Looking back at lattice-based cryptanalysis

Transcription

1 September 2009

2 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n

3 Lattice reduction Lattice reduction looks for a good basis Easy to view in dimension 2

4 Gauss s reduction algorithm Require: Initial lattice basis ( u, v) if u < v then Exchange u and v end if repeat Minimize u λ v, i.e., λ ( u v)/ v 2 Let u u λ v Swap u and v until u v Output ( u, v) as reduced basis

5 Gauss s reduction algorithm

6 Gauss s reduction algorithm

7 Gauss s reduction algorithm

8 Gauss s reduction algorithm

9 Lenstra-Lenstra-Lovász (1982) Polynomial time algorithm for arbitrary dimension Combines Gauss s algorithm and Gram-Schmidt orthogonalization Enforces the following properties on the output basis: i < j : ( b j bi ) b i 2 2 i : δ b i 2 Implies (note: 1/4 < δ 1): b i ( b i+1 b i )2 b i 2 (δ 1/4) b i 2 b i+1 2

10 Key properties of LLL-reduced basis First vector is quite short λ 1 det(l) Often used with δ = 3/4: ( δ 1 4) (n 1)/2 b 1 ( δ 1 ) n(n 1)/4 4 b 1 n b 1 2 (n 1)/2 λ 1 b 1 2 (n 1)/4 det(l) 1/n

11 Key properties of LLL-reduced basis Last vector is quite orthogonal to previous ones b n b n n In particular, with δ = 3/4: b n ( δ 1 ) (n i)/2 4 bi ( δ 4) 1 n(n 1)/4 det(l) b 1 2 (n 1)/2 b n det(l)1/n 2 (n 1)/4

12 Early applications: Knapsacks The subset-sum problem (or knapsack problem) is: Given integers a1,..., a n and S Find ɛ1,..., ɛ n with 0/1 values such that: S = n ɛ i a i i=1 NP-hard problem Some cases are easy (e.g. a i = 2 i 1 )

13 Knapsack-based cryptosystems Main idea: Hide an easy knapsack in a hard-looking one Example: Merkle-Hellman cryptosystem Start from super-increasing knapsack where a i > i 1 j=1 a j n Choose q > i=1 a i (prime for simplicity) Choose r a random integer modulo q Form new knapsack with bi = ra π(i) (mod q) n Encryption: Compute S = i=1 ɛ ib i Decryption: Let Sa = S r 1 (mod q) and solve easy knapsack Broken by Shamir at Crypto 82

14 Sketch of Shamir s attack Assume π is identity (or guess π(1), π(2), π(3), π(4)) For simplicity, assume that b 1 and b 2 are coprime Let c 3 = b 3 /b 2 (mod b 1 ) and c 4 = b 4 /b 2 (mod b 1 ) Form lattice (spanned by rows) : 1 c 3 c 4 0 b b 1 Contains all vectors (λb 2, λb 3, λb 4 ) modulo b 1 Remark that a 1 b i a i b 1 = u i q and u i small Yields short vector (u 2, u 3, u 4 )

15 Sketch of Shamir s attack (continued) In particular: a 1 /q = u i /b i (mod b 1 ) Let µ = u i /b i (mod b 1 ) We can now decrypt with (mostly) equivalent key (µ, b 1 )

16 Another approach to break Merkle-Hellman knapsack Since a i is super-increasing, a n has 2n bits So does q and all b i s Define density of a knapsack: d = n log 2 (max i a i ) As a general rule: Low density Easy to solve

17 Basic low-density attack Consider the lattice generated by columns of: Ka 1 Ka 2 Ka n Ks With K large enough LLL outputs short vector with 0 on the first line Short relation n i=1 v ia i = s Is it the correct {0, 1} solution?

18 Basic low-density attack Lagarias-Odlyzko (1985) Correct solution when d < Assuming a shortest lattice vector oracle Surprisingly: Works well in practice! With LLL bounds, would need d < O(1)/n

19 Improved low-density attacks Consider the lattice generated by columns of: Ka 1 Ka 2 Ka n Ks / / /2 Improved bound d <

20 Improved low-density attacks Alternative lattice: Ka 1 Ka 2 Ka n Ks n n n n + 1 Same bound d < Useful when number of 0s and 1s is unbalanced

21 A note of caution Despite these early success: Lattice-reduction is hard In practice: Lattice-reduction works very well in moderate dimension In higher dimension, many problems appear: Exponential gap between b1 and first minimum Unstability problems Running time and performance greatly depend on considered lattice Would be nice to have attacks without oracles.

