Basic Cryptanalysis
Vadim Lyubashevsky, INRIA / ENS, Paris
Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012
Outline
• LLL sketch
• Application to Subset Sum
• Application to SIS
• Application to LWE
• Lattice Reduction in Practice
[Diagram: the worst-case lattice problems SIVP and BDD reduce (one arrow is labelled "quantum") to the average-case Learning With Errors (LWE) and Small Integer Solution (SIS) problems; from these follow one-way functions, collision-resistant hash functions, identification schemes and digital signatures (Minicrypt), and public key encryption, ... (Cryptomania).]
How hard are these problems??
LLL [Lenstra, Lenstra, Lovász '82]
Lattice Bases
The Goal of Lattice Reduction
Obtain a basis B in which the lengths of the Gram-Schmidt vectors do not decrease too quickly. Roughly, this means that the basis vectors are somewhat orthogonal to each other.
LLL Reduced Basis
$$
B = \begin{pmatrix} \tilde b_1 & \tilde b_2 & \tilde b_3 & \cdots & \tilde b_n \end{pmatrix}
\begin{pmatrix}
1 & \mu_{2,1} & \mu_{3,1} & \cdots & \mu_{n,1} \\
0 & 1 & \mu_{3,2} & \cdots & \mu_{n,2} \\
0 & 0 & 1 & \cdots & \mu_{n,3} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & \cdots & 1
\end{pmatrix},
\qquad
\mu_{i,j} = \frac{b_i \cdot \tilde b_j}{\|\tilde b_j\|^2}
$$
An LLL-reduced basis has:
1. All $|\mu_{i,j}| \le 0.5$
2. $0.75\,\|\tilde b_i\|^2 \le \|\mu_{i+1,i}\,\tilde b_i + \tilde b_{i+1}\|^2$
Together these give $\|\tilde b_{i+1}\|^2 \ge 0.5\,\|\tilde b_i\|^2$.
Short Vector in an LLL-reduced Basis
Thm: The vector $b_1$ in an LLL-reduced basis has length at most $2^{(n-1)/2} \cdot \lambda_1(L(B))$.
Proof: $\|\tilde b_n\|^2 \ge 0.5\,\|\tilde b_{n-1}\|^2 \ge \dots \ge 0.5^{\,n-1}\,\|\tilde b_1\|^2 = 0.5^{\,n-1}\,\|b_1\|^2$, so $\|b_1\| \le 2^{(n-1)/2}\,\|\tilde b_i\|$ for all $i$. Since $\min_i \|\tilde b_i\| \le \lambda_1(L(B))$, we have $\|b_1\| \le 2^{(n-1)/2} \cdot \lambda_1(L(B))$.
LLL Algorithm
Write $B = (b_1\ b_2\ b_3\ \cdots\ b_n) = (\tilde b_1\ \tilde b_2\ \tilde b_3\ \cdots\ \tilde b_n)\,U$, where $U$ is the upper-triangular matrix of Gram-Schmidt coefficients $\mu_{i,j}$ from the previous slide. The algorithm repeats two steps until both conditions of an LLL-reduced basis hold:
1. Size reduction: subtract integer multiples of $b_1, \dots, b_{i-1}$ from $b_i$ so that every entry above the diagonal of $U$ satisfies $|\mu_{i,j}| \le \tfrac12$.
2. Swap: if $0.75\,\|\tilde b_i\|^2 \le \|\mu_{i+1,i}\,\tilde b_i + \tilde b_{i+1}\|^2$ fails for some $i$, swap $b_i$ and $b_{i+1}$, recompute the $\tilde b_j$ and $\mu_{i,j}$, and return to step 1.
An LLL-reduced basis has:
1. All $|\mu_{i,j}| \le 0.5$
2. $0.75\,\|\tilde b_i\|^2 \le \|\mu_{i+1,i}\,\tilde b_i + \tilde b_{i+1}\|^2$
APPLICATION OF LLL: THE SUBSET SUM PROBLEM
Subset Sum Problem
$a_i, T \in \mathbb{Z}_M$; the $a_i$ are chosen randomly and $T$ is a sum of a random subset of the $a_i$.
$a_1\ \ a_2\ \ a_3\ \ \cdots\ \ a_n \qquad T$
Find a subset of the $a_i$'s that sums to $T \pmod M$.
Subset Sum Problem (example)
$a_i, T \in \mathbb{Z}_{49}$; the $a_i$ are chosen randomly and $T$ is a sum of a random subset of the $a_i$.
