
Lattices in Crypt-analysis


mkelleher




Presentation Transcript


  1. Lattices in Crypt-analysis: a useful mathematical tool

  2. Preview
  • Why Lattices?
  • What is the Lattice?
  • “Shortest Vector Problems”

  3. Why Lattices?
  • RSA
    • C = M^e (mod N)
    • Deterministic, so semantic security is broken
    • + random pad
    • C = (M||r)^e (mod N)
    • M from C???

  4. What is the Lattice?
  • B is a set of vectors in R^n, which are not necessarily linearly independent in R^n.
  • L(B) – generated by integer linear combinations of B
  • span(B) – generated by real linear combinations of B
  • A basis for the lattice L(B) is also a basis for the vector space span(B).
  • A basis for the vector space span(B) is not necessarily a basis for the lattice, as seen in figure c.

  5. Lattices – notoriously hard problems
  • “Shortest Vector Problem” (SVP)
    • Search SVP
    • Optimization SVP
    • Decisional SVP
  • GCD
    • E.g., Approximate Integer Common Divisors

  6. Lattice – Shortest Vector Problem
  • SVP
    • Given a lattice
    • Find a non-zero vector in this lattice
    • s.t. the norm is minimal
  • It is well defined.
    • I.e., there exists a lattice vector with minimal norm (λ).

  7. Proof Sketch – Well-defined SVP
  • The inf of the norm over non-zero lattice vectors is lower-bounded by the minimum norm of the Gram-Schmidt (G-S) vectors.
  • => Two lattice vectors that are sufficiently close to each other are the same vector.
  • Inf = there are lattice vectors whose norms come arbitrarily close to the inf.
  • => Those vectors are eventually the same vector, whose norm equals the inf.

  8. Lattice – Shortest Vector Problem
  • 2-dimensional SVP
    • Algorithm in polynomial time
  • n-dimensional SVP
    • No polynomial-time algorithm is known
    • An approximation algorithm => LLL

  9. Lattice – LLL Algorithm
  • Goal
    • Produce an LLL-reduced basis
    • The first vector of which has length upper-bounded: ‖b_1‖ = ‖b_1^*‖ ≤ α^{(n-1)/2} λ
  • Description
    • Reduce
    • Swap
    • Repeat

  10. Lattice – LLL Algorithm
  • Description ((i+1)-th iteration)
    • Reduce: compute b_{i+1}^* = b_{i+1} – its “closest” projection onto the LLL-reduced basis so far
    • Swap: swap b_{i+1} and b_i if b_{i+1}^* is not longer than b_i^* (by some factor)
    • Repeat: go back to step 1 (Reduce) in the i-th iteration if a swap happened

  11. Lattice – LLL Algorithm
  • Bound the number of iterations
  • Bound the running time of one iteration
  • => The algorithm terminates in polynomial time!

  12. Lattices & univariate polynomials
  • Ultimate goal: find roots of a univariate polynomial f mod N
  • Better: solve it over the integers (without the modulus)
  • If f has “small” coefficients, a small root of f mod N is a root over the integers

  13. Lattices & univariate polynomials
  • Goal (using a lattice): find f’ such that
    • (1) every root of f mod N is a root of f’ mod N
    • (2) f’ has “small” coefficients
  • Main idea:
    • Construct a basis in which each vector has property (1)
    • Reduce the basis with LLL to find an f’ with property (2)
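As an added worked example (not part of the slides), here is the reduce/swap/repeat loop of slides 9 and 10 and the small-root idea of slides 12 and 13 in Python: the rows N, N·x and f(x) = x^2 + a·x + b, written in the scaled variable xX, span a lattice in which every vector is some f’(xX) with f’(x0) ≡ 0 (mod N); the first LLL vector is short enough that f’(x0) = 0 over the integers whenever X < N^(1/3)/√6. The function names and the instance in the usage note are my own assumptions.

```python
from fractions import Fraction
from math import isqrt

def dot(u, v):
    return sum(Fraction(x) * y for x, y in zip(u, v))

def gram_schmidt(b):
    # b*_i = b_i minus its projection on span(b*_0..b*_{i-1}); mu[i][j] are those coefficients
    bstar, mu = [], [[Fraction(0)] * len(b) for _ in b]
    for i, row in enumerate(b):
        v = [Fraction(x) for x in row]
        for j in range(i):
            mu[i][j] = dot(row, bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def lll(basis, delta=Fraction(3, 4)):
    # Textbook LLL: reduce, swap, repeat. Exact rationals, full G-S recompute per step: toy sizes only.
    b, k = [list(r) for r in basis], 1
    bstar, mu = gram_schmidt(b)
    while k < len(b):
        for j in range(k - 1, -1, -1):            # Reduce: size-reduce b_k against b_{k-1}..b_0
            if q := round(mu[k][j]):
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                # Lovasz condition holds: keep the order
        else:                                     # Swap: b*_k too short relative to b*_{k-1}
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)                     # Repeat from the previous index
    return b

def integer_roots(c0, c1, c2):
    # All integer roots of c0 + c1*x + c2*x^2 (degree <= 2), exact quadratic formula
    if c2 == 0:
        return [-c0 // c1] if c1 and c0 % c1 == 0 else []
    d = c1 * c1 - 4 * c2 * c0
    s = isqrt(d) if d >= 0 else -1
    return [(-c1 + t) // (2 * c2) for t in (s, -s) if s * s == d and (-c1 + t) % (2 * c2) == 0]

def small_root_mod_n(a, b, N, X):
    # Rows N, N*x, f(x) = x^2 + a*x + b in the variable x*X; each lattice vector is some g(xX) with g(x0) = 0 mod N
    rows = [[N, 0, 0], [0, N * X, 0], [b, a * X, X * X]]
    for v in lll(rows):
        c0, c1, c2 = v[0], v[1] // X, v[2] // (X * X)           # undo the X^i scaling
        for x in integer_roots(c0, c1, c2):
            if abs(x) < X and (x * x + a * x + b) % N == 0:
                return x
```

For a constructed instance with N = 1000003 · 1000033, a = 987654321, X = 2000 and b chosen so that x0 = 1337 is a root of f mod N, small_root_mod_n(a, b, N, X) returns 1337 without ever searching the root space.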

  14. Lattices & univariate polynomials
  • Two constructions:
    • Håstad’s theorem
    • Coppersmith’s theorem

  15. Why Lattices?
  • RSA
    • C = M^e (mod N)
    • + random pad
    • C = (M||r)^e (mod N)
    • M from C??? For small e, yes!

  16. Review
  • Lattices – preliminaries
    • Basis, G-S orthogonalization
  • Lattices – shortest vector problem
    • LLL algorithm
  • Lattices & univariate polynomials
    • Coppersmith’s method

  17. References (Lattices)
  • Introduction to Lattices. Lecture notes from Oded Regev's course
  • Lecture notes from Daniele Micciancio’s course: http://cseweb.ucsd.edu/classes/wi10/cse206a (Lec 1, 2, 4)

  18. References (LLL and RSA)
  • http://people.csail.mit.edu/shaih/lattices-and-HE-class/coppersmith-notes.pdf
  • www.ams.org/notices/199902/boneh.pdf
  • www.cits.rub.de/imperia/md/content/may/paper/lll.ps
  • Using LLL-Reduction for Solving RSA and Factorization Problems (2000)

  19. Q&A

  20. Thanks for your attention
