Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis

Similar documents
Practical Analysis of Key Recovery Attack against Search-LWE Problem

The Shortest Vector Problem (Lattice Reduction Algorithms)

Graduate Preliminary Examination

47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010

Math 547, Exam 1 Information.

Computational algebraic number theory tackles lattice-based cryptography

Weaknesses in Ring-LWE

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

A Course in Computational Algebraic Number Theory

Computational algebraic number theory tackles lattice-based cryptography

Lattice Basis Reduction and the LLL Algorithm

Reducing number field defining polynomials: An application to class group computations

Algebra Exam Topics. Updated August 2017

Construction of quasi-cyclic self-dual codes

6]. (10) (i) Determine the units in the rings Z[i] and Z[ 10]. If n is a squarefree

The complexity of factoring univariate polynomials over the rationals

Short generators without quantum computers: the case of multiquadratics

Number Theory Fall 2016 Problem Set #3

Linear Algebra Massoud Malek

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Extended Tower Number Field Sieve with Application to Finite Fields of Arbitrary Composite Extension Degree

D-MATH Algebra I HS17 Prof. Emmanuel Kowalski. Solution 12. Algebraic closure, splitting field

How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t

Revisiting Lattice Attacks on overstretched NTRU parameters

12x + 18y = 30? ax + by = m

(1) A frac = b : a, b A, b 0. We can define addition and multiplication of fractions as we normally would. a b + c d

Further Results on Implicit Factoring in Polynomial Time

Algebra Homework, Edition 2 9 September 2010

Some algebraic number theory and the reciprocity map

Cyclotomic Polynomials in Ring-LWE Homomorphic Encryption Schemes

Thus, the integral closure A i of A in F i is a finitely generated (and torsion-free) A-module. It is not a priori clear if the A i s are locally

1 Shortest Vector Problem

A new attack on RSA with a composed decryption exponent

Algebraic number theory

A Hybrid Method for Lattice Basis Reduction and. Applications

Lecture 7.5: Euclidean domains and algebraic integers

Open problems in lattice-based cryptography

COS 598D - Lattices. scribe: Srdjan Krstic

Diophantine equations via weighted LLL algorithm

An Algorithm for NTRU Problems

Looking back at lattice-based cryptanalysis

1: Introduction to Lattices

ALGEBRA EXERCISES, PhD EXAMINATION LEVEL

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

TWO CLASSES OF NUMBER FIELDS WITH A NON-PRINCIPAL EUCLIDEAN IDEAL

RINGS: SUMMARY OF MATERIAL

Algebra Qualifying Exam Solutions. Thomas Goller

Background: Lattices and the Learning-with-Errors problem

Gauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1

Galois theory (Part II)( ) Example Sheet 1

Implementing a Toolkit for Ring-LWE Based Cryptography in Arbitrary Cyclotomic Number Fields

MINKOWSKI THEORY AND THE CLASS NUMBER

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Analyzing Blockwise Lattice Algorithms using Dynamical Systems

DISCRIMINANTS IN TOWERS

Lattice Reduction of Modular, Convolution, and NTRU Lattices

Solutions of exercise sheet 11

Polynomial Selection Using Lattices

Practice Algebra Qualifying Exam Solutions

EXERCISES IN MODULAR FORMS I (MATH 726) (2) Prove that a lattice L is integral if and only if its Gram matrix has integer coefficients.

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

Linear Algebra. Min Yan

ADVANCED COMMUTATIVE ALGEBRA: PROBLEM SETS

Chapter 14: Divisibility and factorization

A BRIEF INTRODUCTION TO LOCAL FIELDS

Homework 4 Solutions

Computing Invariant Factors

9 Knapsack Cryptography

Algebraic Number Theory and Representation Theory

Lattice Reduction for Modular Knapsack

These warmup exercises do not need to be written up or turned in.

