On the cryptographic applications of Gr obner bases and ...ssdnm.mimuw.edu.pl/pliki/wyklady/skrypt-gutierrez.pdf · The lectures will be primarily focused on the algorithmic aspects

.

On the cryptographic applications

ofGrobner bases and Lattice Theory

University of Maria Curie-Sklodowska

Faculty of Mathematics, Physics and Computer Science

Lublin, 2-14 December 2012

Jaime GutierrezUniversity of Cantabria

Santander

This course will give a general introduction to the Grobner basis and Lattice Theory, and cover the main applications toboth cryptography and cryptanalysis. The main goal of this course is to show interactions between Cryptology and

Symbolic Computation; the two important tools are lattices and Grobner bases.

The most famous example of such an interaction is probably the so called Lenstra, Lenstra, and Lovasz (LLL) latticebasis reduction algorithm, it was a key ingredient to solve a computer algebra problem (factoring polynomials overthe rational numbers); since then, it was used in numerous attacks in cryptology. Informally speaking a lattice isa set of points in n-dimensional space with a periodic structure. Historically, lattices were investigated since thelate 18th century by mathematicians such as Lagrange, Gauss, and later Minkowski. More recently, lattices havebecome an active topic of research in computer science. At the beginning lattice reduction techniques were wereused in cryptography principally to prove cryptographic insecurity. We will cover several of these negative resultsin particular:

• breaking of knapsack-based cryptosystems

• breaking the linear congruential pseudorandom generator.

• breaking the security of padded RSA

The lectures will be primarily focused on the algorithmic aspects of the lattice theory, which lattice problem canbe solved in polynomial time, and which problems seems to be intractable. And also, presenting applications topredicting pseudorandom number generators and integer factoring.

The second important symbolic computation tool is the theory of Grobner basis. A Grobner basis is a set ofmultivariate polynomials that has desirable algorithmic properties. Every set of polynomials can be transformed intoa Grobner basis. This process generalizes three familiar techniques: Gaussian elimination for solving linear systemsof equations, the Euclidean algorithm for computing the greatest common divisor of two univariate polynomials, andthe Simplex Algorithm for linear programming. It is a powerful technique for solving problems in algebraic geometrythat was introduced by Bruno Buchberger, who named them after his advisor Wolfgang Grobner. Grobner basesprovide a uniform approach for solving problems that can be expressed in terms of systems of multivariate polynomialequations. It happens that many practical problems, can be transformed into sets of polynomials, thus solved usingGrobner bases method. For instance, in cryptology the ciphers are rewritten to systems of multivariate equationsthat are solved for variables representing, for example, key bits. Algebraic attacks apply to a variety of ciphers,ranging from

• blockciphers, like AES and Serpent,

• streamciphers, like Toyocrypt and Bluetoot,

• Asymmetric cryptosystems, like Hidden Field Equation (HHE),

• hash functions, like multivariate polynomial for hashing.

The course will give a short theoretical and algorithmic background on Grobner bases, including the Buchberger’salgorithm for computing a such basis, and then shows several applications to cryptology, including the asymmetriccryptographic primitives based on multivariate polynomials over finite fields. Those schemes are often consideredto be good candidates for post-quantum cryptography, once quantum computers can break the current schemes.

Organization Basic bibliography Cryptology Criterion for Cryptosystem

On the cryptographic applications of Grobnerbases and Lattice Theory

University of Maria Curie-Sklodowska.Faculty of Mathematics, Physics and Computer Science.


Jaime Gutierrez (University of Cantabria)

University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012

On the cryptographic applications of Grobner bases and Lattice Theory


I Grobner bases:I Affine varieties and idealsI Division algorithmI Buchberger’s Algorithm. Extensions F4 and F5I Elimination theory: How to solve system of equationsI Common cryptosystems and Algebraic cryptanalysisI AES (Advanced Encryption Standard )I HFE (Hidden Field Equations)I Stream Ciphers: Trivium, Bivium

I Lattices:I DefinitionsI Minkowski theorem.I Computational problems: SVP, CVPI LLL Reduced Lattice BasisI Knapsack-based cryptosystems and Lattice-based cryptanalysis.I Small roots of integers polynomials:

I Predicting pseudorandom number generatorsI Security of RSA with small decryption exponent




I Douglas Stinson, Cryprography: theory and practice.Chapman and Hall/CRC 2006.

