finding small solutions to low degree polynomials and … · 2019-06-17 · finding small...
TRANSCRIPT
![Page 1: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/1.jpg)
Finding Small Solutions to Low Degree Polynomials andApplications
Aleksei Udovenko
SnT, University of Luxembourg
Seminar on Lattices in CryptographyJune 7, 2019
![Page 2: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/2.jpg)
Finding Small Solutions Applications to RSA Conclusion
Plan
Finding Small Solutions
Applications to RSA
Conclusion
0 / 25
![Page 3: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/3.jpg)
Finding Small Solutions Applications to RSA Conclusion
Goal
TheoremLet N be an integer and f ∈ ZN [x ] monic, deg f = d .Then we can efficiently find all
x ∈ Z : |x | ≤ B and f (x) ≡ 0 (mod N)
for B = N1/d .
1 / 25
![Page 4: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/4.jpg)
Finding Small Solutions Applications to RSA Conclusion
Main Idea
Finding roots over ZN ?
Finding roots over Z is easy.
Let’s find g ∈ Z[x ], such that
f (x) ≡ 0 (mod N) ⇒ g(x) = 0.
2 / 25
![Page 5: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/5.jpg)
Finding Small Solutions Applications to RSA Conclusion
Main Idea
Finding roots over ZN ?
Finding roots over Z is easy.
Let’s find g ∈ Z[x ], such that
f (x) ≡ 0 (mod N) ⇒ g(x) = 0.
2 / 25
![Page 6: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/6.jpg)
Finding Small Solutions Applications to RSA Conclusion
Main Idea
Finding roots over ZN ?
Finding roots over Z is easy.
Let’s find g ∈ Z[x ], such that
f (x) ≡ 0 (mod N) ⇒ g(x) = 0.
2 / 25
![Page 7: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/7.jpg)
Finding Small Solutions Applications to RSA Conclusion
Main Idea
How? We want to prevent overflowing N:
Let x ∈ Z, |x | < B.
If |g(x)| < N, theng(x) ≡ 0 (mod N)⇒ g(x) = 0.
3 / 25
![Page 8: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/8.jpg)
Finding Small Solutions Applications to RSA Conclusion
Main Idea
How? We want to prevent overflowing N:
Let x ∈ Z, |x | < B.
If |g(x)| < N, theng(x) ≡ 0 (mod N)⇒ g(x) = 0.
Letg(x) = xd + ad−1x
d−1 + . . .+ a1x + a0 ∈ Z[x ].
3 / 25
![Page 9: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/9.jpg)
Finding Small Solutions Applications to RSA Conclusion
Main IdeaHow? We want to prevent overflowing N:
Let x ∈ Z, |x | < B.
If |g(x)| < N, theng(x) ≡ 0 (mod N)⇒ g(x) = 0.
Letg(x) = xd + ad−1x
d−1 + . . .+ a1x + a0 ∈ Z[x ].
We want for all i and for all x with |x | ≤ B :
|aix i | <N
d + 1⇐ |ai | <
1B i
N
d + 1.
3 / 25
![Page 10: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/10.jpg)
Finding Small Solutions Applications to RSA Conclusion
Main IdeaHow? We want to prevent overflowing N:
Let x ∈ Z, |x | < B.
If |g(x)| < N, theng(x) ≡ 0 (mod N)⇒ g(x) = 0.
Letg(x) = xd + ad−1x
d−1 + . . .+ a1x + a0 ∈ Z[x ].
We want for all i and for all x with |x | ≤ B :
|aix i | <N
d + 1⇐ |ai | <
1B i
N
d + 1.
3 / 25
![Page 11: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/11.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
Consider a (nonzero) multiple of f (x). It has same roots modulo N.
How to find a "good" multiple? Use LLL!
4 / 25Johan Håstad. 1988. Solving simultaneous modular equations of low degree.SIAM J. Comput. 17, 2 (April 1988), 336-341.
![Page 12: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/12.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
Consider a (nonzero) multiple of f (x). It has same roots modulo N.
How to find a "good" multiple? Use LLL!
4 / 25Johan Håstad. 1988. Solving simultaneous modular equations of low degree.SIAM J. Comput. 17, 2 (April 1988), 336-341.
![Page 13: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/13.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
Consider the lattice ℒ:⎛⎜⎜⎜⎜⎜⎜⎜⎝
N 0 · · · 0 a0
0 N. . . 0 a1
0 0. . . . . .
......
.... . . N ad−1
0 · · · · · · 0 1
⎞⎟⎟⎟⎟⎟⎟⎟⎠(d+1)×(d+1)
5 / 25
![Page 14: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/14.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
Consider the lattice ℒ:⎛⎜⎜⎜⎜⎜⎜⎜⎝
N 0 · · · 0 a0
0 N. . . 0 a1
0 0. . . . . .
......
