Réduction de réseau et cryptologie.
|
|
- Loren Young
- 5 years ago
- Views:
Transcription
1 Réduction de réseau et cryptologie Séminaire CCA Nicolas Gama Ensicaen 8 janvier 2010 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
2 Outline 1 Example of lattice problems and lattice-based cryptosystems 2 Lattice reduction and LLL algorithm 3 Application to fundamental problems of arithmetic Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
3 Lattice problems Why using lattice-based crypto Simple description, look almost linear Very Dicult to solve (NP-Hard, Worst case to average case red) No quantum algorithm known Cryptanalysis Many problems can be eciently reduced to lattices problems Lattice attacks: RSA, Knapsacks Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
4 NTRU Cryptosystem Created in 1998 Allow both encryption and digital signature Since 10 years of active research, the underlying problem has not (yet) been broken Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
5 NTRU Problem toy parameters - demo 3D q = 11 N = 7 dr = 2 lowest sec parameters (1998) q = 64 N = 167 dr = 20 keys public: H = 8 + 8X + X 2 + 9X 3 + X 4 + 6X 5 mod (X 7 1) mod 11 private: f small such that f H = g is small Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
6 NTRU Problem toy parameters - demo 3D q = 11 N = 7 dr = 2 lowest sec parameters (1998) q = 64 N = 167 dr = 20 keys public: H = 8 + 8X + X 2 + 9X 3 + X 4 + 6X 5 mod (X 7 1) mod 11 private: f small such that f H = g is small f = 1 + X 2 + X 6 X 4 X 5 mod (X 7 1) mod 11 g = 1 + X 4 + X 5 mod (X 7 1) mod 11 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
7 NTRU Problem toy parameters - demo 3D q = 11 N = 7 dr = 2 lowest sec parameters (2009) q = 1024 N = 400 dr = 43 keys public: H = 8 + 8X + X 2 + 9X 3 + X 4 + 6X 5 mod (X 7 1) mod 11 private: f small such that f H = g is small f = 1 + X 2 + X 6 X 4 X 5 mod (X 7 1) mod 11 g = 1 + X 4 + X 5 mod (X 7 1) mod 11 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
8 Lattice representation - public Public basis: q q q 0 0 h 0 h 1 h N h N h 0 h N h 1 h N h Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
9 Lattice representation - public Public basis:??? f 0 f 1 f N q q q 0 0 h 0 h 1 h N h N h 0 h N h 1 h N h Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
10 Lattice representation - private Private basis: g 0 g 1 g N f 0 f 1 f N???????????????????????????????????????????????????????? Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
11 Lattice representation - private Private basis: g 0 g 1 g N f 0 f 1 f N g N g 0 g N 1 f N f 0 f N 1 g 1 g N g 0 f 1 f N f 0???????????????????????????????? Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
12 Lattice representation - private Private basis: g 0 g 1 g N f 0 f 1 f N g N g 0 g N 1 f N f 0 f N 1 g 1 g N g 0 f 1 f N f 0 G 0 G 1 G N F 0 F 1 F N G N G 0 G N 1 F N F 0 F N 1 G 1 G N G 0 F 1 F N F 0 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
13 Is the NTRU problem hard? Question of the century Is the NTRU problem truely hard Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
14 NP-Hardness Subset Sum Problem given a rectangular matrix n m, nd two subsets of columns whose sum are equal (in Z or mod q) Find a vector in its kernel with coecients in { 1, 0, 1} Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
15 NP-Hardness Subset Sum Problem given a rectangular matrix n m, nd two subsets of columns whose sum are equal (in Z or mod q) Find a vector in its kernel with coecients in { 1, 0, 1} Hardness results NP-Hard (even with one row, xor small integers) Hard in average Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
16 Matrix representation (Row) Basis B = q q 0 0 h 1,1 h 1,n h 2,1 h 2,n h m,1 h m,n Search v = [ 1, 0, 1, 1, 0,, 1, 0] L(B)? Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
17 Lattice problems Part 1 Hard lattice problems Theory of Lattice reduction Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
18 Lattice 0 Denitions Lattice Basis Dimension Volume (vol(l)) Minima (λ i (L)) Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
