Lattice Based Attacks on RSA
2004/9/22 Lattice Based Attacks on RSA 2
Outline: Lattices and lattice reduction; Lattice based attacks on RSA: Hastad's attack, Franklin-Reiter attack, extension to Wiener's attack.
Lattices and lattice reduction. Given a set of m linearly independent vectors $\{b_1, \dots, b_m\}$ in $\mathbb{R}^n$, the set of all real linear combinations of these vectors,
$V := \{\sum_{i=1}^{m} a_i b_i : a_i \in \mathbb{R}\}$,
is a vector subspace.
Gram-Schmidt process: takes one basis $\{b_1, \dots, b_m\}$ and produces a basis $\{b_1^*, \dots, b_m^*\}$ which is pairwise orthogonal:
$b_1^* = b_1$,
$b_i^* = b_i - \sum_{j=1}^{i-1} \mu_{i,j} b_j^*$, where $\mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle}$ for $1 \le j < i \le m$.
Example: $b_1 = (2, 0)^T$ and $b_2 = (1, 1)^T$.
$b_1^* = b_1 = (2, 0)^T$,
$\mu_{2,1} = \frac{\langle b_2, b_1^* \rangle}{\langle b_1^*, b_1^* \rangle} = \frac{1}{2}$,
$b_2^* = b_2 - \mu_{2,1} b_1^* = (0, 1)^T$.
Given a set of basis vectors $\{b_1, \dots, b_m\}$ in $\mathbb{R}^n$ with $m \le n$, a lattice is the set of all integer linear combinations of the $b_i$:
$L := \{\sum_{i=1}^{m} a_i b_i : a_i \in \mathbb{Z}\}$.
Definition 1: A basis $\{b_1, \dots, b_m\}$ is called LLL reduced if the associated Gram-Schmidt basis $\{b_1^*, \dots, b_m^*\}$ satisfies
$|\mu_{i,j}| \le \frac{1}{2}$ for $1 \le j < i \le m$, and
$\|b_i^*\|^2 \ge \left(\frac{3}{4} - \mu_{i,i-1}^2\right) \|b_{i-1}^*\|^2$ for $1 < i \le m$.
For all non-zero $x \in L$, we have
$\|b_1\| \le 2^{(m-1)/2} \|x\|$, and
$\|b_1\| \le 2^{(m-1)/4} \det(B^T B)^{1/(2m)}$, where $B$ is the matrix with rows $b_1, \dots, b_m$.
Lattice Based Attacks on RSA. Original problem: Given a polynomial
$f(x) = x^d + f_{d-1} x^{d-1} + \dots + f_1 x + f_0$
over the integers of degree d and the side information that there exists a root $x_0$ modulo N which is small, say $|x_0| < N^{1/d}$, can one efficiently find the small root $x_0$?
The answer is YES. Basic idea: find a polynomial $h(x) \in \mathbb{Z}[x]$ s.t. $h(x_0) = f(x_0) = 0 \pmod N$, and $\|h\|$ should be small, where
$\|h\|^2 = \sum_{i=0}^{\deg(h)} h_i^2$.
Lemma 2: Let $h(x) \in \mathbb{Z}[x]$ be of degree at most n and let X and N be positive integers. Suppose $\|h(xX)\| < N/\sqrt{n}$. Then if $|x_0| < X$ satisfies $h(x_0) = 0 \pmod N$, $h(x_0) = 0$ holds over the integers and not just modulo N.
$f(x_0) = 0 \pmod N \Rightarrow f(x_0)^k = 0 \pmod{N^k}$. For some given value of m, set
$g_{u,v}(x) = N^{m-v} x^u f(x)^v$;
then $g_{u,v}(x_0) = 0 \pmod{N^m}$ for all $0 \le u < d$ and $0 \le v \le m$.
We wish to find $a_{u,v}$ s.t.
$h(x) = \sum_{v=0}^{m} \sum_{u=0}^{d-1} a_{u,v} g_{u,v}(x)$
satisfies $\|h(xX)\| < N^m / \sqrt{d(m+1)}$.
Example: $f(x) = x^2 + ax + b$; we wish to find an $x_0$ s.t. $f(x_0) = 0 \pmod N$. Set $m = 2$:
$g_{0,0}(xX) = N^2$,
$g_{1,0}(xX) = N^2 X x$,
$g_{0,1}(xX) = bN + aNX x + NX^2 x^2$,
$g_{1,1}(xX) = bNX x + aNX^2 x^2 + NX^3 x^3$,
$g_{0,2}(xX) = b^2 + 2abX x + (a^2 + 2b)X^2 x^2 + 2aX^3 x^3 + X^4 x^4$,
$g_{1,2}(xX) = b^2 X x + 2abX^2 x^2 + (a^2 + 2b)X^3 x^3 + 2aX^4 x^4 + X^5 x^5$.
The coefficient vectors of these six polynomials (with respect to the monomials $1, x, x^2, x^3, x^4, x^5$) are the rows of the lattice basis matrix
$A = \begin{pmatrix} N^2 & 0 & 0 & 0 & 0 & 0 \\ 0 & N^2 X & 0 & 0 & 0 & 0 \\ bN & aNX & NX^2 & 0 & 0 & 0 \\ 0 & bNX & aNX^2 & NX^3 & 0 & 0 \\ b^2 & 2abX & (a^2+2b)X^2 & 2aX^3 & X^4 & 0 \\ 0 & b^2 X & 2abX^2 & (a^2+2b)X^3 & 2aX^4 & X^5 \end{pmatrix}$
$\det(A) = N^6 X^{15}$, so $\|b_1\| \le 2^{(6-1)/4} \det(A)^{1/6} \le 2^{3/2} N X^{5/2}$.
Write $h(x) = b_1^{(1)} g_{0,0}(x) + b_1^{(2)} g_{1,0}(x) + \dots + b_1^{(6)} g_{1,2}(x)$, where $b_1^{(1)}, \dots, b_1^{(6)}$ are the integer coefficients expressing $b_1$ in terms of the rows $g_{u,v}(xX)$ of $A$.
Then $\|h(xX)\| = \|b_1\| \le 2^{3/2} N X^{5/2}$, and Lemma 2 (with $n = 6$ and modulus $N^2$) requires $\|h(xX)\| < N^2 / \sqrt{6}$; when this holds, $h(x_0) = 0$ over the integers.
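The Gram-Schmidt step, the LLL condition of Definition 1 and the six-row lattice of the $f(x) = x^2 + ax + b$, $m = 2$ example above, carried through in code. This is an added example written for this transcript, not code from the slides or their author. It uses a small textbook LLL over exact rationals; the modulus (a product of two primes near $10^6$), the coefficient $a$, the planted root $x_0$ and the bound $X$ are constructed here, with $X$ taken as the largest value allowed by the inequality $2^{3/2} N X^{5/2} < N^2/\sqrt{6}$ from the slides. Because Lemma 2 then guarantees $h(x_0) = 0$ over the integers, the integer roots of $h$ are found by an exact scan of $(-X, X)$, which is cheap at this size.

```python
from fractions import Fraction


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gram_schmidt(basis):
    """b_1* = b_1 and b_i* = b_i - sum_{j<i} mu_ij b_j*, with mu_ij = <b_i, b_j*> / <b_j*, b_j*>."""
    b = [[Fraction(x) for x in v] for v in basis]
    bstar, mu = [], [[Fraction(0)] * len(b) for _ in b]
    for i, bi in enumerate(b):
        v = bi[:]
        for j in range(i):
            mu[i][j] = dot(bi, bstar[j]) / dot(bstar[j], bstar[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def is_lll_reduced(basis, delta=Fraction(3, 4)):
    """Definition 1: |mu_ij| <= 1/2 for j < i, and ||b_i*||^2 >= (delta - mu_{i,i-1}^2) ||b_{i-1}*||^2."""
    bstar, mu = gram_schmidt(basis)
    m = len(basis)
    size_ok = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(m) for j in range(i))
    lovasz_ok = all(dot(bstar[i], bstar[i]) >= (delta - mu[i][i - 1] ** 2) * dot(bstar[i - 1], bstar[i - 1])
                    for i in range(1, m))
    return size_ok and lovasz_ok


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL: size-reduce b_k against b_{k-1}..b_1, test the Lovasz condition, swap and step back on failure."""
    b = [[Fraction(x) for x in v] for v in basis]
    k = 1
    while k < len(b):
        bstar, mu = gram_schmidt(b)
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])  # nearest integer, so |mu_kj| <= 1/2 afterwards
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1
        else:
            b[k - 1], b[k] = b[k], b[k - 1]
            k = max(k - 1, 1)
    return [[int(x) for x in v] for v in b]  # unimodular transform of the input: same lattice


def poly_mul(p, q):
    """Product of two integer polynomials stored as coefficient lists, lowest degree first."""
    r = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            r[i + j] += pi * qj
    return r


def poly_eval(p, x):
    return sum(c * x ** i for i, c in enumerate(p))


def shift_polynomials(f, N, m, X):
    """Coefficient vectors of g_{u,v}(xX) = N^(m-v) (xX)^u f(xX)^v for 0 <= u < d, 0 <= v <= m (the slides' rows)."""
    d = len(f) - 1
    dim = d * (m + 1)
    fX = [c * X ** i for i, c in enumerate(f)]  # f(xX)
    rows = []
    for v in range(m + 1):
        fv = [1]
        for _ in range(v):
            fv = poly_mul(fv, fX)  # f(xX)^v
        for u in range(d):
            g = [0] * u + [N ** (m - v) * X ** u * c for c in fv]  # times (xX)^u
            rows.append(g + [0] * (dim - len(g)))
    return rows


def coppersmith_small_root(f, N, X, m=2):
    """Integers x with |x| < X and f(x) = 0 (mod N), read off the shortest vector of the LLL-reduced lattice."""
    b1 = lll(shift_polynomials(f, N, m, X))[0]
    h = [c // X ** i for i, c in enumerate(b1)]  # recover h(x) from h(xX); column i is a multiple of X^i
    # Lemma 2: ||h(xX)|| = ||b_1|| < N^m / sqrt(dim) makes h(x0) = 0 over the integers, so scan (-X, X).
    return [x for x in range(-X + 1, X) if poly_eval(h, x) == 0 and poly_eval(f, x) % N == 0]


# Constructed sample instance (not from the slides).
SAMPLE_N = 1000003 * 1000033          # product of two primes near 10^6
ROOT_X0 = 12345                       # planted small root
COEF_A = 987654321                    # arbitrary coefficient a
COEF_B = (-(ROOT_X0 ** 2 + COEF_A * ROOT_X0)) % SAMPLE_N  # b chosen so that f(x0) = 0 (mod N)
POLY_F = [COEF_B, COEF_A, 1]          # f(x) = x^2 + a x + b
# Largest X allowed by the slides' condition 2^(3/2) N X^(5/2) < N^2 / sqrt(6).
BOUND_X = int((SAMPLE_N / (2 ** 1.5 * 6 ** 0.5)) ** 0.4)

if __name__ == "__main__":
    print("X =", BOUND_X, "small roots:", coppersmith_small_root(POLY_F, SAMPLE_N, BOUND_X))
```

On the slides' $b_1 = (2,0)^T$, $b_2 = (1,1)^T$, `gram_schmidt` returns $b_1^* = (2,0)^T$, $\mu_{2,1} = 1/2$ and $b_2^* = (0,1)^T$; that basis fails the Lovász condition, and `lll` turns it into $(1,1), (1,-1)$. For the Coppersmith instance the first reduced vector satisfies the Lemma 2 bound and `coppersmith_small_root` returns the planted root.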
Theorem 3 (Coppersmith): Let $f \in \mathbb{Z}[x]$ be a monic polynomial of degree d, and let N be an integer. If there is some root $x_0$ of f modulo N s.t. $|x_0| < X = N^{1/d - \varepsilon}$, then one can find $x_0$ in time polynomial in $\log N$ and $1/\varepsilon$, for fixed values of d.
Lemma 4: Let $h(x,y) \in \mathbb{Z}[x,y]$ be a sum of at most w monomials, and suppose $h(x_0, y_0) = 0 \pmod{N^e}$ for some positive integers N and e, where the integers $x_0$ and $y_0$ satisfy $|x_0| < X$ and $|y_0| < Y$, and $\|h(xX, yY)\| < N^e / \sqrt{w}$. Then $h(x_0, y_0) = 0$ holds over the integers.
Hastad's Attack. Given 3 public keys $(N_i, e_i)$ with the same $e_i = 3$: if a user sent the same message to all 3 public keys, the plaintext can be recovered using CRT.
User (message m) sends to Receiver 1 $(N_1, e)$, Receiver 2 $(N_2, e)$ and Receiver 3 $(N_3, e)$:
$c_1 = m^e \bmod N_1$, $c_2 = m^e \bmod N_2$, $c_3 = m^e \bmod N_3$.
Now we pad some user-specific data before the message m. For user i, $c_i = (i \cdot 2^h + m)^3 \pmod{N_i}$; this system can still be broken using Hastad's attack.
Let $g_i(x) = (i \cdot 2^h + x)^e - c_i$ for $1 \le i \le k$, so that $g_i(m) = 0 \pmod{N_i}$. Set $N = N_1 N_2 \cdots N_k$; using CRT, we can find $t_i$ s.t.
$g(x) = \sum_{i=1}^{k} t_i g_i(x)$
satisfies $g(m) = 0 \pmod N$. Using Thm 3 we can recover m in polynomial time.
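Hastad's attack for $e = 3$, both the unpadded CRT version and the polynomial combination $g(x) = \sum_i t_i g_i(x)$ of the padded variant, as an added example that is not part of the slides. The three moduli (products of primes near $10^6$), the message and the pad position $h$ are constructed values. The unpadded case recovers m outright; the padded case builds the monic degree-3 polynomial g with $g(m) = 0 \pmod N$ and stops there, since the remaining step is Theorem 3 (Coppersmith), which this block does not implement.

```python
from itertools import combinations
from math import gcd


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli; returns (x, product of moduli)."""
    x, M = 0, 1
    for r, n in zip(residues, moduli):
        t = (r - x) * pow(M, -1, n) % n
        x, M = x + M * t, M * n
    return x % M, M


def iroot(n, k):
    """Smallest integer r with r**k >= n; equals the exact k-th root when n is a perfect k-th power."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < n:
            lo = mid + 1
        else:
            hi = mid
    return lo


def hastad_unpadded(cs, Ns, e=3):
    """Same m sent to e receivers: CRT yields m^e as an integer (m^e < N1*N2*N3), so an integer root gives m."""
    me, _ = crt(cs, Ns)
    m = iroot(me, e)
    return m if m ** e == me else None


def poly_mul_mod(p, q, N):
    """Product of two polynomials over Z_N, coefficient lists lowest degree first."""
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] = (r[i + j] + a * b) % N
    return r


def poly_eval(p, x):
    return sum(c * x ** i for i, c in enumerate(p))


def hastad_padded_polynomial(cs, Ns, h, e=3):
    """Slides' construction for c_i = (i*2^h + m)^e mod N_i: g_i(x) = (i*2^h + x)^e - c_i and
    g(x) = sum t_i g_i(x) mod N with CRT weights t_i. Returns (g, N); g is monic of degree e with
    g(m) = 0 (mod N) and is the input to Theorem 3 (Coppersmith), which is not repeated here."""
    N = 1
    for n in Ns:
        N *= n
    g = [0] * (e + 1)
    for i, (c, n) in enumerate(zip(cs, Ns), start=1):
        Mi = N // n
        ti = Mi * pow(Mi, -1, n)  # t_i = 1 (mod N_i) and t_i = 0 (mod N_j) for j != i
        gi = [1]
        for _ in range(e):
            gi = poly_mul_mod(gi, [i << h, 1], N)  # (i*2^h + x)^e
        gi[0] = (gi[0] - c) % N
        g = [(a + ti * b) % N for a, b in zip(g, gi)]
    return g, N


def padded_polynomial_ok(cs, Ns, h, m, e=3):
    """True when g is monic of degree e and m is a root of g modulo N = N_1 ... N_k."""
    g, N = hastad_padded_polynomial(cs, Ns, h, e)
    return len(g) == e + 1 and g[-1] == 1 and poly_eval(g, m) % N == 0


# Constructed sample values (not from the slides).
MODULI = [1000003 * 1000033, 1000037 * 1000039, 1000081 * 1000099]  # three RSA moduli, e = 3
assert all(gcd(a, b) == 1 for a, b in combinations(MODULI, 2))  # CRT needs pairwise coprime moduli
MESSAGE = 0xC0FFEE1234  # 40-bit plaintext, so MESSAGE**3 < N1*N2*N3
PAD_BITS = 44           # user i prepends i * 2^44 to the message
CIPHERTEXTS = [pow(MESSAGE, 3, n) for n in MODULI]
PADDED_CIPHERTEXTS = [pow((i << PAD_BITS) + MESSAGE, 3, n) for i, n in enumerate(MODULI, start=1)]

if __name__ == "__main__":
    print("unpadded recovered:", hastad_unpadded(CIPHERTEXTS, MODULI) == MESSAGE)
    print("padded g monic with g(m) = 0 mod N:", padded_polynomial_ok(PADDED_CIPHERTEXTS, MODULI, PAD_BITS, MESSAGE))
```

The unpadded case needs nothing beyond CRT because $m^3 < N_1 N_2 N_3$, so the CRT value is the integer $m^3$ itself; padding with a different known prefix per receiver defeats that shortcut but not the polynomial combination, which is why Theorem 3 is the last step.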
Franklin-Reiter Attack. Bob sends Alice $(N, e)$ two related messages $m_1, m_2$ with $m_2 = f(m_1) \bmod N$:
$c_1 = m_1^e \bmod N$, $c_2 = m_2^e \bmod N$.
Let $g_1(x) = x^e - c_1$, $g_2(x) = f(x)^e - c_2$ and $s(x) = \gcd(g_1(x), g_2(x))$; $m_1$ is a root of $s(x)$. Example: $f(x) = ax + b$, $e = 3$:
$g_1(x) = x^3 - c_1 = x^3 - m_1^3$, $g_2(x) = f(x)^3 - c_2 = f(x)^3 - m_2^3$, $s(x) = x - m_1$.
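The Franklin-Reiter gcd computation as an added example (not code from the slides): Euclid's algorithm in $\mathbb{Z}_N[x]$ applied to the example $f(x) = ax + b$, $e = 3$. The modulus, $a$, $b$ and $m_1$ are constructed values. $\mathbb{Z}_N$ is not a field, so each division step needs the leading coefficient of the divisor to be invertible modulo N; `pow` raises ValueError otherwise, and in that case the gcd of that coefficient with N is a factor of N.

```python
def poly_trim(p):
    """Drop leading zero coefficients (lists are lowest degree first); the zero polynomial is [0]."""
    p = list(p)
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p


def poly_mul_mod(p, q, N):
    """Product of two polynomials over Z_N."""
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] = (r[i + j] + a * b) % N
    return r


def poly_mod(p, q, N):
    """Remainder of p divided by q in Z_N[x]. Z_N is not a field: the leading coefficient of q must be
    invertible mod N (pow raises ValueError otherwise, and gcd(q[-1], N) then factors N)."""
    p = poly_trim([c % N for c in p])
    inv = pow(q[-1], -1, N)
    while len(p) >= len(q) and p != [0]:
        coef = p[-1] * inv % N
        shift = len(p) - len(q)
        for i, c in enumerate(q):
            p[shift + i] = (p[shift + i] - coef * c) % N
        p = poly_trim(p)  # the leading term was cancelled exactly, so the degree drops
    return p


def poly_gcd_mod(a, b, N):
    """Euclid's algorithm in Z_N[x]; the result is normalised to be monic."""
    a, b = poly_trim([c % N for c in a]), poly_trim([c % N for c in b])
    while b != [0]:
        a, b = b, poly_mod(a, b, N)
    inv = pow(a[-1], -1, N)
    return [c * inv % N for c in a]


def franklin_reiter(c1, c2, f, e, N):
    """Recover m1 from c1 = m1^e and c2 = f(m1)^e (mod N): s(x) = gcd(x^e - c1, f(x)^e - c2) = x - m1."""
    g1 = [(-c1) % N] + [0] * (e - 1) + [1]  # x^e - c1
    g2 = [1]
    for _ in range(e):
        g2 = poly_mul_mod(g2, f, N)          # f(x)^e
    g2[0] = (g2[0] - c2) % N                 # f(x)^e - c2
    s = poly_gcd_mod(g1, g2, N)
    if len(s) != 2:
        return None                          # gcd is not linear, so m1 is not isolated
    return (-s[0]) % N                       # s(x) = x - m1


# Constructed sample values (not from the slides): f(x) = a x + b with e = 3.
SAMPLE_N = 1000003 * 1000033                 # product of two primes near 10^6
E = 3
M1 = 123456789
F = [31337, 7]                               # f(x) = 7 x + 31337, lowest degree first
M2 = (7 * M1 + 31337) % SAMPLE_N
C1, C2 = pow(M1, E, SAMPLE_N), pow(M2, E, SAMPLE_N)

if __name__ == "__main__":
    print("recovered m1:", franklin_reiter(C1, C2, F, E, SAMPLE_N) == M1)
```

The attack costs $O(e^2)$ polynomial operations of degree up to e, which is why it is practical for small public exponents such as $e = 3$ and becomes expensive for $e = 65537$.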
We can append random bits to the message: $m' = 2^{n-k} m + r$.
Suppose Bob sends the same message to Alice twice: $m_1 = 2^{n-k} m + r_1$, $m_2 = 2^{n-k} m + r_2$.
The attacker sets $y_0 = r_2 - r_1$ and solves the equations $g_1(x,y) = x^e - c_1$, $g_2(x,y) = (x+y)^e - c_2$.
The attacker forms the resultant $h(y)$ of $g_1$ and $g_2$ w.r.t. x.
$y_0 = r_2 - r_1$ is a small root of $h(y)$, which has degree $e^2$. Using Thm 3 the attacker can recover $y_0$ and then recover $m_1$ using the Franklin-Reiter attack.
Extension to Wiener's Attack. $N = pq$ with $q < p < 2q$, p, q prime; $ed = 1 \pmod{\Phi}$, where d is small and $e \approx \Phi(N) \approx N$. Wiener's attack works when
$d < \frac{1}{3} N^{1/4}$.
$ed + (k/2)\Phi = 1$. Set
$s = -\frac{p+q}{2}$, $A = \frac{N+1}{2}$,
so that $\Phi = N + 1 - p - q = 2(A + s)$ and
$f_e(s, k) = k(A + s) - 1 = 0 \pmod e$,
with $|s| < 2N^{0.5}$ and $|k| = \frac{2(ed - 1)}{N + 1 - p - q} < \frac{2ed}{\Phi} < \frac{3ed}{N}$.
We can use Lemma 4 to solve this bivariate problem.
Writing $d = N^{\delta}$, the problem has a solution when $\delta \le 0.292$, i.e. the attack works when $d < N^{0.292}$.