Diophantine equations via weighted LLL algorithm


Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm
Momonari Kudo, Graduate School of Mathematics, Kyushu University, Japan
Kyushu University Number Theory Seminar, 1 September 2016, Kyushu University, Japan
This is a joint work with Jintai Ding, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao.

Contents
1. Introduction
This talk is based on the paper: Jintai Ding, Momonari Kudo, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao, Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction, IACR Cryptology ePrint Archive 2015/1229, 2015. A short version has been accepted by the refereed international conference IWSEC 2016 and will be published.

1-1. Diophantine equations and Cryptography
Diophantine problem (over Q): for a given f ∈ Z[x_1, ..., x_n], find (a_1, ..., a_n) ∈ Q^n such that f(a_1, ..., a_n) = 0.
In general, there is no algorithm to test Diophantine equations for solvability in Z [1]. Applying this hardness, some cryptographic protocols based on the difficulty of solving Diophantine equations have been proposed as post-quantum cryptosystems (PQC).
Q. How secure are these cryptosystems?
[1] M. Davis, Y. Matijasevič and J. Robinson, Hilbert's tenth problem, Diophantine equations: positive aspects of a negative solution, In: Mathematical Developments Arising from Hilbert Problems, F. E. Browder (ed.), AMS, Providence, RI, pp. 323-378 (1976).

1-2. Previous Works
E.g. a public key cryptosystem [2] in 1995 and key exchange protocols [3, 4, 5] in 2011-2013: impractical.
Algebraic Surface Cryptosystem (ASC09) by Akiyama, Goto, Miyake [6] in 2009: in 2010, ASC09 was broken by the ideal decomposition attack [7] via Gröbner basis theory.
[2] C. H. Lin, C. C. Chang, R. C. T. Lee, A new public-key cipher system based upon the diophantine equations, IEEE Trans. Comp. 44, 13-19 (1995).
[3] A. Bérczes, L. Hajdu, N. Hirata-Kohno, T. Kovács, A. Pethő, A key exchange protocol based on Diophantine equations and S-integers, JSIAM Letters Vol. 6, 85-88 (2014).
[4] N. Hirata-Kohno, A. Pethő, On a key exchange protocol based on Diophantine equations, Infocommunications Journal 5, 17-21 (2013).
[5] H. Yosh, The key exchange cryptosystem used with higher order Diophantine equations, IJNSA Journal 3, 43-50 (2011).
[6] K. Akiyama, Y. Goto, H. Miyake, Algebraic Surface Cryptosystem, In: Proceedings of PKC'09, Lecture Notes in Comput. Sci. 5443, 425-442 (2009).
[7] J.-C. Faugère, P.-J. Spaenlehauer, Algebraic Cryptanalysis of the PKC'2009 Algebraic Surface Cryptosystem, In: Proceedings of PKC'10, Lecture Notes in Comput. Sci. 6056, 35-52 (2010).

1-3. Previous Works
A public key cryptosystem [2] in 1995 and key exchange protocols [3, 4, 5] in 2011-2013: impractical.
Algebraic Surface Cryptosystem (ASC09) by Akiyama, Goto, Miyake [6] in 2009: in 2010, ASC09 was broken by the ideal decomposition attack [7] via Gröbner basis theory.
Okumura [Oku15] proposed in 2015 a new public key cryptosystem as an analogue of ASC: a public key cryptosystem based on Diophantine equations of degree increasing type (DEC). It is expected to have resistance against the ideal decomposition attack (and other attacks).
[Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pac. Journal of Math. for Industry, 7 (4), pp. 33-45 (2015).

1-4. Our Problem
Okumura [Oku15] proposed in 2015 a new public key cryptosystem as an analogue of ASC:
  Algebraic Surface Cryptosystem (ASC): function field; section finding problem; broken by the ideal decomposition attack.
  Diophantine Equation Cryptosystem (DEC): number field; Diophantine problem; what's new: ``twisting'' the plaintext (to avoid the ideal decomposition attack).
DEC is a public key cryptosystem based on Diophantine equations of degree increasing type. It is expected to have resistance against the ideal decomposition attack (and other attacks), and to be one of the PQC.
Q. How secure is DEC?
[Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pac. Journal of Math. for Industry, 7 (4), pp. 33-45 (2015).

1-5. Our Main Contribution
We apply a variant of the LLL algorithm, which we call the ``weighted LLL algorithm'', to the cryptanalysis, and break the one-wayness of instances of DEC via weighted LLL.

Contents
1. Introduction
2. Overview of DEC
3. Cryptanalysis of DEC via the weighted LLL algorithm
4. Complexity Analysis and Experimental Results
5. Summary

2-1. DEC scheme
To simplify the notation, assume n = 2 throughout this talk.
Public key: d, e ∈ Z_{>0} and X ∈ Z[x, y] with certain conditions.
Secret key: (a, b) ∈ Z^2 such that X(a^d, b^d) = 0.
Plaintext: a polynomial m ∈ Z[x, y].
Encryption: ``twist'' m by e and N ∈ Z into m̃, choose some randomness N, f, s_j, r_j, and output the ciphertext (3 polynomials and N ∈ Z):
  F_1 = m̃ + s_1 f + r_1 X
  F_2 = m̃ + s_2 f + r_2 X
  F_3 = m̃ + s_3 f + r_3 X
Crucial Remark
(1) The sets of monomials of X, m, m̃, f, s_j, r_j are the same and known.
(2) The bit lengths of the coefficients of X, m, m̃, f, s_j, r_j are known.
(3) The coefficients of s_j and X are much smaller than those of the others.

2-2. Notation
For a polynomial f(x, y) = Σ c_{i,j} x^i y^j ∈ Z[x, y] \ {0}, define
1. c_{i,j}(f) := c_{i,j}, the non-zero coefficient of the monomial x^i y^j in f;
2. f (bold) := (c_{i_1,j_1}(f), ..., c_{i_q,j_q}(f)), the vector consisting of all non-zero coefficients of f, with (i_1, j_1) > ... > (i_q, j_q) in lexicographic order.

2-3. Toy Example of DEC (Key Generation)
λ: security parameter (in this example, λ ≈ 4).
Public key: d = 5, e = 15, X = 25x^3 - 4y - 19416 ∈ Z[x, y].
Secret key: (a, b) = (46, 64) ∈ Z^2, chosen so that gcd(ab, d) = 1, gcd(e, φ(d)) = 1 (φ: Euler's function), X(a^d, b^d) = 0, and a size condition relating 2^λ, 2^{2λ+1}, max{|a|, |b|} and d^{φ(d)} holds.
Remark: [Oku15] suggests λ = 128, with d roughly 2^{λ/2} and e roughly λ + 1 + ((λ + 1)/2)·deg X.

2-4. Toy Example of DEC (Encryption)
Plaintext (polynomial): m = 3x^3 + 3y + 3, with 1 < c_{i,j}(m) < d and gcd(c_{i,j}(m), d) = 1.
Encryption, Step 1. Twist the plaintext m. Choose N ∈ Z_{>0} such that Nd > 2^λ · max_{i,j} |c_{i,j}(X)|: N = 62144 (Nd = 310720). Put c_{i,j}(m̃) ≡ c_{i,j}(m)^e (mod Nd), e.g. c_{3,0}(m̃) ≡ 3^15 ≡ 55787 (mod 310720). Hence
  m̃ := 55787x^3 + 55787y + 55787.
Recall X = 25x^3 - 4y - 19416, d = 5, e = 15.

2-5. Toy Example of DEC (Encryption)
Step 2. Choose some polynomials uniformly at random:
  f = 133943x^3 + 258040y + 152992,
  s_1 = 28x^3 + 4y + 29060, s_2 = 26x^3 + 7y + 26541, s_3 = 28x^3 + 5y + 22594,
  r_1 = 259965x^3 + 186583y + 209414, r_2 = 204762x^3 + 134840y + 144822, r_3 = 141410x^3 + 226856y + 153282.
Recall X = 25x^3 - 4y - 19416. Crucial Remark: the s_j are very short. f, s_j, r_j are chosen so that certain conditions hold, e.g. the coefficients of s_j and X have the same bit sizes.

2-6. Toy Example of DEC (Encryption)
Step 3. Make the ciphertext polynomials F_1 := m̃ + s_1 f + r_1 X, F_2 := m̃ + s_2 f + r_2 X, F_3 := m̃ + s_3 f + r_3 X:
  F_1 = 10249529x^6 + 11385607x^3y - 1145521947x^3 + 285828y^2 + 3875776971y + 380021083,
  F_2 = 8601568x^6 + 10198593x^3y - 413023700x^3 + 1266920y^2 + 4231133643y + 1248752507,
  F_3 = 7285654x^6 + 13000595x^3y + 288863195x^3 + 382776y^2 + 1425727283y + 480633723.
Send (F_1, F_2, F_3, N).
Remark 1: One can decrypt the ciphertext as in Sections 3.4 and 3.5 of [Oku15]; in this talk we omit the decryption process.
Remark 2: We mention the recommended (and estimated) parameter sizes later.

Contents
1. Introduction
2. Overview of DEC
3. Cryptanalysis of DEC via the weighted LLL algorithm
4. Complexity Analysis and Experimental Results
5. Summary

3-1. Idea of Our Attack
Ciphertext (3 polynomials): F_1 = m̃ + s_1 f + r_1 X, F_2 = m̃ + s_2 f + r_2 X, F_3 = m̃ + s_3 f + r_3 X.
X, F_1, F_2, F_3: known. m̃, f, s_j, r_j: unknown.
Crucial Remark
(1) The sets of monomials of X, m, m̃, f, s_j, r_j are the same and known.
(2) The bit lengths of the coefficients of X, m, m̃, f, s_j, r_j are known.
(3) The coefficients of s_j and X are much smaller than those of the others.

3-2. Idea of Our Attack
Ciphertext (3 polynomials): F_1 = m̃ + s_1 f + r_1 X, F_2 = m̃ + s_2 f + r_2 X, F_3 = m̃ + s_3 f + r_3 X.
X, F_1, F_2, F_3: known. m̃, f, s_j, r_j: unknown.
Put F_1' := F_1 - F_2, F_2' := F_2 - F_3, s_1' := s_1 - s_2, s_2' := s_2 - s_3, r_1' := r_1 - r_2, r_2' := r_2 - r_3. From the above equalities (the m̃ cancels and F_1' = s_1' f + r_1' X, F_2' = s_2' f + r_2' X),
  s_2' F_1' - s_1' F_2' = g X, where g := s_2' r_1' - s_1' r_2'.   (*)

3-3. Idea of Our Attack
F_1' := F_1 - F_2, F_2' := F_2 - F_3, s_1' := s_1 - s_2, s_2' := s_2 - s_3, r_1' := r_1 - r_2, r_2' := r_2 - r_3.
  s_2' F_1' - s_1' F_2' = g X, where g := s_2' r_1' - s_1' r_2'.   (*)
X, F_1', F_2': known. s_j', g: unknown. However, the monomials of s_1', s_2', g are known.
The first step of our attack is to find s_1', s_2'. Regarding the unknown coefficients of s_1', s_2', g as indeterminates, (*) yields a linear system over Z.

3-4. Outline of Our Attack
It is sufficient for breaking DEC to find m.
Step 1. Find s_1' = s_1 - s_2 and s_2' = s_2 - s_3 by the weighted LLL. (We focus on Step 1 in this talk.)
Step 2. Find f satisfying F_1' = s_1' f + r_1' X and F_2' = s_2' f + r_2' X by using s_1' and s_2' obtained in Step 1. We fix such an f.
Step 3. Find s_1 by Babai's nearest plane algorithm. After that, recover m by linear algebra and modular arithmetic.
In each step, we obtain a linear system by comparing the coefficients of the L.H.S. with those of the R.H.S.

3-5. SVP and LLL algorithm
The LLL algorithm (approximately) solves the SVP:
Definition (Shortest Vector Problem). Given B = {b_1, ..., b_n}, a basis of a lattice L ⊂ R^m, and a norm ||·|| on R^m (typically the Euclidean norm), SVP is to find a shortest vector u ∈ L w.r.t. ||·||, i.e., ||u|| ≤ ||w|| for all w ∈ L \ {0}.

3-6. SVP and LLL algorithm
The LLL algorithm, proposed in 1982, (approximately) solves the SVP. In this talk we omit its details (see [8, 9]) and only review some properties.
LLL algorithm
  Input: an (ordered) basis A = {a_1, ..., a_n} of a lattice L ⊂ Q^m, and a real number 1/4 < δ < 1.
  Output: an LLL-reduced basis B = {b_1, ..., b_n} of L for the factor δ.
Remark: an LLL-reduced basis is a basis that is sufficiently close to orthogonal; see [8, 9] for details.
(1) If B is LLL-reduced with δ = 3/4, then ||b_1|| ≤ 2^{(n-1)/2} · min{||w|| : w ∈ L \ {0}}. Note: in practice, LLL finds the shortest vector with high probability for random lattices of low rank.
(2) LLL terminates in polynomial time in the rank and dimension of the input lattice basis.
[8] A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen 261 (4), 515-534 (1982).
[9] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press (2012).

3-7. CVP and Babai's nearest plane algorithm
Babai's nearest plane algorithm (approximately) solves the CVP:
Definition (Closest Vector Problem). Given B = {b_1, ..., b_n}, a basis of a lattice L ⊂ R^m, a vector v ∈ R^m with v ∉ L, and a norm ||·|| on R^m (typically the Euclidean norm), CVP is to find the closest lattice point u ∈ L to v w.r.t. ||·||, i.e., ||u - v|| ≤ ||w - v|| for all w ∈ L.
(Figure: basis vectors b_1, b_2, the target v and the closest lattice point u.)

3-8. CVP and Babai's nearest plane algorithm
Babai's nearest plane algorithm (approximately) solves the CVP. In this talk we omit its details (see [9, 10]) and only review some properties.
Babai's nearest plane algorithm (Babai NPA)
  Input: a basis B = {b_1, ..., b_n} of a lattice L ⊂ Z^m, and v ∈ Span(b_1, ..., b_n) ⊂ Q^m with v ∉ L.
  Output: a vector u ∈ L.
(1) If B is LLL-reduced with δ = 3/4, then ||v - u|| < 2^{n/2} ||v - w|| for all w ∈ L. Note: in practice, NPA outputs a lattice point very close to v in many cases.
(2) Babai NPA terminates in polynomial time in the rank and dimension of the input lattice basis.
[9] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press (2012).
[10] L. Babai, On Lovász' lattice reduction and the nearest lattice point problem, Combinatorica 6 (1), 1-13 (1986).

3-9. Detail of Step 1
(In the following, unknown objects are shown in blue on the slides.)
  s_2' F_1' - s_1' F_2' = g X, where g := s_2' r_1' - s_1' r_2'.   (*)
The monomials with non-zero coefficients of s_1', s_2' and g are known. We obtain a linear system from (*).
L_1: the lattice defined as the nullspace of the system. Clearly (s_1', s_2', g) ∈ L_1.
We can estimate the bit length of all entries of s_1' and s_2' from X.

3-10. Example
In the previous example,
  F_1 = 10249529x^6 + 11385607x^3y - 1145521947x^3 + 285828y^2 + 3875776971y + 380021083,
  F_2 = 8601568x^6 + 10198593x^3y - 413023700x^3 + 1266920y^2 + 4231133643y + 1248752507,
  F_3 = 7285654x^6 + 13000595x^3y + 288863195x^3 + 382776y^2 + 1425727283y + 480633723,
so
  F_1' = F_1 - F_2 = 1647961x^6 + 1187014x^3y - 732498247x^3 - 981092y^2 - 355356672y - 868731424,
  F_2' = F_2 - F_3 = 1315914x^6 - 2802002x^3y - 701886895x^3 + 884144y^2 + 2805406360y + 768118784.

3-11. Example
  s_2' F_1' - s_1' F_2' = g X, where g := s_2' r_1' - s_1' r_2'.   (*)
Put s_1' := c_1 x^3 + c_2 y + c_3, s_2' := c_4 x^3 + c_5 y + c_6, g := c_7 x^6 + c_8 x^3 y + c_9 x^3 + c_10 y^2 + c_11 y + c_12, with
  X = 25x^3 - 4y - 19416 (public key),
  F_1' = 1647961x^6 + 1187014x^3y - 732498247x^3 - 981092y^2 - 355356672y - 868731424,
  F_2' = 1315914x^6 - 2802002x^3y - 701886895x^3 + 884144y^2 + 2805406360y + 768118784.
By (*), (c_1, c_2, ..., c_12) A = 0: a linear system over Z.

3-12. Example
(c_1, c_2, ..., c_12) A = 0: linear system. L_1 := Ker A = {u ∈ Z^12 : u A = 0}.
Basis matrix (rows u_1, u_2, u_3; columns c_1, ..., c_6, the g-columns c_7, ..., c_12 being cut off):
  u_1 = (1, 32,  -49644, 24, -24, -47364)
  u_2 = (0, 67, -101807,  0, -42, -59843)
  u_3 = (0,  0,       0, 25,  -4, -19416)
Here s_1' := c_1 x^3 + c_2 y + c_3, s_2' := c_4 x^3 + c_5 y + c_6, g := c_7 x^6 + c_8 x^3 y + c_9 x^3 + c_10 y^2 + c_11 y + c_12.
Remark: s_1', s_2' are very short, hence (s_1', s_2') is very short.

3-13. Recall (unknown objects)
  s_1 = 28x^3 + 4y + 29060, s_2 = 26x^3 + 7y + 26541, s_3 = 28x^3 + 5y + 22594,
  s_1' := s_1 - s_2 = 2x^3 - 3y + 2519, s_2' := s_2 - s_3 = -2x^3 + 2y + 3947,
  s := (s_1', s_2') = (2, -3, 2519, -2, 2, 3947).
Remark: The bit lengths of the entries of s can be estimated, because it is known from the encryption process that the bit lengths of the entries of s_1', s_2' are the same as those of the public key X.

3-14. Does the usual LLL work well?
L_1 = ⟨u_1, u_2, u_3⟩_Z ⊂ Z^6 with
  u_1 = (1, 32, -49644, 24, -24, -47364), u_2 = (0, 67, -101807, 0, -42, -59843), u_3 = (0, 0, 0, 25, -4, -19416)
(coordinates c_1, ..., c_6, where s_1' = c_1 x^3 + c_2 y + c_3 and s_2' = c_4 x^3 + c_5 y + c_6).
s := (s_1', s_2') = (2, -3, 2519, -2, 2, 3947) ∈ L_1 is very short. Is it the shortest vector??

3-15. Does the usual LLL work well?
L_1 = ⟨u_1, u_2, u_3⟩_Z ⊂ Z^6 with
  u_1 = (1, 32, -49644, 24, -24, -47364), u_2 = (0, 67, -101807, 0, -42, -59843), u_3 = (0, 0, 0, 25, -4, -19416)
(coordinates c_1, ..., c_6, where s_1' = c_1 x^3 + c_2 y + c_3 and s_2' = c_4 x^3 + c_5 y + c_6).
s := (s_1', s_2') = (2, -3, 2519, -2, 2, 3947) ∈ L_1 is very short. Applying LLL to (u_1, u_2, u_3) gives
  v_1 = (283, -190, 114, 167, 64, -438),
  v_2 = (363, -243, -933, 212, 82, 519),
  v_3 = (1497, -1006, 2042, 878, 340, 2714).
Is s the shortest vector?? No!

3-16. Why does the usual LLL work less well?
s = (s_1', s_2') ∈ L_1, s = (2, -3, 2519, -2, 2, 3947): (small, small, large, small, small, large).
s is relatively short but not shortest (its entries are unbalanced) because of the existence of certain large entries. Nevertheless, we predict that s is a shortest vector ``in some sense''. Idea: apply a weighted norm instead of the Euclidean norm.

3-17. Idea of Weighted LLL Algorithm
s = (s_1', s_2') = (2, -3, 2519, -2, 2, 3947): (small, small, large, small, small, large).
Recall: the coefficients of s_j and X have the same bit sizes, so the entries of s_1', s_2' and X have ``near'' (or the same) bit sizes.
X = (25, -4, -19416) (public key). Ratio of absolute values 25 : 4 : 19416, i.e. 19416/25 ≈ 776.6 and 19416/4 = 4854. From this, set
  w := (2^{⌊lg(19416/25)⌋}, 2^{⌊lg 4854⌋}, 1, 2^{⌊lg(19416/25)⌋}, 2^{⌊lg 4854⌋}, 1) = (2^9, 2^12, 1, 2^9, 2^12, 1).

3-18. Idea of Weighted LLL Algorithm
w = (2^9, 2^12, 1, 2^9, 2^12, 1). W: the diagonal matrix defined by W_{ii} = w_i.
  u_1 = (1, 32, -49644, 24, -24, -47364), u_2 = (0, 67, -101807, 0, -42, -59843), u_3 = (0, 0, 0, 25, -4, -19416),
  u_1 W = (512, 131072, -49644, 12288, -98304, -47364),
  u_2 W = (0, 274432, -101807, 0, -172032, -59843),
  u_3 W = (0, 0, 0, 12800, -16384, -19416).

3-19. Idea of Weighted LLL Algorithm
w = (2^9, 2^12, 1, 2^9, 2^12, 1). W: the diagonal matrix defined by W_{ii} = w_i.
  u_1 W = (512, 131072, -49644, 12288, -98304, -47364),
  u_2 W = (0, 274432, -101807, 0, -172032, -59843),
  u_3 W = (0, 0, 0, 12800, -16384, -19416).
Applying LLL to (u_1 W, u_2 W, u_3 W) gives the reduced basis
  u_1' = (1024, -12288, 2519, -1024, 8192, 3947),
  u_2' = (1024, -12288, 2519, 11776, -8192, -15469),
  u_3' = (-11776, 4096, 21935, -1024, 8192, 3947).
Multiplying by W^{-1}:
  u_1' W^{-1} = (2, -3, 2519, -2, 2, 3947),
  u_2' W^{-1} = (2, -3, 2519, 23, -2, -15469),
  u_3' W^{-1} = (-23, 1, 21935, -2, 2, 3947).
The first vector is just the same as (s_1', s_2')!

3-20. Assumption on (s_1', s_2')
What should we assume (s_1', s_2') to be, theoretically?
Definition (weighted norm and weighted lattice). For a lattice L ⊂ R^m and a vector w = (w_1, ..., w_m) ∈ R^m_{>0}, define the weighted norm ||·||_w for w by
  ||u||_w := sqrt((u_1 w_1)^2 + ... + (u_m w_m)^2)   (u ∈ L).
Then ||·||_w is a norm on L ⊂ R^m, and we call L a weighted lattice for w. We denote L by L_w depending on the situation.

3-21. Assumption on (s_1', s_2')
Lemma (shortest vectors with a weight). Let L_w ⊂ R^m be a lattice with weight w = (w_1, ..., w_m) ∈ R^m_{>0}. Set W := diag(w_1, ..., w_m) and f_W : R^m → R^m, x ↦ xW. Then the following are equivalent for any x ∈ L_w:
1. The vector x is a shortest vector in L_w with respect to the norm ||·||_w.
2. The vector xW is a shortest vector in Im(f_W) with respect to the Euclidean norm.
From this, we may assume that (s_1', s_2') is a shortest vector in L_1 = (L_1)_w w.r.t. the norm ||·||_w.

3-22. Summary of Weighted LLL
Target (rank-3 case): s ∈ L_1, a relatively short vector with entries of unbalanced sizes (not a shortest vector).
  L_1 = ⟨u_1, u_2, u_3⟩_Z  →(f_W : u ↦ uW)→  f_W(L_1) = ⟨u_1 W, u_2 W, u_3 W⟩_Z
  →(LLL)→  LLL-reduced basis u_1', u_2', u_3' of f_W(L_1)
  →(f_W^{-1} : u ↦ uW^{-1})→  ``weighted LLL reduced basis'' u_1' W^{-1}, u_2' W^{-1}, u_3' W^{-1} of L_1.
We generalize this method to an algorithm (we omit its precise description in this talk). The algorithm terminates in polynomial time w.r.t. the rank and the dimension of the lattice.
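As an added example (not the authors' Magma code), the following Python reproduces Step 1 on the toy instance above: it scales the basis u_1, u_2, u_3 of L_1 by the weights of slide 3-17, runs a textbook LLL on the scaled lattice, maps back with W^{-1}, and checks the recovered (s_1', s_2') against relation (*) by exact division of s_2' F_1' - s_1' F_2' by X. The signs of the slide's numbers were restored from F_1' = F_1 - F_2 and F_2' = F_2 - F_3; the function names are this example's own.

```python
from fractions import Fraction
from math import floor, log2

X = {(3, 0): 25, (0, 1): -4, (0, 0): -19416}                   # public key X
F1 = {(6, 0): 1647961, (3, 1): 1187014, (3, 0): -732498247,    # F1' = F1 - F2
      (0, 2): -981092, (0, 1): -355356672, (0, 0): -868731424}
F2 = {(6, 0): 1315914, (3, 1): -2802002, (3, 0): -701886895,   # F2' = F2 - F3
      (0, 2): 884144, (0, 1): 2805406360, (0, 0): 768118784}
MONOMIALS = [(3, 0), (0, 1), (0, 0)]         # monomial set shared by X, s_j, r_j
BASIS_L1 = [[1, 32, -49644, 24, -24, -47364],   # basis u_1, u_2, u_3 of L_1 (slide 3-12);
            [0, 67, -101807, 0, -42, -59843],   # coordinates are the coefficient
            [0, 0, 0, 25, -4, -19416]]          # vectors of (s_1', s_2')
S_TRUE = [2, -3, 2519, -2, 2, 3947]   # (s_1', s_2') fixed at encryption; unknown to the attacker


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL in exact rational arithmetic; returns the reduced basis as ints."""
    b = [[Fraction(x) for x in v] for v in basis]
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * len(b) for _ in b]
        for i in range(len(b)):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu
    k, (bstar, mu) = 1, gram_schmidt()
    while k < len(b):
        for j in range(k - 1, -1, -1):                  # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                      # Lovasz condition holds
        else:                                           # swap b_k, b_{k-1}, step back
            b[k], b[k - 1], k = b[k - 1], b[k], max(k - 1, 1)
            bstar, mu = gram_schmidt()
    return [[int(x) for x in v] for v in b]


def weights_from_public_key(X):
    """Slide 3-17: w_i = 2^floor(lg(max|c(X)| / |c_i(X)|)) for the s_1' block, repeated for s_2'."""
    w = [2 ** floor(log2(max(map(abs, X.values())) / abs(X[m]))) for m in MONOMIALS]
    return w + w


def weighted_lll(basis, w):
    """Weighted LLL: reduce {u W}, W = diag(w), then map back by W^-1 (exact: every u W is integral)."""
    reduced = lll([[x * wi for x, wi in zip(v, w)] for v in basis])
    return [[x // wi for x, wi in zip(v, w)] for v in reduced]


def quotient_by(P, D):
    """Exact division in Z[x, y] under lex order (x > y): P / D, or None if D does not divide P."""
    P, g, lead = {m: c for m, c in P.items() if c}, {}, max(D)
    while P:
        m = max(P)                                      # lex-leading monomial of P
        qm = (m[0] - lead[0], m[1] - lead[1])
        if min(qm) < 0 or P[m] % D[lead]:
            return None
        g[qm] = q = P[m] // D[lead]
        for (i, j), c in D.items():                     # P -= q * x^qm[0] y^qm[1] * D
            mm = (i + qm[0], j + qm[1])
            P[mm] = P.get(mm, 0) - q * c
            if P[mm] == 0: del P[mm]
    return g


def recover_s(basis=BASIS_L1):
    """Step 1: weighted-shortest vector of the reduced basis, and g with s_2' F_1' - s_1' F_2' = g X."""
    w = weights_from_public_key(X)
    reduced = weighted_lll(basis, w)
    s = min(reduced, key=lambda v: sum((x * wi) ** 2 for x, wi in zip(v, w)))
    s1, s2 = (dict(zip(MONOMIALS, s[i:i + 3])) for i in (0, 3))
    lhs = {}                                            # s_2' F_1' - s_1' F_2'
    for p, q, sign in ((s2, F1, 1), (s1, F2, -1)):
        for (a, b), c in p.items():
            for (i, j), d in q.items():
                lhs[(a + i, b + j)] = lhs.get((a + i, b + j), 0) + sign * c * d
    return s, quotient_by(lhs, X)
```

Plain `lll(BASIS_L1)` returns the three vectors of slide 3-15, none of which is (s_1', s_2'), while `recover_s()` returns it together with the quotient g of (*), so the divisibility check doubles as a correctness test for the recovered vector.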

3-23. Outline of Our Attack
It is sufficient for breaking DEC to find m.
Step 1. Find s_1' = s_1 - s_2 and s_2' = s_2 - s_3 by the weighted LLL. (We focused on Step 1 in this talk.)
Step 2. Find f satisfying F_1' = s_1' f + r_1' X and F_2' = s_2' f + r_2' X by using s_1' and s_2' obtained in Step 1. We fix such an f.
Step 3. Find s_1 by Babai's nearest plane algorithm. After that, recover m by linear algebra and modular arithmetic.
In each step, we obtain a linear system by comparing the coefficients of the L.H.S. with those of the R.H.S.

Contents
1. Introduction
2. Overview of DEC
3. Cryptanalysis of DEC via the weighted LLL algorithm
4. Complexity Analysis and Experimental Results
5. Summary

4-1. Complexity of Our Algorithm
Parameters: λ and w := deg X.
Main computation:
  Step 1: weighted LLL.
  Step 2: LLL; arithmetic over Z[x_1, ..., x_n].
  Step 3 (dominant): Babai's nearest plane algorithm with LLL; modular arithmetic.
  Common to all steps: solving linear systems (by Hermite normal form).
Theorem. Under certain assumptions*, the worst-case total bit complexity of our attack algorithm is O(w^11 λ^2 + w^5 λ^3). Consequently, the attack runs in polynomial time in λ and w. Considering the size of the ciphertext, w should not be so large.
*e.g. assume that coefficient explosion does not happen in the computation of the HNF.

4-2. Experimental Results 1
Table 1*: Results of our attack for the parameters suggested in [Oku15] with n = 3 and λ = 128 (success times of Step 1 / Step 2 / Step 3, and average time in seconds).
  w   #{terms of X}   Step 1   Step 2   Step 3   Average time (s)
  5    3              75       75       27       0.072408
  5    4              78       78       26       0.1009
  5    5              91       91       36       0.13494
  7    3              79       79       17       0.11106
  7    4              75       75       22       0.15900
  7    7              87       87       32       0.35841
  10   3              73       73       27       0.18237
  10   4              78       78       27       0.27500
  10   7              84       84       29       0.61914
  10   10             91       91       32       2.0475
Step 1 succeeds in more than 70% of the instances by weighted LLL. We break the one-wayness of almost 30% of the instances in practical time, which is a sufficiently high probability for cryptanalysis.
*Environment: Magma V2.20-10, Windows 8.1 Pro OS 64 bit, 2.60 GHz CPU (Intel Core i5) and 8 GB memory.

4-3. Experimental Results 2
Table 2*: Results in the case of increasing w (with n = 3 and λ = 128).
  w   #{terms of X}   Average time (s)   Secret key (bit)   Public key (bit)   Ciphertext (bit)
  5    5              0.13494            201                759                30121
  10   10             2.04750            198                1460               165895
  15   15             10.75300           198                2155               461314
  20   20             35.86000           198                2859               1050407
  25   25             69.56900           201                3574               1951801
  30   30             303.10000          201                4275               3257461
  35   35             544.59000          201                4899               5049308
  40   40             1200.00000         201                5717               7420943
  45   45             1641.00000         200                6316               10224888
The required time is expected to be much shorter than the estimated complexity: the computation of the HNF, estimated to be the most expensive part, does not take much time because the coefficient matrices obtained in our attack are sparse in many cases.

Contents
1. Introduction
2. Overview of DEC
3. Cryptanalysis of DEC via the weighted LLL algorithm
4. Complexity Analysis and Experimental Results
5. Summary

5-1. Summary
DEC has resistance against recovering the secret key directly (difficulty of solving Diophantine equations). However, breaking the one-wayness of the system is transformed into finding a relatively short, but not shortest, vector in lattices of low rank. Our experimental results show that our attack with the weighted LLL can find such vectors. As a consequence, the one-wayness of DEC can be broken with high probability in polynomial time for the parameters suggested in [Oku15].