Lattices and RSA Cryptosystem. Diploma Thesis. Mol Petros. July 17, 2006. Supervisor: Stathis Zachos




s and s and Diploma Thesis Department of Electrical and Computer Engineering, National Technical University of Athens July 17, 2006 Supervisor: Stathis Zachos ol Petros (Department of Electrical and Computer sengineering, and National Technical University of Athens) July 17, 2006 1 / 49

Outline
1.
2. … and Properties
3.
4. Attacks on RSA: Low Public Exponent; Factoring; Low Private Exponent
5.

What is a lattice?
Informally: an infinite regular arrangement of points in space.

Where are lattices used?
In the late 18th and 19th centuries, mathematicians such as Lagrange, Gauss and Hermite used lattices in algebraic number theory. In the 19th century, important results due to Minkowski motivated the use of lattice theory in the theory and geometry of numbers. More recently, lattices have become a topic of active research in Computer Science.
In Cryptology... Lattices have found applications both in Cryptography, where hard lattice problems are used to design secure cryptosystems (GGH, NTRU and more), and in Cryptanalysis, where lattices are used to break cryptosystems (Merkle-Hellman, GGH, attacks against RSA).

Some Motivating Questions
➀ RSA is based on the hardness of inverting the function $f(x) = x^e \bmod N$. However, if $x < N^{1/e}$ the inversion is trivial. What if someone encrypts $x + s$ instead of $x$, where $s$ is known? Can one still recover $x$ provided that $x < N^{1/e}$?
➁ The problem of factoring $N = pq$ is considered to be hard in general. If we know some of the bits of $p$ (or $q$), can we do anything to recover the full factorization of $N$?
And an Answer
Lattices give answers to the above (and many other) questions in Cryptology.

Presentation Overview (figure)


Formal Definition
Let $B = \{b_1, b_2, \dots, b_n\}$ be a set of linearly independent vectors in $\mathbb{R}^n$. The lattice generated by $B$ is the set
$L(B) = \{\sum_{i=1}^{n} x_i b_i : x_i \in \mathbb{Z}\}$.
$L(B)$ is a discrete additive subgroup of $\mathbb{R}^n$.
Basis
The set $B$ is called a basis, and we can compactly represent it as an $n \times n$ matrix each column of which is a basis vector: $B = [b_1, b_2, \dots, b_n]$. Obviously $b_i \in L$ for each $i = 1, 2, \dots, n$.

Example
Consider the following two different bases:
$B = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}$ and $B' = \begin{bmatrix} 1 & 2 \\ 1 & 1 \end{bmatrix}$.
The above bases are equivalent, that is, they produce the same lattice.
Figure: Another basis of $\mathbb{Z}^2$

Unimodular Matrix
A matrix $U \in \mathbb{Z}^{n \times n}$ is called unimodular if $\det U = \pm 1$.
Theorem (Bases Equivalence)
Two bases $B_1, B_2 \in \mathbb{R}^{n \times n}$ are equivalent if and only if $B_2 = B_1 U$ for some unimodular matrix $U$.
Elementary Column Operations
Each of the following elementary column operations on a basis $B$ can be represented as a multiplication $B U$ where $U$ is a unimodular matrix, and vice versa.
1. $b_i \leftarrow b_i + k b_j$ for some $k \in \mathbb{Z}$, $j \ne i$
2. $b_i \leftrightarrow b_j$
3. $b_i \leftarrow -b_i$
Two bases $B_1, B_2$ are equivalent iff we can produce $B_2$ by applying the above elementary column operations to $B_1$, and vice versa.

Determinant
The determinant of a lattice $L$ with basis $B$ is defined as $\det(L) = |\det(B)|$.
Theorem
The determinant of a lattice is independent of the choice of basis $b_1, b_2, \dots, b_n \in \mathbb{R}^n$.
Shortest Vector
Let $\|\cdot\|$ be an arbitrary norm. The shortest vector of the lattice is defined as a non-zero vector $u \in L$ whose norm is minimal; $\lambda_1(L)$ denotes this minimal norm. The problem of finding such a $u$ is known as the Shortest Vector Problem (SVP) and is hard in general.


Example
Consider the lattices produced by the following bases:
$B_1 = \begin{bmatrix} 3 & 2 \\ 13 & 9 \end{bmatrix}$ and $B_2 = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}$.
The above bases are equivalent ($\det B_1 = 27 - 26 = 1$, so $B_1$ is unimodular). But the second one seems simpler. This leads to the need for reduction.
Example (Reduction in Vector Space)
Figure: Gram-Schmidt Orthogonalization

Does it work for lattices?
NO. Let $B = \begin{bmatrix} 2 & 1 \\ 0 & 1 \end{bmatrix}$. Then its Gram-Schmidt orthogonalization is $B^* = \begin{bmatrix} 2 & 0 \\ 0 & 1 \end{bmatrix}$. But $B^*$ is not a basis for the lattice $L(B)$. For example, $B^*$ cannot produce $b_2 = \begin{bmatrix} 1 \\ 1 \end{bmatrix}$.
A new notion of reduction
In 1982, A. K. Lenstra, H. W. Lenstra and L. Lovász presented a new notion of reduction and a polynomial time reduction algorithm, which is called the LLL algorithm.
1. It does not guarantee to find the shortest lattice vector.
2. It guarantees to find, in polynomial time, a vector within a (proven) factor of the shortest vector.
3. In practice the LLL algorithm often performs much better than the theoretical bound.

Example
Figure: A Bad Basis
Figure: A Good Basis

Theorem
On input $B = [b_1, b_2, \dots, b_n]$, the LLL algorithm returns in polynomial time an equivalent reduced basis $B' = [b'_1, b'_2, \dots, b'_n]$ the vectors of which satisfy:
$\|b'_1\| \le 2^{(n-1)/2} \lambda_1(L)$ (LLL1)
$\|b'_1\| \le 2^{(n-1)/4} \det(L)^{1/n}$ (LLL2)
LLL execution entails only elementary column operations.


Problem
Given: a large integer $N$ of unknown factorization, a polynomial $f \in \mathbb{Z}[x]$ of degree $d$ and a modular equation
$f(x) = a_d x^d + a_{d-1} x^{d-1} + \dots + a_1 x + a_0 \equiv 0 \pmod N$.
Goal: find $x_0 \in \mathbb{Z}$ such that $f(x_0) \equiv 0 \pmod N$.
Current Knowledge
No efficient algorithm is known for the general case. However, small roots can be found efficiently using LLL (Coppersmith, 1996 [Cop96b]).

Notation
$f(x) := \sum_i a_i x^i$: polynomial with coefficients $a_i \in \mathbb{Z}$.
Vector representation of polynomials: if $p(x) = 3x^3 + 2x + 20$ then $p = (20, 2, 0, 3)$ is the corresponding vector.
Euclidean norm of a polynomial $f$: $\|f\|^2 := \sum_i a_i^2$.
Definition (Root container polynomial)
A polynomial $h$ is a root container of a polynomial $f$ if each root of $f$ is also a root of $h$. When the roots are considered modulo $N$, we say that $h$ is a root container of $f$ modulo $N$.

Looking inside the problem
How can we recover the small modular roots of $f(x)$? By transforming the modular equation to an equation over the integers.
How small are the roots we can extract? We would like to be able to efficiently find all roots $x_0$ with $|x_0| < X$ for a bound $X$ to be maximized.
Basic Idea
Find a polynomial $h(x) \in \mathbb{Z}[x]$ such that $h(x_0) \equiv f(x_0) \equiv 0 \pmod N$ and $\|h\|^2 = \sum_{i=0}^{\deg(h)} h_i^2$ is small.
We still need...
1. A lemma that gives the conditions under which a modular equation can be transformed to an integer one.
2. An inequality that determines the bound $X$.

Lemma (Howgrave-Graham)
Let $h(x) \in \mathbb{Z}[x]$ be a univariate polynomial with at most $\omega$ monomials. Suppose in addition that $h$ satisfies the following two conditions:
1. $h(x_0) \equiv 0 \pmod N$ where $|x_0| < X$, and
2. $\|h(xX)\| < N / \sqrt{\omega}$.
Then $h(x_0) = 0$ holds over the integers.
Maximizing the bound $X$
Applying the second condition of the lemma to $f$ itself may lead to small bounds. We can push $X$ to larger values by replacing $f$ with a root container polynomial $h$ and then demanding $\|h(xX)\| < N / \sqrt{\omega}$.

Early Constructions
Set of root container polynomials $Z_1 = \{g_0(x) = N,\ g_1(x) = Nx,\ \dots,\ g_{d-1}(x) = Nx^{d-1},\ g_d(x) = f(x)\}$.
Consider the lattice $L_1$ with the $(d+1) \times (d+1)$ basis (the columns are the coefficient vectors of the $g_i(xX)$):
$B_1 = \begin{bmatrix} N & 0 & \cdots & 0 & f_0 \\ 0 & XN & \cdots & 0 & X f_1 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & X^{d-1} N & X^{d-1} f_{d-1} \\ 0 & 0 & \cdots & 0 & X^d f_d \end{bmatrix}$
Each point of $L_1$ corresponds to the coefficient vector of a polynomial $h(xX) = \sum_{i=0}^{d} c_i g_i(xX)$, and $f(x_0) \equiv 0 \pmod N \Rightarrow h(x_0) \equiv 0 \pmod N$.

Bounding $X$
Applying LLL to $B_1$ we get an equivalent (reduced) basis $B'_1 = [b'_1, b'_2, \dots, b'_n]$ where $b'_1$ is the coefficient vector of a polynomial $h(xX)$ such that
$\|b'_1\| = \|h(xX)\| \le 2^{d/4} \det(L_1)^{1/(d+1)}$.
The second condition of the Howgrave-Graham lemma is satisfied if
$2^{d/4} \det(L_1)^{1/(d+1)} < \frac{N}{\sqrt{d+1}} \Leftarrow X \le k(d)\, N^{2/(d(d+1))}$,
where $k(d)$ is a small enough constant that depends only on $d$.
Summarizing: if we use $Z_1$ to construct the lattice, we can find all roots $x_0$ with $f(x_0) \equiv 0 \pmod N$ and $|x_0| < k(d)\, N^{2/(d(d+1))}$.

Can we do any better?
YES (Coppersmith).
1. $Z_2 = \{N, Nx, Nx^2, \dots, Nx^{d-1}\} \cup \{f(x), xf(x), \dots, x^{d-1} f(x)\}$: $X \le l(d)\, N^{1/(2d-1)}$.
2. $Z_h = \{N^{h-1-j} f(x)^j x^i : 0 \le i < d,\ 0 \le j < h\}$. Take linear integer combinations (LIC) of the above set modulo $N^{h-1}$ instead of modulo $N$. Bound achieved: $X = N^{1/d}$.
Theorem (Coppersmith, univariate modular case)
Let $f(x)$ be a monic polynomial of degree $d$ and let $N$ be an integer of unknown factorization. If there exists an $x_0$ with $f(x_0) \equiv 0 \pmod N$ and $|x_0| < N^{1/d}$, then one can find $x_0$ in time polynomial in $(\log N, d)$.

Method Overview
Step 1: Given $f(x)$, construct an appropriate basis $B$ which produces a lattice $L$ whose points correspond to polynomials that are root containers of $f$.
Step 2: Run LLL on $B$ to obtain an equivalent basis $B'$ with a small first basis vector $b'_1$.
Step 3: Consider the polynomial $h(x)$ that corresponds to $b'_1$ and solve the equation $h(x) = 0$ over the integers.
Step 4: Test the roots obtained in step 3 and accept only those that satisfy $f(x_0) \equiv 0 \pmod N$.
The preceding analysis guarantees that all the modular roots of $f(x)$ with $|x_0| < N^{1/d}$ will be found.


Case $f(\vec{x}) = f(x_1, x_2, \dots, x_k) \in \mathbb{Z}[x_1, \dots, x_k]$
$f(\vec{x}) = f(x_1, x_2, \dots, x_k) = \sum_{i_1, \dots, i_k} a_{i_1, \dots, i_k}\, x_1^{i_1} \cdots x_k^{i_k} \equiv 0 \pmod N$.
Idea: directly extend the previous approach.
Problem
Goal: find the maximum bounds $X_1, X_2, \dots, X_k$ which make possible the transformation of the modular equation to an equation over the integers.
Difference: since we have $k$ unknown variables, we now need $k$ polynomials $h_1, \dots, h_k$ with sufficiently small coefficients which contain all the small roots of $f$.


The problem
Given: a bivariate polynomial $p(x, y) = \sum_{i,j} p_{i,j} x^i y^j$ with integer coefficients.
Goal: find all integer pairs $(x_0, y_0)$ such that $p(x_0, y_0) = 0$.
In general, there is no efficient algorithm for this. However, one can efficiently find small root pairs (Coppersmith [Cop96a]).
Theorem (Coppersmith, bivariate integer case)
Let $p(x, y) \in \mathbb{Z}[x, y]$ be irreducible with maximum degree $\delta$ in $x$ and $y$ separately. Let $X, Y$ be upper bounds on the desired integer solution $(x_0, y_0)$, and let $W = \max_{i,j} |p_{i,j}| X^i Y^j$. Then, if $XY < W^{2/(3\delta)}$, one can find all integer pairs $(x_0, y_0)$ such that $p(x_0, y_0) = 0$, $|x_0| \le X$ and $|y_0| \le Y$ in time polynomial in $\log W$ and $2^\delta$.

Current Knowledge
Problem | Status | Bound | Simplification
$f(x) \equiv 0 \pmod N$ | Proven [Cop96b] | $N^{1/d}$ | [HG97]
$f(\vec{x}) \equiv 0 \pmod N$ | Heuristic [Cop96b] | | [HG97]
$f(x, y) = 0$ | Proven [Cop96a] | $XY < W^{2/(3\delta)}$ | [Cor04]


RSA: Choosing Parameters
1. Generate two large, random, distinct and balanced primes $p$ and $q$.
2. Compute $N = pq$ and $\varphi(N) = (p-1)(q-1)$.
3. Select a random integer $e$, $1 < e < \varphi(N)$, such that $\gcd(e, \varphi(N)) = 1$.
4. Compute the unique integer $d$, $1 < d < \varphi(N)$, such that $ed \equiv 1 \pmod{\varphi(N)}$.
5. Public key: $(N, e)$; private key: $d$.
Encryption/Decryption Processes
Encryption: 1. Represent the message as an integer $m$ in the interval $[0, N-1]$. 2. Compute and send $c = m^e \bmod N$.
Decryption: 1. Use the private key $d$ to recover $m = c^d \bmod N$.


Overview
Since its initial publication in 1977, RSA has been extensively analyzed for vulnerabilities by many researchers. None of the attacks has proven devastating; they mostly illustrate the danger of improper choices of the parameters. Lattice theory and the invention of LLL have motivated a number of lattice attacks. Still, in its general setting, RSA remains unbroken. The attacks described below take advantage of insecure choices of $e$ or $d$, or use partial information about $p$ or $d$, to recover the message or factor $N$; they do not expose any inherent flaw of RSA itself.

A Typical Communication Scenario (figure)


Motivation for using a small $e$
Simplify/speed up the encryption process. Typical values: $e = 3$ or $e = 2^{16} + 1$.
A trivial attack
For simplicity, let $e = 3$. If we know that $m < N^{1/3}$, then inverting $c = m^3 \bmod N$ is trivial (no modular reduction took place, so $m$ is the integer cube root of $c$). If the message is $m = B + x$ where $B$ is known, we can apply Coppersmith's theorem to the polynomial $f(x) = (B + x)^3 - c$ and find $x$ (hence $m$) provided that $|x| < N^{1/3}$.
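Steps 1 to 4 of the Method Overview, carried out on the small-$e$ scenario of this slide, as an added example (my code, not the thesis author's): $f(x) = (B + x)^3 - c$ with a known prefix $B$, the $Z_2$ lattice ($h = 2$), a textbook LLL over exact rationals, and the final root check. The primes $p = 10^9+7$, $q = 10^9+9$, the prefix $B$, the secret $x_0 = 777$ and the bound $X = 1000$ are constructed toy values; `z2_bound` evaluates the slides' $Z_2$ bound $l(d)\,N^{1/(2d-1)}$ so the choice of $X$ can be checked against it.

```python
# Added example (not from the thesis): Coppersmith's method for
# f(x) = (B + x)^3 - c (mod N) with e = 3, using the slides' Z_2 lattice
# and a textbook LLL over exact rationals. All parameters are constructed.
from fractions import Fraction
from math import sqrt


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _gram_schmidt(b):
    """Exact Gram-Schmidt of the row vectors in b: returns (b*, mu)."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = _dot(b[i], bstar[j]) / _dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors (exact, slow, fine for small n).
    With delta = 3/4 the output satisfies (LLL2): ||b1|| <= 2^((n-1)/4) det(L)^(1/n)."""
    b = [list(v) for v in basis]
    n = len(b)
    bstar, mu = _gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size-reduce b_k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = _gram_schmidt(b)
        lovasz = (delta - mu[k][k - 1] ** 2) * _dot(bstar[k - 1], bstar[k - 1])
        if _dot(bstar[k], bstar[k]) >= lovasz:
            k += 1
        else:                                     # Lovasz fails: swap, step back
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = _gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def poly_mul(a, b):
    r = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[i + j] += ai * bj
    return r


def poly_eval(p, x):
    r = 0
    for c in reversed(p):                         # Horner over exact integers
        r = r * x + c
    return r


def coppersmith_small_roots(f, N, X, h=2):
    """Steps 1-4 of the method: f is a monic coefficient list (f[i] ~ x^i).
    Lattice rows are the coefficient vectors of g(xX) for
    g in Z_h = {N^(h-1-j) f(x)^j x^i : 0 <= i < d, 0 <= j < h}; h = 2 is Z_2."""
    d = len(f) - 1
    n = h * d
    rows, fpow = [], [1]
    for j in range(h):
        for i in range(d):
            g = [0] * i + [c * N ** (h - 1 - j) for c in fpow]
            g += [0] * (n - len(g))
            rows.append([c * X ** k for k, c in enumerate(g)])
        fpow = poly_mul(fpow, f)
    b1 = lll(rows)[0]                             # Step 2: short reduced vector
    hx = [c // X ** k for k, c in enumerate(b1)]  # undo the xX scaling (exact)
    # Steps 3-4: integer roots of h inside the bound, kept only if f(x) = 0 mod N.
    # X is tiny here, so an exhaustive integer check stands in for a real-root solver.
    return [x for x in range(-X, X + 1)
            if poly_eval(hx, x) == 0 and poly_eval(f, x) % N == 0]


def z2_bound(N, d):
    """Largest X allowed by LLL2 + Howgrave-Graham for Z_2 (float sanity check):
    l(d) * N^(1/(2d-1)) with l(d) = 1 / (sqrt(2) * (2d)^(1/(2d-1)))."""
    return N ** (1 / (2 * d - 1)) / (sqrt(2) * (2 * d) ** (1 / (2 * d - 1)))


# Constructed toy instance: two known primes, known prefix B, small unknown x0.
P, Q = 1000000007, 1000000009
N = P * Q
B = 123456789012345678                            # known part of m = B + x0
X0 = 777                                          # secret small part
C = pow(B + X0, 3, N)                             # c = m^3 mod N
X = 1000                                          # search bound, below z2_bound(N, 3)
F = [(B ** 3 - C) % N, (3 * B * B) % N, (3 * B) % N, 1]   # (B + x)^3 - c, monic


def demo():
    return coppersmith_small_roots(F, N, X)
```

`demo()` returns the recovered candidates for $x_0$ (here `[777]`), and `lll([[3, 13], [2, 9]])` reduces the slides' basis $B_1$ to unit vectors, showing that the two bases do generate $\mathbb{Z}^2$.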

Alternative Scenario
The same message $m$ is encrypted with $e = 3$ under three different moduli $N_1, N_2, N_3$, giving $c_i = m^3 \bmod N_i$. Using the CRT, Eva can find the unique integer $m^3 < N_1 N_2 N_3$ such that $m^3 \equiv c_i \pmod{N_i}$ for $i = 1, 2, 3$, and then obtain $m$ as its integer cube root.

Avoiding the attack
Apply user-specific padding to $m$ before sending. For instance, $c_i = (i \cdot 2^h + m)^3 \bmod N_i$. We can still break this system using Hastad's attack.
Theorem (Hastad)
Let $N_1, N_2, \dots, N_k$ be pairwise relatively prime and $N_{\min} = \min_i N_i$. Let $g_i \in \mathbb{Z}_{N_i}[x]$ be $k$ polynomials of maximum degree $d$. Suppose that there exists a unique $m < N_{\min}$ such that $g_i(m) \equiv c_i \pmod{N_i}$ for all $i = 1, 2, \dots, k$. Then, if $k > d$, one can efficiently find $m$ given $(N_i, g_i, c_i)_{i=1}^{k}$.

Proof Sketch
Define $g_i(x) = (i \cdot 2^h + x)^e - c_i$ for $1 \le i \le k$; then $g_i(m) \equiv 0 \pmod{N_i}$.
Set $N = N_1 N_2 \cdots N_k$. Using the CRT we can find $T_i$ such that $g(x) = \sum_{i=1}^{k} T_i\, g_i(x) \pmod N$ satisfies $g(m) \equiv 0 \pmod N$.
Using Coppersmith's theorem, we can recover $m$ in polynomial time.


The challenge
Information: some bits of $p$ or $q$. Goal: recover all of $p$ (factor $N$).
Result: knowledge of half of the bits of $p$ suffices to factor $N$, provided that $p, q$ are of the same bitsize.
Proof Sketch
Let $n$ be the bitsize of $N$. Write $p = p_1 2^{n/4} + p_0$ and $q = q_1 2^{n/4} + q_0$ where $p_i, q_i < 2^{n/4}$. Define
$f(x, y) = \frac{1}{2^{n/4}} \left( (x 2^{n/4} + p_0)(y 2^{n/4} + q_0) - N \right) = xy\, 2^{n/4} + q_0 x + p_0 y + \frac{1}{2^{n/4}} (p_0 q_0 - N)$.
Given the $n/4$ LSBs of $p$, we know $p_0$ and thus $q_0$, since $p_0 q_0 \equiv N \pmod{2^{n/4}}$. $f(x, y) \in \mathbb{Z}[x, y]$ has degree $d = 1$ in $x$ and $y$, and $f(p_1, q_1) = 0$. Letting $X = Y = N^{1/4 - \epsilon}$, then $p_1 < X$, $q_1 < Y$. In addition, $W = \max_{i,j} |f_{i,j}| X^i Y^j \approx N^{3/4}$. Thus $XY = N^{1/2 - 2\epsilon} < (N^{3/4})^{2/3} = W^{2/(3d)}$. We can then apply Coppersmith's theorem for the bivariate case and recover $p_1, q_1$.


Reducing the attack to a modular equation
Assume that $\gcd(p-1, q-1) = 2$. Then the key equation can be written as $ed + k\,\frac{\varphi(N)}{2} = 1$ for some $k \in \mathbb{Z}$, i.e.
$ed + k\left(\frac{N+1}{2} - \frac{p+q}{2}\right) = 1$.
Set $s = -\frac{p+q}{2}$ and $A = \frac{N+1}{2}$. Assume that $d = N^\delta$ and $e \approx N$. Define the polynomial
$f(k, s) = k(A + s) - 1 \equiv 0 \pmod e$,
with $|s| < 2N^{0.5}$ and $|k| < \frac{2de}{\varphi(N)} \le \frac{3de}{N} \approx e^\delta$.

Solving the equation
We use the heuristic technique to solve the bivariate modular equation. Boneh and Durfee [BD99] proved that the attack works as soon as $\delta < 0.292$. The bound $d < N^{0.292}$ is the best known bound for the private exponent.

Overview
Category | Ref | Result | Comment
Low public exponent attacks | [Has88] | recover $m$ | small $e$, multiple messages
Factoring attacks | [Cop96a] | half of the bits of $p$ | $p, q$ balanced
Low private exponent attacks | [BD99] | $d < N^{0.292}$ | heuristic

Review
We presented the basics of lattice theory and the LLL algorithm, which motivated several applications of lattices in CS. We showed how LLL can be used to find small solutions to polynomial equations. We demonstrated how one can mount real-time attacks against RSA utilizing the polynomial running time of LLL.
Looking to the future
➀ Find conditions on the bounds $X_i$ under which the method for solving multivariate modular equations becomes provable.
➁ More effective attacks. For example, increase the low private exponent bound to $N^{0.5}$.
➂ Unify the approaches for modular and integer equations. For instance, in 2005, Blömer and May [BM05] showed that solving univariate modular equations can be reduced to solving bivariate integer equations.

References
[BD99] Dan Boneh and Glenn Durfee. Cryptanalysis of RSA with Private Key d Less than N^0.292. In EUROCRYPT 1999, pages 1–11.
[BM05] Johannes Blömer and Alexander May. A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 251–267. Springer, 2005.
[Cop96a] Don Coppersmith. Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In EUROCRYPT 1996, pages 178–189.
[Cop96b] Don Coppersmith. Finding a Small Root of a Univariate Modular Equation. In EUROCRYPT 1996, pages 155–165.
[Cor04] Jean-Sébastien Coron. Finding Small Roots of Bivariate Integer Polynomial Equations Revisited. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 492–505. Springer, 2004.
[Has88] Johan Hastad. Solving simultaneous modular equations of low degree. SIAM Journal on Computing, 17:336–341, 1988. URL: http://www.nada.kth.se/~johanh/papers.html
[HG97] Nick Howgrave-Graham. Finding Small Roots of Univariate Modular Equations Revisited. In Michael Darnell, editor, IMA Int. Conf. on Cryptography and Coding 1997, volume 1355 of Lecture Notes in Computer Science, pages 131–142. Springer, 1997.
[LLL82] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:515–534, 1982.