Cryptanalysis of Pseudorandom Generators

Transcription

1 CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we consider the construction of seudorandom generators. We recall that a seudorandom generator is a rogram G(x) (comutable in deterministic olynomial time) that mas bitstrings x {0, 1} n to longer strings G(x) {0, 1} m such that, if x is chosen uniformly at random and ket secret, then the outut G(x) will look random to any efficient observer or adversary. We will formally define secure seudorandom generators later on. But, for now, we will use the minimal security requirement that given G(x), it should be comutationally hard to recover the secret seed x. We consider two oular tyes of generators: subset-sum generators and linear congruential generators. For simlicity, in both cases, we consider a generalized definition of generator where the inut x and outut G(x) are not necessarily bitstrings, but elements of some arbitrary set. We will assume that the secret seed x is chosen uniformly at random from a set of size aroximately 2 n, so that mounting an exhaustive search attack on the seed would take exonential time. The task of the generator is to stretch this relatively short random seed into a olynomially longer string, e.g., an element from a set of size roughly 2 n2. Subset-Sum Generator Let be a rime of size log 2 n 2, and a 1,..., a n Z be chosen uniformly at random. The arameters, a 1,..., a n are made ublic, and known to everybody. You can think of these arameters as art of the rogram that comutes G. The inut to the generator is a sequence of n bits (x 1,..., x n ) {0, 1} n. The outut is G(x) = i a i x i (mod ). Notice that the outut is reresented by log 2 n 2 bits. So, the generator stretches n-bits to roughly n 2 bits. You can think of the outut G(x) as the sum (modulo ) of a random subset I = {i: x i = 1} of the values a 1,..., a n, hence the name subset-sum. The subset-sum roblem asks, given a 1,..., a n and target value b, recover a subset I (or its indicator vector x) that adds u to G(x) = b. Subsetsum is a famous NP-hard roblem, so one may hoe that recovering x from b is indeed comutationally hard, and cannot be solved much faster than an exonential time exhaustive search. Truncated Linear Congruential Generator (LCG) Here we consider another oular tye of generators based on linear recurrence relations. The oularity of the generator is due to its simlicity, and variants of this generator were used for some time as the standard seudorandom generator for the Unix oerating system.

2 As before, we first choose random ublic arameters. Let be a rime with log 2 n bits, and choose a, b Z uniformly at random. The values, a, b are made ublic and hardwired in the rogram comuting the generator. The inut to the generator is a value x Z, reresentable with log 2 n bits. This value defines a sequence according to the recurrence relation 1. x 0 = x 2. x i+1 = a x i + b (mod ) for i = 1, 2,.... Of course, roducing x 0,..., x as the outut of G would be insecure, because it would reveal the secret x 0. (Omitting x 0, and starting the outut with x 1 would hardly make any difference because the secret seed can still be recovered as x = (x 1 b)/a (mod ).) In order to rotect the seed x, the generator G will outut only a ortion of the bits from each x i. For examle, G may outut only the n/10 least significant bits y i = x i mod 2 n/10. (Here we are imlicitly assuming n is a multile of 10. Alternatively, one can round n/10 to an integer.) In order to stretch the n inut bits x to a sequence of n 2 bits, the generator comutes a sequence of length k = 10n, and oututs G(x) = (y 0,..., y ). Since each y i is n/10 bits, the outut of G has length k (n/10) = n 2. In summary, for some arameter δ [0, 1]: The inut to the generator is a value x Z, reresentable with log 2 n bits. The outut of the generator is G(x) = (y 0,..., y ) where y i = x i mod 2 δn is obtained by truncating the values roduced by the linear congruential recurrence x 0 = x, x i+1 = ax i + b mod. 1 Lattices Neither generator (LCG or subsetsum) is trivially insecure. In fact, both tyes of generators, for some values of the arameters, have been (or may still be) used in ractice. However, we will see that both generators can be comletely broken using lattices. This may be surrising at first because neither generator makes exlicit use of lattices, and demonstrates how lattices are owerful combinatorial objects that can be used to attack a variety of seemingly unrelated roblems. So, the first question to answer is: where is the hidden lattice, and what lattice roblem is relevant to the crytanalysis roblem? We will see that in both cases the relevant lattice roblem is the Closest Vector Problem. Definition 1 The closest vector roblem (CVP), given a lattice basis B and a target vector t, asks to find the lattice oint Bx closest to the target, i.e., find an integer vector x such that Bx t is minimized.

3 In general, as we will see, CVP is an NP-hard roblem. So, we have little hoe to efficiently solve this roblem in its full generality. However, in ractice one often needs to solve only a secial variant of this roblem, where the target is known to be close to the lattice. Definition 2 The Bounded Distance Decoding roblem (α-bdd), given a lattice basis B and a target vector t such that dist(t, L(B)) αλ 1 (L(B)), asks to find a lattice oint Bx such that dist(t, Bx) αλ 1 (L(B)). In the above definition dist(t, L(B)) = min{ t Bx : x Z n } is the distance between the target and the closest lattice oint, and λ 1 (L(B)) = min{ Bx : x Z \ {0}} is the minimum distance of the lattice. Tyically, α is very close to 0, making the target very close to the lattice, comared to the distance between lattice oints. Notice than as soon as α < 1/2, the solution to BDD is necessarily unique, as for any two solutions x, y, their difference x y is a lattice vector of length at most x y x t + t y 2αλ 1 < λ 1. So, by definition of λ 1 it must be x y = 0, i.e., x = y are the same solution. Later in the course we will show that the LLL basis reduction algorithm allows to solve α-bdd in olynomial time when α = 2 (n 1)/2 is exonentially small in the lattice dimension n. 2 Crytanalysis of LCG First thing to do is to set u an aroriate lattice. Let, a, b be the ublicly known arameters, and, for any seed x, define the sequence x 0,..., x where x 0 = x and x i = ax i 1 + b (mod ) for i = 1,..., k 1. By solving the recurrence we see that x i = a i x + b i (mod ) for b i = b j<i aj (mod ). (The exact exression for b i is not really relevant. All that matters is that each b i can be easily comuted from the ublic arameters a, b,.) Write each x i as x i = z i 2 u + y i, where u is the number of bits outut by the generator from each x i, z i = x i /2 u < /2 u and y i = x i mod 2 u. The outut of the generator can be written as y = y 0,..., y. In vector notation ax + b = 2 u z + y (mod ) where a = (1, a, a 2,..., a ) (mod ), b = (b 0,..., b ), and y are known, and z is an unknown vector with relatively small entries z i [0, /2 u ). To fix some arameters, let n = log 2 be the bitsize of the modulus, and assume u = δ n for some (small) constant 0 < δ < 1. Let k be the number of oututs the attacker takes from the generator. At the end of the roof, we discuss aroriate choices of k for which the attacker can recover the seed with high robability.

4 Consider the integer lattice Λ a generated by the basis 1 a B = a 2 t = 2 u (y b) (mod ).... a and the target vector t. We remark that in the definition of t, the value 2 u should be interreted as the inverse of 2 u in Z, so that the target vector has integer coordinates. Note that k, the number of generator oututs, becomes the dimension of the lattice. First, we claim that the target t is close to the lattice. In fact, if we multily the first basis vector by by 2 u x (mod ) and using the other basis vectors for reduction modulo gives a(2 u x) = 2 u (2 u z + (y b)) = z + t (mod ) which is at distance z k(/2 u ) = µ from the target t. If the minimum distance of the lattice Λ is much larger than µ, then this is an instance of the BDD roblem, and can be efficiently solved by lattice aroximation algorithms. We conclude the analysis by showing that if a is chosen uniformly at random, then λ(λ) is much larger than µ (say, by a factor γ > 1) with very high robability. We will see that BDD can be solved in olynomial time when γ is exonential in the dimension of the lattice. Since B defines a k-dimensional lattice, we may set γ = 2. All vectors in Λ a equal c a (mod ) for some integer c. So, the shortest nonzero vector in Λ a can be obtained by icking an integer c 0 (mod ), and then bringing all coordinates of c a in the range ( /2, /2) by reduction modulo. Let A be the set of all a s such that there is a c Z for which c a i (mod ) γµ for all i = 0,..., k 1. (When taking the absolute value of a number modulo, we always assume that the number has been reduced to the interval ( /2, /2).) Note that a A is a necessary but insufficient condition for λ(λ) < γµ. Certainly, if any comonent of the shortest vector satisfies c a i (mod ) > γµ, then the length of the vector will be greater than γµ. So a / A imlies λ(λ) > γµ. But even if no comonent is longer than γµ, it may turn out that the vector is still longer than this value. We will show that satisfying even this relaxed condition is imrobable by bounding the size of A. To this end, we claim that all a A are the root of a nonzero olynomial m(a) = 0 (mod ) with small coefficients. Lemma 3 For any a A there is a nonzero olynomial q Z [x] of degree less than k with coefficients q i β = (kγµ) 1/() such that q(a) = 0. Proof. Fix an a A and let c 0 (mod ) be an integer such that c a i (mod ) γµ for all i < k. Let M be the set of all olynomials m(x) Z [x] with coefficients m i β/2. Notice that for any m(x) M we have c m(a) (mod ) = i c m i a i (mod ) i m i (mod ) c a i (mod ) β 2 kγµ.