I D. Cox, J. Little, and D. O’Shea, Ideals, Varieties andAlgorithms: An introduction to Computational AlgebraicGeometry and Commutative Algebra, Springer-Verlag, 1996.

I M. Grotschel, L. Lovasz and A. Schrijver, Geometricalgorithms and combinatorial optimization, Springer-Verlag,Berlin, 1993.

I Antoine Joux, Algorithmic Cryptanalysis. Chapman andHall/CRC 2009.

Sage: Open Source Mathematics Software




I CryptographyI Private KeyI Public key

I Cryptanalysis




C.E. Shannon (1916 – 2001)

Communication Theory of Secrecy Systems, Bell System TechnicalJournal (1949).

“as much work as solving a system of simultaneousequations in a large number of unknowns of acomplex type.”



General idea Hidden Field Equations 2R/2R− Schemes Functional Decomposition

Grobner bases in public key cryptography

University of Maria Curie-Sklodowska.Faculty of Mathematics, Physics and Computer Science.


Jaime Gutierrez (University of Cantabria)




The public key is a set of polynomial equations over a finite field K

y1= f1(x1, . . . , xn),y2= f2(x1, . . . , xn),

...yn= fn(x1, . . . , xn).

I Encryption: Evaluating the polynomials fi in: plaintextx = (x1, . . . , xn) ∈ Kn, → ciphertext y = (y1, . . . , yn) ∈ Kn

I Attacking: Solving the system of equations.

TheoremDeciding if an arbitrary system of multivariate, quadratic equationsover a finite field is solvable is NP-complete.




Keying material

I K = Fq a finite field of characteristic a prime number p.I HFE polynomial:

f (x) =∑

i ,j

βi ,jxqθi,j+q

φi,j+

∑

l

αlxqεl + µ ∈ Fqn [x ]

βi ,j , αl , µ ∈ Fqn and θi ,j , φi ,j , εl ∈ NI For an irreducible polynomial g(x) ∈ K[x ]:

K [x ]/ < g(x) > ∼= Fqn

The elements of Fqn are represented as n-tuples over K .

f (x1, . . . , xn) = (p′1(x1, . . . , xn), p′2(x1, . . . , xn . . . , p′n(x1, . . . , xn))

p′i (x1, . . . , xn) ∈ K[x1, . . . , xn] are quadratic polynomials.I Two affine bijections s and t as vector spaces: Kn → Kn.

t(f (s(x1, . . . , xn))) = (p1(x1, . . . , pn(x1, . . . , xn))




The protocol

I Public key: K, n and pi (x1, . . . , xn).

I Private key: f , s, t and the representation of Fqn

over K.

I Encrypt: Plaintext x = (x1, . . . , xn) compute the ciphertexty = (y1, . . . , yn):

y = p1(x1, . . . , pn(x1, . . . , xn))

I Decrypt: Find all solutions to the equation

f (z) = t−1(y)

and x ′ = s−1(z)




Main properties

Matsumoto-Imai (1988), J. Patarin, H (1996), N. Koblitz, 1997.

I Encryption and Decryption can be computed efficiently:I Public transformation: O(n5)I Private: O(n4(n + log n)

I The inverse quadratic polynomial map may have a muchhigher degree.

I Algebraic Cryptanalysis







The problem




References

I J. von zur Gathen, J. Gutierrez, R. Rubio MultivariatePolynomial Decomposition. Applicable Algebra inEngineering, Communication and Computing, 2004.

I D.F. Ye, Z.D. Dai, K.Y. Lam. (u = n) Decomposing Attackson Asymmetric Cryptography Based on MappingCompositions. Journal of Cryptology, 2001.

I E. Biham. Cryptanalysis of Patarin’s 2-Round Public KeySystem with S-Boxes (2R). CRYPTO 2000.

I J.C Faugere, L. Perret An Efficient Algorithm forDecomposing Multivariate Polynomials and its Applications toCryptography. 2010.



Lattices in Algorithmic

and

Cryptography

Jaime Gutierrez

ALGORITHMIC MATHEMATICS AND CRYPTOGRAPHY

University of Cantabria

LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.1/72

ORGANIZATION

Lattices.

Cryptographic Knapsack Scheme

RSA and integer factoring with extra information.

Pseudorandom number generators over Elliptic curves.

