Applications of Lattice Reduction in Cryptography

Similar documents
A new attack on RSA with a composed decryption exponent

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e

A New Attack on RSA with Two or Three Decryption Exponents

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

New attacks on RSA with Moduli N = p r q

New Partial Key Exposure Attacks on RSA Revisited

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

Cryptanalysis of Unbalanced RSA with Small CRT-Exponent

On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

New Partial Key Exposure Attacks on RSA

New Partial Key Exposure Attacks on RSA

Partial Key Exposure Attacks on RSA Up to Full Size Exponents

Lattice Reduction of Modular, Convolution, and NTRU Lattices

On the Security of Multi-prime RSA

Cryptanalysis via Lattice Techniques

Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem

Another Generalization of Wiener s Attack on RSA

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

NTRU Cryptosystem and Its Analysis

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

How to Generalize RSA Cryptanalyses

The security of RSA (part 1) The security of RSA (part 1)

COMP4109 : Applied Cryptography

A new security notion for asymmetric encryption Draft #12

arxiv: v3 [cs.it] 14 Nov 2012

A New Generalization of the KMOV Cryptosystem

Partial Key Exposure: Generalized Framework to Attack RSA

Looking back at lattice-based cryptanalysis

5199/IOC5063 Theory of Cryptology, 2014 Fall

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

Implicit factorization of unbalanced RSA moduli

Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

MaTRU: A New NTRU-Based Cryptosystem

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

A new security notion for asymmetric encryption Draft #10

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices

Key Encapsulation Mechanism From Modular Multivariate Linear Equations

A new security notion for asymmetric encryption Draft #8

Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices

On the Design of Rebalanced RSA-CRT

Approximate Integer Common Divisor Problem relates to Implicit Factorization

MATH 158 FINAL EXAM 20 DECEMBER 2016

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

RSA. Ramki Thurimella

Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA

On the Optimality of Lattices for the Coppersmith Technique

Post-Quantum Cryptography

Mathematics of Cryptography

CRYPTANALYSIS OF RSA WITH LATTICE ATTACKS ANDREW HOON SUK

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

Double-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls

RSA Cryptosystem and Factorization

A new lattice construction for partial key exposure attack for RSA

A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions

Algorithmic Number Theory and Public-key Cryptography

Open problems in lattice-based cryptography

Elliptic Curve Cryptography

Exercise Sheet Cryptography 1, 2011

NUMBER THEORY FOR CRYPTOGRAPHY

10 Modular Arithmetic and Cryptography

Implementation of Automatic Invertible Matrix Mechanism in NTRU Matrix Formulation Algorithm

Congruence of Integers

CRYPTOGRAPHY AND NUMBER THEORY

Cryptography: Joining the RSA Cryptosystem

Public Key Encryption

2 More on Congruences

CIS 551 / TCOM 401 Computer and Network Security

New RSA Vulnerabilities Using Lattice Reduction Methods

RSA RSA public key cryptosystem

Post Quantum Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

9 Knapsack Cryptography

Public Key Cryptography

Lectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002

STRU: A Non Alternative and Multidimensional Public Key Cryptosystem

On estimating the lattice security of NTRU

LLL lattice basis reduction algorithm

RSA ENCRYPTION USING THREE MERSENNE PRIMES

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

CPSC 467: Cryptography and Computer Security

An Efficient Broadcast Attack against NTRU

A Unified Framework for Small Secret Exponent Attack on RSA

Réduction de réseau et cryptologie.

