The Cryptanalysis of a New Public-Key Cryptosystem based on Modular Knapsacks

Transcription

1 The Cryptanalysis of a New Pblic-Key Cryptosystem based on Modlar Knapsacks Yeow Meng Chee Antoine Jox National Compter Systems DMI-GRECC Center for Information Technology 45 re d Ulm 73 Science Park Drive, S Paris Cedex 5 REPUBLIC OF SINGAPORE FRANCE yeowmeng@itivax.bitnet jox@dmi.ens.fr Jacqes Stern DMI-GRECC 45 re d Ulm 7523 Paris Cedex 5 FRANCE stern@dmi.ens.fr Abstract At the 199 EroCrypt Conference, Niemi proposed a new pblic-key cryptosystem based on modlar knapsacks. Y.M. Chee in Singapore, A. Jox and J. Stern in Paris independently fond that this cryptosystem is insecre. Or two cryptanalytic methods are slightly different, bt they are both based on the LLL algorithm. This is one more example of a cryptosystem that can be broken sing this powerfl algorithm. 1 Introdction Let p be a prime and denote by Z/pZ the field of integers modlo p. Unless otherwise stated, all vectors shall be assmed to be colmn vectors. The MODULAR KNAPSACK problem is defined as follows: MODULAR KNAPSACKS INSTANCE: A prime p, a matrix E (Z/pZ) n m and a vector c (Z/pZ) n. QUESTION: Is there a vector x {, 1} m sch that Ex = c over Z/pZ? The MODULAR KNAPSACK problem is a decision problem that is NP-complete in the strong sense, even nder the restriction m = 2n [Nie91]. The related NP-hard algorithmic problem is considered here: Find a vector x {, 1} m that satisfies Ex = c over Z/pZ when one exists. At the 199 EroCrypt Conference, Niemi proposed a new pblic-key cryptosystem

2 based on this problem [Nie91]. Y.M. Chee in Singapore, A. Jox and J. Stern in Paris independently discovered that this cryptosystem is insecre. The prpose of this paper is to present or cryptanalysis on Niemi s cryptosystem. Or attacks are based on the LLL algorithm [LLL82]. This is one more example of a cryptosystem that can be broken sing this powerfl algorithm (see [Adl83, Ste87, ST91]). 2 The Proposed Cryptosystem We briefly review Niemi s pblic-key cryptosystem in this section. The basic idea is a notion of absolte vales in Z/pZ. The absolte vale g of g Z/pZ is the minimm of the least non-negative resides modlo p of the two integers g and g. We call g k-small if g k and g k-large if g p/2 k. We typically speak of small and large nmbers, ths leaving k nfixed. The constrction of the cryptosystem is as follows. Fix a prime p, and positive integers n and k p. We randomly select matrices C, D, S (Z/pZ) n n with k-small entries, a non-singlar matrix R (Z/pZ) n n, and a diagonal matrix (Z/pZ) n n with k-large entries. The pblic information is p and the n 2n matrix E = ( A B ), where A = R 1 ( SC), (1) B = R 1 SD. (2) The private key is R. The matrices C, D, S, and shold also be kept secret bt they are not needed after the initial constrction. The message space is M = { x {, 1} 2n}, and the ciphertext space is C = {c (Z/pZ) n }. The encryption fnction is E : M C defined by E(x) = Ex, arithmetic being done modlo p. To decrypt a ciphertext c, we compte l = Rc. From (1) and (2) we can show that ( ) x = l + S ( C D ) x. Since the entries of C, D, and S are k-small and x {, 1} 2n, the entries of S ( C D ) x shold be small as well. Hence, i,i x i = l i + α i for some small α i, 1 i n. It follows that or decryption rle is: {, if li is small; x i = 1, if l i is large; for 1 i n. The bits x i, n+1 i 2n can be obtained by solving the matrix eqation Bx (2) = c Ax (1), where x (1) = (x 1,..., x n ) T and x (2) = (x n+1,..., x 2n ) T. This can easily be done since we have n eqations in n nknowns.