5 So, cm(a) (mod ) ranges over a set { βkγµ/2,..., βkγµ/2} of size at most βkγµ + 1. Since M has size (β + 1) k > β k + 1 = (kγµ) k/() + 1 = βkγµ + 1, by the igeonhole rincile, there must be two distinct olynomials m(x), ˆm(x) M such that c m(a) = c ˆm(a) (mod ). Dividing by c and subtracting gives a nonzero olynomial q(x) = (m ˆm)(x) with coefficients q i (mod ) β, such that (m ˆm)(a) = 0 (mod ). The number of nonzero olynomials of degree < k with coefficients bounded by β is (2β + 1) k 1, and each one of them has at most k 1 roots. Therefore, the set A has size at most A (k 1)(2β + 1) k < k(3β) k. So, the robability that Λ a has a nonzero vector of length bounded by γµ is at most Pr a {λ(λ a ) γµ} A k(3β)k = k3k (kγµ) k/() = k3k (k2 k(/2 u )) k/() = k3k (k 3 2 (2 )(2 u )) k/() = k3k k 3 2 k 2 ()( k ) k () 2 u k = 6k k ( 3 k 2 )+1 1 () 2 δn k This exression, though comlicated, informs the attacker of how to choose k. Setting k = 1 results in an exression with no sensible interretation, so k 2, in which case we can simlify the inequality: Pr a {λ(λ a ) γµ} 6k k ( 3 k 2 )+1 1 () 2 δn k 6k k 4 1 () 2 δn k Note that so the quantity 1/() has less than n + 1 bits. Note also that as k increases, the denominator aroaches 2 δn, which has δn + 1 bits. Thus, the attacker should ick n k so that + 1 < δn + 1, or k 1 > 1, to ensure that the numerator has fewer bits δ than the denominator. In fact, k needs to be a bit larger than this to offset the additional contributions of 6 k and k 4, and then a bit more to ensure the robability is low. Setting k = 2/δ is sufficient to result in a failure robability that is exonentially small in the security arameter n, in which case the attack is almost certain to succeed. 3 Crytanalysis of the Subset-Sum generator Let be a rime of length log 2 = n 2, and a = (a 1,..., a n ) Z n be chosen uniformly at random. These values are ublic and known to the attacker. The Subset-Sum generator, on inut a uniformly random string x = (x 1,..., x n ) {0, 1} n, oututs b = G(x) = i a ix i (mod ) Z. Given the ublic arameters, a and outut b we set u the following lattice and target

6 vector: B = C Ca 1... Ca n t = where C is a large constant to be determined. Clearly, there is a lattice vector B(c, x) = (Cb, 2x) within distance n from the target. We will rove that the minimum distance of the lattice Λ a generated by B is much larger than that (say, by an exonential factor γ = 2 n/2,) so, this is an instance of the BDD roblem, and it can be easily solved using lattice reduction algorithms. We set C = γ n, so that all lattice vectors of length bounded by C = γ n must have the form (0, z) for some z C. We consider the set Z of all nonzero integer vectors z of length z C. For each z Z, (0, z) is a lattice vector if and only if i a iz i = 0 (mod ). But, when the a i are chosen uniformly at random and z 0, the value i a iz i is uniformly distributed in Z. So, (0, z) is a lattice vector with robability 1/. By union bound, the robability (over the choice of a) that there is a short vector is Cb 1. 1 Pr a {λ(λ a ) C} Z (2C + 1)n 1 2 n/2. So, the failure robability is exonentially small. 4 Conclusion We have seen how the crytanalysis of different tyes of seudorandom generators reduces to the bounded distance decoding (BDD) roblem, a variant of the closest vector roblem (CVP) on oint lattices. In the case of the truncated LCG generators, we have seen that even stretching the seed by a small constant factor allows to recover the seed by solving a lattice roblem in constant dimension k = O(1/δ). In the case of subset-sum, we used an n-dimensional lattice, where n is the security arameter of the seudorandom generator. The attack works when the generator oututs more than n 2 bits. Performing a similar attack on subset-sum generators with smaller outut (say, O(n) bits), is closely related to finding better solutions to lattice roblems. In fact, we will see that subset-sum can be quite a fine roblem to build crytograhic functions if used roerly. Both attacks illustrate a common feature of lattice algorithms when alied in crytograhy: both for the linear congruential generator, and the subset-sum generator, the attack we described is not guaranteed to work for any inut. Rather, it works with high robability when run on a randomly selected roblem instance. This makes erfect sense in crytograhy, where keys are chosen at random, and define a robability distribution on roblem instances. Knowing that a roblem is easy or hard in the average case, tells you if your randomly chosen key can or cannot be cracked. Notice how both crytanalysis roblems defined a certain (natural) distribution on lattices, and we roved that the relevant lattice

7 roblem could be solved with high robability when the lattice is chosen according to that distribution. Average case comlexity is relevant not only in crytanalysis, but also in most ractical setting, when the inut distribution is known. For this reason, we will be rimarily interested in the average case comlexity of lattice roblems.