A congruential public key cryptosystem¶

Alice:

• Choose large integer mod $q$
• choose secret $f, g$ with $f<\sqrt{q/2}, \sqrt{q/4} < g < \sqrt{q/2}$ and $\gcd(f, qg) = 1$
• Compute $h \equiv f^{-1}g \ mod \ q$
• Publish $(q, h)$

Encryption (Bob):

• choose plaintext $m$ with $m<\sqrt{q/4}$
• choose random $r < \sqrt{q/2}$
• Compute $e \equiv rh + m \ mod \ q$
• Send e

Decryption (Alice):

• Compute $a \equiv fe \ mod \ q $ with $ 0 < a < q$
• Compute $b \equiv f^{-1}e \ mod \ q $ with $ 0 < b < g$
• Then $b = m$

Proof: $b = f^{-1}e \equiv f^{-1}(rg + fm) \equiv f^{-1}fm \equiv m \ mod \ g $ with $0 < b < g$

Example¶

Where are the lattices tho?¶

Try to find $(f, g)$ from $(q, h)$ => find $(F, G): Fh \equiv G \ mod \ q$ where $F, G = \mathcal{O}(\sqrt{q}) <=> $
$<=>\begin{align*} Fh &= G + qR \\ F &= F + 0 \end{align*}<=> F \begin{bmatrix} 1 \\ h \end{bmatrix} - R \begin{bmatrix} 0 \\ q \end{bmatrix} = \begin{bmatrix} F \\ G \end{bmatrix}$

so $v1 = \begin{bmatrix} 1 \\ h \end{bmatrix}$, $v2 = \begin{bmatrix} 0 \\ q \end{bmatrix}$, $w = \begin{bmatrix} F \\ G \end{bmatrix}$

=> find a linear combination $w =a_1v_1 + a_2v_2$ =>
=> Find shortest vector in the set $L = \{a_1v_1 + a_2v_2 | a_1, a_2 \in \mathbb{Z}\}$ = two dimensional lattice

Subset-sum problems¶

Subset-Sum Problem

Suppose that you are given a list of positive integers $(M_1,M_2,...,M_n)$ and another integer $S$. Find a subset of the elements in the list whose sum is S. (You may assumethat there is at least one such subset.)

Proposition
Let $M = (M_1,M_2,...,M_n)$, $(M,S)$ = Subset-sum problem
For all sets $I \subset\{i | \ 1 \leq i \leq n/2\}$ and $J \subset\{j | \ n/2 < j \leq n\}$ compute and make a list of values $A_I = \sum_{i\in I}M_i$ and $B_J = S - \sum_{j \in J}M_j$

Then $\exists (I_0, J_0)$ with $A_{I_0} = B_{J_0}$ => $S = \sum_{i\in I}M_i + \sum_{j \in J}M_j$

From here we might create a collision algorithm that breaks the system in $\mathcal{O}(2^{n/2})$

Superincreasing Sequence

$r=(r_1,r_2,...,r_n)$ with the property that $r_i+1 ≥ 2r_i$ for all $1≤i≤n−1$.

Algorithm for $(M, S)$¶

Cryptosystem based on superincreasing seq (Merkle and Hellman)¶

Key creation(Alice):

• Choose superincreasing $r=(r_1,...,r_n)$
• Choose $A$ and $B$ with $B>2r_n$ and $\gcd(A, B)=1$
• Compute $M_i=Ar_i(modB)$ for $1≤i≤n $
• Publish the public key $M=(M1,...,Mn)$

Encryption(Bob):

• Choose plaintext $x$
• $S = x * M$
• Send S

Decryption (Alice):

• $S' \equiv A^{-1}S \ mod \ B$
• solve $(S', r)$ => $x$

Proof: $S' \equiv A^{-1}S \equiv A^{-1} \sum^n_{i = 1}x_iAr_i \equiv \sum^n_{i = 1}x_ir_i \ mod \ b$

Some observations make this algorithm impractical

• we need $r_1 > 2^n$ => $r_n > 2^{2n} => B>2r_n = 2^{2n+1} => M_i = \mathcal{O}(2^{2n}) ; S = \mathcal{O}(2^{2n})$
• Big public key: for $n = 160 => 2n^2 = 51200$ bits (Ex: DH: 1k bits)
• weak to LLL

