Revisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters
P. Kirchner & P-A. Fouque, Université de Rennes 1, France
EUROCRYPT 2017

Plan
1. Background on NTRU and previous attacks
2. A new subring attack
3. Simplification and generalization
4. Prediction of our attacks
NTRUEncrypt
Key generation: $R = \mathbb{Z}[X]/(X^n + 1)$, modulus $q$, width $\sigma$. Sample $f \leftarrow D_{R,\sigma}$ (invertible mod $q$) and $g \leftarrow D_{R,\sigma}$. Publish $h = [g/f]_q$.
Encrypt $m \in \{0,1\}^n$: sample $s, e \leftarrow D_{R,\chi}$. Return $c = 2(hs + e) + m$.
Decrypt $c \in R_q$: compute $m' = fc = 2(gs + fe) + fm$, which holds over $R$ (not only mod $q$) as long as the right-hand side has coefficients below $q/2$. Return $m' \bmod 2 = fm \bmod 2$; this is $m$ itself when $f \equiv 1 \pmod 2$, and otherwise $m$ is recovered by multiplying with $f^{-1} \bmod 2$.
NTRU lattice $\Lambda_h^q$: recovering the secret key from the public key
$$A = \begin{pmatrix} qI_n & 0 \\ M_h & I_n \end{pmatrix}$$
The lattice $\Lambda_h^q$ generated by $A$ for an NTRU instance with parameters $R, q, \sigma$ has dimension $2n$ and volume $q^n$.
If $h$ were uniformly random, the Gaussian heuristic predicts that the shortest vectors of $\Lambda_h^q$ have norm $\sqrt{2n/(2\pi e)}\,\sqrt{q} \approx \sqrt{nq}$.
But $\|f\| \approx \|g\| \approx \sqrt{n}\,\sigma \ll \sqrt{nq}$: unusually short vectors, namely the $n$ rotations of $(f, g)$: $(x^i f, x^i g)$.
SS11: for $\sigma \geq \mathrm{poly}(n)\sqrt{q}$, $h$ is statistically indistinguishable from uniform, but NTRU chooses $f, g \in \{-1, 0, 1\}^n$!
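The key generation, encryption and decryption of the NTRUEncrypt slide and the membership of the rotations $(x^i f, x^i g)$ in $\Lambda_h^q$ from the lattice slide, as an added Python example (not code from the talk or from any NTRU implementation). Assumed for the example and not stated on the slides: a prime modulus $q \equiv 1 \pmod{2n}$, so that inverses mod $q$ can be computed as $f^{q-2}$; $f = 1 + 2f'$ with $f'$ ternary, so that $f \equiv 1 \pmod 2$ and decryption returns $m$ directly; and ternary $f', g, s, e$ in place of discrete Gaussians. The constants `N`, `Q` and all function names are the example's own.

```python
"""Toy NTRU over R = Z[X]/(X^n + 1) and the NTRU lattice of the slides.

Added example, not code from the talk or from any NTRU implementation.
Assumptions not made on the slides: q is a prime with q = 1 (mod 2n), so
X^n + 1 splits into n linear factors mod q, R_q is a product of n copies
of Z_q, and a unit f satisfies f^-1 = f^(q-2); f is taken as 1 + 2f' with
f' ternary, so f = 1 (mod 2) and decryption returns m directly; f', g, s, e
are ternary ({-1,0,1} coefficients) rather than discrete Gaussian samples.
"""
import math
import random

N = 16      # ring degree n
Q = 1153    # prime, 1153 = 1 + 36 * 32, hence Q = 1 (mod 2N)


def mul(a, b):
    """Negacyclic product a * b in Z[X]/(X^n + 1), no modular reduction."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if i + j < n:
                    c[i + j] += ai * bj
                else:
                    c[i + j - n] -= ai * bj      # X^n = -1
    return c


def mod_q(a, q=Q):
    """Reduce every coefficient to the centred interval [-q//2, q//2]."""
    return [((x + q // 2) % q) - q // 2 for x in a]


def inv_q(f, q=Q):
    """f^-1 in R_q via f^(q-2) (valid under the q = 1 mod 2n assumption);
    returns None when f is not a unit, which the final check detects."""
    n = len(f)
    one = [1] + [0] * (n - 1)
    result, base, e = one, [x % q for x in f], q - 2
    while e:
        if e & 1:
            result = [x % q for x in mul(result, base)]
        base = [x % q for x in mul(base, base)]
        e >>= 1
    return result if mod_q(mul(result, f), q) == one else None


def ternary(rng, n=N):
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def keygen(rng):
    """Sample f = 1 + 2f' (invertible mod q) and g; publish h = [g/f]_q."""
    while True:
        f = [2 * x for x in ternary(rng)]
        f[0] += 1
        finv = inv_q(f)
        if finv is not None:
            break
    g = ternary(rng)
    return f, g, mod_q(mul(g, finv))


def encrypt(h, m, rng):
    """c = 2(h s + e) + m mod q for a message m in {0,1}^n."""
    s, e = ternary(rng), ternary(rng)
    hs = mul(h, s)
    return mod_q([2 * (hs[i] + e[i]) + m[i] for i in range(len(m))])


def decrypt(f, c):
    """f c = 2(g s + f e) + f m holds over Z once centred (the noise stays
    below q/2 for these parameters); f = 1 (mod 2) makes the parity m."""
    return [x % 2 for x in mod_q(mul(f, c))]


def in_lattice(h, x, y, q=Q):
    """Membership in Lambda_h^q = {(x, y) in R^2 : h x - y = 0 mod q}."""
    hx = mul(h, x)
    return all((hx[i] - y[i]) % q == 0 for i in range(len(y)))


def rotate(a, i):
    """The rotation x^i * a of a."""
    xi = [0] * len(a)
    xi[i] = 1
    return mul(a, xi)


def gaussian_heuristic(n=N, q=Q):
    """Shortest norm predicted for a random 2n-dim lattice of volume q^n:
    sqrt(2n / (2 pi e)) * q^(1/2), i.e. about sqrt(nq) as on the slide."""
    return math.sqrt(2 * n / (2 * math.pi * math.e)) * math.sqrt(q)


def demo(seed=1):
    """Return (decryption ok, all n rotations of (f, g) lie in the lattice,
    ||(f, g)||, Gaussian-heuristic norm) for one random instance."""
    rng = random.Random(seed)
    f, g, h = keygen(rng)
    m = [rng.randrange(2) for _ in range(N)]
    ok = decrypt(f, encrypt(h, m, rng)) == m
    rotations = all(in_lattice(h, rotate(f, i), rotate(g, i)) for i in range(N))
    return ok, rotations, math.sqrt(sum(x * x for x in f + g)), gaussian_heuristic()


if __name__ == "__main__":
    print(demo())
```

`demo()` returns whether decryption succeeded, whether all $n$ rotations of $(f, g)$ satisfy $hx - y \equiv 0 \pmod q$, and $\|(f, g)\|$ next to the Gaussian-heuristic prediction for a random lattice of the same dimension and volume; the gap between the last two numbers is the "unusually short vectors" observation the attacks exploit. The membership test uses the defining congruence rather than the basis matrix $A$; both describe the same lattice.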
NTRU assumption and applications
Definition (NTRU assumption). It is hard to find a short vector in the $R$-module $\Lambda_h^q = \{(x, y) \in R^2 : hx - y = 0 \bmod q\}$, $R = \mathbb{Z}[X]/(P(X))$, given the promise that a short solution $(f, g)$ exists.
The NTRU assumption has been used for:
- signature schemes: BLISS (Ducas, Durmus, Lepoint, Lyubashevsky)
- IBE (Ducas, Lyubashevsky, Prest)
- fully homomorphic encryption: LTV (Lopez-Alt, Tromer, Vaikuntanathan), YASHE (Bos, Lauter, Loftus, Naehrig)
- multilinear maps from ideal lattices: GGH13
with a very large modulus $q$ compared to NTRUEncrypt!
Current attacks on NTRU
Recovering a short enough vector, even one larger than $(f, g)$, is sufficient to recover the secret key; finding a vector of norm $o(q)$ would already break many applications such as encryption.
Previous lattice attacks:
1. Direct approach: needs strong lattice reduction on the full $2n$-dimensional lattice; NTRU is still secure.
2. May: widens the gap between $\lambda_1(L)$ and $\lambda_2(L)$ by avoiding the rotated vectors, and reduces the dimension by projecting the lattice.
3. Howgrave-Graham's hybrid attack combines lattice reduction and meet-in-the-middle: first reduce a submatrix in the middle of the basis of $L$.
Asymptotically, a BKW variant has heuristic complexity $2^{\Theta(n/\log\log q)}$.
Subfield attack
Lattice reduction in a subfield to attack the NTRU assumption for large modulus $q$ and $\sigma < q^{1/4}$.
Strategy: reducing the dimension allows faster algorithms.
1. Map the NTRU instance to the chosen subfield (dimension $n/2$)
2. Apply lattice reduction
3. Lift the solution to the full field
Albrecht, Bai and Ducas rediscovered this attack, already sketched by Gentry, Szydlo, Jonsson, Nguyen and Stern. Cheon, Jeong and Lee found a variant using the trace instead of the norm; it works with any coefficient of the characteristic polynomial.
Cyclotomic number field
$K = \mathbb{Q}[\omega_n] \simeq \mathbb{Q}[X]/(\Phi_n(X))$ where $\omega_n = \exp(2i\pi/n)$.
$L = \mathbb{Q}(\omega_n + \bar\omega_n)$: maximal real subfield of $K$, of dimension $(n-1)/2$ for prime $n$.
Conjugate: $\bar a = a(X^{-1}) = a_0 + \sum_{i=1}^{\varphi(n)-1} a_i X^{-i}$ for $a = \sum_{i=0}^{\varphi(n)-1} a_i X^i$ (complex conjugation sends $\omega_n$ to $\bar\omega_n = \omega_n^{-1}$).
$N_{K/L}(a) = a\bar a \in L$.
More generally, if $L$ is a subfield of $K$ of dimension $m$ and $r = n/m = [K:L]$, then $N_{K/L}(a) = \prod_{\sigma \in H} \sigma(a)$ where $H$ is the subgroup of automorphisms fixing $L$.
Ring of integers: $O_K = \mathbb{Z}[\omega_n] = \{a \in K : f_a \in \mathbb{Z}[X]\}$, where $f_a \in \mathbb{Q}[X]$ is the monic irreducible minimal polynomial of $a$ over $\mathbb{Q}$.
An ideal $gO_K$ can be represented by a lattice: the multiplication matrix by $g$ in $O_K$.
Analysis
Consider the lattice generated by
$$A_{\mathrm{norm}} = \begin{pmatrix} qI_{n/r} & 0 \\ M_{O_L}(N_{K/L}(h)) & I_{n/r} \end{pmatrix}, \qquad N_{K/L}(h) \in O_L .$$
$(N_{K/L}(f), N_{K/L}(g))$ is contained in this lattice.
Expected shortest vector (Gaussian heuristic in dimension $2n/r$ with volume $q^{n/r}$): $q^{(n/r)/(2n/r)} \sqrt{2n/(2\pi r e)} = \sqrt{qn/(\pi r e)}$.
For $L$ the real subfield of $K$ ($r = 2$): $\|f\bar f\| \approx \|f\|^2 \approx n$, but $n \approx q/2$ for NTRUEncrypt parameters, so $N_{K/L}(f)$ is not shorter than the expected $\sqrt{qn/(2\pi e)} \approx n/\sqrt{\pi e}$: the attack does not work on NTRU parameters.
But with a very large modulus $q$, $N_{K/L}(f) = f\bar f$ is smaller than the expected short vector!
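Conjugation, the relative norm $N_{K/L}(a) = a\bar a$ and the comparison of $\|f\bar f\|$ with the expected shortest vector of the norm lattice, as an added Python example (not code from the talk). Unlike the prime-conductor field of the cyclotomic slide, it assumes the power-of-two cyclotomic $K = \mathbb{Q}[X]/(X^n + 1)$ used by the NTRU variants, so $\bar X = X^{-1} = -X^{n-1}$ and $O_L$ has the $\mathbb{Z}$-basis $\{1, X^i - X^{n-i}\}$; the ternary `F`, `G` and the two moduli compared in `demo` are constructed inputs.

```python
"""Relative norm to the maximal real subfield of K = Q[X]/(X^n + 1).

Added example, not code from the talk. Assumption (differs from the
prime-conductor setting of the cyclotomic slide): n is a power of two, so
complex conjugation acts as X -> X^{-1} = -X^{n-1}, the real subfield
L = Q(X + X^{-1}) has degree n/2, and its ring of integers O_L has the
Z-basis {1, X^i - X^{n-i} : 1 <= i < n/2}.
"""
import math


def mul(a, b):
    """Negacyclic product in Z[X]/(X^n + 1)."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj      # X^n = -1
    return c


def conj(a):
    """a(X^{-1}): X^{-i} = -X^{n-i} for 1 <= i < n, because X^{-n} = -1."""
    n = len(a)
    c = [0] * n
    c[0] = a[0]
    for i in range(1, n):
        c[n - i] = -a[i]
    return c


def relative_norm(a):
    """N_{K/L}(a) = a * conj(a), an element of L (fixed by conjugation)."""
    return mul(a, conj(a))


def is_real(a):
    return conj(a) == a


def real_coords(a):
    """Coordinates of a real element on {1, X^i - X^{n-i}}: n/2 integers.
    Realness forces a[n/2] = -a[n/2] = 0 and a[n-i] = -a[i]."""
    n = len(a)
    if not is_real(a):
        raise ValueError("not in the real subfield")
    return a[: n // 2]


def norm(v):
    return math.sqrt(sum(x * x for x in v))


def expected_shortest(n, q, r=2):
    """Gaussian heuristic for the norm lattice: dimension 2n/r, volume q^{n/r},
    giving q^{1/2} sqrt(2n/(2 pi r e)) = sqrt(q n / (pi r e)) as on the slide."""
    return math.sqrt(q * n / (math.pi * r * math.e))


def norm_is_unusually_short(f, q):
    """Does ||N_{K/L}(f)|| fall below the expected shortest vector of the
    subfield lattice?  Only then does lattice reduction there have a reason
    to return (a multiple of) the norm of the secret."""
    return norm(relative_norm(f)) < expected_shortest(len(f), q)


F = [1, 0, -1, 1, 1, 0, 0, -1]    # constructed ternary f, n = 8, ||f||^2 = 5
G = [0, 1, 1, -1, 0, 1, 0, 0]     # constructed second element, for N(ab) = N(a)N(b)


def demo():
    """NTRUEncrypt-like q ~ 2n versus an overstretched q = 2^20."""
    n = len(F)
    return {
        "ntru_like": norm_is_unusually_short(F, 2 * n),
        "overstretched": norm_is_unusually_short(F, 2 ** 20),
    }
```

The constant term of $f\bar f$ is $\sum_i a_i^2 = \|f\|^2$, so $\|N_{K/L}(f)\| \geq \|f\|^2$ regardless of the other coefficients; with $q \approx 2n$ this already exceeds $\sqrt{qn/(2\pi e)} \approx n/\sqrt{\pi e}$, while for $q = 2^{20}$ the expected shortest vector is several hundred times longer than $f\bar f$. Multiplicativity, $N_{K/L}(ab) = N_{K/L}(a)N_{K/L}(b)$, is what turns $hf = g \bmod q$ into $N_{K/L}(h)N_{K/L}(f) = N_{K/L}(g) \bmod q$ and hence places $(N_{K/L}(f), N_{K/L}(g))$ in $\Lambda(A_{\mathrm{norm}})$.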
Subfield attack
With $A_{\mathrm{norm}} = \begin{pmatrix} qI_{n/r} & 0 \\ M_{O_L}(N_{K/L}(h)) & I_{n/r} \end{pmatrix}$ and $N_{K/L}(h) \in O_L$:
- $(f' = N_{K/L}(f),\ g' = N_{K/L}(g)) \in \Lambda(A_{\mathrm{norm}})$, with $\|f'\| \leq (\sigma n)^r$ where $r = [K:L]$
- solution returned by BKZ with block size $\beta$: $\|(x', y')\| \leq \beta^{\Theta(n/(\beta r))} (n\sigma)^{\Theta(r)}$
- if $\|(x', y')\| < q/\|(f', g')\|$ then $(x', y') = v\,(f', g')$ for some $v \in O_L$
- Efficient: small dimension ($2n/r$), then lift the solution to $K$
Subfield attack
Condition to work: $q \geq \beta^{\Theta(2n/(r\beta))} n^{\Theta(r)}$ when $\sigma = \mathrm{poly}(n)$.
1. Faster than the direct attack in dimension $2n$ when $q$ is super-polynomial:
   Subfield: $\beta/\log\beta = \Theta(n\log n/\log^2 q)$ for $r = \Theta(\log q/\log n)$
   Direct: $\beta/\log\beta = \Theta(n/\log q)$
2. Quasi-polynomial time when $q$ is exponential in $n$.
Reparations:
- $R = \mathbb{Z}[X]/(X^p - X - 1)$ as suggested by Bernstein et al.: NTRU Prime
- $K = \mathbb{Q}(\zeta_p + \zeta_p^{-1})$ with $p$ a safe prime: Galois with no proper subfield
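Where the condition $q \geq \beta^{\Theta(2n/(r\beta))} n^{\Theta(r)}$ and the two block-size estimates come from, carried through in the deck's own notation as an added derivation (not part of the original slides); $\Theta$-constants are left implicit and $\sigma = \mathrm{poly}(n)$ throughout.

BKZ returns a multiple of $(f', g')$ as soon as its output is shorter than $q/\|(f', g')\|$, and $\|(f', g')\| \leq (\sigma n)^{r}$ up to constants, so
$$
\beta^{\Theta(n/(\beta r))}(n\sigma)^{\Theta(r)} \cdot (\sigma n)^{r} \;<\; q
\quad\Longleftrightarrow\quad
q \;\geq\; \beta^{\Theta(2n/(r\beta))}\,(n\sigma)^{\Theta(r)} \;=\; \beta^{\Theta(2n/(r\beta))}\, n^{\Theta(r)} .
$$
Taking logarithms,
$$
\log q \;=\; \Theta\!\Big(\frac{n}{r\beta}\log\beta\Big) + \Theta(r\log n).
$$
For a given $\beta$ the right-hand side is smallest when the two terms balance, which forces $r = \Theta(\log q/\log n)$; substituting into the first term gives
$$
\frac{\beta}{\log\beta} \;=\; \Theta\!\Big(\frac{n}{r\log q}\Big) \;=\; \Theta\!\Big(\frac{n\log n}{\log^{2} q}\Big).
$$
The direct attack is the case $r = 1$ on the $2n$-dimensional lattice of volume $q^n$: BKZ-$\beta$ returns a vector of norm about $\beta^{\Theta(n/\beta)}\sqrt{q}$, which must fall below $\|(f, g)\| \approx \sqrt{n}\,\sigma$, so $(n/\beta)\log\beta = \Theta(\log q)$ once $\log q \gg \log n$, i.e.
$$
\frac{\beta}{\log\beta} \;=\; \Theta\!\Big(\frac{n}{\log q}\Big).
$$
The subfield attack therefore needs a block size smaller by a factor $\Theta(\log q/\log n)$, which is a gain exactly when $\log q \gg \log n$, that is, for super-polynomial $q$.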
New subring attack
$$A = \begin{pmatrix} qI_n & 0 \\ M_{O_L}(h) & I_{n/r} \end{pmatrix}$$
The original lattice, but with the multiplication matrix of $h$ restricted to $O_L$ (only the rows indexed by a basis of the subring).
For any $g \in O_K$, $N_{K/L}(g) \in gO_K \cap O_L$: a multiple of $g$ lying in the subring $O_L$ of $O_K$.
We show that $(f\,N_{K/L}(g)/g,\ N_{K/L}(g)) \in \Lambda(A)$ and is short.
Efficiency? The subfield attack has dimension $2n/r$ instead of $n + n/r$.
New subring attack
- The runtime of lattice reduction depends on the dimension and on the approximation factor (the slope of the log Gram-Schmidt profile).
- Increase the volume of the lattice.
- Use a projected lattice to reduce the dimension!
New subring attack
Same matrix $A = \begin{pmatrix} qI_n & 0 \\ M_{O_L}(h) & I_{n/r} \end{pmatrix}$. This approach is more flexible: it allows reducing both the dimension and the number of coordinates!
Projected lattice: extract the last $d$ rows and columns.
Heuristic: if the algorithm finds a vector shorter than the Minkowski bound, it is a multiple of the key.
- if $\log\sigma = \Theta(\log n)$: polynomial-time algorithm when $q = 2^{\Omega(\sqrt{n\log\log n})}$
- if $\sigma = \Theta(\sqrt{n})$: faster algorithm as soon as $q \geq n^{\Theta(\sqrt{\log\log n})}$
- $\beta/\log\beta = \Theta(n\log\sigma/\log^2 q)$ and $d \approx 2n/r$
Simplification and generalization
Are these attacks better than other practical attacks on NTRU, such as the lattice-reduction step of the hybrid attack?
$$A = \begin{pmatrix} qI_n & 0 \\ M_{O_K}(h) & I_n \end{pmatrix}$$
There are $n$ short vectors, the rotations of $(f, g)$: $(x^i f, x^i g)$.
What lattice reduction finds inside a sublattice of low volume depends on the rank of that sublattice; previous analyses restrict to the special case of rank one.
Pataki & Tural: the volume of a sublattice generated by $r$ vectors (here $r$ is the rank, not $[K:L]$) is at least the product of the $r$ smallest Gram-Schmidt norms of any basis of the full lattice.
Simplification and generalization
Same matrix $A = \begin{pmatrix} qI_n & 0 \\ M_{O_K}(h) & I_n \end{pmatrix}$.
1. We reduce the middle of the matrix $A$.
2. Same efficiency without any subfield, using an orthogonal basis of $O$.
Recovery: half of $fO$ and $gO$, and heuristically the middle matrix is a basis of $(f, g)O$.
Experiments on NTRU: table with columns log n, log q, log r, Success (Yes/No), Method (ABD or Ours), Coordinates, Origin (YASHE, Dowlin); the numeric entries did not survive transcription.
Experiments and prediction: table with the same columns (origins YASHE and Doroz), followed by a prediction table of log r against log n; numeric entries not recoverable.
Experiments on NTRUprime with large moduli: table with columns log n, log q, l, Success (Yes/No), followed by a prediction table of l against log n; numeric entries not recoverable.
Conclusion: provable security and attack
- The property that we use is present until $\sigma \approx \sqrt{nq}$.
- Stehlé and Steinfeld prove security for $\sigma \geq n^3\sqrt{q}$.
- Attack: more efficient on NTRU than on Ring-LWE (where $\sigma \approx \sqrt{q/n}$).
- Standard cryptography (signatures, key exchange and IBE) uses a modulus $q \approx n^2$, and the attack does not apply.

Conclusion
- The subfield attack and our subring attack are slower than the direct attack with projection.
- We broke many instantiations of FHE schemes in practice.
- First time the $n$ rotated small vectors are useful to analyze the security of NTRU!
Rochester Institute of Technology RIT Scholar Works Presentations and other scholarship 3-31-2016 Evaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems Peizhao Hu Rochester
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationMaking NTRU as Secure as Worst-Case Problems over Ideal Lattices
Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé 1 and Ron Steinfeld 2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d Italie, 69364 Lyon Cedex
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More informationFalcon: Fast-Fourier Lattice-based Compact Signatures over NTRU
Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU Specifications v1.0 Pierre-Alain Fouque Jeffrey Hoffstein Paul Kirchner Vadim Lyubashevsky Thomas Pornin Thomas Prest Thomas Ricosset Gregor
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationIdentifying Ideal Lattices
Identifying Ideal Lattices Jintai Ding 1 and Richard Lindner 2 1 University of Cincinnati, Department of Mathematical Sciences PO Box 2125, Cincinnati, OH 45221-25, USA jintaiding@ucedu 2 Technische Universität
More informationPROVABLY WEAK INSTANCES OF RING-LWE
PROVABLY WEAK INSTANCES OF RING-LWE YARA ELIAS, KRISTIN E. LAUTER, EKIN OZMAN, AND KATHERINE E. STANGE Abstract. The ring and polynomial learning with errors problems (Ring-LWE and Poly-LWE) have been
More information6]. (10) (i) Determine the units in the rings Z[i] and Z[ 10]. If n is a squarefree
Quadratic extensions Definition: Let R, S be commutative rings, R S. An extension of rings R S is said to be quadratic there is α S \R and monic polynomial f(x) R[x] of degree such that f(α) = 0 and S
More informationRing-SIS and Ideal Lattices
Ring-SIS and Ideal Lattices Noah Stephens-Davidowitz (for Vinod Vaikuntanathan s class) 1 Recalling h A, and its inefficiency As we have seen, the SIS problem yields a very simple collision-resistant hash
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationLectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002
Lectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002 J. Pipher Brown University, Providence RI 02912 1 Lecture 1 1.1 Integer lattices Lattices have been studied by
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationField Switching in BGV-Style Homomorphic Encryption
Field Switching in BGV-Style Homomorphic Encryption Craig Gentry IBM Research Shai Halevi IBM Research Nigel P. Smart University of Bristol Chris Peikert Georgia Institute of Technology September 13, 2013
More informationMulti-Key FHE from LWE, Revisited
Multi-Key FHE from LWE, Revisited Chris Peikert Sina Shiehian August 24, 2016 Abstract Traditional fully homomorphic encryption (FHE) schemes only allow computation on data encrypted under a single key.
More information(January 14, 2009) q n 1 q d 1. D = q n = q + d
(January 14, 2009) [10.1] Prove that a finite division ring D (a not-necessarily commutative ring with 1 in which any non-zero element has a multiplicative inverse) is commutative. (This is due to Wedderburn.)
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationProgressive lattice sieving
Progressive lattice sieving Thijs Laarhoven and Artur Mariano t s tt t s PQCrypto 2018, Fort Lauderdale (FL), USA (April 10, 2018) Lattices What is a lattice? Lattices What is a lattice? b 1 b 2 Lattices
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationProvably Weak Instances of Ring-LWE
Provably Weak Instances of Ring-LWE Yara Elias 1, Kristin E. Lauter 2, Ekin Ozman 3, and Katherine E. Stange 4 1 Department of Mathematics And Statistics, McGill University, Montreal, Quebec, Canada, yara.elias@mail.mcgill.ca
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky, Chris Peikert, and Oded Regev Abstract. The learning with errors (LWE) problem is to distinguish random linear equations, which
More informationHomomorphic Encryption for Approximate Matrix Arithmetic
Homomorphic Encryption for Approximate Matrix Arithmetic Jung Hee Cheon 1, Andrey Kim 1 Seoul National University, Republic of Korea {jhcheon, kimandrik}@snu.ac.kr Abstract. Homomorphic Encryption for
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationAlgorithms for the Approximate Common Divisor Problem
Submitted exclusively to the London Mathematical Society doi:10.1112/0000/000000 Algorithms for the Approximate Common Divisor Problem Steven D. Galbraith, Shishay W. Gebregiyorgis and Sean Murphy Abstract
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationCryptanalysis of the Co-ACD Assumption
Cryptanalysis of the Co-ACD Assumption Pierre-Alain Fouque 1, Moon Sung Lee 2, Tancrède Lepoint 3, and Mehdi Tibouchi 4 1 Université de Rennes 1 and Institut Universitaire de France fouque@irisa.fr 2 Seoul
More informationMaking NTRU as Secure as Worst-Case Problems over Ideal Lattices
Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé 1 and Ron Steinfeld 2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d'italie, 69364 Lyon Cedex
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationKey Recovery for LWE in Polynomial Time
Key Recovery for LWE in Polynomial Time Kim Laine 1 and Kristin Lauter 2 1 Microsoft Research, USA kimlaine@microsoftcom 2 Microsoft Research, USA klauter@microsoftcom Abstract We discuss a higher dimensional
More informationBKZ 2.0: Better Lattice Security Estimates
BKZ 2.0: Better Lattice Security Estimates Yuanmi Chen and Phong Q. Nguyen 1 ENS, Dept. Informatique, 45 rue d Ulm, 75005 Paris, France. http://www.eleves.ens.fr/home/ychen/ 2 INRIA and ENS, Dept. Informatique,
More informationA Toolkit for Ring-LWE Cryptography
A Toolkit for Ring-LWE Cryptography Vadim Lyubashevsky Chris Peikert Oded Regev May 16, 2013 Abstract Recent advances in lattice cryptography, mainly stemming from the development of ring-based primitives
More informationOn estimating the lattice security of NTRU
On estimating the lattice security of NTRU Nick Howgrave-Graham, Jeff Hoffstein, Jill Pipher, William Whyte NTRU Cryptosystems Abstract. This report explicitly refutes the analysis behind a recent claim
More informationDetermination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes
Determination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes Vincent Migliore, Guillaume Bonnoron, Caroline Fontaine To cite this version: Vincent
More information1. a) Let ω = e 2πi/p with p an odd prime. Use that disc(ω p ) = ( 1) p 1
Number Theory Mat 6617 Homework Due October 15, 018 To get full credit solve of the following 7 problems (you are welcome to attempt them all) The answers may be submitted in English or French 1 a) Let
More information