easing coppersmith methods using analytic combinatorics
play

Easing Coppersmith Methods using Analytic Combinatorics: - PowerPoint PPT Presentation

Jul 24, 2023 •132 likes •797 views

Easing Coppersmith Methods using Analytic Combinatorics: Applications to Public-Key Cryptography with Weak Pseudorandomness Fabrice Benhamouda , Cline Chevalier, Adrian Thillard, and Damien Vergnaud cole normale suprieure, CNRS, INRIA,

  1. Easing Coppersmith Methods using Analytic Combinatorics: Applications to Public-Key Cryptography with Weak Pseudorandomness Fabrice Benhamouda , Céline Chevalier, Adrian Thillard, and Damien Vergnaud École normale supérieure, CNRS, INRIA, PSL, Université Panthéon-Assas, ANSSI, Paris, France R E S E A R C H U N I V E R S I T Y PKC 2016, Taipei, Taiwan

  2. Introduction Analytic Combinatorics Application Coppersmith Methods Quick History Introduced by Coppersmith in 1996 to find: small roots of univariate modular polynomials [Cop96b]; small roots of bivariate polynomials [Cop96a]; Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 2 / 18

  3. Introduction Analytic Combinatorics Application Coppersmith Methods Quick History Introduced by Coppersmith in 1996 to find: small roots of univariate modular polynomials [Cop96b]; e.g., decrypt RSA with known plaintext MSB β : ( 2 k · β + x ) e mod N = c with | x | ≤ 2 k small roots of bivariate polynomials [Cop96a]; Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 2 / 18

  4. Introduction Analytic Combinatorics Application Coppersmith Methods Quick History Introduced by Coppersmith in 1996 to find: small roots of univariate modular polynomials [Cop96b]; e.g., decrypt RSA with known plaintext MSB β : ( 2 k · β + x ) e mod N = c with | x | ≤ 2 k extension of small plaintext: x e mod N = c ; small roots of bivariate polynomials [Cop96a]; Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 2 / 18

  5. Introduction Analytic Combinatorics Application Coppersmith Methods Quick History Introduced by Coppersmith in 1996 to find: small roots of univariate modular polynomials [Cop96b]; e.g., decrypt RSA with known plaintext MSB β : ( 2 k · β + x ) e mod N = c with | x | ≤ 2 k extension of small plaintext: x e mod N = c ; small roots of bivariate polynomials [Cop96a]; e.g., factorizing with known primes MSB: ( 2 k · α + x ) · ( 2 k · β + y ) = N with | x | , | y | ≤ 2 k Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 2 / 18

  6. Introduction Analytic Combinatorics Application Coppersmith Methods Quick History Introduced by Coppersmith in 1996 to find: small roots of univariate modular polynomials [Cop96b]; e.g., decrypt RSA with known plaintext MSB β : ( 2 k · β + x ) e mod N = c with | x | ≤ 2 k extension of small plaintext: x e mod N = c ; small roots of bivariate polynomials [Cop96a]; e.g., factorizing with known primes MSB: ( 2 k · α + x ) · ( 2 k · β + y ) = N with | x | , | y | ≤ 2 k Further extensions: more variables [HG97, BM05, JM06]; multiple polynomials and moduli [MR08, MR09, Rit10]. Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 2 / 18

  7. Introduction Analytic Combinatorics Application Coppersmith Methods Quick History Introduced by Coppersmith in 1996 to find: small roots of univariate modular polynomials [Cop96b]; e.g., decrypt RSA with known plaintext MSB β : ( 2 k · β + x ) e mod N = c with | x | ≤ 2 k extension of small plaintext: x e mod N = c ; small roots of bivariate polynomials [Cop96a]; e.g., factorizing with known primes MSB: ( 2 k · α + x ) · ( 2 k · β + y ) = N with | x | , | y | ≤ 2 k Further extensions: more variables [HG97, BM05, JM06]; multiple polynomials and moduli [MR08, MR09][Rit10]. Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 2 / 18

