Analyzing Blockwise Lattice Algorithms using Dynamical Systems
Size: px
Start display at page:

Download "Analyzing Blockwise Lattice Algorithms using Dynamical Systems"

Transcription

1 Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol, Damien Stehlé ENS Lyon, LIP (CNRS ENSL INRIA UCBL - ULyon) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 1/16

2 Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

3 Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

4 Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

5 Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

6 Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

7 Contributions We give the first worst-case analysis of BKZ. We introduce a new BKZ model. It gives new tools for understanding lattice algorithms. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 3/16

8 Contributions We give the first worst-case analysis of BKZ. We introduce a new BKZ model. It gives new tools for understanding lattice algorithms. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 3/16

9 Contributions We give the first worst-case analysis of BKZ. We introduce a new BKZ model. It gives new tools for understanding lattice algorithms. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 3/16

10 Lattices a 1 a 2 (SVP) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

11 Lattices b 1 b 2 (SVP)Lattice reduction(svp) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

12 Lattices b 1 b 2 (SVP)Determinant(SVP) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

13 Lattices b 1 b 2 Hermite factor of B: HF(b 1,...,b n ) = b 1 (detl) 1/n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector 0, then HF(b 1,...,b n ) γ n, with γ n = Hermite constant n. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

14 Lattices b 1 b 2 Hermite factor of B: HF(b 1,...,b n ) = b 1 (detl) 1/n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector 0, then HF(b 1,...,b n ) γ n, with γ n = Hermite constant n. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

15 Lattices b 1 b 2 Hermite factor of B: HF(b 1,...,b n ) = b 1 (detl) 1/n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector 0, then HF(b 1,...,b n ) γ n, with γ n = Hermite constant n. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

16 Hierarchy of lattice reductions in dimension n x i = log b i for i n (b 1,...,b n = Gram-Schmidt basis of B). Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

17 Hierarchy of lattice reductions in dimension n x i = log b i for i n (b 1,...,b n = Gram-Schmidt basis of B). HKZ Hermite-Korkine-Zolorareff BKZ β Block Korkine-Zolotareff LLL Lenstra-Lenstra-Lovász x 1 x 2 x 3 x 4 x 5 x 6 HF: γ n (γ β ) n 2β (γ 2 ) n 2 Time: 2 O(n) 2 O(β)? Poly(n) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

18 Hierarchy of lattice reductions in dimension n x i = log b i for i n (b 1,...,b n = Gram-Schmidt basis of B). HKZ Hermite-Korkine-Zolorareff BKZ β Block Korkine-Zolotareff LLL Lenstra-Lenstra-Lovász x 1 x 2 x 3 x 4 x 5 x 6 x 6 HF: γ n (γ β ) n 2β (γ 2 ) n 2 Time: 2 O(n) 2 O(β)? Poly(n) x 1 x 2 x 3 x 4 x 5 Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

19 Hierarchy of lattice reductions in dimension n x i = log b i for i n (b 1,...,b n = Gram-Schmidt basis of B). HKZ Hermite-Korkine-Zolorareff BKZ β Block Korkine-Zolotareff LLL Lenstra-Lenstra-Lovász x 1 x 2 x 3 x 4 x 5 x 6 x 1 x 2 x 3 x 4 x 5 x 6 x 1 x 2 x 3 x 4 x 5 x 6 HF: γ n (γ β ) n 2β (γ 2 ) n 2 Time: 2 O(n) 2 O(β)? Poly(n) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

20 Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is 25. Other reductions in time 2 O(β) Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction....but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

21 Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is 25. Other reductions in time 2 O(β) Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction....but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

22 Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is 25. Other reductions in time 2 O(β) Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction....but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

23 Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is 25. Other reductions in time 2 O(β) Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction....but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

24 Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is 25. Other reductions in time 2 O(β) Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction....but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

25 BKZ Algorithm (BKZ β, modified version) Input: B of dimension n. Repeat... times For i from 1 to n β +1 do Size-reduce B. HKZ-reduce a projection of the block (b i,...,b i+β 1 ). Report the transformation on B. Termination? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 7/16

26 BKZ Algorithm (BKZ β, modified version) Input: B of dimension n. Repeat... times For i from 1 to n β +1 do Size-reduce B. HKZ-reduce a projection of the block (b i,...,b i+β 1 ). Report the transformation on B. Termination? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 7/16

27 BKZ Algorithm (BKZ β, modified version) Input: B of dimension n. Repeat... times For i from 1 to n β +1 do Size-reduce B. HKZ-reduce a projection of the block (b i,...,b i+β 1 ). Report the transformation on B. Termination? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 7/16

28 Progress made during the execution of BKZ Quality of BKZ output BKZ Hermite factor ^ (1 / n) Number of tours Experience on 64 LLL-reduced knapsack-like matrices (n = 108, β = 24). Analyzing Blockwise Lattice Algorithms using Dynamical Systems 8/16

