Lattice Based Attacks on RSA
2004/9/22

Outline
- Lattices and Lattice reduction
- Lattice Based Attacks on RSA
- Hastad’s Attack
- Franklin-Reiter Attack
- Extension to Wiener’s Attack
Lattices and Lattice reduction

Given a set of m linearly independent vectors $\{b_1,\dots,b_m\}$ in $\mathbb{R}^n$.
The set of all real linear combinations of these vectors,
$$V = \Big\{ \sum_{i=1}^{m} a_i b_i : a_i \in \mathbb{R} \Big\},$$
is a vector subspace.
Gram-Schmidt process: takes one basis $\{b_1,\dots,b_m\}$ and produces a basis $\{b_1^*,\dots,b_m^*\}$ which is pairwise orthogonal.
$$b_1^* = b_1,$$
$$\mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle} \quad \text{for } 1 \le j < i \le m,$$
$$b_i^* = b_i - \sum_{j=1}^{i-1} \mu_{i,j}\, b_j^*.$$
Example: $b_1 = (2, 0)$ and $b_2 = (1, 1)$.
$$b_1^* = b_1 = (2, 0),$$
$$\mu_{2,1} = \frac{\langle b_2, b_1^* \rangle}{\langle b_1^*, b_1^* \rangle} = \frac{2}{4} = \frac{1}{2},$$
$$b_2^* = b_2 - \mu_{2,1} b_1^* = (1, 1) - \tfrac{1}{2}(2, 0) = (0, 1).$$
Given a set of basis vectors $\{b_1,\dots,b_m\}$ in $\mathbb{R}^n$, with $m \le n$.
A lattice
$$L = \Big\{ \sum_{i=1}^{m} a_i b_i : a_i \in \mathbb{Z} \Big\}$$
is the set of all integer linear combinations of the $b_i$.
Definition 1:
A basis $\{b_1,\dots,b_m\}$ is called LLL reduced if the associated Gram-Schmidt basis $\{b_1^*,\dots,b_m^*\}$ satisfies
$$|\mu_{i,j}| \le \frac{1}{2} \quad \text{for } 1 \le j < i \le m,$$
$$\|b_i^*\|^2 \ge \Big(\frac{3}{4} - \mu_{i,i-1}^2\Big) \|b_{i-1}^*\|^2 \quad \text{for } 1 < i \le m.$$
For all non-zero $x \in L$, we have
$$\|b_1\| \le 2^{(m-1)/2} \|x\|,$$
$$\|b_1\| \le 2^{m/4} \det(B^T B)^{1/(2m)},$$
where $B$ is the matrix whose rows are the basis vectors $b_1,\dots,b_m$.
Lattice Based Attacks on RSA

Original problem: Given a polynomial
$$f(x) = f_0 + f_1 x + \dots + f_{d-1} x^{d-1} + x^d$$
over the integers of degree d and the side information that there exists a root $x_0$ modulo N which is small, say $|x_0| < N^{1/d}$, can one efficiently find the small root $x_0$?
The answer is YES.
Basic idea: find a polynomial $h(x) \in \mathbb{Z}[x]$ s.t. $h(x_0) = f(x_0) = 0 \pmod N$, and
$$\|h\| = \sqrt{\sum_{i=0}^{\deg(h)} h_i^2}$$
should be small.
Lemma 2:
Let $h(x) \in \mathbb{Z}[x]$ be of degree at most n and let X and N be positive integers.
Suppose $\|h(xX)\| < N/\sqrt{n}$. Then if $|x_0| < X$ satisfies $h(x_0) = 0 \pmod N$, $h(x_0) = 0$ holds over the integers and not just modulo N.
$f(x_0) = 0 \pmod N \;\Rightarrow\; f(x_0)^k = 0 \pmod{N^k}$.
For some given value of m, set
$$g_{u,v}(x) = N^{m-v}\, x^u f(x)^v;$$
then $g_{u,v}(x_0) = 0 \pmod{N^m}$ for all $0 \le u < d$ and $0 \le v \le m$.
$$h(x) = \sum_{u=0}^{d-1} \sum_{v=0}^{m} a_{u,v}\, g_{u,v}(x).$$
We wish to find $a_{u,v}$ s.t. h satisfies
$$\|h(xX)\| < \frac{N^m}{\sqrt{d(m+1)}}.$$
Example: $f(x) = x^2 + ax + b$; we wish to find an $x_0$ s.t. $f(x_0) = 0 \pmod N$.
Set m = 2:
$$g_{0,0}(xX) = N^2,$$
$$g_{1,0}(xX) = XN^2 x,$$
$$g_{0,1}(xX) = bN + aXN x + NX^2 x^2,$$
$$g_{1,1}(xX) = bNX x + aNX^2 x^2 + NX^3 x^3,$$
$$g_{0,2}(xX) = b^2 + 2baX x + (a^2 + 2b) X^2 x^2 + 2aX^3 x^3 + X^4 x^4,$$
$$g_{1,2}(xX) = b^2 X x + 2baX^2 x^2 + (a^2 + 2b) X^3 x^3 + 2aX^4 x^4 + X^5 x^5.$$
The coefficient vectors of these six polynomials, taken as rows (column i holds the coefficient of $x^i$), form the basis matrix
$$A = \begin{pmatrix}
N^2 & 0 & 0 & 0 & 0 & 0 \\
0 & N^2 X & 0 & 0 & 0 & 0 \\
bN & aNX & NX^2 & 0 & 0 & 0 \\
0 & bNX & aNX^2 & NX^3 & 0 & 0 \\
b^2 & 2abX & (a^2 + 2b)X^2 & 2aX^3 & X^4 & 0 \\
0 & b^2 X & 2abX^2 & (a^2 + 2b)X^3 & 2aX^4 & X^5
\end{pmatrix}$$
$\det(A) = N^6 X^{15}$, so the first vector $b_1$ of an LLL reduced basis satisfies
$$\|b_1\| \le 2^{6/4} \det(A)^{1/6} = 2^{3/2} N X^{5/2}.$$
Writing $b_1$ in terms of the rows of A, with coefficients $b_1^{(1)},\dots,b_1^{(6)}$, gives
$$h(x) = b_1^{(1)} g_{0,0}(x) + b_1^{(2)} g_{1,0}(x) + \dots + b_1^{(6)} g_{1,2}(x),$$
$$\|h(xX)\| = \|b_1\| \le 2^{3/2} N X^{5/2} < \frac{N^2}{\sqrt{6}} \quad \text{(whenever } X^{5/2} < N/(2^{3/2}\sqrt{6})\text{)},$$
so by Lemma 2 (with $N^2$ as the modulus and n = 6), $\|h(xX)\| < N^2/\sqrt{6}$ gives $h(x_0) = 0$ over the integers.
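The pieces above in one runnable form: the Gram-Schmidt example of slide 5, Definition 1 and the LLL bound of slides 7-8, and the m = 2 lattice of slides 14-16. This is an added example, not code from the original slides. The LLL is the textbook δ = 3/4 variant in exact rational arithmetic, which is fine for a handful of dimensions but not for large ones; the modulus (two primes near 10^6), the coefficients a, b and the root x0 = 12345 are constructed for this demo, and the final scan over |r| < X for integer roots of h is a shortcut that is only reasonable at demo size.

```python
from fractions import Fraction


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """Gram-Schmidt over Q: b_i* = b_i - sum_{j<i} mu[i][j] b_j*, with
    mu[i][j] = <b_i, b_j*> / <b_j*, b_j*>.  Returns (B*, mu); mu[i][i] is set to 1."""
    n = len(basis)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i, b in enumerate(basis):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, bstar[j]) / dot(bstar[j], bstar[j])
            v = [a - mu[i][j] * c for a, c in zip(v, bstar[j])]
        mu[i][i] = Fraction(1)
        bstar.append(v)
    return bstar, mu


def is_lll_reduced(basis, delta=Fraction(3, 4)):
    """Definition 1: |mu_ij| <= 1/2 for j < i, and the Lovasz condition
    ||b_i*||^2 >= (delta - mu_{i,i-1}^2) ||b_{i-1}*||^2 for i > 1."""
    bstar, mu = gram_schmidt(basis)
    for i in range(len(basis)):
        if any(abs(mu[i][j]) > Fraction(1, 2) for j in range(i)):
            return False
        if i and dot(bstar[i], bstar[i]) < (delta - mu[i][i - 1] ** 2) * dot(bstar[i - 1], bstar[i - 1]):
            return False
    return True


def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL: size-reduce row k against the earlier rows, then test the Lovasz
    condition; on failure swap rows k-1 and k and step back."""
    B = [list(v) for v in basis]
    bstar, mu = gram_schmidt(B)
    k = 1
    while k < len(B):
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])                      # nearest integer (exact on Fractions)
            if q:
                B[k] = [a - q * c for a, c in zip(B[k], B[j])]
                for l in range(j):                   # b_k* is unchanged; only mu[k][*] moves
                    mu[k][l] -= q * mu[j][l]
                mu[k][j] -= q
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            bstar, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return B


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def evaluate(p, r):
    acc = 0
    for c in reversed(p):                            # Horner, coefficients low -> high
        acc = acc * r + c
    return acc


def coppersmith_small_root(f, N, X, m):
    """Slides 12-16 in code: f monic (coefficients low -> high) of degree d.  Rows are
    g_{u,v}(xX) = N^(m-v) (xX)^u f(xX)^v for 0 <= u < d, 0 <= v <= m, in the same order as
    the matrix A; LLL gives b_1; dividing column i by X^i recovers h(x).  Returns every
    integer r with |r| < X, h(r) = 0 and f(r) = 0 (mod N)."""
    d = len(f) - 1
    width = d * (m + 1)                              # number of monomials = lattice dimension
    rows, fv = [], [1]                               # fv holds f^v
    for v in range(m + 1):
        for u in range(d):
            g = [0] * u + [N ** (m - v) * c for c in fv]   # N^(m-v) x^u f(x)^v
            g += [0] * (width - len(g))
            rows.append([c * X ** i for i, c in enumerate(g)])
        fv = poly_mul(fv, f)
    b1 = lll_reduce(rows)[0]
    h = [c // X ** i for i, c in enumerate(b1)]      # exact: column i of every row is a multiple of X^i
    # |r| < X is small enough here to scan; a real tool would use integer root finding on h.
    return [r for r in range(-X + 1, X) if evaluate(h, r) == 0 and evaluate(f, r) % N == 0]


# Constructed demo instance (not from the slides): 40-bit modulus, root x0 below X = 2^14.
P_DEMO, Q_DEMO = 1000003, 1000033
N_DEMO = P_DEMO * Q_DEMO
X0_DEMO, A_DEMO = 12345, 987654321
B_DEMO = (-X0_DEMO ** 2 - A_DEMO * X0_DEMO) % N_DEMO   # chosen so that f(x0) = 0 (mod N)
F_DEMO = [B_DEMO, A_DEMO, 1]                           # x^2 + a x + b

if __name__ == "__main__":
    print(coppersmith_small_root(F_DEMO, N_DEMO, 2 ** 14, 2))   # [12345]
```

With X = 2^14 and N ≈ 10^12 the slide's condition $2^{3/2} N X^{5/2} < N^2/\sqrt{6}$ holds with room to spare, so Lemma 2 guarantees that the integer root scan finds x0; pushing X towards $N^{1/2}$ needs larger m (more rows), which is exactly what Theorem 3 trades against running time.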
Theorem 3 (Coppersmith):
Let $f \in \mathbb{Z}[x]$ be a monic polynomial of degree d and let N be an integer.
If there is some root $x_0$ of f modulo N s.t. $|x_0| \le X = N^{1/d - \epsilon}$, then one can find $x_0$ in time polynomial in $\log N$ and $1/\epsilon$, for fixed values of d.
Lemma 4:
Let $h(x, y) \in \mathbb{Z}[x, y]$ be a sum of at most w monomials. Suppose $h(x_0, y_0) = 0 \pmod{N^e}$ for some positive integers N and e, where the integers $x_0$ and $y_0$ satisfy $|x_0| < X$ and $|y_0| < Y$, and
$$\|h(xX, yY)\| < \frac{N^e}{\sqrt{w}}.$$
Then $h(x_0, y_0) = 0$ holds over the integers.
Hastad’s Attack

Given 3 public keys $(N_i, e_i)$ with the same $e_i = 3$.
If a user sent the same message to all 3 public keys
=> can recover the plaintext using CRT.
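The CRT step of Hastad's attack for the unpadded e = 3 case, added here as an example (it is not code from the slides). Because m is below every $N_i$, $m^3 < N_1 N_2 N_3$, so the CRT value is $m^3$ as an ordinary integer and an exact cube root recovers m. The three moduli (products of primes near 10^6) and the message are constructed for this demo. The function returns None when the CRT value is not a cube, which is what happens once the per-recipient prefix of the next slide is in place: that case is why the Coppersmith step is needed, and it is also the property a designer relies on when mandating randomized padding.

```python
from math import prod


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli: the unique x mod prod(moduli)."""
    M = prod(moduli)
    x = 0
    for c, n in zip(residues, moduli):
        Mi = M // n
        x += c * Mi * pow(Mi, -1, n)
    return x % M


def icbrt(n):
    """Floor of the cube root of a non-negative integer, by bisection."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)      # invariant: lo^3 <= n < hi^3
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid
    return lo


def hastad_broadcast(ciphertexts, moduli):
    """e = 3 broadcast of one unpadded message: CRT yields m^3 as an integer, then take
    the cube root.  Returns None if the CRT value is not a perfect cube, i.e. the three
    plaintexts were not literally identical."""
    x = crt(ciphertexts, moduli)
    r = icbrt(x)
    return r if r ** 3 == x else None


# Constructed demo (not from the slides): three toy moduli built from primes near 10^6.
MODULI_DEMO = [1000003 * 1000033, 1000037 * 1000039, 1000081 * 1000099]
M_DEMO = 123456789012                                 # smaller than every modulus
CIPHERTEXTS_DEMO = [pow(M_DEMO, 3, n) for n in MODULI_DEMO]
# Same message with a per-recipient prefix i * 2^h (next slide): CRT no longer yields a cube.
PADDED_DEMO = [pow(i * 2 ** 36 + M_DEMO, 3, n) for i, n in enumerate(MODULI_DEMO, start=1)]

if __name__ == "__main__":
    print(hastad_broadcast(CIPHERTEXTS_DEMO, MODULI_DEMO))   # 123456789012
    print(hastad_broadcast(PADDED_DEMO, MODULI_DEMO))        # None
```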
The user sends one message m to three receivers:
- Receiver 1, public key $(N_1, e)$, gets $c_1 = m^e \bmod N_1$
- Receiver 2, public key $(N_2, e)$, gets $c_2 = m^e \bmod N_2$
- Receiver 3, public key $(N_3, e)$, gets $c_3 = m^e \bmod N_3$
Now we pad some user-specific data before a message m.
For user i, $c_i = (i \cdot 2^h + m)^3 \pmod{N_i}$
=> can still break this system using Hastad’s attack.
$$g_i(x) = (i \cdot 2^h + x)^e - c_i, \quad 1 \le i \le k,$$
$g_i(m) = 0 \pmod{N_i}$.
Set $N = N_1 N_2 \cdots N_k$; using CRT, we can find $t_i$ s.t.
$$g(x) = \sum_{i=1}^{k} t_i\, g_i(x)$$
and $g(m) = 0 \pmod N$.
Using Thm 3 we can recover m in polynomial time.
Franklin-Reiter Attack

Bob sends Alice, whose public key is $(N, e)$, two related messages $m_1, m_2$ with $m_2 = f(m_1) \bmod N$:
$c_1 = m_1^e \bmod N$, $c_2 = m_2^e \bmod N$.
Let $g_1(x) = x^e - c_1$, $g_2(x) = f(x)^e - c_2$.
Let $s(x) = \gcd(g_1(x), g_2(x))$.
$m_1$ is a root of $s(x)$.
Example: $f(x) = ax + b$, $e = 3$:
$g_1(x) = x^3 - c_1 = x^3 - m_1^3$,
$g_2(x) = f(x)^3 - c_2 = f(x)^3 - m_2^3$,
$s(x) = x - m_1$.
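The polynomial gcd of the slide above in code, as an added example (not from the slides): Euclid's algorithm over $\mathbb{Z}_N$ on coefficient lists, applied to $g_1 = x^e - c_1$ and $g_2 = (ax + b)^e - c_2$. The modulus, e = 3, a = 3, b = 17 and m1 are constructed demo values. The lesson for a protocol designer is that any known, deterministic relation between two plaintexts under one key leaks both; this is what randomized padding is there to prevent.

```python
def trim(p):
    """Drop leading zero coefficients (lists are low -> high degree)."""
    while p and p[-1] == 0:
        p.pop()
    return p


def poly_mul(a, b, n):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % n
    return out


def poly_mod(a, b, n):
    """Remainder of a divided by b over Z_n.  The leading coefficient of b must be
    invertible mod n; if it is not, gcd(coefficient, n) reveals a factor of n."""
    a, b = trim([x % n for x in a]), trim([x % n for x in b])
    inv = pow(b[-1], -1, n)
    while len(a) >= len(b):
        coef = a[-1] * inv % n
        shift = len(a) - len(b)
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bi) % n
        trim(a)                                  # the top coefficient is now zero
    return a


def poly_gcd(a, b, n):
    """Euclid's algorithm over Z_n; returns the monic gcd."""
    a, b = trim([x % n for x in a]), trim([x % n for x in b])
    while b:
        a, b = b, poly_mod(a, b, n)
    inv = pow(a[-1], -1, n)
    return [x * inv % n for x in a]


def franklin_reiter(n, e, c1, c2, lin_a, lin_b):
    """g1 = x^e - c1, g2 = f(x)^e - c2 with f(x) = a x + b; gcd(g1, g2) = x - m1."""
    g1 = [(-c1) % n] + [0] * (e - 1) + [1]
    g2 = [1]
    for _ in range(e):
        g2 = poly_mul(g2, [lin_b, lin_a], n)
    g2[0] = (g2[0] - c2) % n
    s = poly_gcd(g1, g2, n)
    if len(s) != 2:
        raise ValueError("gcd is not linear; the messages are not related by f")
    return (-s[0]) % n                           # s(x) = x - m1


# Constructed demo (not from the slides): toy 40-bit modulus, e = 3, m2 = 3*m1 + 17.
N_DEMO = 1000003 * 1000033
E_DEMO, A_DEMO, B_DEMO = 3, 3, 17
M1_DEMO = 42424242
M2_DEMO = (A_DEMO * M1_DEMO + B_DEMO) % N_DEMO
C1_DEMO = pow(M1_DEMO, E_DEMO, N_DEMO)
C2_DEMO = pow(M2_DEMO, E_DEMO, N_DEMO)

if __name__ == "__main__":
    print(franklin_reiter(N_DEMO, E_DEMO, C1_DEMO, C2_DEMO, A_DEMO, B_DEMO))   # 42424242
```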
We can append random bits to the message:
$m' = 2^{n-k} m + r$.
Suppose Bob sends the same message to Alice twice:
$m_1 = 2^{n-k} m + r_1$,
$m_2 = 2^{n-k} m + r_2$.
The attacker sets $y_0 = r_2 - r_1$ and solves the equations
$g_1(x, y) = x^e - c_1$,
$g_2(x, y) = (x + y)^e - c_2$.
The attacker forms the resultant $h(y)$ of $g_1$ and $g_2$ w.r.t. x.
$y_0 = r_2 - r_1$ is a small root of $h(y)$, which has degree $e^2$.
Using Thm 3 the attacker can recover $y_0$ and then recover $m_1$ using the Franklin-Reiter Attack.
Extension to Wiener’s Attack

$N = pq$ with $q < p < 2q$; p, q are prime.
$ed = 1 \pmod{\Phi}$, where $\Phi = \phi(N)$.
d is small and $e \approx N$.
Wiener’s Attack works when $d < \frac{1}{3} N^{1/4}$.
$ed + \frac{k}{2}\Phi = 1$.
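Wiener's attack in its continued-fraction form, for the bound $d < N^{1/4}/3$ quoted above, as an added example (not code from the slides). Each convergent $k/d$ of $e/N$ is tried, and d is accepted when $\Phi = (ed - 1)/k$ leads to integer p and q. The key (p, q near 10^6, d = 101) is constructed for this demo. The check is the one a key-generation routine should run on itself: a private exponent this small is recoverable from the public key alone.

```python
import math


def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of num/den."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients


def convergents(quotients):
    """Successive convergents h_i/k_i of a continued fraction, as (h_i, k_i) pairs."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    out = []
    for a in quotients:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        out.append((h, k))
    return out


def wiener(e, n):
    """Wiener's form of the key equation is e d - k Phi = 1; when d < N^(1/4)/3 the
    fraction k/d is one of the convergents of e/N.  A candidate d is confirmed when
    Phi = (e d - 1)/k gives an integer p + q with (p - q)^2 a perfect square."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                          # p + q
        disc = s * s - 4 * n                     # (p - q)^2
        if disc < 0:
            continue
        root = math.isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0:
            return d
    return None


# Constructed demo key (not from the slides): 40-bit N with q < p < 2q and a 7-bit d.
P_DEMO, Q_DEMO = 1000033, 1000003
N_DEMO = P_DEMO * Q_DEMO
PHI_DEMO = (P_DEMO - 1) * (Q_DEMO - 1)
D_DEMO = 101                                     # well below N^(1/4)/3, which is about 333
E_DEMO = pow(D_DEMO, -1, PHI_DEMO)               # e is of the order of N, as the slide assumes

if __name__ == "__main__":
    print(wiener(E_DEMO, N_DEMO))                # 101
```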
$$ed + \frac{k}{2}\Phi = 1, \qquad \Phi = N + 1 - p - q,$$
$$ed + k\Big(\frac{N+1}{2} - \frac{p+q}{2}\Big) = 1.$$
Set $s = -\frac{p+q}{2}$, $A = \frac{N+1}{2}$, and
$$f(k, s) = k(A + s) + 1 = 0 \pmod e,$$
with $|s| < 2N^{0.5} \approx 2e^{0.5}$ and $|k| < \frac{2de}{\Phi} < \frac{3de}{N}$.
We can use Lemma 4 to solve the problem.
This problem has a solution when $\delta \le 0.292$ (writing $d = N^\delta$).
This attack works when $d < N^{0.292}$.