an introduction to coppersmith's method and applications...
TRANSCRIPT
-
An Introduction to Coppersmiths methodand Applications in Cryptology
Rina Zeitoun
Oberthur Technologies
Master SFPN - UPMC
November 19th, 2015
-
Agenda
1 Solving Polynomials and Cryptology
2 Coppersmiths Method
3 Some Applications
2
-
Outline
1 Solving Polynomials and Cryptology
2 Coppersmiths Method
3 Some Applications
3
-
Algebraic Attacks
key = ? ? ? ? ? ? ? ?
x0 + x1 x2 + x1 x4 = 0
x0 x1 x4 + x3 x5 + x2 = 0
x0 x1 x3 + x0 x2 + x5 x2 = 0
x1 = 73218
x2 = 984
x3 = 0
x4 = 37984155
x5 = 4869
?
RSAFactorization of N = p qN x y = 0 + Difficult [1]
RSAFactorization of N = p q
N x y = 0 + DifficultWhat if more information ? [2]
[1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.
4
-
Algebraic Attacks
key = 0x8C1337DA
x0 + x1 x2 + x1 x4 = 0
x0 x1 x4 + x3 x5 + x2 = 0
x0 x1 x3 + x0 x2 + x5 x2 = 0
x1 = 73218
x2 = 984
x3 = 0
x4 = 37984155
x5 = 4869
?
RSAFactorization of N = p qN x y = 0 + Difficult [1]
RSAFactorization of N = p q
N x y = 0 + DifficultWhat if more information ? [2]
[1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.
4
-
Algebraic Attacks
key = ? ? ? ? ? ? ? ?
x0 + x1 x2 + x1 x4 = 0
x0 x1 x4 + x3 x5 + x2 = 0
x0 x1 x3 + x0 x2 + x5 x2 = 0
x1 = 73218
x2 = 984
x3 = 0
x4 = 37984155
x5 = 4869
?
RSAFactorization of N = p qN x y = 0 + Difficult [1]
RSAFactorization of N = p q
N x y = 0 + DifficultWhat if more information ? [2]
[1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.
[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.
4
-
Algebraic Attacks with AdditionalInformation
key = ? ? ? ? ? ? ? ?
x0 + x1 x2 + x1 x4 = 0
x0 x1 x4 + x3 x5 + x2 = 0
x0 x1 x3 + x0 x2 + x5 x2 = 0
x1 = 73218
x2 = 984
x3 = 0
x4 = 37984155
x5 = 4869
Additional Information
x2 + x3 + 1 = 0
x4 x1 + x5 = 0
?
RSAFactorization of N = p qN x y = 0 + Difficult [1]
RSAFactorization of N = p q
N x y = 0 + DifficultWhat if more information ? [2]
[1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.
5
-
Algebraic Attacks with AdditionalInformation
key = ? ? ? ? ? ? ? ?
x0 + x1 x2 + x1 x4 = 0
x0 x1 x4 + x3 x5 + x2 = 0
x0 x1 x3 + x0 x2 + x5 x2 = 0
x1 = 73218
x2 = 984
x3 = 0
x4 = 37984155
x5 = 4869
Additional Information
x2 + x3 + 1 = 0
x4 x1 + x5 = 0
?
RSAFactorization of N = p qN x y = 0 + Difficult [1]
RSAFactorization of N = p q
N x y = 0 + DifficultWhat if more information ? [2]
[1] On Hilberts Tenth Problem. Yuri Matiyasevich, 1970.
[2] Efficient Factoring Based on Partial Information. Rivest, Shamir, 1985.
5
-
Knowing Some Information
f (m, . . . ) = 0 f (aB + x, . . . ) = 0
Coppersmiths method in polynomial time (1996) [1]
Find all small integer roots of some polynomial equations. Numerous applications in cryptology.
[1] Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Coppersmith, 1997.