29 Progress made during the execution of BKZ Quality of BKZ output BKZ Hermite factor ^ (1 / n) Number of tours Experience on 64 LLL-reduced knapsack-like matrices (n = 108, β = 24). Analyzing Blockwise Lattice Algorithms using Dynamical Systems 8/16

30 Our result γ β = Hermite constant β. L a lattice with basis (b 1,...,b n ). Theorem ( n 3 After O β 2 ( log n ǫ +loglogmax b i (detl) 1/n BKZ β returns a basis C of L such that: HF(C) (1+ǫ)γ β n 1 2(β 1) )) calls to HKZ β, Analyzing Blockwise Lattice Algorithms using Dynamical Systems 9/16

31 Sandpile model We consider only x i = log bi for i n. We assume that HKZ-reductions correspond to a fixed pattern. The information on the initial x i s fully determines the x i s after a call to HKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 10/16

32 Sandpile model We consider only x i = log bi for i n. We assume that HKZ-reductions correspond to a fixed pattern. The information on the initial x i s fully determines the x i s after a call to HKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 10/16

33 Sandpile model We consider only x i = log bi for i n. We assume that HKZ-reductions correspond to a fixed pattern. The information on the initial x i s fully determines the x i s after a call to HKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 10/16

34 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

35 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

36 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

37 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

38 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

39 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

40 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

41 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

42 Matrix interpretation X = (x 1,...,x n ) T X 0.5 A 1 X X 1 A 1 X +Γ 1 X 2 A 2 X 1 +Γ 2... X k = A k X k +Γ k with k = n β +1 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 A full tour: X AX +Γ Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

43 Matrix interpretation x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 X = (x 1,...,x n ) T X 0.5 A 1 X X 1 A 1 X +Γ 1 X 2 A 2 X 1 +Γ 2... X k = A k X k +Γ k with k = n β +1 A full tour: X AX +Γ Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

44 Matrix interpretation x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 X = (x 1,...,x n ) T X 0.5 A 1 X X 1 A 1 X +Γ 1 X 2 A 2 X 1 +Γ 2... X k = A k X k +Γ k with k = n β +1 A full tour: X AX +Γ Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

45 Matrix interpretation X = (x 1,...,x n ) T X 0.5 A 1 X X 1 A 1 X +Γ 1 X 2 A 2 X 1 +Γ 2... X k = A k X k +Γ k with k = n β +1 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 A full tour: X AX +Γ Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

46 Matrix interpretation X = (x 1,...,x n ) T X 0.5 A 1 X X 1 A 1 X +Γ 1 X 2 A 2 X 1 +Γ 2... X k = A k X k +Γ k with k = n β +1 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 A full tour: X AX +Γ Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

47 Matrix interpretation X = (x 1,...,x n ) T X 0.5 A 1 X X 1 A 1 X +Γ 1 X 2 A 2 X 1 +Γ 2... X k = A k X k +Γ k with k = n β +1 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 A full tour: X AX +Γ Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

48 Quality of the output Method: study the fixed point of: X = AX +Γ The β last x i s have the shape of an HKZ-reduced basis. Asymptotically, line of slope logγ β β 1. x i O((logβ) 2 ) Corresponds to a Hermite factor close to γ n 1 2(β 1) β. i Analyzing Blockwise Lattice Algorithms using Dynamical Systems 13/16

49 Quality of the output Method: study the fixed point of: X = AX +Γ The β last x i s have the shape of an HKZ-reduced basis. Asymptotically, line of slope logγ β β 1. (n β) logγ β β 1 x i O((logβ) 2 ) Corresponds to a Hermite factor close to γ n 1 2(β 1) β. i Analyzing Blockwise Lattice Algorithms using Dynamical Systems 13/16

50 Quality of the output Method: study the fixed point of: X = AX +Γ The β last x i s have the shape of an HKZ-reduced basis. Asymptotically, line of slope logγ β β 1. (n β) logγ β β 1 x i O((logβ) 2 ) Corresponds to a Hermite factor close to γ n 1 2(β 1) β. i Analyzing Blockwise Lattice Algorithms using Dynamical Systems 13/16

51 Fast convergence Dynamical system: X AX +Γ Method: study of the eigenvalues of A T A. Result: the largest eigenvalue of A T A smaller than 1 is 1 1 β 2 2 n 2. X X decreases by a constant factor every n2 β 2 tours. leads to the claimed complexity bound. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 14/16

52 Fast convergence Dynamical system: X AX +Γ Method: study of the eigenvalues of A T A. Result: the largest eigenvalue of A T A smaller than 1 is 1 1 β 2 2 n 2. X X decreases by a constant factor every n2 β 2 tours. leads to the claimed complexity bound. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 14/16

