Space cardioid

From formulasearchengine
Jump to navigation Jump to search

Coppersmith's attack describes a class of attacks on the public-key cryptosystem RSA based on Coppersmith's theorem (see below). The public key in the RSA system is a tuple of integers (N,e), where N is the product of two primes p and q. The secret key is given by an integer d satisfying ed1mod(p1)(q1); equivalently, the secret key may be given by dpdmod(p1) and dqdmod(q1) if the Chinese remainder theorem is used to improve the speed of decryption, see CRT-RSA. Encryption of a message M produces the ciphertext CMemodN which can be decrypted using d by computing CdMmodN.

Coppersmith's theorem has many applications in attacking RSA specifically if the public exponent e is small or if partial knowledge of the secret key is available.

Low Public Exponent Attack

In order to reduce encryption or signature-verification time, it is useful to use a small public exponent (e). In practice, common choices for e are 3, 17 and 65537 (216+1).[1] These values for e are Fermat primes, sometimes referred to as F0,F2 and F4 respectively (Fx=22x+1). They are chosen because they make the modular exponentiation operation faster. Also, having chosen such e, it is simpler to test whether gcd(e,p1)=1 and gcd(e,q1)=1 while generating and testing the primes in step 1 of the key generation. Values of p or q that fail this test can be rejected there and then. (Even better: if e is prime and greater than 2 then the test pmode1 can replace the more expensive test gcd(p1,e)=1.
If the public exponent is small and the plaintext m is very short, then the RSA function may be easy to invert which makes certain attacks possible. Padding schemes ensure that messages have full lengths but additionally choosing public exponent e=216+1 is recommended. When this value is used, signature-verification requires 17 multiplications, as opposed to about 25 when a random e of similar size is used. Unlike low private exponent (see Wiener's Attack), attacks that apply when a small e is used are far from a total break which would recover the secret key d. The most powerful attacks on low public exponent RSA are based on the following theorem which is due to Don Coppersmith.

Theorem 1 (Coppersmith)[2]

Let N be an integer and f[x] be a monic polynomial of degree d over the integers. Set X=N1dϵ for 1d>ϵ>0. Then, given N,f attacker, Eve, can efficiently find all integers x0<X satisfying f(x0)=0modN. The running time is dominated by the time it takes to run the LLL algorithm on a lattice of dimension O(w) with w=min(1ϵ,log2N).

This theorem states the existence of an algorithm which can efficiently find all roots of f modulo N that are smaller than X=N1d. As X gets smaller, the algorithm's runtime will decrease. This theorem's strength is the ability to find all small roots of polynomials modulo a composite N.

Håstad's Broadcast Attack

The simplest form of Håstad's attack is presented to ease understanding. The general case uses Coppersmith's theorem.

How does it work?[3]

Suppose one sender sends the same message M in encrypted form to a number of people P1;P2;;Pk, each using the same small public exponent e, say e=3, and different moduli Ni,ei. A simple argument shows that as soon as k3 ciphertexts are known, the message M is no longer secure: Suppose Eve intercepts C1,C2, and C3, where CiM3modNi. We may assume gcd(Ni,Nj)=1 for all i,j (otherwise, it is possible to compute a factor of one of the Ni’s by computing gcd(Ni,Nj).) By the Chinese Remainder Theorem, she may compute CN1N2N3* such that CCimodNi. Then CM3modN1N2N3 ; however, since M<Ni for all i', we have M3<N1N2N3. Thus C=M3 holds over the integers, and Eve can compute the cube root of C to obtain M.

For larger values of e more ciphertexts are needed, particularly, e ciphertexts are sufficient.

Generalizations

Håstad also showed that applying a linear-padding to M prior to encryption does not protect against this attack. Assume the attacker learns that Ci=fi(M)e for 1ik and some linear function fi, i.e., Bob applies a pad to the message M prior to encrypting it so that the recipients receive slightly different messages. For instance, if M is m bits long, Bob might encrypt Mi=i2m+M and send this to the i-th recipient.

If a large enough group of people is involved, the attacker can recover the plaintext Mi from all the ciphertext with similar methods. In more generality, Håstad proved that a system of univariate equations modulo relatively prime composites, such as applying any fixed polynomial g1(M)=0 mod Ni, could be solved if sufficiently many equations are provided. This attack suggests that randomized padding should be used in RSA encryption.

