Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences
J. Bi, J-S. Coron, J-C. Faugère, P. Nguyen, G. Renault, R. Zeitoun
Public Key Cryptography 2014, 26-28 March 2014, Buenos Aires, Argentina
1. Coppersmith's Method
2. Speeding up Coppersmith's Algorithm by Rounding
3. Speeding up Exhaustive Search by Chaining
PKC 2014 2 / 27
Core Ideas of Rounding and Chaining
Rounding:
• The problem: $a \xrightarrow{f} b$ (one expensive reduction $f$ of a large input $a$).
☞ Rather consider $a/c$ instead of $a$.
Chaining:
• The problem: $a_1 \xrightarrow{f} b_1,\; a_2 \xrightarrow{f} b_2,\; a_3 \xrightarrow{f} b_3,\;\dots$ (many independent reductions).
☞ Rather do $a_1 \xrightarrow{f} b_1,\; f'(b_1) \xrightarrow{f} b_2,\; f'(b_2) \xrightarrow{f} b_3,\;\dots$ (each reduction starts from the previous output).
☞ Rounding and Chaining can also be combined.
Coppersmith's Theorem
The Problem (Univariate Modular Case):
• Input:
  • A polynomial $f(x) = x^{\delta} + a_{\delta-1}x^{\delta-1} + \cdots + a_1 x + a_0$.
  • $N$ an integer of unknown factorization.
• Find:
  • All integers $x_0$ such that $f(x_0) \equiv 0 \pmod N$.
Coppersmith's Method (1996)
• Find small integer roots.
Coppersmith's Theorem for the Univariate Modular case
• The solutions $x_0$ can be found in time $\mathrm{poly}(\log N, \delta)$ if $|x_0| < N^{1/\delta}$.
The problem is easy without the modulo $N$.
☞ Find a polynomial $g$ such that $g(x_0) = 0$ over $\mathbb{Z}$.
Applications in cryptology
Cryptanalysis of RSA
• Factoring with high bits known. Coppersmith, 1996.
• Security proof of RSA-OAEP. Shoup, 2001.
• Equivalence: factoring / computing $d$. Coron, May, 2007.
• Stereotyped messages. Coppersmith, 1996.
• RSA pseudorandom generator. Fischlin, Schnorr, 2000.
• Affine padding. Coppersmith, Franklin, Patarin, Reiter, 1996.
• Polynomially related messages (Hastad). Coppersmith, 1997.
• Finding smooth numbers and factoring. Boneh, 2001.
• Coppersmith in the wild. Bernstein et al., 2013.
About Coppersmith's Method
Euclidean Lattices
• Find a new small polynomial equation ☞ LLL reduction.
A matter of Bound
• Coppersmith's bound $|x_0| < N^{1/\delta}$ ☞ Exhaustive search.
In practice
• The LLL-reduction can be costly.
• The exhaustive search can be prohibitive.
Rounding and Chaining LLL
Our Approach
• Use structure to improve Coppersmith's method.
Two Speedups: Rounding and Chaining
• Asymptotic speed-up of the LLL-reduction: $\delta^{-2}\log^9 N \to \log^7 N$.
• Heuristic speed-up of the exhaustive search.
Core Ideas of Rounding and Chaining
• Rounding: apply LLL on a matrix with smaller coefficients ☞ divide all coefficients in Coppersmith's matrix.
• Chaining: reuse the previous computation ☞ apply a small transformation on the last reduced matrix.
Timings for a typical instance ($\lceil \log_2 N \rceil = 2048$ and $\delta = 3$)
• Original method: 4 years.
• Our new method: 2.6 days.
Coppersmith's Method (Howgrave-Graham)
The problem: find all small integers $x_0$ s.t. $f(x_0) \equiv 0 \pmod N$.
The idea: find a small polynomial $g$ s.t. $g(x_0) = 0$ over $\mathbb{Z}$.
How to find the polynomial $g$:
  Family of polynomials (with parameter $h$) $\to$ matrix $B$ $\xrightarrow{\text{LLL}}$ reduced matrix $R$ $\to$ $g$ (its first row).
• $g(x_0) \equiv 0 \pmod{N^{h-1}}$ and $|g(x_0)| < N^{h-1}$ $\Rightarrow$ $g(x_0) = 0$ over $\mathbb{Z}$.
Complexity / Practical Results of Coppersmith's Method
State-of-the-art Analysis
• Complexity using $L^2$: $O(\log^9(N)/\delta^2)$.
In practice, for $\lceil \log_2(N) \rceil = 1024$ and $\delta = 2$:

  Upper bound for $x_0$               $2^{492}$  $2^{496}$  $2^{500}$  $2^{503}$  $2^{504}$  $2^{505}$  ...  $2^{512}$
  Lattice dimension $n = h\delta + 1$      29       35       51       71       77       87  ...   NA
  Size of elements in $B$ (bits)        15360    18432    26624    36864    39936    45056  ...   NA
  Time for LLL (seconds)                 10.6     35.2      355     2338     4432    11426  ...   NA

Remark: all tests were performed using Magma V2.19-5.
[$L^2$] An LLL Algorithm with Quadratic Complexity. P. Q. Nguyen and D. Stehlé, SIAM J. of Computing, 2009.
Using Structure: A First Result
State-of-the-art Analysis
• Complexity using $L^2$: $O(\log^9(N)/\delta^2)$.
New Preliminary Result Using Structure [1]
• Complexity using $L^2$: $O(\log^8(N)/\delta)$.
[1] An Upper Bound on the Average Number of Iterations of the LLL Algorithm. Hervé Daudé, Brigitte Vallée, 1994.
Speeding up Coppersmith's Algorithm by Rounding
☞ Use Coppersmith's matrix structure.
Speeding up Coppersmith's Algorithm by Rounding
The idea: perform the computations with the most significant bits only:
$$A,\; B \;\Longrightarrow\; \left\lfloor \frac{A}{c} \right\rfloor,\; \left\lfloor \frac{B}{c} \right\rfloor .$$
Speeding up Coppersmith's Algorithm by Rounding
Coppersmith's matrix $B$: its rows are the coefficient vectors of $N^{h-1-j}\, x^i f(xX)^j$ ($0 \le j < h$, $0 \le i < \delta$), so it is lower triangular:
$$
B=\begin{pmatrix}
N^{h-1} & & & & & & \\
 & XN^{h-1} & & & & & \\
 & & \ddots & & & & \\
 & & & X^{\delta-1}N^{h-1} & & & \\
a_0N^{h-2} & a_1XN^{h-2} & \cdots & & X^{\delta}N^{h-2} & & \\
 & a_0XN^{h-2} & \cdots & & & X^{\delta+1}N^{h-2} & \\
 & & \ddots & & & & \ddots \\
 & & & a_0X^{\delta-1}N^{h-2} & \cdots & & & X^{2\delta-1}N^{h-2} \\
 & & & & & & & & \ddots \\
\ast & \cdots & & & & & & & & X^{\delta(h-1)} \\
 & \ast & \cdots & & & & & & & & X^{\delta(h-1)+1} \\
 & & \ddots & & & & & & & & & \ddots \\
 & & & \ast & \cdots & & & & & & & & X^{\delta h-1}
\end{pmatrix}
$$
The largest diagonal entries ($N^{h-1}, \dots, X^{\delta-1}N^{h-1}$) are at the top, the smallest ($X^{\delta(h-1)}, \dots, X^{\delta h-1}$) at the bottom.
☞ Since $X < N^{1/\delta}$, every diagonal entry is at most $N^h$; for $X$ close to that bound, all diagonal entries lie between $N^{h-2}$ and $N^{h}$.
Speeding up Coppersmith's Algorithm by Rounding
First step of the rounding method
• Size-reduce $B$ so that the subdiagonal coefficients are smaller than the diagonal coefficients:
$$
B=\begin{pmatrix}
b_1 & & & \\
\ast & b_2 & & \\
\ast & \ast & b_3 & \\
\vdots & \vdots & \vdots & \ddots \\
\ast & \ast & \ast & \cdots\; b_n
\end{pmatrix}
\quad\xrightarrow{\ \text{Size-Reduce}\ }\quad
\begin{pmatrix}
b_1 & & & \\
{<}\,b_1 & b_2 & & \\
{<}\,b_1 & {<}\,b_2 & b_3 & \\
\vdots & \vdots & \vdots & \ddots \\
{<}\,b_1 & {<}\,b_2 & {<}\,b_3 & \cdots\; b_n
\end{pmatrix}
$$
Speeding up Coppersmith's Algorithm by Rounding
Second step of the rounding method
• Create a new rounded matrix $\lfloor B/c \rfloor$.
• Apply LLL on $\lfloor B/c \rfloor$: the first vector of the unimodular matrix is $x$.
• Compute $v = xB$ and solve $v$ over $\mathbb{Z}$.
$$
B \;\xrightarrow{\ /c\ }\; \lfloor B/c \rfloor \;\xrightarrow{\ \text{LLL}\ }\; T \ \text{(unimodular)},\qquad T \cdot \lfloor B/c \rfloor = R \ \text{(reduced)},\qquad x = \text{first row of } T,\qquad x \cdot B = v .
$$
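The following is an added worked example, not code from the authors or the paper: it runs the Howgrave-Graham lattice method described on the "Coppersmith's Method (Howgrave-Graham)" slide and then the two rounding steps above (size-reduce $B$, LLL on $\lfloor B/c \rfloor$, $x$ = first row of the unimodular matrix, $v = xB$) on a constructed toy instance, with exact arithmetic only so it runs without fpylll or Sage. Assumptions, none of which come from the slides: the lattice has the $h\delta$ rows $N^{h-1-j}x^i f(xX)^j$ (the slides count $n = h\delta + 1$); the integer root of $g$ is found by Hensel lifting from a small prime rather than by a library root finder; $c$ is set by a `precision_bits` knob of our own instead of the paper's choice; the instance (a 50-bit $N$, $e = 3$, a 10-bit unknown `X0`, the prefix `b"pin="`) is made up.

```python
"""Coppersmith's method (Howgrave-Graham lattice), plain and with the rounding step of
Bi et al., on a constructed toy instance: added example, not the authors' code. Exact
integer/Fraction arithmetic only, so it needs neither fpylll nor Sage."""
from fractions import Fraction
from functools import reduce
from math import gcd

def poly_eval(p, x):  # Horner scheme on a coefficient list (lowest degree first), exact
    return reduce(lambda r, c: r * x + c, reversed(p), 0)

def lll(B, delta=Fraction(3, 4)):  # LLL on the rows of B; returns (reduced rows, U), U * B == reduced
    n, B = len(B), [list(r) for r in B]
    U = [[int(i == j) for j in range(n)] for i in range(n)]  # unimodular transform, rows of U
    mu, norms, Bs = [[Fraction(0)] * n for _ in range(n)], [], []
    for i in range(n):  # Gram-Schmidt: coefficients mu[i][j] and squared norms of b*_i
        v = [Fraction(c) for c in B[i]]
        for j in range(i):
            mu[i][j] = sum(a * b for a, b in zip(B[i], Bs[j])) / norms[j]
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs.append(v)
        norms.append(sum(a * a for a in v))
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce row k; b*_k and the norms do not change
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                U[k] = [a - q * b for a, b in zip(U[k], U[j])]
                mu[k] = [mu[k][l] - q * (mu[j][l] if l < j else int(l == j)) for l in range(n)]
        m = mu[k][k - 1]
        if norms[k] >= (delta - m * m) * norms[k - 1]:  # Lovasz condition holds: move on
            k += 1
            continue
        B[k - 1], B[k], U[k - 1], U[k] = B[k], B[k - 1], U[k], U[k - 1]
        mu[k][:k - 1], mu[k - 1][:k - 1] = mu[k - 1][:k - 1], mu[k][:k - 1]
        new = norms[k] + m * m * norms[k - 1]  # O(n) update of mu and norms after the swap
        mu[k][k - 1] = m * norms[k - 1] / new
        norms[k], norms[k - 1] = norms[k - 1] * norms[k] / new, new
        for i in range(k + 1, n):
            mu[i][k - 1], mu[i][k] = mu[i][k], mu[i][k - 1] - m * mu[i][k]
            mu[i][k - 1] += mu[k][k - 1] * mu[i][k]
        k = max(k - 1, 1)
    return B, U

def coppersmith_matrix(f, N, X, h):  # rows: N^(h-1-j) x^i f(x)^j at x -> xX, j < h, i < deg f
    d, rows, fj = len(f) - 1, [], [1]  # lower triangular, diagonal N^(h-1-j) X^(j*d+i) as on the slides
    for j in range(h):
        for i in range(d):
            p = [0] * i + [c * N ** (h - 1 - j) for c in fj]
            rows.append([c * X ** k for k, c in enumerate(p + [0] * (h * d - len(p)))])
        fj = [sum(fj[i - k] * f[k] for k in range(len(f)) if 0 <= i - k < len(fj))
              for i in range(len(fj) + len(f) - 1)]  # fj <- fj * f (polynomial product)
    return rows

def size_reduce(B):  # rounding, step 1 (in place): |subdiagonal entry| <= half the column's diagonal
    for i in range(len(B)):
        for j in range(i - 1, -1, -1):
            q = (2 * B[i][j] + B[j][j]) // (2 * B[j][j])  # nearest integer to B[i][j] / B[j][j]
            B[i] = [a - q * b for a, b in zip(B[i], B[j])]
    return B

def int_roots(g, bound):  # integer roots r of g with |r| <= bound, by Hensel lifting from a prime p
    g = g[:max(k for k, c in enumerate(g) if c) + 1]  # drop zero leading coefficients
    g = [c // reduce(gcd, g) for c in g]
    dg = [k * c for k, c in enumerate(g)][1:]
    for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73):
        res = [r for r in range(p) if poly_eval(g, r) % p == 0]
        if g[-1] % p and not any(poly_eval(dg, r) % p == 0 for r in res):  # all roots simple mod p
            roots = set()
            for r in res:
                M = p
                while M <= 2 * bound:  # quadratic (Newton) Hensel lifting, unique lift per residue
                    M *= M
                    r = (r - poly_eval(g, r) * pow(poly_eval(dg, r), -1, M)) % M
                r -= M * (r > M // 2)  # centred representative in (-M/2, M/2]
                if abs(r) <= bound and poly_eval(g, r) == 0:
                    roots.add(r)
            return sorted(roots)
    raise ValueError("g has a repeated root modulo every prime tried")

def coppersmith_roots(f, N, X, h, use_rounding=False, precision_bits=40):
    """Small roots of f mod N with |x0| <= X, and the largest entry (bits) handed to LLL.
    precision_bits is our own knob for c (not the paper's): bits kept of the smallest diagonal."""
    B = coppersmith_matrix(f, N, X, h)
    if use_rounding:
        B = size_reduce(B)
        c = 1 << max(0, min(B[i][i] for i in range(len(B))).bit_length() - precision_bits)
        Bc = [[a // c for a in row] for row in B]  # step 2: the rounded matrix floor(B / c)
        x = lll(Bc)[1][0]  # LLL sees only the small matrix; x is the first row of U
        v = [sum(xi * b for xi, b in zip(x, col)) for col in zip(*B)]  # v = x * B, exact
    else:
        Bc, v = B, lll(B)[0][0]
    g = [a // X ** k for k, a in enumerate(v)]  # g(x) = v(x / X) has integer coefficients
    return int_roots(g, X), max(abs(a).bit_length() for row in Bc for a in row)

N, X, X0 = (2 ** 31 - 1) * (2 ** 19 - 1), 1 << 10, 777  # constructed: N ~ 2^50 (two Mersenne primes), X < N^(1/3)
A = int.from_bytes(b"pin=", "big") * X  # constructed known prefix, shifted above the unknown bits
C = pow(A + X0, 3, N)  # RSA-style e = 3 ciphertext of the message A + X0; X0 is the secret we want back
F = [(A ** 3 - C) % N, 3 * A * A % N, 3 * A % N, 1]  # f(x) = (A + x)^3 - C mod N, monic, degree 3
```

Calling `coppersmith_roots(F, N, X, 3)` and `coppersmith_roots(F, N, X, 3, use_rounding=True)` both return `777` among the roots; the second value returned shows that LLL in the rounding variant only ever touches a matrix whose entries have far fewer bits than those of $B$, which is the whole point of the speed-up. The pure-Python LLL is only meant to make the mechanics visible: at the sizes of the timing tables one would use fpylll or Magma.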
Complexity of Rounding Method
Theorem: Rounding Method
• Complexity using $L^2$: $O(\log^7 N)$.
Reminder of Coppersmith's method complexity:
• State-of-the-art complexity: $O(\log^9(N)/\delta^2)$.
• New preliminary complexity: $O(\log^8(N)/\delta)$.
Timings with Rounding Improvement
In practice, for $\lceil \log_2(N) \rceil = 1024$ and $\delta = 2$:

  Upper bound for $x_0$                         $2^{492}$  $2^{496}$  $2^{500}$  $2^{503}$  $2^{504}$  $2^{505}$  ...  $2^{512}$
  Lattice dimension                                  29       35       51       71       77       87  ...   NA
  Size of elements in $B$ (bits)                  15360    18432    26624    36864    39936    45056  ...   NA
  Size of elements in $\lfloor B/c \rfloor$ (bits)  2131     2127     2119     2119     2120     2123  ...   NA
  Original LLL (seconds)                           10.6     35.2      355     2338     4432    11426  ...   NA
  Rounding LLL (seconds)                            1.6      3.5     18.8       94      150      436  ...   NA

☞ Dim 77: speed-up of $\approx 30$.
Speeding up Exhaustive Search by Chaining
☞ Use hidden algebraic structure.
Exhaustive Search
Performing exhaustive search
• Split the variable $x$ into $\alpha$ and $x'$ (the slide's figure shows the bits of $x$ split into a high part $\alpha$ and a low part $x'$).
• The new variable is $x'$.
• Perform an exhaustive search on $\alpha$.