Diophantine equations via weighted LLL algorithm

Transcription

1 Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory Seminar 1 st September, Kyushu University, JAPAN This is a joint work with Jintai Ding, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao.

2 Contents 1. Introduction This talk is based on the paper Jintai Ding, Momonari Kudo, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao, Cryptanalysis of a public key ctyptosystem based on Diophantine equations via weighted LLL reduction, IACR Cryptology eprint Archive 2015/1229, A short paper version has been accepted by the refereed-international conference IWSEC 2016, and it will be published.

3 1-1. Diophantine equations and Cryptography Diophantine Problem / Q For a given f Z x 1,, x n, find a 1,, a n Q n s.t. f(a 1,, a n ) = 0. In general, there is no algorithm to test Diophantine equations for solvability in Z [1]. apply Some cryptographic protocols based on the difficulty of solving Diophantine Equations have been proposed as Post-Quantum Cryptosystems (PQC). Q. How secure are these cryptosystems? [1] M. Davis, Y. Matijasevi c and J. Robinson, Hilbert s tenth problem, Diophantine equations: positive aspects of a negative solution, In: Mathematical Developments Arising from Hilbert Problem Browder, F.E.(ed.) AMS, Providence, RI., pp (1976).

4 1-2. Previous Works E.g. A public key cryptosystem [2] in 1995 Key exchange protocols [3, 4, 5] in Algebraic Surface Cryptosystem (ASC09) by Akiyama, Goto, Miyake [6] in 2009 Impractical In 2010, ASC09 has been broken by the ideal decomposition attack [7] via Grӧbner basis theory. [2] C. H. Lin, C. C. Chang, R. C. T. Lee, A new public-key cipher system based upon the diophantine equations, IEEE Trans. Comp. 44, (1995). [3] A. Bérczes, L. Hajdu, N. Hirata-Kohno, T. Kovács, A. Pethö, A key exchange protocol based on Diophantine equations and S-integers, JSIAM Letters Vol.6, (2014). [4] N. Hirata-Kohno, A. Pethӧ, On a key exchange protocol based on Diophantine equations, Infocommunications Journal 5, (2013). [5] H. Yosh, The key exchange cryptosystem used with higher order Diophantine equations, IJNSA Journal 3, (2011). [6] K. Akiyama, Y. Goto, H. Miyake, Algebraic Surface Cryptosystem, In : Proceedings of PKC'09, Lecture Notes in Comput. Sci., 5443, (2009). [7] J. -C. Faugere, P. -J. Spaenlehauer, Algebraic Cryptanalysis of the PKC'2009 Algebraic Surface Cryptosystem, In: Proceedings of PKC'10, Lecture Notes in Comput. Sci., 6056, (2010).

5 1-3. Previous Works A public key cryptosystem [2] in 1995 Key exchange protocols [3, 4, 5] in Algebraic Surface Cryptosystem (ASC09) by Akiyama, Goto, Miyake [6] in 2009 Impractical In 2010, ASC09 has been broken by the ideal decomposition attack [7] via Grӧbner basis theory. Okumura [Oku15] proposed in 2015 a new public key cryptosystem as an analogue of ASC: A public key Cryptosystem based on Diophantine Equations of degree increasing type (DEC). Expected to have resistance against the ideal decomposition attack (and other attacks). [Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pac. Journal of Math. for Industry, 7 (4), pp (2015).

6 1-4. Our Problem Okumura [Oku15] proposed in 2015 a new public key cryptosystem as an analogue of ASC: Function field Number field Section finding problem Diophantine problem Algebraic Surface Cryptosystem (ASC) Broken by the ideal decomposition attack Diophantine Equation Cryptosystem (DEC) What s new : ``twisting plaintext (to avoid the ideal decomposition attack) A public key Cryptosystem based on Diophantine Equations of degree increasing type (DEC). Expected to have resistance against the ideal decomposition attack (and other attacks), and to be one of PQC. Q. How secure is DEC? [Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pac. Journal of Math. for Industry, 7 (4), pp (2015).

7 1-5. Our Main Contribution We call it ``weighted LLL algorithm. Apply a variant of the LLL algorithm to the cryptanalysis. Break the one-wayness of instances of DEC via weighted LLL.

