
Practical Cryptanalysis of a Public-key Encryption Scheme Based on Non-linear Indeterminate Equations at SAC 2017

Keita Xagawa (草川 恵太)

NTT Secure Platform Laboratories

2018/04/09

© 2018 NTT corp. All Rights Reserved 1/24

Agenda

Post-Quantum Cryptography

IEC/Giophantus as Lattice-based PKE

Attack against IEC with n = 80

Attack against IEC with prime n

Summary

NIST PQC Round 1 Candidates

We have 69 candidates on 21 Dec. 2017: Code, Lattice, MQ, Isogeny, SymKey, Others.

PKE/KEM (49): BIG QUAKE, BIKE, CFPKM, Classic McEliece, Compact LWE, CRYSTALS-Kyber, DAGS, Ding Key Exchange, DME, Edon-K, EMBLEM and R.EMBLEM, FrodoKEM, Giophantus, GuessAgain, Hila5, HK17, HQC, KCL, KINDI, LAC, LAKE, LEDAkem, LEDApkc, Lepton, Lima, Lizard, LOCKER, LOTUS, McNie, Mersenne-756839, NewHope, NTRUEncrypt, NTRU-HRSS-KEM, NTRU Prime, NTS-KEM, Odd Manhattan, Ouroboros-R, Post-Quantum RSA-Encryption, QC-MDPC KEM, Ramstake, RLCE-KEM, Round2, RQC, RVB, SABER, SIKE, SRTPI, Three Bears, Titanium

Sig. (22): CRYSTALS-Dilithium, DME, DRS, DualModeMS, Falcon, GeMSS, Gravity-SPHINCS, Gui, HiMQ-3, LUOV, MQDSS, pqNTRUsign, Picnic, Post-Quantum RSA-Signature, pqsigRM, qTESLA, RaCoSS, Rainbow, RankSign, SPHINCS+, SRTPI, WalnutDSA

Summary

IEC/Giophantus proposes CPA/CCA-secure PKE based on IE-LWE (= a special Module-LWE).

                          n        deg X
IEC in Aug. 2017          80       1 or 2
IEC in Sep. 2017          83       1 or 2
Giophantus in Dec. 2017   ≥ 1201   1

Akiyama et al. changed parameter values by reflecting our attacks.

- IEC in Aug. 2017
  - Key Recovery in ≈ 30 s (deg X = 1)
  - Distinguishing in ≈ 0.5 s (deg X = 1)
  - Distinguishing in ≈ 30 s (deg X = 2)
- IEC in Sep. 2017
  - Plaintext Recovery in ≈ 17 h (deg X = 2)
  - Distinguishing in ≈ 4 days for large n ≤ 110 (deg X = 2)



LWE [Reg09]

- Learning with Errors (LWE) problem: distinguishing
  - $(A, \vec r A + \vec e)$ with $A \leftarrow \mathbb{Z}_q^{n \times m}$, $\vec r \leftarrow \mathbb{Z}_q^{n}$, $\vec e \leftarrow \chi^{m}$
  - from $(A, \vec b)$ with $A \leftarrow \mathbb{Z}_q^{n \times m}$, $\vec b \leftarrow \mathbb{Z}_q^{m}$

(Figure: $A \in \mathbb{Z}_q^{n \times m}$; the second component is either Real, $\vec r A + \vec e$, or Random, $\vec b$.)

Example of $\chi$: discrete Gaussian

GPV-like PKE [GPV08]

- ek $= A$, dk $= \vec u$ with $A \cdot \vec u = 0$, $\|\vec u\| \le B$, and $u_0 = 1$
- ct $= \vec b = \vec r A + p\vec e + (M, 0, \dots, 0)$ with $\|\vec e\| \le B$

(Figure: $A \in \mathbb{Z}_q^{n \times m}$; Enc picks $\vec r, \vec e$ and outputs $\vec b$ with $M$ added to the first coordinate.)

Decryption:
$$\vec b \cdot \vec u^{\top} = M + (\vec r A + p\vec e) \cdot \vec u^{\top} = M + p\vec e \cdot \vec u^{\top} \quad (\text{in } \mathbb{Z} \text{ if } p(1 + B^2) < q/2)$$

Thus, $M := (\vec b \cdot \vec u^{\top} \ \mathrm{mod}^{*}\ q) \bmod p$.


Module-LWE-based GPV-like PKE

$A \in \mathbb{Z}_q^{hn \times wn}$ is made from $a_{1,1}, \dots, a_{h,w} \in \mathbb{Z}_q[t]/(t^n + 1)$.

- ek $= A$, dk $= \vec u$ with $A \cdot \vec u = 0$, $\|\vec u\| \le B$, and $u_0 = 1$
- ct $= \vec b = \vec r A + p\vec e + (M, 0, \dots, 0)$ with $\|\vec e\| \le B$

(Figure: Enc picks $\vec r, \vec e$ and outputs $\vec b$ with $M$ added to the first coordinate.)

Decryption:
$$\vec b \cdot \vec u^{\top} = M + (\vec r A + p\vec e) \cdot \vec u^{\top} = M + p\vec e \cdot \vec u^{\top} \quad (\text{in } \mathbb{Z})$$

Thus, $M := (\vec b \cdot \vec u^{\top} \ \mathrm{mod}^{*}\ q) \bmod p$.

IEC/Giophantus

$A \in \mathbb{Z}_q^{hn \times wn}$ is made from a few $a_{1,1}, \dots, a_{h,w} \in \mathbb{Z}_q[t]/(t^n + 1)$.

- ek $= A$, dk $= \vec u$ with $A \cdot \vec u = 0$, $u_i \in [0, p)$, and $u_0 = 1$
- ct $= \vec b = \vec r A + p\vec e + (M, 0, \dots, 0)$ with $e_i \in [0, p)$

(Figure: Enc picks $\vec r, \vec e$ and outputs $\vec b$ with $M$ added to the first coordinate.)

Decryption:
$$\vec b \cdot \vec u^{\top} = M + (\vec r A + p\vec e) \cdot \vec u^{\top} = M + p\vec e \cdot \vec u^{\top} \quad (\text{in } \mathbb{Z})$$

Thus, $M := (\vec b \cdot \vec u^{\top} \bmod q) \bmod p$.

IEC (deg X = 1)

- Key Generation
  - dk: "short" $u_x, u_y \in \mathbb{Z}_q[t]/(t^n - 1)$
  - ek: $X(x, y) = a_{10}x + a_{01}y + a_{00}$
  - $a_{10}, a_{01} \leftarrow \mathbb{Z}_q[t]/(t^n - 1)$ and set $a_{00} = -(a_{10}u_x + a_{01}u_y)$
- Encryption: a plaintext is "short" $M \in \mathbb{Z}_q[t]/(t^n - 1)$
  - Choose random $r(x, y) = r_{10}x + r_{01}y + r_{00}$
  - Choose "short" $e(x, y) = e_{20}x^2 + \cdots + e_{00}$
  - A ciphertext is $c(x, y) = M + p \cdot e(x, y) + r(x, y) \cdot X(x, y)$

The matrix $A$ and the secret vector $\vec u$: rows of $A$ are indexed by the monomials $1, x, y$ of $r$; columns of $A$ and entries of $\vec u$ by the monomials $1, x, y, x^2, xy, y^2$ of $c$; each $A_{ij}$ is the $n \times n$ block of multiplication by $a_{ij}$ in $\mathbb{Z}_q[t]/(t^n - 1)$, and the remaining blocks are zero:
$$A = \begin{pmatrix} A_{00} & A_{10} & A_{01} & 0 & 0 & 0 \\ 0 & A_{00} & 0 & A_{10} & A_{01} & 0 \\ 0 & 0 & A_{00} & 0 & A_{10} & A_{01} \end{pmatrix}, \qquad \vec u = \begin{pmatrix} 1 & u_x & u_y & u_x^2 & u_x u_y & u_y^2 \end{pmatrix}$$


PT-Recovery Attack against IEC (deg X = 1)

- ek: $X(x, y) = a_{10}x + a_{01}y + a_{00}$
- ct: $c(x, y) = M + p \cdot e(x, y) + r(x, y) \cdot X(x, y)$

With rows indexed by $1, x, y$, columns by $1, x, y, x^2, xy, y^2$, and $n = 80$:
$$A = \begin{pmatrix} A_{00} & A_{10} & A_{01} & 0 & 0 & 0 \\ 0 & A_{00} & 0 & A_{10} & A_{01} & 0 \\ 0 & 0 & A_{00} & 0 & A_{10} & A_{01} \end{pmatrix} \in \mathbb{Z}_q^{240 \times 480}$$

- Solve a 480-dim. CVP instance $(\Lambda_q(A), \vec b)$, where
  $$\Lambda_q(A) = \{\vec y \in \mathbb{Z}^{480} \mid \exists \vec r \in \mathbb{Z}^{240} : \vec r \cdot A \equiv \vec y \pmod q\}, \qquad \vec b = \vec r \cdot A + (p\vec e + (M, 0, \dots, 0)) \bmod q$$
  → Success if the difference is $p\vec e + (M, 0, \dots, 0)$.
  → But, (experimentally) hard for LLL/BKZ to find the difference.


Gentry's "Origami" Attack [Gen01]

The core of his attack: if $d \mid n$,
$$\theta : \mathbb{Z}[t]/(t^n - 1) \to \mathbb{Z}[t]/(t^d - 1), \qquad f = \sum_i f_i t^i \;\mapsto\; \sum_{i=0}^{d-1} \Big( \sum_{j=0}^{n/d-1} f_{jd+i} \Big) t^i$$
is a ring homomorphism.

The dimension drops from $n$ to $d$, and the norm grows from $a$ to at most $(n/d)\,a$.

(Figure: the coefficients $f_0, f_d, f_{2d}, f_{3d}, \dots$ of $f$ are folded onto, and summed into, the same coefficient of $\theta(f)$.)


"Origami" Dist. Attack on IEC (deg X = 1)

- ek: $X(x, y) = a_{10}x + a_{01}y + a_{00}$
- ct: $c(x, y) = M + p \cdot e(x, y) + r(x, y) \cdot X(x, y)$
- Let $d = 10$ and apply $\theta : \mathbb{Z}[t]/(t^{80} - 1) \to \mathbb{Z}[t]/(t^{10} - 1)$ coefficient-wise. With the same layout as $A$ and $A'_{ij}$ the $10 \times 10$ block of $\theta(a_{ij})$:
$$A' = \begin{pmatrix} A'_{00} & A'_{10} & A'_{01} & 0 & 0 & 0 \\ 0 & A'_{00} & 0 & A'_{10} & A'_{01} & 0 \\ 0 & 0 & A'_{00} & 0 & A'_{10} & A'_{01} \end{pmatrix} \in \mathbb{Z}_q^{30 \times 60}$$
- Solve a 60-dim. CVP instance $(\Lambda_q(A'), \vec b')$, where
  $$\Lambda_q(A') = \{\vec y \in \mathbb{Z}^{60} \mid \exists \vec r \in \mathbb{Z}^{30} : \vec r \cdot A' \equiv \vec y \pmod q\}, \qquad \vec b' = \vec r' \cdot A' + (p\vec e' + (M', 0, \dots, 0)) \bmod q$$
  → We can find the difference $= p\theta(\vec e) + (\theta(M), 0, \dots, 0)$.
  → This leaks $\theta(M) \bmod p$!
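The following Python is an added example, not code from the talk or from the IEC/Giophantus authors. It implements the folding map $\theta$ from the "origami" slide over $\mathbb{Z}_q[t]/(t^n - 1)$ and checks two things the slides state but do not show in code: that $\theta$ is a ring homomorphism with norm growth at most $n/d$, and that a toy deg-X = 1 IEC ciphertext, folded coefficient-wise, is a valid ciphertext of the $d$-dimensional scheme under the folded secret $(\theta(u_x), \theta(u_y))$, decrypting to $\theta(M) \bmod p$. That consistency is why the folded 60-dimensional CVP instance above still carries $\theta(M) \bmod p$. The parameters $n = 20$, $d = 5$, $p = 3$, $q = 2^{31} - 1$ are constructed toy values, not IEC's; the CVP/LLL step of the attack is not implemented here.

```python
"""Gentry's folding map theta and a toy IEC (deg X = 1) instance folded with it.
Constructed example with toy parameters (not IEC/Giophantus parameters or code).
Elements of Z_q[t]/(t^n - 1) are lists of n ints; bivariate polynomials over that
ring are dicts {(i, j): ring element} holding the coefficient of x^i y^j."""
import random

def r_add(f, g, q):
    return [(a + b) % q for a, b in zip(f, g)]

def r_mul(f, g, q):
    # multiplication modulo t^n - 1 is cyclic convolution of the coefficient lists
    n = len(f)
    h = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[(i + j) % n] = (h[(i + j) % n] + fi * gj) % q
    return h

def fold(f, d, q):
    # theta: coefficient i of the image is sum_j f_{jd+i} (t^n = 1 collapses to t^d = 1)
    n = len(f)
    assert n % d == 0, "theta needs d | n"
    return [sum(f[j * d + i] for j in range(n // d)) % q for i in range(d)]

def bp_add(P, Q, q):
    out = dict(P)
    for m, c in Q.items():
        out[m] = r_add(out[m], c, q) if m in out else c
    return out

def bp_mul(P, Q, q):
    out = {}
    for (i1, j1), c1 in P.items():
        for (i2, j2), c2 in Q.items():
            prod = r_mul(c1, c2, q)
            m = (i1 + i2, j1 + j2)
            out[m] = r_add(out.get(m, [0] * len(prod)), prod, q)
    return out

def bp_eval(P, ux, uy, q):
    # P(ux, uy) computed in the ring
    acc = [0] * len(ux)
    for (i, j), c in P.items():
        term = c
        for _ in range(i):
            term = r_mul(term, ux, q)
        for _ in range(j):
            term = r_mul(term, uy, q)
        acc = r_add(acc, term, q)
    return acc

def bp_fold(P, d, q):
    return {m: fold(c, d, q) for m, c in P.items()}

def keygen(n, q, p, rng):
    # short secret (ux, uy); random a10, a01; a00 chosen so that X(ux, uy) = 0
    ux = [rng.randrange(p) for _ in range(n)]
    uy = [rng.randrange(p) for _ in range(n)]
    a10 = [rng.randrange(q) for _ in range(n)]
    a01 = [rng.randrange(q) for _ in range(n)]
    a00 = [(-v) % q for v in r_add(r_mul(a10, ux, q), r_mul(a01, uy, q), q)]
    return {(1, 0): a10, (0, 1): a01, (0, 0): a00}, (ux, uy)

def encrypt(X, M, n, q, p, rng):
    # c = M + p * e + r * X with random degree-1 r and short degree-2 e
    r = {m: [rng.randrange(q) for _ in range(n)] for m in [(1, 0), (0, 1), (0, 0)]}
    e = {m: [rng.randrange(p) for _ in range(n)]
         for m in [(2, 0), (1, 1), (0, 2), (1, 0), (0, 1), (0, 0)]}
    pe = {m: [(p * v) % q for v in c] for m, c in e.items()}
    return bp_add(bp_add({(0, 0): M}, pe, q), bp_mul(r, X, q), q)

def decrypt(c, sk, q, p):
    # c(ux, uy) = M + p * e(ux, uy) holds over Z because q is large; reduce mod p
    return [v % p for v in bp_eval(c, sk[0], sk[1], q)]

def theta_is_homomorphism(n=20, d=5, q=2**31 - 1, p=3, trials=20, seed=0):
    # theta(f+g) = theta(f)+theta(g), theta(fg) = theta(f)theta(g), and on short f
    # the norm bound max theta(f) <= (n/d) * max f from the slide
    rng = random.Random(seed)
    for _ in range(trials):
        f = [rng.randrange(q) for _ in range(n)]
        g = [rng.randrange(q) for _ in range(n)]
        if fold(r_add(f, g, q), d, q) != r_add(fold(f, d, q), fold(g, d, q), q):
            return False
        if fold(r_mul(f, g, q), d, q) != r_mul(fold(f, d, q), fold(g, d, q), q):
            return False
        s = [rng.randrange(p) for _ in range(n)]
        if max(fold(s, d, q)) > (n // d) * max(s):
            return False
    return True

def folded_instance_is_consistent(n=20, d=5, q=2**31 - 1, p=3, seed=1):
    # a genuine ciphertext folded coefficient-wise is a ciphertext of the d-dimensional
    # scheme under the folded secret, and it decrypts to theta(M) mod p
    rng = random.Random(seed)
    X, sk = keygen(n, q, p, rng)
    M = [rng.randrange(p) for _ in range(n)]
    c = encrypt(X, M, n, q, p, rng)
    if decrypt(c, sk, q, p) != M:
        return False
    Xd, cd = bp_fold(X, d, q), bp_fold(c, d, q)
    skd = (fold(sk[0], d, q), fold(sk[1], d, q))
    if bp_eval(Xd, skd[0], skd[1], q) != [0] * d:   # the key relation survives theta
        return False
    return decrypt(cd, skd, q, p) == [v % p for v in fold(M, d, q)]
```

The homomorphism check runs over random ring elements, and the norm check over short ones, because the attack needs both: the fold must preserve the algebra of the instance and keep $p\theta(\vec e)$ short relative to $q$. The point for a parameter designer is the converse: if $n$ has no useful divisor $d$, no such fold exists, which is exactly what the later slides on prime $n$ address.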


Demo.


PT-Recovery Attack on IEC (deg X = 1)

- The "origami" attack seems not to work if $n$ is prime. (Note: Castryck and Vercauteren showed a distinguishing attack when $d = 1$ and $q = 2^{31} - 1$ for Giophantus.)
- Is there another good subring?
- Fixing $y = 0$ yields a subring $R[x]$! Let us consider
  $$\pi : R_{n,q}[x, y] \to R_{n,q}[x], \qquad f(x, y) \mapsto f(x, 0)$$
- The problem is finding $M$ from
  $$X(x, 0) = a_{10}x + a_{00}, \qquad c(x, 0) = M + p \cdot e(x, 0) + r(x, 0) \cdot X(x, 0)$$


Subring Attack on IEC (deg X = 1)

- Apply $\pi : R_{n,q}[x, y] \to R_{n,q}[x]$
- ek': $X(x, 0) = a_{10}x + a_{00}$
- ct': $c(x, 0) = M + p \cdot e(x, 0) + r(x, 0) \cdot X(x, 0)$

$\pi$ keeps only the rows ($1, x$) and columns ($1, x, x^2$) of $A$ whose monomials are free of $y$:
$$A = \begin{pmatrix} A_{00} & A_{10} & A_{01} & 0 & 0 & 0 \\ 0 & A_{00} & 0 & A_{10} & A_{01} & 0 \\ 0 & 0 & A_{00} & 0 & A_{10} & A_{01} \end{pmatrix} \in \mathbb{Z}_q^{240 \times 480} \quad\to\quad A' = \begin{pmatrix} A_{00} & A_{10} & 0 \\ 0 & A_{00} & A_{10} \end{pmatrix} \in \mathbb{Z}_q^{160 \times 240}.$$


Subring Attack on IEC (deg X = 1)

- With $A' = \begin{pmatrix} A_{00} & A_{10} & 0 \\ 0 & A_{00} & A_{10} \end{pmatrix} \in \mathbb{Z}_q^{160 \times 240}$, solve a 240-dim. CVP instance $(\Lambda_q(A'), \vec b')$, where
  $$\Lambda_q(A') = \{\vec y \in \mathbb{Z}^{240} \mid \exists \vec r \in \mathbb{Z}^{160} : \vec r \cdot A' \equiv \vec y \pmod q\}, \qquad \vec b' = \vec r' \cdot A' + (p\vec e' + (M', 0, \dots, 0)) \bmod q$$
  → Success if the difference $= p\pi(\vec e) + (M, 0, \dots, 0)$.
  → Unfortunately, (experimentally) hard for LLL/BKZ to find the difference if deg X = 1.

Subring Attack on IEC (deg X = 2)

- Apply $\pi : R_{n,q}[x, y] \to R_{n,q}[x]$
- ek: $X(x, 0) = a_{20}x^2 + a_{10}x + a_{00}$
- ct: $c(x, 0) = M + p \cdot e(x, 0) + r(x, 0) \cdot X(x, 0)$

With rows indexed by $1, x, x^2$ and columns by $1, x, x^2, x^3, x^4$:
$$A' = \begin{pmatrix} A_{00} & A_{10} & A_{20} & 0 & 0 \\ 0 & A_{00} & A_{10} & A_{20} & 0 \\ 0 & 0 & A_{00} & A_{10} & A_{20} \end{pmatrix} \in \mathbb{Z}_q^{240 \times 400}.$$

- Solve a 400-dim. CVP instance $(\Lambda_q(A'), \vec b')$, where
  $$\Lambda_q(A') = \{\vec y \in \mathbb{Z}^{400} \mid \exists \vec r \in \mathbb{Z}^{240} : \vec r \cdot A' \equiv \vec y \pmod q\}, \qquad \vec b' = \vec r' \cdot A' + (p\vec e' + (M', 0, \dots, 0)) \bmod q$$


Subring Attack on IEC (deg X = 2)

- Solving the 400-dim. CVP instance $(\Lambda_q(A'), \vec b')$:
  → We can find the difference $= p\pi(\vec e) + (M, 0, \dots, 0)$ in 17 hours!
  → This works because $q$ is too big (it was chosen so that IEC is perfectly correct).
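The following Python is an added example, not code from the talk or from the IEC/Giophantus authors. It builds, from a toy public polynomial $X$, the block matrix $A$ whose rows are the monomials of $r$ and whose columns are the monomials of $c$ (the matrix drawn on the PT-recovery and subring slides, for any degree of $X$ and one or two variables), checks the GPV-style facts from the earlier slides ($A \cdot \vec u = 0$ under the ring pairing, and $\vec b \cdot \vec u^{\top} \bmod p = M$), and then applies $\pi$ by dropping every row and column whose monomial contains $y$. It verifies that $\pi(A)$ is exactly the lattice matrix of $X(x, 0)$ and that the CVP target $\vec b' - \vec r' A'$ is still the short vector $p\pi(\vec e) + (M, 0, \dots, 0)$, and it reproduces the shapes on the slides: $240 \times 480 \to 160 \times 240$ for deg X = 1 and $240 \times 400$ for deg X = 2 with $n = 80$. Parameters $n = 20$, $p = 3$, $q = 2^{31} - 1$ in the algebra check are constructed toy values; the CVP/LLL solve is not implemented.

```python
"""Lattice view of a toy IEC instance: the block matrix A, decryption b.u^T, the CVP
target b - r*A, and the subring projection pi (drop every monomial containing y).
Constructed example with toy parameters, not IEC/Giophantus reference code.  A ring
element of Z_q[t]/(t^n - 1) is a list of n ints; the block of A for a coefficient a
is its circulant matrix, so that (row vector) * block = ring product."""
import random
from itertools import product

def circ(a, q):
    # row i of circ(a) is t^i * a(t); hence v @ circ(a) is the ring product v(t) * a(t)
    n = len(a)
    return [[a[(k - i) % n] % q for k in range(n)] for i in range(n)]

def vec_mat(v, m, q):
    return [sum(vi * row[k] for vi, row in zip(v, m)) % q for k in range(len(m[0]))]

def monomials(deg, nvars):
    # exponent tuples of total degree <= deg, in a fixed order
    return [e for e in product(range(deg + 1), repeat=nvars) if sum(e) <= deg]

def mono_at(e, u, n, q):
    # the monomial x^i y^j evaluated at the secret ring elements u = (u_x, u_y)
    term = [1] + [0] * (n - 1)
    for var, exp in zip(u, e):
        for _ in range(exp):
            term = vec_mat(term, circ(var, q), q)
    return term

def build_A(X, k, nvars, n, q):
    # rows: monomials of degree <= k (those of r); columns: degree <= 2k (those of c);
    # block (m, m * x^i y^j) holds circ(a_ij); every other block is zero
    rows, cols = monomials(k, nvars), monomials(2 * k, nvars)
    col_index = {m: idx for idx, m in enumerate(cols)}
    zero, out = [[0] * n for _ in range(n)], []
    for m in rows:
        blocks = [zero] * len(cols)
        for e, a in X.items():
            blocks[col_index[tuple(mi + ei for mi, ei in zip(m, e))]] = circ(a, q)
        out += [sum((blk[i] for blk in blocks), []) for i in range(n)]
    return out

def keygen(k, nvars, n, q, p, rng):
    # short secret u; random a_ij for each non-constant monomial; a_00 makes X(u) = 0
    u = [[rng.randrange(p) for _ in range(n)] for _ in range(nvars)]
    X = {e: [rng.randrange(q) for _ in range(n)] for e in monomials(k, nvars) if sum(e)}
    a00 = [0] * n
    for e, a in X.items():
        t = vec_mat(a, circ(mono_at(e, u, n, q), q), q)
        a00 = [(x - y) % q for x, y in zip(a00, t)]
    X[(0,) * nvars] = a00
    return X, u

def encrypt(X, M, k, nvars, n, q, p, rng):
    # b = r*A + p*e + (M, 0, ..., 0) mod q: the lattice form of c = M + p*e + r*X
    A = build_A(X, k, nvars, n, q)
    r = [rng.randrange(q) for _ in range(len(A))]
    short = [p * rng.randrange(p) for _ in range(len(A[0]))]
    short[:n] = [x + m for x, m in zip(short[:n], M)]
    b = [(x + y) % q for x, y in zip(vec_mat(r, A, q), short)]
    return b, r, short, A

def pair(v, u, k, nvars, n, q):
    # the slides' v . u^T: sum over column monomials m' of v_{m'}(t) * m'(u)(t)
    acc = [0] * n
    for ci, e in enumerate(monomials(2 * k, nvars)):
        t = vec_mat(v[ci * n:(ci + 1) * n], circ(mono_at(e, u, n, q), q), q)
        acc = [(x + y) % q for x, y in zip(acc, t)]
    return acc

def y_free(deg):
    return [i for i, e in enumerate(monomials(deg, 2)) if e[1] == 0]

def project_vec(v, deg, n):
    # pi on a vector indexed by bivariate monomials of degree <= deg
    return [v[ci * n + j] for ci in y_free(deg) for j in range(n)]

def project_A(A, k, n):
    # pi on A: keep the y-free rows (1, x, ...) and y-free columns (1, x, x^2, ...)
    return [[A[ri * n + i][ci * n + j] for ci in y_free(2 * k) for j in range(n)]
            for ri in y_free(k) for i in range(n)]

def toy_instance(n=20, q=2**31 - 1, p=3, seed=7):
    rng = random.Random(seed)
    X, u = keygen(1, 2, n, q, p, rng)
    M = [rng.randrange(p) for _ in range(n)]
    b, r, short, A = encrypt(X, M, 1, 2, n, q, p, rng)
    A2, b2, r2 = project_A(A, 1, n), project_vec(b, 2, n), project_vec(r, 1, n)
    X_y0 = {(e[0],): a for e, a in X.items() if e[1] == 0}          # X(x, 0)
    target = [(x - y) % q for x, y in zip(b2, vec_mat(r2, A2, q))]  # b' - r'*A'
    return {
        "dims": (len(A), len(A[0])), "dims_pi": (len(A2), len(A2[0])),
        "A_u_zero": all(pair(row, u, 1, 2, n, q) == [0] * n for row in A),
        "decrypts": [x % p for x in pair(b, u, 1, 2, n, q)] == M,
        "same_lattice": A2 == build_A(X_y0, 1, 1, n, q),  # pi(A) is the lattice of X(x, 0)
        "target_is_short": target == project_vec(short, 2, n) and max(target) <= p * p,
    }

def page_dimensions(n=80, q=2**31 - 1, seed=1):
    # the shapes on the slides: A for deg X = 1 in (x, y), pi(A), and A' for deg X = 2 in x
    rng = random.Random(seed)
    rand = lambda: [rng.randrange(q) for _ in range(n)]
    A = build_A({e: rand() for e in monomials(1, 2)}, 1, 2, n, q)
    A2 = project_A(A, 1, n)
    A3 = build_A({e: rand() for e in monomials(2, 1)}, 2, 1, n, q)
    return (len(A), len(A[0])), (len(A2), len(A2[0])), (len(A3), len(A3[0]))
```

The "target_is_short" check is the quantity the slides reason about: after projection the CVP target keeps entries bounded by $p^2$ while $q$ stays at $2^{31} - 1$, so shrinking the dimension from 480 to 240 (or 400 for deg X = 2) makes the same short vector easier for lattice reduction to find, which is the gap the final subring slide attributes to a $q$ chosen large for perfect correctness.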


Summary

IEC/Giophantus proposes CPA/CCA-secure PKE based on IE-LWE (= a special Module-LWE).

                          n        deg X
IEC in Aug. 2017          80       1 or 2
IEC in Sep. 2017          83       1 or 2
Giophantus in Dec. 2017   ≥ 1201   1

They changed parameter values by reflecting our attacks.

- The origami attacks on IEC in Aug. 2017
  - Key Recovery in ≈ 30 s (deg X = 1)
  - Distinguishing in ≈ 0.5 s (deg X = 1)
  - Distinguishing in ≈ 30 s (deg X = 2)
- The subring attacks on IEC in Sep. 2017
  - Plaintext Recovery in ≈ 17 h (deg X = 2)
  - Distinguishing for large n ≥ 100