  8. Introduction Analytic Combinatorics Application Coppersmith Methods Goal Solve:  f 1 ( x 1 , . . . , x n ) = 0 mod N 1   .  . .   f s ( x 1 , . . . , x n ) = 0 mod N s  with | x 1 | ≤ X 1 | x n | ≤ X n . . . Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 3 / 18

  9. Introduction Analytic Combinatorics Application Coppersmith Methods Goal Solve:  f 1 ( x 1 , . . . , x n ) = 0 mod N 1   .  . .   f s ( x 1 , . . . , x n ) = 0 mod N s  with | x 1 | ≤ X 1 | x n | ≤ X n . . . Question: which bounds X 1 , . . . , X n work? Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 3 / 18

  10. Introduction Analytic Combinatorics Application Coppersmith Methods Overview 1 Construction of polynomials ˜ f i , j such that: mod N k i , j ˜ f i , j ( x 1 , . . . , x n ) = 0 i for any original solution ( x 1 , . . . , x n ) . Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 4 / 18

  11. Introduction Analytic Combinatorics Application Coppersmith Methods Overview 1 Construction of polynomials ˜ f i , j such that: mod N k i , j ˜ f i , j ( x 1 , . . . , x n ) = 0 i for any original solution ( x 1 , . . . , x n ) . 2 Use LLL to find an integer system:  g 1 ( x 1 , . . . , x n ) = 0   .  . .   g n ( x 1 , . . . , x n ) = 0  such that: any original solution is satisfied; 1 it has only a finite number of solutions. 2 Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 4 / 18

  12. Introduction Analytic Combinatorics Application Coppersmith Methods Overview 1 Construction of polynomials ˜ f i , j such that: mod N k i , j ˜ f i , j ( x 1 , . . . , x n ) = 0 i for any original solution ( x 1 , . . . , x n ) . 2 Use LLL to find an integer system:  g 1 ( x 1 , . . . , x n ) = 0   .  . .   g n ( x 1 , . . . , x n ) = 0  such that: any original solution is satisfied; 1 it has only a finite number of solutions. 2 3 Solve the system (using Groebner basis). Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 4 / 18

  13. Introduction Analytic Combinatorics Application Coppersmith Methods Condition and Combinatorics Success condition = combinatorial condition on the number of polynomials ˜ f i , j the number of monomials in ˜ f i , j the moduli N k i , j i the bounds X i Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 5 / 18

  14. Introduction Analytic Combinatorics Application Coppersmith Methods Condition and Combinatorics Success condition = combinatorial condition on the number of polynomials ˜ f i , j the number of monomials in ˜ f i , j the moduli N k i , j i the bounds X i Complexity: idem Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 5 / 18

  15. Introduction Analytic Combinatorics Application Coppersmith Methods Condition and Combinatorics Success condition = combinatorial condition on the number of polynomials ˜ f i , j the number of monomials in ˜ f i , j the moduli N k i , j i the bounds X i Complexity: idem Difficult to compute when s and n non-constant Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 5 / 18

  16. Introduction Analytic Combinatorics Application Coppersmith Methods Condition and Combinatorics Success condition = combinatorial condition on the number of polynomials ˜ f i , j the number of monomials in ˜ f i , j the moduli N k i , j i the bounds X i Complexity: idem Difficult to compute when s and n non-constant Our solution Use analytic combinatorics! Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 5 / 18

  17. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

  18. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 w 0 Output Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

  19. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 w 0 Output Update Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

  20. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 w 0 Output Update v 1 Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

  21. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 w 0 Output Update v 1 w 1 Output Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

  22. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 w 0 Output Update v 1 w 1 Output Update Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

  23. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 w 0 Output Update v 1 w 1 Output Update v 2 Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

  24. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 w 0 Output Update v 1 w 1 Output Update v 2 w 2 Output Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

  25. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 w 0 Output Update v 1 w 1 Output Update v 2 w 2 Output . . . Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

  26. Introduction Analytic Combinatorics Application Pseudorandom Generator (PRG) v 0 w 0 Output ≈ $ Update v 1 w 1 Output ≈ $ Update v 2 w 2 Output ≈ $ . . . Fabrice Benhamouda (ENS) Coppersmith and Analytic Combinatorics PKC 2016 6 / 18

