an introduction to coppersmith's method and applications...

An Introduction to Coppersmiths methodand Applications in Cryptology

Rina Zeitoun

[email protected]

Oberthur Technologies

Master SFPN - UPMC

November 19th, 2015

Agenda

1 Solving Polynomials and Cryptology

2 Coppersmiths Method

3 Some Applications

2

Outline



3 Some Applications

3

Algebraic Attacks

key = ? ? ? ? ? ? ? ?

x0 + x1 x2 + x1 x4 = 0

x0 x1 x4 + x3 x5 + x2 = 0

x0 x1 x3 + x0 x2 + x5 x2 = 0

x1 = 73218

x2 = 984

x3 = 0

x4 = 37984155

x5 = 4869

?

RSAFactorization of N = p qN x y = 0 + Difficult [1]

RSAFactorization of N = p q

N x y = 0 + DifficultWhat if more information ? [2]

[1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.

4

Algebraic Attacks

key = 0x8C1337DA

x0 + x1 x2 + x1 x4 = 0

x0 x1 x4 + x3 x5 + x2 = 0

x0 x1 x3 + x0 x2 + x5 x2 = 0

x1 = 73218

x2 = 984

x3 = 0

x4 = 37984155

x5 = 4869

?





4

Algebraic Attacks

key = ? ? ? ? ? ? ? ?

x0 + x1 x2 + x1 x4 = 0

x0 x1 x4 + x3 x5 + x2 = 0

x0 x1 x3 + x0 x2 + x5 x2 = 0

x1 = 73218

x2 = 984

x3 = 0

x4 = 37984155

x5 = 4869

?




[1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.

[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.

4

Algebraic Attacks with AdditionalInformation

key = ? ? ? ? ? ? ? ?

x0 + x1 x2 + x1 x4 = 0

x0 x1 x4 + x3 x5 + x2 = 0

x0 x1 x3 + x0 x2 + x5 x2 = 0

x1 = 73218

x2 = 984

x3 = 0

x4 = 37984155

x5 = 4869

Additional Information

x2 + x3 + 1 = 0

x4 x1 + x5 = 0

?





5

Algebraic Attacks with AdditionalInformation

key = ? ? ? ? ? ? ? ?

x0 + x1 x2 + x1 x4 = 0

x0 x1 x4 + x3 x5 + x2 = 0

x0 x1 x3 + x0 x2 + x5 x2 = 0

x1 = 73218

x2 = 984

x3 = 0

x4 = 37984155

x5 = 4869

Additional Information

x2 + x3 + 1 = 0

x4 x1 + x5 = 0

?




[1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.

[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.

5

Knowing Some Information

f (m, . . . ) = 0 f (aB + x, . . . ) = 0

Coppersmiths method in polynomial time (1996) [1]

Find all small integer roots of some polynomial equations. Numerous applications in cryptology.

[1] Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Coppersmith, 1997.

6

How to get additional information ?

Non-invasive Attacks Can allow to recover some bits of information

7

How to get additional information ?

A Diode Laser Station(picture from Riscure Inspector Data Sheet)

Invasive Attacks Can modify some secret data

8

Algebraic Attacks with Side-ChannelInformation

key = 0x8C1337DA

x0 + x1 x2 + x1 x4 = 0

x0 x1 x4 + x3 x5 + x2 = 0

x0 x1 x3 + x0 x2 + x5 x2 = 0

x1 = 73218

x2 = 984

x3 = 0

x4 = 37984155

x5 = 4869

x1 + 1 =0

x4 + x1 + 12 = 0

x3 + 27 =0

x2 + 31 = 0

9

Outline



3 Some Applications

10

Don Coppersmith

Don Coppersmith was born in 1950 in America. Holds a doctorate in mathematics from Harvard University. Played a major part of the design of DES within the IBM team. One of the designers of MARS (finalist for the AES). Famous for his works on discrete logarithms, cryptanalysis of

RSA, rapid matrix multiplication.

11

Coppersmiths Theorem

The Problem (Univariate Modular Case):

Input: A polynomial f (x) = x + ad1x1 + + a1x + a0. N an integer of unknown factorization.

Find: All integers x0 such that f (x0) 0 mod N.

Coppersmiths Theorem for the Univariate Modular case

The solutions x0 can be found in polynomial time in log(N) if

|x0| < N1/ .

12

Coppersmiths Method(Howgrave-Graham)

The problem: find all small integers x0 s.t. f (x0) 0 mod N.

The idea: find a small polynomial g s.t. g(x0) = 0 over Z.

Euclidean LatticesNew small polynomial g + LLL Reduction [1].

[1] Factoring Polynomial with rational coefficients. Lenstra, Lenstra, Lovasz, 1982.

How to find the polynomial g:

Family ofPolynomials

(with parameter m)

B BR

LLL g

g(x0) 0 mod Nm g(x0) < Nm

} g(x0) = 0 over Z.

[1] Factoring Polynomial with rational coefficients. Lenstra, Lenstra, Lovasz, 1982.

