A Digital Signature Scheme based on CVP
|
|
- Britton Payne
- 5 years ago
- Views:
Transcription
1 A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong thomaspl Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 1 / 29
2 Lattice Based Cryptography Tools Lattice Theory Closest Vector Problem l -norm Objectives Digital Signature Efficiency and Security Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 2 / 29
3 Outline 1 Lattice Theory Lattice Inclusion Closest Vector Problem 2 New Vector Reduction Rectangular Matrix Algorithm 3 GGH Digital Signature Lattice Based Cryptography GGHSign Scheme 4 Analysis and Comparison Time Complexity Space Complexity Security 5 Conclusion Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 3 / 29
4 Lattice Theory 1 Lattice Theory Lattice Inclusion Closest Vector Problem 2 New Vector Reduction Rectangular Matrix Algorithm 3 GGH Digital Signature Lattice Based Cryptography GGHSign Scheme 4 Analysis and Comparison Time Complexity Space Complexity Security 5 Conclusion Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 4 / 29
5 Lattice Definition of a Lattice All the integral conbinations of d n linearly independant vectors over R L = Z b Z b d = {λ 1 b λ d b d : λ i Z} d dimension. B = (b 1,..., b d ) is a basis. An Example d = 2 n = «B = (1) In this work Full-rank lattice : d = n Integer Basis: B Z n,n Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 5 / 29
6 Example A lattice L B = « (2) An infinity of basis Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 6 / 29
7 Example A lattice L «« UB = = « (3) An infinity of basis Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 6 / 29
8 Example A lattice L «« UB = = « (4) An infinity of basis Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 6 / 29
9 Example A lattice L «« UB = = « (5) An infinity of basis Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 6 / 29
10 Inclusion Problem: v? L Input: A vector v Z n Input: A basis B Z n,n of a lattice L(B) Output: YES if there exists a vector k? Z n, kb = v Solution k = vb 1, k? Z n k = vb 1 mod 1, k =? 0 Polynomial with any basis Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 7 / 29
11 Inclusion Example Input: A vector v = (20, 20) «8 5 Input: A basis B = 5 16 Solution 16 k = vb 1 5 «= (20, 20) = ( , ) k = vb 1 mod 1 = ( , ) 0 (20, 20) L(B) Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 8 / 29
12 Vector Reduction Problem Input: A vector v Z n Input: A basis B Z n,n of a lattice L(B) Output: A vector w v (mod L) with w minimal. w = v + kb k Z n with w minimal Complexity NP-Hard under any norm (EmdeBoas 81) with Precomputation (Regev and Rosen 06) O(n n 2 ) deterministic (Kannan 83, Hanrot and Stehle 07) O(2 + 1 ɛ )n probabilistic (Blomer and Naewe 07) Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 9 / 29
13 Norms l p -Norm l p-norm v p of a vector v v p =! n 1 1/p X v i p i=0 Used Norm Euclidian Norm v 2 of a vector v v u v 2 = t n 1 X (v i ) 2 i=0 Infinity Norm v of a vector v v = n 1 max i=0 v i Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 10 / 29
14 Vector Reduction An Example A Vector: (20, 20) B = « (6) Closest Vector Problem Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 11 / 29
15 Vector Reduction An Example B = A Vector: (20, 20) (20, 20) (5, 16) = (15, 4) « (6) Closest Vector Problem Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 11 / 29
16 Vector Reduction An Example B = A Vector: (20, 20) (15, 4) (8, 5) = (7, 1) « (6) Closest Vector Problem Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 11 / 29
17 Vector Reduction An Example B = A Vector: (20, 20) (7, 1) (8, 5) = ( 1, 6) « (6) Closest Vector Problem Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 11 / 29
18 Vector Reduction An Example A Vector: (20, 20) ( 1, 6) (mod L) B = « (6) Closest Vector Problem Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 11 / 29
19 Closest Vector Problem A Solution: Babai s Round-Off 1 k = vb 1 2 w = v k B A good Approximation of CVP Polynomial Time Quality depends on B Babai s use a LLL-reduction of B (Lenstra,Lenstra and Lovasz 82) Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 12 / 29
20 Closest Vector Problem Example Input: A vector v = (20, 20) «8 5 Input: A basis B = 5 16 A Solution 16 k = vb 1 5 = (20, 20) w = k B = (20, 20) (2, 1) (20, 20) ( 1, 6) «= ( , 60 «103 ) = (20, 20) (21, 26) Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 13 / 29
21 New Vector Reduction 1 Lattice Theory Lattice Inclusion Closest Vector Problem 2 New Vector Reduction Rectangular Matrix Algorithm 3 GGH Digital Signature Lattice Based Cryptography GGHSign Scheme 4 Analysis and Comparison Time Complexity Space Complexity Security 5 Conclusion Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 14 / 29