19 SVP/CVP SVP: Given a lattice basis B, nd the shortest non-zero vector of L(B) CVP: Given a lattice basis B M n,m (Z) and a target vector v R m, nd the lattice vector of L(B) closest to v v 0 0 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
20 SVP/CVP SVP: Given a lattice basis B, nd the shortest non-zero vector of L(B) CVP: Given a lattice basis B M n,m (Z) and a target vector v R m, nd the lattice vector of L(B) closest to v v 0 0 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
21 Approximation problems Hardness of exact problems Some problems cannot be solved exactly (SVP? CVP?) Approximations Problems Approx-SVP nd v L shorter than α λ 1 (L) Hermite-SVP nd v L shorter than α vol(l) 1/n Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
22 Some complexity results Exact 1/ log log(n) n n Approx of SVP anything when n < n n log(n) exp(o(n/ log(n))) Worst-case Avg case N P co-n P N P Hard P Practical Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
23 Solving SVP: Mathematics Minkowski's theorem and Hermite's constant Lattice invariants Any lattice can be viewed as a sphere packing (diameter λ 1 (L)) Each sphere is smaller than the lattice volume (vol(l)) Minkowski's theorem λ 1 (L) 2 Γ( n/2+1) 1/n π vol(l) 1/n Hermite Constant: γn 2 Γ( n/2+1) 1/n π Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
24 Solving SVP: exhaustive search Principle: enumerate every lattice vector whose norm is γ n n det(b) return the shortest of them Why does it work: The intersection of a compact set and a lattice is nite let d i = distance(b i, vect(b\b i )) > 0 Then n j=1 u j b j ui d i Finite number of choices for each u i Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
25 Exhaustive search algorithm Require: A basis B = [b 1,, b n ] Ensure: A shortest vector v of L(B) 1: v b 1 2: for u n = u min n to u max n do 3: for u n 1 = u min n 1 4: [] 5: for u 1 = u min to umax n 1 do 6: 1 to u max 1 do v shortest(v, n j=1 u jb j ) 7: end for 8: [] 9: end for 10: end for 11: return v n nested for loops hope that the number of candidates is 0 or 1 2 exponential Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
26 Lattice basis reduction Goal Method shortest vectors possible most orthogonal elementary operations swap: B i B i+1 transvections: B i B i + αb j where j < i Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
27 Lagrange's algorithm (1773, dim=2) b 2 (Sw) b 1 Output Hermite factor ( b1 vol(l) 1/2 ) 2 4/3 b 1 b 2 b 1 (Tr) b 1 b 2 b 2 Mathematic analogue γ 2 4/3 Connection lattice reduction algorithm bound on Hermite Constant ( )? Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
28 Lagrange's algorithm (1773, dim=2) b 2 Output Hermite factor ( b1 vol(l) 1/2 ) 2 4/3 Mathematic analogue b 1 γ 2 4/3 Connection lattice reduction algorithm bound on Hermite Constant ( )? Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
29 Higher dimension Orthogonalization Triangular isometric representation Gram Schmidt b 2 b 1 = b 1 b 3 b 2 b 3 Givens, HouseHolder QR (LQ) decomposition B b 1 0 0? b 2?? 0 Q??? b n Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
30 Reduction criterion: slope of the GSL 1e+06 pas reduit B b 1 0 0? b 2?? 0??? b n e-06 1e-08 1e Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
31 Reduction criterion: slope of the GSL B b 1 0 0? b 2?? 0??? b n 1e e-06 pas reduit LLL reduit Ultra reduit 1e-08 1e Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
32 LLL: a divide and conquer algorithm B [1,2] Divide the basis (and conquer) n 1 blocks of dim 2 B [2,3] B [3,4] Quality improve locally each 2 dim-blocks The global basis will be reduced B triang B [n 1,n] Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
33 LLL: a divide and conquer algorithm Complexity 1 Potential: n 1 i=1 vol(b [1,i]) 2 N 2 Can only decrease 3 Allow a factor 1 + ε of imperfection B [1,2] B [2,3] B [3,4] Decreases geometrically! (LLL82) B triang B [n 1,n] Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
34 Quality of LLL Algorithmic meets mathematics Hermite inequality γ n γ n 1 2 Maths Hermite s Inequality 1847 Hermite factor ( b1 vol(l) 1/n ) 2 (γ2 (1 + ε)) n 1 Algo LLL 1982 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
