ISO 9796-1 and the new forgery strategy (Working Draft) Don Coppersmith

Shai Halevi

Charanjit Jutla

IBM August 23, 1999 Abstract In this note we show how the new forgery strategy of Coron, Naccache and Stern can be modified to break the ISO 9796-1 standard for RSA and Rabin digital signatures.

1

ISO 9796-1 and the attack of Coron et al.

ISO 9796-1 [4] is a standard for RSA (and Rabin) signatures [7, 6]. In particular, it was designed to resist attacks that exploit the multiplicative structure underlying these cryptosystem. See [5] for a survey of these attacks, and [3] for the reasoning behind the ISO 9796-1 standard. Recently, Coron, Naccache and Stern described in [1] a “new signature forgery strategy”, which is a sophisticated variant of the Desmedt-Odlyzko multiplicative attack from [2]. In their paper, Coron et al. described an attack against a slight modification of ISO 9796-1, but this attack does not work “right out of the box” against the actual standard. In this note we show how a small modification to the technique in [1] can be applied to break the actual ISO 9796-1 standard. We start by quickly reviewing the format that was considered by Coron et al. and the attack against it, as well as the actual format used in ISO 9796-1.

1.1 The “new forgery strategy” The ISO 9796-1 standard (and the variant the was considered by Coron at al.) specifies how a message m is encoded for a signature before applying the RSA operation to it. It uses a fixed nonlinear permutation s(x) mapping 4 bits to 4 bits. Below we let s(x) be the result of setting the most significant bit of s(x) to ‘1’ (where x is a 4-bit nibble). That is, s(x) = 1000 OR s(x). The variant that was considered in [1] is as follows: Assume that the modulus length is 16z + 1 bit (where z is even), and the message m is of length 8z bits. The message is encoded into a 16z -bit integer by using an encoding function , which is defined as

(m) = s(m`;1 ) s(m`;2) m`;1 m`;2 s(m`;3 ) s(m`;4) m`;3 m`;4 1

s(m3) s(m2) m3 m2 s(m1) s(m0) m0 6 where mi is the i’th 4-bit nibble of m. To sign a message m, one needs to apply the RSA operation to (m). The Coron et al. attack against this signature scheme proceeds roughly as follows. They consider 64-bit strings x of the form

x = s(a6) s(a5) a6 a5 s(a4) s(a3) a4 a3 s(a2) s(a1) a2 a1 2 2 6 6 where a6 : : :a1 are any six nibbles, except that a6 must be one of the eight nibbles for which s(a6) already has the most significant bit set to 1. Since x is short (only 64 bits), then there is a good probability that it will be smooth (i.e., will have only “small” prime factors – say all smaller than 216). Then they set z=X 2;1 ;= 264i i=0 and consider the 16z -bit integers M = ; x, which is just z=2 repetitions of the string x. Since x has the most significant bit set to 1 (because of the restriction on a6 ) and the least significant nibble set to ’6’, then M is indeed a valid encoding of some message m. Namely, there exists a message m (which can be easily recovered from M ) such that (m) = M . The procedure above is repeated many times, with different x’es, so as to generate many valid encodings Mi = ; xi for which xi is smooth. For example, if the smoothness bound that is considered is 216 , then the attack needs to collect about 6500 such Mi ’s, since there are about 6500 primes smaller than 216 . Once enough Mi ’s are collected, one can find “homomorphic dependencies” between these Mi ’s, and use these dependencies to devise a signature on one of these Mi ’s from the signatures on the others. See [1] for more details on the attack. Remark (off-line work). An interesting feature of the attack from [1], is that essentially all the work is invested in finding the Mi ’s, and this work can be done off-line, before even seeing the RSA modulus. Once enough Mi ’s are collected, they can be used against any RSA modulus of the right length. The attack that we describe in this note enjoys the same feature. In the sequel we refer to the Mi ’s that are found in the off-line phase of the attack as “would be forgeries”.

1.2 The “real” ISO 9796-1 standard The actual encoding function that is used in the ISO 9796-1 standard is slightly different than the function  above. For the same setting of parameters (i.e., modulus of 16z + 1 bits and 8z -bit messages), the encoding function – denoted ISO – is defined as follows:

ISO (m) = s(m`;1) s~(m`;2) m`;1 m`;2 s(m`;3) s(m`;4) m`;3 m`;4 2

s(m3) s(m2) m3 m2 s(m1) s(m0) m0 6 where s~(x) denotes the nibble s(x) with the least significant bit flipped (i.e., s~(x) = s(x)  1, where  denotes exclusive-or). Namely, for these parameters, the difference between (m) and ISO (m) is that the lowest bit in the second-most-significant nibble of ISO (m) is flipped. As before, to sign a message m, one needs to apply the RSA operation to ISO (m). One can see that now we cannot simply represent the encoding ISO (m) as a product ; x with ; x as above. Hence the attack must be modified to apply to this encoding function.

2

Modifying the attack

The modified attack is similar to the one from [1], except that it uses a slightly different structure for ; and x. In the original attack, the constant ; consisted of several 1’s that were separated by as many 0’s as there are bits in x. In the modified attack, we again have a constant ; which consists of a few 1’s separated by many 0’s, but this time there are fewer separating 0’s. We start with an example. Consider a 64-bit integer x, which is represented as four 16-bit words x = abcd (so a is the most-significant word of x, b is the second-most-significant, etc.). Also, consider the 144-bit constant ; = 100010001, where again each digit represent a 16-bit word. Now consider what happens when we multiply ; x. We have

; x=

a b c d 1 0 0 1 0 0 1 a b c d a b c d a b c d a b c e b c e b c d

where e = a + d (assuming that no carry is generated in the addition a + d). Notice that the 16-bit d appears only as the least-significant word of the result, and the 16-bit a appears only as the most-significant word of the result. It is therefore possible to arrange it so that the form of the words a d be different than the form of the words b c and e, and this could match the different forms of the least- and most-significant words in the encoded message ISO (m). More precisely, we consider three types of 16-bit words. For a 16-bit word x, we say that:   

x is a valid low word if it has the form x = s(u) s(v) v 6, for some two nibbles u v. x is a valid middle word if it has the form x = s(u) s(v) u v, for some two nibbles u v. x is a valid high word if it has the form x = s(u) s~(v) u v, for some two nibbles u v.

We note that there are exactly 256 valid low words, 256 valid middle words, and 256 valid high words (since in each case we can arbitrarily choose the nibbles u v ). In the example above, we needed a to be a valid high word, d to be a valid low word, b and c to be valid middle words, and we also needed e = a + d to be a valid middle word. In Appendix A 3

we list useful combinations of valid words for which the sum is also a valid word. We note the following: 







There are 64 pairs x y such that x is a valid high word, y is a valid low word, and z = x + y is a valid middle word (this is what we needed for the example above). We call such a pair (x y) a high-low pair. There are 84 pairs x y such that x is a valid high word, y is a valid middle word, and z = x + y is a valid middle word. We call such a pair (x y) a high-mid pair. There are 150 pairs x y such that x is a valid middle word, y is a valid low word, and z = x + y is a valid middle word. We call such a pair (x y) a mid-low pair. There are 468 pairs x y such that x is a valid middle word, y is a valid middle word, and z = x + y is also a valid middle word. We call such a pair (x y) a mid-mid pair.

We are now ready to present the attack. For clarity of presentation we start by presenting the attack for the special cases where the modulus size is 1024+1 bits and 2048+1 bits. We later describe the general case.

2.1 Moduli of size 1024+1 bits When the modulus size is k = 1025 bits, we need to encode the messages as 1024-bit integers with the high bit set to 1. The attack proceeds similarly to the example from above: We consider 64-bit integers x = abcd, where a is a valid high-word, d is a valid low-word, and b c and e = a + d are valid middle words. There are 64 choices for the high-low pair (a d) and 256 choices for each of b c, so there are total of 222 x’es of the right form. We then set

;1024 = This gives us

20 X

i=0

248i =

1| 001 001 {z: : : 001 216}

1 followed by 20 repetitions of 001 (base 216 )

M = ;1024 x = a bce bce{z: : : bce} bcd | 20 repetitions

which is a valid encoding of some message M = ISO (m), because of the way x was chosen. If we set the smoothness bound of the attack to B = 216, then the 64-bit integer x has probability of about 2;7:7 to be B -smooth, so we expect that there are about 222 2;7:7  20000 x’es of the right form which are B -smooth. Since there are only about 6500 primes smaller than 216 , we have more than enough smooth x’es to get the “homomorphic dependencies” that are needed for the attack. The above attack has essentially the same complexity as the one that is described by Coron et al. in [1, Section 4.1] (since it uses 64-bit integers x, just as it is done in the original attack). In it reported in [1] that for smoothness bound of about 215 , a single PC can prepare thousands of “would be forgeries” in less than a day. Recall also that this work is all done off-line, and then these “would-be forgeries” can be used against any RSA modulus of 1024+1 bits. After the off-line work is done, the attack needs to collect about 3000 signatures, and then the actual forgeries can be generated instantly. 4

2.2 Moduli of size 2048+1 bits When the modulus size is k = 2049 bits, we need to encode the messages as 2048-bit integers with the high bit set to 1. Here we need to modify the attack a little, by changing the length of x and the amount of “overlap” that is used in the product ; x. Specifically, we can work with 128-bit x’es, x = abcdefgh, where a is a valid high-word, h is a valid low-word, and b c d e f g and also i = a + g and j = b + h are valid middle-words. This gives us 84 choices for the high-mid pair (a g), 150 choices for the mid-low pair (b h) and 256 choices for each of c d e f , so we have total of more than 245 choices for x. We set

;2048 = and so we get

20 X

i=0

296i = 1 000001 :{z: : 000001} 216 | 20 repetitions

M = ;2048 x = ab cdefij :{z: : cdefij} cdefgh | 20 repetitions

which is again a valid encoding. Since x is a 128-bit integer, the probability that it is, say, 220smooth is about 2;17:4 . So we expect there to be about 245 2;17:4  228 x’es of the right form which are 220 -smooth, and we only need about 82000  216 of them to get the “homomorphic dependencies” (since there are about 82000 primes smaller than 220 ). Using the estimates from [1, Section 2], the complexity offinding p a B -smooth, L-bit integer L x during the off-line phase of this attack is about CLB = O (L= logB2 B) . In our case we have L = 128 B = 220 so we get CLB  235. In the off-line phase of the attack we need to find about 82000 smooth x’es to get “homomorphic dependencies”, and then each additional smooth x would give us another “would be forgery”. Hence we estimate that the complexity of the off-line phase is about 251 to get the first “would be forgery”, and then 235 for each additional one. This is still well below the complexity of, say, an exhaustive DES key search (and just as for DES key search, this work can be done off-line and is easily parallelizable). Once the off-line phase is over, the list of “would be forgeries” can be used against any RSA modulus of 2048+1 bits. The attack needs to collect about 82000 signatures, and then the forgeries can be produced almost instantly.

