The above congruences (7) are used successively in order to solve the minimization problem (6). At each step one uses the smallest multiple of the congruence (7) which, when added to the current value of $F(u)$, will change its sign and decrease its absolute value. This is done until it is no longer possible to add a multiple of $e_i$ to $u$ without violating the condition $u < A$. Some adjustment might be necessary at the last step in order to obtain a positive value for the last $F(u)$. We illustrate this by an example.

TABLE I
Extended Euclid algorithm for example 1

  i        e_i    (-1)^i f_i
  0          1        597301
  1          2       -411701
  2          3        185600
  3          8        -40501
  4         35         23596
  5         43        -16905
  6         78          6691
  7        199         -3523
  8        277          3168
  9        476          -355
 10       4085           328
 11       4561           -27
 12      58817             4
 13     357463            -3
 14     416280             1
 15    1606303             0

Example 1: $r = 1606303$, $c = 597301$. The values of $e_i, f_i$ obtained by use of the extended Euclid algorithm are given in table I. We first compute

$$c^2 \equiv 556786 \pmod r,$$

and we begin with the state $u = 0$, $F(u) = -556786$. Then, we use the first congruence with a coefficient 1 to obtain $u = 1$, $F(u) = 40515$. We do not use the next two congruences since no multiple would decrease the current absolute value of $F(u)$. In principle, with the next one ($i = 3$), we should use a coefficient 2 to obtain $u = 1 + 2 \times 8 = 17$, $F(u) = -40487$,

but, by using the smaller coefficient 1, we obtain $u = 9$, $F(u) = 14$, and we are done, since

$$c^2 - 9c + 14 = (c - 2)(c - 7), \qquad \gcd(r, c - 2) = 1307; \quad \gcd(r, c - 7) = 1229.$$

The above method requires first calculating $c^2 \bmod r$. This can be avoided by considering a slightly different version of the minimization problem. We simply observe that, since $\gcd(r, c) = 1$, each congruence (7) can be written as

$$f_i c^{-1} \equiv (-1)^i e_i \pmod r.$$

Then, by the same reasoning as above, it can be shown that the solution to the following minimization problem

$$\text{minimize } G(v) \equiv c + v c^{-1} \pmod r, \quad \text{for } v < B,$$

will yield $v = ab$, $G(v) = a + b$. This, of course, can be solved by the same technique as above. We further observe that, provided $e$ is chosen so as to satisfy $eA < \min\{p, q\}$, one could slightly change the above problem into

$$\text{minimize } eG(v) \equiv ec + evc^{-1} \pmod r, \quad \text{for } v < B.$$

Sometimes the solution is given at once, as illustrated by the following examples, taken from Kochanski 3).

Example 2: $r = 3932273$, $c = 1474358$. Using the extended Euclid algorithm, we obtain, for $i = 3, 4$, the following congruences

$$8c \equiv -1955 \pmod r, \qquad 96 c^{-1} \equiv 2011 \pmod r,$$

which immediately give

$$8(c + 12 c^{-1}) \equiv 8 \times 7 \pmod r,$$

thus $v = 12$, $G(v) = 7$. The system is broken since $c^2 - 7c + 12 = (c - 3)(c - 4)$, and $\gcd(r, c - 3) = 1979$; $\gcd(r, c - 4) = 1987$.
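The following Python program is an added illustration, not code from the paper: it builds Table I with the recurrences of Section 3, runs the greedy minimization of problem (6) on the first form $F(u) = uc - c^2$, and then recovers $a$, $b$ and the factors of $r$ from $u = a + b$, $F(u) = ab$. The bounds $A = 50$ and $B = 1000$ are assumptions chosen for the toy parameters of Examples 1 to 3 (the paper only requires $a + b < A$ and $ab < B < \min\{p, q\}$).

```python
from math import gcd, isqrt

R, C, A, B = 1606303, 597301, 50, 1000  # Example 1; A, B are assumed bounds

def euclid_table(r, c):
    """Rows (i, e_i, (-1)^i f_i) of Table I from the paper's recurrences,
    starting from e_{-1} = 0, f_{-1} = r, e_0 = 1, f_0 = c."""
    rows, i, e_prev, f_prev, e, f = [], 0, 0, r, 1, c
    while f != 0:
        rows.append((i, e, (-1) ** i * f))
        q = f_prev // f                      # q_i = [f_{i-1} / f_i]
        e_prev, e = e, e_prev + q * e        # e_{i+1} = e_{i-1} + q_i e_i
        f_prev, f = f, f_prev - q * f        # f_{i+1} = f_{i-1} - q_i f_i
        i += 1
    rows.append((i, e, 0))                   # f_{n+1} = 0; e_{n+1} = r
    return rows

def minimize_F(r, c, a_bound, b_bound):
    """Problem (6): find u < A with 0 < F(u) = uc - c^2 (mod r) < B by adding
    multiples of the congruences e_i c == (-1)^i f_i that shrink |F(u)|."""
    u, F = 0, -(c * c % r)
    for _, e, s in euclid_table(r, c):
        if 0 < F < b_bound:
            break
        if s == 0 or F * s > 0:              # same sign: any multiple grows |F|
            continue
        k = abs(F) // abs(s)                 # approach 0 without crossing it
        if not (0 < F + k * s < b_bound):
            k += 1                           # smallest multiple flipping F's sign
        if abs(F + k * s) >= abs(F):
            continue                         # this congruence cannot help
        if u + k * e >= a_bound:
            break                            # would violate u < A
        u, F = u + k * e, F + k * s
    return (u, F) if 0 < F < b_bound else None

def recover_factors(r, c, a_bound, b_bound):
    """a, b are the roots of x^2 - ux + ab (u = a + b, F(u) = ab);
    gcd(r, c - a) and gcd(r, c - b) then give the factors of r."""
    sol = minimize_F(r, c, a_bound, b_bound)
    if sol is None:
        return None
    u, ab = sol
    d = u * u - 4 * ab
    if d < 0 or isqrt(d) ** 2 != d:
        return None
    a, b = (u - isqrt(d)) // 2, (u + isqrt(d)) // 2
    p, q = gcd(r, c - a), gcd(r, c - b)
    return (a, b, p, q) if p * q == r else None
```

Calling `recover_factors(R, C, A, B)` reproduces Example 1 as `(2, 7, 1307, 1229)`; the same bounds also solve Examples 2 and 3 with the $F(u)$ form.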

Example 3: $r = 32832851$, $c = 14072862$. Here we have, for $i = 2$ and $i = 5$, the two congruences

$$7c \equiv 11481 \pmod r, \qquad 35 c^{-1} \equiv -11439 \pmod r,$$

and the system is similarly broken, as $v = 5$, $G(v) = 6$ yields $a = 1$, $b = 5$; $p = 5737$, $q = 5723$.

4. Conclusions

Although it is in principle possible to prevent our proposed attack (for example, by multiplying the coefficients $c_j$ by a secret factor $d$ so as to avoid small residues), we believe the Lu-Lee system is totally insecure. In our opinion the main reason for that is the fact that the encryption function is linear. This generally allows the cryptanalyst to recover plaintext from ciphertext without actually finding the secret decryption key. Our analysis also shows that extreme care must be taken not to include in the public key some parameters which could help the cryptanalyst in finding the secret decryption key.

Acknowledgements

We should like to thank Professor L. M. Adleman and Dr M. J. Kochanski for communicating their results to us.

Philips Research Laboratory Brussels, March 1980

REFERENCES

1) L. M. Adleman and R. L. Rivest, How to break the Lu-Lee (COMSAT) public-key cryptosystem, M.I.T. Laboratory for Computer Science, July 1979.
2) W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. Inf. Theory IT-22, 644-654, 1976.
3) M. J. Kochanski, Remarks on Lu and Lee's proposals, Cryptologia 4, 1980, to appear.
4) S. C. Lu and L. N. Lee, A simple and effective public-key cryptosystem, COMSAT Tech. Rev. 9, 15-24, 1979.
6) R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Commun. ACM 21, 120-126, 1978.