
TSINGHUA SCIENCE AND TECHNOLOGY, ISSN 1007-0214, 10/20, pp. 579-581, Volume 10, Number 5, October 2005

Weak-Keys in Public Key Cryptosystems Based on Discrete Logarithms*

TAI Suiyan, LUO Ping**, PENG Xiaoning, WANG Daoshun

Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China; Department of Computer Science and Technology, Huaihua University, Huaihua 418008, China

Abstract: The discrete logarithm method is the foundation of many public key algorithms. However, one type of key, defined here as a weak-key, reduces the security of public key cryptosystems based on the discrete logarithm method. A weak-key occurs when the public key is an integer root or an integer power of the primitive element, in which case the user's private key is not needed to forge signatures, and can in fact be obtained from the form of the public key. An algorithm is presented that can easily test whether a weak-key is present in the cryptosystem. An example is given to show that an attack on the Elgamal digital signature can be completed if a weak-key exists, which validates the danger of weak-keys. Methods are given to prevent the generation of these weak-keys.

Key words: discrete logarithm; public key cryptography; weak-key; Elgamal digital signature

Introduction

The discrete logarithm problem, like integer factorization and its elliptic curve analogue, is believed to be computationally hard, so it has become the foundation of many public key cryptosystems such as the Elgamal digital signature[1], the Diffie-Hellman key agreement protocol[2], and the DSA digital signature algorithm[3].

A weak-key is defined as an insecure key which reduces the complexity of attacks below that of a search of the key space. Research on weak-keys has been conducted for years, especially for block cipher algorithms. Hellman et al.[4] and Davies[5] gave clear descriptions of the weak-keys in DES. Large classes of weak-keys have been found for IDEA[6], and that work also showed how to eliminate them. Vaudenay[7] proved that there are weak-keys in Blowfish that significantly reduce the complexity of attacks. Weak-keys also exist in public key algorithms, not only in block cipher algorithms. Loidreau and Sendrier[8] found that it is possible to identify a weak-key with a binary generator polynomial in the McEliece public key algorithm; when such a weak-key is used, an attack can be completed with a feasible amount of computation. Juels and Guajardo[9] used verifiable randomness to avoid generating weak-keys in RSA.

This paper analyzes cryptosystems based on the discrete logarithm method and finds weak-keys similar to those in other cryptosystems. A method is then given to attack Elgamal digital signatures, one of the cryptosystems based on the discrete logarithm method, when a weak-key is used.

Received: 2004-01-09; revised: 2005-01-04

* Supported by the National Key Basic Research and Development (973) Program (No. 2003CB314805) and the National Natural Science Foundation of China (No. 90304014)

** To whom correspondence should be addressed. E-mail: [email protected]; Tel: 86-10-62789754

1 Discrete Logarithm and Elgamal Digital Signature Methods

The discrete logarithm method is based on a value $p$ which is assumed to be a large prime, with $g$ a primitive element of GF($p$) and $f$ a one-way function. Also assume that the user's secret key is $x$, which must satisfy $x \in [1, p-1]$ and $\gcd(x, p-1) = 1$. The public key is $y = g^x \bmod p$. It is very easy to calculate $y$ from $x$ but difficult to calculate $x$ from $y$, which is the basis of the discrete logarithm method. For the Elgamal digital signature, $y$, $g$, and $p$ are public, while $x$ is known only to the signer. Furthermore, assume $m$ is a message to be signed and $k$ is a random number selected by the user with $k \in [1, p-1]$ and $\gcd(k, p-1) = 1$. Then calculate $r$ from $r = g^k \bmod p$ and $s$ from $m \equiv (xr + ks) \pmod{p-1}$, i.e. $s = k^{-1}(m - xr) \bmod (p-1)$, where $k^{-1}$ exists because $\gcd(k, p-1) = 1$. $(r, s)$ is the signature of message $m$, which is often written as $(m, r, s)$. If $y^r r^s \bmod p = g^m \bmod p$, then the signature is accepted; otherwise the signature is refused. Note that, as in Elgamal's original scheme[1], $m$ itself is used in the exponent rather than a hash of $m$; the analysis below follows that form.
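The signing and verification steps above, carried through as an added Python example (this is not code from the paper). It uses the paper's parameters $p = 29$, $g = 27$ and $x = 19$; the nonce $k = 5$ and message $m = 10$ in demo() are assumptions chosen here so the arithmetic can be checked by hand. pow(k, -1, p-1) needs Python 3.8 or later.

```python
# Added example: textbook Elgamal signing and verification with the paper's
# toy parameters p = 29, g = 27, x = 19. The nonce k and message m used in
# demo() are assumptions made for this example.
from math import gcd

P = 29   # "large prime" of the paper; tiny here so values can be checked by hand
G = 27   # primitive element of GF(29): 27 = 3**3 and 3 has order 28


def keygen(x, p=P, g=G):
    """Public key y = g^x mod p for a secret x with gcd(x, p-1) = 1 (the paper's condition)."""
    if not (1 <= x <= p - 1 and gcd(x, p - 1) == 1):
        raise ValueError("x must lie in [1, p-1] and be coprime to p-1")
    return pow(g, x, p)


def sign(m, x, k, p=P, g=G):
    """Signature (r, s) of m: r = g^k mod p and s solves m = x*r + k*s (mod p-1)."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p-1 so that k^-1 mod (p-1) exists")
    r = pow(g, k, p)
    s = ((m - x * r) * pow(k, -1, p - 1)) % (p - 1)   # pow(k, -1, n): Python >= 3.8
    return r, s


def verify(m, r, s, y, p=P, g=G):
    """Accept iff y^r * r^s = g^m (mod p), after the usual range checks on r and s."""
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return (pow(y, r, p) * pow(r, s, p)) % p == pow(g, m, p)


def demo(x=19, k=5, m=10):
    """Sign m with the paper's key, check that verification agrees, and check that a
    changed message is rejected. Returns (y, r, s, accepted, tampered_accepted)."""
    y = keygen(x)
    r, s = sign(m, x, k)
    return y, r, s, verify(m, r, s, y), verify(m + 1, r, s, y)


if __name__ == "__main__":
    print(demo())   # (3, 26, 4, True, False)
```

With these numbers $y = 27^{19} \bmod 29 = 3$, the public key the paper's example in Section 2.4 starts from.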

2 Weak-Key

2.1 Definition of weak-key

Definition: Let $\mathbb{Z}^+$ be the set of positive integers. If there are $i, j \in \mathbb{Z}^+$ such that $y = g^{j/i} \in \mathbb{Z}^+$, then $y$ is a weak-key of the discrete logarithm.

From the principle of discrete logarithms, assume that $g$ is a primitive element in GF($p$) and $y = g^x \bmod p$, so that $y \in \{1, 2, \ldots, p-1\}$. Hence it is possible that $y = g^{j/i}$ for some $i, j \in \mathbb{Z}^+$, which is to say that a weak-key exists. However, $j/i$ may or may not be equal to $x$. For example, if $g = 27$, then $y = 27^{j/i}$ may be $27^{1/3} = 3$, $27^{2/3} = 9$, $27^{3/3} = 27$, $27^{4/3} = 81$, $27^{5/3} = 243, \ldots$ (whichever of these values are smaller than $p$), which are the so-called weak-keys of the discrete logarithm method regardless of the value of $x$. In other words, if the public key $y$ is an integer root or an integer power of the primitive element $g$, so that $y^i = g^j$ holds over the integers and not merely modulo $p$, then $y$ is a weak-key. Note that $y^i = g^j$ together with $y = g^x \bmod p$ gives $g^{ix} \equiv g^{j} \pmod p$, and since $g$ has order $p-1$, $ix \equiv j \pmod{p-1}$; when $\gcd(i, p-1) = 1$ this already determines $x = j\,i^{-1} \bmod (p-1)$.

2.2 An attack on a weak-key system

Attack method: Let $y = g^{j/i}$ be the weak-key, with $i$ and $j$ known. The attacker sets

$$r = y, \qquad s = \frac{m\,i}{j} - y \qquad (1)$$

Therefore $x$ is not needed to produce the fake signature $(m, r, s)$. If the signature $(m, r, s)$ is to be accepted, then the equation $y^r r^s \bmod p = g^m \bmod p$ must hold. The following proves the correctness of this attack.

Proof: Assume

$$E = y^r r^s \bmod p = y^{y} \cdot y^{\,mi/j - y} \bmod p,$$

then

$$E = \left(g^{j/i}\right)^{y} \left(g^{j/i}\right)^{mi/j - y} \bmod p = \left(g^{j/i}\right)^{mi/j} \bmod p = g^m \bmod p.$$

Hence the equation $y^r r^s \bmod p = g^m \bmod p$ is true, which completes the proof.

Because $m$ and $s$ are positive integers which must be less than $p-1$, the range of $m$ can be determined from Eq. (1):

$$\frac{y\,j}{i} \le m \le \frac{(p-1+y)\,j}{i}, \quad \text{if } \left(1 - \frac{i}{j}\right)(p-1) + y \le 0 \qquad (2)$$

$$\frac{y\,j}{i} \le m \le p-1, \quad \text{if } \left(1 - \frac{i}{j}\right)(p-1) + y > 0 \qquad (3)$$

where $im/j \in \mathbb{Z}$, so that $s$ is an integer. Therefore the range of $m$, which must be a multiple of $j$ when $\gcd(i, j) = 1$, is restricted, and the attacker only needs to find a suitable $m$ in this range to construct a workable fake signature.

2.3 Algorithm to detect weak-keys

The following algorithm detects weak-keys in a system by testing whether $y = g^{j/i}$ when $y$, $g$, and $p$ are known ($y$ and $g$ are the residues modulo $p$). If $y = g^{j/i}$, the algorithm also returns the values of $i$ and $j$; it quickly determines whether $y$ is a weak-key. The loop is a Euclid-style reduction: $A$ and $B$ are repeatedly divided by each other while the exponents of $g$ and $y$ that compose them are tracked, so that $A = g^{j_1} y^{i_1}$ and $B = g^{j_2} y^{i_2}$ hold throughout.

typedef unsigned long long yourtype; // user-defined type; replace with a big-integer type
                                     // when g and y are large

// Returns 1 when y is a weak-key and sets i, j so that y^i == g^j (i.e. y == g^(j/i)).
// Returns 0 when y is not a weak-key. g and y are positive integers (reduced mod p).
int weak_key_check(yourtype g, yourtype y, int &i, int &j)
{
    if (g == 1 || y == 1)           // dividing by 1 would never terminate; y == 1 is a
        return 0;                   // degenerate key (x == 0 mod (p-1)) and is rejected here
    int j1 = 1, j2 = 0, i1 = 0, i2 = 1;   // invariants: A == g^j1 * y^i1, B == g^j2 * y^i2
    yourtype A = g, B = y;
    while (A != B) {
        if (A > B) {
            if (A % B != 0)         // % and / become big-integer operations for large g, y
                return 0;           // y is not a weak-key
            A = A / B;
            j1 = j1 - j2;
            i1 = i1 - i2;
        } else {
            if (B % A != 0)
                return 0;           // y is not a weak-key
            B = B / A;
            j2 = j2 - j1;
            i2 = i2 - i1;
        }
    }
    // A == B gives g^(j1-j2) == y^(i2-i1)
    j = j1 - j2;
    i = i2 - i1;
    return 1;                       // y is a weak-key
}

2.4 Example

The weak-key problem is described with small numbers to demonstrate the attack on the system. Select $g = 27$, $p = 29$, and $x = 19$, which satisfies $\gcd(x, p-1) = 1$. Then the public key is $y = 27^{19} \bmod 29 = 3$. After $g$, $p$, and $y$ are known, the attacker uses the algorithm in Section 2.3 to determine that $y$ is a weak-key with $i = 3$, $j = 1$. Then $(m, r, s)$ can be produced from Eq. (2) with $m \in \{1, 2, 3, \ldots, 10\}$. Arbitrarily select $m = 5$; then the attacker gets $s = 3 \cdot 5 - 3 = 12$ and $r = 3$ from Eq. (1). The equation $y^r r^s \bmod p = g^m \bmod p$ holds since $3^3 \cdot 3^{12} = 3^{15} = 27^5$. Hence $(5, 3, 12)$ is a workable fake signature produced by the attacker. Similarly, if $y = 9$ ($27^{2/3} = 9$) or $y = 27$ ($27^{1} = 27$), the attacker can produce other fake signatures $(m, r, s)$.
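The detection algorithm of Section 2.3, the forgery of Eq. (1) and the candidate range of Eqs. (2)/(3), run end to end on the example above as added Python code (it is not the authors' program). It goes one step beyond the paper in that, from $(i, j)$, it also computes the private key $x = j\,i^{-1} \bmod (p-1)$, which the abstract says can be obtained but the paper does not spell out. Function names are this example's own.

```python
# Added example: Python port of the Section 2.3 weak-key check, the Eq. (1)
# forgery and the Eq. (2)/(3) message range, plus private-key recovery,
# on the paper's numbers g = 27, p = 29, y = 3. Not the authors' program.
from math import gcd


def weak_key_check(g, y):
    """Return (i, j) with y**i == g**j over the integers (i.e. y = g^(j/i)),
    or None when y is not a weak-key. Same loop as Section 2.3: the invariants
    a == g**ja * y**ia and b == g**jb * y**ib hold throughout."""
    if g < 2 or y < 2:
        return None   # g == 1 or y == 1 would divide forever; y == 1 is a degenerate key
    a, b = g, y
    ja, ia = 1, 0
    jb, ib = 0, 1
    while a != b:
        if a > b:
            if a % b:
                return None
            a //= b
            ja, ia = ja - jb, ia - ib
        else:
            if b % a:
                return None
            b //= a
            jb, ib = jb - ja, ib - ia
    # a == b  =>  g**(ja - jb) == y**(ib - ia)
    return ib - ia, ja - jb


def recover_private_key(i, j, p):
    """y**i = g**j and y = g**x mod p give i*x = j (mod p-1); solvable directly
    when gcd(i, p-1) = 1 (otherwise x is one of gcd(i, p-1) candidates)."""
    if gcd(i, p - 1) != 1:
        return None
    return (j * pow(i, -1, p - 1)) % (p - 1)


def candidate_messages(y, i, j, p):
    """All m in [1, p-1] for which Eq. (1) gives an integer s in [0, p-2]: the range
    of Eqs. (2)/(3) restricted to m with m*i/j integral. A verifier that also
    insists on s != 0 drops the smallest candidate."""
    return [m for m in range(1, p) if (m * i) % j == 0 and 0 <= m * i // j - y <= p - 2]


def forge(m, y, i, j, p):
    """Eq. (1): r = y, s = m*i/j - y. The private key is never used."""
    if (m * i) % j:
        raise ValueError("m*i must be divisible by j")
    s = m * i // j - y
    if not 0 <= s <= p - 2:
        raise ValueError("m lies outside the range of Eqs. (2)/(3)")
    return y, s


def verify(m, r, s, y, p, g):
    """Elgamal acceptance test y^r * r^s = g^m (mod p)."""
    return 0 < r < p and (pow(y, r, p) * pow(r, s, p)) % p == pow(g, m, p)


def demo(p=29, g=27, y=3, m=5):
    """Run the whole attack. Returns (i, j, x, r, s, accepted) or None if y is not weak."""
    ij = weak_key_check(g, y)
    if ij is None:
        return None
    i, j = ij
    x = recover_private_key(i, j, p)
    r, s = forge(m, y, i, j, p)
    return i, j, x, r, s, verify(m, r, s, y, p, g)


if __name__ == "__main__":
    print(demo())                            # (3, 1, 19, 3, 12, True)
    print(candidate_messages(3, 3, 1, 29))   # [1, 2, ..., 10]
```

The recovered $x = 19$ is exactly the secret key chosen in the example, which is the practical reading of the definition: a key is weak precisely because its discrete logarithm is a small rational $j/i$ modulo $p-1$, so the key generator should reject any $y$ for which weak_key_check returns a pair, as the conclusions recommend.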

3 Conclusions

Weak-keys were found to exist in public key algorithms based on the discrete logarithm method, although weak-keys are unlikely to be produced by random key generation. An attack method is presented for the Elgamal digital signature when a weak-key exists, which verifies the vulnerability of the system with weak-keys. This paper does not solve the discrete logarithm problem, but presents an algorithm for weak-key checking which shows that the weak-key is a property of the public key rather than of the user's private key. The key producer should check whether $y$ is a weak-key in order to avoid generating weak-keys.

References

[1] Elgamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 1985, IT-31(4): 469-472.

[2] Diffie W, Hellman M. New directions in cryptography. IEEE Transactions on Information Theory, 1976, IT-22(6): 644-654.

[3] NIST. A proposed federal information processing standard for digital signature standard. Federal Register, 1991, 56(169): 42980-42982.

[4] Hellman M, Merkle R, Schroeppel R, Washington L, Diffie W, Pohlig S, Schweitzer P. Results of an initial attempt to cryptanalyze the NBS data encryption standard. Technical Report SEL, Information Systems Laboratory Report, Stanford University, 1976: 76-142.

[5] Davies D W. Some regular properties of the DES. In: Advances in Cryptology. Proceedings of Crypto '82. Plenum Press, 1983: 89-96.

[6] Daemen J, Govaerts R, Vandewalle J. Weak-keys for IDEA. In: Stinson D R, ed. Advances in Cryptology, Crypto '93, LNCS 773. Springer-Verlag, 1994: 224-231.

[7] Vaudenay S. On the weak-keys of Blowfish. In: Gollmann D, ed. Fast Software Encryption, Vol. 1039 of Lecture Notes in Computer Science. Springer-Verlag, 1996, 65: 27-32.

[8] Loidreau P, Sendrier N. Weak-keys in McEliece public key cryptosystem. IEEE Transactions on Information Theory, 2001, 47(3): 1207-1212.

[9] Juels A, Guajardo J. RSA key generation with verifiable randomness. In: Public Key Cryptography. Lecture Notes in Computer Science. Paris, France: Springer-Verlag, 2002: 357-374.