Lattices and their Applications to RSA Cryptosystem
Diploma Thesis

Mol Petros
Department of Electrical and Computer Engineering, National Technical University of Athens
July 17, 2006
Supervisor: Stathis Zachos



Outline

1 Introduction
2 Lattice Preliminaries: Definitions and Properties; LLL Reduction
3 Polynomial Equations: Modular Univariate; Modular Multivariate; Integer Bivariate
4 Applications to RSA: RSA Cryptosystem; Lattice Attacks on RSA; Low Public Exponent; Factoring Attacks; Low Private Exponent
5 Conclusions


Introduction: What is a Lattice?

Informally: an infinite, regular arrangement of points in space.


Introduction: Where are lattices used?

- In the late 18th and 19th century, mathematicians such as Lagrange, Gauss and Hermite used lattices in the field of algebraic number theory.
- In the 19th century, important results due to Minkowski motivated the use of lattice theory in the theory and geometry of numbers.
- More recently, lattices have become a topic of active research in Computer Science.

In Cryptology...

Lattices have found applications both in Cryptography, where hard lattice problems are used to design secure cryptosystems (GGH, NTRU and more), and in Cryptanalysis, where lattices are used to break cryptosystems (Merkle-Hellman, GGH, attacks against RSA).


Introduction: Some Motivating Questions

1 RSA is based on the hardness of inverting the function f(x) = x^e mod N. However, if x < N^{1/e} the inversion is trivial: no modular reduction takes place, so the e-th root can be taken over the integers. What if someone encrypts x + s instead of x, where s is known? Can one still recover x provided that x < N^{1/e}?

2 The problem of factoring N = p · q is considered to be hard in general. If we know some of the bits of p (or q), can we do anything to recover the full factorization of N?

And an Answer

Lattices give answers to the above (and many other) questions in Cryptology.


Introduction: Presentation Overview

Figure: Presentation Overview


Lattice Preliminaries: Definitions

Lattice Formal Definition

Let B = {b_1, b_2, ..., b_n} be a set of linearly independent vectors in R^n. The lattice generated by B is the set

$$L(B) = \Big\{ \sum_{i=1}^{n} x_i \cdot \vec{b}_i : x_i \in \mathbb{Z} \Big\}.$$

A lattice is a discrete additive subgroup of R^n.

Basis

The set B is called a basis, and we can compactly represent it as an n × n matrix each column of which is a basis vector:

B = [b_1, b_2, ..., b_n].

Obviously b_i ∈ L for each i = 1, 2, ..., n.


Lattice Preliminaries: Definitions

Example

Consider the following two different bases:

$$B = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix} \quad\text{and}\quad B' = \begin{bmatrix} 1 & 2 \\ 1 & 1 \end{bmatrix}$$

The above bases are equivalent, that is, they produce the same lattice.

Figure: Another basis of Z^2


Lattice Preliminaries: Definitions

Unimodular Matrix

A matrix U ∈ Z^{n×n} is called unimodular if det U = ±1.

Theorem (Bases Equivalence)

Two bases B_1, B_2 ∈ R^{n×n} are equivalent if and only if B_2 = B_1 · U for some unimodular matrix U.

Elementary Column Operations

Each of the following elementary column operations on a basis B can be represented as a multiplication B · U, where U is a unimodular matrix, and vice versa.

1 b_i ← b_i + k b_j for some k ∈ Z
2 b_i ↔ b_j
3 b_i ← −b_i

Two bases B_1, B_2 are equivalent iff we can produce B_2 by applying the above elementary column operations to B_1, and vice versa.


Lattice Preliminaries: Definitions

Determinant

The determinant of a lattice L with basis B is defined as

det(L) = |det(B)|.

Theorem

The determinant of a lattice is independent of the choice of basis b_1, b_2, ..., b_n ∈ R^n.

Shortest Vector

- Let ‖ · ‖ be an arbitrary norm. The shortest vector of the lattice is defined as the non-zero vector $\vec{u}$ ∈ L whose norm is minimal.
- λ_1(L) denotes this minimal norm.
- The problem of finding such a $\vec{u}$ is known as the Shortest Vector Problem (SVP) and is hard in general.
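The following is an added example, not code from the thesis: it implements the Bases Equivalence theorem (B_2 = B_1 · U with U unimodular), lattice membership and the basis-independent determinant exactly over Q with Python's Fraction, and checks them on the bases from the slides (including the Gram-Schmidt pair B, B* used later, which share a determinant but not a lattice). Matrices are lists of rows; as on the slides, the basis vectors are the columns.

```python
from fractions import Fraction


def det(M):
    """Determinant of a square matrix, by exact Gaussian elimination over Q."""
    A = [[Fraction(x) for x in row] for row in M]
    n, d = len(A), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != c:                      # row swap flips the sign
            A[c], A[piv] = A[piv], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            factor = A[r][c] / A[c][c]
            A[r] = [x - factor * y for x, y in zip(A[r], A[c])]
    return d


def inverse(M):
    """Inverse over Q by Gauss-Jordan elimination; M must be non-singular."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for c in range(n):
        piv = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[piv] = A[piv], A[c]
        A[c] = [x / A[c][c] for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                A[r] = [x - A[r][c] * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]


def is_unimodular(U):
    """U is in Z^{n x n} with det U = +-1 (the slides' definition)."""
    return all(Fraction(x).denominator == 1 for row in U for x in row) and abs(det(U)) == 1


def transition_matrix(B1, B2):
    """The unique U with B2 = B1 * U (basis vectors are the columns)."""
    return matmul(inverse(B1), B2)


def bases_equivalent(B1, B2):
    """L(B1) == L(B2) iff the transition matrix is unimodular (Bases Equivalence theorem)."""
    return is_unimodular(transition_matrix(B1, B2))


def in_lattice(B, v):
    """v lies in L(B) iff its coordinates B^{-1} v with respect to the basis are integers."""
    coords = matmul(inverse(B), [[x] for x in v])
    return all(c[0].denominator == 1 for c in coords)


def lattice_det(B):
    """det(L) = |det(B)|; the same value for every basis of L."""
    return abs(det(B))


if __name__ == "__main__":
    I2 = [[1, 0], [0, 1]]
    print(bases_equivalent(I2, [[1, 2], [1, 1]]))            # B and B' of the example slide
    print(bases_equivalent([[3, 2], [13, 9]], I2))           # B1 and B2 of the LLL example
    print(bases_equivalent([[2, 1], [0, 1]], [[2, 0], [0, 1]]))  # B versus its Gram-Schmidt B*
    print(in_lattice([[2, 0], [0, 1]], [1, 1]))              # b2 = (1,1) is not produced by B*
```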


Lattice Preliminaries: LLL Reduction

Example

Consider the lattices produced by the following bases:

$$B_1 = \begin{bmatrix} 3 & 2 \\ 13 & 9 \end{bmatrix} \quad\text{and}\quad B_2 = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}$$

The above bases are equivalent (det B_1 = 27 − 26 = 1, so B_1 is itself unimodular), but the second one seems simpler. This leads to the need for reduction.

Example (Reduction in Vector Space)

Figure: Gram-Schmidt Orthogonalization


Lattice Preliminaries: LLL Reduction

Does it work for lattices?

NO. Let

$$B = \begin{bmatrix} 2 & 1 \\ 0 & 1 \end{bmatrix}. \quad\text{Then}\quad B^* = \begin{bmatrix} 2 & 0 \\ 0 & 1 \end{bmatrix}.$$

But B* is not a basis for the lattice L(B). For example, B* cannot produce $b_2 = \binom{1}{1}$.

A new notion of reduction

In 1982, A.K. Lenstra, H.W. Lenstra and L. Lovász presented a new notion of reduction and a polynomial-time reduction algorithm, called the LLL algorithm.

1 It does not guarantee to find the shortest lattice vector.
2 It guarantees to find, in polynomial time, a vector within a provable factor of the shortest vector.
3 In practice the LLL algorithm often performs much better than the theoretical bound.


Lattice Preliminaries: LLL Reduction

Example

Figure: A "Bad" Basis

Figure: A "Good" Basis


Lattice Preliminaries: LLL Reduction

Theorem

On input $B = [\vec{b}_1, \vec{b}_2, \ldots, \vec{b}_n]$, the LLL algorithm returns in polynomial time an equivalent reduced basis $B' = [\vec{b}_1', \vec{b}_2', \ldots, \vec{b}_n']$ the vectors of which satisfy:

$$\|\vec{b}_1'\| \le 2^{\frac{n-1}{2}} \lambda_1(L) \qquad \text{(LLL1)}$$

$$\|\vec{b}_1'\| \le 2^{\frac{n-1}{4}} \cdot \det(L)^{\frac{1}{n}} \qquad \text{(LLL2)}$$

LLL execution entails only elementary column operations.


Polynomial Equations


Polynomial Equations: Modular Univariate

Problem

Given:
- a large integer N of unknown factorization,
- a polynomial f ∈ Z[x] of degree d, and
- the modular equation

$$f(x) = a_d x^d + a_{d-1} x^{d-1} + \ldots + a_1 x + a_0 \equiv 0 \pmod N.$$

Goal: find x_0 ∈ Z such that f(x_0) ≡ 0 (mod N).

Current Knowledge

- No efficient algorithm is known for the general case.
- However, "small" roots can be found efficiently using LLL (Coppersmith, 1996 [Cop96b]).


Polynomial Equations: Modular Univariate

Notation

- $f(x) := \sum_i a_i x^i$: univariate polynomial with coefficients a_i ∈ Z.
- Vector representation of polynomials: if p(x) = 3x^3 + 2x + 20 then p = (20, 2, 0, 3) is the corresponding vector.
- Euclidean norm of a polynomial f: $\|f\|^2 := \sum_i a_i^2$.

Definition (Root container polynomial)

A polynomial h is a root container of a polynomial f if each root of f is also a root of h. When the roots are considered modulo N, we say that h is a root container of f modulo N.


Polynomial Equations: Modular Univariate

Looking inside the problem

- How can we recover the "small" modular roots of f(x)?
  By transforming the modular equation into an equation over the integers.
- How small are the roots we can extract?
  We would like to be able to efficiently find all roots x_0 with |x_0| < X, for a bound X to be maximized.

Basic Idea

Find a polynomial h(x) ∈ Z[x] such that h(x_0) ≡ f(x_0) ≡ 0 (mod N) and $\|h\|^2 = \sum_{i=0}^{\deg(h)} h_i^2$ is small.

We still need...

1 A lemma that gives the conditions under which a modular equation can be transformed into an integer one.
2 An inequality that would determine the bound X.
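Added example, not code from the thesis: a textbook LLL with exact rational arithmetic (δ = 3/4), applied first to the B_1 example and the Gram-Schmidt counterexample of the LLL slides, and then to the basic Coppersmith lattice behind the "Basic Idea" above, on motivating question 1 (e = 3, known padding s). The lemma that turns the modular root into an integer one is Howgrave-Graham's (1997); it is the lemma the slides say is still needed and is not stated on this page. The modulus (two Mersenne primes), padding and message are constructed toy values, vectors are stored as rows, and the root scan over |x| ≤ X stands in for proper integer root finding of h.

```python
from fractions import Fraction


def gram_schmidt(basis):
    """Return (B*, mu): orthogonalised vectors b_i* and mu[i][j] = <b_i,b_j*>/<b_j*,b_j*>."""
    ortho, mu = [], []
    for i, b in enumerate(basis):
        row = [Fraction(0)] * len(basis)
        v = [Fraction(x) for x in b]
        for j in range(i):
            row[j] = sum(Fraction(x) * y for x, y in zip(b, ortho[j])) / sum(y * y for y in ortho[j])
            v = [vx - row[j] * ox for vx, ox in zip(v, ortho[j])]
        ortho.append(v)
        mu.append(row)
    return ortho, mu


def lll(basis, delta=Fraction(3, 4)):
    """LLL-reduce a list of integer row vectors.  Only size reductions b_k <- b_k - q*b_j
    (q integer) and swaps are used, i.e. the elementary column operations of the slides,
    so the output is a basis of the same lattice and satisfies (LLL1) and (LLL2)."""
    b = [list(v) for v in basis]
    n = len(b)
    ortho, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size-reduce b_k against b_{k-1}, ..., b_0
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                ortho, mu = gram_schmidt(b)
        lhs = sum(x * x for x in ortho[k])
        rhs = (delta - mu[k][k - 1] ** 2) * sum(x * x for x in ortho[k - 1])
        if lhs >= rhs:                            # Lovasz condition holds: move on
            k += 1
        else:                                     # otherwise swap and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            ortho, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def poly_eval(coeffs, x):
    """coeffs[i] is the coefficient of x^i (the vector representation of the slides)."""
    return sum(c * x ** i for i, c in enumerate(coeffs))


def small_modular_root(f, N, X):
    """Return (h, roots): an integer polynomial h and every |x| <= X that is a root of h
    over Z and of f modulo N.  f must be monic of degree d.

    Lattice rows: the coefficient vectors of N*x^i (i < d) and of f(x), with x replaced
    by x*X.  Every lattice vector is thus h(xX) for an h that is a root container of f
    modulo N.  Howgrave-Graham: if ||h(xX)|| < N/sqrt(d+1) and |x0| <= X, then h(x0) = 0
    over the integers.  By (LLL2) the first reduced vector is that short whenever
    2^(d/4) * (N^d * X^(d(d+1)/2))^(1/(d+1)) < N/sqrt(d+1)."""
    d = len(f) - 1
    assert f[d] == 1, "f must be monic"
    rows = [[N * X ** i if j == i else 0 for j in range(d + 1)] for i in range(d)]
    rows.append([c * X ** j for j, c in enumerate(f)])
    h_scaled = lll(rows)[0]                       # coefficient vector of h(xX)
    assert all(c % X ** j == 0 for j, c in enumerate(h_scaled))
    h = [c // X ** j for j, c in enumerate(h_scaled)]  # undo the scaling by X
    roots = [x for x in range(-X, X + 1)
             if poly_eval(h, x) == 0 and poly_eval(f, x) % N == 0]
    return h, roots


# Constructed demo of motivating question 1: the message x0 is small, the additive
# padding s is public, e = 3, and the ciphertext is c = (x0 + s)^3 mod N.
P, Q = 2 ** 61 - 1, 2 ** 31 - 1      # two Mersenne primes; a toy modulus, not a real key
N = P * Q
S = 123456789012345678                # the publicly known padding s
X0 = 4242                             # the small plaintext the padding fails to protect
C = pow(X0 + S, 3, N)
# f(x) = (x + s)^3 - c = x^3 + 3 s x^2 + 3 s^2 x + (s^3 - c), reduced mod N, monic
F = [(S ** 3 - C) % N, (3 * S * S) % N, (3 * S) % N, 1]
XBOUND = 2 ** 13                      # 2^(3/4) N^(3/4) X^(3/2) ~ 2^89 < N/2 ~ 2^91, so (LLL2) suffices


def recover_small_message():
    """Recover X0 from the public data (N, C, S) alone, without the private key."""
    return small_modular_root(F, N, XBOUND)


if __name__ == "__main__":
    print(lll([[3, 13], [2, 9]]))                 # the B1 example reduces to a basis of Z^2
    print(gram_schmidt([[2, 0], [1, 1]])[0])      # B* of the counterexample slide
    h, roots = recover_small_message()
    print("h(x) =", h, " roots within the bound:", roots)
```

With XBOUND chosen as above the (LLL2) condition holds, so h(X0) = 0 over the integers is guaranteed rather than merely likely; this is why deterministic padding with a small public exponent is unsafe and randomized padding is required.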


Polynomial Equations Modular Univariate

Lemma (Howgrave-Graham for Univariate Polynomials)

Let h(x) ∈ Z[x] be a univariate polynomial with at most ω monomials. Suppose in addition that h satisfies the following two conditions:

1. h(x0) ≡ 0 (mod N) where |x0| < X, and
2. $\|h(xX)\| < N/\sqrt{\omega}$.

Then h(x0) = 0 holds over the integers.

Why it holds: by the triangle inequality and Cauchy-Schwarz, $|h(x_0)| \le \sum_i |h_i|\,|x_0|^i \le \sum_i |h_i| X^i \le \sqrt{\omega}\,\|h(xX)\| < N$, and the only multiple of N with absolute value below N is 0.

Maximizing the bound X

• Applying the second condition of the lemma directly to f may lead to small bounds.
• We can push X to larger values by replacing f with a root container polynomial h and then demanding $\|h(xX)\| < N/\sqrt{\omega}$.


Polynomial Equations Modular Univariate

Early Constructions

• Set of root container polynomials
  $Z_1 = \{g_0(x) = N,\ g_1(x) = Nx,\ \ldots,\ g_{d-1}(x) = Nx^{d-1},\ g_d(x) = f(x)\}$.

Consider the lattice L1 with basis B1 whose columns are the coefficient vectors of $g_i(xX)$ (f is monic, so $f_d = 1$):

$$B_1 = \begin{bmatrix}
N & 0 & \cdots & 0 & f_0 \\
0 & XN & \cdots & 0 & Xf_1 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & \cdots & X^{d-1}N & X^{d-1}f_{d-1} \\
0 & 0 & \cdots & 0 & X^d
\end{bmatrix}_{(d+1)\times(d+1)}$$

• Each point of L1 corresponds to the coefficient vector of a polynomial $h(xX) = \sum_{i=0}^{d} c_i\, g_i(xX)$ with $c_i \in \mathbb{Z}$.
• f(x0) ≡ 0 (mod N) ⇒ h(x0) ≡ 0 (mod N).


Polynomial Equations Modular Univariate

Bounding X

Applying LLL to B1 we get an equivalent (reduced) basis $B_1' = [b_1', b_2', \ldots, b_n']$ where $b_1'$ is the coefficient vector of a polynomial h(xX) such that
$$\|b_1'\| = \|h(xX)\| \le 2^{d/4} \cdot \det(L_1)^{1/(d+1)}.$$
The second condition of Howgrave-Graham's lemma is satisfied if
$$2^{d/4} \cdot \det(L_1)^{1/(d+1)} < \frac{N}{\sqrt{d+1}}.$$
Since B1 is triangular, $\det(L_1) = N^d X^{d(d+1)/2}$, so this reads $2^{d/4} N^{d/(d+1)} X^{d/2} < N/\sqrt{d+1}$, i.e. $X^{d/2} < 2^{-d/4} (d+1)^{-1/2} N^{1/(d+1)}$, which gives
$$X \le k(d)\, N^{2/(d(d+1))},$$
where k(d) is a small enough constant that depends only on d.

Summarizing: if we use Z1 to construct the lattice, we can find all roots x0 with f(x0) ≡ 0 (mod N) and $|x_0| < k(d)\, N^{2/(d(d+1))}$.


Polynomial Equations Modular Univariate

Can we do any better?

YES (Coppersmith).

1. $Z_2 = \{N, Nx, Nx^2, \ldots, Nx^{d-1}\} \cup \{f(x), xf(x), \ldots, x^{d-1}f(x)\}$ gives $X \le l(d)\, N^{1/(2d-1)}$.
2. $Z_h = \{N^{h-j-1} f(x)^j x^i \mid 0 \le i < d,\ 0 \le j < h\}$. Take linear integer combinations of the above set modulo $N^{h-1}$ instead of modulo N. Bound achieved (as h grows): $X = N^{1/d}$.

Theorem (Coppersmith, Univariate Modular Equations)

• Let f(x) be a monic polynomial of degree d.
• Let N be an integer of unknown factorization.
• If there exists an x0 such that f(x0) ≡ 0 (mod N) and $|x_0| < N^{1/d}$,
then one can find x0 in time polynomial in (log N, d).


Polynomial Equations Modular Univariate

Method Overview

Step 1: Given f(x), construct an appropriate basis B which produces a lattice L whose points correspond to polynomials that are root containers of f.
Step 2: Run LLL on B to obtain an equivalent basis B′ with a small first basis vector b1′.
Step 3: Consider the polynomial h(x) that corresponds to b1′ and solve the equation h(x) = 0 over the integers.
Step 4: Test the roots obtained in step 3 and accept only those that satisfy f(x0) ≡ 0 (mod N).

The preceding analysis guarantees that all modular roots of f(x) with $|x_0| < N^{1/d}$ will be found.


Polynomial Equations Modular Multivariate

Multivariate Case

• $f(\vec{x}) = f(x_1, x_2, \ldots, x_k) \in \mathbb{Z}[x_1, \ldots, x_k]$
• $f(\vec{x}) = \sum_{i_1,\ldots,i_k} a_{i_1,\ldots,i_k}\, x_1^{i_1} \cdots x_k^{i_k} \equiv 0 \pmod N$.
• Idea: directly extend the previous approach.

Problem

• Goal: Find the maximum bounds X1, X2, ..., Xk which make possible the transformation of the modular equation into an equation over the integers.
• Difference: Since we have k unknown variables, we now need k polynomials h1, ..., hk with sufficiently small coefficients which contain all the "small" roots of f. The hi are then solved simultaneously (for instance via resultants), which requires them to be algebraically independent; this cannot be guaranteed, which is why the multivariate method is only heuristic.


Polynomial Equations Integer Bivariate

The problem

Given: A bivariate polynomial $p(x, y) = \sum_{i,j} p_{i,j}\, x^i y^j$ with integer coefficients.
Goal: Find all integer pairs (x0, y0) such that p(x0, y0) = 0.
• In general, there is no efficient algorithm for this.
• However, one can efficiently find small root pairs (Coppersmith [Cop96a]).

Theorem (Coppersmith, Bivariate Integer Equations)

• Let p(x, y) ∈ Z[x, y] be irreducible with maximum degree δ in x and in y separately.
• Let X, Y be upper bounds on the desired integer solution (x0, y0).
• Let $W = \max_{i,j} |p_{i,j}|\, X^i Y^j$.
Then, if $XY \le W^{2/(3\delta)}$, one can find all integer pairs (x0, y0) such that p(x0, y0) = 0, |x0| ≤ X and |y0| ≤ Y in time polynomial in log W and $2^\delta$.


Polynomial Equations Integer Bivariate

Current Knowledge

Problem              | Status             | Bound                    | Simplification
---------------------|--------------------|--------------------------|---------------
f(x) ≡ 0 (mod N)     | Proven [Cop96b]    | $N^{1/d}$                | [HG97]
f(x⃗) ≡ 0 (mod N)    | Heuristic [Cop96b] | −                        | [HG97]
f(x, y) = 0          | Proven [Cop96a]    | $XY < W^{2/(3\delta)}$   | [Cor04]


Applications to RSA RSA

Choosing Parameters

1. Generate two large, random, distinct and balanced primes p and q.
2. Compute N = p · q and φ(N) = (p − 1) · (q − 1).
3. Select a random integer e, 1 < e < φ(N), such that gcd(e, φ(N)) = 1.
4. Compute the unique integer d, 1 < d < φ(N), such that e · d ≡ 1 (mod φ(N)).
5. Public Key: (N, e); Private Key: d.

Encryption/Decryption Processes

Encryption:
1. Represent the message as an integer m in the interval [0, N − 1].
2. Compute and send c = m^e mod N.

Decryption:
1. Use the private key d to recover m = c^d mod N.


Applications to RSA Attacks

Overview

• Since its initial publication in 1977, RSA has been extensively analyzed for vulnerabilities by many researchers.
• None of the attacks has proven devastating. The attacks mostly illustrate the danger of improper choices of the RSA parameters.
• Lattice theory and the invention of LLL have motivated a number of lattice attacks. Still, RSA in its general setting remains unbroken.
• The attacks described below take advantage of insecure choices of e or d, or use partial information about p or d, to recover the message or factor N; they do not expose any inherent flaw of the cryptosystem itself.


A Typical Communication Scenario (figure in the original slide; not reproduced here)


Applications to RSA Small e

Motivation for using a small e

Simplify/speed up the encryption process. Typical values: e = 3 or e = 2^16 + 1 = 65537.

A trivial attack

For simplicity, let e = 3.
If we know that m < N^{1/3} then inverting c = m^3 mod N is trivial: m^3 < N, so no modular reduction takes place and m is the integer cube root of c.
If the message is m = B + x where B is known, we can then apply Coppersmith's theorem to the polynomial f(x) = (B + x)^3 − c and find x (and hence m), provided that |x| < N^{1/3}.
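The four steps of the method overview, run on exactly this polynomial f(x) = (B + x)^3 − c, as an added example that is not code from the thesis. It uses only the Python standard library: an exact rational LLL (adequate for the 6-dimensional Z2 lattice built here; for real parameters one would use fplll or Sage and a larger h), a Sturm-sequence root isolator for step 3, and the modular check of step 4. The modulus N = (2^61 − 1)(2^64 − 59), the known prefix "OTP=" and the 20-bit unknown part are constructed values; with h = 2 the lattice is the page's Z2 and its bound is roughly N^{1/(2d−1)} = N^{1/5} ≈ 2^25, comfortably above X = 2^20.

```python
from fractions import Fraction
from functools import reduce

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL with exact rational Gram-Schmidt (fine for the small dimensions used here)."""
    B, n = [list(row) for row in basis], len(basis)
    dot = lambda u, v: sum(a * b for a, b in zip(u, v))
    def gram_schmidt():
        Bs, norms, mu = [], [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(c) for c in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / norms[j]
                v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
            Bs.append(v)
            norms.append(dot(v, v))
        return mu, norms
    mu, norms = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                 # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                for l in range(j):
                    mu[k][l] -= q * mu[j][l]
                mu[k][j] -= q
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:   # Lovasz condition
            k += 1
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            mu, norms = gram_schmidt()
            k = max(k - 1, 1)
    return B

# Polynomials are coefficient lists in increasing degree: [c0, c1, ..., cn].
def poly_eval(p, x):
    return reduce(lambda r, c: r * x + c, reversed(p), 0)

def poly_mul(a, b):
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return r

def trim(p):                                           # drop trailing zero coefficients
    return p[:max((i + 1 for i, c in enumerate(p) if c != 0), default=0)]

def poly_rem(a, b):
    """Remainder of a modulo b over Q (b non-zero)."""
    a, b = trim(list(a)), trim(list(b))
    while len(a) >= len(b):
        q, s = a[-1] / b[-1], len(a) - len(b)
        a = trim([a[i] - q * b[i - s] if i >= s else a[i] for i in range(len(a))])
    return a

def integer_roots(p, lo, hi):
    """Integer roots of p in (lo, hi]: Sturm counts per interval, bisection to unit width, check the endpoint."""
    seq = [trim([Fraction(c) for c in p]), trim([Fraction(i * c) for i, c in enumerate(p)][1:])]
    while seq[-1]:
        seq.append([-c for c in poly_rem(seq[-2], seq[-1])])
    seq.pop()
    def variations(x):                                 # sign changes along the sequence, zeros ignored
        s = [v for v in (poly_eval(g, x) for g in seq) if v != 0]
        return sum(1 for u, v in zip(s, s[1:]) if (u > 0) != (v > 0))
    found, stack = [], [(lo, hi)]
    while stack:
        a, b = stack.pop()
        if variations(a) == variations(b):             # no real root in (a, b]
            continue
        if b - a == 1:
            if poly_eval(p, b) == 0:
                found.append(b)
        else:
            stack += [(a, (a + b) // 2), ((a + b) // 2, b)]
    return sorted(found)

def coppersmith_small_roots(f, N, X, h=2):
    """Roots x0 of monic f modulo N with |x0| <= X, from the shifts g_{i,j} = N^(h-1-j) x^i f^j,
    0 <= i < d, 0 <= j < h, which all vanish modulo N^(h-1) at x0 (their lattice consists of root containers)."""
    d, dim = len(f) - 1, (len(f) - 1) * h
    rows, fj = [], [1]
    for j in range(h):
        for i in range(d):
            g = [0] * i + [N ** (h - 1 - j) * c for c in fj]            # x^i * N^(h-1-j) * f^j
            rows.append(g + [0] * (dim - len(g)))
        fj = poly_mul(fj, f)
    reduced = lll([[c * X ** k for k, c in enumerate(g)] for g in rows])   # Steps 1-2: rows are g(xX)
    roots = set()
    for vec in reduced[:2]:                            # the shortest vectors satisfy Howgrave-Graham
        hpoly = trim([c // X ** k for k, c in enumerate(vec)])             # undo the X scaling
        for r in integer_roots(hpoly, -X - 1, X) if hpoly else []:         # Step 3: solve over Z
            if poly_eval(f, r) % N == 0:                                   # Step 4: keep roots of f mod N
                roots.add(r)
    return sorted(roots)

def stereotyped_message_attack():
    # Constructed toy instance: N = p*q with the Mersenne prime 2^61 - 1 and the largest prime below 2^64.
    p, q = 2 ** 61 - 1, 2 ** 64 - 59
    N, e = p * q, 3
    prefix = int.from_bytes(b"OTP=", "big") << 20      # the known part B; assumption: 20 unknown low bits
    secret = 0xABCDE                                   # x0, used here only to produce the ciphertext
    c = pow(prefix + secret, e, N)
    f = [(prefix ** 3 - c) % N, 3 * prefix ** 2, 3 * prefix, 1]   # (B + x)^3 - c: monic, f(x0) = 0 mod N
    X = 1 << 20                    # with h = 2 the lattice is Z_2 and the bound is about N^(1/5) ~ 2^25 > X
    return coppersmith_small_roots(f, N, X, h=2)

if __name__ == "__main__":
    print(stereotyped_message_attack())                # [703710] == [0xABCDE]
```

Raising h enlarges the lattice to dimension dh and pushes the bound toward N^{1/d}, at the cost of LLL time; the exact-fraction LLL above becomes slow well before the dimensions a production attack uses, which is why real tooling relies on floating-point LLL implementations.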


Alternative Scenario (the same message m encrypted with e = 3 under three different moduli N1, N2, N3; figure not reproduced here)

Using CRT, Eva can find the unique integer m^3 < N1 N2 N3 such that m^3 ≡ ci (mod Ni) for i = 1, 2, 3, and then take its integer cube root.


Avoid the attack

Use user-specific padding for m before sending. For instance, $c_i = (i \cdot 2^h + m)^3 \pmod{N_i}$.
✗ We can still break this system using Håstad's attack.

Theorem (Håstad)

• Let N1, N2, ..., Nk be pairwise relatively prime and Nmin = min_i Ni.
• Let $g_i \in \mathbb{Z}_{N_i}[x]$ be k polynomials of maximum degree d.
Suppose that there exists a unique m < Nmin such that gi(m) ≡ ci (mod Ni) for all i = 1, 2, ..., k. Then, if k ≥ d, one can efficiently find m given $(N_i, g_i, c_i)_{i=1}^{k}$.


Proof Sketch

• Define $g_i(x) = (i \cdot 2^h + x)^e - c_i$ for 1 ≤ i ≤ k.
• gi(m) ≡ 0 (mod Ni).
• Set N = N1 N2 ··· Nk. Using CRT we can find Ti with Ti ≡ 1 (mod Ni) and Ti ≡ 0 (mod Nj) for j ≠ i, and set $g(x) = \sum_{i=1}^{k} T_i\, g_i(x) \pmod N$; then g(m) ≡ 0 (mod N).
• g has degree e and is monic modulo N (its leading coefficient is $\sum_i T_i \equiv 1 \pmod N$), and $m < N_{\min} \le N^{1/k} \le N^{1/e}$ when k ≥ e, so Coppersmith's theorem recovers m in polynomial time.
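The RSA parameter choice, the CRT broadcast scenario and the polynomial combination of this proof sketch, together as one added Python (3.8+) example that is not code from the thesis. Three toy 128-bit keys with e = 3 are generated from a seeded generator (far too small for real use), the unpadded case is finished with an exact integer cube root, and for the padded case the Ti and g(x) = Σ Ti gi(x) mod N are built and checked to be monic with g(m) ≡ 0 (mod N). The final Coppersmith step on g is not run here: m < Nmin is close to N^{1/3}, which needs a much larger lattice than a toy LLL handles. The message and padding width are constructed values.

```python
import random
from math import comb

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, which covers our toy sizes."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if n in bases:
        return True
    if any(n % b == 0 for b in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1      # exact bit length, odd
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits, e, rng):
    """Steps 1-5 of the parameter choice: balanced primes, N, phi(N) and d = e^-1 mod phi(N)."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # gcd(e, phi) = 1 (e is prime here)
            return p * q, e, pow(e, -1, phi)

def crt_idempotents(moduli):
    """N = N1...Nk and T_i with T_i = 1 (mod N_i), T_i = 0 (mod N_j) for j != i."""
    N = 1
    for n in moduli:
        N *= n
    return N, [(N // n) * pow(N // n, -1, n) % N for n in moduli]

def icbrt(n):
    """Exact integer cube root by binary search, or None if n is not a perfect cube."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == n else None

def broadcast_attack(moduli, ciphertexts):
    """Unpadded m sent to three recipients with e = 3: CRT yields the integer m^3 < N1 N2 N3."""
    N, T = crt_idempotents(moduli)
    return icbrt(sum(t * c for t, c in zip(T, ciphertexts)) % N)

def hastad_polynomial(moduli, ciphertexts, pad_bits, e=3):
    """Padded variant: combine g_i(x) = (i*2^h + x)^e - c_i into g(x) = sum T_i g_i(x) mod N,
    which has g(m) = 0 (mod N) and leading coefficient 1; Coppersmith's univariate algorithm
    would then be run on g with the bound N^(1/e) >= N_min > m."""
    N, T = crt_idempotents(moduli)
    g = [0] * (e + 1)
    for i, (t, c) in enumerate(zip(T, ciphertexts), start=1):
        a = i << pad_bits
        for j in range(e + 1):                   # binomial expansion of (a + x)^e
            g[j] = (g[j] + t * comb(e, j) * a ** (e - j)) % N
        g[0] = (g[0] - t * c) % N
    return N, g

def hastad_demo():
    rng = random.Random(2006)                    # seeded so the run is reproducible
    moduli = [rsa_keygen(128, 3, rng)[0] for _ in range(3)]    # three toy 128-bit keys, all with e = 3
    m = int.from_bytes(b"attack at dawn", "big")                # constructed message, m < min(N_i)
    recovered = broadcast_attack(moduli, [pow(m, 3, N) for N in moduli])
    pad_bits = 120                                              # i*2^120 + m still lies below every N_i
    cts = [pow((i << pad_bits) + m, 3, N) for i, N in enumerate(moduli, start=1)]
    N, g = hastad_polynomial(moduli, cts, pad_bits)
    g_at_m = sum(coef * m ** j for j, coef in enumerate(g)) % N
    return recovered, g_at_m, g[-1]

if __name__ == "__main__":
    print(hastad_demo())
```

The unpadded case needs no lattice at all because m^3 < N1 N2 N3 makes the CRT result an exact integer; the padding only turns the problem into a monic degree-3 equation modulo the product, which is precisely the input shape of Coppersmith's theorem.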


Applications to RSA Factoring N

The challenge

Information: Some bits of p or q.
Goal: Recover all of p (factor N).
Result: Knowledge of half of the bits of p suffices to factor N, provided that p, q are of the same bitsize.

Proof Sketch

Let n be the bitsize of N. Write $p = p_1 2^{n/4} + p_0$ and $q = q_1 2^{n/4} + q_0$ where $p_i, q_i < 2^{n/4}$. Define
$$f(x, y) = \frac{1}{2^{n/4}}\Big((x\,2^{n/4} + p_0)(y\,2^{n/4} + q_0) - N\Big) = xy\,2^{n/4} + q_0 x + p_0 y + \frac{p_0 q_0 - N}{2^{n/4}}.$$


Proof Sketch

F Given the n4 LSBs of p, we know p0 and thus q0 since

p0q0 ≡ N (mod 2n4 ).

F f (x , y) ∈ Z[x , y ] with degree d = 1 in x , y and f (p1, q1) = 0.

F Letting X = Y = N14−ε, then p1 < X , q1 < Y . In addition

W = ‖f (x , y)‖∞ ≈ N34 .

FThus XY = N12−2ε < (N

34 )

23 = W

23d .

P We can then apply Coppersmith’s theorem for the bivariatecase and recover p1, q1.
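The reduction in the proof sketch above, carried out on constructed toy primes (an added example, not code from the thesis): it splits p and q at n/4 bits, recovers q_0 from p_0 using p_0 q_0 ≡ N (mod 2^{n/4}), builds f(x, y) and confirms that f(p_1, q_1) = 0 and W ≈ N^{3/4}. It stops before the lattice step; Coppersmith's bivariate method itself is not implemented here.

```python
import math

def split_bits(v, m):
    """Write v = v1 * 2^m + v0 with 0 <= v0 < 2^m (v0 = the m LSBs of v)."""
    return v >> m, v & ((1 << m) - 1)

def recover_q0(N, p0, m):
    """From the m LSBs p0 of p, recover q0 = q mod 2^m.

    N = p*q gives p0*q0 = N (mod 2^m); p is odd, so p0 is invertible mod 2^m.
    """
    mod = 1 << m
    return (N * pow(p0, -1, mod)) % mod

def build_f(N, p0, q0, m):
    """Coefficients of f(x, y) = xy*2^m + q0*x + p0*y + (p0*q0 - N)/2^m."""
    const, rem = divmod(p0 * q0 - N, 1 << m)
    if rem:  # cannot happen when p0*q0 = N (mod 2^m)
        raise ValueError("constant term of f is not an integer")
    return {"xy": 1 << m, "x": q0, "y": p0, "1": const}

def eval_f(f, x, y):
    return f["xy"] * x * y + f["x"] * x + f["y"] * y + f["1"]

def half_bits_reduction(p, q):
    """Run the reduction for primes p, q of equal bitsize and return the checks."""
    N = p * q
    m = N.bit_length() // 4          # n/4: the number of LSBs of p assumed known
    p1, p0 = split_bits(p, m)
    q1, q0 = split_bits(q, m)
    q0_rec = recover_q0(N, p0, m)
    f = build_f(N, p0, q0_rec, m)
    W = max(abs(c) for c in f.values())   # infinity norm of f
    return {
        "m": m,
        "q0_recovered": q0_rec == q0,
        "root_ok": eval_f(f, p1, q1) == 0,        # (p1, q1) is a root over Z
        "w_exponent": math.log(W) / math.log(N),  # W = N^(this); about 3/4
    }

# Constructed toy primes (20 bits each, so N has 40 bits and m = 10).
if __name__ == "__main__":
    print(half_bits_reduction(1000003, 1000033))
```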



Applications to RSA: Small d

Reducing the attack to a modular equation

- Assume that $\gcd(p - 1, q - 1) = 2$. Then the RSA equation can be written $ed + \frac{k}{2}\varphi(N) = 1$ for some $k \in \mathbb{Z}$.
- $ed + k\left(\frac{N + 1}{2} - \frac{p + q}{2}\right) = 1$.
- Set $s = -\frac{p + q}{2}$, $A = \frac{N + 1}{2}$.
- Assume that $d = N^{\delta}$, $e \approx N$.
- Define the polynomial $f(k, s) = k(A + s) - 1 \equiv 0 \pmod{e}$.
- $|s| < 2N^{0.5}$ and $|k| < \frac{2de}{\varphi(N)} \le \frac{3de}{N} \approx e^{\delta}$.


Applications to RSA: Small d

Solving the equation

- We use the heuristic technique to solve the bivariate modular equation.
- Boneh and Durfee [BD99] proved that the attack can work as soon as $\delta \le 0.292$.
- The bound $d < N^{0.292}$ is the best known bound for the private exponent.
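The small-d reduction of the two slides above, checked on a constructed toy key (an added example, not the thesis's code): from p, q and a chosen small d it derives e and k, confirms that f(k, s) = k(A + s) − 1 vanishes modulo e, checks the stated bounds on |s| and |k|, and reports δ = log d / log N against the 0.292 threshold. The lattice solving step is not implemented; the point is to see which keys fall inside the range the theorem covers.

```python
import math

def small_d_reduction(p, q, d):
    """Verify the Boneh-Durfee reduction for the RSA key (p, q, d); e is derived from d.

    Assumes gcd(p-1, q-1) = 2 (as on the slide) and gcd(d, phi(N)) = 1.
    """
    N, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(p - 1, q - 1) != 2:
        raise ValueError("reduction assumes gcd(p-1, q-1) = 2")
    e = pow(d, -1, phi)                      # public exponent: e*d = 1 (mod phi)
    # e*d + (k/2)*phi = 1 defines k; e*d - 1 is a multiple of phi, so k is an integer
    num = 2 * (1 - e * d)
    if num % phi:
        raise ValueError("k is not an integer")
    k = num // phi
    A = (N + 1) // 2                         # N + 1 is even
    s = -((p + q) // 2)                      # p + q is even
    f_val = k * (A + s) - 1                  # f(k, s); note A + s = phi/2
    delta = math.log(d) / math.log(N)
    return {
        "e": e, "k": k, "delta": delta,
        "congruence_ok": f_val % e == 0,                     # f(k, s) = 0 (mod e)
        "s_bound_ok": abs(s) < 2 * (math.isqrt(N) + 1),      # |s| < 2 N^0.5
        "k_bound_ok": abs(k) * phi < 2 * d * e and abs(k) * N <= 3 * d * e,
        "in_bd_range": delta <= 0.292,       # inside the Boneh-Durfee bound
    }

# Constructed toy key: 20-bit primes with gcd(p-1, q-1) = 2, and d = 1001 ~ N^0.25.
if __name__ == "__main__":
    print(small_d_reduction(1000003, 1000037, 1001))
```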


Applications to RSA: Small d

Attacks overview

Category            Ref        Result           Comment
Small e             [Has88]    rec ≥ e          multiple messages
Factoring attacks   [Cop96a]   half bits of p   p, q balanced
Small d             [BD99]     d < N^0.292      heuristic


Conclusions

Review

- We presented the basics of lattice theory and the LLL algorithm, which motivated several applications of lattices in CS.
- We showed how LLL can be used in finding small solutions to polynomial equations.
- We demonstrated how one can mount real-time attacks against RSA utilizing the polynomial running time of LLL.

Look to the future

1. Find conditions for the bounds $X_i$ under which the method for solving multivariate modular equations becomes provable.
2. More effective attacks. For example, increase the low private exponent bound to $N^{0.5}$.
3. Unify the approaches for modular and integer equations. For instance, in 2005, Blomer and May [BM05] showed that solving univariate modular equations can be reduced to solving bivariate integer equations.


References

Dan Boneh and Glenn Durfee. "Cryptanalysis of RSA with Private Key Less than 0.292". In EUROCRYPT, pages 1–11, 1999.

Johannes Blomer and Alexander May. "A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers". In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 251–267. Springer, 2005.

Don Coppersmith. "Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known". In EUROCRYPT, pages 178–189, 1996.

Don Coppersmith. "Finding a Small Root of a Univariate Modular Equation". In EUROCRYPT, pages 155–165, 1996.


Jean-Sebastien Coron. "Finding Small Roots of Bivariate Integer Polynomial Equations Revisited". In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 492–505. Springer, 2004.

Johan Hastad. "Solving simultaneous modular equations of low degree". SIAM Journal on Computing, 17:336–341, 1988. URL: http://www.nada.kth.se/ johanh/papers.html.

Nick Howgrave-Graham. "Finding Small Roots of Univariate Modular Equations Revisited". In Michael Darnell, editor, IMA Int. Conf., volume 1355 of Lecture Notes in Computer Science, pages 131–142. Springer, 1997.


A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovasz. "Factoring polynomials with rational coefficients". 261:515–534, 1982.
