• Home

  • Science

  • Attacks on RSA using Lattice reduction techniques (LLL)
58
Lattice Reduction Techniques To Attack RSA David Wong March 2015 University of Bordeaux

Attacks on RSA using Lattice reduction techniques (LLL)

Embed Size (px)

Citation preview

Page 1: Attacks on RSA using Lattice reduction techniques (LLL)

Lattice Reduction Techniques To Attack

RSADavid Wong

March 2015

University of Bordeaux

Page 2: Attacks on RSA using Lattice reduction techniques (LLL)
Page 3: Attacks on RSA using Lattice reduction techniques (LLL)
Page 4: Attacks on RSA using Lattice reduction techniques (LLL)
Page 5: Attacks on RSA using Lattice reduction techniques (LLL)
Page 6: Attacks on RSA using Lattice reduction techniques (LLL)

ATTACKS

Page 7: Attacks on RSA using Lattice reduction techniques (LLL)

Attacks on the Implementation or the Mathematics.

•Recover the plaintext•Recover the private key

Page 8: Attacks on RSA using Lattice reduction techniques (LLL)

A Relaxed Model

• We know a part of the message• We know an approximation of one of

the prime• The private exponent is too small

Page 9: Attacks on RSA using Lattice reduction techniques (LLL)

LATTICE

Page 10: Attacks on RSA using Lattice reduction techniques (LLL)
Page 11: Attacks on RSA using Lattice reduction techniques (LLL)
Page 12: Attacks on RSA using Lattice reduction techniques (LLL)
Page 13: Attacks on RSA using Lattice reduction techniques (LLL)
Page 14: Attacks on RSA using Lattice reduction techniques (LLL)
Page 15: Attacks on RSA using Lattice reduction techniques (LLL)
Page 16: Attacks on RSA using Lattice reduction techniques (LLL)

COPPERSMITH

Page 17: Attacks on RSA using Lattice reduction techniques (LLL)
Page 18: Attacks on RSA using Lattice reduction techniques (LLL)

« le password du jour : cupcake »

Page 19: Attacks on RSA using Lattice reduction techniques (LLL)

« le password du jour : cupcake »

Page 20: Attacks on RSA using Lattice reduction techniques (LLL)
Page 21: Attacks on RSA using Lattice reduction techniques (LLL)

HOWGRAVE-GRAHAM

Page 22: Attacks on RSA using Lattice reduction techniques (LLL)

HOWGRAVE-GRAHAM

Page 23: Attacks on RSA using Lattice reduction techniques (LLL)
Page 24: Attacks on RSA using Lattice reduction techniques (LLL)

LLL reduction:• It only does integer linear

operations on the basis vectors

• The shortest vector of the output basis is bound

Page 25: Attacks on RSA using Lattice reduction techniques (LLL)
Page 26: Attacks on RSA using Lattice reduction techniques (LLL)
Page 27: Attacks on RSA using Lattice reduction techniques (LLL)

Those polynomials achieve two things:• They have the same root 𝑥0 but modulo 𝑁𝑚

• Each iteration introduce a new monomial

Page 28: Attacks on RSA using Lattice reduction techniques (LLL)
Page 29: Attacks on RSA using Lattice reduction techniques (LLL)
Page 30: Attacks on RSA using Lattice reduction techniques (LLL)
Page 31: Attacks on RSA using Lattice reduction techniques (LLL)
Page 32: Attacks on RSA using Lattice reduction techniques (LLL)
Page 33: Attacks on RSA using Lattice reduction techniques (LLL)
Page 34: Attacks on RSA using Lattice reduction techniques (LLL)
Page 35: Attacks on RSA using Lattice reduction techniques (LLL)
Page 36: Attacks on RSA using Lattice reduction techniques (LLL)

COPPERSMITH

Page 37: Attacks on RSA using Lattice reduction techniques (LLL)

BONEH-DURFEE

Page 38: Attacks on RSA using Lattice reduction techniques (LLL)
Page 39: Attacks on RSA using Lattice reduction techniques (LLL)
Page 40: Attacks on RSA using Lattice reduction techniques (LLL)
Page 41: Attacks on RSA using Lattice reduction techniques (LLL)
Page 42: Attacks on RSA using Lattice reduction techniques (LLL)
Page 43: Attacks on RSA using Lattice reduction techniques (LLL)
Page 44: Attacks on RSA using Lattice reduction techniques (LLL)
Page 45: Attacks on RSA using Lattice reduction techniques (LLL)