22 Rectangular Matrix Rectangular Basis A Basis B = D M D dominant diagonal matrix M noise matrix M i,j small Concequence k = vb 1 k = v(d M) 1 k = vd 1 (1 MD 1 ) 1 k = vd 1 (1 + MD 1 + (MD 1 ) 2 + (MD 1 ) ) Spectral Radius of a matrix A, ρ(a) Theorem: 1 + A + A 2 + A converge if ρ(a) < 1. λ 0 λ 1 λ n 1 ρ(a) ρ(a) A. Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 15 / 29
23 Vector Reduction Input Input: A vector v Z n Input: A basis B = (D M) Z n,n of a lattice L(B) Output: A vector w v mod L with wd 1 < 1 Algorithm 1 w v 2 until wd 1 < 1 1 k wd 1 2 w w k B Conjecture Ending if ρ(md 1 ) < 1 2 Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 16 / 29
24 An example Input A vector v = (22, 14) and a basis B = D M D = «5 0, M = 0 5 «1 1, B = «1 1 4 (7) Algorithm 1 w (22, 14) 2 k wd 1 = [ 22 5, 14 5 ] 3 w w k B w = [22, 14] [4, 3] 4 k wd 1 = [ 1 5, 6 5 ] 5 w w k B w = [1, 6] [0, 1] «6 1 = (22, 14) (21, 8) = (1, 6) 1 4 «6 1 = (1, 6) ( 1, 4) = (2, 2) 1 4 Output w = (2, 2) (22, 14) (mod L) Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 17 / 29
25 GGH Digital Signature 1 Lattice Theory Lattice Inclusion Closest Vector Problem 2 New Vector Reduction Rectangular Matrix Algorithm 3 GGH Digital Signature Lattice Based Cryptography GGHSign Scheme 4 Analysis and Comparison Time Complexity Space Complexity Security 5 Conclusion Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 18 / 29
26 Lattice Based Cryptography Cryptography based on CVP Goldreich, Goldwasser and Halevi: first efficient cryptosystem (GGH and GGHSign) in GGH cryptanalyzed by Nguyen in GGH Improved By Micciancio in GGHSign Cryptanalyzis Gentry and Szydlo: first leaked in in Szydlo: theorithical attack in Nguyen and Regev: Cryptanalysis of GGHSign in Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 19 / 29
27 GGHSign Setup: i) Compute a secret good basis G. ii) Compute a public bad basis B with L(G) = L(B). Sign: i) Hash: m {0, 1} v Z n ii) Signature: w = v mod L(G). Verify: i) Hash: m {0, 1} v Z n ii) Check: w v L(B) Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 20 / 29
28 GGHSign Security Security 1 bad basis Difficult good basis good basis Easy bad basis 2 A good vector reduction with a good basis : Easy. A good vector reduction with a bad basis : Difficult. 3 Inclusion with any basis: Easy. Question How to choose a good basis? How to use it to have a good vector reduction? How to choose a bad basis? How to use it to solve inclusion? Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 21 / 29
29 Digital Signature Setup a) Choose an integer n. b) Compute a randomly integer matrix M { 1, 0, 1} n,n. c) Compute b = 2ρ(M) + 1. d) Compute the Hermite Normal Form H of the basis bid M. e) Public Key is (b, H) and the secret key is M. Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 22 / 29
30 Digital Signature Sign To sign a message m {0, 1} a) v = h(m) Z n with b) v w mod D M h : m v : {0, 1} x Z n, x < b 2 c) Using new Algorithm, compute w, which is a reduced vector of v. d) The signature on m is w. Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 23 / 29
31 Digital Signature Verify To verify a message-signature pair, (m, w), one does the following. a) Check if w < b. b) Compute the vector h(m) Z n. c) Check if the vector h(m) w is in the lattice of basis H. Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 24 / 29
32 Analysis and Comparison 1 Lattice Theory Lattice Inclusion Closest Vector Problem 2 New Vector Reduction Rectangular Matrix Algorithm 3 GGH Digital Signature Lattice Based Cryptography GGHSign Scheme 4 Analysis and Comparison Time Complexity Space Complexity Security 5 Conclusion Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 25 / 29
33 Time Complexity Figure: Average number of loops used to reduce a message vector to a signature vector. Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 26 / 29
34 Space Complexity Babai s method Our method Spectral radius Figure: Average l -norm of signature-vector using different reduction method. Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 27 / 29
35 Security Set of vectors reduce by Babai s method. Set of vectors reduce by our method Figure: Signature-message on R 2 for Babai s reduction and our reduction. Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 28 / 29
36 Conclusion Improvement of GGHSign 1 Practicaly Faster 2 Shorter Signature: ± half. 3 Not broken Open Questions 1 ρ(md 1 ) < Formula for the average number of loops 3 Security Proof Plantard, Susilo and Win (UOW) A Digital Signature Scheme based on CVP 29 / 29
Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationLattice Basis Reduction Part 1: Concepts
Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25, 2011, revised February 2012
More informationHermite Normal Forms and its Cryptographic Applications
Hermite Normal Forms and its Cryptographic Applications A thesis submitted in fulfillment of the requirements for the award of the degree Master of Computer Science from UNIVERSITY OF WOLLONGONG by Vasilios
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationImproving BDD cryptosystems in general lattices
University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2011 Improving BDD cryptosystems in general lattices Willy Susilo University
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationNew Cryptosystem Using The CRT And The Jordan Normal Form
New Cryptosystem Using The CRT And The Jordan Normal Form Hemlata Nagesh 1 and Birendra Kumar Sharma 2 School of Studies in Mathematics,Pt.Ravishankar Shukla University Raipur(C.G.). E-mail:5Hemlata5@gmail.com
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationA CVP-BASED LATTICE SIGNATURE SCHEME FOR NETWORK CODING
International Journal of Innovative Computing, Information and Control ICIC International c 2014 ISSN 1349-4198 Volume 10, Number 1, February 2014 pp. 317 327 A CVP-BASED LATTICE SIGNATURE SCHEME FOR NETWORK
More informationLattice reduction for modular knapsack
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 Lattice reduction for modular knapsack Thomas
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationShortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)
Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic
More informationLattice Reduction for Modular Knapsack
Lattice Reduction for Modular Knapsack Thomas Plantard, Willy Susilo, and Zhenfei Zhang Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationCOMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective
COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective Daniele Micciancio
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky 1 and Daniele Micciancio 2 1 School of Computer Science, Tel Aviv University Tel Aviv 69978, Israel.
More informationBabai round-off CVP method in RNS: application to latice based cryptographic protocols
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 Babai round-off CVP method in RNS: application
More informationA Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors
A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors Dan Ding 1, Guizhen Zhu 2, Yang Yu 1, Zhongxiang Zheng 1 1 Department of Computer Science
More informationLearning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
A preliminary version appeared in the Proceedings of EUROCRYPT 06 Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures Phong Q. Nguyen 1 and Oded Regev 2 1 CNRS & École normale supérieure,
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationLearning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures Phong Q. Nguyen 1, and Oded Regev 2, 1 CNRS & École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationM4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD
M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD Ha Tran, Dung H. Duong, Khuong A. Nguyen. SEAMS summer school 2015 HCM University of Science 1 / 31 1 The LLL algorithm History Applications of
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationSolving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems
Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems Thijs Laarhoven Joop van de Pol Benne de Weger September 10, 2012 Abstract This paper is a tutorial introduction to the present
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationCOS 598D - Lattices. scribe: Srdjan Krstic
COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific
More informationAn Efficient Broadcast Attack against NTRU
An Efficient Broadcast Attack against NTRU Jianwei Li, Yanbin Pan, Mingjie Liu, Guizhen Zhu Institute for Advanced Study, Tsinghua University Beijing 00084, China {lijianwei0, liu-mj07, zhugz08}@mailstsinghuaeducn
More informationfrom Lattice Reduction Problems MIT - Laboratory for Computer Science November 12, 1996 Abstract
Public-Key Cryptosystems from Lattice Reduction Problems Oded Goldreich Sha Goldwasser y Shai Halevi z MIT - Laboratory for Computer Science November 12, 1996 Abstract We present a new proposal for a trapdoor
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationInteger Least Squares: Sphere Decoding and the LLL Algorithm
Integer Least Squares: Sphere Decoding and the LLL Algorithm Sanzheng Qiao Department of Computing and Software McMaster University 28 Main St. West Hamilton Ontario L8S 4L7 Canada. ABSTRACT This paper
More informationLearning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures
Author manuscript, published in "ASIACRYPT 2012 7658 (2012) 433-450" DOI : 10.1007/978-3-642-34961-4_27 Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures Léo Ducas and Phong Q. Nguyen
