Welcome to my talk, Partial Key Exposure Attack on Short Secret Exponent CRT-RSA. This is joint work with Alexander May and Santanu Sarkar, and my name is Julian Nowakowski. Before we dive into CRT-RSA, I would like to have a few words on just RSA. For that, let me quickly fix some notation. So as usual in RSA, we denote the public key by a tuple (N, E) and the private key by a tuple (N, D), and we call the two prime factors of N P and Q. Now what's very interesting about RSA is the fact that if you instantiate it with D significantly smaller than N, then the scheme becomes completely insecure. This was first shown by Wiener in 89 and then improved by Boneh-Durfee in 99. They showed if D is smaller than N to the power of 0.292, then you can break RSA in polynomial time. Now it's an interesting question to ask: what happens if I choose D which is just slightly above this bound of N to the power of 0.292? Well, then you can't show that RSA becomes completely insecure, but you can still show something very surprising, and that is this line of research here, starting with a result by Ernst, Jochemsz, May and de Weger from 2005 and then improved by Aono and by Takayasu and Kunihiro. They showed that actually whenever you use small D, meaning D smaller than N, then RSA admits so-called partial key exposure attacks. What are partial key exposure attacks? Well, this means that whenever you use too small a D, then you can break RSA in polynomial time, provided that you know a fraction of the bits of D. I guess this graph here explains these results best. So on the horizontal axis, we see how large D is in comparison to N, and on the vertical axis, we see how large a fraction of the bits of D you need to be able to break RSA in polynomial time. And now these results by Wiener and Boneh-Durfee show us if we are below this 0.292 bound, then you don't have to know any bits at all.
And then these partial key exposure attacks now nicely extend these results, as they show if you are just slightly above this bound, then you have to know a really small fraction of bits, and then the larger D gets, the more bits you have to know. Then finally, at this point on the right of this graph, where D is of the same size as N, these attacks show you that at this point, you really need to know all of the bits of D. This is quite a natural ending point for these attacks, because if you choose D properly, meaning choose D at random, then with overwhelming probability, D is of the same size as N. And at least we hope that for these properly chosen keys, RSA has no such weaknesses. Let's move on to CRT-RSA. So in CRT-RSA, the public key is exactly the same as in RSA, but the private key looks a bit different: instead of having just this one secret exponent D, we now have two shorter secret exponents called DP and DQ. Now we can of course ask the exact same question for CRT-RSA, and that is, does CRT-RSA also become insecure if we use it with short secret exponents? That would be if we use it with DP and DQ significantly smaller than the square root of N. Wiener already asked this in 89 as an open question, and it took actually quite some time until this question could be answered. Then in 2007, Jochemsz and May gave an affirmative answer to this question. Quite recently, this has been improved by Takayasu, Lu and Peng in 2017 and then again in 2019. And now we know that if DP and DQ are smaller than N to the power of 0.122, then you can break CRT-RSA in polynomial time. And now to our result: what we showed is basically the CRT-RSA counterpart for the result on the bottom left of this slide. We showed that also CRT-RSA with two short secret exponents admits partial key exposure attacks. Let's also take a quick look at the graph for our attack. Again, on the horizontal axis, we see how large the secret exponents are.
And on the vertical axis, we see how large a fraction of the secret exponents we need to be able to break now CRT-RSA in polynomial time. The previously known results show us if we are below this 0.122 bound, then we don't have to know any bits at all. And now our partial key exposure attack extends these results, and it shows if we are slightly above this bound, then we have to know a really small fraction, and then the larger the secret exponents get, the more bits we have to know. And as in RSA, we also reach here a very natural ending point. This is now where DP and DQ are of the same size as the square root of N, which again is the point which properly chosen keys have. Now the proof for our new attack basically consists of two steps. In the first step, we take another look at this TLP-19 result and we give a new proof for it. The advantage of our new proof is that it provides much more intuition than the original proof did. And then we use this intuition to generalize this TLP-19 result, and with this generalization, we then obtain our partial key exposure attack. So let's first take a look at this new simplified proof for TLP-19. This attack is based on Coppersmith's method, which is a famous algorithmic technique to solve problems of this kind here, problems which I like to call Coppersmith-type problems. So we are given a modulus M, some bounds X1 up to Xk, and a bunch of polynomials p1 up to pn in k variables, and these polynomials are defined modulo M. What you want to do is you want to find all the common roots of these polynomials modulo M, with the restriction that the absolute values of the components of these roots should be upper bounded by the bounds Xi. Now in general, these problems can be very hard, and in fact, you can even for some instances rule out the existence of polynomial time algorithms to solve these problems.
But what Coppersmith discovered is that if the bounds are sufficiently small, then these problems can become easy. What you should keep in mind is that the smaller these bounds are, the better you can solve these problems. Coppersmith suggests the following strategy to solve these problems. You first fix a parameter small m, which is polylogarithmic in this modulus M, then you define so-called shift polynomials. After that, you take your shift polynomials and plug in these bounds X1 up to Xk into these polynomials. Then you construct a triangular lattice basis matrix consisting of the coefficient vectors of these shift polynomials. Then we have this nice heuristic, which tells us if this enabling condition holds, then we can compute all these roots in polynomial time. And this enabling condition basically says that the determinant of this basis matrix has to be sufficiently small, namely its absolute value has to be roughly upper bounded by this capital M to the power of small m times the dimension of the lattice generated by V. So how can we apply Coppersmith's method in the cryptanalysis of CRT-RSA? Well, just by definition, we know that the product of E and DP has to be one plus a multiple of P minus one. Similarly, we know that the product of E and DQ has to be one plus a multiple of Q minus one. And what you can easily show is that if both DP and DQ are significantly smaller than the square root of N, then both K and L become kind of smallish. So if you use CRT-RSA with short secret exponents, then you know that there are two polynomial equations which have small unknowns, which means we may hope to compute these unknowns using Coppersmith's method. But if you could really do that, then we would of course break the security of CRT-RSA.
So this sounds quite promising, but you can't immediately apply Coppersmith's method here, because so far we have two equations defined over the integers, but what we actually want is polynomials modulo some integer. But that's not a huge problem. We just take these two equations modulo E, and then we obtain these two polynomials here, F and G, in three variables. And these both have the same root modulo E, and that is the root K, P and L minus one. The first polynomial comes directly from the first equation, and the second one comes from the second equation if you multiply it by P and then rearrange some terms. Actually, you can even learn a third polynomial; for that you have to rearrange terms again and then multiply these equations together in a clever way. Now we have this quite nice situation: we have three polynomials with a small common root modulo E. And if we could compute this root, then we would break the security of CRT-RSA with short secret exponents. Now, before we apply Coppersmith's method, I would like to have a few words on why we exactly chose these three polynomials. I mean, you could, of course, derive many different polynomials from these two CRT-RSA equations, but we think these three are actually the best that you can use, because in Coppersmith's method, you always want to satisfy these two rules of thumb. The first one being your polynomials should share as many monomials as possible. And the second is in every monomial, the degree of each variable should be as low as possible. We think that with respect to these two rules, our three polynomials are the best that you can obtain from the CRT-RSA equations. Let me visualize this a bit. First, let us write the polynomials more explicitly, so that in every monomial we write the exponent of every variable. Now, the key really for all of our attack is to think of these polynomials in some geometric way. What we want to do now is to think of these exponents in the monomials as vectors in three-dimensional space.
So this 0, 0, 0 monomial would be the 0, 0, 0 point in a three-dimensional space, this 1, 0, 0 would be the 1, 0, 0 point, and so on. Now, these three points, which we now see here in the three-dimensional space, are the monomials of F. What we say now is that the area enclosed by these monomials is the polynomial. So this area here is our polynomial F. Do the same thing for G, that's G, and again the same thing for H, and then H looks like this. Now let's take another look at our rules. The first one being that our polynomials should share as many monomials as possible. And if you take a look at this graphic, you see that these polynomials satisfy this quite well. We have six different monomials, but three of them, so half of them, actually appear in multiple polynomials. So that's nice. And the second rule, in every monomial the degree of each variable should be as low as possible, is also satisfied quite well, because you can see we have no monomial in which the degree of any variable is larger than one. In fact, in F and G, we even have this 0, 0, 0 monomial. So this looks quite promising, and therefore one may hope, if we now apply Coppersmith's method to these three polynomials, to obtain a quite good result. But unfortunately, if you now apply Coppersmith's method and then calculate the enabling condition, then you actually get a quite disappointing result, and that is this enabling condition here, which now tells you you can extract this root K, P, L minus 1 provided that dp and dq are smaller than N to the power of 0.25 times E to the power of minus 0.286. But here we are dealing with short secret exponent CRT-RSA. If the secret exponents are small, then necessarily the public exponent is large, and in fact, in practice, E would really be of the same size as N. But then this product here becomes smaller than one.
So this enabling condition now tells us you can extract this root if dp and dq are smaller than a number which itself is smaller than one, okay? And this means you can't extract the root. That's a bit strange, because with respect to these rules of thumb, we really did the best thing possible for CRT-RSA, but still we obtained such a bad result. So what did we do wrong? The thing is, so far we didn't use all the information that we have. The first one is that we know a multiple of one of the unknowns. We know N, and we know N is a multiple of the unknown p. And this knowledge is in no way reflected in Coppersmith's method. The second thing is, our polynomials have small coefficients, and it's known from previous Coppersmith-type results that if you have small coefficients in your polynomials, then you usually can exploit this in some way. And we also didn't do this so far. I would like to show you now that we can exploit this additional information to satisfy two more rules of thumb. Rule number three is, the total degree of the shift polynomials should be as low as possible. And the fourth rule being, the shift polynomials should have as few monomials as possible. Now, how can we satisfy these rules using our additional information? I would like to illustrate this with a small example. For that, let us take a look at the shift polynomial f to the power of i. This is a bivariate polynomial in xp and yp, and this polynomial has the root k and p. Now, the key is again to think of this polynomial geometrically. And if you would do the same things that we did on the previous slide, then you would find that this polynomial looks like a triangle of width and height i. Now, we want to use this information that we know a multiple of p. For that, we introduce a new variable, which we call yq. And now we multiply our shift polynomial by this new variable. And after that, we replace every term of the form yp times yq by N.
By that, we obtain a polynomial in three variables, xp, yp, yq. And what's not hard to see is that now this polynomial has the root k, p, and N over p, or stated differently, k, p, and q. What happens to the shape of the polynomial is very nice, and that is the following. If we now multiply our shift polynomial by yq to the power of i over two, and then replace these terms yp times yq by N, then it is as if we would move this triangle in this coordinate system to the left. And every point which moves through this xp axis disappears and then reappears in a new coordinate system, representing the variables xp and yq. And if we now take another look at our rule number three, then we find that we did a quite good job here, because we started with our polynomial f to the power of i, which as this graphic shows has a total degree of two times i. But our new polynomial, we can see, has only degree three over two times i. And therefore, we now satisfy rule number three better. Let's also do a similar thing for rule number four. For that, we want to use the fact that our polynomials have small coefficients. And what we want to do now is introduce one more variable, which we call xq. And then we want to replace every term of the form xp times yq by xq plus one times yq. By that we obtain a new polynomial in four variables, xp, xq, yp and yq. Now this has the root k, k minus one, p, q. And now because our polynomials have these small coefficients, lots of nice cancellation is going on between the monomials of our shift polynomials. And then the shape of our polynomial becomes this here. And this is, with respect to rule number four, very good, because we got rid of lots of monomials. We now have a new shift polynomial which has far fewer monomials than the polynomial which we started with, and therefore we satisfy rule number four better.
Now you would simply generalize these ideas, and then you would finally get a nice enabling condition that you can extract the root if dp and dq are smaller than N to the power of five over 56, which is roughly N to the power of 0.089. And then it's very easy to improve this and finally obtain this Takayasu, Lu and Peng result. For that, you do something which is, in terms of Coppersmith's method, just standard. You just have to include so-called extra shifts in the variables yp and yq, then parameterize them correctly, and then you are done and get this Takayasu, Lu and Peng result of N to the power of 0.122. Now that we have discussed our new proof for the TLP-19 attack, we can finally move on to our partial key exposure attack. For that, let's quickly summarize what we did so far. So in the TLP-19 attack, we started with the CRT-RSA equations and obtained from these equations three polynomials which have the root K, P, L minus one modulo E. Then applying Coppersmith's method directly to these polynomials unfortunately didn't give us a successful attack, but then we had this additional information that we know a multiple of one of the unknowns, and the fact that our polynomials have small coefficients. And then we incorporated this information using our geometric view on Coppersmith's method, and with that eventually obtained the TLP-19 result. Now in our partial key exposure attack, we assume that we know some bits of the CRT exponents. This additional knowledge gives us three additional polynomials, which we call F tilde, G tilde, H tilde, and these polynomials have the exact same root. The situation is exactly as in the TLP-19 attack. If we now apply Coppersmith's method directly to these polynomials, we unfortunately don't get a working attack. But as before, we have additional information which can help us to get a successful attack. But now we only have the additional information that we know a multiple of the unknown.
For our partial key exposure attack, we no longer have polynomials with small coefficients. In fact, the coefficients of these F tilde, G tilde, H tilde are very large. But nevertheless, we can still at least use the fact that we know a multiple of P, and then incorporate this again using our geometric idea, and with that, you already obtain a working partial key exposure attack, and its graph looks like this. What's nice about this attack is that we already reach this natural ending point of the square root of N, as you can see here on the right end of this graph. But what's a bit odd is the left end of this graph. Here we now reach a point of 0.083, and for every dp and dq which are above this point, we have to know some of the bits to be able to break CRT-RSA. But this of course goes against the TLP-19 result, which already showed us if we are below 0.122, then we don't have to know any bits at all. But it makes sense that we don't match the TLP bound so far, because remember, in TLP-19, we have this additional information that we have polynomials with small coefficients. In our partial key exposure attack, we no longer have this information, so it only makes sense that we get a worse bound. So the only thing that prevents us from reaching this 0.122 bound is the fact that we don't have polynomials with small coefficients. This means, on the other hand, if there was some way to include polynomials with small coefficients into our attack, then we would reach this 0.122 bound. And we came up with a strategy to include polynomials with small coefficients into our attack. And as before, the key here is to think of the whole thing geometrically. What we want to do now is to visualize geometrically the polynomials that are in the Takayasu, Lu and Peng basis matrix. You can't really draw them, because geometrically they would form a six-dimensional object, but still you can simply draw two-dimensional slices of them.
If you do this, then you would find exactly the pattern shown here on this slide. Now we do the exact same thing for our basis matrix, and then we would find a much simpler pattern, which is simply these squares here. Yeah, that we have this simpler pattern comes from the fact that we don't have the small coefficients. If we had them, then we could also use the pattern by Takayasu, Lu and Peng, but unfortunately we have large coefficients, and therefore we have to stick to these squares. But then what we found we can do is we can introduce one parameter sigma, and then use sigma to control the width of our squares, so to turn them into rectangles. This works even though we don't have the small coefficients. This wouldn't work with arbitrary polynomials, but due to special properties of our polynomials, this works in our partial key exposure attack. Then we found, well, if we now compare the Takayasu, Lu and Peng lattice basis matrix with our modified basis matrix, then we find these orange-colored rectangles in their basis matrix, which correspond to monomials which aren't already included in ours. Then we thought, okay, now we simply take the polynomials from the Takayasu, Lu and Peng basis matrix which add these monomials to the basis matrix, and also add them to ours. So we have a basis matrix consisting partly of our polynomials and partly of the Takayasu, Lu and Peng polynomials. So then we would find this combined lattice basis matrix, now parameterized by our sigma and by the tau from Takayasu, Lu and Peng. Now it's simply a matter of optimizing sigma and tau, and if you choose them properly, then you finally obtain our main result, and this is the partial key exposure attack shown in this graph. The red part is our first partial key exposure attack, and now, by incorporating these extra polynomials from Takayasu, Lu and Peng, we finally get this blue area in addition, which then finally matches this 0.122 point. So let me conclude my talk with a short summary.
So the first thing that we did was give a simplified proof for TLP-19 with more intuition than the original proof had. And then we used this intuition to obtain the first partial key exposure attack on short secret exponent CRT-RSA. And what we hope that you take away from this talk is that it can be very useful to approach Coppersmith's method with a geometric view, as it can provide deeper insights and lead to stronger results. I would like to end with an open question. So what's a bit strange about our attack so far is that it only works for exposed least significant bits. The partial key exposure attacks on RSA, so not CRT-RSA, just RSA, usually work for both exposed most significant bits and exposed least significant bits. We tried quite a few things to also make our attack work for exposed most significant bits, but it seems like the techniques that were used in these partial key exposure attacks on RSA don't translate to CRT-RSA. So it looks like here still some new techniques have to be invented to also obtain an MSB-type partial key exposure attack on CRT-RSA; that might be worth looking into. Thank you very much for listening and goodbye.
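As an added illustration (not part of the talk or the paper), the following checks on a constructed toy CRT-RSA instance that the polynomials f, g and h built from the two CRT-RSA equations share the root (k, p, l-1) modulo e, that they span six monomials of which three are shared, and that multiplying the shift polynomial f^i by yq^(i/2) and folding yp*yq into N drops its total degree from 2i to 3i/2 while keeping the root (k, p, q). The toy primes and exponents, the concrete form of h (one way of multiplying the two equations, chosen here), and all function names are assumptions.

```python
# Added example, not code from the talk or the paper: a toy CRT-RSA instance
# with short dp, dq (constructed, far too small to be secure) to check the
# polynomials f, g, h and the yp*yq -> N folding of a shift polynomial f^i.
# Polynomials are dicts mapping exponent tuples (xp, yp, yq, z) to integer
# coefficients, where z stands for the unknown l - 1.

P, Q = 1009, 1019         # toy primes (constructed)
N = P * Q
DP, DQ = 5, 7             # toy short CRT exponents (constructed)

def find_e(p, q, dp, dq):
    """Smallest odd e with e*dp = 1 mod (p-1) and e*dq = 1 mod (q-1)."""
    for e in range(3, (p - 1) * (q - 1), 2):
        if (e * dp) % (p - 1) == 1 and (e * dq) % (q - 1) == 1:
            return e
    raise ValueError("no valid e for these parameters")

E = find_e(P, Q, DP, DQ)
K = (E * DP - 1) // (P - 1)   # e*dp = 1 + k(p-1)
L = (E * DQ - 1) // (Q - 1)   # e*dq = 1 + l(q-1)

def pmul(a, b):
    # product of two polynomials in dict form, zero coefficients dropped
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            m = tuple(x + y for x, y in zip(ea, eb))
            out[m] = out.get(m, 0) + ca * cb
    return {m: c for m, c in out.items() if c}

def peval(a, xp, yp, yq, z):
    return sum(c * xp**i * yp**j * yq**k * z**l for (i, j, k, l), c in a.items())

def total_degree(a):
    return max(sum(m) for m in a)

def fold_n(a, n):
    """Replace every yp*yq by the known multiple n of p (the talk's trick)."""
    out = {}
    for (i, j, k, l), c in a.items():
        t = min(j, k)
        out[(i, j - t, k - t, l)] = out.get((i, j - t, k - t, l), 0) + c * n**t
    return {m: c for m, c in out.items() if c}

# f = xp*yp - xp + 1          root (xp, yp) = (k, p)    from e*dp = 1 + k(p-1)
# g = (z+1)(N - yp) + yp      root (yp, z) = (p, l-1)   from e*dq = 1 + l(q-1), times p
# h = xp*(z+1)*N - (xp-1)*z   root (xp, z) = (k, l-1)   from (e*dp-1+k)(e*dq-1+l) = k*l*N
F = {(1, 1, 0, 0): 1, (1, 0, 0, 0): -1, (0, 0, 0, 0): 1}
G = {(0, 0, 0, 1): N, (0, 1, 0, 1): -1, (0, 0, 0, 0): N}
H = {(1, 0, 0, 1): N - 1, (1, 0, 0, 0): N, (0, 0, 0, 1): 1}

def common_root_mod_e():
    """True iff f, g and h all vanish at (k, p, q, l-1) modulo e."""
    return all(peval(poly, K, P, Q, L - 1) % E == 0 for poly in (F, G, H))

def monomial_stats():
    # (distinct monomials across f, g, h; those occurring in more than one)
    counts = {}
    for m in [m for poly in (F, G, H) for m in poly]:
        counts[m] = counts.get(m, 0) + 1
    return len(counts), sum(c > 1 for c in counts.values())

def shifted_degrees(i):
    """Total degree of f^i and of f^i * yq^(i/2) after folding yp*yq -> N."""
    fi = {(0, 0, 0, 0): 1}
    for _ in range(i):
        fi = pmul(fi, F)
    shifted = fold_n(pmul(fi, {(0, 0, i // 2, 0): 1}), N)
    return total_degree(fi), total_degree(shifted)
```

The folded shift polynomial still vanishes at (k, p, q) modulo e, because p*q really equals N, so the substitution changes only the shape of the polynomial, not its value at the root.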