6
-
Knowing Some Information
f (m, . . . ) = 0 f (aB + x, . . . ) = 0
Coppersmiths method in polynomial time (1996) [1]
Find all small integer roots of some polynomial equations. Numerous applications in cryptology.
[1] Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Coppersmith, 1997.
6
-
Knowing Some Information
f (m, . . . ) = 0 f (aB + x, . . . ) = 0
Coppersmiths method in polynomial time (1996) [1]
Find all small integer roots of some polynomial equations. Numerous applications in cryptology.
[1] Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Coppersmith, 1997.
6
-
How to get additional information ?
Non-invasive Attacks Can allow to recover some bits of information
7
-
How to get additional information ?
A Diode Laser Station(picture from Riscure Inspector Data Sheet)
Invasive Attacks Can modify some secret data
8
-
Algebraic Attacks with Side-ChannelInformation
key = 0x8C1337DA
x0 + x1 x2 + x1 x4 = 0
x0 x1 x4 + x3 x5 + x2 = 0
x0 x1 x3 + x0 x2 + x5 x2 = 0
x1 = 73218
x2 = 984
x3 = 0
x4 = 37984155
x5 = 4869
x1 + 1 =0
x4 + x1 + 12 = 0
x3 + 27 =0
x2 + 31 = 0
9
-
Outline
1 Solving Polynomials and Cryptology
2 Coppersmiths Method
3 Some Applications
10
-
Don Coppersmith
Don Coppersmith was born in 1950 in America. Holds a doctorate in mathematics from Harvard University. Played a major part of the design of DES within the IBM team. One of the designers of MARS (finalist for the AES). Famous for his works on discrete logarithms, cryptanalysis of
RSA, rapid matrix multiplication.
11
-
Coppersmiths Theorem
The Problem (Univariate Modular Case):
Input: A polynomial f (x) = x + ad1x1 + + a1x + a0. N an integer of unknown factorization.
Find: All integers x0 such that f (x0) 0 mod N.
Coppersmiths Theorem for the Univariate Modular case
The solutions x0 can be found in polynomial time in log(N) if
|x0| < N1/ .
12
-
Coppersmiths Theorem
The Problem (Univariate Modular Case):
Input: A polynomial f (x) = x + ad1x1 + + a1x + a0. N an integer of unknown factorization.
Find: All integers x0 such that f (x0) 0 mod N.
Coppersmiths Theorem for the Univariate Modular case
The solutions x0 can be found in polynomial time in log(N) if
|x0| < N1/ .
12
-
Coppersmiths Method(Howgrave-Graham)
The problem: find all small integers x0 s.t. f (x0) 0 mod N.
The idea: find a small polynomial g s.t. g(x0) = 0 over Z.
Euclidean LatticesNew small polynomial g + LLL Reduction [1].
[1] Factoring Polynomial with rational coefficients. Lenstra, Lenstra, Lovasz, 1982.
How to find the polynomial g:
Family ofPolynomials
(with parameter m)
B BR
LLL g
g(x0) 0 mod Nm g(x0) < Nm
} g(x0) = 0 over Z.
[1] Factoring Polynomial with rational coefficients. Lenstra, Lenstra, Lovasz, 1982.
13
-
Coppersmiths Method(Howgrave-Graham)
The problem: find all small integers x0 s.t. f (x0) 0 mod N.
The idea: find a small polynomial g s.t. g(x0) = 0 over Z.
How to find the polynomial g:
Family ofPolynomials
(with parameter m)
B BR
LLL g
g(x0) 0 mod Nm g(x0) < Nm
} g(x0) = 0 over Z.