8 Contents 1. Introduction 2. Overview of DEC 3. Cryptanalysis of DEC via the weighted LLL algorithm 4. Complexity Analysis and Experimental Results 5. Summary

9 2-1. DEC scheme To simplify the notation, assume n = 2 throughout this talk. Public key Secret key d, e Z >0, X Z[x, y] with certain conditions (a, b) Z 2 s.t. X a d, b d = 0. Plaintext polynomial m Z[x, y] ``twist m by e, N Z Encrypt Ciphertext (3 polynomials and N Z) F 1 = m + s 1 f + r 1 X F 2 = m + s 2 f + r 2 X F 3 = m + s 3 f + r 3 X Crucial Remark (1) The sets of the monomials of X, m, m, f, s j, r j are same and known. (2) The bit length of the coefficients of X, m, m, f, s j, r j are known. (3) The coefficients of s j, X are much smaller than those of the others. some randomness N, f, s j, r j

10 2-2. Notation For a polynomial f x, y = c i,j x i y j Z x, y {0}, define 1. c i,j f : = c i,j. Non-zero coefficient of the monomial x i y j in f 2. f: = (c i1,j 1 f,, c iq,j q f ). The vector consisting of all the non-zero coefficients of f, with (i 1, j 1 ) (i q, j q ) : lexicographical order Bold style

11 2-3. Toy Example of DEC (Key Generation) λ : security parameter (In this example, λ 4) Public key d = 5 e = 15 X = 25x 3 4y Z[x, y] Secret key a, b = (46,64) Z 2 chosen so that gcd ab, d = 1, gcd e, φ(d) = 1, (φ : Euler s function) X a d, b d = 0, 2 λ 2λ+1 d max{ a, b } < d, φ(d) φ(d) Remark [Oku15] suggests λ = 128. d 2 λ 2, e λ λ +1 deg X. 2

12 2-4. Toy Example of DEC (Encryption) Plaintext (polynomial) m = 3x 3 + 3y + 3 Encryption 1 < c i,j m < d, gcd c i,j m, d = 1. Step 1. Twist the plaintext m Choose an N Z >0 s.t. Nd > 2 λ max i,j c i,j X. N = (Nd = ) Put c i,j m c i,j m e (mod Nd). c 3,0 m 3 15 (mod ) m: = 55787x y = Recall X = 25x 3 4y d = 5 e = 15

13 2-5. Toy Example of DEC (Encryption) Step 2. Choose some polynomials Recall uniformly at random. X = 25x 3 4y f = x y s 1 = 28x 3 + 4y , s 2 = 26x 3 + 7y , s 3 = 28x 3 + 5y , Crucial Remark s j : very short r 1 = x y , r 2 = x y , r 3 = x y f, s j, r j are chosen so that certain conditions hold. e.g. the coefficients of s j and X have the same bit sizes.

14 2-6. Toy Example of DEC (Encryption) Step 3. Make a ciphertext (polynomials) Put F 1 m + s 1 f + r 1 X, F 2 m + s 2 f + r 2 X, F 3 m + s 3 f + r 3 X, F 1 = x x 3 y x y y , F 2 = x x 3 y x y y , Send (F 1, F 2, F 3, N). F 3 = x x 3 y x y y Remark 1 One can decrypt the ciphertext as in Sections 3.4 and 3.5 of [Oku15]. In this talk we omit the decryption process. Remark 2 We mention the recommended (and estimated) parameter size later.

15 Contents 1. Introduction 2. Overview of DEC 3. Cryptanalysis of DEC via the weighted LLL algorithm 4. Complexity Analysis and Experimental Results 5. Summary

16 3-1. Idea of Our Attack Ciphertext (3 polynomials) F 1 = m + s 1 f + r 1 X F 2 = m + s 2 f + r 2 X F 3 = m + s 3 f + r 3 X X, F 1, F 2, F 3 : known m, f, s j, r j : unknown Crucial Remark (1) The sets of the monomials of X, m, m, f, s j, r j are same and known. (2) The bit length of the coefficients of X, m, m, f, s j, r j are known. (3) The coefficients of s j, X are much smaller than those of the others.

17 3-2. Idea of Our Attack Ciphertext (3 polynomials) F 1 = m + s 1 f + r 1 X F 2 = m + s 2 f + r 2 X F 3 = m + s 3 f + r 3 X X, F 1, F 2, F 3 : known m, f, s j, r j : unknown Put F 1 F 1 F 2, F 2 F 2 F 3, s 1 s 1 s 2, s 2 s 2 s 3, r 1 r 1 r 2, r 2 r 2 r 3. From the above equalities s 2 F 1 s 1 F 2 = g X, where g s 2 r 1 s 1 r 2.

