Team Cascade


Section: New Results

Cryptanalysis (Mathematical)

Participants : Gaëtan Leurent, David Naccache, Phong Quang Nguyen, Mehdi Tibouchi.

Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures (Journal of Cryptology, 2009)

Lattice-based signature schemes following the Goldreich-Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer's secret key, but this does not necessarily imply that such schemes are insecure. We present a practical and provable method to attack signature schemes à la GGH, by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUsign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUsign-251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.
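As an added illustration (not code from the report or from the Nguyen-Regev paper), the following toy simulation in a small dimension shows where the leakage comes from: a GGH-style signature is the Babai round-off of the message with the secret basis B, so m - s always lies in the fundamental parallelepiped of B, and the second moment of those differences already reveals the Gram matrix B Bᵀ (the step that reduces the parallelepiped to a hypercube before the gradient descent). The dimension, the secret basis and the messages are constructed toy values, and the code assumes numpy is available.

```python
import numpy as np


def random_secret_basis(n, rng, scale=20):
    """Constructed toy secret basis: a random integer matrix whose columns
    play the role of the short private vectors of a GGH/NTRU-style key."""
    while True:
        b = rng.integers(-scale, scale + 1, size=(n, n)).astype(float)
        if abs(np.linalg.det(b)) > 1:
            return b


def ggh_sign(message, secret_basis):
    """Babai round-off with the secret basis: s = B * round(B^-1 m).
    s is a lattice point and m - s = B x with x in [-1/2, 1/2)^n, i.e.
    the difference lies in the fundamental parallelepiped of B."""
    coeffs = np.rint(np.linalg.solve(secret_basis, message))
    return secret_basis @ coeffs


def toy_signature_ok(n=4, seed=7):
    """Sanity check on one signature: s is a lattice point and the distance
    |m - s| is bounded by half the sum of the column norms of B."""
    rng = np.random.default_rng(seed)
    b = random_secret_basis(n, rng)
    m = rng.uniform(-1e5, 1e5, size=n)  # constructed random message
    s = ggh_sign(m, b)
    coeffs = np.linalg.solve(b, s)
    half_diag = 0.5 * np.linalg.norm(b, axis=0).sum()
    return bool(np.allclose(coeffs, np.rint(coeffs))
                and np.linalg.norm(m - s) <= half_diag)


def gram_from_signatures(secret_basis, num_sigs, rng):
    """Estimate B B^T from the differences m - s of simulated signatures only.
    With x uniform on [-1/2, 1/2)^n, E[(m-s)(m-s)^T] = B B^T / 12."""
    n = secret_basis.shape[0]
    diffs = np.empty((num_sigs, n))
    for i in range(num_sigs):
        m = rng.uniform(-1e5, 1e5, size=n)  # constructed random message
        diffs[i] = m - ggh_sign(m, secret_basis)
    return 12.0 * (diffs.T @ diffs) / num_sigs


def leakage_error(n=4, num_sigs=20000, seed=1):
    """Relative Frobenius error between the Gram matrix estimated from the
    signatures and the true B B^T; it shrinks roughly like 1/sqrt(num_sigs)."""
    rng = np.random.default_rng(seed)
    b = random_secret_basis(n, rng)
    true_gram = b @ b.T
    est = gram_from_signatures(b, num_sigs, rng)
    return float(np.linalg.norm(est - true_gram) / np.linalg.norm(true_gram))
```

The estimate converges to B Bᵀ although the simulated verifier never sees B, which is exactly why the paper's countermeasure discussion centres on perturbing or randomising the signing step.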

Factoring $pq^2$ with Quadratic Forms: Nice Cryptanalyses (ASIACRYPT '09)

Factoring integers remains the most famous hard computational problem used in cryptology. Yet, there are many open questions regarding the complexity of factoring. For instance, we do not even know if numbers of the form $N = pq$, where p and q are distinct primes, are easier or harder to factor than numbers of the form $N = pq^2$. The former numbers are used in RSA. The latter numbers are used in many public-key cryptosystems, such as the ESIGN signature scheme, because their structure allows special properties such as improved efficiency or unusual features. This article [30] presents a new algorithm to factor numbers of the form $N = pq^2$ when special properties are met, related to the so-called NICE family of public-key cryptosystems based on quadratic fields, which was introduced in the 1990s. The main member of the NICE family was recently broken at EUROCRYPT '09, but this article presents an alternative attack which can apply to the whole NICE family. In particular, the article presents a heuristic algorithm to obtain a squarefree factorization $N = pq^2$ when the regulator of $\mathbb{Q}(\sqrt{p})$ is small, and this algorithm works very well in practice. The results are based on combining Lagrange's classical reduction of quadratic forms with a well-known cryptanalysis technique to find small roots of polynomial equations, due to Coppersmith.

Factoring Unbalanced Moduli with Known Bits (ICISC '09)

In the particular case where $n = pq > q^3$, we describe an LLL-based method that factors n given $2\log_2 q$ contiguous bits of p, irrespective of their position. A second method is presented, which needs fewer bits but whose length depends on the position of the known bit pattern. Finally, we introduce a somewhat surprising ad hoc method where two different known bit chunks, totalling $\frac{3}{2}\log_2 q$ bits, suffice to factor n.

Oracle-Assisted Static Diffie-Hellman Is Easier Than Discrete Logarithms (Cryptography and Coding, 2009)

This paper extends Joux-Naccache-Thomé's $e$-th root algorithm [73] to the static Diffie-Hellman problem (SDHP). The new algorithm can be adapted to diverse finite fields by customizing it with an NFS-like core or an FFS-like core. In both cases, after a number of SDHP oracle queries, the attacker builds up the ability to solve new SDHP instances unknown before the query phase. While sub-exponential, the algorithm is still significantly faster than all currently known DLP and SDHP resolution methods. We explore the applicability of the technique to various cryptosystems. The attacks were implemented in $\mathbb{F}_{2^{1025}}$ and also in $\mathbb{F}_p$, for a 516-bit p.

How Risky is the Random-Oracle Model? (CRYPTO '09)

The Random-Oracle Model (ROM) is a widespread methodology popularized by Bellare and Rogaway in 1993 to prove security properties by modeling hash functions as random oracles: several standardized RSA schemes are provably secure in the ROM. There are well-known pros and cons to the ROM, but this article [45] presents new issues. The first contribution is to show that the random-oracle instantiations proposed in the literature for the special case of long hash output (as required in certain RSA signature schemes) are not satisfactory: in particular, the 1993 proposal by Bellare and Rogaway is completely insecure. The second contribution is to highlight the lack of granularity of the ROM: the article shows that the security of certain recent cryptographic schemes provably secure in the ROM completely collapses with the slightest defect in the hash function; for instance, a hash collision may suffice to disclose the secret key. This is however not the case for most schemes secure in the ROM, which implies that a ROM security proof alone is insufficient to compare the actual security guarantees of schemes.

Practical Cryptanalysis of ISO/IEC 9796-2 and EMV Signatures (CRYPTO '09)

In 1999, Coron, Naccache and Stern [69] discovered an existential signature forgery for two popular RSA signature standards, ISO/IEC 9796-1 and 2. Following this attack ISO/IEC 9796-1 was withdrawn. ISO/IEC 9796-2 was amended by increasing the message digest to at least 160 bits. Attacking this amended version required at least $2^{61}$ operations. In this paper, we exhibit algorithmic refinements that attack the amended (currently valid) version of ISO/IEC 9796-2 for all modulus sizes. A practical forgery was computed in only two days using 19 servers on the Amazon EC2 grid for a total cost of US$800. The forgery was implemented for e = 2 but attacking odd exponents will not take longer. The forgery was computed for the RSA-2048 challenge modulus, whose factorization is still unknown.

The new attack blends several theoretical tools. These do not change the asymptotic complexity of Coron et al.'s technique but significantly accelerate it for parameter values previously considered beyond reach.

While less efficient (US$45,000), the acceleration also extends to EMV signatures. EMV is an ISO/IEC 9796-2-compliant format with extra redundancy. Luckily, this attack does not threaten any of the 730 million EMV payment cards in circulation for operational reasons.

Costs are per modulus: after a first forgery for a given modulus, obtaining more forgeries is virtually immediate.
