Cryptanalysis of Modular Exponentiation Outsourcing Protocols Charles Bouillaguet, Florette Martinez, Damien Vergnaud

To cite this version: Charles Bouillaguet, Florette Martinez, Damien Vergnaud. Cryptanalysis of Modular Exponentiation Outsourcing Protocols. The Computer Journal, Oxford University Press (UK), in press. HAL Id: hal-03209303, https://hal.archives-ouvertes.fr/hal-03209303. Submitted on 27 Apr 2021.

Charles Bouillaguet (1), Florette Martinez (1) and Damien Vergnaud (2)
(1) Sorbonne Université, CNRS, LIP6, F-75005 Paris, France
(2) Sorbonne Université, CNRS, LIP6, F-75005 Paris, France and Institut Universitaire de France
Email: charles.bouillaguet@lip6.fr, florette.martinez@lip6.fr and damien.vergnaud@lip6.fr

Public-key cryptographic primitives are time-consuming for resource-constrained devices. A classical problem is to securely offload group exponentiations from a (comparatively) weak device, the client, to an untrusted but more powerful device, the server. A delegation protocol must usually meet two security objectives: privacy (the exponent or the base should not be revealed to a passive adversary) and verifiability (a malicious server should not be able to make the client accept an invalid value as the result of the delegated computation). Most proposed protocols rely on a secret splitting of the exponent and the base, and a considerable amount of literature has been devoted to their analysis. Recently, Su, Zhang and Xue [The Computer Journal, 2020] and Rangasamy and Kuppusamy [Indocrypt 2018] proposed outsourcing protocols for modular exponentiations. They claim that their protocols achieve security (privacy and verifiability). We show that these claims are flawed and that their schemes are broken beyond repair. They remain insecure even if one increases the proposed parameters significantly (and consequently the protocols' computational and communication complexities). Our attacks rely on standard lattice-based cryptanalytic techniques, namely Coppersmith's methods to find small integer zeroes of modular multivariate polynomials and simultaneous Diophantine approximation methods for the so-called approximate greatest common divisor problem.

Keywords: Secure outsourcing; Modular exponentiation; Privacy; Verifiability; Cryptanalysis

1. INTRODUCTION

Group exponentiation is a fundamental operation in public-key cryptography as it is used in RSA-based and discrete-logarithm based protocols. Since the computational resources can be very limited on certain devices, it is natural, as most of the devices are online or directly connected to a powerful device, to consider securely delegating some sensitive and costly exponentiation to an untrusted device capable of carrying out large operations. A delegation protocol must usually meet two security objectives: privacy (the exponent or the base should not be revealed to a passive adversary) and verifiability (a malicious server should not be able to make the client accept an invalid value as the result of the delegated computation).

This paper presents several lattice-based attacks on two group exponentiation outsourcing protocols recently proposed by Su, Zhang and Xue [1] and Rangasamy and Kuppusamy [2]. In both cases, the proposed protocols are simple and efficient and the authors claim that they achieve security (privacy and verifiability). We show that these claims are flawed and that their schemes are broken beyond repair.

1.1. Prior Work on Exponentiation Outsourcing Protocols

The problem of outsourcing cryptographic operations has already received a lot of attention, but there has been a recent regain of interest with the development of mobile technologies. In 2005, Hohenberger and Lysyanskaya [3] proposed formal security definitions for securely outsourcing computations from a computationally limited device, called the client, to untrusted helpers, called the servers. Delegating a cryptographic operation presents many risks since it usually involves sensitive information which should not be revealed to potential adversaries. Moreover, since the servers are not fully trusted, a delegation protocol should enable clients to verify the correctness of the result returned by the server with high probability. Obviously, to be of practical interest, these delegation protocols must have a computational cost for the client lower than that of the delegated computation.

Hohenberger and Lysyanskaya notably presented an efficient scheme to securely outsource group exponentiation to two, possibly dishonest, servers that are physically separated (and do not communicate). Since this separation of the two servers is actually a strong assumption, recent works focus on outsourcing group exponentiation to a single computationally stronger server. It has been a very active research topic in which numerous protocols have been proposed [4, 5, 6, 7, 8, 9, 10] and many of these proposals were subsequently broken [11, 12, 13, 14, 15].

In 2018, Rangasamy and Kuppusamy [2] presented a protocol named MExpSOS for outsourcing modular exponentiations to a single, malicious computational resource. Their protocol is presented for delegation of exponentiation modulo a prime number as well as modulo an RSA modulus. It is simple and efficient, and does not require any pre-computation from the client. Rangasamy and Kuppusamy claimed that their scheme achieves the two fundamental security properties, namely privacy of inputs and verifiability of outputs, and claimed that it is the "best to-date outsourcing scheme for single-server case". They also proposed another scheme based on similar ideas for simultaneous exponentiations.

In 2020, Su, Zhang and Xue [1] presented another protocol called MCExp for outsourcing exponentiations modulo an RSA modulus to a single, malicious computational resource. It requires pre-computation from the client but relies on similar ideas to those of the MExpSOS protocol. It is also simple and efficient and Su et al. claimed that it achieves privacy and verifiability. They also proposed another scheme for outsourcing simultaneous composite modular exponentiations.

1.2. Prior Work on Lattice-Based Cryptanalysis

Some attacks we present in the paper rely on Coppersmith's methods, a classical technique in lattice-based cryptanalysis. These methods were introduced in 1996 by Coppersmith to find small integer zeroes of modular polynomials of one or two variables [16, 17]. Since their introduction, many

[...] particular equations we are studying in this article, and any improvement in these techniques would provide an immediate improvement to our attacks.

We also present attacks based on another standard lattice-based cryptanalytic technique from simultaneous Diophantine approximation for the approximate greatest common divisor problem [26, 27, 28]. This computational problem is to determine a secret integer p when one is given many samples of the form x_i = p · q_i + r_i for small error terms r_i. A simple approach for solving it relies on a simple lattice-based algorithm due to Lagarias [26] for simultaneous Diophantine approximation. The technique was first proposed by Howgrave-Graham in [27], then expanded in [28].

1.3. Contributions

We prove that the protocols MExpSOS and MCExp as proposed in [2] and [1] are insecure. Neither scheme achieves the claimed privacy and verifiability security properties (without increasing the size of the parameters to the point of making the delegation protocol more expensive than the modular exponentiation computation itself).

We first underline a major security break in MCExp from a single execution of the protocol, as two of its parameters are too small to resist exhaustive search. This readily allows us to obtain a multiple of the Euler totient function φ(N) of the underlying RSA modulus N, and then, using a classical algorithm due to Rabin [29], to factor N and obtain the (supposedly) secret base and exponent of the delegated exponentiation.

We then consider different ways of fixing the scheme MCExp (by increasing only one of the small parameters, then both of them). Using Coppersmith's methods, we show that even the modified schemes are also broken, from a single execution of the protocol, for a wide range of parameters. For each variant, we present a simple attack that allows one to factor N and retrieve the base and exponent of the delegated exponentiation. This information is sufficient to also break the verifiability property of MCExp.

As a final nail in MCExp's coffin, we present an even more devastating attack against the modified protocol when the adversary can passively eavesdrop on several runs of the delegation protocol for the same exponent. This is a particularly important use-case for the RSA primitive in which the client may want to delegate the computation of signatures for a fixed secret signing exponent. Our attack relies methods for the
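The Contributions section states that leaking a multiple of φ(N) is enough to factor N with Rabin's classical algorithm. The following Python, added here as an illustration and not taken from the paper or the attacked protocols, implements that step on a constructed toy modulus; the function name, the seeded randomness and the sample primes are the example's own choices.

```python
import math
import random

def factor_from_phi_multiple(n, m, tries=64, seed=1):
    """Recover the prime factors (p, q) of an RSA modulus n = p*q from any
    positive multiple m of phi(n) = (p-1)(q-1), using the classical
    randomized algorithm due to Rabin: since a^m = 1 (mod n) for every
    base a coprime to n, walking the chain a^t, a^(2t), ..., a^(2^s t)
    (with m = 2^s * t, t odd) hits a non-trivial square root x of 1 with
    probability at least 1/2, and gcd(x - 1, n) is then a proper factor."""
    if n % 2 == 0:
        return (2, n // 2)
    s, t = 0, m                      # write m = 2^s * t with t odd
    while t % 2 == 0:
        s += 1
        t //= 2
    rng = random.Random(seed)        # seeded only to make the run reproducible
    for _ in range(tries):
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g > 1:                    # base already shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        if x in (1, n - 1):          # this base only yields trivial roots of 1
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:               # x*x = 1 but x != +-1: non-trivial root
                g = math.gcd(x - 1, n)
                return tuple(sorted((g, n // g)))
            if y == n - 1:           # chain passes through -1: trivial, retry
                break
            x = y
    return None                      # m was probably not a multiple of phi(n)

if __name__ == "__main__":
    # constructed toy modulus from two well-known primes (real RSA moduli are
    # 2048+ bits, but the algorithm is identical)
    p, q = 104729, 1000003
    n = p * q
    leaked = 3 * (p - 1) * (q - 1)   # stands in for the multiple of phi(N) an attack recovers
    print(n, "=", factor_from_phi_multiple(n, leaked))
```

Once p and q are known, any RSA private exponent for that modulus follows from the public exponent, which is why the paper treats this leak as a complete break of privacy.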
