Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction

Transcription

1 Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction Shinya Okumura Institute of Systems, Information Technologies and Nanotechnologies This is a joint work with Jintai Ding, Momonari Kudo, Tsuyoshi Takagi, Chengdong Tao * ƚ ǂ Department of Mathematics, University of Cincinnati Graduate School of Mathematics, Kyushu University Institute of Mathematics for Industry, Kyushu University South China University of Technology

2 Outline 1. Introduction 2. Brief review of DEC 3. Our attack against DEC 4. Weighted LLL reduction 5. Experimental results on our attack 6. Conclusion

3 1. Introduction Outline

4 1. Introduction Aim: Cryptanalysis of a candidate of post-quantum cryptosystems based on Diophantine equations [1](DEC) [1] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pacific Journal of Mathematics for Industry, Vol. 7 (4), pp , Springer, (2015).

5 1. Introduction Aim: Cryptanalysis of a candidate of post-quantum cryptosystems based on Diophantine equations [1](DEC) Why is post-quantum cryptography (PQC) important now? 1. PKCs used widely will be broken by quantum computers [2] 2. Resistance to quantum computers 3. Long-term security and small devices [1] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pacific Journal of Mathematics for Industry, Vol. 7 (4), pp , Springer, (2015). [2] P. W. Shor, Algorithms for Quantum Computation: Discrete Logarithms and Factoring, In: Proc. of SFCS 94, pp , IEEE Computer Society Washington, DC, USA, (1994).

6 1. Introduction Aim: Cryptanalysis of a candidate of post-quantum cryptosystems based on Diophantine equations [1](DEC) Why is post-quantum cryptography (PQC) important now? 1. PKCs used widely will be broken by quantum computers [2] 2. Resistance to quantum computers 3. Long-term security and small devices NSA and NIST announced their plans for transitioning to PQC (c.f. PQCrypto 2016: [1] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pacific Journal of Mathematics for Industry, Vol. 7 (4), pp , Springer, (2015). [2] P. W. Shor, Algorithms for Quantum Computation: Discrete Logarithms and Factoring, In: Proc. of SFCS 94, pp , IEEE Computer Society Washington, DC, USA, (1994).

7 Some projects on PQC have started. -PQC for long-term security: -JST, CREST CryptoMath:

8 Some projects on PQC have started. -PQC for long-term security: -JST, CREST CryptoMath: Desired properties for practical PQC 1. Based on NP-hard problem 2. Efficient implementation and High performance (efficient encryption/decryption and small key sizes)

9 Some projects on PQC have started. -PQC for long-term security: -JST, CREST CryptoMath: Desired properties for practical PQC 1. Based on NP-hard problem 2. Efficient implementation and High performance (efficient encryption/decryption and small key sizes) The Algebraic Surface Cryptosystem (ASC) [2] -A candidate of PQC -Small key sizes (about 500 bits for recommended parameters) -The one-wayness of ASC is broken [3]. [2] K. Akiyama, Y. Goto, H. Miyake, An Algebraic Surface Cryptosystem, In Proc. of PKC 09, LNCS, Vol. 5443, pp , Springer, (2009). [3] J. -C. Faugere, ሖ P. -J. Spaenlehauer, Algebraic Cryptanalysis of the PKC'2009 Algebraic Surface Cryptosystem, In: Proc. of PKC'10, LNCS, Vol. 6056, pp , Springer, (2010).

10 ASC: based on Diophantine problem/f p t DEC: I. based on Diophantine problem/z and an analogue of ASC II. A candidate of PQC III. Expected to have resistance to all attacks against ASC Ⅳ. Small public key size (1, 200 bits for 128 bit security)

11 ASC: based on Diophantine problem/f p t DEC: I. based on Diophantine problem/z and an analogue of ASC II. A candidate of PQC III. Expected to have resistance to all attacks against ASC Ⅳ. Small public key size (1, 200 bits for 128 bit security) About 4 times smaller than NTRU s public key size [4] [4] A draft of the report on post-quantum cryptography NISTIR 8105, available at draft.pdf.

