RSA as Hidden Subgroup Problem

▍The Hidden Subgroup Problem is an important problem from Computer Science / Mathematics and actually covers several well known problems as a special case. The formal statement of the problem is:

Definition [Hidden Subgroup Problem (HSP)] Let $\mathbb{G}$ be a group and $\mathbb{H}$ an unknown subgroup of $\mathbb{G}$, i.e., $\mathbb{H} \leq \mathbb{G}$. Let $S$ be any set and $f$ be a function that maps the group elements of $\mathbb{G}$ to $S$, i.e., $f: \mathbb{G} \rightarrow S$. The function $S$ has the special property that it can distinguish cosets of $\mathbb{H}$: $$ f(e_1) = f(e_2) \Leftrightarrow e_1\mathbb{H} = e_2\mathbb{H} $$ The Problem is, given $\mathbb{G}$ and access to the function $f$, to determine a generating set for the subgroup $\mathbb{H}$ ∎ 

The notation $e\mathbb{H}$ denotes the coset $$e\mathbb{H} = \left\{eh | h \in \mathbb{H}\right\}$$. Problems that can be described as an instance of the HSP are for example:

1. Integer Factorization Problem
2. Discrete Logarithm Problem
3. Shortest Vector Problem
4. Deutsch Problem
5. Simon's Problem

and probably many more. The definition of the HSP above seems very abstract, but the subgroup $\mathbb{H}$ actually covers the usual integers of interest, e.g. divisors of $\varphi(N)$ in case of the Factorization Problem or multiples of the exponents in question in case of the Discrete Logarithm Problem. Shors Algorithm is a special instance of an HSP-Solver that finds the period of the function $g^x \pmod{N}$, i.e., it finds divisors of $\varphi(N)$. However, his algorithm only works in the ablian case. How to solve the HSP efficiently for non abelian groups is not known, also for quantum computers. The Shortest Vector Problem is a hard problem for quantum computers. So it is no surprise, that the reduction from SVP to HSP brings into play a non abelian group, the dihidral group.

LCS35 Challenge [SOLVED - April 2019]

LCS35 IS SOLVED. It had been confirmed that Bernard Fabrot solved the challenge using a Core i7-6700, the GNU Multiple Precision Arithmetic Library and 3,5 years of time.

The LCS35 challenge (see also Scienceblogs) is a neat little and still unsolved challenge posed by Ron Rivest, one of the inventors of the famous RSA cryptosystem, back in the year 1999. It consists of a single task: Given 2048-bit RSA integer $n$ and an exponent $t$, compute the following value $W$: $$W \equiv 2^{(2^t)}  \pmod{N}$$ The actual values for the challenge are:

n = 631446608307288889379935712613129233236329881833084137558899
    077270195712892488554730844605575320651361834662884894808866
    350036848039658817136198766052189726781016228055747539383830
    826175971321892666861177695452639157012069093997368008972127
    446466642331918780683055206795125307008202024124623398241073
    775370512734449416950118097524189066796385875485631980550727
    370990439711973361466670154390536015254337398252457931357531
    765364633198906465140213398526580034199190398219284471021246
    488745938885358207031808428902320971090703239693491996277899
    532332018406452247646396635593736700936921275809208629319872
    7008292431243681

t = 79685186856218

Additionally, there is an integer $z$, which has to be xor'ed with $W$ to reveal the actual 'plaintext', i.e.: $$\text{Plaintext} \leftarrow z \otimes W $$ The given value for $z$ is:

z = 427338526681239414707099486152541907807623930474842759553127
    699575212802021361367225451651600353733949495680760238284875
    258690199022379638588291839885522498545851997481849074579523
    880422628363751913235562086585480775061024927773968205036369
    669785002263076319003533000450157772067087172252728016627835
    400463807389033342175518988780339070669313124967596962087173
    533318107116757443584187074039849389081123568362582652760250
    029401090870231288509578454981440888629750522601069337564316
    940360631375375394366442662022050529545706707758321979377282
    989361374561414204719371297211725179287931039547753581030226
    7611143659071382