$15\ \ 31\ \ 24\ \ 3\ \ 14 \qquad T = 11$
$15 + 31 + 14 = 11 \pmod{49}$
How Hard is Subset Sum?
$a_i, T \in \mathbb{Z}_M$; $a_1\ \ a_2\ \ a_3\ \ \cdots\ \ a_n \qquad T$
Find a subset of the $a_i$'s that sums to $T \pmod M$.
Hardness depends on:
• Size of n and M
• Relationship between n and M
Complexity of Solving Subset Sum
[Plot of run-time against the modulus M, with M marked at $2^{\log^2(n)}$, $2^n$, $2^{n\log(n)}$ and $2^{n^2}$:]
• small M, around $2^{\log^2(n)}$: poly(n), via "generalized birthday attacks" [FlaPrz05, Lyu06, Sha08]
• M between $2^n$ and $2^{n\log(n)}$: $2^{\Omega(n)}$
• large M, around $2^{n^2}$: poly(n), via "lattice reduction attacks" [LagOdl85, Fri86]
Subset Sum and Lattices
$a_1\ \ a_2\ \ a_3\ \ \cdots\ \ a_n$, with $T = \sum_i a_i x_i \bmod M$ for $x_i \in \{0,1\}$.
$\mathbf{a} = (a_1, a_2, \dots, a_n, -T)$
$L^\perp(\mathbf{a}) = \{\mathbf{y} \in \mathbb{Z}^{n+1} : \mathbf{a} \cdot \mathbf{y} = 0 \bmod M\}$
Notice that $\mathbf{x} = (x_1, x_2, \dots, x_n, 1)$ is in $L^\perp(\mathbf{a})$ and $\|\mathbf{x}\| < \sqrt{n+1}$. Want to use LLL to find this $\mathbf{x}$.
When Will LLL Solve Subset Sum?
$L^\perp(\mathbf{a}) = \{\mathbf{y} \in \mathbb{Z}^{n+1} : \mathbf{a} \cdot \mathbf{y} = 0 \bmod M\}$
Notice that $\mathbf{x} = (x_1, x_2, \dots, x_n, 1)$ is in $L^\perp(\mathbf{a})$, $\|\mathbf{x}\| < \sqrt{n+1}$.
LLL can find a vector of length $< \delta^{n+1} \lambda_1(L^\perp(\mathbf{a})) < \delta^{n+1} \sqrt{n+1}$.
So if there are no other vectors in $L^\perp(\mathbf{a})$ of length $< \delta^{n+1}\sqrt{n+1}$, LLL must find $\mathbf{x} = (x_1, x_2, \dots, x_n, 1)$!
Caveat: $\pm\mathbf{x}, \pm 2\mathbf{x}, \pm 3\mathbf{x}, \dots$ are all in $L^\perp(\mathbf{a})$, but we can recover $\mathbf{x}$ from these.
Good vectors: $(k x_1, k x_2, \dots, k x_n, k)$
The "Bad" Vectors
$\mathbf{y} = (y_1, \dots, y_n, k)$ such that $\|\mathbf{y}\| < \delta^{n+1}\sqrt{n+1} = r$ and
$a_1 y_1 + \dots + a_n y_n - kT = 0 \bmod M$
$a_1 y_1 + \dots + a_n y_n - k(a_1 x_1 + \dots + a_n x_n) = 0 \bmod M$
$a_1 (y_1 - k x_1) + \dots + a_n (y_n - k x_n) = 0 \bmod M$
(and for some $i$, $y_i - k x_i \ne 0 \bmod M$)
Probability of a Bad Lattice Vector
$S_r = \{\mathbf{y} \in \mathbb{Z}^{n+1} : \|\mathbf{y}\| < r\}$
For any $(x_1, \dots, x_n) \in \{0,1\}^n$ and $(y_1, \dots, y_n, k) \in S_r$:
$\Pr_{a_1, \dots, a_n}[a_1 (y_1 - k x_1) + \dots + a_n (y_n - k x_n) = 0 \bmod M] = 1/M$
unless $(y_i - k x_i) = 0 \bmod M$ for all $i$ (the last line assumes that $M$ is prime).
