On the security of a Public Key Cryptosystem based on Diophantine equations of Degree Increasing Type

2016 Symposium on Cryptography and Information Security, 19th January, 2016

Jintai Ding*, ◎Momonari Kudo†, Shinya Okumura‡, Tsuyoshi Takagi‡ and Chengdong Tao§

* Department of Mathematics, University of Cincinnati
† Graduate School of Mathematics, Kyushu University
‡ Institute of Mathematics for Industry, Kyushu University
§ South China University of Technology


Contents

1. Introduction

[DKOTT15] Jintai Ding, Momonari Kudo, Shinya Okumura, Tsuyoshi Takagi, Chengdong Tao, Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction, IACR Crypto. ePrint archive 2015/1229 (2015).


1-1. Diophantine Equations and Cryptography

Diophantine Problem / $\mathbb{Q}$: Given $f \in \mathbb{Z}[x_1, \dots, x_n]$, find $(a_1, \dots, a_n) \in \mathbb{Q}^n$ s.t. $f(a_1, \dots, a_n) = 0$.

No algorithm to test Diophantine equations for solvability in $\mathbb{Z}$ [DMR76].

↓ apply

Some cryptosystems as candidates of Post-Quantum Cryptosystems (PQC)

Q. How secure are these cryptosystems?

[DMR76] M. Davis, Y. Matijasevič and J. Robinson, Hilbert's tenth problem, Diophantine equations: positive aspects of a negative solution, In: Mathematical Developments Arising from Hilbert Problems, Browder, F.E. (ed.), AMS, Providence, RI., 323--378 (1976).


1-2. History of Cryptosystems based on Diophantine problem

e.g.,

• A public key cryptosystem [LCL95]

• Key exchange protocols [BHHKP13], [HP13] and [Yos11]

• Algebraic Surface Cryptosystem (ASC) [AGM09] (and its previous versions)

[AGM09] K. Akiyama, Y. Goto, H. Miyake, Algebraic Surface Cryptosystem, In: Proc. of PKC'09, LNCS 5443, 425--442 (2009).

[BHHKP13] A. Bérczes, L. Hajdu, N. Hirata-Kohno, T. Kovács, A. Pethő, A key exchange protocol based on Diophantine equations and S-integers, JSIAM Letters 6, 85--88 (2014).

[HP13] N. Hirata-Kohno, A. Pethő, On a key exchange protocol based on Diophantine equations, Infocommunications J. 5, 17--21 (2013).

[LCL95] C. H. Lin, C. C. Chang, R. C. T. Lee, A new public-key cipher system based upon the diophantine equations, IEEE Trans. Comp. 44, 13--19 (1995).

[Yos11] H. Yosh, The key exchange cryptosystem used with higher order Diophantine equations, IJNSA Journal 3, 43--50 (2011).


1-3. ASC and its analogue ``DEC''

• Algebraic Surface Cryptosystem (ASC) [AGM09] (and its previous versions)

Fully broken by several attacks [UT07], [Vol07], [Iwa08], [FS10].

A new public key cryptosystem as an analogue of ASC by Okumura [Oku15]:

``A public key Cryptosystem based on Diophantine Equations of degree increasing type (DEC)''

[FS10] J.-C. Faugère, P.-J. Spaenlehauer, Algebraic Cryptanalysis of the PKC'2009 Algebraic Surface Cryptosystem, In: Proc. of PKC'10, LNCS 6056, 35--52 (2010).

[Iwa08] M. Iwami, A reduction Attack on Algebraic Surface Cryptosystems, LNCS 5081, 323--332 (2008).

[Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pacific J. of Math. for Industry 7 (2015).

[UT07] S. Uchiyama, H. Tokunaga, On the Security of the Algebraic Surface Public-key Cryptosystems (in Japanese), In: Proc. of SCIS 2007, CD-ROM, 2C1-2 (2007).

[Vol07] F. Voloch, Breaking the Akiyama-Goto cryptosystem, Contemporary Mathematics, Arithmetic, Geometry, Cryptography and Coding Theory 487, 113--118, AMS, Providence, RI. (2007).


1-4. Our Problem

Algebraic Surface Cryptosystem (ASC)
- Function field
- Section finding problem
- Broken by several attacks

Diophantine Equation Cryptosystem (DEC): A public key Cryptosystem based on Diophantine Equations of degree increasing type
- Number field
- Diophantine problem
- What's new: ``twisting'' plaintext
- Expected to
  - avoid the analogues of the attacks against ASC
  - become one of PQC

Q. How secure is DEC?

[Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pacific J. of Math. for Industry 7 (2015).


1-5. Our Contributions

• Apply a variant of the LLL algorithm to our cryptanalysis of DEC

We call it ``weighted LLL''*.

• Break the one-wayness of instances of DEC via weighted LLL

* ``Weighted LLL'' is known, e.g., [FGR13] J.-C. Faugère, C. Goyet, G. Renault, Attacking (EC)DSA Given Only an Implicit Hint, In: Proceedings of SAC 2012, Lecture Notes in Computer Science 7707, 252--274, Springer Berlin Heidelberg (2013).


Contents

1. Introduction

2. Overview of DEC

3. Cryptanalysis of DEC via weighted LLL

4. Experimental Results

5. Conclusion


2. Overview of DEC

($n = 2$)

Secret key: $(a, b) \in \mathbb{Z}^2$ s.t. $X\left(\frac{a}{d}, \frac{b}{d}\right) = 0$.

Public key: $d, e \in \mathbb{Z}_{>0}$, $X \in \mathbb{Z}[x, y]$.

Plaintext: polynomial $m$

Encrypt:
- ``twist'' $m$ by $e$, $N$ (giving $\tilde{m}$)
- some randomness $N$, $f$, $s_j$, $r_j$

Ciphertext (3 polynomials and $N$):

$$F_1 = \tilde{m} + s_1 f + r_1 X, \qquad F_2 = \tilde{m} + s_2 f + r_2 X, \qquad F_3 = \tilde{m} + s_3 f + r_3 X$$

Crucial Remark for Our Attack (Some Facts known by the construction)

(1) The sets of the monomials of $X$, $m$, $\tilde{m}$, $f$, $s_j$ and $r_j$,

(2) The bit length of the coefficients of $X$, $m$, $\tilde{m}$, $f$, $s_j$ and $r_j$,

(3) The coefficients of $s_j$ and $X$ are much smaller than those of the others.


3-1. Outline of Our Attack

Ciphertext of DEC: $F_i = \tilde{m} + s_i f + r_i X$ $(i = 1, 2, 3)$, where

$\tilde{m}$: twisted plaintext, $s_i, r_i, f$: randomness (all unknown); $X$: public key.

Step 1. Find $s_i' := s_i - s_{i+1}$ by the weighted LLL.

Step 2. Find $f$ satisfying

$$F_1' = s_1' f + r_1' X, \qquad F_2' = s_2' f + r_2' X,$$

where $r_i' := r_i - r_{i+1}$.

Step 3. Find $s_1$ from $F_1 = \tilde{m} + s_1 f + r_1 X$. After that, one can recover $\tilde{m}$ and $m$ by (fundamental) computations.

In each step, a linear system $A\mathbf{x} = \mathbf{b}$ is obtained by regarding unknown coefficients as variables. ($\mathrm{Ker}(A)$: a lattice of low rank (2 or 3).)

Focus on Step 1 in this talk.


3-2. Detail of Step 1

$$s_2' F_1' - s_1' F_2' = g X \quad \cdots (\ast),$$

where $g := s_2' r_1' - s_1' r_2'$, $r_i' := r_i - r_{i+1}$, $F_i' := F_i - F_{i+1}$.

In the following, we use blue symbols for unknown objects.

- The monomials of $s_1'$, $s_2'$ and $g$: known

Obtain a linear system $A'\mathbf{x} = \mathbf{0}$,

- $\mathcal{L}' := \mathrm{Ker}(A')$ (Clearly $\mathbf{s}_1', \mathbf{s}_2', \mathbf{g} \in \mathcal{L}'$),

($\mathbf{s}_i'$, $\mathbf{g}$: vectors consisting of the coefficients of $s_i'$ and $g$, respectively)

Our aim: Find $(\mathbf{s}_1', \mathbf{s}_2')$ from the following known objects.

1. Basis of $\mathcal{L}'$

2. Bit length of all entries of $\mathbf{s}_1'$ and $\mathbf{s}_2'$ (approximately known)


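3-3. Step 1 in a certain case

$\mathcal{L}' := \mathrm{Ker}\, A = \{\mathbf{u} \in \mathbb{Z}^{12} ; \mathbf{u}A = 0\}$, $\quad \mathbf{s}_1', \mathbf{s}_2', \mathbf{g} \in \mathcal{L}'$.

Basis matrix of $\mathcal{L}'$:

$$\begin{pmatrix} 1 & 32 & -49644 & 24 & -24 & -47364 & \cdots & \cdots & \cdots \\ 0 & 67 & -101807 & 0 & -42 & -59843 & \cdots & \cdots & \cdots \\ 0 & 0 & 0 & 25 & -4 & -19416 & \cdots & \cdots & \cdots \end{pmatrix}$$

$$\begin{pmatrix} \mathbf{u}_1 \\ \mathbf{u}_2 \\ \mathbf{u}_3 \end{pmatrix} := \begin{pmatrix} 1 & 32 & -49644 & 24 & -24 & -47364 \\ 0 & 67 & -101807 & 0 & -42 & -59843 \\ 0 & 0 & 0 & 25 & -4 & -19416 \end{pmatrix}$$

Our target (unknown): $\mathbf{s}' := (\mathbf{s}_1', \mathbf{s}_2') = (2, -3, 2519, -2, 2, 3947)$.

Note: $\mathbf{s}' \in \mathcal{L} := \langle \mathbf{u}_1, \mathbf{u}_2, \mathbf{u}_3 \rangle_{\mathbb{Z}}$.

(Public key: $\mathbf{X} = (25, -4, -19416)$, $\mathbf{X}$ will be used later.)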


3-4. Our observation for finding $\mathbf{s}'$

$\mathbf{s}' = (2, -3, 2519, -2, 2, 3947) \in \mathcal{L}$, where the entries $2, -3, -2, 2$ are small.

By the way encryption works, most of the entries of $\mathbf{s}'$ are always small.

$\mathbf{s}'$: a shortest vector in $\mathcal{L}$ (w.r.t. the Euclidean norm)?

No! Actually the 1st row vector obtained by LLL is shorter than $\mathbf{s}'$.

Our observation:

$\mathbf{s}'$: relatively short but not shortest (with unbalanced entries)
- certain large entries (2519 and 3947).

Nevertheless, we predict that $\mathbf{s}'$ is a shortest vector ``in some sense''.

Apply a weighted norm instead of the Euclidean norm.


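3-5. Applying Weighted LLL ①

Recall: $\mathbf{s}' := (\mathbf{s}_1', \mathbf{s}_2') = (2, -3, 2519, -2, 2, 3947)$, with entries of sizes (small, small, large?, small, small, large?).

The entries of $\mathbf{s}_i$ and $\mathbf{X}$: same bit sizes. ($\mathbf{X}$: a public key of DEC)

$\mathbf{s}_i' := \mathbf{s}_i - \mathbf{s}_{i+1}$, $i = 1, 2$.

The entries of $\mathbf{s}_1'$, $\mathbf{s}_2'$ and $\mathbf{X}$ have ``near'' (or the same) bit sizes.

$\mathbf{X} = (25, -4, -19416)$ in this case.

Ratio: $\frac{25}{19416} : \frac{1}{4854} : 1$

$$\mathbf{w} := \left(2^{\lfloor \lg \frac{19416}{25} \rfloor},\ 2^{\lfloor \lg \frac{4854}{1} \rfloor},\ 1,\ 2^{\lfloor \lg \frac{19416}{25} \rfloor},\ 2^{\lfloor \lg \frac{4854}{1} \rfloor},\ 1\right) = (2^9, 2^{12}, 1, 2^9, 2^{12}, 1),$$

where $\lg r := \log_2 r$ $(r \in \mathbb{R}_{>0})$.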


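3-6. Applying Weighted LLL ②

$\mathbf{w} = (w_i) = (2^9, 2^{12}, 1, 2^9, 2^{12}, 1)$

$W := (W_{i,j})$: the diagonal matrix defined by $W_{i,i} = w_i$

$$\begin{pmatrix} \mathbf{u}_1 W \\ \mathbf{u}_2 W \\ \mathbf{u}_3 W \end{pmatrix} = \begin{pmatrix} 512 & 131072 & -49644 & 12288 & -98304 & -47364 \\ 0 & 274432 & -101807 & 0 & -172032 & -59843 \\ 0 & 0 & 0 & 12800 & -16384 & -19416 \end{pmatrix}$$

↓ LLL

$$\begin{pmatrix} \mathbf{u}_1' \\ \mathbf{u}_2' \\ \mathbf{u}_3' \end{pmatrix} := \begin{pmatrix} 1024 & -12288 & 2519 & -1024 & 8192 & 3947 \\ -1024 & 12288 & -2519 & -11776 & 8192 & 15469 \\ 11776 & -4096 & -21935 & 1024 & -8192 & -3947 \end{pmatrix}$$

↓ $\times W^{-1}$

$$\begin{pmatrix} \mathbf{u}_1' W^{-1} \\ \mathbf{u}_2' W^{-1} \\ \mathbf{u}_3' W^{-1} \end{pmatrix} = \begin{pmatrix} 2 & -3 & 2519 & -2 & 2 & 3947 \\ -2 & 3 & -2519 & -23 & 2 & 15469 \\ 23 & -1 & -21935 & 2 & -2 & -3947 \end{pmatrix}$$

The first row is just the same as $(\mathbf{s}_1', \mathbf{s}_2')$!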


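3-7. Summary of Weighted LLL

(3-rank case)

Target: $\mathbf{s}' \in \mathcal{L}$: relatively short vector** with entries of unbalanced sizes. (not a shortest)

$W$: diagonal matrix defined by an appropriate weight vector $\mathbf{w}$

$\mathcal{L} := \langle \mathbf{u}_1, \mathbf{u}_2, \mathbf{u}_3 \rangle_{\mathbb{Z}}$

↓ $f_W : \mathbf{u} \longmapsto \mathbf{u}W$

$f_W(\mathcal{L}) = \langle \mathbf{u}_1 W, \mathbf{u}_2 W, \mathbf{u}_3 W \rangle_{\mathbb{Z}}$

↓ LLL

LLL reduced basis $\mathbf{u}_1', \mathbf{u}_2', \mathbf{u}_3'$ of $f_W(\mathcal{L})$

↓ $f_W^{-1} : \mathbf{u}' \longmapsto \mathbf{u}' W^{-1}$

``Weighted'' LLL reduced basis $\mathbf{u}_1' W^{-1}, \mathbf{u}_2' W^{-1}, \mathbf{u}_3' W^{-1}$ of $\mathcal{L}$

** $\mathbf{s}'$: a shortest vector in $\mathcal{L}$ w.r.t. a weighted norm induced by $\mathbf{w}$ $\Longleftrightarrow$ $f_W(\mathbf{s}')$: a shortest vector in $f_W(\mathcal{L})$ w.r.t. the Euclidean norm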


Caution: In [Oku15], no asymptotic parameter is defined in the cryptosystem. (Some values of $n$, $\deg X$ are suggested in [Oku15].)

We do not need to discuss the asymptotic complexity of our attack.


4. Experimental Results

Table***: Results of our attack against DEC with 3 variables and 128bit security

Columns 1-2: recommended parameters for DEC in [Oku15]. Columns 3-6: experimental results (number of successes of our attack /100 for each step, and average time).

| Total degree of a public key $X$ | Number of monomials of $X$ | Successes /100, Step 1 (weighted LLL) | Successes /100, Step 2 | Successes /100, Step 3 | Average time (sec.) |
|---|---|---|---|---|---|
| 10 | 3 | 80 | 80 | 27 | 0.02 |
| 10 | 4 | 79 | 79 | 23 | 0.03 |
| 10 | 5 | 87 | 87 | 24 | 0.04 |
| 10 | 6 | 87 | 87 | 22 | 0.06 |
| 10 | 7 | 93 | 93 | 29 | 0.08 |
| 10 | 8 | 96 | 96 | 40 | 0.10 |
| 10 | 9 | 88 | 88 | 30 | 0.16 |
| 10 | 10 | 92 | 92 | 36 | 0.24 |

Probability of successes of our attack: 20 to 40% in practical time (sufficiently high)

***EV: Magma V2.21-3, Mac OS X 64bit, 2.60GHz CPU (Intel Core i5) and 16GB memory


5. Conclusion

• The one-wayness of DEC is transformed to finding a relatively short but not a shortest vector in lattices of low ranks. (The ``usual'' LLL does not work well.)

• Weighted LLL, a variant of LLL, can be applied to find such a special vector.

• Our experimental results show that our attack via weighted LLL can break the one-wayness of instances of DEC with high probability for the parameters suggested in [Oku15].

Lessons Learned in this work
- Method to solve lattice problems
- Diophantine equations
- Computational techniques in linear algebra

↓ apply

Further study in cryptography
- Lattice-based cryptography, LWE (learning with errors)