New RSA vulnerabilities using lattice reduction methods

This dissertation deals with the best-known and most widely used public-key cryptosystem of today: the RSA cryptosystem proposed in 1978 by Rivest, Shamir and Adleman. It is shown that special parameter choices in this cryptosystem lead to polynomial-time attacks. Let us look more closely at the generation of the RSA parameters: one chooses two large primes p and q and computes their product N = pq. The so-called RSA modulus N is public, whereas the factorization of N into p and q is secret. Furthermore, one chooses a key pair (e, d) with the property ed = 1 mod (p − 1)(q − 1). Here the parameter e is publicly known in RSA, and the parameter d is secret. The secret key d can easily be computed from (N, e) if the factorization of N is known. An attacker can therefore try to determine the factorization of N. However, no algorithm is known to date that computes the factorization of N in time polynomial in the bit length of N. This thesis shows that an attacker can find the factorization in polynomial time if e has a special form or if the attacker obtains a fraction of the bits of the secret key d. The method used and further developed in this thesis is an algorithm presented by Coppersmith in 1996 for finding small roots of modular polynomial equations. The dissertation includes, among others, the following results:
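As an added illustration (not code from the dissertation), the key relation above in working Python: d is derived from the factorization exactly as described, and the converse holds as well, since (N, e, d) lets one recover p and q, which is why a leaked d is equivalent to a leaked factorization and why the thesis's partial-key-exposure results matter. The primes and exponents used below are constructed textbook-size values, not parameters from the page.

```python
import math
import random


def rsa_setup(p: int, q: int, e: int):
    """Derive the RSA parameters described in the abstract from primes p, q
    and a public exponent e: N = p*q and d with e*d = 1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python >= 3.8)
    return n, e, d


def factor_from_private_exponent(n: int, e: int, d: int, trials: int = 100):
    """Recover (p, q) from (N, e, d): e*d - 1 is a multiple of (p-1)(q-1),
    so for a random a, a^(e*d-1) = 1 mod N; repeated squaring from
    a^t (t the odd part of e*d-1) finds a square root of 1 other than +-1
    with probability >= 1/2 per trial, and gcd(x - 1, N) splits N."""
    k = e * d - 1
    s = (k & -k).bit_length() - 1  # number of trailing zero bits of k
    t = k >> s
    rng = random.Random(1)  # fixed seed so the demonstration is reproducible
    for _ in range(trials):
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if 1 < g < n:  # lucky pick: a already shares a factor with N
            return (min(g, n // g), max(g, n // g))
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:  # x is a nontrivial square root of 1 mod N
                g = math.gcd(x - 1, n)
                return (min(g, n // g), max(g, n // g))
            if y == n - 1:  # this trial only yields the trivial root
                break
            x = y
    return None


if __name__ == "__main__":
    n, e, d = rsa_setup(61, 53, 17)  # constructed textbook example
    print("N =", n, "e =", e, "d =", d)
    print("recovered factors from d:", factor_from_private_exponent(n, e, d))
```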