53 Fast convergence Dynamical system: X AX +Γ Method: study of the eigenvalues of A T A. Result: the largest eigenvalue of A T A smaller than 1 is 1 1 β 2 2 n 2. X X decreases by a constant factor every n2 β 2 tours. leads to the claimed complexity bound. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 14/16

54 From the model to the real algorithm The results from the previous section cannot be used directly. By averaging the x i s, a rigorous adaptation becomes possible. Working on the averages suffices to get the result. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 15/16

55 From the model to the real algorithm The results from the previous section cannot be used directly. By averaging the x i s, a rigorous adaptation becomes possible. Working on the averages suffices to get the result. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 15/16

56 From the model to the real algorithm The results from the previous section cannot be used directly. By averaging the x i s, a rigorous adaptation becomes possible. Working on the averages suffices to get the result. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 15/16

57 Conclusion First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16

58 Conclusion First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16

59 Conclusion First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16

60 Conclusion First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16

61 Conclusion First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16

Similar documents

Measuring, simulating and exploiting the head concavity phenomenon in BKZ

Measuring, simulating and exploiting the head concavity phenomenon in BKZ Measuring, simulating and exploiting the head concavity phenomenon in BKZ Shi Bai 1, Damien Stehlé 2, and Weiqiang Wen 2 1 Department of Mathematical Sciences, Florida Atlantic University. Boca Raton.

More information

Practical, Predictable Lattice Basis Reduction

Practical, Predictable Lattice Basis Reduction Practical, Predictable Lattice Basis Reduction Daniele Micciancio and Michael Walter University of California, San Diego {miwalter,daniele}@eng.ucsd.edu Abstract. Lattice reduction algorithms are notoriously

More information

Solving the Shortest Lattice Vector Problem in Time n

Solving the Shortest Lattice Vector Problem in Time n Solving the Shortest Lattice Vector Problem in Time.465n Xavier Pujol 1 and Damien Stehlé 1 Université de Lyon, Laboratoire LIP, CNRS-ENSL-INRIA-UCBL, 46 Allée d Italie, 69364 Lyon Cedex 07, France CNRS,

More information

Analyzing Blockwise Lattice Algorithms Using Dynamical Systems

Analyzing Blockwise Lattice Algorithms Using Dynamical Systems Analyzing Blockwise Lattice Algorithms Using Dynamical Systems Guillaume Hanrot 1,XavierPujol 1, and Damien Stehlé 2 1 ÉNSLyon,LaboratoireLIP(ULyon,CNRS,ENSLyon,INRIA,UCBL), 46 Allée d Italie, 69364 Lyon

More information

Practical, Predictable Lattice Basis Reduction

Practical, Predictable Lattice Basis Reduction Practical, Predictable Lattice Basis Reduction Daniele Micciancio UCSD daniele@eng.ucsd.edu Michael Walter UCSD miwalter@eng.ucsd.edu Abstract Lattice reduction algorithms are notoriously hard to predict,

More information

Predicting Lattice Reduction

Predicting Lattice Reduction Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite

More information

Predicting Lattice Reduction

Predicting Lattice Reduction Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite

More information

Lattice Reduction for Modular Knapsack

Lattice Reduction for Modular Knapsack Lattice Reduction for Modular Knapsack Thomas Plantard, Willy Susilo, and Zhenfei Zhang Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University

More information

Lattice Reduction Algorithms: Theory and Practice

Lattice Reduction Algorithms: Theory and Practice Lattice Reduction Algorithms: Theory and Practice Phong Q. Nguyen INRIA and ENS, Département d informatique, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/ Abstract. Lattice reduction

More information

BKZ 2.0: Better Lattice Security Estimates

BKZ 2.0: Better Lattice Security Estimates BKZ 2.0: Better Lattice Security Estimates Yuanmi Chen and Phong Q. Nguyen 1 ENS, Dept. Informatique, 45 rue d Ulm, 75005 Paris, France. http://www.eleves.ens.fr/home/ychen/ 2 INRIA and ENS, Dept. Informatique,

More information

Lattice Reduction of Modular, Convolution, and NTRU Lattices

Lattice Reduction of Modular, Convolution, and NTRU Lattices Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe

More information

Lattice reduction for modular knapsack

Lattice reduction for modular knapsack University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 Lattice reduction for modular knapsack Thomas

More information

A Hybrid Method for Lattice Basis Reduction and. Applications

A Hybrid Method for Lattice Basis Reduction and. Applications A Hybrid Method for Lattice Basis Reduction and Applications A HYBRID METHOD FOR LATTICE BASIS REDUCTION AND APPLICATIONS BY ZHAOFEI TIAN, M.Sc. A THESIS SUBMITTED TO THE DEPARTMENT OF COMPUTING AND SOFTWARE

