an introduction to coppersmith's method and applications...

Download An Introduction to Coppersmith's method and Applications ...renault/CryptoM2/PDF/Intro-Coppersmith.pdf · An Introduction to Coppersmith’s method and Applications in Cryptology

If you can't read please download the document

Upload: doandat

Post on 06-Feb-2018

221 views

Category:

Documents


0 download

TRANSCRIPT

  • An Introduction to Coppersmiths methodand Applications in Cryptology

    Rina Zeitoun

    [email protected]

    Oberthur Technologies

    Master SFPN - UPMC

    November 19th, 2015

  • Agenda

    1 Solving Polynomials and Cryptology

    2 Coppersmiths Method

    3 Some Applications

    2

  • Outline

    1 Solving Polynomials and Cryptology

    2 Coppersmiths Method

    3 Some Applications

    3

  • Algebraic Attacks

    key = ? ? ? ? ? ? ? ?

    x0 + x1 x2 + x1 x4 = 0

    x0 x1 x4 + x3 x5 + x2 = 0

    x0 x1 x3 + x0 x2 + x5 x2 = 0

    x1 = 73218

    x2 = 984

    x3 = 0

    x4 = 37984155

    x5 = 4869

    ?

    RSAFactorization of N = p qN x y = 0 + Difficult [1]

    RSAFactorization of N = p q

    N x y = 0 + DifficultWhat if more information ? [2]

    [1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.

    4

  • Algebraic Attacks

    key = 0x8C1337DA

    x0 + x1 x2 + x1 x4 = 0

    x0 x1 x4 + x3 x5 + x2 = 0

    x0 x1 x3 + x0 x2 + x5 x2 = 0

    x1 = 73218

    x2 = 984

    x3 = 0

    x4 = 37984155

    x5 = 4869

    ?

    RSAFactorization of N = p qN x y = 0 + Difficult [1]

    RSAFactorization of N = p q

    N x y = 0 + DifficultWhat if more information ? [2]

    [1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.

    4

  • Algebraic Attacks

    key = ? ? ? ? ? ? ? ?

    x0 + x1 x2 + x1 x4 = 0

    x0 x1 x4 + x3 x5 + x2 = 0

    x0 x1 x3 + x0 x2 + x5 x2 = 0

    x1 = 73218

    x2 = 984

    x3 = 0

    x4 = 37984155

    x5 = 4869

    ?

    RSAFactorization of N = p qN x y = 0 + Difficult [1]

    RSAFactorization of N = p q

    N x y = 0 + DifficultWhat if more information ? [2]

    [1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.

    [2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.

    4

  • Algebraic Attacks with AdditionalInformation

    key = ? ? ? ? ? ? ? ?

    x0 + x1 x2 + x1 x4 = 0

    x0 x1 x4 + x3 x5 + x2 = 0

    x0 x1 x3 + x0 x2 + x5 x2 = 0

    x1 = 73218

    x2 = 984

    x3 = 0

    x4 = 37984155

    x5 = 4869

    Additional Information

    x2 + x3 + 1 = 0

    x4 x1 + x5 = 0

    ?

    RSAFactorization of N = p qN x y = 0 + Difficult [1]

    RSAFactorization of N = p q

    N x y = 0 + DifficultWhat if more information ? [2]

    [1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.

    5

  • Algebraic Attacks with AdditionalInformation

    key = ? ? ? ? ? ? ? ?

    x0 + x1 x2 + x1 x4 = 0

    x0 x1 x4 + x3 x5 + x2 = 0

    x0 x1 x3 + x0 x2 + x5 x2 = 0

    x1 = 73218

    x2 = 984

    x3 = 0

    x4 = 37984155

    x5 = 4869

    Additional Information

    x2 + x3 + 1 = 0

    x4 x1 + x5 = 0

    ?

    RSAFactorization of N = p qN x y = 0 + Difficult [1]

    RSAFactorization of N = p q

    N x y = 0 + DifficultWhat if more information ? [2]

    [1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.

    [2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.

    5

  • Knowing Some Information

    f (m, . . . ) = 0 f (aB + x, . . . ) = 0

    Coppersmiths method in polynomial time (1996) [1]

    Find all small integer roots of some polynomial equations. Numerous applications in cryptology.