Galois Theory TCU Graduate Student Seminar George Gilbert October 2015

2. THE EUCLIDEAN ALGORITHM More ring essentials

A General Polynomial Selection Method and New Asymptotic Complexities for the Tower Number Field Sieve Algorithm

Algebra Exam Syllabus

An Additive Characterization of Fibers of Characters on F p

Sample algebra qualifying exam

THE DIFFERENT IDEAL. Then R n = V V, V = V, and V 1 V 2 V KEITH CONRAD 2 V

Elementary linear algebra

Math 429/581 (Advanced) Group Theory. Summary of Definitions, Examples, and Theorems by Stefan Gille

Introduction to Arithmetic Geometry Fall 2013 Lecture #7 09/26/2013

Computing generator in cyclotomic integer rings

A construction of 3-dimensional lattice sieve for number field sieve over GF(p n )

Math 2070BC Term 2 Weeks 1 13 Lecture Notes

6 Ideal norms and the Dedekind-Kummer theorem

ALGEBRAIC NUMBER THEORY - COURSE NOTES

The p-adic Numbers. Akhil Mathew

Department of Mathematics, University of California, Berkeley

Material covered: Class numbers of quadratic fields, Valuations, Completions of fields.

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

ALGEBRA PH.D. QUALIFYING EXAM SOLUTIONS October 20, 2011

Algebra Questions. May 13, Groups 1. 2 Classification of Finite Groups 4. 3 Fields and Galois Theory 5. 4 Normal Forms 9

On error distributions in ring-based LWE

The Kronecker-Weber Theorem

The p-adic Numbers. Akhil Mathew. 4 May Math 155, Professor Alan Candiotti

A Field Extension as a Vector Space

Hardness and advantages of Module-SIS and Module-LWE

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Inner products and Norms. Inner product of 2 vectors. Inner product of 2 vectors x and y in R n : x 1 y 1 + x 2 y x n y n in R n

Ring-LWE security in the case of FHE

Transcription:

IMACC 2017 December 12 14, 2017 Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis Taechan Kim and Changmin Lee NTT Secure Platform Laboratories, Japan and Seoul National University, Korea T. Kim & C. Lee LLL over ring 0 / 21

Backgrounds Lattice-based cryptography post-quantum cryptography fully homomorphic encryption many other applications Lattices (classical) M: a free Z-module, i.e. closed under addition/multiplication by Z A free Z-module has a Z-basis (b 1,..., b n ) M n s.t. M = Zb 1 Zb n M has infinitely many number of basis n, the size of the basis, is invariant under the choice of the basis. n: the rank (or dimension) of M, written as n := rk(m) T. Kim & C. Lee LLL over ring 1 / 21

Backgrounds Lattice reduction Some basis of lattices are good, but some are not. Many lattice problems (SVP/CVP) are easier to solve, if a good basis is given. Informally, a good basis consists of reasonably small and almost orthogonal components. Lattice reduction is to find such a good basis from an arbitrary basis. LLL-algorithm is one of the most popular algorithms for lattice reduction. A key tool not only for lattice-based crypto, but also for various cryptanalysis (e.g. RSA attack) T. Kim & C. Lee LLL over ring 2 / 21

LLL-algorithm LLL-algorithm (classical) Given a Z-basis of a lattice M, find an LLL-reduced basis. (Gram-Schmidt orthogonalization) Given a basis (b 1,..., b n ) Q n, (b 1,..., b n) R m is GS orthogonalization, if b 1 = b 1 and b i i 1 = b i µ i,j bj for µ i,j = b i, bj / bj, bj. j=1 (LLL-reduced basis) A basis (b 1,..., b n ) is LLL-reduced w.r.t δ > 0 if µ i,j 1/2 for 1 j < i n (size reduced), b i 2 (δ µ 2 i,i 1) b i 1 for 1 < i n (Lovasz conditions) Note LLL algorithm outputs a small vector of lattices If (b 1,..., b n ) is LLL-reduced w.r.t. δ = 3/4, then b 1 2 (n 1)/4 det(m) 1/n. Its running time depends on the size of the dimension, n. T. Kim & C. Lee LLL over ring 3 / 21

Notations Number fields h Z[t]: an irreducible polynomial of degree n. L := Q[t]/h(t): a number field of degree n. Z L : a ring of integers of L (e.g. Z Q = Z) Ideal lattices An ideal I L is a Z L -submodule of L, thus trivially a Z-module. I is free, since Z is a PID (Principal Ideal Domain). Thus, it is a Z-lattice and called as ideal-lattice. Typically, rk(i) = n = [L : Q]. T. Kim & C. Lee LLL over ring 4 / 21