3 The decryption rle for x i, 1 i n, does not always yield the correct plain bits since its correctness depends on the size of the entries of S ( C D ) x. Niemi restricts himself to the case S = I, where I denotes the identity matrix, and claims that in this case, the sfficient condition to ensre correct decryption is p > 4kn. Niemi also claims that k = 1 is a good choice. In the seqel, we show how the plaintext can be recovered from the ciphertext withot the knowledge of the secret key R. 3 The Cryptanalytic Principle An integer lattice L of dimension m is an additive sbgrop of Z n that contains m linearly independent vectors over R n (hence m n). An ordered basis (v 1,..., v m ) of a lattice L of dimension m is a list of elements of L sch that L = Zv 1 Zv 2 Zv m. We represent an ordered basis of an m-dimensional lattice L by the n m basis matrix V = ( v 1 v 2 v m ), whose colmns are the basis vectors. A lattice with basis matrix V is simply denoted by L(V ). The main idea behind the attacks we are going to describe is the following. It is well-known that the LLL algorithm [LLL82] is a polynomial time algorithm designed to find a short (non-zero) vector in an integer lattice. More precisely, if the dimension of the lattice is n, then the LLL algorithm can find a vector in the lattice whose length is no more than 2 (n 1)/2 times the length of the shortest vector in the lattice. In particlar, if the length of the shortest vector in the lattice is 2 (n 1)/2 times smaller than that of the other vectors, then the LLL algorithm will find the shortest vector. In practice, the LLL algorithm is mch more effective and finds vectors whose lengths are mch smaller than that garanteed by the theoretical bond; and other algorithms exist, that are even more powerfl [ScE91]. In or attacks, we transform the problem of finding the plaintext to that of finding short vectors in certain lattices. Then we show that the short vector is mch shorter than the average short vectors. This gives heristical evidence that the short vector can be fond in polynomial time.

4 4 The Attack of Y.M. Chee An observer of Niemi s cryptosystem who sees a ciphertext c, and has knowledge of pblic information p and E, can recover the corresponding plaintext by solving for a vector x {, 1} 2n in the matrix eqation Ex = c over Z/pZ. The eqivalent problem over Z is to find x {, 1} 2n sch that for some y Z n. ( E pi ) x = c, (3) y I Lemma 4.1 Let L be the lattice with basis matrix V =. Then M = λc for M c some λ Z if and only if L. Proof: The lattice L contains a vector and integral vector v sch that ( I = M c ) ( v = λ if and only if there exist some integer λ v Mv λc ) M = λc. It is easy to see that Lemma 4.1 implies that solving for( x ){, 1} n satisfying (3) for some y Z n is eqivalent to finding a vector of the form, first 2n components of being either or 1, in the lattice L with basis matrix I E pi c sch that the first 2n components of constittes a ({, ) 1}-vector x satisfying Ex = c. Since the first 2n components of is either or 1, is a reasonably short vector

5 in L. Given an ordered basis of a lattice, the LLL algorithm comptes another ordered basis, containing relatively short vectors, for the lattice. This new ordered basis is called a redced ( basis. ) Or hope is that by rnning the LLL algorithm on the lattice L, the vector we are looking for appears in the redced basis. Unfortnately, becase the last n components of may be large, sch a vector is often too long to appear in any redced bases. In order to remedy this sitation, we adopt the following strategy. Let ɛ i,j = (,...,, 2 j 1 p,,..., ) T, }{{} i 1 for 1 i n. Then x {, 1} 2n satisfies (3) for some y Z n if and only if x satisfies x ( E ɛ 1,1 ɛ 1,j1 ɛ 2,1 ɛ 2,j2 ɛ n,1 ɛ n,jn ) = c, (4) y for some y Z j1+j2+ +jn, where j i > for all 1 i n. Let s i = 2n j=1 E i,j denote the sm of all entries in row i of E. It is easy to see that if we choose j i = log 2 (s i /p), 1 i n, then x satisfies (4) for some y {, ±1} j1+j2+ +jn. We now consider a new lattice with the (3n + n i=1 j 1) (2n n i=1 j i) basis matrix G = I E E c where E = ( ɛ 1,1 ɛ 1,j1 ɛ 2,1 ɛ 2,j2 ɛ( n,1 ) ɛ n,jn ). It follows from previos discssions that we are looking for a vector L(G) sch that its first n components consittes a {, 1}-vector x satisfying Ex = c. There exists sch a vector whose components are either, or ±1. This short vector very often appears in the redced basis of L(G).