.... . . N ad−1
0 · · · · · · 0 1
⎞⎟⎟⎟⎟⎟⎟⎟⎠(d+1)×(d+1)
The last column corresponds to f (x).The other columns correspondto reductions mod N (into
[︀−N
2 ;N2
]︀) .
5 / 25
![Page 15: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/15.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
Consider the lattice ℒ: a short vector v ∈ ℒ :⎛⎜⎜⎜⎜⎜⎜⎜⎝
N 0 · · · 0 a0
0 N. . . 0 a1
0 0. . . . . .
......
.... . . N ad−1
0 · · · · · · 0 1
⎞⎟⎟⎟⎟⎟⎟⎟⎠(d+1)×(d+1)
⎛⎜⎜⎜⎜⎜⎝ka0 mod Nka1 mod N
...kad−1 mod Nk mod N
⎞⎟⎟⎟⎟⎟⎠(d+1)x1
The last column corresponds to f (x).The other columns correspondto reductions mod N (into
[︀−N
2 ;N2
]︀) .
5 / 25
![Page 16: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/16.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
Consider the lattice ℒ: a short vector v ∈ ℒ :⎛⎜⎜⎜⎜⎜⎜⎜⎝
N 0 · · · 0 a0
0 BN. . . 0 Ba1
0 0. . . . . .
......
.... . . Bd−1N Bd−1ad−1
0 · · · · · · 0 Bd
⎞⎟⎟⎟⎟⎟⎟⎟⎠
⎛⎜⎜⎜⎜⎜⎝ka0 mod N
(ka1 mod N)B...
(kad−1 mod N)Bd−1
(k mod N)Bd
⎞⎟⎟⎟⎟⎟⎠Recall that we want B ia′i <
Nd+1 (a′i is a coefficient in new polynomial).
6 / 25
![Page 17: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/17.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
Consider the lattice ℒ: a short vector v ∈ ℒ :⎛⎜⎜⎜⎜⎜⎜⎜⎝
N 0 · · · 0 a0
0 BN. . . 0 Ba1
0 0. . . . . .
......
.... . . Bd−1N Bd−1ad−1
0 · · · · · · 0 Bd
⎞⎟⎟⎟⎟⎟⎟⎟⎠
⎛⎜⎜⎜⎜⎜⎝ka0 mod N
(ka1 mod N)B...
(kad−1 mod N)Bd−1
(k mod N)Bd
⎞⎟⎟⎟⎟⎟⎠Recall that we want B ia′i <
Nd+1 (a′i is a coefficient in new polynomial).
Scale coordinates! ⇒ minimize B ia′i = (kai mod N)B i .
6 / 25
![Page 18: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/18.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
Consider the lattice ℒ: a short vector v ∈ ℒ :⎛⎜⎜⎜⎜⎜⎜⎜⎝
N 0 · · · 0 a0
0 BN. . . 0 Ba1
0 0. . . . . .
......
.... . . Bd−1N Bd−1ad−1
0 · · · · · · 0 Bd
⎞⎟⎟⎟⎟⎟⎟⎟⎠
⎛⎜⎜⎜⎜⎜⎝ka0 mod N
(ka1 mod N)B...
(kad−1 mod N)Bd−1
(k mod N)Bd
⎞⎟⎟⎟⎟⎟⎠Upper-triangular structure:
det(ℒ) = N · BN · . . . · Bd−1N · Bd = NdBd(d+1)/2.
6 / 25
![Page 19: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/19.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
det(ℒ) = N · BN · . . . · Bd−1N · Bd = NdBd(d+1)/2.
LLL: v1 ∈ ℒ : ‖v1‖ ≤ 2d4 · det(ℒ)
1d+1 = 2
d4 · Nd/(d+1)Bd/2.
Require ‖v1‖ < Nd+1 :
2d4 · Nd/(d+1)Bd/2 <
N
d + 1⇔ B <
(︃N1/(d+1)
(d + 1) · 2d/4
)︃ 2d
⇔ B <N
2d(d+1)
√2(d + 1)2/d
= 𝒪(N2
d(d+1) ).
7 / 25
![Page 20: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/20.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
det(ℒ) = N · BN · . . . · Bd−1N · Bd = NdBd(d+1)/2.
LLL: v1 ∈ ℒ : ‖v1‖ ≤ 2d4 · det(ℒ)
1d+1 = 2
d4 · Nd/(d+1)Bd/2.
Require ‖v1‖ < Nd+1 :
2d4 · Nd/(d+1)Bd/2 <
N
d + 1⇔ B <
(︃N1/(d+1)
(d + 1) · 2d/4
)︃ 2d
⇔ B <N
2d(d+1)
√2(d + 1)2/d
= 𝒪(N2
d(d+1) ).
7 / 25
![Page 21: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/21.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
det(ℒ) = N · BN · . . . · Bd−1N · Bd = NdBd(d+1)/2.
LLL: v1 ∈ ℒ : ‖v1‖ ≤ 2d4 · det(ℒ)
1d+1 = 2
d4 · Nd/(d+1)Bd/2.
