SLIDE 1
How to Generalize RSA Cryptanalyses
Atsushi Takayasu and Noboru Kunihiro The University of Tokyo, Japan AIST, Japan
PKC2016@Taipei
1/19
Background
2 /19
How to Generalize RSA Cryptanalyses Atsushi Takayasu and Noboru - - PowerPoint PPT Presentation
How to Generalize RSA Cryptanalyses Atsushi Takayasu and Noboru - - PowerPoint PPT Presentation
PKC2016@Taipei How to Generalize RSA Cryptanalyses Atsushi Takayasu and Noboru Kunihiro The University of Tokyo, Japan AIST, Japan 1/19 Background 2 /19 RSA Public key: , Secret key: (, , ) Key generation: =
SLIDE 2
SLIDE 3
RSA
Public key: π, π Secret key: (π, π, π) Key generation: π = ππ and ππ = 1 mod (π β 1)(π β 1) οΌ One of the most famous cryptosystems οΌ A number of paper study the security.
3 /19
SLIDE 4
Known Attacks on RSA
- Small secret exponent attack: [BD00]
Small secret exponent
π < π0.292 disclose the factorization of π.
- Partial key exposure attacks: [EJMW05], [TK14]
The most/least significant bits of π disclose the factorization of π. οΌ These attacks are based on Coppersmithβs method.
4 /19
SLIDE 5
Variants of RSA
RSA Takagi RSA Prime Power RSA PK
π, π π, π π, π
SK
(π, π, π) (π, π, π) (π, π, π)
KG π = ππ π = ππ π π = ππ π ππ = 1 mod (π β 1)(π β 1) ππ = 1 mod (π β 1)(π β 1) ππ = 1 mod ππ β1(π β 1)(π β 1) οΌ The variants enable faster decryption using CRT. οΌ When π = 1, both variants are the same as RSA.
5 /19
SLIDE 6
Known Attacks on the Variants
RSA Takagiβs RSA Prime Power RSA Small Secret Exponent [BD00] [IKK08] [May04], [LZPL15], [Sar15] Partial Key Exposure [EJMW05], [TK14] [HHX+14] [May04], [LZPL15], [Sar15], [EKU15] οΌ When π = 1, only [IKK08] achieves the same bound as the best attacks on RSA.
6 /19
SLIDE 7
Open Questions
- Are there better attacks on the variants that generalize the
best attacks on RSA?
- [IKK08]βs algorithm construction is very technical and hard
to follow.
7 /19
SLIDE 8
Open Questions
- Are there better attacks on the variants that generalize the
best attacks on RSA?
- [IKK08]βs algorithm construction is very technical and hard
to follow. Are there easy-to-understand generic transformations that convert the attacks on RSA to Takagiβs RSA and the prime power RSA?
7 /19
SLIDE 9
Our Results
We propose transformations for both the Takagiβs RSA and the prime power RSA which are very simple and give improved results. β Simpler analyses of [IKK08], [Sar15] β Better bounds than [HHX+14], [Sar15], [EKU15] β Some evidence of optimality
8 /19
SLIDE 10
PKE attacks on Takagiβs RSA (π = 2)
[HHX+14] Our Improvements
9 /19
logπ π Exposed proportion of π
SLIDE 11
PKE attacks on Takagiβs RSA (π = 2)
9 /19
logπ π [HHX+14] Our Improvements Exposed proportion of π
SLIDE 12
PKE attacks on the prime power RSA (π = 2)
9 /19
logπ π [LZPL15] [Sar15] Our Improvements Exposed proportion of π
SLIDE 13
Coppersmithβs Method
10 /19
SLIDE 14
Overview [How97]
To find small roots of a bivariate modular equation
β π¦, π§ = 0 mod π
where π¦ < π and π§ < Y,
11 /19
SLIDE 15
Overview [How97]
To find small roots of a bivariate modular equation
β π¦, π§ = 0 mod π
where π¦ < π and π§ < Y,
- Generate β1 π¦, π§ , β¦ , βπ(π¦, π§) that have the roots
(π¦ , π§ ) modulo ππ.
11 /19
SLIDE 16
Overview [How97]
To find small roots of a bivariate modular equation
β π¦, π§ = 0 mod π
where π¦ < π and π§ < Y,
- Generate β1 π¦, π§ , β¦ , βπ(π¦, π§) that have the roots
(π¦ , π§ ) modulo ππ.
- If integer linear combinations of β1 π¦, π§ , β¦ , βπ(π¦, π§)
become β1
β² π¦, π§ and β2 β² (π¦, π§) satisfying
βπβ²(π¦π, π§π) < ππ,
the original roots can be recovered.
11 /19
SLIDE 17
LLL Reduction to Find the Polynomials
- Polynomials β1
β² π¦, π§ and β2 β² (π¦, π§) that are the integer
linear combinations of β1 π¦, π§ , β¦ , βπ(π¦, π§) and the norms
- f βπβ²(π¦π, π§π) are small.
12 /19
SLIDE 18
LLL Reduction to Find the Polynomials
- Polynomials β1
β² π¦, π§ and β2 β² (π¦, π§) that are the integer
linear combinations of β1 π¦, π§ , β¦ , βπ(π¦, π§) and the norms
- f βπβ²(π¦π, π§π) are small.
- LLL algorithm can efficiently find short lattice vectors π1β²
and π2β² that are the integer linear combinations of π1, β¦, ππ and the Euclidean norms are small.
12 /19
SLIDE 19
LLL Reduction to Find the Polynomials
- Polynomials β1
β² π¦, π§ and β2 β² (π¦, π§) that are the integer
linear combinations of β1 π¦, π§ , β¦ , βπ(π¦, π§) and the norms
- f βπβ²(π¦π, π§π) are small.