Motivations In cryptography, L typically has a proper subfield K Q. E.g. l-th cyclotomic field L = Q[t]/(t l + 1) has a subfield K = Q[t]/(t k + 1), where l = 2 l for some l > 0 and k l. Ideal lattice as a Z K -module An ideal I L is also a Z K -module for a subfield K L. If Z K is a PID, then I is a free Z K -module (Z K -lattice), thus I = Z K β 1 Z K β d for a basis (β 1,..., β d ) L d and d = [L : K]. Matrices of Lattices We consider a Z K -lattice as a d d matrix M I = [β 1... β d ] K d d, instead of [b 1... b n ] Q n n, where n = [L : Q] and d = [L : K]. T. Kim & C. Lee LLL over ring 5 / 21

Our goal Motivation If a Z-lattice M L can also be considered as a free Z K -module, rk ZK (M) = [L : K] = d is smaller than rk Z (M) = [L : Q] = n. Smaller dimension, faster LLL-algorithm? LLL algorithm over Z K We restrict our concern to norm-euclidean domain Z K (that is, Euclidean domain w.r.t. algebraic norm N K/Q ). We propose two heuristic LLL algorithms running over Z K -lattices. Technical hurdles For GS orthogonalization, one needs to define inner product over K d K d. What would be analogous notions for size reduced and Lovasz conditions? T. Kim & C. Lee LLL over ring 6 / 21

Related works Related works (Napias 96) over Gaussian integers, more generally, quadratic norm-euclidean domain use Hermitian product ; Euclidean norm (induced by Hermitian product) and algebraic norm coincides, i.e. N K/Q (a + bι) = a 2 + b 2 = (a, b) 2. (Fieker-Phost 96) over arbitrary Dedekind domain, using pseudo-basis inner product induced by Hermitian product; in a size-reduction step, given a K, tried to find q Z K s.t. Tr K/Q ((a q)(a q)) is minimal (in general, not easy to do so). (Gan-Ling-Mow 09) over complex fields basically the same as Napias s; does not consider the number field structures. (Fieker-Stehlé 10) over arbitrary Dedekind domain, using pseudo-basis convert Z K -lattice into Z-lattice of a higher dimension; LLL-algorithm is carried over Z-lattice. T. Kim & C. Lee LLL over ring 7 / 21

Euclidean domain Mathematical Background A ring R is Euclidean if φ : R N s.t. φ(a) φ(ab) for 0 a, b R and there exists q and r R s.t. a = bq + r with r = 0 or φ(r) < φ(b). E.g. Z with φ(a) = a and division algorithm Norm-Euclidean domain If Z K in K is Euclidean w.r.t. φ(a) = N K/Q (a), then Z K is called norm-euclidean. (Example 1.) Z K for K = Q(ζ k ), the k-th cyclotomic field, is norm-euclidean iff k {1, 3, 4, 5, 7, 8, 9, 11, 12, 15, 16, 20, 24} a (Example 2.) Z K for K = Q( α, β) is norm-euclidean iff α = 1, β = 2, 3, 5, 7; α = 2, β = 3, 5; α = 3, β = 2, 5, 7, 11, 17, 19; α = 7, β = 5. b a [Lenstra 75, Masley 75, Ojala 79] T. Kim b [Lemmermeyer & C. Lee LLL 11] over ring 8 / 21

Mathematical Background Euclidean minimum norm-euclideanity leads us to consider Euclidean minimum of K, M(K). For any ξ K, q Z K s.t. N K/Q (ξ q) < M(K) < 1. E.g. M(Q) = 1/2 Euclidean minimum of K = Q(ζ k ) k 1 3 4 5 7 8 9 12 15 16 20 24 M(Q(ζ k )) 1 2 1 3 1 2 1 5 1 7 1 2 1 3 1 4 1 16 1 2 1 5 1 4 Table: Euclidean minimum of k-th cyclotomic fields [Lezowski 14] Euclidean minimum of K = Q( α, β) (α, β) (1,2) (1,3) (1,5) (1,7) (2,-3) (2,5) (3,2) M(Q( α, β)) 1 1 5 1 1 11 2 4 16 2 3 16 (α, β) (3,5) (3,-7) (3,-11) (3,17) (3,-19) (7,5) M(Q( α, β)) 1 4 4 9 0.46 13 16 < 0.95 9 16 Table: Euclidean minimum of biquadratic fields [Lemmermeyer 11] 1 4 T. Kim & C. Lee LLL over ring 9 / 21

