Upload File

using the lll-algorithm to break the rsa cryptosystem

  • Home
  • Documents
  • Using the LLL-algorithm to Break the RSA Cryptosystem
1
Using the LLL-algorithm to Break the RSA Cryptosystem Khoa Bui Concordia University of Edmonton Department of Mathematical and Physical Sciences Using the LLL-algorithm to Break the RSA Cryptosystem Khoa Bui Concordia University of Edmonton Department of Mathematical and Physical Sciences Abstract The Rivest-Shamir-Adleman (RSA) cryptosystem is one of the most popular cryptosystems being used in secure data transmission. Until today, the cryptosys- tem is still considered to be safe due to the hardness of the factorization problem. The Lenstra-Lenstra-Lov´ asz (LLL) algorithm offers various methods to attack the RSA cryptosystem, even going as far as potentially breaking the system by solv- ing the factorization problem. In this presentation, we will discuss how a weak parameter creates deadly vulnerabilities in the RSA cryptosystem, and the usage of LLL-algorithm in the factorization problem. Fig. 1: Source: Hartnett K. https://www.quantamagazine.org/mathematicians-seal-back-door-to-breaking-rsa-encryption-20181217/ Definitions 1. Lattice: Let n 1 and let ~x 1 ,~x 2 , ...,~x n be a basis in the euclidean space R n . The lattice with dimension n and basis ~x 1 ,~x 2 , ...,~x n is the set L of all linear combinations of the basis vectors with integrals coefficients [2]. Fig. 2: Graphical representation of a lattice 2. The Lenstra–Lenstra–Lov´ asz(LLL)-algorithm [2]: Input : A basis ~x 1 ,~x 2 , ...,~x n of the lattice L R n , and a reduction parameter α R in the range 1 4 <α< 1. Output : A new basis with short vectors of lattice L. Fig. 3: Graphical representation of the LLL algorithm. How does RSA work? The RSA cryptosystem is an asymmetric cryptosystem, which means that it requires 2 keys, a public key and a private key, for the system to work. The public key is widely distributed for the purpose of encrypting information, while the private key is kept secret for the sake of security and decryption. Fig. 4: Asymmetric cryptography. Source: https://cheapsslsecurity.com/p/what-is-public-key-and-private-key-cryptography-and-how-does-it-work/ It is computationally very difficult to factor a large integer into its prime com- ponents; conversely, it is easy to find the product of two large prime numbers [3]. The RSA cryptosystem utilizes this fact to guarantee safe data transmission. Using the LLL-algorithm to attack RSA The Coppersmith’s method is a LLL-algorithm based attack on low-public ex- ponent RSA cryptosystems [1]. We have the following steps to the Coppersmith’s method: 1. Translate RSA’s encryption process m = c e mod N into a monic polynomial equation. 2. Construct a Coppersmith’s matrix. 3. Apply the LLL algorithm to the Coppersmith’s matrix reducing it down to a polynomial. 4. Solve for the small roots of the polynomial. Consequently [1], the root is the unknown part of the of the plaintext m. The LLL-algorithm in Coppersmith’s method Fig. 5: Growth in percentage of lattice reduction steps Experimental result suggests that the running time from the LLL algorithm steps quickly dominates the Coppersmith’s method growing from half of the time to more than 90% of the Coppersmith’s method. Running time as a function of integer h and degree d Fig. 6: Change in running time as a function of integer h In Figure 6 the colours indicate the degree d corresponding with the integer h. Fig. 7: Change in running time as a function of degree d Conclusion and future work Coppersmith’s method offers an interesting use of the LLL-algorithm in attacking low ex- ponent RSA cryptosystem. While the RSA cryptosystem is still secure for now, advancement in quantum computing might threaten the security of the system. On the LLL-algorithm, we can expect to see more applications of it in cryptography research in the near future. Acknowledgement My acknowledgement goes out to Dr. Tran, Dr. Huntemann, Dr. Guelzow, as well as my peers for advising and supervising this project. References [1] Don Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. In: Journal of Cryptology 10.4 (1997), pp. 233–260. [2] Arjen K Lenstra, Hendrik Willem Lenstra, and L´ aszl´ o Lov´ asz. Factoring polynomials with rational coeffi- cients. In: Mathematische Annalen 261.ARTICLE (1982), pp. 515–534. [3] Ronald L Rivest, Adi Shamir, and Leonard Adleman. A method for obtaining digital signatures and public- key cryptosystems. In: Communications of the ACM 21.2 (1978), pp. 120–126.

Upload: others

Post on 26-Feb-2022

13 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Using the LLL-algorithm to Break the RSA Cryptosystem

Using the LLL-algorithm to Break the RSA Cryptosystem

Khoa Bui

Concordia University of EdmontonDepartment of Mathematical and Physical Sciences

Using the LLL-algorithm to Break the RSA Cryptosystem

Khoa Bui

Concordia University of EdmontonDepartment of Mathematical and Physical Sciences

Abstract

The Rivest-Shamir-Adleman (RSA) cryptosystem is one of the most popularcryptosystems being used in secure data transmission. Until today, the cryptosys-tem is still considered to be safe due to the hardness of the factorization problem.The Lenstra-Lenstra-Lovasz (LLL) algorithm offers various methods to attack theRSA cryptosystem, even going as far as potentially breaking the system by solv-ing the factorization problem. In this presentation, we will discuss how a weakparameter creates deadly vulnerabilities in the RSA cryptosystem, and the usageof LLL-algorithm in the factorization problem.

Fig. 1: Source: Hartnett K.

https://www.quantamagazine.org/mathematicians-seal-back-door-to-breaking-rsa-encryption-20181217/

Definitions

1. Lattice: Let n ≥ 1 and let ~x1, ~x2, ..., ~xn be a basis in the euclidean space Rn.The lattice with dimension n and basis ~x1, ~x2, ..., ~xn is the set L of all linearcombinations of the basis vectors with integrals coefficients [2].

Fig. 2: Graphical representation of a lattice

2. The Lenstra–Lenstra–Lovasz(LLL)-algorithm [2]:

• Input : A basis ~x1, ~x2, ..., ~xn of the lattice L ⊂ Rn, and a reduction parameterα ∈ R in the range 1

4 < α < 1.

•Output : A new basis with short vectors of lattice L.

Fig. 3: Graphical representation of the LLL algorithm.

How does RSA work?

The RSA cryptosystem is an asymmetric cryptosystem, which means that itrequires 2 keys, a public key and a private key, for the system to work. Thepublic key is widely distributed for the purpose of encrypting information, whilethe private key is kept secret for the sake of security and decryption.

Fig. 4: Asymmetric cryptography.

Source: https://cheapsslsecurity.com/p/what-is-public-key-and-private-key-cryptography-and-how-does-it-work/

It is computationally very difficult to factor a large integer into its prime com-ponents; conversely, it is easy to find the product of two large prime numbers [3].The RSA cryptosystem utilizes this fact to guarantee safe data transmission.

Using the LLL-algorithm to attack RSA

The Coppersmith’s method is a LLL-algorithm based attack on low-public ex-ponent RSA cryptosystems [1]. We have the following steps to the Coppersmith’smethod:

1. Translate RSA’s encryption process m = ce mod N into a monic polynomialequation.

2. Construct a Coppersmith’s matrix.

3. Apply the LLL algorithm to the Coppersmith’s matrix reducing it down to apolynomial.

4. Solve for the small roots of the polynomial.

Consequently [1], the root is the unknown part of the of the plaintext m.

The LLL-algorithm in Coppersmith’s method

Fig. 5: Growth in percentage of lattice reduction steps

Experimental result suggests that the running time from the LLL algorithmsteps quickly dominates the Coppersmith’s method growing from half of the timeto more than 90% of the Coppersmith’s method.

Running time as a function of integer h and degree d

Fig. 6: Change in running time as a function of integer h

In Figure 6 the colours indicate the degree d corresponding with the integer h.

Fig. 7: Change in running time as a function of degree d

Conclusion and future work

Coppersmith’s method offers an interesting use of the LLL-algorithm in attacking low ex-ponent RSA cryptosystem. While the RSA cryptosystem is still secure for now, advancementin quantum computing might threaten the security of the system. On the LLL-algorithm, wecan expect to see more applications of it in cryptography research in the near future.

Acknowledgement

My acknowledgement goes out to Dr. Tran, Dr. Huntemann, Dr. Guelzow, as well as mypeers for advising and supervising this project.

References

[1] Don Coppersmith. “Small solutions to polynomial equations, and low exponent RSA vulnerabilities”. In:Journal of Cryptology 10.4 (1997), pp. 233–260.

[2] Arjen K Lenstra, Hendrik Willem Lenstra, and Laszlo Lovasz. “Factoring polynomials with rational coeffi-cients”. In: Mathematische Annalen 261.ARTICLE (1982), pp. 515–534.

[3] Ronald L Rivest, Adi Shamir, and Leonard Adleman. “A method for obtaining digital signatures and public-key cryptosystems”. In: Communications of the ACM 21.2 (1978), pp. 120–126.