Ideal decomposition and intermediate subfields.

Cayley graphs of cyclic groups.


LATTICES


LATTICES


LATTICES


LATTICES

B = [b1| · · · |bn], l.i.

L(B) := {Bx / x ∈ Zn}


b1, . . . ,bn ∈ Rm, l.i.

L = L([b1| · · · |bn]) =

=

{n∑

i=1

λibi

∣∣∣∣∣ λi ∈ Z

}.

B = (b1, . . . ,bn) is a basis of L.L([(1, 0), (0, 1)] =L([(2006, 1), (2007, 1)]) = Z2

L([(3, 1), (2, 4)]) ={(x, y) ∈ Z2 : 3x+ y ≡ 0 mod 10}

[LAGRANGE, GAUSS, MINSKOWSKI]

b1

b2


DISCRETE SUBGROUPS

In general, L(B) is not a lattice:B := (2,

√2)

2√2

Lattices are discrete subgroups.

λ1 := min{‖v‖ / v ∈ L\{0}}


THE VOLUME OF A LATTICE

Fundamental Parallelepiped

(associated to a basis)volL =

√|BtB|


MAIN BOUNDS

Norm ℓ∞:λ1 ≤ (volL)1/n

Norm ℓ1:λ1 ≤ (n! volL)1/n

Norm ℓ2:λ1 ≤

√γn(volL)1/n

n

2eπ+ o(n) ≤ γn ≤

1′744eπ

n+ o(n)

Gauss Heuristic


MAIN PROBLEMS

SVPmin{‖v‖ / v ∈ L\{0}}

NP hard ??

CVPmin{‖v − t‖ / v ∈ L}

NP hard

Fixed n is polynomial: [KANNAN (1987)]

Approximation: [LLL = A. LENSTRA, H. LENSTRA, L. LOVACS (1982)],

[T. BABAI (1986)], [M. AJTAI (1998)]LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.11/72

LLL-REDUCTION

B = [b1| · · · |bn] is a δ-LLL reduced basis of L if

|µi,j| ≤ 1/2

δ‖b∗i ‖ ≥ ‖µi+1,ib

∗i + b∗

i+1‖,where 1/4 < δ < 1 y b∗

1, . . . ,b∗n is the Gram-Schmidt

orthogonal basis : b∗i := bi −

∑j<i µijbj , µi,j :=

<bi,b∗j>

<b∗j ,b

∗j>

.

‖b1‖ ≤(

1

δ − 1/4

)n−12

λ1

LLL-algorithm is polynomial in M = max{n, log(maxi ‖bi‖)}.LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.12/72

OUR LATTICES

L consist of integer solutions x = (x0, . . . , xs−1) ∈ Zs of asystem of congruences

s−1∑

i=0

aijxi ≡ 0 mod qj , j = 1, . . . ,m,

modulo the intergers q1, . . . , qm.

Typically, vol(L) = Q = q1 . . . qm.

SVP and CVP are polynomials in logQ.


CRYPTOGRAPHIC KNAPSACK

SCHEME


THE KNAPSACK PROBLEM

(a1, a2, . . . , an) a finite sequence of positive integers (theweights)

Given a natural s compute, if it exists, x1, x2, . . . , xn,where xi{0, 1} such that

s = x1a1 + x2a2 + · · · + xnan

NP-complete problem


SUPER-INCREASING SEQUENCES

The sequence (a1, a2, . . . , an) is super-increasing if satisfies:

ai > a1 + a2 + · · · + ai−1

Example :ai := ki

In this case it is simple


THE MERKLE-HELLMAN CRYPTOSYSTEMA (b1, b2, . . . , bn) super-increasing sequence

Two co-prime positive integers U and V such that

U >

n∑

i=1

bi, V < U.

ai = biV mod U.

PUBLIC KEY: (a1, a2, . . . , an)

PRIVATE KEY: (b1, b2, . . . , bn), U, V )


THE MERKLE-HELLMAN CRYPTOSYSTEM

ENCRYPTION:The plaintext x, 0 ≤ x < 2n

x = [x1, . . . , xn] binary representation

The cipher text is y =∑n

i xiai

DECRYPTION.The ciphertext y, 0 ≤ y < 2n

Compute s = yV −1 mod U =∑

xibi

x =∑n

i=1 xi2i−1


THE MERKLE-HELLMAN CRYPTOSYSTEM

Several variations of this scheme.

