Cryptanalysis of the Double-Moduli Cryptosystem



Introduction
Lattice-based cryptography has become an increasingly studied research topic. It may offer a good alternative to cryptographic schemes based on classical number-theoretic problems (e.g. discrete logarithm, factorization), which are easily solved on quantum computers.
Lattices have proven to provide hard problems on which cryptographic schemes can be built securely, but also good tools for cryptanalysis. There are several lattice attacks [2,3] on NTRU [4]. The main tool of these attacks is the LLL algorithm [5]. In order to overcome this, there are variants of NTRU which base their security on lattice hard problems [6].
In this article we present a lattice attack on an NTRU-like scheme introduced by Verkhovsky in [1].
Based on the relation between the public and private key, we construct an attack which allows any passive adversary to decrypt the encrypted messages. Moreover, our attack is efficient and provides good experimental results.

Preliminaries
We present in this section the essential background on lattices and Gaussian integers, and the algorithms we use in our attack.
Notation. We use small letters and capital letters to denote vectors and matrices, respectively. Capital letters are also used for Gaussian integers. In order to avoid confusion, we write Gaussian integers in the form A = a_1 + a_2 i. We denote by ⟨a, b⟩ the inner product of two vectors a and b.

Background
Given linearly independent vectors b_1, b_2, …, a lattice L is the set of all linear combinations of the b_i with integral coefficients.
We say that b_1, b_2, … is a basis of the lattice L; the number of basis vectors is the rank of L and the number of coordinates is its dimension. If the rank equals the dimension, the lattice is called a full-rank lattice. We define the norm ‖a‖ of a vector a to be the Euclidean norm.
The orthogonal lattice L^⊥ of L is the set of integer vectors orthogonal to all the vectors of L. It makes sense to speak about the orthogonal lattice only for non-full-rank lattices, where the rank m is smaller than the dimension n. The lattice L^⊥ then has dimension n and rank n − m.
One important tool in cryptanalysis, the LLL algorithm [5], was published in 1982 and since then a number of schemes have been broken [7][8][9] by using it. Several improvements that reduce its complexity appeared in [10,11]. Given a basis of a lattice L, the aim of the LLL algorithm is to provide an LLL-reduced basis whose first vector gives an approximation of the shortest non-zero vector of L. It is also possible to apply the LLL algorithm to compute the orthogonal lattice L^⊥ (see Algorithm 2.1).
The notation

Gaussian Integers
Gaussian integers are represented by the set Z[i]. The norm of a Gaussian integer R = r_1 + r_2 i is denoted by N(R). Two Gaussian integers are relatively prime if they have no prime factors in common. To obtain a unique remainder when reducing modulo a Gaussian integer we need the following definition:
Definition 1 ([1]). Given two Gaussian integers A = a_1 + a_2 i and R = r_1 + r_2 i, we say that A is a primary residue modulo R if the following 4 inequalities are satisfied:

All primary residues modulo R are located inside the square with vertices

This definition allows us to state the following theorem:
Theorem 1. For any two Gaussian integers

For completeness, we provide in this section all the definitions used in the formalization of the scheme for which we construct an attack.
Definition 2. Primes in Z[i] can be expressed in one of the following forms:

Double Moduli Cryptosystem
The cryptosystem introduced by Verkhovsky in [1], for which we construct an attack, is described in this section. We assume an a priori agreed large integer n. Apart from the value n, which is an integer, all the other parameters and inputs are Gaussian integers.

Encryption/Decryption Algorithms
Algorithm 3.1 presents the steps followed by a participant with the aim of obtaining its public and private keys. The private key consists of two parts, P and R, which are relatively prime. Here, P is invertible modulo n. The public key, U, is obtained by multiplying R with the inverse of P modulo n. Before encryption, one has to pre-condition the plaintext so that it is a primary residue modulo R, where R is part of the private key. Since R is not known to the sender, a threshold is imposed so that the inequalities from Definition 1 hold. The pre-conditioned plaintext must be selected such that the real and imaginary parts stay below this upper bound. The algorithms of pre-conditioning and recovery of a plaintext are described afterwards.
Algorithm 3.2 shows how to encrypt a pre-conditioned plaintext W. Besides the public key U, the sender periodically chooses a new value S. After hiding the value of the public key by multiplying it with S, the ciphertext is obtained by adding this product to the plaintext.
After receiving the ciphertext, and provided that it holds the correct private keys, the receiver is able to decrypt the message by following the steps of Algorithm 3.3. After the first step of the algorithm the receiver will have computed D = PW + RS. In the second step, he is able to compute the inverse of one private-key component modulo the other, as P and R were chosen such that they are relatively prime. Finally, in the last step, the pre-conditioned plaintext is obtained. Afterwards, the receiver runs the plaintext recovery algorithm, which is illustrated later.

Plaintext Pre-Conditioning
As aforementioned, the plaintext is pre-conditioned before being encrypted. Similarly, a plaintext recovery algorithm is necessary in order to obtain the original message after decryption. These two transformations are illustrated in Algorithms 3.4 and 3.5. As W must be a primary residue modulo R, the sender must ensure that the original plaintext M is split into blocks of appropriate sizes.

Using LLL to Break the Scheme
This section presents our lattice attack. We prove that the double-moduli scheme is insecure, as any passive adversary that observes the encrypted messages can decrypt them with non-negligible probability.

Lattice Attack
An attacker is a probabilistic algorithm which runs in polynomial time. From Algorithm 3.1 an attacker can observe the following relation between P, R and U: the public key U equals R multiplied by the inverse of P modulo n. Using this relation he is able to obtain an equivalent private key. This equivalent key is not necessarily the private key (P, R), but can be used to decrypt the encrypted message correctly. We write the aforementioned relation for the real and imaginary parts and separate the known parts from the unknown ones, obtaining a pair of linear equations. With the design constraints of the scheme, where both components of the private key are of size n and the public key and the remaining unknowns have prescribed sizes as well, the two known coefficient vectors v_1 and v_2 are linearly independent and also orthogonal. They form the basis B of a lattice L. We apply Algorithm 2.1 to obtain a reduced basis B^⊥ of L^⊥. The four vectors of B^⊥ should be small, in the sense that their norm should be at most det(L)^{1/4} [12]. As v_1 and v_2 are orthogonal, the determinant of L is easily computed as the product of their norms. Thus, the vectors of the reduced basis of L^⊥ have a norm bound that follows directly from this determinant. Comparing this bound with the norm of the vector we are looking for, which is of the same order, indicates that the sought vector may not be the shortest vector of L^⊥. Nevertheless, using the vectors from B^⊥ we can find an equivalent key that decrypts the ciphertext C correctly. With the results we have so far, we can design a decryption strategy for an attacker, illustrated in Algorithm 4.1. Algorithm 4.2 follows.
The following lemma proves that the experiment works correctly: given the ciphertext and the public key, the attacker is able to obtain an equivalent private key. We can bound the value of x from the stated equality, which gives us 13 possibilities for x. Using the last equality and computing the corresponding value, we obtain the claimed result. If we analyze the complexity of Algorithm 4.1, we easily see that each step is completed in polynomial time. By running Algorithm 4.1, an adversary is able to decrypt any message with high probability. Thus, the scheme is not secure (i.e. not even one-way secure).
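The key relation of Algorithms 3.1 to 3.3 and the orthogonal-lattice step of the attack, as an added example written for this page (not code from the paper or from Verkhovsky's implementation). It assumes Gaussian integers represented as (real, imag) pairs reduced componentwise modulo n; the two relation vectors v1, v2 are derived here from the real and imaginary parts of P·U ≡ R (mod n) (my derivation, since the paper's printed equation is not on this page); the orthogonal lattice is computed by the standard LLL-on-[I | K·Bᵀ] construction, which is assumed to be what Algorithm 2.1 does; n, P, R, W and S are constructed toy values. Every vector of the orthogonal lattice returned by LLL is an equivalent key (P', R') with P'·U ≡ R' (mod n), so the first decryption step with (P', R') yields P'W + R'S mod n exactly as with the real key. The primary-residue reduction of the last step of Algorithm 3.3 is not reproduced, because its inequalities are not on this page.

```python
# Added example, not code from the paper or from Verkhovsky's implementation:
# the key relation P*U = R (mod n) of the double-moduli scheme turned into an
# orthogonal-lattice problem and solved with LLL.  Assumptions: Gaussian
# integers are (real, imag) tuples reduced componentwise mod n; v1, v2 are
# derived here from the real/imaginary parts of the relation; the orthogonal
# lattice is computed the standard way, by LLL-reducing [I | K*B^T] for a large
# scaling factor K; n, P, R, W, S are constructed toy values.
from fractions import Fraction

def gmul(a, b):  # product of Gaussian integers given as (real, imag) tuples
    return (a[0] * b[0] - a[1] * b[1], a[0] * b[1] + a[1] * b[0])

def gmod(a, n):  # componentwise reduction modulo the integer n
    return (a[0] % n, a[1] % n)

def ginv_mod(a, n):  # A^{-1} = conj(A) * N(A)^{-1} mod n; needs gcd(N(A), n) = 1
    inv_norm = pow(a[0] ** 2 + a[1] ** 2, -1, n)
    return ((a[0] * inv_norm) % n, (-a[1] * inv_norm) % n)

def keygen(n, P, R):  # Algorithm 3.1: U = R * P^{-1} mod n; private key (P, R)
    return gmod(gmul(R, ginv_mod(P, n)), n)

def encrypt(n, U, W, S):  # Algorithm 3.2: C = W + U*S mod n
    us = gmul(U, S)
    return gmod((W[0] + us[0], W[1] + us[1]), n)

def decrypt_step1(n, P, C):  # Algorithm 3.3, step 1: D = P*C = P*W + R*S mod n
    return gmod(gmul(P, C), n)

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL with exact rational arithmetic (fine for six short rows)."""
    b = [list(v) for v in basis]
    m = len(b)

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * m for _ in range(m)]
        for i in range(m):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < m:
        for j in range(k - 1, -1, -1):  # size-reduce b[k] against earlier rows
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                mu[k][j] -= q
                for l in range(j):
                    mu[k][l] -= q * mu[j][l]
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b

def orthogonal_lattice(vectors, K):
    """Assumed form of Algorithm 2.1: LLL-reduce [I | K*v1^T K*v2^T]; reduced
    rows with a zero scaled tail span the integer vectors orthogonal to all v."""
    d = len(vectors[0])
    rows = [[int(i == j) for j in range(d)] + [K * v[i] for v in vectors] for i in range(d)]
    return [row[:d] for row in lll_reduce(rows) if not any(row[d:])]

def relation_vectors(n, U):
    """Real and imaginary parts of P*U - R = n*(k1 + k2 i) with knowns separated:
    the unknown x = (p1, p2, r1, r2, k1, k2) satisfies x.v1 = x.v2 = 0."""
    u1, u2 = U
    return [u1, -u2, -1, 0, -n, 0], [u2, u1, 0, -1, 0, -n]

def private_key_vector(n, P, R, U):  # the real key as a vector of L^perp
    pu = gmul(P, U)
    return [P[0], P[1], R[0], R[1], (pu[0] - R[0]) // n, (pu[1] - R[1]) // n]

def lattice_attack(n, U, K=None):
    """Short vectors of L^perp are equivalent keys (P', R') with P'*U = R' (mod n)."""
    basis = orthogonal_lattice(list(relation_vectors(n, U)), K or n * n)
    return [((x[0], x[1]), (x[2], x[3])) for x in basis]

def is_equivalent_key(n, U, Pp, Rp):
    return gmod(gmul(Pp, U), n) == gmod(Rp, n)

if __name__ == "__main__":
    n, P, R = 1000003, (617, 389), (431, 823)  # constructed toy parameters
    U = keygen(n, P, R)
    for Pp, Rp in lattice_attack(n, U):
        print(Pp, Rp, is_equivalent_key(n, U, Pp, Rp))
```

Run as a script it prints the four short vectors of the reduced orthogonal basis as candidate keys, each satisfying the public-key relation. The scaling factor K = n² is deliberately generous: the usual requirement for the [I | K·Bᵀ] trick is only that K exceed 2^{(d−1)/2} times the fourth successive minimum of L^⊥, and the rational-arithmetic LLL here is meant for this six-dimensional lattice, not for large dimensions.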

Experimental Results
The experiments were done on an INTEL Q9550 2.83 GHz processor, running a 32-bit version of Windows 7.
The implementation of the scheme and of the attack was done in the PARI-GP environment. The structure of the scheme was respected as it is described in Algo- In almost all the cases one of the candidate messages was the original plaintext. The very few cases in which the message is not recovered are due to two possible scenarios. It may happen that all four possible values of R are smaller than the message, so that the attacker loses the value of the message when performing the reduction. The second scenario may be that none of the four possible values of P and R are relatively prime. This can be repaired by constructing a new private key as a linear combination of the four possible private keys, using small coefficients.
⟨a, b⟩ denotes the inner product of two vectors a and b.
If the rank equals the dimension, the lattice is called a full-rank lattice.
Two Gaussian integers are relatively prime if they have no prime factors in common. The greatest (in the sense of the norm) common divisor of any two elements of Z[i]