18 3-3. Idea of Our Attack F 1 F 1 F 2, F 2 F 2 F 3, s 1 s 1 s 2, s 2 s 2 s 3, r 1 r 1 r 2, r 2 r 2 r 3. s 2 F 1 s 1 F 2 = g X, where g s 2 r 1 s 1 r 2. X, F 1, F 2 : known s j, g : unknown However, the monomials of s 1, s 2, g are known. First step of our attack is to find s 1, s 2. Regarding the unknown coefficients of s 1, s 2, g as indeterminates derives a linear system over Z.

19 3-4. Outline of Our Attack It is sufficient for breaking DEC to find m. Step 1. Step 2. Find s 1 s 1 s 2 and s 2 s 2 s 3 by the weighted LLL. Find f satisfying F 1 = s 1 f + r 1 X, F 2 = s 2 f + r 2 X by using s 1 and s 2 obtained in Step 1. We fix such f. Focus on Step 1 in this talk. Step 3. Find s 1 by Babai s nearest plane algorithm. After that, recover m by linear algebra technique and modular arithmetic. In each step, we obtain a linear system by comparing the coefficients of L.H.S and those of R.H.S.

20 3-5. SVP and LLL algorithm LLL alg. is an algorithm to (approximately) solve the SVP: Definition (Shortest Vector Problem). Given: B = {b 1,, b n } ; a basis of a lattice L R m ; a norm on R m (typically the Euclidean norm is chosen) SVP is to find the shortest vector u L w.r.t., i.e., u w for all w L {0}.

21 3-6. SVP and LLL algorithm LLL alg. is an algorithm proposed in 1982 to (approximately) solve the SVP. In this talk, let us omit to describe its detail (see [8, 9]), but review some properties. LLL algorithm Input: a (ordered) basis A = {a 1,, a n } of a lattice L Q m, and a real number 1 4 < δ < 1 Output: an LLL-reduced basis B = {b 1,, b n } of L for the factor δ Remark: An LLL-reduced basis is defined as a sufficiently close to orthogonal basis for a lattice, see [8, 9] for details (1) B is LLL-reduced with δ = 3/4 b 1 < 2 (n 1)/2 min{ w : w L {0}} Note: In practice, LLL seeks the shortest vector with high probability for random lattices of low rank (2) LLL terminates in polynomial time for rank and dimension of the input lattice basis [8] A. K. Lenstra, H. W. Lenstra and L. Lovasz, Factoring polynomials with rational coefficients, In: Mathematische Annalen 261 (4), (1982). [9] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press (2012).

22 3-7. CVP and Babai s nearest plane algorithm Babai s nearest plane alg. is an algorithm to (approximately) solve the CVP: Definition (Closest Vector Problem). Given: B = {b 1,, b n } ; a basis of a lattice L R m v R m ; a vector in R m with v L ; a norm on R m (typically the Euclidean norm is chosen) CVP is to find the closest lattice point u L to v w.r.t., i.e., u v w v for all w L. b 1 b 2 v u

23 3-8. CVP and Babai s nearest plane algorithm Babai s nearest plane alg. is an algorithm to (approximately) solve the CVP. In this talk, let us omit to describe its detail (see [9, 10]), but review some properties. Babai s nearest plane algorithm (Babai NPA) Input: a basis B = {b 1,, b n } of a lattice L Z m, and v Span b 1,, b n Output: a vector u L b (1) B is LLL-reduced with δ = 3/4 1 v u < 2 n/2 v w for all w L Note: In practice, NPA outputs a lattice point very b 2 close to v for many cases (2) Babai NPA terminates in polynomial time for rank and dimension of the input lattice basis [9] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press (2012). [10] L. Babai, On Lovasz lattice reduction and the nearest lattice point problem, Combinatorica 6 (1), 1-13 (1986). Q m with v L u v

24 3-9. Detail of Step 1 In the following, we use blue symbols for unknown objects. s 2 F 1 s 1 F 2 = g X, where g s 2 r 1 s 1 r 2. The monomials with non-zero coefficients of s 1, s 2 and g are known. We obtain a linear system from. L 1 : the lattice defined as the nullspace of the system Clearly, s 1, s 2, g L 1. We can estimate the bit length of all entries of s 1 and s 2 from X.

