
Lattice Based Attacks on RSA (2004/9/22)


1 Lattice Based Attacks on RSA

2 Outline: Lattices and Lattice reduction; Lattice Based Attacks on RSA; Hastad's Attack; Franklin-Reiter Attack; Extension to Wiener's Attack

3 Lattices and Lattice reduction: Given a set of m linearly independent vectors $\{b_1, \dots, b_m\}$ in $\mathbb{R}^n$. The set of all real linear combinations of these vectors,, is a vector subspace.

4 Gram-Schmidt process: takes one basis $\{b_1, \dots, b_m\}$ and produces a basis $\{b_1^*, \dots, b_m^*\}$ which is pairwise orthogonal. $b_1^* = b_1$

5 Example:

6 Given a set of basis vectors $\{b_1, \dots, b_m\}$ in $\mathbb{R}^n$, with $m \le n$. A lattice is the set of all integer linear combinations of the $b_i$.

7 Definition 1: A basis $\{b_1, \dots, b_m\}$ is called LLL reduced if the associated Gram-Schmidt basis $\{b_1^*, \dots, b_m^*\}$ satisfies

8 For all non-zero, we have

9 Original problem: Given a polynomial over the integers of degree d and the side information that there exists a root $x_0$ modulo N which is small, say $|x_0| < N^{1/d}$, can one efficiently find the small root $x_0$?

10 The answer is YES. Basic idea: find a polynomial s.t., and should be small

11 Lemma 2: Let of degree at most n and let X and N be positive integers. Suppose, then if $|x_0| < X$ satisfies $h(x_0) \equiv 0 \pmod{N}$ then $h(x_0) = 0$ over the integers and not just modulo N.

12 $f(x_0) \equiv 0 \pmod{N} \Rightarrow f(x_0)^k \equiv 0 \pmod{N^k}$. For some given value of m: then $g_{u,v}(x_0) \equiv 0 \pmod{N^m}$ for all $0 \le u < d$ and $0 \le v \le m$

13 We wish to find $a_{u,v}$ s.t. h satisfies

14 Example: $f(x) = x^2 + ax + b$; we wish to find an $x_0$ s.t. $f(x_0) \equiv 0 \pmod{N}$. Set m=2:

16 $\det(A) = N^6 X^{15}$
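The lattice for the m=2 example can be rebuilt and its determinant checked. This is an added example, not part of the original slides; it assumes the standard shift polynomials $g_{u,v}(x) = N^{m-v} x^u f(x)^v$ (the slide's own definition did not survive in the transcript), and the modulus, root and bound are constructed toy values.

```python
def poly_mul(p, q):
    """Multiply integer polynomials given as coefficient lists, lowest degree first."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out

def shift_polys(f, N, m):
    """g_{u,v}(x) = N^(m-v) * x^u * f(x)^v for 0 <= u < d, 0 <= v <= m (assumed form)."""
    d, fv, polys = len(f) - 1, [1], []
    for v in range(m + 1):
        for u in range(d):
            polys.append([0] * u + [N ** (m - v) * c for c in fv])
        fv = poly_mul(fv, f)
    return polys

def lattice_rows(polys, X):
    """Row i holds the coefficients of g_i(x*X), zero-padded to a square matrix."""
    n = len(polys)
    return [[c * X**k for k, c in enumerate(g)] + [0] * (n - len(g)) for g in polys]

def det(M):
    """Exact integer determinant (Bareiss fraction-free elimination)."""
    M = [row[:] for row in M]
    n, sign, prev = len(M), 1, 1
    for k in range(n - 1):
        if M[k][k] == 0:  # swap in a row with a non-zero pivot
            swap = next((i for i in range(k + 1, n) if M[i][k]), None)
            if swap is None:
                return 0
            M[k], M[swap], sign = M[swap], M[k], -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                M[i][j] = (M[i][j] * M[k][k] - M[i][k] * M[k][j]) // prev
        prev = M[k][k]
    return sign * M[-1][-1]

def evaluate(g, x):
    return sum(c * x**k for k, c in enumerate(g))

# Constructed toy instance: f(x) = x^2 + a*x + b with small root x0 modulo N.
N = 10007 * 10009
X, x0, a = 32, 17, 123456
b = (-x0 * x0 - a * x0) % N
POLYS = shift_polys([b, a, 1], N, 2)   # six polynomials, degrees 0..5
ROWS = lattice_rows(POLYS, X)          # 6 x 6 lower-triangular basis matrix
```

Every row vanishes at x0 modulo N^2, and the determinant equals N^6 X^15 because the matrix is triangular with diagonal entries N^(m-v) X^(u+dv).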

17 Theorem 3 (Coppersmith): Let be a monic polynomial of degree d. Let N be an integer. If there is some root $x_0$ of f modulo N s.t. Then one can find $x_0$ in time polynomial in log N and 1/ε, for fixed values of d.

18 Lemma 4: Let be a sum of at most w monomials, with $h(x_0, y_0) \equiv 0 \pmod{N^e}$ for some positive integers N and e, where integers $x_0$ and $y_0$ satisfy $|x_0| < X$ and $|y_0| < Y$. Then $h(x_0, y_0) = 0$ holds over the integers.

19 Hastad's Attack: Given 3 public keys $(N_i, e_i)$ with the same $e_i = 3$. If a user sent the same message to all 3 public keys => can recover the plaintext using CRT

20 User, message: m
Receiver 1 $(N_1, e)$: $c_1 = m^e \bmod N_1$
Receiver 2 $(N_2, e)$: $c_2 = m^e \bmod N_2$
Receiver 3 $(N_3, e)$: $c_3 = m^e \bmod N_3$
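The CRT step behind the broadcast scenario above, shown as an added example (not from the original slides) to make clear why unpadded e=3 encryption of one message under several keys leaks the plaintext. The moduli and message are constructed toy values built from well-known primes, not real keys.

```python
from math import prod

def crt(residues, moduli):
    """Combine c_i mod N_i into the unique x mod N_1*...*N_k (moduli pairwise coprime)."""
    N = prod(moduli)
    x = 0
    for c, n in zip(residues, moduli):
        M = N // n
        x += c * M * pow(M, -1, n)   # M * M^-1 is 1 mod n and 0 mod the other moduli
    return x % N

def iroot(n, k):
    """Largest integer r with r**k <= n, by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def recover_broadcast(ciphertexts, moduli, e=3):
    """Return m when m**e < prod(moduli), i.e. the CRT value equals m**e over the integers."""
    x = crt(ciphertexts, moduli)
    r = iroot(x, e)
    return r if r**e == x else None

# Constructed toy receivers; all primes are 2 mod 3, so e = 3 is a valid exponent.
MODULI = [
    1000000007 * 998244353,
    (2**32 - 5) * 999983,
    (2**64 - 59) * 65537,
]
M_PLAIN = int.from_bytes(b"sample", "big")           # constructed message
CIPHERTEXTS = [pow(M_PLAIN, 3, n) for n in MODULI]   # c_i = m^3 mod N_i
```

With all three ciphertexts the integer cube root of the CRT value is m; with only two, m^3 exceeds N_1 N_2 here and the same computation no longer returns m.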

21 Now we pad some user-specific data before a message m. For user i, $c_i = (i \cdot 2^h + m)^3 \pmod{N_i}$ => can still break this system using Hastad's attack

22 $g_i(m) \equiv 0 \pmod{N_i}$. Set $N = N_1 N_2 \cdots N_k$ and using CRT, we can find $t_i$ s.t. and $g(m) \equiv 0 \pmod{N}$. Using Thm 3 we can recover m in polynomial time.

23 Franklin-Reiter Attack
Bob, messages: $m_1, m_2$ with $m_2 = f(m_1) \bmod N$
Alice $(N, e)$
$c_1 = m_1^e \bmod N$
$c_2 = m_2^e \bmod N$

24 Let $g_1(x) = x^e - c_1$, $g_2(x) = f(x)^e - c_2$. Let $s(x) = \gcd(g_1(x), g_2(x))$; $m_1$ is a root of $s(x)$.
Example: $f(x) = ax + b$, $e = 3$
$g_1(x) = x^3 - c_1 = x^3 - m_1^3$
$g_2(x) = f(x)^3 - c_2 = f(x)^3 - m_2^3$
$s(x) = x - m_1$
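The gcd computation for the e=3, f(x)=ax+b example, as an added illustration that is not part of the original slides. The polynomial arithmetic is done in Z_N[x] with modular inverses of leading coefficients; the key, message and relation (N, M1, A, B) are constructed toy values.

```python
from math import comb

def trim(p, N):
    """Reduce coefficients mod N and drop leading zeros (lowest degree first)."""
    p = [c % N for c in p]
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_rem(p, q, N):
    """Remainder of p by q in Z_N[x]. pow() raises ValueError if the leading
    coefficient of q is not invertible mod N (which would expose a factor of N)."""
    p, inv = trim(p, N), pow(q[-1], -1, N)
    while len(p) >= len(q):
        factor, shift = p[-1] * inv % N, len(p) - len(q)
        for i, c in enumerate(q):
            p[shift + i] -= factor * c
        p = trim(p, N)
    return p

def poly_gcd(p, q, N):
    """Monic gcd of p and q by the Euclidean algorithm."""
    p, q = trim(p, N), trim(q, N)
    while q:
        p, q = q, poly_rem(p, q, N)
    inv = pow(p[-1], -1, N)
    return [c * inv % N for c in p]

def related_message(c1, c2, a, b, N, e=3):
    """Return m1 given c1 = m1^e and c2 = (a*m1 + b)^e mod N, or None if s(x) is not linear."""
    g1 = [-c1] + [0] * (e - 1) + [1]                       # x^e - c1
    g2 = [comb(e, i) * pow(a, i, N) * pow(b, e - i, N) for i in range(e + 1)]
    g2[0] -= c2                                            # (a*x + b)^e - c2
    s = poly_gcd(g1, g2, N)                                # expected: x - m1
    return -s[0] % N if len(s) == 2 else None

# Constructed toy key and related messages (both primes are 2 mod 3, so e = 3 is valid).
N = 1000000007 * 998244353
M1, A, B = 123456789, 5, 1234
C1, C2 = pow(M1, 3, N), pow(A * M1 + B, 3, N)
```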

25 We can append random bits to the message: $m' = 2^{n-k} m + r$. Suppose Bob sends the same message to Alice twice: $m_1 = 2^{n-k} m + r_1$, $m_2 = 2^{n-k} m + r_2$

26 The attacker sets $y_0 = r_2 - r_1$ and solves the equations $g_1(x, y) = x^e - c_1$, $g_2(x, y) = (x + y)^e - c_2$. The attacker forms the resultant $h(y)$ of $g_1$ and $g_2$ w.r.t. x.

27 $y_0 = r_2 - r_1$ is a small root of $h(y)$, which has degree $e^2$. Using Thm 3 the attacker can recover $y_0$ and then recover $m_1$ using the Franklin-Reiter Attack.

28 Extension to Wiener's Attack: $N = pq$ with $q < p < 2q$; p, q are prime. $ed \equiv 1 \pmod{\Phi}$, where d is small and Wiener's Attack works when => $ed + (k/2)\Phi = 1$ =>

29 => $ed + (k/2)\Phi = 1$ => Set

30 We can use Lemma 4 to solve the problem. This problem has a solution when $\delta \le 0.292$ => This attack works when $d < N^{0.292}$

