Applications of Lattice Reduction in Cryptography

Size: px

Start display at page:

Download "Applications of Lattice Reduction in Cryptography"

Malcolm Little
5 years ago
Views:

1 Applications of Lattice Reduction in Cryptography Abderrahmane Nitaj University of Caen Basse Normandie, France Kuala Lumpur, Malaysia, June 27, 2014 AK Q ËAÓ Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 1 / 42

2 Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 2 / 42

3 Multivariate linear equations Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 3 / 42

4 Multivariate linear equations Linear diophantine equation We want to solve x 1 e x n e n = S, for small values with max( x 1,, x n ) < X. We transform the equation x 1 e x n e n S = 0 using the matrix e e e 3 M(L) = e n S Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 4 / 42

5 Multivariate linear equations Linear diophantine equation From the matrix, we deduce the vectors b 1 = (1, 0, 0,, 0, e 1 ), b 2 = (0, 1, 0,, 0, e 2 ), b 3 = (0, 0, 1,, 0, e 3 ),... b n = (0, 0, 0,, 1, e n ), b n+1 = (0, 0, 0,, 0, S), Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 5 / 42

6 Multivariate linear equations Linear diophantine equation We have v 0 = x 1 b x n+1 b n+1 = (x 1, x 2,..., x n, x 1 e x n e n S). We define the lattice L := {v = a 1 b a n+1 b n+1 a i Z}. Then dim(l) = n + 1 and det(l) = S. We have v 0 = x x2 n nx 2 = X n. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 6 / 42

7 Multivariate linear equations Linear diophantine equation By applying the LLL algorithm to the lattice L, it outputs a basis (u 1,..., u n+1 ) such that u 1 2 n 4 det(l) 1 n+1. To find v 0 among the vectors (u 1,..., u n+1 ), we set Since det(l) = S, we get v 0 X n 2 n 4 det(l) 1 n+1. X 2 n 4 n S 1 n+1. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 7 / 42

8 Multivariate linear equations Linear diophantine equation Theorem Let x 1 e x n e n = S be a linear equation with max( x 1,, x n ) < X. If X 2 n 4 n S 1 n+1, then one can solve the equation in polynomial time. The LLL algorithm has been applied to break the knapsack cryptosystem. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 8 / 42

9 Multivariate linear equations Example Let 340x x x x 4 = 9138 be a linear equation with max( x 1,, x 4 ) < X. We have 2 n 4 n S 1 n , Set b 1 := [1, 0, 0, 0, 340]; b 2 := [0, 1, 0, 0, 257]; b 3 := [0, 0, 1, 0, 378]; b 4 := [0, 0, 0, 1, 251]; b 5 := [0, 0, 0, 0, 9138]. Applying the LLL algorithm, we get the vectors [3, 2, 2, 1, 1]; [0, 1, 2, 2, 3]; [0, 0, 2, 3, 3]; The solution is [9, 7, 8, 5, 0] [ 4, 4, 3, 5, 1]; [9, 7, 8, 5, 0] Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 9 / 42

10 Application to NTRU Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 10 / 42

11 Application to NTRU NTRU NTRU Invented by Hoffstein, Pipher et Silverman in Security based on the Shortest Vector Problem (SVP). Various versions between 1996 and Definition The Shortest Vector Problem (SVP): Given a basis matrix B for L, compute a non-zero vector v L such that v is minimal, that is v = λ 1 (L). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 11 / 42

12 Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = f i g j. i+j k (mod N) Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 12 / 42

13 Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = f i g j. i+j k (mod N) Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 12 / 42

14 Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = f i g j. i+j k (mod N) Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 12 / 42

15 Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Convolution f = (f 0, f 1,, f N 1 ), g = (g 0, g 1,, g N 1 ). }{{} f g = h = (h 0, h 1,, h N 1 ) 1 X X k X N 1 f 0 g 0 f 0 g 1 f 0 g k f 0 g N 1 + f 1 g N 1 f 1 g 0 f 1 g k 1 f 1 g N 2 + f 2 g N 2 f 2 g N 1 f 2 g k 2 f 2 g N f N 2 g 2 f N 2 g 3 f N 2 g k+2 f N 2 g 1 + f N 1 g 1 f N 1 g 2 f N 1 g k+1 f N 1 g 0 h = h 0 h 1 h k h N 1 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 13 / 42

16 NTRU Parameters Application to NTRU N = a prime number (e.g. N = 167, 251, 347, 503). q = a large modulus (e.g. q = 128, 256). p = a small modulus (e.g. p = 3). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 14 / 42