Require ‖v1‖ < Nd+1 :
2d4 · Nd/(d+1)Bd/2 <
N
d + 1⇔ B <
(︃N1/(d+1)
(d + 1) · 2d/4
)︃ 2d
⇔ B <N
2d(d+1)
√2(d + 1)2/d
= 𝒪(N2
d(d+1) ).
7 / 25
![Page 22: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/22.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 1: Constant Multiples
det(ℒ) = N · BN · . . . · Bd−1N · Bd = NdBd(d+1)/2.
LLL: v1 ∈ ℒ : ‖v1‖ ≤ 2d4 · det(ℒ)
1d+1 = 2
d4 · Nd/(d+1)Bd/2.
Require ‖v1‖ < Nd+1 :
2d4 · Nd/(d+1)Bd/2 <
N
d + 1⇔ B <
(︃N1/(d+1)
(d + 1) · 2d/4
)︃ 2d
⇔ B <N
2d(d+1)
√2(d + 1)2/d
= 𝒪(N2
d(d+1) ).
7 / 25
![Page 23: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/23.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
f (x) = 0 mod N ⇒ h(x)f (x) = 0 mod N,
for any h ∈ ZN [x ].
basis: x i f (x) for i ∈ {0, . . . , t}.
Let’s add x i f (x) to the lattice, for i ∈ {1, . . . , d − 1}.
Careful: increases degree!
8 / 25D. Coppersmith. 1997. Small solutions to polynomial equations, and low exponent RSA vulnerabilities.Journal of Cryptology, 10:233260, 1997.
![Page 24: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/24.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
f (x) = 0 mod N ⇒ h(x)f (x) = 0 mod N,
for any h ∈ ZN [x ].
basis: x i f (x) for i ∈ {0, . . . , t}.
Let’s add x i f (x) to the lattice, for i ∈ {1, . . . , d − 1}.
Careful: increases degree!
8 / 25D. Coppersmith. 1997. Small solutions to polynomial equations, and low exponent RSA vulnerabilities.Journal of Cryptology, 10:233260, 1997.
![Page 25: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/25.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
f (x) = 0 mod N ⇒ h(x)f (x) = 0 mod N,
for any h ∈ ZN [x ].
basis: x i f (x) for i ∈ {0, . . . , t}.
Let’s add x i f (x) to the lattice, for i ∈ {1, . . . , d − 1}.
Careful: increases degree!
8 / 25D. Coppersmith. 1997. Small solutions to polynomial equations, and low exponent RSA vulnerabilities.Journal of Cryptology, 10:233260, 1997.
![Page 26: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/26.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
f (x) = 0 mod N ⇒ h(x)f (x) = 0 mod N,
for any h ∈ ZN [x ].
basis: x i f (x) for i ∈ {0, . . . , t}.
Let’s add x i f (x) to the lattice, for i ∈ {1, . . . , d − 1}.
Careful: increases degree!
8 / 25D. Coppersmith. 1997. Small solutions to polynomial equations, and low exponent RSA vulnerabilities.Journal of Cryptology, 10:233260, 1997.
![Page 27: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/27.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
9 / 25
⎛⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝
x0 x1 · · · xd−1 f (x) x · f (x) · · · xd−1 · f (x)1 N 0 0 0 a0 0 . . . 0
x 0 BN. . .
...... Ba0
. . ....
x2... 0
. . . 0...
.... . . 0
......
.... . . Bd−1N Bd−1ad−1
...... Bd−1a0
xd−1...
.... . . 0 Bd Bdad−1
......
xd...
.... . . . . . . . . Bd+1 . . .
......
......
. . . . . . . . . . . . . . . B2d−2ad−1x2d−1 0 0 · · · · · · 0 0 0 B2d−1
⎞⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠
![Page 28: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/28.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
9 / 25
⎛⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝
x0 x1 · · · xd−1 f (x) x · f (x) · · · xd−1 · f (x)1 N 0 0 0 a0 0 . . . 0
x 0 BN. . .
...... Ba0
. . ....
x2... 0
. . . 0...
.... . . 0
......
.... . . Bd−1N Bd−1ad−1
...... Bd−1a0
xd−1...
.... . . 0 Bd Bdad−1
......
xd...
.... . . . . . . . . Bd+1 . . .
......
......
. . . . . . . . . . . . . . . B2d−2ad−1x2d−1 0 0 · · · · · · 0 0 0 B2d−1
⎞⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠
det(ℒ) = N · BN · . . . · Bd−1N · Bd · Bd+1 · . . . · B2d−1 = NdBd(2d−1).
![Page 29: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/29.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
det(ℒ) = NdBd(2d−1).
LLL: v1 ∈ ℒ : ‖v1‖ ≤ 22d−1
4 · det(ℒ)12d = 2
2d−14 · N1/2B(2d−1)/2.
Require ‖v1‖ < N2d :
22d−1
4 · N1/2B(2d−1)/2 <N
2d⇔ B <
(︃N1/2
2d · 2(2d−1)/4
)︃ 22d−1
⇔ B <N
12d−1
2√
2 · d2/(2d−1)= 𝒪(N
12d−1 ).