HOWGRAVE-GRAHAM

Page 46: Attacks on RSA using Lattice reduction techniques (LLL)
Page 47: Attacks on RSA using Lattice reduction techniques (LLL)
Page 48: Attacks on RSA using Lattice reduction techniques (LLL)
Page 49: Attacks on RSA using Lattice reduction techniques (LLL)
Page 50: Attacks on RSA using Lattice reduction techniques (LLL)

HERRMAN AND MAY: UNRAVELLED LINEARIZATION

Page 51: Attacks on RSA using Lattice reduction techniques (LLL)
Page 52: Attacks on RSA using Lattice reduction techniques (LLL)
Page 53: Attacks on RSA using Lattice reduction techniques (LLL)

BONEH-DURFEE BOUND

Page 54: Attacks on RSA using Lattice reduction techniques (LLL)

CONCLUSIONS

Page 55: Attacks on RSA using Lattice reduction techniques (LLL)
Page 56: Attacks on RSA using Lattice reduction techniques (LLL)
Page 57: Attacks on RSA using Lattice reduction techniques (LLL)
Page 58: Attacks on RSA using Lattice reduction techniques (LLL)

Lattice Basis Reduction techniques based on the LLL algorithmtonchev/Khadka.pdf · 1 Introduction 2 Goal 3 Basis Reduction 4 Lattice Diffusion and Sublattice Fusion Algorithm 5 Hill

Lattice Basis Reduction techniques based on the LLL algorithmtonchev/Khadka.pdf · 1 Introduction 2 Goal 3 Basis Reduction 4 Lattice Diffusion and Sublattice Fusion Algorithm 5 Hill

Documents
Bal K. Khadka and Spyros S. Magliveras arXiv:1702.03364v1 ... · reduce a lattice basis B. If we apply LLL lattice basis reduction after randomly (or systematically) reordering the

Bal K. Khadka and Spyros S. Magliveras arXiv:1702.03364v1 ... · reduce a lattice basis B. If we apply LLL lattice basis reduction after randomly (or systematically) reordering the

Documents
lll lll lll lll lll lll ll l - Oriental Institute · PDF fileCHICAGO DEMOTIC DICTIONARY L (29 JUNE 2001): 01.1 CDD L (01.1): Page 5 E? G Wadi Ham 1, 4 e Á w. extended meaning

lll lll lll lll lll lll ll l - Oriental Institute · PDF fileCHICAGO DEMOTIC DICTIONARY L (29 JUNE 2001): 01.1 CDD L (01.1): Page 5 E? G Wadi Ham 1, 4 e Á w. extended meaning

Documents
LLL lattice basis reduction algorithm · algebra methods and matrix properties for the LLL algorithm. I won’t give a complete and precise view of the lattice theory but favor the

LLL lattice basis reduction algorithm · algebra methods and matrix properties for the LLL algorithm. I won’t give a complete and precise view of the lattice theory but favor the

Documents
ll!lll~lll~lllljlll~IIIIJIII ~llljlllljllllllll~llljiiiiJ ......ll!lll~lll~lllljlll~IIIIJIII ~llljlllljllllllll~llljiiiiJ~I!IIIIjlllljlllljlllljllll!ll ANNUAL STATEMENT For the Year

ll!lll~lll~lllljlll~IIIIJIII ~llljlllljllllllll~llljiiiiJ ......ll!lll~lll~lllljlll~IIIIJIII ~llljlllljllllllll~llljiiiiJ~I!IIIIjlllljlllljlllljllll!ll ANNUAL STATEMENT For the Year

Documents
llll~ll~llulllll~~lulll~lll~lll~lll~~ll · .’ llll~ll~llulllll~~lulll~lll~lll~lll~~ll '535.0060 . HSS: jlh Mr. Gordon P. Adelnan Mr. Itchest 23. Gustafson Legal Section (916) 445-4982

llll~ll~llulllll~~lulll~lll~lll~lll~~ll · .’ llll~ll~llulllll~~lulll~lll~lll~lll~~ll '535.0060 . HSS: jlh Mr. Gordon P. Adelnan Mr. Itchest 23. Gustafson Legal Section (916) 445-4982

