Cryptanalysis of Partial RSA Message Disclosure
By 182698
Supervisor: Assoc. Prof. Dr.
 Muhammad Rezal bin Dato' Kamel Ariffin

ABSTRACT
In 1996, Don Coppersmith used the Lenstra, Lenstra and Lovász (LLL) algorithm to find small integer roots of polynomials. He applied it to univariate modular equations and proved that the method finds small roots, if they exist, in polynomial time. In this thesis we look at the LLL algorithm and how it can be used in cryptanalysis. We give some background on cryptography and public-key cryptosystems, and present some theory about lattices. We look in detail at Coppersmith's method and show how it can be used to attack RSA encryption with a low public exponent. Finally, we give an example to illustrate this attack.
ABSTRAK
Supervisor: Assoc. Prof. Dr. Muhammad Rezal bin Dato' Kamel Ariffin
In 1996, Don Coppersmith used the Lenstra, Lenstra and Lovász (LLL) algorithm to find small integer roots of polynomials. It was applied to univariate modular equations, and he proved that the method would give the small roots, if they exist, in polynomial time. In this thesis we look at the LLL algorithm and its use in cryptanalysis, give some background on cryptography and public-key cryptosystems, and present some theory. We also look in detail at Coppersmith's method and show how it can be used to attack RSA encryption with a low public exponent.
ACKNOWLEDGMENTS
First and foremost, praise to the almighty Allah s.w.t. as I managed to complete this Final Year Project Thesis, which is titled Cryptanalysis of Partial RSA Message
Rezal bin Dato' Kamel Ariffin, who encouraged, supervised, guided and supported me a lot during the two semesters of session 2018/2019. I would like to express my sincere gratitude to my supervisor for the continuous support, for his patience, motivation, enthusiasm and immense knowledge. His guidance helped me in all the time of
Deepest thanks and appreciation to both of my parents, family and others for
me to complete this project. I would like to thank all my friends and everyone, especially my coursemates, Siti Fatimah Azzahra binti Azhari, for her encouragement, insightful comments, and knowledge. Last but not least, my thanks to
DECLARATION
I declare that the thesis is my original work except for quotations and citations which have been duly acknowledged. I also declare that it has not been previously, and is not concurrently, submitted for any other degree at Universiti Putra
TABLE OF CONTENTS
ABSTRACT
ABSTRAK
ACKNOWLEDGMENTS
APPROVAL
DECLARATION
LIST OF ABBREVIATIONS
CHAPTER
1 INTRODUCTION
1.1 Number Theory
1.1.1 Divisibility
1.1.2 Greatest Common Divisor
1.1.3 Euclidean Algorithm
1.1.4 Extended Euclidean Algorithm
1.1.5 Modular Arithmetic
1.2 Research Background
1.2.1 Cryptographic goals
1.2.2 Symmetric Key Cryptography
1.2.3 Asymmetric Key Cryptography
1.2.4 Selected Cryptographic One-Way Functions and Their Difficulty
1.3 RSA- An Asymmetric Cryptosystem (1978)
1.4 Problem Statement
1.5 Objective
2 LITERATURE REVIEW
2.1 Stereotyped Message
2.2 Fixed Padding Schemes in RSA
2.3 Coppersmith's Method
3 METHODOLOGY
3.1 Useful Theorem
3.2 Lattice
3.3 LLL- lattice reduction algorithm
3.4 Coppersmith's Method
3.5 Coppersmith's Univariate Method
4 RESULT AND DISCUSSIONS
4.1 Strategies
4.2 Reconstructing Message with Partial Disclosure
4.3 Numerical Example for Stereotyped Messages
4.4 Numerical Example for Fixed Padding Message
CONCLUSIONS
REFERENCES
APPENDICES
LIST OF ABBREVIATIONS
CHAPTER 1
INTRODUCTION
In this section, we present the definitions and algorithms from elementary number theory that are needed in the later chapters.
1.1 Number Theory
1.1.1 Divisibility
Definition 1.1.1
Let a, b ∈ Z and a ≠ 0. We say a divides b if there exists k ∈ Z such that b = ak. This is denoted by a | b.
1.1.2 Greatest Common Divisor
The greatest common divisor (gcd) of two integers a and b is the largest integer dividing both a and b.
Example 1.1.2
gcd(4, 6) = 2
gcd(8, 12) = 4
Definition 1.1.2
We say two integers a and b are relatively prime or coprime if gcd(a, b) = 1.
1.1.3 Euclidean Algorithm
Step 1
Set r_0 = a and r_1 = b (with a ≥ b > 0).
Step 2
Set i = 1.
Step 3
Divide r_{i-1} by r_i to get the quotient q_i and the remainder r_{i+1}. Initially, divide r_0 = a by r_1 = b and determine the remainder: a = b q_1 + r_2, 0 ≤ r_2 < b.
Step 4
If r_2 = 0, then gcd(a, b) = b.
If r_2 ≠ 0, continue by dividing b by r_2. We will have
b = r_2 q_2 + r_3, 0 ≤ r_3 < r_2.
Step 5
If r_3 = 0, then gcd(a, b) = r_2; otherwise continue in the same way:
r_2 = r_3 q_3 + r_4
...
r_{t-1} = r_t q_t + 0
The last non-zero remainder is the gcd, so gcd(a, b) = r_t.
Example 1.1.3
Compute gcd(1015, 231):
1015 = 231(4) + 91
231 = 91(2) + 49
91 = 49(1) + 42
49 = 42(1) + 7
42 = 7(6) + 0
The last non-zero remainder is 7, so gcd(1015, 231) = 7.
1.1.4 Extended Euclidean Algorithm
Algorithm 1.1
The following is an efficient algorithm to find a solution of ax + by = gcd(a, b).
Step 1
Run the Euclidean algorithm on a and b, recording the quotients:
a = b q_1 + r_1
b = r_1 q_2 + r_2
r_1 = r_2 q_3 + r_3
...
r_{t-2} = r_{t-1} q_t + r_t
r_{t-1} = r_t q_{t+1} + 0
so that gcd(a, b) = r_t.
Step 2
Set x_0 = 1, x_1 = 0, and x_j = -q_{j-1} x_{j-1} + x_{j-2};
set y_0 = 0, y_1 = 1, and y_j = -q_{j-1} y_{j-1} + y_{j-2};
for j = 2, ..., t + 1. Then
a x_{t+1} + b y_{t+1} = gcd(a, b).
For a = 1015, b = 231 (Example 1.1.3) the quotients are 4, 2, 1, 1, 6, which give x_5 = -5 and y_5 = 22, and indeed 1015(-5) + 231(22) = 7.
By using this algorithm we can solve linear congruences and, in particular, find the multiplicative inverse of an integer a modulo n whenever it exists, i.e. whenever gcd(a, n) = 1.
1.1.5 Modular Arithmetic
1.1.5.1 Congruence
Definition 1.1.5.1
Let a, b, n ∈ Z and n ≠ 0. We say a ≡ b (mod n) if n divides a − b, i.e. (a − b)/n = k for some k ∈ Z.
1.2 Research Background
1.2.1 Cryptographic goals
There are four main goals of cryptography in protecting private communication between two entities.
There are two types of cryptosystems, symmetric and asymmetric.
1.2.2 Symmetric Key Cryptography
This is the simplest kind of encryption: it involves only one secret key, used both to encipher and to decipher information. The key can be a number, a word or a string of random letters. It is combined with the plaintext of a message to transform the content in a particular way. Both the sender and the recipient must know the secret key that is used to encrypt and decrypt all the messages. Thus the major problem in symmetric key cryptography is key distribution: the key must be shared in secret before information can be exchanged securely.
1.2.3 Asymmetric Key Cryptography
A one-way function with a trapdoor is used to build a secure public-key cryptosystem. A one-way function is a mathematical function that is significantly easier to compute in one direction (the forward direction) than in the opposite direction (the inverse direction). The trapdoor is extra information that makes computing the inverse easy. The hard problems on which such functions are built include the Discrete Logarithm Problem, the Diffie-Hellman Problem and the Decisional Diffie-Hellman Problem.
1.2.5 Discrete Log Problem
Definition 1.2.5.1
Let p be a prime and let g ∈ Z be a primitive root modulo p. The Discrete Logarithm Problem (DLP) is the problem of finding, for a given h, an exponent x such that
g^x ≡ h (mod p).
The value of x is called the discrete logarithm of h to the base g and is denoted by log_g(h). The DLP is a hard problem if there exists a negligible function ε(n) such that, for every probabilistic polynomial-time algorithm, the probability of solving the DLP (the event Dlog = 1) satisfies
Pr(Dlog = 1) ≤ ε(n).
5. The shared secret key is obtained as follows:
A' ≡ B^a ≡ (g^b)^a ≡ (g^a)^b ≡ A^b ≡ B' (mod p)
Basically, Eve is an eavesdropper: she watches what is sent between Alice and Bob, but she does not alter the contents of their communications. Eve knows the values A and B, so she knows g^a (mod p) and g^b (mod p). Given the known values of g and p, if Eve can solve the DLP then she can find a and b, and hence the shared secret. For further discussion of the DHKE along with the concepts of DLP, DHP and DDH, refer to [6].
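To make the eavesdropper's position concrete, here is an added Python example (it is not from the thesis) of the exchange in step 5 and of Eve solving the DLP with the baby-step giant-step algorithm, which the text does not discuss. The prime p = 10007, the generator g = 5 (a primitive root modulo p) and the private exponents are constructed for illustration and are far too small for real use; at this size the DLP is trivial, which is exactly the point.

```python
from math import isqrt

# Constructed toy parameters (NOT secure): p = 10007 is prime and g = 5 is a
# primitive root modulo p, so every h in [1, p-1] has a unique log in [0, p-2].
P, G = 10007, 5

def dh_exchange(p, g, a, b):
    """Diffie-Hellman: Alice holds a, Bob holds b; only A and B cross the wire.
    Returns (A, B, Alice's shared secret, Bob's shared secret)."""
    A = pow(g, a, p)                          # Alice -> Bob
    B = pow(g, b, p)                          # Bob -> Alice
    return A, B, pow(B, a, p), pow(A, b, p)   # B^a == A^b == g^(ab) mod p

def bsgs_dlog(g, h, p):
    """Baby-step giant-step: find x with g^x = h (mod p) in O(sqrt(p)) time and memory.
    Returns None if no x < m*m works (cannot happen when g is a primitive root)."""
    m = isqrt(p - 1) + 1                        # m^2 >= p-1 covers every exponent
    baby = {pow(g, j, p): j for j in range(m)}  # baby steps: g^j -> j
    giant_step = pow(g, -m, p)                  # g^(-m), modular inverse via pow (Python 3.8+)
    gamma = h
    for i in range(m):
        if gamma in baby:                       # h * g^(-im) == g^j  =>  x = i*m + j
            return i * m + baby[gamma]
        gamma = gamma * giant_step % p
    return None

def eve_recovers_secret(p, g, A, B):
    """What the eavesdropper does: solve the DLP for a from A, then compute B^a."""
    a = bsgs_dlog(g, A, p)
    return pow(B, a, p)

if __name__ == "__main__":
    A, B, k_alice, k_bob = dh_exchange(P, G, 1234, 5678)   # constructed secrets a, b
    print("shared key:", k_alice, "Eve's key:", eve_recovers_secret(P, G, A, B))
```

With a real-world 2048-bit prime the baby-step table would need about 2^1024 entries, which is why the DLP is believed hard; the exchange itself is the same code with bigger numbers.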
Then, in 1978, Ron Rivest, Adi Shamir and Leonard Adleman came up with a very elegant solution to the key exchange problem [1]. Building on the discovery of Diffie and Hellman, they invented the first public-key cryptosystem, called the RSA scheme.
1.3 RSA- An Asymmetric Cryptosystem (1978)
In 1978, Ron Rivest, Adi Shamir and Leonard Adleman invented the first public-key cryptosystem, called the RSA cryptosystem, as a solution to the key exchange problem [1]. RSA uses two different keys: a public key for encryption and a private key for decryption of messages. The scheme is as follows: choose two distinct large primes p and q and set N = pq and φ(N) = (p − 1)(q − 1); choose a public exponent e with gcd(e, φ(N)) = 1 and compute the private exponent d with ed ≡ 1 (mod φ(N)). The public key is (N, e) and the private key is d. A message m < N is encrypted as c ≡ m^e (mod N), and the ciphertext is decrypted as m ≡ c^d (mod N). The correctness of decryption rests on the following results.
Theorem 1.1 : Euler's Theorem
If gcd(a, N) = 1, then a^{φ(N)} ≡ 1 (mod N), where φ is Euler's totient function.
Proof:
Let a_1, a_2, ..., a_{φ(N)} be the positive integers less than N and relatively prime to N. Since gcd(a, N) = 1, each a a_i is also relatively prime to N, and the a a_i are distinct modulo N: if a a_i ≡ a a_j (mod N) then, cancelling the invertible a, a_i ≡ a_j (mod N), so i = j. Hence a a_1, a a_2, ..., a a_{φ(N)} are a permutation modulo N of the φ(N) integers a_i, and
a_1 a_2 ··· a_{φ(N)} ≡ (a a_1)(a a_2) ··· (a a_{φ(N)}) ≡ a^{φ(N)} a_1 a_2 ··· a_{φ(N)} (mod N).
Since the product a_1 a_2 ··· a_{φ(N)} is invertible modulo N, cancelling it gives
a^{φ(N)} ≡ 1 (mod N).
Proposition 1.1
Let p, q be distinct primes and N = pq, φ(N) = (p − 1)(q − 1), gcd(e, φ(N)) = 1, and let d be the multiplicative inverse of e, so that ed ≡ 1 (mod φ(N)). Then the congruence y ≡ x^e (mod N) has the unique solution x ≡ y^d (mod N).
Proof:
Since ed ≡ 1 (mod φ(N)), we can write ed = 1 + kφ(N) for some integer k. Then, for gcd(x, N) = 1,
y^d ≡ (x^e)^d = x^{ed} = x^{1 + kφ(N)}
≡ x · (x^{φ(N)})^k (mod N)
≡ x · 1^k (mod N)
≡ x (mod N),
by Euler's Theorem. (If gcd(x, N) ≠ 1 the congruence still holds: it is checked separately modulo p and modulo q using Fermat's little theorem, and the two are combined by the Chinese Remainder Theorem.)
Example 1.1 The RSA encryption and RSA decryption can be implemented as follows:
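The worked example itself is not printed on the page. The following Python code is an added example, not the thesis's own: it implements the extended Euclidean algorithm of Algorithm 1.1 (the same recurrence for x_j and y_j), uses it to compute d = e^{-1} mod φ(N), and builds textbook RSA on top. The primes 1009 and 1013, the exponent e = 17 and the message are constructed toy values; no padding is applied, which is exactly the setting the attacks in later chapters exploit. The gcd(e, φ(N)) = 1 check in key generation is the one a real implementation must never skip.

```python
def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b), following Algorithm 1.1:
    x_j = -q_{j-1} x_{j-1} + x_{j-2},  y_j = -q_{j-1} y_{j-1} + y_{j-2}."""
    r_prev, r = a, b            # r_{j-2}, r_{j-1}
    x_prev, x = 1, 0            # x_0 = 1, x_1 = 0
    y_prev, y = 0, 1            # y_0 = 0, y_1 = 1
    while r != 0:
        q = r_prev // r
        r_prev, r = r, r_prev - q * r
        x_prev, x = x, x_prev - q * x
        y_prev, y = y, y_prev - q * y
    return r_prev, x_prev, y_prev

def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n; raises if gcd(a, n) != 1."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd = {g})")
    return x % n

def rsa_keygen(p, q, e):
    """Textbook RSA key generation from two distinct primes and a public exponent.
    Returns ((N, e), (N, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if extended_gcd(e, phi)[0] != 1:          # e must be invertible modulo phi(N)
        raise ValueError("e is not coprime to phi(N); choose another e or other primes")
    return (n, e), (n, mod_inverse(e, phi))

def rsa_encrypt(public_key, m):
    """c = m^e mod N for an integer message 0 <= m < N (no padding!)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    """m = c^d mod N (Proposition 1.1)."""
    n, d = private_key
    return pow(c, d, n)

if __name__ == "__main__":
    public, private = rsa_keygen(1009, 1013, 17)   # constructed toy primes, e = 17
    c = rsa_encrypt(public, 123456)
    print(public, private, c, rsa_decrypt(private, c))
```

Note that `rsa_keygen(2837, 5923, 3)` raises: 3 divides 5923 − 1, so e = 3 has no inverse modulo φ(N) for the modulus used in the numerical example of Chapter 4.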
1.4 Problem Statement
1.5 Objective
• To show that, knowing part of the bits of a message, the full message can be recovered.
CHAPTER 2
LITERATURE REVIEW
2.1 Stereotyped Message
When you open a new account at a bank, the bank will normally send you a PIN, usually in the form "Your pin number is ****".
So when encrypting a plaintext m, one should be careful about its size. Unfortunately, that is not the only problem, especially when a small public exponent is used. If the public exponent is sufficiently small, there is a risk that the ciphertext satisfies c = m^e < N, so that no modular reduction takes place at all. Knowing this, all Eve has to do is to compute the e-th root of c over the integers. So plaintexts m with m < N^{1/e} cannot be used without padding. This is relevant because RSA is often used to transport a key for a symmetric key cryptosystem, which is far shorter than N.
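An added Python example (not from the thesis) of the integer e-th root attack just described, with e = 3 and a constructed 128-bit key K standing in for a symmetric key. The 1024-bit N here is just a constructed odd number of the right size, not a real RSA modulus; the attack does not care, since it only needs c = K^3 < N. The root is taken by exact integer binary search, so it works on integers of any size.

```python
def integer_root(c, e):
    """Largest integer r with r**e <= c, by binary search (exact on big integers)."""
    if c < 0 or e < 1:
        raise ValueError("need c >= 0 and e >= 1")
    lo, hi = 0, 1
    while hi ** e <= c:              # find an upper bracket with hi**e > c
        hi *= 2
    while lo < hi:                   # invariant: lo**e <= c < (hi+1)**e
        mid = (lo + hi + 1) // 2
        if mid ** e <= c:
            lo = mid
        else:
            hi = mid - 1
    return lo

def small_exponent_attack(c, e, N):
    """If the plaintext satisfied m**e < N then c = m**e over the integers and m is
    simply the integer e-th root of c. Returns m, or None when c is not a perfect
    e-th power (the exponentiation wrapped modulo N and this attack does not apply)."""
    if not 0 <= c < N:
        raise ValueError("ciphertext out of range")
    m = integer_root(c, e)
    return m if m ** e == c else None

# Constructed demo values: a 128-bit "AES key" and a 1024-bit odd N (not a real RSA modulus).
K = 0x2b7e151628aed2a6abf7158809cf4f3c
N_DEMO = (1 << 1023) | 0x10001
C_DEMO = pow(K, 3, N_DEMO)           # K**3 < 2**384 < N, so no reduction takes place

if __name__ == "__main__":
    print(hex(small_exponent_attack(C_DEMO, 3, N_DEMO)))
```

The check `m ** e == c` is what tells the attacker whether the wrap-around happened; when it did, the stereotyped-message and fixed-padding attacks of the following sections are the next thing to try.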
2.2 Fixed Padding Schemes in RSA
One simple proposal for κ-bit RSA moduli is to take a κ'-bit message and pad it by putting (κ − κ' − 1) ones on its left-hand side. This brings a short message up to full length. This padding scheme is sometimes called a fixed padding scheme.
Suppose short messages (for example, 128-bit AES keys K) are being encrypted using this padding scheme with κ = 1024 and e = 3. Then the padded message is 895 ones followed by the 128 bits of K, that is
m = 2^{1023} − 2^{128} + K
c ≡ m^3 (mod N)
NOTE: If the cryptanalyst can intercept the ciphertext, then the cryptanalyst only needs to find the value of K. We know that K is a solution of the polynomial
F(x) = (2^{1023} − 2^{128} + x)^3 − c ≡ 0 (mod N).
This is a polynomial of degree 3 with a root modulo N of size at most N^{128/1024} = N^{1/8}, which is well below the N^{1/3} bound for degree 3. So Coppersmith's method finds the solution K in polynomial time.
2.3 Coppersmith's Method
Coppersmith's method finds all small integer roots x_0 of a monic polynomial F(x) modulo N, i.e. all small x_0 with
F(x_0) ≡ 0 (mod N),
without knowing the factorisation of N.
CHAPTER 3
METHODOLOGY
A univariate polynomial is a polynomial in a single variable, for example:
Example 3.3
1. 2x^3 + 3x^2 − 24
2. x^2 + x − 5
Definition 3.4
A multivariate polynomial is a polynomial in two or more variables.
Example 3.4
1. 2x^3 + 3y^2 − 24
2. y^2 + xy − 5x + 3
3.2 Lattice
In 1996, Coppersmith described how to use the LLL algorithm on lattice bases to find small roots of polynomials. Coppersmith builds a matrix that spans a lattice; this matrix consists, among other things, of the coefficients of our polynomial. Once the matrix has the appropriate form, we apply the LLL algorithm to it to get an LLL-reduced basis. We use this basis to construct a new polynomial which we can solve over the integers and which has the same small roots as the original polynomial. This can be used to attack RSA cryptosystems with a low public exponent.
Definition 3.1.1
A vector space V is a subset of R^m that is closed under linear combinations, i.e. for all v_1, ..., v_k ∈ V and α_1, ..., α_k ∈ R,
w = α_1 v_1 + α_2 v_2 + ··· + α_k v_k ∈ V.
The set
{α_1 v_1 + ··· + α_k v_k : α_1, ..., α_k ∈ R}
is called the span of v_1, ..., v_k.
Definition 3.1.3
Independence. A set of vectors v_1, v_2, ..., v_k ∈ V is (linearly) independent if the only way to get
α_1 v_1 + α_2 v_2 + ··· + α_k v_k = 0 with α_1, ..., α_k ∈ R
is to have α_1 = α_2 = ··· = α_k = 0.
Definition 3.1.4
A basis for V is a set of linearly independent vectors v_1, ..., v_n that span V. This is equivalent to saying that every vector w ∈ V can be written uniquely in the form
w = α_1 v_1 + α_2 v_2 + ··· + α_n v_n.
Definition 3.1.7
Let n and m be positive integers. A subset L of the m-dimensional real vector space R^m is called a lattice if there exists a finite set of linearly independent vectors {b_i} ⊆ R^m such that
$$L = \sum_{i=1}^{n} \mathbb{Z} b_i = \Bigl\{ \sum_{i=1}^{n} r_i b_i : r_i \in \mathbb{Z},\ 1 \le i \le n \Bigr\}.$$
We say that such a set b_1, ..., b_n is a basis if it spans L and is Z-linearly independent. We call n the rank of L and m the dimension. The lattice is a full-rank lattice if n = m. Given an n × m matrix B whose rows are the basis vectors, we can define
$$L = L(B) = \{ xB : x \in \mathbb{Z}^n \}.$$
3.3 LLL- lattice reduction algorithm
We will not dig into the internals of LLL here, see Chris Peikert’s course for
detailed explanations of the algorithm [2].
3.4 Coppersmith's Method
In 1996, Coppersmith was the first researcher to use the LLL algorithm to attack RSA, by introducing a method to find the small roots of univariate and multivariate modular polynomial equations [3]. As an illustration of the multivariate setting, suppose we assign the unknown values d, k and p + q − 1 to the variables x, y and z respectively. From the public key/secret key relation ed = 1 + kφ(N) = 1 + k(N − (p + q − 1)) we obtain the polynomial
f(x, y, z) = ex − y(N − z) − 1,
which has the root (d, k, p + q − 1) over the integers. Reducing modulo N, the polynomial f_N(x, w) = ex + w − 1 has the root (d, k(p + q − 1)) modulo N, and reducing modulo e, the polynomial f_e(y, z) = y(N − z) + 1 has the root (k, p + q − 1) modulo e. We observe that the parameter k is bounded by
First notice that the problem of decrypting an RSA-encrypted message c ≡ m^e (mod N) is the problem of finding the unique positive root x_0 = m < N of the polynomial
f_N(x) = x^e − c (mod N).
We could find the roots of f_N(x) modulo p and modulo q, and combine them using the Chinese Remainder Theorem, if we knew the factors p and q. However, the attack that recovers m in polynomial time whenever m < N^{1/e} (taking an integer e-th root of c) suggests a simple idea for solving modular univariate polynomial equations:
reduce the root-finding problem for modular equations to the case of root finding in equations over the integers.
Thus Coppersmith's method is a method for finding small integer roots of polynomial equations. If we know the factorisation of the modulus, it is easy to find the solutions of the modular equation; otherwise it can be difficult. The general result, in the form stated by May, is the following.
Theorem 2.2.1
Let N be an integer of unknown factorisation which has a divisor b ≥ N^β, 0 < β ≤ 1, and let f_b(x) be a monic univariate polynomial of degree δ. Then all solutions x_0 of f_b(x) ≡ 0 (mod b) with
$$|x_0| \le \tfrac{1}{2} N^{\beta^2/\delta - \varepsilon}$$
can be found in time polynomial in log N, δ and 1/ε.
Next, the following theorem is a direct consequence of Theorem 2.2.1, as we can easily remove the factor 1/2 and the term ε from the upper bound on x_0 by a simple brute-force search. Under the same hypotheses, for any constant c_N ≥ 1, all solutions x_0 of f_b(x) ≡ 0 (mod b) with
$$|x_0| \le c_N N^{\beta^2/\delta}$$
can be found in time polynomial in log N and δ (and linear in c_N). Indeed, choosing ε = 1/log_2 N in Theorem 2.2.1 gives N^{-ε} = 1/2, so the bound there becomes
$$|x_0| \le \tfrac{1}{4} N^{\beta^2/\delta},$$
and an interval of half-length c_N N^{β^2/δ} is covered by at most 4 c_N applications of the theorem to suitably shifted polynomials.
For completeness, and since it is one of the most interesting cases of Coppersmith's method, we explicitly state the special case b = N (so β = 1) and c_N = 1, which is the one given in the work of Coppersmith [4, 5]: for a monic polynomial p(x) of degree δ, all x_0 with
$$|x_0| \le N^{1/\delta} \quad\text{and}\quad p(x_0) \equiv 0 \pmod N$$
can be found in time polynomial in log N and δ.
3.5 Coppersmith's Univariate Method
Observation 1
For finding a small root x_0, given a monic univariate modular polynomial equation p(x) = x^δ + p_{δ−1} x^{δ−1} + ··· + p_1 x + p_0 ≡ 0 (mod N) (so p_δ = 1), one might first try the (δ + 2) × (δ + 2) matrix
$$
M = \begin{pmatrix}
1 & 0 & 0 & \cdots & 0 & p_0 \\
0 & X & 0 & \cdots & 0 & p_1 \\
0 & 0 & X^2 & \cdots & 0 & p_2 \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & 0 & \cdots & X^{\delta} & p_{\delta} \\
0 & 0 & 0 & \cdots & 0 & N
\end{pmatrix}.
$$
Its determinant is N X^{δ(δ+1)/2}, and requiring the determinant to exceed a threshold α gives
$$N X^{\delta(\delta+1)/2} > \alpha, \qquad X^{\delta(\delta+1)/2} > \alpha N^{-1}, \qquad X > (\alpha/N)^{2/(\delta(\delta+1))}.$$
This shows that if we directly use the positive integer powers X^i in the matrix M instead of the rational numbers X^{-i}, we obtain only a lower bound on X and no upper bound on the size of x_0. Since X is not bounded above, we could take X as large as we like, and computing with it would be meaningless and time consuming.
Observation 2
We improve the matrix M by taking the diagonal elements to be 1, X^{-1}, X^{-2}, ..., X^{-δ}, N. Establish a suitable upper bound X on the size of the desired root x_0, and then build the (δ + 2) × (δ + 2) matrix
$$
M = \begin{pmatrix}
1 & 0 & 0 & \cdots & 0 & p_0 \\
0 & X^{-1} & 0 & \cdots & 0 & p_1 \\
0 & 0 & X^{-2} & \cdots & 0 & p_2 \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & 0 & \cdots & X^{-\delta} & p_{\delta} \\
0 & 0 & 0 & \cdots & 0 & N
\end{pmatrix}.
$$
Now det(M) = N X^{-δ(δ+1)/2}, and the same threshold condition yields an upper bound on X:
$$N X^{-\delta(\delta+1)/2} > \alpha, \qquad X^{-\delta(\delta+1)/2} > \alpha N^{-1}, \qquad X < (N/\alpha)^{2/(\delta(\delta+1))} \le N^{2/(\delta(\delta+1))} < N^{1/\delta}$$
(for α ≥ 1 and δ ≥ 2).
Discussion:
Let x_0 be the desired root and let y_0 be the integer with p(x_0) = y_0 N. Consider the row vector r = (1, x_0, x_0^2, ..., x_0^δ, −y_0) ∈ Z^{δ+2}. Then
$$
rM = \Bigl(1, \frac{x_0}{X}, \Bigl(\frac{x_0}{X}\Bigr)^2, \ldots, \Bigl(\frac{x_0}{X}\Bigr)^{\delta},\; p_0 + p_1 x_0 + p_2 x_0^2 + \cdots + p_{\delta} x_0^{\delta} - y_0 N\Bigr)
= \Bigl(1, \frac{x_0}{X}, \Bigl(\frac{x_0}{X}\Bigr)^2, \ldots, \Bigl(\frac{x_0}{X}\Bigr)^{\delta}, 0\Bigr) =: s.
$$
Since |x_0| ≤ X, every entry of s has absolute value at most 1, so ||s|| ≤ \sqrt{δ + 1}, which is very short compared with a typical vector of the lattice. By using lattice basis reduction techniques, we might therefore find s among the shorter vectors of this lattice, such that
Remark:
One problem with this heuristic approach is that, although the entries r_i of the vector r are supposed to represent powers of x_0, there is no way (within the lattice structure) to enforce that relationship, for example to enforce the requirement r_{i+1}/r_i = r_{j+1}/r_j. A second, related problem is that we have many unknowns r_i and only one relation p(x_0) = y_0 N. Each unknown r_i contributes a factor X^{-i} to det(M), and the lone relation p(x_0) = y_0 N contributes a factor N. The resulting imbalance, and the requirement det(M) > 1, lead to the stringent requirement
X^{δ(δ+1)/2} < N [3, page 238].
Observation 3
To find x_0 it suffices to find a polynomial G(x) with the same root x_0 modulo N but with sufficiently small coefficients, because then G(x_0) = 0 holds over the integers and can be solved directly. Coppersmith's method considers the d + 1 polynomials G_i(x) = N x^i for 0 ≤ i < d, together with F(x) = x^d + a_{d−1} x^{d−1} + ··· + a_1 x + a_0. They all have the solution x = x_0 modulo N.
Define the lattice L with the basis corresponding to these polynomials evaluated at xX, so that the i-th coordinate is scaled by X^i. The basis matrix for the lattice L is
$$
M = \begin{pmatrix}
N & 0 & \cdots & 0 & 0 \\
0 & NX & \cdots & 0 & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & \cdots & NX^{d-1} & 0 \\
a_0 & a_1 X & \cdots & a_{d-1} X^{d-1} & X^d
\end{pmatrix}.
$$
Every element of this lattice is a row vector (g_0, g_1 X, ..., g_d X^d) that corresponds to a polynomial G(x) = g_0 + g_1 x + ··· + g_d x^d with G(x_0) ≡ 0 (mod N), since it is an integer combination of polynomials with that property.
Theorem 3.5.1
Let the notation be as above and let G(x) be the polynomial corresponding to the first vector b_1 in the LLL-reduced basis for L. Set c_1(d) = 2^{−1/2} (d + 1)^{−1/d}. If X < c_1(d) N^{2/(d(d+1))} (note that this bound is smaller than N^{1/d}), then any root x_0 of F(x) modulo N such that |x_0| ≤ X satisfies G(x_0) = 0 in Z.
Proof:
Recall that the first LLL-reduced vector b_1 satisfies ||b_1|| ≤ 2^{(n−1)/4} det(L)^{1/n}, with n = d + 1 and det(L) = N^d X^{d(d+1)/2}, that is
$$\|b_1\| \le 2^{d/4} N^{d/(d+1)} X^{d/2}.$$
By the Howgrave-Graham lemma, G(x_0) = 0 in Z whenever G(x_0) ≡ 0 (mod N), |x_0| ≤ X and ||b_1|| < N/\sqrt{d + 1}. It is therefore sufficient that
$$2^{d/4} N^{d/(d+1)} X^{d/2} < N/\sqrt{d + 1},$$
which is equivalent to
$$\sqrt{d + 1}\, 2^{d/4} X^{d/2} < N^{1/(d+1)},$$
and, raising both sides to the power 2/d, to X < 2^{−1/2} (d + 1)^{−1/d} N^{2/(d(d+1))} = c_1(d) N^{2/(d(d+1))}.
Observation 4
The method in the previous observation allows one to find small roots of modular polynomials, but it can be improved further.
Looking at the proof of Theorem 3.5.1, we can see that the requirement for success is essentially N^d X^{d(d+1)/2} = det(L) < N^{d+1} (more precisely it is 2^{d/4} N^{d/(d+1)} X^{d/2} < N/\sqrt{d + 1}).
There are two strategies to extend the utility of the method (i.e. to allow bigger values of X). The first is to increase the dimension n by adding rows to L that contribute less than N to the determinant. The second is to increase the power of N on the right-hand side. One can increase the dimension without increasing the power of N by using the so-called x-shift polynomials xF(x), x^2 F(x), ..., x^k F(x); the power of N is increased by also using the powers F(x)^j, which vanish at x_0 modulo N^j.
Proof: (See [3].)
So we can see that the bound on the unknown root of a monic polynomial
p(x) = x^δ + p_{δ−1} x^{δ−1} + ··· + p_2 x^2 + p_1 x + p_0 ≡ 0 (mod N)
has been increased from N^{2/(d^2 + d)} (with d = δ) to N^{1/d}. This gives the cryptanalyst more room to manoeuvre.
CHAPTER 4
RESULT AND DISCUSSIONS
4.1 Strategies
We now look in detail at Coppersmith's method and show how it can be used to attack RSA encryption with a low public exponent.
Suppose that m = M + x for some known part M of the message and some unknown part x with x ≤ N^{1/e}. Can we still recover m? This situation occurs in the case of so-called stereotyped messages: assume we already know a part M of the message which is always the same. For example, M can be "Your pin number is ****". Let the plaintext m consist of two pieces, M and x. The first piece M is known and is the fixed part of the message. The second piece x is the unknown secret (the PIN), and its size satisfies x ≤ N^{1/e}. So the ciphertext c is given by
c ≡ m^e ≡ (M + x)^e (mod N).
We write this as a polynomial with x as the unknown, assuming that we know M, c and N.
4.2 Reconstructing Message with Partial Disclosure
Let m = M + x_0 with M known and the unknown part bounded by
|x_0| ≤ N^{1/e}.
Then x_0 can be recovered from c, M and N in polynomial time.
Proof:
Define
f_N(x) := (M + x)^e − c. (4.1)
For simplicity of the discussion, we consider the first case, which is of the form
m = M + x,
c ≡ m^e (mod N).
If we can solve the polynomial equation (4.1) modulo N for x_0, then we have recovered the secret part x_0 of the message, and hence the original plaintext m = M + x_0. The idea of this theorem is to find small solutions of the modular polynomial equation: f_N(x) is monic of degree e, and its root x_0 satisfies |x_0| ≤ N^{1/e}, which is exactly the bound of Coppersmith's method. Hence, if we know M (the fixed part of the message), c and N, we can apply the preceding results to the polynomial
f(x) ≡ (M + x)^3 − c (mod N)
in the case e = 3.
4.3 Numerical Example for Stereotyped Messages
Thus, let
N = pq = 2837 · 5923 = 16803551,
m = M + x.
To stop anyone (i.e. Eve) except Bob from reading the message and learning the PIN, the bank actually sends Bob the ciphertext
c ≡ (M + x)^3 (mod N).
(Note that for this modulus 3 divides q − 1 = 5922, so gcd(3, φ(N)) = 3 and e = 3 is not a valid RSA encryption exponent for this N. The attack below does not depend on this, since it only uses the relation c ≡ (M + x)^3 (mod N).)
Eve, the cryptanalyst, can then perform the following steps to find x.
STEP 1: Form the polynomial f(x):
f(x) ≡ (M + x)^3 − c
≡ M^3 + 3M^2 x + 3M x^2 + x^3 − c
≡ x^3 + 3M x^2 + 3M^2 x + (M^3 − c)
≡ x^3 + a_2 x^2 + a_1 x + a_0 (mod N),
where
a_2 = 3M = 8490, (4.2)
a_1 = 3M^2 = 24026700, (4.3)
a_0 = M^3 − c = 22650619005, (4.4)
so that M = 2830 and c = M^3 − a_0 = 14567995. Reduced modulo N, a_1 ≡ 7223149 and a_0 ≡ 16235808 (mod N).
STEP 2: Choose an upper bound X on |x| (Theorem 3.5.1 with d = 3 requires X < c_1(3) N^{1/6} ≈ 7.1 for this N) and define the basis matrix
$$
A = \begin{pmatrix}
N & 0 & 0 & 0 \\
0 & NX & 0 & 0 \\
0 & 0 & NX^2 & 0 \\
a_0 & a_1 X & a_2 X^2 & a_3 X^3
\end{pmatrix}, \qquad a_3 = 1.
$$
STEP 3: Then use the lattice reduction algorithm LLL to generate a new basis, the first row of which is
4.4 Numerical Example for Fixed Padding Message
STEP 1: As in 4.3, expand f(x) = (M + x)^3 − c, where M is now the fixed padding 2^{κ−1} − 2^{κ'}, to get
f(x) ≡ x^3 + a_2 x^2 + a_1 x + a_0 (mod N).
STEP 2: Define
$$
A = \begin{pmatrix}
N & 0 & 0 & 0 \\
0 & NX & 0 & 0 \\
0 & 0 & NX^2 & 0 \\
a_0 & a_1 X & a_2 X^2 & a_3 X^3
\end{pmatrix}, \qquad a_3 = 1.
$$
STEP 3: Performing lattice reduction and taking the first row vector gives the polynomial with factorisation
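The following Python code is an added example and is not the thesis's own; it serves Section 3.3 (the LLL step that the text defers to [2]) and both numerical examples of 4.3 and 4.4, whose reduced bases and roots are not printed on the page. It implements the textbook LLL algorithm with exact rational arithmetic, builds the 4×4 basis A of STEP 2 from the coefficients of f(x) = (M + x)^3 − c, reads the polynomial G(x) off the first reduced vector and recovers the root. For 4.3 it uses the values fixed by (4.2)-(4.4): N = 16803551, M = 2830, c = 14567995, with the bound X = 7 from Theorem 3.5.1 (c_1(3) N^{1/6} ≈ 7.1). For 4.4 it constructs a toy fixed-padding instance on the same 25-bit N, with κ = 25 and a 3-bit key K = 5, because the basic 4×4 lattice only reaches |x_0| < c_1(3) N^{1/6} for this N rather than the N^{1/3} of the full method with x-shifts and powers of F. The exhaustive root scan over [−X, X] is an assumption that is only reasonable for this toy bound.

```python
from fractions import Fraction
from math import comb

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL reduction (Lenstra-Lenstra-Lovasz) with exact Fraction arithmetic.
    Gram-Schmidt data is recomputed from scratch after every change: fine for the
    4-dimensional lattices used here, far too slow for real Coppersmith lattices."""
    b = [[Fraction(v) for v in row] for row in basis]
    n = len(b)

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = list(b[i])
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * sj for vi, sj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size reduction of b_k against b_j
            q = round(mu[k][j])                  # nearest integer (Fraction -> int)
            if q:
                b[k] = [bk - q * bj for bk, bj in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        # Lovasz condition: ||b*_k||^2 >= (delta - mu_{k,k-1}^2) ||b*_{k-1}||^2
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]      # swap and step back
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(v) for v in row] for row in b]

def coppersmith_basic(f, N, X):
    """Basic lattice of Observation 3 / STEP 2: rows N*x^i for i < d plus the monic
    f(x) = sum f[i] x^i, with column i scaled by X^i. Returns the integer polynomial
    G (coefficient list, low degree first) read from the first LLL-reduced vector."""
    d = len(f) - 1
    assert f[d] == 1, "f must be monic"
    rows = [[N * X ** i if j == i else 0 for j in range(d + 1)] for i in range(d)]
    rows.append([f[j] * X ** j for j in range(d + 1)])
    first = lll(rows)[0]
    return [v // X ** i for i, v in enumerate(first)]   # undo the X^i scaling

def integer_roots(g, X):
    """Integer roots of g in [-X, X]. The exhaustive scan is only sensible for the toy
    bound used here; a real attack uses a polynomial root-isolation routine."""
    return [x for x in range(-X, X + 1) if sum(c * x ** i for i, c in enumerate(g)) == 0]

def recover_partial_message(N, e, c, M, X):
    """Stereotyped-message attack (Section 4.2): m = M + x_0 with M known, |x_0| <= X."""
    f = [comb(e, i) * pow(M, e - i, N) % N for i in range(e + 1)]   # (M + x)^e expanded
    f[0] = (f[0] - c) % N                                           # ... minus c
    g = coppersmith_basic(f, N, X)
    for x in integer_roots(g, X):
        if pow(M + x, e, N) == c:       # always confirm a candidate against the ciphertext
            return x
    return None

def recover_padded_key(N, e, c, kappa, kappa_prime):
    """Fixed padding (Section 2.2): m = (kappa - kappa' - 1 ones) || K, i.e.
    m = 2^(kappa-1) - 2^kappa' + K with 0 <= K < 2^kappa'."""
    M = 2 ** (kappa - 1) - 2 ** kappa_prime
    return recover_partial_message(N, e, c, M, 2 ** kappa_prime - 1)

N, E = 16803551, 3                 # N = 2837 * 5923 from Section 4.3
M_43, C_43 = 2830, 14567995        # M = a_2/3 and c = M^3 - a_0 from (4.2)-(4.4)
X_43 = 7                           # Theorem 3.5.1 allows X < c_1(3) N^(1/6), about 7.1

if __name__ == "__main__":
    x0 = recover_partial_message(N, E, C_43, M_43, X_43)
    print("4.3: x0 =", x0, " m = M + x0 =", M_43 + x0)
    c44 = pow(2 ** 24 - 2 ** 3 + 5, E, N)          # constructed instance: kappa = 25, K = 5
    print("4.4: K =", recover_padded_key(N, E, c44, 25, 3))
```

The confirmation `pow(M + x, e, N) == c` matters in practice: G(x) may have other small integer roots, and only the ciphertext check tells the attacker which one is the message. For the 1024-bit instance of Section 2.2 one would replace `lll` with fpLLL or Sage's `LLL()` and enlarge the lattice with x-shifts and powers of f as described in Observation 4.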
CONCLUSIONS
We have shown the application of lattice basis reduction and related algorithms to finding solutions of univariate modular polynomial equations p(x) ≡ 0 (mod N). We used the coefficients of p(x) to build a lattice containing a short vector determined by the unknown x_0. By applying the LLL algorithm, small roots of modular polynomial equations can be found. We then showed two applications to RSA, namely stereotyped messages and fixed padding messages.
We believe that other applications will arise and we hope that, along with the simple implementations presented, they can motivate the reader to explore further the existing attacks on RSA and to think about how to improve them. One topic that deserves more study is the variants of RSA. They present exciting new possibilities, but their security has not yet been as thoroughly analysed.
REFERENCES
1. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120-126 (1978).
APPENDIX A
Example 1
Example 2
Example 3