A Related-Message Attack on RSA

A New Related Message Attack on RSA
Oded Yacobi UCSD
Yacov Yacobi MSR
4/3/2006
Motivation
• A new attack on RSA.
• New tools (new in cryptanalysis).
Related Messages
Example: messages with known relations can occur if an attacker pretends to be the recipient in a protocol that doesn't authenticate the recipient, and in addition the message is composed of the content concatenated with a serial number. (Appending a $k$-bit serial number $s$ to content $m$ gives $m \cdot 2^k + s$, i.e. an affine function $ax + b$ of the unknown content with known constants $a$ and $b$.)
OAEP
• OAEP or similar randomization methods are highly recommended.
• Nevertheless it is useful to know the ramifications in case, for some reason, one chooses not to use OAEP.
• RFID tags will require very compact cryptosystems, and some designers may be tempted to avoid OAEP.
OAEP
$$[M \oplus G(r)] \,\|\, [r \oplus H(M \oplus G(r))]$$
where $M$ is the message block, $r$ is a fresh random string, and $G$, $H$ are hash-based functions. The fresh $r$ is what destroys the known affine relation between related messages, so the attack below does not apply to OAEP-padded ciphertexts.
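The construction on this slide in code, as an added example that is not part of the original slides: a simplified two-round OAEP with $G$ and $H$ built from SHA-256 (MGF1-style expansion with a domain-separation tag). The block sizes `K0`/`K1` are constructed choices; real PKCS#1 OAEP additionally fixes a label hash, a padding string and a leading zero byte, which are omitted here.

```python
import hashlib
import os

# Toy sizes (constructed): a 32-byte message block M and a 16-byte randomiser r.
K0 = 32   # bytes in M
K1 = 16   # bytes in r


def _mgf(tag: bytes, seed: bytes, length: int) -> bytes:
    """MGF1-style expansion with SHA-256; the tag keeps G and H independent."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(tag + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def G(r: bytes) -> bytes:
    """Expand the k1-byte randomiser to a k0-byte mask for M."""
    return _mgf(b"G", r, K0)


def H(masked: bytes) -> bytes:
    """Map the masked message block to a k1-byte mask for r."""
    return _mgf(b"H", masked, K1)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_pad(m: bytes, r: bytes = b"") -> bytes:
    """Return [M xor G(r)] || [r xor H(M xor G(r))]; r is drawn fresh unless given."""
    if len(m) != K0:
        raise ValueError("message block must be exactly K0 bytes")
    r = r or os.urandom(K1)
    if len(r) != K1:
        raise ValueError("randomiser must be exactly K1 bytes")
    left = _xor(m, G(r))            # M xor G(r)
    right = _xor(r, H(left))        # r xor H(M xor G(r))
    return left + right             # this K0+K1-byte block is what RSA raises to e mod N


def oaep_unpad(padded: bytes) -> bytes:
    """Invert the pad: recover r from the right half, then M from the left half."""
    if len(padded) != K0 + K1:
        raise ValueError("padded block has the wrong length")
    left, right = padded[:K0], padded[K0:]
    r = _xor(right, H(left))
    return _xor(left, G(r))
```

Two encryptions of the same message, or of two related messages, share no usable algebraic relation once the fresh randomiser is mixed in; the related-message setting below requires that the attacker knows how the RSA inputs differ, which OAEP denies.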
Previous Result
D. Coppersmith, M. Franklin, J. Patarin, M. Reiter:
Let $(e, N)$ be the RSA public key. Coppersmith et al. show that given two RSA cryptograms $x^e \pmod N$ and $(ax + b)^e \pmod N$ for any known constants $a, b \in \mathbb{Z}_N$, one can compute $x$ in $O(e \log^2 e)$ $\mathbb{Z}_N$-operations with some small error probability (the method fails on $O(e^2)$ messages).
Our Result
Given $e$ cryptograms $c_i = (a_i x + b_i)^e$ for $i = 0, \dots, e-1$ with known constants $a_i, b_i \in \mathbb{Z}_N$, one can deterministically compute $x$ in $O(e)$ $\mathbb{Z}_N$-operations, after doing $O(e \log^2 e)$ operations that depend only on the known constants. The pre-computation can be amortized over many instances.
A Special Case
If $c_i = (ax + b + i)^e$ for $i = 0, \dots, e-1$ one can determine $x$ in $O(e)$ $\mathbb{Z}_N$-operations overall. In this case
$$x = a^{-1}\left[(e!)^{-1}\sum_{i=0}^{e-1}(-1)^{e-i-1}\binom{e-1}{i}\,c_i \;-\; \frac{e-1}{2} \;-\; b\right] \pmod N.$$
Follow your nose…
• A straightforward approach to solve our problem: compute the binomial expansion of $c_i = (a_i x + b_i)^e \pmod N$. Let $z_j = x^j$, solve the resulting $e \times e$ linear system in the unknowns $z_j$, and read off $z_1$.
• For a public key greater than 50 bits the pre-computation (inverting the coefficient matrix) becomes prohibitive: $O(e^{\log_2 7})$, with $\log_2 7 \approx 2.81$ the exponent of Strassen matrix multiplication.
Our tool: the divided difference
Let $h \in \mathbb{Z}_N[x]$ and let $x_0, \dots, x_n$ be distinct elements of $\mathbb{Z}_N$ such that $(x_i - x_j)^{-1} \pmod N$ exists for $i \neq j$. The $k$th divided difference of $h$ relative to any $k+1$ elements among the $x_i$ is defined recursively as follows:
$$[x_i] = h(x_i)$$
$$[x_i, x_j] = \frac{[x_i] - [x_j]}{x_i - x_j}$$
$$[x_{i_0}, x_{i_1}, \dots, x_{i_k}] = \frac{[x_{i_0}, x_{i_1}, \dots, x_{i_{k-1}}] - [x_{i_1}, x_{i_2}, \dots, x_{i_k}]}{x_{i_0} - x_{i_k}}$$
Example
For our purposes we will only consider the divided difference relative to the RSA polynomial $h(x) = x^e$.
If $h(x) = x^3$ and we let $x_i = x + b_i$ then
$$[x_0, x_1] = \frac{h(x_0) - h(x_1)}{x_0 - x_1} = 3x^2 + 3(b_0 + b_1)\,x + (b_0^2 + b_0 b_1 + b_1^2)$$
$$[x_0, x_1, x_2] = \frac{[x_0, x_1] - [x_1, x_2]}{x_0 - x_2} = 3x + b_0 + b_1 + b_2$$
Note that the leading coefficient of each divided difference does not depend on the $b_i$, and that every denominator $x_i - x_j = b_i - b_j$ is a known constant even though $x$ itself is unknown.
Adopted lemmas
1. Let $\omega_k(y) = \prod_{i=0}^{k}(y - x_i)$. Then $\omega_k'(x_j) = \prod_{i=0,\, i \neq j}^{k}(x_j - x_i)$.
2. $[x_0, x_1, \dots, x_n] = \sum_{j=0}^{n} \frac{h(x_j)}{\omega_n'(x_j)}$.
A new lemma
Claim: For $n \le e$, $\deg [x_0, \dots, x_n] = e - n$.
We prove this by showing that the leading coefficient of $[x_0, \dots, x_n]$ is independent of the $b_i$ (recall $x_i = x + b_i$). This comes down to showing that
$$\sum_{i=0}^{n} \frac{(-1)^i\, b_i^{\,n}}{(b_0 - b_i)\cdots(b_{i-1} - b_i)\,(b_i - b_{i+1})\cdots(b_i - b_n)} = 1.$$
A new lemma
For the RSA polynomial, for $n \le e$:
(i) $\deg [x_0, \dots, x_n] = e - n$;
(ii) $[x_0, x_1, \dots, x_{e-1}] = ex + v \pmod N$, where $v$ is a scalar.
The attack
Given: $e$, $N$, and $c_i = (x + b_i)^e$ for $i = 0, 1, \dots, e-1$.
Find: $x$.
Method: Let $w(x) = [x_0, \dots, x_{e-1}] = ex + v$. Since $w(0) = v$ depends only on the known $b_i$,
compute $x = (w(x) - w(0)) \cdot e^{-1}$.
If we compute the divided-difference table straightforwardly from the recursive definition, the complexity is $\sum_{i=0}^{e} i = O(e^2)$.
Algorithm
• Pre-computation
For $i = 0, 1, \dots, e-1$ compute $p_i = \omega_{e-1}'(x_i) = \prod_{j=0,\, j \neq i}^{e-1}(b_i - b_j)$.
Then compute $w(0) = \sum_{i=0}^{e-1} \frac{b_i^{\,e}}{p_i}$. Complexity is $O(e \log^2 e)$.
• Real-time computation
Compute $w(x) = \sum_{i=0}^{e-1} \frac{c_i}{p_i}$ and then $x = (w(x) - w(0)) \cdot e^{-1}$. Complexity is $O(e)$.
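The two-phase algorithm above carried out in Python, as an added example that is not code from the slides. It also exercises the recursive definition from the "Our tool" slide as the $O(e^2)$ cross-check. The public key is a constructed toy (two Mersenne primes, $e = 17$), and the offsets $b_i$ and the message are random test data; the check that $w(0)$ equals $\sum_i b_i$ (the constant term $b_0 + b_1 + b_2$ seen in the $e = 3$ example) is asserted, not assumed. Requires Python 3.8+ for `pow(x, -1, N)`.

```python
import math
import random

# Toy RSA public key, constructed for this example. Both factors are Mersenne
# primes, so N is certainly a product of two primes; the attack never uses the
# factors, only the public key (N, e). e = 17 keeps the number of cryptograms small.
P, Q = 2**107 - 1, 2**61 - 1
N, E = P * Q, 17
assert math.gcd(E, (P - 1) * (Q - 1)) == 1  # (N, E) is a valid RSA public key


def rsa_encrypt(m: int) -> int:
    """Textbook (unpadded) RSA, the setting the attack assumes."""
    return pow(m, E, N)


def precompute(b: list[int]) -> tuple[list[int], int]:
    """Pre-computation: depends only on the known offsets b_i.

    p_i  = omega'_{e-1}(x_i) = prod_{j != i} (b_i - b_j)   (lemma 1; x_i - x_j = b_i - b_j,
           so the unknown x is not needed),
    w(0) = sum_i b_i^e / p_i                               (lemma 2 with x = 0).
    Done the plain O(e^2) way here; the O(e log^2 e) version evaluates omega'
    at all e points with a product tree instead.
    """
    e = len(b)
    inv_p = []
    for i in range(e):
        p_i = 1
        for j in range(e):
            if j != i:
                p_i = p_i * (b[i] - b[j]) % N
        inv_p.append(pow(p_i, -1, N))  # ValueError if some b_i - b_j is not invertible mod N
    w0 = sum(pow(b[i], e, N) * inv_p[i] for i in range(e)) % N
    return inv_p, w0


def recover_x(c: list[int], inv_p: list[int], w0: int) -> int:
    """Real-time step, O(e): w(x) = sum_i c_i / p_i = e*x + v with w(0) = v,
    so x = (w(x) - w(0)) * e^{-1} mod N."""
    e = len(c)
    wx = sum(ci * ip for ci, ip in zip(c, inv_p)) % N
    return (wx - w0) * pow(e, -1, N) % N


def divided_difference(points: list[int], values: list[int]) -> int:
    """[x_0, ..., x_n] by the recursive definition (the straightforward O(n^2) table).
    Only differences of the points enter, so passing the offsets b_i in place of
    the unknown x_i = x + b_i yields the same value."""
    table = list(values)
    n = len(points)
    for k in range(1, n):
        for i in range(n - k):
            num = (table[i] - table[i + 1]) % N
            den = (points[i] - points[i + k]) % N
            table[i] = num * pow(den, -1, N) % N
    return table[0]


def attack_instance(seed: int = 7) -> dict:
    """Build e related cryptograms for a random unknown x (constructed data) and
    attack them both ways; returns the true x beside the recovered values."""
    rng = random.Random(seed)
    x = rng.randrange(2, N)                        # the unknown message
    b = rng.sample(range(1, 2**32), E)             # known, distinct offsets
    c = [rsa_encrypt((x + bi) % N) for bi in b]    # what the attacker observes
    inv_p, w0 = precompute(b)                      # amortizable over many x
    x_fast = recover_x(c, inv_p, w0)
    w_naive = divided_difference(b, c)             # [x_0, ..., x_{e-1}] = e*x + v
    x_naive = (w_naive - w0) * pow(E, -1, N) % N
    return {"x": x, "x_fast": x_fast, "x_naive": x_naive,
            "w": w_naive, "w0": w0, "v": sum(b) % N}


if __name__ == "__main__":
    r = attack_instance()
    print("recovered" if r["x"] == r["x_fast"] == r["x_naive"] else "FAILED")
```

The pre-computation raises `ValueError` if two offsets collide modulo a factor of $N$, which is the one way the divided difference is undefined; with a real modulus that never happens by accident, and the attacker can simply drop the offending cryptogram and pick another.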
More about the computational complexity of the pre-computation
To compute $\omega_{e-1}'(x_i) = \prod_{j=0,\, j \neq i}^{e-1}(b_i - b_j)$ over $i = 0, \dots, e-1$ do:
1. $\omega_{e-1}(y) = \prod_{j=0}^{e-1}(y - b_j)$, ($O(e \log^2 e)$ with a product tree).
2. Compute the derivative of the above, ($O(e)$).
3. Simultaneously evaluate the derivative at the $e$ given points, ($O(e \log^2 e)$) [AHU] (recall that the DFT takes $O(e \log e)$).
Why is the special case more efficient?
When $x_i = ax + b + i$ the divided difference reduces to a much simpler finite difference of the form (w.l.o.g. assume $x_i = x + i$):
$$\Delta^{(0)}(x) = x^e$$
$$\Delta^{(i)}(x) = \Delta^{(i-1)}(x + 1) - \Delta^{(i-1)}(x)$$
Lemma:
$$\Delta^{(n)}(x) = \sum_{i=0}^{n}(-1)^{n-i}\binom{n}{i}(x + i)^e \pmod N.$$
Finite difference continued…
Instead of applying the finite difference $e-1$ times, use the previous formula to compute $w(x) = \Delta^{(e-1)}(x) = e!\,x + v$. But this time $v$ has a simple form, $v = \frac{e!\,(e-1)}{2}$, so there is no pre-computation.
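The special case in Python, as an added example that is not code from the slides; it serves both the closed-form formula on the "A Special Case" slide and the two finite-difference slides above. The recursive definition of $\Delta^{(i)}$ and the binomial closed form are both implemented and compared, then the closed form is used to recover $x$. The public key is a constructed toy (two Mersenne primes, $e = 17$) and the serial-number scenario ($a = 2^{20}$, random content $x$ and starting serial $b$) is constructed test data. Requires Python 3.8+ for `math.comb` and `pow(x, -1, N)`.

```python
import math
import random
from math import comb

# Toy RSA public key, constructed for this example (both factors are Mersenne
# primes).  Only (N, e) is used; e = 17 means 17 cryptograms are needed.
P, Q = 2**107 - 1, 2**61 - 1
N, E = P * Q, 17
assert math.gcd(E, (P - 1) * (Q - 1)) == 1


def rsa_encrypt(m: int) -> int:
    """Textbook RSA with no randomised padding."""
    return pow(m, E, N)


def finite_difference_recursive(c: list[int]) -> int:
    """Delta^{(n)} by the definition, applied n = len(c)-1 times to the sequence
    c_i = f(y+i): each pass replaces the list by its forward differences, O(n^2)."""
    seq = list(c)
    while len(seq) > 1:
        seq = [(seq[i + 1] - seq[i]) % N for i in range(len(seq) - 1)]
    return seq[0]


def finite_difference_closed(c: list[int]) -> int:
    """Delta^{(n)}(y) = sum_i (-1)^{n-i} C(n,i) (y+i)^e, evaluated directly on the
    cryptograms c_i = (y+i)^e: O(n) multiplications and no pre-computation."""
    n = len(c) - 1
    return sum((-1) ** (n - i) * comb(n, i) * c[i] for i in range(n + 1)) % N


def recover_x_special(c: list[int], a: int, b: int) -> int:
    """c_i = (a*x + b + i)^e for i = 0..e-1.  With y = a*x + b,
    Delta^{(e-1)} y^e = e! * y + e!(e-1)/2, so y and then x follow."""
    e = len(c)
    e_fact = math.factorial(e)
    v = e_fact * (e - 1) // 2          # exact integer: e!(e-1) is even
    inv_e_fact = pow(e_fact, -1, N)    # needs gcd(e!, N) = 1, true whenever e < p, q
    y = (finite_difference_closed(c) - v) * inv_e_fact % N
    return (y - b) * pow(a, -1, N) % N


def attack_instance(seed: int = 11) -> dict:
    """Serial-number scenario (constructed data): the same content x is sent with
    consecutive serial numbers b, b+1, ..., b+e-1 in the low 20 bits."""
    rng = random.Random(seed)
    x = rng.randrange(2, N)           # unknown content
    a = 1 << 20                       # content shifted left to make room for the serial
    b = rng.randrange(1, 1 << 19)     # first serial number, known to the attacker
    c = [rsa_encrypt((a * x + b + i) % N) for i in range(E)]
    return {"x": x,
            "x_recovered": recover_x_special(c, a, b),
            "delta_closed": finite_difference_closed(c),
            "delta_recursive": finite_difference_recursive(c)}


if __name__ == "__main__":
    r = attack_instance()
    print("recovered" if r["x"] == r["x_recovered"] else "FAILED")
```

For a production exponent such as $e = 65537$ the same code needs 65537 consecutive cryptograms and binomial coefficients of a few tens of thousands of bits, which Python handles exactly; the cost is still linear in $e$ and independent of the size of $N$.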
Compare Results
Method               # of cryptograms   Pre-computation       Real-time
Coppersmith et al.   2                  0                     $O(e \log^2 e)$
Newton               e                  $O(e^{\log_2 7})$     $O(e)$
Our main result      e                  $O(e \log^2 e)$       $O(e)$
Our special case     e                  0                     $O(e)$
Acknowledgements
Peter Montgomery
Gideon Yuval