Public-key cryptanalysis: lattice attacks Nguyen Dinh Thuc University of Science, HCMC


Lattices (definition without bases)
A lattice of $\mathbb{Z}^n$ is a discrete subgroup of $(\mathbb{Z}^n, +)$: a non-empty $L \subseteq \mathbb{Z}^n$ is a lattice iff $x, y \in L \Rightarrow x - y \in L$.
A subgroup of a lattice is a lattice.
Examples
– $\mathbb{Z}^n$ is a lattice.
– If $a_1, \dots, a_n$ are integers, then $L = \{(x_1, \dots, x_n) \in \mathbb{Z}^n : a_1 x_1 + \dots + a_n x_n = 0\}$ is a lattice.
– If $a_1, \dots, a_n, m$ are integers, then $L = \{(x_1, \dots, x_n) \in \mathbb{Z}^n : a_1 x_1 + \dots + a_n x_n \equiv 0 \pmod m\}$ is a lattice.

Lattices (definition with generating sets)
Let $b_1, \dots, b_m \in \mathbb{Z}^n$, and let $B$ be the $m \times n$ matrix whose rows are $b_1, \dots, b_m$.
Then the set of all integer combinations of the $b_i$'s is a lattice: $L = \mathbb{Z}^m B = \{a_1 b_1 + \dots + a_m b_m : a_i \in \mathbb{Z}\}$.
$B$ is a generating set of the lattice $L$, and we say that $L$ is spanned by the $b_i$'s.
Example
– $a, b$ integers. The set $a\mathbb{Z} + b\mathbb{Z}$ of all integer combinations of $a$ and $b$ is a lattice: it is actually $\gcd(a, b)\mathbb{Z}$.

Lattices (definition with bases)
If $b_1, \dots, b_m \in \mathbb{Z}^n$ are linearly independent, they span a lattice $L$, and every lattice is of this type: every lattice has a basis.
The $m \times n$ matrix $B$ formed by the $b_i$'s is such that $\operatorname{Gram}(B) = \det(B B^T) > 0$.
The matrix $B$ is a basis of $L$. There are infinitely many bases as soon as $m \ge 2$: $UB$ is another basis of $L$ for every $m \times m$ unimodular matrix $U$ (integer entries, determinant $\pm 1$).
The dimension (rank) of $L$ is $m$.

Lattice volume
Let $L$ be a lattice in $\mathbb{Z}^n$ with basis $B$ (definition with bases). The volume of $L$ is $\operatorname{vol}(L) = \sqrt{\operatorname{Gram}(B)}$, where $\operatorname{Gram}(B) = \det(B B^T)$; it does not depend on the choice of the basis.
Examples
– $a, b$ integers. The set of all integer linear combinations of $a$ and $b$ is a lattice; its volume is $\gcd(a, b)$.
– $a_1, \dots, a_n, m$ integers. $L = \{(x_1, \dots, x_n) \in \mathbb{Z}^n : a_1 x_1 + \dots + a_n x_n \equiv 0 \pmod m\}$ is a lattice, and $\operatorname{vol}(L) = m / \gcd(a_1, \dots, a_n, m)$.

Successive minima
Let $L$ be an $m$-dimensional lattice in $\mathbb{Z}^n$. For all $1 \le k \le m$, the $k$-th minimum $\lambda_k(L)$ is the smallest $r > 0$ such that there exist $k$ linearly independent vectors of $L$ with norm $\le r$.
A shortest non-zero vector of $L$ has norm $\lambda_1(L)$.
Theorem [Minkowski]: $\lambda_1(L) \le \sqrt{m}\,\operatorname{vol}(L)^{1/m}$.
If $L$ is random, one expects that $\lambda_k(L) = O(\sqrt{m})\,\operatorname{vol}(L)^{1/m}$ for every $k$, and that a reduced basis satisfies $\|b_i\| = O(\lambda_i(L))$.
H. Minkowski, Geometrie der Zahlen, Teubner-Verlag, Leipzig, 1896.

Lattice problems
Let $L$ be an $m$-dimensional lattice in $\mathbb{Z}^n$ given by a random basis.
Shortest Vector Problem (SVP). Find $x \in L$ such that $\|x\| = \lambda_1(L)$; or, in the approximate version, $\|x\| = O(\operatorname{vol}(L)^{1/m})$.
Lattice reduction. Find a basis $(b_1, \dots, b_m)$ of $L$ whose norms are not far from the $\lambda_i(L)$'s.
Closest Vector Problem (CVP). Given $t$ in the linear span of $L$, find $x \in L$ minimizing $\|x - t\|$; or, in the approximate version, $\|x - t\|$ close to $\operatorname{vol}(L)^{1/m}$.

Reduction notions
The goal of lattice (basis) reduction is to prove the existence of nice bases in every lattice, and to compute them efficiently. Such nice bases are called reduced.
Two important notions:
– Hermite-Korkine-Zolotarev reduction (HKZ): the strongest notion ($\|b_1\| = \lambda_1(L)$), but the best known algorithms take time exponential in the dimension.
– Lenstra-Lenstra-Lovász reduction (LLL): weaker, but computable in polynomial time; the provable guarantee is $\|b_1\| \le 2^{(m-1)/4}\operatorname{vol}(L)^{1/m}$, while in practice LLL typically finds $\|b_1\| \approx 1.02^m \operatorname{vol}(L)^{1/m}$.
G. Hanrot and D. Stehlé, Improved analysis of Kannan's shortest lattice vector algorithm, Advances in Cryptology, Proc. CRYPTO 2007, LNCS vol. 4622, Springer, 2007.
A.K. Lenstra, H.W. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen 261 (1982).

Low-dimensional attacks: underlying problem
Problem: $a_1 x_1 + \dots + a_n x_n \equiv b \pmod M$, where
– the unknown integers $x_i$ are small,
– $a_1, \dots, a_n, b, M \in \mathbb{Z}$ are known.
If $n$ is small, lattice reduction can efficiently find a solution $(x_1, \dots, x_n) \in \mathbb{Z}^n$:
– $b \equiv 0 \pmod M$: finding a very short lattice vector (SVP),
– $b \not\equiv 0 \pmod M$: finding a very close lattice vector (CVP).
If there exists $(x_1, \dots, x_n) \in \mathbb{Z}^n$ such that $|x_1| \cdots |x_n| \ll M$, then
– $b \equiv 0 \pmod M$: there exists an exceptionally short vector in a certain lattice,
– $b \not\equiv 0 \pmod M$: there exists a vector in a certain lattice which is unusually close to a certain target vector.

Low-dimensional attacks: RSA with small secret exponent
Assume that $d$ is chosen small (to accelerate signature generation) and that $e = O(N)$. If $p$ and $q$ are balanced, then $\varphi(N) = N + O(\sqrt N)$.
Since $ed \equiv 1 \pmod{\varphi(N)}$, $ed = 1 + k\varphi(N)$ for some $k = O(d)$, so $ed = 1 + k(N + O(\sqrt N))$ and $ed - kN = O(d\sqrt N)$.
Consider the 2-dimensional lattice $L$ spanned by the rows of $\begin{pmatrix} e & \sqrt N \\ N & 0 \end{pmatrix}$. Then $L \ni t = d \cdot (\text{1st row}) - k \cdot (\text{2nd row}) = (ed - kN,\ d\sqrt N)$, whose norm is $\approx d\sqrt N$, while $\operatorname{vol}(L)^{1/2} \approx N^{3/4}$.
So $t$ is expected to be the shortest vector of $L$ if $d \ll N^{1/4}$: a 2-dimensional reduction (Gauss/Lagrange) returns $\pm t$, and $d$ is read off its second coordinate. In practice $\sqrt N$ is replaced by its integer part.
M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3.

Low-dimensional attacks: RSA signatures with constant-based padding
Signing protocol: a constant $P$ defines the padding. To sign a message $m$ with $m \le M \ll N$, compute $s = (P + m)^d \bmod N$; verification checks $s^e \equiv P + m \pmod N$.
Attack: assume $s_i = (P + m_i)^d \bmod N$ for $i = 1, 2, 3$. Then $s_1 \equiv s_2 s_3 \pmod N$ iff $P + m_1 \equiv (P + m_2)(P + m_3) \pmod N$, a congruence whose unknowns $m_1, m_2, m_3$ are all small: a valid signature $s_1$ on $m_1$ is forged from signatures on $m_2$ and $m_3$.
Consider the rank-2 lattice $L = \{(x, y) \in \mathbb{Z}^2 : x - \alpha y \equiv 0 \pmod N\}$, where the integer $\alpha$ is derived from this congruence (from the known values $P$ and $N$); $\{(\alpha, 1), (N, 0)\}$ is a basis of $L$ and $\operatorname{vol}(L) = N$.
Find $u = (u_1, u_2) \in L$ whose distance to the target $t = (\beta, 0)$ (with $\beta$ likewise derived from $P$ and $N$) is $\le \operatorname{vol}(L)^{1/2} = \sqrt N$; then $m_1 = \beta - u_1$ and $m_2 = -u_2$.
E. Brier, C. Clavier, J.-S. Coron, and D. Naccache, Cryptanalysis of RSA signatures with fixed-pattern padding, Advances in Cryptology, Proc. CRYPTO 2001, LNCS vol. 2139, Springer, 2001.

Low-dimensional attacks: ElGamal signatures
ElGamal signatures in GnuPG (v1.2.3): select a random $k$ with $k < p^{3/8}$ and $\gcd(k, p - 1) = 1$; the signature of $m$ is $(a, b)$ where $a = g^k \bmod p$ and $b = (m - ax)k^{-1} \bmod (p - 1)$. The private key $x$ was also generated small, of the same size as $k$.
Given $(a, b)$: $b \equiv (m - ax)k^{-1} \pmod{p - 1}$, so $bk + ax \equiv m \pmod{p - 1}$, a linear congruence in the two small unknowns $k$ and $x$.
Consider the rank-2 lattice $L = \{(\alpha, \beta) \in \mathbb{Z}^2 : b\alpha + a\beta \equiv 0 \pmod{p - 1}\}$; $\operatorname{vol}(L) = (p - 1)/\gcd(a, b, p - 1) \approx p$.
Find $u_1, u_2 \in \mathbb{Z}$ with $bu_1 + au_2 \equiv m \pmod{p - 1}$, and solve CVP: $t = (u_1 - k, u_2 - x) \in L$ is close to $u = (u_1, u_2)$ (at distance $\approx p^{3/8} \ll \sqrt{\operatorname{vol}(L)}$), so CVP returns $t$ and $(k, x) = u - t$. One signature is enough to recover the private key.
P.Q. Nguyen, Can we trust cryptographic software? Cryptographic flaws in GNU Privacy Guard v1.2.3, Advances in Cryptology, Proc. EUROCRYPT 2004, LNCS vol. 3027, Springer, 2004.
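Both this attack and Wiener's attack on the small-exponent slide above reduce to a rank-2 lattice problem, so they can be carried out with exact integer arithmetic and no lattice library. The Python code below is an added example, not part of these slides and not GnuPG's code: it implements Gauss/Lagrange reduction, Babai's nearest-plane CVP, a basis of the congruence lattice $\{(\alpha, \beta) : b\alpha + a\beta \equiv 0 \pmod M\}$ (whose volume is the one given on the volume slide), Wiener's attack, and the GnuPG ElGamal key recovery. The RSA primes $2^{61}-1$ and $2^{64}-59$, the small exponent $d = 65537$, the ElGamal prime, generator, private key, nonce and message hash are all constructed for the demo and are not real keys.

```python
# Added example, not from the slides or from GnuPG: Wiener's attack (an SVP in rank 2,
# solved by Gauss/Lagrange reduction) and the GnuPG ElGamal key recovery (a CVP in
# rank 2, solved by Babai's nearest plane). All keys and messages are constructed.
from fractions import Fraction
from math import gcd, isqrt

def egcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1, t0, t1 = s1, s0 - q * s1, t1, t0 - q * t1
    return a, s0, t0

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def gauss_reduce(u, v):
    """Lagrange/Gauss reduction: (b1, b2) with ||b1|| = lambda_1(L) and ||b2|| = lambda_2(L)."""
    u, v = list(u), list(v)
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        uu = dot(u, u)
        m = (2 * dot(u, v) + uu) // (2 * uu)       # round(<u,v>/<u,u>) in exact integers
        v = [vi - m * ui for vi, ui in zip(v, u)]
        if dot(v, v) >= uu:
            return u, v
        u, v = v, u

def nearest_plane(b1, b2, t):
    """Babai's nearest plane on a Gauss-reduced basis: returns the lattice vector closest
    to t whenever that vector is within min(||b1||, ||b2*||)/2 of t."""
    mu = Fraction(dot(b2, b1), dot(b1, b1))
    b2s = [Fraction(x) - mu * y for x, y in zip(b2, b1)]   # Gram-Schmidt vector b2*
    c2 = round(dot(t, b2s) / dot(b2s, b2s))
    t1 = [x - c2 * y for x, y in zip(t, b2)]
    c1 = round(Fraction(dot(t1, b1), dot(b1, b1)))
    return [c1 * x + c2 * y for x, y in zip(b1, b2)]

def wiener(N, e):
    """Recover a small RSA private exponent d (d << N^(1/4)) from the public key (N, e)."""
    s = isqrt(N)                                  # integer stand-in for sqrt(N)
    b1, _ = gauss_reduce((e, s), (N, 0))          # rows of the slide's 2x2 matrix
    return abs(b1[1]) // s                        # b1 = +-(e*d - k*N, d*s)

def congruence_lattice_basis(b, a, M):
    """Basis of L = {(alpha, beta) in Z^2 : b*alpha + a*beta = 0 mod M}; vol(L) = M/gcd(a, b, M)."""
    g = gcd(a, M)
    a1, M1 = a // g, M // g                       # gcd(a1, M1) == 1
    e = gcd(b, g)
    b1, g1 = b // e, g // e                       # alpha has to be a multiple of g1
    return (g1, (-b1 * pow(a1, -1, M1)) % M1), (0, M1)

def particular_solution(b, a, m, M):
    """Some (u1, u2) with b*u1 + a*u2 = m mod M (requires gcd(a, b, M) | m)."""
    g1, s, _ = egcd(b, M)                         # s*b = g1 (mod M)
    g2, s2, t2 = egcd(a, g1)                      # s2*a + t2*g1 = g2 = gcd(a, b, M)
    if m % g2:
        raise ValueError("no solution")
    q = m // g2
    return (t2 * s * q) % M, (s2 * q) % M

def elgamal_sign(p, g, x, k, m):
    a = pow(g, k, p)
    return a, (m - a * x) * pow(k, -1, p - 1) % (p - 1)

def elgamal_verify(p, g, y, m, sig):
    a, b = sig
    return 0 < a < p and pow(g, m, p) == pow(y, a, p) * pow(a, b, p) % p

def recover_elgamal_key(p, a, b, m):
    """From one signature (a, b) on m made with a small nonce k and small key x, recover (k, x)."""
    M = p - 1
    b1, b2 = gauss_reduce(*congruence_lattice_basis(b, a, M))
    u = particular_solution(b, a, m, M)           # b*u1 + a*u2 = m, so u - (k, x) lies in L
    t = nearest_plane(b1, b2, u)                  # the lattice vector closest to u
    return u[0] - t[0], u[1] - t[1]

# constructed demo parameters
P_RSA, Q_RSA = 2**61 - 1, 2**64 - 59              # both prime; N ~ 2^125, N^(1/4) ~ 2^31
N_RSA = P_RSA * Q_RSA
D_SMALL = 65537                                   # d << N^(1/4)
E_RSA = pow(D_SMALL, -1, (P_RSA - 1) * (Q_RSA - 1))
P_EG, G_EG = 2**61 - 1, 3                         # p prime; p^(3/8) ~ 2^22.9
X_EG, K_EG = 777777, 1000003                      # small private key and small nonce
Y_EG = pow(G_EG, X_EG, P_EG)
M_EG = 0x1234567890ABCDEF                         # hash of the signed message
SIG_EG = elgamal_sign(P_EG, G_EG, X_EG, K_EG, M_EG)

if __name__ == "__main__":
    print("Wiener recovers d =", wiener(N_RSA, E_RSA))
    print("GnuPG ElGamal recovers (k, x) =", recover_elgamal_key(P_EG, *SIG_EG, M_EG))
```

The Wiener half works because $(ed - kN, d\sqrt N)$ is provably the shortest vector once $d\sqrt N \ll N^{3/4}$ (any independent lattice vector has norm at least $\operatorname{vol}(L)/\|t\|$), so Gauss reduction returns it exactly. The ElGamal half works because $u - (k, x)$ lies in $L$ at distance about $p^{3/8}$ from $u$, far below $\sqrt{\operatorname{vol}(L)} \approx \sqrt p$, which is precisely the regime in which nearest plane on a Gauss-reduced basis returns the closest vector. Since only rank-2 integer arithmetic is involved, the same code runs unchanged on 1024-bit or 2048-bit parameters.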

Polynomial attacks: univariate modular equation
Consider RSA encryption with a small $e$. Assume that $m$ is of the form $m = m_0 + 2^k s$, where $m_0, k, s \in \mathbb{Z}^+$, but only $s$ is secret (a stereotyped message: known padding $m_0$, unknown part $s$).
$c = m^e \bmod N = (m_0 + 2^k s)^e \bmod N$, which after division by a suitable power of 2 (modulo $N$) can be rewritten as $P(s) \equiv 0 \pmod N$, where $P(x) \in \mathbb{Z}[x]$ is a monic polynomial of degree $e$ whose coefficients can be derived from $c, k, m_0$ and $N$.
Theorem [Coppersmith]. Let $P(x) \in \mathbb{Z}[x]$ be a monic polynomial of degree $\delta$ in one variable, and let $N$ be an integer of unknown factorization. Then one can find in time polynomial in $(\log N, \delta)$ all integers $x_0$ such that $P(x_0) \equiv 0 \pmod N$ and $|x_0| \le N^{1/\delta}$.
So for $e = 3$ the unknown part $s$ is recovered as soon as $|s| \le N^{1/3}$, i.e. whenever at most a third of the bits of $m$ are unknown.
D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptology 10 (1997), no. 4.

Polynomial attacks: gcd generalization
Theorem. Let $P(x) \in \mathbb{Z}[x]$ be a monic polynomial of degree $\delta$ in one variable, and let $N$ be an integer of unknown factorization. Let $\alpha \in \mathbb{Q}$ with $0 \le \alpha \le 1$. Then one can find in time polynomial in $(\log N, \delta)$ and the bit-size of $\alpha$ all integers $x_0$ such that $\gcd(P(x_0), N) \ge N^{\alpha}$ and $|x_0| \le N^{\alpha^2/\delta}$.
Factoring with a hint. Given $N = pq$ and $p_0$ with $p = p_0 + \Delta$, $0 \le \Delta < N^{1/4}$: consider $P(x) = p_0 + x$, so that $\gcd(P(\Delta), N) = p > N^{1/2}$ ($\alpha = 1/2$, $\delta = 1$), and $\Delta$ is found as soon as $\Delta \le N^{1/4}$: half of the bits of $p$ suffice to factor $N$.
Factoring $N = p^r q$. Assume $r$ is large; $p, q$ need not be prime and $p = p_0 + \Delta$. Consider $P(x) = (p_0 + x)^r$, so that $\gcd(P(\Delta), N) = p^r$. If $p$ and $q$ have the same size, $p^r \approx N^{r/(r+1)}$, so $\Delta$ up to $N^{r/(r+1)^2} = p^{r/(r+1)}$ is found: only a $1/(r+1)$ fraction of the bits of $p$ is needed.

Conclusion
Consider a linear congruence $a_1 x_1 + \dots + a_n x_n \equiv b \pmod m$.
If $n$ is small, then we can find a solution such that $x_i = O(m^{1/n})$.
If there is a solution such that $|x_1| \cdots |x_n|$ is much smaller than $m$, then it can probably be recovered in practice.