Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences

Similar documents
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

Cryptanalysis via Lattice Techniques

Algorithmic Number Theory and Public-key Cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

2 reduction algorithms as shortest vector oracles, Coppersmith applied the LLL algorithm to determine a subspace containing all reasonably short latti

A new lattice construction for partial key exposure attack for RSA

Lattice Reduction on Low-Exponent RSA

New Partial Key Exposure Attacks on RSA

On the Provable Security of an Efficient RSA-Based Pseudorandom Generator

Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

Partial Key Exposure: Generalized Framework to Attack RSA

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Approximate Integer Common Divisor Problem relates to Implicit Factorization

New Partial Key Exposure Attacks on RSA

On the Optimality of Lattices for the Coppersmith Technique

On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

Cryptanalysis of Unbalanced RSA with Small CRT-Exponent

New attacks on RSA with Moduli N = p r q

Lattice-Based Fault Attacks on RSA Signatures

On the Provable Security of an Efficient RSA-Based Pseudorandom Generator

MaTRU: A New NTRU-Based Cryptosystem

Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem

Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e

New Partial Key Exposure Attacks on RSA Revisited

On the Design of Rebalanced RSA-CRT

On the Security of Multi-prime RSA

Fault Attacks Against emv Signatures

Lattice Reduction of Modular, Convolution, and NTRU Lattices

Hidden Field Equations

On the cryptographic applications of Gröbner bases and Lattice Theory

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Applications of Lattice Reduction in Cryptography

A new attack on RSA with a composed decryption exponent

Pseudo-random Number Generation. Qiuliang Tang

Introduction to Cybersecurity Cryptography (Part 5)

Factoring N = p 2 q. Abstract. 1 Introduction and Problem Overview. =±1 and therefore

A New Related Message Attack on RSA

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

Integers and Division

How to Generalize RSA Cryptanalyses

Twenty Years of Attacks on the RSA Cryptosystem

Breaking Plain ElGamal and Plain RSA Encryption

A New Attack on RSA with Two or Three Decryption Exponents

Cryptanalysis of RSA Signatures with Fixed-Pattern Padding

Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much?

Introduction to Cryptology. Lecture 20

A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants

Lattice Reduction Algorithms: Theory and Practice

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Public Key Cryptography

Lecture 6: Cryptanalysis of public-key algorithms.,

An Efficient Broadcast Attack against NTRU

Finding Small Solutions to Small Degree Polynomials

On estimating the lattice security of NTRU

Applied Cryptography and Computer Security CSE 664 Spring 2018

Hybrid Approach : a Tool for Multivariate Cryptography

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Mathematics for Cryptography

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

A variant of Coppersmith s Algorithm with Improved Complexity and Efficient Exhaustive Search

RSA. Ramki Thurimella

Inoculating Multivariate Schemes Against Differential Attacks

New RSA Vulnerabilities Using Lattice Reduction Methods

Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme

Implicit Factoring with Shared Most Significant and Middle Bits

Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

part 2: detecting smoothness part 3: the number-field sieve

Partial Key Exposure Attacks on RSA Up to Full Size Exponents

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Introduction to Cybersecurity Cryptography (Part 4)

Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits

Chapter 4 Finite Fields

Mathematics of Cryptography

On the Security of EPOC and TSH-ESIGN

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Double-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls

Public-Key Cryptosystems CHAPTER 4

Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions

New Directions in Multivariate Public Key Cryptography

On the Bit Security of Elliptic Curve Diffie Hellman

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

The attack of the RSA Subgroup Assumption

CS 355: Topics in Cryptography Spring Problem Set 5.

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

Gröbner Bases in Public-Key Cryptography

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

The Hardness of Hensel Lifting: The Case of RSA and Discrete Logarithm

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Introduction to Cybersecurity Cryptography (Part 4)

What is The Continued Fraction Factoring Method

Another Generalization of Wiener s Attack on RSA

Transcription:

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J. Bi, J-S. Coron, J-C. Faugère, P. Nguyen, G. Renault, R. Zeitoun Public Key Cryptography 2014 26-28 March, 2014 - Buenos Aires, Argentina

1 Coppersmith s Method 2 Speeding up Coppersmith s Algorithm by Rounding 3 Speeding up Exhaustive Search by Chaining PKC 2014 2 / 27

Core Ideas of Rounding and Chaining Rounding: The problem: a f b Rather consider a/c instead of a. Chaining: f f f The problem: a 1 b 1, a 2 b 2, a 3 b 3,... Rather do a 1 f b 1, f (b 1 ) f b 2, f (b 2 ) f b 3,... Rounding and Chaining can also be combined. PKC 2014 3 / 27

Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ 1 + + a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. PKC 2014 4 / 27

Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ 1 + + a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. Coppersmith s Method (1996) Find small integer roots. PKC 2014 4 / 27

Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ 1 + + a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. Coppersmith s Theorem for the Univariate Modular case The solutions x 0 can be found in time poly (log N, δ) if: x 0 < N 1/δ. PKC 2014 4 / 27

Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ 1 + + a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. The problem is easy without the modulo N. Find a polynomial g such that g(x 0 ) = 0 over Z. PKC 2014 4 / 27

Applications in cryptology Cryptanalysis of RSA Factoring with high bits known. Coppersmith, 1996. Security proof of RSA-OAEP. Shoup, 2001. Equivalence: factoring / computing d. Coron, May, 2007. Stereotyped messages. Coppersmith, 1996. RSA Pseudorandom Generator Fischlin, Schnorr, 2000. Affine Padding. Coppersmith, Franklin, Patarin, Reiter, 1996. Polynomially related messages (Hastad). Coppersmith, 1997. Finding smooth numbers and Factoring. Boneh, 2001. Coppersmith in the wild. Bernstein et al., 2013. PKC 2014 5 / 27

About Coppersmith s Method Euclidean Lattices Find a new small polynomial equation LLL Reduction. A matter of Bound Coppersmith s bound x 0 < N 1/δ Exhaustive search. PKC 2014 6 / 27

About Coppersmith s Method Euclidean Lattices Find a new small polynomial equation LLL Reduction. A matter of Bound Coppersmith s bound x 0 < N 1/δ Exhaustive search. In practice The LLL-reduction can be costly. The exhaustive search can be prohibitive. PKC 2014 6 / 27

Rounding and Chaining LLL Our Approach Use structure to improve Coppersmith s method. Two Speedups: Rounding and Chaining Asymptotical speed-up of LLL-reduction: δ 2 log 9 N log 7 N Heuristic speed-up of the exhaustive search. Core Ideas of Rounding and Chaining Rounding: Apply LLL on a matrix with smaller coefficients Divide all coefficients in Coppersmith s matrix. Chaining: Reuse previous computation Apply a small transformation on the last reduced matrix. PKC 2014 7 / 27

Rounding and Chaining LLL Our Approach Use structure to improve Coppersmith s method. Two Speedups: Rounding and Chaining Asymptotical speed-up of LLL-reduction: δ 2 log 9 N log 7 N Heuristic speed-up of the exhaustive search. Timings for a typical instance ( log 2 (N) = 2048 and δ = 3) Original method: 4 years. Our new method: 2.6 days. PKC 2014 7 / 27

Coppersmith s Method (Howgrave-Graham) The problem: find all small integers x 0 s.t. f (x 0 ) 0 mod N. The idea: find a small polynomial g s.t. g(x 0 ) = 0 over Z. How to find the polynomial g: Family of Polynomials (with parameter h) B LLL B R g g(x 0 ) 0 mod N h 1 g(x 0 ) < N h 1 } g(x 0 ) = 0 over Z. PKC 2014 8 / 27

Complexity / Practical Results of Coppersmith s Method State-of-the-art Analysis Complexity using L 2 : O(log 9 (N)/δ 2 ). In practice, for log 2 (N) = 1024 and δ = 2 Upper bound for x 0 2 492 2 496 2 500 2 503 2 504 2 505... 2 512 Lattice Dimension n = hδ + 1 29 35 51 71 77 87... NA Size of elements in B (bits) 15360 18432 26624 36864 39936 45056... NA Time for LLL (seconds) 10.6 35.2 355 2338 4432 11426... NA Remark: All tests were performed using Magma V2.19-5. [L 2 ] An LLL Algorithm with Quadratic Complexity. P. Q. Nguyen and D. Stehlé, SIAM J. of Computing, 2009. PKC 2014 9 / 27

Using Structure: A First Result State-of-the-art Analysis Complexity using L 2 : O(log 9 (N)/δ 2 ). New Preliminary Result Using Structure [1] Complexity using L 2 : O(log 8 (N)/δ). [1] An Upper Bound on the Average Number of Iterations of the LLL Algorithm. Hervé Daudé, Brigitte Vallée, 1994. PKC 2014 10 / 27

Speeding up Coppersmith s Algorithm by Rounding Use Coppersmith s matrix structure. PKC 2014 11 / 27

Speeding up Coppersmith s Algorithm by Rounding The idea: Perform computations with most significant bits A B A c B c PKC 2014 12 / 27

B = N h 1 XN h 1 Speeding up Coppersmith s Algorithm by Rounding... X δ 1 N h 1 a 0 N h 2... X δ N h 2 a 0 XN h 2... X δ+1 N h 2...... a 0 X δ 1 N h 2... X 2δ 1 N h 2...... Largest a δ 0...... X δ(h 1) a δ 0 X...... X δ(h 1)+1...... a δ 0 X δ 1...... X δh 1... Smallest Since X < N 1 δ, all diagonal elements lie between N h 2 and N h. PKC 2014 13 / 27

Speeding up Coppersmith s Algorithm by Rounding First step of rounding method Size-reduce B so that subdiagonal coefficients are smaller than diagonal coefficients. B = Size-Reduce(B) = b 1 < b 1 b 2 < b 1 < b 2 b 3 < b 1 < b 2 < b 3...... < b 1 < b 2 < b 3... b n PKC 2014 14 / 27

