Common modulus and chosen-message attacks on public-key schemes with linear recurrence relations

N/A
N/A
Protected

Academic year: 2021

Share "Common modulus and chosen-message attacks on public-key schemes with linear recurrence relations"

Copied!
4
0
0

加載中.... (立即查看全文)

全文

(1)

Information Processing Letters 70 (1999) 153–156

Common modulus and chosen-message attacks on public-key schemes with linear recurrence relations

Wen-Guey Tzeng

Department of Computer and Information Science, National Chiao Tung University, Hsinchu City 30050, Taiwan

Received 1 September 1998; received in revised form 1 January 1999

Communicated by S.G. Akl

Abstract

We consider the linear recurrence relation $V_t(x) = \sum_{i=1}^{m} (a_i x + b_i) V_{t-i}(x) + cx + f$ where $m \ge 1$, and $a_i$ and $b_i$, $1 \le i \le m$, are integers. The RSA and LUC schemes can be defined by this relation. In this paper we show that if the linear recurrence relation has some properties, the public-key scheme based on it cannot withstand the common modulus and chosen-message attacks, no matter what the order $m$ is and what the parameters for $a_i$ and $b_i$, $1 \le i \le m$, are. This implies that the LUC cryptosystem cannot withstand the common modulus attack and the LUC digital signature scheme cannot withstand the chosen-message attack. 1999 Elsevier Science B.V. All rights reserved.

Keywords: Cryptanalysis; Chosen-message attack; Common modulus attack; Linear recurrence relation; Cryptography

1. Introduction

We consider the linear recurrence relation

$$V_t(x) = \sum_{i=1}^{m} (a_i x + b_i) V_{t-i}(x) + cx + f,$$

where $a_i$, $b_i$, $c$ and $f$, $1 \le i \le m$, are integers. In the RSA scheme [13], the encryption, decryption, signing and verification operations are of the form

$$V_t(M) = M^t \bmod n.$$

We observe that this form can be expressed as the first-order ($m = 1$) linear recurrence relation with $a_1 = 1$, $b_1 = 0$, $c = 0$, $f = 0$ and the initial value $V_0(x) = 1$. Similarly, the LUC scheme [15,16] can be expressed as the second-order ($m = 2$) linear recurrence relation with $a_1 = 1$, $b_1 = 0$, $a_2 = 0$, $b_2 = -1$, $c = 0$, $f = 0$ and initial values $V_0(x) = -2$ and $V_1(x) = x$.

Research supported in part by the National Science Council grant NSC 87-2213-E009-055, Taiwan.

1 Email: [email protected].

Two well-known attacks on the RSA scheme are the common modulus attack on the RSA cryptosystem [14] and the chosen-message attack on the RSA signature scheme [3]. It has been shown that the LUC cryptosystem cannot withstand the chosen-message attack [2]. On the other hand, to our best knowledge there is no known common modulus attack on the LUC cryptosystem in the open literature. In this paper we show that the LUC cryptosystem cannot withstand the common modulus attack either.

It has been discussed that the exponentiation in the RSA scheme that preserves the “multiplicative” property makes the scheme vulnerable to the chosen-message attack [3,5,6]. Therefore, there are proposed public-key schemes based on permutation polynomials [10–12] and Lucas functions [15,16] in order to prevent the weakness. However, Bleichenbacher et al. [2] showed that this is not necessarily true by providing a chosen-message attack on the LUC signature scheme. One might naturally try to choose different parameters for $a_i$, $b_i$, $c$ and $f$, $1 \le i \le m$, or use a higher-order linear relation so that the public-key scheme with the linear recurrence relation can withstand the attacks. In this paper we show that if the linear recurrence relation has some properties, which are usually required for the public-key scheme to function, the public-key scheme with the linear recurrence relation cannot withstand the chosen-message and common modulus attacks no matter what the order $m$ is and what the parameters are. In particular, we provide a general chosen-message attack and a general common modulus attack on the public-key scheme with a linear recurrence relation. These results show that the design of public-key schemes along the direction of Lucas-like functions is not feasible if the chosen-message and common modulus attacks are considered as major threats.

The LUC scheme has been attacked in many directions [2,9]. Its claimed advantages over the RSA scheme seem not to exist. However, it might have one merit. Our common modulus attack on the LUC cryptosystem uses three pairwise relatively prime exponents. From the structure, we observe that the attack with two relatively prime exponents might not exist. If a cryptographic protocol uses RSA-like functions and suffers from the two-exponent common-modulus attack, one might use Lucas-like functions as an alternative.

2. Preliminaries

We first assume that the public-key scheme is designed along the RSA-like direction. The scheme serves two purposes, cryptosystem and digital signature, simultaneously. The operations of the scheme are on $\mathbb{Z}_n$, i.e., “mod $n$” with few exclusions on finding multiplicative inverses. In Section 5, we consider the schemes with operations on other algebraic objects. The requirements (assumptions) for our attacks to succeed are:

R1 (efficiency). Given $a$ and $x$, $a > 0$, $0 < x < n$, $V_a(x) \bmod n$ is polynomial-time computable in the size of $a$ and $n$. We assume that $V_{ab}(x) = V_a(V_b(x))$.

R2 (commutativity). $V_a(V_b(x)) = V_b(V_a(x))$. For a public-key scheme to be used as both cryptosystem and digital signature, this property is almost necessary.

R3 (identity). One can find pairs $(e, d)$ so that $V_{ed}(x) \equiv x \pmod n$ for any value $0 < x \le n$. This is to make the scheme work. Therefore, the encryption/verification key is $e$ and the decryption/signing key is $d$.

Note that $V_a(V_b(x)) \bmod n = V_a(V_b(x) \bmod n) \bmod n$. By the requirements R1–R3, the scheme looks like the following.

Let $0 < M < n$ be the message. Then, the encryption is $C = V_e(M) \bmod n$, the decryption is $V_d(C) \bmod n$, the signing is $S = V_d(M) \bmod n$, and the verification is to verify whether $V_e(S) \bmod n$ is equal to $M$.

The RSA and LUC schemes both fit into this classification. In the RSA scheme the identity is computed by $ed \equiv 1 \pmod{(p-1)(q-1)}$ and in the LUC scheme it is computed by $ed \equiv 1 \pmod{(p^2-1)(q^2-1)}$.

3. Common modulus attacks

In implementing a public-key cryptosystem as described in Section 2, the system may use the same modulus $n$ for every user so that user $i$ has the public key $(e_i, n)$ and private key $(d_i, n)$. We note that a user with some $(e_i, d_i)$ pair can factor the modulus $n$. If a message $M$ is encrypted and sent to every user, the adversary (not one of the users) can use the public keys $(e_i, n)$ and the ciphertexts $V_{e_i}(M) \bmod n$ to compute the plaintext $M$. We show that the public-key cryptosystem with an order-$m$ linear recurrence relation that satisfies the requirements R1–R3 cannot withstand the common modulus attack with $m+1$ pairwise relatively prime exponents.

Let $e_i$, $1 \le i \le m+1$, be pairwise relatively prime. Assume that $0 < M < n$ and $\gcd(M, n) = 1$. We consider the system of equations:

$$r_i e_i - r_{i+1} e_{i+1} = 1, \quad 1 \le i \le m.$$

The integer solutions for $r_i$, $1 \le i \le m+1$, exist and can be found by Euclid’s algorithm.


Lemma 1. If $e_i$, $1 \le i \le m+1$, are pairwise relatively prime, then the system of equations $r_i e_i - r_{i+1} e_{i+1} = 1$, $1 \le i \le m$, has integer solutions for $r_i$, $1 \le i \le m+1$.

Proof. We prove this lemma by induction on $m$. For the induction base $m = 1$, since $e_1$ and $e_2$ are relatively prime, we use Euclid’s algorithm to find an integer solution $(r_1^0, r_2^0)$ for $r_1 e_1 - r_2 e_2 = 1$. For the induction hypothesis $m = k$, we assume that $(r_1^0, r_2^0, \ldots, r_{k+1}^0)$ is an integer solution for $r_i e_i - r_{i+1} e_{i+1} = 1$, $1 \le i \le k$. Let $E_i$ be $e_1 e_2 \cdots e_{i-1} e_{i+1} \cdots e_{k+1}$. We can see that $(r_1^0 + tE_1, r_2^0 + tE_2, \ldots, r_{k+1}^0 + tE_{k+1})$ is also an integer solution for an arbitrary integer $t$. We consider the case $m = k+1$ now. For the first $k$ equations $r_i e_i - r_{i+1} e_{i+1} = 1$, $1 \le i \le k$, we find integer solutions $(r_1^0 + tE_1, r_2^0 + tE_2, \ldots, r_{k+1}^0 + tE_{k+1})$ for an arbitrary integer $t$ by the hypothesis. We then substitute $r_{k+1}^0 + tE_{k+1}$ for $r_{k+1}$ in the $(k+1)$th equation $r_{k+1} e_{k+1} - r_{k+2} e_{k+2} = 1$ to obtain $(r_{k+1}^0 + tE_{k+1}) e_{k+1} - r_{k+2} e_{k+2} = 1$, which is $t e_1 e_2 \cdots e_{k+1} - r_{k+2} e_{k+2} = 1 - r_{k+1}^0 e_{k+1}$. Since $\gcd(e_1 e_2 \cdots e_{k+1}, e_{k+2}) = 1$, we use Euclid’s algorithm to find an integer solution $(t^0, r_{k+2}^0)$ for $(t, r_{k+2})$. Therefore, $(r_1^0 + t^0 E_1, r_2^0 + t^0 E_2, \ldots, r_{k+1}^0 + t^0 E_{k+1}, r_{k+2}^0)$ is an integer solution for $r_i e_i - r_{i+1} e_{i+1} = 1$, $1 \le i \le k+1$. □

Theorem 2. The public-key cryptosystem with an order-$m$ linear recurrence relation that satisfies the requirements R1–R3 cannot withstand the common modulus attack with $m+1$ pairwise relatively prime exponents.

Proof. In fact, $r_i e_i$, $1 \le i \le m+1$, are $m+1$ consecutive numbers. If the adversary obtains the ciphertexts $V_{e_i}(M) \bmod n$, $1 \le i \le m+1$, it can compute the values $V_{r_i e_i}(M) \bmod n = V_{r_i}(V_{e_i}(M) \bmod n) \bmod n$, $1 \le i \le m+1$, in polynomial time. Therefore, the adversary can solve the linear equation

$$V_{r_1 e_1}(M) \bmod n = \Bigl( \sum_{i=2}^{m+1} (a_{i-1} M + b_{i-1}) V_{r_i e_i}(M) + cM + f \Bigr) \bmod n,$$

in which the values $V_{r_i e_i}(M) \bmod n$ are already known and only $M$ is unknown, to obtain the message $M$. □

4. Chosen-message attacks

In the chosen-message attack, the adversary can query a signer to sign some messages and then uses the signed messages to deduce the signature of some other message of its choice.

Theorem 3. If the public-key signature scheme with an order-$m$ linear recurrence relation satisfies the requirements R1–R3, then it cannot withstand the chosen-message attack with $m$ queries.

Proof. Let $(d, n)$ be the signing key of the signer and $(e, n)$ be the verification key. The adversary chooses a message $M$, $0 < M < n$ and $\gcd(M, n) = 1$. The adversary computes the values $V_{e-i}(M) \bmod n$ for $1 \le i \le m$ and asks the signer to sign them. It then uses the query results $V_d(V_{e-i}(M) \bmod n) \bmod n$, $1 \le i \le m$, for the equation

$$\begin{aligned} M &= V_{ed}(M) \bmod n = V_e\bigl(V_d(M)\bigr) \bmod n \\ &= \Bigl( \sum_{i=1}^{m} \bigl(a_i V_d(M) + b_i\bigr) V_{e-i}\bigl(V_d(M)\bigr) + c V_d(M) + f \Bigr) \bmod n \\ &= \Bigl( \sum_{i=1}^{m} \bigl(a_i V_d(M) \bmod n + b_i\bigr) \bigl(V_d(V_{e-i}(M) \bmod n) \bmod n\bigr) + c V_d(M) + f \Bigr) \bmod n \end{aligned}$$

to solve $V_d(M) \bmod n$, which is the signature of the message $M$. □
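Both attacks carried out on a toy LUC instance ($m = 2$, $V_t(x) = xV_{t-1}(x) - V_{t-2}(x)$), as an added example that is not part of the paper: `consecutive_multiples` builds the solution of Lemma 1 by the induction above, `common_modulus_attack` is Theorem 2 with three pairwise relatively prime exponents, and `chosen_message_attack` is Theorem 3 with two queries. The function names, the toy primes and the use of the standard Lucas initial value $V_0 = 2$ (which gives $V_{ab} = V_a(V_b)$ and $V_{-k} = V_k$, so a negative $r_i$ from Lemma 1 needs no special handling) are this example's own assumptions.

```python
# Added example: the paper's attacks on a toy LUC scheme, V_t(x) = x V_{t-1}(x) - V_{t-2}(x).
from math import prod

def lucas_v(k, x, n):
    """V_k(x) mod n with V_0 = 2, V_1 = x (standard Lucas sequence; V_{-k} = V_k)."""
    vj, vj1 = 2, x % n                      # the pair (V_j, V_{j+1}), starting at j = 0
    for bit in bin(abs(k))[2:]:             # binary ladder: j -> 2j or 2j+1 per bit
        if bit == "1":
            vj, vj1 = (vj * vj1 - x) % n, (vj1 * vj1 - 2) % n
        else:
            vj, vj1 = (vj * vj - 2) % n, (vj * vj1 - x) % n
    return vj

def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v

def consecutive_multiples(es):
    """Lemma 1: integers r with r[i]*es[i] - r[i+1]*es[i+1] = 1 for every i,
    built as in the paper's induction (shift by t*E_i, then solve for t)."""
    g, u, v = egcd(es[0], es[1])
    assert g == 1, "exponents must be pairwise relatively prime"
    r = [u, -v]                                   # base case: r1*e1 - r2*e2 = 1
    for k in range(2, len(es)):
        P = prod(es[:k])                          # e1*...*ek, so E_i = P // es[i]
        g, u, v = egcd(P, es[k])
        assert g == 1, "exponents must be pairwise relatively prime"
        rhs = 1 - r[-1] * es[k - 1]               # need t*P - r_{k+1}*e_{k+1} = rhs
        t = u * rhs
        r = [ri + t * (P // ei) for ri, ei in zip(r, es[:k])] + [-v * rhs]
    return r

def common_modulus_attack(n, es, cs):
    """Theorem 2: recover M from C_i = V_{e_i}(M) mod n, three exponents, shared n."""
    r = consecutive_multiples(es)
    w = [lucas_v(ri, ci, n) for ri, ci in zip(r, cs)]  # V_{r_i e_i}(M) = V_{r_i}(C_i) by R1
    # r1e1, r2e2, r3e3 are consecutive, so V_{r1e1} = M*V_{r2e2} - V_{r3e3}: linear in M
    return (w[0] + w[2]) * pow(w[1], -1, n) % n

def chosen_message_attack(n, e, M, sign):
    """Theorem 3: forge the signature V_d(M) from signatures on two chosen messages."""
    s1 = sign(lucas_v(e - 1, M, n))   # V_d(V_{e-1}(M)) = V_{e-1}(V_d(M)) by R1/R2
    s2 = sign(lucas_v(e - 2, M, n))
    # M = V_e(S) = S*V_{e-1}(S) - V_{e-2}(S) with S = V_d(M) unknown: linear in S
    return (M + s2) * pow(s1, -1, n) % n
```

The attacks never touch a private key: the first needs only the three public exponents and three ciphertexts of the same message under the shared modulus, the second only two signatures on messages of the adversary's choice, which is why a per-user modulus and a non-malleable signature padding are the defences.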

5. Computing on other algebraic objects

We have illustrated our attacks on the public-key scheme with a linear recurrence relation that satisfies the requirements R1–R3 and is of operations on $\mathbb{Z}_n$. It can be extended to other algebraic objects if the algebraic objects satisfy the following criteria.

(1) For efficiency, the general operations, such as addition, multiplication, additive inverse, multiplicative inverse, should be able to be computed efficiently.

(2) For the trapdoor property (security), the operations, such as factoring and discrete logarithm, should be polynomially infeasible to compute.

The finite fields $\mathbb{F}_{p^m}$ and elliptic curves over a finite field satisfy the above criteria.

6. Conclusion and open problems

We would like to ask whether the LUC cryptosystem can withstand the common modulus attack with only two relatively prime exponents. This can be generalized to ask whether the public-key cryptosystem with an order-$m$ linear recurrence relation can be attacked with less than $m+1$ pairwise relatively prime exponents. We note that there exist $e_1$ and $e_2$, for example, $e_1 = 3$ and $e_2 = 4$, such that $r_1 e_i$, $r_2 e_j$ and $r_3 e_k$, $i, j, k \in \{1, 2\}$, cannot be three consecutive numbers. Therefore, our common modulus attack on the LUC cryptosystem cannot succeed with only two relatively prime exponents.

Similar questions can be asked about the chosen-message attack. What is the minimum number of queries needed for a successful chosen-message attack?

References

[1] D. Bleichenbacher, On the security of the KMOV public key cryptosystem, in: Proceedings of Advances in Cryptology— Crypto 97, Springer, Berlin, 1997, pp. 235–248.

[2] D. Bleichenbacher, W. Bosma, A.K. Lenstra, Some remarks on Lucas-based cryptosystems, in: Proceedings of Advances in Cryptology—Crypto 95, Springer, Berlin, 1995, pp. 386–396.

[3] G.I. Davida, Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem, Technical Report TR-CS-82-2, Department of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, 1982.

[4] J.M. DeLaurentis, A further weakness in the common modulus protocol for the RSA cryptoalgorithm, Cryptologia 8 (1984) 253–259.

[5] D.E. Denning, Digital signatures with RSA and other public-key cryptosystems, Comm. ACM 27 (4) (1984) 388–392.

[6] Y. Desmedt, A.M. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm problems, in: Proceedings of Advances in Cryptology—Crypto 85, Springer, Berlin, 1986, pp. 516–522.

[7] B. Kaliski, A chosen message attack on Demytko’s elliptic curve cryptosystem, J. Cryptology 10 (1997) 71–72.

[8] D. Kravitz, I. Reed, Extension of RSA cryptostructure: a Galois approach, Electron. Lett. 18 (6) (1982) 255–256.

[9] C.-S. Laih, F.-K. Tu, W.-C. Tai, On the security of the Lucas function, Inform. Process. Lett. 53 (1995) 243–247.

[10] R. Lidl, W.B. Muller, Permutation polynomials in RSA-cryptosystems, in: Proceedings of Advances in Cryptology— Crypto 83, Plenum Press, 1984, pp. 293–301.

[11] W.B. Muller, W. Nobauer, Some remarks on public-key cryptosystem, Studia Sci. Math. Hungar. 16 (1981) 71–76.

[12] W.B. Muller, W. Nobauer, Cryptanalysis of the Dickson scheme, in: Proceedings of Advances in Cryptology—Eurocrypt 85, Springer, Berlin, 1986, pp. 50–61.

[13] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (2) (1978) 120–126.

[14] G.J. Simmons, A “weak” privacy protocol using the RSA crypto algorithm, Cryptologia 7 (1983) 180–182.

[15] P. Smith, LUC public-key encryption, Dr. Dobb’s J. 18 (1) (1993) 44–49.

[16] P. Smith, M.J. Lennon, LUC: a new public key system, in: Proc. 9th IFIP International Conference on Computer Security, North-Holland, Amsterdam, 1993, pp. 103–117.

[17] P. Smith, C. Skinner, A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms, in: Proceedings of Advances in Cryptology—Asiacrypt 94, Springer, Berlin, 1995, pp. 357–364.