    [1] Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Coppersmith, 1997.

    6

  • Knowing Some Information

    f (m, . . . ) = 0 f (aB + x, . . . ) = 0

    Coppersmiths method in polynomial time (1996) [1]

    Find all small integer roots of some polynomial equations. Numerous applications in cryptology.

    [1] Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Coppersmith, 1997.

    6

  • Knowing Some Information

    f (m, . . . ) = 0 f (aB + x, . . . ) = 0

    Coppersmiths method in polynomial time (1996) [1]

    Find all small integer roots of some polynomial equations. Numerous applications in cryptology.

    [1] Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Coppersmith, 1997.

    6

  • How to get additional information ?

    Non-invasive Attacks Can allow to recover some bits of information

    7

  • How to get additional information ?

    A Diode Laser Station(picture from Riscure Inspector Data Sheet)

    Invasive Attacks Can modify some secret data

    8

  • Algebraic Attacks with Side-ChannelInformation

    key = 0x8C1337DA

    x0 + x1 x2 + x1 x4 = 0

    x0 x1 x4 + x3 x5 + x2 = 0

    x0 x1 x3 + x0 x2 + x5 x2 = 0

    x1 = 73218

    x2 = 984

    x3 = 0

    x4 = 37984155

    x5 = 4869

    x1 + 1 =0

    x4 + x1 + 12 = 0

    x3 + 27 =0

    x2 + 31 = 0

    9

  • Outline

    1 Solving Polynomials and Cryptology

    2 Coppersmiths Method

    3 Some Applications

    10

  • Don Coppersmith

    Don Coppersmith was born in 1950 in America. Holds a doctorate in mathematics from Harvard University. Played a major part of the design of DES within the IBM team. One of the designers of MARS (finalist for the AES). Famous for his works on discrete logarithms, cryptanalysis of

    RSA, rapid matrix multiplication.

    11

  • Coppersmiths Theorem

    The Problem (Univariate Modular Case):

    Input: A polynomial f (x) = x + ad1x1 + + a1x + a0. N an integer of unknown factorization.

    Find: All integers x0 such that f (x0) 0 mod N.

    Coppersmiths Theorem for the Univariate Modular case

    The solutions x0 can be found in polynomial time in log(N) if

    |x0| < N1/ .

    12

  • Coppersmiths Theorem

    The Problem (Univariate Modular Case):

    Input: A polynomial f (x) = x + ad1x1 + + a1x + a0. N an integer of unknown factorization.

    Find: All integers x0 such that f (x0) 0 mod N.

    Coppersmiths Theorem for the Univariate Modular case

    The solutions x0 can be found in polynomial time in log(N) if

    |x0| < N1/ .

    12

  • Coppersmiths Method(Howgrave-Graham)

    The problem: find all small integers x0 s.t. f (x0) 0 mod N.

    The idea: find a small polynomial g s.t. g(x0) = 0 over Z.

    Euclidean LatticesNew small polynomial g + LLL Reduction [1].

    [1] Factoring Polynomial with rational coefficients. Lenstra, Lenstra, Lovasz, 1982.

    How to find the polynomial g:

    Family ofPolynomials

    (with parameter m)

    B BR

    LLL g

    g(x0) 0 mod Nm g(x0) < Nm

    } g(x0) = 0 over Z.

    [1] Factoring Polynomial with rational coefficients. Lenstra, Lenstra, Lovasz, 1982.

    13

  • Coppersmiths Method(Howgrave-Graham)

    The problem: find all small integers x0 s.t. f (x0) 0 mod N.

    The idea: find a small polynomial g s.t. g(x0) = 0 over Z.

    How to find the polynomial g:

    Family ofPolynomials

    (with parameter m)

    B BR

    LLL g

    g(x0) 0 mod Nm g(x0) < Nm

    } g(x0) = 0 over Z.