Documents
lll VERANSTALTUNGEN l SOCIAL ACTIVITIES lll · lll VERANSTALTUNGEN l SOCIAL ACTIVITIES lll HEFT NR: ... 'Battle Hymn of the Republic'. A ... Oscar Peterson, is called 'Hymn to songs,

lll VERANSTALTUNGEN l SOCIAL ACTIVITIES lll · lll VERANSTALTUNGEN l SOCIAL ACTIVITIES lll HEFT NR: ... 'Battle Hymn of the Republic'. A ... Oscar Peterson, is called 'Hymn to songs,

Documents
Formalizing the LLL Basis Reduction Algorithm and the LLL ... · factorization · Shortest vector problem · Verified LLL implementation 1Introduction The LLL basis reduction algorithm

Formalizing the LLL Basis Reduction Algorithm and the LLL ... · factorization · Shortest vector problem · Verified LLL implementation 1Introduction The LLL basis reduction algorithm

Documents
New RSA Vulnerabilities Using Lattice Reduction Methodsdmst/teaching/... · 1 Introduction 6 2 RSA and Lattices 13 ... RSA encryption function are indeed one-way functions. Even worse,

New RSA Vulnerabilities Using Lattice Reduction Methodsdmst/teaching/... · 1 Introduction 6 2 RSA and Lattices 13 ... RSA encryption function are indeed one-way functions. Even worse,

Documents
CRYPTANALYSE DE RSA - Abderrahmane Nitaj · Introduction `a RSA Cryptanalyse de RSA par les fractions continues Cryptanalyse de RSA par l’algorithme LLL Principes de RSA Cryptanalyses

CRYPTANALYSE DE RSA - Abderrahmane Nitaj · Introduction `a RSA Cryptanalyse de RSA par les fractions continues Cryptanalyse de RSA par l’algorithme LLL Principes de RSA Cryptanalyses

Documents
RSA- ,RSA- ,RSA- and RSA- .Thereareprizesforfactoring ...dstinson/CS_758/F13/RSAattacks.pdfOther Attacks on RSA 201 numbers in the new RSA challenge: RSA- ,RSA-,RSA-,RSA-, RSA- ,RSA-

RSA- ,RSA- ,RSA- and RSA- .Thereareprizesforfactoring ...dstinson/CS_758/F13/RSAattacks.pdfOther Attacks on RSA 201 numbers in the new RSA challenge: RSA- ,RSA-,RSA-,RSA-, RSA- ,RSA-

Documents
Using the LLL-algorithm to Break the RSA Cryptosystem

Using the LLL-algorithm to Break the RSA Cryptosystem

Documents
lll lll a llDl DID lll DIII DD lll Dll lDl lD lll 100 lllD ...lll lll a llDl DID lll DIII DD lll Dll lDl lD lll 100 lllD ll Dl lli US 20130169464A1 (19) United States (12) Patent Application

lll lll a llDl DID lll DIII DD lll Dll lDl lD lll 100 lllD ...lll lll a llDl DID lll DIII DD lll Dll lDl lD lll 100 lllD ll Dl lli US 20130169464A1 (19) United States (12) Patent Application

Documents
Lattice and their Cryptologic Applicationspmol/Publications/thesis.pdfoverview of the most representative lattice-based attacks mounted against RSA since its publication. Key Words:

Lattice and their Cryptologic Applicationspmol/Publications/thesis.pdfoverview of the most representative lattice-based attacks mounted against RSA since its publication. Key Words:

Documents
lll Southbound - Indiana 8 Stop 11... · 2019-10-30 · lll 3 Lanes Southbound lll 3 Lanes Northbound lll Edgewood Avenue Under I-69 3 Lanes Northbound lll 4 Lanes Southbound c lll

lll Southbound - Indiana 8 Stop 11... · 2019-10-30 · lll 3 Lanes Southbound lll 3 Lanes Northbound lll Edgewood Avenue Under I-69 3 Lanes Northbound lll 4 Lanes Southbound c lll

Documents
1 LIFELONG LEARNING IN TURKEY. LLL Concept LLL Stakeholders MoNE – LLL Structure DG LLL Vision DG LLL Mission Some Statistics LLL Strategy Paper 2 LIFELONG

1 LIFELONG LEARNING IN TURKEY. LLL Concept LLL Stakeholders MoNE – LLL Structure DG LLL Vision DG LLL Mission Some Statistics LLL Strategy Paper 2 LIFELONG

Documents
Solving RSA Problems with Lattice Reductioncecc08/slides/cecc08_slides...Solving RSA Problems with Lattice Reduction Alexander May Faculty for Mathematics Horst-Görtz Institute Ruhr-University