More information

Improved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract)

Improved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract) Improved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract) Guillaume Hanrot 1 and Damien Stehlé 2 1 LORIA/INRIA Lorraine, Technopôle de Nancy-Brabois, 615 rue du jardin botanique,

More information

On estimating the lattice security of NTRU

On estimating the lattice security of NTRU On estimating the lattice security of NTRU Nick Howgrave-Graham, Jeff Hoffstein, Jill Pipher, William Whyte NTRU Cryptosystems Abstract. This report explicitly refutes the analysis behind a recent claim

More information

A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors

A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors Dan Ding 1, Guizhen Zhu 2, Yang Yu 1, Zhongxiang Zheng 1 1 Department of Computer Science

More information

Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems

Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems Thijs Laarhoven Joop van de Pol Benne de Weger September 10, 2012 Abstract This paper is a tutorial introduction to the present

More information

Finding shortest lattice vectors faster using quantum search

Finding shortest lattice vectors faster using quantum search Finding shortest lattice vectors faster using quantum search Thijs Laarhoven Michele Mosca Joop van de Pol Abstract By applying a quantum search algorithm to various heuristic and provable sieve algorithms

More information

Euclidean lattices: algorithms and cryptography

Euclidean lattices: algorithms and cryptography Euclidean lattices: algorithms and cryptography Damien Stehlé To cite this version: Damien Stehlé. Euclidean lattices: algorithms and cryptography. Cryptography and Security [cs.cr]. Ecole normale supérieure

More information

Solving shortest and closest vector problems: The decomposition approach

Solving shortest and closest vector problems: The decomposition approach Solving shortest and closest vector problems: The decomposition approach Anja Becker 1, Nicolas Gama 2, and Antoine Joux 3 1 EPFL, École Polytechnique Fédérale de Lausanne, Switzerland 2 UVSQ, Université

More information

Dimension-Preserving Reductions Between Lattice Problems

Dimension-Preserving Reductions Between Lattice Problems Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract

More information

Random Sampling for Short Lattice Vectors on Graphics Cards

Random Sampling for Short Lattice Vectors on Graphics Cards Random Sampling for Short Lattice Vectors on Graphics Cards Michael Schneider, Norman Göttert TU Darmstadt, Germany mischnei@cdc.informatik.tu-darmstadt.de CHES 2011, Nara September 2011 Michael Schneider

More information

Improved Analysis of Kannan s Shortest Lattice Vector Algorithm

Improved Analysis of Kannan s Shortest Lattice Vector Algorithm mproved Analysis of Kannan s Shortest Lattice Vector Algorithm Abstract The security of lattice-based cryptosystems such as NTRU GGH and Ajtai-Dwork essentially relies upon the intractability of computing

More information

Isodual Reduction of Lattices

Isodual Reduction of Lattices Isodual Reduction of Lattices Nicholas A. Howgrave-Graham nhowgravegraham@ntru.com NTRU Cryptosystems Inc., USA Abstract We define a new notion of a reduced lattice, based on a quantity introduced in the

More information

Réduction de réseau et cryptologie.

Réduction de réseau et cryptologie. Réduction de réseau et cryptologie Séminaire CCA Nicolas Gama Ensicaen 8 janvier 2010 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier 2010 1 / 54 Outline 1 Example of lattice problems

More information

Lattice Basis Reduction Part 1: Concepts

Lattice Basis Reduction Part 1: Concepts Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25, 2011, revised February 2012

More information

The Shortest Vector Problem (Lattice Reduction Algorithms)

The Shortest Vector Problem (Lattice Reduction Algorithms) The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm

More information

Creating a Challenge for Ideal Lattices

Creating a Challenge for Ideal Lattices Creating a Challenge for Ideal Lattices Thomas Plantard 1 and Michael Schneider 2 1 University of Wollongong, Australia thomaspl@uow.edu.au 2 Technische Universität Darmstadt, Germany mischnei@cdc.informatik.tu-darmstadt.de

More information

Algorithmic Geometry of Numbers: LLL and BKZ

Algorithmic Geometry of Numbers: LLL and BKZ Algorithmic Geometry of Numbers: LLL and BKZ Léo Ducas CWI, Amsterdam, The Netherlands HEAT Summer-School on FHE and MLM Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 1 / 28 A gift from Johannes

More information

Classical hardness of Learning with Errors

Classical hardness of Learning with Errors Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our

More information

A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming

A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming Bala Krishnamoorthy William Webb Nathan Moyer Washington State University ISMP 2006 August 2, 2006 Public Key

More information

Looking back at lattice-based cryptanalysis

Looking back at lattice-based cryptanalysis September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis

More information

On the smallest ratio problem of lattice bases

On the smallest ratio problem of lattice bases On the smallest ratio problem of lattice bases Jianwei Li KLMM, Academy of Mathematics and Systems Science, The Chinese Academy of Sciences, Beijing 0090, China lijianwei05@amss.ac.cn Abstract Let (b,...,

More information

DIMACS Workshop on Parallelism: A 2020 Vision Lattice Basis Reduction and Multi-Core

DIMACS Workshop on Parallelism: A 2020 Vision Lattice Basis Reduction and Multi-Core DIMACS Workshop on Parallelism: A 2020 Vision Lattice Basis Reduction and Multi-Core Werner Backes and Susanne Wetzel Stevens Institute of Technology 29th March 2011 Work supported through NSF Grant DUE

More information

Orthogonalized Lattice Enumeration for Solving SVP

Orthogonalized Lattice Enumeration for Solving SVP Orthogonalized Lattice Enumeration for Solving SVP Zhongxiang Zheng 1, Xiaoyun Wang 2, Guangwu Xu 3, Yang Yu 1 1 Department of Computer Science and Technology,Tsinghua University, Beijing 100084, China,

More information

Extended Lattice Reduction Experiments using the BKZ Algorithm

Extended Lattice Reduction Experiments using the BKZ Algorithm Extended Lattice Reduction Experiments using the BKZ Algorithm Michael Schneider Johannes Buchmann Technische Universität Darmstadt {mischnei,buchmann}@cdc.informatik.tu-darmstadt.de Abstract: We present

More information

Reduction of Smith Normal Form Transformation Matrices

Reduction of Smith Normal Form Transformation Matrices Reduction of Smith Normal Form Transformation Matrices G. Jäger, Kiel Abstract Smith normal form computations are important in group theory, module theory and number theory. We consider the transformation

More information

Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis

Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis IMACC 2017 December 12 14, 2017 Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis Taechan Kim and Changmin Lee NTT Secure Platform Laboratories, Japan and Seoul National University,

More information

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Practical Analysis of Key Recovery Attack against Search-LWE Problem Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate

More information

Implicit Factoring with Shared Most Significant and Middle Bits

Implicit Factoring with Shared Most Significant and Middle Bits Implicit Factoring with Shared Most Significant and Middle Bits Jean-Charles Faugère, Raphaël Marinier, and Guénaël Renault UPMC, Université Paris 06, LIP6 INRIA, Centre Paris-Rocquencourt, SALSA Project-team

More information

Finding shortest lattice vectors faster using quantum search

Finding shortest lattice vectors faster using quantum search Des. Codes Cryptogr. (2015) 77:375 400 DOI 10.1007/s10623-015-0067-5 Finding shortest lattice vectors faster using quantum search Thijs Laarhoven 1 Michele Mosca 2,3,4 Joop van de Pol 5 Received: 15 October

More information

1 Shortest Vector Problem

1 Shortest Vector Problem Lattices in Cryptography University of Michigan, Fall 25 Lecture 2 SVP, Gram-Schmidt, LLL Instructor: Chris Peikert Scribe: Hank Carter Shortest Vector Problem Last time we defined the minimum distance

More information

A Linearithmic Time Algorithm for a Shortest Vector Problem in Compute-and-Forward Design

A Linearithmic Time Algorithm for a Shortest Vector Problem in Compute-and-Forward Design A Linearithmic Time Algorithm for a Shortest Vector Problem in Compute-and-Forward Design Jing Wen and Xiao-Wen Chang ENS de Lyon, LIP, CNRS, ENS de Lyon, Inria, UCBL), Lyon 69007, France, Email: jwen@math.mcll.ca

More information

HKZ and Minkowski Reduction Algorithms for Lattice-Reduction-Aided MIMO Detection

HKZ and Minkowski Reduction Algorithms for Lattice-Reduction-Aided MIMO Detection IEEE TRANSACTIONS ON SIGNAL PROCESSING, VOL. 60, NO. 11, NOVEMBER 2012 5963 HKZ and Minkowski Reduction Algorithms for Lattice-Reduction-Aided MIMO Detection Wen Zhang, Sanzheng Qiao, and Yimin Wei Abstract

More information

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology. Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b

More information

Lattice Basis Reduction in Infinity Norm

Lattice Basis Reduction in Infinity Norm Technische Universität Darmstadt Department of Computer Science Cryptography and Computeralgebra Bachelor Thesis Lattice Basis Reduction in Infinity Norm Vanya Sashova Ivanova Technische Universität Darmstadt

More information

Estimation of the Success Probability of Random Sampling by the Gram-Charlier Approximation

Estimation of the Success Probability of Random Sampling by the Gram-Charlier Approximation Estimation of the Success Probability of Random Sampling by the Gram-Charlier Approximation Yoshitatsu Matsuda 1, Tadanori Teruya, and Kenji Kashiwabara 1 1 Department of General Systems Studies, Graduate