More informationSome Sieving Algorithms for Lattice Problems
Foundations of Software Technology and Theoretical Computer Science (Bangalore) 2008. Editors: R. Hariharan, M. Mukund, V. Vinay; pp - Some Sieving Algorithms for Lattice Problems V. Arvind and Pushkar
More informationHard Instances of Lattice Problems
Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas
More informationRevisiting Fully Homomorphic Encryption Schemes and Their Cryptographic Primitives
Revisiting Fully Homomorphic Encryption Schemes and Their Cryptographic Primitives A thesis submitted in fulfillment of the requirements for the award of the degree Doctor of Philosophy from UNIVERSITY
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky and Daniele Micciancio May 9, 009 Abstract We prove the equivalence, up to a small polynomial
More informationSolving Closest Vector Instances Using an Approximate Shortest Independent Vectors Oracle
Tian CL, Wei W, Lin DD. Solving closest vector instances using an approximate shortest independent vectors oracle. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 306): 1370 1377 Nov. 015. DOI 10.1007/s11390-015-
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationand the polynomial-time Turing p reduction from approximate CVP to SVP given in [10], the present authors obtained a n=2-approximation algorithm that
Sampling short lattice vectors and the closest lattice vector problem Miklos Ajtai Ravi Kumar D. Sivakumar IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120. fajtai, ravi, sivag@almaden.ibm.com
More informationLectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002
Lectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002 J. Pipher Brown University, Providence RI 02912 1 Lecture 1 1.1 Integer lattices Lattices have been studied by
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationApplications of Lattices in Telecommunications
Applications of Lattices in Telecommunications Dept of Electrical and Computer Systems Engineering Monash University amin.sakzad@monash.edu Oct. 2013 1 Sphere Decoder Algorithm Rotated Signal Constellations
More informationBKZ 2.0: Better Lattice Security Estimates
BKZ 2.0: Better Lattice Security Estimates Yuanmi Chen and Phong Q. Nguyen 1 ENS, Dept. Informatique, 45 rue d Ulm, 75005 Paris, France. http://www.eleves.ens.fr/home/ychen/ 2 INRIA and ENS, Dept. Informatique,
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationLATTICE-BASED CRYPTOGRAPHY: A PRACTICAL IMPLEMENTATION
LATTICE-BASED CRYPTOGRAPHY: A PRACTICAL IMPLEMENTATION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationProxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012
Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012 Manh Ha Nguyen Tokyo Institute of Technology Toshiyuki Isshiki 1,2 and Keisuke Tanaka 2 1 NEC Corporation 2 Tokyo Institute of
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem IMI Cryptography Seminar 28 th June, 2016 Speaker* : Momonari Kuo Grauate School of Mathematics, Kyushu University * This work is a
More informationCSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationCryptanalysis via Lattice Techniques
Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction
More informationDensity of Ideal Lattices
Density of Ideal Lattices - Preliminary Draft - Johannes Buchmann and Richard Lindner Technische Universität Darmstadt, Department of Computer Science Hochschulstraße 10, 64289 Darmstadt, Germany buchmann,rlindner@cdc.informatik.tu-darmstadt.de
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationGentry s Fully Homomorphic Encryption Scheme
Gentry s Fully Homomorphic Encryption Scheme Under Guidance of Prof. Manindra Agrawal Rishabh Gupta Email: rishabh@cse.iitk.ac.in Sanjari Srivastava Email: sanjari@cse.iitk.ac.in Abstract This report presents
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More information2 cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]), which were early alternativ
Corrected version of Algorithmic Number Theory { Proceedings of ANTS-IV (July 3{7, 2000, Leiden, Netherlands) W. Bosma (Ed.), vol.???? of Lecture Notes in Computer Science, pages???{??? cspringer-verlag
More informationCryptanalysis of the Revised NTRU Signature Scheme
Cryptanalysis of the Revised NTRU Signature Scheme Craig Gentry 1 and Mike Szydlo 2 1 DoCoMo USA Labs, San Jose, CA, USA cgentry@docomolabs-usa.com 2 RSA Laboratories, Bedford, MA, USA mszydlo@rsasecurity.com
More informationProposal of a new efficient public key system for encryption and digital signatures
Proposal of a new efficient public key system for encryption and digital signatures Gerold Grünauer Email: geroldgruenauer@web.de 10/01/2007 Abstract In this paper a new efficient public key cryptosystem
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationSolving BDD by Enumeration: An Update
