Escolar Documentos
Profissional Documentos
Cultura Documentos
Abstract
In this paper we describe a polynomial time ali;,.
rithm for computing the values of variables zl,. . . , zk
when some of their bits and some linear relationships bctween them are known. The a1gorith.m is essentially optimal in its use of information in the sense that it can be
applied as soon as the values of the xi become uniquciy
determined by the constraints. Its cryptanalytic signiflcance is demonstrated by two applications: breaking iinear congruential generators whose outputs are truncated,
and breaking Blums protocol for exchanging secrets.
1. Introduct ion
The design and analysis of cryptographic schemes
and protocols has been a very active research area in recent years. A large number of cryptosystems, signature
schemes, key distribution schemes, key sharing schemes,
secret exchange schemes, pseudo random bit generators,
and a variety of protocols were proposed in the literature.
However, progress in cryptographic research was accompanied by progress in cryptanalytic research, and some of
these schemes and protocols wore shown to be insecure.
This game of proposing and breaking schemes might seem
a bit strange, but in the absence of any techniques for
-___
-_
* Department uf Mathemat,ics,MIT, Cambridge, MA
02139. Partially supported b:r NSF grant 8413577DCR.
* * Drvpartment of Applied M;lt,hematics, The Wr?Anla.nn
Inxtihtr
of SGcnce, R.ehwot., Ismel. Partially supprtcd by NW grant nrj. MCS-80-06938.
Permlsslon
10copy without feeall or par1of this material is granted
provided
that the copies are no1 made or distributed
for direct
commercial
advantage.
the AChl copyright
Inotice and the rltlc of the
pubhcauon
and its date appear. and notice is given tha! copying 1s by
permls\lon
of the A~~c~at~on
for (Tompurmg
Machinery.
lr~ copy
othcrwlre.
or IO rcpuhhsh, require, a fee and or qxclfic
pcrmisrioo.
1985 ACM
O-89791-151-2! 85;005/0356
$00.75
To make rcsearchin cryptography less empirical, proponrnts of new schemes and protocols should carefully list
all the assumptions they make about the computational
complexity of various problems, and rigorously prove the
security of their proposal under these assumptions. The
proof becomes particularly useful when the security of the
scheme is shown to be equivalent to the complexity of a
single well studied problem such as factoring or discrete
log. An a,iterna.tivc approach is to develop schemes which
are not b,aqedon a specific problem but on any one-way
function. The large class of possible implementations of
these schemes makes them less vulnerable to attacks (but
still leaves the possibility that such functions do not exist
or that P =NP).
One commou idea which is used in several of these
schemes and protocols is to hide the values of certain variables by applying (regular or modular) arithmetic operations to them and then truncating the binary representations of the results. A simple scheme of this type (which
was used extensively on the early computers) generates a
pseudo random sequence of numbers by alternately squaring the previous tl bit value and discarding the top and
bottom n/2 bits of the 2n-bit result.
The purpose of this paper is to analyze the security
of such procedures in a general setting. The main result
is a novel cryptanalytic technique which can solve many
of the instmces of truncated linearly related variables in
polynomial time. WC demonstrate the power of this technique by describing two applications:
1.
It simplifies, generalizes, and puts in a clearer perspective the recent result by Frieze, Kannan and Lagarias [ 31 that truncated linear congruentiai generators we insecure.
2.
2.
Formulation
where
7k
of the Problem
j=
&...,I
i=1
(mod m)
i=l
(i)
C W{Z~= dim
(LLL) There exits a ,polynomial time algoinput L 5nds a basis gi such that 11& 112
OD
As Gj are in L
k
CW:z+
+=I
=O
(mod m),
j = l,...,f
isI
(,mod 2)
i=l
i=l
Zi+l=
azi +
(mod m)
=O
(modm)
~vlai-
= 0 (mod m)
i=l
where v= (uI, u2.. . , uk). We want to estimate the cardinality of t,he set of a which. sati::fy such an equation with
smaJ1coeflfcients. To do this WCestimate the number of
such equations and the number of solutions to each equation. Let us make this precise.
