A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, - - PowerPoint PPT Presentation

SLIDE 1

A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM

Jung Hee Cheon, Wonhee Cho, Minki Hhan, Minsik Kang, Jiseung Kim, Changmin Lee

ENS de Lyon

June 27, 2019

Changmin Lee Analysis of CRT-ACD June 27, 2019 1 / 23

SLIDE 2

Approximate Common-Divisor Problem [HG01]

Partial Approximate Common Divisor problem (PACD):
$$a_0 = p q_0,\qquad a_1 = p q_1 + r_1 \equiv r_1 \bmod p,\quad \dots,\quad a_\ell = p q_\ell + r_\ell \equiv r_\ell \bmod p,$$
where $p$ is a big secret prime and $r_i \ll p$.

Question: Given $(a_0, \dots, a_\ell)$, can we recover $p$?
Answer: SDA, OLA, Coppersmith Method

SLIDE 4

Approximate Common-Divisor Problem [HG01]

Application:

  • J.-S. Coron, A. Mandal, D. Naccache, M. Tibouchi. Fully Homomorphic Encryption over the Integers with Shorter Public Keys. CRYPTO 2011.
  • J.-S. Coron, D. Naccache, M. Tibouchi. Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. EUROCRYPT 2012.
  • J. H. Cheon, D. Stehlé. Fully Homomorphic Encryption over the Integers Revisited. EUROCRYPT 2015.

SLIDE 5

Chinese Remainder Theorem-ACD Problem [CCK+13]

CRT-ACD (Simple version):
$$N = \prod_{i=1}^{n} p_i,\qquad a_1 \equiv r_{i1} \bmod p_i,\quad \dots,\quad a_\ell \equiv r_{i\ell} \bmod p_i,$$
where the $p_i$ are big secret primes ($\eta$-bit) and the $r_{ij}$ ($\rho$-bit) satisfy $r_{ij} \ll p_i$.

Question: Given $(N, a_1, \dots, a_\ell)$, can we recover the $p_i$? What if $n = 2$?

SLIDE 7

Chinese Remainder Theorem-ACD Problem [CCK+13]

Application:

  • J. H. Cheon, J.-S. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, A. Yun. Batch Fully Homomorphic Encryption over the Integers. EUROCRYPT 2013.
  • J.-S. Coron, T. Lepoint, M. Tibouchi. Practical Multilinear Maps over the Integers. CRYPTO 2013.
  • J.-S. Coron, T. Lepoint, M. Tibouchi. New Multilinear Maps over the Integers. CRYPTO 2015.

SLIDE 8

Variant of Chinese Remainder Theorem-ACD Problem

CRT-ACD with a dual instance (CRT-ACDwDI):
$$N = \prod_{i=1}^{n} p_i,\qquad a_1 \equiv r_{i1} \bmod p_i,\quad \dots,\quad a_\ell \equiv r_{i\ell} \bmod p_i,\qquad D = \sum_i d_i \cdot N/p_i,$$
where the $p_i$ are big secret primes ($\eta$-bit) and the $r_{ij}$ ($\rho$-bit) and $d_i$ satisfy $r_{ij}, d_i \ll p_i$.

Question: Given $(N, a_1, \dots, a_\ell, D)$, can we recover the $p_i$?
Answer: Yes!

SLIDE 10

Result

Current Status
  • There are 3 types of algorithms for solving PACD.
  • Algorithms for PACD cannot be applied to CRT-ACD.
  • There is no algebraic algorithm to solve the CRT-ACD problem.
  • It is not known which parameter is safe.
  • CRT-ACDwDI is solved in polynomial time in $n, \eta$ [CHLRS15].

Our results
  • We present an algorithm to solve the CRT-ACD problem.
  • It is solved in polynomial time if $n \le \eta - 4\rho$.
  • We provide the first guideline to set $n$.

SLIDE 12

Cryptanalysis of CRT-ACD

SLIDE 13

Notation

Notation: $\mathrm{CRT}_{(p_i)}(r_i)$ is defined as the unique integer in
$$\left(-\tfrac{1}{2}\prod_{i=1}^{n} p_i,\ \tfrac{1}{2}\prod_{i=1}^{n} p_i\right]$$
which is congruent to $r_i \bmod p_i$ for all $i \in \{1, \dots, n\}$.

$N = \prod_{i=1}^{n} p_i$ and $\hat p_i = N/p_i$.

Note that we assume $n = 2$ for the sake of simplicity, so we use the notation $\mathrm{CRT}_{(p_1,p_2)}(r_{i,1}, r_{i,2})$ as well.

SLIDE 14

Definition of CRT-ACD and Dual instance

Definition (CRT-ACD Problem, Simple version)

Let $p_1$ and $p_2$ be $\eta$-bit integers and $r_{i,1}$ and $r_{i,2}$ be $\rho$-bit integers with $\rho < \eta$. The CRT-ACD problem is: given many samples $\mathrm{CRT}_{(p_1,p_2)}(r_{i,1}, r_{i,2})$ and $N$, find $p_1, p_2$.

Definition (Dual instance, Simple version)

Let $p_1$ and $p_2$ be parameters of the CRT-ACD problem. A dual instance of CRT-ACD is defined as an integer of the following form:
$$D = \sum_{i} d_i \cdot \hat p_i = d_1 \cdot p_2 + d_2 \cdot p_1,\qquad \text{where } |d_i| \le 2^{\eta - 3\rho - \log n} = 2^{\eta - 3\rho - \log 2}.$$

SLIDE 15

Attack Outline

Our results
  • We present an algorithm to solve the CRT-ACD problem.
  • Our algorithm consists of 2 steps:
    1. The first step is to obtain a dual instance only from the CRT-ACD samples.
    2. Using the previous algorithm for CRT-ACDwDI, all the factors $p_i$ can be recovered.

SLIDE 16

Observation

Put $b_j := \mathrm{CRT}_{(p_1,p_2)}(r_{j,1}, r_{j,2}) = p_1 \cdot q_{j,1} + r_{j,1} = p_2 \cdot q_{j,2} + r_{j,2}$. For any dual instance $d = d_1 \cdot \hat p_1 + d_2 \cdot \hat p_2$, the following holds:
$$[d \cdot b_j]_N \equiv [d_1 \hat p_1 (p_1 q_{j,1} + r_{j,1}) + d_2 \hat p_2 (p_2 q_{j,2} + r_{j,2})]_N \equiv [d_1 \hat p_1 r_{j,1} + d_2 \hat p_2 r_{j,2}]_N = d_1 \hat p_1 r_{j,1} + d_2 \hat p_2 r_{j,2}.$$
Small compared to $N$! Since $|d_i| \le 2^{\eta - 3\rho - \log 2}$,
$$\Bigl|\sum_{i=1}^{2} d_i \cdot r_{j,i} \cdot \hat p_i\Bigr| \le 2^{2\eta - 2\rho} \ll N/2.$$

SLIDE 17

Step 1: How to find a dual instance

Consider a lattice $L$ generated by the rows of the following matrix:
$$B = \begin{pmatrix} 1 & b_1 & b_2 & b_3 & b_4 \\ & N & & & \\ & & N & & \\ & & & N & \\ & & & & N \end{pmatrix}$$
$([d]_N, [d \cdot b_1]_N, [d \cdot b_2]_N, [d \cdot b_3]_N, [d \cdot b_4]_N)^T$ is a short vector in the lattice $L$ if $d$ is a dual instance. We will show that the first entry of any short vector in the lattice $L$ is a dual instance.

SLIDE 18

Step 1: Idea Sketch

Let $E = (E_1, E_2, E_3, E_4, E_5)^T$ be a lattice point of $L$. We have:

Any $E_1 \in \mathbb{Z}$ can be written as $e_1 \cdot \hat p_1 + e_2 \cdot \hat p_2$ (since $\hat p_1 = p_2$ and $\hat p_2 = p_1$ are coprime). Then $E_{i+1} = [E_1 \cdot b_i]_N = e_1 \cdot r_{i,1} \cdot \hat p_1 + e_2 \cdot r_{i,2} \cdot \hat p_2 \bmod N$ for $i = 1, \dots, 4$. Hence, we have the following relation:
$$E = (E_1, E_2, E_3, E_4, E_5) = (e_1, e_2) \cdot \begin{pmatrix} \hat p_1 & \\ & \hat p_2 \end{pmatrix} \cdot \begin{pmatrix} 1 & r_{1,1} & r_{2,1} & r_{3,1} & r_{4,1} \\ 1 & r_{1,2} & r_{2,2} & r_{3,2} & r_{4,2} \end{pmatrix} = e \cdot \hat P \cdot R \bmod N.$$
We want to show that $\|e \cdot \hat P \bmod N\|_\infty$ is small. It implies that $\|E\|_\infty$ is small.

SLIDE 20

Step 1: Idea Sketch

Writing $E = e \cdot \hat P \cdot R \bmod N$, we obtain the inequality
$$\|e \cdot \hat P \bmod N\|_\infty = \|E \cdot R^{-1} \bmod N\|_\infty \le \|E \cdot R^{-1}\|_\infty \le \|E\|_\infty \cdot \|R^{-1}\|_\infty \cdot n,$$
where $R^{-1}$ is a right inverse of $R$. We bound $\|E\|_\infty$ with a lattice reduction algorithm (this is possible when $n \le \eta - 4\rho$) and $\|R^{-1}\|_\infty$ with the Gaussian heuristic. From the inequality, the size of $e_i \cdot \hat p_i$ is bounded for all $i$.

SLIDE 21

Result

Let $n, \eta, \rho$ be parameters of the CRT-ACD problem. When $2n$ instances are given, we can find a dual instance
  • under the condition $n \le \eta - 4\rho$, in polynomial time with the LLL algorithm;
  • under the condition $n \le \frac{\beta - 1}{2 \log \beta} \cdot (\eta - 4\rho)$, in $2^{O(\beta)}$ time with the BKZ algorithm.

SLIDE 22

Experimental Results

Experimental results for CRT-ACD (our result). Here the number of prime factors, $n$, is set to 50.

    η      ρmax¹    time
    150     70      5m
    300    110      1h
    450    190      2h
    600    300      3.1h
    750    370      4.1h
    900    450      6.2h
    1500   700      10h

¹ The ρmax value corresponding to η is the maximum ρ value on which the experiment succeeded.

SLIDE 23

Step 2 [CHLRS15]

Product of $b = \mathrm{CRT}_{(p_i)}(r_i)$ and $d = e_1 \cdot p_2 + e_2 \cdot p_1$:
$$[b \cdot d]_N = e_1 \cdot r_1 \cdot p_2 + e_2 \cdot r_2 \cdot p_1 \quad \text{(an integer equation!)}$$
We can compute it with $b_1 \cdot b_2 \cdot b_3 \cdot d$:
$$[b_1 b_2 b_3 d]_N = r_{11} r_{12} r_{13} e_1 p_2 + r_{21} r_{22} r_{23} e_2 p_1 = \begin{pmatrix} r_{11} & r_{21} \end{pmatrix} \cdot \begin{pmatrix} r_{13} & \\ & r_{23} \end{pmatrix} \cdot \begin{pmatrix} e_1 p_2 & \\ & e_2 p_1 \end{pmatrix} \cdot \begin{pmatrix} r_{12} \\ r_{22} \end{pmatrix},$$
for $b_j = \mathrm{CRT}_{(p_1,p_2)}(r_{1j}, r_{2j})$, i.e. $r_{ij}$ is the residue of $b_j$ modulo $p_i$.

SLIDE 25

Build Equations

Changing the indices $j$ and $k$, compute $[b_j \cdot b_k \cdot b_3 \cdot d]_N$ and compose a matrix $W_1$:
$$W_1 = \begin{pmatrix} r_{11} & r_{21} \\ r_{12} & r_{22} \end{pmatrix} \cdot \begin{pmatrix} r_{13} & \\ & r_{23} \end{pmatrix} \cdot \begin{pmatrix} e_1 p_2 & \\ & e_2 p_1 \end{pmatrix} \cdot \begin{pmatrix} r_{11} & r_{12} \\ r_{21} & r_{22} \end{pmatrix} = \hat R \cdot \mathrm{diag}(r_{13} e_1 p_2,\ r_{23} e_2 p_1) \cdot R.$$
It is a matrix composed of secret parameters!

SLIDE 26

Build Equations

By removing $b_3$ ($[b_1 \cdot b_2 \cdot b_3 \cdot d]_N \to [b_1 \cdot b_2 \cdot d]_N$), we obtain
$$W_2 = \hat R \cdot \mathrm{diag}(e_1 p_2,\ e_2 p_1) \cdot R.$$
$W_1$ and $W_2$ are of the same form except for the middle matrix, so
$$W_1 \cdot W_2^{-1} = \hat R \cdot \mathrm{diag}(r_{13}, r_{23}) \cdot \hat R^{-1}.$$
Its eigenvalues are $r_{13}, r_{23}$.

SLIDE 27

Solve Equations

Recover $p_i$: by definition, $p_1$ divides $b_3 - r_{13}$ and $N = p_1 \cdot p_2$.

Hence, one can recover $p_1$ by computing a GCD. By repeating this, we can find all the secret $p_i$'s.
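Step 2 as described on slides 16 and 23 to 27, run end to end on a toy instance. This is an added example, not code from the paper or its authors: it assumes constructed parameters (two known primes $p_1 = 2^{31}-1$ and $p_2 = 2^{32}-5$, 6-bit residues, and a hand-picked dual instance $D = e_1 p_2 + e_2 p_1$ standing in for the lattice step), builds $W_1$ and $W_2$, reads $r_{13}, r_{23}$ off the eigenvalues of $W_1 W_2^{-1}$, and recovers $p_1, p_2$ by GCD. Requires Python 3.8+ for `pow(x, -1, m)`.

```python
from fractions import Fraction
from math import gcd, isqrt

# Constructed toy parameters (assumption, not from the paper).
P1, P2 = 2147483647, 4294967291          # 2^31 - 1 and 2^32 - 5, both prime; eta = 31
N = P1 * P2
R = ((17, 42, 23), (31, 9, 57))           # R[i-1][j-1] = r_ij: residue of sample b_j modulo p_i (rho = 6)
E1, E2 = 301, 457                         # well below 2^(eta - 3 rho - 1) = 2^12, so products stay < N/2
D = E1 * P2 + E2 * P1                     # dual instance: e1 * p1_hat + e2 * p2_hat

def sym_mod(x, n):
    """[x]_n: representative of x mod n in (-n/2, n/2]."""
    x %= n
    return x - n if x > n // 2 else x

def crt2(r1, r2, p1, p2):
    """CRT_(p1,p2)(r1, r2): the integer in (-N/2, N/2] that is r1 mod p1 and r2 mod p2."""
    n = p1 * p2
    return sym_mod(r1 * p2 * pow(p2, -1, p1) + r2 * p1 * pow(p1, -1, p2), n)

B = [crt2(R[0][j], R[1][j], P1, P2) for j in range(3)]   # CRT-ACD samples b_1, b_2, b_3

def eigenvalues_w1_w2inv(w1, w2):
    """Integer eigenvalues of W1 * W2^{-1} for 2x2 integer matrices (these are r_13 and r_23)."""
    (a, b), (c, d) = w2
    det_w2 = a * d - b * c
    adj = ((d, -b), (-c, a))                      # W2^{-1} = adj(W2) / det(W2)
    m = [[sum(w1[i][k] * adj[k][j] for k in range(2)) for j in range(2)] for i in range(2)]
    tr = Fraction(m[0][0] + m[1][1], det_w2)      # trace(W1 W2^{-1}) = r_13 + r_23
    det = Fraction(w1[0][0] * w1[1][1] - w1[0][1] * w1[1][0], det_w2)  # = r_13 * r_23
    assert tr.denominator == 1 and det.denominator == 1
    tr, det = int(tr), int(det)
    s = isqrt(tr * tr - 4 * det)                  # roots of x^2 - tr*x + det
    assert s * s == tr * tr - 4 * det
    return (tr - s) // 2, (tr + s) // 2

def recover_primes(n, b, d):
    """Step 2 of [CHLRS15]: from samples b_1, b_2, b_3 and a dual instance d, recover p_1, p_2."""
    # W1[j][k] = [b_j b_k b_3 d]_N and W2[j][k] = [b_j b_k d]_N hold as integer equations
    # in the secret residues because the products stay below N/2 (slide 16 observation).
    w1 = [[sym_mod(b[j] * b[k] * b[2] * d, n) for k in range(2)] for j in range(2)]
    w2 = [[sym_mod(b[j] * b[k] * d, n) for k in range(2)] for j in range(2)]
    residues = eigenvalues_w1_w2inv(w1, w2)       # r_13 and r_23, in some order
    # p_i divides b_3 - r_i3, so a gcd with N exposes each prime.
    return tuple(sorted(gcd(b[2] - r, n) for r in residues))

if __name__ == "__main__":
    print(recover_primes(N, B, D))                 # -> (2147483647, 4294967291)
```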

SLIDE 28

Summary

  • We present a reduction from the CRT-ACD problem to the CRT-ACDwDI problem.
  • Combining this with the previous result, we solve the CRT-ACD problem under some constraints.
  • We also provide an algorithm for distinguishing between CRT-ACD instances and random instances. Please refer to our paper.
  • It would be an interesting problem to extend the solvable parameter conditions.

SLIDE 29

Thank you for your attention.