More information

M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD

M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD Ha Tran, Dung H. Duong, Khuong A. Nguyen. SEAMS summer school 2015 HCM University of Science 1 / 31 1 The LLL algorithm History Applications of

More information

Classical hardness of Learning with Errors

Classical hardness of Learning with Errors Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our

More information

Classical hardness of the Learning with Errors problem

Classical hardness of the Learning with Errors problem Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness

More information

Solving BDD by Enumeration: An Update

Solving BDD by Enumeration: An Update Solving BDD by Enumeration: An Update Mingjie Liu, Phong Q. Nguyen To cite this version: Mingjie Liu, Phong Q. Nguyen. Solving BDD by Enumeration: An Update. Ed Dawson. CT-RSA 2013 - The Cryptographers

More information

Low-Density Attack Revisited

Low-Density Attack Revisited Low-Density Attack Revisited Tetsuya Izu Jun Kogure Takeshi Koshiba Takeshi Shimoyama Secure Comuting Laboratory, FUJITSU LABORATORIES Ltd., 4-1-1, Kamikodanaka, Nakahara-ku, Kawasaki 211-8588, Japan.

More information

9 Knapsack Cryptography

9 Knapsack Cryptography 9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and

More information

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic

More information

A Lattice Basis Reduction Algorithm

A Lattice Basis Reduction Algorithm A Lattice Basis Reduction Algorithm Franklin T. Luk Department of Mathematics, Hong Kong Baptist University Kowloon Tong, Hong Kong Sanzheng Qiao Department of Computing and Software, McMaster University

More information

Faster Fully Homomorphic Encryption

Faster Fully Homomorphic Encryption Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010

More information

Floating-Point LLL: Theoretical and Practical Aspects

Floating-Point LLL: Theoretical and Practical Aspects Chapter 1 Floating-Point LLL: Theoretical and Practical Aspects Damien Stehlé Abstract The text-book LLL algorithm can be sped up considerably by replacing the underlying rational arithmetic used for the

More information

Tuple Lattice Sieving

Tuple Lattice Sieving Tuple Lattice Sieving Shi Bai, Thijs Laarhoven and Damien Stehlé IBM Research Zurich and ENS de Lyon August 29th 2016 S. Bai, T. Laarhoven & D. Stehlé Tuple Lattice Sieving 29/08/2016 1/25 Main result

More information

Block Korkin{Zolotarev Bases. and Successive Minima. C.P. Schnorr TR September Abstract

Block Korkin{Zolotarev Bases. and Successive Minima. C.P. Schnorr TR September Abstract Block Korkin{Zolotarev Bases and Successive Minima P Schnorr TR-9-0 September 99 Abstract A lattice basis b ; : : : ; b m is called block Korkin{Zolotarev with block size if for every consecutive vectors

More information

REDUCTION ALGORITHMS FOR THE CRYPTANALYSIS OF LATTICE BASED ASYMMETRICAL CRYPTOSYSTEMS

REDUCTION ALGORITHMS FOR THE CRYPTANALYSIS OF LATTICE BASED ASYMMETRICAL CRYPTOSYSTEMS REDUCTION ALGORITHMS FOR THE CRYPTANALYSIS OF LATTICE BASED ASYMMETRICAL CRYPTOSYSTEMS A Thesis Submitted to the Graduate School of Engineering and Sciences of İzmir Institute of Technology in Partial

More information

Lattice Basis Reduction and the LLL Algorithm

Lattice Basis Reduction and the LLL Algorithm Lattice Basis Reduction and the LLL Algorithm Curtis Bright May 21, 2009 1 2 Point Lattices A point lattice is a discrete additive subgroup of R n. A basis for a lattice L R n is a set of linearly independent

More information

Sieving for Shortest Vectors in Ideal Lattices

Sieving for Shortest Vectors in Ideal Lattices Sieving for Shortest Vectors in Ideal Lattices Michael Schneider Technische Universität Darmstadt, Germany mischnei@cdc.informatik.tu-darmstadt.de Abstract. Lattice based cryptography is gaining more and

More information

Rankin s Constant and Blockwise Lattice Reduction

Rankin s Constant and Blockwise Lattice Reduction Ranin s Constant and Blocwise Lattice Reduction Nicolas Gama 1, Nic Howgrave-Graham, Henri Koy 3, and Phong Q. Nguyen 4 1 École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr

More information

Shortest Vector from Lattice Sieving: a Few Dimensions for Free

Shortest Vector from Lattice Sieving: a Few Dimensions for Free Shortest Vector from Lattice Sieving: a Few Dimensions for Free Léo Ducas Cryptology Group, CWI, Amsterdam, The Netherlands Abstract. Asymptotically, the best known algorithms for solving the Shortest