    13

  • Step 1: Family of Polynomials

    Consider the Family of Polynomials:

    gi,j(x) = x j Nmi f i(x)

    For 0 i < m and 0 j < For i = m and j = 0

    Crucial Property of the Polynomials

    + gi,j(x0) xj0 Nmi Ni xj0 N

    m 0 mod Nm

    14

  • Step 2: Coppersmiths Matrix

    Construction of the Matrix with |x0| < X

    For i from 0 to m 1For j from 0 to 1

    M[i + j] = (xX)j Nmi f i(xX)

    M[m] = f m(xX)

    15

  • Step 2: Coppersmiths Matrix

    Coppersmiths matrixwith m = 1

    f (x) = a0 + a1x + + x

    B =

    N

    XN

    . . .X1N

    a0 a1X . . . X

    16

  • Step 2: Coppersmiths Matrix

    Coppersmiths matrixwith m = 2

    f (x) = a0 + a1x + + x

    B =

    N2

    XN2

    . . .X1N2

    a0N . . . XN

    a0XN . . . X+1N

    . . .. . .

    a0X1N . . . X21N

    a20 . . . . . . . . . X2

    17

  • Step 2: Coppersmiths Matrix

    B =

    Nm

    XNm

    . . .X1Nm

    a0Nm1 . . . XNm1

    a0XNm1 . . . X+1Nm1

    . . .. . .

    a0X1Nm1 . . . X21Nm1

    . . . . . .. . .

    am10 N . . . . . . X(m1)N

    a0 XN . . . . . . X(m1)+1N

    . . .. . .

    am10 X1N . . . . . . Xm1N

    am0 . . . . . . . . . Xm

    18

  • Step 3: Lattice Reduction

    A lattice is a grid which is: regular infinite

    19

  • Step 3: Lattice Reduction

    It is defined by a basis:

    19

  • Step 3: Lattice Reduction

    There is not uniqueness:

    19

  • Step 3: Lattice Reduction

    Lattice Reduction Problem Given an ordinary basis, find a good basis

    A good basis is composed of vectors which are: relatively short nearly orthogonal

    + The Lattice Reduction problem is NP-hard.

    20

  • Step 3: Lattice Reduction

    A lattice is a discrete additive subgroup of Rn

    Let vectors b1,b2, . . . ,bd Rn form a basis B. A lattice L is: L = {

    di=1 i bi with i Z }

    Some Important Properties

    Dimension d of a lattice: number of vectors in the basis. Invariant of all bases of the same lattice: volume. If L is full rank (d = n), then vol(L) = |det(B)|.

    21

  • Step 3: Lattice Reduction

    HKZ Algorithm (Hermite, Korkine, Zolotarev)

    The HKZ algorithm gives the best basis It is exponential in the dimension of the lattice

    LLL Algorithm (Lenstra, Lenstra, Lovasz)

    LLL is a polynomial time reduction algorithm (1982) Quality of LLL-reduced basis: exponentially poor in d Shortest vector of LLL-reduced basis:

    ||v|| < 2(d1)/4(det B)1/d

    LLL works surprisingly well in practice

    22

  • Step 4: Finding Small Solutions

    Obtain Polynomial g such that g(x0) 0 mod Nm

    First vector of the LLL-reduced basis: v = (v0, v1, . . . , vd1) Get new polynomial g(x) = v0 + v1X x + +

    vd1Xd1 x

    d1

    Theorem: (Howgrave-Graham)

    Let g(x0) 0 mod Nm with degree d 1 and |x0| < X

    ||g(xX)|| < Nm/

    d g(x0) = 0 over Z

    Condition for g(x0) = 0 over Z

    2(d1)/4(det B)1/d < Nm/

    d

    23

  • Practical Results of Coppersmiths Method

    In practice, for dlog2(N)e = 1024 and = 2

    Upper bound for x0 2492 2496 2500 2503 2504 2505 ... 2512

    Lattice Dimension n = m + 1 29 35 51 71 77 87 ... NASize of elements in B (bits) 15360 18432 26624 36864 39936 45056 ... NATime for LLL (seconds) 10.6 35.2 355 2338 4432 11426 ... NA

    + Tests performed using Magma V2.19-5.

    24

  • Exhaustive Search

    Performing exhaustive search

    Split the variable x into and x.

    x x

    The new variable is x. Perform an exhaustive search on .

    + Complexity: 2 (LLL-reduction complexity)

    25

  • Exhaustive Search

    = 0 = 1 = 2 . . . = 255 B0 B1

    B2 . . .