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

CPSC 467b: Cryptography and Computer Security

Implementation Tutorial on RSA

Lattices, Cryptography, and NTRU. An introduction to lattice theory and the NTRU cryptosystem. Ahsan Z. Zahid

Ideal Lattices and NTRU

Transcription:

Applications of Lattice Reduction in Cryptography Abderrahmane Nitaj University of Caen Basse Normandie, France Kuala Lumpur, Malaysia, June 27, 2014 AK Q ËAÓ Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 1 / 42

Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 2 / 42

Multivariate linear equations Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 3 / 42

Multivariate linear equations Linear diophantine equation We want to solve x 1 e 1 +... + x n e n = S, for small values with max( x 1,, x n ) < X. We transform the equation x 1 e 1 +... + x n e n S = 0 using the matrix 1 0 0 0 e 1 0 1 0 0 e 2 0 0 1 0 e 3 M(L) =......... 0 0 0. 1 e n 0 0 0. 0 S Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 4 / 42

Multivariate linear equations Linear diophantine equation From the matrix, we deduce the vectors b 1 = (1, 0, 0,, 0, e 1 ), b 2 = (0, 1, 0,, 0, e 2 ), b 3 = (0, 0, 1,, 0, e 3 ),... b n = (0, 0, 0,, 1, e n ), b n+1 = (0, 0, 0,, 0, S), Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 5 / 42

Multivariate linear equations Linear diophantine equation We have v 0 = x 1 b 1 +... x n+1 b n+1 = (x 1, x 2,..., x n, x 1 e 1 +... + x n e n S). We define the lattice L := {v = a 1 b 1 +... a n+1 b n+1 a i Z}. Then dim(l) = n + 1 and det(l) = S. We have v 0 = x 2 1 +... + x2 n nx 2 = X n. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 6 / 42

Multivariate linear equations Linear diophantine equation By applying the LLL algorithm to the lattice L, it outputs a basis (u 1,..., u n+1 ) such that u 1 2 n 4 det(l) 1 n+1. To find v 0 among the vectors (u 1,..., u n+1 ), we set Since det(l) = S, we get v 0 X n 2 n 4 det(l) 1 n+1. X 2 n 4 n S 1 n+1. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 7 / 42

Multivariate linear equations Linear diophantine equation Theorem Let x 1 e 1 +... + x n e n = S be a linear equation with max( x 1,, x n ) < X. If X 2 n 4 n S 1 n+1, then one can solve the equation in polynomial time. The LLL algorithm has been applied to break the knapsack cryptosystem. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 8 / 42

Multivariate linear equations Example Let 340x 1 + 257x 2 + 378x 3 + 251x 4 = 9138 be a linear equation with max( x 1,, x 4 ) < X. We have 2 n 4 n S 1 n+1 6.196, Set b 1 := [1, 0, 0, 0, 340]; b 2 := [0, 1, 0, 0, 257]; b 3 := [0, 0, 1, 0, 378]; b 4 := [0, 0, 0, 1, 251]; b 5 := [0, 0, 0, 0, 9138]. Applying the LLL algorithm, we get the vectors [3, 2, 2, 1, 1]; [0, 1, 2, 2, 3]; [0, 0, 2, 3, 3]; The solution is [9, 7, 8, 5, 0] [ 4, 4, 3, 5, 1]; [9, 7, 8, 5, 0] Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 9 / 42

Application to NTRU Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 10 / 42

Application to NTRU NTRU NTRU Invented by Hoffstein, Pipher et Silverman in 1996. Security based on the Shortest Vector Problem (SVP). Various versions between 1996 and 2001. Definition The Shortest Vector Problem (SVP): Given a basis matrix B for L, compute a non-zero vector v L such that v is minimal, that is v = λ 1 (L). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 11 / 42

Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = f i g j. i+j k (mod N) Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 12 / 42

Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = f i g j. i+j k (mod N) Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 12 / 42

Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = f i g j. i+j k (mod N) Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 12 / 42

Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Convolution f = (f 0, f 1,, f N 1 ), g = (g 0, g 1,, g N 1 ). }{{} f g = h = (h 0, h 1,, h N 1 ) 1 X X k X N 1 f 0 g 0 f 0 g 1 f 0 g k f 0 g N 1 + f 1 g N 1 f 1 g 0 f 1 g k 1 f 1 g N 2 + f 2 g N 2 f 2 g N 1 f 2 g k 2 f 2 g N 3..... + f N 2 g 2 f N 2 g 3 f N 2 g k+2 f N 2 g 1 + f N 1 g 1 f N 1 g 2 f N 1 g k+1 f N 1 g 0 h = h 0 h 1 h k h N 1 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 13 / 42

NTRU Parameters Application to NTRU N = a prime number (e.g. N = 167, 251, 347, 503). q = a large modulus (e.g. q = 128, 256). p = a small modulus (e.g. p = 3). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 14 / 42

NTRU Algorithms Application to NTRU Key Generation: Randomly choose two private polynomials f and g. Compute the inverse of f modulo q: f f q = 1 (mod q). Compute the inverse of f modulo p: f f p = 1 (mod p). Compute the public key h = f q g (mod q). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 15 / 42

NTRU Algorithms Application to NTRU Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 16 / 42

NTRU Algorithms Application to NTRU Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 16 / 42

NTRU Algorithms Application to NTRU Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 16 / 42

Application to NTRU NTRU The lattice Using h f q g (mod q), we get h f g (mod q). Hence f h q u = g for a polynomial u P. Consider the lattice L = { (f, g) P 2 u P, f h q u = g }. Using a matrix, we get [ ] 1 h (f, u) = (f, g). 0 q Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 17 / 42

Application to NTRU NTRU Using f = (f 0, f 1,, f N 1 ), h = (h 0, h 1,, h N 1 ) and u = (u 0, u 1,, u N 1 ), we get f 0 f 1. f N 1 u 1 u 2. u N 1 1 0 0 h 0 h 1 h N 1 0 1 0 h N 1 h 0 h N 2............ 0 0 1 h 1 h 2 h 0 0 0 0 q 0 0 0 0 0 0 q 0............ 0 0 0 0 0 q = f 0 f 1. f N 1 g 0 g 1. g N 1 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 18 / 42

Application to NTRU NTRU Hence the matrix of the lattice is 1 0 0 h 0 h 1 h N 1 0 1 0 h N 1 h 0 h N 2............ 0 0 1 h 1 h 2 h 0 0 0 0 q 0 0 0 0 0 0 q 0............ 0 0 0 0 0 q. with determinant dim(l) and det(l) = q N. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 19 / 42

Application to NTRU NTRU The lattice Since f and g have d f and d g coefficient that are equal to ±1 and the the other coefficients are equal to 0, then (f, g) = ( N 1 i=0 ) N 1 1/2 fi 2 + g 2 i d f + d g. Applying the LLL algorithm, we get a basis with a vector v 1 such that v 1 2 2N 1 4 det(l) 1 2N. Hence, (f, g) will be among the vectors of the reduced basis if df + d g 2 2N 1 4 det(l) 1 2N i=0 = df + d g 2 2N 1 2 det(l) 1 2N 1 N = 2 2 q. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 20 / 42

Application to NTRU NTRU Theorem (Coppersmith, Shamir) Let d f be the number of ±1 in f and d g the number of ±1 in g. If d f + d g 2 2N 1 2 q, Then f and g can be found in polynomial time. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 21 / 42

Application to RSA Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 22 / 42

Application to RSA RSA The Key Equation Problem Given N = pq and e satisfying ed kφ(n) = 1. Find d, k and φ(n). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 23 / 42

Application to RSA Coppersmith s method 1 Define the norm of f (x 1,..., x n ) = a i1...i n x i 1 1... x in n to be f (x 1,..., x n ) = a 2 i 1...i n. 2 Consider the congruence equation f (x 1,..., x n ) 0 (mod N). We want to find the solutions (x (0) 1,..., x(0) n ) such that x (0) i < X i for i = 1,..., n. 3 Find an expression of each X i in terms of N so that X i = N δ i. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 24 / 42

