50 research outputs found
Approximate common divisors via lattices
We analyze the multivariate generalization of Howgrave-Graham's algorithm for
the approximate common divisor problem. In the m-variable case with modulus N
and approximate common divisor of size N^beta, this improves the size of the
error tolerated from N^(beta^2) to N^(beta^((m+1)/m)), under a commonly used
heuristic assumption. This gives a more detailed analysis of the hardness
assumption underlying the recent fully homomorphic cryptosystem of van Dijk,
Gentry, Halevi, and Vaikuntanathan. While these results do not challenge the
suggested parameters, a 2^(n^epsilon) approximation algorithm with epsilon<2/3
for lattice basis reduction in n dimensions could be used to break these
parameters. We have implemented our algorithm, and it performs better in
practice than the theoretical analysis suggests.
Our results fit into a broader context of analogies between cryptanalysis and
coding theory. The multivariate approximate common divisor problem is the
number-theoretic analogue of multivariate polynomial reconstruction, and we
develop a corresponding lattice-based algorithm for the latter problem. In
particular, it specializes to a lattice-based list decoding algorithm for
Parvaresh-Vardy and Guruswami-Rudra codes, which are multivariate extensions of
Reed-Solomon codes. This yields a new proof of the list decoding radii for
these codes.Comment: 17 page
RSA, DH, and DSA in the Wild
This book chapter outlines techniques for breaking cryptography by taking advantage of implementation mistakes made in practice, with a focus on those that exploit the mathematical structure of the most widely used public-key primitives
Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies
In this paper, we compute hundreds of Bitcoin private keys and dozens of Ethereum, Ripple, SSH, and HTTPS private keys by carrying out cryptanalytic attacks against digital signatures contained in public blockchains and Internet-wide scans. The ECDSA signature algorithm requires the generation of a per-message secret nonce. If this nonce is not generated uniformly at random, an attacker can potentially exploit this bias to compute the long-term signing key. We use a lattice-based algorithm for solving the hidden number problem to efficiently compute private ECDSA keys that were used with biased signature nonces due to multiple apparent implementation vulnerabilities
The Hidden Number Problem with Small Unknown Multipliers: Cryptanalyzing MEGA in Six Queries and Other Applications
In recent work, Backendal, Haller, and Paterson identified several exploitable vulnerabilities in the cloud storage provider MEGA. They demonstrated an RSA key recovery attack in which a malicious server could recover a client\u27s private RSA key after 512 client login attempts. We show how to exploit additional information revealed by MEGA\u27s protocol vulnerabilities to give an attack that requires only six client logins to recover the secret key.
Our optimized attack combines several cryptanalytic techniques. In particular, we formulate and give a solution to a variant of the hidden number problem with small unknown multipliers, which may be of independent interest. We show that our lattice construction for this problem can be used to give improved results for the implicit factorization problem of May and Ritzenhofen
Fast Practical Lattice Reduction through Iterated Compression
We introduce a new lattice basis reduction algorithm with approximation guarantees analogous to the LLL algorithm and practical performance that far exceeds the current state of the art. We achieve these results by iteratively applying precision management techniques within a recursive algorithm structure and show the stability of this approach. We analyze the asymptotic behavior of our algorithm, and show that the heuristic running time is for lattices of dimension , bounding the cost of size reduction, matrix multiplication, and QR factorization, and bounding the log of the condition number of the input basis . This yields a running time of for precision in common applications. Our algorithm is fully practical, and we have published our implementation. We experimentally validate our heuristic, give extensive benchmarks against numerous classes of cryptographic lattices, and show that our algorithm significantly outperforms existing implementations
Recovering cryptographic keys from partial information, by example
Side-channel attacks targeting cryptography may leak only partial or indirect information about the secret keys. There are a variety of techniques in the literature for recovering secret keys from partial information. In this tutorial, we survey several of the main families of partial key recovery algorithms for RSA, (EC)DSA, and (elliptic curve) Diffie-Hellman, the public-key cryptosystems in common use today. We categorize the known techniques by the structure of the information that is learned by the attacker, and give simplified examples for each technique to illustrate the underlying ideas
The Proof is in the Pudding: Proofs of Work for Solving Discrete Logarithms
We propose a proof of work protocol that computes the discrete logarithm of an element in a cyclic group. Individual provers generating proofs of work perform a distributed version of the Pollard rho algorithm. Such a protocol could capture the computational power expended to construct proof-of-work-based blockchains for a more useful purpose, as well as incentivize advances in hardware, software, or algorithms for an important cryptographic problem. We describe our proposed construction and elaborate on challenges and potential trade-offs that arise in designing a practical proof of work
Optimally Robust Private Information Retrieval
We give a protocol for multi-server information-theoretic private information retrieval which achieves the theoretical limit for Byzantine robustness. That is, the protocol can allow a client to successfully complete queries and identify server misbehavior in the presence of the maximum possible number of malicious servers. We have implemented our scheme and it is extremely fast in practice: up to thousands of times faster than previous work. We achieve these improvements by using decoding algorithms for error-correcting codes that take advantage of the practical scenario where the client is interested in multiple blocks of the database