LLL Algorithm:
1. Let B ← SizeReduce(B)
2. Check each b_i in B. If Lovász condition doesn't hold:
2.1 Swap b_i and b_{i+1} and go to (1)
2.2 else output B
Function SizeReduce(B) → B
:
- Compute Gram-Schmidt orthogonalization vectors:
- For , do:
- for , do:
- Let
After every iteration: , where W is a uni-triangular matrix with just one non-zero off-diagonal entry at .
Also, with
Proof: TODO
To prove: LLL terminates in
- Each intermediate basis must get closer to the final result in order to prove above statement
- Thus, “potential argument” is assigned to each basis
- These statements to prove:
a) potential of starting basis:
b) potential of intermediate basis:
c) Each iteration reduces potential by (actual)
- Final time becomes
Potential Function: where
Claim: Initial input basis has at most potential Each intermediate lattice has potential at least 1.
Proof: Second statement is trivial. Notes states every intermediate lattice basis is integral, so . thus
Claim: If , is swapped, then the orthogonalization vector for the new basis is such that for and
Proof:
- because for because these are the orthogonal components of
- for , are same with , in reverse order.
- for component which is orthogonal to , which is equal to
Lemma: If , is swapped, then for resulting basis :
Proof: Exercise for future me.
Above lemma proves LLL terminates and number of iterations = O(N). Although each iteration length depends on bit length of current basis.
Next thing to prove: sizes of all intermediate basis are fixed polynomial in size of original basis.
Another thing to note is that in Lovász just trade-offs approximation factor and number of steps.
Coppersmith’s Theorem: Polynomial-time algorithm to factor polynomial over composite N
Three Important Remarks:
- Efficient polynomial-time algorithms exist for factoring polynomials when N is prime (prime field) or when factoring over integers. Thus, Coppersmith’s claim to factor composite N is substantial.
- For composite N, number of roots are exponential in the bit length of N, i.e., proof if N = products of k primes. Thus, Coppersmith only finds “short” or small roots.
- Algorithm isn’t a solution to factoring. For example: knowing 2 square roots of a square residue modulo N reveals a non-trivial factor of N. Although it is proven that only one factor < exists and thus, not all roots can be found.
Theorem: There is a polynomial-time algorithm that given any d-monic integer polynomial and integer N, outputs all integers s.t. and .
Proof:
- Part 1 starts with weaker assumption
- Strategy is to find polynomial h(x) s.t.:
- every root of f(x) mod N is a root of h(x)
- polynomial h(Bx) is “short” i.e.
Steps:
Q1: How do we find out if h() = 0 over integers?
Ans:
summing over all
- Idea is to add multiples of polynomial to . Adding multiples of N shouldn’t change the roots of .
- Construct a lattice basis of degree d+1 with basis vectors corresponding to coefficients of polynomial and .
Q2: why and f(Bx)? why a Bx inside? Idea is to find short lattice vector of this basis and interpret as h(Bx).
- . By running LLL, obtain a vector v ∈ L(B) for which from LLL upper bound
- Define h(Bx) as the polynomial with coefficients given by v,
- Note: as is divided by . Question: Why?
- All roots of are also roots of by lattice construction. Why?
- . Why?
- If we take Q: How does the first inequality arise?
Full Coppersmith Theorem:
Equating in previous part came from creating a basis by adding multiples of to to preserve the roots.
To remove bound on , we will take higher powers of , i.e. for some predetermined such that: a) root of is a root of b) is “short” i.e.
Write a lattice with basis = coefficient of polynomial where , ,
- and has leading coefficient
Running LLL: Setting (“short”)
I’ll convert these handwritten notes about RSA, Coppersmith’s method, and subset-sum cryptography into properly formatted Markdown with LaTeX. Let me break this down section by section:
RSA & Coppersmith’s Method
Define as the polynomial with coefficients given by .
Theorem: Let have bit length , let , let be padding length. Given two encryptions of message , with distinct pads , one can efficiently recover .
Proof:
- Let
- Let
Define two bi-variate polynomials s.t.:
Define resultant of two polynomials which is product of difference of all roots:
Note: For , consider them a polynomial with coefficients in . So, is a polynomial in .
3 Important Remarks:
- if have common root
- where = square dimension) matrix with entries as shifts of coefficients vectors of and
- in and in . According to matrix : in
Attack:
- Note: is a root of .
- Run Coppersmith on to obtain a list of “short” vectors, one of which must be
- Set function . See that . Find the messages as where:
Other attacks:
- Small decryption exponent
- Partial secret key exposure
- Larger powers of prime factors: when
- ECDSA, EDDSA biased on non-uniform nonces
Subset-Sum Problem / Knapsack Cryptography
Subset-sum: Given integer weights and . Given . Find .
- Used to encrypt message ‘x’ such that = ciphertext
- To decrypt easily, a secret “trapdoor” in the weights are added that converts the unknown subset-sum to an easily solvable instance
Take:
- Super-increasing sequence s.t.
- Choose some modulus , a uniformly sampled random multiplier and uniformly random permutation on
- Encryption of message : where
- Trapdoor:
- Decryption:
Solve subset-sum for since [true subset-sum]
Lattice Attacks
Density of subset-sum instance:
L083: Efficient algorithm that, given uniformly random where for some and for some arbitrary , outputs with probability over the choice of .
Proof:
- TL;DR: Form a lattice with vectors parallel to scaled up vectors
- Prove that is the only “short” vector possible to find from lattice reduction
- Fix a and estimate probability that this vector not being a multiple of satisfies subset-sum
- Prove that probability is negligible
The density analysis shows why certain parameters make the system vulnerable to lattice-based attacks. The L083 algorithm demonstrates an efficient method to break subset-sum instances when the parameters fall within specific bounds.
Some key insights from this section:
- The security depends heavily on the density of the subset-sum instance
- Lattice reduction techniques can be used to find short vectors that reveal the solution
- The probability of finding incorrect solutions that satisfy the subset-sum constraint is negligible under certain conditions