Page 1: Lattices and Cryptography:An Overview of Recent Results ...In Cryptology... Lattices have found applications both in Cryptography, where hard lattice problems are used to design secure

Lattices and Cryptography: An Overview of Recent Results with Emphasis on RSA and NTRU Cryptosystems.

Petros Mol

NYU Crypto Seminar

October 12, 2006

Petros Mol (NYU Crypto Seminar) Lattices and Cryptography:An Overview of Recent Results with Emphasis on RSA and NTRU Cryptosystems.October 12, 2006 1 / 61

Outline

1. Lattice Preliminaries: Definitions and Properties; LLL Reduction

2. Coppersmith's technique: Modular Equations; Integer Equations

3. Applications to RSA: Lattice Attacks on RSA; Low Public Exponent; Factoring Attacks; Low Private Exponent

4. Lattice-Based Cryptography: Overview; NTRU Cryptosystem; Attacks on NTRU

5. Conclusions


What is a Lattice?

Informally: an infinite regular arrangement of points in space.

Where are lattices used?

In the late 18th and 19th century mathematicians such as Lagrange, Gauss and Hermite used lattices in the field of algebraic number theory.

In the 19th century, important results due to Minkowski motivated the use of lattice theory in the theory and geometry of numbers.

More recently, lattices have become a topic of active research in Computer Science.

In Cryptology...

Lattices have found applications both in Cryptography, where hard lattice problems are used to design secure cryptosystems (Ajtai-Dwork, GGH, NTRU), and in Cryptanalysis, where lattices are used to break cryptosystems (Merkle-Hellman, GGH, attacks against RSA, NTRU).

Some Motivating Questions

RSA

RSA is based on the hardness of inverting $f(x) = x^e \bmod N$. If $x < N^{1/e}$ the inversion is trivial. If someone encrypts $x + s$ instead of $x$, where $s$ is known, can one still recover $x$ provided that $x < N^{1/e}$?

RSA is also based on the problem of factoring a large modulus $N = p \cdot q$, which is believed to be hard in the general case. If we know some of the bits of $p$ (or $q$), can we recover the rest of it?

Constructing Cryptographic Primitives

Certain RSA instances are easier to break than others (e.g. small public or private exponent, easy to factor modulus $N$). Can we construct cryptographic schemes with worst-case/average-case equivalence?

And an Answer...

Lattice theory gives answers to such questions in cryptology.

Lattice Preliminaries: Definitions and Properties

Lattice Formal Definition

Let $B = \{b_1, b_2, \ldots, b_n\}$ be a set of linearly independent vectors in $\mathbb{R}^n$. The lattice generated by $B$ is the set

$$L(B) = \Big\{\sum_{i=1}^{n} x_i \cdot \vec{b}_i : x_i \in \mathbb{Z}\Big\}.$$

A lattice is a discrete additive subgroup of $\mathbb{R}^n$.

Basis

The set $B$ is called a basis and we can compactly represent it as an $n \times n$ matrix each column of which is a basis vector:

$$B = [b_1, b_2, \ldots, b_n].$$

Obviously $b_i \in L$ for each $i = 1, 2, \ldots, n$.

Example

Consider the following two different bases:

$$B = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \quad \text{and} \quad B' = \begin{pmatrix} 1 & 2 \\ 1 & 1 \end{pmatrix}$$

The above bases are equivalent, that is, they produce the same lattice.

Figure: Another basis of $\mathbb{Z}^2$

Unimodular Matrix

A matrix $U \in \mathbb{Z}^{n \times n}$ is called unimodular if $\det U = \pm 1$.

Theorem (Bases Equivalence)

Two bases $B_1, B_2 \in \mathbb{R}^{n \times n}$ are equivalent if and only if $B_2 = B_1 \cdot U$ for some unimodular matrix $U$.

Elementary Column Operations

Each of the following elementary column operations on a basis $B$ can be represented by a multiplication $B \cdot U$ where $U$ is a unimodular matrix, and vice versa.

1. $b_i \leftarrow b_i + k b_j$ for some $k \in \mathbb{Z}$

2. $b_i \leftrightarrow b_j$

3. $b_i \leftarrow -b_i$

Two bases $B_1, B_2$ are equivalent iff we can produce $B_2$ by applying the above elementary column operations to $B_1$ and vice versa.

Determinant

The determinant of a lattice $L$ with basis $B$ is defined as $\det(L) = |\det(B)|$.

Theorem (Invariance of the Determinant)

The determinant of a lattice is independent of the choice of basis $b_1, b_2, \ldots, b_n \in \mathbb{R}^n$.

Shortest Vector Problem

Given a lattice $L$, find $\vec u \in L \setminus \{\vec 0\}$ s.t. $\|\vec u\| \le \|\vec v\|$ for all $\vec v \in L \setminus \{\vec 0\}$.

Figure: SVP

Current Knowledge: NP-hard for the $\ell_\infty$ norm (van Emde Boas 1981); NP-hard for $\ell_2$ under randomized reductions (Ajtai 1998); NP-hard to approximate within a constant (Micciancio 1998).

Closest Vector Problem

Given a lattice $L$ and a target $\vec t \in \mathbb{R}^n \setminus L$, find $\vec u \in L$ s.t. $\|\vec t - \vec u\| \le \|\vec t - \vec v\|$ for all $\vec v \in L$.

Figure: CVP

Current Knowledge: NP-hard (van Emde Boas 1981); NP-hard to approximate within a constant (Arora, Babai, Stern, Sweedyk 1997).

Lattice Preliminaries: LLL Reduction

Example

Consider the lattices produced by the following bases:

$$B_1 = \begin{pmatrix} 3 & 2 \\ 13 & 9 \end{pmatrix} \quad \text{and} \quad B_2 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$$

The above bases are equivalent. But the second one seems simpler. This leads to the need for reduction.

Example (Reduction in Vector Spaces)

Figure: Gram-Schmidt Orthogonalization

Does it work for lattices?

NO. Let $B = \begin{pmatrix} 2 & 1 \\ 0 & 1 \end{pmatrix}$. Then $B^* = \begin{pmatrix} 2 & 0 \\ 0 & 1 \end{pmatrix}$.

But $B^*$ is not a basis for the lattice $L(B)$. For example $B^*$ cannot produce $b_2 = \binom{1}{1}$.

A new notion for reduction

In 1982, A.K. Lenstra, H.W. Lenstra, and L. Lovász presented a new notion of reduction and a polynomial time reduction algorithm, called the LLL algorithm after their names, which:

1. does not guarantee to find the shortest lattice vector;

2. guarantees to find in polynomial time a vector within a factor of the shortest vector (the factor is given by the LLL theorem below);

3. in practice often performs much better than the theoretical bound.

Example

Figure: A "Bad" Basis

Figure: A "Good" Basis

Theorem (LLL reduction)

On input $B = [\vec b_1, \vec b_2, \ldots, \vec b_n]$, the LLL algorithm returns in polynomial time an equivalent reduced basis $B' = [\vec b_1', \vec b_2', \ldots, \vec b_n']$ the vectors of which satisfy:

$$\|\vec b_1'\| \le 2^{\frac{n-1}{2}} \lambda_1(L) \qquad \text{(LLL1)}$$

$$\|\vec b_1'\| \le 2^{\frac{n-1}{4}} \cdot \det(L)^{\frac{1}{n}} \qquad \text{(LLL2)}$$

where $\lambda_1(L)$ denotes the norm of the shortest vector in $L$. LLL execution entails only elementary column operations.

Coppersmith's technique: Modular Equations

Problem

Given:

A large integer $N$ of unknown factorization,

a polynomial $f \in \mathbb{Z}[x]$ of degree $d$ and

a modular equation $f(x) = a_d x^d + a_{d-1} x^{d-1} + \cdots + a_1 x + a_0 \equiv 0 \pmod N$.

Goal: Find $x_0 \in \mathbb{Z}$ such that $f(x_0) \equiv 0 \pmod N$.

Current Knowledge

No known efficient algorithm for the general case. However, "small" roots can be found efficiently using LLL (Coppersmith 1996 [Cop96b]).

Notation

$f(x) := \sum_i a_i x^i$: univariate polynomial with coefficients $a_i \in \mathbb{Z}$.

Vector representation of polynomials: if $p(x) = 3x^3 + 2x + 20$ then $p = (20, 2, 0, 3)$ is the corresponding vector.

Euclidean norm of a polynomial $f$: $\|f\|^2 := \sum_i a_i^2$.

Definition (Root container polynomial)

A polynomial $h$ is a root container of a polynomial $f$ if each root of $f$ is also a root of $h$. When the roots are considered modulo $N$, we say that $h$ is a root container of $f$ modulo $N$.

Looking inside the problem

How can we recover the "small" modular roots of $f(x)$? By transforming the modular equation to an equation over the integers.

How small are the roots we can extract? We would like to be able to efficiently find all roots $x_0$ s.t. $|x_0| < X$ for a bound $X$ to be maximized.

Basic Idea

Find a polynomial $h(x) \in \mathbb{Z}[x]$ such that $h(x_0) \equiv f(x_0) \equiv 0 \pmod N$ and $\|h\|^2 = \sum_{i=0}^{\deg(h)} h_i^2$ is small.

We still need...

1. The condition under which a modular equation can be transformed to an integer one.

2. An inequality for the calculation of the bound $X$.

Example

Let $p(x) = x^2 + ax + b$, $a, b > 0$, and consider the modular equation $p(x) \equiv 0 \pmod N$. We want to determine the bound $X$ s.t. $|p(x)| < N$ for all $x$ with $|x| < X$. Then all roots $x \in [-X, X]$ can be recovered by solving $p(x) = 0$ over the integers. Consider now the polynomials $p_0(x) = N$, $p_1(x) = Nx$. Let $h(x) = h_0 + h_1 x + h_2 x^2$ be a linear combination of the polynomials $p, p_0, p_1$. We then have

$$|h(x)| = |h_0 + h_1 x + h_2 x^2| \le |h_0| + |h_1||x| + |h_2||x|^2 \le |h_0| + |h_1| X + |h_2| X^2 \le \sqrt{3}\,\|h(xX)\|$$

We want to compute $X$ s.t. $\sqrt{3}\,\|h(xX)\| < N$.

Idea: Construct the lattice of all linear combinations of $p(xX)$, $p_0(xX)$ and $p_1(xX)$ and apply LLL to get a new polynomial $h$ with small $\|h(xX)\|$.

Example (cont.)

$$L = \begin{pmatrix} N & 0 & b \\ 0 & NX & aX \\ 0 & 0 & X^2 \end{pmatrix}$$

LLL returns a polynomial $h$ s.t. $\|h(xX)\| \le 2^{\frac{3-1}{4}} \det(L)^{\frac{1}{3}} = \sqrt{2}\, N^{\frac{2}{3}} X$.

Thus, if $\sqrt{3}\sqrt{2}\, N^{\frac{2}{3}} X < N \Rightarrow X < \frac{N^{1/3}}{\sqrt{6}}$, all modular roots of $h$ (and thus of $f$) in $[-X, X]$ can be easily found.

Lemma (Howgrave-Graham for Univariate Polynomials)

Let $h(x) \in \mathbb{Z}[x]$ be a univariate polynomial with at most $\omega$ monomials. Suppose in addition that $h$ satisfies the following two conditions:

(i) $h(x_0) \equiv 0 \pmod N$ where $|x_0| < X$, and

(ii) $\|h(xX)\| \le N/\sqrt{\omega}$.

Then $h(x_0) = 0$ holds over the integers.
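As an added example (not code from the slides), the following Python implements the LLL reduction of the preceding section, accumulates the unimodular matrix $U$ of the elementary operations it performs (so the bases-equivalence theorem can be checked on the slides' $B_1$), and runs the quadratic example above: build the 3-dimensional lattice of $p(xX)$, $p_0(xX)$, $p_1(xX)$, reduce it, and solve the resulting $h(x)$ over the integers. It uses row vectors rather than the slides' column convention (so the reduced basis is $U \cdot B$), picks $X$ slightly below $N^{1/3}/\sqrt{6}$, and the modulus, root and coefficient in the demo are constructed values.

```python
from fractions import Fraction
from math import isqrt


def det(m):
    """Determinant of a square integer matrix by exact Gaussian elimination."""
    a = [list(map(Fraction, row)) for row in m]
    n, d = len(a), Fraction(1)
    for i in range(n):
        piv = next((r for r in range(i, n) if a[r][i] != 0), None)
        if piv is None:
            return 0
        if piv != i:
            a[i], a[piv] = a[piv], a[i]
            d = -d
        d *= a[i][i]
        for r in range(i + 1, n):
            f = a[r][i] / a[i][i]
            a[r] = [x - f * y for x, y in zip(a[r], a[i])]
    return int(d)


def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors. Returns (reduced, U) with reduced == U * basis;
    U is the unimodular matrix accumulated from the elementary operations performed."""
    b = [list(map(Fraction, v)) for v in basis]
    n = len(b)
    u = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]

    def dot(v, w):
        return sum(x * y for x, y in zip(v, w))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = list(b[i])
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])                   # size reduction b_k <- b_k - q*b_j (operation 1)
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                u[k] = [x - q * y for x, y in zip(u[k], u[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]       # swap (operation 2) and step back
            u[k], u[k - 1] = u[k - 1], u[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in v] for v in b], [[int(x) for x in v] for v in u]


def icbrt(n):
    """Floor of the cube root of n >= 0 (float estimate, then exact integer correction)."""
    x = int(round(n ** (1 / 3)))
    while x ** 3 > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x


def small_roots_quadratic(a, b, N):
    """All x0 with x0^2 + a*x0 + b = 0 (mod N) and |x0| <= X, using the 3-dimensional lattice
    of the slides' example. X stays below N^(1/3)/sqrt(6), so (LLL2) guarantees
    sqrt(3)*||h(xX)|| < N and Howgrave-Graham's lemma applies."""
    X = icbrt(N // 15)                            # 15 > 6^(3/2), hence X < N^(1/3)/sqrt(6)
    # rows: coefficient vectors of p0(xX) = N, p1(xX) = N*X*x, p(xX) = b + a*X*x + X^2*x^2
    basis = [[N, 0, 0], [0, N * X, 0], [b, a * X, X * X]]
    reduced, _ = lll_reduce(basis)
    c0, c1, c2 = reduced[0]                       # first reduced vector = h(xX)
    assert 3 * (c0 * c0 + c1 * c1 + c2 * c2) < N * N   # lemma condition (ii) with omega = 3
    h0, h1, h2 = c0, c1 // X, c2 // (X * X)       # undo the scaling: h(x) = h0 + h1*x + h2*x^2
    roots = []
    if h2 != 0:                                   # solve h(x) = 0 over the integers
        D = h1 * h1 - 4 * h2 * h0
        if D >= 0 and isqrt(D) ** 2 == D:
            for s in (isqrt(D), -isqrt(D)):
                q, r = divmod(-h1 + s, 2 * h2)
                if r == 0:
                    roots.append(q)
    elif h1 != 0 and h0 % h1 == 0:
        roots.append(-(h0 // h1))
    # step 4 of the method: keep only roots that satisfy the modular equation and the bound
    return sorted(x for x in set(roots) if abs(x) <= X and (x * x + a * x + b) % N == 0)


if __name__ == "__main__":
    N, x0, a = 1000003 * 1000033, 1234, 5        # constructed modulus, small root, coefficient
    b = (-(x0 * x0 + a * x0)) % N                 # makes x0 a root of x^2 + a*x + b mod N
    print(lll_reduce([[3, 13], [2, 9]])[0], small_roots_quadratic(a, b, N))
```

For the constructed quadratic both modular roots ($1234$ and $-1239$) lie inside the bound, so the shortest lattice vector is exactly $p(x) - N$ and both are recovered.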

Generalizing...

Set of root container polynomials $Z_1 = \{g_0(x) = N,\ g_1(x) = Nx,\ \ldots,\ g_{d-1}(x) = Nx^{d-1},\ g_d = f(x)\}$.

Consider the following lattice $L_1$ with basis

$$B_1 = \begin{pmatrix} N & 0 & \cdots & f_0 \\ 0 & XN & \ddots & X f_1 \\ 0 & 0 & \ddots & \vdots \\ \vdots & \vdots & \ddots & X^{d-1} f_{d-1} \\ 0 & 0 & \cdots & X^d \end{pmatrix}_{(d+1) \times (d+1)}$$

Each point of $L_1$ corresponds to the coefficient vector of a polynomial $h(xX) = \sum_{i=0}^{d} c_i g_i(xX)$.

$f(x_0) \equiv 0 \pmod N \Rightarrow h(x_0) \equiv 0 \pmod N$.

Bounding X

Applying LLL to $B_1$ we get an equivalent (reduced) basis $B_1' = [b_1', b_2', \ldots, b_n']$ where $b_1'$ is the coefficient vector of an $h(xX)$ such that:

$$\|b_1'\| = \|h(xX)\| \le 2^{\frac{d}{4}} \cdot \det(L_1)^{\frac{1}{d+1}}.$$

The second condition of Howgrave-Graham's Lemma is satisfied if

$$2^{\frac{d}{4}} \cdot \det(L_1)^{\frac{1}{d+1}} < \frac{N}{\sqrt{d+1}} \Rightarrow \cdots \Rightarrow X \le k(d)\, N^{\frac{2}{d(d+1)}}$$

where $k(d)$ is a small enough constant that depends only on $d$.

Summarizing: If we use $Z_1$ to construct the lattice, we can find all roots $x_0$ s.t. $f(x_0) \equiv 0 \pmod N$ and $|x_0| < k(d)\, N^{\frac{2}{d(d+1)}}$.

Can we do any better?

YES. (Coppersmith)

1. $Z_2 = \{N, Nx, Nx^2, \ldots, Nx^{d-1}\} \cup \{f(x), xf(x), \ldots, x^{d-1} f(x)\}$. Bound achieved: $X \le l(d)\, N^{\frac{1}{2d-1}}$.

2. $Z_h = \{N^{h-j-1} f(x)^j x^i \mid 0 \le i < d,\ 0 \le j < h\}$. Take LIC (linear integer combinations) of the above set modulo $N^{h-1}$ instead of modulo $N$. Bound achieved: $X = N^{\frac{1}{d}}$.

Theorem (Coppersmith, Univariate Modular Equations)

Let $f(x)$ be a monic polynomial of degree $d$. Let $N$ be an integer of unknown factorization. If there exists an $x_0$ s.t. $f(x_0) \equiv 0 \pmod N$ and $|x_0| < N^{\frac{1}{d}}$, then one can find $x_0$ in time polynomial in $(\log N, d)$.

Method Overview

Step 1: Given $f(x)$, construct an appropriate basis $B$ which produces a lattice $L$ the points of which correspond to polynomials that are root containers of $f$.

Step 2: Run LLL on $B$ to obtain an equivalent basis $B'$ with a small first basis vector $b_1'$.

Step 3: Consider the polynomial $h(x)$ that corresponds to $b_1'$ and solve the equation $h(x) = 0$ over the integers.

Step 4: Test the roots obtained in step 3 and accept only those that satisfy $f(x_0) \equiv 0 \pmod N$.

The preceding analysis guarantees that all the modular roots of $f(x)$ with $|x_0| < N^{1/d}$ will be found.

Coppersmith's technique: Integer Equations

The problem

Given: A bivariate polynomial $p(x, y) = \sum_{i,j} p_{i,j} \cdot x^i y^j$ with integer coefficients.
Goal: Find all integer pairs (x_0, y_0) such that p(x_0, y_0) = 0.
In general, there is no efficient algorithm for this.
However, one can efficiently find small root pairs (Coppersmith [Cop96a]).

Theorem (Coppersmith, Bivariate Integer Equations)

Let p(x, y) ∈ Z[x, y] be irreducible with maximum degree δ in x and y separately.
Let X, Y be upper bounds on the desired integer solution (x_0, y_0).
Let $W = \max_{i,j} |p_{i,j}| X^i Y^j$.
Then, if $XY \le W^{2/(3\delta)}$, one can find all integer pairs (x_0, y_0) such that p(x_0, y_0) = 0, |x_0| ≤ X and |y_0| ≤ Y in time polynomial in log W and $2^\delta$.


Coppersmith’s technique Integer Equations

Current Status

Problem | Status | Bound | Simplification
f(x) ≡ 0 (mod N) | Proven [Cop96b] | $N^{1/d}$ | [HG97]
$f(\vec x) \equiv 0 \pmod N$ | Heuristic [Cop96b] | − | [HG97]
f(x, y) = 0 | Proven [Cop96a] | $XY < W^{2/(3\delta)}$ | [Cor04]


Applications to RSA Lattice Attacks on RSA

Overview

Since its initial publication in 1977, RSA has been extensively analyzed for vulnerabilities by many researchers.
None of the attacks has proven devastating. The attacks mostly illustrate the danger of improper choices of the RSA parameters.
Lattice theory and the invention of LLL have motivated a number of lattice attacks. Still, RSA in its general setting remains unbroken.
The attacks described below take advantage of insecure choices of e or d, or use partial information about p or d, to recover the message or factor N; they do not expose any inherent flaw of the cryptosystem itself.


Applications to RSA Low Public Exponent

Motivation for using a small e

Simplify/speed up the encryption process. Typical values: e = 3 or $e = 2^{16} - 1$.

A trivial attack

For simplicity, let e = 3. If we know that $m < N^{1/3}$, then inverting $c = m^3 \bmod N$ is trivial.

Stereotyped messages

If the message is m = B + x where B is known, we can apply Coppersmith's theorem to the polynomial $f(x) = (B + x)^3 - c$ and find x (and hence m) provided that $x < N^{1/3}$.

Practically, this means that if the length of the stereotyped part is larger than 2/3 of the length of the whole message, the use of e = 3 should be avoided.


Applications to RSA Low Public Exponent

Alternative Scenario

Suppose the same message m is encrypted with e = 3 for three receivers with pairwise coprime moduli N_1, N_2, N_3, giving ciphertexts $c_i = m^3 \bmod N_i$. Using CRT, the attacker can find the unique integer $m^3 < N_1 N_2 N_3$ such that $m^3 \equiv c_i \pmod{N_i}$, and hence m by taking an integer cube root.
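The three-receiver scenario above, as an added Python example (not part of the original slides): CRT combines the three ciphertexts into the integer m^3, so an exact integer cube root recovers m; the same code shows that per-receiver padding defeats this plain combination. The moduli and the message are constructed toy values.

```python
"""Broadcast of one unpadded message with e = 3 to three receivers, as on the
slide. Added example, not from the original presentation; moduli and message
are constructed toy values (far too small for real use)."""
from functools import reduce
from math import gcd


def icbrt(n):
    """Exact integer cube root of n >= 0, or None if n is not a perfect cube."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:                       # smallest r with r^3 >= n
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == n else None


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli: the unique x in
    [0, prod(moduli)) with x = r_i (mod N_i) for every i."""
    M = reduce(lambda a, b: a * b, moduli)
    x = 0
    for r, n in zip(residues, moduli):
        Mi = M // n
        x += r * Mi * pow(Mi, -1, n)
    return x % M


def recover_broadcast(ciphertexts, moduli):
    """Given c_i = m^3 mod N_i for three moduli with m < min N_i, the CRT value
    is m^3 itself (it is below N_1 N_2 N_3), so a plain integer cube root gives
    m. Returns None when the combined value is not a perfect cube."""
    assert len(ciphertexts) == len(moduli) == 3
    for i in range(3):
        for j in range(i + 1, 3):
            assert gcd(moduli[i], moduli[j]) == 1
    return icbrt(crt(ciphertexts, moduli))


def recover_small_message(c):
    """The trivial attack from the slide: if m < N^(1/3) then c = m^3 holds over
    the integers and the modulus plays no role at all."""
    return icbrt(c)


# Constructed toy moduli: products of two 16-bit primes each.
MODULI = [65521 * 65519, 65497 * 65479, 65449 * 65447]


def demo():
    """Unpadded broadcast is recovered; with distinct per-receiver padding the
    three plaintexts differ, the CRT value is no longer a cube and this plain
    combination fails (the slide's Hastad theorem handles linear padding too,
    but needs Coppersmith's method, which is not implemented here)."""
    m = 123456789                         # constructed message, below every N_i
    c = [pow(m, 3, n) for n in MODULI]
    padded = [pow((i << 40) + m, 3, n) for i, n in enumerate(MODULI, start=1)]
    return recover_broadcast(c, MODULI), recover_broadcast(padded, MODULI)
```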


Applications to RSA Low Public Exponent

Avoid the attack

Use user-specific padding on m before sending. For instance, $c_i = (i \cdot 2^h + m)^3 \pmod{N_i}$. We can still break this system using Hastad's attack.

Theorem (Hastad)

Let N_1, N_2, ..., N_k be pairwise relatively prime and $N_{\min} = \min_i N_i$.
Let $g_i \in \mathbb{Z}_{N_i}[x]$ be k polynomials of maximum degree d.
Suppose that there exists a unique $m < N_{\min}$ such that $g_i(m) \equiv c_i \pmod{N_i}$ for all i = 1, 2, ..., k.
Then we can efficiently find m given $(N_i, g_i, c_i)_{i=1}^{k}$ provided that k ≥ d.


Applications to RSA Low Public Exponent

Proof Sketch

Define $h_i(x) = g_i(x) - c_i$ for 1 ≤ i ≤ k, so that $h_i(m) \equiv 0 \pmod{N_i}$.
Use CRT to find T_i such that
$$T_i \equiv \begin{cases} 1 \pmod{N_j} & \text{if } i = j \\ 0 \pmod{N_j} & \text{if } i \neq j \end{cases}$$
Then the polynomial $h(x) = \sum_{i=1}^{k} T_i h_i(x) \pmod N$, where $N = \prod_{i=1}^{k} N_i$:
1 has degree d as the sum of polynomials of degree d,
2 is monic since $\sum_{i=1}^{k} T_i \equiv 1 \pmod{N_i}$ for every i and thus $\sum_{i=1}^{k} T_i \equiv 1 \pmod N$,
3 satisfies h(m) ≡ 0 (mod N).

Since $m < \min_i N_i$ and d ≤ k we finally get
$$m^d \le m^k < \prod_{i=1}^{k} N_i = N \;\Rightarrow\; m < N^{1/d}.$$


Applications to RSA Factoring N

The challenge

Information: Some bits of p or q.
Goal: Recover all of p (factor N).
Result: Knowledge of half of the bits of p suffices to factor N, provided that p, q are of the same bitsize.

Proof Sketch

Let n be the bitsize of N. Write $p = p_1 2^{n/4} + p_0$ and $q = q_1 2^{n/4} + q_0$ where $p_i, q_i < 2^{n/4}$.

Define
$$f(x, y) = \frac{1}{2^{n/4}}\Big((x 2^{n/4} + p_0)(y 2^{n/4} + q_0) - N\Big) = xy\,2^{n/4} + q_0 x + p_0 y + \frac{1}{2^{n/4}}(p_0 q_0 - N).$$


Applications to RSA Factoring N

Proof Sketch

Given the n/4 LSBs of p, we know p_0 and thus q_0, since $p_0 q_0 \equiv N \pmod{2^{n/4}}$.
$f(x, y) \in \mathbb{Z}[x, y]$ has degree d = 1 in x and in y, and $f(p_1, q_1) = 0$.
Letting $X = Y = N^{1/4 - \varepsilon}$, we have $p_1 < X$ and $q_1 < Y$. In addition $W = \|f(x, y)\|_\infty \approx N^{3/4}$.
Thus $XY = N^{1/2 - 2\varepsilon} < (N^{3/4})^{2/3} = W^{2/(3d)}$.
We can then apply Coppersmith's theorem for the bivariate case and recover p_1, q_1.


Applications to RSA Small d

Reducing the attack to a modular equation

Assume that gcd(p − 1, q − 1) = 2. Then the RSA equation can be written $ed + k\,\frac{\varphi(N)}{2} = 1$ for some k ∈ Z.
$ed + k\left(\frac{N + 1}{2} - \frac{p + q}{2}\right) = 1$.
Set $s = -\frac{p + q}{2}$ and $A = \frac{N + 1}{2}$; we assume that p, q are balanced.
Assume that $d = N^\delta$ and e ≈ N.
Define the polynomial $f(k, s) = k(A + s) - 1 \equiv 0 \pmod e$.
$|s| < 2N^{0.5}$ and $|k| < \frac{2de}{\varphi(N)} \le \frac{3de}{N} \approx e^\delta$.

Solving the equation

We use the heuristic technique to solve the bivariate modular equation.
Boneh and Durfee [BD99] proved that the attack can work as soon as δ ≤ 0.292.
The bound $d < N^{0.292}$ is the best known bound for the private exponent.


Applications to RSA Small d

Attacks Overview

Category | Reference | Result | Comment
Small e | [Has88] | number of receivers ≥ e | multiple receivers
Factoring attacks | [Cop96a] | Half of the bits of p | p, q balanced
Small d | [BD99] | $d < N^{0.292}$ | heuristic

Is that all?

NO. Lattices and Coppersmith's technique are behind many other applications to RSA, such as:

Partial Key Exposure Attacks (part of the private key d known).
Factoring and low private exponent attacks against RSA schemes with modulus $N = p^r \cdot q$.
Recently (2004), May [May04] used Coppersmith's technique for bivariate integer equations to prove the deterministic polynomial time equivalence between computing the private key d and factoring.


Lattice-Based Cryptography Overview

Why lattice Cryptography?

Lattice-Based Cryptography | "Classic" Cryptography
✓ Based on hardness of lattice problems | ✗ Based on hardness of factoring, discrete log, etc.
✓ Average-case/worst-case equivalence | ✗ Based on average-case hardness assumptions
✓ (Still) resists quantum algorithms | ✗ Vulnerable to quantum algorithms
✓ Fast encryption/decryption | ✗ Requires modular exponentiation (significantly slower)

Table: Lattice vs "Classic" Cryptography


Lattice-Based Cryptography Overview

Constructing Cryptographic Primitives

In 1996, Ajtai's worst-case/average-case equivalence result motivated the construction of lattice-based cryptographic primitives.
Ajtai proved that the existence of a (probabilistic) polynomial time algorithm which solves SVP in a random lattice of dimension m implies the existence of (probabilistic) polynomial time algorithms that solve (thought-to-be) hard problems in any lattice of dimension n(m).

Ajtai-Dwork Cryptosystem

✓ Inspired by the above result, Ajtai and Dwork (1996) constructed a cryptosystem the security of which was based on the worst-case hardness of the "unique-SVP".
✗ Major drawback: The cryptosystem is impractical ($O(N^4)$ for both encryption/decryption and key size).
For the proposed parameter set, the cryptosystem was broken by Nguyen and Stern in 1998.


Lattice-Based Cryptography Overview

Goldreich,Goldwasser,Halevi (GGH) Cryptosystem

Related to CVP.
Private key: A "good" basis R for L.
Public key: A "random" basis B ($B = U_1 \cdots U_k \cdot R$ for unimodular $U_i$).
Encryption: $\vec c = B \cdot \vec m + \vec e$ with $\vec e \in_R \{\delta, -\delta\}^n$.
Decryption: The legitimate receiver has to solve an easy instance of CVP (since R is appropriately chosen).

Remarks

✓ GGH is practical ($O(n^2)$ encryption/decryption and key size).
✗ No CVP counterpart of Ajtai's result.
✗ Trade-off between security and Pr[correct decryption] (larger δ: harder decryption for both the attacker and the legitimate receiver).
✗ $\vec c$ leaks information on $\vec m$. Based on that inherent flaw, Nguyen managed to break several instances of the cryptosystem.


Lattice-Based Cryptography Overview

Cryptanalysis of GGH (Nguyen, 1999)

Let $\vec u = [\delta, \ldots, \delta]^T$. Then
$$\vec c = B \cdot \vec m + \vec e \;\Rightarrow\; \vec c + \vec u \equiv B \cdot \vec m \pmod{2\delta}$$

With high probability one can recover $\vec m' \equiv \vec m \pmod{2\delta}$ by solving the above system of linear congruences. This gives
$$\vec c - B \cdot \vec m' = B \cdot (\vec m - \vec m') + \vec e \;\Rightarrow\; \frac{\vec c - B \cdot \vec m'}{2\delta} = B \cdot \frac{\vec m - \vec m'}{2\delta} + \frac{\vec e}{2\delta},$$
which is an easier CVP instance since the error vector is 2δ times shorter.


Lattice-Based Cryptography NTRU Cryptosystem

In Brief...

Developed by Hoffstein, Pipher and Silverman during 1994-1996.
It is in fact a lattice-based cryptosystem based on the difficulty of SVP.

Notation

R: Ring of polynomials $\mathbb{Z}[X]/(X^N - 1)$.
$a(x) = a_0 + a_1 X + \ldots + a_{N-1} X^{N-1} = [a_0, a_1, \ldots, a_{N-1}] = \vec a$.
Multiplication in R (cyclic convolution product): f(x) ∗ g(x) = h(x) where $h_k = \sum_{i + j \equiv k \pmod N} f_i \cdot g_j$.
The operator ∗ is both commutative and associative.
$f_q, f_p \in R$: Inverse polynomials of f mod q and mod p respectively. That is,
$f_q ∗ f \equiv 1 \pmod q$, $f_p ∗ f \equiv 1 \pmod p$.
f_q, f_p can easily be computed using the Euclidean algorithm and Hensel's lemma.


Lattice-Based Cryptography NTRU Cryptosystem

Key Generation

(a) Fix a prime number N and p, q such that (p, q) = 1.
(b) Choose polynomials f, g randomly such that ‖f‖, ‖g‖ are small.
(c) Compute $f_q \equiv f^{-1} \pmod q$ and $f_p \equiv f^{-1} \pmod p$. If one of the inverses does not exist, go back to the previous step.
(d) Compute $h \equiv f_q ∗ g \pmod q$.
(e) h is the public key. The pair (f, f_q) is the private key.

Encryption Process

1 Encode (according to a public encoding function) the message M as a polynomial m with binary coefficients.
2 Choose a random polynomial r (blinding polynomial).
3 Send the ciphertext $e \equiv p ∗ r ∗ h + m \pmod q$.


Lattice-Based Cryptography NTRU Cryptosystem

Decryption Process

1 Compute $a \equiv e ∗ f \pmod q$. (Indeed $a \equiv p ∗ r ∗ h ∗ f + f ∗ m \equiv p ∗ r ∗ g + f ∗ m \pmod q$.)
2 Choose the coefficients of a to satisfy $A \le a_i < A + q$ (A depending on the centering algorithm and the specific values of the parameters).
3 Compute $f_p ∗ a \pmod p$: $f_p ∗ a \equiv f_p ∗ p ∗ r ∗ g + f_p ∗ f ∗ m \equiv m \pmod p$.

Remarks

(i) Let b = p ∗ r ∗ g + f ∗ m. In order to have a correct reduction mod p (in the last step) and thus a correct decryption, a should equal b not only mod q but over the integers.
(ii) The centering (Step 2) and the choice of the polynomials f, g so that ‖f‖, ‖g‖ are small guarantee that the decryption process will give m with very high probability.
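Key generation and encryption (previous slide) and the decryption with its centering step (this slide), as an added Python example that is not the presentation's code nor the NTRU authors'. It assumes constructed toy parameters N = 7, p = 3, q = 32 with binary f, g, r as on the slides; the inverses are computed by Gauss-Jordan elimination mod a prime plus Hensel lifting to mod 2^k (one concrete way to realise the slide's "Euclidean algorithm and Hensel's lemma"), and A = 0 is used for centering, which is exact here because every coefficient of b is non-negative and bounded below q.

```python
"""Toy NTRU following the key generation, encryption and decryption steps
on the slides. Added example; not the presentation's or the NTRU authors'
code. Parameters are tiny (N = 7, p = 3, q = 2^5) so everything stays
readable; inverses come from Gauss-Jordan elimination mod a prime plus
Hensel lifting to mod 2^k, one concrete way to do what the slides describe."""
import random

N, P, Q = 7, 3, 32            # ring R = Z[X]/(X^N - 1); gcd(p, q) = 1
DF, DG, DR = 5, 3, 3          # number of 1-coefficients in f, g, r (rest 0)
# f(1) = DF must be a unit mod 2 and mod p, otherwise X - 1 divides f and
# no inverse exists: DF = 5 is odd and not a multiple of 3.

def conv(a, b, mod):
    """Cyclic convolution product a * b in R with coefficients reduced mod
    `mod`: h_k = sum over i + j = k (mod N) of a_i * b_j."""
    h = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            h[(i + j) % N] = (h[(i + j) % N] + ai * bj) % mod
    return h

def inverse_mod_prime(f, p):
    """Inverse of f in Z_p[X]/(X^N - 1), or None if none exists. f * x is
    linear in x, so solve the circulant system f * x = 1 by Gauss-Jordan
    elimination over Z_p (the Euclidean route would work equally well)."""
    # row k encodes sum_i f[(k - i) % N] * x_i = (1 if k == 0 else 0)
    M = [[f[(k - i) % N] % p for i in range(N)] + [int(k == 0)] for k in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if M[r][col]), None)
        if piv is None:
            return None                          # singular: f is not a unit mod p
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [(v * inv) % p for v in M[col]]
        for r in range(N):
            if r != col and M[r][col]:
                fac = M[r][col]
                M[r] = [(vr - fac * vc) % p for vr, vc in zip(M[r], M[col])]
    return [M[k][N] for k in range(N)]

def inverse_mod_prime_power(f, p, q):
    """Inverse of f mod q = p^k: Hensel-lift the inverse mod p with the Newton
    step x <- x * (2 - f * x), which doubles the precision each round."""
    x = inverse_mod_prime(f, p)
    if x is None:
        return None
    mod = p
    while mod < q:
        mod *= mod
        t = [(-c) % mod for c in conv(f, x, mod)]
        t[0] = (t[0] + 2) % mod                  # t = 2 - f * x
        x = conv(x, t, mod)
    return [c % q for c in x]

def random_binary(d, rng):
    """Polynomial with exactly d coefficients equal to 1 and N - d equal to 0."""
    coeffs = [1] * d + [0] * (N - d)
    rng.shuffle(coeffs)
    return coeffs

def keygen(seed=None):
    """Steps (a)-(e): draw small f, g until both inverses exist; h = fq * g mod q.
    Returns the public key h and the private material (f, fp): the slides name
    (f, fq) as the private key, but decryption is the step that needs fp."""
    rng = random.Random(seed)
    while True:
        f, g = random_binary(DF, rng), random_binary(DG, rng)
        fq = inverse_mod_prime_power(f, 2, Q)
        fp = inverse_mod_prime(f, P)
        if fq is not None and fp is not None:
            return conv(fq, g, Q), (f, fp)

def encrypt(h, m, seed=None):
    """Encryption steps 1-3: e = p * r * h + m (mod q) with a fresh binary r."""
    r = random_binary(DR, random.Random(seed))
    prh = conv([P * c for c in r], h, Q)
    return [(x + y) % Q for x, y in zip(prh, m)]

def centre(a, A=0):
    """Decryption step 2: choose the representatives with A <= a_i < A + q."""
    return [(c - A) % Q + A for c in a]

def coefficient_bound():
    """Largest possible coefficient of b = p*r*g + f*m for binary polynomials:
    (r*g)_k <= min(dr, dg) and (f*m)_k <= df. When this is below q, centering
    with A = 0 returns b itself over the integers (remark (i) on the slide),
    so decryption never fails with these parameters."""
    return P * min(DR, DG) + DF

def decrypt(e, f, fp):
    """Decryption steps 1-3: a = e * f mod q, centre, then fp * a mod p = m."""
    a = centre(conv(e, f, Q))
    return conv(fp, a, P)

def roundtrip(m, seed):
    """Generate a key from `seed`, encrypt the binary message m, decrypt it."""
    h, (f, fp) = keygen(seed)
    return decrypt(encrypt(h, m, seed + 1), f, fp)

if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1]                  # constructed sample message
    print("bound < q:", coefficient_bound() < Q, "recovered:", roundtrip(msg, 7) == msg)
```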


Lattice-Based Cryptography NTRU Cryptosystem

Typical Values of Parameters

f: d_f coefficients set to 1 and N − d_f set to 0.
g: d_g coefficients set to 1 and N − d_g set to 0.
r: d_r coefficients set to 1 and N − d_r set to 0.
p: p = 3 or (as recently proposed) p = 2 + x.
q: $q = 2^k$ (k = 6, 7 or 8). In any case (p, q) = 1.

Security | N | q | p | d_f | d_g | d_r
Moderate | 107 | 64 | 3 (or 2 + x) | 32 | 31 | 32
Medium | 251 | 128 | 3 (or 2 + x) | 72 | 71 | 72
High | 347 | 128 | 3 (or 2 + x) | 64 | 173 | 64
Highest | 503 | 256 | 3 (or 2 + x) | 420 | 251 | 170


Lattice-Based Cryptography NTRU Cryptosystem

Properties

1 Fast ✓
2 Has small keys ✓

 | NTRU | RSA | GGH
Encryption speed | $N^2$ | $N^3$ | $N^2$
Decryption speed | $N^2$ | $N^3$ | $N^2$
Public key | N | N | $N^2$
Private key | N | N | $N^2$

3 Different ☺
4 Secure ??


Lattice-Based Cryptography Attacks on NTRU

Coppersmith & Shamir Attack

$h \equiv f_q ∗ g \pmod q \;\Rightarrow\; f ∗ h \equiv g \pmod q$ where f, g are "small". This motivates the construction of the lattice

$$L_{CS} = \begin{pmatrix}
1 & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\
0 & 1 & \cdots & 0 & 0 & 0 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & 1 & 0 & 0 & \cdots & 0 \\
h_0 & h_{N-1} & \cdots & h_1 & q & 0 & \cdots & 0 \\
h_1 & h_0 & \cdots & h_2 & 0 & q & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
h_{N-1} & h_{N-2} & \cdots & h_0 & 0 & 0 & \cdots & q
\end{pmatrix}$$

Notice that the original pair (f, g) belongs to the lattice. Indeed
$$[f_0, \ldots, f_{N-1}, g_0, \ldots, g_{N-1}]^T = L \cdot [f_0, \ldots, f_{N-1}, -u_0, \ldots, -u_{N-1}]^T$$
where
$$u(x) = \frac{f(x) ∗ h(x) - g(x)}{q}.$$


Lattice-Based Cryptography Attacks on NTRU

CS Attack (cont.)

$L_{CS} = \{(a, b) \in \mathbb{Z}^{2N} : a ∗ h \equiv b \pmod q\}$.
Since the original f, g are small, we expect that the vector $(\vec f \,\|\, \vec g)$ is small, so it can possibly be returned by a reduction algorithm.
Even if the returned vector (f′, g′) ≠ (f, g), the attack can still work if ‖(f′, g′)‖ is small (correct decryption).
Countermeasure: Choose lattice parameters so that such an attack is infeasible using contemporary lattice reduction techniques.

May's attack

Let λ_1, λ_2 be the first two successive minima.
Idea: Increase the ratio λ_2/λ_1. Then a reduction algorithm is more likely to return a vector with length λ_1.
Assumption: There is a unique "run" of r zeros in g (i.e. there exists a unique index i ∈ {0, 1, ..., N − 1} such that $g_i = \ldots = g_{i+r-1} = 0$).


Lattice-Based Cryptography Attacks on NTRU

May’s attack (cont.)

$$L_M = \begin{pmatrix}
1 & \cdots & 0 & 0 & \cdots & 0 & 0 & \cdots & 0 \\
\vdots & \ddots & \vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\
0 & \cdots & 1 & 0 & \cdots & 0 & 0 & \cdots & 0 \\
\theta \cdot h_0 & \cdots & \theta \cdot h_1 & \theta \cdot q & \cdots & 0 & 0 & \cdots & 0 \\
\vdots & \ddots & \vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\
\theta \cdot h_{r-1} & \cdots & \theta \cdot h_r & 0 & \cdots & \theta \cdot q & 0 & \cdots & 0 \\
h_r & \cdots & h_{r+1} & 0 & \cdots & 0 & q & \cdots & 0 \\
\vdots & \ddots & \vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\
h_{N-1} & \cdots & h_0 & 0 & \cdots & 0 & 0 & \cdots & q
\end{pmatrix}$$

Let $\sigma : [a_1, \ldots, a_n] \to [a_n, a_1, \ldots, a_{n-1}]$.

Under the "unique zero-run" assumption, choosing θ = q + 1 makes all shifted vectors $(\sigma^k(f) \,\|\, \sigma^k(g))$ have length at least $\sqrt{d_f + d_g + (q + 1)^2 - r}$, except for one which will still have length $\sqrt{d_f + d_g}$.

May managed to break NTRU at the moderate level of security in 1999.


Conclusions

Current Trends: Look to the future

- Attacks, Attacks, Attacks...
  - Find more effective ways to attack RSA. Increase the bounds on the parameters up to which the attacks can be mounted in polynomial time.
  - Invent a more sophisticated (lattice) attack against NTRU.
- Construct secure lattice-based cryptographic primitives. Try to incorporate worst-case/average-case equivalence without sacrificing efficiency.
- Extend the constructions, or adjust them, in order to get secure and efficient signature schemes.
- Investigate in depth the relationship between 'classic' and lattice-based cryptography. For example, can we factor integers or solve DLP using SVP or approximate-SVP oracles?


References

Dan Boneh and Glenn Durfee. "Cryptanalysis of RSA with Private Key d Less than N^0.292". In EUROCRYPT, pages 1–11, 1999.

Johannes Blömer and Alexander May. "A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers". In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 251–267. Springer, 2005.

Don Coppersmith. "Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known". In EUROCRYPT, pages 178–189, 1996.

Don Coppersmith. "Finding a Small Root of a Univariate Modular Equation". In EUROCRYPT, pages 155–165, 1996.

Jean-Sébastien Coron. "Finding Small Roots of Bivariate Integer Polynomial Equations Revisited". In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 492–505. Springer, 2004.

Johan Håstad. "Solving simultaneous modular equations of low degree". SIAM Journal on Computing, 17:336–341, 1988. URL: http://www.nada.kth.se/~johanh/papers.html

Nick Howgrave-Graham. "Finding Small Roots of Univariate Modular Equations Revisited". In Michael Darnell, editor, IMA Int. Conf., volume 1355 of Lecture Notes in Computer Science, pages 131–142. Springer, 1997.

A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. "Factoring polynomials with rational coefficients". Mathematische Annalen, 261:515–534, 1982.

Alexander May. "Computing the RSA Secret Key Is Deterministic Polynomial Time Equivalent to Factoring". In CRYPTO, pages 213–219, 2004.