2.3 The general case For a modulus whose size if 16z +1 bits (for an even z ), we need to encode the messages as 16z -bit integers, which means that the encodings should have z 16-bit words. We write the integer z as z =  m +  , where   m are all integers with    1 and m  2. For reasons that will soon become clear, we try to get  +  as small as possible, while making sure that  ;  is at least 2 or 3. The attack then works with integers x of  +  16-bit words (which is why we want to minimize  +  ), and use “overlap” of  words in the product ; x. If we denote  =  +  , then we have x = a : : : a1, where a is a valid high-word, a1 is a valid low-word, and the other ai’s are valid middle words (and we also need some of the sums to be valid middle words). We then set mX ;1 ;16z = 216i = 1 0| :: 0 1 0 :: 0{z1 : : : 0 :: 0 1} i=0 m;1 repetitions of 0::01 (;1 0 s followed by 1) 0

5

When we multiply ;16z

;16z x =

x we get

a :: a+1 a :: a :: a1 ::: 0 1 0 :: 0 1 0 :: 0 1 a :: a+1 a :: a :: a1 a :: a+1 a :: a :: a1 : : : a :: a1 hence we also need the sums (a + a ) : : : (a+2 + a2 ) (a+1 + a1) to be valid middle words. If  = 1 (as in the case of 1025-bit moduli above), we have 64 choices for the high-low pair (a  a1) and 256 choices for each of the other ai’s, so we get total of 64 256;1 choices for x. If  2 (as in the case of 2049-bit moduli above), we have 84 choices for the high-mid pair (a  a ), 150 choices for the mid-low pair (a+1 a1), 468 choices for each of the mid-mid pairs (a;1 a;1) : : : (a+2 a2). Thus the total number of choices for x is 84 150 468;2 256; . (This is the reason that we want   to be at least 2 or 3.) For the attack to be successful, we should set the parameters   so that there are enough smooth x’es to guarantee the “homomorphic 

;

dependencies” that we need. As another example for the general case, consider moduli of 768+1 bits. We need to encode the messages as integers of 768 bits, or 768=16 = 48 words. We can write 48 = 5 9 + 3, so we have  = 5  = 3. Hence we work with x’es of 5 + 3 = 8 words (128 bits) and use an overlap of 3 words. For this case we have 84 150 468 2562 > 238 choices for x. If pick the smoothness bound to be 220, then the probability that x be smooth is about 2;17:4 , so we expect there to be about 221 smooth x’es, and we only need about 82000  216 of them to get the “homomorphic dependencies”, since there are about 82000 primes smaller than 220 . The complexity of this attack is the same as for the (2048 + 1)-bit moduli.

2.4 Possible extensions The attack that we described above was intended to works against moduli of size 16z +1 bits for an even integer z , but there are a few straightforward ways to extend the attack to handle other moduli sizes. For example, for a modulus of size 16z -bits (with z even), we should encode messages as integers with 16z ; 1 bits, which we can view as z -word integers with the highest bit set to 0 and the second-highest bit set to 1. To handle these integers, we re-define a valid high-word as a 16-bit word of the form x = s^(u) s~(v ) u v , for some two nibbles u v , where s^(u) is the nibble s(u) with the highest bit set to 0 and the second-highest bit set to 1. Although we did not check this, we suspect that the modified definition of a valid high-word will not significantly change the number of high-low and high-mid pairs, so the complexity of an attack against 16z -bit moduli should be roughly the same as that of an attack against moduli of 16z + 1 bits. Another extension of the attack is to consider also the cases where there are some carry bits between the nibbles in the computation of ; x. For example, for the case of   2 (see Section 2.3) we can have carry bits between the “overlap” words in the multiplication without effecting the attack. We estimate that considering these carry bits can increase the number of possible x’es by about a factor of 2 ;1 (since we can have x’s that cause any pattern of carry bits inside a string of length  nibbles). Yet another plausible extension is to handle the case where not only the first and last words of the encoding have different formats, but also one other word in the middle. This is the case, for 6

example, when we encode a message m of length less than half the size of the modulus. In that case, the form of the highest word would be x = s(u) s(v ) u v , the form of the lowest word would be x = s(u) s(v ) v 6, and there would be one other word somewhere in the middle of the form x = s(u) s~(v) u v. In this case we may be able to modify ; a little, so that the spacing of the 1’s is not equal everywhere. For example, if we have x = abcd and ; = 10010001, we get

; x=

a 1 0 0 1 0 a a b c d a b c d a b c e b c d a

b c d 0 0 1 b c d b c d

Now notice that the word e only appears once in the middle, and so we can arrange it so that it would have a different form than the other words. This technique can potentially be used to find more forgeries, or to reduce the complexity of the attack against certain moduli-lengths.

3

Conclusions

In this note we demonstrated that the ISO 9796-1 standard can be broken using a variant of the Coron, Naccache and Stern attack from [1]. The estimated complexity of the new attack depends heavily on the modulus length: for some lengths (e.g., 1024+1 bits) the attack can be easily carried out on a single PC in less than a day, while for other lengths (e.g., 2048+1 bits) it has nearly the same complexity as an exhaustive search for a DES key. Still, we stress that the attack is feasible against all the moduli lengths that we considered. We also sketched a few ways in which this attack can be generalized to work against other moduli lengths. In light of this break, we believe that the standard needs to be modified. In our view, the first step that should be taken is to re-examine the need for this mode of “hash-free encoding” for signatures. An obvious disadvantage of this mode is that it gives an attacker quite a bit of control over the encoded messages. Since the encoding rule is usually very “local” (i.e., each bit of m effects only very few bits of (m)), an attacker has an ample opportunity to play with m in order to arrange that (m) has some desired properties. Moreover, as opposed to the “full domain hash” that can be analyzed (and proven secure) in the random-oracle model, there seems to be no hope of getting similar results in the “hash free” case. If it is decided to keep this “hash free” mode, we describe in Appendix B some possible modifications that can be made to the encoding function. In particular, we suggest to consider encodings with “massive mask changes”, such as the functions 2 and 3 from Subsection B.1. (Similar encodings were also suggested in [8].) These functions stay close to the original intent of ISO 9796-1, but at the same time they seem resistant to multiplicative attacks such as the ones in [1] and in this note. Acknowledgments. We thank Mike Matyas for encouraging us to work on these new attacks and for several useful discussions. We also thank David Naccache for bringing the note [8] to our attention. 7