13
-
Step 1: Family of Polynomials
Consider the Family of Polynomials:
gi,j(x) = x j Nmi f i(x)
For 0 i < m and 0 j < For i = m and j = 0
Crucial Property of the Polynomials
+ gi,j(x0) xj0 Nmi Ni xj0 N
m 0 mod Nm
14
-
Step 2: Coppersmiths Matrix
Construction of the Matrix with |x0| < X
For i from 0 to m 1For j from 0 to 1
M[i + j] = (xX)j Nmi f i(xX)
M[m] = f m(xX)
15
-
Step 2: Coppersmiths Matrix
Coppersmiths matrixwith m = 1
f (x) = a0 + a1x + + x
B =
N
XN
. . .X1N
a0 a1X . . . X
16
-
Step 2: Coppersmiths Matrix
Coppersmiths matrixwith m = 2
f (x) = a0 + a1x + + x
B =
N2
XN2
. . .X1N2
a0N . . . XN
a0XN . . . X+1N
. . .. . .
a0X1N . . . X21N
a20 . . . . . . . . . X2
17
-
Step 2: Coppersmiths Matrix
B =
Nm
XNm
. . .X1Nm
a0Nm1 . . . XNm1
a0XNm1 . . . X+1Nm1
. . .. . .
a0X1Nm1 . . . X21Nm1
. . . . . .. . .
am10 N . . . . . . X(m1)N
a0 XN . . . . . . X(m1)+1N
. . .. . .
am10 X1N . . . . . . Xm1N
am0 . . . . . . . . . Xm
18
-
Step 3: Lattice Reduction
A lattice is a grid which is: regular infinite
19
-
Step 3: Lattice Reduction
It is defined by a basis:
19
-
Step 3: Lattice Reduction
There is not uniqueness:
19
-
Step 3: Lattice Reduction
Lattice Reduction Problem Given an ordinary basis, find a good basis
A good basis is composed of vectors which are: relatively short nearly orthogonal
+ The Lattice Reduction problem is NP-hard.
20
-
Step 3: Lattice Reduction
A lattice is a discrete additive subgroup of Rn
Let vectors b1,b2, . . . ,bd Rn form a basis B. A lattice L is: L = {
di=1 i bi with i Z }
Some Important Properties
Dimension d of a lattice: number of vectors in the basis. Invariant of all bases of the same lattice: volume. If L is full rank (d = n), then vol(L) = |det(B)|.
21
-
Step 3: Lattice Reduction
HKZ Algorithm (Hermite, Korkine, Zolotarev)
The HKZ algorithm gives the best basis It is exponential in the dimension of the lattice
LLL Algorithm (Lenstra, Lenstra, Lovasz)
LLL is a polynomial time reduction algorithm (1982) Quality of LLL-reduced basis: exponentially poor in d Shortest vector of LLL-reduced basis:
||v|| < 2(d1)/4(det B)1/d
LLL works surprisingly well in practice
22
-
Step 4: Finding Small Solutions
Obtain Polynomial g such that g(x0) 0 mod Nm
First vector of the LLL-reduced basis: v = (v0, v1, . . . , vd1) Get new polynomial g(x) = v0 + v1X x + +
vd1Xd1 x
d1
Theorem: (Howgrave-Graham)
Let g(x0) 0 mod Nm with degree d 1 and |x0| < X
||g(xX)|| < Nm/
d g(x0) = 0 over Z
Condition for g(x0) = 0 over Z
2(d1)/4(det B)1/d < Nm/
d
23
-
Practical Results of Coppersmiths Method
In practice, for dlog2(N)e = 1024 and = 2
Upper bound for x0 2492 2496 2500 2503 2504 2505 ... 2512
Lattice Dimension n = m + 1 29 35 51 71 77 87 ... NASize of elements in B (bits) 15360 18432 26624 36864 39936 45056 ... NATime for LLL (seconds) 10.6 35.2 355 2338 4432 11426 ... NA
+ Tests performed using Magma V2.19-5.
24
-
Exhaustive Search
Performing exhaustive search
Split the variable x into and x.
x x
The new variable is x. Perform an exhaustive search on .
+ Complexity: 2 (LLL-reduction complexity)
25
-
Exhaustive Search
= 0 = 1 = 2 . . . = 255 B0 B1
B2 . . .