Application to RSA Coppersmith s method 1 Let l be the monomial in f with maximal weight. Usually, l, is called the leading monomial of f. If the coefficient of l is a l, then we can assume that gcd(n, al) = 1. Therefore, we can use fa 1 l (mod N) instead of f so that the coefficient of l becomes 1. Throughout this paper, we consider that the coefficient of l is 1. 2 Let m be a positive integer. Find the monomials x i 1 1 x in n of f m. 3 For 0 k m, find the monomials x i 1 1 xn in of f m k. 4 For t 0, find the set M k = {x i 1+j 1 xn in x i 1 1 xn in is a monomial of f m and 0 j t x i 1 1 xn in l k is a monomial of f m k }. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 25 / 42

Application to RSA Coppersmith s method 1 Similarly, for t 0, find the set M k+1 = {x i 1+j 1 xn in x i 1 1 xn in monomial of f m and 0 j t 2 For 0 k m, find the set M k Mk+1. 3 For 0 k m, define the polynomials x i 1 1 xn in l k+1 monomial of f m (k+1) }. g k,i1,...,i n (x 1,..., x n ) = xi 1 1... xn in f (x 1,..., x n ) k N m k 4 Then g k,i1,...,i n (x 1,..., x n ) 0 (mod N m ). l k with x i 1 1... x in n M k Mk+1. 5 For 0 k m, define the polynomials g k,i1,...,i n (x 1 X 1,..., x n X n ). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 26 / 42

Application to RSA Coppersmith s method 1 Let L denote the lattice spanned by the coefficient vectors of the polynomials g k,i1,...,i n (x 1 X 1,..., x n X n ). The ordering of the monomials is such that the matrix M is triangular. 2 Compute the dimension ω of the lattice L and its determinant det(l) = N en X e 1 1 Xen n. 3 Compute e N and the exponents e i, 1 i n, in terms of m and t. 4 Let t = mτ. Compute an approximation of e N and the exponents e i, 1 i n, in terms of m and τ by neglecting all terms of low degrees. 5 Apply the LLL algorithm to obtain a reduced basis (b 1,..., b n ) such that b 1 2 ω 2 det(l) 1 ω. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 27 / 42

Application to RSA Coppermith s method Theorem (Howgrave-Graham) Let h(x 1,, x n ) Z[x 1,, x n ] be a polynomial with at most ω monomials. Suppose that ( ) 1 h x (0) 1,, x(0) n 0 (mod N m ) where x (0) i < X i for i = 1,..., n, ω. 2 h(x 1 X 1,, x n X n ) < Nm ( ) Then h x (0) 1,, x(0) n = 0 holds over the integers. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 28 / 42

Application to RSA Coppersmith s method 1 Combine Howgrave-Graham s bound f (x 1 X 1,..., x n X n ) < Nm ω and LLL to form the inequation 2 ω 2 det(l) 1 ω < N m ω 2 Neglecting 2 ω 2 and ω, consider the condition or equivalently, det(l) < N mω, N en X e 1 1 Xen n = N en N e 1δ1 N enδn < N mω. 3 Taking logarithms, we get the inequation e N + e 1 δ 1 +... + e n δ n < mω. The next task is to solve this inequation. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 29 / 42

Application to RSA Coppersmith s method: example We want to solve the equation ed kφ(n) = 1. 1 We have ed k(n + 1 p q) = 1 and then k(p + q) + (N + 1)k + 1 0 (mod e). 2 Set k = x, p + q = y and N + 1 = a. Then the congruence becomes f (x, y) = xy + ax + 1 0 3 Let e = N β, p + q = N 1/2 and d = N δ. Then Hence k = N δ. k = ed 1 φ(n) < ed φ(n) < d. (mod e). 4 Let l = xy be the leading monomial of f (x, y) = xy + ax + 1 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 30 / 42