6 5 The Attack of A. Jox and J. Stern Given a ciphertext c and pblic information p and E, we choose a large scaling factor λ and define: λc λe λpi H = I Lemma 5.1 If x Z 2n satisfies (3) for some y Z n, then lattice L(H). 1 is a vector in the x Proof: The lattice L(H) contains the vector λc λe λpi 1 1 λc λex + λpy x = 1. I y x By the hypothesis of the lemma, c Ex + py =. Hence 1 is a vector in L(H). x As a conseqence of Lemma 5.1, we see that if x {, 1} 2n is the plaintext corresponding to a ciphertext c, then v(x) = fact, 1 is a short vector in the lattice L(H). In x v(x) 2 = x n + 1. Let s now discss the other short vectors in L(H). Since λ is large, the first n components of the first vector of the redced basis for L(H) will almost srely all be zero. A random vector of this form has average length n(p 2 1). This shows that with p = 4kn, v(x) is approximately 2kn 2 times shorter than an average vector with first n components all zero. This provides heristical evidence that the vector v(x) appears

7 in the redced basis for L(H) with high probability. It is also interesting to remark that there are other vectors which may provide a decryption of c, since they increase the probability of finding x. Let s explain informally what these vectors are, and why they are sefl. First, we can say that smming p a few small nmbers gives a small nmber (with a different constant k of corse) and that smming p a few large nmbers can give either a small nmber or a large nmber, depending on the parity of the nmber of nmbers we sm p. Ths, if we obtain in the redced basis a short vector of the form µ, where µ is a small odd nmber, we can write E(µx x ) = and ths, x if µx x is small enogh, we can infer that the first n components of this vector are all even, and therefore that the first n components of x and x have the same parity. 6 Conclsion The previos sections gave heristical and nmerical evidence that Niemi s proposed pblic-key cryptosystem is not secre. We wold like to remark that it gets less and less secre. The reason for this is that a recent improvement of attacks against low-density knapsacks [CLJ91] can be sed to improve the attacks described here. The idea is to replace the identity part of the basis matrices as described in [CLJ91]. We plan to carry ot systematic experiments with this improved version. Acknowledgement. The first named athor wold like to thank K. H. Lim for helpfl discssions. References [Adl83] [CLJ91] [LLL82] L. Adleman. On Breaking the Iterated Merkle-Hellman Pblic Key Cryptosystem, in: Advances in Cryptology, Proceedings of CRYPTO 82, Plenm Press, New York, 1983, A. J. Coster, B. LaMacchia, A. Jox, A. Odlyzko, C. P. Schnorr and J. Stern. Improved Low-Density Sbset Sm Algorithms, to appear. A. K. Lenstra, H. W. Lenstra Jr. and L. Lovász. Factoring Polynomials with Rational Coefficients, Mathematische Annalen 261 (1982),

8 [Nie91] [ScE91] [Sha82] [Ste87] [ST91] V. Niemi. A New Trapdoor in Knapsacks, in: Advances in Cryptology, Proceedings of EUROCRYPT 9, Lectre Notes in Compter Science 473, Springer-Verlag, Berlin, 1991, C. P. Schnorr, M. Echner. Lattice Basis Redction: Improved Practical Algorithms and Solving Sbset Sm Problems. to appear in: Proceedings of the FCT 91, Springer Lectre Notes in Compter Science. A. Shamir. A Polynomial-Time Algorithm for Breaking the Basic Merkle- Hellman Cryptosystem, in: Proceedings of the 23rd IEEE Symposim on Fondations of Compter Science, IEEE, New York, 1982, J. Stern. Secret Linear Congrential Generators are Not Cryptographically Secre, in: Proceedings of the 28th IEEE Symposim on Fondations of Compter Science, IEEE, New York, 1987, J. Stern and P. Toffin. Cryptanalysis of a Pblic-Key Cryptosystem Based on Approximations by Rational Nmbers, in: Advances in Cryptology, Proceedings of EUROCRYPT 9, Lectre Notes in Compter Science 473, Springer- Verlag, Berlin, 1991,