Welcome everyone to the second of two sessions on physical attacks and masking. We have three excellent talks in this session. The first one is on approximate divisor multiples, by Alexander May, Julian Nowakowski, and Santanu Sarkar, and Julian is giving the talk.

Okay. Hi everyone. This is "Approximate Divisor Multiples: Factoring with Only a Third of the Secret CRT Exponents", and this is a new attack on RSA. So let's first recall the definition of RSA keys. As you probably all know, an RSA public key contains a modulus N, which is the product of two primes P and Q, and it contains a public exponent E, which is just some integer. The private key also contains N, and in addition it contains the secret exponent D, which is defined as the multiplicative inverse of E modulo P minus one times Q minus one. Now, that's not really how you would do RSA in practice. In practice, you would use CRT-RSA. The public keys are exactly the same, but the private keys are a bit larger, and these larger private keys allow for more efficient decryption. Here we would additionally store P and Q, the two primes. We would also store the two CRT exponents, DP and DQ, which are just D reduced modulo P minus one or Q minus one, respectively. And we have this value Q inverse, which is the multiplicative inverse of Q modulo P. Now these CRT-RSA keys are of course obviously redundant. We can throw away basically everything here, except for one of the primes, say P, and we still have a valid private key that allows us to decrypt very efficiently, because given the public key and P, all these other values that we just threw away can be computed efficiently. And very interestingly, even this very minimalistic key that consists only of P is still very redundant, because we can actually throw away half of the bits of P and still have a valid private key that allows us to decrypt relatively efficiently.
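As a quick illustration of this redundancy, here is a minimal Python sketch (with toy parameters; the Mersenne primes are my choice, just so the example is self-contained) showing that every CRT-RSA private-key component can be recomputed from the public key and the single prime P:

```python
# Toy illustration: given the public key (N, e) and only the prime p,
# all other CRT-RSA private-key components can be recomputed.
# Small Mersenne primes are used here purely for self-containedness;
# real keys would of course use much larger random primes.

p = 2**127 - 1
q = 2**89 - 1
N = p * q
e = 65537  # public exponent

# Recompute everything from (N, e) and p alone:
q_rec = N // p                          # the other prime
d = pow(e, -1, (p - 1) * (q_rec - 1))   # secret exponent
dp = d % (p - 1)                        # CRT exponent, d mod p-1
dq = d % (q_rec - 1)                    # CRT exponent, d mod q-1
q_inv = pow(q_rec, -1, p)               # inverse of q modulo p

assert q_rec == q
assert (e * d) % ((p - 1) * (q - 1)) == 1
assert (q_inv * q) % p == 1
print("recovered dp, dq, q_inv from p alone")
```

Note that `pow(e, -1, m)` (modular inversion via the built-in `pow`) requires Python 3.8 or later.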
That's due to this result by Coppersmith from Eurocrypt '96, which says that given only half of the bits of P, we can factor N in polynomial time. I think that's a pretty interesting result for attacking RSA, as it tells us that to completely break the scheme, you actually have to know only a very small fraction of the secret key. Maybe you disagree and say, no, that's not that interesting at all for attacking RSA, because polynomial time does not necessarily mean that this attack is really practical. And you could also argue that learning half of the bits of P may seem a bit too much for a real-world attacker. But let me try to convince you otherwise. First of all, from an attacker's perspective, this attack should really be considered efficient. If you just do a straightforward implementation and run it on a laptop, then you can break 1,000-bit RSA in only two minutes with this attack, and even 4,000-bit RSA requires less than half an hour. And this attack is also surprisingly practical. This was first shown by Bernstein et al. in 2013, where they used this exact attack to break roughly 80 smart cards. And then a few years later, in 2017, there was an even more impressive attack by Nemec et al., who could actually use this attack to break 10 million smart cards. The problem in both of these attacks was pretty much the same: these smart cards used pretty bad random number generators, which made predicting half of the bits of P easy, and then you could apply this attack by Coppersmith. So I think it's a really important result for the cryptanalysis of RSA. And this leads to a natural question: can we do similar attacks if we know not bits of P, but bits of the secret exponent or the CRT exponents? There has been lots of research on this question, which is usually called partial key exposure attacks, and there are many results. So let me recall some of them.
For instance, we have this result by Boneh, Durfee, and Frankel from Asiacrypt '98, which shows that if we assume that E is reasonably small, as it always is in practice, then you can break RSA with only a quarter of the bits of the secret exponent. There's also a result for CRT-RSA: again, if you assume that the public exponent is small, then you can factor with half of the bits of one CRT exponent. And quite interestingly, all these attacks behave very similarly, in the sense that if you have an N-bit modulus, all these attacks require roughly N over four bits. There are some partial key exposure attacks which aren't that similar, and these form this line of research here, started by Ernst, Jochemsz, May, and de Weger, and then improved by Aono and by Takayasu and Kunihiro. They kind of relax the assumption on E: we no longer assume that it's really small, but even allow it to be up to the same size as the modulus. But now we assume that the secret exponent is small, and then you can show that the smaller the secret exponent gets, the fewer bits you have to know to factor the modulus in polynomial time. So we draw on the horizontal axis how large D is in comparison to N, and on the vertical axis how large a fraction of the bits of D we know. We can see that if D is full size, so of the same size as N, then we have to know all of the bits, and the smaller it gets, the fewer and fewer bits we have to know. And actually, if we are below this 0.292 bound, then we don't have to know any bits at all. There's also an analogous result for CRT-RSA, which we showed at last year's Asiacrypt. Again, if you make no strong assumption on E, but assume that the CRT exponents are kind of small, then, as with usual RSA, the smaller they get, the fewer bits you have to know. And you can make stronger and stronger assumptions.
For instance, you may assume that E is also kind of smallish, say not larger than the square root of N; then everything gets even better. For instance, for full-size CRT exponents you wouldn't need all of the bits, but only a three-quarters fraction, and you would actually need no bits at all if you are below 0.232. So in a nutshell, partial key exposure attacks may be summarized as: the smaller E, D, DP and DQ get, the fewer bits we have to know to factor N in polynomial time. Now let's move on to our new result. We give a new partial key exposure attack, and we assume exposed CRT exponents DP and DQ, and a kind of smallish public exponent, smaller than the fourth root of the modulus. And our attack goes completely against the intuition that we had from all previously known partial key exposure attacks, because we have a surprising behavior for E smaller than N to the power of one over twelve: there, our attack actually requires fewer bits the larger E gets. So let's take a closer look. On the horizontal axis, we plot how large E is, and on the vertical axis, we plot how large a fraction of the bits of DP and DQ we know. You can see that if E is very small, then we have to know roughly half of the bits. Then, as E increases, we have to know fewer and fewer bits, and at this point at one over twelve, we only have to know a third of the bits. Somewhat strangely, at this point our attack has a bump, and after that it again requires more bits the larger E gets. And what should also be noted: if we are below one over eight, then our attack is the best in the sense that it requires the fewest bits, but after that we are superseded by a result by Takayasu and Kunihiro from 2015. Okay, so why does our attack behave so differently? For that, let's have a look at how you would usually do these attacks. You would model your problem of attacking RSA as the problem of computing the solutions of a system of polynomial equations.
And then you would just apply Coppersmith's lattice-based method to extract these solutions. We did almost the same thing, but with a minor twist: we have one intermediate step. We first compute a partial solution in a few variables. After that, we end up with a somewhat simpler system of equations, because we now have fewer variables, so it's simpler to solve and Coppersmith's method works better. So let's take a look at these two steps of our attack. We start with the first step, where we want to compute a partial solution in a few variables. We start with the CRT-RSA equations, which just tell us that the product of E and DP has to be one plus an integer multiple of P minus one, and the product of E and DQ has to be one plus an integer multiple of Q minus one. Now we could treat this as a system of polynomial equations in the unknowns DP, K, P, DQ, L and Q, and we could try to extract all these unknowns. But that's not what we did. We said, no, we only focus on K and L; we don't care about the others for the moment. We just want to compute K and L. So how difficult is it actually to compute K and L? There's not much known about that. We basically have two results: one folklore result, which tells us that if E is really small, then you can just do brute-force search and have an efficient attack. And then there's a result by Galbraith et al. from 2005, which tells us that if E gets kind of large, so larger than the fourth root of the modulus, then this is as hard as factoring. We could show basically a perfect interpolation between these two results. So our result looks like this. Again, we phrase this as a function of the known bits of the CRT exponents and the size of the public exponent E. You can see that if E is very small, then we don't have to know any bits at all; this corresponds to the folklore result where E is very small and you can just do brute force.
And similarly, at the point where E is of size N to the power of one over four, we really have to know all of the bits; this is essentially the point where it gets as hard as factoring. This part of our attack is surprisingly simple, so let me try to sketch how it works. We first split the CRT exponents into most significant bits and least significant bits, and in this talk I assume that we have somehow obtained these most significant bits. Our attack would also work if we knew the least significant bits; we have explained in our paper how this works, but it is a bit more complicated, so I won't go into the details in this talk. We just focus on the most significant bits. Okay. Now we make two very simple observations. The first one is this here: in the first equation, the right-hand side is approximately K times P, because all the other terms are much smaller. And similarly, in the second equation, this is approximately L times Q. Then we approximate the left-hand sides of these equations by E times DP's MSBs and E times DQ's MSBs. We multiply these two equations together and obtain that E squared times the product of the MSBs is roughly K times L times N. We divide by N and get that E squared times the MSBs divided by N is an approximation of K times L. Now E squared and N are known anyway; they are just the public key. But we now also assume that we know these MSBs. So this tells us that from the values we know anyway, we can compute an approximation of K times L. And it turns out that this approximation is extremely good: if you know sufficiently many MSBs, in the sense that they are larger than E squared, then you just have to round this fraction and it actually equals K times L. This condition here, that the MSBs have to be larger than E squared, corresponds to the graph which you see on the right.
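The rounding observation above is easy to check numerically. Here is a minimal sketch with toy parameters (Mersenne primes and a generously large number of known MSBs, both my choices; the paper's exact bound on the MSBs is sharper than what this sketch needs):

```python
# Toy demonstration of the rounding lemma: from the CRT-RSA equations
#   e*dp = 1 + k*(p-1)  and  e*dq = 1 + l*(q-1),
# the product k*l equals round(e^2 * dp * dq / N), even when only the
# most significant bits of dp and dq are used.

p = 2**127 - 1   # toy Mersenne primes, chosen for self-containedness
q = 2**89 - 1
N = p * q
e = 65537

dp = pow(e, -1, p - 1)
dq = pow(e, -1, q - 1)

# The CRT multipliers k and l (a priori unknown to the attacker).
k = (e * dp - 1) // (p - 1)
l = (e * dq - 1) // (q - 1)

def round_div(a, b):
    """Nearest-integer division a/b (exact integer arithmetic)."""
    return (a + b // 2) // b

# With the full exponents, e^2*dp*dq = k*l*N + (small error term),
# so rounding recovers k*l exactly.
assert round_div(e * e * dp * dq, N) == k * l

# Now keep only the most significant bits: zero the bottom t bits of
# dp and dq. t = 40 is a conservative choice for these toy parameters.
t = 40
dp_msb = (dp >> t) << t
dq_msb = (dq >> t) << t
assert round_div(e * e * dp_msb * dq_msb, N) == k * l
print("recovered k*l =", k * l)
```

The key point is that the error term, roughly k·l·(p+q) plus the contribution of the discarded low bits, stays far below N/2 for these parameter sizes, so nearest-integer rounding is exact.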
So this lemma already tells us that if we are in this orange region, then we can compute the product K times L. Then we also showed that factoring K times L is very easy: you can split it into K and L in time log squared of N. Combining these two lemmas, we get the result on the right, which tells us that in this orange region we can efficiently compute K and L. So that's already the first step of our attack, where we started with this general system of polynomial equations and extracted only two of the unknowns, namely K and L. Let's move on to the second step, where we want to apply Coppersmith's method. I'll try to do this in a very black-box fashion, so that I don't have to go into the technical details of Coppersmith's method. For that, I'll try to phrase this as an instance of the approximate GCD problem. First, let me recall the definition. In the simplest form of this problem, you're given an integer N zero, which is of the form Q zero times S, and you're given an integer N one, which is very close to an integer of the form Q one times S, and you want to extract S. When Howgrave-Graham introduced this problem in 2001, he also gave some algorithms to solve it, and we need this algorithm here, which tells us: if S is sufficiently large, namely larger than N zero to the power of beta, where beta lies between zero and one, and N one approximates Q one times S sufficiently well, such that the difference is smaller than N zero to the power of beta squared, then you can compute S in polynomial time; it's just a standard application of Coppersmith's method. Now let's look at our attack scenario. We are given the modulus N, which we can write as Q times P, and we are also given the MSBs and the public exponent. And we have already seen on the previous slide that the product of E and the MSBs of DP gives us a good approximation of K times P.
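The splitting of K times L mentioned above can be sketched as follows. This is my own reconstruction, not necessarily the paper's exact algorithm: reducing the CRT equations modulo E gives k·p ≡ k−1 and l·q ≡ l−1 (mod e), so k·l·N ≡ (k−1)(l−1) (mod e), which determines k+l modulo e; since both k and l lie strictly between 0 and e, there are at most two candidates for k+l, and k, l are then roots of a quadratic:

```python
import math

# Toy sketch: splitting M = k*l into k and l, given only M, N and e.
# From e*dp = 1 + k*(p-1) and e*dq = 1 + l*(q-1) one gets
#   k*p ≡ k-1 (mod e)  and  l*q ≡ l-1 (mod e),
# hence k*l*N ≡ (k-1)*(l-1) (mod e), i.e. k+l ≡ M*(1-N)+1 (mod e).
# Since 0 < k, l < e, the sum k+l is one of two candidates, and k, l
# are the integer roots of x^2 - (k+l)*x + M.

p = 2**127 - 1   # toy parameters, as in the previous sketch
q = 2**89 - 1
N = p * q
e = 65537
dp = pow(e, -1, p - 1)
dq = pow(e, -1, q - 1)
k = (e * dp - 1) // (p - 1)
l = (e * dq - 1) // (q - 1)
M = k * l        # assumed known to the attacker (from the rounding step)

def split_candidates(M, N, e):
    """Return all (small, large) factor pairs of M consistent with
    the congruence k+l ≡ M*(1-N)+1 (mod e)."""
    s0 = (M * (1 - N) + 1) % e
    out = []
    for s in (s0, s0 + e):          # k+l < 2e, so two candidate sums
        disc = s * s - 4 * M
        if disc >= 0:
            r = math.isqrt(disc)
            if r * r == disc and (s - r) % 2 == 0:
                out.append(((s - r) // 2, (s + r) // 2))
    return out

assert tuple(sorted((k, l))) in split_candidates(M, N, e)
print("split candidates:", split_candidates(M, N, e))
```

Everything here is elementary integer arithmetic (one modular reduction and one integer square root), consistent with the claimed log-squared running time.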
Now, comparing our attack scenario with the approximate GCD problem, we see that our attack really is an approximate GCD problem, because we want to compute P, which takes here the role of S. So we could now try to apply Howgrave-Graham's theorem to our attack, and we would obtain some result. But we didn't do that, because we thought that the usual definition of the approximate GCD problem doesn't fully capture our attack: as seen on the previous slide, we can compute K very efficiently, so we can essentially consider K as also known. In contrast, in the usual approximate GCD problem, Q one is not known. So we modified the problem a bit and gave it a new name; we now call it the approximate GCD multiple problem. Here we additionally assume that we know Q one. And it turns out that this problem is much easier than the usual approximate GCD problem, because the theorem changes like this: the approximation of Q one times S by N one can be much looser, because you get an additional factor of Q one. So for very large Q one, this approximation can be super loose. Then we applied this theorem to our attack and obtained this corollary, which tells us that given K and the MSBs, with the MSBs larger than the fourth root of N divided by E, we can factor N in polynomial time. And here you already see this new surprising behavior: the larger E gets, the fewer bits of the CRT exponents we have to know. So, putting the two steps of our attack together, we now have these two results: the orange line, where we can efficiently compute K and L, and the blue line, where, given K, we can efficiently factor N. Putting this together, we obtain this blue area here, which tells us that in this region we can efficiently factor N. And this is exactly the picture from one of the first few slides where I first introduced our result. So that's our new attack, with this strange bump shape.
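To see concretely why knowing K helps, here is a toy sketch checking that, once k is known, e·dp_MSB/k already pins down p up to a small additive error, which reduces the problem to factoring with known high bits of p. The final lattice step (Coppersmith's method) is deliberately omitted; the parameters are the same illustrative toy values as before:

```python
# Toy sketch: with k known, e*dp_msb/k approximates the prime p, so
# the remaining task is factoring N given the high bits of p.
# (That last step uses Coppersmith's lattice method, not shown here.)

p = 2**127 - 1   # toy parameters
q = 2**89 - 1
N = p * q
e = 65537
dp = pow(e, -1, p - 1)
k = (e * dp - 1) // (p - 1)   # recovered in step one of the attack

t = 40                        # number of unknown least significant bits
dp_msb = (dp >> t) << t

# Exactly: p = (e*dp - 1)/k + 1, so replacing dp by dp_msb changes the
# result by at most about e*2^t/k.
p_approx = (e * dp_msb - 1) // k + 1
assert 0 <= p - p_approx <= (e << t) // k + 1
print("p and its approximation agree in the top bits")
```

The larger e is, the larger k tends to be, and the error bound e·2^t/k shrinks accordingly, which matches the corollary's behavior that a larger E tolerates fewer known bits.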
When we first saw this shape, we thought, okay, this looks kind of unnatural; why should one expect such a bump there? So we tried to speculate a bit about what the correct answer to this question could be. One could argue that it could look like this or like this, where you just extend one of the two components of this graph. But that is of course very unlikely, because if we touch the horizontal axis, then this means that RSA is completely insecure, since you can factor without knowing any bits. So this is probably not the correct answer. Then we thought, okay, maybe it looks like this, but that's probably also not the correct answer, because we could show the following: suppose the dashed line is correct; then there exists an efficient algorithm that factors N on input of only a third of the bits of P. When you first read this, maybe it doesn't seem so unlikely. However, for an N-bit modulus, such an attack would require only N over six bits, and in this research direction of partial key exposure attacks, that would be a major breakthrough, because all the best known attacks either require at least N over four bits, or they require keys that you would never find in practice, namely keys with very short secret exponents. So this is probably also not the correct answer, but unfortunately we also don't know a better answer. So maybe it's really the case that this bump shape is the correct answer. Okay, let's move on to the conclusion. All previously known partial key exposure attacks work better the smaller the parameters in RSA get. We introduced the first partial key exposure attack with a completely different behavior, which first works better the larger E gets, and after that again has the old behavior. And we have this strange point at N to the power of one over twelve, where our attack works best.
Before I end, I also want to give a takeaway. I think the most important technical takeaway from our paper is probably that you shouldn't apply Coppersmith's method directly to these systems of equations; a two-step approach like ours, where you first try to eliminate some variables, seems to be much more effective, because then you get much better results. Now I want to move on to the open problems. I think it's no longer so clear what size of E one should actually use in practice, if one is concerned with partial key exposure attacks. Does our result really tell us that E of size N to the power of one over twelve is the least secure choice? That's not so clear, and I think there should be some more research on that; I would be very happy to discuss this further, but I don't have enough time for that here. And one completely different open problem, which is probably also quite interesting: does the algorithm for the approximate GCD multiple problem, this new problem that we introduced, have any implications for the usual approximate GCD problem? If that were the case, it could be very important, because this would have implications for the security of fully homomorphic encryption over the integers, and probably even for LWE, because there's a reduction from AGCD to LWE. Thanks for listening.

Okay, thanks for the talk. Are there any questions? If you have questions, please go forward to the microphone and ask there, so everyone can hear. You mentioned earlier something about small Ds. Are small Ds ever used? No, I think they are never used, because there are even these extreme points where you can factor without any bits. This was already known in '89, and I think since then no one has wanted to use small Ds. And you said that N over four seems to be like a fundamental bound.
Is there any other evidence, other than that everything that is known kind of ends there? No, not really. I have one additional slide where we compare all these attacks, and the one over four somehow comes up in every one of them. It would be surprising if all these attacks, which look properly done, were for some reason not optimal and there were still much to improve. That's the only evidence. Okay, if there are no more questions, let's thank the speaker again and move on to our next talk.