Size reduction over norm-euclidean ring Size reduction (classical) Size reduction is actually the same as for any given µ Q, find q Z s.t. µ q < 1/2. This can be done by a simple rounding, i.e. q = µ. Note that M(Q) = 1/2 and is the Euclidean function for Z. Recall, in size reduction step, b i is set to be b i q j b j, where q j = µ i,j for µ i,j Q. Rounding function in norm-euclidean ring For size reduction in K, we need an algorithm, for any ξ K, to find q Z K s.t. N K/Q (ξ q) M(K) (Rounding function) For a K, we write a = n 1 i=0 a iζ i where a i Q. Define a := i a i ζ i. However, N K/Q (a a ) < M(K) does not hold in general. T. Kim & C. Lee LLL over ring 10 / 21

Rounding algorithm for norm-euclidean ring Algorithm 1 Rounding algorithm for norm-euclidean rings Input A norm-euclidean number field K, its Euclidean minimum M(K), the unit group K of K, and an element a K Output q Z K such that N K/Q (a q) M(K) 1: Compute r := a a 2: if N K/Q (r) M(K) then 3: return q := a 4: else 5: repeat 6: u $ K 7: until N K/Q (ur ur ) M(K) 8: end if 9: return q := a + u 1 ur T. Kim & C. Lee LLL over ring 11 / 21

Notes Notes on the rounding algorithm The algorithm may not terminate, but it is unlikely to happen. In our experiments, the unit u is chosen from a power of a fundamental unit, e.g. u v i for a fundamental unit v. In the case of K = Q(ζ 16 ), For 97% of 200,000 uniformly chosen random elements, it suffices to run the simple rounding (i.e. q = a is the desired output). For the rests, it was enough to work with only a few units of the form v i for 1 i 3, where v = (ζ16 6 + ζ4 16 + ζ2 16 ) is a fundamental unit. T. Kim & C. Lee LLL over ring 12 / 21

Hermitian product LLL-algorithm over norm-euclidean rings Define a blinear map H : K d K d K by (v, w) d v i w i, i=1 where denotes the complex conjugation. GS-orthogonalization is analogously defined w.r.t. H. LLL-reduced condition A basis (β 1,..., β d ) K d is called Z K -LLL-reduced w.r.t δ > 0 if N K/Q (µ i,j ) M(K) for 1 j < i n (size reduced) N K/Q ( Bi + µ i,i 1 µ i,i 1 B i 1 ) δ NK/Q (B i 1 ) for 1 < i n (Lovasz condition), where B i = H(β i, β i ). Cautions Unlike the classical case, the Lovasz condition cannot be replaced with N K/Q ( Bi ) ( δ µi,i 1 µ i,i 1 ) NK/Q (B i 1 ). This is because the triangle inequality does not hold w.r.t. N K/Q. T. Kim & C. Lee LLL over ring 13 / 21

LLL-algorithm over norm-euclidean rings Input a basis {b 1,, b d } K d, M(K), the unit group K, and δ > 0. Output LLL-reduced basis {b 1,, b d }. 1: Compute the Gram-Schmidt basis {b 1,, b d } with respect to the bilinear map H(, ) 2: Compute the coefficients µ i,j = H(b i, b j )/H(b j, b j ) for 1 j < i d and B i = H(b i, b i ) for 1 i d. 3: Set k = 2 4: while k d do 5: for j = k 1to 1 do 6: Compute q j Z K such that N K/Q (µ k,j q j ) M(K) using Algorithm 1 7: Set b k = b k q j b j 8: Update µ k,j = H(b k, b j )/H(b j, b j ) and B k for 1 j k 9: end for( ) 10: if N K/Q Bk + µ k,k 1 µ k,k 1 B k 1 δ NK/Q (B k 1 ) then 11: k = k + 1 12: else 13: Swap b k and b k 1 14: Update b k, b k 1, B k, B k 1, and µ i,j for 1 i, j s 15: k = min{2, k 1} 16: end if 17: end while T. Kim & C. Lee LLL over ring 14 / 21

