

SLIDE 1

Easing Coppersmith Methods using Analytic Combinatorics: Applications to Public-Key Cryptography with Weak Pseudorandomness

Fabrice Benhamouda, Céline Chevalier, Adrian Thillard, and Damien Vergnaud

École normale supérieure, CNRS, INRIA, PSL Research University, Université Panthéon-Assas, ANSSI, Paris, France

PKC 2016, Taipei, Taiwan

SLIDE 2

Coppersmith Methods: Quick History

Introduced by Coppersmith in 1996 to find:

- small roots of univariate modular polynomials [Cop96b]; e.g. decrypting RSA when the plaintext MSBs $\beta$ are known: $(2^k \cdot \beta + x)^e \equiv c \pmod N$ with $|x| \le 2^k$, an extension of the small-plaintext attack $x^e \equiv c \pmod N$;
- small roots of bivariate integer polynomials [Cop96a]; e.g. factoring when the MSBs of the primes are known: $(2^k \cdot \alpha + x) \cdot (2^k \cdot \beta + y) = N$ with $|x|, |y| \le 2^k$.

Further extensions:

- more variables [HG97, BM05, JM06];
- multiple polynomials and moduli [MR08, MR09, Rit10].

Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 2 / 18

SLIDE 8

Coppersmith Methods: Goal

Solve the system

$$f_1(x_1, \dots, x_n) \equiv 0 \pmod{N_1}, \quad \dots, \quad f_s(x_1, \dots, x_n) \equiv 0 \pmod{N_s}$$

with $|x_1| \le X_1, \dots, |x_n| \le X_n$.

Question: which bounds $X_1, \dots, X_n$ work?

SLIDE 10

Coppersmith Methods: Overview

1. Construction of polynomials $\tilde f_{i,j}$ such that $\tilde f_{i,j}(x_1, \dots, x_n) \equiv 0 \pmod{N_i^{k_{i,j}}}$ for any original solution $(x_1, \dots, x_n)$.
2. Use LLL to find an integer system $g_1(x_1, \dots, x_n) = 0, \dots, g_n(x_1, \dots, x_n) = 0$ such that:
   1. any original solution satisfies it;
   2. it has only a finite number of solutions.
3. Solve the system (using a Gröbner basis).

SLIDE 13

Coppersmith Methods: Condition and Combinatorics

Success condition = combinatorial condition on:

- the number of polynomials $\tilde f_{i,j}$;
- the number of monomials in the $\tilde f_{i,j}$;
- the moduli $N_i^{k_{i,j}}$;
- the bounds $X_i$.

Complexity: idem (the lattice dimension is the same kind of count).

Difficult to compute when $s$ and $n$ are non-constant.

Our solution: use analytic combinatorics!

SLIDE 17

Pseudorandom Generator (PRG)

(Diagram.) Starting from an internal state $v_0$, the generator alternates two steps: Output $w_0$ from $v_0$, then Update to $v_1$; Output $w_1$, Update to $v_2$; Output $w_2$; ... Each output $w_i$ is supposed to look uniformly random ($w_i \approx \$$).

SLIDE 27

Weak Pseudorandom Generator: Linear congruential generator (LCG)

Parameters: $M \in \mathbb{N}$, $a \in \mathbb{Z}_M^*$, $b \in \mathbb{Z}_M$
Seed: $v_0 \xleftarrow{\$} \mathbb{Z}_M$
Update: $v_{i+1} = a \cdot v_i + b \bmod M$
Output: $w_i$ = the $k$ most significant bits (MSB) of $v_i$

After seeing some outputs:

- one can recover $v_0$ when the output is not truncated ($k > \log_2 M$);
- one can predict outputs even when $k = 1$ and $a, b$ are secret [Ste87].
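The untruncated case of this slide, as an added example that is not code from the slides: with $M$ known but $a$ and $b$ secret, three consecutive raw states already determine $a$ and $b$ by modular arithmetic, after which $v_0$ (simply the first state) and every later output are known. The parameters at the bottom are constructed toy values. On truncated outputs the same two lines of algebra produce nothing usable, which is the case [Ste87] and the Coppersmith-based attacks in the rest of the talk address.

```python
"""Recover the secret (a, b) of an LCG from untruncated consecutive states, then
predict the stream. Added example, not code from the PKC 2016 slides. The generator
parameters used at the bottom are constructed toy values."""

from math import gcd


def lcg_states(M, a, b, v0, count):
    """Raw states v_0, v_1, ... of v_{i+1} = a*v_i + b mod M (no truncation)."""
    states, v = [], v0 % M
    for _ in range(count):
        states.append(v)
        v = (a * v + b) % M
    return states


def recover_lcg_params(M, states):
    """Recover (a, b) from consecutive untruncated states when M is known.

    v_2 - v_1 = a*(v_1 - v_0) mod M, so a = (v_2 - v_1) * (v_1 - v_0)^(-1) mod M and
    b = v_1 - a*v_0 mod M. For composite M the difference may not be invertible, so
    scan consecutive triples until one is."""
    for v0, v1, v2 in zip(states, states[1:], states[2:]):
        delta = (v1 - v0) % M
        if gcd(delta, M) != 1:
            continue
        a = ((v2 - v1) * pow(delta, -1, M)) % M
        b = (v1 - a * v0) % M
        return a, b
    raise ValueError("no invertible consecutive difference; collect more outputs")


def params_fit(M, a, b, states):
    """True iff every consecutive pair satisfies v_{i+1} = a*v_i + b mod M."""
    return all((a * x + b) % M == y for x, y in zip(states, states[1:]))


def predict_next(M, a, b, last_state):
    return (a * last_state + b) % M


def truncate_to_msb(M, states, k):
    """The k most significant bits of each state, i.e. what the slide's generator outputs."""
    shift = (M - 1).bit_length() - k   # (M-1).bit_length() == ceil(log2 M) for M >= 2
    return [v >> shift for v in states]


if __name__ == "__main__":
    M, A, B, SEED = 2**31 - 1, 16807, 12345, 4242   # constructed toy parameters
    states = lcg_states(M, A, B, SEED, 8)
    a, b = recover_lcg_params(M, states)
    print("recovered", (a, b), "fits all states:", params_fit(M, a, b, states))
    print("next state:", predict_next(M, a, b, states[-1]))
    # Truncated outputs: the same algebra returns parameters that fit the three values
    # it was solved from and nothing beyond them; this is the case that needs lattices.
    w = truncate_to_msb(M, states, 16)
    a_w, b_w = recover_lcg_params(M, w)
    print("fit on truncated outputs:", params_fit(M, a_w, b_w, w))
```

The scan over triples matters in practice: for a composite $M$ (a power of two is the common choice) the difference $v_1 - v_0$ can share a factor with $M$, and then a single triple only pins $a$ down modulo $M / \gcd(v_1 - v_0, M)$.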

SLIDE 30

Weak Pseudorandom Generator: Is an LCG secure when used in protocols?

It depends:

- Yes! as the randomness for ElGamal [Kos02]
- No! for DSA [BGM97]
- Time/memory tradeoff attack: RSA key generation [FTZ13] → this paper: polynomial-time attack (in $\log N$)
- Open: PKCS#1 v1.5 encryption → this paper: polynomial-time attack (in $\log N$)

SLIDE 36

Weak Pseudorandom Generator: Algebraic generator

Parameters: $M \in \mathbb{N}$, a polynomial $F$ over $\mathbb{Z}_M$
Seed: $v_0 \xleftarrow{\$} \mathbb{Z}_M$
Update: $v_{i+1} = F(v_i) \bmod M$
Output: $w_i$ = the $k$ most significant bits of $v_i$

Is it secure? No! [BVZ12], but the analysis there is involved and gives no complexity estimate...

SLIDE 40

Introduction: Contributions

Toolbox for Coppersmith methods:

- check the success condition;
- compute the complexity (size of the lattice);
- both via analytic combinatorics.

Applications to the cryptanalysis of weak PRGs:

- Algebraic PRG: compute the complexity of [BVZ12];
- RSA key generation (modulus $N$) with an LCG: polynomial-time (in $\log N$) attacks, instead of exponential [FTZ13];
- PKCS#1 v1.5 padding with an LCG: polynomial-time (in $\log N$) attacks.

SLIDE 42

Analytic Combinatorics: Overview

Introduced by Flajolet and Sedgewick [FS09]. Goal: count combinatorial objects. Two steps:

1. Compute the generating function (a formal series $P(z)$) → a manual but easy step (in our case) using a "dictionary";
2. Do the counting from $P(z)$:
   - exact: use any CAS (Taylor expansion);
   - asymptotics: easy using the "transfer theorem".

SLIDE 46

Example of Use of Analytic Combinatorics

Number $n_d$ of polynomials of total degree $d$ of the form $x^i \cdot (y^4 + 1)^j$ for any $i \ge 1$ and $j \ge 0$.

1. Generating function:
$$P(z) = \sum_{d \ge 0} n_d z^d = \frac{z}{1 - z} \cdot \frac{1}{1 - z^4}$$
2. Count:
   - exact: use any CAS (Taylor expansion);
   - asymptotics: use the transfer theorem:
$$P(z) \underset{z \to 1}{\sim} \frac{1}{4 \cdot (1 - z)^2} \implies n_d \underset{d \to \infty}{\sim} \frac{d}{4}$$
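Step 2 of this slide carried out without a CAS, as an added example (not code from the slides or the paper): the Taylor coefficients of any generating function of the shape $\mathrm{numerator}(z) / \prod_k (1 - z^k)$ come out of a running-sum loop, which is enough for $P(z)$ above. The block cross-checks the series count against direct enumeration of $(i, j)$ and shows $n_d / d$ reaching $1/4$. `count_shift_family` goes one step further and applies the same routine to the degree bookkeeping of the family $x_0^j f_0^{i_0} \cdots f_n^{i_n}$ from the attack slides; it assumes every $j \ge 0$ is admitted and $\deg f_i = d$, which is an assumption of this example, not the paper's exact index ranges.

```python
"""Taylor coefficients of a rational generating function numerator(z) / prod_k (1 - z^k),
cross-checked by brute force, plus the n_d / d ratio the transfer theorem predicts.
Added example, not code from the PKC 2016 slides; count_shift_family applies the same
routine under an assumption about index ranges stated in its docstring."""

from fractions import Fraction


def divide_by_one_minus_zk(coeffs, k):
    """Coefficients of S(z) / (1 - z^k), truncated to len(coeffs) terms.

    1/(1 - z^k) = 1 + z^k + z^{2k} + ..., so the d-th coefficient of the quotient is
    coeffs[d] + coeffs[d-k] + coeffs[d-2k] + ...: a running sum with stride k."""
    out = list(coeffs)
    for d in range(k, len(out)):
        out[d] += out[d - k]
    return out


def gf_coeffs(numerator, denominator_ks, max_degree):
    """[z^0 .. z^max_degree] of numerator(z) / prod_{k in denominator_ks} (1 - z^k).

    numerator: integer coefficients, lowest degree first."""
    coeffs = (list(numerator) + [0] * (max_degree + 1))[: max_degree + 1]
    for k in denominator_ks:
        coeffs = divide_by_one_minus_zk(coeffs, k)
    return coeffs


def count_slide_family(max_degree):
    """n_d for x^i (y^4 + 1)^j with i >= 1, j >= 0, total degree d = i + 4j.

    Dictionary step: i >= 1 contributes z/(1 - z); j >= 0 contributes 1/(1 - z^4)."""
    return gf_coeffs([0, 1], [1, 4], max_degree)


def brute_force_slide_family(max_degree):
    """Enumerate the pairs (i, j) directly to cross-check the generating function."""
    counts = [0] * (max_degree + 1)
    for i in range(1, max_degree + 1):
        for j in range(0, max_degree // 4 + 1):
            if i + 4 * j <= max_degree:
                counts[i + 4 * j] += 1
    return counts


def asymptotic_ratio(degree):
    """n_d / d; the transfer theorem says this tends to 1/4 as d grows."""
    return Fraction(count_slide_family(degree)[degree], degree)


def count_shift_family(d, n, m):
    """Number of tuples (j, i_0, ..., i_n) with j + d*(i_0 + ... + i_n) <= d*m.

    Degree bookkeeping for x_0^j f_0^{i_0} ... f_n^{i_n} when deg f_i = d, under the
    assumption that every j >= 0 is admitted (the paper's exact index ranges are not
    reproduced here). Dictionary: 1/(1 - z) for j, (1/(1 - z^d))^{n+1} for the i's;
    one more factor 1/(1 - z) turns 'degree exactly D' into 'degree at most D'."""
    return gf_coeffs([1], [1] + [d] * (n + 1) + [1], d * m)[d * m]


if __name__ == "__main__":
    print("n_d for d = 0..12:", count_slide_family(12))
    print("brute force agrees:", count_slide_family(12) == brute_force_slide_family(12))
    print("n_400 / 400 =", asymptotic_ratio(400))
    print("tuples for d=2, n=3, m=4:", count_shift_family(2, 3, 4))
```

The running-sum trick is exactly the "exact count by Taylor expansion" of the slide, specialised to denominators that are products of $(1 - z^k)$; that shape covers every "dictionary" entry of the form "an exponent ranging over all non-negative integers, weighted by degree $k$", which is why it suffices for counting the shift polynomials and monomials that fix a Coppersmith lattice's dimension.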

SLIDE 51

Attack on Algebraic PRG (I)

Parameters: $M \in \mathbb{N}$, a polynomial $F$ of degree $d$ over $\mathbb{Z}_M$
Seed: $v_0 \xleftarrow{\$} \mathbb{Z}_M$
Update: $v_{i+1} = F(v_i) \bmod M$
Output: $w_i$ = the $k$ most significant bits of $v_i$

We know the $w_i$ and write $v_i = w_i \cdot 2^{n-k} + x_i$ for $0 \le i \le n+1$, where the unknown $x_i$ collects the truncated low bits (so $n - k$ in the exponent counts the hidden bits of a state, the $n$ there being the bit length of $M$). We want to solve:

$$f_0(x_0, x_1) = w_1 \cdot 2^{n-k} + x_1 - F(w_0 \cdot 2^{n-k} + x_0) \equiv 0 \pmod M$$
$$\dots$$
$$f_n(x_n, x_{n+1}) = w_{n+1} \cdot 2^{n-k} + x_{n+1} - F(w_n \cdot 2^{n-k} + x_n) \equiv 0 \pmod M$$

SLIDE 53

Attack on Algebraic PRG (II)

We construct the polynomials of degree at most $dm$:
$$x_0^{j} \cdot f_0^{i_0} \cdots f_n^{i_n}$$

Using our toolbox, the attack works when $m \to \infty$ if
$$\frac{\lceil \log_2 M \rceil - k}{\lceil \log_2 M \rceil} \le \frac{d^{n+1} - 1}{d^{n+2} - 1} \approx \frac{1}{d}$$
(the left-hand side is the fraction of each state that is hidden by the truncation).
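The system of the previous slide and the condition of this one in plain Python, as an added example that is not code from the slides or the paper: it builds $f_0, \dots, f_n$ from the truncated outputs of a constructed toy generator of degree $d = 2$, checks that the hidden low bits are a common root modulo $M$, and evaluates the $m \to \infty$ bound for a given modulus size and truncation. The lattice reduction (LLL) and Gröbner-basis steps that actually recover the $x_i$ are not included; they need a CAS such as Sage. Modulus, polynomial and leaked-bit count are assumptions of the example.

```python
"""Build the system f_0, ..., f_n of the previous slide from truncated outputs of an
algebraic generator, check that the true low bits are a common root, and evaluate the
m -> infinity success condition. Added example, not code from the PKC 2016 slides; it
stops before the LLL and Groebner-basis steps. M, F and K are constructed toy values."""

from fractions import Fraction

# Constructed toy generator: v_{i+1} = v_i^2 + 12345 mod M (so d = 2), K MSBs leak.
M = 2**31 - 1
F_COEFFS = [12345, 0, 1]          # F(x) = 12345 + 0*x + 1*x^2, lowest degree first
K = 20                            # leaked most significant bits per state (assumption)


def ceil_log2(m):
    """ceil(log2 m) computed exactly on integers (m >= 1)."""
    return (m - 1).bit_length()


def eval_poly(coeffs, x, mod):
    """Horner evaluation of a univariate polynomial modulo mod."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def algebraic_prg(seed, steps, mod=M, coeffs=F_COEFFS, k=K):
    """Return (states, outputs); outputs are the k most significant bits of each state."""
    shift = ceil_log2(mod) - k
    states, outputs, v = [], [], seed % mod
    for _ in range(steps):
        states.append(v)
        outputs.append(v >> shift)
        v = eval_poly(coeffs, v, mod)
    return states, outputs


# Bivariate polynomials over Z_mod in sparse form: {(exp of x_i, exp of x_{i+1}): coeff}.
def poly_add(p, q, mod):
    out = dict(p)
    for key, c in q.items():
        out[key] = (out.get(key, 0) + c) % mod
    return {key: c for key, c in out.items() if c}


def poly_mul(p, q, mod):
    out = {}
    for (a1, b1), c1 in p.items():
        for (a2, b2), c2 in q.items():
            key = (a1 + a2, b1 + b2)
            out[key] = (out.get(key, 0) + c1 * c2) % mod
    return {key: c for key, c in out.items() if c}


def build_equation(w_i, w_next, mod=M, coeffs=F_COEFFS, k=K):
    """f_i(x_i, x_{i+1}) = w_{i+1}*2^(n-k) + x_{i+1} - F(w_i*2^(n-k) + x_i) mod M,
    with n = ceil(log2 M); the unknowns are the truncated low bits, 0 <= x < 2^(n-k)."""
    shift = 1 << (ceil_log2(mod) - k)
    base = {(0, 0): (w_i * shift) % mod, (1, 0): 1}        # w_i*2^(n-k) + x_i
    f_of_base = {}                                          # F(base), Horner on polynomials
    for c in reversed(coeffs):
        f_of_base = poly_add(poly_mul(f_of_base, base, mod), {(0, 0): c % mod}, mod)
    lhs = {(0, 0): (w_next * shift) % mod, (0, 1): 1}      # w_{i+1}*2^(n-k) + x_{i+1}
    return poly_add(lhs, {key: (-c) % mod for key, c in f_of_base.items()}, mod)


def build_system(outputs, **kw):
    """The n+1 equations f_0 .. f_n from n+2 consecutive outputs."""
    return [build_equation(outputs[i], outputs[i + 1], **kw) for i in range(len(outputs) - 1)]


def eval_bivariate(p, x, y, mod=M):
    return sum(c * pow(x, a, mod) * pow(y, b, mod) for (a, b), c in p.items()) % mod


def low_bits(states, mod=M, k=K):
    """The true unknowns x_i, used only to check the constructed system."""
    return [v & ((1 << (ceil_log2(mod) - k)) - 1) for v in states]


def system_has_root(outputs, xs, **kw):
    """True iff every f_i vanishes mod M at (x_i, x_{i+1})."""
    mod = kw.get("mod", M)
    return all(eval_bivariate(f, xs[i], xs[i + 1], mod) == 0
               for i, f in enumerate(build_system(outputs, **kw)))


def unknown_fraction(mod=M, k=K):
    """(ceil(log2 M) - k) / ceil(log2 M): the share of each state that is hidden."""
    return Fraction(ceil_log2(mod) - k, ceil_log2(mod))


def condition_bound(d, n):
    """(d^(n+1) - 1) / (d^(n+2) - 1): the slide's threshold for n+1 equations of degree d."""
    return Fraction(d ** (n + 1) - 1, d ** (n + 2) - 1)


def attack_applies(d, n, mod=M, k=K):
    """Asymptotic (m -> infinity) success condition of this slide."""
    return unknown_fraction(mod, k) <= condition_bound(d, n)


if __name__ == "__main__":
    states, outputs = algebraic_prg(987654321, 6)     # 6 outputs -> n = 4, five equations
    print("true low bits are a root:", system_has_root(outputs, low_bits(states)))
    print("unknown fraction", unknown_fraction(), "<= bound", condition_bound(2, 4),
          "->", attack_applies(2, 4))
    print("with only 10 leaked bits per state:", attack_applies(2, 4, k=10))
```

Two things the check makes concrete: each $f_i$ has degree $d$ in $x_i$ and degree 1 in $x_{i+1}$, which is what makes the shift family $x_0^j f_0^{i_0} \cdots f_n^{i_n}$ the natural lattice basis, and the bound tends to $1/d$ as more outputs are used, so for a quadratic map no amount of extra output helps once more than about half of each state is hidden.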

SLIDE 55

RSA Key Generation with LCG (I)

Factor an RSA modulus $N = pq$ where $p = v_0 + M v_1 + \dots + M^n v_n$ and $q = w_0 + M w_1 + \dots + M^n w_n$, and $v_0, \dots, v_n$ and $w_0, \dots, w_n$ are non-truncated outputs of an LCG (modulus $M$, parameters $a, b$).

We have:

$$f = (v_0 + \dots + M^n v_n)(w_0 + \dots + M^n w_n) \equiv 0 \pmod N$$
$$g_0 = v_1 - (a v_0 + b) \equiv 0 \pmod M, \quad \dots, \quad g_{n-1} = v_n - (a v_{n-1} + b) \equiv 0 \pmod M$$
$$h_0 = w_1 - (a w_0 + b) \equiv 0 \pmod M, \quad \dots, \quad h_{n-1} = w_n - (a w_{n-1} + b) \equiv 0 \pmod M$$

SLIDE 57

RSA Key Generation with LCG (II)

We construct the polynomials of degree below $2t$:

$$\tilde f_{i_0, \dots, i_n, j_0, \dots, j_n, k} = v_0^{i_0} \cdots v_n^{i_n} \cdot w_0^{j_0} \cdots w_n^{j_n} \cdot f^k \bmod N^k$$
with $1 \le k < t$, ($i_0 = 0$ or $j_0 = 0$) and $\deg(\tilde f_{\dots}) = i_0 + \dots + i_n + j_0 + \dots + j_n + 2k < 2t$;

$$\tilde g_{i_0, \dots, i_n, j_0, \dots, j_n} = g_0^{i_0} \cdots g_{n-1}^{i_{n-1}} \cdot v_n^{i_n} \cdot h_0^{j_0} \cdots h_{n-1}^{j_{n-1}} \cdot w_n^{j_n} \bmod M^{\ell}$$
with $1 \le \ell = i_0 + \dots + i_{n-1} + j_0 + \dots + j_{n-1}$ and $\deg(\tilde g_{\dots}) = i_0 + \dots + i_n + j_0 + \dots + j_n < 2t$.

Using our toolbox: for all $n \ge 2$ there exists $t$ such that the attack works in time polynomial in $\log N$.

SLIDE 59

PKCS#1 v1.5 Padding with LCG

PKCS#1 v1.5 = padding for RSA. Encryption of $m$: $c = \mu(m, r)^e \bmod N$ with
$$\mu(m, r) = \mathtt{0002}_{16} \,\|\, r \,\|\, \mathtt{00}_{16} \,\|\, m,$$
where $r$ is a random bit string (in the standard, a string of non-zero bytes).

Attack similar to the previous one, when $r$ is generated by an LCG modulo $M$. Works for $M < N^{1/e}$.

SLIDE 60

Thank you for your attention!

Questions?

Summary:

- Toolbox for Coppersmith methods: check the success condition; compute the complexity (size of the lattice); both via analytic combinatorics.
- Applications to the cryptanalysis of weak PRGs: algebraic PRG (complexity of [BVZ12]); RSA key generation with an LCG (polynomial-time attacks in $\log N$ instead of exponential [FTZ13]); PKCS#1 v1.5 padding with an LCG (polynomial-time attacks in $\log N$).

SLIDE 61

References

[BGM97] Mihir Bellare, Shafi Goldwasser, and Daniele Micciancio. "Pseudo-random" number generation within cryptographic algorithms: The DSS case. In Burton S. Kaliski Jr., editor, CRYPTO '97, volume 1294 of LNCS, pages 277–291. Springer, August 1997.

[BM05] Johannes Blömer and Alexander May. A tool kit for finding small roots of bivariate polynomials over the integers. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 251–267. Springer, May 2005.

[BVZ12] Aurélie Bauer, Damien Vergnaud, and Jean-Christophe Zapalowicz. Inferring sequences produced by nonlinear pseudorandom number generators using Coppersmith's methods. In Marc Fischlin, Johannes Buchmann, and Mark Manulis, editors, PKC 2012, volume 7293 of LNCS, pages 609–626. Springer, May 2012.

[Cop96a] Don Coppersmith. Finding a small root of a bivariate integer equation; factoring with high bits known. In Ueli M. Maurer, editor, EUROCRYPT '96, volume 1070 of LNCS, pages 178–189. Springer, May 1996.

[Cop96b] Don Coppersmith. Finding a small root of a univariate modular equation. In Ueli M. Maurer, editor, EUROCRYPT '96, volume 1070 of LNCS, pages 155–165. Springer, May 1996.

[FS09] Philippe Flajolet and Robert Sedgewick. Analytic Combinatorics. Cambridge University Press, January 2009.

[FTZ13] Pierre-Alain Fouque, Mehdi Tibouchi, and Jean-Christophe Zapalowicz. Recovering private keys generated with weak PRNGs. In Martijn Stam, editor, 14th IMA International Conference on Cryptography and Coding, volume 8308 of LNCS, pages 158–172. Springer, December 2013.

[HG97] Nick Howgrave-Graham. Finding small roots of univariate modular equations revisited. In Michael Darnell, editor, 6th IMA International Conference on Cryptography and Coding, volume 1355 of LNCS, pages 131–142. Springer, December 1997.

[JM06] Ellen Jochemsz and Alexander May. A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT 2006, volume 4284 of LNCS, pages 267–282. Springer, December 2006.

[Kos02] Takeshi Koshiba. On sufficient randomness for secure public-key cryptosystems. In David Naccache and Pascal Paillier, editors, PKC 2002, volume 2274 of LNCS, pages 34–47. Springer, February 2002.

[MR08] Alexander May and Maike Ritzenhofen. Solving systems of modular equations in one variable: How many RSA-encrypted messages does Eve need to know? In Ronald Cramer, editor, PKC 2008, volume 4939 of LNCS, pages 37–46. Springer, March 2008.

[MR09] Alexander May and Maike Ritzenhofen. Implicit factoring: On polynomial time factoring given only an implicit hint. In Stanislaw Jarecki and Gene Tsudik, editors, PKC 2009, volume 5443 of LNCS, pages 1–14. Springer, March 2009.

[Rit10] Maike Ritzenhofen. On efficiently calculating small solutions of systems of polynomial equations: lattice-based methods and applications to cryptography. PhD thesis, Ruhr University Bochum, 2010.

[Ste87] Jacques Stern. Secret linear congruential generators are not cryptographically secure. In 28th FOCS, pages 421–426. IEEE Computer Society Press, October 1987.