B255Coppersmith
Matrices
. . . BR0
BR1 BR2
. . . BR255
LLL-ReducedMatrices
x0 . . . 26
-
Timing / Solution size (dlog2(N)e = 1024 and = 2)
27
-
Other Related Results of Coppersmith
The Problem (Multivariate Modular Case):
Input: A polynomial f (x1, x2, . . . , xn) N an integer of unknown factorization
Find: All integers x1, x2, . . . , xn such that f (x1, x2, . . . , xn) 0 mod N
The Idea to Find Small Solutions (Heuristic)
Take n vectors from the LLL-reduced matrix+ n unknowns n equations over Z
28
-
Other Related Results of Coppersmith
The Problem (Bivariate Integer Case):
Input: A polynomial f (x, y) N an integer of unknown factorization
Find: All integers x0, y0 such that f (x0, y0) = 0 over Z
The Idea to Find Small Solutions
Take 1 vector from the LLL-reduced matrix+ 2 unknowns 2 equations over Z
29
-
Outline
1 Solving Polynomials and Cryptology
2 Coppersmiths Method
3 Some Applications
30
-
RSA Cryptosystem [1]
RSA Key Generation
Generate two large primes p and q Compute N = p q and (N) = (p 1)(q 1) Select (e, d) such that ed 1 mod (N)
Encryption/Decryption Process
Alice BobC me mod N m Cd mod N
Factorize N = p q Break RSA
[1] A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Rivest, Shamir, Adleman, 1978.
31
-
RSA Attack with Small Exponent e
Example 1: Stereotyped messages
Example 2: Fixed pattern padding
32
-
RSA Attack with Small Exponent e
RSA Encryption of the message m
Ciphertext C = me mod N= (2t k + x)e mod N
Application of Coppersmiths Theorem
Consider P(x) = (2t k + x)e C 0 mod N Coppersmiths condition: |x0| < N1/e
+ If e = 3, recover m provided that 2/3 of the bits are known.
33
-
RSA Attack with Short Random Padding
Alice sends to Bob the ciphertext C1 = me = (k + r1)e mod N
Eve intercepts C1 so that Bob does not receive it
Alice sends to Bob the ciphertext C2 = me = (k + r2)e mod N
34
-
RSA Attack with Short Random Padding
Eve knows the two polynomials:{p1(k, r1) = (k + r1)e C1 0 mod Np2(k, r2) = (k + r2)e C2 0 mod N
Perform a change of variables:{x = k + r1y = r2 r1
{
p1(x) = (x)e c1 0 mod Np2(x, y) = (x + y)e c2 0 mod N
Use resultants and Coppersmiths method
Get a new polynomial p(y) 0 mod N of degree e2
Solution y0 = r2 r1 found if |y0| < N1/e2
Compute gcd(p1(x), p2(x)) = x m
+ If e = 3, recover m provided that r1 and r2 are < N1/9.
35
-
RSA Attack with Short Random Padding
Eve knows the two polynomials:{p1(k, r1) = (k + r1)e C1 0 mod Np2(k, r2) = (k + r2)e C2 0 mod N
Perform a change of variables:{x = k + r1y = r2 r1
{
p1(x) = (x)e c1 0 mod Np2(x, y) = (x + y)e c2 0 mod N
Use resultants and Coppersmiths method
Get a new polynomial p(y) 0 mod N of degree e2
Solution y0 = r2 r1 found if |y0| < N1/e2
Compute gcd(p1(x), p2(x)) = x m
+ If e = 3, recover m provided that r1 and r2 are < N1/9.
35
-
RSA Attack with Short Random Padding
Eve knows the two polynomials:{p1(k, r1) = (k + r1)e C1 0 mod Np2(k, r2) = (k + r2)e C2 0 mod N
Perform a change of variables:{x = k + r1y = r2 r1
{
p1(x) = (x)e c1 0 mod Np2(x, y) = (x + y)e c2 0 mod N
Use resultants and Coppersmiths method
Get a new polynomial p(y) 0 mod N of degree e2
Solution y0 = r2 r1 found if |y0| < N1/e2
Compute gcd(p1(x), p2(x)) = x m
+ If e = 3, recover m provided that r1 and r2 are < N1/9.35
-
Combined Attack on CRT-RSAWhy Public Verification Must Not Be Public?