13

Coppersmiths Method(Howgrave-Graham)

The problem: find all small integers x0 s.t. f (x0) 0 mod N.

The idea: find a small polynomial g s.t. g(x0) = 0 over Z.

How to find the polynomial g:

Family ofPolynomials

(with parameter m)

B BR

LLL g

g(x0) 0 mod Nm g(x0) < Nm

} g(x0) = 0 over Z.

13

Step 1: Family of Polynomials

Consider the Family of Polynomials:

gi,j(x) = x j Nmi f i(x)

For 0 i < m and 0 j < For i = m and j = 0

Crucial Property of the Polynomials

+ gi,j(x0) xj0 Nmi Ni xj0 N

m 0 mod Nm

14

Step 2: Coppersmiths Matrix

Construction of the Matrix with |x0| < X

For i from 0 to m 1For j from 0 to 1

M[i + j] = (xX)j Nmi f i(xX)

M[m] = f m(xX)

15


Coppersmiths matrixwith m = 1

f (x) = a0 + a1x + + x

B =

N

XN

. . .X1N

a0 a1X . . . X

16


Coppersmiths matrixwith m = 2

f (x) = a0 + a1x + + x

B =

N2

XN2

. . .X1N2

a0N . . . XN

a0XN . . . X+1N

. . .. . .

a0X1N . . . X21N

a20 . . . . . . . . . X2

17


B =

Nm

XNm

. . .X1Nm

a0Nm1 . . . XNm1

a0XNm1 . . . X+1Nm1

. . .. . .

a0X1Nm1 . . . X21Nm1

. . . . . .. . .

am10 N . . . . . . X(m1)N

a0 XN . . . . . . X(m1)+1N

. . .. . .

am10 X1N . . . . . . Xm1N

am0 . . . . . . . . . Xm

18

Step 3: Lattice Reduction

A lattice is a grid which is: regular infinite

19


It is defined by a basis:

19


There is not uniqueness:

19


Lattice Reduction Problem Given an ordinary basis, find a good basis

A good basis is composed of vectors which are: relatively short nearly orthogonal

+ The Lattice Reduction problem is NP-hard.

20


A lattice is a discrete additive subgroup of Rn

Let vectors b1,b2, . . . ,bd Rn form a basis B. A lattice L is: L = {

di=1 i bi with i Z }

Some Important Properties

Dimension d of a lattice: number of vectors in the basis. Invariant of all bases of the same lattice: volume. If L is full rank (d = n), then vol(L) = |det(B)|.

21


HKZ Algorithm (Hermite, Korkine, Zolotarev)

The HKZ algorithm gives the best basis It is exponential in the dimension of the lattice

LLL Algorithm (Lenstra, Lenstra, Lovasz)

LLL is a polynomial time reduction algorithm (1982) Quality of LLL-reduced basis: exponentially poor in d Shortest vector of LLL-reduced basis:

||v|| < 2(d1)/4(det B)1/d

LLL works surprisingly well in practice

22

Step 4: Finding Small Solutions

Obtain Polynomial g such that g(x0) 0 mod Nm

First vector of the LLL-reduced basis: v = (v0, v1, . . . , vd1) Get new polynomial g(x) = v0 + v1X x + +

vd1Xd1 x

d1

Theorem: (Howgrave-Graham)

Let g(x0) 0 mod Nm with degree d 1 and |x0| < X

||g(xX)|| < Nm/

d g(x0) = 0 over Z

Condition for g(x0) = 0 over Z

2(d1)/4(det B)1/d < Nm/

d

23

Practical Results of Coppersmiths Method

In practice, for dlog2(N)e = 1024 and = 2

Upper bound for x0 2492 2496 2500 2503 2504 2505 ... 2512

Lattice Dimension n = m + 1 29 35 51 71 77 87 ... NASize of elements in B (bits) 15360 18432 26624 36864 39936 45056 ... NATime for LLL (seconds) 10.6 35.2 355 2338 4432 11426 ... NA

+ Tests performed using Magma V2.19-5.

24

Exhaustive Search

Performing exhaustive search

Split the variable x into and x.

x x

The new variable is x. Perform an exhaustive search on .

+ Complexity: 2 (LLL-reduction complexity)

25

Exhaustive Search

= 0 = 1 = 2 . . . = 255 B0 B1

B2 . . .

B255Coppersmith

Matrices

. . . BR0

BR1 BR2

. . . BR255

LLL-ReducedMatrices

x0 . . . 26

Timing / Solution size (dlog2(N)e = 1024 and = 2)

27

Other Related Results of Coppersmith

The Problem (Multivariate Modular Case):

Input: A polynomial f (x1, x2, . . . , xn) N an integer of unknown factorization

Find: All integers x1, x2, . . . , xn such that f (x1, x2, . . . , xn) 0 mod N

The Idea to Find Small Solutions (Heuristic)

Take n vectors from the LLL-reduced matrix+ n unknowns n equations over Z

28

Other Related Results of Coppersmith

The Problem (Bivariate Integer Case):

Input: A polynomial f (x, y) N an integer of unknown factorization

Find: All integers x0, y0 such that f (x0, y0) = 0 over Z

The Idea to Find Small Solutions

Take 1 vector from the LLL-reduced matrix+ 2 unknowns 2 equations over Z

29

Outline



3 Some Applications

30

RSA Cryptosystem [1]

RSA Key Generation

Generate two large primes p and q Compute N = p q and (N) = (p 1)(q 1) Select (e, d) such that ed 1 mod (N)

Encryption/Decryption Process

Alice BobC me mod N m Cd mod N

Factorize N = p q Break RSA

[1] A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Rivest, Shamir, Adleman, 1978.

