Attacks on RSA using Lattice reduction techniques (LLL)

58
Lattice Reduction Techniques To Attack RSA David Wong March 2015 University of Bordeaux

Transcript of Attacks on RSA using Lattice reduction techniques (LLL)

Page 1: Attacks on RSA using Lattice reduction techniques (LLL)

Lattice Reduction Techniques To Attack

RSADavid Wong

March 2015

University of Bordeaux

Page 2: Attacks on RSA using Lattice reduction techniques (LLL)
Page 3: Attacks on RSA using Lattice reduction techniques (LLL)
Page 4: Attacks on RSA using Lattice reduction techniques (LLL)
Page 5: Attacks on RSA using Lattice reduction techniques (LLL)
Page 6: Attacks on RSA using Lattice reduction techniques (LLL)

ATTACKS

Page 7: Attacks on RSA using Lattice reduction techniques (LLL)

Attacks on the Implementation or the Mathematics.

•Recover the plaintext•Recover the private key

Page 8: Attacks on RSA using Lattice reduction techniques (LLL)

A Relaxed Model

• We know a part of the message• We know an approximation of one of

the prime• The private exponent is too small

Page 9: Attacks on RSA using Lattice reduction techniques (LLL)

LATTICE

Page 10: Attacks on RSA using Lattice reduction techniques (LLL)
Page 11: Attacks on RSA using Lattice reduction techniques (LLL)
Page 12: Attacks on RSA using Lattice reduction techniques (LLL)
Page 13: Attacks on RSA using Lattice reduction techniques (LLL)
Page 14: Attacks on RSA using Lattice reduction techniques (LLL)
Page 15: Attacks on RSA using Lattice reduction techniques (LLL)
Page 16: Attacks on RSA using Lattice reduction techniques (LLL)

COPPERSMITH

Page 17: Attacks on RSA using Lattice reduction techniques (LLL)
Page 18: Attacks on RSA using Lattice reduction techniques (LLL)

« le password du jour : cupcake »

Page 19: Attacks on RSA using Lattice reduction techniques (LLL)

« le password du jour : cupcake »

Page 20: Attacks on RSA using Lattice reduction techniques (LLL)
Page 21: Attacks on RSA using Lattice reduction techniques (LLL)

HOWGRAVE-GRAHAM

Page 22: Attacks on RSA using Lattice reduction techniques (LLL)

HOWGRAVE-GRAHAM

Page 23: Attacks on RSA using Lattice reduction techniques (LLL)
Page 24: Attacks on RSA using Lattice reduction techniques (LLL)

LLL reduction:• It only does integer linear

operations on the basis vectors

• The shortest vector of the output basis is bound

Page 25: Attacks on RSA using Lattice reduction techniques (LLL)
Page 26: Attacks on RSA using Lattice reduction techniques (LLL)
Page 27: Attacks on RSA using Lattice reduction techniques (LLL)

Those polynomials achieve two things:• They have the same root 𝑥0 but modulo 𝑁𝑚

• Each iteration introduce a new monomial

Page 28: Attacks on RSA using Lattice reduction techniques (LLL)
Page 29: Attacks on RSA using Lattice reduction techniques (LLL)
Page 30: Attacks on RSA using Lattice reduction techniques (LLL)
Page 31: Attacks on RSA using Lattice reduction techniques (LLL)
Page 32: Attacks on RSA using Lattice reduction techniques (LLL)
Page 33: Attacks on RSA using Lattice reduction techniques (LLL)
Page 34: Attacks on RSA using Lattice reduction techniques (LLL)
Page 35: Attacks on RSA using Lattice reduction techniques (LLL)
Page 36: Attacks on RSA using Lattice reduction techniques (LLL)

COPPERSMITH

Page 37: Attacks on RSA using Lattice reduction techniques (LLL)

BONEH-DURFEE

Page 38: Attacks on RSA using Lattice reduction techniques (LLL)
Page 39: Attacks on RSA using Lattice reduction techniques (LLL)
Page 40: Attacks on RSA using Lattice reduction techniques (LLL)
Page 41: Attacks on RSA using Lattice reduction techniques (LLL)
Page 42: Attacks on RSA using Lattice reduction techniques (LLL)
Page 43: Attacks on RSA using Lattice reduction techniques (LLL)
Page 44: Attacks on RSA using Lattice reduction techniques (LLL)
Page 45: Attacks on RSA using Lattice reduction techniques (LLL)

HOWGRAVE-GRAHAM

Page 46: Attacks on RSA using Lattice reduction techniques (LLL)
Page 47: Attacks on RSA using Lattice reduction techniques (LLL)
Page 48: Attacks on RSA using Lattice reduction techniques (LLL)
Page 49: Attacks on RSA using Lattice reduction techniques (LLL)
Page 50: Attacks on RSA using Lattice reduction techniques (LLL)

HERRMAN AND MAY: UNRAVELLED LINEARIZATION

Page 51: Attacks on RSA using Lattice reduction techniques (LLL)
Page 52: Attacks on RSA using Lattice reduction techniques (LLL)
Page 53: Attacks on RSA using Lattice reduction techniques (LLL)

BONEH-DURFEE BOUND

Page 54: Attacks on RSA using Lattice reduction techniques (LLL)

CONCLUSIONS

Page 55: Attacks on RSA using Lattice reduction techniques (LLL)
Page 56: Attacks on RSA using Lattice reduction techniques (LLL)
Page 57: Attacks on RSA using Lattice reduction techniques (LLL)
Page 58: Attacks on RSA using Lattice reduction techniques (LLL)

Elliptic Curves over Prime and Binary Fields in Cryptography · PDF filePartnerships with leading industry players including ARM, MIPS, RSA, Impinj, Lattice

Elliptic Curves over Prime and Binary Fields in Cryptography · PDF filePartnerships with leading industry players including ARM, MIPS, RSA, Impinj, Lattice

ll!lll~lll~lllljlll~IIIIJIII ~llljlllljllllllll~llljiiiiJ ......ll!lll~lll~lllljlll~IIIIJIII ~llljlllljllllllll~llljiiiiJ~I!IIIIjlllljlllljlllljllll!ll ANNUAL STATEMENT For the Year

ll!lll~lll~lllljlll~IIIIJIII ~llljlllljllllllll~llljiiiiJ ......ll!lll~lll~lllljlll~IIIIJIII ~llljlllljllllllll~llljiiiiJ~I!IIIIjlllljlllljlllljllll!ll ANNUAL STATEMENT For the Year

LLL Annual Report - LLL Australia savings accounts

LLL Annual Report - LLL Australia savings accounts

lll lll a llDl DID lll DIII DD lll Dll lDl lD lll 100 lllD ...lll lll a llDl DID lll DIII DD lll Dll lDl lD lll 100 lllD ll Dl lli US 20130169464A1 (19) United States (12) Patent Application

lll lll a llDl DID lll DIII DD lll Dll lDl lD lll 100 lllD ...lll lll a llDl DID lll DIII DD lll Dll lDl lD lll 100 lllD ll Dl lli US 20130169464A1 (19) United States (12) Patent Application

Lattice-Based Fault Attacks on RSA Signatures · 1.Linearize: using standard lattice reduction technique la Nguyen-Stern, nd vectors u j = (u 1j;:::;u ‘j) such that u j a 0 (mod

Lattice-Based Fault Attacks on RSA Signatures · 1.Linearize: using standard lattice reduction technique la Nguyen-Stern, nd vectors u j = (u 1j;:::;u ‘j) such that u j a 0 (mod

Lattices and their Applications to RSA Cryptosystem ...pmol/Talks/Thesis_Presentation.pdf · In Cryptology... Lattices have found applications both in Cryptography, where hard lattice

Lattices and their Applications to RSA Cryptosystem ...pmol/Talks/Thesis_Presentation.pdf · In Cryptology... Lattices have found applications both in Cryptography, where hard lattice

New RSA Vulnerabilities - Lattice Reduction Methods

New RSA Vulnerabilities - Lattice Reduction Methods

Formalizing the LLL Basis Reduction Algorithm and the LLL ... · factorization · Shortest vector problem · Verified LLL implementation 1Introduction The LLL basis reduction algorithm