17 NTRU Algorithms Application to NTRU Key Generation: Randomly choose two private polynomials f and g. Compute the inverse of f modulo q: f f q = 1 (mod q). Compute the inverse of f modulo p: f f p = 1 (mod p). Compute the public key h = f q g (mod q). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 15 / 42

18 NTRU Algorithms Application to NTRU Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 16 / 42

19 NTRU Algorithms Application to NTRU Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 16 / 42

20 NTRU Algorithms Application to NTRU Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 16 / 42

21 Application to NTRU NTRU The lattice Using h f q g (mod q), we get h f g (mod q). Hence f h q u = g for a polynomial u P. Consider the lattice L = { (f, g) P 2 u P, f h q u = g }. Using a matrix, we get [ ] 1 h (f, u) = (f, g). 0 q Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 17 / 42

22 Application to NTRU NTRU Using f = (f 0, f 1,, f N 1 ), h = (h 0, h 1,, h N 1 ) and u = (u 0, u 1,, u N 1 ), we get f 0 f 1. f N 1 u 1 u 2. u N h 0 h 1 h N h N 1 h 0 h N h 1 h 2 h q q q = f 0 f 1. f N 1 g 0 g 1. g N 1 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 18 / 42

23 Application to NTRU NTRU Hence the matrix of the lattice is h 0 h 1 h N h N 1 h 0 h N h 1 h 2 h q q q. with determinant dim(l) and det(l) = q N. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 19 / 42

24 Application to NTRU NTRU The lattice Since f and g have d f and d g coefficient that are equal to ±1 and the the other coefficients are equal to 0, then (f, g) = ( N 1 i=0 ) N 1 1/2 fi 2 + g 2 i d f + d g. Applying the LLL algorithm, we get a basis with a vector v 1 such that v 1 2 2N 1 4 det(l) 1 2N. Hence, (f, g) will be among the vectors of the reduced basis if df + d g 2 2N 1 4 det(l) 1 2N i=0 = df + d g 2 2N 1 2 det(l) 1 2N 1 N = 2 2 q. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 20 / 42

25 Application to NTRU NTRU Theorem (Coppersmith, Shamir) Let d f be the number of ±1 in f and d g the number of ±1 in g. If d f + d g 2 2N 1 2 q, Then f and g can be found in polynomial time. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 21 / 42

26 Application to RSA Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 22 / 42

27 Application to RSA RSA The Key Equation Problem Given N = pq and e satisfying ed kφ(n) = 1. Find d, k and φ(n). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 23 / 42

28 Application to RSA Coppersmith s method 1 Define the norm of f (x 1,..., x n ) = a i1...i n x i x in n to be f (x 1,..., x n ) = a 2 i 1...i n. 2 Consider the congruence equation f (x 1,..., x n ) 0 (mod N). We want to find the solutions (x (0) 1,..., x(0) n ) such that x (0) i < X i for i = 1,..., n. 3 Find an expression of each X i in terms of N so that X i = N δ i. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 24 / 42

29 Application to RSA Coppersmith s method 1 Let l be the monomial in f with maximal weight. Usually, l, is called the leading monomial of f. If the coefficient of l is a l, then we can assume that gcd(n, al) = 1. Therefore, we can use fa 1 l (mod N) instead of f so that the coefficient of l becomes 1. Throughout this paper, we consider that the coefficient of l is 1. 2 Let m be a positive integer. Find the monomials x i 1 1 x in n of f m. 3 For 0 k m, find the monomials x i 1 1 xn in of f m k. 4 For t 0, find the set M k = {x i 1+j 1 xn in x i 1 1 xn in is a monomial of f m and 0 j t x i 1 1 xn in l k is a monomial of f m k }. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 25 / 42

30 Application to RSA Coppersmith s method 1 Similarly, for t 0, find the set M k+1 = {x i 1+j 1 xn in x i 1 1 xn in monomial of f m and 0 j t 2 For 0 k m, find the set M k Mk+1. 3 For 0 k m, define the polynomials x i 1 1 xn in l k+1 monomial of f m (k+1) }. g k,i1,...,i n (x 1,..., x n ) = xi xn in f (x 1,..., x n ) k N m k 4 Then g k,i1,...,i n (x 1,..., x n ) 0 (mod N m ). l k with x i x in n M k Mk+1. 5 For 0 k m, define the polynomials g k,i1,...,i n (x 1 X 1,..., x n X n ). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 26 / 42