References [1] Jean-S´ebastien Coron, David Naccache and Julien P. Stern. On the Security ofRSA Padding In proceedings of Crypto’99. LNCS vol. 1666, pages 1–18, Springer, 1999. [2] Y. Desment and A.Odlyzko. A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes. In Crypto’85, LNCS vol. 218, pp. 516-522. Springer-Verlag, 1986. [3] L.C. Guillou and J.-J. Quisquater. Precautions Taken Against Various Potential Attacks in ISO/IEC DIS 9796”. In EUROCRYPT’90, LNCS vol. 473, Pages 465–473. Springer-Verlag, 1990. [4] ISO/IEC 9796-1, Information technology – Security techniques – Digital signature schemes giving message recovery – Part 1: Mechanisms using redundancy. [5] J.F. Misarsky. How (not) to design RSA signature schemes. In PKC’98, LNCS vol. 1431, pp. 14-28. Springer-Verlag, 1998. [6] M.O. Rabin. Digitized Signatures and public key functions as intractable as factoring. MIT/LCS/TR-212, 1979. [7] R. Rivest, A. Shamir and L. Adelman. A Method for Obtaining Digital Signature and Public Key Cryptosystems. Comm. of ACM, 21 (1978), pp. 120–126 [8] SC27N23xx: Report of the Ad-Hoc meeting on 9796 held at Gemplus, Paris, on May-141999.

8

A

Useful pairs for the attack

Here we list all the various types of pairs (x y ) of 16-bit words that we use in our attack (together with their sum, z = x + y ). All the constants in the tables below are in hexadecimal (base-16) representation. Table 1: High-Low pairs

x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z=

8f 30 0316 9246 a4d2 4ba6 f 078 95f 5 6086 f 67b a1d8 1ad6 bcae a66c 1f 76 c5e2 803f 5456 d495

af 60 4316 f 276 94f 2 3ba6 d098 d326 2456 f 77c cc59 2526 f 17f 96fc 4e06 e502 904f 2456 b4a5

8f 80 4316 d296 d923 2456 fd79 9346 4456 d79c 8c89 2526 b1af bb1d 2ce6 e803 808f 4456 c4e5

bfa0 2266 e206 9943 4456 dd99 8386 2456 a7dc ba1a 4456 fe70 8b3d 1d96 a8d3 c0ef 2316 e405

afd0 1316 c2e6 8983 2456 add9 93f 6 5316 e70c 8a3a 5456 de90 9b4d 2d96 c8e3

b211 0d96 bfa7 99f 3 5316 ed09 ae67 3ba6 ea0d 9a4a 2456 bea0 8b8d 6ce6 f 873

9

d221 1ce6 ef 07 8834 1316 9b4a aed7 4ba6 fa7d 8a8a 4456 cee0 bbad 1ce6 d893

9241 1d96 afd7 a864 5316 fb7a 9ef 7 3ba6 da9d caea 2316 ee00 9bfd 2ce6 c8e3

c251 0d96 cfe7 8884 5316 db9a 8138 2ba6 acde c75b 1ba6 e301 cd5e 1ba6 e904

d291 2ce6 ff 77 b8a4 3266 eb0a 8138 6ad6 ec0e c7eb 0ba6 d391 cdee 0ba6 d994

92f 1 1ce6 afd7 a8d4 2316 cbea 9148 3ba6 ccee 97fb 1ba6 b3a1 9dfe 1ba6 b9a4

a462 3ba6 e008 8585 6086 e60b b1a8 4ad6 fc7e b61c 1f 76 d592 b01f 4456 f 475

Table 2: High-Mid pairs

x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z=

bfa0 2e60 ee00 bfa0 2266 e206 bfa0 276c e70c 9442 4552 d994 b5a5 2e60 e405 8386 3b1a bea0 b7ab 2e60 e60b

bfa0 1ef 0 de90 bfa0 12f 6 d296 bfa0 17fc d79c 9442 2562 b9a4 b5a5 1ef 0 d495 8386 4b5a cee0 b7ab 1ef 0 d69b

bfa0 2361 e301 bfa0 2f 67 ef 07 bfa0 2a6d ea0d 9442 465b da9d b5a5 2b6a e10f 8386 311f b4a5 b7ab 2964 e10f

bfa0 13f 1 d391 bfa0 1ff 7 df 97 bfa0 1afd da9d 9442 266b baad b5a5 1bfa d19f 8386 415f c4e5 b7ab 19f 4 d19f

bfa0 2562 e502 bfa0 2068 e008 bfa0 2c6e ec0e b9a3 2e60 e803 b316 4b5a fe70 b3a6 2e60 e206 bbad 2e60 ea0d

bfa0 15f 2 d592 bfa0 10f 8 d098 bfa0 1cfe dc9e b9a3 1ef 0 d893 b316 0b8a bea0 b3a6 1ef 0 d296 bbad 1ef 0 da9d

10

bfa0 2863 e803 bfa0 2d69 ed09 bfa0 216f e10f b9a3 2863 e206 b316 415f f 475 b3a6 2d69 e10f bbad 2562 e10f

bfa0 18f 3 d893 bfa0 1df 9 dd99 bfa0 11ff d19f b9a3 18f 3 d296 b316 018f b4a5 b3a6 1df 9 d19f bbad 15f 2 d19f

bfa0 2964 e904 bfa0 2b6a eb0a 9241 4351 d592 b9a3 2d69 e70c c356 3b1a fe70 b1a8 2e60 e008 bdae 2e60 ec0e

bfa0 19f 4 d994 bfa0 1bfa db9a 9241 2361 b5a2 b9a3 1df 9 d79c c356 0b8a cee0 b1a8 1ef 0 d098 bdae 1ef 0 dc9e

bfa0 2465 e405 bfa0 266b e60b 9241 4a5d dc9e b9a3 276c e10f c356 311f f 475 b1a8 2f 67 e10f bdae 2361 e10f

bfa0 14f 5 d495 bfa0 16fb d69b 9241 2a6d bcae b9a3 17fc d19f c356 018f c4e5 b1a8 1ff 7 d19f bdae 13f 1 d19f

