Advanced Cryptography Reading Assignment Lattice-Based Cryptanalysis
Advanced Cryptography Reading Assignment Lattice-Based Cryptanalysis
Advanced Cryptography Reading Assignment Lattice-Based Cryptanalysis
Lattice-based Cryptanalysis
Christophe Petit
University of Oxford
January 14, 2016
The purpose of the following questions is to develop your knowledge and critical
thinking on particular topics related to lattice-based cryptanalysis. You are required to read the papers cited below and to prepare a 40 min group presentation
answering all questions. The presentation will be interrupted by discussions to
check your understanding of the material covered. You are encouraged to split
the work between you, but everybody must have a good understanding of the whole
content. Your understanding of this material will be assessed in the mini-project.
The presentation will take place in Week 5, Friday, 10am.
1
1.1
1.2
In Sage, lattices are stored as matrices, where the row vectors of a matrix
generate the lattice. You can generate random matrices with the function
random matrix and apply LLL on them with the function LLL.
Apply the LLL algorithm on random matrices, varying the sizes of the random matrices and the parameter in LLL. Study the impact of these parameters
on the shortest vector found and on the running time of LLL. Can you explain
your observations from the theory?
The following Sage code implements a knapsack-based hash function. The first
program Parameters(n,mu) generates params used for hashing values from
{0, 1}n . Larger values of mu increase the output length of the hash function.
The second program KnapsackHash(A,x) computes the hash of x.
d e f Parameters ( n ,mu ) :
A = list ();
f o r i in range (0 , n ) :
A. append ( r a n d i n t ( 0 , 2 mu1))
r e t u r n [ v e c t o r (A) , n ,mu]
d e f KnapsackHash ( params , x ) :
A = params [ 0 ]
n = params [ 1 ]
mu = params [ 2 ]
k = c e i l ( l o g ( n , 2 ) ) +mu
i f n != l e n ( x ) :
r e t u r n The i n p u t v e c t o r s a r e not t h e same l e n g t h !
z = 0;
f o r i in range (0 , len ( x ) ) :
z = z + A[ i ] x [ i ] ;
z = z . bits ()
while len ( z ) < k :
z . append ( 0 )
return z
1. Write a program which takes the output of Parameters and finds a collision on the resulting hash function using the LLL algorithm.
2. Test your program on params = Parameters(n,mu) for (n, mu) = (10, 10), (20, 20), (40, 40).
What are the largest values of (n, mu) for which your program finds a collision?
Study Boneh-Durfees paper [1] and describe one of their attacks. Implement the
attack in Sage. Study the performances of your implementation experimentally
and compare them with the theoretical predictions.
References
[1] Dan Boneh and Glenn Durfee. Cryptanalysis of RSA with private key d
less than N 0.292 . In Jacques Stern, editor, Advances in Cryptology - EU2