TRANSCRIPT
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm
Momonari Kudo
Graduate School of Mathematics, Kyushu University, JAPAN
Kyushu University Number Theory Seminar
1st September, 2016 @ Kyushu University, JAPAN
This is a joint work with Jintai Ding, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao.
Contents
1. Introduction
This talk is based on the paper: Jintai Ding, Momonari Kudo, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao, “Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction”, IACR Cryptology ePrint Archive 2015/1229, 2015.
A short paper version has been accepted by the refereed international conference IWSEC 2016, and it will be published.
1-1. Diophantine equations and Cryptography
Diophantine Problem / ℚ: For a given f ∈ ℤ[x_1, …, x_n], find (a_1, …, a_n) ∈ ℚ^n s.t. f(a_1, …, a_n) = 0.
In general, there is no algorithm to test Diophantine equations for solvability in ℤ [1].
Some cryptographic protocols based on the difficulty of solving Diophantine equations have been proposed as Post-Quantum Cryptosystems (PQC):
• A public key cryptosystem [2] in 1995
• Key exchange protocols [3, 4, 5] in 2011-2013
• Algebraic Surface Cryptosystem (ASC09) by Akiyama, Goto, Miyake [6] in 2009
Q. How secure are these cryptosystems?
[1] M. Davis, Y. Matijasevič and J. Robinson, Hilbert's tenth problem, Diophantine equations: positive aspects of a negative solution, In: Mathematical Developments Arising from Hilbert Problems, Browder, F. E. (ed.), AMS, Providence, RI, pp. 323-378 (1976).
[2] C. H. Lin, C. C. Chang, R. C. T. Lee, A new public-key cipher system based upon the diophantine equations, IEEE Trans. Comp. 44, 13-19 (1995).
[3] A. Bérczes, L. Hajdu, N. Hirata-Kohno, T. Kovács, A. Pethő, A key exchange protocol based on Diophantine equations and S-integers, JSIAM Letters Vol. 6, 85-88 (2014).
[4] N. Hirata-Kohno, A. Pethő, On a key exchange protocol based on Diophantine equations, Infocommunications Journal 5, 17-21 (2013).
[5] H. Yosh, The key exchange cryptosystem used with higher order Diophantine equations, IJNSA Journal 3, 43-50 (2011).
[6] K. Akiyama, Y. Goto, H. Miyake, Algebraic Surface Cryptosystem, In: Proceedings of PKC'09, Lecture Notes in Comput. Sci. 5443, 425-442 (2009).
[7] J.-C. Faugère, P.-J. Spaenlehauer, Algebraic Cryptanalysis of the PKC'2009 Algebraic Surface Cryptosystem, In: Proceedings of PKC'10, Lecture Notes in Comput. Sci. 6056, 35-52 (2010).
1-2. Previous Works
Impractical: e.g. in 2010, ASC09 was broken by the ideal decomposition attack [7] via Gröbner basis theory.
1-3. Previous Works
Okumura [Oku15] proposed in 2015 a new public key cryptosystem as an analogue of ASC: a public key cryptosystem based on Diophantine Equations of degree increasing type (DEC).
It is expected to have resistance against the ideal decomposition attack (and other attacks).
[Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pac. Journal of Math. for Industry, 7 (4), pp. 33-45 (2015).
1-4. Our Problem
Q. How secure is DEC?
                     | Algebraic Surface Cryptosystem (ASC)       | Diophantine Equation Cryptosystem (DEC)
Base field           | Function field                             | Number field
Underlying problem   | Section finding problem                    | Diophantine problem
Status               | Broken by the ideal decomposition attack   | What's new: “twisting” the plaintext (to avoid the ideal decomposition attack)
DEC [Oku15] is expected to have resistance against the ideal decomposition attack (and other attacks), and to be one of the PQC.
1-5. Our Main Contribution
• Apply a variant of the LLL algorithm to the cryptanalysis. We call it the “weighted LLL algorithm”.
• Break the one-wayness of instances of DEC via the weighted LLL.
Contents
1. Introduction
2. Overview of DEC
3. Cryptanalysis of DEC via the weighted LLL algorithm
4. Complexity Analysis and Experimental Results
5. Summary
2-1. DEC scheme
Secret key: (a, b) ∈ ℤ^2 s.t. X(a/d, b/d) = 0.
Public key: d, e ∈ ℤ_{>0}, X ∈ ℤ[x, y] with certain conditions.
Plaintext: a polynomial m ∈ ℤ[x, y].
Encrypt: “twist” m by e, N ∈ ℤ into m̃, choose some randomness N, f, s_j, r_j, and put
  F_1 = m̃ + s_1 f + r_1 X,
  F_2 = m̃ + s_2 f + r_2 X,
  F_3 = m̃ + s_3 f + r_3 X.
Ciphertext: (F_1, F_2, F_3, N), i.e. 3 polynomials and N ∈ ℤ.
Crucial Remark
(1) The sets of the monomials of X, m, m̃, f, s_j, r_j are the same and known.
(2) The bit lengths of the coefficients of X, m, m̃, f, s_j, r_j are known.
(3) The coefficients of s_j, X are much smaller than those of the others.
To simplify the notation, assume n = 2 throughout this talk.
2-2. Notation
For a polynomial f(x, y) = Σ c_{i,j} x^i y^j ∈ ℤ[x, y] ∖ {0}, define
1. c_{i,j}(f) := c_{i,j}, the non-zero coefficient of the monomial x^i y^j in f.
2. 𝐟 := (c_{i_1,j_1}(f), …, c_{i_q,j_q}(f)) (bold style), the vector consisting of all the non-zero coefficients of f, with (i_1, j_1) ≻ ⋯ ≻ (i_q, j_q) in lexicographical order.
2-3. Toy Example of DEC (Key Generation)
λ: security parameter (in this example, λ := 4).
Secret key
・ (a, b) = (46, 64) ∈ ℤ^2
Public key
・ X = 25x^3 − 4y − 19416 ∈ ℤ[x, y]
・ d = 5
・ e = 15
chosen so that X(a/d, b/d) = 0, gcd(ab, d) = 1, gcd(e, φ(d)) = 1 (φ: Euler's function),
  d ≥ 2^{λ/2}, e ≥ λ + 1 + (λ/2 + 1) deg X,
  2^λ φ(d) d ≤ max{|a|, |b|} < 2^{λ+1} φ(d) d.
Remark: [Oku15] suggests λ = 128.
2-4. Toy Example of DEC (Encryption)
Recall: X = 25x^3 − 4y − 19416, d = 5, e = 15.
Plaintext (polynomial)
・ m = 3x^3 + 3y + 3, with 1 < c_{i,j}(m) < d and gcd(c_{i,j}(m), d) = 1.
Encryption
Step 1. Twist the plaintext m.
・ Choose an N ∈ ℤ_{>0} s.t. Nd > 2^λ max_{i,j} |c_{i,j}(X)|. Here N = 62144 (Nd = 310720).
・ Put c_{i,j}(m̃) := c_{i,j}(m)^e (mod Nd). E.g. c_{3,0}(m̃) := 3^15 (mod 310720) = 55787, and likewise for the other coefficients:
  m̃ = 55787x^3 + 55787y + 55787.
2-5. Toy Example of DEC (Encryption)
Recall: X = 25x^3 − 4y − 19416.
Step 2. Choose some polynomials uniformly at random:
・ s_1 = 28x^3 + 4y + 29060, s_2 = 26x^3 + 7y + 26541, s_3 = 28x^3 + 5y + 22594,
・ f = 133943x^3 + 258040y + 152992,
・ r_1 = 259965x^3 + 186583y + 209414, r_2 = 204762x^3 + 134840y + 144822, r_3 = 141410x^3 + 226856y + 153282.
Crucial Remark: f, s_j, r_j are chosen so that certain conditions hold, e.g. the coefficients of s_j and X have the same bit sizes. (𝐬_j: very short.)
2-6. Toy Example of DEC (Encryption)
Step 3. Make a ciphertext (polynomials). Put F_1 := m̃ + s_1 f + r_1 X, F_2 := m̃ + s_2 f + r_2 X, F_3 := m̃ + s_3 f + r_3 X:
・ F_1 = 10249529x^6 + 11385607x^3y − 1145521947x^3 + 285828y^2 + 3875776971y + 380021083,
・ F_2 = 8601568x^6 + 10198593x^3y − 413023700x^3 + 1266920y^2 + 4231133643y + 1248752507,
・ F_3 = 7285654x^6 + 13000595x^3y + 288863195x^3 + 382776y^2 + 1425727283y + 480633723.
Send (F_1, F_2, F_3, N).
Remark 1: One can decrypt the ciphertext as in Sections 3.4 and 3.5 of [Oku15]. In this talk we omit the decryption process.
Remark 2: We mention the recommended (and estimated) parameter size later.
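The toy encryption of slides 2-3 to 2-6, reproduced as an added example (not code from the talk or from [Oku15]): polynomials in ℤ[x, y] are dicts {(i, j): coefficient}, the twist is c^e mod Nd, and the three F_j are assembled from the values printed on the slides so the arithmetic can be checked.

```python
from fractions import Fraction
from math import gcd

def poly_add(p, q):
    r = dict(p)
    for mono, c in q.items():
        r[mono] = r.get(mono, 0) + c
    return {mono: c for mono, c in r.items() if c != 0}

def poly_mul(p, q):
    r = {}
    for (i1, j1), c1 in p.items():
        for (i2, j2), c2 in q.items():
            mono = (i1 + i2, j1 + j2)
            r[mono] = r.get(mono, 0) + c1 * c2
    return {mono: c for mono, c in r.items() if c != 0}

def poly_eval(p, x, y):
    return sum(c * x ** i * y ** j for (i, j), c in p.items())

def twist(m, e, n, d):
    # Step 1 of encryption: c_{i,j}(m~) := c_{i,j}(m)^e (mod N d).
    return {mono: pow(c, e, n * d) for mono, c in m.items()}

def encrypt(m, x, d, e, n, s, f, r):
    # Steps 1 and 3: F_j := m~ + s_j f + r_j X for j = 1, 2, 3.
    m_tw = twist(m, e, n, d)
    return [poly_add(poly_add(m_tw, poly_mul(sj, f)), poly_mul(rj, x))
            for sj, rj in zip(s, r)]

# Toy key, plaintext and randomness copied from slides 2-3 to 2-5 (lambda = 4).
LAM = 4
A, B, D, E = 46, 64, 5, 15
X = {(3, 0): 25, (0, 1): -4, (0, 0): -19416}
M = {(3, 0): 3, (0, 1): 3, (0, 0): 3}
N = 62144
S = [{(3, 0): 28, (0, 1): 4, (0, 0): 29060},
     {(3, 0): 26, (0, 1): 7, (0, 0): 26541},
     {(3, 0): 28, (0, 1): 5, (0, 0): 22594}]
F = {(3, 0): 133943, (0, 1): 258040, (0, 0): 152992}
R = [{(3, 0): 259965, (0, 1): 186583, (0, 0): 209414},
     {(3, 0): 204762, (0, 1): 134840, (0, 0): 144822},
     {(3, 0): 141410, (0, 1): 226856, (0, 0): 153282}]

def key_ok():
    # (a/d, b/d) is a rational zero of X, plus the gcd conditions of slide 2-3.
    phi_d = sum(1 for k in range(1, D) if gcd(k, D) == 1)   # Euler's phi(d)
    return (poly_eval(X, Fraction(A, D), Fraction(B, D)) == 0
            and gcd(A * B, D) == 1 and gcd(E, phi_d) == 1)

def twist_ok():
    # N d > 2^lambda * max|c_{i,j}(X)|, and every plaintext coefficient lies
    # in (1, d) and is coprime to d, as required on slide 2-4.
    return (N * D > 2 ** LAM * max(abs(c) for c in X.values())
            and all(1 < c < D and gcd(c, D) == 1 for c in M.values()))

if __name__ == "__main__":
    for j, fj in enumerate(encrypt(M, X, D, E, N, S, F, R), 1):
        print("F_%d = %s" % (j, fj))
```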
3-1. Idea of Our Attack
Ciphertext (3 polynomials):
  F_1 = m̃ + s_1 f + r_1 X,
  F_2 = m̃ + s_2 f + r_2 X,
  F_3 = m̃ + s_3 f + r_3 X.
X, F_1, F_2, F_3: known. m̃, f, s_j, r_j: unknown.
Crucial Remark
(1) The sets of the monomials of X, m, m̃, f, s_j, r_j are the same and known.
(2) The bit lengths of the coefficients of X, m, m̃, f, s_j, r_j are known.
(3) The coefficients of s_j, X are much smaller than those of the others.
3-2. Idea of Our Attack
Put
  F_1' := F_1 − F_2, F_2' := F_2 − F_3,
  s_1' := s_1 − s_2, s_2' := s_2 − s_3, r_1' := r_1 − r_2, r_2' := r_2 − r_3.
Then F_1' = s_1' f + r_1' X and F_2' = s_2' f + r_2' X, and from these equalities
  s_2' F_1' − s_1' F_2' = g X, where g := s_2' r_1' − s_1' r_2'.
3-3. Idea of Our Attack
X, F_1', F_2': known. s_j', g: unknown.
The first step of our attack is to find s_1', s_2'. Regarding the unknown coefficients of s_1', s_2', g as indeterminates derives a linear system over ℤ; note that the monomials of s_1', s_2', g are known.
3-4. Outline of Our Attack
※ It is sufficient for breaking DEC to find m.
Step 1. Find s_1' := s_1 − s_2 and s_2' := s_2 − s_3 by the weighted LLL.
Step 2. Find f satisfying F_1' = s_1' f + r_1' X and F_2' = s_2' f + r_2' X by using s_1' and s_2' obtained in Step 1. We fix such f.
Step 3. Find s_1 by Babai's nearest plane algorithm. After that, recover m by linear algebra technique and modular arithmetic.
In each step, we obtain a linear system by comparing the coefficients of the L.H.S. and those of the R.H.S.
Focus on Step 1 in this talk.
3-5. SVP and LLL algorithm
Definition (Shortest Vector Problem).
Given: ℬ = {𝐛_1, …, 𝐛_n}, a basis of a lattice ℒ ⊂ ℝ^m, and ‖⋅‖, a norm on ℝ^m (typically the Euclidean norm is chosen).
SVP is to find a shortest vector 𝐮 ∈ ℒ w.r.t. ‖⋅‖, i.e., ‖𝐮‖ ≤ ‖𝐰‖ for all 𝐰 ∈ ℒ ∖ {𝟎}.
3-6. SVP and LLL algorithm
The LLL algorithm, proposed in 1982, is an algorithm to (approximately) solve the SVP. In this talk we omit its details (see [8, 9]) but review some properties.
LLL algorithm
Input: an (ordered) basis 𝒜 = {𝐚_1, …, 𝐚_n} of a lattice ℒ ⊂ ℚ^m, and a real number 1/4 < δ < 1.
Output: an LLL-reduced basis ℬ = {𝐛_1, …, 𝐛_n} of ℒ for the factor δ.
(1) If ℬ is LLL-reduced with δ = 3/4, then ‖𝐛_1‖ < 2^{(n−1)/2} min{‖𝐰‖ : 𝐰 ∈ ℒ ∖ {𝟎}}.
(2) LLL terminates in polynomial time in the rank and dimension of the input lattice basis.
Note: In practice, LLL finds the shortest vector with high probability for random lattices of low rank.
Remark: An LLL-reduced basis is defined as a “sufficiently close to orthogonal” basis for a lattice; see [8, 9] for details.
[8] A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen 261 (4), 515-534 (1982).
[9] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press (2012).
3-7. CVP and Babai's nearest plane algorithm
Definition (Closest Vector Problem).
Given: ℬ = {𝐛_1, …, 𝐛_n}, a basis of a lattice ℒ ⊂ ℝ^m; 𝐯 ∈ ℝ^m, a vector with 𝐯 ∉ ℒ; and ‖⋅‖, a norm on ℝ^m (typically the Euclidean norm is chosen).
CVP is to find the closest lattice point 𝐮 ∈ ℒ to 𝐯 w.r.t. ‖⋅‖, i.e., ‖𝐮 − 𝐯‖ ≤ ‖𝐰 − 𝐯‖ for all 𝐰 ∈ ℒ.
(Figure: a 2-dimensional lattice with basis 𝐛_1, 𝐛_2, the target 𝐯 and its closest lattice point 𝐮.)
3-8. CVP and Babai's nearest plane algorithm
Babai's nearest plane algorithm (Babai NPA) is an algorithm to (approximately) solve the CVP. In this talk we omit its details (see [9, 10]) but review some properties.
Input: a basis ℬ = {𝐛_1, …, 𝐛_n} of a lattice ℒ ⊂ ℤ^m, and 𝐯 ∈ Span(𝐛_1, …, 𝐛_n) ∩ ℚ^m with 𝐯 ∉ ℒ.
Output: a vector 𝐮 ∈ ℒ.
(1) If ℬ is LLL-reduced with δ = 3/4, then ‖𝐯 − 𝐮‖ < 2^{n/2} ‖𝐯 − 𝐰‖ for all 𝐰 ∈ ℒ.
(2) Babai NPA terminates in polynomial time in the rank and dimension of the input lattice basis.
Note: In practice, NPA outputs a lattice point very close to 𝐯 in many cases.
[9] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press (2012).
[10] L. Babai, On Lovász' lattice reduction and the nearest lattice point problem, Combinatorica 6 (1), 1-13 (1986).
3-9. Detail of Step 1
  s_2' F_1' − s_1' F_2' = g X ⋯ (∗), where g := s_2' r_1' − s_1' r_2'.
(In the slides, blue symbols denote unknown objects.)
The monomials with non-zero coefficients of s_1', s_2' and g are known, so we obtain a linear system from (∗).
ℒ_1': the lattice defined as the nullspace of the system. Clearly, (𝐬_1', 𝐬_2', 𝐠) ∈ ℒ_1'.
We can estimate the bit length of all entries of 𝐬_1' and 𝐬_2' from X.
3-10. Example
In the previous example,
・ F_1 = 10249529x^6 + 11385607x^3y − 1145521947x^3 + 285828y^2 + 3875776971y + 380021083,
・ F_2 = 8601568x^6 + 10198593x^3y − 413023700x^3 + 1266920y^2 + 4231133643y + 1248752507,
・ F_3 = 7285654x^6 + 13000595x^3y + 288863195x^3 + 382776y^2 + 1425727283y + 480633723,
so that
・ F_1' = F_1 − F_2 = 1647961x^6 + 1187014x^3y − 732498247x^3 − 981092y^2 − 355356672y − 868731424,
・ F_2' = F_2 − F_3 = 1315914x^6 − 2802002x^3y − 701886895x^3 + 884144y^2 + 2805406360y + 768118784.
3-11. Example
  s_2' F_1' − s_1' F_2' = g X ⋯ (∗), where g := s_2' r_1' − s_1' r_2'.
Put
  s_1' := c_1 x^3 + c_2 y + c_3,
  s_2' := c_4 x^3 + c_5 y + c_6,
  g := c_7 x^6 + c_8 x^3 y + c_9 x^3 + c_10 y^2 + c_11 y + c_12,
with
・ X = 25x^3 − 4y − 19416 (Public Key),
・ F_1' = 1647961x^6 + 1187014x^3y − 732498247x^3 − 981092y^2 − 355356672y − 868731424,
・ F_2' = 1315914x^6 − 2802002x^3y − 701886895x^3 + 884144y^2 + 2805406360y + 768118784.
By (∗), (c_1, c_2, …, c_12) A = 𝟎 for an integer matrix A; ∃ linear system over ℤ.
3-12. Example
(c_1, c_2, …, c_12) A = 𝟎; ∃ linear system.
ℒ_1' := Ker A = {𝐮 ∈ ℤ^12 ; 𝐮A = 0}.
Basis matrix (columns c_1, c_2, …, c_6, c_7, c_8, ⋯; the c_7, …, c_12 part is omitted as ⋯):
  𝐮_1 = (1, 32, −49644, 24, −24, −47364, ⋯),
  𝐮_2 = (0, 67, −101807, 0, −42, −59843, ⋯),
  𝐮_3 = (0, 0, 0, 25, −4, −19416, ⋯).
Cut the columns c_7, …, c_12.
Remark: 𝐬_1, 𝐬_2 are very short ⇒ (𝐬_1', 𝐬_2') is very short.
3-13. Recall (unknown objects)
・ s_1 = 28x^3 + 4y + 29060, s_2 = 26x^3 + 7y + 26541, s_3 = 28x^3 + 5y + 22594,
・ s_1' := s_1 − s_2 = 2x^3 − 3y + 2519,
・ s_2' := s_2 − s_3 = −2x^3 + 2y + 3947,
  𝐬' := (𝐬_1', 𝐬_2') = (2, −3, 2519, −2, 2, 3947).
Remark: The bit length of the entries of 𝐬' can be estimated because the bit lengths of the entries of 𝐬_1, 𝐬_2 are the same as those of the public key 𝐗 (known from the encryption process).
3-14. Does the usual LLL work well?
s_1' := c_1 x^3 + c_2 y + c_3, s_2' := c_4 x^3 + c_5 y + c_6.
ℒ_1 := ⟨𝐮_1, 𝐮_2, 𝐮_3⟩_ℤ ⊆ ℤ^6, with (columns c_1, …, c_6)
  𝐮_1 = (1, 32, −49644, 24, −24, −47364),
  𝐮_2 = (0, 67, −101807, 0, −42, −59843),
  𝐮_3 = (0, 0, 0, 25, −4, −19416).
𝐬' := (𝐬_1', 𝐬_2') = (2, −3, 2519, −2, 2, 3947) ∈ ℒ_1: very short. Shortest vector??
3-15. Does the usual LLL work well?
LLL on 𝐮_1, 𝐮_2, 𝐮_3 gives the reduced basis
  𝐯_1 = (283, −190, 114, 167, 64, −438),
  𝐯_2 = (363, −243, −933, 212, 82, 519),
  𝐯_3 = (1497, −1006, 2042, 878, 340, 2714).
Is 𝐬' = (2, −3, 2519, −2, 2, 3947) a shortest vector? No!
3-16. Why does the usual LLL work less?
𝐬' := (𝐬_1', 𝐬_2') ∈ ℒ_1 is relatively short but not shortest (with unbalanced entries) because of the existence of certain large entries:
  𝐬' = (2, −3, 2519, −2, 2, 3947): small, small, large?, small, small, large?
Nevertheless, we predict that 𝐬' is a shortest vector “in some sense”.
⇒ Apply a weighted norm instead of the Euclidean norm.
3-17. Idea of Weighted LLL Algorithm
  𝐬' := (𝐬_1', 𝐬_2') = (2, −3, 2519, −2, 2, 3947): small, small, large?, small, small, large?
Recall: 𝐗 = (25, −4, −19416), the public key. The coefficients of s_j and X have the same bit sizes, so the entries of 𝐬_1', 𝐬_2' and 𝐗 have “near” (or the same) bit sizes (absolute values).
Ratio of the entries of 𝐗 (absolute values) to the largest one: 25/19416, 1/4854, 1.
From this, set
  𝐰 := (2^{lg(19416/25)}, 2^{lg(4854/1)}, 1, 2^{lg(19416/25)}, 2^{lg(4854/1)}, 1) = (2^9, 2^12, 1, 2^9, 2^12, 1)
(exponents rounded down).
3-18. Idea of Weighted LLL Algorithm
𝐰 = (2^9, 2^12, 1, 2^9, 2^12, 1). W := (W_i): the diagonal matrix defined by W_i = w_i.
Multiply the basis by W:
  𝐮_1 W = (512, 131072, −49644, 12288, −98304, −47364),
  𝐮_2 W = (0, 274432, −101807, 0, −172032, −59843),
  𝐮_3 W = (0, 0, 0, 12800, −16384, −19416).
3-19. Idea of Weighted LLL Algorithm
𝐰 = (2^9, 2^12, 1, 2^9, 2^12, 1). W := (W_i): the diagonal matrix defined by W_i = w_i.
LLL on 𝐮_1 W, 𝐮_2 W, 𝐮_3 W gives
  𝐮_1' = (1024, −12288, 2519, −1024, 8192, 3947),
  𝐮_2' = (−1024, 12288, −2519, −11776, 8192, 15469),
  𝐮_3' = (11776, −4096, −21935, 1024, −8192, −3947),
and multiplying by W^{−1}:
  𝐮_1' W^{−1} = (2, −3, 2519, −2, 2, 3947),
  𝐮_2' W^{−1} = (−2, 3, −2519, −23, 2, 15469),
  𝐮_3' W^{−1} = (23, −1, −21935, 2, −2, −3947).
The first vector is just the same as (𝐬_1', 𝐬_2')!
Definition (weighted norm and weighted lattice).
For a lattice ℒ ⊂ ℝ^m and a vector 𝐰 = (w_1, …, w_m) ∈ ℝ_{>0}^m, we define a weighted norm ‖⋅‖_𝐰 for 𝐰 as follows:
  ‖𝐮‖_𝐰 := sqrt((u_1 w_1)^2 + ⋯ + (u_m w_m)^2)   (𝐮 ∈ ℒ).
Then ‖⋅‖_𝐰 is a norm on ℒ ⊂ ℝ^m, and we call ℒ a weighted lattice for 𝐰. We denote ℒ by ℒ_𝐰 depending on the situation.
3-20. Assumption of (𝐬_1', 𝐬_2')
What should we assume that (𝐬_1', 𝐬_2') is, theoretically?
Lemma (shortest vectors with a weight).
Let ℒ_𝐰 ⊂ ℝ^m be a lattice with the weight 𝐰 = (w_1, …, w_m) ∈ ℝ_{>0}^m. We set W as the diagonal matrix
  W := diag(w_1, …, w_m),
and f_W : ℝ^m ⟶ ℝ^m ; 𝐱 ⟼ 𝐱W, so that ℒ_𝐰 ≅ f_W(ℒ_𝐰). Then the following are equivalent for any 𝐱 ∈ ℒ_𝐰:
1. The vector 𝐱 is a shortest vector in ℒ_𝐰 with respect to the norm ‖⋅‖_𝐰.
2. The vector 𝐱W is a shortest vector in Im(f_W) = f_W(ℒ_𝐰) with respect to the Euclidean norm.
3-21. Assumption of (𝐬_1', 𝐬_2')
From this, we may assume that (𝐬_1', 𝐬_2') is a shortest vector in ℒ_1^𝐰 w.r.t. the norm ‖⋅‖_𝐰.
3-22. Summary of Weighted LLL (3-rank case)
Target: 𝐬 ∈ ℒ_1 := ⟨𝐮_1, 𝐮_2, 𝐮_3⟩_ℤ, a relatively short vector with entries of unbalanced sizes (not a shortest), which the usual LLL on ℒ_1 does not find.
1. f_W : 𝐮 ⟼ 𝐮W, giving f_W(ℒ_1) = ⟨𝐮_1 W, 𝐮_2 W, 𝐮_3 W⟩_ℤ.
2. LLL: an LLL-reduced basis 𝐮_1', 𝐮_2', 𝐮_3' of f_W(ℒ_1).
3. f_W^{−1} : 𝐮' ⟼ 𝐮'W^{−1}, giving the “weighted” LLL-reduced basis 𝐮_1'W^{−1}, 𝐮_2'W^{−1}, 𝐮_3'W^{−1} of ℒ_1.
We generalize this method to an algorithm (let us omit to mention it precisely in this talk). The algorithm terminates in polynomial time w.r.t. the rank and the dimension of a lattice.
3-23. Outline of Our Attack (recap)
※ It is sufficient for breaking DEC to find m.
Step 1. Find s_1' := s_1 − s_2 and s_2' := s_2 − s_3 by the weighted LLL.
Step 2. Find f satisfying F_1' = s_1' f + r_1' X and F_2' = s_2' f + r_2' X by using s_1' and s_2' obtained in Step 1. We fix such f.
Step 3. Find s_1 by Babai's nearest plane algorithm. After that, recover m by linear algebra technique and modular arithmetic.
In each step, we obtain a linear system by comparing the coefficients of the L.H.S. and those of the R.H.S.
Focused on Step 1 in this talk.
4-1. Complexity of Our Algorithm
Parameters: λ and w := deg X.
Main computation of each step:
  Step 1: weighted LLL
  Step 2: LLL
  Step 3 (dominant): Babai nearest plane with LLL, modular arithmetic
Computation common to all steps: solving linear systems (by Hermite normal form), arithmetic over ℤ[x_1, …, x_n].
Theorem. Under certain assumptions*, the worst case total bit complexity of our attack algorithm is O(w^11 λ^2 + w^5 λ^3).
Consequently, the attack performs in polynomial time for λ and w.
*e.g. assume that the coefficient explosion does not happen in the computation of HNF.
Considering the size of the ciphertext, w should not be so large.
4-2. Experimental Results 1
Table 1*: Results of our attack for the parameters suggested in [Oku15] with n = 3 and λ = 128
 w   #{terms of X}   Success times (Step 1 / Step 2 / Step 3)   Average time (seconds)
 5        3                  75 / 75 / 27                          0.072408
 5        4                  78 / 78 / 26                          0.1009
 5        5                  91 / 91 / 36                          0.13494
 7        3                  79 / 79 / 17                          0.11106
 7        4                  75 / 75 / 22                          0.15900
 7        7                  87 / 87 / 32                          0.35841
10        3                  73 / 73 / 27                          0.18237
10        4                  78 / 78 / 27                          0.27500
10        7                  84 / 84 / 29                          0.61914
10       10                  91 / 91 / 32                          2.0475
Step 1: more than 70 % succeed by the weighted LLL.
The one-wayness of the instances is broken in almost 30 % of the cases in practical time. It is a sufficiently high probability for cryptanalysis.
*EV: Magma V2.20-10, Windows 8.1 Pro OS 64 bit, 2.60 GHz CPU (Intel Core i5) and 8 GB memory.
4-3. Experimental Results 2
Table 2*: Results in the case of increasing w (with n = 3 and λ = 128)
 w   #{terms of X}   Average time (seconds)   Secret key (bit)   Public key (bit)   Ciphertext (bit)
 5        5              0.13494                   201                759                30121
10       10              2.04750                   198               1460               165895
15       15             10.75300                   198               2155               461314
20       20             35.86000                   198               2859              1050407
25       25             69.56900                   201               3574              1951801
30       30            303.10000                   201               4275              3257461
35       35            544.59000                   201               4899              5049308
40       40           1200.00000                   201               5717              7420943
45       45           1641.00000                   200               6316             10224888
The required time is much shorter than the estimated complexity suggests. The computation of HNF, estimated to be the most expensive part, does not take much time because the coefficient matrices obtained in our attack are sparse in many cases.
5-1. Summary
• DEC has resistance against recovering the secret key directly (difficulty of solving Diophantine equations).
• However, the one-wayness of the system reduces to finding a relatively short, but not shortest, vector in lattices of low rank.
• Our experimental results show that our attack with the weighted LLL can find such vectors. As a consequence, the one-wayness of DEC can be broken with high probability in polynomial time for the parameters suggested in [Oku15].