Table 3: Mid-Low pairs

x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z=

5e20 9456 f 276 8532 1ba6 a0d8 4853 b526 fd79 2964 5266 7bca 4455 51f 6 964b 62b6 4526 a7dc bfa7 3ad6 fa7d 0d89 9456 a1df 361b ace6 e301 873c 0e06 9542 8a3d 0e06 9843 5c2e 1d96 79c4 018f b316 b4a5

9e40 3456 d296 8532 5ad6 e008 0883 b526 bda9 2964 21f 6 4b5a 2465 5266 76cb 62b6 8456 e70c 7fc7 5ad6 da9d 1df 9 c316 e10f 562b 1d96 73c1 276c ce06 f 572 2a6d ce06 f 873 8c3e 1d96 a9d4 d19f 1266 e405

4e50 6456 b2a6 9542 2ba6 c0e8 68b3 4526 add9 0984 c266 cbea 2465 21f 6 465b 72c6 5526 c7ec afd7 0ad6 baad 3b1a 5316 8e30 863b 1d96 a3d1 276c bd96 e502 2a6d bd96 e803 9c4e 2d96 c9e4 61bf 4316 a4d5

2e60 3456 62b6 4552 0ad6 5028 68b3 8456 ed09 0984 f 1f 6 fb7a 0485 c266 c6eb 12f 6 8456 974c 1ff 7 5ad6 7acd 5b2a 4316 9e40 964b 2d96 c3e1 078c ce06 d592 0a8d ce06 d893 4c5e 4ce6 9944 71cf 5316 c4e5

0e80 9456 a2d6 2562 5ad6 8038 78c3 5526 cde9 b9a4 21f 6 db9a 0485 f 1f 6 f 67b 3f 17 2ba6 6abd 2068 cba6 ec0e 4b5a b316 fe70 465b 4ce6 9341 078c 4d96 5522 0a8d 4d96 5823 2c6e 1ce6 4954 71cf 1266 8435

1ef 0 c316 e206 0582 3ad6 4058 18f 3 8456 9d49 69b4 51f 6 bbaa b4a5 21f 6 d69b 5f 27 1ba6 7acd 0088 5ba6 5c2e 0b8a b316 bea0 266b 1ce6 4351 67bc 0e06 75c2 6abd 0e06 78c3 0c8e ece6 f 974 11ff 1266 2465

11

2361 cba6 ef 07 b5a2 3ad6 f 078 3914 c266 fb7a 19f 4 b1f 6 cbea 64b5 51f 6 b6ab 8f 37 1ba6 aadd a0d8 5ba6 fc7e db9a 1266 ee00 068b ece6 f 371 77cc 2e06 a5d2 7acd 2e06 a8d3 bcae 1ce6 d994

0381 5ba6 5f 27 75c2 5ad6 d098 3914 b1f 6 eb0a 3415 c266 f 67b 14f 5 b1f 6 c6eb 8f 37 5ad6 ea0d 10f 8 cba6 dc9e 6bba 4316 aed0 b6ab 1ce6 d391 a7dc 1e06 c5e2 aadd 1e06 c8e3 6cbe 4ce6 b9a4

a3d1 5ba6 ff 77 a5d2 0ad6 b0a8 8934 5266 db9a 3415 b1f 6 e60b 3216 5526 873c 9f 47 2ba6 caed 5d29 9456 f 17f 7bca 5316 cee0 66bb 4ce6 b3a1 a7dc 4d96 f 572 aadd 4d96 f 873 1cfe ace6 c9e4

13f 1 cba6 df 97 15f 2 5ad6 70c8 9944 2266 bbaa 8435 5266 d69b 5226 4526 974c 4f 57 0ad6 5a2d 9d49 3456 d19f 7bca 1266 8e30 16fb ace6 c3e1 17fc bd96 d592 1afd bd96 d893 311f 5316 8435

3512 2ba6 60b8 3813 5526 8d39 4954 2266 6bba 9445 2266 b6ab 4256 b526 f 77c 2f 67 5ad6 8a3d 4d59 6456 b1af 1bfa 1266 2e60 371c 1e06 5522 3a1d 1e06 5823 3c1e 2d96 69b4 512f 4316 9445

5522 1ba6 70c8 5823 4526 9d49 4954 51f 6 9b4a 4455 2266 66bb 0286 b526 b7ac 0f 87 3ad6 4a5d 2d69 3456 61bf 361b 2d96 63b1 572c 2e06 8532 5a2d 2e06 8833 3c1e ace6 e904 415f b316 f 475

Table 4: Mid-Mid pairs (Part 1)

x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z=

3311 5522 8833 4351 9542 d893 3512 5321 8833 4552 9341 d893 3914 5425 8d39 5924 3a1d 9341 9944 4455 dd99 4954 8a3d d391 0984 5a2d 63b1 3415 5924 8d39 4455 9944 dd99 3216 5924 8b3a 4256 9944 db9a

3311 75c2 a8d3 4351 2562 68b3 3512 73c1 a8d3 4552 2361 68b3 3914 74c5 add9 5924 9a4d f 371 9944 2465 bda9 4954 2a6d 73c1 0984 9a4d a3d1 3415 79c4 add9 4455 2964 6db9 3216 79c4 abda 4256 2964 6bba

3311 572c 8a3d 4351 974c da9d 3512 572c 8c3e 4552 974c dc9e 3914 5226 8b3a 5924 0a8d 63b1 9944 4256 db9a 4954 8c3e d592 0984 5c2e 65b2 3415 5226 863b 4455 9246 d69b 3216 5425 863b 4256 9445 d69b

3311 77cc aadd 4351 276c 6abd 3512 77cc acde 4552 276c 6cbe 3914 72c6 abda 5924 6abd c3e1 9944 2266 bbaa 4954 2c6e 75c2 0984 9c4e a5d2 3415 72c6 a6db 4455 2266 66bb 3216 74c5 a6db 4256 2465 66bb