- LLL algorithm can efficiently find short lattice vectors π1β²
and π2β² that are the integer linear combinations of π1, β¦, ππ and the Euclidean norms are small. οΌ Build a lattice whose basis consists of coefficients of β1 π¦π, π§π , β¦ , βπ(π¦π, π§π) and apply the LLL.
12 /19
SLIDE 20
SSE Attack on RSA [BD00]
π = ππ and ππ = 1 mod (π β 1)(π β 1) π π¦, π§ = 1 + π¦ π + 1 + π§ mod π
whose root (β, β π + π ) discloses the factorization of π.
- A bivariate equation with three monomials (1, π¦, π¦π§)
13 /19
SLIDE 21
SSE Attack on RSA [BD00]
π = ππ and ππ = 1 mod (π β 1)(π β 1) π π¦, π§ = 1 + π¦ π + 1 + π§ mod π
whose root (β, β π + π ) discloses the factorization of π. Polynomials
π¦ππ§πππ£ π¦, π§ ππβπ£ generate a triangular matrix with diagonals ππ+π£ππ+π£ππβπ£.
οΌ The resulting lattice constructions are well-analyzed.
13 /19
SLIDE 22
SSE Attack on RSA [BD00]
π = ππ and ππ = 1 mod (π β 1)(π β 1) π π¦, π§ = 1 + π¦ π + 1 + π§ mod π
whose root (β, β π + π ) discloses the factorization of π. Polynomials
π¦ππ§πππ£ π¦, π§ ππβπ£ generate a triangular matrix with diagonals ππ+π£ππ+π£ππβπ£.
οΌ The resulting lattice constructions are well-analyzed.
13 /19
SLIDE 23
How to Generalize the Attacks
14 /19
SLIDE 24
SSE Attack on Takagiβs RSA
π = ππ π and ππ = 1 mod (π β 1)(π β 1) π π¦, π§1, π§2 = 1 + π¦ π§1 β 1 (π§2 β 1) mod π
whose root (β, π, π) discloses the factorization of π.
- A trivariate equation with five monomials
(1, π¦, π¦π§1, π¦π§2, π¦π§1π§2)
- Nontrivial algebraic relation π§1
π π§2 = π
15 /19
SLIDE 25
SSE Attack on Takagiβs RSA
π = ππ π and ππ = 1 mod (π β 1)(π β 1) π π¦, π§1, π§2 = 1 + π¦ π§1 β 1 (π§2 β 1) mod π
whose root (β, π, π) discloses the factorization of π. Polynomials
1, π§2, π§1π§2, β¦ , π§1
π β1π§2 β π¦ππ§ 1 πππ£ π¦, π§1, π§2 ππβπ£
generate a triangular matrix with (sizes of ) diagonals π0, π1, β¦ , ππ β ππ+π£ππ+π£ππβπ£.
15 /19
SLIDE 26
SSE Attack on Takagiβs RSA
π = ππ π and ππ = 1 mod (π β 1)(π β 1) π π¦, π§1, π§2 = 1 + π¦ π§1 β 1 (π§2 β 1) mod π
whose root (β, π, π) discloses the factorization of π. Polynomials
1, π§2, π§1π§2, β¦ , π§1
π β1π§2 β π¦ππ§ 1 πππ£ π¦, π§1, π§2 ππβπ£
generate a triangular matrix with (sizes of ) diagonals π0, π1, β¦ , ππ β ππ+π£ππ+π£ππβπ£.
15 /19
SLIDE 27
SSE Attack on the prime power RSA
π = ππ π and ππ = 1 mod (π β 1)(π β 1) π π¦, π§1, π§2 = 1 + π¦π§1
π β1 π§1 β 1 (π§2 β 1) mod π
whose roots (β, π, π) offer the factorization of π.
- A trivariate equation with five monomials
(1, π¦, π¦π§1
π β1, π¦π§1 π , π¦π§1 π β1π§2)
- Nontrivial algebraic relation π§1
π π§2 = π
16 /19
SLIDE 28
SSE Attack on the prime power RSA
π = ππ π and ππ = 1 mod (π β 1)(π β 1) π π¦, π§1, π§2 = 1 + π¦π§1
π β1 π§1 β 1 (π§2 β 1) mod π
whose roots (β, π, π) offer the factorization of π. Polynomials
π§2
π, π§1π§2 π, β¦ , π§1 π β1π§2 π, π§1 π β1π§2 π+1
β π¦ππ§
1 πππ£ π¦, π§1, π§2 ππβπ£
generate a triangular matrix with (sizes of ) diagonals ππ, ππ+1, β¦ , ππ+π β ππ+π£ππ+π£ππβπ£.
16 /19
SLIDE 29
Our Transformations
SSE on RSA PKE on RSA
1, π§2, π§1π§2, β¦ , π§1
π β1π§2
SSE on Takagi RSA PKE on Takagi RSA
17 /19
SLIDE 30
Our Transformations
SSE on RSA PKE on RSA
π§2
π, π§1π§2 π, β¦ , π§1 π β1π§2 π, π§1 π β1π§2 π+1
SSE on prime power RSA PKE on prime power RSA
18 /19
SLIDE 31
Conclusion
- We propose generic transformations that convert lattices
- n RSA to those on the Takagi RSA and the prime power
RSA. As applications, we propose small secret exponent attacks and partial key exposure attacks on the variants. οΌ Further applications of our transformations? οΌ Better attacks can be obtained from other frameworks?
19 /19