IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 54, NO. 9, SEPTEMBER 2007


More on Security of Public-Key Cryptosystems Based on Chebyshev Polynomials

Kai Y. Cheong and Takeshi Koshiba, Member, IEEE

Abstract—Recently, a public-key cryptosystem based on Chebyshev polynomials has been proposed, but it has been later analyzed and shown insecure. This paper addresses some unanswered questions about the cryptosystem. We deal with the issue of computational precision. This is important for two reasons. Firstly, the cryptosystem is defined on real numbers, but any practical data communication channel can only transmit a limited number of digits. Any real number can only be specified to some precision level, and we study the effect of that. Secondly, we show that the precision issue is related to its security. In particular, the algorithm previously proposed to break the cryptosystem may not work in some situations. Moreover, we introduce another method to break the cryptosystem with general precision settings. We extend the method to show that a certain class of cryptosystems is insecure. Our method is based on the known techniques on the shortest vector problem in lattices and linear congruences.

Index Terms—Chaos-based cryptography, Chebyshev polynomials, key agreement, public-key cryptography.

I. INTRODUCTION

Currently, secure network communications are supported by many cryptographic techniques. The techniques are partitioned into public-key cryptography and secret-key cryptography. While both disciplines are indispensable, practical public-key cryptographic systems are relatively slower than practical secret-key ones. Though the Rivest–Shamir–Adleman (RSA) cryptosystem [1] and the Diffie–Hellman key-agreement protocol [2] play important roles in practical systems, the speed gap between such public-key cryptosystems and secret-key cryptosystems [e.g., Advanced Encryption Standard (AES)] has narrowed the possibilities to hybridize the two types of cryptography. Thus, public-key cryptographic systems of comparable speed with secret-key ones are desired. For instance, NTRU [3], based on polynomial rings, is known as such a candidate and its security has been discussed in the literature. As a new candidate, a public-key cryptosystem based on Chebyshev polynomials has been proposed in [4] recently. The system uses a key-agreement protocol similar to the Diffie–Hellman protocol. Also, it can be seen as a chaos-based cryptosystem, a class of cryptosystems making use of chaotic mappings or signals. Due to the sensitivity to initial conditions, chaotic systems often have random-like behaviors, which make them popular candidates as building blocks of cryptosystems [5]. Other chaos-based cryptographic primitives, like random number generators [6] and hash functions [7], are also studied in the literature. The cryptosystem based on Chebyshev polynomials can run efficiently due to the properties of Chebyshev polynomials, but its security was left unclear in [4]. In [8], Bergamo et al. analyzed the cryptosystem and demonstrated its insecurity.

In this paper, we would like to settle some of the problems left open in [8]. After a brief review of the cryptosystem in Section II, we explicitly define the issue of computational precision in Section III. This observation is important for two reasons. Firstly, the proposed cryptosystem is defined on real numbers, but any practical data communication channel can only transmit a limited number of digits. So, in general, any real number will only be specified to some precision level, and we would like to study the effect of that. Secondly, we will show that the precision issue is related to its security. In particular, in Section IV we show that the algorithm used in [8] to break the cryptosystem may not work when the precision setting defined by us in Section III is used in the cryptosystem. Furthermore, in Section V we propose another method to break the cryptosystem, under some general assumptions on precision settings. We also use our method to conclude that a larger class of cryptosystems is insecure. Our method is based on the known techniques on the shortest vector problem (e.g., in [9]). Though the shortest vector problem itself is believed to be computationally intractable, either approximation or special-case algorithms have been used to break many cryptosystems. The low-density attack [10], [11] against knapsack public-key cryptosystems utilized the Lenstra–Lenstra–Lovász (LLL) algorithm [12] as an oracle for the shortest vector problem. The LLL algorithm is also used to reveal the hidden parameters of truncated linear congruential (pseudorandom) generators [13]. Moreover, it is well known that the Gaussian algorithm can efficiently solve the two-dimensional case of the shortest vector problem. We show that the cryptosystem in [4] can be broken by using the Gaussian algorithm.

II. REVIEW OF THE CRYPTOSYSTEM

Manuscript received February 9, 2007; revised April 16, 2007. This work is supported in part by Grant-in-Aid for Scientific Research, Japan Society for the Promotion of Science, 18300002. This paper was recommended by Associate Editor T. Schimming. The authors are with the Area of Informatics, Division of Mathematics, Electronics and Informatics, Graduate School of Science and Engineering, Saitama University, Saitama, Japan (e-mail: [email protected]; [email protected]). Digital Object Identifier 10.1109/TCSII.2007.900875

First of all, the family of Chebyshev polynomials [14] is defined by the recurrent relation

1549-7747/$25.00 © 2007 IEEE

(1)


while internal calculations of the users of the system have unlimited precision. Alice generates randomly and calculates and she sends them to Bob through the channel. Bob receives (5) (6)

Fig. 1. Precision requirements of the cryptosystem.

It is easy to verify that is a polynomial of degree . If is uniformly chosen from [ 1, 1] then and in this case we can also calculate in real numbers

where are the error terms. Next, Bob calculates and sends to Alice (7) where

. Bob will also calculate secretly

(2) (8) By (2) it is clear that Alice calculates (3) Making use of the property in (3), a scheme of secure communication, similar to the Diffie–Hellman protocol, can be created in the following manner.
• Alice generates a random number and a large random integer . She computes and sends the pair to Bob.
• Bob generates a large random integer and computes , and he sends it to Alice.
• Both Alice and Bob can calculate , according to (3).
Either can now send a secret message, represented by number , to the other side by sending ciphertext . The receiving party will calculate

(9)

We now look into the difference between and . There are only two types of error propagation. Firstly, in the multiplications by and , the errors simply increase at that ratio. Secondly, the functions and will also transform the errors. This can be modelled by Taylor's theorem for the continuous function , which states that (10)

(4)

for some to assume

to recover the plaintext.

(11) (12)

III. PRECISION REQUIREMENT ANALYSIS

In [4] and [8], the table in Fig. 1 is given by numerical simulations to show how the precision requirement of the system changes with the range of and , for a plaintext of 128 bits. The issue has not been studied further by the authors. In this paper, we study the relation between the bit precision requirement and the size of and . First of all, we have two different implementations of , the polynomial function in (1) or the trigonometric function in (2). Assuming that we have a finite but arbitrary precision level, the polynomial function will give us exact values, as all numbers that appear are rational numbers. Also assume that we have arbitrary precision in the evaluations of the functions and . Then the trigonometric function in (2) can be calculated to any precision level, so that the two implementations are equivalent. We choose the trigonometric implementation here, which will give us a clearer picture of the effect of errors in computations. We now define our precision setting. Assume that the system has -bit precision for anything transmitted in the channel,

. Where is small, it is also reasonable and we have

From the study of Chebyshev polynomials in [15], we can assume that and above are uniformly distributed. So there is a high probability that the transformed error and the original error are in the same range. For instance, in (12), for the error to increase 10 times or more, we have the condition that . Treating as uniformly distributed, it has a probability of about 0.064, which is low enough for our study, because such error transformations will only be invoked a few times. From (8), now we have

(13) And using (9) we have

(14)

CHEONG AND KOSHIBA: MORE ON SECURITY OF PUBLIC-KEY CRYPTOSYSTEMS BASED ON CHEBYSHEV POLYNOMIALS

where and are in the same range, according to the arguments above. Similarly, is close to , and to . Now Alice has and Bob has . This is the common secret they share. But there is an error . If and are in the range of , then the error is close to , or . We also argue that this is also the worst case scenario if Alice and Bob use -bit precision in their internal calculations. By assuming that the original has only -bit precision, any internal calculations with higher precision would not do better than a system with -bit precision. Now the common secret between Alice and Bob has bits only. As the error is close to , the digits of values smaller than that are unreliable. If Alice and Bob are using and as the common secret, respectively, Alice will recover a plaintext sent by Bob by calculating


Same as [8], we select one of the two possible equations in (19) and multiply the whole equation with an integer . This process will eventually transform (19) into one which only involves integers. But due to the error , which is assumed to be near , we must select such that . In that case, we have

(20) where indicates the truncation function of non-integral part of real number . The definitions of , and are

(15)

The number of reliable bits in the recovered plaintext is limited by the number of reliable bits in the common secret. We conclude that the plaintext has around reliable bits. This is a good match to the table in Fig. 1. If we set for the key length, then in every row of the table, matching the length of the plaintext.

IV. ATTACKER’S POINT OF VIEW

A passive attacker Eve is trying to attack the cryptosystem. In this section, we study the case where the methods in [8] are used. By obtaining and in the channel, Eve will try to find and such that

(21)

As , we have . Eq. (20) cannot be solved by the Euclidean algorithm directly as in the discussion in [8], mainly because the term cannot be eliminated as a real number smaller than one. Although the value of is chosen by Eve, it is limited by the fact that , as discussed earlier. Thus, we argue that, for general values of and , the value of in (21) is uniformly distributed. As a result, the method in [8] cannot be used directly to break the cryptosystem with the precision setting described in this paper. This is also due to the fact that the Euclidean algorithm is sensitive to errors. That is, the value of the integer in the equation

(16) (22) where she would deduce (17) from (7). Knowing the existence of the unknown error , Eve uses to compensate for the difference. If she is successful in recovering , then as well. Following the lines of thought of [8], we simply reduce (16) to

(18)

where the error term in (16) is transformed into in (18). Both and are in the range of , around . Eve will try to solve , , to fit the equation. Note that and have a linear relation, and they are in the same range. The situation has been described in [8], but here an error term is added. We transform (18) to

(19)

can change by a large amount when the value of the integer is changed slightly. In the next section, we derive a general method to solve (20). We will show that our method is more reliable, by not being sensitive to errors.

V. ATTACK WITH THE SHORTEST VECTOR APPROACH

We continue the work by solving (20) with another method. We will try to recover the original chosen by Bob. Our first task is to find to fit (20). But in our case, the maximum value of allowed is changed to for the following reasons. Comparing (7) and (16), we can substitute by , and by , into (13) and (14). As discussed before, the error in the common secret is . To successfully recover the common secret, which has bits, it is necessary that . Therefore, the value of must be smaller than . But this time, and are in the same range, so is . Also, we have to select such that the term is smaller than . This is because the value of is controlled by , where is not. We would like to solve the equation without the term . From (18), because and thus .


To ensure we will choose such that and . After that, the term , which combines all the terms with and , becomes a free variable. Now we have two unknowns and one equation: (23) where

and . From (31) to (32) we might have a few choices for ; Eve may try them one after another. Also, once we get the set of two equations with two unknowns in (32), it can be solved for a unique solution. This implies that the solution, if correct, corresponds to the original chosen by Bob. For the size of and , by Minkowski’s second theorem, discussed in [9], we know that . If is random, then and are expected to be in the same range, near . In that case, they are smaller than and our method can be applied.

(24)

VI. NUMERICAL EXAMPLE

and the condition that . A general method of solving this type of linear congruence equations can be found in [13], which uses the principles and techniques of the shortest vector problem in lattices [9]. First of all, from (23), we define two vectors

We will try to apply our method to the original example given in [4]. Let us assume and using Fig. 1.

(25)

(33)

and a lattice defined as the set of all vectors in the form of (26) where and are integers. An algorithm that is guaranteed to produce the two shortest vectors in a given two-dimensional lattice has been described in [9]. It is a straightforward method known as the Gaussian algorithm. The algorithm is included in the Appendix of this paper. It runs in polynomial time and the running time analysis has also been provided in [9]. We apply the algorithm to and to find and , the shortest vectors in the lattice. Then we write (27)

We choose and show all calculations in base-10 for easier reading. Eve will try to get from and . To show that our method is robust against precision limits of data in the channel, let us assume that has an error of , which is larger than discussed previously. That is, we give 320 digits of to Eve, which is

(34) and we continue with (23) with

(28) Let

and

(35)

Solving for the shortest vectors from (25), we get , where

(29) where all numbers are integers. Now we are ready to transform (23) to

Getting and solving (32), we have

(37) and from (18), ignoring

(31)

As , if , , , are significantly smaller than , we can remove the modulus and get the equations (32)

,

(36)

(30) which, by (29), become

and

this time, we have

(38) which is the correct . Note that there are two possible cases in (18), and only one of them gives the correct solution, an integer. Now Eve gets and she can decrypt any messages between Alice and Bob.
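The key agreement of Section II, the channel precision of Section III and the lattice attack of Section V, as an added worked example in Python; it is not code from this paper nor an implementation from [4]. It uses the trigonometric form T_n(x) = cos(n arccos x) and the property T_r(T_s(x)) = T_rs(x). Eve's step follows the shortest-vector idea of Section V but not (20)–(32) literally: from the channel values x and T_s(x) she has s·arccos x = ±arccos T_s(x) + 2πk, scales this by M/2π into an integer relation s·A − k·M = ±B + E with a small error E, and reads s off the lattice point nearest to (±B, 0), found by Gauss reduction (the algorithm of the Appendix) followed by Babai's nearest-plane rounding. The constants CHANNEL_BITS = 36, KEY_BITS = 10 and M = 2^40, and the inputs x = 0.31415, r = 617, s = 911, are assumptions chosen so that double precision suffices; the paper's example in Section VI works with 320-digit numbers, which would need multiprecision arithmetic in place of floats.

```python
"""Chebyshev-map key agreement over an n-bit channel, and a lattice attack on it.

Added example, not code from the paper.  T_n(x) = cos(n * arccos x) on [-1, 1]
satisfies T_r(T_s(x)) = T_rs(x), which is what the key agreement relies on.
Arithmetic is double precision, so key size and channel precision are toy-sized
(the paper's own example uses 320-digit numbers); the structure is unchanged.
"""
import math
from fractions import Fraction

CHANNEL_BITS = 36  # n: fractional bits of anything sent on the channel (assumed)
KEY_BITS = 10      # L: size of the secret integers r and s (assumed, toy-sized)
M = 1 << 40        # scale factor turning the angle relation into integers (assumed)


def chebyshev(n, x):
    """T_n(x) = cos(n * arccos x), the trigonometric form used in the paper."""
    return math.cos(n * math.acos(x))


def to_channel(v):
    """Round a real number to CHANNEL_BITS fractional bits, as the channel would."""
    scale = 1 << CHANNEL_BITS
    return round(v * scale) / scale


def key_agreement(x, r, s):
    """Alice picks x and r, Bob picks s; each derives T_rs(x) from channel values.

    Returns (x_c, y_r, y_s, k_alice, k_bob): the three values seen on the
    channel and the two locally computed copies of the shared secret.
    """
    x_c = to_channel(x)                  # Alice sends x
    y_r = to_channel(chebyshev(r, x_c))  # Alice sends T_r(x)
    y_s = to_channel(chebyshev(s, x_c))  # Bob sends T_s(x)
    k_alice = chebyshev(r, y_s)          # T_r(T_s(x)), approximately T_rs(x)
    k_bob = chebyshev(s, y_r)            # T_s(T_r(x)), approximately T_rs(x)
    return x_c, y_r, y_s, k_alice, k_bob


def agreeing_bits(a, b):
    """Fractional binary digits on which two shared-secret values agree."""
    d = abs(a - b)
    return 53 if d == 0 else -math.floor(math.log2(d))


def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]


def gauss_reduce(b1, b2):
    """Lagrange/Gauss reduction of a 2-D integer lattice basis (the algorithm of
    the Appendix): returns the two shortest basis vectors, b1 the shortest."""
    while True:
        if dot(b2, b2) < dot(b1, b1):
            b1, b2 = b2, b1
        n1 = dot(b1, b1)
        mu = (2 * dot(b1, b2) + n1) // (2 * n1)  # round(<b1,b2> / <b1,b1>)
        if mu == 0:
            return b1, b2
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])


def closest_vector(b1, b2, t):
    """Babai's nearest-plane rounding on a reduced basis: the lattice vector
    nearest to t, exact when t is much closer to the lattice than |b1|."""
    n1 = dot(b1, b1)
    mu = Fraction(dot(b1, b2), n1)
    b2s = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])  # Gram-Schmidt vector b2*
    c2 = round(dot(t, b2s) / dot(b2s, b2s))
    t1 = (t[0] - c2 * b2[0], t[1] - c2 * b2[1])
    c1 = round(Fraction(dot(t1, b1), n1))
    return (c1 * b1[0] + c2 * b2[0], c1 * b1[1] + c2 * b2[1])


def recover_secret(x_c, y_s, key_bits=KEY_BITS):
    """Eve: from the channel values x and T_s(x), recover Bob's integer s.

    With theta = arccos x and phi = arccos T_s(x), s*theta = +-phi + 2*pi*k.
    Scaling by M/(2*pi) and rounding gives s*A - k*M = +-B + E with |E| of the
    order of 2**key_bits, so the lattice point s*(A, 1) - k*(M, 0) lies close
    to the target (+-B, 0) while the lattice's shortest vector is about sqrt(M).
    """
    theta, phi = math.acos(x_c), math.acos(y_s)
    A = round(theta / (2 * math.pi) * M)
    B = round(phi / (2 * math.pi) * M)
    b1, b2 = gauss_reduce((A, 1), (M, 0))
    tol = 2.0 ** -(CHANNEL_BITS - 8)  # slack for the channel rounding of y_s
    for sign in (1, -1):              # the two sign cases of s*theta = +-phi + 2*pi*k
        s = closest_vector(b1, b2, (sign * B, 0))[1]
        if 1 <= s < (1 << key_bits) and abs(chebyshev(s, x_c) - y_s) < tol:
            return s
    return None


if __name__ == "__main__":
    # constructed inputs, not values from the paper
    x_c, y_r, y_s, k_a, k_b = key_agreement(0.31415, 617, 911)
    print("shared secret agrees on", agreeing_bits(k_a, k_b), "bits")
    s = recover_secret(x_c, y_s)
    print("Eve recovers s =", s, "and the shared secret", chebyshev(s, y_r))
```

Running it prints how many fractional bits of the shared secret Alice and Bob agree on, which is roughly n − L as Section III argues unless T_r(x) or T_s(x) falls near ±1, where arccos amplifies the channel error (the error transformation discussed around (10)–(12)), and then the integer s that Eve obtains from the channel values alone, after which she computes the shared secret exactly as Bob does. The uniqueness of s rests on the same size argument as Section V: the solution lies within about 2^L of the target while the shortest lattice vector is about √M, so M must be well above 2^(2L), which the channel precision n has to support.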


VII. CONCLUDING REMARKS

The algorithm described in this paper can be generalized to solve the integer in the equation

(39)

where and are known to some precision level, and the functions and are efficiently computable, in polynomial time of the number of digits required by the precision level. If is periodic and continuous such that and do not significantly increase the error in , our method can be applied. In that sense, the cryptosystem based on Jacobian elliptic Chebyshev rational maps mentioned in [8] can also be attacked by our algorithm. As a conclusion, this paper continued the work of [8] to show that a certain class of cryptosystems is not secure. In particular, the mappings which appear not to be reversible are actually reversible with techniques of linear congruence equations, even when the numbers involved are given with certain errors. The precision requirement is explained in this paper. It is impossible to choose a precision level which allows authentic communication and avoids the attack. This concludes the discussion in [8] concerning the security of cryptosystems using such maps.

APPENDIX

Fig. 2 shows the algorithm described in [9]. The algorithm finds the two shortest vectors in the lattice generated by and .

Fig. 2. Shortest vectors solving algorithm for two-dimensional lattice.

REFERENCES

[1] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commun. ACM, vol. 21, no. 2, pp. 120–126, 1978.
[2] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Trans. Inf. Theory, vol. IT-22, no. 6, pp. 644–654, Nov. 1976.
[3] J. Hoffstein, J. Pipher, and J. H. Silverman, “NTRU: A ring-based public key cryptosystem,” in Proc. 3rd Int. Symp. Algorithmic Number Theory, J. Buhler, Ed., 1998, vol. 1423, pp. 267–288.
[4] L. Kocarev and Z. Tasev, “Public-key encryption based on Chebyshev maps,” in Proc. IEEE Symp. Circuits Syst. (ISCAS’03), 2003, vol. 3, pp. 28–31.
[5] L. Kocarev, “Chaos-based cryptography: A brief overview,” IEEE Circuits Syst. Mag., vol. 1, pp. 6–21, 2001.
[6] M. Jessa, “Designing security for number sequences generated by means of the Sawtooth chaotic map,” IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 53, no. 5, pp. 1140–1150, May 2006.
[7] X. Yi, “Hash function based on chaotic tent maps,” IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 52, no. 6, pp. 354–357, Jun. 2005.
[8] P. Bergamo, P. D’Arco, A. De Santis, and L. Kocarev, “Security of public key cryptosystems based on Chebyshev polynomials,” IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 52, no. 7, pp. 1382–1393, Jul. 2005.
[9] D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective. Norwell, MA: Kluwer, 2002.
[10] E. F. Brickell, “Solving low density knapsacks,” in Proc. CRYPTO ’83, pp. 25–37.
[11] J. C. Lagarias and A. M. Odlyzko, “Solving low-density subset sum problems,” J. Assoc. Comput. Mach., vol. 32, no. 1, pp. 229–246, 1985.
[12] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász, “Factoring polynomials with rational coefficients,” Math. Ann., vol. 261, pp. 515–534, 1982.
[13] A. M. Frieze, J. Håstad, R. Kannan, J. C. Lagarias, and A. Shamir, “Reconstructing truncated integer variables satisfying linear congruences,” SIAM J. Comput., vol. 17, no. 2, pp. 262–280, 1988.
[14] T. J. Rivlin, Chebyshev Polynomials: From Approximation Theory to Algebra and Number Theory, 2nd ed. New York: Wiley, 1990.
[15] T. Geisel and V. Fairen, “Statistical properties of chaos in Chebyshev maps,” Phys. Lett., vol. 105A, no. 6, pp. 263–266, 1984.