It is easy to implement.

It is faster than RSA

Broken by Shamir in 1982

Chor-Rivest Scheme


LLL AND MERKLE-HELLMAN CRYPTOSYSTEM

Given a knapsack problem with coefficients (c1, c2, . . . , cn)and s. Let L be the lattice generated by A:

A =

−a1 a2 . . . −an s

1 0 . . . 0 0

0 1 . . . 0 0

... ... . . . ... ...

0 0 . . . 1 0

∈ Z(n+1)×(n+1),

If x = (x1, . . . , xn) :∑n

i xici = s→ vector v ∈ L is small:

v = (0, x1, . . . , xn).


RSA and INTEGERSFACTORIZATION


Integers factorization

THE PROBLEM

INPUT : N = PQ and the high-order h bits of P .



THE PROBLEM

INPUT : N = PQ and the high-order h bits of P .

OUTPUT: The factorization of N , i.e, P and Q.



WHY STUDY THIS PROBLEM ?



WHY TO STUDY THIS PROBLEM ?

because I like it,



WHY TO STUDY THIS PROBLEM ?because I like it,

RSAloss of the equipment that generated P and Q,explicit release of partial extra information as part ofa protocol, for instance exchange of secret,timing measurements,routine usage of P and Q to decrypt mail, signmessages, etc.,poor physical security to guard P and Q,any other heuristic attack . . .

[RIVEST AND SHAMIR (1986)], [COPPERSMITH (1995-1998)], [ BONEH AND

HOWGRAVE-GRAHAM (1999)], [MAY AND CORON (2005)]



FORMALIZATION AND NOTATION

DEFINITION. We say that an integer w is a ∆-approximation to theinteger u when |w − u| ≤ ∆.We can build a ∆-approximation P0 to P , by taking the hhigh-order bits of P and ⌊logP ⌋ + 1− h zeroes. In this case,∆ = 2⌊logP ⌋+1−h − 1, that is,

P − P0 ≤ ∆ ∼= P

2h.

By dividing N into P0, we obtain a ∆1-approximation Q0

to Q:

|Q−Q0| ≤ ∆1∼= Q∆

P.


Integers factorization and attacking RSA

FORMALIZATION AND NOTATION

Let ε0 = P − P0 and ε1 = Q−Q0. From N = PQ we obtain:

f(ε0, ε1) = 0,

wheref(ε0, ε1) = (P0 + ε0)(Q0 + ε1)−N.

And with|ε0| ≤ ∆, |ε1| ≤ ∆1.

The main objective is to find small roots of this innocentpolynomial f(ε0, ε1).


Small roots of integer polynomials

THE COPPERSMITH’S RESULT

THEOREM. [D. COPPERSMITH (1997)]Let p(ε0, ε1) be an irreducible polynomial in two variables over Z, ofmaximum degree δ in each variable separately. Let ∆,∆1 be bounds onthe desired solutions x0, y0. Define p∗(ε0, ε1) = p(ε0∆, ε1∆1) and letW be the absolute value of the largest coefficient of p∗(ε0, ε1). If

∆∆1 ≤ W 2/(3δ)−ǫ2−14δ/3,

then in polynomial time in (logW, δ, 1/ǫ) we can find all integer pairs(x0, y0) with p(x0, y0) = 0 bounded by |x0| ≤ ∆, |y0| ≤ ∆1.



ADAPTING COPPERSMITH’S RESULT

We suppose that we know N = PQ and the high-orderh = 1

4 log2N bits of P . We apply the previous result topolynomial f(ε0, ε1) and take:

|ε0| < P0N−1/4 = ∆,

|ε1| < Q0N−1/4 = ∆1,

δ = 1, W = N3/4.

Corollary . [D. COPPERSMITH (1997)]In polynomial time we can find the factorization of N = PQ if we know

the high-order (14 log2N) bits of P



TWO ITERATION TECHNIQUE

(P0 + ε0)(Q0 + ε1) = N,

|ε0| ≤ ∆, |ε1| ≤ ∆1

(P0Q0 −N)∆1∆+Q0∆x1 + P0∆1x2 + x3 = 0,

x1 ≡ 0 mod ∆,

x2 ≡ 0 mod ∆1.