22 Knuth s truncated linear congruential generator A classical pseudo-random generator defined from sequence: x i+1 = a x i + b (mod q) for simplicity, assume that q is prime. Write x i in binary as y i z i Output y i (α-fraction of k = log 2 q) Many attacks: most general by Stern (1987) Later improved by Contini and Shparlinski

23 Sketch of attack First remark that: x i+1 x i = a i (x 1 x 0 ) (mod q). If: d α i (x i+1 x i ) = 0 i=0 then, assuming x 1 x 0 0 (mod q), the polynomial P(z) = d α i z i i=0 has a as a root modulo q.

24 Sketch of attack Given two such polynomials P 1 and P 2 : q Res(P 1, P 2 ). With three polynomials, take GCD of resultants. It remains to construct such polynomials.

25 Sketch of attack: Stern s construction of polynomials First build vectors: Y i = y i+1 y i y i+2 y i+1. y i+t y i+t 1 we also use notation X i and Z i Search for a short zero linear combination: n α i Y i = 0. i=1 Relations exist with α i B with B = 2t(αk+log n+1)/(n t)

26 Sketch of attack: Stern s construction of polynomials Classical use of lattice reduction: KY 1 KY 2 KY n With LLL and K = n 2 (n 1)/2 B, relation satisfies: n αi 2 K 2 i=1

27 Sketch of attack: Stern s construction of polynomials Since n i=1 α iy i = 0, we have: n α i X i = i=1 n α i Z i i=1 Thus, n i=1 α ix i is small. It is also belongs to the lattice: a q 0 0 a 2 0 q a t q No small non-zero vector in this lattice

28 Sketch of attack: Stern s construction of polynomials Thus: n α i X i = 0 i=1 As a consequence, the polynomial: n α i z i 1 = 0 i=1 admits a as a root modulo q.

29 Coppersmith s small root algorithms Modular version, solve polynomial equation: f (x) = 0 (mod N). Easy when factorization of N is known. Hard in general. Bivariate version, find integral roots of: f (x, y) = 0. Diophantine equations. Hard in general.

30 Variant (for simplified analysis) Search rational solutions Equivalently, consider homogeneous polynomials Modular version, solve polynomial equation: f (x 0, x 1 ) = 0 (mod N). Bivariate version, find integral roots of: f (x 0, x 1, y 0, y 1 ) = 0. Homogeneous separately in x and y.

31 A simple case (Howgrave-Graham s variation) Search small solutions of: f (x 0, x 1 ) = a x b x 0 x 1 + c x 2 1 = 0 (mod N). W.l.o.g, we may assume c = 1. Fix two parameters, D and t Consider homogeneous polynomials of degree D with root (x 0, x 1 ) modulo N t Obtained by linearly combining: x D 2i 0 f (x 0, x 1 ) i N max(0,t i) and x D 2i 1 0 x 1 f (x 0, x 1 ) i N max(0,t i)

32 A simple case Use monomial ordering with x 1 > x 0 Head monomial in x D 2i θ 0 x θ 1 f (x 0, x 1 ) i N max(0,t i) is x 2i+θ 1 x D 2i θ 0 and has coefficient N max(0,t i) Interpret polynomials as lattice points ([x D 0 ], [x D 1 0 x 1 ],, [x 0 x D 1 1 ], [x D 1 ])

33 A simple case Dimension of the lattice D + 1 Determinant of the lattice is N t(t+1) LLL produces a short vector of norm: 2 D/4 N t(t+1)/(d+1) If x 0 B and x 1 B the corresponding polynomial at (x 0, x 1 ) has value less than: D D/4 N t(t+1)/(d+1) B D With D = 2t and letting t, assuming B < N 1/4 ɛ : D D/4 N t(t+1)/(d+1) B D < N t

34 End of the simple case As a consequence, get polynomial F with F(x 0, x 1 ) = 0 over Z Dehomogenizing, we find F a (x 0 /x 1 ) = 0 Solve over R Recover x 0 and x 1 from root r using continued fractions f of degree d Works up to N 1/2d bound on x 0 and x 1

35 Small root algorithms for integral solutions Similar idea, but scaling factors in lattices For univariate degree d, modulo N, bound B < N 1/d

36 Bon Anniversaire Jacques