Cryptography and Lattices

We present a lattice attack on low exponent RSA with short secret exponent d = N^δ for every δ < 0.29. The attack is a variation of an approach by Boneh and Durfee [4] based on lattice reduction techniques and Coppersmith's method for finding small roots of modular polynomial equations. Although our results are slightly worse than the results of Boneh and Durfee, they have several interesting features. We partially analyze the structure of the lattices we are using. For most δ < 0.29 our method requires lattices of smaller dimension than the approach by Boneh and Durfee. Hence, we get a more practical attack on low exponent RSA. We demonstrate this by experiments, where δ > 0.265. Our method, as well as the method by Boneh and Durfee, is heuristic, since the method is based on Coppersmith's approach for bivariate polynomials. Coppersmith [6] pointed out that this heuristic must fail in some cases. We argue in this paper that a (practically not interesting) variant of the Boneh/Durfee attack proposed in [4] always fails. Many authors have already stressed the necessity for rigorous proofs of Coppersmith's method in the multivariate case. This is even more evident in light of these results.
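The following Python program is an added worked example, not code from the paper or its authors. It builds a toy RSA instance with a short secret exponent d = N^δ, sets up the bivariate modular equation that the Boneh–Durfee lattice attack solves (f(x, y) = x(N + 1 + y) + 1 ≡ 0 mod e, with small root (k, -(p + q))), checks the size of that root against the bounds X ≈ N^δ and Y ≈ 3N^(1/2) the attack relies on, and runs the continued-fraction attack of Wiener [38], which is the baseline the lattice attack extends: it recovers d for δ < 1/4 and fails for an instance with δ ≈ 0.28, the region the lattice attack covers. The lattice construction itself (shift polynomials, LLL reduction, resultant) is not implemented here. Key sizes, the RNG seed and all function names are choices made for this illustration.

```python
# Toy RSA instance with a short secret exponent d = N^delta.  Added
# illustration, not code from the paper: it builds the bivariate modular
# equation the Boneh-Durfee lattice attack solves, checks its small root, and
# runs Wiener's continued-fraction attack [38], which works only for delta < 1/4.
# Key sizes, the RNG seed and all names are choices made for this example.
import math
import random

BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (probabilistic for 128-bit candidates)."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def make_instance(bits: int, d_bits: int, seed: int):
    """(N, e, d, p, q) with balanced primes (q < p < 2q) and a d_bits-bit d."""
    rng = random.Random(seed)
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p:
        q = random_prime(bits // 2, rng)
    p, q = max(p, q), min(p, q)
    N, phi = p * q, (p - 1) * (q - 1)
    d = rng.getrandbits(d_bits) | (1 << (d_bits - 1)) | 1
    while math.gcd(d, phi) != 1:
        d += 2
    return N, pow(d, -1, phi), d, p, q      # e = d^-1 mod phi, usually ~N in size


def f_mod_e(N: int, e: int, x: int, y: int) -> int:
    """Boneh-Durfee polynomial f(x, y) = x*(N + 1 + y) + 1, reduced mod e."""
    return (x * (N + 1 + y) + 1) % e


def bd_small_root(N, e, d, p, q):
    """Small root (k, -(p+q)) of f mod e, since e*d = 1 + k*(N + 1 - (p + q)).

    0 < k < d = N^delta and p + q < 3*sqrt(N) are the root bounds X, Y that
    decide how far the lattice attack reaches.
    """
    return (e * d - 1) // ((p - 1) * (q - 1)), -(p + q)


def convergents(num: int, den: int):
    """Convergents h/k of num/den, from its continued-fraction expansion."""
    h_prev, h, k_prev, k = 0, 1, 1, 0
    while den:
        a, (num, den) = num // den, (den, num % den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener_attack(N: int, e: int):
    """Recover (d, p, q) when d < N^(1/4)/3 (k/d is then a convergent of e/N)."""
    for k, d in convergents(e, N):
        if k == 0 or (e * d - 1) % k:
            continue
        s = N - (e * d - 1) // k + 1          # candidate p + q from phi = (e*d-1)/k
        disc = s * s - 4 * N                  # p, q are roots of z^2 - s*z + N
        r = math.isqrt(disc) if disc >= 0 else -1
        if r < 0 or r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if q > 1 and p * q == N:
            return d, p, q
    return None


if __name__ == "__main__":
    for d_bits in (50, 72):   # delta ~ 0.20 (Wiener range) and ~ 0.28 (lattice range)
        N, e, d, p, q = make_instance(256, d_bits, seed=2024)
        x0, y0 = bd_small_root(N, e, d, p, q)
        print(d.bit_length(), f_mod_e(N, e, x0, y0), wiener_attack(N, e) == (d, p, q))
```

For the 50-bit d the continued-fraction attack returns the planted (d, p, q); for the 72-bit d the same polynomial still has its small root modulo e, but k/d is no longer a convergent of e/N and the attack returns None. Closing that gap, up to δ < 0.29, is exactly what the lattice-based approach described in the abstract does, at the cost of relying on the heuristic bivariate Coppersmith step.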

[1]  C. P. Schnorr,et al.  A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms , 1987, Theor. Comput. Sci..

[2]  Claus-Peter Schnorr,et al.  Segment LLL-Reduction of Lattice Bases , 2001, CaLC.

[3]  Daniele Micciancio,et al.  Improving Lattice Based Cryptosystems Using the Hermite Normal Form , 2001, CaLC.

[4]  Martin E. Hellman,et al.  Hiding information and signatures in trapdoor knapsacks , 1978, IEEE Trans. Inf. Theory.

[5]  Daniele Micciancio Lattice Based Cryptography: A Global Improvement , 1999, IACR Cryptol. ePrint Arch..

[6]  Ernest F. Brickell,et al.  Solving Low Density Knapsacks , 1983, CRYPTO.

[7]  Nick Howgrave-Graham,et al.  Finding Small Roots of Univariate Modular Equations Revisited , 1997, IMACC.

[8]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[9]  Claus-Peter Schnorr,et al.  An Optimal, Stable Continued Fraction Algorithm for Arbitrary Dimension , 1996, Electron. Colloquium Comput. Complex..

[10]  Kenneth J. Giuliani Factoring Polynomials with Rational Coefficients , 1998 .

[11]  Robert J. McEliece,et al.  A public key cryptosystem based on algebraic coding theory , 1978 .

[12]  O. Goldreich Public-key cryptography from lattice reduction problems , 1997, CRYPTO 1997.

[13]  Jacques Stern,et al.  The Hardness of Approximate Optima in Lattices, Codes, and Systems of Linear Equations , 1997, J. Comput. Syst. Sci..

[14]  Cynthia Dwork,et al.  A public-key cryptosystem with worst-case/average-case equivalence , 1997, STOC '97.

[15]  Igor E. Shparlinski,et al.  The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces , 2003, Des. Codes Cryptogr..

[16]  Antoine Joux,et al.  A Chosen-Ciphertext Attack against NTRU , 2000, CRYPTO.

[17]  Jean-François Misarsky,et al.  A Multiplicative Attack Using LLL Algorithm on RSA Signatures with Redundancy , 1997, CRYPTO.

[18]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[19]  Dan Boneh,et al.  Finding smooth integers in short intervals using CRT decoding , 2000, STOC '00.

[20]  Anne Canteaut,et al.  Cryptanalysis of the Original McEliece Cryptosystem , 1998, ASIACRYPT.

[21]  S. Konyagin,et al.  On polynomial congruences , 1994 .

[22]  Phong Q. Nguyen,et al.  Noisy Polynomial Interpolation and Noisy Chinese Remaindering , 2000, EUROCRYPT.

[23]  V. Sidelnikov,et al.  On insecurity of cryptosystems based on generalized Reed-Solomon codes , 1992 .

[24]  Don Coppersmith,et al.  Finding Small Solutions to Small Degree Polynomials , 2001, CaLC.

[25]  Elwyn R. Berlekamp,et al.  Algebraic coding theory , 1984, McGraw-Hill series in systems science.

[26]  James L. Massey,et al.  Shift-register synthesis and BCH decoding , 1969, IEEE Trans. Inf. Theory.

[27]  Philip N. Klein,et al.  Finding the closest lattice vector when it's unusually close , 2000, SODA '00.

[28]  Daniele Micciancio,et al.  On the hardness of the shortest vector problem , 1998 .

[29]  Jin-Yi Cai,et al.  Some recent progress on the complexity of lattice problems , 1999, Proceedings. Fourteenth Annual IEEE Conference on Computational Complexity (Formerly: Structure in Complexity Theory Conference) (Cat.No.99CB36317).

[30]  N. J. A. Sloane,et al.  Sphere Packings, Lattices and Groups , 1987, Grundlehren der mathematischen Wissenschaften.

[31]  Jeffrey C. Lagarias,et al.  Solving low density subset sum problems , 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[32]  Brigitte Vallée,et al.  How to Guess l-th Roots Modulo n by Reducing Lattice Bases , 1988, AAECC.

[33]  Igor E. Shparlinski,et al.  On the Security of Diffie-Hellman Bits , 2000, Electron. Colloquium Comput. Complex..

[34]  Claus-Peter Schnorr,et al.  Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction , 1995, EUROCRYPT.

[35]  Daniel Bleichenbacher On the Security of the KMOV Public Key Cryptosystem , 1997, CRYPTO.

[36]  Mihir Bellare,et al.  "Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DSS Case , 1997, CRYPTO.

[37]  Ramarathnam Venkatesan,et al.  Speeding up Discrete Log and Factoring Based Schemes via Precomputations , 1998, EUROCRYPT.

[38]  Michael J. Wiener,et al.  Cryptanalysis of Short RSA Secret Exponents (Abstract) , 1990, EUROCRYPT.

[39]  Ravi Kumar,et al.  A sieve algorithm for the shortest lattice vector problem , 2001, STOC '01.

[40]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[41]  Phong Q. Nguyen A Montgomery-Like Square Root for the Number Field Sieve , 1998, ANTS.

[42]  D. Boneh,et al.  Factoring N = p^r q for large r , 1999 .

[43]  Ravi Kannan,et al.  Minkowski's Convex Body Theorem and Integer Programming , 1987, Math. Oper. Res..

[44]  Jin-Yi Cai,et al.  The Complexity of Some Lattice Problems , 2000, ANTS.

[45]  Guy Kindler,et al.  Approximating CVP to Within Almost-Polynomial Factors is NP-Hard , 2003, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[46]  Dan Boneh,et al.  Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes , 1996, CRYPTO.

[47]  M. Halberstam,et al.  Notes from a lecture. , 1973, Connecticut medicine.

[48]  Adi Shamir,et al.  Lattice Attacks on NTRU , 1997, EUROCRYPT.

[49]  Nicholas A. Howgrave-Graham Computational mathematics inspired by RSA , 1998 .

[50]  Claus-Peter Schnorr,et al.  Lattice basis reduction: Improved practical algorithms and solving subset sum problems , 1991, FCT.

[51]  Claus-Peter Schnorr,et al.  Segment LLL-Reduction with Floating Point Orthogonalization , 2001, CaLC.

[52]  Peter L. Montgomery,et al.  Square roots of products of algebraic numbers , 1994 .

[53]  Jin-Yi Cai,et al.  A Lattice-Based Public-Key Cryptosystem , 1998, Inf. Comput..

[54]  Brigitte Vallée,et al.  An affine point of view on minima finding in integer lattices of lower dimensions , 1987, EUROCAL.

[55]  Carl Pomerance,et al.  The Development of the Number Field Sieve , 1994 .

[56]  L. Lovász,et al.  Geometric Algorithms and Combinatorial Optimization , 1981 .

[57]  Dan Boneh,et al.  An Attack on RSA Given a Small Fraction of the Private Key Bits , 1998, ASIACRYPT.

[58]  Jin-Yi Cai,et al.  An improved worst-case to average-case connection for lattice problems , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[59]  Bogdan Warinschi,et al.  A linear space algorithm for computing the hermite normal form , 2001, ISSAC '01.

[60]  Antoine Joux,et al.  Why Textbook ElGamal and RSA Encryption Are Insecure , 2000, ASIACRYPT.

[61]  Wolfgang M. Schmidt,et al.  Construction and estimation of bases in function fields , 1991 .

[62]  Henri Cohen,et al.  A course in computational algebraic number theory , 1993, Graduate texts in mathematics.

[63]  C. A. Rogers,et al.  An Introduction to the Geometry of Numbers , 1959 .

[64]  Jeffrey C. Lagarias The Computational Complexity of Simultaneous Diophantine Approximation Problems , 1985, SIAM J. Comput..

[65]  Claus-Peter Schnorr,et al.  A More Efficient Algorithm for Lattice Basis Reduction , 1988, J. Algorithms.

[66]  Charanjit S. Jutla,et al.  On Finding Small Solutions of Modular Multivariate Polynomial Equations , 1998, EUROCRYPT.

[67]  Antoine Joux,et al.  Lattice Reduction: A Toolbox for the Cryptanalyst , 1998, Journal of Cryptology.

[68]  Oded Goldreich,et al.  On the limits of non-approximability of lattice problems , 1998, STOC '98.

[69]  J. Cassels,et al.  Rational Quadratic Forms , 1978 .

[70]  Hendrik W. Lenstra,et al.  Integer Programming with a Fixed Number of Variables , 1983, Math. Oper. Res..

[71]  Dan Boneh,et al.  Breaking RSA May Not Be Equivalent to Factoring , 1998, EUROCRYPT.

[72]  Dan Boneh,et al.  TWENTY YEARS OF ATTACKS ON THE RSA CRYPTOSYSTEM , 1999 .

[73]  R. Kannan ALGORITHMIC GEOMETRY OF NUMBERS , 1987 .

[74]  E. Brickell,et al.  Cryptanalysis: a survey of recent results , 1988, Proc. IEEE.

[75]  Joseph H. Silverman,et al.  NSS: An NTRU Lattice-Based Signature Scheme , 2001, EUROCRYPT.

[76]  Claus-Peter Schnorr,et al.  Approximating Integer Lattices by Lattices with Cyclic Factor Groups , 1987, ICALP.

[77]  Leonard M. Adleman,et al.  On breaking generalized knapsack public key cryptosystems , 1983, STOC.

[78]  Johan Håstad,et al.  Solving Simultaneous Modular Equations of Low Degree , 1988, SIAM J. Comput..

[79]  Ronald L. Rivest,et al.  A knapsack-type public key cryptosystem based on arithmetic in finite fields , 1988, IEEE Trans. Inf. Theory.

[80]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[81]  Graham H. Norton,et al.  On Shortest Linear Recurrences , 1999, J. Symb. Comput..

[82]  Phong Q. Nguyen Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto '97 , 1999, CRYPTO.

[83]  Daniele Micciancio,et al.  The shortest vector in a lattice is hard to approximate to within some constant , 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[84]  Brigitte Vallée,et al.  An Upper Bound on the Average Number of Iterations of the LLL Algorithm , 1994, Theor. Comput. Sci..

[85]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[86]  Serge Vaudenay,et al.  Cryptanalysis of the Chor-Rivest Cryptosystem , 1998, CRYPTO.

[87]  George Labahn,et al.  Asymptotically fast computation of Hermite normal forms of integer matrices , 1996, ISSAC '96.

[88]  M. Ajtai The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[89]  W. Banaszczyk New bounds in some transference theorems in the geometry of numbers , 1993 .

[90]  Bettina Helfrich,et al.  Algorithms to Construct Minkowski Reduced and Hermite Reduced Lattice Bases , 1985, Theor. Comput. Sci..

[91]  Daniele Micciancio,et al.  The hardness of the closest vector problem with preprocessing , 2001, IEEE Trans. Inf. Theory.

[92]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[93]  Nick Howgrave-Graham,et al.  Approximate Integer Common Divisors , 2001, CaLC.

[94]  J. Hoffstein,et al.  The NTRU Signature Scheme : Theory and Practice , 2001 .

[95]  C. Siegel,et al.  Lectures on the Geometry of Numbers , 1989 .

[96]  A. Odlyzko,et al.  Lattice points in high-dimensional spheres , 1990 .

[97]  László Lovász,et al.  Algorithmic theory of numbers, graphs and convexity , 1986, CBMS-NSF regional conference series in applied mathematics.

[98]  Miklós Ajtai,et al.  Generating hard instances of lattice problems (extended abstract) , 1996, STOC '96.

[99]  David Pointcheval,et al.  REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform , 2001, CT-RSA.

[100]  Ravi Kannan,et al.  Improved algorithms for integer programming and related lattice problems , 1983, STOC.

[101]  Oded Goldreich,et al.  Public-Key Cryptosystems from Lattice Reduction Problems , 1996, CRYPTO.

[102]  Miklós Ajtai,et al.  Generating Hard Instances of Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[103]  Jean-Pierre Seifert,et al.  Tensor-Based Trapdoors for CVP and Their Application to Public Key Cryptography , 1999, IMACC.

[104]  Jacques Stern,et al.  Lattice Reduction in Cryptology: An Update , 2000, ANTS.

[105]  Dan Boneh,et al.  Simplified OAEP for the RSA and Rabin Functions , 2001, CRYPTO.

[106]  Jean-Pierre Seifert,et al.  On the complexity of computing short linearly independent vectors and short bases in a lattice , 1999, STOC '99.

[107]  Ernest F. Brickell,et al.  Breaking Iterated Knapsacks , 1985, CRYPTO.

[108]  László Babai,et al.  On Lovász’ lattice reduction and the nearest lattice point problem , 1986, Comb..

[109]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[110]  Robert H. Deng,et al.  On the equivalence of McEliece's and Niederreiter's public-key cryptosystems , 1994, IEEE Trans. Inf. Theory.

[111]  Tatsuaki Okamoto,et al.  How to Enhance the Security of Public-Key Encryption at Minimum Cost , 1999, Public Key Cryptography.

[112]  A. Shamir A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem , 1982, FOCS 1982.

[113]  Jean-Pierre Seifert,et al.  Approximating Shortest Lattice Vectors is Not Harder Than Approximating Closest Lattice Vectors , 1999, Electron. Colloquium Comput. Complex..

[114]  Igor E. Shparlinski,et al.  On the Generalised Hidden Number Problem and Bit Security of XTR , 2001, AAECC.

[115]  D. Boneh Cryptanalysis of RSA with Private Key d Less Than N^0.292 , 1999 .

[116]  Dan Boneh,et al.  The Decision Diffie-Hellman Problem , 1998, ANTS.

[117]  Nigel P. Smart,et al.  Lattice Attacks on Digital Signature Schemes , 2001, Des. Codes Cryptogr..

[118]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.