Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012

Size: px

Start display at page:

Download "Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012"

Gervase Arnold
6 years ago
Views:

1 Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012 Manh Ha Nguyen Tokyo Institute of Technology Toshiyuki Isshiki 1,2 and Keisuke Tanaka 2 1 NEC Corporation 2 Tokyo Institute of Technology Session ID: CRYP-R35 Session Classification: Advanced

2 Public Key Encryption m m A pk B CT B B sk B 2 Presenter Logo

3 Forwarding m m A pk B CT B B sk B pk C CT C m C sk C 3 Presenter Logo

4 Proxy Re-Encryption (PRE) m A pk B CT B Proxy B m sk B pk C rk B C CT C C sk C 4 Presenter Logo

5 Proxy Re-Encryption (PRE) Types Bidirectional or Unidirectional Multi-hop or Single-hop This work: Unidirectional, Single-hop PRE 5 Presenter Logo

6 Our Results We present a definition of security against chosen-ciphertext attacks (CCA) for unidirectional, single-hop PRE Extended from previous works New PRE scheme with this security 6 Presenter Logo

7 Agenda Model of PRE Security Notions of PRE Proposed PRE Scheme Concluding Remarks 7 Presenter Logo

8 8 Model of PRE

9 Model of PRE Setup(1 k ) PP KGen(PP) (pk,sk) ReKey(PP,sk i,pk j ) rk i->j Enc 1 (PP,pk i,m) 1 st -CT i (first level) Enc 2 (PP,pk i,m) 2 nd -CT i (second level) ReEnc(PP, rk i->j,2 nd -CT i ) 1 st -CT j (first level) Dec 1 (PP,pk i,1 st -CT i ) m Dec 2 (PP,pk i,2 nd -CT i ) m 9 Presenter Logo

10 Model of PRE (second level) 2 nd -CT i ReEnc (first level) 1 st -CT j Setup(1 k ) PP KGen(PP) (pk,sk) ReEnc ReKey(PP,sk (first level) 1 i st,pk -CT j ) i rk i->j Enc 1 (PP,pk i,m) 1 st -CT i (first level) Enc 2 (PP,pk i,m) 2 nd -CT i (second level) ReEnc(PP, rk i->j,2 nd -CT i ) 1 st -CT j (first level) Dec 1 (PP,pk i,1 st -CT i ) m Dec 2 (PP,pk i,2 nd -CT i ) m 10 Presenter Logo

11 Summary of uni-pre Schemes Schemes IND-CCA Security of ReEnc RO-free Security of Second Level Ciphertext [AFGH06] CPA [LV08] RCCA [CWYD10] CCA [HMY+11] RCCA [CDL11] CCA [HKK+12] CCA Ours CCA 11 Presenter Logo

12 12 Security Notions of PRE

13 Security Notions of PRE Previous works Security of second level ciphertext Security of first level (E.g. [LV08], [CWYD10], [HKK+12], ) 13 Presenter Logo

14 Security Notions of PRE This work Security of second level ciphertext Security of original first level ciphertext Security of re-encrypted ciphertext 14 Presenter Logo

15 Security Notions of PRE This work Security of second level ciphertext (2nd-level-CCA security) Security of original first level ciphertext (1st-ori-CCA security) Security of re-encrypted ciphertext (1st-re-CCA security) 15 Presenter Logo

16 2nd-level-CCA Security Oracles O pk, O sk, O rk, O re, O dec1, O dec2 With some conditions!!! Output b pk i*,(m 0,m 1 ) 2 nd -CT* Oracles b {0,1} 2 nd -CT* Enc 2 (pk i*,m b ) 16 Presenter Logo

17 2nd-level-CCA Security Conditions: O sk (i*) is not allowed O rk (i*,j) is allowed if pk j is uncorrupted key If Adv issueso re (i,j,ct i ) oro dec1 (i,ct i ): (pk i, CT i ) can t be a derivative of (pk i, 2 nd -CT*) 17 Presenter Logo

t the restriction on the first level decryption queries The example

18 Extension from The Model of [HKK+12] Security of second level ciphertext The gap w.r.t the restriction on the first level decryption queries The example showing this gap in the proceedings is wrong, however, we can show the gap by other examples Security of first level ciphertext 18 Presenter Logo

