Crytanalysis of Nyberg- Rueppel’s Message Recovery Scheme Chen –Chi Lin and Chi-Sung Laih 簡報者 : 鐘敏毓

outline Review of Nyberg-Rueppel’s Message Recovery Scheme The Nyberg-Rueppel Attack The Extended Known Message Attack

Review of Nyberg-Rueppel’s Message Recovery Scheme Message recovery signature 的優點在通訊的觀 點上比一個加簽的訊息要求較少的頻寬 使用 ElGamal‘s 簽章法的一個變形

Review of Nyberg-Rueppel’s Message Recovery Scheme (Cont.) -- ElGamal type message recovery scheme p,q  large primes, q|(p-1) r=mg -k mod p,k is a random integer s=k -1 (m+rx) mod q, r’=r mod q (original) General signature equation  ak+bx+c=0 (a,b,c) is a permutation of (±r’,±s,±1) x is the secret key (y=g x mod p)

Review of Nyberg-Rueppel’s Message Recovery Scheme (Cont.) signature Equation (S1) sk-r’x-1=0 mod q (S2)r’k+sx-1=0 mod q (S3)k-r’x-s=0 mod q message recovery equation m=g s -1 y s -1 r’ r mod p m=g (r’) -1 y- s(r’) -1 r mod p m=g s y r’ r mod p

Review of Nyberg-Rueppel’s Message Recovery Scheme (Cont.) signature Equation (S4)sk-x-r’=0 mod q (S5)r’k+x-s=0 mod q (S6)k-sx-r’=0 mod q message recovery equation m=y s -1 g s -1 r’ r mod p m=y (r’) -1 g- s(r’) -1 r mod p m=y s g r’ r mod p

The Nyberg-Rueppel Attack 所有的 ElGamal type scheme 都有會受到 substitution 攻擊的 弱點, 如果我們使用密碼學上的 hash function 可以保護它. m=g k r=y -a -1 b g -a -1 c r mod p Given a message M’  m=M’g e mod p r=my a -1 b g a -1 c mod p r=Mg e y a -1 b g a -1 c mod p r=My a -1 b g a -1 c+e mod p  choosing any A,B in Z q r=y A g B M mod p o for (s2)—(s6), not for (s3),(s5)

A=a -1 b,B=a -1 c+e A= s -1 (-r’),B= s -1 +e(S1) A= r’ -1 s,B = r’ -1 (-1)+e(S2) A=-r’,B=-s+e(S3)not A= s -1,B= s -1 (-r’)+e(S4) A= r’ -1,B= r’ -1 (-s)+e(S5)not A=-s,B=(-r’)+e(S6) 未知 e, 要找相對應 e,r’,s

The Extended Known Message Attack—(s3),(s5) m=g k r=y -a -1 b g -a -1 c r mod p Given a message M  m=My d mod p r=My d y a -1 b g a -1 c mod p r=My a -1 b+d g a -1 c mod p  choosing any C,D in Z q r=y C g D M mod p 3 cases :

The Extended Known Message Attack (Cont.) C=a -1 b+d mod q(a,b,c) – (±r’,±s,±1) Case 1)r’=b, C =a -1 r’+d d=C- a -1 r’ (if a=1) d=C-r’  c=s D=a -1 c mod q s=D mod q  (s3) not for (s1)

The Extended Known Message Attack (Cont.) C=a -1 b+d mod q(a,b,c) – (±r’,±s,±1) Case 2) r’=a,C=r’ -1 b+d mod q d=C- r’ -1 b mod q (if b=1) d=C- r’ -1 mod q  c=s D=a -1 c mod q s=D/r’ mod q  (s5) not for (s2)

The Extended Known Message Attack (Cont.) C=a -1 b+d mod q(a,b,c) – (±r’,±s,±1) Case 3) r’=c, D=a -1 r’ mod q (a=1,b=s) or (a=s,b=1) (r’=D,d=C-s)(d=C-s,r’=D/s)  not for (s4),(s6)

Conclusion 在 Nyberg and Rueppel 所提出的四種簽章 的 scheme 並不能抵抗所謂的已知明文攻 擊法 (known message attack), 在此篇中延 續此種攻擊針對另外兩個剩餘的簽章 scheme.

ak+bx+c=0 (S1) sk-r’x-1=0 mod q a=s,b=-r’,c=-1 (S2)r’k+sx-1=0 mod q a=r’,b=s,c=-1 (S3)k-r’x-s=0 mod q a=1,b=-r’,c=-s (S4)sk-x-r’=0 mod q a=s,b=-1,c=-r’ (S5)r’k+x-s=0 mod q a=r’,b=1,c=-s (S6)k-sx-r’=0 mod q a=1,b=-s,c=-r’

C=a -1 b+d,D=a -1 c C= s -1 (-r’)+d,D= s -1 (S1) C= r’ -1 s+d,D = r’ -1 (-1)(S2)not C=-r’+d,D=-s(S3) C= s -1 +d,D= s -1 (-r’)(S4) C= r’ -1 +d,D= r’ -1 (-s)(S5) C=-s+d,D=(-r’)(S6)not