Experimental Results Lattices The lattice L is generated by rows of the matrix in K d d, q 0 0 γ 1 1 0 γ 2 0 1... 0,....... γ d 1 0 1 where q and γ i Z K. This shape of the lattice basis appears in several cryptanalysis. Parameter choices We carried out the reduction of lattices over K = Q(ζ k ) for k = 5, 8, 16 of dimension 10 d 50. If the lattices are considered as Z-lattices, the dimension 50 over Z K corresponds to the dimension 200 over Z when k = 5 or 8, or 400 when k = 16. δ = 3/4 T. Kim & C. Lee LLL over ring 15 / 21

Output quality Experimental Results Theoretically, we have no guarantee on the output quality. In biquadratic case, it is possible to guarantee output quality using a different type of inner product, but its practical performance is worse than general case that uses Hermitian product (see our paper). Let n = d [K : Q], a dimension of L over Z For v := (v 1,..., v d ) K d, define v = max i v i. As a measure of output quality, we use C := b 1 N K/Q (det(l)) 1/n, where the volume of L over Z is the same as N K/Q (det(l)) = N K/Q (q). The classical Hermite factor is defined with 2 norm. Heuristically, we observe that C 1.02 n. Taking v 2 n v into account, the Hermite constant of our reduction is 1.02n 1/2n. As n grows, Hermite constant becomes close to the average Hermite factor 1.02. T. Kim & C. Lee LLL over ring 16 / 21

Timing results time on average 150 100 50 Z K -lattices Z-lattices 10 20 30 40 50 Z K -dimension d Experimental Results time on average 150 100 50 Z K -lattices Z-lattices 10 20 30 40 50 Z K -dimension d (a) Z K = Z[ζ 5 ] (b) Z K = Z[ζ 8 ] Figure: Time comparison of running time Note Our Z K -lattice reduction is about 3 times faster than the classical reduction done over Z. We did not attempt to compare our naive implementation with already well-optimized LLL implementation. For the consistency of the comparison, we used our own implementation for both Z and Z K -reduction (see our SAGE codes in Appendix). T. Kim & C. Lee LLL over ring 17 / 21

Sieving in extnfs (by K.-Barbulescu) Applications extnfs is a best known algorithm to solve the DLP over F p n (n: composite, p: not small). In a step called special-q method in extnfs method, we need to consider: find a small basis of the lattice M Q := (a τ 1 0,..., a τ 1 ) Z[ι] τ : a i α f 0 mod Q, where Q is a prime ideal in Z L for L = K[α] = K[x]/f (x) and K = Q[ι] = Q[t]/h(t). M Q is the τ-dimensional Z K -lattice. A classical approach is to consider the lattice as Z-lattice. Parameters for BN curves Set h(t) = Φ 5 (t) = t 4 + t 3 + t 2 + t + 1 so that K = Q(ζ 5 ) and Z K = Z[ζ 5 ]. Set f (x) = x 3 x 2 u, where p = P(u) and P(x) = 36x 4 + 36x 3 + 24x 2 + 6x + 1 and u = 2 158 2 128 2 68 + 1 Set L = K[x]/f (x). i=0 T. Kim & C. Lee LLL over ring 18 / 21

Special-q in BN curve parameters Example (cont.) Take a prime ideal Q = q, α f γ L and τ = 2. where, q = (q) = ( 461479ζ5 3 383970ζ5 2 265505ζ 5 303923 ) ; Then M Q = We obtained LLL (M Q ) = ( q 0 γ 1 γ = 16946578643505257763313. ). 532ζ3 5 + 850ζ2 5 + 179ζ 5 464 224ζ5 3 + 132ζ2 5 13ζ 5 + 367 649ζ5 3 + 186ζ2 5 + 661ζ 5 + 73 11ζ5 3 264ζ2 5 + 35ζ 5 71. Note that log 2 (850) 9.73 and log 2 ( NK/Q (q) 1 τm ) 9.29. T. Kim & C. Lee LLL over ring 19 / 21

Future works Open questions Apply to cryptanalysis of lattice-based cryptography BKZ, lattice enumeration over Euclidean ring? Prove the output quality T. Kim & C. Lee LLL over ring 20 / 21

Thanks for your attention! T. Kim & C. Lee LLL over ring 21 / 21

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback