An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero
|
|
- Jessie Gerald Ramsey
- 5 years ago
- Views:
Transcription
1 An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University (SNU), Republic of Korea Abstract. Let h and g be polynomials of bounded Euclidean norm in the ring Z[X]/ X n + 1. Given polynomial [h/g] Z [X]/ X n + 1, the NTRU problem is to find a, b Z[X]/ X n + 1 with small Euclidean norm such that [a/b] = [h/g]. We propose an algorithm to solve the NTRU problem which runs in 2Õ(n/log2 ) time when g, h and g 1 are in some range. The main techniue of our algorithm is to reduce a problem on a field to one in a subfield. Recently, the GGH scheme, the first candidate of a (approximate) multilinear map, was known to be insecure by the Hu-Jia attack using encodings of zero, but no polynomial time attack was known without them. Our algorithm can be directly applied to construct level-0 encodings of zero and so utilized to attack the GGH scheme without encodings of zero in polynomial time of its security parameter. Keywords: NTRU, GGH Multilinear Maps, Ideal Lattice, Shortest Vector Problem 1 Introduction The NTRU problem is to find a pair of small polynomial whose ratio matches up to given a ratio of two small polynomials [HPS98]. After introduced for the security of a public key encryption scheme NTRU, the assumption that this NTRU problem is to be hard to solve, so-called NTRU assumption, has been used for the security grounding of various cryptographic schemes such as signature schemes [HHGP + 03,DDLL13], fully homomorphic encryption [LATV12,BLLN13] and candidates for cryptographic multi-linear maps [GGH13,LSS14,ACLL14]. Not broken until now, the NTRU assumption is getting more attention as one of the candidates for the post-uantum public-key crypto system. A variant of NTRU problem can be stated as follows: Problem 1 (A variant of NTRU Problem) Let ϕ n (X) Z[X] be a polynomial of degree n, Z be an integer, and let D, N and B be real numbers. The NTRU Problem NT RU ϕn,,d,n,b is to find a, b R := Z[X]/ ϕ n (X) with Euclidean norm smaller than B such that [b/a] = f for given a polynomial f = [h/g], where h and g are sampled from R and have Euclidean norms bounded by D and N, respectively.
2 2 In the original NTRU problem, h and g are sampled from the some distribution of R. We consider the variant version to attack multilinear maps [GGH13]. In this paper, we propose a polynomial time reduction from NT RU ϕn,,d,n,b into NT RU ϕn/2,,d 1,N 1,B 1 where ϕ n = X n + 1, B = min{ 2D n, 2N n }, D 1 = D 2 n/2, N 1 = 2ND n/2, and B 1 = min{ 2D t n, 2N t n, 2nN 2 g 1 n } for a power n of 2. Our algorithm is to reduce the problem defined over a ring Z[X]/ X n +1 to one over a subring Z[X]/ X n/2 +1. After applying repeatedly, we then use lattice reduction algorithms to find a short element. Since the latter has smaller dimension, lattice reduction algorithms reuire less running time to produce a short element, which results in an algorithm on the NTRU problem. It runs in ) time when g, h and g 1 are in some range. For 2Õ(n/log2 example, when n = λ 2 and log = λ, the running time is of polynomial in λ. As an application of our work, we propose an attack of the GGH multilinear maps [GGH13] without any encodings of zero. The GGH maps were proposed by Garg et al. and broken by so called a zeroizing attack by Hu and Jia [HJ15]. Since their attack extensively utilizes encodings of zero, it does not work without them and no polynomial time attack was known without them until recently (Refer to the related work subsection for concurrent and independent works on this problem). Our algorithm can be directly applied to construct level-0 encodings of zero. We then can utilize them to attack the GGH scheme without encodings of zero in polynomial time of its security parameter. Our GGH attack reuires one known plaintext/ciphertext pair as well as public parameters. Technical overview. A natural approach for the NTRU problem is to convert it to a Shortest Vector Problem (SVP) in an ideal lattice. Let ϕ n (X) = X n + 1 when n is a power of 2. For any polynomial f = [h/g] = n 1 f i X i R := Z[X]/ X n + 1, one may consider it as a vector (f 0,, f n 1 ) T. Then, the product gf = n 1 g i X i f of two polynomials f and g in R is contained in a lattice M f generated by {f, Xf,, X n 1 f}. We aim to obtain an element g Z[X]/ ϕ(x) satisfying g and [ gf] are small. To obtain such a g Z[X]/ ϕ(x), one can naturally contemplate the following column lattice: ( ) I 0 Λ f =, M f I where I is the identity matrix of size n and M f is a basis matrix of M f juxtaposed by {f, Xf,, X n 1 f}. Given a lattice vector u = (u 0,, u 2n 1 ) T of Λ f satisfying u i < /2 for n i 2n 1, we take g = n 1 u i X i and h = n 1 u n+i X i so that h = [g f] and f = [h /g ]. Therefore, if one can find a small lattice point u such that n 1 u i 2 h n and 2n 1 i=n u i 2 g, it becomes a solution n
3 3 of NT RU ϕ,,d,n,b. However, the dimension 2n of the lattice is too large for most applications, where the hardness of the NTRU problem comes from. To overcome this obstacle, we consider a subfield K m of K 0 := Q[X]/ X n +1 with extension degree m, and the trace of f K 0 over K m : [ m ] m Tr(f) = σ i (f) = i (h) i=1 i=1(σ m σ j (g))/ σ i (g). j i i=1 Since the numerator and denominator are elements in K m bounded by m h g m 1 n m and g m n m, respectively, if they are smaller than, we can draw another instance of the NTRU problem on K m, where the dimension of Λ Tr(f) is that of Λ f divided by m. Optimizing the m so that finding a small vector of the reduced lattice is possible with BKZ algorithm, one can reach the our results. Multilinear Maps. After Boneh and Silverberg [BS02] suggested a concept of cryptographic multilinear maps and their applications such as multipartite Diffie- Hellman and an efficient broadcast encryption in 2002, it has been a long lasting open uestion to construct cryptographic multilinear maps. In 2013, after about one decade, approximate cryptographic multilinear maps are first proposed by Garg, Gentry, and Halevi (GGH) [GGH13]. Not much later, second and third cryptographic multilinear maps are suggested by Coron, Lepoint, and Tibouchi (CLT) [CLT13], and Craig Gentry, Sergey Gorbunov, and Shai Halevi [GGH15], respectively. However, none of them have a reduction to standard hardness problem such as subset sum problem. In fact, the first two schemes with low level encodings of zero are known to be insecure [CHL + 15,HJ15], so called zeroizing attack. The last candidate is also broken [Cor15]. Although the fixed scheme of [CLT13] is proposed by the same authors of [CLT15] to resist zeroizing attack against the CLT scheme, it is also shown to be insecure [CLR15]. On the other hand, both [GGH13] scheme and [CLT13] scheme without any encodings of zero, which are used as basic tools for constructing applications such as indistinguishable obfuscations, have still not been analyzed yet. Related work. Recently for GGH multilinear maps without encodings of zero, two more concurrent and independent cryptanalytic works have been announced simultaneously: One by Albrecht, Bai, and Ducas [MA16] and the other by Miles, Sahai, and Zhandry [MSZ16]. The first introduces a very similar reduction from NT RU ϕn,,d,n,b into NT RU ϕn/2,,d 1,N 1,B 1. But they used the norm function instead of the trace function in our algorithm and so happened to have larger N 1 than ours, when N > 2D. That results in uantum polynomial time or subexponential time attack on GGH without encodings of zero. However, they provided rich analysis for NTRU-like homomorphic encryptions LTV [LATV12] and YASHE [BLLN13], and multilinear maps GGH with some implementations. The second introduces a polynomial time attack algorithm against the GGH multilinear maps, so called annihilation attacks. Using non-linear polynomials,
4 4 it also leads to a polynomial time break of the GGH scheme without low level encodings of zero. Organization. In Section 2, we introduce some notations and preliminaries related to ideal theory and Galois theory. In Section 3, we state useful properties and their proof used to solve the NT RU problem. In Section 4, we explain the GGH scheme briefly and present our algorithm to attack the GGH scheme using our theorem. 2 Preliminaries Notation. For an integer, we use the notations Z := Z/(Z) and R := Z [X]/ X n + 1 = R/R. We denote by (x mod ) or [x] the number in Z with range ( 2, ] n 1 2, which is congruent to x modulo. For u = u i X i R, [u] = n 1 [u i ] X i and u denote the Euclidean norm of u. We define ι : Z Z by [x] Z x Z for 2 < x 2. We extend this map into R applying to each coefficient. By abuse of notation, we omit this ι unless confused to identify [x] Z with an integer x when 2 < x 2. Throughout this paper, we assume that an integer n is a power of 2. Then K := Q[X]/ X n +1 is a number field with the ring of integers R := Z[X]/ X n + 1. Especially, K is a Galois extension of Q and we denote by Gal(K/Q) the Galois group of K over Q. As in technical overview, for any polynomial f = n 1 f i X i K, we consider it as a column vector (f 0,, f n 1 ) T. When we need an inverse of element a R, we usually consider the inverse in K with notation a 1. If we want to consider it in R not in K, then we denote it by [ a 1]. We use bold letters to denote vectors or ring elements in Z n or R. Ideal Lattice. An n-dimension full-rank lattice M R n is the set of all Z- linear combinations of n linearly independent vectors. Let det(m) denote the determinant of lattice M. For an element g R, we denote by g be the principal ideal in R generated by g, whose basis consists of {g, Xg,..., X n 1 g}. By identifying a polynomial g = g i X i R with a vector (g n 1, g n 2,..., g 0 ) T in Z n, we can apply a lattice theory to the algebraic ring R and an algebraic ring theory to the ideal lattice g. For a polynomial u R and a basis B := {b 1, b 2,..., b n }, we denote by u mod B the reduction of u modulo the fundamental region of lattice B, i.e, u mod B is the uniue representation of u R such that u (u mod B) B and u mod B = n 1 α i b i for α i ( 1/2, 1/2]. For a polynomial u, v R, we use the notations u mod v as u mod V, where V is a basis {v, Xv,..., X n 1 v}. By
5 definition of u mod v, it is of the form n 1 α i X i v for α i ( 1/2, 1/2]. Hence its Euclidean norm size is bounded by n 1 X i v /2 = n 1 v /2 = n 2 v. Next, we introduce useful lemmas related to ideal lattices. Lemma 1 For any a, b R, ab a b n. Proof. The k-th coefficient of ab is of the form: i+j=k a i b j i+j=n+k 5 a i b j. By the Cauchy - Schwartz ineuality, it is smaller than a b. Since each coefficient is smaller than a b, ab a b n. Lemma 2 Let g be an element of Z[X]/ X n + 1, and h Z[X]/ X n + 1 be relative prime to g. If c Z[X]/ X n + 1 satisfies c < /(2 h n) and [c h g 1 ] < /(2 g n), then c is contained in the ideal g. Proof. Let w := [c h g 1 ]. Then, [gw] = [ch]. Since w < /(2 g n), we have gw g w n /2 and ch c h n /2. Therefore, gw = ch in Z[X]/ X n + 1. Because ch g and h is relative prime to g, we can conclude c g. Using Lemma 2, if one can find the c satisfying lemma 2, c is of the form c = dg for some small d Z[X]/ X n + 1. Then multiplying it to [hg 1 ], one can obtain, a small multiple of h, dh. Hence, dh and dg become a solution of NTRU problem. Gaussian distribution. Given σ > 0, the discrete Gaussian distribution over the set L with zero mean is defined as D L,σ (x) = ρ σ (x)/ρ σ (L) for any x L, where ρ σ (x) = exp( π x 2 /σ 2 ), ρ σ (L) = ρ σ (x). We use a notation a D x L to denote choosing an element a according to the distribution of D. Norm and Trace of Field For a finite extension K of a field F, the trace Tr K/F (α) and norm N K/F (α) of α K over F is defined as the trace and determinant of the linear transformation M α which maps x K to αx K respectively, i.e, Tr K/F (α) = a i,i and N K/F (α) = det(a i,j ) where a i,j is the matrix for M α with respect to any base of K over F. The map Tr K/F and N K/F satisfy the following properties: (1) Tr K/F (α) = σ(α), N K/F (α) = σ(α) σ Gal(K/F ) σ Gal(K/F ) if K is a Galois extension of F (2) Tr K/F (α + β) = Tr K/F (α) + Tr K/F (β), N K/F (αβ) = N K/F (α)n K/F (β) (3) Tr K/F (a α) = a Tr K/F (α), N K/F (a α) = a [K:F ] N K/F (α) (4) Tr K/F (a) = [K : F ] a, N K/F (a) = a [K:F ] for α, β K and a F.
6 6 3 Main Theorem In this section we introduce how we can reduce NTRU problem with a given input [h/g] into NTRU problem with an input of which denominator and numerator have the half degree of h and g. Throughout this section, let n = 2 s, and denote Q[X 2t ]/ X n +1 and Z[X 2t ]/ X n +1 by K t and R t, respectively, with 0 t s. Note that K s := Q K s 1 K 0 = Q[X]/ X n + 1, where A B denotes A is a subfield of B. Since K 0 is a Galois extension field of K 1 with degree 2, Gal(K 0 /K 1 ) is a group of order 2. That is, Gal(K 0 /K 1 ) = {id, σ} satisfying σ 2 = id where id is the identity map. For an element f, g R K 0, the following elements are contained in R 1 K 1 : f + σ(f) f σ(f) fσ(g) + σ(f)g, since these are fixed by the Gal(K 0 /K 1 ). Using this property, we can get the following theorem which is the main theorem in this paper. Theorem 1 Let, t and m Z be integers, and let D, N and B be positive real numbers. Put B = min{ 2D n, 2N n }. Then, for ϕ n(x) = X n + 1 with n a power of 2, we can reduce NT RU ϕn,,d,n,b into NT RU ϕn/2,,d t,n t,b t where D t = Dt 1 2 n/2t, N t = 2t D tn D, B t = min{ 2D t n, 2N t n, 2nN 2 g 1 n } with D 0 = D, N 0 = N and B 0 = B. Proof. If we prove this theorem with t = 1, one can easily generalize to obtain the desired result. Suppose we are given [h/g] where g and h are sampled from the set {(g, h) R 2 = (Z[X]/ ϕ ( ) n (X) ) 2 : h < N, g < D}. We consider an h useful element T r K0/K 1 = h ( ) h g g + σ hσ(g) + σ(h)g = K 1 satisfying: g gσ(g) its denominator and numerator lie in R 1, hσ(g) + σ(h)g n/2 h σ(g) + n/2 σ(h) g 2ND n/2, gσ(g) n/2 g σ(g) N 2 n/2. [ ] hσ(g) + σ(h)g Therefore, we can see gσ(g) as a new instance for NT RU ϕn/2,,d 1,N 1,B 1 where N 1 = 2ND n/2, D 1 = N 2 n/2. Now, suppose that a solution (a 1, b 1 ) R 1 of NT RU ϕn/2,,d 1,N 1,B 1 is known such that [b 1 /a 1 ] = [h/g]. Moreover, since g and h are relative prime with high probability [ref], we assume the coprimality of g and h. Then, by Lemma 2, a 1 is of the form a 1 = dgσ(g). Computing [a 1 f] = [dgσ(g) [h/g] ] = [dhσ(g)], put a = a 1 and b = [dhσ(g)]. Then, we can conclude that the pair (a, b) is a
7 7 solution of NT RU ϕn,,d,n,b with following properties: [b/a] = [h/g] { } a B = min 2D n, 2N n 2N n/2 dhσ(g) = dgσ(g)g 1 h a 1 g 1 h n 2nN 2 g 1 n g 1 N n = 2N n The second ineuality implies b = [dhσ(g)] is actually b = dhσ(g) in R. Thus, we get the desired result. Theorem 2 Let be an integer, n be a power of 2, and λ be a security parameter. Let [h/g] be an instance of NT RU ϕn,,d,n,b problem with setting n, N, D, log = poly(λ), ϕ n (X) = X n + 1, and B = min{ }. If g 1 < poly(λ), the problem is solved in 2Õ(n/log2 ) time. 2D n, 2N n For example, when n = λ 2 and log = λ, one can solve the NT RU ϕn,,d,n,b in polynomial time in λ. In case of n = λ 3 and log = λ, one can solve the problem in 2Õ(λ) time. Proof. Without loss of generality, we assume N is larger than D. More precisely, we put N = λ s, D = λ k for s k. Then, by Theorem 1, one can obtain a new instance Tr K/Kt ([h/g] ) R R t for NT RU ϕn/2 t,,n t,d t,b t where N t < 2 t λ s (nλ t /2) 2t, D t < ( nλ k /2 ) 2 t, and B t = min{, 2D t nt, nλ 2s g 1 }. If t > 1, we assume B t = since it is asymptotically smaller than the others Now, we consider the following column lattice M t : ( ) Int 0 M t =, Λ t I nt where I nt is the identity matrix of size n t = n/2 t and Λ t Z n t n t is a matrix whose i-th column is ι(x i2t Tr K/Kt ([h/g] )) for 0 i < n/2 t. In other words, for Tr K/Kt ([h/g] ) = nt 1 f j X j2t, the i-th column of Λ t is of the form j=0 ( f nt i,, f nt 1, f 0, f nt i 1) T. Using the BKZ algorithm with block size β, one can obtain an element in M t u t = (u 0,, u nt 1, u nt,, u 2nt 1) T with u t 2β n t 1 2(β 1) det(mt ) = 2β n t 1 2(β 1) [HPS11]. Take c = n t 1 u i X i2t Z[X 2t ]/ X n + 1. Then we have [c Tr K/Kt ([h/g] )] = nt 1 u nt+ix i2t
8 8 Z[X 2t ]/ X n + 1. Moreover, if we choose t such that 2β n t 2(β 1) + 3 2, then c and c Tr K/Kt ([h/g] )] satisfy c < u t 2β n t 1 2(β 1) c Tr K/Kt ([h/g] )] < u t 2β n t 1 2(β 1) D t nt. In other words, c satisfies the conditions of Lemma 2. Therefore, c is in N K/Kt (g) g. Note that c is of the form c = d N K/Kt (g) = d g R t. To check the above condition of t is satisfied, we have the euivalence euation: 2β n t 2(β 1) ( nt 2(β 1) + 3 ) log β + log N t + log n t + 2 < log To optimize the left hand side of ineuality, we choose t such that 2 t n log β 2(β 1)(log nλ k /2). Then the left hand side is asymptotic to the following: ( nt 2(β 1) + 3 ) log β + log N t + log n t n 2 t 2(β 1) log β + 2t log(nλ k /2) + O(κ log n) n log β log(nλ k /2) 2 + O(κ log n) 2(β 1) where the last approximation comes from the arithmetic-geometric mean. It n implies that if one choose β =, for arbitrary 0 < ϵ < 2, then the last (log ) 2 ϵ value is smaller than log asymptotically. 2 Running time of this procedure is dominated by that of BKZ algorithm with block size β, which is poly(n, log ) C HKZ (β) times where C HKZ (β) = 2 O(β) is the cost of HKZ-reduction in dimension β [ADRSD14,HPS11] Finally, we have constructed an algorithm to find an element dn K/Kt (g) with the size of it smaller than from [h/g]. By multiplying dn K/Kt (g) to [h/g], one 2N t nt < 2N n t can obtain an element dhn K/Kt (g)g 1 and its Euclidean size is smaller than
9 9 2N n. dn K/Kt (g) h g 1 n N g 1 n nn 2 g 1 N g 1 n The second ineuality comes from B t = min{, 2D t nt, nn 2 g 1 } = by assumption. Hence, a pair (dn K/Kt (g), dhn K/Kt (g)g 1 ) is a solution of NT RU ϕn,,n,d,b. 4 Application to GGH In this section, we explain an attack algorithm to solve the GDDH problem of GGH scheme without low level encodings of zero. 4.1 The GGH Scheme First, we briefly recall the Garg et al. construction. We refer to the original paper [GGH13] for a complete description. The scheme relies on the following parameters. λ: the security parameter κ: the multilinearity parameter : the modulus of a ciphertext n: the dimension of base ring m: the number of level-κ encodings of zero in public parameters σ: the basic Gaussian parameter for drawing the ideal generator g σ : the Gaussian parameter for sampling level-zero elements Instance generation: (params, p zt ) InstGen(1 λ, 1 κ ). For given λ and κ, determine the parameter (σ, σ,, n) to satisfy the above conditions and output (params, p zt ). Sample g D R,σ until g, g 1 n 2 and I = g is a prime ideal in R. Sample z R. Sample X = {b i g} D I,σ and set a level-κ encoding of 0, x i = for each i m. Sample h D R, and set a zero-testing parameter p zt = Publish params = (n,, κ, {x i }) and p zt. [ ] h g zκ. [ ] bi g z κ Sampling level-zero encodings: a samp(params). Sample a D I,σ. Encodings at higher levels: c i enc(params, i, [ c). c Given a level-j encoding c for j < i, compute c i = z i j ].
10 10 Adding and multiplying encodings: Given two encodings c 1 and c 2 of same level, the addition of c 1 and c 2 is computed by Add(c 1, c 2 )=[c 1 + c 2 ]. Given two encodings c 1 and c 2, we multiply c 1 and c 2 by Mul(c 1, c 2 )=[c 1 c 2 ]. Zero-testing: iszero(params, p zt, c)? = 0/1. Given a level-κ encoding c, return 1 if [p zt c] < 3/4, and return 0 otherwise. Extraction: sk ext(params, p zt, c). Given a level-κ encoding c, compute MSB log /4 λ ([p zt c] ). 4.2 Hardness Assumptions We recall the definition of the Graded Decisional Diffie-Hellman problem (GDDH) and Graded Computational Diffie-Hellman problem (GCDH) on which the security of GGH scheme relies [GGH13]. These do not seem to be reducible to more classical assumptions in generic ways. GDDH, ext-gcdh, GCDH. For an adversary A and parameters λ, κ, we consider the following process in the GGH scheme. 1. Choose (, {x i }, p zt ) InstGen(1 λ, 1 κ ). 2. Sample a j samp(, {x i }) for each 0 j κ. 3. Set u j enc(, {x i }, 1, a j ) for all 0 j κ. 4. Choose r D R,σ. 5. Sample [ ρ j {0, 1} for 1 j m 6. Set û= 7. Set u= [ a 0 κ i=1 u i + j r κ i=1 u i + j ρ j x j ] ρ j x j ] The GCDH problem is to output a level-κ encoding of.. {, {x i }, p zt, u 0,..., u κ }. κ a i + I given inputs The ext-gcdh problem is to output a v R such that [v p zt û] < 3/4 given inputs {, {x i }, p zt, u 0,..., u κ }. The GDDH problem is to distinguish between two distributions D DDH and D R where D DDH = {, {x i }, p zt, u 0,..., u κ, û} and D R = {, {x i }, p zt, u 0,..., u κ, u}.
11 Attack to GGH Considering GGH13, one can notice that the theorem in section 3 can be applied to solve the GCDH problem, which is the security problem of the GGH scheme. More precisely, suppose we have {, {x i }, p zt, u 0,, u κ }. Additionally, we assume [ that we ] have a pair of level-0 encoding m / g and its m + ag level-1 encoding b =. Our attack algorithm consists of three steps: z First, find a small element cg g. Next, compute a small level-1 encoding of m 1 using the m, cg Last, recover a element m i in R = Z[X]/ Xn + 1 such that m i m i g for any 0 i κ. [( κ ) ] Finally, we can compute m i ( m 1 ) κ mod cg b κ and it becomes a solution of GCDH problem Step 1: Finding a small element of g Note that m + αg, b i g, a i n 3.5 and m n 3 with overwhelming probability. Considering [u κ 1/x 1 ] = [a κ 1/b 1 g], the size of denominator and numerator is bounded by n 3.5κ n κ 1 < n 4κ and n 3.5, respectively. Using the algorithm of Theorem 2 to several [a i1 a iκ /b j g], for i 1,, i κ {0,, κ} and j {1,, m}, one can recover several multiples of N K/Kt (g) and basis matrix of the ideal lattice of N K/Kt (g) over R t. Its determinant is eual to N Kt /Q(N K/Kt (g)) = N K/Q (g) and it is bounded by n 2n. Now, using β block- BKZ algorithm [HPS11], one can obtain an element cg N K/Kt (g) such that cg 2β n t 1 2(β 1) n 2 t+1 as we want Step( 2: Recovering the level-1 encoding of 1 [ ] ) m + ag Using a pair m, b =, one can recover a level-1 encoding of 1 as z follows. If m and cg N K/Kt (g) are relative prime, one can compute e, e R such that e m + e cg = 1. Then, (e mod cg) and (e κ mod cg) are the inverses of m and m κ in R/ N K/Kt (g) and R/ g, respectively. Moreover, these size are smaller than cg n/2 β n t 1 2(β 1) n 2 t+2. Note that m and cg N K/Kt (g) are relative prime with high probability [MA16] and it is always true when g is a prime in R Step 3: Computing the m We refer to Section in [GGH13] to solve the GCDH problem with short
12 12 vector c g. We explain how to use cg in order to solve the GCDH problem in the GGH scheme. First, by using u 0, u 1,..., u κ, cg, b, e κ mod cg, and p zt, one can obtain the following zero-testing values in Z[X]/ X n + 1 : ) f := ι ([(e κ mod cg) b κ p zt cg] = (1 + Jg)hd ( [(ui f i := ι e κ mod cg) b κ 1 p zt cg ] ) = (m i + J g)hd, (0 i κ). Assuming that f has an inverse in R/ N K/Kt (g), we can compute f i /f = m i mod N K/Kt (g). It implies that f i /f mod N K/Kt (g) is also in m i + g for 0 i κ. Therefore we obtain F = is in κ m i + g. Now compute F e κ cg n/2 β n t 1 2(β 1) κ f i /f mod N K/Kt (g), which mod cg whose size is smaller than n 2 t+2. To compute the level-κ encoding of compute [F e κ mod cg b κ p zt ]. We notice that it is of the form κ m i, we κ m i +rg g, the size of whose denominator is bounded by F e κ mod cg ( m + ag) κ h β n t 1 2(β 1) n 2 t+2 n 4κ. When β = λ 1 ϵ, it is asymptotically smaller than 3/4 and we can solve the GCDH problem. In summary, we can get the following corollary. Corollary 3 Given {n,, {x i }, m, b, p zt, u 0,, u κ } of the GGH scheme parameters, where n is Θ(λ 2 ), log = Θ(λ), x i is a level-κ encoding of zero, m is a level-0 encoding, b is a level of 1 encoding of m and u i is a level-1 encoding of a i, one can compute an enc κ ( κ a i ) which is a solution of GCDH problem in the GGH scheme in the 2 O(λ1 ϵ) for some 0 < ϵ < 1. 5 Conclusion After GGH scheme providing encoding of zero is known to be insecure, the variant of NTRU has received a lot of attention because of the security grounding of GGH scheme without encoding of zero. In this work, we described how to find a small solution of the variant of NTRU using reduction techniue. By applying the method to GGH scheme, we could attack the GCDH problem in GGH scheme. Therefore, our results imply that there is no guarantee for the security of the GGH scheme not only when we are given a small encoding of zero but also when we are not given.
13 13 References [ACLL14] Martin R Albrecht, Catalin Cocis, Fabien Laguillaumie, and Adeline Langlois. Implementing candidate graded encoding schemes from ideal lattices. In Advances in Cryptology ASIACRYPT 2015, pages Springer, [ADRSD14] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah Stephens- Davidowitz. Solving the shortest vector problem in 2 n time via discrete gaussian sampling. arxiv preprint arxiv: , [BLLN13] Joppe W Bos, Kristin Lauter, Jake Loftus, and Michael Naehrig. Improved security for a ring-based fully homomorphic encryption scheme. In Cryptography and Coding, pages Springer, [BS02] D. Boneh and A. Silverberg. Applications of multilinear forms to cryptography. Contemporary Mathematics, 324:71 90, [CHL + 15] Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu, and Damien Stehlé. Cryptanalysis of the multilinear map over the integers. In Advances in Cryptology EUROCRYPT 2015, pages Springer, [CLR15] Jung Hee Cheon, Changmin Lee, and Hansol Ryu. Cryptanalysis of the new clt multilinear maps. IACR-ePrint ( iacr. org/2015/934), [CLT13] Jean-Sébastien Coron, Tancrede Lepoint, and Mehdi Tibouchi. Practical multilinear maps over the integers. In Advances in Cryptology CRYPTO 2013, pages Springer, [CLT15] Jean-Sebastien Coron, Tancrede Lepoint, and Mehdi Tibouchi. New multilinear maps over the integers. In Advances in Cryptology CRYPTO 2015, pages Springer, [Cor15] Jean-Sébastien Coron. Cryptanalysis of GGH15 multilinear maps. IACR Cryptology eprint Archive, 2015:1037, [DDLL13] Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Lattice signatures and bimodal gaussians. In Advances in Cryptology [GGH13] CRYPTO 2013, pages Springer, Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal lattices. In Eurocrypt, volume 7881, pages Springer, [HJ15] [HPS98] [HPS11] [GGH15] Craig Gentry, Sergey Gorbunov, and Shai Halevi. Graph-induced multilinear maps from lattices. In Theory of Cryptography, pages Springer, [HHGP + 03] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H Silverman, and William Whyte. Ntrusign: Digital signatures using the ntru lattice. In Topics in cryptologyct-rsa 2003, pages Springer, Yupu Hu and Huiwen Jia. Cryptanalysis of GGH map. Technical report, Cryptology eprint Archive, Report 2015/301, Jeffrey Hoffstein, Jill Pipher, and Joseph H Silverman. Ntru: A ring-based public key cryptosystem. In Algorithmic number theory, pages Springer, Guillaume Hanrot, Xavier Pujol, and Damien Stehlé. Terminating bkz. IACR Cryptology eprint Archive, 2011:198, [LATV12] Adriana López-Alt, Eran Tromer, and Vinod Vaikuntanathan. On-thefly multiparty computation on the cloud via multikey fully homomorphic encryption. In Proceedings of the forty-fourth annual ACM symposium on Theory of computing, pages ACM, 2012.
14 14 [LSS14] Adeline Langlois, Damien Stehlé, and Ron Steinfeld. Gghlite: More efficient multilinear maps from ideal lattices. In Advances in Cryptology EUROCRYPT 2014, pages Springer, [MA16] Léo Ducas Martin Albrecht, Shi Bai. A subfield lattice attack on overstretched ntru assumptions: Cryptanalysis of some fhe and graded encoding schemes. Cryptology eprint Archive, Report 2016/127, [MSZ16] Eric Miles, Amit Sahai, and Mark Zhandry. Annihilation attacks for multilinear maps: Cryptanalysis of indistinguishability obfuscation over ggh13. Cryptology eprint Archive, Report 2016/147,
An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero
An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero Jung Hee Cheon Jinhyuck Jeong Changmin Lee Seoul National University (SNU) Republic of Korea
More informationAn Algorithm for NTRU Problems
An Algorithm for NTRU Problems Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University August 29, 2016 Changmin Lee An Algorithm for NTRU Problems 2016. 8. 29. 1 / 27 Introduction The NTRU
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationA subfield lattice attack on overstretched NTRU assumptions
A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded Encoding Schemes Martin R. Albrecht, Shi Bai and Léo Ducas London-ish Lattice Coding and Cryptography Meeting,
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease
More informationCryptanalysis of GGH15 Multilinear Maps
Cryptanalysis of GGH15 Multilinear Maps Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 CryptoExperts 3 NTT Secure Platform Laboratories June
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationCryptanalysis of branching program obfuscators
Cryptanalysis of branching program obfuscators Jung Hee Cheon 1, Minki Hhan 1, Jiseung Kim 1, Changmin Lee 1, Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationOn Kilian s Randomization of Multilinear Map Encodings
On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois 1, Damien Stehlé 1, Ron Steinfeld 2 1 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d Italie,
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois 1, Damien Stehlé 1, Ron Steinfeld 2 1 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENS de Lyon, INRIA, UCBL), 46 Allée d Italie,
More informationA key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme
A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme Eduardo Morais Ricardo Dahab October 2014 Abstract In this paper we present a key recovery attack to the scale-invariant
More informationMulti-key fully homomorphic encryption report
Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been
More informationShort Stickelberger Class Relations and application to Ideal-SVP
Short Stickelberger Class Relations and application to Ideal-SVP Ronald Cramer Léo Ducas Benjamin Wesolowski Leiden University, The Netherlands CWI, Amsterdam, The Netherlands EPFL, Lausanne, Switzerland
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters Paul Kirchner 1,2 and Pierre-Alain Fouque 2,3 1 École normale supérieure 2 IRISA 3 Université de Rennes 1 & Institut Universitaire de France
More informationWeak Instances of PLWE
Weak Instances of PLWE Kirsten Eisenträger 1, Sean Hallgren 2, and Kristin Lauter 3 1 Department of Mathematics, The Pennsylvania State University, University Park, PA 16802, USA, and Harvard University.
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationMultilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear
More informationSomewhat Practical Fully Homomorphic Encryption
Somewhat Practical Fully Homomorphic Encryption Junfeng Fan and Frederik Vercauteren Katholieke Universiteit Leuven, COSIC & IBBT Kasteelpark Arenberg 10 B-3001 Leuven-Heverlee, Belgium firstname.lastname@esat.kuleuven.be
More informationImmunizing Multilinear Maps Against Zeroizing Attacks
Immunizing Multilinear Maps Against Zeroizing Attacks Dan Boneh Stanford University David J. Wu Stanford University Joe Zimmerman Stanford University Abstract In recent work Cheon, Han, Lee, Ryu, and Stehlé
More informationSimple Lattice Trapdoor Sampling from a Broad Class of Distributions
Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky 1 and Daniel Wichs 2 1 Inria/ENS, Paris 2 Northeastern University Abstract. At the center of many lattice-based constructions
More informationMultilinear maps via secret ring
Multilinear maps via secret rin Chunshen Gu School of Computer Enineerin, Jiansu University of Technoloy, China {chunshen_u}@163.com Abstract. Gar, Gentry and Halevi (GGH13) described the first candidate
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationEvaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems
Rochester Institute of Technology RIT Scholar Works Presentations and other scholarship 3-31-2016 Evaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems Peizhao Hu Rochester
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationDetermination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes
Determination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes Vincent Migliore, Guillaume Bonnoron, Caroline Fontaine To cite this version: Vincent
More informationA signature scheme from the finite field isomorphism problem
A signature scheme from the finite field isomorphism problem Jeffrey Hoffstein 1, Joseph H. Silverman 1, William Whyte 2, and Zhenfei Zhang 2 1 Brown University, Providence, USA {jhoff,jhs}@math.brown.edu
More information저작권법에따른이용자의권리는위의내용에의하여영향을받지않습니다.
저작자표시 - 비영리 - 변경금지 2.0 대한민국 이용자는아래의조건을따르는경우에한하여자유롭게 이저작물을복제, 배포, 전송, 전시, 공연및방송할수있습니다. 다음과같은조건을따라야합니다 : 저작자표시. 귀하는원저작자를표시하여야합니다. 비영리. 귀하는이저작물을영리목적으로이용할수없습니다. 변경금지. 귀하는이저작물을개작, 변형또는가공할수없습니다. 귀하는, 이저작물의재이용이나배포의경우,
More informationCryptanalyses of Candidate Branching Program Obfuscators
Cryptanalyses of Candidate Branching Program Obfuscators ilei Chen Craig Gentry Shai Halevi February 16, 2017 Abstract We describe new cryptanalytic attacks on the candidate branching program obfuscator
More informationZeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1
Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1 Jean-Sébastien Coron 2 Craig Gentry 3 Shai Halevi 3 Tancrède Lepoint 4 Hemanta K. Maji 5,6 Eric Miles 6 Mariana Raykova 7 Amit
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationGraded Encoding, Variations on a Scheme
Graded Encoding, Variations on a Scheme Shai Halevi IBM October 30, 2015 Update (Oct 2015): The key-agreement protocols that are described (or alluded to) in sections 6,7 are broken. Thanks to Yupu Hu
More informationCryptanalysis of the Co-ACD Assumption
Cryptanalysis of the Co-ACD Assumption Pierre-Alain Fouque 1, Moon Sung Lee 2, Tancrède Lepoint 3, and Mehdi Tibouchi 4 1 Université de Rennes 1 and Institut Universitaire de France fouque@irisa.fr 2 Seoul
More informationPolynomial Functional Encryption Scheme with Linear Ciphertext Size
Polynomial Functional Encryption Scheme with Linear Ciphertext Size Jung Hee Cheon, Seungwan Hong, Changmin Lee, Yongha Son Seoul National University (SNU), Republic of Korea bstract. In this paper, we
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationAnnihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Eric Miles UCLA enmiles@cs.ucla.edu Amit Sahai UCLA sahai@cs.ucla.edu Mark Zhandry MI mzhandry@gmail.com
More informationIdentifying Ideal Lattices
Identifying Ideal Lattices Jintai Ding 1 and Richard Lindner 2 1 University of Cincinnati, Department of Mathematical Sciences PO Box 2125, Cincinnati, OH 45221-25, USA jintaiding@ucedu 2 Technische Universität
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationGraph-Induced Multilinear Maps from Lattices
Graph-Induced Multilinear Maps from Lattices Craig Gentry IBM Sergey Gorbunov MIT November 11, 2014 Shai Halevi IBM Abstract Graded multilinear encodings have found extensive applications in cryptography
More informationReduced Memory Meet-in-the-Middle Attack against the NTRU Private Key
Submitted exclusively to the London Mathematical Society doi:10.1112/0000/000000 Reduced Memory Meet-in-the-Middle Attack against the NTRU Private Key Christine van Vredendaal Abstract NTRU is a public-key
More informationZeroizing Attacks on Indistinguishability Obfuscation over CLT13