19 1st-ori-CCA Security [CDL11] Oracles O pk, O sk, O rk, O re, O dec1, O dec2 Output b pk i*,(m 0,m 1 ) 1 st -CT* Oracles b {0,1} 1 st -CT* Enc 1 (pk i*,m b ) 19 Presenter Logo

20 1st-re-CCA Security [CDL11] Oracles O pk, O sk, O rk, O re, O dec1, O dec2 pk i,pk i*,(sct 0,sCT 1 ) 1 st -CT* sct 0 Enc 2 (pk i,m 0 ) sct 1 Enc 2 (pk i,m 1 ) Output b Oracles b {0,1} 1 st -CT* ReEnc 1 (rk i->i*,sct b ) 20 Presenter Logo

21 CCA-Security of first level ciphertext VS. 1st-ori-CCA Security 1st-re-CCA Security 21 Presenter Logo

22 CCA-Security of first level ciphertext 1 st -CT*=Enc 1 (pk i*,m b ) or ReEnc(rk i->i*,enc 2 (pk i,m b )) 22

23 CCA-Security of first level ciphertext 1 st -CT*=Enc 1 (pk i*,m b ) or ReEnc(rk i->i*,enc 2 (pk i,m b )) CCA-Security of first level ciphertext 23 1st-ori-CCA Security 1st-re-CCA Security

24 CCA-Security of first level ciphertext 1 st -CT*=Enc 1 (pk i*,m b ) or ReEnc(rk i->i*,enc 2 (pk i,m b )) If Adv both compromised delegator (sk i ) and proxy (rk i->i* ) then Adv may have obtained the original ciphertext 2 nd -CT b Enc 2 (pk i, m b ) and use sk i to decrypt trivially 24

25 CCA-Security of first level ciphertext 1st-re-CCA Security Secure Secure If Adv both compromised delegator (sk i ) and proxy (rk i->i* ) then Adv may have obtained the original ciphertext 2 nd -CT b Enc 2 (pk i, m b ) and use sk i to decrypt trivially 25

26 CCA-Security of first level ciphertext 1st-ori-CCA Security 1st-re-CCA Security 26

27 27 Proposed PRE Scheme

28 Introduction of Our Scheme Construction based on IND-CCA secure PKE scheme from CT-RSA 10 (Lai, Deng, Liu, and Kou) IND-CCA secure PKE scheme from PKC 07 (Kiltz) Properties 2nd-level-CCA 1st-ori-CCA 1st-re-CCA w/o Random Oracle Using bilinear maps 28 Presenter Logo

29 The Proposed Scheme (1/2) Setup(1 λ ): PP=(p,G,G T,g,g 1,h,u,v,d,u 1,v 1,d 1,e,H, TCR, TCR ). KGen: pk = (g x, g 1 x 2, g y ),sk = (x, y) ReKey(sk i,pk j ): rk i j = g 1 x 2 j /x i 29 Presenter Logo

30 The Proposed Scheme (2/2) Enc 2 (pk i,m): ReEnc : Check the validity of Compute CT i = (C 1,C 2,C 3,C 4,C 5 ), where C 1 = pk r i1,c 2 = h r,c 3 = e(g, g 1 ) r m,t = H(C 2,C 3 ), C 4 = (u t v s d),c 5 = s. (rk i j, pk i,ct i ) CT i CT j = (A, B,C),where C 6 = C R 1,C 7 = pk R i1,c 8 = rk 1/R i j,c T = C 2 C 3... C 8 A = g r t, t = TCR(A), B = (pk i,3 C SYM.Enc(H(pk r i,3 ),C T ) h) r, 30 Presenter Logo

