Skip to content
Cryptography
Fundamentals
Lattices

Lattices

This section was made using A Gentle Tutorial for Lattice-Based Cryptanalysis and the Cryptohack lattice section.

Lattices definition

Lattice

Given linarly independent vectors v1,v2,,vnRmv_1, v_2, \dots, v_n \in \mathbb{R}^m, the lattice generated by b1,b2,,bnb_1, b_2, \dots, b_n is the set of all integer linear combinations of b1,b2,,bnb_1, b_2, \dots, b_n:

L={x1b1+x2b2++xnbn:xiZ}L = \lbrace x_1b_1 + x_2b_2 + \dots + x_nb_n : x_i \in \mathbb{Z} \rbrace

Lattice based problems

Many cryptography problems can be reduced to lattice-based problems. These probleme can then be seen as a lattice problem, usually SVP or CVP which can be solved using the LLL algorithm.

Lattice-based problems
Finding small roots of polynomials
Knapsack problem
Hidden number problem
Extended HNP

Finding small roots of polynomials

Finding small roots of polynomials modulo a composite integer can be solved using Coppersmith’s method.

Small roots problem

Given an integer NN and a monic polynomial f(x)f(x) of degree dd with coefficients in ZN\mathbb{Z}_N, find all xx\in ZN\mathbb{Z}_N such that f(x)0modNf(x) \equiv 0 \mod N and x<B\vert x \vert < B. This means solving:

f(x)=xd+ad1xd1++a1x+a00modNf(x) = x^d + a_{d-1} x^{d-1} + \dots + a_1 x + a_0 \equiv 0 \mod N

This problem can be solved using the LLL algorithm on:

(NBNB2NBd1Na0a1a2ad1Bd) \left(\begin{array}{cc} N & & & & & \\\\ & BN & & & & \\\\ & & B^2N & & & \\\\ & & & \ddots & & \\\\ & & & & B^{d-1}N & \\\\ a_0 & a_1 & a_2 & \dots & a_{d-1} & B^d \end{array}\right)

Subset sum problem

The subset sum problem is a special case of the knapsack problem.

Subset sum problem

Given a set of integers S={s1,s2,,sn}S = \lbrace s_1, s_2, \dots, s_n \rbrace and a target integer tt, find a subset SSS' \subseteq S such that

siSsi=t\sum_{s_i \in S'} s_i = t

Hidden number problem

Hidden number problem

Given a a prime pp and a secret integer αZp\alpha \in \mathbb{Z}_p, the hidden number problem is to find xx mm pairs of integers (ti,ai)(t_i, a_i) for i=1,2,,mi = 1, 2, \dots, m such that

βitiα+ai0modp \beta_i - t_i \alpha + a_i \equiv 0 \mod p

where βi\beta_i are unknown small integers: βi<B\vert \beta_i \vert < B with BB a bound on the size of the βi\beta_i.

This problem can be solved using the LLL algorithm on:

(pppt1t2tmB/pa1a2amB/p) \left(\begin{array}{cc} p & & & & & \\\\ & p & & & & \\\\ & & \ddots & & & \\\\ & & & p & & \\\\ t_1 & t_2 & \dots & t_m & B/p & \\\\ a_1 & a_2 & \dots & a_m & & B/p \end{array}\right)

which will have (β1,β2,,βm,αB/p,B)(\beta_1, \beta_2, \dots, \beta_m, \alpha B / p, -B) as a short vector.

Use this python script for a quick implementation of this. If you need to be more precise, use this github repository