Tran Dinh Long et al. TẠP CHÍ KHOA HỌC ĐHSP TPHCM (Journal of Science, Ho Chi Minh City University of Education), Số 2(67) năm 2015 (No. 2(67), 2015)

ON THE HEURISTIC GUESS OF 2-DIMENSION LATTICE ATTACK ON LOW PRIVATE EXPONENT RSA

TRAN DINH LONG*, NGUYEN DINH THUC**, TRAN DAN THU**

* MSc, Faculty of Mathematics, College of Science, Hue University; Email: trandinhlong1963@yahoo.com.vn
** Assoc. Prof., PhD, Faculty of Information Technology, Ho Chi Minh City University of Science

ABSTRACT
In the two-dimension lattice attack on the low private exponent RSA cryptosystem, a reasonable but unproved guess says that the private exponent $d$ can be recovered by finding a shortest vector of a 2-dimension lattice with the Gaussian reduction algorithm. This paper examines when the attack is deterministic: it gives a precise interval for the private exponent $d$ on which the heuristic guess of the 2-dimension lattice attack on RSA holds, and proves the guess on that interval.
Keywords: lattice, lattice reduction algorithm, RSA cryptosystem.

TÓM TẮT (Vietnamese abstract, translated)
On the guess behind the two-dimension lattice attack on RSA with a small private key
In the two-dimension lattice attack on the RSA cryptosystem with a small private key, a reasonable but unproved guess says that the private key $d$ of the RSA cryptosystem can be found by computing a shortest vector of a two-dimension lattice with Gauss's algorithm. The paper studies when this attack is deterministic by giving a precise interval for the private key $d$ on which the two-dimension lattice attack on RSA succeeds, and gives a rigorous proof of this.
Keywords: lattice, lattice basis reduction algorithm, RSA cryptosystem.

1. Introduction
Besides constructing new variants of RSA, the cryptanalysis of the RSA cryptosystem has attracted many authors. Some early attacks on RSA were considered by G. J. Simmons [7] and J. M. DeLaurentis [4]. A remarkable result was obtained by M. Wiener in 1990: by considering the continued fraction expansion of $e/N$, Wiener showed in [8] that one can recover $d$ when $d < \frac{1}{3} N^{1/4}$, where $e$, $d$ and $N$ are the public key, the private key and the modulus of the cryptosystem, respectively. Lattice reduction based attacks on RSA were first presented by Coppersmith at Eurocrypt '96 [3]. Lattice reduction algorithms such as the Gaussian or LLL algorithms can be applied to recover the private exponent $d$ of a low private exponent RSA cryptosystem. D. Boneh and G. Durfee [2] considered the case $d < N^{0.292}$; by solving the small inverse problem with the LLL algorithm one can then recover $d$. Modifying the attack of Boneh and Durfee, Blomer and May [1] improved the exponent 0.292 to $\frac{\sqrt{6} - 1}{2} - \varepsilon$, where $\varepsilon$ is a term that can be made arbitrarily small by taking the modulus $N$ sufficiently large. Higher-dimension lattice attacks are based on the LLL algorithm, while two-dimension lattice attacks are based on the Gaussian algorithm. Lattices are now an effective tool in the cryptanalysis of RSA.

We wish to investigate the heuristic attack on low private exponent RSA using a two-dimension lattice. This attack is in fact derived from Wiener's attack (see [5]) and is based on the Gaussian algorithm. Section 2 is devoted to some basic properties of lattices. The heuristic attack is recalled in Section 3, and Section 4 contains our work, which examines when the attack is deterministic. The last section comments on our approach to the problem.

2. Lattices
2.1 Background
A lattice of $\mathbb{R}^n$ is a discrete subgroup of $(\mathbb{R}^n, +)$, that is, a subgroup of $(\mathbb{R}^n, +)$ with the discreteness property. Like a vector space, a lattice has a basis, and each element of the lattice can be represented as an integral linear combination of the basis vectors. If $\{b_1, b_2, \ldots, b_n\}$ is a basis of the lattice $L \subset \mathbb{R}^n$, then
$$L = \Big\{ \sum_{i=1}^{n} a_i b_i : a_1, a_2, \ldots, a_n \in \mathbb{Z} \Big\}.$$
The fundamental domain of $L$ corresponding to the basis $\{b_1, b_2, \ldots, b_n\}$ is the set
$$\mathcal{F}(b_1, b_2, \ldots, b_n) = \{ t_1 b_1 + t_2 b_2 + \cdots + t_n b_n : t_i \in \mathbb{R},\ 0 \le t_i < 1 \}.$$
The $n$-dimensional volume of $\mathcal{F}(b_1, b_2, \ldots, b_n)$ is called the determinant of $L$ and is denoted by $\mathrm{vol}(L)$. Hadamard's inequality states that
$$\mathrm{vol}(L) \le \|b_1\| \, \|b_2\| \cdots \|b_n\|,$$
where $\|x\|$ is the Euclidean norm of a vector $x \in \mathbb{R}^n$. Some problems on lattices, such as the shortest vector problem and the closest vector problem, can be easily solved
when an orthogonal basis of the lattice is known. Unfortunately, a lattice need not have an orthogonal basis. Finding a "nearly orthogonal" basis, or an "optimal" basis, is therefore a problem studied by many authors. Two famous algorithms for finding such a basis are the Gaussian and LLL algorithms; we call them lattice reduction algorithms.

2.2 Gaussian algorithm
We recall the Gaussian algorithm in this section. For a vector $x \in \mathbb{R}^2$ we write $\|x\|$ for the Euclidean norm of $x$, and $\langle x_1, x_2 \rangle$ for the inner product of two vectors $x_1, x_2 \in \mathbb{R}^2$. Let $b_1, b_2$ be two independent vectors in $\mathbb{R}^2$ and let $L \subset \mathbb{R}^2$ be the lattice spanned by $b_1, b_2$. The Gaussian algorithm is applied to the basis $b_1, b_2$ and yields a good basis $\bar{b}_1, \bar{b}_2$ of $L$.

Input: a basis $\{b_1, b_2\}$ of a lattice $L \subset \mathbb{R}^2$
loop
    if $\|b_2\| < \|b_1\|$ then swap $b_1$ and $b_2$ end if
    compute $\mu = \langle b_1, b_2 \rangle / \|b_1\|^2$
    $b_2 = b_2 - \lfloor \mu + 0.5 \rfloor \, b_1$
until $\|b_1\| \le \|b_2\|$
$\bar{b}_1 = b_1$, $\bar{b}_2 = b_2$
Output: a reduced basis $\{\bar{b}_1, \bar{b}_2\}$ of $L$

The stopping test must be $\|b_1\| \le \|b_2\|$ rather than the strict $\|b_1\| < \|b_2\|$: once the two vectors are reduced and of equal length, no further step changes their lengths, so a strict test would never be satisfied.

$\bar{b}_1$ is a shortest vector of $L$, and the angle $\theta$ between $\bar{b}_1$ and $\bar{b}_2$ satisfies $|\cos \theta| \le \frac{\|\bar{b}_1\|}{2 \|\bar{b}_2\|}$, so in particular $\frac{\pi}{3} \le \theta \le \frac{2\pi}{3}$, or equivalently $|\langle \bar{b}_1, \bar{b}_2 \rangle| \le \frac{\|\bar{b}_1\|^2}{2}$. The Gaussian algorithm terminates after at most $\lceil \log_{1+\sqrt{2}} (\|b_1\| / \lambda_2) \rceil$ plus a constant number of iterations [9], where $\lambda_2$ is the second minimum of $L$. For more details on the Gaussian algorithm we refer the reader to [8].

2.3 Properties of the reduced basis of a two-dimension lattice
Suppose that $\{\bar{b}_1, \bar{b}_2\}$ is the reduced basis obtained by applying the Gaussian algorithm to a basis $\{b_1, b_2\}$ of $L$. We first show that $\bar{b}_2$ is a shortest vector independent of $\bar{b}_1$, that is, there is no $v \in L$ such that $\|v\| < \|\bar{b}_2\|$ and $\bar{b}_1, v$ are independent.

Proposition 1. Suppose that $L \subset \mathbb{R}^2$ is the lattice spanned by two independent vectors $b_1, b_2 \in \mathbb{R}^2$. Apply the Gaussian algorithm to the basis $\{b_1, b_2\}$ of $L$ to obtain the basis $\{\bar{b}_1, \bar{b}_2\}$. If $v \in L$, $v \ne 0$, satisfies $\|v\| < \|\bar{b}_2\|$, then $v = s\bar{b}_1$ with $s \in \mathbb{Z}$.

Proof. Since $v \in L$, we have $v = s\bar{b}_1 + t\bar{b}_2$ with $s, t \in \mathbb{Z}$. Assume the contrary,
that $t \ne 0$, and consider the three following cases.
● Case $|s| = 1$ and $|t| = 1$. In this case
$$\|v\|^2 = \|s\bar{b}_1 + t\bar{b}_2\|^2 = \|\bar{b}_1 \pm \bar{b}_2\|^2 = \|\bar{b}_1\|^2 + \|\bar{b}_2\|^2 \pm 2\langle \bar{b}_1, \bar{b}_2 \rangle = \|\bar{b}_2\|^2 + 2\|\bar{b}_1\|^2 \Big( \frac{1}{2} \pm \frac{\langle \bar{b}_1, \bar{b}_2 \rangle}{\|\bar{b}_1\|^2} \Big).$$
Since $\Big| \frac{\langle \bar{b}_1, \bar{b}_2 \rangle}{\|\bar{b}_1\|^2} \Big| \le \frac{1}{2}$, we have $\frac{1}{2} \pm \frac{\langle \bar{b}_1, \bar{b}_2 \rangle}{\|\bar{b}_1\|^2} \ge 0$. Hence
$$\|v\|^2 = \|\bar{b}_2\|^2 + 2\|\bar{b}_1\|^2 \Big( \frac{1}{2} \pm \frac{\langle \bar{b}_1, \bar{b}_2 \rangle}{\|\bar{b}_1\|^2} \Big) \ge \|\bar{b}_2\|^2.$$
● Case $|s| > 1$ or $|t| > 1$. If $|s| = |t|$, then by the first case $\|v\|^2 = s^2 \|\bar{b}_1 \pm \bar{b}_2\|^2 \ge s^2 \|\bar{b}_2\|^2 \ge \|\bar{b}_2\|^2$. If $|s| \ne |t|$, then
$$\begin{aligned}
\|v\|^2 &= s^2 \|\bar{b}_1\|^2 + t^2 \|\bar{b}_2\|^2 + 2st \langle \bar{b}_1, \bar{b}_2 \rangle \\
&\ge s^2 \|\bar{b}_1\|^2 + t^2 \|\bar{b}_2\|^2 - 2|st| \, |\langle \bar{b}_1, \bar{b}_2 \rangle| \\
&= \|\bar{b}_2\|^2 + s^2 \|\bar{b}_1\|^2 + (t^2 - 1)\|\bar{b}_2\|^2 - 2|st| \, |\langle \bar{b}_1, \bar{b}_2 \rangle| \\
&\ge \|\bar{b}_2\|^2 + s^2 \|\bar{b}_1\|^2 + (t^2 - 1)\|\bar{b}_1\|^2 - |st| \, \|\bar{b}_1\|^2 \\
&= \|\bar{b}_2\|^2 + (s^2 + t^2 - |st| - 1)\|\bar{b}_1\|^2 \\
&= \|\bar{b}_2\|^2 + \big( (|s| - |t|)^2 + |st| - 1 \big)\|\bar{b}_1\|^2 \\
&\ge \|\bar{b}_2\|^2,
\end{aligned}$$
since $(|s| - |t|)^2 - 1 \ge 0$ when $|s| \ne |t|$. (The fourth line uses $t \ne 0$, so $t^2 - 1 \ge 0$ and $\|\bar{b}_2\| \ge \|\bar{b}_1\|$ give $(t^2 - 1)\|\bar{b}_2\|^2 \ge (t^2 - 1)\|\bar{b}_1\|^2$, together with $|\langle \bar{b}_1, \bar{b}_2 \rangle| \le \frac{\|\bar{b}_1\|^2}{2}$.)
● Case $s = 0$. In this case $\|v\| = |t| \, \|\bar{b}_2\| \ge \|\bar{b}_2\|$ since $t \ne 0$.
Thus all three cases lead to $\|v\| \ge \|\bar{b}_2\|$, a contradiction. Therefore we must have $t = 0$, that is, $v = s\bar{b}_1$. ■

3. Two-dimension lattice attack on the RSA cryptosystem
3.1 The heuristic attack
Consider the RSA cryptosystem, where the modulus $N$ is the product of two distinct primes $p$ and $q$, and $e$ and $d$ are the public and private keys, respectively. We recall the reasoning behind the guess of the 2-dimension lattice attack on RSA in the case $d < N^{1/4}$, following [6]. Suppose that $p$ and $q$ are balanced; then $p = O(\sqrt{N})$ and $q = O(\sqrt{N})$, and therefore $\varphi(N) = (p - 1)(q - 1) = N + O(\sqrt{N})$. Since $ed \equiv 1 \pmod{\varphi(N)}$, there exists $k = O(d)$ such that
$$ed = 1 + k\varphi(N) = 1 + k(N + O(\sqrt{N})).$$
It follows that $ed - kN = k \cdot O(\sqrt{N})$. Writing $l = ed - kN$, we have $l = O(d\sqrt{N})$. Consider the lattice $L \subset \mathbb{R}^2$ spanned by the two vectors $b_1 = (e, \sqrt{N})$ and $b_2 = (N, 0)$; then $L$ contains
$$v = d b_1 - k b_2 = (l, d\sqrt{N}).$$
Since $\|v\| = \sqrt{l^2 + N d^2} \approx d\sqrt{N}$ and $(\mathrm{vol}(L))^{1/2} = N^{3/4}$, the vector $v$ could be a shortest vector of $L$ if $d\sqrt{N} < N^{3/4}$, that is, if $d < N^{1/4}$. So in the case $d < N^{1/4}$, one can
find $d$ by the Gaussian reduction algorithm and hence recover the private key $d$.

3.2 Experimental study
In our experiments, two balanced primes $p$ and $q$ are generated, and then both a shortest vector of $L$ and $v$ are computed. We found many cases where the heuristic guess above does not hold. In the argument of Section 3.1 the relation $O$ may hide constants, so a factor in the condition $d < N^{1/4}$ may have been dropped. We are thus led to the following problem: find a constant $\alpha$ such that if $d < \alpha N^{1/4}$ then $v$ is a shortest vector of $L$.

4. The determination of the heuristic attack
Consider the RSA cryptosystem as in Section 3.1. Assume that $p$ and $q$ are balanced; as in [2], we use the condition $\frac{1}{2}\sqrt{N} < p, q < 2\sqrt{N}$ for this. As usual we may suppose that $1 < e, d < \varphi(N) = (p - 1)(q - 1)$. Since $ed \equiv 1 \pmod{\varphi(N)}$, we have $ed = 1 + k\varphi(N)$ with $k \in \mathbb{Z}$. We first estimate $k$ and $ed - kN$ as follows.

Proposition 2. Suppose that $N = pq$ is the product of two distinct primes $p$ and $q$, and that $e$ and $d$ are positive integers satisfying $1 < e, d < \varphi(N)$ and $ed = 1 + k\varphi(N)$. Then
a) $k < d$;
b) $|ed - kN| < \frac{5}{2} d\sqrt{N}$.

Proof. The proof is straightforward.
a) Since $e < \varphi(N)$, we have $1 + k\varphi(N) = ed < d\varphi(N)$. Hence $k < d - \frac{1}{\varphi(N)} < d$.
b) We have $ed = 1 + k\varphi(N) = 1 + k(p - 1)(q - 1) = 1 + k(N + 1 - p - q)$, so
$$|ed - kN| = |k(p + q - 1) - 1| < k(p + q).$$
Write $p = x\sqrt{N}$; then $q = \frac{\sqrt{N}}{x}$ and $\frac{1}{2} < x < 2$, so
$$|ed - kN| < k(p + q) = k\sqrt{N} \Big( x + \frac{1}{x} \Big).$$
It is easy to check that $x + \frac{1}{x} < \frac{5}{2}$ for all $x \in \big( \frac{1}{2}, 2 \big)$. Therefore
$$|ed - kN| < k\sqrt{N} \Big( x + \frac{1}{x} \Big) < \frac{5}{2} k\sqrt{N} < \frac{5}{2} d\sqrt{N}. \quad ■$$

As in Section 3.1, from now on we write $b_1 = (e, \sqrt{N})$, $b_2 = (N, 0)$ and consider the lattice $L \subset \mathbb{R}^2$ spanned by $b_1, b_2$. Then $v = d b_1 - k b_2 = (ed - kN, d\sqrt{N})$ is a vector of $L$. Applying the Gaussian algorithm to the basis $\{b_1, b_2\}$ of $L$ yields a basis $\{\bar{b}_1, \bar{b}_2\}$. The following proposition estimates the norms of $v$ and $\bar{b}_2$.

Proposition 3. Let $e, d, k$ be the integers of Proposition 2, and let $L$ denote the lattice in $\mathbb{R}^2$ spanned by
the two vectors $b_1 = (e, \sqrt{N})$, $b_2 = (N, 0)$, and let $v = d b_1 - k b_2 = (ed - kN, d\sqrt{N}) \in L$. Suppose that $\{\bar{b}_1, \bar{b}_2\}$ is the reduced basis obtained by applying the Gaussian algorithm to the basis $\{b_1, b_2\}$ of $L$. Then
a) $\|v\| < \frac{\sqrt{29}}{2} d\sqrt{N}$;
b) $\|\bar{b}_2\| \ge N^{3/4}$.

Proof. a) It follows from Proposition 2 that
$$\|v\| = \sqrt{(ed - kN)^2 + (d\sqrt{N})^2} < \sqrt{\Big( \frac{5}{2} d\sqrt{N} \Big)^2 + (d\sqrt{N})^2} = \frac{\sqrt{29}}{2} d\sqrt{N}.$$
b) We have $\mathrm{vol}(L) = \Big| \det \begin{pmatrix} e & \sqrt{N} \\ N & 0 \end{pmatrix} \Big| = N\sqrt{N}$. By Hadamard's inequality, $\mathrm{vol}(L) \le \|\bar{b}_1\| \, \|\bar{b}_2\|$, which gives $N\sqrt{N} \le \|\bar{b}_1\| \, \|\bar{b}_2\| \le \|\bar{b}_2\|^2$. Therefore $N^{3/4} \le \|\bar{b}_2\|$. ■

Proposition 4. Under the assumptions of Proposition 3, if $u$ is a vector of $L$ satisfying $v = su$ with $s \in \mathbb{Z}$, then $s = \pm 1$.

Proof. Note that $\gcd(d, k) = 1$, since $ed = 1 + k(p - 1)(q - 1)$. Since $u \in L$, we have $u = x b_1 + y b_2 = (xe + yN, x\sqrt{N})$ with $x, y \in \mathbb{Z}$. From $v = su$ it follows that
$$\begin{cases} ed - kN = s(xe + yN), \\ d\sqrt{N} = sx\sqrt{N}. \end{cases}$$
Thus
$$ed - kN = sxe + syN, \quad (1)$$
and
$$d = sx. \quad (2)$$
Substituting $d$ from (2) into (1) gives $sxe - kN = sxe + syN$, or
$$k = -sy. \quad (3)$$
From (2) and (3), $s$ is a common divisor of $d$ and $k$. Combined with $\gcd(d, k) = 1$, this leads to $s = \pm 1$. ■

Proposition 5. Under the assumptions of Proposition 2, if $d < \frac{2}{\sqrt{29}} N^{1/4}$ then $v$ is a shortest vector of $L$.

Proof. By Propositions 2 and 3 we have
$$\|v\| = \sqrt{(ed - kN)^2 + (d\sqrt{N})^2} < \sqrt{\Big( \frac{5}{2} d\sqrt{N} \Big)^2 + (d\sqrt{N})^2} = \frac{\sqrt{29}}{2} d\sqrt{N} < \frac{\sqrt{29}}{2} \cdot \frac{2}{\sqrt{29}} N^{1/4} \sqrt{N} = N^{3/4} \le \|\bar{b}_2\|.$$
It follows from Proposition 1 that $v = s\bar{b}_1$, and then from Proposition 4 that $s = \pm 1$. Therefore $v = \pm \bar{b}_1$ is a shortest vector of $L$. ■

5. Conclusions
The paper shows that in the case $d < \frac{2}{\sqrt{29}} N^{1/4}$ the private key $d$ of the RSA cryptosystem can be recovered from the vector $v = (ed - kN, d\sqrt{N})$, which is found by the Gaussian algorithm. The constant $\frac{2}{\sqrt{29}}$ can be enlarged under additional conditions. If we use the condition $p < q < 2p$ for the balance of $p$ and $q$, then we obtain $p < \sqrt{N}$, $q < \sqrt{2N}$ and $p + q < (1 + \sqrt{2})\sqrt{N}$. By a similar argument, if $d < \frac{1}{\sqrt{4 + 2\sqrt{2}}} N^{1/4}$ then $v$ is a shortest vector of $L$. As mentioned above, if $d < N^{1/4}$
then the heuristic guess of the 2-dimension lattice attack on RSA does not always hold. However, experiments showed that if $d \approx N^{1/4}$ the heuristic guess still holds in many cases. We constructed RSA cryptosystems where $p, q$ are two consecutive 32-bit primes and the private exponent $d$ satisfies $\frac{2}{\sqrt{29}} N^{1/4} < d < N^{1/4}$; the percentage of cases where the heuristic guess holds was 65%. This raises the following open problem: find some extra condition which ensures the heuristic guess of the 2-dimension lattice attack on RSA.

REFERENCES
1. J. Blomer and A. May (2003), "New partial key exposure attacks on RSA", CRYPTO 2003, Vol. 2729 of Lecture Notes in Computer Science, pp. 27-43, Springer.
2. D. Boneh and G. Durfee (1999), "Cryptanalysis of RSA with private key d less than N^0.292", Proceedings of Eurocrypt '99.
3. D. Coppersmith, M. Franklin, J. Patarin, and M. Reiter (1996), "Low exponent RSA with related messages", Proceedings of Eurocrypt '96.
4. J. M. DeLaurentis (1984), "A further weakness in the common modulus protocol for the RSA crypto algorithm", Cryptologia, 8(3):253-259.
5. M. Jason Hinek (2009), Cryptanalysis of RSA and its variants, Chapman and Hall/CRC, pp. 71-72.
6. Phong Q. Nguyen (2008), "Public key cryptanalysis", Recent Trends in Cryptography, Contemporary Mathematics series, AMS-RSME.
7. G. J. Simmons (1983), "A weak privacy protocol using the RSA crypto algorithm", Cryptologia, 7(2):180-182.
8. M. Wiener (1990), "Cryptanalysis of short RSA secret exponents", IEEE Transactions on Information Theory, 36:553-558.
9. C. P. Schnorr (1994), Gittertheorie und Kryptographie, Ausarbeitung, Johann-Wolfgang-Goethe-Universität Frankfurt am Main.

(Received: 14/01/2015; Revised: 28/01/2015; Accepted: 12/02/2015)
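Worked example (added here; not code from the paper or its authors). It implements the Gaussian reduction loop of Section 2.2 on integer vectors, mounts the attack of Sections 3.1 and 4 on a constructed toy RSA key, checks the provable condition of Proposition 5 in exact integer arithmetic ($d < \frac{2}{\sqrt{29}} N^{1/4}$ is equivalent to $29 d^4 < 16 N$), and measures how often the heuristic still succeeds in the interval $\frac{2}{\sqrt{29}} N^{1/4} < d < N^{1/4}$ left open in Section 5. Assumptions not taken from the paper: $\sqrt{N}$ is replaced by $\lfloor \sqrt{N} \rfloor$ so that the lattice has integer coordinates and the reduction is exact (the target vector is then $(ed - kN, d\lfloor\sqrt{N}\rfloor)$); the primes are random 64-bit primes from a small Miller-Rabin routine rather than the paper's consecutive 32-bit primes; all sizes are toy sizes chosen for speed.

```python
# Added example (not from the paper): Gaussian reduction of Section 2.2 and the
# 2-dimension lattice attack of Sections 3.1 and 4 on a constructed toy RSA key.
# Assumption: sqrt(N) is replaced by isqrt(N) so the lattice is integral and the
# reduction is exact; the target vector is then v = (e*d - k*N, d*isqrt(N)).
from math import gcd, isqrt
import random

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def gauss_reduce(b1, b2):
    """Gaussian (Lagrange) reduction of an integer basis {b1, b2}, the loop of Section 2.2.
    floor(mu + 1/2) with mu = <b1,b2>/||b1||^2 is computed exactly as
    floor((2<b1,b2> + ||b1||^2) / (2||b1||^2)); Python's // floors for negative values too."""
    while True:
        if dot(b2, b2) < dot(b1, b1):
            b1, b2 = b2, b1
        n1 = dot(b1, b1)
        m = (2 * dot(b1, b2) + n1) // (2 * n1)
        b2 = (b2[0] - m * b1[0], b2[1] - m * b1[1])
        if n1 <= dot(b2, b2):  # non-strict: equal-length reduced vectors must stop the loop
            return b1, b2

def recover_d(N, e):
    """Public key only: reduce b1 = (e, isqrt N), b2 = (N, 0) from Section 3.1.
    By Proposition 5 the first reduced vector is +-v = +-(e*d - k*N, d*r) for small d;
    every lattice vector has second coordinate x*r, so d = |x|. Each candidate is
    verified by an encrypt/decrypt round trip before it is returned."""
    r = isqrt(N)
    for cand in gauss_reduce((e, r), (N, 0)):
        d = abs(cand[1]) // r
        if d and all(pow(pow(m, e, N), d, N) == m for m in (2, 3, 65537)):
            return d
    return None

def within_provable_bound(N, d):
    """Proposition 5's condition d < (2/sqrt 29) N^(1/4), i.e. 29 d^4 < 16 N, in exact integers."""
    return 29 * d ** 4 < 16 * N

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with random bases (assumption: adequate for generating demo primes)."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n, rng):
            return n

def balanced_modulus(bits, rng):
    """Two distinct random `bits`-bit primes, so N/4 < p^2, q^2 < 4N: the balance
    condition (1/2) sqrt N < p, q < 2 sqrt N of Section 4. Returns (N, phi(N))."""
    p = random_prime(bits, rng)
    q = random_prime(bits, rng)
    while q == p:
        q = random_prime(bits, rng)
    return p * q, (p - 1) * (q - 1)

def make_weak_rsa(bits=64, d_bits=29, seed=2015):
    """Constructed toy key (N, e, d): a 29-bit d against a 128-bit N lies inside
    the provable bound of Proposition 5 (29 * 2^116 < 16 * 2^126)."""
    rng = random.Random(seed)
    N, phi = balanced_modulus(bits, rng)
    while True:
        d = rng.getrandbits(d_bits) | (1 << (d_bits - 1)) | 1
        if gcd(d, phi) == 1:
            return N, pow(d, -1, phi), d

def heuristic_gap_rate(trials=40, bits=64, seed=7):
    """Share of keys with (2/sqrt 29) N^(1/4) < d < N^(1/4), the interval left open in
    Section 5, on which the heuristic still recovers d. Random primes, not the paper's
    consecutive 32-bit primes, so the figure is not comparable with its 65%."""
    rng = random.Random(seed)
    done = hits = 0
    while done < trials:
        N, phi = balanced_modulus(bits, rng)
        lo = isqrt(isqrt(16 * N // 29)) + 1  # first d with 29 d^4 > 16 N
        hi = isqrt(isqrt(N))                 # floor(N^(1/4))
        d = rng.randrange(lo, hi)
        if gcd(d, phi) != 1:
            continue
        done += 1
        hits += recover_d(N, pow(d, -1, phi)) == d
    return hits / trials
```

`within_provable_bound` is the check to run against a key when auditing generation code: a key that passes into the bound of Proposition 5 is broken by a single 2-dimension reduction with no search at all. The converse does not hold; a key outside this bound is not thereby safe, since Wiener's continued fraction attack and the Boneh-Durfee attack cited in the introduction reach far larger $d$, and `heuristic_gap_rate` shows the 2-dimension attack itself still succeeds on a sizeable fraction of keys between $\frac{2}{\sqrt{29}} N^{1/4}$ and $N^{1/4}$.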