5321 3512 8833 2361 9542 b8a3 5522 3311 8833 2562 9341 b8a3 3914 5a2d 9341 5924 3c1e 9542 9944 5a2d f 371 2964 9445 bda9 69b4 3a1d a3d1 5425 3914 8d39 2465 9944 bda9 5226 3914 8b3a 2266 9944 bbaa

5321 75c2 c8e3 2361 4552 68b3 5522 73c1 c8e3 2562 4351 68b3 3914 6abd a3d1 5924 9c4e f 572 9944 0a8d a3d1 2964 4455 6db9 69b4 5a2d c3e1 5425 79c4 cde9 2465 4954 6db9 5226 79c4 cbea 2266 4954 6bba

12

5321 371c 8a3d 2361 974c baad 5522 371c 8c3e 2562 974c bcae 3914 5c2e 9542 5924 0c8e 65b2 9944 5c2e f 572 2964 9246 bbaa 69b4 3c1e a5d2 5425 3216 863b 2465 9246 b6ab 5226 3415 863b 2266 9445 b6ab

5321 77cc caed 2361 475c 6abd 5522 77cc ccee 2562 475c 6cbe 3914 6cbe a5d2 5924 6cbe c5e2 9944 0c8e a5d2 2964 4256 6bba 69b4 5c2e c5e2 5425 72c6 c6eb 2465 4256 66bb 5226 74c5 c6eb 2266 4455 66bb

9341 4552 d893 73c1 3512 a8d3 9542 4351 d893 75c2 3311 a8d3 5924 3415 8d39 8934 4a5d d391 4954 9445 dd99 2964 8a3d b3a1 79c4 3415 add9 9445 4954 dd99 74c5 3914 add9 9246 4954 db9a 72c6 3914 abda

9341 2562 b8a3 73c1 5522 c8e3 9542 2361 b8a3 75c2 5321 c8e3 5924 74c5 cde9 8934 2a6d b3a1 4954 2465 6db9 2964 4a5d 73c1 79c4 5425 cde9 9445 2964 bda9 74c5 5924 cde9 9246 2964 bbaa 72c6 5924 cbea

9341 475c da9d 73c1 371c aadd 9542 475c dc9e 75c2 371c acde 5924 3216 8b3a 8934 4c5e d592 4954 9246 db9a 2964 8c3e b5a2 79c4 3216 abda 9445 4256 d69b 74c5 3216 a6db 9246 4455 d69b 72c6 3415 a6db

9341 276c baad 73c1 572c caed 9542 276c bcae 75c2 572c ccee 5924 72c6 cbea 8934 2c6e b5a2 4954 2266 6bba 2964 4c5e 75c2 79c4 5226 cbea 9445 2266 b6ab 74c5 5226 c6eb 9246 2465 b6ab 72c6 5425 c6eb

Table 4: Mid-Mid pairs (Part 2)

x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z=

3f 17 562b 9542 8f 37 465b d592 2f 67 863b b5a2 3d19 5b2a 9843 8d39 4b5a d893 2d69 8b3a b8a3 3b1a 5d29 9843 8b3a 4d59 d893 2b6a 8d39 b8a3 361b 5f 27 9542 863b 4f 57 d592 266b 8f 37 b5a2 371c 5321 8a3d

3f 17 66bb a5d2 8f 37 266b b5a2 2f 67 465b 75c2 3d19 6bba a8d3 8d39 2b6a b8a3 2d69 4b5a 78c3 3b1a 6db9 a8d3 8b3a 2d69 b8a3 2b6a 4d59 78c3 361b 6fb7 a5d2 863b 2f 67 b5a2 266b 4f 57 75c2 371c 73c1 aadd

3f 17 5a2d 9944 8f 37 4a5d d994 2f 67 8a3d b9a4 3d19 572c 9445 8d39 475c d495 2d69 873c b4a5 3b1a 572c 9246 8b3a 475c d296 2b6a 873c b2a6 361b 5a2d 9048 863b 4a5d d098 266b 8a3d b0a8 371c 5522 8c3e

3f 17 6abd a9d4 8f 37 2a6d b9a4 2f 67 4a5d 79c4 3d19 67bc a4d5 8d39 276c b4a5 2d69 475c 74c5 3b1a 67bc a2d6 8b3a 276c b2a6 2b6a 475c 72c6 361b 6abd a0d8 863b 2a6d b0a8 266b 4a5d 70c8 371c 75c2 acde

5f 27 361b 9542 9f 47 562b f 572 0f 87 562b 65b2 5d29 3b1a 9843 9d49 5b2a f 873 0d89 5b2a 68b3 5b2a 3d19 9843 9b4a 5d29 f 873 0b8a 5d29 68b3 562b 3f 17 9542 964b 5f 27 f 572 068b 5f 27 65b2 371c 5d29 9445

5f 27 964b f 572 9f 47 068b a5d2 0f 87 964b a5d2 5d29 9b4a f 873 9d49 0b8a a8d3 0d89 9b4a a8d3 5b2a 9d49 f 873 9b4a 0d89 a8d3 0b8a 9d49 a8d3 562b 9f 47 f 572 964b 0f 87 a5d2 068b 9f 47 a5d2 371c 6db9 a4d5

13

5f 27 068b 65b2 9f 47 5a2d f 974 0f 87 5a2d 69b4 5d29 0b8a 68b3 9d49 572c f 475 0d89 572c 64b5 5b2a 0d89 68b3 9b4a 572c f 276 0b8a 572c 62b6 562b 0f 87 65b2 964b 5a2d f 078 068b 5a2d 60b8 371c 5b2a 9246

5f 27 66bb c5e2 9f 47 0a8d a9d4 0f 87 9a4d a9d4 5d29 6bba c8e3 9d49 078c a4d5 0d89 974c a4d5 5b2a 6db9 c8e3 9b4a 078c a2d6 0b8a 974c a2d6 562b 6fb7 c5e2 964b 0a8d a0d8 068b 9a4d a0d8 371c 6bba a2d6