As written in [1], the plaintext consists of two parts. One is a secret message and the second part is a hint towards the factorisation of $n$, i.e., the exponent $E$, such that $\text{nextPrime}(5^E \text{ mod }2^{1024})$ is a divisor of $n$. They designed the challenge such that, even when considering Moore's Law, it will probably first be solved around the year 2035. The reason that this might probably be true is, that this problem is non parallelizable. It is a linear operation that only involves squaring the previous output. $$ (2^{2^0})^2 = 2^{(2^1)} \rightarrow (2^{(2^1)})^2 = 2^{(2^2)} \rightarrow (2^{(2^2)})^2 = 2^{(2^3)}\rightarrow \ldots \rightarrow (2^{(2^{t-1})})^2 = 2^{(2^t)}$$ It is compareable to the Proof-Of-Work method, modern crypto currency use to mine their coins. If the factorisation of $n$ is known, than this task would be very easy, even if $t$ would be much larger, say around the size of $n$. One simply computes $$2^t \equiv e \pmod{\varphi(n)}$$ and afterward $2^e \equiv W\pmod{N}$. Since $e < \varphi(n) < n$, this is of complexity $\mathcal{O}(\text{log}_2 n)$ and thus can be computed in milliseconds on modern PCs.

Homomorphic encryption using Ring Fixpoints

❚ In the previous post, i gave a short introduction about homomorphic encryption and presented the DGHV scheme [5] as an example. The scheme was published in 2010 and got several important updates from Coron et al. in the following papers:

[1], 2011 : The first improvement enhances the original system by reducing the size of the public key from $\mathcal{\tilde{O}}(\lambda^{10})$ to $\mathcal{\tilde{O}}(\lambda^{7})$. The idea is, to publish fewer elements that can be combined on-the-fly to reach a larger public key if necessary. To achieve this, they need the already discussed optimization to set $x_0 = pq_0$, hence they settle the system on the stronger partial approximate common divisor problem.

[2], 2012 : In this paper, they further reduce the size of the public key down to $\mathcal{\tilde{O}}(\lambda^5)$. Instead of storing the large numbers $r_i+pq_i$, they only store a public seed $\text{se}$ and a set of small $\delta_i$ values that are of size $~p$. To recover the original public key, the seed $\text{se}$ is fed into the PRNG and it is $x_i = \text{PRNG}_i(\text{se}) - \delta_i$. The published $\delta_i$ are chosen that way that $$x_i = \text{PRNG}_i(\text{se}) - \delta_i \equiv r_i\pmod{q}, r_i\;\text{small}$$ The $\delta_i$ are now of the same bitsize as $p$ which is much smaller than the $x_i$ values, that were stored previously. Additionally, the apply the concept of modulus switching to the DGHV scheme. Modulus switching is a technique to reduce the noise level of a ciphertext. It does not allow infinitely many homomorphic operations, but reduces the noise grow rate from exponentially to linear (i.e. a leveled scheme), which is huge.

[3], 2013 : In this paper, the authors enhance the performance of the DGHV scheme, by converting it to a batch scheme, i.e., a scheme which allows to simultaneously process a vector of plaintexts bits. Just view this technique as some kind of parallel execution. In a simplified form, their idea is not to use a single prime $p$ as their secret key, but to use several such primes $p_0,p_1,...,p_{l-1}$. Hence their public key consists not of integers $x_i = r_i+q_ip$ but $x_i = r_i+q_i\prod^{l-1}_{j=0} p_j$. Each $p_j$ is responsible for another plaintext bit, and the ciphertext is then $$c= \text{CRT}_{p_0,...,p_{l-1}}(2r_0+m_0,...,2r_{l-1}+m_{r-1}) + q\prod^{l-1}_{j=0} p_j$$ (CRT = Chinese Remainder Theorem). Each bit can be recovered individually by computing $c$ mod $p_j$.

[4], 2014 : In this paper, the authors apply the scale-invariant property to the DGHV scheme. This technique allows get linear noise grow rate but without modulus switching. The key trick is, given a ciphertext $c$, that the message is not anymore encoded in the least significant bit of $c\;\text{mod}\;p$ but in the most significant bit of $c\;\text{mod}\;p$. A ciphertext $c$ has the form $$\text{TYPE-1:}\;\;c = r + (m+2r')\frac{p-1}{2}+qp^2$$ After multiplication of two ciphertexts $c_1$ and $c_2$ one gets a ciphertext of the form $$\text{TYPE-2:}\;\;2c_1c_2 = r'' + m_1m_2\frac{p^2-1}{2}+q'p^2$$. Then they show how publicly convert a TYPE-2 ciphertext back to TYPE-1.

Below the fold, i show how to use fixpoints of a RSA modul for homomorphic encryption.