35 Quality of LLL Algorithmic meets mathematics Hermite inequality γ n γ n 1 2 Maths Hermite s Inequality 1847 Hermite factor ( b1 vol(l) 1/n ) 2 (γ2 (1 + ε)) n 1 Algo LLL 1982 Tight Worst case bases: echelon bases Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
36 Practical quality Theory: The Quality factors of LLL are exponential in the dimension ex: HF = γ 2 n n LLL reduit Worst case LLL 001 Practice They are indeed exponential But much smaller: HF 1022 n 1e Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
37 Practical quality Theory: The Quality factors of LLL are exponential in the dimension ex: HF = γ 2 n n Practice 1 They are indeed exponential But much smaller: HF 1022 n 025 Hermite Factor LLL bound dimension Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
38 Towards a practical SVP oracle Theory: LLL solves SVP in dim 2 only Practice: in average, LLL solves SVP up to dim 30 with 30% success success rate 100 LLL dimension Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
39 Consequences of LLL the exhaustive search algorithm LLL time: seconds Reducing the basis helps the exhaustive search algorithm blocksize Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
40 Consequences of LLL the exhaustive search algorithm time: seconds LLL BKZ 20 BKZ 25 DEEP 40 Reducing the basis helps the exhaustive search algorithm Exhaustive search algorithm helps reducing the basis blocksize Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
41 Oracle based algorithms SVP Oracle dim=k Polynomial Quality Reduction Algorithm Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
42 Possible bloc extensions of LLL the mathematics point of view Maths Hermite s Inequality Mordell s inequality Algo LLL 1982 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
43 Possible bloc extensions of LLL the mathematics point of view Hermite's inequality: Mordell's inequality: γ n γ n 1 2 γ n γ (n 1)/(k 1) k Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
44 Blockwise reduction Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
45 Blockwise reduction Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
46 Blockwise reduction Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
47 Blockwise reduction Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
48 Blockwise reduction Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
49 Primal HKZ reduction Goal: HKZ reduction is not regular GSL looks concave beginning more reduced than the end dierences of geometry between blocks Make the reduction uniform (GSL) log( b i ) 1 k 2k Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
50 Reverse Duality (GSL) log( b i ) Duality B (BB t ) t B GSO T??? 1 k 2k Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
51 Reverse Duality (GSL) log( b i ) Duality R n = B R n (BB t ) t B GSO T R n T t R n 1 k 2k Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
52 Reverse Duality (GSL) log( b i ) Duality R n = B R n (BB t ) t B GSO T R n T t R n 1 k 2k Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
53 Reverse Duality (GSL) log( b i ) Duality R n = B R n (BB t ) t B GSO T R n T t R n 1 k 2k Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
54 Blockwise reduction Building Blocks 1 size-reduction 2 l-svp-reduction, 2 l k 3 l-dsvp-reduction, 2 l k Z LLL reduction Z HKZ reduction Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
55 Example: BKZ-2 B [1,2] B [2,3] Example: BKZ-2 i [1; n 1], B [i,i+1] is 2-reduced B [3,4] B triang B [n 1,n] Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
56 Example: BKZ-k Example: BKZ-k i [2; k], B [n i+1,n] is i-dsvp-reduced i [k; n k], B [i,i+k 1] is k-dsvp-reduced BKZ Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
57 Example: dual-bkz-k Example: dual-bkz-k i [2; k 1], B [1,i] is i-dsvp-reduced i [k; n], B [i k+1,i] is k-dsvp-reduced dual BKZ Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
58 Example: Slide-k Example: slide-k p [0; n/k 1] i [2; k], B [pk+1,pk+i] is i-svp-reduced p [0; n/k 2], B [pk+2,pk+k+1] is k-dsvp-reduced Slide Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