10 / 25
![Page 30: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/30.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
det(ℒ) = NdBd(2d−1).
LLL: v1 ∈ ℒ : ‖v1‖ ≤ 22d−1
4 · det(ℒ)12d = 2
2d−14 · N1/2B(2d−1)/2.
Require ‖v1‖ < N2d :
22d−1
4 · N1/2B(2d−1)/2 <N
2d⇔ B <
(︃N1/2
2d · 2(2d−1)/4
)︃ 22d−1
⇔ B <N
12d−1
2√
2 · d2/(2d−1)= 𝒪(N
12d−1 ).
10 / 25
![Page 31: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/31.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
det(ℒ) = NdBd(2d−1).
LLL: v1 ∈ ℒ : ‖v1‖ ≤ 22d−1
4 · det(ℒ)12d = 2
2d−14 · N1/2B(2d−1)/2.
Require ‖v1‖ < N2d :
22d−1
4 · N1/2B(2d−1)/2 <N
2d⇔ B <
(︃N1/2
2d · 2(2d−1)/4
)︃ 22d−1
⇔ B <N
12d−1
2√
2 · d2/(2d−1)= 𝒪(N
12d−1 ).
10 / 25
![Page 32: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/32.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 2: Variable/Polynomial Multiples
det(ℒ) = NdBd(2d−1).
LLL: v1 ∈ ℒ : ‖v1‖ ≤ 22d−1
4 · det(ℒ)12d = 2
2d−14 · N1/2B(2d−1)/2.
Require ‖v1‖ < N2d :
22d−1
4 · N1/2B(2d−1)/2 <N
2d⇔ B <
(︃N1/2
2d · 2(2d−1)/4
)︃ 22d−1
⇔ B <N
12d−1
2√
2 · d2/(2d−1)= 𝒪(N
12d−1 ).
10 / 25
![Page 33: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/33.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 3: f -Multiples (mod Nm)
Idea 1: ℒ ← {f (x)} ∪{︁N,Nx ,Nx2, . . . ,Nxd−1
}︁.
Idea 2: ℒ ← . . . ∪{︁f (x), xf (x), . . . , xd−1f (x)
}︁(increase degree of the polynomials).
Idea 3: ℒ ← ???
11 / 25
![Page 34: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/34.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 3: f -Multiples (mod Nm)
Idea 1: ℒ ← {f (x)} ∪{︁N,Nx ,Nx2, . . . ,Nxd−1
}︁.
Idea 2: ℒ ← . . . ∪{︁f (x), xf (x), . . . , xd−1f (x)
}︁(increase degree of the polynomials).
Idea 3: increase degree of N :
consider polynomials mod Nm.
11 / 25
![Page 35: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/35.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 3: f -Multiples (mod Nm)
Idea 1: ℒ ← {f (x)} ∪{︁N,Nx ,Nx2, . . . ,Nxd−1
}︁.
Idea 2: ℒ ← . . . ∪{︁f (x), xf (x), . . . , xd−1f (x)
}︁(increase degree of the polynomials).
Idea 3: increase degree of N :
consider polynomials mod Nm.
powers of f (x) allow to lift:
ℒ ←{︀Nm−i f (x)ix j | 0 ≤ i ≤ m, 0 ≤ j ≤ d − 1
}︀.
covers Ideas 1 and 2!
11 / 25
![Page 36: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/36.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 3: f -Multiples (mod Nm)
12 / 25
Example: d = 2,m = 2
⎛⎜⎜⎜⎜⎜⎜⎝
N2x0 N2x1 N1x0f (x)1 N1x1f (x)1 x0f (x)2 x1f (x)2
x0 N2 ? ? ? ? ?x1 0 N2B1 ? ? ? ?x2 0 0 N1B2 ? ? ?x3 0 0 0 N1B3 ? ?x4 0 0 0 0 B4 ?x5 0 0 0 0 0 B5
⎞⎟⎟⎟⎟⎟⎟⎠
![Page 37: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/37.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 3: f -Multiples (mod Nm)
12 / 25
Example: d = 2,m = 2
⎛⎜⎜⎜⎜⎜⎜⎝
N2x0 N2x1 N1x0f (x)1 N1x1f (x)1 x0f (x)2 x1f (x)2
x0 N2 ? ? ? ? ?x1 0 N2B1 ? ? ? ?x2 0 0 N1B2 ? ? ?x3 0 0 0 N1B3 ? ?x4 0 0 0 0 B4 ?x5 0 0 0 0 0 B5
⎞⎟⎟⎟⎟⎟⎟⎠Same upper-triangular structure ⇒ easy calculation of det(ℒ).
![Page 38: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/38.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 3: f -Multiples (mod Nm)
dim(ℒ) = d(m + 1),
det(ℒ) = Ndm(m+1)/2B(d(m+1)−1)d(m+1)/2.
LLL: ‖v1‖ ≤ 2d(m+1)−1
4 · det(ℒ)1
d(m+1) = 2d(m+1)−1
4 · Nm/2B(d(m+1)−1)/2.
Require ‖v1‖ < Nm
d(m+1) :
2d(m+1)−1
4 · Nm/2B(d(m+1)−1)/2 <Nm
d(m + 1)⇔
⇔ B < 𝛼(d ,m) · Nm
d(m+1)−1 = 𝛼(d ,m) · N1d−Θ( 1
m).
13 / 25
![Page 39: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/39.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 3: f -Multiples (mod Nm)
dim(ℒ) = d(m + 1),
det(ℒ) = Ndm(m+1)/2B(d(m+1)−1)d(m+1)/2.
LLL: ‖v1‖ ≤ 2d(m+1)−1
4 · det(ℒ)1
d(m+1) = 2d(m+1)−1
4 · Nm/2B(d(m+1)−1)/2.
Require ‖v1‖ < Nm
d(m+1) :
2d(m+1)−1
4 · Nm/2B(d(m+1)−1)/2 <Nm
d(m + 1)⇔
⇔ B < 𝛼(d ,m) · Nm
d(m+1)−1 = 𝛼(d ,m) · N1d−Θ( 1
m).
13 / 25
![Page 40: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/40.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 3: f -Multiples (mod Nm)
dim(ℒ) = d(m + 1),
det(ℒ) = Ndm(m+1)/2B(d(m+1)−1)d(m+1)/2.
LLL: ‖v1‖ ≤ 2d(m+1)−1
4 · det(ℒ)1
d(m+1) = 2d(m+1)−1
4 · Nm/2B(d(m+1)−1)/2.
Require ‖v1‖ < Nm
d(m+1) :
2d(m+1)−1
4 · Nm/2B(d(m+1)−1)/2 <Nm
d(m + 1)⇔
⇔ B < 𝛼(d ,m) · Nm
d(m+1)−1 = 𝛼(d ,m) · N1d−Θ( 1
m).
13 / 25
![Page 41: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/41.jpg)
Finding Small Solutions Applications to RSA Conclusion
Idea 3: f -Multiples (mod Nm)
dim(ℒ) = d(m + 1),
det(ℒ) = Ndm(m+1)/2B(d(m+1)−1)d(m+1)/2.
LLL: ‖v1‖ ≤ 2d(m+1)−1
4 · det(ℒ)1
d(m+1) = 2d(m+1)−1
4 · Nm/2B(d(m+1)−1)/2.
Require ‖v1‖ < Nm
d(m+1) :
2d(m+1)−1
4 · Nm/2B(d(m+1)−1)/2 <Nm
d(m + 1)⇔
⇔ B < 𝛼(d ,m) · Nm
d(m+1)−1 = 𝛼(d ,m) · N1d−Θ( 1
m).
13 / 25
![Page 42: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/42.jpg)
Finding Small Solutions Applications to RSA Conclusion
Plan
Finding Small Solutions
Applications to RSA
Conclusion
13 / 25
![Page 43: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/43.jpg)
Finding Small Solutions Applications to RSA Conclusion
RSA - Recap
• p, q two (large) primes, private• n = p · q, public• exponents: e public, d private such that
ed ≡ 1 (mod lcm(p − 1, q − 1))
• encryption: c = me mod n
• decryption: m = cd mod n
14 / 25
![Page 44: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/44.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack
• Assume small e, e.g. e = 3.• Assume small m: m < N1/e .
• Then: c = me mod n = ... = me .• m = e
√c (over Z)!
Example
• Let e = 3,N = 1000003.• Let m = 100, then c = me mod N = 1000000.• Clearly, m = 3
√1000000 = 100.
15 / 25
![Page 45: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/45.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack
• Assume small e, e.g. e = 3.• Assume small m: m < N1/e .• Then: c = me mod n = ...
= me .• m = e
√c (over Z)!
Example
• Let e = 3,N = 1000003.• Let m = 100, then c = me mod N = 1000000.• Clearly, m = 3
√1000000 = 100.
15 / 25
![Page 46: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/46.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack
• Assume small e, e.g. e = 3.• Assume small m: m < N1/e .• Then: c = me mod n = ... = me .
• m = e√c (over Z)!
Example
• Let e = 3,N = 1000003.• Let m = 100, then c = me mod N = 1000000.• Clearly, m = 3
√1000000 = 100.
15 / 25
![Page 47: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/47.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack
• Assume small e, e.g. e = 3.• Assume small m: m < N1/e .• Then: c = me mod n = ... = me .• m = e
√c (over Z)!
Example
• Let e = 3,N = 1000003.• Let m = 100, then c = me mod N = 1000000.• Clearly, m = 3
√1000000 = 100.
15 / 25
![Page 48: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/48.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack
• Assume small e, e.g. e = 3.• Assume small m: m < N1/e .• Then: c = me mod n = ... = me .• m = e
√c (over Z)!
Example
• Let e = 3,N = 1000003.• Let m = 100, then c = me mod N = 1000000.• Clearly, m = 3
√1000000 = 100.
15 / 25
![Page 49: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/49.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack(Stereotyped messages)
• Assume small e, e.g. e = 3.• Assume m is close to a constant 𝛼: m = 𝛼+m0,m0 < N1/e .• Example: constant padding:
“today’s secret password is: lllattice” .
• More generally, c = L(m0)e mod N, where Li ∈ ZNi
[x ] is a public affine map.
• Coppersmith: L(m0)e is a degree-e polynomial, m0 < N
1e is a small root!
16 / 25
![Page 50: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/50.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack(Stereotyped messages)
• Assume small e, e.g. e = 3.• Assume m is close to a constant 𝛼: m = 𝛼+m0,m0 < N1/e .• Example: constant padding:
“today’s secret password is: lllattice” .• More generally, c = L(m0)
e mod N, where Li ∈ ZNi[x ] is a public affine map.
• Coppersmith: L(m0)e is a degree-e polynomial, m0 < N
1e is a small root!
16 / 25
![Page 51: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/51.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack(Stereotyped messages)
• Assume small e, e.g. e = 3.• Assume m is close to a constant 𝛼: m = 𝛼+m0,m0 < N1/e .• Example: constant padding:
“today’s secret password is: lllattice” .• More generally, c = L(m0)
e mod N, where Li ∈ ZNi[x ] is a public affine map.
• Coppersmith: L(m0)e is a degree-e polynomial, m0 < N
1e is a small root!
16 / 25
![Page 52: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/52.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack(Stereotyped messages) - Example
• Let e = 3,N = 2000003.• Let m = 1234567 + 7777777m0, where m0 = 50.
• Then c = me mod N =(1234567 + 7777777m0)
3 mod N = 39947.• We know thatme − c ≡ 892450m3
0 + 1866122m20 + 726335m0 + 302637 ≡ 0 (mod N),
m30 + 1684527m2
0 + 1652432m0 + 1942344 ≡ 0 (mod N).• Use Coppersmith’s method, get m0 = 50.
17 / 25
![Page 53: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/53.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack(Stereotyped messages) - Example
• Let e = 3,N = 2000003.• Let m = 1234567 + 7777777m0, where m0 = 50.• Then c = me mod N =(1234567 + 7777777m0)
3 mod N = 39947.
• We know thatme − c ≡ 892450m3
0 + 1866122m20 + 726335m0 + 302637 ≡ 0 (mod N),
m30 + 1684527m2
0 + 1652432m0 + 1942344 ≡ 0 (mod N).• Use Coppersmith’s method, get m0 = 50.
17 / 25
![Page 54: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/54.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack(Stereotyped messages) - Example
• Let e = 3,N = 2000003.• Let m = 1234567 + 7777777m0, where m0 = 50.• Then c = me mod N =(1234567 + 7777777m0)
3 mod N = 39947.• We know thatme − c ≡ 892450m3
0 + 1866122m20 + 726335m0 + 302637 ≡ 0 (mod N),
m30 + 1684527m2
0 + 1652432m0 + 1942344 ≡ 0 (mod N).
• Use Coppersmith’s method, get m0 = 50.
17 / 25
![Page 55: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/55.jpg)
Finding Small Solutions Applications to RSA Conclusion
“Cube” attack(Stereotyped messages) - Example
• Let e = 3,N = 2000003.• Let m = 1234567 + 7777777m0, where m0 = 50.• Then c = me mod N =(1234567 + 7777777m0)
3 mod N = 39947.• We know thatme − c ≡ 892450m3
0 + 1866122m20 + 726335m0 + 302637 ≡ 0 (mod N),
m30 + 1684527m2
0 + 1652432m0 + 1942344 ≡ 0 (mod N).• Use Coppersmith’s method, get m0 = 50.
17 / 25
![Page 56: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/56.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Simple
• Assume small e, e.g. e = 3.• Unrestricted m.
• Broadcasting scenario:the same message m is encrypted under e different modulos N1,N2, . . . ,Ne .
• c1 = me mod N1, . . . , ce = me mod Ne .• CRT: reconstruct C such that C = me mod N1N2 . . .Ne .• Note that m < N1 ⇒ me < N1N2 . . .Ne .• Again: m = e
√C , over Z.
18 / 25
![Page 57: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/57.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Simple
• Assume small e, e.g. e = 3.• Unrestricted m.• Broadcasting scenario:
the same message m is encrypted under e different modulos N1,N2, . . . ,Ne .
• c1 = me mod N1, . . . , ce = me mod Ne .• CRT: reconstruct C such that C = me mod N1N2 . . .Ne .• Note that m < N1 ⇒ me < N1N2 . . .Ne .• Again: m = e
√C , over Z.
