Lattice Based Attacks on RSA

Outline • Lattices and Lattice reduction • Lattice Based Attacks on RSA • Hastad's Attack • Franklin-Reiter Attack • Extension to Wiener's Attack
Lattices and Lattice reduction • Given a set of m linearly independent vectors, {b1,…,bm} in R^n. • The set of all real linear combinations of these vectors is a vector subspace.
Gram-Schmidt process: takes one basis {b1,…,bm} and produces a basis {b1*,…,bm*} which is pairwise orthogonal. • b1* = b1; each further bi* is bi minus its projections onto b1*,…,b(i−1)*.
Example: (figure not reproduced)
Given a set of linearly independent basis vectors {b1,…,bm} in R^n with m ≤ n. • A lattice is the set of all integer linear combinations of the bi.
Definition 1: A basis {b1,…,bm} is called LLL reduced if the associated Gram-Schmidt basis {b1*,…,bm*} satisfies the LLL size-reduction and Lovász conditions.
For all non-zero lattice vectors x we have a bound on ‖b1‖ in terms of ‖x‖: the first vector of an LLL reduced basis is, up to a factor exponential in m, a shortest non-zero vector of the lattice.
Lattice Based Attacks on RSA • Original problem: Given a polynomial f over the integers of degree d and the side information that there exists a root x0 modulo N which is small, say |x0| < N^{1/d}, can one efficiently find the small root x0?
The answer is YES • Basic idea: find a polynomial h (built from multiples of f) such that h(x0) = 0 holds over the integers, and the coefficients of h should be small.
Lemma 2: Let h(x) ∈ Z[x] be of degree at most n and let X and N be positive integers. Suppose h(xX) has sufficiently small norm. Then if |x0| < X satisfies h(x0) ≡ 0 (mod N), h(x0) = 0 holds over the integers and not just modulo N.
f(x0) ≡ 0 (mod N) ⇒ f(x0)^k ≡ 0 (mod N^k) • For some given value of m define the polynomials g_{u,v}; then g_{u,v}(x0) ≡ 0 (mod N^m) for all 0 ≤ u < d and 0 ≤ v ≤ m.
We wish to find integers a_{u,v} such that h = Σ a_{u,v} g_{u,v} satisfies the condition of Lemma 2 (with N^m in place of N).
Example • f(x) = x^2 + ax + b • wish to find an x0 such that f(x0) ≡ 0 (mod N) • Set m = 2 and form the 6 × 6 matrix A whose rows are the coefficients of the g_{u,v}(xX):
det(A) = N^6 X^15
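Worked out in full, as an added derivation that is not part of the slides: the lattice for this example, using the standard choice g_{u,v}(x) = N^{m−v} x^u f(x)^v (which the transcript does not write out, but which reproduces the determinant stated above), together with the standard LLL and Howgrave-Graham bounds.

$$
\begin{aligned}
&f(x)=x^2+ax+b,\qquad d=2,\quad m=2,\quad 0\le u<2,\ 0\le v\le 2,\\
&g_{0,0}=N^2,\quad g_{1,0}=N^2x,\quad g_{0,1}=Nf(x),\quad g_{1,1}=Nxf(x),\quad g_{0,2}=f(x)^2,\quad g_{1,2}=xf(x)^2,\\
&\text{each } g_{u,v}(x_0)\equiv 0 \pmod{N^2}\text{ because } f(x_0)^v\equiv 0 \pmod{N^v}.
\end{aligned}
$$

Using $f(x)^2 = x^4+2ax^3+(a^2+2b)x^2+2abx+b^2$, the coefficient vectors of $g_{u,v}(xX)$ (degree 0 to 5) form a lower triangular matrix:

$$
A=\begin{pmatrix}
N^2 & 0 & 0 & 0 & 0 & 0\\
0 & N^2X & 0 & 0 & 0 & 0\\
Nb & NaX & NX^2 & 0 & 0 & 0\\
0 & NbX & NaX^2 & NX^3 & 0 & 0\\
b^2 & 2abX & (a^2+2b)X^2 & 2aX^3 & X^4 & 0\\
0 & b^2X & 2abX^2 & (a^2+2b)X^3 & 2aX^4 & X^5
\end{pmatrix},
\qquad
\det A = N^{2+2+1+1}\,X^{0+1+2+3+4+5}=N^6X^{15}.
$$

LLL on the 6 rows returns a lattice vector $b_1 = h(xX)$ with $\|b_1\|\le 2^{(n-1)/4}(\det A)^{1/n} = 2^{5/4}\,N\,X^{5/2}$ (n = 6). Lemma 2 in the Howgrave-Graham form, with modulus $N^2$ and at most 6 monomials, needs $\|h(xX)\| < N^2/\sqrt{6}$, so

$$
X^{5/2} < \frac{N}{2^{5/4}\sqrt{6}} \quad\Longrightarrow\quad X \approx N^{2/5},
$$

and $h(x_0)=0$ over the integers for every $|x_0|<X$. Taking larger m pushes the exponent from 2/5 towards 1/d = 1/2, which is the bound Theorem 3 states.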
Theorem 3 (Coppersmith): • Let f ∈ Z[x] be a monic polynomial of degree d • Let N be an integer • If there is some root x0 of f modulo N such that |x0| < N^{1/d − ε} • Then one can find x0 in time polynomial in log N and 1/ε, for fixed values of d
Lemma 4: • Let h(x,y) ∈ Z[x,y] be a sum of at most w monomials • Suppose h(x0,y0) ≡ 0 (mod N^e) for some positive integers N and e, where the integers x0 and y0 satisfy |x0| < X and |y0| < Y, and h(xX,yY) has sufficiently small norm • Then h(x0,y0) = 0 holds over the integers
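The whole univariate procedure (Definition 1, Lemma 2, the g_{u,v} construction and Theorem 3) end to end, as an added example that is not code from the slides: a pure-Python LLL with exact rational arithmetic, the Coppersmith lattice for m = 1, and the classic "stereotyped message" attack on e = 3 where the attacker knows all but the last 16 bits of the plaintext. The toy modulus (two Mersenne primes, about 2^92), the known prefix layout, the secret value and the parameter m = 1 are all assumptions of this example; g_{u,v}(x) = N^{m−v} x^u f(x)^v is the standard choice, not something the transcript spells out. Requires Python 3.8+.

```python
from fractions import Fraction

# Constructed toy instance (not from the slides): N = (2^31-1)(2^61-1), e = 3,
# and a "stereotyped" plaintext whose 9-byte prefix is known and whose last
# 16 bits are the secret the attacker wants.
P, Q, E = (1 << 31) - 1, (1 << 61) - 1, 3
N = P * Q
KNOWN_PREFIX = int.from_bytes(b"PIN code:", "big") << 16
SECRET = 0xBEEF
C = pow(KNOWN_PREFIX | SECRET, E, N)       # intercepted ciphertext; m^3 wraps mod N


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(b):
    """Exact Gram-Schmidt over Q: b*[i] = b[i] - sum_j mu[i][j] b*[j], mu[i][i] = 1."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(b[i])
        mu[i][i] = Fraction(1)
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * sj for vi, sj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL reduction (Definition 1, delta = 3/4) of integer row vectors."""
    b = [[Fraction(x) for x in row] for row in basis]
    n, k = len(b), 1
    while k < n:
        bstar, mu = gram_schmidt(b)
        for j in range(k - 1, -1, -1):                   # size-reduce b[k]
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):
                    mu[k][i] -= q * mu[j][i]
        lovasz = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if dot(bstar[k], bstar[k]) >= lovasz:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def poly_mul(p, q):                        # coefficient lists, lowest degree first
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, c in enumerate(q):
            r[i + j] += a * c
    return r


def poly_eval(p, x):
    acc = 0
    for coef in reversed(p):
        acc = acc * x + coef
    return acc


def coppersmith_basis(f, N, X, m):
    """Rows = coefficients of g_{u,v}(xX), g_{u,v}(x) = N^(m-v) x^u f(x)^v,
    0 <= u < d, 0 <= v <= m: the standard choice, each vanishing at x0 mod N^m."""
    d, rows, fv = len(f) - 1, [], [1]
    n = d * (m + 1)
    for v in range(m + 1):
        for u in range(d):
            g = [0] * u + [c * N ** (m - v) for c in fv]
            g += [0] * (n - len(g))
            rows.append([c * X ** j for j, c in enumerate(g)])
        fv = poly_mul(fv, f)
    return rows


def coppersmith_small_root(f, N, X, m=1):
    """Integer roots x in [0, X) of monic f with f(x) = 0 mod N (Theorem 3 via Lemma 2)."""
    first = lll(coppersmith_basis(f, N, X, m))[0]     # short vector = h(xX)
    assert all(c % X ** j == 0 for j, c in enumerate(first))
    h = [c // X ** j for j, c in enumerate(first)]     # h(x) over Z; h(x0) = 0 by Lemma 2
    return [x for x in range(X) if poly_eval(h, x) == 0]   # naive root scan, X is small


def recover_secret(known=KNOWN_PREFIX, c=C, N=N, X=1 << 16):
    """f(x) = (known + x)^3 - c is monic of degree 3 with small root x0 = SECRET."""
    f = [1]
    for _ in range(E):
        f = poly_mul(f, [known, 1])
    f[0] -= c
    f = [coef % N for coef in f]
    for x in coppersmith_small_root(f, N, X):
        if pow(known | x, E, N) == c:
            return x
    return None


if __name__ == "__main__":
    print(hex(recover_secret()))       # 0xbeef
```

With m = 1 and d = 3 the lattice has 6 rows and det = N^3 X^15, so the worst-case LLL bound gives X up to about N^{1/5}; X = 2^16 is well inside that for a 92-bit N, and the final root scan is only cheap because X is that small. A real deployment would use fpylll or Sage for the reduction and a proper integer root finder, and larger m to approach the N^{1/3} bound of Theorem 3.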
Hastad's Attack • Given 3 public keys (Ni, ei) with the same ei = 3 • If a user sends the same message m to all 3 public keys, the plaintext can be recovered using CRT: m^3 < N1 N2 N3, so CRT yields the integer m^3, and an integer cube root gives m
User message: m → Receiver 1 (N1, e): c1 = m^e mod N1 • Receiver 2 (N2, e): c2 = m^e mod N2 • Receiver 3 (N3, e): c3 = m^e mod N3
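The unpadded broadcast attack above, as an added example that is not code from the slides. The three moduli are constructed from well-known primes that are all congruent to 2 mod 3 (so e = 3 is a valid RSA exponent for each of them), and the message is an assumption of this example; the attack itself only needs pairwise coprime moduli and m < Ni for every i. Requires Python 3.8+ for pow(x, -1, n).

```python
# Constructed toy instance (not from the slides): three recipients, all using
# e = 3. Every factor is congruent to 2 mod 3, so 3 is coprime to each p - 1
# and these are valid RSA keys.
E = 3
MODULI = [
    65537 * 104729,
    998244353 * 1000000007,
    4294967291 * 18446744073709551557,
]
MESSAGE = int.from_bytes(b"1337", "big")              # smaller than every N_i
CIPHERTEXTS = [pow(MESSAGE, E, n) for n in MODULI]    # what the attacker sees


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    total, M = 0, 1
    for n in moduli:
        M *= n
    for r, n in zip(residues, moduli):
        Mi = M // n
        total += r * Mi * pow(Mi, -1, n)
    return total % M


def iroot(k, n):
    """Floor of the integer k-th root of n >= 0 (Newton iteration on integers)."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + k - 1) // k)          # start above the root
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x
        x = y


def hastad_broadcast(ciphertexts, moduli, e=E):
    """Recover m from e encryptions of the same m under e coprime moduli.

    CRT reconstructs m^e as an ordinary integer because m^e < N_1 * ... * N_e;
    an integer e-th root then gives m with no private key involved."""
    if len(ciphertexts) < e:
        raise ValueError("need at least e ciphertexts")
    m_e = crt(ciphertexts[:e], moduli[:e])
    m = iroot(e, m_e)
    if m ** e != m_e:
        return None     # not a perfect e-th power: the plaintexts were not identical
    return m


if __name__ == "__main__":
    print(hastad_broadcast(CIPHERTEXTS, MODULI).to_bytes(4, "big"))   # b'1337'
```

The `None` branch is what the per-user padding on the next slide triggers: the CRT value is then no longer a cube, and the lattice version of the attack is needed instead.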
Now we pad some user-specific data before a message m • For user i, ci = (i·2^h + m)^3 (mod Ni) ⇒ can still break this system using a generalisation of Hastad's attack
gi(m) ≡ 0 (mod Ni), where gi(x) = (i·2^h + x)^3 − ci • Set N = N1 N2 … Nk; using CRT we can find ti with ti ≡ 1 (mod Ni) and ti ≡ 0 (mod Nj) for j ≠ i, so that g(x) = Σ ti gi(x) satisfies g(m) ≡ 0 (mod N) • Using Thm 3 we can recover m in polynomial time: g is monic of degree 3 (Σ ti ≡ 1 mod N), and m < Ni for every i gives m < N^{1/3} as soon as k ≥ 3
Franklin-Reiter Attack • Bob, messages m1 and m2 with m2 = f(m1) mod N → Alice (N, e): c1 = m1^e mod N, c2 = m2^e mod N
Let g1(x) = x^e − c1, g2(x) = f(x)^e − c2 • Let s(x) = gcd(g1(x), g2(x)), computed with Euclid's algorithm over Z_N • m1 is a root of s(x) • Example: f(x) = ax + b, e = 3 • g1(x) = x^3 − c1 = x^3 − m1^3 • g2(x) = f(x)^3 − c2 = f(x)^3 − m2^3 • s(x) = x − m1
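The related-message attack with the affine relation f(x) = ax + b, as an added example that is not code from the slides. Polynomial gcd over Z_N is Euclid's algorithm with leading coefficients inverted modulo N; the modulus (two well-known primes, about 2^96), e = 3, the message and the relation a = 2, b = 1 are assumptions of this example. Requires Python 3.8+.

```python
# Constructed toy instance (not from the slides): N is a product of two known
# primes, e = 3, and the second message is the public affine function of the
# first, m2 = A*m1 + B mod N.
N = 4294967291 * 18446744073709551557
E = 3
M1 = int.from_bytes(b"pay 100 EUR", "big")
A, B = 2, 1
M2 = (A * M1 + B) % N
C1, C2 = pow(M1, E, N), pow(M2, E, N)                 # what the attacker sees


def poly_trim(p):                       # drop leading zeros, keep at least one coefficient
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p


def poly_mul_mod(p, q, n):              # coefficient lists, lowest degree first
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] = (r[i + j] + a * b) % n
    return r


def poly_rem_mod(a, b, n):
    """Remainder of a modulo b over Z_n; needs the leading coefficient of b invertible."""
    a = poly_trim(list(a))
    inv = pow(b[-1], -1, n)
    while len(a) >= len(b) and any(a):
        coef = a[-1] * inv % n
        shift = len(a) - len(b)
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bc) % n
        poly_trim(a)
    return a


def poly_gcd_mod(a, b, n):
    """Monic gcd by Euclid over Z_n. A non-invertible leading coefficient would
    raise ValueError from pow(); for an RSA modulus that would reveal a factor."""
    a, b = poly_trim(list(a)), poly_trim(list(b))
    while any(b):
        a, b = b, poly_rem_mod(a, b, n)
    inv = pow(a[-1], -1, n)
    return [c * inv % n for c in a]


def franklin_reiter(c1, c2, a, b, n=N, e=E):
    """g1 = x^e - c1 and g2 = (a x + b)^e - c2 share the root m1, so gcd = x - m1."""
    g1 = [(-c1) % n] + [0] * (e - 1) + [1]
    g2 = [1]
    for _ in range(e):
        g2 = poly_mul_mod(g2, [b, a], n)
    g2[0] = (g2[0] - c2) % n
    s = poly_gcd_mod(g1, g2, n)
    if len(s) != 2:
        return None                     # gcd not linear: relation or ciphertexts inconsistent
    return (-s[0]) % n                  # s(x) = x - m1


if __name__ == "__main__":
    print(franklin_reiter(C1, C2, A, B).to_bytes(11, "big"))   # b'pay 100 EUR'
```

For these primes, both congruent to 2 mod 3, cubing is a bijection modulo p and modulo q, so x^3 − c1 has exactly one root and the gcd is guaranteed to be linear; for general e the gcd is linear with overwhelming probability, which is why the check on its degree is kept.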
We can append random bits to the message: • m′ = 2^{n−k}·m + r • Suppose Bob sends the same message to Alice twice, with fresh random padding each time: • m1 = 2^{n−k}·m + r1 • m2 = 2^{n−k}·m + r2
The attacker sets y0 = r2 − r1 and considers the equations • g1(x,y) = x^e − c1 • g2(x,y) = (x + y)^e − c2 • The attacker forms the resultant h(y) of g1 and g2 with respect to x.
y0 = r2 − r1 is a small root of h(y), which has degree e^2 • Using Thm 3 the attacker can recover y0 and then recover m1 using the Franklin-Reiter attack with the now known relation f(x) = x + y0
Extension to Wiener's Attack • N = pq with q < p < 2q; p, q are prime • ed ≡ 1 (mod Φ), where Φ = (p − 1)(q − 1) • d is small • Wiener's attack works when d < N^{1/4}/3 • ed + (k/2)Φ = 1
ed + (k/2)Φ = 1 • Set (substitution as in the Boneh-Durfee attack)
We can use Lemma 4 to solve the resulting bivariate small-root problem • This problem has a solution when δ ≤ 0.292, writing d = N^δ • This attack works when d < N^{0.292}
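The classical Wiener attack that the slide extends, as an added example that is not code from the slides: the convergents of the continued fraction of e/N are tried as candidates for k/d, and a candidate is confirmed by recovering p + q from Φ and checking that the resulting quadratic has an integer root. The key (two balanced 30-bit primes with q < p < 2q, and a deliberately small d = 8191 < N^{1/4}/3) is an assumption of this example. Requires Python 3.8+.

```python
from math import isqrt

# Constructed toy key (not from the slides): balanced primes with q < p < 2q
# and a deliberately small private exponent below N^(1/4)/3.
P, Q = 1000000007, 998244353
N = P * Q
PHI = (P - 1) * (Q - 1)
D = 8191                               # small d, coprime to PHI
E = pow(D, -1, PHI)                    # the public exponent that results


def convergents(num, den):
    """Successive convergents h/k of the continued fraction of num/den."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        q, r = divmod(num, den)
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        yield h, k
        num, den = den, r


def wiener(e, n):
    """Wiener's attack: e*d - k*phi = 1 makes k/d a convergent of e/N when d is small.

    Returns (d, p, q) or None if no convergent yields a consistent factorisation."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                 # = p + q if this phi is the real one
        disc = s * s - 4 * n            # = (p - q)^2
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            p, q = (s + r) // 2, (s - r) // 2
            if p * q == n:
                return d, p, q
    return None


if __name__ == "__main__":
    print(wiener(E, N))                 # (8191, 1000000007, 998244353)
```

Raising d just past N^{1/4} makes this loop run through every convergent without a hit; that is the regime in which the bivariate lattice attack of the slide, up to d < N^{0.292}, still applies.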