31 Security of Our Scheme Theorem 1 Our scheme meets the 2nd-level-CCA security, assuming the hash function H is target collision resistant, the 6-AmDBDH assumption holds in groups (G, G T ), and the 2-AmCDH problem is hard. Theorem 2 Our scheme meets the 1st-ori-CCA and the 1st-re-CCA security, assuming the hash function TCR is target collision resistant, the GHDH problem is hard, and SYM is CCA-secure. 31 Presenter Logo

32 32 Concluding Remarks

33 Concluding Remarks We have present a CCA security definition for unidirectional, single-hop PRE Extended from previous works New PRE scheme with this security 33 Presenter Logo

34 Solving BDD by Enumeration: An Update Mingjie Liu 1, Phong Q.Nguyen 2 1 BICMR, Peking University and Tsinghua University 2 INRIA and Tsinghua University CT-RSA 2013

35 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion

36 BDD: Why Is Important Lattice is a discrete additive subgroup of R m BDD: Bounded Distance Decoding, a basic lattice problem, a special case of CVP (closest vector problem), the target vector very close to lattice

37 BDD: Why Is Important Lattice is a discrete additive subgroup of R m BDD: Bounded Distance Decoding, a basic lattice problem, a special case of CVP (closest vector problem), the target vector very close to lattice

38 BDD: Why Is Important Lattice is a discrete additive subgroup of R m BDD: Bounded Distance Decoding, a basic lattice problem, a special case of CVP (closest vector problem), the target vector very close to lattice t v

39 Lattice in Crypto Applications to cryptanalysis Lattice based schemes:ntru, GGH etc Non-lattice based schemes: knapsack, RSA, DSA, etc Cryptography Applications: hashing, encryption, signatures, identification, FHE, oblivious transfer, etc Crypto Functions Abstract Properties Average-case Problem: LWE, SIS

40 BDD: Why Is Important The security of most lattice-based encryption schemes relies on the hardness of BDD, such as LWE (Learning with error): one of the two average-case problems most of the provably-secure lattice-based constructions are based on Hidden number problem(hnp) DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5, What is the best algorithm for BDD?

41 Previous Work Babai s NearestPlane algorithm, Babai, 1985 NearestPlanes algorithm, Lindner and Peikert, 2011 Claimed that this was the best attack known on Search-LWE Embedding method, Kannan 1987 Heuristically reduces BDD to the unique-shortest vector problem The largest BDD cryptanalytic instances ever solved in practice using this method

42 Our Work Rephrasing NearestPlanes algorithm in the pruned-enumeration framework of Gama-Nguyen-Regev (GNR) Present a simple randomized variant. In the case of LWE, significantly better than the Lindner-Peikert attack the speedup can be as big as NPs Radom-NPs

43 Our Work Consider GNR pruned-enumeration algorithms to solve BDD: Provides even better attacks on Search-LWE The method of choice in practice for the general BDD case. Recover the DSA secret key from 2 3 least significant bits with 100 instances Lattice version of Bleichenbacher s celebrated chosen ciphertext attack [Ble98] on RSA-PKCS#1.5 encryption version 1.5, 1024bit, 80 dimension (Babai algorithm) 65 dimesion (Enumeration with pruning) GGH: the first partial secret-key recovery in dimensions and re-solved the 350-dimensional message-recovery challenge using much weaker lattice reduction

44 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion

45 BDD Problem Bounded Distance Decoding (BDD): Given a lattice and a target vector unusually close to the lattice, to find the closest lattice vector to the target What is the best algorithm for solving BDD in practice? Several parameters impact the answer, e.g. the dimension, the size and shape of the error.