18 / 25
![Page 58: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/58.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Simple
• Assume small e, e.g. e = 3.• Unrestricted m.• Broadcasting scenario:
the same message m is encrypted under e different modulos N1,N2, . . . ,Ne .• c1 = me mod N1, . . . , ce = me mod Ne .
• CRT: reconstruct C such that C = me mod N1N2 . . .Ne .• Note that m < N1 ⇒ me < N1N2 . . .Ne .• Again: m = e
√C , over Z.
18 / 25
![Page 59: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/59.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Simple
• Assume small e, e.g. e = 3.• Unrestricted m.• Broadcasting scenario:
the same message m is encrypted under e different modulos N1,N2, . . . ,Ne .• c1 = me mod N1, . . . , ce = me mod Ne .• CRT: reconstruct C such that C = me mod N1N2 . . .Ne .
• Note that m < N1 ⇒ me < N1N2 . . .Ne .• Again: m = e
√C , over Z.
18 / 25
![Page 60: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/60.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Simple
• Assume small e, e.g. e = 3.• Unrestricted m.• Broadcasting scenario:
the same message m is encrypted under e different modulos N1,N2, . . . ,Ne .• c1 = me mod N1, . . . , ce = me mod Ne .• CRT: reconstruct C such that C = me mod N1N2 . . .Ne .• Note that m < N1 ⇒ me < N1N2 . . .Ne .
• Again: m = e√C , over Z.
18 / 25
![Page 61: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/61.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Simple
• Assume small e, e.g. e = 3.• Unrestricted m.• Broadcasting scenario:
the same message m is encrypted under e different modulos N1,N2, . . . ,Ne .• c1 = me mod N1, . . . , ce = me mod Ne .• CRT: reconstruct C such that C = me mod N1N2 . . .Ne .• Note that m < N1 ⇒ me < N1N2 . . .Ne .• Again: m = e
√C , over Z.
18 / 25
![Page 62: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/62.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Assume small e, e.g. e = 3.• Unrestricted m.• Protected broadcasting:
the same message m is encrypted under e different modulos N1,N2, . . . ,Ne ,
but padded differently:e.g. m = (m0 + 2|m0|i).
• More generally, ci = Li (m0)e mod Ni , where Li ∈ ZNi
[x ] are public affine maps.• Can we break this?
19 / 25
![Page 63: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/63.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Assume small e, e.g. e = 3.• Unrestricted m.• Protected broadcasting:
the same message m is encrypted under e different modulos N1,N2, . . . ,Ne ,but padded differently:e.g. m = (m0 + 2|m0|i).
• More generally, ci = Li (m0)e mod Ni , where Li ∈ ZNi
[x ] are public affine maps.• Can we break this?
19 / 25
![Page 64: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/64.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Assume small e, e.g. e = 3.• Unrestricted m.• Protected broadcasting:
the same message m is encrypted under e different modulos N1,N2, . . . ,Ne ,but padded differently:e.g. m = (m0 + 2|m0|i).
• More generally, ci = Li (m0)e mod Ni , where Li ∈ ZNi
[x ] are public affine maps.
• Can we break this?
19 / 25
![Page 65: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/65.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Assume small e, e.g. e = 3.• Unrestricted m.• Protected broadcasting:
the same message m is encrypted under e different modulos N1,N2, . . . ,Ne ,but padded differently:e.g. m = (m0 + 2|m0|i).
• More generally, ci = Li (m0)e mod Ni , where Li ∈ ZNi
[x ] are public affine maps.• Can we break this?
19 / 25
![Page 66: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/66.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Let gi (x) := (Li (x)e − ci ) mod ∈ ZNi
[x ].• Note gi (m0) ≡ 0 (mod Ni ).
• Step 1 - CRT: find g ∈ ZN1N2...Ne [x ], deg g = e such that
g ≡ gi (mod Ni ).
• In particular, g(m0) ≡ 0 (mod N1N2 . . .Ne).• How? Simply apply CRT to the coefficients.
20 / 25
![Page 67: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/67.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Let gi (x) := (Li (x)e − ci ) mod ∈ ZNi
[x ].• Note gi (m0) ≡ 0 (mod Ni ).• Step 1 - CRT: find g ∈ ZN1N2...Ne [x ], deg g = e such that
g ≡ gi (mod Ni ).
• In particular, g(m0) ≡ 0 (mod N1N2 . . .Ne).• How? Simply apply CRT to the coefficients.
20 / 25
![Page 68: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/68.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Let gi (x) := (Li (x)e − ci ) mod ∈ ZNi
[x ].• Note gi (m0) ≡ 0 (mod Ni ).• Step 1 - CRT: find g ∈ ZN1N2...Ne [x ], deg g = e such that
g ≡ gi (mod Ni ).
• In particular, g(m0) ≡ 0 (mod N1N2 . . .Ne).
• How? Simply apply CRT to the coefficients.