TWO ITERATIONS TECHNIQUE

e = (∆1ε0,∆ε1, ε0ε1).

f solution of the CVP. Check if e = f , otherwise:

u,v LLL reduced basis of lattice:

Q0∆x1 + P0∆1x2 + x3 = 0,

x1 ≡ 0 mod ∆,

x2 ≡ 0 mod ∆1.

f = (∆1f1,∆f2, f3),

u = (∆1u1,∆u2, u3),

v = (∆1v1,∆v2, v3),LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.32/72


TWO ITERATIONS TECHNIQUE

e = f + αu+ βv

⇓

ε0 = f1 + αu1 + βv1,

ε1 = f2 + αu2 + βv2,

ε0ε1 = f3 + αu3 + βv3,

⇓(f1 + αu1 + βv1)(f2 + αu2 + βv2) = f3 + αu3 + βv3

This is a new equation in α, β



TWO ITERATIONS RESULT

THEOREM. [D. GOMEZ AND J. G. AND A. IBEAS (2006)]

For a prime P and natural numbers ∆, ∆1, there is a setV(∆,∆1) ⊂ ZP of cardinality

#V(∆,∆1) = O

((∆7∆4

1)

P 3

)

with the following property. Given N, P0, Q0, ∆1 and ∆, whereN = PQ, P0 is a ∆-approximation of P and Q0 a ∆1-approximation ofQ then if Q 6∈ V(∆,∆1) there is an algorithm such that recover P andQ in polynomial time in the size of N .



PRACTICAL APPLICATION: TWO ITERATIONS

P ≡ Q ≡√N , then O

((∆7∆4

1)P 3

)< P implies 3/10 logN < h

P,Q ≡ 21000

This method requires :636 bits of P .

The dimension of the lattice is 8.

For the same known bits, Coppersmith method requiresa lattice of dimension 199.



NUMERICAL RESULTS

Bits of P Bits of Q Bits known Iterations Time100 100 66 1 3.675 sec100 100 60 2 10.271 sec512 512 306 2 11.392 sec512 512 300 3 14.025 sec512 512 292 3 15.339 sec1024 1024 624 2 7.240 sec1024 1024 600 3 29. 357 sec1024 1024 580 3 1 m. 35 sec


LINEAR GENERATOR

over

ELLIPTIC CURVES


Linear generators over elliptic curves

STREAM CIPHERS

A B

Insecure channel

m m⊕ k m⊕ k m

k = · · ·



LINEAR CONGRUENTIAL GENERATOR

a ∈ F∗p, c ∈ Fp

u0 ∈ Fp (seed)

un+1 ≡p aun + c

k = · · ·

u0 u1 u2



LINEAR GENERATOR ON ELLIPTIC CURVES

This generator employs the usualabelian group operation (⊕) on theset of points of an elliptic curve:

A prime p.

An elliptic curveE : Y 2 = X3 + AX2 +B over Fp.

The seed U0 ∈ E.

The parameter G ∈ E, which we callcomposer .

Un+1 = Un ⊕G,∀n ≥ 0.



LINEAR GENERATOR ON ELLIPTIC CURVES

Toy example with a 7-periodic generator inan elliptic curve with 35points over F31.

E : Y 2 = X3 −X2 + 1

Un+1 = n(5, 11)⊕ (8, 3)



CRYPTOGRAPHICALLY SECURE GENERATOR

A PRBG is cryptographically secure if there is no polynomial timealgorithm which on input of the first l bits of an output sequence s canpredict the (l + 1)st bit of s with probability significant greater than 1/2.

[YAO (1982)], [ BLUM AND BLUM AND SHUB (1998)]

k = · · ·

u0 u1 u2



CRYPTOGRAPHICALLY SECURE GENERATOR

A PRBG is cryptographically secure if there is no polynomial timealgorithm which on input of the first l bits of an output sequence s canpredict the (l + 1)st bit of s with probability significant greater than 1/2.

[YAO (1982)], [ BLUM AND BLUM AND SHUB (1998)]

k =

ε0 ε1 ε2

· · ·

u0 u1 u2

[S. BLACKBURN AND D. GOMEZ AND J. G. AND I. SHPARLINSKI (2005)]

[D. GOMEZ AND J. G. AND A. IBEAS (2006)], [KNUTH (1985)]LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.43/72


METHOD SKETCHWe assume access to:

Approximations W0,W1 to the first two values U0, U1:Ui = (xi, yi),Wi = (αi, βi),xi = αi + ei, yi = βi + fi, |ei|, |fi| ≤ ∆.

