# Practical Cryptanalysis of ISO 9796-2 and EMV Signatures


## Abstract

At Crypto 1999, Coron, Naccache and Stern described an existential signature forgery against two popular RSA signature standards, ISO 9796-1 and ISO 9796-2. Following this attack, ISO 9796-1 was withdrawn, and ISO 9796-2 was amended by increasing the message digest to at least 160 bits. In this paper, we describe an attack against the amended version of ISO 9796-2, for all modulus sizes. Our new attack is based on Bernstein’s algorithm for detecting smooth numbers, instead of trial division. In practice, we were able to compute a forgery in only 2 days on a network of 19 servers. Our attack can also be extended to EMV signatures, an ISO 9796-2-compliant format with extra redundancy. In response to this new attack, the ISO 9796-2 standard was amended again in late 2010.
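The smoothness test the abstract refers to is Bernstein's product-tree/remainder-tree method (reference 7): instead of trial-dividing every candidate over the factor base, one computes z = product of the factor-base primes once, reduces z modulo all candidates at once through a remainder tree, and decides smoothness of each candidate x from z^(2^k) mod x. The following Python is an added example written for this page, not code from the paper or its authors. It implements that batch test, then trial-divides only the survivors to obtain the exponent vectors that the Desmedt-Odlyzko style linear-algebra step (references 17 and 21) would consume; that linear-algebra step, the ISO 9796-2 encoding and the real modulus sizes are not part of the example. The factor base bound (50) and the candidate integers are constructed for illustration; in the attack the candidates are values derived from the padded messages and the modulus.

```python
# Added example (not from the paper): Bernstein's batch smoothness test,
# the filter the abstract says replaced trial division, plus the exponent
# vectors extracted from the survivors for the later linear-algebra step.
from math import gcd, prod
from typing import List, Optional, Tuple


def primes_up_to(bound: int) -> List[int]:
    """Factor base {p prime : p <= bound} by a plain sieve of Eratosthenes."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for p in range(2, int(bound ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, bound + 1, p)))
    return [p for p, is_prime in enumerate(sieve) if is_prime]


def product_tree(leaves: List[int]) -> List[List[int]]:
    """Levels of the product tree: tree[0] are the leaves, tree[-1] == [root]."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    return tree


def remainder_tree(z: int, tree: List[List[int]]) -> List[int]:
    """z mod every leaf, top-down: (z mod parent) mod child == z mod child."""
    rems = [z % tree[-1][0]]
    for lvl in reversed(tree[:-1]):
        rems = [rems[i // 2] % lvl[i] for i in range(len(lvl))]
    return rems


def batch_smooth_parts(factor_base: List[int], xs: List[int]) -> List[int]:
    """Smooth part of each x in xs with respect to factor_base (Bernstein 2004).

    With z = product of the factor base and y = z^(2^k) mod x, where 2^k exceeds
    every prime exponent in x, gcd(x, y) is exactly the factor-base part of x,
    and x is smooth iff y == 0.  One remainder tree replaces one trial-division
    pass per candidate.
    """
    if any(x < 1 for x in xs):
        raise ValueError("candidates must be positive")
    z = prod(factor_base)
    rems = remainder_tree(z, product_tree(xs))
    parts = []
    for x, r in zip(xs, rems):
        k = x.bit_length().bit_length()  # 2^k > log2(x) >= any exponent in x
        y = r
        for _ in range(k):
            y = y * y % x
        parts.append(gcd(x, y))
    return parts


def exponent_vector(x: int, factor_base: List[int]) -> Optional[List[int]]:
    """Trial-divide x over the factor base; None if a non-base cofactor remains.

    Run only on candidates the batch test already marked smooth, so the
    per-candidate division is paid for the rare survivors only.
    """
    vec = []
    for p in factor_base:
        e = 0
        while x % p == 0:
            x //= p
            e += 1
        vec.append(e)
    return vec if x == 1 else None


def find_relations(factor_base: List[int],
                   candidates: List[int]) -> List[Tuple[int, List[int]]]:
    """(index, exponent vector) for every candidate that is factor-base smooth.

    These vectors are the rows of the matrix that a Desmedt-Odlyzko style
    forgery reduces modulo the public exponent e; that step is not shown here.
    """
    parts = batch_smooth_parts(factor_base, candidates)
    rows = []
    for i, (x, s) in enumerate(zip(candidates, parts)):
        if s == x and x > 1:
            vec = exponent_vector(x, factor_base)
            assert vec is not None  # batch test and trial division must agree
            rows.append((i, vec))
    return rows


# Constructed candidates for the example (not values from the paper): in the
# real attack these would be values derived from the ISO 9796-2 encodings and
# the modulus; here they are hand-built to show both outcomes.
FACTOR_BASE = primes_up_to(50)
CANDIDATES = [
    2 ** 5 * 3 ** 2 * 47,   # smooth: every prime factor is <= 50
    2 * 3 * 53,             # rough: 53 is outside the base, smooth part is 6
    7 ** 4,                 # smooth: a high prime power is still detected
    1009,                   # rough: a prime outside the base, smooth part is 1
    2 ** 40,                # smooth: exponent 40 needs k with 2^k > 40
]

if __name__ == "__main__":
    for x, s in zip(CANDIDATES, batch_smooth_parts(FACTOR_BASE, CANDIDATES)):
        print(f"{x:>14}  smooth part {s:>14}  {'SMOOTH' if s == x else 'rough'}")
    print("relations:", find_relations(FACTOR_BASE, CANDIDATES))
```

The squaring count k is chosen from the bit length of the candidate rather than from the factor base, because the bound that matters is the largest exponent a prime can have in x, which is below log2(x). The product and remainder trees are what make the method a batch operation: the cost is dominated by a handful of big multiplications and reductions on the whole list, not by one pass over the factor base for every candidate.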

## Keywords

Public-key cryptanalysis; RSA signatures; ISO 9796-2; EMV

## References

1. E. Bach, R. Peralta, Asymptotic semismoothness probabilities, Mathematics of Computation, vol. 65, no. 216, 1996, pp. 1701–1715.
2. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, Proceedings of CCS 1993, ACM, 1993, pp. 62–73.
3. M. Bellare, P. Rogaway, Optimal asymmetric encryption: how to encrypt with RSA, Proceedings of Eurocrypt 1994, LNCS, vol. 950, Springer, Berlin, 1995, pp. 92–111.
4. M. Bellare, P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, Proceedings of Eurocrypt 1996, LNCS, vol. 1070, Springer, Berlin, 1996, pp. 399–416.
5. D.J. Bernstein, T. Lange (eds.), eBACS: ECRYPT Benchmarking of Cryptographic Systems, bench.cr.yp.to
6. D.J. Bernstein, Fast multiplication and its applications, Algorithmic Number Theory, vol. 44, 2008.
7. D.J. Bernstein, How to find smooth parts of integers, 2004/05/10, cr.yp.to/papers.html#smoothparts
8. D.J. Bernstein, Proving tight security for Rabin-Williams signatures, Proceedings of Eurocrypt 2008, LNCS, vol. 4965, Springer, Berlin, 2008, pp. 70–87.
9.
10. D.J. Bernstein, T. Lange, C. Peters, Attacking and defending the McEliece cryptosystem, Proceedings of Post-Quantum Cryptography 2008, LNCS, vol. 5299, Springer, Berlin, 2008, pp. 31–46.
11. D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, Proceedings of Crypto 1998, LNCS, vol. 1462, Springer, Berlin, 1998, pp. 1–12.
12. E.R. Canfield, P. Erdős, C. Pomerance, On a problem of Oppenheim concerning "Factorisatio Numerorum", Journal of Number Theory, vol. 17, 1983, pp. 1–28.
13. D. Coppersmith, Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm, Mathematics of Computation, vol. 62, no. 205, 1994, pp. 333–350.
14. D. Coppersmith, J.-S. Coron, F. Grieu, S. Halevi, C.S. Jutla, D. Naccache, J.P. Stern, Cryptanalysis of ISO 9796-1, Journal of Cryptology, vol. 21, 2008, pp. 27–51.
15. D. Coppersmith, S. Halevi, C. Jutla, ISO 9796-1 and the new, forgery strategy, Research contribution to P1363, 1999, grouper.ieee.org/groups/1363/Research
16. J.-S. Coron, Security proofs for partial domain hash signature schemes, Proceedings of Crypto 2002, LNCS, vol. 2442, Springer, Berlin, 2002, pp. 613–626.
17. J.-S. Coron, Y. Desmedt, D. Naccache, A. Odlyzko, J.P. Stern, Index calculation attacks on RSA signature and encryption, Designs, Codes and Cryptography, vol. 38, no. 1, 2006, pp. 41–53.
18. J.-S. Coron, D. Naccache, M. Joye, P. Paillier, New attacks on PKCS #1 v1.5 encryption, Proceedings of Eurocrypt 2000, LNCS, vol. 1807, Springer, Berlin, 2000, pp. 369–381.
19. J.-S. Coron, D. Naccache, J.P. Stern, On the security of RSA padding, Proceedings of Crypto 1999, LNCS, vol. 1666, Springer, Berlin, 1999, pp. 1–18.
20. R.E. Crandall, E.W. Mayer, J.S. Papadopoulos, The twenty-fourth Fermat number is composite, Mathematics of Computation, vol. 72, no. 243, July 2003, pp. 1555–1572.
21. Y. Desmedt, A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, Proceedings of Crypto 1985, LNCS, vol. 218, Springer, Berlin, 1986, pp. 516–522.
22. K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv för matematik, astronomi och fysik, vol. 22A, no. 10, 1930, pp. 1–14.
23. EMV, Integrated Circuit Card Specifications for Payment Systems, Book 2: Security and Key Management, Version 4.2, June 2008, www.emvco.com
24. P. Gaudry, A. Kruppa, P. Zimmermann, A GMP-based implementation of Schönhage-Strassen's large integer multiplication algorithm, Proceedings of ISSAC 2007, Waterloo, Ontario, Canada, ACM Press, 2007, pp. 167–174.
25. F. Grieu, A chosen messages attack on the ISO/IEC 9796-1 signature scheme, Proceedings of Eurocrypt 2000, LNCS, vol. 1807, Springer, Berlin, 2000, pp. 70–80.
26. W.B. Hart et al., Multiple Precision Integers and Rationals, www.mpir.org
27. W.B. Hart, D. Harvey et al., Fast Library for Number Theory, www.flintlib.org
28. ISO/IEC 9796, Information technology — Security techniques — Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy, 1999.
29. ISO 9796-2, Information technology — Security techniques — Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function, 1997.
30. ISO 9796-2:2002, Information technology — Security techniques — Digital signature schemes giving message recovery, Part 2: Integer factorization based mechanisms, 2002.
31. ISO 9796-2:2010, Information technology — Security techniques — Digital signature schemes giving message recovery, Part 2: Integer factorization based mechanisms, 2010.
32. A. Joux, D. Naccache, E. Thomé, When e-th roots become easier than factoring, Proceedings of Asiacrypt 2007, LNCS, vol. 4833, Springer, Berlin, 2007, pp. 13–28.
33. B. Kaliski, PKCS #1: RSA Encryption Standard, Version 1.5, RSA Laboratories, November 1993.
34. E. Kaltofen, A. Lobo, Distributed matrix-free solution of large sparse linear systems over finite fields, Algorithmica, vol. 24, 1999, pp. 331–348.
35. C. Lanczos, An iteration method for the solution of the eigenvalue problem of linear differential and integral operators, Journal of Research of the National Bureau of Standards, vol. 45, 1950, pp. 255–282.
36. A.K. Lenstra, H.W. Lenstra, Jr., L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, vol. 261, 1982, pp. 513–534.
37. A.K. Lenstra, H.W. Lenstra, Jr. (eds.), The development of the number field sieve, Springer-Verlag, Berlin, 1993.
38. H.W. Lenstra, Jr., Factoring integers with elliptic curves, Annals of Mathematics, vol. 126, no. 2, 1987, pp. 649–673.
39. Y. Liu, T. Kasper, K. Lemke-Rust, C. Paar, E-passport: cracking basic access control keys, OTM Conferences (2), 2007, pp. 1531–1547.
40. A. Lobo, WLSS2: an implementation of the homogeneous block Wiedemann algorithm, www4.ncsu.edu/~kaltofen/software/wiliss
41. A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.
42. M. Mezzarobba, de auditu, March 2009.
43. J.-F. Misarsky, How (not) to design RSA signature schemes, Proceedings of Public Key Cryptography 1998, LNCS, vol. 1431, Springer, Berlin, 1998, pp. 14–28.
44. P.L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), Proceedings of Eurocrypt 1995, LNCS, vol. 921, Springer, Berlin, 1995, pp. 106–120.
45.
46. D.A. Osvik, de auditu, March 2009.
47.
48.
49. C. Pomerance, The quadratic sieve factoring algorithm, Proceedings of Eurocrypt 1984, LNCS, vol. 209, Springer, Berlin, 1985, pp. 169–182.
50. R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol. 21, 1978, pp. 120–126.
51.
52.
53. M. Stevens, A. Sotirov, J. Appelbaum, A. Lenstra, D. Molnar, D.A. Osvik, B. de Weger, Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate, Cryptology ePrint Archive, Report 2009/111, 2009.
54.