Practical Cryptanalysis of a Public-key Encryption Scheme Based on Non-linear Indeterminate Equations at SAC 2017
Keita Xagawa (草川 恵太)
NTT Secure Platform Laboratories
2018/04/09
© 2018 NTT corp. All Rights Reserved
Agenda
Post-Quantum Cryptography
IEC/Giophantus as Lattice-based PKE
Attack against IEC with n = 80
Attack against IEC with prime n
Summary
NIST PQC Round 1 Candidates
We have 69 candidates on 21 Dec. 2017.
Families: Code, Lattice, MQ, Isogeny, SymKey, Others
PKE/KEM 49: BIG QUAKE, BIKE, CFPKM, Classic McEliece,
Compact LWE, CRYSTALS-Kyber, DAGS, Ding Key Exchange, DME,
Edon-K, EMBLEM and R.EMBLEM, FrodoKEM, Giophantus,
GuessAgain, Hila5, HK17, HQC, KCL, KINDI, LAC, LAKE, LEDAkem,
LEDApkc, Lepton, Lima, Lizard, LOCKER, LOTUS, McNie,
Mersenne-756839, NewHope, NTRUEncrypt, NTRU-HRSS-KEM, NTRU
Prime, NTS-KEM, Odd Manhattan, Ouroboros-R, Post-Quantum
RSA-Encryption, QC-MDPC KEM, Ramstake, RLCE-KEM, Round2,
RQC, RVB, SABER, SIKE, SRTPI, Three Bears, Titanium
Sig. 22: CRYSTALS-Dilithium, DME, DRS, DualModeMS, Falcon,
GeMSS, Gravity-SPHINCS, Gui, HiMQ-3, LUOV, MQDSS, pqNTRUsign,
Picnic, Post-Quantum RSA-Signature, pqsigRM, qTESLA, RaCoSS,
Rainbow, RankSign, SPHINCS+, SRTPI, WalnutDSA
Summary
IEC/Giophantus proposes CPA/CCA-secure PKE based on IE-LWE (= a special Module-LWE).

  Scheme                    n        deg X
  IEC in Aug. 2017          80       1 or 2
  IEC in Sep. 2017          83       1 or 2
  Giophantus in Dec. 2017   ≥ 1201   1

Akiyama et al. changed parameter values by reflecting our attacks.
- IEC in Aug. 2017
  - Key Recovery in ≈ 30 s (deg X = 1)
  - Distinguishing in ≈ 0.5 s (deg X = 1)
  - Distinguishing in ≈ 30 s (deg X = 2)
- IEC in Sep. 2017
  - Plaintext Recovery in ≈ 17 h (deg X = 2)
  - Distinguishing in ≈ 4 days for large n ≤ 110 (deg X = 2)
LWE [Reg09]
- Learning with Errors (LWE) Problem: Distinguishing
  - $(A,\ \vec r A + \vec e)$ with $A \leftarrow \mathbb{Z}_q^{n \times m}$, $\vec r \leftarrow \mathbb{Z}_q^{n}$, $\vec e \leftarrow \chi^{m}$
  - $(A,\ \vec b)$ with $A \leftarrow \mathbb{Z}_q^{n \times m}$, $\vec b \leftarrow \mathbb{Z}_q^{m}$
[Figure: the matrix $A \in \mathbb{Z}_q^{n \times m}$ and the row vector $\vec b$, which is either real ($\vec r A + \vec e$) or random]
Example of $\chi$: Discrete Gaussian
GPV-like PKE [GPV08]
ek = $A$, dk = $\vec u$ with $A \cdot \vec u^{\top} = 0$, $\|\vec u\| \le B$, and $u_0 = 1$
ct = $\vec b = \vec r A + p\vec e + (M, 0, \ldots, 0)$ with $\|\vec e\| \le B$
[Figure: $A \in \mathbb{Z}_q^{n \times m}$; Enc picks $\vec r, \vec e$ and outputs $\vec b$ with $M$ added to the first coordinate]
$$\vec b \cdot \vec u^{\top} = M + (\vec r A + p\vec e) \cdot \vec u^{\top} = M + p\,\vec e \cdot \vec u^{\top} \quad (\text{in } \mathbb{Z} \text{ if } p(1 + B^2) < q/2)$$
Thus, $M := (\vec b \cdot \vec u^{\top} \bmod^{*} q) \bmod p$, where $\bmod^{*} q$ denotes the centred representative in $(-q/2, q/2]$.
Module-LWE-based GPV-like PKE
$A \in \mathbb{Z}_q^{hn \times wn}$ is made from $a_{1,1}, \ldots, a_{h,w} \in \mathbb{Z}_q[t]/(t^n + 1)$
ek = $A$, dk = $\vec u$ with $A \cdot \vec u^{\top} = 0$, $\|\vec u\| \le B$, and $u_0 = 1$
ct = $\vec b = \vec r A + p\vec e + (M, 0, \ldots, 0)$ with $\|\vec e\| \le B$
[Figure: Enc picks $\vec r, \vec e$ and outputs $\vec b$ with $M$ added to the first coordinate]
$$\vec b \cdot \vec u^{\top} = M + (\vec r A + p\vec e) \cdot \vec u^{\top} = M + p\,\vec e \cdot \vec u^{\top} \quad (\text{in } \mathbb{Z})$$
Thus, $M := (\vec b \cdot \vec u^{\top} \bmod^{*} q) \bmod p$
IEC/Giophantus
$A \in \mathbb{Z}_q^{hn \times wn}$ is made from a few $a_{1,1}, \ldots, a_{h,w} \in \mathbb{Z}_q[t]/(t^n + 1)$
ek = $A$, dk = $\vec u$ with $A \cdot \vec u^{\top} = 0$, $u_i \in [0, p)$, and $u_0 = 1$
ct = $\vec b = \vec r A + p\vec e + (M, 0, \ldots, 0)$ with $e_i \in [0, p)$
[Figure: Enc picks $\vec r, \vec e$ and outputs $\vec b$ with $M$ added to the first coordinate]
$$\vec b \cdot \vec u^{\top} = M + (\vec r A + p\vec e) \cdot \vec u^{\top} = M + p\,\vec e \cdot \vec u^{\top} \quad (\text{in } \mathbb{Z})$$
Thus, $M := (\vec b \cdot \vec u^{\top} \bmod q) \bmod p$. No centred reduction is needed here: since all $u_i$, $e_i$ and $M$ are non-negative, $M + p\,\vec e \cdot \vec u^{\top}$ is a non-negative integer, and $q$ is chosen large enough that it stays below $q$.
IEC (deg X = 1)
- Key Generation
  - dk: "short" $u_x, u_y \in \mathbb{Z}_q[t]/(t^n - 1)$
  - ek: $X(x, y) = a_{10} x + a_{01} y + a_{00}$
  - $a_{10}, a_{01} \leftarrow \mathbb{Z}_q[t]/(t^n - 1)$ and set $a_{00} = -(a_{10} u_x + a_{01} u_y)$, so that $X(u_x, u_y) = 0$
- Encryption: a plaintext is a "short" $M \in \mathbb{Z}_q[t]/(t^n - 1)$
  - Choose random $r(x, y) = r_{10} x + r_{01} y + r_{00}$
  - Choose "short" $e(x, y) = e_{20} x^2 + \cdots + e_{00}$
  - A ciphertext is $c(x, y) = M + p \cdot e(x, y) + r(x, y) \cdot X(x, y)$

Writing $A_{ij}$ for the $n \times n$ matrix of multiplication by $a_{ij}$ in $\mathbb{Z}_q[t]/(t^n - 1)$, with rows indexed by the monomials $1, x, y$ of $r$ and columns by the monomials $1, x, y, x^2, xy, y^2$ of $c$:
$$A = \begin{pmatrix} A_{00} & A_{10} & A_{01} & 0 & 0 & 0 \\ 0 & A_{00} & 0 & A_{10} & A_{01} & 0 \\ 0 & 0 & A_{00} & 0 & A_{10} & A_{01} \end{pmatrix}, \qquad \vec u = (1,\ u_x,\ u_y,\ u_x^2,\ u_x u_y,\ u_y^2)$$
PT-Recovery Attack against IEC (deg X = 1)
- ek: $X(x, y) = a_{10} x + a_{01} y + a_{00}$
- ct: $c(x, y) = M + p \cdot e(x, y) + r(x, y) \cdot X(x, y)$
- With $n = 80$ (rows $1, x, y$; columns $1, x, y, x^2, xy, y^2$):
  $$A = \begin{pmatrix} A_{00} & A_{10} & A_{01} & 0 & 0 & 0 \\ 0 & A_{00} & 0 & A_{10} & A_{01} & 0 \\ 0 & 0 & A_{00} & 0 & A_{10} & A_{01} \end{pmatrix} \in \mathbb{Z}_q^{240 \times 480}$$
- Solve a 480-dim. CVP instance $(\Lambda_q(A), \vec b)$, where
  $$\Lambda_q(A) = \{\vec y \in \mathbb{Z}^{480} \mid \exists \vec r \in \mathbb{Z}^{240} : \vec r \cdot A \equiv \vec y \pmod q\}, \qquad \vec b = \vec r \cdot A + (p\vec e + (M, 0, \ldots, 0)) \bmod q$$
  → Success if the difference between $\vec b$ and the lattice point found is $p\vec e + (M, 0, \ldots, 0)$
  → But, (experimentally) hard for LLL/BKZ to find this difference
Gentry's "Origami" Attack [Gen01]
The core of his attack: if $d \mid n$,
$$\theta : \mathbb{Z}[t]/(t^n - 1) \to \mathbb{Z}[t]/(t^d - 1), \qquad f = \sum_i f_i t^i \mapsto \sum_{i=0}^{d-1} \Big( \sum_{j=0}^{n/d - 1} f_{jd + i} \Big) t^i$$
is a ring homomorphism (it is reduction modulo $t^d - 1$, which divides $t^n - 1$).
The dimension drops from $n$ to $d$, and the norm grows from $a$ to at most $(n/d)\,a$.
[Figure: $f$ is cut into $n/d$ strips of length $d$; the coefficients $f_0, f_d, f_{2d}, f_{3d}, \ldots$ up to $f_{n-1}$ are stacked and summed position-wise to give $\theta(f)$]
"Origami" Dist. Attack on IEC (deg X = 1)
- ek: $X(x, y) = a_{10} x + a_{01} y + a_{00}$
- ct: $c(x, y) = M + p \cdot e(x, y) + r(x, y) \cdot X(x, y)$
- Let $d = 10$ and apply $\theta : \mathbb{Z}[t]/(t^{80} - 1) \to \mathbb{Z}[t]/(t^{10} - 1)$ to every coefficient; with $A'_{ij}$ the $10 \times 10$ matrix of $\theta(a_{ij})$ the public matrix becomes
  $$A' = \begin{pmatrix} A'_{00} & A'_{10} & A'_{01} & 0 & 0 & 0 \\ 0 & A'_{00} & 0 & A'_{10} & A'_{01} & 0 \\ 0 & 0 & A'_{00} & 0 & A'_{10} & A'_{01} \end{pmatrix} \in \mathbb{Z}_q^{30 \times 60}$$
- Solve a 60-dim. CVP instance $(\Lambda_q(A'), \vec b')$, where
  $$\Lambda_q(A') = \{\vec y \in \mathbb{Z}^{60} \mid \exists \vec r \in \mathbb{Z}^{30} : \vec r \cdot A' \equiv \vec y \pmod q\}, \qquad \vec b' = \vec r' \cdot A' + (p\vec e' + (M', 0, \ldots, 0)) \bmod q$$
  with $\vec r' = \theta(\vec r)$, $\vec e' = \theta(\vec e)$ and $M' = \theta(M)$, because $\theta$ is a ring homomorphism.
  → We can find the difference $= p\,\theta(\vec e) + (\theta(M), 0, \ldots, 0)$
- This leaks $\theta(M) \bmod p$!
PT-Recovery Attack on IEC (deg X = 1)
- The "origami" attack seems not to work if $n$ is prime, since then no $1 < d < n$ divides $n$. (Note: Castryck and Vercauteren showed a distinguishing attack when $d = 1$, i.e. $\theta(f) = \sum_i f_i = f(1)$, and $q = 2^{31} - 1$ for Giophantus.)
- Is there another good subring?
- Fixing $y = 0$ yields a subring $R[x]$! Let us consider
  $$\pi : R_{n,q}[x, y] \to R_{n,q}[x] : f(x, y) \mapsto f(x, 0)$$
- The problem is finding $M$ from
  $$X(x, 0) = a_{10} x + a_{00}, \qquad c(x, 0) = M + p \cdot e(x, 0) + r(x, 0) \cdot X(x, 0)$$
Subring Attack on IEC (deg X = 1)
- Apply $\pi : R_{n,q}[x, y] \to R_{n,q}[x]$
- ek′: $X(x, 0) = a_{10} x + a_{00}$
- ct′: $c(x, 0) = M + p \cdot e(x, 0) + r(x, 0) \cdot X(x, 0)$
- The public matrix (rows $1, x, y$; columns $1, x, y, x^2, xy, y^2$)
  $$A = \begin{pmatrix} A_{00} & A_{10} & A_{01} & 0 & 0 & 0 \\ 0 & A_{00} & 0 & A_{10} & A_{01} & 0 \\ 0 & 0 & A_{00} & 0 & A_{10} & A_{01} \end{pmatrix} \in \mathbb{Z}_q^{240 \times 480}$$
  shrinks to the $x$-only blocks (rows $1, x$; columns $1, x, x^2$):
  $$A' = \begin{pmatrix} A_{00} & A_{10} & 0 \\ 0 & A_{00} & A_{10} \end{pmatrix} \in \mathbb{Z}_q^{160 \times 240}$$
- Solve a 240-dim. CVP instance $(\Lambda_q(A'), \vec b')$, where
  $$\Lambda_q(A') = \{\vec y \in \mathbb{Z}^{240} \mid \exists \vec r \in \mathbb{Z}^{160} : \vec r \cdot A' \equiv \vec y \pmod q\}, \qquad \vec b' = \vec r' \cdot A' + (p\vec e' + (M', 0, \ldots, 0)) \bmod q$$
  → Success if the difference $= p\,\pi(\vec e) + (M, 0, \ldots, 0)$
- Unfortunately, (experimentally) hard for LLL/BKZ to find the difference if deg X = 1.
Subring Attack on IEC (deg X = 2)
- Apply $\pi : R_{n,q}[x, y] \to R_{n,q}[x]$
- ek: $X(x, 0) = a_{20} x^2 + a_{10} x + a_{00}$
- ct: $c(x, 0) = M + p \cdot e(x, 0) + r(x, 0) \cdot X(x, 0)$
- With rows indexed by $1, x, x^2$ (the monomials of $r(x, 0)$) and columns by $1, x, x^2, x^3, x^4$:
  $$A' = \begin{pmatrix} A_{00} & A_{10} & A_{20} & 0 & 0 \\ 0 & A_{00} & A_{10} & A_{20} & 0 \\ 0 & 0 & A_{00} & A_{10} & A_{20} \end{pmatrix} \in \mathbb{Z}_q^{240 \times 400}$$
- Solve a 400-dim. CVP instance $(\Lambda_q(A'), \vec b')$, where
  $$\Lambda_q(A') = \{\vec y \in \mathbb{Z}^{400} \mid \exists \vec r \in \mathbb{Z}^{240} : \vec r \cdot A' \equiv \vec y \pmod q\}, \qquad \vec b' = \vec r' \cdot A' + (p\vec e' + (M', 0, \ldots, 0)) \bmod q$$
  → We can find the difference $= p\,\pi(\vec e) + (M, 0, \ldots, 0)$ in 17 hours!
- This works because $q$ is too big: it is chosen so that IEC is perfectly correct, and such a large $q$ relative to the error $p\,\pi(\vec e)$ leaves a gap that LLL/BKZ can exploit.
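The following Python model is an added example, not code from the talk or from the IEC/Giophantus submission. It puts the slides on IEC (deg X = 1), Gentry's fold $\theta$ and the subring projection $\pi$ together in one runnable piece: encryption and decryption in $\mathbb{Z}_q[t]/(t^n - 1)$, the two ring maps, and the block counts behind the $240 \times 480$, $160 \times 240$ and $240 \times 400$ matrices. The parameters $n = 80$, $d = 10$, $p = 3$ and $q = 2^{31} - 1$ are toy choices made for this example (the slides do not give the actual IEC parameters; $2^{31} - 1$ is only the Giophantus modulus mentioned in the Castryck-Vercauteren note). The checks confirm the facts the attacks rest on: $\theta$ and $\pi$ are ring homomorphisms, so $\theta(c)$ is again an IEC ciphertext, of $\theta(M)$ with error $\theta(\vec e)$, for which $(\theta(u_x), \theta(u_y))$ is a valid key, while $\pi(c)$ keeps $M$ itself but $\pi(X)$ no longer vanishes at $(u_x, 0)$, so only the smaller CVP instance remains. The CVP step (LLL/BKZ) that actually recovers the difference is not implemented.

```python
import random
from math import comb

# Assumed toy parameters for this example, not the published IEC parameter sets;
# q = 2^31 - 1 is the Giophantus modulus mentioned in the Castryck-Vercauteren note.
N, D, P, Q = 80, 10, 3, 2**31 - 1

# --- R_{n,q} = Z_q[t]/(t^n - 1); an element is a list of n coefficients in [0, q) ---
def radd(f, g, q=Q):
    return [(a + b) % q for a, b in zip(f, g)]

def rmul(f, g, q=Q):
    n, h = len(f), [0] * len(f)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[(i + j) % n] = (h[(i + j) % n] + a * b) % q   # t^n = 1 wraps the exponent
    return h

# --- polynomials in x, y over R_{n,q}: {(i, j): coefficient} stands for x^i y^j ---
def badd(F, G, q=Q):
    H = dict(F)
    for m, g in G.items():
        H[m] = radd(H[m], g, q) if m in H else g
    return H

def bmul(F, G, q=Q):
    H = {}
    for (i, j), f in F.items():
        for (k, l), g in G.items():
            H = badd(H, {(i + k, j + l): rmul(f, g, q)}, q)
    return H

def bscale(k, F, q=Q):
    return {m: [k * v % q for v in f] for m, f in F.items()}

def bmap(phi, F):                    # apply a coefficient map to every monomial
    return {m: phi(f) for m, f in F.items()}

def beval(F, ux, uy, q=Q):           # F(ux, uy), computed in R_{n,q}
    acc = [0] * len(ux)
    for (i, j), f in F.items():
        for _ in range(i):
            f = rmul(f, ux, q)
        for _ in range(j):
            f = rmul(f, uy, q)
        acc = radd(acc, f, q)
    return acc

# --- IEC with deg X = 1, following the key generation / encryption slide ---
def keygen(rng, n=N, p=P, q=Q):
    ux, uy = [rng.randrange(p) for _ in range(n)], [rng.randrange(p) for _ in range(n)]
    a10, a01 = [rng.randrange(q) for _ in range(n)], [rng.randrange(q) for _ in range(n)]
    a00 = [(-v) % q for v in radd(rmul(a10, ux, q), rmul(a01, uy, q), q)]  # X(ux, uy) = 0
    return {(1, 0): a10, (0, 1): a01, (0, 0): a00}, (ux, uy)

def encrypt(X, M, rng, n=N, p=P, q=Q):
    r = {m: [rng.randrange(q) for _ in range(n)] for m in [(0, 0), (1, 0), (0, 1)]}
    e = {m: [rng.randrange(p) for _ in range(n)]
         for m in [(0, 0), (1, 0), (0, 1), (2, 0), (1, 1), (0, 2)]}
    c = badd(badd({(0, 0): M}, bscale(p, e, q), q), bmul(r, X, q), q)
    return c, r, e                   # r and e are returned only for the checks below

def decrypt(c, sk, p=P, q=Q):
    # c(ux, uy) = M + p e(ux, uy) with every coefficient a non-negative integer below q,
    # so a plain mod q (no centring) followed by mod p recovers M
    return [v % p for v in beval(c, *sk, q=q)]

# --- the two ring homomorphisms used by the attacks ---
def theta(f, d=D, q=Q):              # Gentry's origami fold Z[t]/(t^n - 1) -> Z[t]/(t^d - 1)
    n = len(f)
    assert n % d == 0, "the fold needs d | n, which is why prime n resists it"
    return [sum(f[j * d + i] for j in range(n // d)) % q for i in range(d)]

def pi(F):                           # subring projection f(x, y) -> f(x, 0)
    return {m: f for m, f in F.items() if m[1] == 0}

def lattice_dims(deg_X, nvars, n=N):
    # r has degree deg X and the ciphertext degree 2 deg X; one n x n block per monomial
    return comb(deg_X + nvars, nvars) * n, comb(2 * deg_X + nvars, nvars) * n

def demo(seed=1, p=P, q=Q):
    rng = random.Random(seed)
    X, sk = keygen(rng)
    M = [rng.randrange(p) for _ in range(N)]
    c, r, e = encrypt(X, M, rng)
    # (1) origami: theta(c) is a D-dimensional IEC ciphertext of theta(M) under theta(X),
    #     and theta(sk) is a valid key for it, so the small CVP solution leaks theta(M) mod p
    cf, Xf, skf = bmap(theta, c), bmap(theta, X), tuple(theta(u) for u in sk)
    folded = badd(badd({(0, 0): theta(M)}, bscale(p, bmap(theta, e))),
                  bmul(bmap(theta, r), Xf))
    fold_hom = cf == folded
    fold_key = beval(Xf, *skf) == [0] * D
    fold_leak = decrypt(cf, skf) == [v % p for v in theta(M)]
    # (2) subring: pi(c) keeps M itself, but pi(X) no longer vanishes at (ux, 0): there is
    #     no trapdoor, only a smaller CVP instance (this is what LLL/BKZ has to solve)
    sub_hom = pi(c) == badd(badd({(0, 0): M}, bscale(p, pi(e))), bmul(pi(r), pi(X)))
    sub_no_key = beval(pi(X), sk[0], [0] * N) != [0] * N
    return {"decrypt": decrypt(c, sk) == M, "fold_hom": fold_hom, "fold_key": fold_key,
            "fold_leak": fold_leak, "sub_hom": sub_hom, "sub_no_key": sub_no_key}

if __name__ == "__main__":
    print(demo(), lattice_dims(1, 2), lattice_dims(1, 1), lattice_dims(2, 1))
```

`demo()` returns six booleans that are all True for the assumed parameters; `lattice_dims(1, 2)`, `lattice_dims(1, 1)` and `lattice_dims(2, 1)` reproduce the (rows, columns) of $A$ and of the two reduced matrices $A'$. The `fold_leak` check uses the folded secret key only to confirm what the CVP solution $p\,\theta(\vec e) + (\theta(M), 0, \ldots, 0)$ contains; the attacker does not have that key, and in the subring case no such key exists at all.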
Summary
IEC/Giophantus proposes CPA/CCA-secure PKE based on IE-LWE (= a special Module-LWE).

  Scheme                    n        deg X
  IEC in Aug. 2017          80       1 or 2
  IEC in Sep. 2017          83       1 or 2
  Giophantus in Dec. 2017   ≥ 1201   1

They changed parameter values by reflecting our attacks.
- The origami attacks on IEC in Aug. 2017
  - Key Recovery in ≈ 30 s (deg X = 1)
  - Distinguishing in ≈ 0.5 s (deg X = 1)
  - Distinguishing in ≈ 30 s (deg X = 2)
- The subring attacks on IEC in Sep. 2017
  - Plaintext Recovery in ≈ 17 h (deg X = 2)
  - Distinguishing for large n ≥ 100