Skip to main content
Download book PDF
View expanded cover

Annual International Cryptology Conference

CRYPTO 2009: Advances in Cryptology - CRYPTO 2009 pp 428–444Cite as

Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 5677)

Abstract

In 1999, Coron, Naccache and Stern discovered an existential signature forgery for two popular rsa signature standards, iso/iec 9796-1 and 2. Following this attack iso/iec 9796-1 was withdrawn. iso/iec 9796-2 was amended by increasing the message digest to at least 160 bits. Attacking this amended version required at least 261 operations.

In this paper, we exhibit algorithmic refinements allowing to attack the amended (currently valid) version of iso/iec 9796-2 for all modulus sizes. A practical forgery was computed in only two days using 19 servers on the Amazon ec2 grid for a total cost of \(\simeq\mbox{{\sc us\$800}}\). The forgery was implemented for e = 2 but attacking odd exponents will not take longer. The forgery was computed for the rsa-2048 challenge modulus, whose factorization is still unknown.

The new attack blends several theoretical tools. These do not change the asymptotic complexity of Coron et al.’s technique but significantly accelerate it for parameter values previously considered beyond reach.

While less efficient (us$45,000), the acceleration also extends to emv signatures. emv is an iso/iec 9796-2-compliant format with extra redundancy. Luckily, this attack does not threaten any of the 730 million emv payment cards in circulation for operational reasons.

Costs are per modulus: after a first forgery for a given modulus, obtaining more forgeries is virtually immediate.

Keywords

  • digital signatures
  • forgery
  • rsa
  • public-key cryptanalysis
  • iso/iec 9796-2
  • emv

Download conference paper PDF

References

  1. Bach, E., Peralta, R.: Asymptotic semismoothness probabilities. Mathematics of Computation 65(216), 1701–1715 (1996)

    MathSciNet  CrossRef  MATH  Google Scholar 

  2. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Proceedings of CCS 1993, pp. 62–73. ACM, New York (1993)

    Google Scholar 

  3. Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption: How to encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)

    CrossRef  Google Scholar 

  4. Bellare, M., Rogaway, P.: The Exact security of digital signatures: How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)

    CrossRef  Google Scholar 

  5. Bernstein, D.J.: Fast Multiplications and its applications. Algorithmic Number Theory 44 (2008)

    Google Scholar 

  6. Bernstein, D.J.: How to find smooth parts of integers (2004/05/10), http://cr.yp.to/papers.html#smoothparts

  7. Bernstein, D.J.: Scaled remainder trees (2004/08/20), http://cr.yp.to/papers.html#scaledmod

  8. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)

    CrossRef  Google Scholar 

  9. Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Mathematics of Computation 62(205), 333–350 (1994)

    MathSciNet  MATH  Google Scholar 

  10. Coppersmith, D., Coron, J.-S., Grieu, F., Halevi, S., Jutla, C.S., Naccache, D., Stern, J.P.: Cryptanalysis of iso/iec 9796-1. Journal of Cryptology 21, 27–51 (2008)

    MathSciNet  CrossRef  MATH  Google Scholar 

  11. Coppersmith, D., Halevi, S., Jutla, C.: iso 9796-1 and the new, forgery strategy, Research contribution to P.1363 (1999), grouper.ieee.org/groups/1363/Research

  12. Coron, J.S., Naccache, D., Tibouchi, M., Weinmann, R.P.: Practical Cryptanalysis of ISO / IEC 9796-2 and EMV Signatures, Cryptology ePrint Archive, Report 2009/203, http://eprint.iacr.org/

  13. Coron, J.-S.: Security proofs for partial domain hash signature schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 613–626. Springer, Heidelberg (2002)

    CrossRef  Google Scholar 

  14. Coron, J.-S., Desmedt, Y., Naccache, D., Odlyzko, A., Stern, J.P.: Index calculation attacks on RSA signature and encryption. Index calculation attacks on RSA signature and encryption Designs, Codes and Cryptography 38(1), 41–53 (2006)

    MathSciNet  CrossRef  MATH  Google Scholar 

  15. Coron, J.-S., Naccache, D., Joye, M., Paillier, P.: New attacks on pkcs#1 v1.5 encryption. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 369–381. Springer, Heidelberg (2000)