46 LWE problem Search: find s Z n q, given noisy random inner product a 1, b 1 = a 1, s + e 1 mod q a 2, b 2 = a 2, s + e 2 mod q. Uniform a i Z n q, Gaussian error e i LWE is a BDD instance for the lattice Λ q (A) = {y Z m : y = sa mod q for s Z n q}

47 LWE problem Search: find s Z n q, given noisy random inner product a 1, b 1 a 2, b 2 a 3, b 3 Uniform a i Z n q, Gaussian error e i LWE is a BDD instance for the lattice Λ q (A) = {y Z m : y = sa mod q for s Z n q}

48 LWE problem Search: find s Z n q, given noisy random inner product.. m A t, b = A t s + e.. Uniform a i Z n q, Gaussian error e i LWE is a BDD instance for the lattice Λ q (A) = {y Z m : y = sa mod q for s Z n q}

49 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1

50 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1

51 αt 1 u 1 αt 2 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5

52 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1 αt 2 u 2

53 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1 αt 2 u 2 αt 3 u 3

54 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1 αt 2 u 2 αt 3 u 3 u 4 αt 4

55 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1 αt 2 u 2 αt 3 u 3 αt 5 u 5 u 4 αt 4

56 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt d αt 1 u 1 αt 2 u 2 u d... αt 3 u 3 αt 5 u 5 u 4 αt 4

57 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt d αt 1 u 1 αt 2 u 2... u d α αt 3 u 3 αt 5 u 5 u 4 αt 4

58 HNP Problem Can be reduced to :BDD problem in a d + 1-dimensional lattice target vectorµu = (u 1, u 2,..., u d, 0) q q q 0 1 t 1 t d 2 l+1 There exists a lattice vector h = (αt 1 + qh 1,..., αt d + qh d, α 2 l+1 ), such that h u d + 1 q 2 l+1 (1)

59 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion

60 Babai s NearestPlane Algorithm Gram-schmidt orthogonalization: Give n linearly independent vetors, GS constructs n orthogonal vectors span the same subspaces. b i = π i (b i ), where π i : orthogonal projection over span (b 1, b 2,..., b i 1 ) 1(B) 2(B) m-k+1(b) m(b)

61 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 2 b 1

62 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 2 * b 2 b 1

63 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 2 * b 2 b 1

64 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 b 1 b 2

65 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 b 2 * b 1 b 2

66 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 b 2 * b 1 b 2

67 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 b 2 * b 1 t b 2

68 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 v b 2 * b 1 v t b 2

69 Babai s Nearest Plane Algorithm The algorithm success error vector in P 1/2 (B ) When the error distribution is Gaussian with standard deviation s/ 2π, the success probability ( m i=1 erf b i ) π 2s

70 Babai s NearestPlane Algorithm Split the m-dimensional lattice as m 1-dimensional hyperplane Σ m 1 i=1 x ib i + kb m, project the target vector to the nearest one. Then solve the (m 1)-dimensional case. b 3 * b3 b 2 b 1

71 Babai s NearestPlane Algorithm Split the m-dimensional lattice as m 1-dimensional hyperplane Σ m 1 i=1 x ib i + kb m, project the target vector to the nearest one. Then solve the (m 1)-dimensional case. b 3 * b 3 * b3 b 2 b 1

72 Babai s NearestPlane Algorithm Split the m-dimensional lattice as m 1-dimensional hyperplane Σ m 1 i=1 x ib i + kb m, project the target vector to the nearest one. Then solve the (m 1)-dimensional case. t b 3 * b 3 * b3 b 2 b 1

73 Babai s NearestPlane Algorithm Split the m-dimensional lattice as m 1-dimensional hyperplane Σ m 1 i=1 x ib i + kb m, project the target vector to the nearest one. Then solve the (m 1)-dimensional case. t b 3 * b 3 * t b3 b 2 b 1

74 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion

75 The NearestPlanes Algorithm Choose d i 1 distinct planes in the i-th level These generalizations make P 1/2 (B ) wider in the direction of b i by a factor of d i Output a set of Πd i distinct lattice vectors in L(B), v t P 1/2 (DB ) where D is diagonal matrix with (d 1, d 2,..., d m ). ξ i (v t) d i b i /2 The success probability is m i=1 erf ( di b i π 2s Lindner and Peikert[LP11]: their algorithm is better for most parameters and success probability than the distinguisher of Micciancio and Regev[MR08] for LWE. ).