59 Lattice reduction: summary Approximations of SVP ( n): seems very dicult (NP-hard?) only exponential algorithms known Θ( n): estimated security level of NTRU > n: at most NP co NP GSO/GSL slope is enough γ (n 1)/(k 1) k : Achieved by k-blockwize algorithms (Slide) underexp if k log(n) reasonable time if k n : Achieveable in practice (LLL) 101 n : Achieveable in practice (Blockwise algos) Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
60 Part 2 part 2 Application of lattice reduction to arithmetic problems Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
61 Application of lattice reduction to arithmetic problems Solving modular polynomials: Small integer roots of univariate polynomials modulo N (Coppersmith, 1997) Small integer roots of univariate polynomials modulo a divisor of N (Boneh Durfee, 1999) Small integer roots of multivariate polynomials modulo a divisor of N (May, 2008) Small rational roots of polynomials modulo a divisor of N (now) Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
62 Idea Problem: Find u v = c mod q with N = p qr with u U and v V log(q) and log(p) are known Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
63 Method Let P (X, Y ) = X cy Z[X, Y ] P (u, v) = u cv Z = 0 mod q Consider the polynomials: Q k = N t k max(0, r ) P (X, Y ) k Y m k for k = 0m Properties: k [0, m], Q k (u, v) = 0 mod q t R Q 0 Z + Q 1 Z + Q 2 Z + + Q m Z R(u, v) = 0 mod q t Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
64 Lattice Mapping Basis of expression in R m+1 : Mapping B = ( Y m XY m 1 V,, m X2 Y m 2,, Xm UV m 1 U 2 V m 2 U ) m Polynomial R(X, Y ) = m k=0 α kx k Y m k vector v R = (α 0 U 0 V m, α 1 U 1 V m 1,, α m U m V 0 ) Norm: u U, v V, R(u, v) v R 2 m Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
65 The Lattice Group: Q 0 Z + Q 1 Z + Q 2 Z + + Q m Z Basis: 2 N max(0, r t ) V m l m N max(0, t 1 ) r UV m l m N max(0, t 2 ) r UV m N max(0, Volume: vol(l) N t2 2r (UV ) m2 2 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
66 Epilogue Find S(X, Y ) such that v s is small S(u,v) q t Optimizations: m ApproxF (N t 2 2rm q t )(UV ) m 2 choose m large enough choose t = mr log(q) log(n) Resolution constraint: ( ) 2 S(u,v) m q t We know: S(u, v) = 0 mod q t Then: S(u, v)=0 in Z < (1 + ε) AF 2 log qr m (q log N ) (UV ) <? 1 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
67 Example: factorize pq r Original Boneh Durfee: q = ??????????? 2 r ) log(n) write q = c + x with x < q log(q Solve the equation c + X = 0 mod q (for each guess of c) requires: r = O(log(p)) Randomized-integer Boneh-Durfee: Pick a random c mod N Try to solve q = c + x with x < q log(q r ) log(n) polynomial probabilistic complexity when r = O(log(p)/log(log(N))) Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
68 Example: factorize pq r Randomized-integer Boneh-Durfee: Pick a random c mod N Try to solve q = c + x with x < q log(q r ) log(n) polynomial probabilistic complexity when r = O(log(p)/log(log(N))) Randomized-rational Boneh-Durfee: Pick a random c mod N Try to solve q = c + u log(q v with uv < q log(n) polynomial probabilistic complexity when r = O(log(p)/log(log(N))) r ) Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
69 Example: Nice Cryptosystem Cryptanalyses: CaLa09, CJLJN09, N = pq 2 where p is a Schinzel sleeper One can compute in polynomial time: a quadratic form f(x, y) = ax 2 + bxy + cy 2 of discriminant b 2 4ac = N such that (u, v) Z 2 with uv N 1/6, f(u, v) = q 2 note: f(x, y) = a(x + b 2a y)2 N 4a = a(x + b 2a y)2 mod q 2 f(u, v) = 0 mod q 2 u v + b 2a = 0 mod q Attack rational Boneh-Durfee: uv <? q log(q 2 ) log(n) = N 2 9 OK, with m = 9, t = 6, even with LLL! Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
70 Example: NTRU The NTRU problem: H = 0 mod q (take N = q and r = 1) g f 1 ) log(n) rational Boneh-Durfee: fg < q log(q f, g, H are no integers! absolute value/ euclidean norm? lattice mapping and reduction? = q if we nd P (f, g) = 0, can we nd f, g? Do the current parameters pass the bounds? Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
71 absolute-value, euclidean norm representation: a circulant block p 0 p 1 p N p Z[X]/(X N p N p 0 p N 1 1) [p] = p 1 p N p 0 operations: +,,, / abs: we want f k = f k = take the spectral radius: max f(exp( 2ikπ n )) eucl norm: take the euclidean norm of the eigenvalues (equivalently the euclidean norm of the coecients) Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
