http://www.di.ens.fr/~pnguyen
INRIA and École normale supérieure, Paris, France
MPRI, 2010

Outline
1 Introduction
  Asymmetric Cryptology
  Course Overview
2 Textbook RSA
3 Euclid's Algorithm
  Applications to Cryptanalysis
Asymmetric Cryptology / Course Overview

What is Public-Key Cryptography?
Invented by Diffie and Hellman in 1976.
A user U has a pair of keys (p, s): p is public, while s is secret. p and s are related to each other, but it should be computationally hard to recover s from p.
Historical goals:
- Asymmetric encryption: anyone can encrypt a message to U, using U's public key p. But only U should be able to decrypt.
- Digital signatures: U can sign any message m, using his private key s. Anyone can check whether a given signature corresponds to a message and a public key.

Two Kinds of Hard Problems
Few and rather large unknowns, "slow" operations:
- Factoring and e-th roots (RSA, etc.)
- Discrete Log (Diffie-Hellman, El Gamal, DSA, etc.)
Many small unknowns, "fast" operations, often related to NP-hard problems:
- Lattices and Knapsacks (NTRU, etc.)
- Coding (McEliece, etc.)
- Multivariate polynomials (HFE, etc.)
What is Public-Key Cryptanalysis?
Trying to "break" public-key cryptographic schemes, either with general techniques (factoring, lattice reduction, Gröbner bases, etc.) or with specific ones.
Studying attack environments (chosen-ciphertext attacks, side channels, etc.) and goals of attacks (key recovery, partial information, distinguishability, etc.).
This is very much related to the development of "provable security". Thirty years after the introduction of public-key cryptography, we have a much better understanding of what security means. But there is no good book on public-key cryptanalysis yet.

In This Series of Lectures
We only have 12 hours. We will focus on the most famous public-key scheme: RSA, for both asymmetric encryption and digital signatures.
We will present attacks which explain the strengthening of security notions: e.g. a trapdoor one-way function should not be used directly as an asymmetric encryption scheme. Textbook RSA should not be used.
In particular, we will present two popular techniques in public-key cryptanalysis: square-root attacks and lattice reduction (a geometric, high-dimensional generalization of Euclid's gcd algorithm).
No side-channel attacks.

Schedule
1 Basic attacks and basic security notions
2 Square-root attacks
3 Lattice attacks
  1 Lattice reduction in a nutshell
  2 "Linear" attacks
  3 "Polynomial" attacks
Textbook RSA (1978)
Public key: $N = pq$ where p and q are large primes, and an exponent e coprime with $\varphi(N) = (p-1)(q-1)$.
Private key: $d \in \mathbb{Z}$ such that $ed \equiv 1 \pmod{\varphi(N)}$.
RSA gives a trapdoor one-way permutation, which provides both encryption and signature.
Encryption: a "message" $m \in \mathbb{Z}_N$ is encrypted as $c = m^e \bmod N$. The message is recovered as $m = c^d \bmod N$.
Signature: the signature of a "message" $m \in \mathbb{Z}_N$ is $s = m^d \bmod N$. To verify $(s, m) \in \mathbb{Z}_N^2$, check that $m \equiv s^e \pmod N$.

Textbook RSA
This is the scheme described in the original article by Rivest, Shamir and Adleman published in 1978 (and in many textbooks). At that time, there was no preprocessing of messages, no hash functions, and almost no security notions.
And now? We know that textbook RSA should not be used directly for asymmetric encryption or signatures, because it is only a trapdoor one-way permutation. We need a padding scheme to process the messages before/after encryption/signature and decryption/verification, using hash functions and/or pseudo-random number generators.
The RSA standards currently advocated by RSA Laboratories are RSA-OAEP (for encryption) and RSA-PSS (for signatures).

Multiplicativity
RSA encryption is multiplicative: the "product" of two ciphertexts is a ciphertext of the "product" of the plaintexts,
$$m_1^e \, m_2^e \equiv (m_1 m_2)^e \pmod N.$$
The same holds for signatures, since signing is the same operation with d in place of e.
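The multiplicative property is exactly what makes textbook RSA unusable as-is. The following added example (not code from the lecture notes) uses the toy key p = 61, q = 53, e = 17 so that everything is checkable by hand, and shows three consequences: ciphertexts multiply, a decryption oracle that refuses only the challenge ciphertext still leaks its plaintext (blinding, a chosen-ciphertext attack), and two known signatures or an arbitrary value s yield valid forged signatures. The oracle and helper names are this example's own; the attacks are the same for real key sizes.

```python
from math import gcd

# Added example, not from the lecture notes. Toy textbook RSA key:
# p = 61, q = 53 gives N = 3233, phi(N) = 3120, e = 17, d = 2753.
P, Q = 61, 53
N = P * Q                    # 3233
PHI = (P - 1) * (Q - 1)      # 3120
E = 17                       # gcd(17, 3120) = 1
D = pow(E, -1, PHI)          # 2753; modular inverse needs Python >= 3.8

def encrypt(m, e=E, n=N):
    return pow(m, e, n)

def decrypt(c, d=D, n=N):
    return pow(c, d, n)

def sign(m, d=D, n=N):
    return pow(m, d, n)

def verify(m, s, e=E, n=N):
    return pow(s, e, n) == m

def is_multiplicative(m1, m2, n=N):
    # c1 * c2 mod N is a valid ciphertext of m1 * m2 mod N
    return (encrypt(m1) * encrypt(m2)) % n == encrypt((m1 * m2) % n)

def restricted_oracle(challenge):
    """Hypothetical decryption oracle that answers everything except the challenge."""
    def oracle(c):
        if c == challenge:
            raise ValueError("oracle refuses the challenge ciphertext")
        return decrypt(c)
    return oracle

def blinding_attack(c, oracle, e=E, n=N):
    """Recover m from c = m^e mod N using an oracle that will not decrypt c itself."""
    r = 2
    while True:
        c_blind = (c * pow(r, e, n)) % n      # ciphertext of m * r
        if c_blind != c and gcd(r, n) == 1:
            break
        r += 1
    m_blind = oracle(c_blind)                 # = m * r mod N
    return (m_blind * pow(r, -1, n)) % n      # unblind

def forge_from_two_signatures(m1, s1, m2, s2, n=N):
    """Signatures on m1 and m2 give a valid signature on m1 * m2 mod N."""
    return (m1 * m2) % n, (s1 * s2) % n

def existential_forgery(s, e=E, n=N):
    """Any s is a valid signature of the (uncontrolled) message m = s^e mod N."""
    return pow(s, e, n), s

if __name__ == "__main__":
    m = 65
    c = encrypt(m)
    print("c =", c, "recovered via blinding:", blinding_attack(c, restricted_oracle(c)))
    fm, fs = forge_from_two_signatures(65, sign(65), 123, sign(123))
    print("forged signature valid:", verify(fm, fs))
```

The blinding attack is the reason real schemes need a padding such as OAEP: with a non-malleable encoding, c * r^e mod N no longer decrypts to a meaningful value, so the oracle's answer is useless.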
Euclid's Algorithm / Applications to Cryptanalysis

Euclid's Algorithm
Specification
  Input: integers $a \ge b \in \mathbb{N}$.
  Output: $\gcd(a, b)$.
Description
  While $b \ne 0$:
    $a := a \bmod b$
    Swap a and b
  Output a.
Toy Example: to compute gcd(21, 15):
  21 = 1 · 15 + 6
  15 = 2 · 6 + 3
   6 = 2 · 3 + 0
  a   b
  21  15
  15   6
   6   3
   3   0
The gcd is 3, the last non-zero value of a.

Classical Result on Euclid's Algorithm
The full cost with elementary (schoolbook) arithmetic is no more than that of a multiplication: $O(\log^2 a)$ bit operations.

Generalizing Euclid's Algorithm
Interpretation: since $\gcd(a, b)\mathbb{Z} = a\mathbb{Z} + b\mathbb{Z}$, Euclid computes the shortest non-zero integer linear combination of a and b.
In the Next Lectures: we will discuss a more general problem, lattice reduction, where a and b are replaced by n-dimensional vectors with integer coordinates. The algorithms will perform operations similar to Euclid's: translations and swaps. They have numerous applications in public-key cryptanalysis. We will present the following ones.
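As an added example (not code from the lecture notes), here is Euclid's algorithm exactly as specified above, returning the (a, b) trace of the toy example, together with its extended form, which recovers the Bézout coefficients x, y with ax + by = gcd(a, b). That is what the interpretation $\gcd(a,b)\mathbb{Z} = a\mathbb{Z} + b\mathbb{Z}$ says, and it is also how the RSA private exponent d is obtained as the inverse of e modulo $\varphi(N)$. The brute-force check at the end and the function names are this example's own.

```python
# Added example, not from the lecture notes.

def euclid(a, b):
    """gcd(a, b) by repeated 'a := a mod b; swap', returning the (a, b) trace."""
    trace = [(a, b)]
    while b != 0:
        a = a % b
        a, b = b, a
        trace.append((a, b))
    return a, trace

def ext_euclid(a, b):
    """Return (g, x, y) with g = gcd(a, b) = a*x + b*y (iterative, no recursion)."""
    old_r, r = a, b
    old_s, s = 1, 0        # coefficients of a
    old_t, t = 0, 1        # coefficients of b
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r   # same remainders as euclid()
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def mod_inverse(a, m):
    """a^-1 mod m from the Bézout coefficient of a (requires gcd(a, m) = 1)."""
    g, x, _ = ext_euclid(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd = {g}")
    return x % m

def rsa_private_exponent(e, p, q):
    """d with e*d = 1 (mod (p-1)(q-1)), derived with the extended algorithm."""
    return mod_inverse(e, (p - 1) * (q - 1))

def smallest_positive_combination(a, b, bound):
    """Brute-force check of gcd(a,b)Z = aZ + bZ: the smallest positive value of
    a*x + b*y with |x|, |y| <= bound. Must equal gcd(a, b) once the bound is
    large enough to contain the Bézout coefficients."""
    best = None
    for x in range(-bound, bound + 1):
        for y in range(-bound, bound + 1):
            v = a * x + b * y
            if v > 0 and (best is None or v < best):
                best = v
    return best

if __name__ == "__main__":
    g, trace = euclid(21, 15)
    print("gcd(21, 15) =", g, "trace:", trace)
    print("Bezout:", ext_euclid(21, 15))            # (3, -2, 3): 21*(-2) + 15*3 = 3
    print("RSA d for e=17, p=61, q=53:", rsa_private_exponent(17, 61, 53))
```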
Small Solutions of Linear Equations
Assume that we have a linear congruence $\sum_{i=1}^{n} a_i x_i \equiv b \pmod M$. If n is small, then lattice reduction can find a solution such that $|x_i| = O(M^{1/n})$. This is trivial if n = 1.
If there is a solution such that $\prod_{i=1}^{n} |x_i|$ is much smaller than M, then it can "probably" be recovered in practice, and perhaps also in theory.
This problem and its variants arise in many cryptanalytic applications: knapsack cryptosystems, linear congruential generators, DL-based signatures with exposed one-time keys, forgery of RSA signatures, etc.

Small Solutions of Polynomial Equations
Assume that we have a polynomial congruence $x^\delta \equiv P(x) \pmod N$ where $\deg P < \delta$ and N has unknown factorization. Coppersmith showed in 1996, using lattice reduction, that in time polynomial in $(\delta, \log N)$ one can find all the small roots $|x| \le N^{1/\delta}$. This is trivial if P is constant.
This result and its many variants/generalizations have many cryptanalytic applications to RSA.
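For n = 2 the lattice algorithm really is Euclid in two dimensions, so the case can be shown in full without LLL. The following added example (not code from the lecture notes) builds the lattice of solutions of $a_1 x_1 + a_2 x_2 \equiv 0 \pmod M$, reduces its basis with Lagrange-Gauss reduction (subtract an integer multiple of the shorter vector from the longer one, then swap), and uses the reduced basis to move an arbitrary solution to one with $|x_i| = O(\sqrt M)$ by Babai rounding. It assumes $\gcd(a_1, M) = 1$; the instance values (M = 101 and the larger M = 1000003) are constructed for the example.

```python
from fractions import Fraction

# Added example, not from the lecture notes: n = 2 case of the small-solution
# problem via two-dimensional lattice reduction. Assumes gcd(a1, M) = 1.

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def gauss_reduce(u, v):
    """Lagrange-Gauss reduction: returns a basis (u, v) of the same lattice
    with u a shortest non-zero lattice vector and |<u,v>| <= |u|^2 / 2."""
    while True:
        # translation: shorten v by the nearest integer multiple of u
        m = round(Fraction(dot(u, v), dot(u, u)))
        v = (v[0] - m * u[0], v[1] - m * u[1])
        if dot(v, v) >= dot(u, u):
            return u, v
        u, v = v, u                       # swap, exactly as in Euclid

def congruence_lattice(a1, a2, M):
    """Basis of L = {(x1, x2) in Z^2 : a1*x1 + a2*x2 = 0 (mod M)}, det(L) = M."""
    inv_a1 = pow(a1, -1, M)
    return (M, 0), ((-a2 * inv_a1) % M, 1)

def closest_vector(x, u, v):
    """Babai rounding: lattice vector alpha*u + beta*v near x, for reduced (u, v).
    alpha, beta solve x = alpha*u + beta*v over Q (Cramer's rule), then round."""
    det = u[0] * v[1] - u[1] * v[0]
    alpha = round(Fraction(x[0] * v[1] - x[1] * v[0], det))
    beta = round(Fraction(u[0] * x[1] - u[1] * x[0], det))
    return (alpha * u[0] + beta * v[0], alpha * u[1] + beta * v[1])

def small_solution(a1, a2, b, M):
    """A solution (x1, x2) of a1*x1 + a2*x2 = b (mod M) with |x_i| = O(sqrt(M))."""
    u, v = gauss_reduce(*congruence_lattice(a1, a2, M))
    x0 = ((b * pow(a1, -1, M)) % M, 0)    # some solution, typically not small
    w = closest_vector(x0, u, v)          # lattice vector close to x0
    return (x0[0] - w[0], x0[1] - w[1])   # x0 - w is still a solution, now small

def satisfies(a1, a2, b, M, x):
    return (a1 * x[0] + a2 * x[1] - b) % M == 0

if __name__ == "__main__":
    # constructed instance: hidden solution (2, -1), b = 3*2 + 7*(-1) = -1 = 100 mod 101
    print(small_solution(3, 7, 100, 101))      # (2, -1)
    print(gauss_reduce((101, 0), (65, 1)))     # ((-7, 3), (-8, -11))
```

For larger n the same two steps (reduce, then round) are done with LLL and Babai's algorithm; the heuristic $\prod |x_i| \ll M$ is the condition under which the rounded vector is the hidden solution rather than merely a short one.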
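The "trivial if P is constant" case already breaks textbook RSA with a small public exponent: if $m^e < N$ then $c = m^e \bmod N$ is $m^e$ over the integers and m is the integer e-th root of c. The following added example (not code from the lecture notes) implements that root with exact integer arithmetic and shows the attack succeeding on a short message and failing once $m^e$ wraps modulo N. The modulus is the product of the Mersenne primes $2^{61}-1$ and $2^{31}-1$, chosen only so that the example runs without a real key.

```python
# Added example, not from the lecture notes: the constant-P case of the
# small-root problem, i.e. the low-exponent attack on unpadded RSA.

N_EXAMPLE = (2**61 - 1) * (2**31 - 1)   # constructed modulus, about 2^92

def integer_root(n, k):
    """Largest x with x**k <= n, by binary search on integers (no floating point)."""
    lo, hi = 0, 1 << ((n.bit_length() + k - 1) // k + 1)   # hi**k > n
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def small_root_attack(c, e, N):
    """Return m if c = m^e mod N came from an m with m^e < N, else None.
    The check m**e == c is over the integers: the root is exact only when
    no modular reduction happened."""
    m = integer_root(c, e)
    return m if m ** e == c and m < N else None

if __name__ == "__main__":
    m_short = 1234567                      # m^3 < N: recoverable from c alone
    print(small_root_attack(pow(m_short, 3, N_EXAMPLE), 3, N_EXAMPLE))
    m_long = 2**40                         # m^3 > N: the trivial case no longer applies
    print(small_root_attack(pow(m_long, 3, N_EXAMPLE), 3, N_EXAMPLE))
```

Coppersmith's method extends this to the non-trivial case, where P is a genuine polynomial (e.g. a message with known padding bits), by building a lattice whose short vectors are polynomials with the same small root over the integers.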
Appendix: For Further Reading
Many references in the survey:
P. Q. Nguyen. In Recent Trends in Cryptography. AMS-RSME, 2009.
P. Q. Nguyen and J. Stern. The two faces of lattices in cryptology. In Proc. Workshop on Cryptography and Lattices (CALC '01), volume 2146 of LNCS, pages 146-180. Springer-Verlag, 2001.