Broadcast Attacks against Lattice-based Cryptosystems*

More documents

Recommendations

Info

10 Thomas Plantard and Willy SusiloWe prove that α(L 1 ∩ L 2 ) ≥ α(L 1 ).Let’s compare α(L 1 ∩ L 2 ) with α(L 1 ). We have proved that λ 1 (L 1 ∩ L 2 ) =‖v‖ = λ 1 (L 1 ). Suppose that we have two independent vectors v 1 , v 2 ∈ L 1 ∩ L 2such that max(‖v 1 ‖, ‖v 2 ‖) = λ 2 (L 1 ∩ L 2 ). Then, since v 1 , v 2 are also two independentvectors of L 1 , we obtain λ 2 (L 1 ) ≤ max(‖v 1 ‖, ‖v 2 ‖). We have λ 2 (L 1 ) ≤max(‖v 1 ‖, ‖v 2 ‖) = λ 2 (L 1 ∩ L 2 ). Finally, we obtain( ) ( )λ2 (L 1 ∩ L 2 ) λ2 (L 1 )α(L 1 ∩ L 2 ) =≥= α(L 1 ).λ 1 (L 1 ∩ L 2 ) λ 1 (L 1 )The same proof can be performed with L 2 , and consequently, we obtainα(L 1 ∩ L 2 ) ≥ α(L 1 ), α(L 2 ).□Theorem 7 is crucial as it demonstrates that to solve the shortest vectorproblem on the intersection of lattices will be at least easier that in the initiallattice. We will see in Section 5 that practical problems become a lot easier.Nevertheless, the practical efficiency can not be shown in a general theorem asTheorem 7. This is simply because if L 1 = L 2 , we obtain L 1 ∩ L 2 = L 1 = L 2 ,γ(L 1 ∩ L 2 ) = γ(L 1 ) = γ(L 2 )andα(L 1 ∩ L 2 ) = α(L 1 ) = α(L 2 ).Remark 7. For cryptosystems based on CVP, we will use the embedding methodto model as a SVP before applying Theorem 7.4 Practical Broadcast AttacksIn this section, we adapt the general method (Theorem 7) to different latticeor knapsack cryptosystems. For convenience, we will always firstly recall the‘challenge’ in the cryptosystem involved followed by our proposed attack. All ofour attacks are heuristic.4.1 A Broadcast Attack on GGH Type AProblem 4 (GGH A Challenge). Let B ∈ Z n,n a basis and c ∈ Z n a vector suchthat there exist two vectors r, m ∈ Z n with c = rB + m. Then, the GGH Achallenge (B, c) is to find m.Algorithm 1: Broadcast Attack on GGH A ChallengesInput : (B i , c i ) k GGH A challenges.Output: m ∈ Z n .begin( )Compute B i ′ = Bi 0.c i 1Compute L = ⋂ ki=1 L(B′ i ).Find ( m 1 ) shortest vector of L.end
Broadcast Attacks against Lattice-based Cryptosystems 11Example 1. The initial proposition in [27] is obviously concerned by this attack.However, we will refer to Micciancio cryptosystems [31] as a non-broken cryptosystemthat will also be susceptible against this attack.4.2 A Broadcast Attack on GGH Type BProblem 5 (GGH B Challenge). Let B ∈ Z n,n a basis and c ∈ Z n a vector suchthat there exist two vectors m, r ∈ Z n with c = mB + r. Then, the GGH Bchallenge (B, c) is to find m.The idea here is a bit different. As we have mB 1 +r 1 = c 1 and mB 2 +r 2 = c 2 ,we construct a third challenge mB 3 +r 3 = c 3 with B 3 = B 1 +B 2 and c 3 = c 1 +c 2 .Practically, the fact that ‖r‖ grows will be less important than the growth of B.Algorithm 2: Broadcast Attack on GGH B ChallengesInput : (B i , c i ) k GGH B challenges.Output: m ∈ Z n .beginCompute B = ∑ ki=1 B i.Compute c = ∑ ki=1 c i.Find the closest vector v of c in L(B).Compute m = vB −1 .endAlgorithm 2 do not use Theorem 7 and cannot be proved to have a simplerproblem as the λ 1 (L(B 1 + B 2 )) can be bigger than λ 1 (L(B 1 )). However, we willsee than practically λ 1 (L(B 1 + B 2 )) will be bigger. Practically, we will also usethe embedding method for the third step of Algorithm 2.Example 2. Cryptosystems concerned with this attack include [30] and the morerecent work of [32].4.3 A First Broadcast Attack on Knapsack CryptosystemsProblem 6 (Knapsack Challenge). Let a ∈ N n a positive integer vector and s ∈ Nan integer such that there exists m ∈ [0, 1] n a boolean vector such ma T = s.Then, the Knapsack challenge (a, s) is to find m.The attack proposed here is an adaptation of Algorithm 1 to the knapsackchallenge as it has been already modelled by [10] in a lattice problem. Othermodellings can been also adapted with the same technique.
Page 1 and 2: Broadcast Attacks against Lattice-b
Page 4 and 5: 4 Thomas Plantard and Willy Susilop
Page 6 and 7: 6 Thomas Plantard and Willy SusiloD
Page 8 and 9: 8 Thomas Plantard and Willy SusiloD
Page 12 and 13: 12 Thomas Plantard and Willy Susilo

Broadcast Attacks against Lattice-based Cryptosystems*

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?