Solving BDD by Enumeration: An Update Mingjie Liu, Phong Q. Nguyen To cite this version: Mingjie Liu, Phong Q. Nguyen. Solving BDD by Enumeration: An Update. Ed Dawson. CT-RSA 2013 - The Cryptographers
More informationLower Bounds of Shortest Vector Lengths in Random NTRU Lattices
Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices Jingguo Bi 1,2 and Qi Cheng 2 1 School of Mathematics Shandong University Jinan, 250100, P.R. China. Email: jguobi@mail.sdu.edu.cn 2 School
More informationCSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationLocally Dense Codes. Daniele Micciancio. August 26, 2013
Electronic Colloquium on Computational Complexity, Report No. 115 (2013) Locally Dense Codes Daniele Micciancio August 26, 2013 Abstract The Minimum Distance Problem (MDP), i.e., the computational task
More informationBALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS
BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS KONSTANTINOS A. DRAZIOTIS Abstract. We use lattice based methods in order to get an integer solution of the linear equation a x + +a nx n = a 0, which satisfies
More informationLower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices
Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices Jingguo Bi 1 and Qi Cheng 2 1 Lab of Cryptographic Technology and Information Security School of Mathematics
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationAdapting Density Attacks to Low-Weight Knapsacks
Adapting Density Attacks to Low-Weight Knapsacks Phong Q. Nguy ên 1 and Jacques Stern 2 1 CNRS & École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France. Phong.Nguyen@di.ens.fr http://www.di.ens.fr/
More informationThe Shortest Vector Problem (Lattice Reduction Algorithms)
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm
More informationGenerating Shorter Bases for Hard Random Lattices
Generating Shorter Bases for Hard Random Lattices Joël Alwen New York University Chris Peikert Georgia Institute of Technology July 10, 2010 Abstract We revisit the problem of generating a hard random
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationSome Lattice Attacks on DSA and ECDSA
Some Lattice Attacks on DSA and ECDSA Dimitrios Poulakis Department of Mathematics, Aristotle University of Thessaloniki, Thessaloniki 54124, Greece, email:poulakis@math.auth.gr November 10, 2010 Abstract
More informationInteger Factorization using lattices
Integer Factorization using lattices Antonio Vera INRIA Nancy/CARAMEL team/anr CADO/ANR LAREDA Workshop Lattice Algorithmics - CIRM - February 2010 Plan Introduction Plan Introduction Outline of the algorithm
More informationGauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1
Gauss Sieve on GPUs Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1 1 Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan {ilway25,kbj,doug}@crypto.tw 2
More informationA Decade of Lattice Cryptography
A Decade of Lattice Cryptography Chris Peikert 1 September 26, 2015 1 Department of Computer Science and Engineering, University of Michigan. Much of this work was done while at the School of Computer
More informationHow to Use Linear Homomorphic Signature in Network Coding
How to Use Linear Homomorphic Signature in Network Coding Li Chen lichen.xd at gmail.com Xidian University September 28, 2013 How to Use Linear Homomorphic Signature in Network Coding Outline 1 Linear
More informationEnumeration. Phong Nguyễn
Enumeration Phong Nguyễn http://www.di.ens.fr/~pnguyen March 2017 References Joint work with: Yoshinori Aono, published at EUROCRYPT 2017: «Random Sampling Revisited: Lattice Enumeration with Discrete
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationNew Chosen-Ciphertext Attacks on NTRU
New Chosen-Ciphertext Attacks on NTRU Nicolas Gama 1,Phong Q. Nguyen 1 École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr CNRS/École normale supérieure, DI, 45 rue d Ulm,
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationApplication of the LLL Algorithm in Sphere Decoding
Application of the LLL Algorithm in Sphere Decoding Sanzheng Qiao Department of Computing and Software McMaster University August 20, 2008 Outline 1 Introduction Application Integer Least Squares 2 Sphere
More informationLearning Strikes Again: the Case of the DRS Signature Scheme
Learning trikes Again: the Case of the DR ignature cheme Yang Yu and Léo Ducas 2 Department of Computer cience and Technology, Tsinghua University, Beijing, China y-y3@mails.tsinghua.edu.cn 2 Cryptology
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem Royal Holloway an Kyushu University Workshop on Lattice-base cryptography 7 th September, 2016 Momonari Kuo Grauate School of Mathematics,
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More information