i=2,...,k
(a'-',O,...,O,-l,O,...,O)
i=l
(CLI-lUi,-Va,.r-Uk)
i=2
for
lUil<m,
counting the
is n compliconstants for
cube:
i=O,...,R-1
i=2
Cv,a-
Y
i=l
When the vectors rn6 are added to the basis of this lattice, we can change each Vi by arbitrary multiples of m,
and thus the final lattice with which we have to deal is
L, = {v 6 Zk 1eai-Ui
= 0
(mod m)
i=l
= Cl
(mod m)).
i=1
The density of L, is obviously A. and hence the determinant is m. Applying our general technique we get:
Therefore we have:
IF(t)1 < c
dim
k-d(%l)x
c ke3kmfk Cdl-k
dim
35 9
Lemma
qd?!di.?+mI2
I~(01i Cd,m.d<m
(number of A:s
such that D = 0) 5
4.
Cryptanalysis
of Blums
Protocol
for EX-
changing Secrets
Bluxns
protocol[ I) was one of the first resukts which
dealt with the issue of simultaneity in sequential processes.It enables two parties A and r) to exchLnge the factorization of their published moduli MA and rnR (which
are the products of two large primes) in a fair and verifiable way. Let n = log mA = log mg be the size parameter.
Thr protocol is symmetric, and the two parties alternately perform thr following steps:
1.
2.
Extract the four square roots modulo your own uumber of each number g, received from the other party.
This is possible since you know the factorization.
Now write the 4k square roots in a 41%x n binary
matrix where the least signihcant bits are in the last
column.
v E Zk which satisfy
i-1
3.
(Fori=l,...,nf.
L, = (5 E Zk 1kyiui
5:
Thus we can conclude that for almost all gi we can recover the Xi when n/k+ck columns have been exchanged.
As pointed out above this enables us to factor by calculating gcd(zi -vii, m). The original protocol can therefore
be broken by somebody who only deviates from the protocol by stopping early and using our algorithm-there
is
no need to control the choice of random bits or to lie to
the other party.
(mod m),
iz2,sa.k.
(nlod m)
is1
ytzl-yl~i
= 0 (mod m)}.
i-1
,o,-Ylio,-~~,o)
Discussion :
(~&uay-yI
h~**y-fhf&)
I=2
I
for au possible choices of us, * . . , uk in 2;. If we de6ne
YlUl = -klJii
I
id
II!,..*
361
BIums paper axiomatically assumes that this condition is true, and rigorously proves the security of the
protocol modulo this assumption (aud a few others). We
did not find any error in Blums proofs - we just showed
that this assumption was too strong. This should not
be taken as a sign of sloppiness since progress in the design of efficient algorithms is relentless and unpredictable.
What is really important is to distinguish between facts,
assumptions and proofs, and to identify all the possible
sources of insecurity. Blum actually exceeds these minima1 criteria. While he expresses his Ipersonal belief that
I 61 R.
Kannan Improved AIgorithms for Integer Programming and Related Lattice Problems, STOC
1983, 193-256.
I 81
AK. Lenstra, H;W.,Lenstraaud L. Lovasz, Factoring Polynomials With Integer coefficients, Matematieche Anrralen, 261, (1982), 513-534.
I 101Minkowski
he also prepares alternatives to the p.rotocol should something happen to his assumptions:
While the redundancy condition in the most demanding of our assumptions, the protocol can be modified to
work without this redundancy condition at all ..a If this
is done, the applications at the end of this paper can still
go through as before.
Blums modi5cation is based on a multi-moduli variant of his protocol and a redefinition of the secrets which
are exchanged by the parties. Another possible modification is to ask the parties to exchange fewer columns
from their matrices and to use our algorithm to factor
the moduli at an earlier stage. None of these variants
seems to be vulnerable to the cryptanalytic attack proposed in this paper, but its existence demonstrates once
more the extremely delicate nature of proofs of security
in cryptography.
Acknowledgements
We would like to thank Oded Goldreich and Silvio
Micali for starting this research and for contributing generously to its progress. The first author would like to
thank Sha5 Goldwasser for her consta.nt interest and helpful comments.
References
M. Blum, How to Exchauge (Secret) Keys, ACM
Tranractions on Computer Systems 1, 2, May 1983,
175-193.
1 l]
I I
352