Solving RSA Problems with Lattice Reductioncecc08/slides/cecc08_slides...Solving RSA Problems with Lattice Reduction Alexander May Faculty for Mathematics Horst-Görtz Institute Ruhr-University

Documents
LLL Annual Report - LLL Australia savings accounts

LLL Annual Report - LLL Australia savings accounts

Documents
Pizza Roulette - OWASP SNI 2 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048

Pizza Roulette - OWASP SNI 2 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048 RSA 2048

Documents
Gauss Sieve on GPUs - RSA Conference Agenda Motivation Lattice-based Cryptography and Cryptanalysis Sieve Algorithm Lifting Technique Parallel Method Results

Gauss Sieve on GPUs - RSA Conference Agenda Motivation Lattice-based Cryptography and Cryptanalysis Sieve Algorithm Lifting Technique Parallel Method Results

Documents
lll lll I I I lI ll I

lll lll I I I lI ll I

Documents
perso.ens-lyon.fr › damien.stehle › epit13 › Euclide-Gauss-EPIT.pdf · Lattice Reduction Algorithms: EUCLID, GAUSS, LLL ...Lattice Reduction Algorithms: EUCLID, GAUSS, LLL Description

perso.ens-lyon.fr › damien.stehle › epit13 › Euclide-Gauss-EPIT.pdf · Lattice Reduction Algorithms: EUCLID, GAUSS, LLL ...Lattice Reduction Algorithms: EUCLID, GAUSS, LLL Description

Documents
ALTO 26 - 2 · 2012. 11. 18. · 26 - 2 by. John Coltrane arr. by Brownman Composed and arranged by Nick (the brownman) Ali, ... 26 l lll lll ll l lll lll ll l lll lll ll =& =====

ALTO 26 - 2 · 2012. 11. 18. · 26 - 2 by. John Coltrane arr. by Brownman Composed and arranged by Nick (the brownman) Ali, ... 26 l lll lll ll l lll lll ll l lll lll ll =& =====

Documents
The LLL Algorithm - Ionica Smeets · 2019-04-24 · Algorithmic Number Theory Symposium (ANTS VII) held in Berlin in July 2006, ... to cryptanalysis: lattice attacks on the RSA cryptosystem,

The LLL Algorithm - Ionica Smeets · 2019-04-24 · Algorithmic Number Theory Symposium (ANTS VII) held in Berlin in July 2006, ... to cryptanalysis: lattice attacks on the RSA cryptosystem,

Documents
insol Package Vignette - meteoexploration · 2014. 8. 19. · l ll llll l lll lll l l ll l ll ll l ll l l ll l ll ll ll l lll lll l lll ll lllllll lll ll ll l l ll lll llll llll lll

insol Package Vignette - meteoexploration · 2014. 8. 19. · l ll llll l lll lll l l ll l ll ll l ll l l ll l ll ll ll l lll lll l lll ll lllllll lll ll ll l l ll lll llll llll lll

Documents
1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

Documents
Lattice Based Attacks on RSA. 2004/9/22Lattice Based Attacks on RSA2 Outline Lattices and Lattice reduction Lattice Based Attacks on RSA Hastad ’ s Attack

Lattice Based Attacks on RSA. 2004/9/22Lattice Based Attacks on RSA2 Outline Lattices and Lattice reduction Lattice Based Attacks on RSA Hastad ’ s Attack

Documents
lll lll lll lll lll lll ll l - The Oriental Institute of ...oi.uchicago.edu/sites/oi.uchicago.edu/files/uploads/shared/docs/... · CHICAGO DEMOTIC DICTIONARY L (29 JUNE 2001): 01.1

lll lll lll lll lll lll ll l - The Oriental Institute of ...oi.uchicago.edu/sites/oi.uchicago.edu/files/uploads/shared/docs/... · CHICAGO DEMOTIC DICTIONARY L (29 JUNE 2001): 01.1

Documents
(lll 1'1: .. ;

(lll 1'1: .. ;

Documents
Lattices and their Applications to RSA Cryptosystem ...pmol/Talks/Thesis_Presentation.pdf · In Cryptology... Lattices have found applications both in Cryptography, where hard lattice

Lattices and their Applications to RSA Cryptosystem ...pmol/Talks/Thesis_Presentation.pdf · In Cryptology... Lattices have found applications both in Cryptography, where hard lattice

Documents