25 3-10. Example In the previous example, F 1 = x x 3 y x y y , F 2 = x x 3 y x y y , F 3 = x x 3 y x y y F 1 = F 1 F 2 = x x 3 y x y y , F 2 = F 2 F 3 = x x 3 y x y y

26 3-11. Example s 2 F 1 s 1 F 2 = g X, where g s 2 r 1 s 1 r 2. Put s 1 c 1 x 3 + c 2 y + c 3, s 2 c 4 x 3 + c 5 y + c 6, g: = c 7 x 6 + c 8 x 3 y + c 9 x 3 + c 10 y 2 + c 11 y + c 12, X = 25x 3 4y (Public Key), F 1 = x x 3 y x y y , F 2 = x x 3 y x y y By ( ), c 1, c 2,, c 12 A = 0 ; linear system over Z

27 3-12. Example c 1, c 2,, c 12 A = 0 ; linear system L 1 Ker A = {u Z 12 ; ua = 0} Basis Matrix : c 1 c 2 c 3 c 4 c 5 c 6 c 7 c Cut s 1 c 1 x 3 + c 2 y + c 3, s 2 c 4 x 3 + c 5 y + c 6, g: = c 7 x 6 + c 8 x 3 y + c 9 x 3 + c 10 y 2 + c 11 y + c 12, Remark s 1, s 2 : very short. (s 1, s 2 ) : very short.

28 3-13. Recall (unknown objects) s 1 = 28x 3 + 4y , s 2 = 26x 3 + 7y , s 3 = 28x 3 + 5y , s 1 s 1 s 2 = 2x 3 3y , s 2 s 2 s 3 = 2x 3 + 2y , s s 1, s 2 = Remark The bit length of the entries of s can be estimated because known from the encryption process the bit length of the entries of s 1, s 2 are the same as those of a public key X.

29 3-14. Does the usual LLL work well? u 1 u 2 u 3 : = c 1 c 2 c 3 c 4 c 5 c s 1 c 1 x 3 + c 2 y + c 3 s 2 c 4 x 3 + c 5 y + c 6 L 1 u 1, u 2, u 3 Z Z 6 s : = (s 1, s 2 ) L 1 : very short. s = Shortest vector??

30 3-15. Does the usual LLL work well? u 1 u 2 u 3 : = c 1 c 2 c 3 c 4 c 5 c LLL s 1 c 1 x 3 + c 2 y + c 3 s 2 c 4 x 3 + c 5 y + c 6 L 1 u 1, u 2, u 3 Z Z 6 s : = (s 1, s 2 ) L 1 : very short. s = v 1 v 2 v 3 = Shortest vector?? No!

31 3-16. Why does the usual LLL work less? s (s 1, s 2 ) L 1 s = small small large? small small large? s is relatively short but not shortest (with unbalanced entries) because of the existence of certain large entries. Nevertheless, we predict s is a shortest vector ``in some sense. Apply a weighted norm instead of the Euclidean norm.

32 3-17. Idea of Weighted LLL Algorithm s (s 1, s 2 ) = small small large? small small large? Recall The coefficients of s j and X have the same bit sizes. The entries of s 1, s 2 and X have ``near (or the same) bit sizes. X = (25, 4, 19416) ; Public Key 25 Ratio : (absolute values) From this, set : : w: = 2 lg lg lg lg =

33 3-18. Idea of Weighted LLL Algorithm w = W W i : the diagonal matrix defined by W i = w i u 1 u 2 u 3 : = W u 1 W u 2 W u 3 W : =

34 3-19. Idea of Weighted LLL Algorithm w = W W i u 1 W u 2 W = u 3 W u 1 u 2 u 3 : the diagonal matrix defined by W i = w i : = LLL W 1 Just the same as s 1, s 2! u 1 W 1 u 2 W 1 u 3 W 1 =

35 3-20. Assumption of (s 1, s 2 ) What should we assume that (s 1, s 2 ) is, theoretically? Definition (weighted norm and weighted lattice). For a lattice L R m and a vector w = w 1,, w m define an weighted norm w for w as follows: R >0 m, we u w (u 1 w 1 ) 2 + (u m w m ) 2 (u L). Then w is a norm on L R m, and we call L a weighted lattice for w. We denote L by L w depending on the situation.