20 / 25
![Page 69: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/69.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Let gi (x) := (Li (x)e − ci ) mod ∈ ZNi
[x ].• Note gi (m0) ≡ 0 (mod Ni ).• Step 1 - CRT: find g ∈ ZN1N2...Ne [x ], deg g = e such that
g ≡ gi (mod Ni ).
• In particular, g(m0) ≡ 0 (mod N1N2 . . .Ne).• How? Simply apply CRT to the coefficients.
20 / 25
![Page 70: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/70.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Step 2 - Coppersmith method:
• m0 < N1 < (N1N2 . . .Ne)1e .
• g(m0) ≡ 0 (mod N1N2 . . .Ne), deg g = e.• ⇒ recover m0!
21 / 25
![Page 71: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/71.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Step 2 - Coppersmith method:
• m0 < N1 < (N1N2 . . .Ne)1e .
• g(m0) ≡ 0 (mod N1N2 . . .Ne), deg g = e.• ⇒ recover m0!
21 / 25
![Page 72: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/72.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Step 2 - Coppersmith method:
• m0 < N1 < (N1N2 . . .Ne)1e .
• g(m0) ≡ 0 (mod N1N2 . . .Ne), deg g = e.
• ⇒ recover m0!
21 / 25
![Page 73: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/73.jpg)
Finding Small Solutions Applications to RSA Conclusion
Hastad Broadcast Attack - Harder
• Step 2 - Coppersmith method:
• m0 < N1 < (N1N2 . . .Ne)1e .
• g(m0) ≡ 0 (mod N1N2 . . .Ne), deg g = e.• ⇒ recover m0!
21 / 25
![Page 74: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/74.jpg)
Finding Small Solutions Applications to RSA Conclusion
Note on Sagemath!
22 / 25
![Page 75: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/75.jpg)
Finding Small Solutions Applications to RSA Conclusion
1. note 1: 𝛿 is the degree of the polynomial
2. warning 2: 𝜖 = 18 by default, and is not adjusted!!! (bug?)
3. you get X =⌈︀N1/d−1/8/2
⌉︀.
4. for example, d = 3⇒ X =⌈︀N5/24/2
⌉︀,
instead of “expected” N1/3 = N8/24!5. need to compute required 𝜖 manually before calling...
23 / 25
![Page 76: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/76.jpg)
Finding Small Solutions Applications to RSA Conclusion
1. note 1: 𝛿 is the degree of the polynomial2. warning 2: 𝜖 = 1
8 by default, and is not adjusted!!! (bug?)
3. you get X =⌈︀N1/d−1/8/2
⌉︀.
4. for example, d = 3⇒ X =⌈︀N5/24/2
⌉︀,
instead of “expected” N1/3 = N8/24!5. need to compute required 𝜖 manually before calling...
23 / 25
![Page 77: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/77.jpg)
Finding Small Solutions Applications to RSA Conclusion
1. note 1: 𝛿 is the degree of the polynomial2. warning 2: 𝜖 = 1
8 by default, and is not adjusted!!! (bug?)3. you get X =
⌈︀N1/d−1/8/2
⌉︀.
4. for example, d = 3⇒ X =⌈︀N5/24/2
⌉︀,
instead of “expected” N1/3 = N8/24!5. need to compute required 𝜖 manually before calling... 23 / 25
![Page 78: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/78.jpg)
Finding Small Solutions Applications to RSA Conclusion
1 from sage.all import *2
3 N = next_prime(10**50)4 E = 35 x = PolynomialRing(Zmod(N), names='x').gen()6
7 m0 = 10**12 + 20190607 # secret8 X = 2*10**12 # bound9
10 m = 1234567890 * m0 + 1122334455667788990011 c = pow(m, E, N)12
13 poly = (1234567890 * x + 11223344556677889900) ** E - c14 poly /= poly.leading_coefficient()15
16 epsilon = RR(1/poly.degree() - log(2*X, N))17 if epsilon <= 0:18 print "Too large bound X!"19 quit()20
21 print "epsilon:", "2^%f" % RR(log(epsilon, 2))22 for root in poly.small_roots(epsilon=epsilon):23 print "root", root
24 / 25
![Page 79: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/79.jpg)
Finding Small Solutions Applications to RSA Conclusion
Plan
Finding Small Solutions
Applications to RSA
Conclusion
24 / 25
![Page 80: Finding Small Solutions to Low Degree Polynomials and … · 2019-06-17 · Finding Small SolutionsApplications to RSAConclusion MainIdea FindingrootsoverZ N? FindingrootsoverZ iseasy](https://reader033.vdocuments.us/reader033/viewer/2022060315/5f0bc3557e708231d4321849/html5/thumbnails/80.jpg)
Finding Small Solutions Applications to RSA Conclusion
A good resource by David Wong:
github.com/mimoo/RSA-and-LLL-attacks
• implementation of univariate and bivariate Coppersmith algorithms in Sage(from scratch, using LLL);
• also a survey on lattice-based attacks with a good intro.
Another good resource:
Alexander May’s Dissertation
25 / 25