5f 27 3a1d 9944 4f 57 863b d592 6fb7 361b a5d2 5d29 371c 9445 4d59 8b3a d893 6db9 3b1a a8d3 5b2a 371c 9246 4b5a 8d39 d893 6bba 3d19 a8d3 562b 3a1d 9048 465b 8f 37 d592 66bb 3f 17 a5d2 572c 3311 8a3d

5f 27 9a4d f 974 4f 57 266b 75c2 6fb7 562b c5e2 5d29 974c f 475 4d59 2b6a 78c3 6db9 5b2a c8e3 5b2a 974c f 276 4b5a 2d69 78c3 6bba 5d29 c8e3 562b 9a4d f 078 465b 2f 67 75c2 66bb 5f 27 c5e2 572c 73c1 caed

5f 27 0a8d 69b4 4f 57 8a3d d994 6fb7 3a1d a9d4 5d29 078c 64b5 4d59 873c d495 6db9 371c a4d5 5b2a 078c 62b6 4b5a 873c d296 6bba 371c a2d6 562b 0a8d 60b8 465b 8a3d d098 66bb 3a1d a0d8 572c 3512 8c3e

5f 27 6abd c9e4 4f 57 2a6d 79c4 6fb7 5a2d c9e4 5d29 67bc c4e5 4d59 276c 74c5 6db9 572c c4e5 5b2a 67bc c2e6 4b5a 276c 72c6 6bba 572c c2e6 562b 6abd c0e8 465b 2a6d 70c8 66bb 5a2d c0e8 572c 75c2 ccee

Table 4: Mid-Mid pairs (Part 3)

x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z= x= y= z=

572c 3d19 9445 974c 4351 da9d 475c 8d39 d495 078c 5d29 64b5 3a1d 5924 9341 5a2d 3f 17 9944 8a3d 4954 d391 9a4d 562b f 078 2a6d 8934 b3a1 0a8d 562b 60b8 3c1e 5924 9542 8c3e 4954 d592 2c6e 8934 b5a2

572c 9d49 f 475 974c 2361 baad 475c 2d69 74c5 078c 9d49 a4d5 3a1d 69b4 a3d1 5a2d 9f 47 f 974 8a3d 2964 b3a1 9a4d 068b a0d8 2a6d 4954 73c1 0a8d 964b a0d8 3c1e 69b4 a5d2 8c3e 2964 b5a2 2c6e 4954 75c2

572c 0d89 64b5 974c 4552 dc9e 475c 8b3a d296 078c 5b2a 62b6 3a1d 5f 27 9944 5a2d 0f 87 69b4 8a3d 4f 57 d994 9a4d 5c2e f 67b 2a6d 8f 37 b9a4 0a8d 5c2e 66bb 3c1e 5a2d 964b 8c3e 4a5d d69b 2c6e 8a3d b6ab

572c 6db9 c4e5 974c 2562 bcae 475c 2b6a 72c6 078c 9b4a a2d6 3a1d 6fb7 a9d4 5a2d 6fb7 c9e4 8a3d 2f 67 b9a4 9a4d 0c8e a6db 2a6d 4f 57 79c4 0a8d 9c4e a6db 3c1e 6abd a6db 8c3e 2a6d b6ab 2c6e 4a5d 76cb

572c 3b1a 9246 974c 5d29 f 475 276c 9341 baad 67bc 3d19 a4d5 3a1d 562b 9048 5a2d 361b 9048 8a3d 465b d098 4a5d 8934 d391 2a6d 863b b0a8 6abd 3914 a3d1 5c2e 3914 9542 9c4e 5924 f 572 0c8e 5924 65b2

572c 9b4a f 276 974c 0d89 a4d5 276c 4351 6abd 67bc 5d29 c4e5 3a1d 66bb a0d8 5a2d 964b f 078 8a3d 266b b0a8 4a5d 2964 73c1 2a6d 465b 70c8 6abd 5924 c3e1 5c2e 9944 f 572 9c4e 0984 a5d2 0c8e 9944 a5d2

14

572c 0b8a 62b6 974c 5b2a f 276 276c 9542 bcae 67bc 3b1a a2d6 3a1d 5c2e 964b 5a2d 068b 60b8 8a3d 4c5e d69b 4a5d 8f 37 d994 2a6d 8c3e b6ab 6abd 3f 17 a9d4 5c2e 0984 65b2 9c4e 5a2d f 67b 0c8e 5a2d 66bb

572c 6bba c2e6 974c 0b8a a2d6 276c 4552 6cbe 67bc 5b2a c2e6 3a1d 6cbe a6db 5a2d 66bb c0e8 8a3d 2c6e b6ab 4a5d 2f 67 79c4 2a6d 4c5e 76cb 6abd 5f 27 c9e4 5c2e 69b4 c5e2 9c4e 0a8d a6db 0c8e 9a4d a6db

873c 4d59 d495 475c 9341 da9d 276c 8d39 b4a5 77cc 3311 aadd 5a2d 3914 9341 5a2d 3c1e 964b 9a4d 5924 f 371 4a5d 863b d098 0a8d 5924 63b1 6abd 361b a0d8 5c2e 3a1d 964b 4c5e 8934 d592 6cbe 3914 a5d2

873c 2d69 b4a5 475c 2361 6abd 276c 4d59 74c5 77cc 5321 caed 5a2d 9944 f 371 5a2d 9c4e f 67b 9a4d 0984 a3d1 4a5d 266b 70c8 0a8d 9944 a3d1 6abd 562b c0e8 5c2e 9a4d f 67b 4c5e 2964 75c2 6cbe 5924 c5e2

873c 4b5a d296 475c 9542 dc9e 276c 8b3a b2a6 77cc 3512 acde 5a2d 0984 63b1 5a2d 0c8e 66bb 9a4d 5f 27 f 974 4a5d 8c3e d69b 0a8d 5f 27 69b4 6abd 3c1e a6db 5c2e 0a8d 66bb 4c5e 8a3d d69b 6cbe 3a1d a6db

873c 2b6a b2a6 475c 2562 6cbe 276c 4b5a 72c6 77cc 5522 ccee 5a2d 69b4 c3e1 5a2d 6cbe c6eb 9a4d 0f 87 a9d4 4a5d 2c6e 76cb 0a8d 9f 47 a9d4 6abd 5c2e c6eb 5c2e 6abd c6eb 4c5e 2a6d 76cb 6cbe 5a2d c6eb

B

Possible countermeasures

Below we examine a few possible modifications that can be made to the encoding function to protect it against attacks such the ones described in this note.

