Cryptanalysis of a pay-as-you-watch system

In this paper, we exhibit security flaws in MICROCAST payas-you-watch system. From the sole knowledge of public parameters, we show how any intruder is able to forge a coin and so to freely get access to the service. MICROCAST [2] includes a ‘pay-as-you-watch’ system for multicast content delivery. In this system, the bank acts as a certification authority. The bank setup goes as follows. Given a randomly chosen 160-bit prime q, two random 512-bit primes p1 and p2 are constructed so that q divides p1−1. Next, the RSA modulus n = p1p2 is formed and a matching pair of RSA public/private exponents (e, d) is computed according to ed ≡ 1 (mod φ(n)). Finally, a generator g ∈ (Z/nZ)∗ is computed so that the cyclic group 〈g〉 has order q. The public parameters are n, q, e, and g. The security of the micropayment system in MICROCAST —that is, the impossibility of coin forgery by an intruder— relies on the difficulty of finding a solution (A, p) to the equation PA ≡ g (mod n) (1) given P , x, g and n, and where P is an element of the form P = g mod n. In [2, § 4.1], the authors argue that the knowledge of a prime factor of p1 − 1 (namely, q) does not weaken the system. This claim is not justified. Indeed, since p2 is randomly chosen, it follows, with very high probability, that prime q does not divide p2 − 1. Therefore, from g q ≡ 1 (mod {p1, p2}), we deduce that g ≡ 1 (mod p2) and so g 6≡ 1 (mod p1), which yields gcd(g − 1, n) = p2 . Once the factorization of n is known, it becomes trivial to solve Eq. (1) by computing, for an arbitrary p, A = ( g P )x −1 mod (p1−1)(p2−1) mod n . An easy way that comes to mind for preventing the previous attack consists in choosing prime p2 such that q divides p2 − 1 and then in constructing g with