More information

BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS

BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS KONSTANTINOS A. DRAZIOTIS Abstract. We use lattice based methods in order to get an integer solution of the linear equation a x + +a nx n = a 0, which satisfies

More information

Improved Nguyen-Vidick Heuristic Sieve Algorithm for Shortest Vector Problem

Improved Nguyen-Vidick Heuristic Sieve Algorithm for Shortest Vector Problem Improved Nguyen-Vidick Heuristic Sieve Algorithm for Shortest Vector Problem Xiaoyun Wang,, Mingjie Liu, Chengliang Tian and Jingguo Bi Institute for Advanced Study, Tsinghua University, Beijing 84, China

More information

c 2009 Society for Industrial and Applied Mathematics AND DAMIEN STEHLÉ

c 2009 Society for Industrial and Applied Mathematics AND DAMIEN STEHLÉ SIAM J. COMPUT. Vol. 39, No. 3, pp. 874 903 c 009 Society for Industrial and Applied Mathematics AN LLL ALGORITHM WITH QUADRATIC COMPLEXITY PHONG Q. NGUYEN AND DAMIEN STEHLÉ Abstract. The Lenstra Lenstra

More information

Attacks on LWE. Martin R. Albrecht Oxford Lattice School

Attacks on LWE. Martin R. Albrecht Oxford Lattice School Attacks on LWE Martin R. Albrecht Oxford Lattice School Outline BKZ Refresher LWE Dual Lattice Attack Primal Lattice Attack (usvp Version) BKZ Refresher BKZ Input basis is LLL reduced, the first block

More information

Solving LWE with BKW

Solving LWE with BKW Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March

More information

Progress on LLL and Lattice Reduction

Progress on LLL and Lattice Reduction Progress on LLL and Lattice Reduction Claus Peter Schnorr Abstract We surview variants and extensions of the LLL-algorithm of Lenstra, Lenstra Lovász, extensions to quadratic indefinite forms and to faster

More information

arxiv: v1 [cs.cr] 25 Jan 2013

arxiv: v1 [cs.cr] 25 Jan 2013 Solving the Shortest Vector Problem in Lattices Faster Using Quantum Search Thijs Laarhoven 1, Michele Mosca 2, and Joop van de Pol 3 arxiv:1301.6176v1 [cs.cr] 25 Jan 2013 1 Dept. of Mathematics and Computer

More information

arxiv: v1 [cs.ds] 2 Nov 2013

arxiv: v1 [cs.ds] 2 Nov 2013 On the Lattice Isomorphism Problem Ishay Haviv Oded Regev arxiv:1311.0366v1 [cs.ds] 2 Nov 2013 Abstract We study the Lattice Isomorphism Problem (LIP), in which given two lattices L 1 and L 2 the goal

More information

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr

More information

PAPER On the Hardness of Subset Sum Problem from Different Intervals

PAPER On the Hardness of Subset Sum Problem from Different Intervals IEICE TRANS FUNDAMENTALS, VOLE95 A, NO5 MAY 202 903 PAPER On the Hardness of Subset Sum Problem from Different Intervals Jun KOGURE a), Noboru KUNIHIRO, Members, and Hirosuke YAMAMOTO, Fellow SUMMARY The

More information

New Practical Algorithms for the Approximate Shortest Lattice Vector

New Practical Algorithms for the Approximate Shortest Lattice Vector New Practical Algorithms for the Approximate Shortest Lattice Vector Claus Peter Schnorr Fachbereiche Mathemati/Informati, Universität Franfurt, PSF 493, D-60054 Franfurt am Main, Germany. schnorr@cs.uni-franfurt.de

More information

47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010

47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010 47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture Date: 03/18/010 We saw in the previous lecture that a lattice Λ can have many bases. In fact, if Λ is a lattice of a subspace L with

More information

Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012

Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012 Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012 Manh Ha Nguyen Tokyo Institute of Technology Toshiyuki Isshiki 1,2 and Keisuke Tanaka 2 1 NEC Corporation 2 Tokyo Institute of

More information

Estimation of the Hardness of the Learning with Errors Problem with a Given Number of Samples

Estimation of the Hardness of the Learning with Errors Problem with a Given Number of Samples Estimation of the Hardness of the Learning with Errors Problem with a Given Number of Samples Abschätzung der Schwierigkeit des Learning with Errors Problem mit gegebener fester Anzahl von Samples Master-Thesis

More information

COS 598D - Lattices. scribe: Srdjan Krstic

COS 598D - Lattices. scribe: Srdjan Krstic COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific

More information

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &

More information

Background: Lattices and the Learning-with-Errors problem

Background: Lattices and the Learning-with-Errors problem Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b