Formalizing the LLL Basis Reduction Algorithm and the LLL ... · factorization · Shortest vector problem · Verified LLL implementation 1Introduction The LLL basis reduction algorithm

perso.ens-lyon.fr › damien.stehle › epit13 › Euclide-Gauss-EPIT.pdf · Lattice Reduction Algorithms: EUCLID, GAUSS, LLL ...Lattice Reduction Algorithms: EUCLID, GAUSS, LLL Description

perso.ens-lyon.fr › damien.stehle › epit13 › Euclide-Gauss-EPIT.pdf · Lattice Reduction Algorithms: EUCLID, GAUSS, LLL ...Lattice Reduction Algorithms: EUCLID, GAUSS, LLL Description

lll Southbound - Indiana 8 Stop 11... · 2019-10-30 · lll 3 Lanes Southbound lll 3 Lanes Northbound lll Edgewood Avenue Under I-69 3 Lanes Northbound lll 4 Lanes Southbound c lll

lll Southbound - Indiana 8 Stop 11... · 2019-10-30 · lll 3 Lanes Southbound lll 3 Lanes Northbound lll Edgewood Avenue Under I-69 3 Lanes Northbound lll 4 Lanes Southbound c lll

The LLL Algorithm - Ionica Smeets · 2019-04-24 · Algorithmic Number Theory Symposium (ANTS VII) held in Berlin in July 2006, ... to cryptanalysis: lattice attacks on the RSA cryptosystem,

The LLL Algorithm - Ionica Smeets · 2019-04-24 · Algorithmic Number Theory Symposium (ANTS VII) held in Berlin in July 2006, ... to cryptanalysis: lattice attacks on the RSA cryptosystem,

New RSA Vulnerabilities Using Lattice Reduction Methodsdmst/teaching/... · 1 Introduction 6 2 RSA and Lattices 13 ... RSA encryption function are indeed one-way functions. Even worse,

New RSA Vulnerabilities Using Lattice Reduction Methodsdmst/teaching/... · 1 Introduction 6 2 RSA and Lattices 13 ... RSA encryption function are indeed one-way functions. Even worse,

Pizza Roulette - OWASP SNI 2 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048

Pizza Roulette - OWASP SNI 2 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048

Survey: Lattice Reduction Attacks on RSA - David Wong · Survey: Lattice Reduction Attacks on RSA David Wong supervised by Guilhem Castagnos University of Bordeaux, March 2015 Abstract

Survey: Lattice Reduction Attacks on RSA - David Wong · Survey: Lattice Reduction Attacks on RSA David Wong supervised by Guilhem Castagnos University of Bordeaux, March 2015 Abstract

Lll Lllll,,

Lll Lllll,,

Gauss Sieve on GPUs - RSA Conference Agenda Motivation Lattice-based Cryptography and Cryptanalysis Sieve Algorithm Lifting Technique Parallel Method Results

Gauss Sieve on GPUs - RSA Conference Agenda Motivation Lattice-based Cryptography and Cryptanalysis Sieve Algorithm Lifting Technique Parallel Method Results

Lattice Basis Reduction techniques based on the LLL …tonchev/Khadka.pdf · Introduction Goal Basis Reduction Lattice Diffusion and Sublattice Fusion Algorithm Hill Climbing Algorithm

Lattice Basis Reduction techniques based on the LLL …tonchev/Khadka.pdf · Introduction Goal Basis Reduction Lattice Diffusion and Sublattice Fusion Algorithm Hill Climbing Algorithm

lll lll lll lll lll lll ll l - The Oriental Institute of ...oi.uchicago.edu/sites/oi.uchicago.edu/files/uploads/shared/docs/... · CHICAGO DEMOTIC DICTIONARY L (29 JUNE 2001): 01.1

lll lll lll lll lll lll ll l - The Oriental Institute of ...oi.uchicago.edu/sites/oi.uchicago.edu/files/uploads/shared/docs/... · CHICAGO DEMOTIC DICTIONARY L (29 JUNE 2001): 01.1

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

(lll 1'1: .. ;

(lll 1'1: .. ;