G. Barbu, A. Battistello, G. Dabosville, C. Giraud,G. Renault, S. Renner, R. Zeitoun
(PKC 2013)
36
-
Signature RSA-CRT / State of the art
37
-
Signature RSA-CRT / State of the art
Compute gcd ( Se m ,N ) = q
[1] On the importance of Checking Cryptographic protocols for Faults. Boneh, DeMillo, Lipton, 1997.
37
-
Signature RSA-CRT / State of the art
37
-
Our Combined Attack on CRT-RSA
38
-
Our Combined Attack on CRT-RSA
38
-
Our Combined Attack on CRT-RSA
38
-
Side Channel Analysis: CPA attacks
CPA attacks: The idea
Observe a large number of executions Apply a statistic treatment to recover secret values
Target of a CPA
A sensitive value manipulated during execution of the algorithm
What is a sensitive value?Data depending on a known value (that changes from one execution to another) secret value (which remains constant)
39
-
Side Channel Analysis: CPA attacks
CPA attacks: The idea
Observe a large number of executions Apply a statistic treatment to recover secret values
Target of a CPA
A sensitive value manipulated during execution of the algorithm
What is a sensitive value?Data depending on a known value (that changes from one execution to another) secret value (which remains constant)
39
-
Side Channel Analysis: CPA attacks
CPA attacks: The idea
Observe a large number of executions Apply a statistic treatment to recover secret values
Target of a CPA
A sensitive value manipulated during execution of the algorithm
What is a sensitive value?Data depending on a known value (that changes from one execution to another) secret value (which remains constant)
39
-
Side Channel AnalysisCPA during the CRT recombination
Several Executions of RSA Signature Algorithmwith Different Input Messages mi
and a constant injected fault
Power measurements duringmanipulation of Si
e= mi + qiq
Guesses on power measurementsL H(mi, k) = L(mi + k)
Statistical treatmentCompute the Pearsons correlation coefficient
The right guess k is retrieved
For each part kof the secret qiq
40
-
Side Channel AnalysisCPA during the CRT recombination
Several Executions of RSA Signature Algorithmwith Different Input Messages mi
and a constant injected fault
Power measurements duringmanipulation of Si
e= mi + qiq
Guesses on power measurementsL H(mi, k) = L(mi + k)
Statistical treatmentCompute the Pearsons correlation coefficient
The right guess k is retrieved
For each part kof the secret qiq
40
-
Side Channel AnalysisCPA during the CRT recombination
0 10 20 30 40 50 60 70 80 90 1000
0.02
0.04
0.06
0.08
0.1
0.12
0.14
0.16
0.18
0.2
nb curves ( 500)
Convergence of the correlation for the 28 possible values ki for thesecret (the correct one being depicted in black) depending on thenumber of side-channel measurements (500).
41
-
Improvement using Coppersmiths method
42
-
Conclusion
Coppersmiths Method
Find small solutions to polynomial equations which are: univariate modular multivariate modular (heuristic) bivariate over the integers multivariate over the integers (heuristic)
Based on lattice techniques
Applications of Coppersmiths Method
Many applications in cryptology Useful to recover a secret when:
the secret is small part of the secret is known part of the secret is redundant
43
-
Conclusion
Coppersmiths Method
Find small solutions to polynomial equations which are: univariate modular multivariate modular (heuristic) bivariate over the integers multivariate over the integers (heuristic)
Based on lattice techniques
Applications of Coppersmiths Method
Many applications in cryptology Useful to recover a secret when:
the secret is small part of the secret is known part of the secret is redundant
43
Solving Polynomials and CryptologyCoppersmith's MethodSome Applications