Recommend

5. Analytic Combinatorics http://aofa.cs.princeton.edu Analytic combinatorics is a calculus for

5. Analytic Combinatorics http://aofa.cs.princeton.edu Analytic combinatorics is a calculus for

A N A L Y T I C C O M B I N A T O R I C S P A R T O N E 5. Analytic Combinatorics http://aofa.cs.princeton.edu Analytic combinatorics is a calculus for the quantitative study of large combinatorial structures. Features : Analysis begins

1.26k views • 64 slides
A . Symbolic Methods Philippe Flajolet, INRIA, Rocquencourt http://algo.inria.fr/flajolet ., 2007

A . Symbolic Methods Philippe Flajolet, INRIA, Rocquencourt http://algo.inria.fr/flajolet ., 2007

Santiago de Chile DEC 2006 SINGULAR COMBINATORICS A . Symbolic Methods Philippe Flajolet, INRIA, Rocquencourt http://algo.inria.fr/flajolet ., 2007 + . Based on Analytic Combinatorics , Flajolet & Sedgewick, C.U.P 1 ANALYTIC COMBINATORICS

1.02k views • 100 slides
Analytic Combinatorics A Calculus of Discrete Structures Philippe Flajolet INRIA

Analytic Combinatorics A Calculus of Discrete Structures Philippe Flajolet INRIA

Part A. SYMBOLIC METHODS Part B. Complex asymptotics Part C. Distributions Part D. Frontiers Analytic Combinatorics A Calculus of Discrete Structures Philippe Flajolet INRIA Rocquencourt, France SODA07 , New Orleans, January 2007 1 / 38

851 views • 38 slides
Analytic Combinatorics in Several Variables Robin Pemantle and Mark Wilson A of A conference, 30

Analytic Combinatorics in Several Variables Robin Pemantle and Mark Wilson A of A conference, 30

Analytic Combinatorics in Several Variables Robin Pemantle and Mark Wilson A of A conference, 30 May, 2013 Pemantle Analytic Combinatorics in Several Variables About the book Pemantle Analytic Combinatorics in Several Variables Pemantle

1.23k views • 89 slides
Lets do some Computer Algebra and Combinatorics! SYMBOLIC-NUMERIC TOOLS FOR ANALYTIC

Lets do some Computer Algebra and Combinatorics! SYMBOLIC-NUMERIC TOOLS FOR ANALYTIC

SYMBOLIC-NUMERIC TOOLS FOR ANALYTIC COMBINATORICS IN SEVERAL VARIABLES Stephen Melczer ENS Lyon / Inria & University of Waterloo Joint work with Bruno Salvy Lets do some Computer Algebra and Combinatorics! SYMBOLIC-NUMERIC TOOLS

489 views • 38 slides
7. Applications of Singularity Analysis http://ac.cs.princeton.edu Analytic combinatorics

7. Applications of Singularity Analysis http://ac.cs.princeton.edu Analytic combinatorics

A N A L Y T I C C O M B I N A T O R I C S P A R T T W O 7. Applications of Singularity Analysis http://ac.cs.princeton.edu Analytic combinatorics overview specification A. SYMBOLIC METHOD 1. OGFs 2. EGFs GF equation 3. MGFs

725 views • 59 slides
Plan for second half of the course Lectures from Analytic Combinatorics One or two lectures,

Plan for second half of the course Lectures from Analytic Combinatorics One or two lectures,

Plan for second half of the course Lectures from Analytic Combinatorics One or two lectures, posted weekly. Emphasis on lectures, with reference to the book. More creative exercises May require code. (Slightly) more emphasis on

247 views • 11 slides
On (un)-balanced Plya urns: Analytic Combinatorics strikes again Basile Morcrette May, 30

On (un)-balanced Plya urns: Analytic Combinatorics strikes again Basile Morcrette May, 30

On (un)-balanced Plya urns: Analytic Combinatorics strikes again Basile Morcrette May, 30 AofA 2013, Spain Dedicated to Philippe Flajolet. 1/16 Knuths strings Start with m loops in a box. At each step, pick one at random, cut it and

779 views • 31 slides
Generating Function Computations in Probability and Combinatorics Robin Pemantle ICERM tutorial,

Generating Function Computations in Probability and Combinatorics Robin Pemantle ICERM tutorial,

Overview of generating functions and the base case Rate functions and methods of computational algebra Analytic methods for sharp asymptotics Generating Function Computations in Probability and Combinatorics Robin Pemantle ICERM tutorial,

1.99k views • 188 slides
Data Stream Analysis: a (new) triumph for Analytic Combinatorics Dedicated to the memory of

Data Stream Analysis: a (new) triumph for Analytic Combinatorics Dedicated to the memory of

Data Stream Analysis: a (new) triumph for Analytic Combinatorics Dedicated to the memory of Philippe Flajolet (1948-2011) Conrado Martnez Universitat Politcnica de Catalunya ALEA in Europe Workshop, Vienna (Austria) October 2017 Outline

1.67k views • 150 slides
Analytic combinatorics of chord and hyperchord diagrams with k crossings Vincent Pilaud Juanjo

Analytic combinatorics of chord and hyperchord diagrams with k crossings Vincent Pilaud Juanjo

Analytic combinatorics of chord and hyperchord diagrams with k crossings Vincent Pilaud Juanjo Ru CNRS & LIX, FU Berlin cole Polytechnique AofA14, Paris Planar chord configurations Structural properties The simplicial complex of

650 views • 32 slides
3. Combinatorial Parameters and MGFs http://ac.cs.princeton.edu Analytic combinatorics

3. Combinatorial Parameters and MGFs http://ac.cs.princeton.edu Analytic combinatorics

A N A L Y T I C C O M B I N A T O R I C S P A R T T W O 3. Combinatorial Parameters and MGFs http://ac.cs.princeton.edu Analytic combinatorics overview specification A. SYMBOLIC METHOD 1. OGFs 2. EGFs GF equation 3. MGFs SYMBOLIC

969 views • 64 slides
Plya Urns An analytic combinatorics approach Basile Morcrette Algorithms project, INRIA

Plya Urns An analytic combinatorics approach Basile Morcrette Algorithms project, INRIA

Plya Urns An analytic combinatorics approach Basile Morcrette Algorithms project, INRIA Rocquencourt. LIP6, UPMC CALIN Seminar 07/02/2012 1/35 Outline 1. Urn model 2. An exact approach boolean formulas 3. Singularity analysis family of

985 views • 63 slides
Analytic Combinatorics of the Mabinogion and OK-Corral Urns Philippe Flajolet Based on joint work

Analytic Combinatorics of the Mabinogion and OK-Corral Urns Philippe Flajolet Based on joint work

Urn models Ehrenfest and Mabinogion Friedman and OK-Corral Analytic Combinatorics of the Mabinogion and OK-Corral Urns Philippe Flajolet Based on joint work with Thierry Huillet and Vincent Puyhaubert ALEA08 , Maresias, Brazil, April 2008 1

315 views • 20 slides
Analytic Combinatorics of the Mabinogion and OK-Corral Urns Philippe Flajolet Based on joint work

Analytic Combinatorics of the Mabinogion and OK-Corral Urns Philippe Flajolet Based on joint work

Urn models Ehrenfest and Mabinogion Friedman and OK-Corral Analytic Combinatorics of the Mabinogion and OK-Corral Urns Philippe Flajolet Based on joint work with Thierry Huillet and Vincent Puyhaubert ALEA08 , Maresias, Brazil, April 2008 1

518 views • 27 slides
2. Labelled structures and EGFs http://ac.cs.princeton.edu Analytic combinatorics overview

2. Labelled structures and EGFs http://ac.cs.princeton.edu Analytic combinatorics overview

A N A L Y T I C C O M B I N A T O R I C S P A R T T W O 2. Labelled structures and EGFs http://ac.cs.princeton.edu Analytic combinatorics overview specification A. SYMBOLIC METHOD 1. OGFs 2. EGFs GF equation 3. MGFs SYMBOLIC

842 views • 81 slides
ICS 667 Advanced HCI Design Methods 08. Intro to Evaluation Analytic Evaluation Dan Suthers

ICS 667 Advanced HCI Design Methods 08. Intro to Evaluation Analytic Evaluation Dan Suthers

ICS 667 Advanced HCI Design Methods 08. Intro to Evaluation Analytic Evaluation Dan Suthers Spring 2005 Outline Introduction to Evaluation Types of Evaluation etc. Usability Specifications Analytic Methods Metrics and

519 views • 21 slides
8. Saddle-Point Asymptotics http://ac.cs.princeton.edu Analytic combinatorics overview

8. Saddle-Point Asymptotics http://ac.cs.princeton.edu Analytic combinatorics overview

A N A L Y T I C C O M B I N A T O R I C S P A R T T W O 8. Saddle-Point Asymptotics http://ac.cs.princeton.edu Analytic combinatorics overview specification A. SYMBOLIC METHOD 1. OGFs 2. EGFs GF equation 3. MGFs SYMBOLIC METHOD

861 views • 52 slides
ANALYTIC COMBINATORICS Philippe FLAJOLET Bologna, June 2010 Wednesday, June 2, 2010 1

ANALYTIC COMBINATORICS Philippe FLAJOLET Bologna, June 2010 Wednesday, June 2, 2010 1

ANALYTIC COMBINATORICS Philippe FLAJOLET Bologna, June 2010 Wednesday, June 2, 2010 1 Counting... Wednesday, June 2, 2010 2 Counting (and asymptotics) Binary trees => Catalan numbers Formula is Growth rate is ( asymptotics ) Wednesday,

850 views • 57 slides
Tutorial Verification Numerical Simulation Analytic and Numerical Methods in ODEs Further

Tutorial Verification Numerical Simulation Analytic and Numerical Methods in ODEs Further

BENG 221 Lecture 4 Tutorial BENG 221 Mathematical Methods in Bioengineering Overview Example: Ring Oscillator Dynamics Lecture 4 Analytic ODE Solution Numerical Tutorial Verification Numerical Simulation Analytic and Numerical

423 views • 21 slides
1. Early combinatorics Robin Wilson 1. Early combinatorics 2. European combinatorics: Middle

1. Early combinatorics Robin Wilson 1. Early combinatorics 2. European combinatorics: Middle

1. Early combinatorics Robin Wilson 1. Early combinatorics 2. European combinatorics: Middle Ages to Renaissance 3. Eulers combinatorics 4. Magic squares, Latin squares & triple systems 5. The 19th century 6. Colouring maps

563 views • 39 slides
Complex Analytic Methods in Free vvb Probability Theory Hari Bercovici BIRS, January 2008

Complex Analytic Methods in Free vvb Probability Theory Hari Bercovici BIRS, January 2008

f ( z ) , , etc. H. Bercovici Free convolutions Analytic apparatus Limit theorems Regularity Extensions Omissions Complex Analytic Methods in Free vvb Probability Theory Hari Bercovici BIRS, January 2008 Random variables f (

1.57k views • 107 slides
ALTERNATIVE PAYMENT METHODS: MASSACHUSETTS AGGREGATE DATA Ashley Storms, Analytic Reporting

ALTERNATIVE PAYMENT METHODS: MASSACHUSETTS AGGREGATE DATA Ashley Storms, Analytic Reporting

ALTERNATIVE PAYMENT METHODS: MASSACHUSETTS AGGREGATE DATA Ashley Storms, Analytic Reporting Manager November 7, 2019 CENTER FOR HEALTH INFORMATION AND ANALYSIS Alternative Payment Methods (APMs) APMs are methods of payment in which some of

391 views • 10 slides
Combinatorics on polynomial equations: do they describe nice varieties? Joachim von zur Gathen

Combinatorics on polynomial equations: do they describe nice varieties? Joachim von zur Gathen

Combinatorics on polynomial equations: do they describe nice varieties? Joachim von zur Gathen Bonn Joint work with Guillermo Matera Overview Combinatorics on polynomials Task Some results Methods Open questions 21/23

666 views • 65 slides

More recommend