72 Lattice mapping and reduction Build a block-circulant lattice: [ ] [q] 0 m = 2 [H] [1] (public basis) Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
73 Lattice mapping and reduction Build a block-circulant lattice: m = 3 [q 2 ] 0 0 [qh] [q] 0 [ H 2 ] [ 2H] [1] Warning Huge dimension! Cannot nd the SVP, only approximations! Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
74 P (f, g) = 0 = f, g? Recover f, g from P (f, g) = 0 1 one can approximate g(η)/f(η) with signicant digits 2 from there, one can retrieve the secret sub-lattice 3 This seems to be enough to break NTRU Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
75 example (3X 3 + 1) f 2 + (2X 4 3X + 1) fg + ( 3X X 32+7 ) g 2 = 0 mod (X 53 1) Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
76 example (3X 3 + 1) f 2 + (2X 4 3X + 1) fg + ( 3X X 32+7 ) g 2 = 0 mod (X 53 1) (3η 3 + 1) + (2η 4 3η + 1) (g/f)(η) + ( 3η η 32+7 ) (g/f)(η) 2 = 0 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
77 example (3η 3 + 1) + (2η 4 3η + 1) (g/f)(η) + ( 3η η 32+7 ) (g/f)(η) 2 = 0 (g/f)(η) = ν i Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
78 example (g/f)(η) = ν i R(ν) 10 9 I(ν) R(νη) 10 9 I(νη) R(νη p ) 10 9 I(νη p ) Reduce R(1) 10 9 I(1) R(η) 10 9 R(η) R(η p ) 10 9 R(η p ) Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
79 example 2 R(ν) 10 9 I(ν) R(νη) 10 9 I(νη) R(νη p ) 10 9 I(νη p ) Reduce R(1) 10 9 I(1) R(η) 10 9 R(η) R(η p ) 10 9 R(η p ) ˆ Search [ small small ] Deduce small small f 1 f 2 f p g 1 g 2 g p not so fast!! Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
80 example ˆ Search [ small small ] Deduce small small f 1 f 2 f p g 1 g 2 g p not soˆfast!! small small small small small small small small Search Deduce the secret half-lattice Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
81 example ˆ Search small small small small small small small small Deduce the secret half-lattice Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
82 Do the current NTRU parameters pass the bounds? overview: fg <? q: new parameters = yes! but: True bound: (1 + ε) ApproxFactor 2 m (q 1 f g ) <? 1 High dimension, ApproxFactor not negligible! Approx-Factor 101 dim : doesn't work Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
83 Do the current NTRU parameters pass the bounds? overview: fg <? q: new parameters = yes! but: True bound: (1 + ε) ApproxFactor 2 m (q 1 f g ) <? 1 High dimension, ApproxFactor not negligible! Approx-Factor 101 dim : doesn't work must be at most subexponential: polynomial? Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
84 Do the current NTRU parameters pass the bounds? overview: fg <? q: new parameters = yes! but: True bound: (1 + ε) ApproxFactor 2 m (q 1 f g ) <? 1 High dimension, ApproxFactor not negligible! Approx-Factor 101 dim : doesn't work must be at most subexponential: polynomial? And even with that, NTRU is not designed to be asymptoticly sure! Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
85 Summary Exact 1/ log log(n) n n Approx of SVP anything when n < n n log(n) exp(o(n/ log(n))) Worst-case Avg case N P co-n P N P Hard P Practical Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier / 54
Predicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationCryptanalysis via Lattice Techniques
Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationApplications of Lattice Reduction in Cryptography
Applications of Lattice Reduction in Cryptography Abderrahmane Nitaj University of Caen Basse Normandie, France Kuala Lumpur, Malaysia, June 27, 2014 AK Q ËAÓ Abderrahmane Nitaj (LMNO) Applications of
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationThe Shortest Vector Problem (Lattice Reduction Algorithms)
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More information2 cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]), which were early alternativ
Corrected version of Algorithmic Number Theory { Proceedings of ANTS-IV (July 3{7, 2000, Leiden, Netherlands) W. Bosma (Ed.), vol.???? of Lecture Notes in Computer Science, pages???{??? cspringer-verlag
More informationSolving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems
Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems Thijs Laarhoven Joop van de Pol Benne de Weger September 10, 2012 Abstract This paper is a tutorial introduction to the present
More informationApplications of Lattices in Telecommunications
Applications of Lattices in Telecommunications Dept of Electrical and Computer Systems Engineering Monash University amin.sakzad@monash.edu Oct. 2013 1 Sphere Decoder Algorithm Rotated Signal Constellations
More informationA NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT
A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT Abderrahmane Nitaj 1 and Mohamed Ould Douh 1,2 1 Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Basse Normandie, France Université
More informationM4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD
M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD Ha Tran, Dung H. Duong, Khuong A. Nguyen. SEAMS summer school 2015 HCM University of Science 1 / 31 1 The LLL algorithm History Applications of
More informationGauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1
Gauss Sieve on GPUs Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1 1 Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan {ilway25,kbj,doug}@crypto.tw 2
More informationAnalyzing Blockwise Lattice Algorithms using Dynamical Systems
Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol, Damien Stehlé ENS Lyon, LIP (CNRS ENSL INRIA UCBL - ULyon) Analyzing Blockwise Lattice Algorithms using Dynamical
More informationCSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary
More informationCOS 598D - Lattices. scribe: Srdjan Krstic
COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationCSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Winter 2016 The dual lattice Instructor: Daniele Micciancio UCSD CSE 1 Dual Lattice and Dual Basis Definition 1 The dual of a lattice Λ is the set ˆΛ of all
More informationOn estimating the lattice security of NTRU
On estimating the lattice security of NTRU Nick Howgrave-Graham, Jeff Hoffstein, Jill Pipher, William Whyte NTRU Cryptosystems Abstract. This report explicitly refutes the analysis behind a recent claim
More informationOn the smallest ratio problem of lattice bases
On the smallest ratio problem of lattice bases Jianwei Li KLMM, Academy of Mathematics and Systems Science, The Chinese Academy of Sciences, Beijing 0090, China lijianwei05@amss.ac.cn Abstract Let (b,...,
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationEnumeration. Phong Nguyễn
Enumeration Phong Nguyễn http://www.di.ens.fr/~pnguyen March 2017 References Joint work with: Yoshinori Aono, published at EUROCRYPT 2017: «Random Sampling Revisited: Lattice Enumeration with Discrete
More informationNew Partial Key Exposure Attacks on RSA Revisited
New Partial Key Exposure Attacks on RSA Revisited M. Jason Hinek School of Computer Science, University of Waterloo Waterloo, Ontario, N2L-3G, Canada mjhinek@alumni.uwaterloo.ca March 7, 2004 Abstract
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationCryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e
Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e P Anuradha Kameswari, L Jyotsna Department of Mathematics, Andhra University, Visakhapatnam - 5000, Andhra Pradesh, India
More informationHow to Generalize RSA Cryptanalyses
How to Generalize RSA Cryptanalyses Atsushi Takayasu and Noboru Kunihiro The University of Tokyo, Japan AIST, Japan {a-takayasu@it., kunihiro@}k.u-tokyo.ac.jp Abstract. Recently, the security of RSA variants
More informationand the polynomial-time Turing p reduction from approximate CVP to SVP given in [10], the present authors obtained a n=2-approximation algorithm that
Sampling short lattice vectors and the closest lattice vector problem Miklos Ajtai Ravi Kumar D. Sivakumar IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120. fajtai, ravi, sivag@almaden.ibm.com
More informationA Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming
A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming Bala Krishnamoorthy William Webb Nathan Moyer Washington State University ISMP 2006 August 2, 2006 Public Key