Application to RSA Coppersmith s method: example 1 We have f m (x, y) = (x(y + a) + 1)) m m ( ) m = x i 1 (y + a) i 1 = = i 1 =0 i 1 m ( ) m x i 1 i 1 =0 m i 1 i 1 i 1 =0 i 1 =0 ( m i 1 i 1 ( i1 i 2 i 2 =0 )( ) i1 2 Hence the monomials of f m are in the form i 2 ) y i 2 a i 1 i 2 x i 1 y i 2 a i 1 i 2. f m = { x i 1 y i 2, i 1 = 0,..., m, i 2 = 0,..., i 1 }. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 31 / 42

Application to RSA Coppersmith s method: example 1 From the monomials of f m, we easily deduce the monomials of f m k : f m k = { x i 1 y i 2, i 1 = 0,..., m k, i 2 = 0,..., i 1 }. 2 For t 0 and k m, let consider extra shifts in y, that is, we consider the set M k = {x i 1 y i 2+j x i 1 y i 2 monomial of f m and 0 j t 0 j t x i 1y i 2 l k monomial of f m k }. 3 Since l = xy, then M k = {x i 1 y i 2+j x i 1 y i 2 monomial of f m and x i 1 k y i 2 k monomial of f m k }. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 32 / 42

Application to RSA Coppersmith s method: example 1 Hence x i 1 y i 2 M k i 1 = k,..., m, i 2 = k,..., i 1 + t. 2 Similarly, for t 0, we get x i 1 y i 2 M k+1 i 1 = k + 1,..., m, i 2 = k + 1,..., i 1 + t. 3 For 0 k m, we find that x i 1 1 y i 2 M k Mk+1 if and only if { { i1 =k,..., m, i1 =k, or i 2 =k, i 2 =k + 1,..., i 1 + t. 4 For 0 k m, we define the polynomials g k,i1,i 2 (x, y) = xi 1y i 2 (xy) k f (x, y)k e m k with x i 1 y i 2 M k Mk+1. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 33 / 42

Application to RSA Coppersmith s method: example 1 For i 1 = k,..., m and i 2 = k, the polynomials reduce to g k,i1,k(x, y) = G k,i1 (x, y) = x i 1 k f (x, y) k e m k for i 1 = k,..., m. For i 1 = k and i 2 = k + 1,..., i 1 + t = k + t, the polynomials reduce to g k,k,i2 (x 1, y) = H k,i2 (x, y) = y i 2 k f (x, y) k e m k for i 2 = k+1,..., k+t. 2 For 0 k m, we define the polynomials G k,i1 (xx, yy) = x i 1 k X i 1 k f (xx, yy) k e m k for i 1 = k,..., m, H k,i2 (xx, yy) = y i 2 k Y i 2 k f (xx, yy) k e m k for i 2 = k + 1,..., k + t. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 34 / 42

Application to RSA Coppersmith s method: example 1 x x 2 x 3 y xy x 2 y x 3 y xy 2 x 2 y 2 x 3 y 2 x 2 y 3 x 3 y 3 x 3 y 4 G 0,0 e 3 0 0 0 0 0 0 0 0 0 0 0 0 0 G 0,1 0 Xe 3 0 0 0 0 0 0 0 0 0 0 0 0 G 0,2 0 0 X 2 e 3 0 0 0 0 0 0 0 0 0 0 0 G 0,3 0 0 0 X 3 e 3 0 0 0 0 0 0 0 0 0 0 H 0,1 0 0 0 0 Ye 3 0 0 0 0 0 0 0 0 0 G 1,1 0 0 0 XYe 2 0 0 0 0 0 0 0 0 G 1,2 0 0 0 0 X 2 Ye 2 0 0 0 0 0 0 0 G 1,3 0 0 0 0 0 X 3 Ye 2 0 0 0 0 0 0 H 1,2 0 0 0 0 0 0 XY 2 e 2 0 0 0 0 0 G 2,2 0 0 0 0 X 2 Y 2 0 0 0 0 G 2,3 0 0 0 0 0 X 3 Y 2 e 0 0 0 H 2,3 0 0 0 0 0 0 X 2 Y 3 e 0 0 G 3,3 0 0 0 X 3 Y 3 0 H 3,4 0 0 0 0 0 X 3 Y 4 Table: The coefficient matrix for the case m = 3, t = 1. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 35 / 42