76 The NearestPlanes Algorithm b 3 * b3 b 2 b 1

77 The NearestPlanes Algorithm b 3 * b 3 * b3 b 2 b 1

78 The NearestPlanes Algorithm t b 3 * b 3 * b3 b 2 b 1

79 The NearestPlanes Algorithm t 1 t b 3 * b 3 * b3 b 2 b 1

80 The NearestPlanes Algorithm t 1 t b 3 * b 3 * t 2 b3 b 2 b 1

81 The NearestPlanes Algorithm t 1 t b 3 * b 3 * t 2 b3 b 2 t 3 b 1

82 The NearestPlanes Algorithm b 2 b 1

83 The NearestPlanes Algorithm t b 2 b 1

84 The NearestPlanes Algorithm v1 t b 2 b 1

85 The NearestPlanes Algorithm v 2 v1 t b 2 b 1

86 The NearestPlanes Algorithm v 2 v1 t b 2 v 3 b 1

87 The NearestPlanes Algorithm v 4 v 2 v1 t b 2 v 3 b 1

88 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion

89 Lattice Enumeration for CVP Both Babai s algorithm and NearestPlanes algorithm can be viewed as a pruned enumeration: ξ i (v t) b i /2 Vs ξ i(v t) d i b i /2 Outline of enumeration Step 1: Basis reduction Step 2: Enumerate all lattice vector v, v t R by project lattice. R is the expected length of error vector. Target vector t = Σ m i=1 t ib i, v = Σ m i=1 v ib i. π i (v t) R, i = 1,..., m π m (v t) R = v m (t m R b m, t m + R b m ) For each value of v m, π m 1 (v t) R implies that the integer v m 1 belongs to an interval of /small0length

90 Lattice Enumeration for CVP v m v m m (v-t) m (v-t) v m-1 v m-1 v m-1 v m-1 v m-1... m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) v m-2 v m-2 m-2 (v-t) m-2 (v-t)... v v v

91 Prunned Technique First proposed by Schnorr and Euchner 1994 First rigorous analysis: Gama, Nguyen, Regev, 2010 Cutting down branches to decrease the complexity at the cost of losing the solution. The success probability should be considered.

92 Prunned Technique Replace each inequality π m k+1 (v t) R by π m k+1 (v t) R k for each index k, where 0 < R 1 R 2 R m R. k Linear pruning R k = m R. Choosing the optimal bounding function is very helpful for finding the solution. Take dimension 3 as a example, the search range from a ball to a x1 2 R2 3 cylinder x1 2 + x2 2 R2 2 x1 2 + x2 2 + x2 3 R2 1 Algorithm Repeat the following: 1. Generate a reduced basis 2. Do pruned enumeration

93 Prunned Technique v m v m m (v-t) m (v-t) v m-1 v m-1 v m-1 v m-1 v m-1... m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) v m-2 v m-2 m-2 (v-t) m-2 (v-t)... v v v

94 Prunned Technique v m v m m (v-t) m (v-t) v m-1 v m-1 v m-1 v m-1 v m-1... m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) v m-2 v m-2 m-2 (v-t) m-2 (v-t)... v v v

95 Complexity of Enumeration The complexity of enumeration is, up to a polynomial factor, the number of lattice points in all projected lattices inside the enumeration range. By the Gaussian heuristic, this number should be Full enumeration : Σ 1 k m v k (R)/vol(π m k+1 (L)), where v k (R) is the volume of the k-dim ball of radius R. Pruning technique: Σ 1 k m vol(c R1,R 2,...,R k )/vol(π m k+1 (L)), where C R1,R 2,...,R k = {(x 1, x 2,..., x k ) R k, j k, j l=1 x2 l R 2 j }. Total cost = T redu+t Enum p succ (R 1,...,R m ) where T Redu is the basis reduction time, T Enum is the time for enumerating