The lattice please¶

Suppose you want to write $S$ as a subset-sum from the set $M = (m_1, ...,m_n)$. Consider the matrix

$\begin{bmatrix} 2&0&\dots&0&m_1 \\ 2&0&\dots&0&{m_2} \\ \vdots&\vdots&\ddots&\vdots&\vdots \\ 0&0&\dots&2&m_n \\ 1&1&\dots&1&S \end{bmatrix} => \begin{align*} v_1&=(2,0,0,...,0,m_1) \\ v_2&=(0,2,0,...,0,m_2) \\ &\vdots \ \vdots \\ v_n&=(0,0,0,...,2,m_n) \\ v_{n+1}&=(1,1,1,...,1,S) \end{align*} \Bigg{\}}=> L=\{a_1v_1+a_2v_2+···+a_nv_n+a_{n+1}v_{n+1} \ | \ a_1,a_2,...,a_{n+1}∈ \mathbb{Z}\} $

Suppose $x = (x_1, x_2, ... x_n)$ is a solution => L contains
$t = \sum^n_{i=1}x_iv_i - v_{n+1} = (2x_1 -1, 2x_2 -1, \dots, 2x_n -1, 0)$

Last coord of $t$ is 0 because $S = x_1m_1 + \dots + x_nm_n$

$x_i \in {0, 1} => t_i \in {-1, 1} => \|t\| = \sqrt{n} = $ short
since $m_i = \mathcal{O}(2^{2n}); S = \mathcal{O}(2^{2n})$ => is likely that $t$ is the shortest vector => LLL

Vector space recap¶

I'll just assume you know the basics. I'll put only concept names

• Linear combinations
• Independence
• Basis that spans a vector space

Prop 1
Let $v_1,...,v_n$ be a basis for $V$ and let $w_1,...,w_n$ be another set of $n$ vectors in $V$ .Write each $w_j$ as a linear combination of the $v_i$

$\begin{align*} w_1 &= α_{11}v_1+α_{12}v_2+···+α_{1n}v_n \\ w_2&=α_{21}v_1+α_{22}v_2+···+α_{2n}v_n \\ \vdots \ \vdots \\ w_n&=α_{n1}v_1+α{n2}v_2+···+α_{nn}v_n \end{align*} $

=> Then $w_1,..., w_n$ is also a basis for $V$ <=> $\det(A) = \begin{vmatrix} α_{11}&α_{12}&···&α_{1n}\\ α_{21}&α_{22}&···&α_{2n}\\ \vdots &\vdots&\ddots &\vdots \\ α_{n1} & α_{n2}&···&α_{nn} \end{vmatrix} \neq 0$

• dot product; $v*w = 0 => v \perp w $
• norm; $\|v\|^2 = v * v$
• angle $ \cos(\theta) =\frac{v*w}{\|v\| * \|w\|}$
• Cauchy Schwartz $|v * w| \leq \|v\| * \|w\| $
• orthogonal basis => $v=a_1v_1+···+a_nv_n => ‖v‖^2=‖a_1v_1+···+a_nv_n‖^2$ where $v_1,...,v_n$ = orthogonal basis
• orthonormal basis

Gram schmidt algorithm = basis => orthogonal basis

Lattices¶

Let $v_1,...,v_n$ be a set of linear independent vectors. Then
$L = \{a_1v_1 +...+ a_nv_n | a_1,..., a_n \in \mathbb{Z}\}$

• $\dim L = n$

we try the same as Prop 1 =>
$1 = \det(I) = \det(AA^{−1}) = \det(A)\det(A^{-1})$ where $\det(A), \det(A^{-1}) \in \mathbb{Z} => \det(A) = \pm1$

Prop 2
Any two bases for a lattice $L$ are related by a matrix having integer coefficients and determinant equal to $±1$

Fundamental domain

Let $L$ be a lattice of dimension $n$ and let $v_1,v_2,...,v_n$ be a basis for $L$. The fundamental domain for $L$ corresponding to this basis is the set
$\mathcal{F}(v_1,...,v_n)=\{t_1v_1+t_2v_2+···+t_nv_n:0≤t_i<1\}$.

=> Every vector $w∈R^n$ can be written in the form $w=t+v$ for a unique $t∈\mathcal{F}$ and a unique $v∈L$.

Equivalently, the union of the translated fundamental domains $F+v={t+v:t∈F}$ exactly covers $Rn$

• $\det(L) = \det(F)$ where $F =$ the coordinate matrix of $\mathcal{F}(v_1,...,v_n)$

Hadamard's inequality
$\det(L) = \text{Vol}(\mathcal{F}) \leq \|v_1\|*...*\|v_n\|$

• $\forall \ \mathcal{F} $ for $L => \text{Vol}\mathcal{F} = \text{const}$ <=> every fundamental domain for L has the same volume => INVARIANT

Short vectors in lattices¶

Problems¶

• Shortest vector problem (SVP)

Find $v \in L$ that minimizes $||v||$

• Closest vector problem (CVP)

Given $w \in \mathbb{R}^m; \ w\notin L$ find $v \in L$ that minimizes $||w-v||$

• Shortest basis problem (SBP)

Given $L$ find a basis $\{v_1, ..., v_n\}$ that is "shortest" in some sense
Ex: $\underset{1 \leq i \leq n}{\max}||v_i||$ or $\sum_{i = 1}^n ||v||^2$

• ApprSVP

Let $\psi(n) = function$ where $n = \dim L$ Find $v$ such that $||v|| \leq \psi(n)||v_{shortest}||$

• ApprCVP

same idea

Minkowski theorem:
Let $L \subset \mathbb{R}^n, \dim L = n; S \subset \mathbb{R}^n, S = $bounded symmetrical convex set whose volume satisfies
$\text{Vol}(S) > 2^n\det(L)$
Then S contains a nonzero lattice vector

watch 12 mins for intuition https://www.youtube.com/watch?v=tZx7K0Or70Y&list=PLgKuh-lKre12CuCYPwpfH77-K6U_3JweQ

Babai's algorithm¶

Remark
if L has an orthogonal basis => SVP and CVP are easy:

• SVP: the vector is found in the basis
• CVP:

$\begin{align*} w&=t_1v_1+t_2v_2+···+t_nv_n \text{with} \ t_1,...,t_n∈\mathbb{R}. \\ v&=a_1v_1+···+a_n \ v_n∈L \end{align*} \Big \} ‖v−w‖^2=(a_1−t_1)^2‖v_1‖^2+(a_2−t_2)^2‖v_2‖^2+···+(a_n−t_n)^2‖v_n‖^2 => $

=>we take $a_i$ to be the closest integer to $t_i$

For a near-orthogonal base this might work

But if you have a bad base, shit like this might happen:

Intuition:
Find a translation $(\mathcal{F} + v)$ that contains $w$ and take the closest vertex
$w=v+\epsilon_1v_1+\epsilon_2v_2+···+\epsilon_nv_n$ with $\epsilon \in \{0, 1\}$

Hadamards ratio
$\mathcal{H}(\mathcal{B}) = \left( \frac{\det L}{||v_1||*\dots*||v_n||} \right) ^{1/n} \in (0, 1]$

The closest this value is to 1, the more orthogonal the vectors are

GGH Cryptosystem¶

Key creation (Alice):

• Choose a good basis $V = \{v_1, \dots, v_n\}$
• Choose integer matrix $U$ with $\det(U) = \pm1$
• Compude a bad basis $W = \{w_1, ... ,w_n\} = UV$
• Publish $W$

Encryption (Bob):

• choose small plaintext vector $m$
• choose random small vector $r$
• $e = m_1w_1 + ... + x_nw_n + r$
• Send $e$

Decryption (Alice):

• Use Babai's algo to compute the closest vector $v\in L$ to $e$
• $v*W^{-1} = m$

An alternative version of GGH reverses the roles of $m$ and $r$,so the ciphertext has the form $e=rW+m$.
Alice finds $rW$ by computing the lattice vector closest to $e$, and then she recovers the plaintext as $m=e−rW$

GO TO THE SAGE NB FOR NTRU ENCRYPT¶

and come back when you're told

Breaking stuff¶

we remake the algorithms in python

congruential¶

$v_1 = [1, h], v_2 = [0, q]$

Knapsacks¶

GGH¶

GO TO THE SAGE NB FOR NTRU¶

TO DO¶

• Efficient LLL
• Babai's closest plane
• NTRUDSA