The composer G = (xG, yG).

From U0 ⊕G = U1 when U0 6∈ {G,−G} , we obtain (over Fp ):

x3G + x1x2G − x0x

2G − 2x1xGx0 − xGx

20 + x30 + 2yGy0 + x1 = 0,

y1xG − y1x0 − yGx0 + yGx1 − y0x1 + y0xG = 0.



METHOD SKETCHTranslate previous equations into a linear system in theapproximation errors e0, e1, f0, f1.

Find the smaller integer solution to the system (CVP)

Check if the obtained solution is valid.

THEOREM. [J. G. AND A. IBEAS (2007)]

If the algorithm outputs a wrong solution, the first coordinatex0 of the first value must satisfy a certain equation. Thisleads to the bound O(∆6) for the possibilities for x0 in afailure example. So, when ∆ < p1/6 we can expect with highprobability the success of the guessing algorithm.



UNKNOWN COMPOSERWe take three approximations Wi = (αi, βi) to any threevalues (consecutive or not): Ui = (xi, yi)

y2i = x3i + Axi + B, i = 0, 1, 2.

Eliminating the curve parameters A,B and assuming thatU0 6∈ {U1,−U1} (that is, x0 6= x1), we obtain the followingequation:

−y22x1+y22x0+x32x1−x32x0−x2y20+x2x30+x2y

21−x2x31−y21x0+x31x0+x1y

20−

Substituting xi = αi + ei, yi = βi + fi for i = 0, 1, 2, we obtaina threshold of p1/46 for the tolerance below wich we canexpect successful guessing.



SMALL ROOTS OF MODULAR POLYNOMIALS

THEOREM. [J. G. (2007)]

There exists an algorithm with the following properties. Let p be a prime

number and ∆ a positive integer such that p > ∆ ≥ 1. Let

f(X,Y ) =∑m1,m2

i=0,j=0 ai,jXiY j ∈ Fp[X,Y ] be an irreduclible

polynomial of degree m1 ≥ 2 in X and degree m2 ≥ 2 in Y over Fp.

The algorithm, when given f and ∆-approximations w0, w1 to v0, v1

where f(v0, v1) ≡ 0 mod p, recovers v0, v1 in time polynomial in

m1,m2 and log q provided that v0 does not lie in a certain set V(f) ⊆ Fp

of cardinality:

V(f) = (2√(m1 + 1)(m2 + 1)λ(m1+1)(m2+1))

(m1+1)(m2+1)∆ωm1,m2

ωm1,m2 =m2

1

2(2m2 + 1) +

m22

2(2m1 + 1) +m1m2.


IDEAL DECOMPOSITION

and

INTERMEDIATE FIELDS


Ideal decomposition and intermediate fields

THE PROBLEM

Given:f(x) polynomial in Q[x]

Find:g(x), h(x), f(x) ∈ Q[x] verifying

f(x)f(x) = g(h(x)),

1 < deg g, deg h < deg f.



POLYNOMIAL DECOMPOSITION AND RATIONAL SUBFIELDSIf deg f = 0, then

f(x) = g(h(x)).Luroth’s Theorem. [A. SCHINZEL (1982)]Let F be a field such that K ⊂ F ⊂ K(x1, . . . , xn) andtr.deg.(F/K) = 1. Then there exists h ∈ K(x1, . . . , xn) such thatF = K(h). Also, if the field contains a polynomial, then a polynomialgenerator exists.

{[(g, h)] : f = g(h)} ←→ {F : K(f) ⊂ F ⊂ K(x)}[(g, h)] ←→ F = K(h).

[LANDAU-KOZEN-VON ZUR GATHEN (19889)], [GIESBRECHT (1990)],

[J. G. AND R. RUBIO AND D. SEVILLA (98-2005)]LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.50/72


ALGEBRAIC SUBFIELDSIf f(x) is irreducible and f(α) = 0, then the followingstatements are equivalent:

f is an ideal decomposable.

GalQ(f) acts imprimitively on the roots of f .

A proper subfield, Q(β), exists with

Q ⊂ Q(β) ⊂ Q(α).

{[(f , g, h)] : ff = g(h)} ←→ {F : Q ⊂ F ⊂ Q(α)}[(f , g, h)

]←→ F = Q(h(α)).