96 Randomizing the NearestPlanes Algorithm Similar to pruning, we randomize the Nearestplanes algorithm by repeating several times the basic algorithm with different randomized reduced bases The numerical data from [LP11] is far from optimal:the running times of basis reduction and enumeration are not totally balanced

97 Numerical Comparison Our algorithm can get a better trade off. In the LWE parameters [LP11] consider, the comparison is following NearestPlanes Randomized-NP Log n q s δ red enum Cost δ red enum pro Cost Speedup

98 Numerical Comparison Our algorithm can get a better trade off. In the LWE parameters [LP11] consider, the comparison is following 200 NPs Radom-NPs

99 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion

100 Adapt Enumeration with Pruning to BDD Further improvement can be obtained by Pruned enumeration Previous: best algorithm for BDD is embedding method, our experiments show pruned enumeration performs better For SVP, the shortest vector is assumed uniformly distribute in the ball with radius R-expected length. For BDD, the shape of error affects the success probability, which make a theoretical analysis difficult. So compute this probability experimentally (by sampling) is essential

101 Application to LWE Bounding function: Linear, search R 2 = c expected length of error 2 Randomized-NP Linear Pruning Log n q s δ red enum pro Cost δ red enum pro f-redius Cost Speedup

102 Application to LWE Bounding function: Linear, search R 2 = c expected length of error NPs Linear-Pruning

103 Application to GGH Key recovery challenge: m BDD-instance with error vector chosen uniformly at random from [ 4,..., +3] m Dimension BKZ blocksize Bounding function linear linear linear optimized Estimated Nb of Nodes Average Nb of Nodes Success probability Nb of Success Table 1: Key-recovery for GGH Challenges

104 Application to GGH Message recovery challenge: In 1999 Nguyen showed it can be reduce to a BDD instance with error in { 1 2, 1 2 }m. Using the embedding method and BKZ 20 basis, he solved dimension 200,250 and 300 instances. For dimension 350, pruned-bkz with blocksize 60 is required. For dimension 350, we do enumerate with pruning to recover 350-dimension message A bounding function according to the error distribution. R 2 k = min{e(x k) + 3D(X k ), 1}R 2 m, E(X k ) = k m, D(X k) = Success probability 92% BKZ-20 basis Time: s in a single 3-Ghz Intel-Core2 core k(m k) m 2 ( m 2 +1).

105 Application to DSA Each DSA signature generation require the use of a one-time key k modulo q, where q is usually a 160-bit prime number. In 2002, Nguyen and Shparlinski showed that disclosing l bits of each one-time key k for several (message,signature) pair to recover the DSA secret key is a HNP problem = BDD instance They used embedding method to recover the DSA secret key in a few hours, given the l = 3 least significant bits of each one-time key for about 100 signatures, but the attack failed for l = 2. Enumeration with pruning: using BKZ-90 reduction[cn11] and linear pruning, l = 2 case, given about 100 signatures, 4185 seconds, success probability 23%

106 Application to DSA Choose the enumeration radius Here, the x-coordinate is the ratio between the (squared) enumeration radius and the (squared) expected length the error vector. The y-coordinate is log 2 (Number of enumeration nodes/success probability) 35.2 Total Cost Figure 1: Total cost for DSA

107 Conclusion Our work shows that any security estimate of BDD-based cryptosystems must take into account enumeration attacks NearestPlanes BDD algorithm [LP11] does not seem to offer any practical advantage over GNR pruning [GNR10], despite having appeared later. BDD enumeration can be practical even in high dimension like 350

108 Thank you for your attention!

Solving BDD by Enumeration: An Update

Solving BDD by Enumeration: An Update Mingjie Liu, Phong Q. Nguyen To cite this version: Mingjie Liu, Phong Q. Nguyen. Solving BDD by Enumeration: An Update. Ed Dawson. CT-RSA 2013 - The Cryptographers