Looking back at lattice-based cryptanalysis
1 September 2009
2 Lattices
A lattice is a discrete subgroup of $\mathbb{R}^n$. Equivalently, it is the set of integral linear combinations $\alpha_1 b_1 + \cdots + \alpha_m b_m$ with $m \le n$.
3 Lattice reduction
Lattice reduction looks for a good basis. Easy to view in dimension 2.
4 Gauss's reduction algorithm
Require: initial lattice basis $(u, v)$
if $\|u\| < \|v\|$ then exchange $u$ and $v$ end if
repeat
  Minimize $\|u - \lambda v\|$, i.e., $\lambda = \lfloor (u \cdot v) / \|v\|^2 \rceil$
  Let $u \leftarrow u - \lambda v$
  Swap $u$ and $v$
until $\|u\| \le \|v\|$
Output $(u, v)$ as reduced basis
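The two-dimensional algorithm above, as an added Python example (not code from the talk): integer vectors, $\lambda$ taken as the nearest integer to $(u \cdot v)/\|v\|^2$, and a check that the output is Gauss-reduced, i.e. $\|u\| \le \|v\|$ and $|u \cdot v| \le \|u\|^2/2$, which in dimension 2 means $u$ is a shortest non-zero lattice vector. The two sample bases are constructed for the demonstration.

```python
from fractions import Fraction


def norm2(v):
    return v[0] * v[0] + v[1] * v[1]


def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]


def gauss_reduce(u, v):
    """Gauss (Lagrange) reduction of the 2-dimensional lattice spanned by integer vectors u, v."""
    u, v = list(u), list(v)
    if norm2(u) < norm2(v):            # keep the longer vector in u
        u, v = v, u
    while True:
        # lambda = nearest integer to (u.v)/|v|^2 minimises |u - lambda v|
        lam = round(Fraction(dot(u, v), norm2(v)))
        u = [u[0] - lam * v[0], u[1] - lam * v[1]]
        u, v = v, u
        if norm2(u) <= norm2(v):
            return u, v


def is_gauss_reduced(u, v):
    """|u| <= |v| and |u.v| <= |u|^2 / 2: then u is a shortest non-zero vector of the lattice."""
    return norm2(u) <= norm2(v) and 2 * abs(dot(u, v)) <= norm2(u)


if __name__ == "__main__":
    # constructed samples: (5,3),(3,2) spans Z^2; (8,2),(3,1) spans {(x,y): x = y mod 2}
    for basis in (((5, 3), (3, 2)), ((8, 2), (3, 1))):
        u, v = gauss_reduce(*basis)
        print(basis, "->", u, v, "reduced:", is_gauss_reduced(u, v))
```

The determinant of the basis is preserved by the reduction, which is the quickest sanity check that no vector was lost along the way.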
5-8 Gauss's reduction algorithm (illustration slides)
9 Lenstra-Lenstra-Lovász (1982)
Polynomial-time algorithm for arbitrary dimension. Combines Gauss's algorithm and Gram-Schmidt orthogonalization. Enforces the following properties on the output basis (with $b_i^*$ the Gram-Schmidt vectors):
  $\forall i < j:\ |b_j \cdot b_i^*| \le \|b_i^*\|^2 / 2$
  $\forall i:\ \delta \|b_i^*\|^2 \le \|b_{i+1}^*\|^2 + (b_{i+1} \cdot b_i^*)^2 / \|b_i^*\|^2$
Implies (note: $1/4 < \delta \le 1$):
  $(\delta - 1/4)\,\|b_i^*\|^2 \le \|b_{i+1}^*\|^2$
10 Key properties of LLL-reduced basis
First vector is quite short:
  $(\delta - 1/4)^{(n-1)/2}\,\|b_1\| \le \lambda_1$
  $(\delta - 1/4)^{n(n-1)/4}\,\|b_1\|^n \le \det(L)$
Often used with $\delta = 3/4$:
  $\|b_1\| \le 2^{(n-1)/2}\,\lambda_1$
  $\|b_1\| \le 2^{(n-1)/4}\,\det(L)^{1/n}$
11 Key properties of LLL-reduced basis
Last vector is quite orthogonal to the previous ones (its Gram-Schmidt component $b_n^*$ is large):
  $\|b_n^*\| \ge (\delta - 1/4)^{(n-i)/2}\,\|b_i^*\|$
  $(\delta - 1/4)^{n(n-1)/4}\,\det(L) \le \|b_n^*\|^n$
In particular, with $\delta = 3/4$:
  $\|b_1\| \le 2^{(n-1)/2}\,\|b_n^*\|$
  $\|b_n^*\| \ge \det(L)^{1/n} / 2^{(n-1)/4}$
12 Early applications: knapsacks
The subset-sum problem (or knapsack problem) is: given integers $a_1, \ldots, a_n$ and $S$, find $\epsilon_1, \ldots, \epsilon_n$ with 0/1 values such that $S = \sum_{i=1}^n \epsilon_i a_i$.
NP-hard problem. Some cases are easy (e.g. $a_i = 2^{i-1}$).
13 Knapsack-based cryptosystems
Main idea: hide an easy knapsack in a hard-looking one. Example: Merkle-Hellman cryptosystem.
  Start from a super-increasing knapsack, where $a_i > \sum_{j=1}^{i-1} a_j$
  Choose $q > \sum_{i=1}^n a_i$ (prime for simplicity)
  Choose $r$, a random integer modulo $q$
  Form the new knapsack with $b_i = r\,a_{\pi(i)} \pmod q$
Encryption: compute $S = \sum_{i=1}^n \epsilon_i b_i$
Decryption: let $S_a = S\,r^{-1} \pmod q$ and solve the easy knapsack
Broken by Shamir at Crypto '82
14 Sketch of Shamir's attack
Assume $\pi$ is the identity (or guess $\pi(1), \pi(2), \pi(3), \pi(4)$). For simplicity, assume that $b_1$ and $b_2$ are coprime.
Let $c_3 = b_3 / b_2 \pmod{b_1}$ and $c_4 = b_4 / b_2 \pmod{b_1}$. Form the lattice spanned by the rows of
  $\begin{pmatrix} 1 & c_3 & c_4 \\ 0 & b_1 & 0 \\ 0 & 0 & b_1 \end{pmatrix}$
It contains all vectors $(\lambda b_2, \lambda b_3, \lambda b_4)$ modulo $b_1$.
Remark that $a_1 b_i - a_i b_1 = u_i\,q$ with $u_i$ small. This yields the short vector $(u_2, u_3, u_4)$.
15 Sketch of Shamir's attack (continued)
In particular: $a_1 / q = u_i / b_i \pmod{b_1}$. Let $\mu = u_i / b_i \pmod{b_1}$. We can now decrypt with the (mostly) equivalent key $(\mu, b_1)$.
16 Another approach to break Merkle-Hellman knapsack
Since the $a_i$ are super-increasing, $a_n$ has $2n$ bits; so do $q$ and all the $b_i$.
Define the density of a knapsack: $d = n / \log_2(\max_i a_i)$.
As a general rule: low density means easy to solve.
17 Basic low-density attack
Consider the lattice generated by the columns of a matrix whose first row is $(K a_1, K a_2, \ldots, K a_n, K S)$.
With $K$ large enough, LLL outputs a short vector with 0 on the first line, i.e. a short relation $\sum_{i=1}^n v_i a_i = S$. Is it the correct $\{0,1\}$ solution?
18 Basic low-density attack
Lagarias-Odlyzko (1985): correct solution when $d$ is below a constant bound (the value is not preserved in the transcription), assuming a shortest-lattice-vector oracle.
Surprisingly: works well in practice! With LLL bounds alone, one would need $d < O(1)/n$.
19 Improved low-density attacks
Consider the lattice generated by the columns of a matrix whose first row is $(K a_1, K a_2, \ldots, K a_n, K S)$ and whose last column continues with entries $1/2$. Improved bound $d <$ (value not preserved in the transcription).
20 Improved low-density attacks
Alternative lattice: first row $(K a_1, K a_2, \ldots, K a_n, K S)$, remaining entries $n$ and $n + 1$. Same bound. Useful when the number of 0s and 1s is unbalanced.
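Slides 13, 16 and 17-18 put together, as an added Python example (not code from the talk or from any library): a toy Merkle-Hellman key with the permutation $\pi$ taken as the identity, its density as defined on slide 16, and the basic low-density attack run with a plain textbook LLL over exact rationals. Assumptions beyond the slides: the lower block of the slide-17 matrix is the identity (the usual Lagarias-Odlyzko form, here written as rows rather than columns), $\delta = 0.99$ instead of $3/4$, and all parameters (super-increasing sequence, $r$, message) are constructed for the demonstration at sizes a pure-Python LLL handles in seconds.

```python
from fractions import Fraction
import math


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gram_schmidt(b):
    """bstar[i] = b_i^*, mu[i][j] = <b_i, b_j^*> / <b_j^*, b_j^*> (exact rationals)."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(b[i])
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL on the rows of `basis` (integer entries, exact arithmetic).
    Output satisfies |mu[i][j]| <= 1/2 and the Lovasz condition with parameter delta
    (the slides often take delta = 3/4; 0.99 reduces more strongly)."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            r = round(mu[k][j])
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                for i in range(j):
                    mu[k][i] -= r * mu[j][i]
                mu[k][j] -= r                     # b_k^* itself is unchanged
        # Lovasz: delta |b_{k-1}^*|^2 <= |b_k^*|^2 + mu^2 |b_{k-1}^*|^2
        lhs = dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)           # recompute after a swap (simple, not fast)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def next_prime(m):
    """Smallest prime above m (trial division; toy sizes only)."""
    m += 1
    while any(m % p == 0 for p in range(2, math.isqrt(m) + 1)):
        m += 1
    return m


def mh_keygen(n=10, r=65537):
    """Toy Merkle-Hellman key: constructed parameters, permutation pi = identity."""
    a = [5]                                  # super-increasing: a_{i+1} > 3 * sum(a_1..a_i)
    for i in range(1, n):
        a.append(3 * sum(a) + (7 * i) % 11)
    q = next_prime(sum(a))                   # q > sum of the a_i, prime for simplicity
    b = [(r * ai) % q for ai in a]           # public knapsack b_i = r a_i mod q
    return (a, q, r), b


def mh_encrypt(b, bits):
    return sum(bi for bi, e in zip(b, bits) if e)


def mh_decrypt(priv, S):
    a, q, r = priv
    s = S * pow(r, -1, q) % q                # S_a = S r^{-1} mod q: back to the easy knapsack
    bits = [0] * len(a)
    for i in reversed(range(len(a))):        # greedy works because a is super-increasing
        if s >= a[i]:
            bits[i], s = 1, s - a[i]
    return bits


def density(b):
    return len(b) / math.log2(max(b))


def low_density_attack(b, S):
    """Slide-17 lattice (rows: (K b_i, e_i) and (K S, 0...0)); returns the {0,1} solution or None."""
    n = len(b)
    K = 1 << (n + 2)                         # forces the first coordinate of short vectors to 0
    rows = [[K * b[i]] + [int(j == i) for j in range(n)] for i in range(n)]
    rows.append([K * S] + [0] * n)
    for v in lll(rows):
        for w in (v, [-x for x in v]):
            bits = w[1:]
            if w[0] == 0 and all(x in (0, 1) for x in bits) and any(bits) \
                    and mh_encrypt(b, bits) == S:
                return bits                  # "is it the correct {0,1} solution?" -- checked
    return None


if __name__ == "__main__":
    priv, pub = mh_keygen()
    msg = [1, 0, 0, 1, 0, 1, 0, 0, 1, 0]
    S = mh_encrypt(pub, msg)
    print("density %.3f, decrypt ok: %s" % (density(pub), mh_decrypt(priv, S) == msg))
    print("recovered from public key and ciphertext only:", low_density_attack(pub, S))
```

The public knapsack has roughly $2n$-bit entries, so its density sits near $1/2$, which is exactly the regime slide 16 flags as easy; the explicit re-encryption check at the end is what turns "a short relation" into "the correct solution".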
21 A note of caution
Despite these early successes: lattice reduction is hard.
In practice:
  Lattice reduction works very well in moderate dimension
  In higher dimension, many problems appear:
    Exponential gap between $\|b_1\|$ and the first minimum
    Instability problems
    Running time and performance greatly depend on the considered lattice
Would be nice to have attacks without oracles.
22 Knuth's truncated linear congruential generator
A classical pseudo-random generator defined from the sequence $x_{i+1} = a\,x_i + b \pmod q$; for simplicity, assume that $q$ is prime.
Write $x_i$ in binary as the concatenation $y_i\,z_i$ and output $y_i$ (an $\alpha$-fraction of the $k = \log_2 q$ bits).
Many attacks: most general by Stern (1987), later improved by Contini and Shparlinski.
23 Sketch of attack
First remark that $x_{i+1} - x_i = a^i (x_1 - x_0) \pmod q$.
If $\sum_{i=0}^d \alpha_i (x_{i+1} - x_i) = 0$ then, assuming $x_1 - x_0 \ne 0 \pmod q$, the polynomial $P(z) = \sum_{i=0}^d \alpha_i z^i$ has $a$ as a root modulo $q$.
24 Sketch of attack
Given two such polynomials $P_1$ and $P_2$: $q \mid \mathrm{Res}(P_1, P_2)$. With three polynomials, take the GCD of the resultants. It remains to construct such polynomials.
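The resultant step of slide 24, as an added Python example (not code from the talk): an exact Sylvester-matrix resultant, polynomials that share the root $a$ modulo $q$, and the GCD of pairwise resultants that pins down $q$. The polynomials here are built directly from a constructed $a$ and $q$ (as $(z-a)(z-c)$ reduced mod $q$), since obtaining them from truncated outputs is the subject of the following slides; the constant names are this example's own.

```python
from fractions import Fraction
from math import gcd

Q = 1000003        # constructed prime modulus of the toy generator
A = 424242         # constructed multiplier: the common root we want to expose


def sylvester(p, q):
    """Sylvester matrix of p and q, given as coefficient lists with the highest degree first."""
    m, n = len(p) - 1, len(q) - 1
    size = m + n
    rows = [[0] * i + list(p) + [0] * (size - m - 1 - i) for i in range(n)]
    rows += [[0] * i + list(q) + [0] * (size - n - 1 - i) for i in range(m)]
    return rows


def det(matrix):
    """Exact determinant by Gaussian elimination over the rationals."""
    a = [[Fraction(x) for x in row] for row in matrix]
    n, d = len(a), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c] != 0), None)
        if piv is None:
            return 0
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            d = -d
        d *= a[c][c]
        for r in range(c + 1, n):
            f = a[r][c] / a[c][c]
            a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return int(d)


def resultant(p, q):
    return det(sylvester(p, q))


def poly_with_root(a, c, q):
    """Monic quadratic (z - a)(z - c) with coefficients reduced mod q: it vanishes at a mod q."""
    return [1, (-(a + c)) % q, (a * c) % q]


def eval_mod(p, z, q):
    v = 0
    for coef in p:                 # Horner evaluation modulo q
        v = (v * z + coef) % q
    return v


def recover_modulus(polys):
    """GCD of all pairwise resultants; q divides it (slide 24 uses three polynomials)."""
    g = 0
    for i in range(len(polys)):
        for j in range(i + 1, len(polys)):
            g = gcd(g, resultant(polys[i], polys[j]))
    return g


if __name__ == "__main__":
    polys = [poly_with_root(A, c, Q) for c in (7, 11, 13)]
    g = recover_modulus(polys)
    print("q divides every resultant:", all(resultant(polys[0], p) % Q == 0 for p in polys[1:]))
    print("gcd of resultants =", g, "= q *", g // Q)
```

Over the integers the three quadratics are coprime, so each resultant is a non-zero multiple of $q$; the GCD may still carry a small cofactor, which is why the slide asks for more than two polynomials.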
25 Sketch of attack: Stern's construction of polynomials
First build the vectors $Y_i = (y_{i+1} - y_i,\ y_{i+2} - y_{i+1},\ \ldots,\ y_{i+t} - y_{i+t-1})$; we also use the notation $X_i$ and $Z_i$ for the analogous vectors built from the $x_i$ and $z_i$.
Search for a short zero linear combination $\sum_{i=1}^n \alpha_i Y_i = 0$.
Relations exist with $|\alpha_i| \le B$, where $B = 2^{t(\alpha k + \log n + 1)/(n - t)}$.
26 Sketch of attack: Stern's construction of polynomials
Classical use of lattice reduction: reduce the lattice generated by the columns of a matrix whose top block is $(K Y_1\ \ K Y_2\ \cdots\ K Y_n)$.
With LLL and $K = n\,2^{(n-1)/2} B$, the relation satisfies $\sum_{i=1}^n \alpha_i^2 \le K^2$.
27 Sketch of attack: Stern's construction of polynomials
Since $\sum_{i=1}^n \alpha_i Y_i = 0$, we have $\sum_{i=1}^n \alpha_i X_i = \sum_{i=1}^n \alpha_i Z_i$. Thus $\sum_{i=1}^n \alpha_i X_i$ is small. It also belongs to the lattice generated by the columns of
  $\begin{pmatrix} a & q & 0 & \cdots & 0 \\ a^2 & 0 & q & \cdots & 0 \\ \vdots & & & \ddots & \\ a^t & 0 & 0 & \cdots & q \end{pmatrix}$
No small non-zero vector in this lattice.
28 Sketch of attack: Stern's construction of polynomials
Thus $\sum_{i=1}^n \alpha_i X_i = 0$. As a consequence, the polynomial $\sum_{i=1}^n \alpha_i z^{i-1}$ admits $a$ as a root modulo $q$.
29 Coppersmith's small root algorithms
Modular version: solve the polynomial equation $f(x) = 0 \pmod N$. Easy when the factorization of $N$ is known; hard in general.
Bivariate version: find integral roots of $f(x, y) = 0$ (Diophantine equations). Hard in general.
30 Variant (for simplified analysis)
Search rational solutions; equivalently, consider homogeneous polynomials.
Modular version: solve $f(x_0, x_1) = 0 \pmod N$.
Bivariate version: find integral roots of $f(x_0, x_1, y_0, y_1) = 0$, homogeneous separately in $x$ and $y$.
31 A simple case (Howgrave-Graham's variation)
Search small solutions of $f(x_0, x_1) = a\,x_0^2 + b\,x_0 x_1 + c\,x_1^2 = 0 \pmod N$. W.l.o.g., we may assume $c = 1$.
Fix two parameters, $D$ and $t$. Consider homogeneous polynomials of degree $D$ with root $(x_0, x_1)$ modulo $N^t$, obtained by linearly combining
  $x_0^{D-2i} f(x_0, x_1)^i N^{\max(0, t-i)}$ and $x_0^{D-2i-1} x_1 f(x_0, x_1)^i N^{\max(0, t-i)}$.
32 A simple case
Use a monomial ordering with $x_1 > x_0$. The head monomial of $x_0^{D-2i-\theta} x_1^{\theta} f(x_0, x_1)^i N^{\max(0,t-i)}$ is $x_1^{2i+\theta} x_0^{D-2i-\theta}$ and has coefficient $N^{\max(0,t-i)}$.
Interpret polynomials as lattice points $([x_0^D], [x_0^{D-1} x_1], \ldots, [x_0 x_1^{D-1}], [x_1^D])$.
33 A simple case
Dimension of the lattice: $D + 1$. Determinant of the lattice: $N^{t(t+1)}$.
LLL produces a short vector of norm $\le 2^{D/4} N^{t(t+1)/(D+1)}$.
If $|x_0| \le B$ and $|x_1| \le B$, the corresponding polynomial evaluated at $(x_0, x_1)$ has absolute value less than $D\,2^{D/4} N^{t(t+1)/(D+1)} B^D$.
With $D = 2t$ and letting $t \to \infty$, assuming $B < N^{1/4 - \epsilon}$: $D\,2^{D/4} N^{t(t+1)/(D+1)} B^D < N^t$.
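The lattice of slides 31-33 built explicitly, as an added Python example (not code from the talk): the shifted polynomials as coefficient vectors, and checks of the three facts the slides state about them, namely dimension $D+1$, determinant $N^{t(t+1)}$ (the rows are triangular with respect to the head monomials, so the determinant is the product of the head coefficients), and that every row vanishes at $(x_0, x_1)$ modulo $N^t$. The reduction and root-recovery steps of slides 33-34 are not included. The modulus, the coefficient $a$ and the small root are constructed for the demonstration, with $b$ chosen so that $f(x_0, x_1) = 0 \pmod N$.

```python
from math import prod


def poly_mul(p, q):
    """Product of homogeneous polynomials in (x0, x1), stored as coefficient lists indexed by x1-degree."""
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] += pi * qj
    return out


def poly_pow(p, e):
    out = [1]
    for _ in range(e):
        out = poly_mul(out, p)
    return out


def evaluate(p, x0, x1, modulus=None):
    """Value of sum_j p[j] * x0^(D-j) * x1^j with D = len(p) - 1, optionally reduced mod `modulus`."""
    D = len(p) - 1
    val = sum(c * x0 ** (D - j) * x1 ** j for j, c in enumerate(p))
    return val % modulus if modulus else val


def hg_lattice(f, N, t, D=None):
    """Rows x0^(D-2i-theta) x1^theta f^i N^max(0,t-i), theta in {0,1}, as degree-D coefficient
    vectors, i.e. the lattice points ([x0^D], [x0^(D-1) x1], ..., [x1^D]) of slides 31-32."""
    D = 2 * t if D is None else D
    rows = []
    for i in range(D // 2 + 1):
        fi = poly_pow(f, i)
        for theta in (0, 1):
            if 2 * i + theta > D:
                continue
            row = [0] * (D + 1)
            for j, c in enumerate(fi):        # multiplying by x1^theta shifts the x1-degree by theta
                row[j + theta] = c * N ** max(0, t - i)
            rows.append(row)
    return rows


def head_index(row):
    """x1-degree of the head monomial (ordering x1 > x0): the last non-zero coefficient."""
    return max(j for j, c in enumerate(row) if c)


def lattice_determinant(rows):
    """Each x1-degree 2i+theta occurs exactly once, so the rows are triangular and the
    determinant is the product of the head coefficients N^max(0,t-i) (c = 1 keeps f^i monic)."""
    assert sorted(head_index(r) for r in rows) == list(range(len(rows)))
    return prod(r[head_index(r)] for r in rows)


# constructed instance: RSA-like modulus, small root (3, 5), b solved from f(3, 5) = 0 mod N
N = 1000003 * 999983
X0, X1 = 3, 5
COEF_A = 123456
COEF_B = (-(COEF_A * X0 * X0 + X1 * X1) * pow(X0 * X1, -1, N)) % N
F = [COEF_A, COEF_B, 1]                       # a x0^2 + b x0 x1 + x1^2


def check_construction(f=F, N=N, t=2, x0=X0, x1=X1):
    """Return (dimension, determinant == N^(t(t+1)), all rows vanish at the root mod N^t)."""
    rows = hg_lattice(f, N, t)
    return (len(rows),
            lattice_determinant(rows) == N ** (t * (t + 1)),
            all(evaluate(r, x0, x1, N ** t) == 0 for r in rows))


if __name__ == "__main__":
    print("f(x0, x1) mod N =", evaluate(F, X0, X1, N))
    print("dimension, det ok, root ok:", check_construction())
```

Because each row is $N^{\max(0,t-i)}$ times an $i$-th power of $f$, it is divisible by $N^{\max(i,\,t)}$ at the root, which is the reason the whole lattice, and hence any LLL output vector, vanishes there modulo $N^t$.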
34 End of the simple case
As a consequence, we get a polynomial $F$ with $F(x_0, x_1) = 0$ over $\mathbb{Z}$. Dehomogenizing, we find $F_a(x_0 / x_1) = 0$; solve over $\mathbb{R}$ and recover $x_0$ and $x_1$ from the root $r$ using continued fractions.
For $f$ of degree $d$: works up to an $N^{1/2d}$ bound on $x_0$ and $x_1$.
35 Small root algorithms for integral solutions
Similar idea, but with scaling factors in the lattices. For univariate degree $d$, modulo $N$: bound $B < N^{1/d}$.
36 Happy Birthday Jacques