Application to RSA Coppersmith s method: example 1 The dimension of L is ω = m k=0 i 1 =k m 1 + 2 The determinant of L is m k+t k=0 i 2 =k+1 1 = 1 (m + 1)(m + 2t + 2). 2 det(l) = e e 0 X e 1 Y e 2. 3 From the construction of the polynomials G k,i1 (xx, yy) and H k,i2 (xx, yy), we get e 0 = m k=0 i 1 =k m (m k) + m k+t k=0 i 2 =k+1 (m k) = 1 m(m + 1)(2m + 3t + 4). 6 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 36 / 42

Application to RSA Coppersmith s method: example 1 Similarly, we have and e 2 = e 1 = m m k=0 i 1 =k k=0 i 1 =k m k + m i 1 + m m k+t k=0 i 2 =k+1 k+t k=0 i 2 =k+1 k = 1 m(m + 1)(2m + 3t + 4), 6 i 2 = 1 6 (m + 1)(m2 + 3mt + 3t 2 + 2m + 3t). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 37 / 42

Application to RSA Coppersmith s method: example 1 Let t = mτ. Then ω = 1 2 (m + 1)(m + 2mτ + 2) = 1 2 (1 + 2τ)m2 + o ( m 2), and e 0 = 1 6 m(m + 1)(2m + 3mτ + 4) = 1 6 (2 + 3τ)m3 + o ( m 3). Similarly, we have e 1 = 1 6 m(m + 1)(2m + 3mτ + 4) = 1 6 (2 + 3τ)m3 + o ( m 3), and e 2 = 1 6 (m + 1)(m2 + 3m 2 τ + 3m 2 τ 2 + 2m + 3mτ) = 1 6 (1 + 3τ + 3τ 2 )m 3 + o ( m 3). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 38 / 42

Application to RSA Coppersmith s method: example 1 Apply the LLL algorithm to obtain a reduced basis (b 1,..., b n ) such that b 1 2 ω 2 det(l) 1 ω. 2 Combining Howgrave-Graham s bound f (x 1 X 1,..., x n X n ) < em ω and LLL, we get the inequation 2 ω 2 det(l) 1 ω 3 Neglecting 2 ω 2 and ω, we get or equivalently, < e m ω det(l) < e mω, e e 0 X e 1 Y e 2 < e mω. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 39 / 42

Application to RSA Coppersmith s method: example 1 Since e = N β, Y = N 1/2 and X = N δ. Then N βe0 N δe1 N e 2/2 < N mβω. 2 Taking logarithms, we get the inequation βe 0 + δe 1 + e 2 2 < mβω. 3 Plugging the values of e 0, e 1 and ω, we get 1 6 (2 + 3τ)β + 1 1 (2 + 3τ)δ + 6 12 (1 + 3τ + 3τ 2 ) 1 (1 + 2τ)β < 0. 2 4 The optimal value for τ in the left side is τ = β δ 1 2, which leads to 12δ 2 + 4(1 + 6β)δ 12β 2 + 4β + 1 < 0. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 40 / 42

Application to RSA Coppersmith s method: example 1 Solving for δ, we get δ < β + 1 6 1 3 6β + 1. 2 A typical example is the case e N, that is β = 1. Then, the former bound gives d < 7 6 1 3 7 0.284. This is a famous bound found by Boneh and Durfee. Theorem (Boneh,Durfee, 1998) Let (N, e) be an RSA public key with private decryption exponent d. If d < 7 6 1 3 7, then one can factor the RSA modulus N. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 41 / 42

Application to RSA Thank you Terima kasih Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 42 / 42

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback