Abstract
In recent work, Backendal, Haller, and Paterson identified several exploitable vulnerabilities in the cloud storage provider MEGA. They demonstrated an RSA key recovery attack in which a malicious server could recover a client’s private RSA key after 512 client login attempts. We show how to exploit additional information revealed by MEGA’s protocol vulnerabilities to give an attack that requires only six client logins to recover the secret key.
Our optimized attack combines several cryptanalytic techniques. In particular, we formulate and give a solution to a variant of the hidden number problem with small unknown multipliers, which may be of independent interest. We show that our lattice construction for this problem can be used to give improved results for the implicit factorization problem of May and Ritzenhofen.
References
Alexi, W., Chor, B., Goldreich, O., Schnorr, C.P.: RSA and Rabin functions: certain parts are as hard as the whole. SIAM J. Comput. 17(2), 194–209 (1988). https://doi.org/10.1137/0217013
Backendal, M., Haller, M., Paterson, K.G.: MEGA: malleable encryption goes awry. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 450–467 (2023). https://doi.org/10.1109/SP46215.2023.00026
Bauer, A., Joux, A.: Toward a rigorous variation of Coppersmith’s algorithm on three variables. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 361–378. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_21
Boneh, D., Halevi, S., Howgrave-Graham, N.: The modular inversion hidden number problem. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 36–51. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_3
Boneh, D., Shparlinski, I.E.: On the unpredictability of bits of the elliptic curve Diffie-Hellman scheme. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 201–212. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_12
Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_11
Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_16
De Mulder, E., Hutter, M., Marson, M.E., Pearson, P.: Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 435–452. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_25
Faugère, J.-C., Marinier, R., Renault, G.: Implicit factoring with shared most significant and middle bits. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 70–87. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_5
Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_3
Garner, H.L.: The residue number system. In: Papers Presented at the 3–5 March 1959, Western Joint Computer Conference, pp. 146–153. IRE-AIEE-ACM 1959 (Western), Association for Computing Machinery, New York, NY, USA (1959). https://doi.org/10.1145/1457838.1457864
Hlaváč, M., Rosa, T.: Extended hidden number problem and its cryptanalytic applications. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 114–133. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74462-7_9
Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23(3), 283–290 (2001). https://doi.org/10.1023/A:1011214926272
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0024458
Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_6
Howgrave-Graham, N.A., Nguyen, P.Q., Shparlinski, I.E.: Hidden number problem with hidden multipliers, timed-release crypto, and noisy exponentiation. Math. Comput. 72(243), 1473–1485 (2003)
Jutla, C.S.: On finding small solutions of modular multivariate polynomial equations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 158–170. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054124
Kannan, R., Bachem, A.: Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix. SIAM J. Comput. 8(4), 499–507 (1979). https://doi.org/10.1137/0208040
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982). https://doi.org/10.1007/BF01457454
Lu, Y., Peng, L., Zhang, R., Hu, L., Lin, D.: Towards optimal bounds for implicit factorization problem. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 462–476. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_26
May, A., Ritzenhofen, M.: Implicit factoring: on polynomial time factoring given only an implicit hint. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 1–14. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_1
Nguyen, P.Q.: Hermite’s constant and lattice algorithms. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm. Information Security and Cryptography, pp. 19–69. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1
Nguyen, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006). https://doi.org/10.1007/11792086_18
Ortmann, M.: MEGA security update (2022). https://blog.mega.io/mega-security-update/
Peng, L., Hu, L., Xu, J., Huang, Z., Xie, Y.: Further improvement of factoring RSA moduli with implicit hint. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 165–177. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06734-6_11
Ryan, K., Heninger, N.: The hidden number problem with small unknown multipliers: cryptanalyzing MEGA in six queries and other applications. Cryptology ePrint Archive, Report 2022/914 (2022). https://eprint.iacr.org/2022/914
Sarkar, S., Maitra, S.: Further results on implicit factoring in polynomial time. Adv. Math. Commun. 3(2), 205–217 (2009). https://doi.org/10.3934/amc.2009.3.205
Sarkar, S., Maitra, S.: Approximate integer common divisor problem relates to implicit factorization. IEEE Trans. Inf. Theory 57(6), 4002–4013 (2011). https://doi.org/10.1109/TIT.2011.2137270
Wang, S., Qu, L., Li, C., Fu, S.: A better bound for implicit factorization problem with shared middle bits. Sci. Chin. Inf. Sci. 61(3), 1–10 (2017). https://doi.org/10.1007/s11432-017-9176-5
Acknowledgment
We thank Miro Haller and Kenny Paterson for their helpful comments on an earlier draft, insightful discussions, and providing further context. This material is based upon work supported by the National Science Foundation under grants no. 2048563 and 1913210.
© 2023 International Association for Cryptologic Research
Cite this paper
Heninger, N., Ryan, K. (2023). The Hidden Number Problem with Small Unknown Multipliers: Cryptanalyzing MEGA in Six Queries and Other Applications. In: Boldyreva, A., Kolesnikov, V. (eds) Public-Key Cryptography – PKC 2023. PKC 2023. Lecture Notes in Computer Science, vol 13940. Springer, Cham. https://doi.org/10.1007/978-3-031-31368-4_6
DOI: https://doi.org/10.1007/978-3-031-31368-4_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-31367-7
Online ISBN: 978-3-031-31368-4