More information

Lecture 5: CVP and Babai s Algorithm

Lecture 5: CVP and Babai s Algorithm NYU, Fall 2016 Lattices Mini Course Lecture 5: CVP and Babai s Algorithm Lecturer: Noah Stephens-Davidowitz 51 The Closest Vector Problem 511 Inhomogeneous linear equations Recall that, in our first lecture,

More information

On the concrete hardness of Learning with Errors

On the concrete hardness of Learning with Errors On the concrete hardness of Learning with Errors Martin R. Albrecht 1, Rachel Player 1, and Sam Scott 1 Information Security Group, Royal Holloway, University of London Abstract. The Learning with Errors

More information

Tensor-based Trapdoors for CVP and their Application to Public Key Cryptography

Tensor-based Trapdoors for CVP and their Application to Public Key Cryptography Tensor-based Trapdoors for CVP and their Application to Public Key Cryptography (Extended Version) Roger Fischlin and Jean-Pierre Seifert Fachbereich Mathematik (AG 7.2) Johann Wolfgang Goethe-Universität

More information

Solving NTRU Challenges Using the New Progressive BKZ Library

Solving NTRU Challenges Using the New Progressive BKZ Library Solving NTRU Challenges Using the New Progressive BKZ Library Erik Mårtensson Department of Electrical and Information Technology Lund University Advisors: Professor Thomas Johansson and Qian Guo 2016-08-24

More information

Tuple Lattice Sieving

Tuple Lattice Sieving Tuple Lattice Sieving Shi Bai 1, Thijs Laarhoven 2, and Damien Stehlé 1 1 ENS de Lyon, Laboratoire LIP, U. Lyon, CNRS, ENSL, INRIA, UCBL, Lyon, France shi.bai@ens-lyon.fr, damien.stehle@ens-lyon.fr 2 IBM

More information

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.

More information

Post-Quantum Cryptography

Post-Quantum Cryptography Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike

More information

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Practical Analysis of Key Recovery Attack against Search-LWE Problem Practical Analysis of Key Recovery Attack against Search-LWE Problem IMI Cryptography Seminar 28 th June, 2016 Speaker* : Momonari Kuo Grauate School of Mathematics, Kyushu University * This work is a

More information

On the Asymptotic Complexity of Solving LWE

On the Asymptotic Complexity of Solving LWE On the Asymptotic Complexity of Solving LWE Gottfried Herold, Elena Kirshanova, and Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr University Bochum, Germany elena.kirshanova@rub.de

More information

Lattice-based Cryptography

Lattice-based Cryptography Lattice-based Cryptography Oded Regev Tel Aviv University, Israel Abstract. We describe some of the recent progress on lattice-based cryptography, starting from the seminal work of Ajtai, and ending with

More information

A Note on the Density of the Multiple Subset Sum Problems

A Note on the Density of the Multiple Subset Sum Problems A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,

More information

Solving All Lattice Problems in Deterministic Single Exponential Time

Solving All Lattice Problems in Deterministic Single Exponential Time Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory

More information

Diophantine equations via weighted LLL algorithm

Diophantine equations via weighted LLL algorithm Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory

More information

Worst case complexity of the optimal LLL algorithm

Worst case complexity of the optimal LLL algorithm Worst case complexity of the optimal LLL algorithm ALI AKHAVI GREYC - Université de Caen, F-14032 Caen Cedex, France aliakhavi@infounicaenfr Abstract In this paper, we consider the open problem of the

More information

Cryptanalysis of two knapsack public-key cryptosystems

Cryptanalysis of two knapsack public-key cryptosystems Cryptanalysis of two knapsack public-key cryptosystems Jingguo Bi 1, Xianmeng Meng 2, and Lidong Han 1 {jguobi,hanlidong}@sdu.edu.cn mengxm@sdfi.edu.cn 1 Key Laboratory of Cryptologic Technology and Information

More information

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

GGHLite: More Efficient Multilinear Maps from Ideal Lattices GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease

More information

A Lattice-Based Public-Key Cryptosystem

A Lattice-Based Public-Key Cryptosystem A Lattice-Based Public-Key Cryptosystem Jin-Yi Cai and Thomas W. Cusick 1 Department of Computer Science State University of New York at Buffalo, Buffalo, NY 1460 cai@cs.buffalo.edu Department of Mathematics

More information

COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective

COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective Daniele Micciancio

More information

Basis Reduction, and the Complexity of Branch-and-Bound

Basis Reduction, and the Complexity of Branch-and-Bound Basis Reduction, and the Complexity of Branch-and-Bound Gábor Pataki and Mustafa Tural Department of Statistics and Operations Research, UNC Chapel Hill Abstract The classical branch-and-bound algorithm

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback