Broadcast Attacks against Lattice-based Cryptosystems*

More documents

Recommendations

Info

12 Thomas Plantard and Willy SusiloAlgorithm 3: Broadcast Attack on Knapsack ChallengeInput : (a i , s i ) k knapsack challenges.Output: m ∈ [0, 1] n .begin( )Id aTCompute B i = i 0.0 s 1Compute L = ⋂ ki=1 L(B i).Find ( m 0 1 ) shortest vector of L.endExample 3. The examples of practical schemes that are susceptible against ourattack are as follows. We refer to the survey of Odlysko [17] for knapsack cryptosystemsthat are susceptible against this attack. However, we also refer to [16]for one of the ‘rare’ non-broken knapsack cryptosystems that are also susceptibleagainst this attack. The recent proposition of [58] is also concerned.Remark 8. We remark that the dimension of L decreases further when k increases.Practically, we have dim(L) = n − k with a high probability 4 . It isbecause each L(B i ) have a dimension smaller than n, dim(L(B i )) = n − 1 . Thisdecrease will obviously stop at a dimension of 1 with a lattice of a basis onlycomposed by ( m 0 1 ) .4.4 A Second Broadcast Attack on Knapsack CryptosystemsInspired by the previous remark (Remark 8), we notice that if we have n equationsma T i = s i , we can concatenate these equations to obtain mA = s withA ∈ Z n,n and s ∈ Z n . Moreover, these equations can be solved with high probability.Algorithm 4: Broadcast Attack on Knapsack Challenges without LatticeReductionInput : (a i , s i ) n knapsack challenges.Output: m ∈ [0, 1] n .beginCompute A = ( )a T 1 . . . a T n .Compute s = ( )s 1 . . . s n .Compute m = sA −1 .endThe main advantage of our second attack is to avoid the use of any latticereduction. The impact of this gain will enable us to use the attack in a hugedimension where the use of LLL will be computationally expensive. However,its drawback is the number of challenge required. The first attack will requirepractically less challenges to reveal the plaintext.4 under the probability that ∀1 ≤ i 1, i 2 ≤ k, 1 ≤ j ≤ n, a i1 [j] ≠ a i2 [j].
Broadcast Attacks against Lattice-based Cryptosystems 13This method is also heuristic as A can be singular 5 and A −1 does not exist.However, probability of such a situation is extremely low and will be less probablewith more knapsack challenges.5 Practical ResultIn this section, we present result of the previously presented techniques to attackdifferent lattice-based cryptosystems. To perform these attacks, we use theembedding method with a lattice reduction done with LLL 6 . Cryptosystems andattacks were implemented under the MAGMA library [59]. Tests were made 20times, for each 10 dimensions between 10 and 300. For each test, a randommessage is encrypted with a different random public basis repetitively until theattack is successful. Cryptosystems are implemented as close as possible to theinitial paper. The list of different cryptosystems analyzed is as follows:1. The initial GGH cryptosystem (Type A) attacked with Algorithm 1.2. The second GGH cryptosystem (Type B) attacked with Algorithm 2.3. A knapsack problem of density 1.0. This problem does not correspond toa real cryptosystem but to any knapsack cryptosystem which use such aproblem. This attack is more general that the previous ones.4. A knapsack problem of density 2.0. This problem is an extreme case. As wedo not know if some trapdoor functions can be created for such a problem,for instance due to the reason of unicity. However, it gives us a securitybound as problems with lower density will be easier to attack.5. A random lattice CVP problem. This problem is the one which gives us areference. For this one, we have created random lattice and a vector withdist ∼ λ12to assure that at least the existence of a decryption algorithm. Tocreate a random lattice, we use the same technique proposed in [48,50] usingthe results on random lattice from [47]. This problem corresponds to thegeneral situation to a lattice-based cryptosystem which have the possibilityto decrypt even if some trapdoors may not exist. This problem correspondsto a security upper bound for CVP based cryptosystems.The purpose of those tests is not to give some security parameter bounds (as morepowerfull SV P solver can be used than LLL, BKZ for example) but to show howevolves the difficulty of those problems with more and more challenges. Figure 1summarizes our results.6 Conclusion and CountermeasuresIn this paper, we proposed an efficient way to simplify lattice problems whichhave the same solution. This technique leads to some heuristic and efficient attackson the existing lattice or knapsack cryptosystems. However, some latticebasedcryptosystems naturally resist to those attacks. Ajtai-Dwork cryptosystem[19] and its different improvements, such as [21,22,23] or [24,25,26], are not5 det(A) = 06 with δ = 0.9999 for LLL utilization parameter.
Page 1 and 2: Broadcast Attacks against Lattice-b
Page 4 and 5: 4 Thomas Plantard and Willy Susilop
Page 6 and 7: 6 Thomas Plantard and Willy SusiloD
Page 8 and 9: 8 Thomas Plantard and Willy SusiloD
Page 10 and 11: 10 Thomas Plantard and Willy Susilo

Broadcast Attacks against Lattice-based Cryptosystems*

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?