36 3-21. Assumption of (s 1, s 2 ) Lemma (shortest vectors with a weight). Let L w R m be a lattice with the weight w = w 1,, w m R m >0. We set W as the following diagonal matrix. w 1 0 W, f W R m R m ; x xw. 0 w m Then the following are equivalent for any x L w : 1. The vector x is a shortest vector in L w with respect to the norm w. 2. The vector xw is a shortest vector in Im(f W ) with respect to the Euclidean norm. From this, we may assume that (s 1, s 2 ) is a shortest vector in L 1 w w.r.t. the norm w.

37 3-22. Summary of Weighted LLL Target (3-rank case) s L 1 : relatively short vector with entries of unbalanced sizes. (not a shortest) L 1 u 1, u 2, u 3 Z ``Weighted LLL reduced basis u 1 W 1, u 2 W 1, u 3 W 1 of L 1 f W u uw. f W 1 : u u W 1. f W (L 1 ) = u 1 W, u 2 W, u 3 W Z LLL LLL reduced basis u 1, u 2, u 3 of f W (L 1 ) We generalize this method to an algorithm (let us omit to mention it precisely in this talk). The algorithm terminates in polynomial time w.r.t. the rank and the dimension of a lattice.

38 3-23. Outline of Our Attack It is sufficient for breaking DEC to find m. Step 1. Step 2. Find s 1 s 1 s 2 and s 2 s 2 s 3 by the weighted LLL. Find f satisfying F 1 = s 1 f + r 1 X, F 2 = s 2 f + r 2 X by using s 1 and s 2 obtained in Step 1. We fix such f. Focused on Step 1 in this talk. Step 3. Find s 1 by Babai s nearest plane algorithm. After that, recover m by linear algebra technique and modular arithmetic. In each step, we obtain a linear system by comparing the coefficients of L.H.S and those of R.H.S.

39 Contents 1. Introduction 2. Overview of DEC 3. Cryptanalysis of DEC via the weighted LLL algorithm 4. Complexity Analysis and Experimental Results 5. Summary

40 4-1. Complexity of Our Algorithm Parameters : λ and w deg X Main Computation Computation common to all steps Step 1 Weighted LLL Solving linear systems (by Hermite Normal form) Step 2 LLL Arithmetic over Z[x 1, x n ] Step 3 (dominant) Babai nearest plane with LLL Modular arithmetic Under certain assumptions*, Considering the seize of ciphertext, Theorem w should not be so large. The worst case total bit complexity of our attack algorithm is O(w 11 λ 2 + w 5 λ 3 ). Consequently, the attack performs in polynomial time for λ and w. *e.g. assume that the coefficient explosion does not happen in computation of HNF.

41 4-2. Experimental Results 1 Table 1* : Results of our attack for the parameters suggested in [Oku15] with n = 3 and λ = 128 w {term of X} Success Times Average Time (seconds) Step 1 Step 2 Step Step 1 : More than 70 % by weighted LLL Break the one way-ness of instances almost 30 % in practical time. It is sufficiently high probability for cryptanalysis. *EV: Magma V , Windows 8.1 Pro OS 64 bit GHz CPU (Intel Core i5) and 8 GB memory

42 4-3. Experimental Results 2 Table 2* : Results in the case of increasing w (with n = 3 and λ = 128) w {term of X} Average Time (seconds) Size of Secret Key (bit) Size of Public key (bit) Size of Ciphertext (bit) Required time is expected to be more shorter than the estimated complexity. The computation of HNF, estimated to be most expensive, does not take much time because the coefficient matrices obtained in our attack are sparse in many cases.

43 Contents 1. Introduction 2. Overview of DEC 3. Cryptanalysis of DEC via the weighted LLL algorithm 4. Complexity Analysis and Experimental Results 5. Summary

44 5-1. Summary DEC has resistance against recovering the secret key directly (difficulty of solving Diophantine equations). However, the one-wayness of the system is transformed to finding a relatively shorter but not a shortest vector in lattices of low ranks. Our experimental results show that our attack with the weighted LLL can find such vectors. As a consequence, the one-wayness of DEC can be broken with high probability in polynomial time for the parameters suggested in [Oku15].