31 Application to RSA Coppersmith s method 1 Let L denote the lattice spanned by the coefficient vectors of the polynomials g k,i1,...,i n (x 1 X 1,..., x n X n ). The ordering of the monomials is such that the matrix M is triangular. 2 Compute the dimension ω of the lattice L and its determinant det(l) = N en X e 1 1 Xen n. 3 Compute e N and the exponents e i, 1 i n, in terms of m and t. 4 Let t = mτ. Compute an approximation of e N and the exponents e i, 1 i n, in terms of m and τ by neglecting all terms of low degrees. 5 Apply the LLL algorithm to obtain a reduced basis (b 1,..., b n ) such that b 1 2 ω 2 det(l) 1 ω. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 27 / 42

32 Application to RSA Coppermith s method Theorem (Howgrave-Graham) Let h(x 1,, x n ) Z[x 1,, x n ] be a polynomial with at most ω monomials. Suppose that ( ) 1 h x (0) 1,, x(0) n 0 (mod N m ) where x (0) i < X i for i = 1,..., n, ω. 2 h(x 1 X 1,, x n X n ) < Nm ( ) Then h x (0) 1,, x(0) n = 0 holds over the integers. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 28 / 42

33 Application to RSA Coppersmith s method 1 Combine Howgrave-Graham s bound f (x 1 X 1,..., x n X n ) < Nm ω and LLL to form the inequation 2 ω 2 det(l) 1 ω < N m ω 2 Neglecting 2 ω 2 and ω, consider the condition or equivalently, det(l) < N mω, N en X e 1 1 Xen n = N en N e 1δ1 N enδn < N mω. 3 Taking logarithms, we get the inequation e N + e 1 δ e n δ n < mω. The next task is to solve this inequation. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 29 / 42

34 Application to RSA Coppersmith s method: example We want to solve the equation ed kφ(n) = 1. 1 We have ed k(n + 1 p q) = 1 and then k(p + q) + (N + 1)k (mod e). 2 Set k = x, p + q = y and N + 1 = a. Then the congruence becomes f (x, y) = xy + ax Let e = N β, p + q = N 1/2 and d = N δ. Then Hence k = N δ. k = ed 1 φ(n) < ed φ(n) < d. (mod e). 4 Let l = xy be the leading monomial of f (x, y) = xy + ax + 1 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 30 / 42

35 Application to RSA Coppersmith s method: example 1 We have f m (x, y) = (x(y + a) + 1)) m m ( ) m = x i 1 (y + a) i 1 = = i 1 =0 i 1 m ( ) m x i 1 i 1 =0 m i 1 i 1 i 1 =0 i 1 =0 ( m i 1 i 1 ( i1 i 2 i 2 =0 )( ) i1 2 Hence the monomials of f m are in the form i 2 ) y i 2 a i 1 i 2 x i 1 y i 2 a i 1 i 2. f m = { x i 1 y i 2, i 1 = 0,..., m, i 2 = 0,..., i 1 }. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 31 / 42

36 Application to RSA Coppersmith s method: example 1 From the monomials of f m, we easily deduce the monomials of f m k : f m k = { x i 1 y i 2, i 1 = 0,..., m k, i 2 = 0,..., i 1 }. 2 For t 0 and k m, let consider extra shifts in y, that is, we consider the set M k = {x i 1 y i 2+j x i 1 y i 2 monomial of f m and 0 j t 0 j t x i 1y i 2 l k monomial of f m k }. 3 Since l = xy, then M k = {x i 1 y i 2+j x i 1 y i 2 monomial of f m and x i 1 k y i 2 k monomial of f m k }. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 32 / 42

37 Application to RSA Coppersmith s method: example 1 Hence x i 1 y i 2 M k i 1 = k,..., m, i 2 = k,..., i 1 + t. 2 Similarly, for t 0, we get x i 1 y i 2 M k+1 i 1 = k + 1,..., m, i 2 = k + 1,..., i 1 + t. 3 For 0 k m, we find that x i 1 1 y i 2 M k Mk+1 if and only if { { i1 =k,..., m, i1 =k, or i 2 =k, i 2 =k + 1,..., i 1 + t. 4 For 0 k m, we define the polynomials g k,i1,i 2 (x, y) = xi 1y i 2 (xy) k f (x, y)k e m k with x i 1 y i 2 M k Mk+1. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 33 / 42

38 Application to RSA Coppersmith s method: example 1 For i 1 = k,..., m and i 2 = k, the polynomials reduce to g k,i1,k(x, y) = G k,i1 (x, y) = x i 1 k f (x, y) k e m k for i 1 = k,..., m. For i 1 = k and i 2 = k + 1,..., i 1 + t = k + t, the polynomials reduce to g k,k,i2 (x 1, y) = H k,i2 (x, y) = y i 2 k f (x, y) k e m k for i 2 = k+1,..., k+t. 2 For 0 k m, we define the polynomials G k,i1 (xx, yy) = x i 1 k X i 1 k f (xx, yy) k e m k for i 1 = k,..., m, H k,i2 (xx, yy) = y i 2 k Y i 2 k f (xx, yy) k e m k for i 2 = k + 1,..., k + t. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 34 / 42