12 ASC: based on Diophantine problem/f p t DEC: I. based on Diophantine problem/z and an analogue of ASC II. A candidate of PQC III. Expected to have resistance to all attacks against ASC Ⅳ. Small public key size (1, 200 bits for 128 bit security) About 4 times smaller than NTRU s public key size [4] Diophantine problem/z Given: f x 1,, x n Z[x 1,, x n ] Find: a 1,, a n Z s.t. f a 1,, a n = 0 if such integers exist (f x 1,, x n = 0 : Diophantine equation) The solvability of f = 0 cannot be tested in general [5] II, IV [4] A draft of the report on post-quantum cryptography NISTIR 8105, available at draft.pdf. [5] M. Davis, Y. Matijasevic, J. Robinson, Hilbert's tenth problem, Diophantine equations: positive aspects of a negative solution, Mathematical Developments Arising from Hilbert Problems, pp. 323{378, American Mathematical Society, Providence, RI., (1976).

13 Our attack Security of DEC Finding some relatively short vectors

14 Our attack Security of DEC Finding some relatively short vectors Most important vector: -Not shortest in a lattice of low rank (3-rank) Usual LLL algorithm -Bit length of each entry: unbalance, known LLL algorithm w.r.t. a weighted norm Called weighted LLL in our work

15 Our attack Security of DEC Finding some relatively short vectors Most important vector: -Not shortest in a lattice of low rank (3-rank) Usual LLL algorithm -Bit length of each entry: unbalance, known LLL algorithm w.r.t. a weighted norm Called weighted LLL in our work Remark -The weighted LLL is applied to attack ECDSA [6]. -The above two situations also occurred in [6]. -The weighted LLL is useful to find vectors with above two properties. [6] J. -C. Faugere, ሖ C. Goyet, G. Renault, Attacking (EC)DSA Given Only an Implicit Hint, In: Proc. of SAC 2012, LNCS, Vol. 7707, pp , Springer, (2013).

16 Outline 1. Introduction 2. Brief review of DEC

17 2. Brief review of DEC Key Generation Secret Key a 1,, a n Z n Public Key Encryption Idea for avoiding known attacks m Z[x 1,, x n ]: Plaintext N Z >0 : Random, large m Z[x 1,, x n ]: Twisted plaintext f, s j, r j Z[x 1,, x n ]: Random d, e Z >0 X Z[x 1,, x n ] s.t. X a 1,, a n d d = 0 F 1 = m + s 1 f + r 1 X F 2 = m + s 2 f + r 2 X F 3 = m + s 3 f + r 3 X Ciphertext Some necessary conditions are omitted.

18 Important Remarks (1) Bit length of each coefficient of X and s j are known. (2) Coefficients of X and s j are much smaller than those of others.

19 Outline 1. Introduction 2. Brief review of DEC 3. Our attack against DEC

20 Outline 3. Our attack against DEC Ciphertext of DEC: F i = m + s i f + r i X (i = 1, 2, 3) (X: public key) Goal: Find m Step 1: Find s i s i s i+1. Step 2: Find f satisfying F 1 F 1 F 2 = s 1 f + r 1 X, F 2 F 2 F 3 = s 2 f + r 2 X. (r i r i r i+1 ) Step 3: Find the correct s 1 and m.

21 Outline Step 1: Find s i s i s i+1. Step 2: Find f satisfying 3. Our attack against DEC Ciphertext of DEC: F i = m + s i f + r i X (i = 1, 2, 3) (X: public key) Goal: Find m Step 3: Find the correct s 1 and m. The weighted LLL is applied. We focus on Step 1 in this talk. F 1 F 1 F 2 = s 1 f + r 1 X, F 2 F 2 F 3 = s 2 f + r 2 X. (r i r i r i+1 )

22 More details of Step 1 g s 2 r 1 s 1 r 2 r i r i r i+1 Coefficients: unknown (variables) s 2 F 1 s 1 F 2 = g X, Linear system xa = 0. L Ker A = u Z m ua = 0 s 1, s 2, g ( s 1, s 2, g : vector consisting of coefficients of s i and g)