31

RSA Attack with Small Exponent e

Example 1: Stereotyped messages

Example 2: Fixed pattern padding

32

RSA Attack with Small Exponent e

RSA Encryption of the message m

Ciphertext C = me mod N= (2t k + x)e mod N

Application of Coppersmiths Theorem

Consider P(x) = (2t k + x)e C 0 mod N Coppersmiths condition: |x0| < N1/e

+ If e = 3, recover m provided that 2/3 of the bits are known.

33

RSA Attack with Short Random Padding

Alice sends to Bob the ciphertext C1 = me = (k + r1)e mod N

Eve intercepts C1 so that Bob does not receive it

Alice sends to Bob the ciphertext C2 = me = (k + r2)e mod N

34


Eve knows the two polynomials:{p1(k, r1) = (k + r1)e C1 0 mod Np2(k, r2) = (k + r2)e C2 0 mod N

Perform a change of variables:{x = k + r1y = r2 r1

{

p1(x) = (x)e c1 0 mod Np2(x, y) = (x + y)e c2 0 mod N

Use resultants and Coppersmiths method

Get a new polynomial p(y) 0 mod N of degree e2

Solution y0 = r2 r1 found if |y0| < N1/e2

Compute gcd(p1(x), p2(x)) = x m

+ If e = 3, recover m provided that r1 and r2 are < N1/9.

35


Eve knows the two polynomials:{p1(k, r1) = (k + r1)e C1 0 mod Np2(k, r2) = (k + r2)e C2 0 mod N

Perform a change of variables:{x = k + r1y = r2 r1

{

p1(x) = (x)e c1 0 mod Np2(x, y) = (x + y)e c2 0 mod N

Use resultants and Coppersmiths method

Get a new polynomial p(y) 0 mod N of degree e2

Solution y0 = r2 r1 found if |y0| < N1/e2

Compute gcd(p1(x), p2(x)) = x m

+ If e = 3, recover m provided that r1 and r2 are < N1/9.35

Combined Attack on CRT-RSAWhy Public Verification Must Not Be Public?

G. Barbu, A. Battistello, G. Dabosville, C. Giraud,G. Renault, S. Renner, R. Zeitoun

(PKC 2013)

36

Signature RSA-CRT / State of the art

37


Compute gcd ( Se m ,N ) = q

[1] On the importance of Checking Cryptographic protocols for Faults. Boneh, DeMillo, Lipton, 1997.

37


37

Our Combined Attack on CRT-RSA

38

Side Channel Analysis: CPA attacks

CPA attacks: The idea

Observe a large number of executions Apply a statistic treatment to recover secret values

Target of a CPA

A sensitive value manipulated during execution of the algorithm

What is a sensitive value?Data depending on a known value (that changes from one execution to another) secret value (which remains constant)

39

Side Channel AnalysisCPA during the CRT recombination

Several Executions of RSA Signature Algorithmwith Different Input Messages mi

and a constant injected fault

Power measurements duringmanipulation of Si

e= mi + qiq

Guesses on power measurementsL H(mi, k) = L(mi + k)

Statistical treatmentCompute the Pearsons correlation coefficient

The right guess k is retrieved

For each part kof the secret qiq

40

Side Channel AnalysisCPA during the CRT recombination

0 10 20 30 40 50 60 70 80 90 1000

0.02

0.04

0.06

0.08

0.1

0.12

0.14

0.16

0.18

0.2

nb curves ( 500)

Convergence of the correlation for the 28 possible values ki for thesecret (the correct one being depicted in black) depending on thenumber of side-channel measurements (500).

41

Improvement using Coppersmiths method

42

Conclusion

Coppersmiths Method

Find small solutions to polynomial equations which are: univariate modular multivariate modular (heuristic) bivariate over the integers multivariate over the integers (heuristic)

Based on lattice techniques

Applications of Coppersmiths Method

Many applications in cryptology Useful to recover a secret when:

the secret is small part of the secret is known part of the secret is redundant

43

Conclusion

Coppersmiths Method

Find small solutions to polynomial equations which are: univariate modular multivariate modular (heuristic) bivariate over the integers multivariate over the integers (heuristic)

Based on lattice techniques

Applications of Coppersmiths Method

Many applications in cryptology Useful to recover a secret when:

the secret is small part of the secret is known part of the secret is redundant

43

Solving Polynomials and CryptologyCoppersmith's MethodSome Applications

an introduction to coppersmith's method and applications...

Documents