Speeding up Coppersmith s Algorithm by Rounding Second step of the rounding method Create a new rounded matrix B/c. Apply LLL on B/c B /c B/c LLL T, B/c R PKC 2014 15 / 27

Speeding up Coppersmith s Algorithm by Rounding Second step of the rounding method Create a new rounded matrix B/c. Apply LLL on B/c B /c B/c LLL T B/c PKC 2014 15 / 27

Speeding up Coppersmith s Algorithm by Rounding Second step of the rounding method Create a new rounded matrix B/c. Apply LLL on B/c : first vector of unimodular matrix is x. Compute v = xb and solve v over Z. B /c B/c LLL x T B/c ( x ) B = ( v ) PKC 2014 15 / 27

Complexity of Rounding Method Theorem: Rounding Method Complexity using L 2 : O(log 7 N). Remainder on Coppersmith s method complexity: State-of-the-art complexity: O(log 9 (N)/δ 2 ). New preliminary complexity: O(log 8 (N)/δ). PKC 2014 16 / 27

Timings with Rounding Improvement In practice, for log 2 (N) = 1024 and δ = 2 Upper bound for x 0 2 492 2 496 2 500 2 503 2 504 2 505... 2 512 Lattice Dimension 29 35 51 71 77 87... NA Size of elements in B (bits) 15360 18432 26624 36864 39936 45056... NA Size of elements in B/c 2131 2127 2119 2119 2120 2123... NA Original LLL (seconds) 10.6 35.2 355 2338 4432 11426... NA Rounding LLL (seconds) 1.6 3.5 18.8 94 150 436... NA Dim 77: Speed-up of 30. PKC 2014 17 / 27

Speeding up Exhaustive Search by Chaining Use hidden algebraic structure. PKC 2014 18 / 27

Exhaustive Search Performing exhaustive search Split the variable x into α and x. x α x The new variable is x. Perform an exhaustive search on α. PKC 2014 19 / 27

Exhaustive Search Coppersmith Matrices α = 0 α = 1 α = 2... α = 255 B 1 B 2... B 255 B 0... LLL-Reduced Matrices B R 0 B R 1 B R 2... B R 255 x 0... PKC 2014 20 / 27

Exhaustive Search Coppersmith Matrices α = 0 α = 1 α = 2... α = 255 B 1 B 2... B 255 B 0... Costly Costly Costly Costly LLL-Reduced Matrices B R 0 B R 1 B R 2... B R 255 x 0... PKC 2014 20 / 27

A New Exhaustive Search Scheme α = 0 α = 1 α = 2... B 0 B 1 P B 2 P... LLL-Reduced Matrices B R 0 B R 1 B R 2 PKC 2014 21 / 27

Transformation P is the Pascal Matrix Proposition The matrix B R i P is a basis for the case α = i + 1, where P = 1 1 1 1 2 1 1 3 3 1 1 4 6 4 1.......... is the Lower Triangular Pascal Matrix. Consequence on B R i P Vectors in B R i P are close to the ones of B R i. PKC 2014 22 / 27

Combining Chaining and Rounding α = 0 α = 1 α = 2... B 0 B 1 P B 2 P... LLL-Reduced Matrices B R 0 B R 1 B R 2 x 0 PKC 2014 23 / 27

Combining Chaining and Rounding Chaining and Rounding Method Create a new rounded matrix B 1 /c. Apply LLL on matrix B 1 /c : Get T 1 and B 1 /c R. Compute B1 R = T 1 B 1. B 1 /c B 1 /c LLL T 1 B 1 /c T 1 B 1 = B R 1 PKC 2014 24 / 27

Complexity of Rounding+Chaining Method Heuristic: Rounding+Chaining Method Complexity using L 2 : O(log 7 N). Remark: Same complexity as for Rounding Method alone. PKC 2014 25 / 27

Timings with Rounding and Chaining Improvements In practice, for log 2 (N) = 1024 and δ = 2 Upper bound for x 0 2 492 2 496 2 500 2 503 2 504 2 505... 2 512 Lattice Dimension 29 35 51 71 77 87... NA Original LLL (sec.) 10.6 35.2 355 2338 4432 11426... NA Rounding LLL (sec.) 1.6 3.5 18.8 94 150 436... NA Rounding + Chaining (sec.) 0.04 0.12 1.4 9.9 15.1 46.5... NA Dim 77: Speed-up of 300. PKC 2014 26 / 27

Conclusion/Perspectives Conclusion This work reduces: the complexity of performing LLL on Coppersmith matrix, the time of exhaustive search to reach Coppersmith bound. It allows to reach Coppersmith s bound. It is easy to implement. PKC 2014 27 / 27

Conclusion/Perspectives Conclusion This work reduces: the complexity of performing LLL on Coppersmith matrix, the time of exhaustive search to reach Coppersmith bound. It allows to reach Coppersmith s bound. It is easy to implement. Perspectives Generalization to the multivariate case (approximate gcd). Refine complexity for Chaining + Rounding method. PKC 2014 27 / 27

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback