
Coppersmith-style attacks

In document Public keys quality (Page 51-56)


5.1.2 Coppersmith-style attacks

Coppersmith’s method ([Coppersmith, 1996] and [Coppersmith, 1997]) is based on lattice basis reduction ([Menezes et al., 1996]) and factors RSA moduli if at least half of the top bits of the primes are known. Coppersmith’s method runs in polynomial time.

[Bernstein et al., 2013] uses the univariate Coppersmith attack and the bivariate Coppersmith attack. Although neither of these attacks was used on the moduli produced by the HSM Luna SA, a brief description of each, based on the description in [Bernstein et al., 2013], is given. The attacks were not used on the moduli produced by the Luna SA because no common factors were previously found, contrary to what happened in [Bernstein et al., 2013].

Univariate Coppersmith

Let p = a + r be a prime factor of n, where a is a known 512-bit integer and r is a small integer error accounting for a sequence of bit errors among the least significant bits of p.

In the Coppersmith method, following the approach of [Howgrave-Graham, 2001], one writes the polynomial f(x) = a + x and looks for a root r of f modulo a large divisor of n; this divisor is approximately n^{1/2} ≈ p. Let X be the bound on the size of the root. A new polynomial g(x), with g(r) = 0 over the integers, is constructed using lattice basis reduction. Thus, by factoring g, one can discover r.

Let L be the lattice generated by the rows of the matrix

$$\begin{pmatrix} X^2 & Xa & 0 \\ 0 & X & a \\ 0 & 0 & n \end{pmatrix}$$

corresponding to the coefficients of the polynomials Xx f(Xx), f(Xx), n. Any vector in L can be written as an integer combination of basis vectors. If one divides those basis vectors by the appropriate power of X, one obtains the coefficients of a polynomial g(x). Thus g(x) is an integer combination of f and n and is therefore divisible by p by construction. A prime p is found by this method only if the polynomial g satisfies g(r_i) ≡ 0 (mod p) not only modulo p but over the integers. The latter is ensured if the coefficients of g are sufficiently small. Finding sufficiently small coefficients of g to ensure the previous condition is the same as finding a short vector in L.

The LLL basis reduction algorithm, which can be found in [Lenstra et al., 1982], makes it possible to find such a short vector.

In the last step of the algorithm, the shortest vector in the reduced basis is regarded as the coefficients of a polynomial g(Xx); the roots r_i of g(x) are computed and the condition that a + r_i divides n is checked. If it holds, n has been factored.

The length of the shortest vector v is

$$|v| \le 2^{(\dim(L)-1)/4} \, \det(L)^{1/\dim(L)},$$

which has to be smaller than p for the attack to succeed.
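The univariate attack above, carried out end to end on a constructed toy instance (added example, not code from the thesis or from [Bernstein et al., 2013]): the 3×3 lattice from the text is built for f(x) = a + x, reduced with a small textbook LLL, each reduced row is turned back into g(x), and the integer roots r_i are tested with a + r_i | n. The modulus n = 1000000007 × 2147483647, the known part a = 1000000000 (p with its low 6 bits cleared) and the bound X = 64 are assumed values chosen so that 2^{(dim(L)−1)/4} det(L)^{1/dim(L)} < p/√3 holds; keys of real size need a much larger lattice, but the mechanics are the same.

```python
from fractions import Fraction
from math import isqrt
dot = lambda u, v: sum(x * y for x, y in zip(u, v))

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer rows; Gram-Schmidt is recomputed after every change (fine for 3x3)."""
    B = [[Fraction(x) for x in row] for row in basis]
    d = len(B)
    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * d for _ in range(d)]
        for i in range(d):
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
            Bs.append([x - sum(mu[i][j] * Bs[j][c] for j in range(i)) for c, x in enumerate(B[i])])
        return Bs, mu
    k, (Bs, mu) = 1, gram_schmidt()
    while k < d:
        for j in range(k - 1, -1, -1):                       # size reduction of b_k
            q = round(mu[k][j])
            if q:
                B[k] = [bk - q * bj for bk, bj in zip(B[k], B[j])]
                Bs, mu = gram_schmidt()
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                           # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]                  # swap and step back
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]

def integer_roots(c2, c1, c0):
    """Integer roots of c2*x^2 + c1*x + c0 (degree at most 2)."""
    if c2 == 0:
        return [-c0 // c1] if c1 and c0 % c1 == 0 else []
    disc = c1 * c1 - 4 * c2 * c0
    s = isqrt(disc) if disc >= 0 else -1
    return [(-c1 + t) // (2 * c2) for t in (s, -s)
            if s >= 0 and s * s == disc and (-c1 + t) % (2 * c2) == 0]
def recover_factor(n, a, X):
    """Rows are the coefficient vectors of X*x*f(X*x), f(X*x) and n for f(x) = a + x. Every lattice
    vector is a g with g(r) = 0 mod p; a short one has g(r) = 0 over Z, so its roots expose p."""
    basis = [[X * X, X * a, 0], [0, X, a], [0, 0, n]]
    for row in lll(basis):
        c2, c1, c0 = row[0] // (X * X), row[1] // X, row[2]  # undo the X scaling
        for r in integer_roots(c2, c1, c0):
            if abs(r) < X and 1 < a + r < n and n % (a + r) == 0:
                return a + r
    return None
# Constructed toy instance: n = 1000000007 * 2147483647, a = p with its low 6 bits cleared (r = 7).
N_TOY, A_TOY, X_TOY = 2147483662032385529, 1000000000, 64
```

recover_factor(N_TOY, A_TOY, X_TOY) returns 1000000007: partial knowledge of one prime is already fatal, even with this tiny lattice.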

Bivariate Coppersmith

This attack is an extension of the previous one. It aims to factor keys with unpredictable bits in the middle or among the most significant bits of one of the factors, without resorting to brute force on the bottom bits.

Let p = a + 2^t s + r be a prime factor of n, where a is a 512-bit integer with a predictable bit pattern, t is the bit offset at which a sequence of bit errors s, deviating from the predictable pattern in a, occurred during key generation, and r is an error in the least significant bits.

Let us consider the equation f(x, y) = a + 2^t x + y. Lattice basis reduction is used to find new polynomials Q_i(x, y) such that, if f(s, r) vanishes modulo a large unknown divisor p of n and s and r are sufficiently small, then Q_i(s, r) = 0 over the integers. To exploit this property, the appropriate zeros of the Q_i must be found. The most common way to do that is to take multiple distinct polynomials Q_i and expect that their common solution set is not too large.

Almost all applications of multivariate Coppersmith methods require a heuristic assumption that the attacker can obtain two or more algebraically independent polynomial equations determined by the short vectors in an LLL-reduced lattice. This requirement allows the attacker to compute a finite set of common solutions.

Many cryptanalytic applications use this kind of bivariate Coppersmith attack. One of them is Boneh and Durfee’s attack against RSA private keys d < n^{0.29} in [Boneh and Durfee, 1999]. The approach used in [Bernstein et al., 2013] is identical to the approach described by Herrmann and May for factoring an RSA modulus with some known bits, in [Herrmann and May, 2008].

Chapter 6

Randomness

It may be taken for granted that any attempt at defining disorder in a formal way will lead to a contradiction. This does not mean that the notion of disorder is contradictory. It is so, however, as soon as I try to formalize it.

Hans Freudenthal

Randomness is often defined as the outcome of an experiment in which, no matter how many times the experiment is repeated, the next outcome is unpredictable. Notwithstanding this definition, the real question is: how can something be defined as random?

For example, in the area of artificial intelligence (AI), there is a proposed test to decide whether a computer program possesses artificial intelligence. The test has the following set-up: there are two rooms; one holds a single person in front of a computer terminal that allows him or her to ask questions of the other room. In that other room there are two responders, a computer running AI software and a human being. The task of the person in the first room is to decide, by asking questions and making conversation, which of the two is responding. If the judgements are correct as often as they are incorrect, the AI software is said to pass the test.

Is there a similar test that decides whether a source is random or not? One way is to measure the randomness of the source under study and compare the results with true randomness. This measurement and comparison can be done by computer testing programs. If the results are indistinguishable, the source is said to pass the test and is considered a random source; otherwise, it is not considered random. The only problem is that such testing seems very hard to do using “all” possible testing software. However, it has been shown that the testing process can be restricted to a single test (or class of tests) that covers all aspects.

Generating random numbers is critical to the security of cryptographic systems. Nevertheless, it is also very difficult to accomplish. Non-deterministic behaviour is considered a fault in almost every component of a computer, but it is a vital component of a random number generator. Several national and international standards for random number generation specify the correct behaviour one wants to achieve for this kind of system.


6.1 Random and Pseudorandom Numbers

Random and pseudorandom numbers are fundamental to many cryptographic applications. In fact, in almost all cryptosystems the keys must be generated in a specific random way, and many cryptographic protocols, such as authentication and digital signature protocols, require random or pseudorandom inputs at various points.

A random bit sequence is the result of a random choice between the numbers 0 or 1 for each bit. The probability of choosing the value 0 or the value 1 must be exactly 1/2. Also, the choices of the value must be independent: the choice of a certain bit must not affect the choice of the following one. This unbiased choice of bits is considered to be the perfect random stream generator, since the possible values for each bit are randomly distributed, following a uniform distribution.

Pseudorandomness refers to a distribution on strings. When a string of length l is said to follow a pseudorandom distribution D, this means that D is indistinguishable from the uniform distribution over strings of length l: it is infeasible for any polynomial-time algorithm to tell whether a given string was sampled according to D or chosen uniformly at random among l-bit strings. Pseudorandomness is a computational relaxation of true randomness.

The distribution D is defined by choosing a seed s ← {0, 1}^n uniformly at random and outputting G(s) ∈ {0, 1}^l. D therefore assigns to the string y ∈ {0, 1}^l the exact probability

$$\frac{|\{s \in \{0,1\}^n : G(s) = y\}|}{2^n},$$

which will, in general, not be the uniform distribution ([Katz and Lindell, 2007]).
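As an added illustration of the formula above (not from the thesis), the following Python enumerates every seed of a constructed toy generator G : {0,1}^4 → {0,1}^8 (a 4-bit LFSR, assumed here only because its seed space is small enough to enumerate), tabulates Pr[y] = |{s : G(s) = y}| / 2^n exactly, and measures how far D is from uniform. The gap is large (statistical distance 15/16), yet the distinguisher that finds it, trying every seed, costs 2^n work, which is exactly what becomes infeasible for real seed lengths; that is the computational relaxation the text refers to.

```python
from collections import Counter
from fractions import Fraction

def lfsr_expand(seed, n=4, l=8):
    """Toy G: {0,1}^n -> {0,1}^l. A Fibonacci LFSR with taps x^4 + x + 1 is loaded with
    the n seed bits and clocked l times. Constructed for illustration only; not a secure PRG."""
    state = [(seed >> i) & 1 for i in range(n)]
    out = 0
    for _ in range(l):
        out = (out << 1) | state[0]                 # emit the oldest state bit
        state = state[1:] + [state[0] ^ state[1]]   # shift in the feedback bit
    return out

def output_distribution(G, n, l):
    """The distribution D from the text: Pr[y] = |{s in {0,1}^n : G(s) = y}| / 2^n,
    computed exactly by enumerating every seed (possible only because n is tiny)."""
    counts = Counter(G(s, n, l) for s in range(2 ** n))
    return {y: Fraction(c, 2 ** n) for y, c in counts.items()}

def statistical_distance(dist, l):
    """(1/2) * sum over all l-bit y of |Pr_D[y] - 2^-l|; strings G never outputs
    have Pr_D[y] = 0 and each contributes 2^-l to the sum."""
    u = Fraction(1, 2 ** l)
    missing = 2 ** l - len(dist)
    return (sum(abs(p - u) for p in dist.values()) + missing * u) / 2

def seed_search_advantage(dist, l):
    """Advantage of the unbounded tester that says 'pseudorandom' iff y lies in the
    image of G (found by trying all 2^n seeds): it accepts every D-sample but only
    an |image| / 2^l fraction of uniform strings."""
    return 1 - Fraction(len(dist), 2 ** l)
```

For this G the two quantities coincide because G is injective on its 16 seeds; output_distribution would expose a biased generator just as plainly, which is the kind of flaw statistical test suites look for.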

There are two different strategies for generating random bits: the bits can be produced non-deterministically or they can be computed deterministically by a certain algorithm. Generators that use the first strategy are known as random bit generators (RBGs), which give rise to Random Number Generators (RNGs); generators that use the second strategy are known as deterministic random bit generators (DRBGs), which in turn give rise to Pseudorandom Number Generators (PRNGs). A DRBG produces a sequence of bits by instantiating its algorithm with an initial value determined by a seed derived from the input entropy. Those bits are said to be pseudorandom rather than random because of the deterministic nature of their generation process. The seed used to instantiate the DRBG must contain sufficient entropy to provide randomness assurance, and it must be kept secret. If these properties are ensured and the algorithm is well designed, the bits output by the DRBG will be unpredictable.

Both RNGs and PRNGs produce a stream of zeros and ones that may be divided into substreams or blocks of random numbers.

Another important feature of bitstream generation is unpredictability. This means all elements of the sequence must be generated independently, i.e., for every position i it should not be possible to predict the value at position i + 1, regardless of how many of the elements have already been produced.

