
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm

Momonari Kudo

Graduate School of Mathematics, Kyushu University, JAPAN

Kyushu University Number Theory Seminar

1st September, 2016 @ Kyushu University, JAPAN

This is a joint work with Jintai Ding, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao.

Contents

1. Introduction

This talk is based on the paper: Jintai Ding, Momonari Kudo, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao, "Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction", IACR Cryptology ePrint Archive 2015/1229, 2015.

A short version has been accepted at the refereed international conference IWSEC 2016 and will appear in its proceedings.

1-1. Diophantine equations and Cryptography

Diophantine Problem over ℚ: for a given f ∈ ℤ[x_1, …, x_n], find (a_1, …, a_n) ∈ ℚ^n such that f(a_1, …, a_n) = 0.

In general, there is no algorithm to test Diophantine equations for solvability in ℤ [1].

Applying this hardness, some cryptographic protocols based on the difficulty of solving Diophantine equations have been proposed as post-quantum cryptosystems (PQC):

• A public key cryptosystem [2] in 1995
• Key exchange protocols [3, 4, 5] in 2011-2013
• Algebraic Surface Cryptosystem (ASC09) by Akiyama, Goto, Miyake [6] in 2009

Q. How secure are these cryptosystems?

[1] M. Davis, Y. Matijasevič and J. Robinson, Hilbert's tenth problem, Diophantine equations: positive aspects of a negative solution, In: Mathematical Developments Arising from Hilbert Problems, F. E. Browder (ed.), AMS, Providence, RI, pp. 323-378 (1976).
[2] C. H. Lin, C. C. Chang, R. C. T. Lee, A new public-key cipher system based upon the diophantine equations, IEEE Trans. Comp. 44, 13-19 (1995).
[3] A. Bérczes, L. Hajdu, N. Hirata-Kohno, T. Kovács, A. Pethő, A key exchange protocol based on Diophantine equations and S-integers, JSIAM Letters Vol. 6, 85-88 (2014).
[4] N. Hirata-Kohno, A. Pethő, On a key exchange protocol based on Diophantine equations, Infocommunications Journal 5, 17-21 (2013).
[5] H. Yosh, The key exchange cryptosystem used with higher order Diophantine equations, IJNSA Journal 3, 43-50 (2011).
[6] K. Akiyama, Y. Goto, H. Miyake, Algebraic Surface Cryptosystem, In: Proceedings of PKC'09, Lecture Notes in Comput. Sci. 5443, 425-442 (2009).
[7] J.-C. Faugère, P.-J. Spaenlehauer, Algebraic Cryptanalysis of the PKC'2009 Algebraic Surface Cryptosystem, In: Proceedings of PKC'10, Lecture Notes in Comput. Sci. 6056, 35-52 (2010).

1-2. Previous Works

The proposals above are either impractical or broken. E.g., in 2010 ASC09 was broken by the ideal decomposition attack [7] via Gröbner basis theory.

1-3. Previous Works

Okumura [Oku15] proposed in 2015 a new public key cryptosystem as an analogue of ASC:

A public key cryptosystem based on Diophantine Equations of degree increasing type (DEC).

DEC is expected to have resistance against the ideal decomposition attack (and other attacks).

[Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pac. Journal of Math. for Industry, 7 (4), pp. 33-45 (2015).

1-4. Our Problem

Q. How secure is DEC?

Okumura [Oku15] proposed DEC in 2015 as an analogue of ASC. It is expected to have resistance against the ideal decomposition attack (and other attacks), and to be a PQC candidate. Comparison of the two schemes:

                      Algebraic Surface Cryptosystem (ASC)      Diophantine Equation Cryptosystem (DEC)
Base field            Function field                            Number field
Underlying problem    Section finding problem                   Diophantine problem
Status                Broken by the ideal decomposition attack  What's new: "twisting" the plaintext (to avoid the ideal decomposition attack)

1-5. Our Main Contribution

• Apply a variant of the LLL algorithm to the cryptanalysis. We call it the "weighted LLL algorithm".
• Break the one-wayness of instances of DEC via weighted LLL.

Contents

1. Introduction

2. Overview of DEC

3. Cryptanalysis of DEC via the weighted LLL algorithm

4. Complexity Analysis and Experimental Results

5. Summary

2-1. DEC scheme

Public key: d, e ∈ ℤ_{>0} and X ∈ ℤ[x, y] with certain conditions.
Secret key: (a, b) ∈ ℤ^2 such that X(a/d, b/d) = 0.

Encrypt: for a plaintext polynomial m ∈ ℤ[x, y], "twist" m by e and N ∈ ℤ into m̃, choose some randomness N, f, s_j, r_j, and put

F_1 = m̃ + s_1 f + r_1 X,
F_2 = m̃ + s_2 f + r_2 X,
F_3 = m̃ + s_3 f + r_3 X.

Ciphertext: the three polynomials F_1, F_2, F_3 and N ∈ ℤ.

Crucial Remark
(1) The sets of monomials of X, m, m̃, f, s_j, r_j are the same and known.
(2) The bit lengths of the coefficients of X, m, m̃, f, s_j, r_j are known.
(3) The coefficients of s_j and X are much smaller than those of the others.

To simplify the notation, assume n = 2 throughout this talk.

2-2. Notation

For a polynomial f(x, y) = Σ c_{i,j} x^i y^j ∈ ℤ[x, y] \ {0}, define

1. c_{i,j}(f) := c_{i,j}, the non-zero coefficient of the monomial x^i y^j in f;
2. f (bold style) := (c_{i_1,j_1}(f), …, c_{i_q,j_q}(f)), the vector consisting of all the non-zero coefficients of f, with (i_1, j_1) ≻ ⋯ ≻ (i_q, j_q) in lexicographic order.

2-3. Toy Example of DEC (Key Generation)

λ: security parameter (in this example, λ := 4).

Public key
・ X = 25x^3 − 4y − 19416 ∈ ℤ[x, y]
・ d = 5
・ e = 15

Secret key
・ (a, b) = (46, 64) ∈ ℤ^2, chosen so that X(a/d, b/d) = 0 (indeed 25·(46/5)^3 − 4·(64/5) − 19416 = 0).

The parameters are chosen so that gcd(ab, d) = 1, gcd(e, φ(d)) = 1 (φ: Euler's function), d ≥ 2^{λ/2}, e ≥ λ + 1 + (λ/2 + 1)·deg X, and max{|a|, |b|} lies in a range determined by 2^λ, φ(d) and d (see [Oku15] for the exact bounds).

Remark: [Oku15] suggests λ = 128.

2-4. Toy Example of DEC (Encryption)

Recall X = 25x^3 − 4y − 19416, d = 5, e = 15.

Plaintext (polynomial): m = 3x^3 + 3y + 3, whose coefficients satisfy 1 < c_{i,j}(m) < d and gcd(c_{i,j}(m), d) = 1.

Encryption

Step 1. Twist the plaintext m.
・ Choose an N ∈ ℤ_{>0} such that Nd > 2^λ · max_{i,j} |c_{i,j}(X)|. Here N = 62144 (Nd = 310720 > 16 · 19416 = 310656).
・ Put c_{i,j}(m̃) := c_{i,j}(m)^e (mod Nd). Here c_{3,0}(m̃) := 3^15 (mod 310720) = 55787, and likewise for the other two coefficients, so

m̃ = 55787x^3 + 55787y + 55787.

2-5. Toy Example of DEC (Encryption)

Recall X = 25x^3 − 4y − 19416.

Step 2. Choose some polynomials uniformly at random (with the same monomials as X):
・ s_1 = 28x^3 + 4y + 29060, s_2 = 26x^3 + 7y + 26541, s_3 = 28x^3 + 5y + 22594 (the vectors s_j are very short),
・ f = 133943x^3 + 258040y + 152992,
・ r_1 = 259965x^3 + 186583y + 209414, r_2 = 204762x^3 + 134840y + 144822, r_3 = 141410x^3 + 226856y + 153282.

Crucial Remark: f, s_j, r_j are chosen so that certain conditions hold; e.g. the coefficients of s_j and X have the same bit sizes.

2-6. Toy Example of DEC (Encryption)

Step 3. Make the ciphertext (polynomials). Put
F_1 := m̃ + s_1 f + r_1 X, F_2 := m̃ + s_2 f + r_2 X, F_3 := m̃ + s_3 f + r_3 X:

・ F_1 = 10249529x^6 + 11385607x^3y − 1145521947x^3 + 285828y^2 + 3875776971y + 380021083,
・ F_2 = 8601568x^6 + 10198593x^3y − 413023700x^3 + 1266920y^2 + 4231133643y + 1248752507,
・ F_3 = 7285654x^6 + 13000595x^3y + 288863195x^3 + 382776y^2 + 1425727283y + 480633723.

Send (F_1, F_2, F_3, N).

Remark 1: One can decrypt the ciphertext as in Sections 3.4 and 3.5 of [Oku15]. In this talk we omit the decryption process.

Remark 2: We mention the recommended (and estimated) parameter sizes later.
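The toy encryption of 2-4 to 2-6 carried out in code, as an added example (it is not code from the slides or from [Oku15]). Polynomials in ℤ[x, y] are held as dictionaries {(i, j): c} for c·x^i·y^j; the representation and the function names are ours, all parameter and randomness values are the slides' toy values. The last function also forms F_1' = F_1 − F_2 and F_2' = F_2 − F_3, the starting point of the attack in Section 3.

```python
# Added example: DEC toy encryption (n = 2, lambda = 4) from the slides.
from math import gcd


def padd(p, q):
    """Sum of two polynomials in Z[x, y]; zero coefficients are dropped."""
    r = dict(p)
    for mono, c in q.items():
        r[mono] = r.get(mono, 0) + c
    return {mono: c for mono, c in r.items() if c}


def pmul(p, q):
    """Product of two polynomials in Z[x, y]."""
    r = {}
    for (i1, j1), c1 in p.items():
        for (i2, j2), c2 in q.items():
            mono = (i1 + i2, j1 + j2)
            r[mono] = r.get(mono, 0) + c1 * c2
    return {mono: c for mono, c in r.items() if c}


# Public key X = 25x^3 - 4y - 19416, d = 5, e = 15; secret key (a, b) = (46, 64)
X = {(3, 0): 25, (0, 1): -4, (0, 0): -19416}
D, E, LAMBDA = 5, 15, 4
A, B = 46, 64


def secret_key_is_valid(a=A, b=B, d=D, x=X):
    """X(a/d, b/d) = 0, checked over Z by multiplying through by d^deg(X)."""
    deg = max(i + j for i, j in x)
    return sum(c * a**i * b**j * d**(deg - i - j) for (i, j), c in x.items()) == 0


def plaintext_is_valid(m, d=D):
    """Plaintext coefficients must satisfy 1 < c < d and gcd(c, d) = 1."""
    return all(1 < c < d and gcd(c, d) == 1 for c in m.values())


def twist(m, n, e=E, d=D):
    """Step 1: c_{i,j}(m~) := c_{i,j}(m)^e mod N*d, with N*d > 2^lambda * max|c(X)|."""
    assert n * d > 2**LAMBDA * max(abs(c) for c in X.values())
    return {mono: pow(c, e, n * d) for mono, c in m.items()}


def encrypt(m, n, f, s_list, r_list):
    """Steps 1-3: F_j = m~ + s_j*f + r_j*X. Returns ([F_1, F_2, F_3], N)."""
    mt = twist(m, n)
    fs = [padd(padd(mt, pmul(sj, f)), pmul(rj, X)) for sj, rj in zip(s_list, r_list)]
    return fs, n


# Plaintext and the randomness used on the slides (never seen by an attacker)
M = {(3, 0): 3, (0, 1): 3, (0, 0): 3}
N = 62144
S_LIST = [{(3, 0): 28, (0, 1): 4, (0, 0): 29060},
          {(3, 0): 26, (0, 1): 7, (0, 0): 26541},
          {(3, 0): 28, (0, 1): 5, (0, 0): 22594}]
F_POLY = {(3, 0): 133943, (0, 1): 258040, (0, 0): 152992}
R_LIST = [{(3, 0): 259965, (0, 1): 186583, (0, 0): 209414},
          {(3, 0): 204762, (0, 1): 134840, (0, 0): 144822},
          {(3, 0): 141410, (0, 1): 226856, (0, 0): 153282}]


def toy_ciphertext():
    """The ciphertext (F_1, F_2, F_3, N) of the toy example."""
    return encrypt(M, N, F_POLY, S_LIST, R_LIST)


def differences(fs):
    """F_1' = F_1 - F_2 and F_2' = F_2 - F_3: the twisted plaintext m~ cancels,
    leaving F_j' = s_j' f + r_j' X (Section 3-2)."""
    def neg(p):
        return {mono: -c for mono, c in p.items()}
    return padd(fs[0], neg(fs[1])), padd(fs[1], neg(fs[2]))


if __name__ == "__main__":
    fs, n = toy_ciphertext()
    print("m~ =", twist(M, N))
    for j, fj in enumerate(fs, 1):
        print("F_%d =" % j, fj)
    print("F_1', F_2' =", differences(fs))
```

Running it reproduces the three polynomials of 2-6 and the differences of 3-10 exactly; the `assert` in `twist` is the N-size condition of Step 1, which the toy value N = 62144 satisfies by a margin of only 64.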

Contents

1. Introduction

2. Overview of DEC

3. Cryptanalysis of DEC via the weighted LLL algorithm

4. Complexity Analysis and Experimental Results

5. Summary

3-1. Idea of Our Attack

Ciphertext (3 polynomials):
F_1 = m̃ + s_1 f + r_1 X, F_2 = m̃ + s_2 f + r_2 X, F_3 = m̃ + s_3 f + r_3 X.

X, F_1, F_2, F_3: known. m̃, f, s_j, r_j: unknown.

Crucial Remark
(1) The sets of monomials of X, m, m̃, f, s_j, r_j are the same and known.
(2) The bit lengths of the coefficients of X, m, m̃, f, s_j, r_j are known.
(3) The coefficients of s_j and X are much smaller than those of the others.

3-2. Idea of Our Attack

Put F_1' := F_1 − F_2, F_2' := F_2 − F_3, s_1' := s_1 − s_2, s_2' := s_2 − s_3, r_1' := r_1 − r_2, r_2' := r_2 − r_3. Subtracting cancels the twisted plaintext m̃:

F_1' = s_1' f + r_1' X,
F_2' = s_2' f + r_2' X.

From the above equalities,

s_2' F_1' − s_1' F_2' = g X, where g := s_2' r_1' − s_1' r_2'.

3-3. Idea of Our Attack

X, F_1', F_2': known. s_j', g: unknown.

The first step of our attack is to find s_1', s_2'. Their coefficients are unknown, but their monomials (and those of g) are known by Crucial Remark (1). Regarding the unknown coefficients of s_1', s_2', g as indeterminates, the equality above derives a linear system over ℤ.

3-4. Outline of Our Attack

※ It is sufficient for breaking DEC to find m̃.

Step 1. Find s_1' := s_1 − s_2 and s_2' := s_2 − s_3 by the weighted LLL.

Step 2. Find f satisfying F_1' = s_1' f + r_1' X and F_2' = s_2' f + r_2' X by using s_1' and s_2' obtained in Step 1. We fix such an f.

Step 3. Find s_1 by Babai's nearest plane algorithm. After that, recover the plaintext by linear algebra techniques and modular arithmetic.

In each step, we obtain a linear system by comparing the coefficients of the L.H.S. with those of the R.H.S.

We focus on Step 1 in this talk.

3-5. SVP and LLL algorithm

Definition (Shortest Vector Problem).
Given: ℬ = {b_1, …, b_n}, a basis of a lattice ℒ ⊂ ℝ^m, and ‖·‖, a norm on ℝ^m (typically the Euclidean norm is chosen).
SVP is to find a shortest vector u ∈ ℒ w.r.t. ‖·‖, i.e., ‖u‖ ≤ ‖w‖ for all w ∈ ℒ \ {0}.

3-6. SVP and LLL algorithm

The LLL algorithm, proposed in 1982 [8], (approximately) solves the SVP. In this talk we omit its details (see [8, 9]) but review some properties.

LLL algorithm
Input: an (ordered) basis 𝒜 = {a_1, …, a_n} of a lattice ℒ ⊂ ℚ^m, and a real number δ with 1/4 < δ < 1.
Output: an LLL-reduced basis ℬ = {b_1, …, b_n} of ℒ for the factor δ.

(1) If ℬ is LLL-reduced with δ = 3/4, then ‖b_1‖ ≤ 2^{(n−1)/2} · min{‖w‖ : w ∈ ℒ \ {0}}.
(2) LLL terminates in polynomial time in the rank and the dimension of the input lattice basis.

Note: In practice, LLL finds the shortest vector with high probability for random lattices of low rank.

Remark: An LLL-reduced basis is defined as a basis that is "sufficiently close to orthogonal"; see [8, 9] for details.

[8] A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen 261 (4), 515-534 (1982).
[9] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press (2012).

3-7. CVP and Babai's nearest plane algorithm

Definition (Closest Vector Problem).
Given: ℬ = {b_1, …, b_n}, a basis of a lattice ℒ ⊂ ℝ^m; v ∈ ℝ^m, a vector with v ∉ ℒ; and ‖·‖, a norm on ℝ^m (typically the Euclidean norm is chosen).
CVP is to find the closest lattice point u ∈ ℒ to v w.r.t. ‖·‖, i.e., ‖u − v‖ ≤ ‖w − v‖ for all w ∈ ℒ.

[Figure: a lattice spanned by b_1, b_2, a target v and its closest lattice point u.]

3-8. CVP and Babai's nearest plane algorithm

Babai's nearest plane algorithm (approximately) solves the CVP. In this talk we omit its details (see [9, 10]) but review some properties.

Babai's nearest plane algorithm (Babai NPA)
Input: a basis ℬ = {b_1, …, b_n} of a lattice ℒ ⊂ ℤ^m, and v ∈ Span(b_1, …, b_n) ∩ ℚ^m with v ∉ ℒ.
Output: a vector u ∈ ℒ.

(1) If ℬ is LLL-reduced with δ = 3/4, then ‖v − u‖ ≤ 2^{n/2} ‖v − w‖ for all w ∈ ℒ.
(2) Babai NPA terminates in polynomial time in the rank and the dimension of the input lattice basis.

Note: In practice, NPA outputs a lattice point very close to v in many cases.

[10] L. Babai, On Lovász' lattice reduction and the nearest lattice point problem, Combinatorica 6 (1), 1-13 (1986).

3-9. Detail of Step 1

s_2' F_1' − s_1' F_2' = g X ⋯ (∗), where g := s_2' r_1' − s_1' r_2'.

(On the slides, unknown objects are written in blue.)

The monomials with non-zero coefficients of s_1', s_2' and g are known, so we obtain a linear system from (∗) by comparing coefficients.
ℒ_1': the lattice defined as the nullspace of the system. Clearly, (s_1', s_2', g) ∈ ℒ_1' (as a vector of coefficients).
We can estimate the bit length of all entries of s_1' and s_2' from X.

3-10. Example

In the previous example,
・ F_1 = 10249529x^6 + 11385607x^3y − 1145521947x^3 + 285828y^2 + 3875776971y + 380021083,
・ F_2 = 8601568x^6 + 10198593x^3y − 413023700x^3 + 1266920y^2 + 4231133643y + 1248752507,
・ F_3 = 7285654x^6 + 13000595x^3y + 288863195x^3 + 382776y^2 + 1425727283y + 480633723,
so
・ F_1' = F_1 − F_2 = 1647961x^6 + 1187014x^3y − 732498247x^3 − 981092y^2 − 355356672y − 868731424,
・ F_2' = F_2 − F_3 = 1315914x^6 − 2802002x^3y − 701886895x^3 + 884144y^2 + 2805406360y + 768118784.

3-11. Example

s_2' F_1' − s_1' F_2' = g X ⋯ (∗), where g := s_2' r_1' − s_1' r_2'.

Put
s_1' := c_1 x^3 + c_2 y + c_3,
s_2' := c_4 x^3 + c_5 y + c_6,
g := c_7 x^6 + c_8 x^3 y + c_9 x^3 + c_10 y^2 + c_11 y + c_12,
with
・ X = 25x^3 − 4y − 19416 (public key),
・ F_1' = 1647961x^6 + 1187014x^3y − 732498247x^3 − 981092y^2 − 355356672y − 868731424,
・ F_2' = 1315914x^6 − 2802002x^3y − 701886895x^3 + 884144y^2 + 2805406360y + 768118784.

By (∗), comparing coefficients gives a linear system over ℤ: (c_1, c_2, …, c_12) A = 0.

3-12. Example

(c_1, c_2, …, c_12) A = 0; ℒ_1' := Ker A = {u ∈ ℤ^12 : uA = 0}.

Basis matrix (rows u_1, u_2, u_3; columns c_1, c_2, …, c_12):

        c_1   c_2     c_3     c_4   c_5     c_6    c_7  c_8  ⋯
u_1 [    1    32   −49644     24   −24   −47364     ⋯    ⋯   ⋯ ]
u_2 [    0    67  −101807      0   −42   −59843     ⋯    ⋯   ⋯ ]
u_3 [    0     0        0     25    −4   −19416     ⋯    ⋯   ⋯ ]

Cut: keep only the first six columns (the coefficients c_1, …, c_6 of s_1', s_2') and drop the columns c_7, …, c_12 of g.

3-13. Recall (unknown objects)

Remark: s_1, s_2 very short ⇒ (s_1', s_2') very short.

・ s_1 = 28x^3 + 4y + 29060, s_2 = 26x^3 + 7y + 26541, s_3 = 28x^3 + 5y + 22594,
・ s_1' := s_1 − s_2 = 2x^3 − 3y + 2519,
・ s_2' := s_2 − s_3 = −2x^3 + 2y + 3947,

s' := (s_1', s_2') = (2, −3, 2519, −2, 2, 3947).

Remark: The bit lengths of the entries of s' can be estimated because the bit lengths of the entries of s_1, s_2 are the same as those of the public key X (known from the encryption process).

3-14. Does the usual LLL work well?

s_1' := c_1 x^3 + c_2 y + c_3, s_2' := c_4 x^3 + c_5 y + c_6.

ℒ_1 := ⟨u_1, u_2, u_3⟩_ℤ ⊆ ℤ^6, where (columns c_1, …, c_6)
u_1 := ( 1,  32,  −49644,  24,  −24,  −47364 ),
u_2 := ( 0,  67, −101807,   0,  −42,  −59843 ),
u_3 := ( 0,   0,       0,  25,   −4,  −19416 ).

s' := (s_1', s_2') = (2, −3, 2519, −2, 2, 3947) ∈ ℒ_1 is very short. Is it the shortest vector?

3-15. Does the usual LLL work well?

Applying the usual LLL to (u_1, u_2, u_3) gives
v_1 = (  283,  −190,   114,  167,   64,  −438 ),
v_2 = (  363,  −243,  −933,  212,   82,   519 ),
v_3 = ( 1497, −1006,  2042,  878,  340,  2714 ).

None of them is s' = (2, −3, 2519, −2, 2, 3947) ∈ ℒ_1: No!

3-16. Why does the usual LLL work less well?

s' := (s_1', s_2') = (2, −3, 2519, −2, 2, 3947) ∈ ℒ_1: small, small, large?, small, small, large?

s' is relatively short but not shortest (its entries are unbalanced) because of the existence of certain large entries.

Nevertheless, we predict that s' is a shortest vector "in some sense": apply a weighted norm instead of the Euclidean norm.

3-17. Idea of Weighted LLL Algorithm

Recall X = (25, −4, −19416) (public key). The coefficients of s_j and X have the same bit sizes, so the entries of s_1', s_2' and X have "near" (or the same) bit sizes (in absolute value).

Ratio of the entries of X (in absolute value): 25/19416 : 1/4854 : 1, i.e. 19416/25 ≈ 776.6 and 19416/4 = 4854.

From this, set

w := (2^{⌊lg(19416/25)⌋}, 2^{⌊lg 4854⌋}, 1, 2^{⌊lg(19416/25)⌋}, 2^{⌊lg 4854⌋}, 1) = (2^9, 2^12, 1, 2^9, 2^12, 1).

3-18. Idea of Weighted LLL Algorithm

w = (2^9, 2^12, 1, 2^9, 2^12, 1); W := diag(w_1, …, w_6), the diagonal matrix with W_i = w_i.

Multiplying the basis by W:
u_1 W = (  512,  131072,   −49644,  12288,   −98304,  −47364 ),
u_2 W = (    0,  274432,  −101807,      0,  −172032,  −59843 ),
u_3 W = (    0,       0,        0,  12800,   −16384,  −19416 ).

3-19. Idea of Weighted LLL Algorithm

LLL on (u_1 W, u_2 W, u_3 W) gives the reduced basis
u_1' = (   1024,  −12288,    2519,   −1024,   8192,    3947 ),
u_2' = (  −1024,   12288,   −2519,  −11776,   8192,   15469 ),
u_3' = (  11776,   −4096,  −21935,    1024,  −8192,   −3947 ),
and multiplying back by W^{−1}:
u_1' W^{−1} = (  2,  −3,    2519,   −2,   2,    3947 ),
u_2' W^{−1} = ( −2,   3,   −2519,  −23,   2,   15469 ),
u_3' W^{−1} = ( 23,  −1,  −21935,    2,  −2,   −3947 ).

The first vector is just the same as (s_1', s_2')!

Definition (weighted norm and weighted lattice).
For a lattice ℒ ⊂ ℝ^m and a vector w = (w_1, …, w_m) ∈ ℝ_{>0}^m, we define a weighted norm ‖·‖_w for w as follows:

‖u‖_w := sqrt( (u_1 w_1)^2 + ⋯ + (u_m w_m)^2 )   (u ∈ ℒ).

Then ‖·‖_w is a norm on ℝ^m ⊃ ℒ, and we call ℒ a weighted lattice for w. We denote ℒ by ℒ_w depending on the situation.

3-20. Assumption on (s_1', s_2')

What should we assume that (s_1', s_2') is, theoretically?

From the above, we may assume that (s_1', s_2') is a shortest vector in ℒ_1^w w.r.t. the norm ‖·‖_w.

3-21. Assumption on (s_1', s_2')

Lemma (shortest vectors with a weight).
Let ℒ_w ⊂ ℝ^m be a lattice with the weight w = (w_1, …, w_m) ∈ ℝ_{>0}^m, and set W := diag(w_1, …, w_m). Let f_W : ℝ^m → ℝ^m, x ↦ xW (a linear isomorphism, since all w_i > 0). Then the following are equivalent for any x ∈ ℒ_w:
1. The vector x is a shortest vector in ℒ_w with respect to the norm ‖·‖_w.
2. The vector xW is a shortest vector in f_W(ℒ_w) with respect to the Euclidean norm.

3-22. Summary of Weighted LLL (3-rank case)

Target: s' ∈ ℒ_1 := ⟨u_1, u_2, u_3⟩_ℤ, a relatively short vector with entries of unbalanced sizes (not a shortest one), which LLL on ℒ_1 itself misses.

1. Apply f_W : u ↦ uW to obtain f_W(ℒ_1) = ⟨u_1 W, u_2 W, u_3 W⟩_ℤ.
2. Run LLL to obtain an LLL-reduced basis u_1', u_2', u_3' of f_W(ℒ_1).
3. Apply f_W^{−1} : u' ↦ u' W^{−1} to obtain the "weighted" LLL-reduced basis u_1' W^{−1}, u_2' W^{−1}, u_3' W^{−1} of ℒ_1.

We generalize this method to an algorithm (omitted in this talk). The algorithm terminates in polynomial time w.r.t. the rank and the dimension of the lattice.
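Step 1 of the attack on the toy instance, as an added example (it is not code from the slides or from the authors): a textbook LLL in exact rational arithmetic, run once on the cut kernel basis u_1, u_2, u_3 of 3-12 and once on the W-scaled basis of 3-18. The weights are derived from X as 2^{⌊lg(max|X| / |x_i|)⌋}, repeated for the s_1' and s_2' blocks; taking the floor is our reading of the slide's "lg". The function names and δ = 0.99 are our choices.

```python
# Added example: plain LLL vs. weighted LLL on the toy lattice L_1 of the slides.
from fractions import Fraction

# Public key X = 25x^3 - 4y - 19416 as a coefficient vector (x^3 > y > 1)
X_VEC = (25, -4, -19416)

# Basis u_1, u_2, u_3 of the cut lattice L_1 (columns c_1..c_6 of Ker A), as on
# slide 3-12: this is what an attacker computes from X, F_1', F_2' alone.
L1_BASIS = [
    [1, 32, -49644, 24, -24, -47364],
    [0, 67, -101807, 0, -42, -59843],
    [0, 0, 0, 25, -4, -19416],
]

# Ground truth (unknown to the attacker): s' = (s_1 - s_2, s_2 - s_3)
S_PRIME = [2, -3, 2519, -2, 2, 3947]


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL (size reduction + Lovasz condition) in exact arithmetic.
    Recomputing Gram-Schmidt after every change is fine for rank 3, dimension 6."""
    b = [[Fraction(x) for x in v] for v in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = list(b[i])
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        lovasz = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if dot(bstar[k], bstar[k]) >= lovasz:
            k += 1
        else:                                      # swap and step back
            b[k - 1], b[k] = b[k], b[k - 1]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in v] for v in b]


def weights_from_public_key(x_vec):
    """w_i = 2^floor(lg(max|X| / |x_i|)): a large coefficient of X (hence a large
    entry of s') gets a small weight, so that s'W has balanced entries."""
    big = max(abs(c) for c in x_vec)
    w = [1 << ((big // abs(c)).bit_length() - 1) for c in x_vec]
    return w + w                                   # one block for s_1', one for s_2'


def weighted_lll(basis, w, delta=Fraction(99, 100)):
    """LLL w.r.t. ||.||_w: scale by W = diag(w), reduce, scale back by W^-1."""
    scaled = [[x * wi for x, wi in zip(v, w)] for v in basis]
    out = []
    for v in lll(scaled, delta):
        assert all(x % wi == 0 for x, wi in zip(v, w))   # still in f_W(L_1)
        out.append([x // wi for x, wi in zip(v, w)])
    return out


def normalize_sign(v):
    """LLL may return -s' instead of s'; make the first non-zero entry positive."""
    for x in v:
        if x:
            return v if x > 0 else [-y for y in v]
    return v


def sq_norm(v, w=None):
    """Squared Euclidean norm, or squared weighted norm ||v||_w^2 if w is given."""
    w = w or [1] * len(v)
    return sum((x * wi) ** 2 for x, wi in zip(v, w))


def plain_lll_candidate():
    """First vector of the usual LLL on L_1 (Euclidean norm)."""
    return normalize_sign(lll(L1_BASIS)[0])


def weighted_lll_candidate():
    """Step 1 of the attack: first vector of the weighted LLL on L_1."""
    return normalize_sign(weighted_lll(L1_BASIS, weights_from_public_key(X_VEC))[0])


if __name__ == "__main__":
    print("usual LLL   :", plain_lll_candidate(),
          "(norm^2 %d, shorter than s' with %d)" % (sq_norm(plain_lll_candidate()), sq_norm(S_PRIME)))
    print("weighted LLL:", weighted_lll_candidate(), "== s'?", weighted_lll_candidate() == S_PRIME)
```

With δ = 0.99 the outcome is not luck: in the weighted lattice ±s'W is the unique shortest vector (squared weighted norm 242125130, the next lattice vector has 603461882), and an LLL-reduced first vector is within a factor (1/(δ − 1/4))^{2} ≈ 1.83 of the minimum, so it must be ±s'W. In the plain lattice the same bound forces the first vector below the Euclidean length of s', so the usual LLL can never return s' first.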

3-23. Outline of Our Attack (recalled)

Step 1 finds s_1' = s_1 − s_2 and s_2' = s_2 − s_3 by the weighted LLL; Step 2 finds f satisfying F_1' = s_1' f + r_1' X and F_2' = s_2' f + r_2' X; Step 3 finds s_1 by Babai's nearest plane algorithm and then recovers the plaintext by linear algebra techniques and modular arithmetic. In each step a linear system is obtained by comparing coefficients of both sides. We focused on Step 1 in this talk.

Contents

1. Introduction

2. Overview of DEC

3. Cryptanalysis of DEC via the weighted LLL algorithm

4. Complexity Analysis and Experimental Results

5. Summary

4-1. Complexity of Our Algorithm

Parameters: λ and w := deg X.

Main computation of each step (the computation common to all steps is solving linear systems by Hermite normal form (HNF) and arithmetic over ℤ[x_1, …, x_n]):
Step 1: weighted LLL.
Step 2: LLL.
Step 3 (dominant): Babai nearest plane with LLL, and modular arithmetic.

Theorem. Under certain assumptions*, the worst-case total bit complexity of our attack algorithm is O(w^11 λ^2 + w^5 λ^3). Consequently, the attack runs in polynomial time in λ and w.

* e.g. assume that coefficient explosion does not happen in the computation of the HNF.

Considering the size of the ciphertext, w should not be so large.

4-2. Experimental Results 1

Table 1*: Results of our attack for the parameters suggested in [Oku15] with n = 3 and λ = 128. "Success Times" is the number of trials in which the step succeeded (the percentages quoted below correspond to 100 trials per row).

  w   #{terms of X}   Success Times              Average Time (seconds)
                      Step 1   Step 2   Step 3
  5        3            75       75       27        0.072408
  5        4            78       78       26        0.1009
  5        5            91       91       36        0.13494
  7        3            79       79       17        0.11106
  7        4            75       75       22        0.15900
  7        7            87       87       32        0.35841
 10        3            73       73       27        0.18237
 10        4            78       78       27        0.27500
 10        7            84       84       29        0.61914
 10       10            91       91       32        2.0475

Step 1: succeeds in more than 70% of the trials by the weighted LLL.
Overall: the one-wayness of instances is broken in almost 30% of the trials in practical time, which is a sufficiently high probability for cryptanalysis.

* Environment: Magma V2.20-10, Windows 8.1 Pro 64-bit, 2.60 GHz CPU (Intel Core i5) and 8 GB memory.

4-3. Experimental Results 2

Table 2*: Results in the case of increasing w (with n = 3 and λ = 128)

  w   #{terms of X}   Average Time (seconds)   Secret key (bit)   Public key (bit)   Ciphertext (bit)
  5        5                  0.13494                201                759               30121
 10       10                  2.04750                198               1460              165895
 15       15                 10.75300                198               2155              461314
 20       20                 35.86000                198               2859             1050407
 25       25                 69.56900                201               3574             1951801
 30       30                303.10000                201               4275             3257461
 35       35                544.59000                201               4899             5049308
 40       40               1200.00000                201               5717             7420943
 45       45               1641.00000                200               6316            10224888

The required time is expected to be much shorter than the estimated complexity suggests. The computation of the HNF, estimated to be the most expensive part, does not take much time because the coefficient matrices obtained in our attack are sparse in many cases.

Contents

1. Introduction

2. Overview of DEC

3. Cryptanalysis of DEC via the weighted LLL algorithm

4. Complexity Analysis and Experimental Results

5. Summary

5-1. Summary

• DEC has resistance against recovering the secret key directly (difficulty of solving Diophantine equations).

• However, the one-wayness of the system is transformed into finding a relatively short but not shortest vector in lattices of low rank.

• Our experimental results show that our attack with the weighted LLL can find such vectors. As a consequence, the one-wayness of DEC can be broken with high probability in polynomial time for the parameters suggested in [Oku15].