More informationone eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th
Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University
More informationLower Bounds of Shortest Vector Lengths in Random NTRU Lattices
Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices Jingguo Bi 1,2 and Qi Cheng 2 1 School of Mathematics Shandong University Jinan, 250100, P.R. China. Email: jguobi@mail.sdu.edu.cn 2 School
More informationLattice Reduction Algorithms: Theory and Practice
Lattice Reduction Algorithms: Theory and Practice Phong Q. Nguyen INRIA and ENS, Département d informatique, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/ Abstract. Lattice reduction
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationCryptanalysis of Unbalanced RSA with Small CRT-Exponent
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent Alexander May Department of Mathematics and Computer Science University of Paderborn 3310 Paderborn, Germany alexx@uni-paderborn.de Abstract. We
More informationA Digital Signature Scheme based on CVP
A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au
More informationLower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices
Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices Jingguo Bi 1 and Qi Cheng 2 1 Lab of Cryptographic Technology and Information Security School of Mathematics
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationFinding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem
Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem Shixiong Wang 1, Longjiang Qu 2,3, Chao Li 1,3, and Shaojing Fu 1,2 1 College of Computer,
More informationHOMEWORK 11 MATH 4753
HOMEWORK 11 MATH 4753 Recall that R = Z[x]/(x N 1) where N > 1. For p > 1 any modulus (not necessarily prime), R p = (Z/pZ)[x]/(x N 1). We do not assume p, q are prime below unless otherwise stated. Question
More informationCSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice
More informationInteger Factorization using lattices
Integer Factorization using lattices Antonio Vera INRIA Nancy/CARAMEL team/anr CADO/ANR LAREDA Workshop Lattice Algorithmics - CIRM - February 2010 Plan Introduction Plan Introduction Outline of the algorithm
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationIsodual Reduction of Lattices
Isodual Reduction of Lattices Nicholas A. Howgrave-Graham nhowgravegraham@ntru.com NTRU Cryptosystems Inc., USA Abstract We define a new notion of a reduced lattice, based on a quantity introduced in the
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationLattice Basis Reduction Part 1: Concepts
Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25, 2011, revised February 2012
More informationCentrum Wiskunde & Informatica, Amsterdam, The Netherlands
Logarithmic Lattices Léo Ducas Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Workshop: Computational Challenges in the Theory of Lattices ICERM, Brown University, Providence, RI, USA, April
More informationCOMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective
COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective Daniele Micciancio
More information47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010
47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture Date: 03/18/010 We saw in the previous lecture that a lattice Λ can have many bases. In fact, if Λ is a lattice of a subspace L with
More informationOn Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring Subhamoy Maitra and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More information1: Introduction to Lattices
CSE 206A: Lattice Algorithms and Applications Winter 2012 Instructor: Daniele Micciancio 1: Introduction to Lattices UCSD CSE Lattices are regular arrangements of points in Euclidean space. The simplest
More informationAn intro to lattices and learning with errors
A way to keep your secrets secret in a post-quantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys
More informationMathematics of Public Key Cryptography
Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of public-key cryptography Mathematics behind public-key cryptography algorithms What is Public-Key Cryptography?
