Toward a Rigorous Variation of Coppersmith s Algorithm on Three Variables

Transcription

1 Toward a Rigorous Variation of Coppersmith s Algorithm on Three Variables Aurélie Bauer 1 Antoine Joux 1,2 1 University of Versailles Saint-Quentin-en-Yvelines PRISM Laboratory, France 2 DGA 23rd May 2007

2 Finding roots of polynomial equations over Z p 1 irreducible over Z[x 1,..., x n ] p 1 (x 0,1,..., x 0,n ) = 0 x 0,1 < X 1,..., x 0,n < X n Goal: To recover (x 0,1,..., x 0,n ) When n = 2: Coppersmith s exact method + Variants When n > 2: Heuristic methods only An integer lattice L (discrete subgroup of Z n ) L = Zb 1 Zb r LLL Algorithm (1982) Invariant: det L (b 1,..., b r ) (c 1,..., c r ) GSO : (c 1,..., c r )

3 Coppersmith s method on two variables Example: p 1 (x, y) = a + bx + cy x 0 < X, y 0 < Y Goal: To construct p 2 (x, y) such that { p2 (x 0, y 0 ) = 0 p 2 (p 1 ) y 2 M 1 0 S 1 2 Figure: S = {1, x, y} and M = {1, x, y, x 2, xy, y 2 } x Algebraic independence between p 1 and p 2 If p 2 has monomials in M p 2 (p 1 ) p 2 linear combination of p 1, xp 1, yp 1

4 Coppersmith s method on two variables L 1 lattice generated by the rows of M 1 M 1 = X. 1 Y 1 X XY 0 1 Y 2 p 1 xp 1 yp 1 a 0 0 b a 0 c 0 a 0 b 0 0 c b 0 0 c 1 x y x 2 xy y 2 r 0 = (1, x 0, y 0, x 2 0, x 0y 0, y 2 0 ) s 0 = r 0 M 1 L 1 s 0 short vector L 1 { s0 = (1, x 0 X, y 0 Y, ( x 0 X ) 2, x 0y 0 XY, ( y 0 Y ) 2, 0, 0, 0) s 0 2 6

5 Coppersmith s method on two variables Row ( operations on ) M 1 A1 Id N 1 = A 2 0 }L 1 Every vector u L 1 such that u {V p1, V xp1, V yp1 } Vector s 0 L 1 = (b 1,..., b r ) If s 0 2 < b r 2 then { (s0 b r ) = 0 p 2 (x 0, y 0 ) = 0 Algebraic independence between p 1 and p 2 } Otherwise p 2 (p 1 ) V p2 linear combination of V p1, V xp1, V yp1 IMPOSSIBLE

6 Problem with three variables p 1 (x 0, y 0, z 0 ) = 0 x 0 < X, y 0 < Y, z 0 < Z Coppersmith s method With x, y, z and (b r 1, b r ) Try to create (p 2, p 3 ) p 2 (x 0, y 0, z 0 ) = 0 p 3 (x 0, y 0, z 0 ) = 0 PROBLEM: heuristic method p 2 independent from p 1 and p 3 independent from p 1 BUT (p 1, p 2, p 3 ) not necessarily independent

7 How to ensure the independence Notion of independence p 1, p 2, p 3 algebraically independent if P(p 1, p 2, p 3 ) = 0 P = 0 Previous construction (p 1 ) is prime p 2 (p 1 ) If I = (p 1, p 2 ) prime and p 3 I INDEPENDENCE If I not prime replace it by another prime ideal I (primary decomposition of ideals, radical)

8 Translate in term of linear independence Need relation Algebraic indep. Linear indep. Given (p 1, p 2 ) want to find {r 1,..., r t } such that { p3 (p 1, p 2 ) and p 3 M } { p3 = t i=1 λ ir i with λ i Z } Use Gröbner bases for the construction If p 3 not a linear combination of the r i s (p 1, p 2, p 3 ) independent

9 Generalized Coppersmith s method Lattice L I : Rows of M I 0 M I = X f Y g Z h {z } (f,g,h) M... r 0 = (1, x 0, y 0, z 0,..., (x f 0 yg 0 zh 0 )) r 1,...,r t z } { 1 C A t 0 = (1, x 0 X, y 0 Y,..., 0,..., 0) {z } t t 0 L I = (c 1,..., c r ) If u L I u {V r1,..., V rt } If t 0 2 < c r 2 then { (t 0 c r ) = 0 p 3 (x 0, y 0, z 0 ) = 0 p 3 not a combination of the r i s (p 1, p 2, p 3 ) independent

10 Computing the bounds X,Y and Z In general Conditions hard to determine Difficulty to predict the determinant of a sublattice However For a particular shape of {r 1,..., r t } Known conditions on X, Y, Z Rigorous success

11 Application to a partial key exposure attack on RSA Partial Key Exposure Attacks on RSA Up to Full Size Exponents. Eurocrypt 2005 M. Ernst, E. Jochemsz, A. May and B. de Weger RSA modulus N = pq (e, d) : ed = 1 + k(n (p + q 1)) Part of d known d d N β d 0 = d d N δ Need to find roots in a polynomial equation p 1 (x, y, z) = ex yn + yz + R with R = e d 1 Root (x 0, y 0, z 0 ) = (d 0, k, p + q 1) Conditions: X = N δ, Y = N β and Z = 3 N.

12 Comparison between two possible attacks Heuristic attack Direct construction of a lattice Two short vectors (p 2, p 3 ) Our attack Using p 2 and our construction Obtain a new polynomial p 3

13 Experiments: Easy Case y N = 256 bits [As in Ernst et al.] 2 β = 0.35 d 90 bits x 2 M S z Size of d 0 Heuristic A. Our A. δ Bits % Indep. % Indep

14 Experiments: Harder Case y N = 256 bits [As in Ernst et al.] 3 β = 0.3 d 77 bits M S x 3 p1 z Size of d 0 Heuristic A. Our A. δ Bits % Indep. % Indep. Pb

15 Analysis of a bad case p 1 = x + ((z )y ) (x 0 = 233, y 0 = 482, z 0 = ) (X = 496, Y = 18080, Z = ) Gröbner basis of I = (p 1, p 2 ) gives: { q1 = xz /12x /6z /12 q 2 = y 12/197x 92158/197 As q 2 (x 0, y 0, z 0 ) = 0 then x 0 36 mod 197 We can recover x 0 after 2 tests: 36,233 Two polynomials sufficient to recover the root

16 Conclusion-Discussion Toward a rigorous variation of Coppersmith s algorithm No more problems of independence Possible generalization for more variables Future work: In theory: Conditions on X, Y, Z for the 2 nd phase More experiments on different shapes, parameters,...