39 Application to RSA Coppersmith s method: example 1 x x 2 x 3 y xy x 2 y x 3 y xy 2 x 2 y 2 x 3 y 2 x 2 y 3 x 3 y 3 x 3 y 4 G 0,0 e G 0,1 0 Xe G 0,2 0 0 X 2 e G 0, X 3 e H 0, Ye G 1, XYe G 1, X 2 Ye G 1, X 3 Ye H 1, XY 2 e G 2, X 2 Y G 2, X 3 Y 2 e H 2, X 2 Y 3 e 0 0 G 3, X 3 Y 3 0 H 3, X 3 Y 4 Table: The coefficient matrix for the case m = 3, t = 1. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 35 / 42

40 Application to RSA Coppersmith s method: example 1 The dimension of L is ω = m k=0 i 1 =k m The determinant of L is m k+t k=0 i 2 =k+1 1 = 1 (m + 1)(m + 2t + 2). 2 det(l) = e e 0 X e 1 Y e 2. 3 From the construction of the polynomials G k,i1 (xx, yy) and H k,i2 (xx, yy), we get e 0 = m k=0 i 1 =k m (m k) + m k+t k=0 i 2 =k+1 (m k) = 1 m(m + 1)(2m + 3t + 4). 6 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 36 / 42

41 Application to RSA Coppersmith s method: example 1 Similarly, we have and e 2 = e 1 = m m k=0 i 1 =k k=0 i 1 =k m k + m i 1 + m m k+t k=0 i 2 =k+1 k+t k=0 i 2 =k+1 k = 1 m(m + 1)(2m + 3t + 4), 6 i 2 = 1 6 (m + 1)(m2 + 3mt + 3t 2 + 2m + 3t). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 37 / 42

42 Application to RSA Coppersmith s method: example 1 Let t = mτ. Then ω = 1 2 (m + 1)(m + 2mτ + 2) = 1 2 (1 + 2τ)m2 + o ( m 2), and e 0 = 1 6 m(m + 1)(2m + 3mτ + 4) = 1 6 (2 + 3τ)m3 + o ( m 3). Similarly, we have e 1 = 1 6 m(m + 1)(2m + 3mτ + 4) = 1 6 (2 + 3τ)m3 + o ( m 3), and e 2 = 1 6 (m + 1)(m2 + 3m 2 τ + 3m 2 τ 2 + 2m + 3mτ) = 1 6 (1 + 3τ + 3τ 2 )m 3 + o ( m 3). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 38 / 42

43 Application to RSA Coppersmith s method: example 1 Apply the LLL algorithm to obtain a reduced basis (b 1,..., b n ) such that b 1 2 ω 2 det(l) 1 ω. 2 Combining Howgrave-Graham s bound f (x 1 X 1,..., x n X n ) < em ω and LLL, we get the inequation 2 ω 2 det(l) 1 ω 3 Neglecting 2 ω 2 and ω, we get or equivalently, < e m ω det(l) < e mω, e e 0 X e 1 Y e 2 < e mω. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 39 / 42

44 Application to RSA Coppersmith s method: example 1 Since e = N β, Y = N 1/2 and X = N δ. Then N βe0 N δe1 N e 2/2 < N mβω. 2 Taking logarithms, we get the inequation βe 0 + δe 1 + e 2 2 < mβω. 3 Plugging the values of e 0, e 1 and ω, we get 1 6 (2 + 3τ)β (2 + 3τ)δ (1 + 3τ + 3τ 2 ) 1 (1 + 2τ)β < The optimal value for τ in the left side is τ = β δ 1 2, which leads to 12δ 2 + 4(1 + 6β)δ 12β 2 + 4β + 1 < 0. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 40 / 42

45 Application to RSA Coppersmith s method: example 1 Solving for δ, we get δ < β β A typical example is the case e N, that is β = 1. Then, the former bound gives d < This is a famous bound found by Boneh and Durfee. Theorem (Boneh,Durfee, 1998) Let (N, e) be an RSA public key with private decryption exponent d. If d < , then one can factor the RSA modulus N. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 41 / 42

46 Application to RSA Thank you Terima kasih Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 42 / 42

A new attack on RSA with a composed decryption exponent

A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr