Practical Cryptanalysis of ISO/IEC 9796-2 and EMV Signatures

In 1999, Coron, Naccache and Stern discovered an existential signature forgery for two popular RSA signature standards, ISO/IEC 9796-1 and ISO/IEC 9796-2. Following this attack, ISO/IEC 9796-1 was withdrawn, and ISO/IEC 9796-2 was amended by increasing the message digest to at least 160 bits. Attacking this amended version required at least 2^61 operations. In this paper, we exhibit algorithmic refinements that allow the amended (currently valid) version of ISO/IEC 9796-2 to be attacked for all modulus sizes. A practical forgery was computed in only two days using 19 servers on the Amazon EC2 grid, for a total cost of approximately US$800. The forgery was implemented for e = 2, but attacking odd exponents will not take longer. The forgery was computed for the RSA-2048 challenge modulus, whose factorization is still unknown. The new attack blends several theoretical tools. These do not change the asymptotic complexity of Coron et al.'s technique but significantly accelerate it for parameter values previously considered beyond reach. While less efficient (US$45,000), the acceleration also extends to EMV signatures. EMV is an ISO/IEC 9796-2-compliant format with extra redundancy. Luckily, for operational reasons, this attack does not threaten any of the 730 million EMV payment cards in circulation. Costs are per modulus: after a first forgery for a given modulus, obtaining further forgeries is virtually immediate.
