Professional Documents
Culture Documents
85
Cycles
80
75
70
70
Cycles
65
60
55
85
Cycles
80
75
70
90
Cycles
85
80
75
70
50 100 150 200 250
Observations
Textbook RSA
[Rivest Shamir Adleman 1977]
Encryption
dp ≡ d mod (p − 1) dq ≡ d mod (q − 1)
mp = c dp mod p mq = c dq mod q.
m = mq + qu(mp − mq )
Partial key recovery for RSA:
dp
dq
Simplest case
N = pq, get random bits of p and q.
N is known.
... 0 0 1
X0 0
... 1 1 0 1 0 1 0 0 0 1 0 1 0 0 0 0 1 0 1 1 0 1 1 1 p
X0 1 1
... 0 1 1
... 1 0 0
X1 1
... 1 0 1 1 1 0 0 1 1 0 0 1 0 0 0 1 0 1 1 1 1 1 0 1 q
X0 1 1
Assumption:
After an incorrect guess, induced bits are uniformly random.
dp
dq
offset 0 78 15 56 63
Line 0 M0[0-7] M1[0-7] ••• M7[0-7]
7 13 5 5
1 1 1 0 1 1 0 1 0 0 0 0 1 0 1 0 0 0 1 0 1 0 0 0 ...
S S M S S S S M S S S S S S M S S S S S M S S S ...
1 1 0 0 0 1 0 0 1
Only 40% of bits directly leaked → not enough to efficiently
recover.
I We can derive implicit information from square-and-multiply
sequence and efficiently recover key.
Coppersmith/lattice family of algorithms.
(RSA key recovery without redundancy.)
Factoring with Partial Information
a = p - (p % 2^86)
p = random_prime(2^512); q = random_prime(2^512)
N = p*q
a = p - (p % 2^86)
sage: hex(a)
’a9759e8c9fba8c0ec3e637d1e26e7b88befeb03ac199d1190
76e3294d16ffcaef629e2937a03592895b29b0ac708e79830
4330240bc000000000000000000000’
a = p - (p % 2^86)
X = 2^86
M = matrix([[X^2, X*a, 0], [0, X, a], [0, 0, N]])
B = M.LLL()
p = random_prime(2^512); q = random_prime(2^512)
N = p*q
a = p - (p % 2^86)
X = 2^86
M = matrix([[X^2, X*a, 0], [0, X, a], [0, 0, N]])
B = M.LLL()
Q = B[0][0]*x^2/X^2+B[0][1]*x/X+B[0][2]
sage: a+Q.roots(ring=ZZ)[0][0] == p
True
Partial key recovery and finding solutions modulo divisors
Theorem (Howgrave-Graham)
Given degree d polynomial f , integer N, we can find roots r
modulo divisors B of N satisfying
f (r ) ≡ 0 mod B
2 /d
for |B| > N β , when |r | < N β .
f (x) = a + x
If we construct Q(x) as
Q(r ) ≡ 0 mod p
Input: f (x) = x + a, N, β.
Output: Q(x) ∈ hf (x), Ni over Z[x].
with c2 , c1 , c0 ∈ Z.
c2 (x 2 + xa + 0)
+ c1 ( x + a)
+ c0 N
Q2 x 2 + Q1 x + Q0
Manipulating polynomials as coefficient vectors
Definition
A lattice is a subset of Rn generated by b2
integer linear combinations of some
linearly independent basis {b1 , . . . , bn }.
b2
Properties of lattices: Determinant
b1
Definition
The determinant of a lattice with a
basis matrix B is | det B|.
b2
Theorem (Minkowski)
√
λ1 (L) < n det L1/n
Computational problems on lattices: SVP
λ2
I SVP is NP-hard.
b2
b1
Computational problems on lattices: CVP
I CVP is NP-hard.
Algorithmic results
LLL
Given a basis for a lattice can in polynomial time find a reduced
basis {bi } s.t.
|bi | ≤ 2(n−1)/2 λi
BKZ
Given a lattice basis, can in time 2O(k) find a reduced basis s.t.
|bi | ≤ k O(n/k) .
Coppersmith’s method outline
|Q(r )| = |Q2 r 2 + Q1 r + Q0 |
≤ |Q2 |R 2 + |Q1 |R + |Q0 |
I Can factor given 1/2 bits of d mod (p − 1). [Blömer May 03]
Factoring with Partial Information
dp
dq
x + a − e −1 (1 + kp ) ≡ 0 mod p
Unknown.
Factoring with Partial Information
Proof.
1. Input f (x) = a + 2t x.
2. Generate f 0 (x) = 2−t f (x).
3. Run the Howgrave-Graham algorithm.
Factoring with Partial Information
Proof.
1. Input bivariate polynomial f (x, y ) = a + 2t1 x + 2t2 y .
2. Run bivariate extension of Coppersmith/Howgrave-Graham
method.
Application: Taiwan Citizen Digital Certificate broken RNG
[Bernstein, Chang, Cheng, Chou, Heninger, Lange, van Someren 2013]
Proof method.
Multivariate extension of Coppersmith/Howgrave-Graham
method.
Factoring with Partial Information
Sign
1. Input message hash h.
2. Choose integer k mod n.
3. Compute point (r , yr ) = kG .
4. Output (r , s = k −1 (h + dr ) mod n).
Partial key recovery for (EC)DSA:
Sign
1. Input message hash h.
2. Choose integer k mod n.
3. Compute point (r , yr ) = kG .
4. Output (r , s = k −1 (h + dr ) mod n).
Fact
If an attacker learns k for a signature, the long-term secret key d is
revealed.
d = (sk − h)r −1 mod n
ECDSA key recovery from partial information about nonces
k1
k2
..
.
b1 − t1 d − u1 ≡ 0 mod n
b2 − t2 d − u2 ≡ 0 mod n
..
.
bm − tm d − um ≡ 0 mod n
We have:
I dim L = m + 2 det L = B 2 nm−1
I Ignoring approximation factors, LLL or BKZ will find a vector
Intel SGX EPID attestation protocol leaked nonce MSBs via cache
leak.
12 bits known 7 bits known
1 recentered
Success probability
not recentered
0.5
0
18 20 22 24 26 28 30 32 34 36 38 40 42 44 46 48
Number of samples
k1
k2
2−` k1
2−` k2
DH Kangaroo
Square root time; hard/annoying.
Open problem: Is there some way to get the best of all worlds?