Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences

Transcription

1 Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J. Bi, J-S. Coron, J-C. Faugère, P. Nguyen, G. Renault, R. Zeitoun Public Key Cryptography March, Buenos Aires, Argentina

2 1 Coppersmith s Method 2 Speeding up Coppersmith s Algorithm by Rounding 3 Speeding up Exhaustive Search by Chaining PKC / 27

3 Core Ideas of Rounding and Chaining Rounding: The problem: a f b Rather consider a/c instead of a. Chaining: f f f The problem: a 1 b 1, a 2 b 2, a 3 b 3,... Rather do a 1 f b 1, f (b 1 ) f b 2, f (b 2 ) f b 3,... Rounding and Chaining can also be combined. PKC / 27

4 Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. PKC / 27

5 Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. Coppersmith s Method (1996) Find small integer roots. PKC / 27

6 Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. Coppersmith s Theorem for the Univariate Modular case The solutions x 0 can be found in time poly (log N, δ) if: x 0 < N 1/δ. PKC / 27

7 Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. The problem is easy without the modulo N. Find a polynomial g such that g(x 0 ) = 0 over Z. PKC / 27

8 Applications in cryptology Cryptanalysis of RSA Factoring with high bits known. Coppersmith, Security proof of RSA-OAEP. Shoup, Equivalence: factoring / computing d. Coron, May, Stereotyped messages. Coppersmith, RSA Pseudorandom Generator Fischlin, Schnorr, Affine Padding. Coppersmith, Franklin, Patarin, Reiter, Polynomially related messages (Hastad). Coppersmith, Finding smooth numbers and Factoring. Boneh, Coppersmith in the wild. Bernstein et al., PKC / 27

9 About Coppersmith s Method Euclidean Lattices Find a new small polynomial equation LLL Reduction. A matter of Bound Coppersmith s bound x 0 < N 1/δ Exhaustive search. PKC / 27

10 About Coppersmith s Method Euclidean Lattices Find a new small polynomial equation LLL Reduction. A matter of Bound Coppersmith s bound x 0 < N 1/δ Exhaustive search. In practice The LLL-reduction can be costly. The exhaustive search can be prohibitive. PKC / 27

11 Rounding and Chaining LLL Our Approach Use structure to improve Coppersmith s method. Two Speedups: Rounding and Chaining Asymptotical speed-up of LLL-reduction: δ 2 log 9 N log 7 N Heuristic speed-up of the exhaustive search. Core Ideas of Rounding and Chaining Rounding: Apply LLL on a matrix with smaller coefficients Divide all coefficients in Coppersmith s matrix. Chaining: Reuse previous computation Apply a small transformation on the last reduced matrix. PKC / 27

12 Rounding and Chaining LLL Our Approach Use structure to improve Coppersmith s method. Two Speedups: Rounding and Chaining Asymptotical speed-up of LLL-reduction: δ 2 log 9 N log 7 N Heuristic speed-up of the exhaustive search. Timings for a typical instance ( log 2 (N) = 2048 and δ = 3) Original method: 4 years. Our new method: 2.6 days. PKC / 27

13 Coppersmith s Method (Howgrave-Graham) The problem: find all small integers x 0 s.t. f (x 0 ) 0 mod N. The idea: find a small polynomial g s.t. g(x 0 ) = 0 over Z. How to find the polynomial g: Family of Polynomials (with parameter h) B LLL B R g g(x 0 ) 0 mod N h 1 g(x 0 ) < N h 1 } g(x 0 ) = 0 over Z. PKC / 27

14 Complexity / Practical Results of Coppersmith s Method State-of-the-art Analysis Complexity using L 2 : O(log 9 (N)/δ 2 ). In practice, for log 2 (N) = 1024 and δ = 2 Upper bound for x Lattice Dimension n = hδ NA Size of elements in B (bits) NA Time for LLL (seconds) NA Remark: All tests were performed using Magma V [L 2 ] An LLL Algorithm with Quadratic Complexity. P. Q. Nguyen and D. Stehlé, SIAM J. of Computing, PKC / 27

15 Using Structure: A First Result State-of-the-art Analysis Complexity using L 2 : O(log 9 (N)/δ 2 ). New Preliminary Result Using Structure [1] Complexity using L 2 : O(log 8 (N)/δ). [1] An Upper Bound on the Average Number of Iterations of the LLL Algorithm. Hervé Daudé, Brigitte Vallée, PKC / 27

16 Speeding up Coppersmith s Algorithm by Rounding Use Coppersmith s matrix structure. PKC / 27

17 Speeding up Coppersmith s Algorithm by Rounding The idea: Perform computations with most significant bits A B A c B c PKC / 27