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationfrom Lattice Reduction Problems MIT - Laboratory for Computer Science November 12, 1996 Abstract
Public-Key Cryptosystems from Lattice Reduction Problems Oded Goldreich Sha Goldwasser y Shai Halevi z MIT - Laboratory for Computer Science November 12, 1996 Abstract We present a new proposal for a trapdoor
More informationShortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)
Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic
More informationLattice Basis Reduction Part II: Algorithms
Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao November 8, 2011, revised February
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationDwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP
The unique-svp World 1. Ajtai-Dwork Dwork 97/07, Regev 03 PKE from worst-case usvp 2. Lyubashvsky-Micciancio Micciancio 09 Shai Halevi, IBM, July 2009 Relations between worst-case usvp,, BDD, GapSVP Many
More informationFactoring N = p 2 q. Abstract. 1 Introduction and Problem Overview. =±1 and therefore
Factoring N = p 2 Nathan Manohar Ben Fisch Abstract We discuss the problem of factoring N = p 2 and survey some approaches. We then present a specialized factoring algorithm that runs in time Õ( 0.1 ),
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationBALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS
BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS KONSTANTINOS A. DRAZIOTIS Abstract. We use lattice based methods in order to get an integer solution of the linear equation a x + +a nx n = a 0, which satisfies
More informationA Hybrid Method for Lattice Basis Reduction and. Applications
A Hybrid Method for Lattice Basis Reduction and Applications A HYBRID METHOD FOR LATTICE BASIS REDUCTION AND APPLICATIONS BY ZHAOFEI TIAN, M.Sc. A THESIS SUBMITTED TO THE DEPARTMENT OF COMPUTING AND SOFTWARE
More informationSymplectic Lattice Reduction and NTRU
Symplectic Lattice Reduction and NTRU Nicolas Gama 1, Nick Howgrave-Graham 2, and Phong Q. Nguyen 3 1 École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France Nicolas.Gama@ens.fr 2 NTRU Cryptosystems,
More informationLecture 5: CVP and Babai s Algorithm
NYU, Fall 2016 Lattices Mini Course Lecture 5: CVP and Babai s Algorithm Lecturer: Noah Stephens-Davidowitz 51 The Closest Vector Problem 511 Inhomogeneous linear equations Recall that, in our first lecture,
More informationRankin s Constant and Blockwise Lattice Reduction
Ranin s Constant and Blocwise Lattice Reduction Nicolas Gama 1, Nic Howgrave-Graham, Henri Koy 3, and Phong Q. Nguyen 4 1 École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr
More informationA Note on the Density of the Multiple Subset Sum Problems
A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,
More informationA Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073
A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073 Ellen Jochemsz 1 and Alexander May 2 1 Department of Mathematics and Computer Science, TU Eindhoven, 5600 MB Eindhoven, the
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationCourse MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography
Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationLattice Reduction for Modular Knapsack
Lattice Reduction for Modular Knapsack Thomas Plantard, Willy Susilo, and Zhenfei Zhang Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationCSC 2414 Lattices in Computer Science October 11, Lecture 5
CSC 244 Lattices in Computer Science October, 2 Lecture 5 Lecturer: Vinod Vaikuntanathan Scribe: Joel Oren In the last class, we studied methods for (approximately) solving the following two problems:
More informationCryptanalysis of the Revised NTRU Signature Scheme
Cryptanalysis of the Revised NTRU Signature Scheme Craig Gentry 1 and Mike Szydlo 2 1 DoCoMo USA Labs, San Jose, CA, USA cgentry@docomolabs-usa.com 2 RSA Laboratories, Bedford, MA, USA mszydlo@rsasecurity.com
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationBKZ 2.0: Better Lattice Security Estimates
BKZ 2.0: Better Lattice Security Estimates Yuanmi Chen and Phong Q. Nguyen 1 ENS, Dept. Informatique, 45 rue d Ulm, 75005 Paris, France. http://www.eleves.ens.fr/home/ychen/ 2 INRIA and ENS, Dept. Informatique,
More informationAdapting Density Attacks to Low-Weight Knapsacks
Adapting Density Attacks to Low-Weight Knapsacks Phong Q. Nguy ên 1 and Jacques Stern 2 1 CNRS & École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France. Phong.Nguyen@di.ens.fr http://www.di.ens.fr/
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationAlgorithms for ray class groups and Hilbert class fields
(Quantum) Algorithms for ray class groups and Hilbert class fields Sean Hallgren joint with Kirsten Eisentraeger Penn State 1 Quantum Algorithms Quantum algorithms for number theoretic problems: Factoring
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationPractical, Predictable Lattice Basis Reduction
Practical, Predictable Lattice Basis Reduction Daniele Micciancio UCSD daniele@eng.ucsd.edu Michael Walter UCSD miwalter@eng.ucsd.edu Abstract Lattice reduction algorithms are notoriously hard to predict,
More informationA new security notion for asymmetric encryption Draft #10
A new security notion for asymmetric encryption Draft #10 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationOded Regev Courant Institute, NYU
Fast er algorithm for the Shortest Vector Problem Oded Regev Courant Institute, NYU (joint with Aggarwal, Dadush, and Stephens-Davidowitz) A lattice is a set of points Lattices L={a 1 v 1 + +a n v n a
More information