[S. LANDAU AND G. MILLER (1985)], [J. KLUNERS AND M. POHST (1997)][J. G. AND D. SEVILLA (2006)]



THE ALGORITHMWe divide the problem into two parts:

1. Compute candidates polynomial h(x).

2. Given f(x) and h(x), compute (if it exists) f(x), g(x) :

f(x)f(x) = g(h(x))

Compute f(x), g(x) from f(x) and h(x) is solving alinear system of equations.

The hard part is compute h(x).



THE BASIC IDEAFrom

f(x)f(x) = g(h(x)),

There are two distintict roots of f(x), say αi and αj for which

h(αi) = h(αj)

h(x) =∑s

k=1 hkxk ∈ Z[x] for some s with: 1 < s < deg f

Find the coefficients h1, h2, . . . , hs in Z satisfying

h1(αi − αj) + h2(α2i − α2

j ) + · · · + hs(αsi − αs

j).



INTEGER RELATIONSA nonzero vector h = (h1, . . . , hs) ∈ Zs is called an INTEGER

RELATION for the real numbers γ1, . . . , γs if

h1γ1 + · · · + hsγs = 0.

Given γ1, . . . , γs complex numbers approximating to thealgebraic numbers γ1, . . . , γs, and a parameter ǫ

either finds an integer relation for γ1, . . . , γs or

proves that no relation of Euclidean length shorterthan 1/ǫ exists.



INTEGER RELATIONS AMONG ALGEBRAIC NUMBERS

L([b1| · · · |bs]) ⊂ Qs+2 the lattice spanned

b1= (1, 0, . . . , 0, C ·Re(γ1), C · Im(γ1))...

bs= (0, . . . , 0, 1, C ·Re(γs), C · Im(γs)

C is a large integer depend on ǫ, the height of (γ1, . . . , γs)and [Q(γ1, . . . , γs) : Q].

Let b be the first vector of the LLL-basis:b = (m1, . . . ,ms, C ·

∑si=1miRe(γi), C ·

∑si=1miIm(γi)).

If ‖b‖ < 2n/ǫ2, then (m1, . . . ,ms) is a solution.Otherwise, no solution shorter than 1/ǫ exists.

[J. HASTAD AND B. JUST AND J. LAGARIAS AND C. SCHNORR (1989)]



BOUNDS ON THE COEFFICIENTS OF h(x)

Given a non-trivial ideal decomposition of polyno-mial f ∈ Z[x], i.e

f(x)f(x) = g(h(x))find an upper bound on the height Ht(h(x)) ofh(x).

POLYNOMIAL DECOMPOSITION, i.e., f(x) = 1, thenHt(h(x)) < CHt(f(x)).

If f(x) is irreducible: [J. DIXON (1990)], [J. MCKAY (1996)],

Ht(h(x)) < CHt(f(x))deg f ,

where C is a constant

In general, ???LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.56/72

CAYLEY GRAPHS

of

CYCLIC GROUPS


Cayley graphs of cyclic groups

CIRCULANT DI-GRAPHS

Vertices : G = (ZN ,+)

Edges - Set of jumps H = {j1, . . . , jr}0

1

2

3

45

6

7

8

9

N = 10

H = {1, 3}

(x, x+ ji mod N),

x ∈ ZN , 1 ≤ i ≤ r

Connected graph : gcd(j1, . . . , jr, N) = 1LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.58/72


ADJANCENCY MATRIXCirculant Matrix :

RN =

0 1

1. . . 0

1

CN (j1, . . . , jr),

r∑

i=1

RjiN

Undirected : CN (±j1, . . . ,±jr)

01

2

3

45

6

7

8

9



DISTRIBUTED LOOP COMPUTER NETWORKSApplication to distributing an parallel computation.

A extremely simple description.

O (r logN)

small diameter.

Routing algorithms and fault tolerance.

The two jump case is widely studied.

