
Public-key cryptanalysis: lattice attacks Nguyen Dinh Thuc University of Science, HCMC




1 Public-key cryptanalysis: lattice attacks
Nguyen Dinh Thuc, University of Science, HCMC
ndthuc@fit.hcmus.edu.vn

2 Lattices (definition without bases)
A lattice of $\mathbb{Z}^n$ is a discrete subgroup of $(\mathbb{Z}^n,+)$: a set $\emptyset \neq L \subseteq \mathbb{Z}^n$ is called a lattice if $x, y \in L \Rightarrow x - y \in L$.
A subgroup of a lattice is a lattice.
Examples
– $\mathbb{Z}^n$ is a lattice.
– $a_1,\dots,a_n$ integers; then $L=\{(x_1,\dots,x_n)\in\mathbb{Z}^n : a_1x_1+\dots+a_nx_n=0\}$ is a lattice.
– $a_1,\dots,a_n, m$ integers; then $L=\{(x_1,\dots,x_n)\in\mathbb{Z}^n : a_1x_1+\dots+a_nx_n\equiv 0\ [\mathrm{mod}\ m]\}$ is a lattice.

3 Lattices (definition with generating sets)
Let $b_1,\dots,b_m \in \mathbb{Z}^n$, and let $B$ be the $m \times n$ matrix whose rows are $b_1,\dots,b_m$. Then the set of all integer combinations of the $b_i$'s is a lattice: $L = \mathbb{Z}^m B = \{a_1b_1+\dots+a_mb_m : a_i \in \mathbb{Z}\}$.
$B$ is a generating set of the lattice $L$, and we say $L$ is spanned by the $b_i$'s.
Examples
– $a, b$ integers. The set $a\mathbb{Z}+b\mathbb{Z}$ of all integer combinations of $a$ and $b$ is a lattice: it is actually $\gcd(a,b)\mathbb{Z}$.

4 Lattices (definition with bases)
If $b_1,\dots,b_m \in \mathbb{Z}^n$ are linearly independent, they span a lattice $L$, and all lattices are of this type.
The $m \times n$ matrix $B$ formed by the $b_i$'s is such that $\mathrm{Gram}(B)=\det(BB^T)>0$. The matrix $B$ is a basis of $L$.
There are infinitely many bases.
The dimension of $L$ is $m$.

5 Lattice volume
Let $L$ be a lattice in $\mathbb{Z}^n$. Using the definition with bases, the volume of $L$ is $\mathrm{vol}(L)=\sqrt{\mathrm{Gram}(B)}$, where $\mathrm{Gram}(B)=\det(BB^T)$.
Examples
– $a, b$ integers. The set of all integer linear combinations of $a$ and $b$ is a lattice. Its volume is $\gcd(a,b)$.
– $a_1,\dots,a_n, m$ integers. $L=\{(x_1,\dots,x_n)\in\mathbb{Z}^n : a_1x_1+\dots+a_nx_n\equiv 0\ [\mathrm{mod}\ m]\}$ is a lattice, and $\mathrm{vol}(L)=m/\gcd(a_1,\dots,a_n,m)$.

6 Successive minima
Let $L$ be an $m$-dimensional lattice in $\mathbb{Z}^n$. For all $1 \le k \le m$, the $k$-th minimum $\lambda_k(L)$ is the smallest $r>0$ such that there exist $k$ linearly independent vectors of $L$ with norm $\le r$.
A shortest non-zero vector of $L$ has norm $\lambda_1(L)$.
Theorem [Minkowski]: $\lambda_1(L) \le \sqrt{m}\,\mathrm{vol}(L)^{1/m}$.
If $L$ is random, one expects that $\lambda_k(L)=O(\sqrt{m})\,\mathrm{vol}(L)^{1/m}$ and that a reduced basis satisfies $\|b_i\|=O(\lambda_i(L))$.
H. Minkowski, Geometrie der Zahlen, Teubner-Verlag, Leipzig, 1896

7 Lattice problems
Let $L$ be an $m$-dimensional lattice in $\mathbb{Z}^n$ given by a random basis.
Shortest Vector Problem – SVP. Find $x \in L$ such that $\|x\|=\lambda_1(L)$; or $\|x\|=O(\mathrm{vol}(L)^{1/m})$.
Lattice Reduction. Find a basis not far from the $\lambda_i(L)$'s.
Closest Vector Problem – CVP. Given $t$ in the linear span of $L$, find $x \in L$ minimizing $\|x-t\|$; or $\|x-t\|$ close to $\mathrm{vol}(L)^{1/m}$.

8 Reduction notions
The goal of lattice (basis) reduction is to prove the existence of nice lattice bases in every lattice. Such nice bases are called reduced.
Two important notions:
– Hermite-Korkine-Zolotarev reduction – HKZ notion
– Lenstra-Lenstra-Lovász reduction – LLL notion
G. Hanrot and D. Stehlé, Improved analysis of Kannan's shortest lattice vector algorithm, Advances in Cryptology, Proc. CRYPTO 2007, LNCS, vol. 4622, Springer, 2007, pp. 170-186.
A. K. Lenstra, H. W. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Ann. 26 (1982), 513-534

9 Low-dimensional attacks: underlying problem
Problem: $a_1x_1+\dots+a_nx_n \equiv b\ [\mathrm{mod}\ M]$, where
– the unknown integers $x_i$ are small;
– $a_1,\dots,a_n, b, M \in \mathbb{Z}$ are known.
If $n$ is small, lattice reduction can efficiently find a solution $(x_1,\dots,x_n)\in\mathbb{Z}^n$:
– $b \equiv 0\ [\mathrm{mod}\ M]$ $\Rightarrow$ finding a very short lattice vector
– $b \not\equiv 0\ [\mathrm{mod}\ M]$ $\Rightarrow$ finding a very close lattice vector
If there exists $(x_1,\dots,x_n)\in\mathbb{Z}^n$ such that $|x_1|\cdots|x_n| < M$:
– $b \equiv 0\ [\mathrm{mod}\ M]$ $\Rightarrow$ there exists an exceptionally short vector in a certain lattice
– $b \not\equiv 0\ [\mathrm{mod}\ M]$ $\Rightarrow$ there exists a vector in a certain lattice which is unusually close to a certain target vector

10 Low-dimensional attacks: RSA with small secret exponent
Assume that $d$ is chosen small (to accelerate signature generation), and $e=O(N)$.
If $p$ and $q$ are balanced, then $\varphi(N)=N+O(\sqrt{N})$.
Since $ed \equiv 1\ [\mathrm{mod}\ \varphi(N)]$, for some $k=O(d)$ we have $ed=1+k(N+O(\sqrt{N}))$, hence $ed-kN=O(d\sqrt{N})$.
Consider the 2-dimensional lattice $L$ spanned by the rows of $\{(e,\sqrt{N}),(N,0)\}$. Then $L \ni t = d\cdot(\text{1st row}) - k\cdot(\text{2nd row}) = (ed-kN,\ d\sqrt{N})$, whose norm is $\approx d\sqrt{N}$, while $\mathrm{vol}(L)^{1/2}\approx N^{3/4}$.
$\Rightarrow$ $t$ is expected to be the shortest vector of $L$ if $d < N^{1/4}$.
M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553-558

11 Low-dimensional attacks: RSA signatures with constant-based padding
Signing protocol: there is a constant $P$ defining the padding; a message $m$ to sign satisfies $m \le M \ll N$; the signature is $s=(P+m)^d\ [\mathrm{mod}\ N]$; checking: $s^e \equiv P+m\ [\mathrm{mod}\ N]$.
Attack: assume $s_i=(P+m_i)^d\ [\mathrm{mod}\ N]$ $(i=1,2,3)$ with $s_1 \equiv s_2 s_3 \Leftrightarrow (P+m_1)\equiv(P+m_2)(P+m_3)$.
Consider the 2-rank lattice $L$ of $(x,y)\in\mathbb{Z}^2$ with $x-\alpha y\equiv 0\ [\mathrm{mod}\ N]$, where $\alpha$ is the integer coefficient obtained from the relation above (expressed in $m_1 - m_2$); then $\{(\alpha,1),(N,0)\}$ is a basis of $L$.
$\Rightarrow$ find $u=(u_1,u_2)$ whose distance to $t=(\beta,0)$ is $\approx \mathrm{vol}(L)^{1/2}\approx\sqrt{N}$, where $\beta$ is the constant term of the same relation $\Rightarrow$ $m_1=\beta-u_1$, $m_2=-u_2$.
E. Brier, C. Clavier, J.-S. Coron, and D. Naccache, Cryptanalysis of RSA signatures with fixed-pattern padding, Proc. CRYPTO 2001, LNCS, vol. 2139, IACR, Springer-Verlag, 2001, pp. 433-439

12 Low-dimensional attacks: ElGamal signature
ElGamal signature in GnuPG: select a random $k$ with $k<p^{3/8}$ and $\gcd(k,p-1)=1$ $\Rightarrow$ the signature is $(a,b)$ where $a=g^k \bmod p$ and $b=(m-ax)k^{-1} \bmod (p-1)$.
Given $(a,b)$: $b\equiv(m-ax)k^{-1}\ [\mathrm{mod}\ p-1]$ $\Rightarrow$ $bk+ax\equiv m\ [\mathrm{mod}\ p-1]$.
Consider the 2-rank lattice $L$ of $(\lambda,\mu)\in\mathbb{Z}^2$ with $b\lambda+a\mu\equiv 0\ [\mathrm{mod}\ p-1]$ $\Rightarrow$ $\mathrm{vol}(L)=(p-1)/\gcd(a,b,p-1)\approx p$.
Find $u_1,u_2\in\mathbb{Z}$ with $bu_1+au_2\equiv m\ [\mathrm{mod}\ p-1]$ and solve CVP: $t=(u_1-k,\ u_2-x)\in L$ is close to $u=(u_1,u_2)$.
P. Q. Nguyen, Can we trust cryptographic software? Cryptographic flaws in GNU Privacy Guard v1.2.3, Advances in Cryptology – Proc. EUROCRYPT 2004, LNCS, vol. 3207, Springer, 2004, pp. 555-570
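The following is an added example, not code from the slides. It serves slides 6 and 7 (shortest vector, Minkowski's bound, SVP and CVP in dimension 2), slide 10 (the Wiener lattice) and slide 12 (the GnuPG ElGamal lattice) with one shared toolkit. Gauss (Lagrange) reduction stands in for LLL, which is exact in dimension 2; Babai's nearest-plane procedure stands in for the CVP step; `isqrt(N)` replaces $\sqrt{N}$. The primes $2^{127}-1$, $2^{130}-5$ and $2^{89}-1$, the exponent $d=2^{31}-1$, the nonce, secret key and message hash are all constructed toy parameters. The ElGamal part assumes the secret key $x$ is small as well, since the slide's target vector $(u_1-k, u_2-x)$ is only close to $u$ when both $k$ and $x$ are short; `key_is_wiener_safe` is the check a key generator would apply against slide 10's condition.

```python
"""Added example (not from the slides): 2-dimensional lattice toolkit plus toy
instances of slide 10 (Wiener, small d) and slide 12 (GnuPG ElGamal, small k).
All parameters are constructed for illustration."""
from fractions import Fraction
from math import gcd, isqrt

def _dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def gauss_reduce(b1, b2):
    """Lagrange/Gauss reduction: basis of the same lattice with ||b1|| = lambda_1."""
    b1, b2 = tuple(b1), tuple(b2)
    if _dot(b1, b1) > _dot(b2, b2):
        b1, b2 = b2, b1
    while True:
        mu = round(Fraction(_dot(b1, b2), _dot(b1, b1)))   # nearest integer
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])       # size-reduce b2
        if _dot(b1, b1) <= _dot(b2, b2):
            return b1, b2
        b1, b2 = b2, b1

def lattice_volume(b1, b2):
    """vol(L) = sqrt(det(B B^T)) = |det B| for a 2x2 basis (slide 5)."""
    return abs(b1[0] * b2[1] - b1[1] * b2[0])

def minkowski_holds(b1, b2):
    """Slide 6 with m = 2: lambda_1^2 <= 2 vol(L); b1 must be Gauss-reduced."""
    return _dot(b1, b1) <= 2 * lattice_volume(b1, b2)

def babai_nearest_plane(b1, b2, t):
    """Closest lattice vector to t; exact while dist(t, L) < min ||b_i*|| / 2."""
    mu = Fraction(_dot(b2, b1), _dot(b1, b1))
    b2s = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])          # Gram-Schmidt b2*
    c2 = round(_dot(t, b2s) / _dot(b2s, b2s))
    t1 = (t[0] - c2 * b2[0], t[1] - c2 * b2[1])
    c1 = round(Fraction(_dot(t1, b1), _dot(b1, b1)))
    return (c1 * b1[0] + c2 * b2[0], c1 * b1[1] + c2 * b2[1])

def egcd(a, b):
    """Extended Euclid for a, b >= 0: (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1, t0, t1 = s1, s0 - q * s1, t1, t0 - q * t1
    return a, s0, t0

def modular_kernel_basis(b, a, M):
    """Basis of L = {(l, m) : b*l + a*m == 0 (mod M)} (slide 12).  With
    s*b + t*a = d0, the vectors (s, t) and (a/d0, -b/d0) form a basis of Z^2, so
    L is generated by (M/gcd(d0, M))*(s, t) and (a/d0, -b/d0): vol(L) = M/gcd(a, b, M)."""
    d0, s, t = egcd(b, a)
    c = M // gcd(d0, M)
    return (c * s, c * t), (a // d0, -(b // d0))

def particular_solution(b, a, target, M):
    """Some (l, m) with b*l + a*m == target (mod M); needs gcd(a, b, M) | target."""
    d0, s, t = egcd(b, a)
    g = gcd(d0, M)
    assert target % g == 0, "no solution"
    c = (target // g) * pow(d0 // g, -1, M // g) % (M // g)
    return c * s, c * t

def wiener_lattice_recover(N, e):
    """Slide 10: reduce rows (e, sqrt N), (N, 0).  If d < N^(1/4) the shortest
    vector is +-(ed - kN, d*sqrt N) and d is read off its second coordinate."""
    r = isqrt(N)
    b1, _ = gauss_reduce((e, r), (N, 0))
    d = abs(b1[1]) // r
    return d if d and pow(pow(2, e, N), d, N) == 2 else None   # confirm (e, d)

def key_is_wiener_safe(N, d):
    """Key-generation check against slide 10: reject d below N^(1/4)."""
    return d > isqrt(isqrt(N))

def toy_rsa_small_d():
    """Constructed weak key: known primes, d = 2^31 - 1 far below N^(1/4) ~ 2^64."""
    p, q = 2**127 - 1, 2**130 - 5
    N, phi, d = p * q, (p - 1) * (q - 1), 2**31 - 1
    return N, pow(d, -1, phi), d

def elgamal_small_k_recover(p, a, b, m):
    """Slide 12: L has volume ~p while (u1 - k, u2 - x) in L is only ~p^(3/8)
    from the particular solution u, so CVP returns it and (k, x) = u - closest."""
    M = p - 1
    u = particular_solution(b, a, m, M)
    b1, b2 = gauss_reduce(*modular_kernel_basis(b, a, M))
    c = babai_nearest_plane(b1, b2, u)
    return u[0] - c[0], u[1] - c[1]

P_EG, G_EG = 2**89 - 1, 3          # constructed toy group (Mersenne prime modulus)
K_NONCE = 2**31 - 1                # < p^(3/8) ~ 2^33, the GnuPG choice of slide 12
X_SECRET = 1000000007              # assumed small too, so (k, x) is a short vector
M_HASH = 0x1234567890ABCDEF0123    # constructed message hash

def toy_elgamal_signature():
    """(a, b) on M_HASH with the small nonce, exactly as on slide 12."""
    a = pow(G_EG, K_NONCE, P_EG)
    b = (M_HASH - a * X_SECRET) * pow(K_NONCE, -1, P_EG - 1) % (P_EG - 1)
    return a, b

if __name__ == "__main__":
    N, e, d = toy_rsa_small_d()
    print("Wiener-safe:", key_is_wiener_safe(N, d), " d recovered:", wiener_lattice_recover(N, e) == d)
    a, b = toy_elgamal_signature()
    print("(k, x) recovered:", elgamal_small_k_recover(P_EG, a, b, M_HASH) == (K_NONCE, X_SECRET))
```

Both toy instances succeed because the hidden vector is far shorter than $\mathrm{vol}(L)^{1/2}$, which is exactly the condition slides 9 and 10 state; raising $d$ above $N^{1/4}$, or using full-size $k$ and $x$, pushes the target past the lattice's typical $\lambda_1$ and the reduced basis no longer reveals it.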

13 Polynomial attacks: univariate modular equation
Consider RSA encryption with a small $e$. Assume that $m$ is of the form $m=m_0+2^k s$, where $m_0,k,s\in\mathbb{Z}^+$, but only $s$ is secret.
$c = m^e \bmod N = (m_0+2^k s)^e \bmod N$, which after division by a suitable power of 2 can be rewritten as $P(s)\equiv 0\ [\mathrm{mod}\ N]$, where $P(x)\in\mathbb{Z}[x]$ is a monic polynomial of degree $e$ whose coefficients can be derived from $c, k, m_0$.
Theorem. Let $P(x)\in\mathbb{Z}[x]$ be a monic polynomial of degree $\delta$ in one variable, and let $N$ be an integer of unknown factorization. Then one can find in time polynomial in $(\log N, \delta)$ all integers $x_0$ such that $P(x_0)\equiv 0\ [\mathrm{mod}\ N]$ and $|x_0|\le N^{1/\delta}$.
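As an added example (not from the slides), the reduction step of slide 13 carried out explicitly: expanding $(m_0+2^k x)^e - c$ by the binomial theorem and multiplying by $2^{-ke} \bmod N$ (which exists because $N$ is odd) yields the monic polynomial $P$ whose root is the secret $s$. The RSA parameters are a constructed toy instance; the lattice root-finding step of the theorem itself is not shown, only the polynomial it is applied to and the size condition $|x_0| \le N^{1/\delta}$ it needs.

```python
"""Added example (not from the slides): build the monic polynomial P of slide 13
from c, e, k, m0 and check that the secret s is a root modulo N.
Toy RSA parameters below are constructed for illustration."""
from math import comb

def monic_modular_polynomial(c, e, k, m0, N):
    """Coefficients [a_0, ..., a_e] (low degree first) of
    P(x) = 2^(-ke) * ((m0 + 2^k x)^e - c) mod N; a_e == 1 because N is odd."""
    inv2ke = pow(2, -k * e, N)                     # 2^(-ke) mod N
    coeffs = []
    for i in range(e + 1):
        # binomial term C(e,i) * m0^(e-i) * 2^(k i) * x^i, scaled by 2^(-ke)
        a_i = comb(e, i) * pow(m0, e - i, N) * pow(2, k * i, N) * inv2ke % N
        coeffs.append(a_i)
    coeffs[0] = (coeffs[0] - c * inv2ke) % N       # subtract the ciphertext
    return coeffs

def evaluate_mod(coeffs, x, N):
    """Horner evaluation of the polynomial at x modulo N."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % N
    return acc

def root_within_bound(x0, delta, N):
    """The theorem's size condition |x0| <= N^(1/delta), tested without floats."""
    return abs(x0) ** delta <= N

def toy_instance():
    """Constructed instance: N = 61*53, e = 3, m = m0 + 2^k s with s secret."""
    N, e, k, m0, s = 3233, 3, 4, 9, 7
    c = pow(m0 + 2**k * s, e, N)
    return {"N": N, "e": e, "k": k, "m0": m0, "s": s, "c": c}

if __name__ == "__main__":
    t = toy_instance()
    P = monic_modular_polynomial(t["c"], t["e"], t["k"], t["m0"], t["N"])
    print("P monic:", P[-1] == 1, " P(s) mod N:", evaluate_mod(P, t["s"], t["N"]),
          " |s| <= N^(1/e):", root_within_bound(t["s"], t["e"], t["N"]))
```

With these values $s^3 = 343 \le N$, so $s$ lies inside the theorem's bound and the lattice step would recover it; a secret of more than about $\log_2 N / e$ bits fails the `root_within_bound` test and is out of the theorem's reach, which is the practical reason to avoid leaving only a short unknown part in an RSA plaintext with small $e$.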

14 Polynomial attacks: gcd generalization
Theorem. Let $P(x)\in\mathbb{Z}[x]$ be a monic polynomial of degree $\delta$ in one variable, and let $N$ be an integer of unknown factorization. Let $\beta\in\mathbb{Q}$, $0<\beta\le 1$. Then one can find in time polynomial in $(\log N,\delta)$ and the bit-size of $\beta$ all integers $x_0$ such that $\gcd(P(x_0),N)\ge N^{\beta}$ and $|x_0|\le N^{\beta^2/\delta}$.
Factoring with a hint. Given $N=pq$ and $p_0$ with $p=p_0+\Delta$, $0\le\Delta<N^{1/4}$: consider $P(x)=p_0+x$ $\Rightarrow$ $\gcd(P(\Delta),N)=p>N^{1/2}$, so the theorem with $\beta=1/2$, $\delta=1$ recovers $\Delta\le N^{1/4}$.
Factoring $N=p^r q$. Assume $r$ is large; $p, q$ need not be prime, and $p=p_0+\Delta$: consider $P(x)=(p_0+x)^r$ $\Rightarrow$ $\gcd(P(\Delta),N)=p^r$.

15 Conclusion
Consider a linear congruence $a_1x_1+\dots+a_nx_n\equiv b\ [\mathrm{mod}\ m]$.
If $n$ is small, then we can find a solution such that $x_i=O(m^{1/n})$.
If there is a solution such that $x_1\cdots x_n$ is much smaller than $m$, then it can probably be recovered in practice.