    B255Coppersmith

    Matrices

    . . . BR0

    BR1 BR2

    . . . BR255

    LLL-ReducedMatrices

    x0 . . . 26

  • Timing / Solution size (dlog2(N)e = 1024 and = 2)

    27

  • Other Related Results of Coppersmith

    The Problem (Multivariate Modular Case):

    Input: A polynomial f (x1, x2, . . . , xn) N an integer of unknown factorization

    Find: All integers x1, x2, . . . , xn such that f (x1, x2, . . . , xn) 0 mod N

    The Idea to Find Small Solutions (Heuristic)

    Take n vectors from the LLL-reduced matrix+ n unknowns n equations over Z

    28

  • Other Related Results of Coppersmith

    The Problem (Bivariate Integer Case):

    Input: A polynomial f (x, y) N an integer of unknown factorization

    Find: All integers x0, y0 such that f (x0, y0) = 0 over Z

    The Idea to Find Small Solutions

    Take 1 vector from the LLL-reduced matrix+ 2 unknowns 2 equations over Z

    29

  • Outline

    1 Solving Polynomials and Cryptology

    2 Coppersmiths Method

    3 Some Applications

    30

  • RSA Cryptosystem [1]

    RSA Key Generation

    Generate two large primes p and q Compute N = p q and (N) = (p 1)(q 1) Select (e, d) such that ed 1 mod (N)

    Encryption/Decryption Process

    Alice BobC me mod N m Cd mod N

    Factorize N = p q Break RSA

    [1] A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Rivest, Shamir, Adleman, 1978.

    31

  • RSA Attack with Small Exponent e

    Example 1: Stereotyped messages

    Example 2: Fixed pattern padding

    32

  • RSA Attack with Small Exponent e

    RSA Encryption of the message m

    Ciphertext C = me mod N= (2t k + x)e mod N

    Application of Coppersmiths Theorem

    Consider P(x) = (2t k + x)e C 0 mod N Coppersmiths condition: |x0| < N1/e

    + If e = 3, recover m provided that 2/3 of the bits are known.

    33

  • RSA Attack with Short Random Padding

    Alice sends to Bob the ciphertext C1 = me = (k + r1)e mod N

    Eve intercepts C1 so that Bob does not receive it

    Alice sends to Bob the ciphertext C2 = me = (k + r2)e mod N

    34

  • RSA Attack with Short Random Padding

    Eve knows the two polynomials:{p1(k, r1) = (k + r1)e C1 0 mod Np2(k, r2) = (k + r2)e C2 0 mod N

    Perform a change of variables:{x = k + r1y = r2 r1

    {

    p1(x) = (x)e c1 0 mod Np2(x, y) = (x + y)e c2 0 mod N

    Use resultants and Coppersmiths method

    Get a new polynomial p(y) 0 mod N of degree e2

    Solution y0 = r2 r1 found if |y0| < N1/e2

    Compute gcd(p1(x), p2(x)) = x m

    + If e = 3, recover m provided that r1 and r2 are < N1/9.

    35

  • RSA Attack with Short Random Padding

    Eve knows the two polynomials:{p1(k, r1) = (k + r1)e C1 0 mod Np2(k, r2) = (k + r2)e C2 0 mod N

    Perform a change of variables:{x = k + r1y = r2 r1

    {

    p1(x) = (x)e c1 0 mod Np2(x, y) = (x + y)e c2 0 mod N

    Use resultants and Coppersmiths method

    Get a new polynomial p(y) 0 mod N of degree e2

    Solution y0 = r2 r1 found if |y0| < N1/e2

    Compute gcd(p1(x), p2(x)) = x m

    + If e = 3, recover m provided that r1 and r2 are < N1/9.

    35

  • RSA Attack with Short Random Padding

    Eve knows the two polynomials:{p1(k, r1) = (k + r1)e C1 0 mod Np2(k, r2) = (k + r2)e C2 0 mod N

    Perform a change of variables:{x = k + r1y = r2 r1

    {

    p1(x) = (x)e c1 0 mod Np2(x, y) = (x + y)e c2 0 mod N

    Use resultants and Coppersmiths method

    Get a new polynomial p(y) 0 mod N of degree e2

    Solution y0 = r2 r1 found if |y0| < N1/e2

    Compute gcd(p1(x), p2(x)) = x m

    + If e = 3, recover m provided that r1 and r2 are < N1/9.35

  • Combined Attack on CRT-RSAWhy Public Verification Must Not Be Public?

    G. Barbu, A. Battistello, G. Dabosville, C. Giraud,G. Renault, S. Renner, R. Zeitoun

    (PKC 2013)

    36

  • Signature RSA-CRT / State of the art

    37

  • Signature RSA-CRT / State of the art

    Compute gcd ( Se m ,N ) = q

    [1] On the importance of Checking Cryptographic protocols for Faults. Boneh, DeMillo, Lipton, 1997.

    37

  • Signature RSA-CRT / State of the art

    37

  • Our Combined Attack on CRT-RSA

    38

  • Our Combined Attack on CRT-RSA

    38

  • Our Combined Attack on CRT-RSA

    38

  • Side Channel Analysis: CPA attacks

    CPA attacks: The idea

    Observe a large number of executions Apply a statistic treatment to recover secret values

    Target of a CPA

    A sensitive value manipulated during execution of the algorithm

    What is a sensitive value?Data depending on a known value (that changes from one execution to another) secret value (which remains constant)

    39

  • Side Channel Analysis: CPA attacks

    CPA attacks: The idea

    Observe a large number of executions Apply a statistic treatment to recover secret values

    Target of a CPA

    A sensitive value manipulated during execution of the algorithm

    What is a sensitive value?Data depending on a known value (that changes from one execution to another) secret value (which remains constant)

    39

  • Side Channel Analysis: CPA attacks

    CPA attacks: The idea

    Observe a large number of executions Apply a statistic treatment to recover secret values

    Target of a CPA

    A sensitive value manipulated during execution of the algorithm

    What is a sensitive value?Data depending on a known value (that changes from one execution to another) secret value (which remains constant)

    39

  • Side Channel AnalysisCPA during the CRT recombination

    Several Executions of RSA Signature Algorithmwith Different Input Messages mi

    and a constant injected fault

    Power measurements duringmanipulation of Si

    e= mi + qiq

    Guesses on power measurementsL H(mi, k) = L(mi + k)

    Statistical treatmentCompute the Pearsons correlation coefficient

    The right guess k is retrieved

    For each part kof the secret qiq

    40

  • Side Channel AnalysisCPA during the CRT recombination

    Several Executions of RSA Signature Algorithmwith Different Input Messages mi

    and a constant injected fault

    Power measurements duringmanipulation of Si

    e= mi + qiq

    Guesses on power measurementsL H(mi, k) = L(mi + k)

    Statistical treatmentCompute the Pearsons correlation coefficient

    The right guess k is retrieved

    For each part kof the secret qiq

    40

  • Side Channel AnalysisCPA during the CRT recombination

    0 10 20 30 40 50 60 70 80 90 1000

    0.02

    0.04

    0.06

    0.08

    0.1

    0.12

    0.14

    0.16

    0.18

    0.2

    nb curves ( 500)

    Convergence of the correlation for the 28 possible values ki for thesecret (the correct one being depicted in black) depending on thenumber of side-channel measurements (500).

    41

  • Improvement using Coppersmiths method

    42

  • Conclusion

    Coppersmiths Method

    Find small solutions to polynomial equations which are: univariate modular multivariate modular (heuristic) bivariate over the integers multivariate over the integers (heuristic)

    Based on lattice techniques

    Applications of Coppersmiths Method

    Many applications in cryptology Useful to recover a secret when:

    the secret is small part of the secret is known part of the secret is redundant

    43

  • Conclusion

    Coppersmiths Method

    Find small solutions to polynomial equations which are: univariate modular multivariate modular (heuristic) bivariate over the integers multivariate over the integers (heuristic)

    Based on lattice techniques

    Applications of Coppersmiths Method

    Many applications in cryptology Useful to recover a secret when:

    the secret is small part of the secret is known part of the secret is redundant

    43

    Solving Polynomials and CryptologyCoppersmith's MethodSome Applications