[C. K. WONG AND D. COPPERSMITH (1974)]

[J.C. BERMOND AND F. COMELLAS AND D. F. HSU (1995)]



PATHS IN A CIRCULANT

Directed Undirected

x = (x1, . . . , xr) ∈ Nr x = (x1, . . . , xr) ∈ Zr

01

2

3

45

6

7

8

90

1

2

3

45

6

7

8

9

(2,2) (1,-1)



THE LATTICE OF A CIRCULANT GRAPHGiven the jumps j1, . . . , jr and the number of nodes N :

LC = {(x1, . . . , xr) ∈ Zr : j1x1+ · · ·+ jrxr ≡ 0 mod N.}

A shortest path from node α to node β:

Undirected : x = (x1, . . . , xr) ∈ LC (with minimal ‖x‖1 ).

Directed: x = (x1, . . . , xr) ∈ LC⋂Nr (with minimal ‖x‖1)

r∑

i=1

xiji ≡ α− β mod N.



SHORTEST PATH FOR TWO JUMPS

01

2

3

45

6

7

8

9



PATH DESCRIPTION

CN (a, b)

w = (x1, x2) / ax1 + bx2 ≡ c mod N

L := {x ∈ Z2 / ax1 + bx2 ≡ 0 mod N}CA(c) = w + L

The total amount of jumps of the path w is ‖w‖1.



THE COMPLEXITYTHEOREM. [D. GOMEZ AND J. G. AND A. IBEAS (2005)]

INPUT: a, b,N, c

Description of the set of paths CA(c).w + Z < u,v > O(logN)

Recduction of the basis L.w + Z < u,v > O(logN)

Iterative reduction.w′ O(logN)

Discrete searching.w′′ O(1)

O(log2N log logN log log logN))



THE POLYNOMIAL IDEAL OF A LATTICE

IL := ( xa+ − xa−: a ∈ L ) ⊂ K[X1, . . . , Xr].

a = a+ − a− = (a1, . . . , ar) ∈ Zr, a+ = (a+1 , . . . , a+r ),

a+i = max{ai, 0}, a− = (a−1 , . . . , a−r ), a

−i = max{−ai, 0}.

[B. STURMFELS AND R. WEISMANTEL AND G. M. ZIEGLER (1995)]


ILC= ( xN1 xN2 · · · xNr − 1, xa+ − xa−

, (a ∈ S) ),

S = {(Nα1, . . . , Nαr), (α1j1 − 1, α2j2, . . . , αrjr),

(α1j1, α2j2 − 1, . . . , αrjr), . . . , (α1j1, . . . , αr−1jr−1αrjr − 1)}.αi ∈ Z, (i = 1, . . . , r), 1 = α1j1 + · · · + αrjr + βN



GROEBNER BASES AND ROUTING


Fixed any grade monomial ordering ≺:Let G be a Gröbner basis of ILC

with respcet ≺ and c a pathfrom 0 to j ∈ ZN .

The normal form ofxc − 1

with respect G isxd − 1,

where d is a shortest path.


GROEBNER BASES

and

LLL-REDUCED BASES


Groebner Bases and LLL-reduced bases

GROEBNER BASIS VERSUS LLL-REDUCED BASIS

Definition Let I be an ideal of K[x1, . . . , xn].G = {g1, . . . , gs} ⊂ I is a Groebner Basis if and only if ∀f ∈ I

f =∑s

i=1 figi with fi ∈ K[x1, . . . , xn], gi ∈ G andlm(f) ≥ lm(figi)





f =∑s


Definition Let L be a lattice of Zn. G = {b1, . . . ,bs} ⊂ L is aG-Reduced Basis if and only if ∀v ∈ L

x =∑s

i=1 αibi with αi ∈ Z, bi ∈ G and ‖x‖ ≥ ‖αibi‖





f =∑s


Definition Let L be a lattice of Zn. G = {b1, . . . ,bs} ⊂ L is aG-Reduced Basis if and only if ∀v ∈ L

x =∑s

i=1 αibi with αi ∈ Z, bi ∈ G and ‖x‖ ≥ ‖αibi‖

LLL-Reduced 6⇒ G-reduced




THEOREM [D. GOMEZ (2005)]Let {b1, . . . ,bs} be a LLL reduced basis of a lattice L with repect to δ,1/4 < δ < 1. Let x ∈ L such that:

x = α1b1 + · · · + αsbs,

then we have the following inequality:

‖αibi‖ ≤ 23s‖x‖,for all i = 1, ..., s.


Documents

On the cryptographic applications of Gr obner bases and ...ssdnm.mimuw.edu.pl/pliki/wyklady/skrypt-gutierrez.pdf · The lectures will be primarily focused on the algorithmic aspects