CRYPTOGRAPHY - FCAMPENAfrancisjosephcampena.weebly.com/.../cryptographyslidenocone.pdf · utilizing a basic implementation of the RSA cryptosystem: ... Cryptography and cryptanalysis

Contents - cs.virginia.edu · 12. 2/22: Public Key Cryptography and RSA 30 12.1. El Gamal Cryptosystem 30 12.2. RSA Trapdoor Permutation 31 ... cryptography) and (ii)

An Application of Number Theory, the RSA Cryptosystemfaculty.washington.edu/moishe/hanoiex/Number Theory Applications/Number-Theory...An Application of Number Theory, the RSA Cryptosystem

Understanding Cryptography Chptr 7---The RSA Cryptosystem

The RSA cryptosystem and its pitfallss1251909/talks/PG Colloquia/PG_colloquium_R… · The RSA cryptosystem and its pitfalls ... Encryption: message mis encrypted by Alice to c:=

Network and Computer Security (CS 475) Modular Arithmetic and the RSA Public Key Cryptosystem

COMP 170 L2 Page 1 L06: The RSA Algorithm l Objective: n Present the RSA Cryptosystem n Prove its correctness n Discuss related issues

The RSA Cryptosystem - Stanford Universitycrypto.stanford.edu/~dabo/courses/cs255_winter03/rsa-lecture.pdf · Page 2 The RSA cryptosystem Ø First published: • Scientific American,

Two mathematical security aspects of the rsa cryptosystem

RSA Asymmetric Key Cryptosystem

Improved Cryptanalysis of the KMOV Elliptic Curve Cryptosystem · Both attacks improve the existing attacks on the KMOV cryptosystem. 1 Introduction The RSA cryptosystem [21], invented

The RSA Cryptosystem

Applied Symbolic Computation (CS 300) Modular Arithmetic and the RSA Public Key Cryptosystem

The RSA Cryptosystem Dan Boneh Stanford University

Cryptography - UPC Universitat Politècnica de Catalunyajordicf/Teaching/AP2/pdf/15_Cryptography.… · Implement an RSA cryptosystem •Given two primes, and , design an RSA cryptosystem

The RSA Cryptosystem and Factoring Integers (I)

Design and Development of an E-Commerce Security Using RSA Cryptosystem

AN ANALYSIS OF KEY GENERATION EFFICIENCY OF RSA ...library.iyte.edu.tr/tezler/master/bilgisayaryazilimi/T000406.pdf · EFFICIENCY OF RSA CRYPTOSYSTEM IN DISTRIBUTED ENVIRONMENTS

An efficient variant of the RSA cryptosystem · An efficient variant of the RSA cryptosystem Cesar Alison Monteiro Paixao˜ ∗1, Decio Luiz Gazzoni Filho´ 2 1Instituto de Matematica

Attacking RSA Brian Winant [email protected]. Reference “Twenty Years of Attacks on the RSA Cryptosystem” By Dan Boneh In Notices of the American Mathematical

The LLL Algorithm - Ionica Smeets · 2019-04-24 · Algorithmic Number Theory Symposium (ANTS VII) held in Berlin in July 2006, ... to cryptanalysis: lattice attacks on the RSA cryptosystem,

Section 4.4: The RSA Cryptosystem

Cryptosystem An Implementation of RSA Using Verilog

Factoring integers, Producing primes and the RSA cryptosystem · RSA cryptosystem University of Kathmandu, December 14, 2005 12 Bob: Key generation - He chooses randomly p and q primes

A Survey on RSA Security Enhancement - IJARIIEijariie.com/AdminUploadPdf/A_Survey_on_RSA_Security_Enhanceme… · The most common public key algorithm is RSA cryptosystem used for

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions

The Mathematical Cryptography of the RSA Cryptosystem · 2.2 The basic RSA cryptosystem The RSA cryptosystem was created in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman [10]

Implementation of the RSA Public-Key Cryptosystemsms.math.nus.edu.sg/smsmedley/Vol-19-2/RSA public-key cryptosyst… · RSA Public-Key Cryptosystem * Tham Kine Thong St Andrew's Junior

Public Key Ciphers: The RSA Cryptosystemcse.iitkgp.ac.in/~debdeep/courses_iitkgp/Crypto/slides/RSA1.pdf · 1 Public Key Ciphers: The RSA Cryptosystem Debdeep Mukhopadhyay IIT Kharagpur

Public Key Cryptography and the RSA Cryptosystem...1 Public Key Cryptography and the RSA Cryptosystem A Computational Science Module Supported by National Science Foundation, NSF CCLI

IJIRIS:: Design and Development of an E-Commerce Security Using RSA Cryptosystem

1 RSA Public Key Encryption Algorithm The best known public key cryptosystem is RSA - named after its authors, Rivest, Shamir and Adelman Key Generation

RSA CRYPTOSYSTEM: AN ANALYSIS AND PYTHONSIMULATOR … Ciscily Spring 2017.pdf · the entire RSA cryptosystem using the Python programming language. Contents 1 Background 1 2 How RSA

Modular Arithmetic and the RSA Cryptosystem

New Attacks on the RSA Cryptosystem · lattice basis reduction techniques. Similarly, Bl omer and May [2] proposed an extension of Wiener’s attack and showed that the RSA cryptosystem