18 B = N h 1 XN h 1 Speeding up Coppersmith s Algorithm by Rounding... X δ 1 N h 1 a 0 N h 2... X δ N h 2 a 0 XN h 2... X δ+1 N h a 0 X δ 1 N h 2... X 2δ 1 N h Largest a δ X δ(h 1) a δ 0 X X δ(h 1) a δ 0 X δ X δh 1... Smallest Since X < N 1 δ, all diagonal elements lie between N h 2 and N h. PKC / 27

19 Speeding up Coppersmith s Algorithm by Rounding First step of rounding method Size-reduce B so that subdiagonal coefficients are smaller than diagonal coefficients. B = Size-Reduce(B) = b 1 < b 1 b 2 < b 1 < b 2 b 3 < b 1 < b 2 < b < b 1 < b 2 < b 3... b n PKC / 27

20 Speeding up Coppersmith s Algorithm by Rounding Second step of the rounding method Create a new rounded matrix B/c. Apply LLL on B/c B /c B/c LLL T, B/c R PKC / 27

21 Speeding up Coppersmith s Algorithm by Rounding Second step of the rounding method Create a new rounded matrix B/c. Apply LLL on B/c B /c B/c LLL T B/c PKC / 27

22 Speeding up Coppersmith s Algorithm by Rounding Second step of the rounding method Create a new rounded matrix B/c. Apply LLL on B/c : first vector of unimodular matrix is x. Compute v = xb and solve v over Z. B /c B/c LLL x T B/c ( x ) B = ( v ) PKC / 27

23 Complexity of Rounding Method Theorem: Rounding Method Complexity using L 2 : O(log 7 N). Remainder on Coppersmith s method complexity: State-of-the-art complexity: O(log 9 (N)/δ 2 ). New preliminary complexity: O(log 8 (N)/δ). PKC / 27

24 Timings with Rounding Improvement In practice, for log 2 (N) = 1024 and δ = 2 Upper bound for x Lattice Dimension NA Size of elements in B (bits) NA Size of elements in B/c NA Original LLL (seconds) NA Rounding LLL (seconds) NA Dim 77: Speed-up of 30. PKC / 27

25 Speeding up Exhaustive Search by Chaining Use hidden algebraic structure. PKC / 27

26 Exhaustive Search Performing exhaustive search Split the variable x into α and x. x α x The new variable is x. Perform an exhaustive search on α. PKC / 27

27 Exhaustive Search Coppersmith Matrices α = 0 α = 1 α = 2... α = 255 B 1 B 2... B 255 B 0... LLL-Reduced Matrices B R 0 B R 1 B R 2... B R 255 x 0... PKC / 27

28 Exhaustive Search Coppersmith Matrices α = 0 α = 1 α = 2... α = 255 B 1 B 2... B 255 B 0... Costly Costly Costly Costly LLL-Reduced Matrices B R 0 B R 1 B R 2... B R 255 x 0... PKC / 27

29 A New Exhaustive Search Scheme α = 0 α = 1 α = 2... B 0 B 1 P B 2 P... LLL-Reduced Matrices B R 0 B R 1 B R 2 PKC / 27

30 Transformation P is the Pascal Matrix Proposition The matrix B R i P is a basis for the case α = i + 1, where P = is the Lower Triangular Pascal Matrix. Consequence on B R i P Vectors in B R i P are close to the ones of B R i. PKC / 27

31 Combining Chaining and Rounding α = 0 α = 1 α = 2... B 0 B 1 P B 2 P... LLL-Reduced Matrices B R 0 B R 1 B R 2 x 0 PKC / 27

32 Combining Chaining and Rounding Chaining and Rounding Method Create a new rounded matrix B 1 /c. Apply LLL on matrix B 1 /c : Get T 1 and B 1 /c R. Compute B1 R = T 1 B 1. B 1 /c B 1 /c LLL T 1 B 1 /c T 1 B 1 = B R 1 PKC / 27

33 Complexity of Rounding+Chaining Method Heuristic: Rounding+Chaining Method Complexity using L 2 : O(log 7 N). Remark: Same complexity as for Rounding Method alone. PKC / 27

34 Timings with Rounding and Chaining Improvements In practice, for log 2 (N) = 1024 and δ = 2 Upper bound for x Lattice Dimension NA Original LLL (sec.) NA Rounding LLL (sec.) NA Rounding + Chaining (sec.) NA Dim 77: Speed-up of 300. PKC / 27

35 Conclusion/Perspectives Conclusion This work reduces: the complexity of performing LLL on Coppersmith matrix, the time of exhaustive search to reach Coppersmith bound. It allows to reach Coppersmith s bound. It is easy to implement. PKC / 27

36 Conclusion/Perspectives Conclusion This work reduces: the complexity of performing LLL on Coppersmith matrix, the time of exhaustive search to reach Coppersmith bound. It allows to reach Coppersmith s bound. It is easy to implement. Perspectives Generalization to the multivariate case (approximate gcd). Refine complexity for Chaining + Rounding method. PKC / 27