## Section: New Results

### Cryptanalysis (Mathematical)

Participants : Gaëtan Leurent, David Naccache, Phong Quang Nguyen, Mehdi Tibouchi.

**Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
(Journal of Cryptology, 2009)**

Lattice-based signature schemes following the Goldreich-Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer's secret key, but this does not necessarily imply that such schemes are insecure. We present a practical and provable method to attack signature schemes à la GGH, by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUsign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUsign-251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.
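As an added illustration (not part of the article, and a toy rather than the attack itself), the following Python script runs the learning step in dimension 2: points drawn uniformly from the parallelepiped spanned by a constructed secret basis are whitened using the estimated covariance (a Cholesky factor stands in for the symmetric square root used in the article), then the fourth moment is minimised over the unit circle by gradient descent with backtracking; each minimiser, mapped back through the whitening and rounded, is a row of the basis up to sign. The basis `SECRET_BASIS`, the sample size and the random seed are constructed for the example; the real attack works on NTRUsign signatures in dimension 502, where the NTRU symmetries make a few hundred signatures enough.

```python
import math
import random

# Constructed toy instance: a 2x2 integer basis standing in for the secret
# GGH/NTRU basis. The real attack runs in dimension 502 on NTRUsign signatures.
SECRET_BASIS = [[3, 1], [-1, 2]]


def parallelepiped_samples(V, n_samples, rng):
    """Points x V with x uniform in [-1,1]^2, i.e. uniform over the
    parallelepiped spanned by the rows of V (what GGH-style signatures leak)."""
    (a, b), (c, d) = V
    out = []
    for _ in range(n_samples):
        x1, x2 = rng.uniform(-1.0, 1.0), rng.uniform(-1.0, 1.0)
        out.append((x1 * a + x2 * c, x1 * b + x2 * d))
    return out


def inverse_2x2(M):
    (a, b), (c, d) = M
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]


def cholesky_2x2(M):
    """Lower-triangular L with L L^T = M for a symmetric positive definite M."""
    (a, b), (_, d) = M
    l11 = math.sqrt(a)
    l21 = b / l11
    return [[l11, 0.0], [l21, math.sqrt(d - l21 * l21)]]


def canonical(v):
    """Identify v with -v (the descent finds both signs of each row)."""
    v = tuple(int(a) for a in v)
    lead = next((a for a in v if a), 0)
    return v if lead >= 0 else tuple(-a for a in v)


def learn_parallelepiped(samples):
    """Nguyen-Regev style recovery: whiten the samples into a square, then
    minimise the fourth moment over the unit circle by gradient descent.
    Every local minimum is +-(a row of the whitened basis)."""
    N = len(samples)
    # E[s^T s] = V^T V / 3, so G estimates V^T V.
    g11 = 3.0 * sum(a * a for a, _ in samples) / N
    g12 = 3.0 * sum(a * b for a, b in samples) / N
    g22 = 3.0 * sum(b * b for _, b in samples) / N
    L = cholesky_2x2(inverse_2x2([[g11, g12], [g12, g22]]))  # L L^T = G^-1
    L_inv = inverse_2x2(L)
    # Whitened samples s L: uniform over a square whose sides are the rows of V L.
    W = [(a * L[0][0] + b * L[1][0], a * L[0][1] + b * L[1][1]) for a, b in samples]

    def mom4(w0, w1):
        return sum((a * w0 + b * w1) ** 4 for a, b in W) / N

    def grad(w0, w1):
        y3 = [(a * w0 + b * w1) ** 3 for a, b in W]
        return (4.0 * sum(y * a for y, (a, _) in zip(y3, W)) / N,
                4.0 * sum(y * b for y, (_, b) in zip(y3, W)) / N)

    def normalize(w0, w1):
        r = math.hypot(w0, w1)
        return w0 / r, w1 / r

    found = set()
    for w in ((1.0, 0.0), (0.0, 1.0), (-1.0, 0.0), (0.0, -1.0)):  # starting directions
        step, cur = 0.5, mom4(*w)
        while step > 1e-4:  # descent with backtracking on the step size
            g = grad(*w)
            cand = normalize(w[0] - step * g[0], w[1] - step * g[1])
            val = mom4(*cand)
            if val < cur:
                w, cur = cand, val
            else:
                step /= 2
        # Undo the whitening: the minimiser c is a row of V L, so c L^-1 is a row of V.
        v = (w[0] * L_inv[0][0] + w[1] * L_inv[1][0],
             w[0] * L_inv[0][1] + w[1] * L_inv[1][1])
        found.add(canonical((round(v[0]), round(v[1]))))
    return found


def demo(seed=7, n_samples=5000):
    rng = random.Random(seed)
    return learn_parallelepiped(parallelepiped_samples(SECRET_BASIS, n_samples, rng))


if __name__ == "__main__":
    print("rows recovered up to sign:", demo())  # {(3, 1), (1, -2)}
```

The two recovered rows come out as (3, 1) and (1, -2), i.e. the secret basis up to the sign of each row, which is all the attack needs: any choice of signs is an equally good signing key. Rounding the last step is what turns the approximation into the exact key; in the article the same rounding is what makes 400 signatures sufficient against NTRUsign-251.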

**Factoring pq^{2} with Quadratic Forms: Nice Cryptanalyses (ASIACRYPT '09)**

Factoring integers remains the most famous hard computational
problem used in cryptology.
Yet, there are many open questions regarding the complexity of
factoring. For instance, we do not even know if numbers of the form
N = pq where p and q are distinct primes are easier or harder to
factor than numbers of the form N = pq^{2} .
The former numbers are used in RSA. The latter numbers are used in
many public-key cryptosystems, such as the ESIGN signature scheme,
because their structure allows special properties such as improved
efficiency or unusual features.
This article [30] presents a new algorithm to
factor numbers of the form N = pq^{2} when special properties are met,
related to the so-called NICE family of public-key cryptosystems
based on quadratic fields, which was introduced in the 1990s.
The main member of the NICE family was recently broken at
EUROCRYPT '09, but this article presents an alternative attack which
can apply to the whole NICE family.
In particular, the article presents a heuristic algorithm to obtain
a squarefree factorization N = pq^{2} when the regulator of
is small, and this algorithm works very
well in practice.
The results are based on combining Lagrange's classical reduction of
quadratic forms with a well-known cryptanalysis technique to find
small roots of polynomial equations, due to Coppersmith.

**Factoring Unbalanced Moduli with Known Bits (ICISC '09)**

In the particular case where n = pq > q^{3}, we describe an
LLL-based method allowing one to factor n given 2 log_{2} q contiguous
bits of p, irrespective of their position. A second method is
presented, which needs fewer bits but whose length depends on the
position of the known bit pattern. Finally, we introduce a somewhat
surprising ad hoc method where two different known bit chunks,
totalling bits, suffice to factor n.
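As an added example (not the paper's method, and weaker than it), the following Python script shows the lattice idea behind factoring with known bits in its simplest form: the known bits are the most significant bits of p, and a two-dimensional lattice reduced with the Lagrange-Gauss algorithm replaces LLL. With n = pq and p0 the known approximation of p, the vectors (n, 0) and (p0, X) span the lattice of polynomials g(x) = a n + b (p0 + x) that vanish at x0 = p - p0 modulo p; when X is below about p/(2q), the shortest vector gives a g with g(x0) = 0 over the integers, which yields p. This only works for unbalanced moduli (for balanced ones the bound is below 1) and needs a little more than log_{2} q leading bits of p; the paper's methods handle a chunk at an arbitrary position. The primes, sizes and seed in `build_instance` are constructed for the example.

```python
import random
from fractions import Fraction


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; used only to build the constructed toy modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c


def gauss_reduce(u, v):
    """Lagrange-Gauss reduction of a 2-dimensional integer lattice basis;
    returns (shortest vector, second vector). Plays the role of LLL here."""
    def dot(a, b):
        return a[0] * b[0] + a[1] * b[1]
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        m = round(Fraction(dot(u, v), dot(u, u)))  # nearest integer to <u,v>/<u,u>
        if m == 0:
            return u, v
        v = (v[0] - m * u[0], v[1] - m * u[1])
        if dot(u, u) > dot(v, v):
            u, v = v, u


def factor_with_known_msb(n, p0, X):
    """n = p q, p = p0 + x0 with 0 <= x0 < X (p0 = known high bits of p).
    A lattice vector (a n + b p0, b X) encodes g(x) = a n + b (p0 + x), which
    vanishes at x0 modulo p. When X is below about p/(2q), the shortest vector
    gives a g with g(x0) = 0 over the integers, so x0 = -(a n + b p0) / b."""
    for coef, bX in gauss_reduce((n, 0), (p0, X)):
        b = bX // X                       # second coordinate is always a multiple of X
        if b == 0 or coef % b:
            continue
        cand = p0 - coef // b             # p0 + x0
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def build_instance(seed=2009, p_bits=300, q_bits=100, unknown_bits=190):
    """Constructed unbalanced modulus n = p q > q^3 with the low
    `unknown_bits` bits of p erased; returns (n, p, q, p0, X)."""
    rng = random.Random(seed)
    p, q = random_prime(p_bits, rng), random_prime(q_bits, rng)
    p0 = (p >> unknown_bits) << unknown_bits
    return p * q, p, q, p0, 1 << unknown_bits


if __name__ == "__main__":
    n, p, q, p0, X = build_instance()
    print("recovered p:", factor_with_known_msb(n, p0, X) == p)
```

Here p has 300 bits, q has 100, and 190 low bits of p are unknown, comfortably below the 2^{198} or so that the two-dimensional bound allows; the target vector is (q x0, -qX), whose norm is far below the square root of the lattice determinant nX, so it is the unique shortest vector and Gauss reduction returns it. Shrinking the gap between p and q (or enlarging X) makes the recovery fail, which is the point at which the higher-dimensional Coppersmith lattices of the paper become necessary.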

**Oracle-Assisted Static Diffie-Hellman Is Easier Than Discrete
Logarithms (Cryptography and Coding, 2009)**

This paper extends Joux-Naccache-Thomé's e-th root algorithm [73] to the static Diffie-Hellman problem (SDHP). The new algorithm can be adapted to diverse finite fields by customizing it with an NFS-like core or an FFS-like core. In both cases, after a number of SDHP oracle queries, the attacker builds up the ability to solve new SDHP instances unknown before the query phase. While sub-exponential, the algorithm is still significantly faster than all currently known DLP and SDHP resolution methods. We explore the applicability of the technique to various cryptosystems. The attacks were implemented in and also in , for a 516-bit p.

**How Risky is the Random-Oracle Model? (CRYPTO '09)**

The Random-Oracle Model (ROM) is a widespread methodology popularized by Bellare and Rogaway in 1993 to prove security properties by modeling hash functions as random oracles: several standardized RSA schemes are provably secure in the ROM. There are well-known pros and cons to the ROM, but this article [45] presents new issues. The first contribution is to show that the random-oracle instantiations proposed in the literature for the special case of long hash output (as required in certain RSA signature schemes) are not satisfactory: in particular, the 1993 proposal by Bellare and Rogaway is completely insecure. The second contribution is to highlight the lack of granularity of the ROM: the article shows that the security of certain recent cryptographic schemes provably secure in the ROM completely collapses with the slightest defect in the hash function; for instance, a hash collision may suffice to disclose the secret key. This is however not the case for most schemes secure in the ROM, which implies that a ROM security proof alone is insufficient to compare the actual security guarantees of schemes.

**Practical Cryptanalysis of ISO/IEC 9796-2 and EMV Signatures
(CRYPTO '09)**

In 1999, Coron, Naccache and Stern [69] discovered
an existential signature forgery for two popular RSA signature
standards, ISO/IEC 9796-1 and 2. Following this attack, ISO/IEC
9796-1 was withdrawn. ISO/IEC 9796-2 was amended by increasing the
message digest to at least 160 bits. Attacking this amended version
required at least 2^{61} operations.
In this paper, we exhibit algorithmic refinements allowing one to attack
the amended (currently valid) version of ISO/IEC 9796-2 for all
modulus sizes. A practical forgery was computed in only two days
using 19 servers on the Amazon EC2 grid for a total cost of
US$800. The forgery was implemented for e = 2, but attacking
odd exponents will not take longer. The forgery was computed for the
RSA-2048 challenge modulus, whose factorization is still unknown.

The new attack blends several theoretical tools. These do not change the asymptotic complexity of Coron et al.'s technique but significantly accelerate it for parameter values previously considered beyond reach.

While less efficient (US$45,000), the acceleration also extends to EMV signatures. EMV is an ISO/IEC 9796-2-compliant format with extra redundancy. Luckily, this attack does not threaten any of the 730 million EMV payment cards in circulation for operational reasons.

Costs are per modulus: after a first forgery for a given modulus, obtaining more forgeries is virtually immediate.
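The mechanism underlying both the 1999 attack and its 2009 acceleration is the Desmedt-Odlyzko forgery: obtain legitimate signatures on chosen messages whose encodings μ(m) are smooth, find a multiplicative relation among the encodings modulo e by linear algebra over the exponent vectors, and combine the signatures into one on a message that was never signed. The Python script below, added here and not taken from the paper, runs that generic method against a toy ISO/IEC 9796-2-style encoding 6A ∥ m[1] ∥ H(m) ∥ BC with a 1-byte m[1], a hash truncated to 8 bits, a 36-bit modulus and e = 3. Those sizes are constructed so that the demo runs in seconds; the paper's contribution is precisely what makes the same idea feasible at 160-bit digests and 2048-bit moduli (size reduction of the values to be tested for smoothness, fast smoothness detection and sieving), none of which is modelled here. Note that the smoothness bound, the message counter and the constant `P`, `Q`, `E` are assumptions of the example.

```python
import hashlib
from itertools import count

# Constructed toy RSA key. The paper's forgery targets the RSA-2048 challenge
# modulus; these primes are small so that the demo runs in seconds.
P, Q, E = 65537, 999983, 3
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def mu(m: bytes) -> int:
    """Toy ISO/IEC 9796-2 style encoding 6A || m[1] || H(m) || BC, with a
    1-byte m[1] and a hash truncated to 8 bits (the amended standard requires
    at least 160 bits; the truncation is what keeps this toy cheap)."""
    h = hashlib.sha256(m).digest()[:1]
    return int.from_bytes(b"\x6a" + m[:1] + h + b"\xbc", "big")


def sign(m: bytes) -> int:  # the legitimate signer, i.e. the attacker's oracle
    return pow(mu(m), D, N)


def verify(m: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == mu(m)


def primes_up_to(B):
    sieve = bytearray([1]) * (B + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(B ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def smooth_exponents(x, primes):
    """Exponent vector of x over `primes`, or None if x is not B-smooth."""
    exps = []
    for p in primes:
        k = 0
        while x % p == 0:
            x //= p
            k += 1
        exps.append(k)
    return exps if x == 1 else None


def left_kernel_vector(rows, e):
    """Nonzero gamma with sum(gamma[i] * rows[i]) == 0 mod e (e prime), by
    Gaussian elimination on [M | I]; requires len(rows) > len(rows[0])."""
    R, C = len(rows), len(rows[0])
    M = [[x % e for x in r] + [int(i == j) for j in range(R)] for i, r in enumerate(rows)]
    rank = 0
    for col in range(C):
        piv = next((r for r in range(rank, R) if M[r][col]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], -1, e)
        M[rank] = [x * inv % e for x in M[rank]]
        for r in range(R):
            if r != rank and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % e for x, y in zip(M[r], M[rank])]
        rank += 1
    return M[rank][C:]  # row `rank` is zero in its M part; its I part is the relation


def desmedt_odlyzko_forgery(B=512):
    """Collect messages with B-smooth encodings, find a multiplicative relation
    mod E, and turn oracle signatures on the other messages into a signature
    on one message that was never submitted to the signer."""
    primes = primes_up_to(B)
    msgs, vecs, seen = [], [], set()
    for i in count():
        m = i.to_bytes(4, "little")  # little-endian so that m[1] varies
        val = mu(m)
        v = smooth_exponents(val, primes)
        if v is not None and val not in seen:
            seen.add(val)
            msgs.append(m)
            vecs.append(v)
            if len(vecs) > len(primes):
                break
    gamma = left_kernel_vector(vecs, E)
    t = next(i for i, g in enumerate(gamma) if g)  # the target message
    scale = pow(gamma[t], -1, E)
    gamma = [g * scale % E for g in gamma]  # now gamma[t] == 1
    # prod_i mu_i^gamma_i = prod_j p_j^(E k_j); every k_j is an integer by construction
    k = [sum(g * v[j] for g, v in zip(gamma, vecs)) // E for j in range(len(primes))]
    sigma = 1
    for p, kj in zip(primes, k):
        sigma = sigma * pow(p, kj, N) % N
    queried = []
    for i, g in enumerate(gamma):
        if i != t and g:
            queried.append(msgs[i])
            sigma = sigma * pow(sign(msgs[i]), -g, N) % N  # oracle signatures
    return msgs[t], sigma, queried


if __name__ == "__main__":
    target, sigma, queried = desmedt_odlyzko_forgery()
    print("forged signature verifies:", verify(target, sigma),
          "| target was signed by the oracle:", target in queried)
```

Two properties of the paper's setting survive even in this toy: the private key is never used except inside the signing oracle (the attacker does not factor N, just as the real forgery was computed on the still-unfactored RSA-2048 modulus), and once the relation matrix has been built for a modulus, any further smooth encoding found can be expressed in terms of the same signatures, which is why the costs quoted above are per modulus and additional forgeries are virtually immediate.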