SLIDE 1

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems

Asiacrypt 2003, Taipei

Kaoru Kurosawa 1, Katja Schmidt-Samoa 2, Tsuyoshi Takagi 2

1 Ibaraki University, 2 Technische Universität Darmstadt

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.1/15

SLIDE 2

Introduction

Problem: Find "small" solutions $x, y$ of

$ax = y + c \bmod N$

  • Many applications in cryptanalysis and provable security
  • Previous solutions:
      • Brute-force method
      • Continued fraction methods
      • Affine variant of Euclidean algorithm
      • Lattice-based methods

SLIDE 3

Outline of the talk

  • PD-OW of RSA
  • Features of the lattice-based solution
  • Proposed algorithm
  • Application to PD-OW of RSA
  • Comparison
  • Conclusion

SLIDE 4

RSA: OW ⇒ PD-OW

Target: Compute $m$ from $C = m^e \bmod N$

PD-OW Oracle $O$: Gets $s_1$ from $(s_1 \cdot 2^k + s_2)^e \bmod N$

Fujisaki, Okamoto, Pointcheval, Stern 2001:

  • 1. Choose $a \in \mathbb{Z}_N^\times$ at random
  • 2. Define $C' = C a^e \bmod N$ (encryption of $am \bmod N$)
  • 3. $O(C) = u$ and $O(C') = v$
  • 4. $m \bmod N = u \cdot 2^k + r$ and $am \bmod N = v \cdot 2^k + s$

$\Rightarrow a \cdot (u \cdot 2^k + r) \bmod N = v \cdot 2^k + s$

$\Rightarrow ar = s + c \bmod N$, $c = (v - ua) \cdot 2^k \bmod N$

$\Rightarrow ax = y + c \bmod N$

SLIDE 5

RSA: OW ⇒ PD-OW, cont’d

Problem

$C = (u \cdot 2^k + r)^e \bmod N$, find $r$

We have $ar = s + c \bmod N$, $0 \le r, s < B < \sqrt{N}$

General answer to the problem

  • Solve $ax = y + c \bmod N$ (small solutions)
  • For each $(x, y)$: Check $C \stackrel{?}{=} (u \cdot 2^k + x)^e \bmod N$

Questions

  • How to solve $ax = y + c \bmod N$?
  • How many small solutions?

SLIDE 6

Features of the lattice-based method

Problem: Find $0 \le x, y < B < \sqrt{N}$ s.t. $ax = y + c \bmod N$

Define lattice $L_{a,N} = \{(x, y) \in \mathbb{Z}^2 \mid ax = y \bmod N\}$

Precondition: $L_{a,N}$ contains no $0 \ne v$, $|v| < 4B$

  • 1. unique small solution $(x, y)$ of $ax = y + c \bmod N$ ($\hookrightarrow$ no checks necessary)
  • 2. $(x, y)$ can be found efficiently (lattice reduction)

SLIDE 7

Critical area for lattice-based solution

Critical area of lattice $L_{a,N} = \{(x, y) \in \mathbb{Z}^2 \mid ax = y \bmod N\}$:

No non-zero vector inside critical area ⇒ method works

[Figure: critical area, labelled 4B]

Target: New algorithm for solving $ax = y + c \bmod N$ downsizes critical area

SLIDE 21

Motivation of proposed algorithm

Problem: Find $0 \le x, y < B < \sqrt{N}$ s.t. $ax = y + c \bmod N$

  • 1st step: Specify the problem

$y = ax - c \bmod N$

Find x-minimal solution w. r. t. B:

  • $x = 0 \to y = -c \bmod N \stackrel{?}{<} B$: no
  • $x = 1 \to y = -c + a \bmod N \stackrel{?}{<} B$: no
  • ...
  • $x = \hat{x} \to \hat{y} = -c + \hat{x}a \bmod N \stackrel{?}{<} B$: yes!

[Figure; labels: N, −c mod N, a, B]

SLIDE 24

Idea of proposed algorithm

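2nd step: Reduction to a smaller instance

$a\hat{x} = \hat{y} + c \bmod N \Rightarrow a\hat{x} = \hat{y} + c + kN$, $k \in \mathbb{Z}$

Euclidean division: $N = aq + r$, $0 \le r < a$, $q \in \mathbb{Z}^+$

$\Rightarrow a\hat{x} = \hat{y} + c + k(aq + r)$

$\Rightarrow -rk = \hat{y} + c + a(kq - \hat{x})$

$\Rightarrow -rk = \hat{y} + c \bmod a$

3rd step: Iterating this process

$N_0 = N$, $a_0 = a$, $c_0 = c$, $x_0 = \hat{x}$

$N_{i+1} = a_i$, $a_{i+1} = -N_i \bmod a_i$, $c_{i+1} = c_i \bmod N_{i+1}$, $x_{i+1} = \dfrac{a_i x_i - \hat{y} - c_i}{N_i}$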

SLIDE 25

Idea of proposed algorithm, cont’d

Iteration process (sequence of congruences):

$N_0 = N$, $a_0 = a$, $c_0 = c$, $x_0 = \hat{x}$

$N_{i+1} = a_i$, $a_{i+1} = -N_i \bmod a_i$, $c_{i+1} = c_i \bmod N_{i+1}$, $x_{i+1} = \dfrac{a_i x_i - \hat{y} - c_i}{N_i}$

Define $(\mathrm{cong}_i)$: $a_i x = y + c_i \bmod N_i$.

$(x_i, \hat{y})$ is x-minimal solution of $(\mathrm{cong}_i)$ w.r.t. B, $x_i > 0$ ⇒ $(x_{i+1}, \hat{y})$ is x-minimal solution of $(\mathrm{cong}_{i+1})$ w.r.t. B

For each i: $-c_i \bmod N_i \stackrel{?}{<} B$

  • no: iterate
  • yes: $\hat{y} = -c_i \bmod N_i$

SLIDE 28

Proposed algorithm, outline

Lin_Cong (Outline)

Input: $a, c, N, B$, $\gcd(a, N) = 1$

Output: x-minimal solution $(\hat{x}, \hat{y})$ of $ax = y + c \bmod N$

  • 1. set $a' = a$, $c' = c$, $N' = N$, $y' = -c' \bmod N'$
  • 2. while $y' \ge B$ do
  • 3.     set $(a', N') = (-N' \bmod a', a')$ (parallel assignment)
  • 4.     set $c' = c' \bmod N'$, $y' = -c' \bmod N'$
  • 5. set $\hat{y} = y'$, $\hat{x} = a^{-1} \cdot (\hat{y} + c) \bmod N$
  • 6. return $(\hat{x}, \hat{y})$

Improvements: Efficient variant, extension for finding all small solutions, ...

SLIDE 34

Application to OW ⇒ PD-OW (RSA)

Remember two questions:

  • 1. How to solve $ax = y + c \bmod N$?
  • 2. How many small solutions (bound B)?

ad 1. Lin_Cong succeeds for any input

ad 2. precondition on $a$ ⇒ not too many small solutions

$L_{a,N}$ contains no $(x, y)$, $0 < x < B/l$, $-B/l < y < B/l$ ⇔ at most $l$ small solutions of $ax = y + c \bmod N$
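
The Lin_Cong outline and the OW ⇒ PD-OW reduction from the earlier slides, written out as an added Python example (not code from the talk or the paper). The toy key N = 61 · 53, the simulated oracle `toy_oracle`, and the names `x_minimal_bruteforce`, `recover_m` and `a_values` are assumptions made here; trying another a when the x-minimal solution fails the check stands in for the extension that finds all small solutions.

```python
from math import gcd

def x_minimal_bruteforce(a, c, N, B):
    """Reference search from the 'Motivation' slide: x = 0, 1, ... until y < B."""
    for x in range(N):
        y = (a * x - c) % N
        if y < B:
            return x, y

def lin_cong(a, c, N, B):
    """x-minimal solution (x, y) of a*x = y + c mod N, following the outline."""
    if B < 1 or gcd(a, N) != 1:
        raise ValueError("need B >= 1 and gcd(a, N) = 1")
    a1, c1, N1 = a % N, c % N, N
    y1 = -c1 % N1                      # step 1
    while y1 >= B:                     # step 2
        a1, N1 = -N1 % a1, a1          # step 3 (parallel assignment)
        c1 %= N1                       # step 4
        y1 = -c1 % N1
    x = pow(a, -1, N) * (y1 + c) % N   # step 5
    return x, y1

def recover_m(C, e, N, k, oracle, a_values):
    """OW => PD-OW reduction: rebuild m from the oracle's top bits of m and a*m."""
    B = 1 << k
    u = oracle(C)
    for a in a_values:
        if gcd(a, N) != 1:
            continue
        v = oracle(C * pow(a, e, N) % N)       # top bits of a*m mod N
        c = (v - u * a) * B % N
        x, _ = lin_cong(a, c, N, B)            # candidate for r
        if x < B and pow(u * B + x, e, N) == C:
            return u * B + x
    return None                                # x-minimal solution was never r

# Constructed toy parameters (textbook-sized, not secure): N = 61 * 53
N, E, D, K = 3233, 17, 2753, 4

def toy_oracle(C):
    """Simulated PD-OW oracle: decrypts with D and leaks all but the low K bits."""
    return pow(C, D, N) >> K

if __name__ == "__main__":
    m = 2025
    print(lin_cong(37, 81, 101, 10))                            # (5, 3)
    print(recover_m(pow(m, E, N), E, N, K, toy_oracle, [100]))  # 2025
```

With a = 100 and B = 16, the multiples a·d for 0 < d < B never come within B of a multiple of N, so the x-minimal solution is the true r and the check passes on the first try.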

SLIDE 37

Comparison

Critical area of lattice $L_{a,N} = \{(x, y) \in \mathbb{Z}^2 \mid ax = y \bmod N\}$:

No non-zero vector inside critical area ⇒ method works

[Figure: critical areas. Lattice method: 4B. Lin_Cong, unique solution: B. Lin_Cong, ≤ 5 solutions: B/5.]

SLIDE 39

Conclusion and further work

  • Proposed algorithm always finds small solutions, provided small solutions exist at all
  • Proposed algorithm is simple and efficient
  • Proposed algorithm is flexible
  • Further work: Find new applications!

Thank you for your attention!
