
Lattice Based Attacks on RSA

2004/9/22

Outline
Lattices and lattice reduction
Lattice-based attacks on RSA: Hastad's attack, the Franklin-Reiter attack, and the extension to Wiener's attack

Lattices and lattice reduction
Given a set of m linearly independent vectors {b_1, …, b_m} in R^n, the set of all real linear combinations of these vectors (their span) is a vector subspace of R^n.

Gram-Schmidt process: takes a basis {b_1, …, b_m} and produces a basis {b_1^*, …, b_m^*} of the same subspace whose vectors are pairwise orthogonal:
b_1^* = b_1,
b_i^* = b_i − Σ_{j<i} μ_{i,j} b_j^*, where μ_{i,j} = ⟨b_i, b_j^*⟩ / ⟨b_j^*, b_j^*⟩ for 1 ≤ j < i ≤ m.
The b_i^* are in general not integer vectors and do not generate the same lattice as the b_i; they are used only to measure how reduced a lattice basis is.

Example:

Given a set of linearly independent basis vectors {b_1, …, b_m} in R^n with m ≤ n, the lattice L generated by them is the set of all integer linear combinations of the b_i, L = {Σ a_i b_i : a_i ∈ Z}. Its determinant det(L) = Π ‖b_i^*‖ does not depend on the choice of basis; when m = n and the b_i are the rows of a square matrix B, det(L) = |det(B)|.

Definition 1: A basis {b_1, …, b_m} is called LLL reduced if the associated Gram-Schmidt basis {b_1^*, …, b_m^*} satisfies
|μ_{i,j}| ≤ 1/2 for all 1 ≤ j < i ≤ m (size reduction), and
‖b_i^*‖^2 ≥ (3/4 − μ_{i,i−1}^2) ‖b_{i−1}^*‖^2 for 1 < i ≤ m (the Lovász condition).
The LLL algorithm turns any basis into an LLL-reduced basis of the same lattice in polynomial time.

For an LLL-reduced basis the first vector is provably short. For all non-zero x in the lattice L we have
‖b_1‖ ≤ 2^{(m−1)/2} ‖x‖,
and in terms of the determinant alone,
‖b_1‖ ≤ 2^{(m−1)/4} det(L)^{1/m}.
The second bound is the one used below: it guarantees a short vector from the determinant, which we can read off a triangular basis matrix.

Original problem: given a polynomial f over the integers of degree d and the side information that there exists a root x_0 modulo N which is small, say |x_0| < N^{1/d}, can one efficiently find the small root x_0? (N need not be prime, and its factorisation is not known.)

The answer is YES. Basic idea: find a polynomial h(x) ∈ Z[x] that has the same root, h(x_0) = 0 (mod N^m) for some m ≥ 1, and whose coefficients are so small that the congruence forces h(x_0) = 0 over the integers; a root of an integer polynomial over Z is then easy to find.

Lemma 2 (Howgrave-Graham): Let h(x) ∈ Z[x] be a sum of at most n monomials, and let X and N be positive integers. Write ‖h(xX)‖ for the Euclidean norm of the coefficient vector of h(xX), i.e. of (h_0, h_1 X, h_2 X^2, …). Suppose ‖h(xX)‖ < N/√n. Then if |x_0| < X satisfies h(x_0) = 0 (mod N), h(x_0) = 0 holds over the integers and not just modulo N.
Proof sketch: |h(x_0)| ≤ Σ |h_i| |x_0|^i ≤ Σ |h_i| X^i ≤ √n ‖h(xX)‖ < N by Cauchy-Schwarz, and the only multiple of N with absolute value below N is 0.

If f(x_0) = 0 (mod N) then f(x_0)^k = 0 (mod N^k). For some chosen value of m ≥ 1 define
g_{u,v}(x) = N^{m−v} x^u f(x)^v for 0 ≤ u < d and 0 ≤ v ≤ m;
then g_{u,v}(x_0) = 0 (mod N^m) for all these u and v, because N^{m−v} f(x_0)^v is divisible by N^{m−v} N^v = N^m. Any integer linear combination of the g_{u,v} therefore also has x_0 as a root modulo N^m.

We wish to find integers a_{u,v} such that h(x) = Σ a_{u,v} g_{u,v}(x) satisfies ‖h(xX)‖ < N^m/√n, where n = d(m+1) is the number of polynomials and also the number of monomials, since deg g_{u,v} = u + dv takes each value 0, …, n−1 exactly once. Lemma 2 applied with modulus N^m then gives h(x_0) = 0 over Z. Finding such a combination is a short-vector problem: the coefficient vectors of the g_{u,v}(xX) form a lattice basis, and LLL finds a short vector in that lattice.

Example: f(x) = x^2 + ax + b. We wish to find x_0 such that f(x_0) = 0 (mod N). Set m = 2, so d = 2 and n = 6. The six polynomials are
g_{0,0} = N^2, g_{1,0} = N^2 x, g_{0,1} = N f(x), g_{1,1} = N x f(x), g_{0,2} = f(x)^2, g_{1,2} = x f(x)^2,
and the rows of the basis matrix A are the coefficient vectors of g_{u,v}(xX) against the monomials 1, x, …, x^5 (using f(x)^2 = x^4 + 2a x^3 + (a^2 + 2b) x^2 + 2ab x + b^2):

    N^2     0          0               0               0        0
    0       N^2 X      0               0               0        0
    Nb      NaX        NX^2            0               0        0
    0       NbX        NaX^2           NX^3            0        0
    b^2     2abX       (a^2+2b)X^2     2aX^3           X^4      0
    0       b^2 X      2abX^2          (a^2+2b)X^3     2aX^4    X^5

The matrix is lower triangular, so
det(A) = N^2 · N^2 X · N X^2 · N X^3 · X^4 · X^5 = N^6 X^15.
The LLL bound then guarantees a lattice vector of norm at most 2^{5/4} det(A)^{1/6} = 2^{5/4} N X^{5/2}, which is below the Lemma 2 threshold N^2/√6 whenever X is a little smaller than N^{2/5}. For such X the first reduced vector gives an h with h(x_0) = 0 over the integers.

Theorem 3 (Coppersmith): Let f ∈ Z[x] be a monic polynomial of degree d and let N be an integer. If there is some root x_0 of f modulo N such that |x_0| ≤ N^{1/d − ε}, then one can find x_0 in time polynomial in log N and 1/ε, for fixed values of d. The bound N^{1/d} is approached by taking m large; the lattice dimension grows like d(m+1), which is where the dependence on 1/ε comes from. Monic is not a real restriction: if the leading coefficient is invertible modulo N, divide it out; if it is not, its gcd with N is a factor of N.
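The following is an added worked example and is not part of the original slides: a small pure-Python implementation of the LLL algorithm (Definition 1 and its reduced-basis check) together with Coppersmith's univariate method exactly as constructed above, i.e. the rows g_{u,v}(xX) = N^{m−v} (xX)^u f(xX)^v, LLL, the Lemma 2 norm test and integer root finding. It serves both the lattice-reduction section and the Coppersmith example. The modulus N (a product of two 32-bit primes), the quadratic f and the root X0 = 1234567 are constructed for the demo and are assumptions, not values from the slides. Gram-Schmidt is done with exact Fractions and recomputed after every change, which is simple and fine for the 6x6 lattice here.

```python
from fractions import Fraction

# Added example, not from the slides: textbook LLL (delta = 3/4) and
# Coppersmith's univariate small-root method built from the rows
# g_{u,v}(xX) = N^(m-v) (xX)^u f(xX)^v, followed by the Lemma 2 norm test.

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    """Exact Gram-Schmidt: (B*, mu) with mu[i][j] = <b_i, b_j*> / <b_j*, b_j*>."""
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = Fraction(dot(b, Bs[j])) / dot(Bs[j], Bs[j])
            v = [a - mu[i][j] * c for a, c in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def is_lll_reduced(B, delta=Fraction(3, 4)):
    """Definition 1: |mu_ij| <= 1/2 and the Lovasz condition for every i."""
    Bs, mu = gram_schmidt(B)
    for i in range(len(B)):
        if any(abs(mu[i][j]) > Fraction(1, 2) for j in range(i)):
            return False
        if i and dot(Bs[i], Bs[i]) < (delta - mu[i][i-1] ** 2) * dot(Bs[i-1], Bs[i-1]):
            return False
    return True

def lll(basis, delta=Fraction(3, 4)):
    """LLL-reduce an integer basis given as a list of rows (same lattice)."""
    B = [list(row) for row in basis]
    Bs, mu = gram_schmidt(B)
    k = 1
    while k < len(B):
        for j in range(k - 1, -1, -1):                  # size-reduce b_k
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * c for a, c in zip(B[k], B[j])]
                Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k-1] ** 2) * dot(Bs[k-1], Bs[k-1]):
            k += 1                                      # Lovasz condition holds
        else:
            B[k-1], B[k] = B[k], B[k-1]                 # swap and step back
            Bs, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return B

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def poly_eval(p, x):
    return sum(c * x ** i for i, c in enumerate(p))

def integer_roots(h, X):
    """Integer roots of h in [-X, X]: sign changes on a grid, then exact bisection."""
    pts = list(range(-X, X + 1, max(1, X // 2048))) + [X]
    roots = {x for x in pts if poly_eval(h, x) == 0}
    for lo, hi in zip(pts, pts[1:]):
        if poly_eval(h, lo) * poly_eval(h, hi) < 0:
            while hi - lo > 1:
                mid = (lo + hi) // 2
                if poly_eval(h, lo) * poly_eval(h, mid) <= 0:
                    hi = mid
                else:
                    lo = mid
            roots.update(x for x in (lo, hi) if poly_eval(h, x) == 0)
    return sorted(roots)

def coppersmith_small_root(f, N, m, X):
    """f: monic coefficients low->high with f(x0) = 0 mod N for some |x0| < X."""
    d = len(f) - 1
    n = d * (m + 1)                                     # lattice dimension
    rows = []
    for v in range(m + 1):
        fv = [1]
        for _ in range(v):
            fv = poly_mul(fv, f)                        # f(x)^v
        for u in range(d):
            g = [0] * u + [N ** (m - v) * c for c in fv]     # N^(m-v) x^u f(x)^v
            rows.append([c * X ** i for i, c in enumerate(g + [0] * (n - len(g)))])
    found = set()
    for row in lll(rows):
        if dot(row, row) * n < N ** (2 * m):          # Lemma 2: ||h(xX)|| < N^m / sqrt(n)
            h = [c // X ** i for i, c in enumerate(row)]        # undo the X scaling
            found.update(r for r in integer_roots(h, X) if poly_eval(f, r) % N == 0)
    return sorted(found)

# Constructed instance (assumption): N from two 32-bit primes, f = x^2 + A x + b
# built to have the root X0 mod N; m = 2 gives the slides' 6x6 lattice.
N = 4294967291 * 4294967279
X0, A = 1234567, 987654321
F = [(-X0 * X0 - A * X0) % N, A, 1]
X = 2 ** 21                                             # |x0| < X, and X is below N^(2/5)

if __name__ == "__main__":
    print(coppersmith_small_root(F, N, 2, X))           # [1234567]
```

With m = 2 and X = 2^21 the determinant bound 2^{5/4} N X^{5/2} is about 2^118, comfortably under N^2/√6 ≈ 2^126.7, so Lemma 2 is guaranteed to hold for the first reduced vector; raising m moves the admissible X towards N^{1/2} (Theorem 3 with d = 2) at the cost of a larger lattice and slower exact arithmetic.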

Lemma 4: Let h(x, y) ∈ Z[x, y] be a sum of at most w monomials. Suppose h(x_0, y_0) = 0 (mod N^e) for some positive integers N and e, where the integers x_0 and y_0 satisfy |x_0| < X and |y_0| < Y, and ‖h(xX, yY)‖ < N^e/√w. Then h(x_0, y_0) = 0 holds over the integers. This is the bivariate form of Lemma 2 and is what the extension to Wiener's attack below relies on.

Hastad's attack
Given three public keys (N_i, e_i) with the same small exponent e_i = 3 and pairwise coprime moduli. If a user sends the same message m to all three recipients, the attacker can recover the plaintext using the CRT: the ciphertexts c_i = m^3 mod N_i determine m^3 mod N_1 N_2 N_3 by the Chinese Remainder Theorem, and since m < N_i for every i we have m^3 < N_1 N_2 N_3, so the CRT value is the integer m^3 and an integer cube root gives m. No private key is involved. (If two moduli are not coprime, gcd(N_i, N_j) factors them instead.)

User, message m:
Receiver 1 (N_1, e): c_1 = m^e mod N_1
Receiver 2 (N_2, e): c_2 = m^e mod N_2
Receiver 3 (N_3, e): c_3 = m^e mod N_3

Now we pad some user-specific data before a message m, so that the three plaintexts differ. For user i, c_i = (i·2^h + m)^3 (mod N_i), where h is the number of bits reserved for m. The plain CRT trick no longer applies, because the three cubed integers are different, but the system can still be broken using Hastad's attack in its general form: each ciphertext gives a known degree-3 polynomial that has the small value m as a root.

Write g_i(x) = (i·2^h + x)^3 − c_i, so that g_i(m) = 0 (mod N_i) for each i. Set N = N_1 N_2 ⋯ N_k and, using the CRT, find t_i with t_i ≡ 1 (mod N_i) and t_i ≡ 0 (mod N_j) for j ≠ i. Then
g(x) = Σ t_i g_i(x)
satisfies g(m) = 0 (mod N). Its leading coefficient Σ t_i is ≡ 1 (mod N), so g can be taken monic; it has degree 3, and m < min N_i ≤ N^{1/k} ≤ N^{1/3} when k ≥ 3. Using Theorem 3 we can recover m in polynomial time. The same argument works for any public exponent e given at least e ciphertexts of the same padded message under coprime moduli, which is why linear padding does not rescue small-exponent broadcast.
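An added example, not from the slides, of both forms of Hastad's attack in Python: the plain e = 3 broadcast, solved with the CRT and an exact integer cube root, and the padded variant, where the function builds the CRT-combined monic cubic g(x) = Σ t_i g_i(x) with g(m) ≡ 0 (mod N) that Theorem 3 is then applied to (the Coppersmith solver itself is not repeated here). The three moduli are products of known primes, and the message and the pad position h are constructed for the demo; all of these are assumptions.

```python
from math import prod

# Added example (not from the slides): Hastad's broadcast attack. Plain case:
# CRT then an integer cube root. Padded case: the CRT-combined monic cubic
# g(x) = sum t_i g_i(x) with g(m) = 0 (mod N) that Theorem 3 is applied to.

E = 3

def crt(residues, moduli):
    """x = r_i (mod n_i) for pairwise coprime n_i; returns (x, product of n_i)."""
    N = prod(moduli)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)        # Ni * Ni^-1 is 1 mod n, 0 mod the others
    return x % N, N

def icbrt(n):
    """Exact integer cube root of n >= 0 by binary search; None if n is not a cube."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == n else None

def hastad_plain(cs, Ns):
    """Same m under three keys with e = 3: m^3 < N1 N2 N3, so the CRT value is m^3."""
    m3, _ = crt(cs, Ns)
    return icbrt(m3)

def poly_eval(p, x, N):
    return sum(c * pow(x, i, N) for i, c in enumerate(p)) % N

def hastad_padded_poly(cs, Ns, h):
    """c_i = (i 2^h + m)^3 mod N_i. Returns (g, N): g monic of degree 3 with
    g(m) = 0 (mod N = prod N_i), the polynomial Coppersmith (Theorem 3) solves."""
    N = prod(Ns)
    g = [0, 0, 0, 0]
    for i, (c, n) in enumerate(zip(cs, Ns), start=1):
        pad = i << h
        gi = [pad ** 3 - c, 3 * pad ** 2, 3 * pad, 1]          # (x + pad)^3 - c_i
        Ni = N // n
        ti = Ni * pow(Ni, -1, n)                              # CRT weight t_i
        g = [(a + ti * b) % N for a, b in zip(g, gi)]
    assert g[3] == 1                       # sum of t_i is 1 mod N, so g is monic
    return g, N

# Constructed keys (assumption): pairwise coprime moduli from known primes,
# e = 3, a 48-bit message below every N_i, pads placed above the message bits.
NS = [1000000007 * 1000000009, 998244353 * 1000000021, 2147483647 * 4294967291]
M = int.from_bytes(b"ATTACK", "big")
H = 48
CS_PLAIN = [pow(M, E, n) for n in NS]
CS_PADDED = [pow((i << H) + M, E, n) for i, n in enumerate(NS, start=1)]

if __name__ == "__main__":
    print(hastad_plain(CS_PLAIN, NS).to_bytes(6, "big"))     # b'ATTACK'
    g, N = hastad_padded_poly(CS_PADDED, NS, H)
    print(poly_eval(g, M, N) == 0, M ** 3 < N)                # True True
```

The second print checks the two facts Theorem 3 needs: g vanishes at m modulo the combined modulus, and m is below N^{1/3}, which holds automatically because m is smaller than each of the three moduli.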

Franklin-Reiter attack
Bob sends Alice (public key (N, e)) two related messages m_1 and m_2 with m_2 = f(m_1) mod N for a polynomial f known to the attacker:
c_1 = m_1^e mod N
c_2 = m_2^e mod N

Let g_1(x) = x^e − c_1 and g_2(x) = f(x)^e − c_2, both in Z_N[x]. Both have m_1 as a root modulo N, so m_1 is a root of s(x) = gcd(g_1(x), g_2(x)), computed with the Euclidean algorithm in Z_N[x]. N is composite, so the algorithm may meet a leading coefficient that is not invertible modulo N; that event reveals a factor of N, which is even better for the attacker. With overwhelming probability the gcd is linear and equals x − m_1.
Example: f(x) = ax + b, e = 3:
g_1(x) = x^3 − c_1 = x^3 − m_1^3
g_2(x) = f(x)^3 − c_2 = f(x)^3 − m_2^3
s(x) = x − m_1
The running time is quadratic in e, so the attack is practical for small exponents such as e = 3 but not for e = 65537.
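An added example, not from the slides, of the Franklin-Reiter attack for f(x) = ax + b: polynomial arithmetic and the Euclidean algorithm in Z_N[x], with the zero-divisor case surfaced as an error because it leaks a factor of N. The modulus (two known 30-bit primes, both ≡ 2 mod 3 so that cubing is a permutation of Z_N and the gcd is exactly x − m_1), the message and the coefficients a = 3, b = 7 are constructed for the demo and are assumptions. The short-pad step (resultant plus Coppersmith) is not implemented here.

```python
from math import gcd

# Added example (not from the slides): the Franklin-Reiter related-message
# attack as a polynomial gcd in Z_N[x]. Polynomials are coefficient lists,
# lowest degree first, reduced modulo N.

def trim(p):
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def pmul(a, b, N):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % N
    return trim(out)

def ppow(p, e, N):
    r = [1]
    for bit in bin(e)[2:]:                  # left-to-right square and multiply
        r = pmul(r, r, N)
        if bit == "1":
            r = pmul(r, p, N)
    return r

def pmod(a, b, N):
    """Remainder of a divided by b in Z_N[x]. N is composite, so the leading
    coefficient of b may be a zero divisor; then gcd(lead, N) factors N."""
    a, b = trim(list(a)), trim(list(b))
    if gcd(b[-1], N) != 1:
        raise ValueError("leading coefficient shares factor %d with N" % gcd(b[-1], N))
    inv = pow(b[-1], -1, N)
    while len(a) >= len(b) and a != [0]:
        q, shift = a[-1] * inv % N, len(a) - len(b)
        for i, c in enumerate(b):
            a[shift + i] = (a[shift + i] - q * c) % N
        trim(a)
    return a

def pgcd(a, b, N):
    """Monic gcd by the Euclidean algorithm in Z_N[x]."""
    while trim(list(b)) != [0]:
        a, b = b, pmod(a, b, N)
    a = trim(list(a))
    inv = pow(a[-1], -1, N)
    return [c * inv % N for c in a]

def franklin_reiter(c1, c2, a, b, e, N):
    """Given c1 = m1^e and c2 = (a m1 + b)^e mod N with a, b, e public, recover
    m1 from s(x) = gcd(x^e - c1, (a x + b)^e - c2); None if s is not linear."""
    g1 = [(-c1) % N] + [0] * (e - 1) + [1]                     # x^e - c1
    g2 = ppow([b % N, a % N], e, N)
    g2[0] = (g2[0] - c2) % N                                   # f(x)^e - c2
    s = pgcd(g1, g2, N)
    return (-s[0]) % N if len(s) == 2 else None                # s(x) = x - m1

# Constructed instance (assumption): both primes are 2 mod 3, so cubing is a
# permutation of Z_N and the gcd is exactly x - m1; Bob's second message is 3 m1 + 7.
N_DEMO = 1000000007 * 998244353
E_DEMO, A_DEMO, B_DEMO = 3, 3, 7
M1 = int.from_bytes(b"HELLO", "big")
M2 = (A_DEMO * M1 + B_DEMO) % N_DEMO
C1, C2 = pow(M1, E_DEMO, N_DEMO), pow(M2, E_DEMO, N_DEMO)

if __name__ == "__main__":
    print(franklin_reiter(C1, C2, A_DEMO, B_DEMO, E_DEMO, N_DEMO).to_bytes(5, "big"))
```

The gcd loop runs in time quadratic in e, which is why the attack is only a concern for small public exponents; the same code with e = 65537 would build and reduce polynomials of degree 65537.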

Coppersmith's short-pad attack: we can append random bits to the message, m' = 2^{n−k} m + r, where n is the bit length of the modulus, m occupies the top k bits and r is a random value in the low n − k bits, so the plaintext is now randomised. Suppose Bob sends the same message m to Alice twice, with different pads:
m_1 = 2^{n−k} m + r_1
m_2 = 2^{n−k} m + r_2

The attacker knows neither r_1 nor r_2, but sets y_0 = r_2 − r_1 (so m_2 = m_1 + y_0) and considers the equations
g_1(x, y) = x^e − c_1
g_2(x, y) = (x + y)^e − c_2,
which both vanish at (x, y) = (m_1, y_0) modulo N. The attacker eliminates x by forming the resultant h(y) = Res_x(g_1, g_2) of g_1 and g_2 with respect to x.

y_0 = r_2 − r_1 is a root of h(y) modulo N, and h has degree e^2. Since |y_0| < 2^{n−k}, it is a small root in the sense of Theorem 3 (with d = e^2) whenever the pad is shorter than n/e^2 bits, i.e. |y_0| < N^{1/e^2}; for e = 3 that is up to one ninth of the modulus length. Using Theorem 3 the attacker recovers y_0 and then recovers m_1 with the Franklin-Reiter attack applied to f(x) = x + y_0.

Extension to Wiener's attack
N = pq with q < p < 2q, p and q prime. ed = 1 (mod Φ) with Φ = φ(N) = (p − 1)(q − 1) = N + 1 − p − q, where the private exponent d is small, say d < N^δ. Wiener's attack (continued fractions of e/N) works when δ < 0.25, i.e. d < N^{1/4}.

Write the key equation as ed + (k/2)Φ = 1 for some integer k (Φ is even since p and q are odd). Set A = (N + 1)/2 and s = −(p + q)/2, so that Φ/2 = A + s and
ed + k(A + s) = 1, hence k(A + s) ≡ 1 (mod e).
The unknowns are small: |k| = 2(ed − 1)/Φ < 2d < 2N^δ, and |s| = (p + q)/2 < (3/2)√N because q < p < 2q. So (k, s) is a small root of the bivariate polynomial x(A + y) − 1 modulo e, and we can use Lemma 4 to solve the problem (the Boneh-Durfee attack).

This problem has a solution when δ ≤ 0.292, so the attack works when d < N^{0.292}, improving on Wiener's N^{0.25}. Choosing a short private exponent to speed up decryption is therefore unsafe well beyond the range Wiener's attack covers.
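An added example, not from the slides, of the baseline that this section extends: Wiener's continued-fraction attack, which recovers d when d < N^{1/4}/3, plus a helper that turns the recovered key into the small root (k, s) of the bivariate equation k(A + s) ≡ 1 (mod e) above, so the quantities the Boneh-Durfee lattice has to find can be inspected. The Boneh-Durfee lattice itself is not implemented. The primes, the short private exponent and the resulting e are constructed for the demo and are assumptions.

```python
from math import gcd, isqrt

# Added example (not from the slides): Wiener's continued-fraction attack, the
# d < N^(1/4) baseline, plus the (k, s) root of the Boneh-Durfee equation.

def convergents(num, den):
    """Yield the convergents h/k of the continued fraction of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        q, r = divmod(num, den)
        h0, h1 = h1, q * h1 + h0
        k0, k1 = k1, q * k1 + k0
        yield h1, k1
        num, den = den, r

def wiener(e, N):
    """Recover d from the public key when d < N^(1/4)/3 and q < p < 2q.
    Each convergent k/d of e/N is tested: k | ed - 1 gives a candidate phi,
    and phi is right iff x^2 - (N - phi + 1)x + N has integer roots p, q."""
    for k, d in convergents(e, N):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = N - phi + 1                     # = p + q if phi is correct
        disc = s * s - 4 * N                # = (p - q)^2
        if disc >= 0 and isqrt(disc) ** 2 == disc:
            return d
    return None

def boneh_durfee_root(e, d, p, q):
    """The small root (k, s) of x(A + y) - 1 = 0 (mod e) from the slides:
    ed + (k/2) phi = 1 with A = (N + 1)/2 and s = -(p + q)/2."""
    N, phi = p * q, (p - 1) * (q - 1)
    k = 2 * (1 - e * d) // phi              # exact, since ed = 1 (mod phi)
    A, s = (N + 1) // 2, -(p + q) // 2
    assert (k * (A + s) - 1) % e == 0
    return k, s

# Constructed key (assumption): two close 32-bit primes (q < p < 2q) and a
# deliberately short private exponent, the "fast decryption" mistake both
# attacks target; e is whatever inverse that d forces.
P, Q = 4294967291, 4294967279
N = P * Q
PHI = (P - 1) * (Q - 1)
D = next(x for x in range(12345, 20000) if gcd(x, PHI) == 1)
E = pow(D, -1, PHI)

if __name__ == "__main__":
    print(wiener(E, N) == D, boneh_durfee_root(E, D, P, Q))
```

Here d is about N^{0.21}, inside Wiener's range. For a d between N^{0.25} and N^{0.292} the loop above finds nothing, because k/d is no longer a convergent of e/N, while the lattice built from x(A + y) − 1 via Lemma 4 still recovers (k, s) and hence Φ and d.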