B.1 Massive mask changes Supposed that instead of changing one bit here and there in the encoded message, the standard is rewritten to have a massive, fixed, change in (m). For example, let i  ei be the i’th nibbles in the hexadecimal expansion of the irrational numbers = 3:14159 : : : and e = 2:71828 : : : , respectively. Possible encodings that use these masks could be:

1 (m) = `;1 `;2 m`;1 m`;2

`;3 `;4 m`;3 m`;4 :::

1 0 m1 m0 2 (m) = ( `;1 s(m`;1)) ( `;2 s(m`;2)) m`;1 m`;2 ( `;3 s(m`;3)) ( `;4 s(m`;4)) m`;1 m`;2 ::: ( 1 s(m1)) ( 0 s(m0)) m1 m0 











3 (m) = ( `;1 s(m`;1 e`;1)) ( `;2 s(m`;2 e`;2)) m`;1 m`;2 ( `;3 s(m`;3 e`;3)) ( `;4 s(m`;4 e`;4)) m`;3 m`;4 ::: ( 1 s(m1 e1)) ( 0 s(m0 e0)) m1 m0 























For each of these, it seems much harder to find a systematic choice of ; x and messages m to satisfy (m) = ; x. Below we describe some potential “partial attacks” against these encodings. It is conceivable that an attacker can find large ; (say ; larger than the 3=4 power of the modulus N ), for which there are two strings x and x0 and two messages m and m0 such that

(m) = ; x

and

(m0) = ; x0

Here ; would be unstructured (unlike in the attacks from above). Since x and x0 would both be relatively small (of size N=;), they might both be smooth. Then one could combine the two signatures to eliminate the factor of ; and develop a relation among the small primes represented by x and x0. We note that for the purpose of this attack, a multiplier ; is only useful if we can find at least two strings x x0 which satisfy relations as above. Heuristically, we can assert that many such ; factors EXIST, even very large ones (say, larger than the 9/10 power of N ). However, finding them might be quite difficult. We could not come up with any efficient way of finding a suitable ; and the associated x x0 m m0. 15

One possibility that we looked at, is to take two messages m m0 that have small Hamming distance from each other, consider the difference  = (m) ; (m0 ) (which also has a low Hamming weight, since the encoding  is very local), and find an integer ; which is a factor of the difference . Then alter the nibbles in which m and m0 AGREE, creating new messages M M0 , in the hope that (M ) is a multiple of ;. If so, then (M 0 ) must also be a multiple of ;. However, there seems to be no efficient way of changing m to M as above; having found ; by this fairly random process, there is a very slim hope that any M will exist for which (M ) is divisible by ;. So this strategy seem to require quite a bit of trial and error. (We note that one might hope to make a heuristic argument that encodings as above might be difficult to attack; that if we could find many smooth numbers x satisfying these relations, then we could just as easily factor N in the first place. We have not looked into substantiating such arguments.)

B.2 Length expanding encoding Other constructions that may be considered, involve encoding the message m into a string longer than the modulus N . This has the advantage that it forces the attacker to deal with larger integers (and so it is potentially harder to find smooth integers), but it does not have the “message recovery” property. That is, it is no longer possible to extract m from the signature on m. For example, suppose that we fix two constants c0 and c1, each half the length of the modulus N . To encode a message m (which is also half the length of the modulus N ), we form the sums m + c0 m + c1 , express them as binary strings, and form the concatenated string

4(m) = (m + c0) (m + c1) m whose length is 3/2 that of N . For this encoding, an attacker could try to get either 4 (m) or the residue (4 (m) mod N ) to be smooth. Trying to get 4 (m) to be smooth, one could set

 = c0 22n + c1 2n  = 22n + 2n + 1 and then 4 (m) =  +  m As long as pand  are relatively primes, it would seem unlikely that m could be chosen much smaller than N to obtain 4 (m) = ; x for a large ; and a small, smooth, x. (Intuitively, it seems hard to pick a small m so that 4 (m) has a large factor which we understand and a small factor that we don’t, where the small factor is required to be smooth, and that the small factor is p smaller than, say, N .) If the attacker is trying to get the residue 4 (m) mod N to be smooth, than he can compute a constant  = = mod N , and he is reduced to trying to make the quantity  + m smooth. Again this should be a daunting task, since  is about the same size as N , and m is only about half that size. Hence the attacker can control the low order bits by choice of m, but the uncontrolled part is p still of size about N . A (very informal) hope here is that if the p attacker is forced into a position where he needs certain “randomly generated integers” of size N to be smooth, then he is in no better position than a person applying the Continued Fraction factoring method on N . (Such a person is also 16

p

generating integers of size N and depending on a number of them to be smooth for the success of his method.) By contrast, in the attacks from above the attacker works with integers x of 64-128 bits, so the probability that they are smooth is much higher.

B.3 Encoding via squaring Another encoding method uses addition and squaring: We fix a random constant same size as the modulus N , and set

 of about the

5(m) = m2 +  One advantage of this form is that finding many numbers of the form ; x for a smooth x, is as difficult as factoring  (using the “Quadratic Sieve” method). On the other hand, 5 (m) is harder to compute than the other encodings, and the relation to the signed message m is not transparent.

17