Theorem 2 (Håstad)

Suppose N1,,Nk are relatively prime integers and set Nmin=mini{Ni}. Let gi(x)/Ni[x] be k polynomials of maximum degree q. Suppose there exists a unique M<Nmin satisfying gi(M)=0(mod Ni) for all i{1,,k}. Furthermore suppose k>q. There is an efficient algorithm which, given Ni,gi(x) for all i, computes M.

Proof:
Since the Ni are relatively prime the Chinese Remainder Theorem might be used to compute coefficients Ti satisfying Ti1modNi(is1) and Ti0modNj for all ij. Setting g(x)=iTigi(x) we know that g(M)0modNi. Since the Ti are nonzero we have that g(x) is also nonzero. The degree of g(x) is at most q. By Coppersmith’s Theorem, we may compute all integer roots x0 satisfying g(x0)0modNi and |x0|<(Ni)1q. However, we know that M<Nmin<(N1)1k<(N1)1q, so M is among the roots found by Coppersmith's theorem.

This theorem can be applied to the problem of broadcast RSA in the following manner: Suppose the i-th plaintext is padded with a polynomial fi(x), so that Ni=(fi(x))eiCimodNi. Then the polynomials gi=(fi(x))eiCimodNi satisfy that relation. The attack succeeds once k>maxi(eidegfi). The original result used the Håstad method instead of the full Coppersmith method. Its result was required k=O(q2) messages, where q=maxi(ei.degfi).[3]

Franklin-Reiter Related Message Attack

Franklin-Reiter identified a new attack against RSA with public exponent e=3. If two messages differ only by a known fixed difference between the two messages and are RSA encrypted under the same RSA modulus N, then it is possible to recover both of them.

How does it work?

Let N;ei be Alice's public key. Suppose M1;M2N are two distinct messages satisfying M1f(M2)modN for some publicly known polynomial fN[x]. To send M1 and M2 to Alice, Bob may naively encrypt the messages and transmit the resulting ciphertexts C1;C2. Eve can easily recover M1;M2 given C1;C2, by using the following theorem:

Theorem 3 (Franklin-Reiter)

Set e=3 and let N,e be an RSA public key. Let M1M2N* satisfy M1f(M2)modN for some linear polynomial f=ax+bN[x] with b0. Then, given N,e,C1,C2,f, attacker, Eve, can recover M1,M2 in time quadratic in log2N.

For an arbitrary e (rather than restricting to e=3) the time required is quadratic in e and log2N).

Proof:
Since C1=M1emodN, we know that M2 is a root of the polynomial g1(x)=f(x)eC1N[x]. Similarly, M2 is a root of g2(x)=xeC2N[x]. The linear factor xM2 divides both polynomials. Therefore, Eve calculates the greatest common divisor (gcd) of g1 and g2, if the gcd turns out to be linear, M2 is found. The gcd can be computed in quadratic time in e and log2N using the Euclidean algorithm.

Coppersmith’s Short Pad Attack

Like Håstad’s and Franklin-Reiter’s attack, this attack exploits a weakness of RSA with public exponent e=3. Coppersmith showed that if randomized padding suggested by Håstad is used improperly then RSA encryption is not secure.

How does it work?

Suppose Bob sends a message M to Alice using a small random padding before encrypting it. An attacker, Eve, intercepts the ciphertext and prevents it from reaching its destination. Bob decides to resend M to Alice because Alice did not respond to his message. He randomly pads M again and transmits the resulting ciphertext. Eve now has two ciphertexts corresponding to two encryptions of the same message using two different random pads.

Even though Eve does not know the random pad being used, she still can recover the message M by using the following theorem, if the random padding is too short.

Theorem 4 (Coppersmith)

Let N,e be a public RSA key where N is n-bits long. Set m=ne2. Let MN* be a message of length at most nm bits. Define M1=2mM+r1 and M2=2mM+r2, where r1 and r2 are distinct integers with 0r1,r2<2m. If Eve is given N,e and the encryptions C1,C2 of M1,M2 (but is not given r1 or r2, she can efficiently recover M.

Proof[2]
Define g1(x,y)=xeC1 and g2(x,y)=xeC2. We know that when y=r2r1, these polynomials have x=M1 as a common root. In other words, =r2r1 is a root of the resultant h(y)=resx(g1,g2)N[y]. Furthermore, ||<2m<N1e2. Hence, is a small root of h modulo N, and Eve can efficiently find it using Theorem 1 (Coppersmith). Once is known, the Franklin-Reiter attack can be used to recover M2 and consequently M.

See also

Coppersmith method

References

43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.