Probability of a Bad Lattice Vector
$S_r = \{\mathbf{y} \in \mathbb{Z}^{n+1} : \|\mathbf{y}\| < r\}$
Taking a union bound over all $(x_1, \dots, x_n) \in \{0,1\}^n$ and all $(y_1, \dots, y_n, k) \in S_r$ such that $y_i - k x_i \ne 0 \bmod M$ for some $i$:
$\Pr_{a_1, \dots, a_n}[\text{some such pair has } a_1 (y_1 - k x_1) + \dots + a_n (y_n - k x_n) = 0 \bmod M] \le |S_r| \cdot 2^n / M$
Want $|S_r| \cdot 2^n \ll M$.
Number of $\mathbb{Z}^n$ Points in a Sphere
Number of integer points in a sphere of radius $r$ $\approx$ volume of a sphere of radius $r$ $\approx (\pi n)^{-1/2} (2\pi e / n)^{n/2} r^n$
(here $r$ needs to be at least $n^{1/2 + \varepsilon}$)
Probability of a Bad Lattice Vector
Want $|S_r| \cdot 2^n \ll M$, where $r = \delta^{n+1}\sqrt{n+1}$.
$|S_r| \cdot 2^n < 9^{n+1} \cdot \delta^{(n+1)^2}$
If $M > 9^{n+1} \cdot \delta^{(n+1)^2}$, subset sum can be solved in poly-time (for all but a negligible fraction of instances).
APPLICATION OF LLL: THE SIS PROBLEM
The SIS Problem
Given a random $A \in \mathbb{Z}_q^{n \times m}$, find a "small" $\mathbf{s}$ such that $A\mathbf{s} = 0 \bmod q$.
[Picture: $A$ is an $n \times m$ matrix, $\mathbf{s}$ is a column vector of length $m$, $A\mathbf{s} = 0 \pmod q$.]
(We will only consider $m \ge 2n$ and $q > m$.)
Finding "Small" Vectors Using LLL
$L^\perp(A) = \{\mathbf{y} \in \mathbb{Z}^m : A\mathbf{y} = 0 \bmod q\}$
What is the shortest vector of $L^\perp(A)$?
Minkowski's Theorem: $\lambda_1(L^\perp(A)) \le \sqrt{m}\, \det(L^\perp(A))^{1/m}$
What is $\det(L^\perp(A))^{1/m}$?
Determinant of an Integer Lattice
If $L$ is an integer lattice, then $\det(L) = \#(\mathbb{Z}^m / L)$.
1. $\#(\mathbb{Z}^m / L^\perp(A)) \le q^n$: for any $\mathbf{x}_1, \mathbf{x}_2 \in \mathbb{Z}^m$, if $A\mathbf{x}_1 = A\mathbf{x}_2 \bmod q$, then $\mathbf{x}_1, \mathbf{x}_2$ are in the same coset of $\mathbb{Z}^m / L^\perp(A)$.
2. If $A$ has $n$ linearly-independent columns, then $\#(\mathbb{Z}^m / L^\perp(A)) = q^n$: for every $\mathbf{y} \in \mathbb{Z}_q^n$, there is an $\mathbf{x} \in \mathbb{Z}^m$ such that $A\mathbf{x} = \mathbf{y} \bmod q$.
Shortest Vector in $L^\perp(A)$
Minkowski's Theorem: $\lambda_1(L^\perp(A)) \le \sqrt{m}\, \det(L^\perp(A))^{1/m}$
For almost all $A$, $\det(L^\perp(A)) = q^n$.
Thus, $\lambda_1(L^\perp(A)) \le \sqrt{m}\, q^{n/m}$.
Can it be much smaller?? If $q^{n/m} \gg \sqrt{2\pi e}$, then no.
Shortest Vector in $L^\perp(A)$
$S_r = \{\mathbf{y} \in \mathbb{Z}^m : \|\mathbf{y}\| < r\}$
For any $\mathbf{s} \ne 0 \bmod q$ in $S_r$, $\Pr_A[A\mathbf{s} = 0 \bmod q] = 1/q^n$.
For all $\mathbf{s} \ne 0 \bmod q$ in $S_r$ together, $\Pr_A[A\mathbf{s} = 0 \bmod q] \le |S_r| / q^n \approx (\pi m)^{-1/2} (2\pi e / m)^{m/2} r^m / q^n$.
So $r$ needs to be $\approx \sqrt{m / (2\pi e)}\, q^{n/m}$.
(Since we assumed $q^{n/m} \gg \sqrt{2\pi e}$, we have $r \gg \sqrt{m}$, and so the number of integer points in a sphere of radius $r$ $\approx$ the volume of a sphere of radius $r$.)