LLL Algorithm:

1. Let B ← SizeReduce(B)
2. Check each b_i in B. If Lovász condition doesn't hold:
   2.1 Swap b_i and b_{i+1} and go to (1)
   2.2 else output B

Function SizeReduce(B) → B:

  1. Compute Gram-Schmidt orthogonalization vectors:
  2. For , do:
    • for , do:
    • Let

After every iteration: , where W is a uni-triangular matrix with just one non-zero off-diagonal entry at .

Also, with

Proof: TODO

To prove: LLL terminates in

  • Each intermediate basis must get closer to the final result in order to prove above statement
  • Thus, “potential argument” is assigned to each basis
  • These statements to prove: a) potential of starting basis: b) potential of intermediate basis: c) Each iteration reduces potential by (actual)
    • Final time becomes

Potential Function: where

Claim: Initial input basis has at most potential Each intermediate lattice has potential at least 1.

Proof: Second statement is trivial. Notes states every intermediate lattice basis is integral, so . thus

Claim: If , is swapped, then the orthogonalization vector for the new basis is such that for and

Proof:

  • because for because these are the orthogonal components of
  • for , are same with , in reverse order.
  • for component which is orthogonal to , which is equal to

Lemma: If , is swapped, then for resulting basis :

Proof: Exercise for future me.

Above lemma proves LLL terminates and number of iterations = O(N). Although each iteration length depends on bit length of current basis.

Next thing to prove: sizes of all intermediate basis are fixed polynomial in size of original basis.

Another thing to note is that in Lovász just trade-offs approximation factor and number of steps.

Coppersmith’s Theorem: Polynomial-time algorithm to factor polynomial over composite N

Three Important Remarks:

  1. Efficient polynomial-time algorithms exist for factoring polynomials when N is prime (prime field) or when factoring over integers. Thus, Coppersmith’s claim to factor composite N is substantial.
  2. For composite N, number of roots are exponential in the bit length of N, i.e., proof if N = products of k primes. Thus, Coppersmith only finds “short” or small roots.
  3. Algorithm isn’t a solution to factoring. For example: knowing 2 square roots of a square residue modulo N reveals a non-trivial factor of N. Although it is proven that only one factor < exists and thus, not all roots can be found.

Theorem: There is a polynomial-time algorithm that given any d-monic integer polynomial and integer N, outputs all integers s.t. and .

Proof:

  • Part 1 starts with weaker assumption
  • Strategy is to find polynomial h(x) s.t.:
    • every root of f(x) mod N is a root of h(x)
    • polynomial h(Bx) is “short” i.e.

Steps:

Q1: How do we find out if h() = 0 over integers?
Ans:

summing over all

  1. Idea is to add multiples of polynomial to . Adding multiples of N shouldn’t change the roots of .
  2. Construct a lattice basis of degree d+1 with basis vectors corresponding to coefficients of polynomial and .

Q2: why and f(Bx)? why a Bx inside? Idea is to find short lattice vector of this basis and interpret as h(Bx).

  1. . By running LLL, obtain a vector v ∈ L(B) for which from LLL upper bound
  2. Define h(Bx) as the polynomial with coefficients given by v,
  3. Note: as is divided by . Question: Why?
  4. All roots of are also roots of by lattice construction. Why?
  5. . Why?
  6. If we take Q: How does the first inequality arise?

Full Coppersmith Theorem:

Equating in previous part came from creating a basis by adding multiples of to to preserve the roots.

To remove bound on , we will take higher powers of , i.e. for some predetermined such that: a) root of is a root of b) is “short” i.e.

Write a lattice with basis = coefficient of polynomial where , ,

  • and has leading coefficient

Running LLL: Setting (“short”)

I’ll convert these handwritten notes about RSA, Coppersmith’s method, and subset-sum cryptography into properly formatted Markdown with LaTeX. Let me break this down section by section:

RSA & Coppersmith’s Method

Define as the polynomial with coefficients given by .

Theorem: Let have bit length , let , let be padding length. Given two encryptions of message , with distinct pads , one can efficiently recover .

Proof:

  • Let
  • Let

Define two bi-variate polynomials s.t.:

Define resultant of two polynomials which is product of difference of all roots:

Note: For , consider them a polynomial with coefficients in . So, is a polynomial in .

3 Important Remarks:

  1. if have common root
  2. where = square dimension) matrix with entries as shifts of coefficients vectors of and
  3. in and in . According to matrix : in

Attack:

  • Note: is a root of .
  • Run Coppersmith on to obtain a list of “short” vectors, one of which must be
  • Set function . See that . Find the messages as where:

Other attacks:

  • Small decryption exponent
  • Partial secret key exposure
  • Larger powers of prime factors: when
  • ECDSA, EDDSA biased on non-uniform nonces

Subset-Sum Problem / Knapsack Cryptography

Subset-sum: Given integer weights and . Given . Find .

  • Used to encrypt message ‘x’ such that = ciphertext
  • To decrypt easily, a secret “trapdoor” in the weights are added that converts the unknown subset-sum to an easily solvable instance

Take:

  • Super-increasing sequence s.t.
  • Choose some modulus , a uniformly sampled random multiplier and uniformly random permutation on
  • Encryption of message : where
  • Trapdoor:
  • Decryption:

Solve subset-sum for since [true subset-sum]

Lattice Attacks

Density of subset-sum instance:

L083: Efficient algorithm that, given uniformly random where for some and for some arbitrary , outputs with probability over the choice of .

Proof:

  • TL;DR: Form a lattice with vectors parallel to scaled up vectors
  • Prove that is the only “short” vector possible to find from lattice reduction
  • Fix a and estimate probability that this vector not being a multiple of satisfies subset-sum
  • Prove that probability is negligible

The density analysis shows why certain parameters make the system vulnerable to lattice-based attacks. The L083 algorithm demonstrates an efficient method to break subset-sum instances when the parameters fall within specific bounds.

Some key insights from this section:

  1. The security depends heavily on the density of the subset-sum instance
  2. Lattice reduction techniques can be used to find short vectors that reveal the solution
  3. The probability of finding incorrect solutions that satisfy the subset-sum constraint is negligible under certain conditions

References