    CrossRef  Google Scholar 

  16. Coron, J.-S., Naccache, D., Stern, J.P.: On the security of RSA padding. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 1–18. Springer, Heidelberg (1999)

    CrossRef  Google Scholar 

  17. Desmedt, Y., Odlyzko, A.: A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 516–522. Springer, Heidelberg (1986)

    Google Scholar 

  18. EMV, Integrated circuit card specifications for payment systems, Book 2. Security and Key Management. Version 4.2 (June 2008), http://www.emvco.com

  19. Gaudry, P., Kruppa, A., Zimmermann, P.: A gmp-based implementation of Schőnhage-Strassen’s large integer multiplication algorithm. In: Proceedings of issac 2007, Waterloo, Ontario, Canada, pp. 167–174. ACM Press, New York (2007)

    Google Scholar 

  20. Grieu, F.: A chosen messages attack on the iso/iec 9796-1 signature scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 70–80. Springer, Heidelberg (2000)

    CrossRef  Google Scholar 

  21. Hart, W.B., et al.: Multiple Precision Integers and Rationals, http://www.mpir.org

  22. ISO / IEC 9796, Information technology – Security techniques – Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy (1999)

    Google Scholar 

  23. ISO / IEC 9796-2, Information technology – Security techniques – Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function (1997)

    Google Scholar 

  24. ISO / IEC 9796-2:2002, Information technology – Security techniques – Digital signature schemes giving message recovery – Part 2: Integer factorization based mechanisms (2002)

    Google Scholar 

  25. Joux, A., Naccache, D., Thomé, E.: When e-th roots become easier than factoring. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 13–28. Springer, Heidelberg (2007)

    CrossRef  Google Scholar 

  26. Kaliski, B.: pkcs#1: RSA Encryption Standard, Version 1.5, RSA Laboratories (November 1993)

    Google Scholar 

  27. Kaltofen, E., Lobo, A.: Distributed matrix-free solution of large sparse linear systems over finite fields. Algorithmica 24, 331–348 (1999)

    MathSciNet  CrossRef  MATH  Google Scholar 

  28. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)

    MathSciNet  CrossRef  MATH  Google Scholar 

  29. Lenstra Jr., H.: Factoring integers with elliptic curves. Annals of Mathematics 126(2), 649–673 (1987)

    MathSciNet  CrossRef  MATH  Google Scholar 

  30. Lobo, A.: wlss2: an implementation of the homogeneous block Wiedemann algorithm, www4.ncsu.edu/~kaltofen/software/wiliss

  31. Misarsky, J.-F.: How (not) to design RSA signature schemes. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 14–28. Springer, Heidelberg (1998)

    CrossRef  Google Scholar 

  32. Paar, C., Schimmer, M.: copacobana: A Codebreaker for des and other ciphers, www.copacobana.org

  33. The PARI Group, PARI/GP, version 2.3.4, Bordeaux (2008), http://pari.math.u-bordeaux.fr

  34. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of the acm 21, 120–126 (1978)

    MathSciNet  CrossRef  MATH  Google Scholar 

  35. The sage development team, sage mathematics software, Version 3.3 (2009), http://www.sagemath.org

Download references

Author information

Authors and Affiliations

  1. Université du Luxembourg, 6, rue Richard Coudenhove-Kalergi, l-1359, Luxembourg

    Jean-Sébastien Coron & Ralf-Philipp Weinmann

  2. École normale supérieure Département d’informatique, Groupe de Cryptographie, 45, rue d’Ulm, f-75230, Paris Cedex 05, France

    David Naccache & Mehdi Tibouchi

Authors
  1. Jean-Sébastien Coron
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. David Naccache
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mehdi Tibouchi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ralf-Philipp Weinmann
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. IBM Research, Hawthorne, NY, USA

    Shai Halevi

Rights and permissions

Reprints and Permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Coron, JS., Naccache, D., Tibouchi, M., Weinmann, RP. (2009). Practical Cryptanalysis of iso/iec 9796-2 and emv Signatures. In: Halevi, S. (eds) Advances in Cryptology - CRYPTO 2009. CRYPTO 2009. Lecture Notes in Computer Science, vol 5677. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03356-8_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-03356-8_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03355-1

  • Online ISBN: 978-3-642-03356-8

  • eBook Packages: Computer ScienceComputer Science (R0)