23 More details of Step 1 g s 2 r 1 s 1 r 2 r i r i r i+1 Coefficients: unknown (variables) s 2 F 1 s 1 F 2 = g X, Linear system xa = 0. L Ker A = u Z m ua = 0 s 1, s 2, g ( s 1, s 2, g : vector consisting of coefficients of s i and g) 1. Vectors s 1 and s 2 are not shortest in a lattice of low rank. 2. Bit length of each entry of s 1 and s 2 is almost known. Key point

24 Outline 1. Introduction 2. Brief review of DEC 3. Our attack against DEC 4. Weighted LLL reduction

25 4. Weighted LLL reduction Usual norms used in LLL reduction : p-norms p 1 p a 1,, a n p a p a p 1 p n 1 p < a 1,, a n max a i a 1,, a n R n i Definition Let w = w 1,, w n R n >0. The weighted norm w for the weight w is defined as follows: a 1,, a n w = w 1 a 1,, w n a n 2 a 1,, a n R n. Definition Weighted LLL algorithm for w R n >0 is the LLL algorithm w.r.t. w.

26 Toy example (An instance of step 1 of our attack) L: Lattice with basis u 1, u 2, u 3 : u 1 u 2 u 3 = Goal: Find a = 189, 1193, , 194, 14633, L Case of usual LLL reduction u 1, u 2, u 3 LLL u 1,LLL, u 2,LLL, u 3,LLL u 1,LLL u 2,LLL u 3,LLL =

27 Observation The rank of L is 3. The LLL algorithm finds shortest vector with high probability. However, max i u i,lll p < a p for 1 p Our target a is not shortest.

28 Observation The rank of L is 3. The LLL algorithm finds shortest vector with high probability. However, max i u i,lll p < a p for 1 p Our target a is not shortest. Case of weighted LLL reduction Assumption : Bit length of each entry of our target a is known. A weight w R 6 >0 is determined appropriately. a: shortest in L w.r.t. w

29 189, 1193, , 194, 14633, Small Small Large Small Small Large Weight : Large Large Small Large Large Small Vectors with small 1-2nd/4-5th entries and large 3rd/6th entries become shorter compared to other vectors.

30 189, 1193, , 194, 14633, Small Small Large Small Small Large Weight : Large Large Small Large Large Small w = Vectors with small 1-2nd/4-5th entries and large 3rd/6th entries become shorter compared to other vectors. 2 log , 2 log , 2 log , 2 log , 2 log = 2 23, 2 21, 2 1, 2 23, 2 17, 2 1 The assumption allows us to determine w., 2 1

31 189, 1193, , 194, 14633, Small Small Large Small Small Large Weight : Large Large Small Large Large Small w = Vectors with small 1-2nd/4-5th entries and large 3rd/6th entries become shorter compared to other vectors. 2 log , 2 log , 2 log , 2 log , 2 log = 2 23, 2 21, 2 1, 2 23, 2 17, 2 1 The assumption allows us to determine w., 2 1 u 1, u 2, u 3 Weighted LLL u 1,w_LLL, u 2,w_LLL, u 3,w_LLL Target vector! u 1,w_LLL u 2,w_LLL u 3,w_LLL =

32 Outline 1. Introduction 2. Brief review of DEC 3. Our attack against DEC 4. Weighted LLL reduction 5. Experimental results on our attack

33 PC 5. Experimental results on our attack CPU: 2.60GHz CPU (Intel Corei5) OS: Mac OS X 64 bit Memory: 16GB Software: Magma V2.21-3

34 Expermental results on our attack for recommended parameters Recommended parameters (128 bit security) Total degree of Public keys X Number of monomials of X Maximum sizes of coefficients of X except its constant and maximal terms (bit) Experimental results Number of successes of our attack / 100 Method for lattice reduction is Step 1 Usual LLL Step 1 Step 3 Ave. Time (sec) Weighted LLL Step 1 Step 3 Ave. Time (sec)

35 Outline 1. Introduction 2. Brief review of DEC 3. Our attack against DEC 4. Weighted LLL reduction 5. Experimental results on our attack 6. Conclusion

36 6. Conclusion 1. We proposed an attack against DEC. 2. We use three weakness of DEC: Three polynomials are used as a ciphertext. Coefficients of some polynomials are much smaller compared to those of other polynomials. Bit length of each coefficient of some polynomials is known. 3. The success probability of our attack is about 20~30%.