Zeroizing Attacks on Indistinguishability Obfuscation over CLT13 Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 SRI International 3 NTT Secure
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationA Note on Discrete Gaussian Combinations of Lattice Vectors
CHICAGO JOURNAL OF THEORETICAL COMPUTER SCIENCE 2016, Article 07, pages 1 11 http://cjtcs.cs.uchicago.edu/ A Note on Discrete Gaussian Combinations of Lattice Vectors Divesh Aggarwal Oded Regev * Received
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationObfuscation and Weak Multilinear Maps
Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan Obfuscation
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationLattice Reductions over Euclidean Rings with Applications to Cryptanalysis
IMACC 2017 December 12 14, 2017 Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis Taechan Kim and Changmin Lee NTT Secure Platform Laboratories, Japan and Seoul National University,
More informationLattice-based Multi-signature with Linear Homomorphism
Copyright c 2016 The Institute of Electronics, Information and Communication Engineers SCIS 2016 2016 Symposium on Cryptography and Information Security Kumamoto, Japan, Jan. 19-22, 2016 The Institute
More informationFully Homomorphic Encryption without Modulus Switching from Classical GapSVP
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University zvika@stanford.edu Abstract. We present a new tensoring techniue for LWE-based fully homomorphic
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationField Switching in BGV-Style Homomorphic Encryption
Field Switching in BGV-Style Homomorphic Encryption Craig Gentry IBM Research Shai Halevi IBM Research Nigel P. Smart University of Bristol Chris Peikert Georgia Institute of Technology September 13, 2013
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationLearning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures
Author manuscript, published in "ASIACRYPT 2012 7658 (2012) 433-450" DOI : 10.1007/978-3-642-34961-4_27 Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures Léo Ducas and Phong Q. Nguyen
More informationCRT-based Fully Homomorphic Encryption over the Integers
CRT-based Fully Homomorphic Encryption over the Integers Jinsu Kim 1, Moon Sung Lee 1, Aaram Yun 2 and Jung Hee Cheon 1 1 Seoul National University (SNU), Republic of Korea 2 Ulsan National Institute of
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationDensity of Ideal Lattices
Density of Ideal Lattices - Preliminary Draft - Johannes Buchmann and Richard Lindner Technische Universität Darmstadt, Department of Computer Science Hochschulstraße 10, 64289 Darmstadt, Germany buchmann,rlindner@cdc.informatik.tu-darmstadt.de
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationOn estimating the lattice security of NTRU
On estimating the lattice security of NTRU Nick Howgrave-Graham, Jeff Hoffstein, Jill Pipher, William Whyte NTRU Cryptosystems Abstract. This report explicitly refutes the analysis behind a recent claim
More informationKnown-plaintext cryptanalysis of the Domingo-Ferrer algebraic privacy homomorphism scheme
Information Processing Letters 97 2006) 8 23 wwwelseviercom/locate/ipl Known-plaintext cryptanalysis of the Domingo-Ferrer algebraic privacy homomorphism scheme Jung Hee Cheon a, Woo-Hwan Kim b,, Hyun
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland, New Zealand. S.Bai@auckland.ac.nz S.Galbraith@math.auckland.ac.nz
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017
More informationLeakage of Signal function with reused keys in RLWE key exchange
Leakage of Signal function with reused keys in RLWE key exchange Jintai Ding 1, Saed Alsayigh 1, Saraswathy RV 1, Scott Fluhrer 2, and Xiaodong Lin 3 1 University of Cincinnati 2 Cisco Systems 3 Rutgers
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg {jean-sebastien.coron, avradip.mandal}@uni.lu
More informationThe Rényi Divergence and Security Proofs
The Rényi Divergence and Security Proofs Thomas Prest Introduction 1 Introduction 2 Theory 1 The Rényi Divergence 2 Three useful lemmas 3 Framework for proving stuff 3 Practice 1 Application 1: Security
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationCryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)
AAECC (212) 23:143 149 DOI 1.17/s2-12-17-z ORIGINAL PAPER Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2) Abdel Alim Kamal Amr M. Youssef Received: 2 November 211
More informationHomomorphic Encryption for Approximate Matrix Arithmetic
Homomorphic Encryption for Approximate Matrix Arithmetic Jung Hee Cheon 1, Andrey Kim 1 Seoul National University, Republic of Korea {jhcheon, kimandrik}@snu.ac.kr Abstract. Homomorphic Encryption for
More informationAn Efficient and Parallel Gaussian Sampler for Lattices
An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Institute of Technology Abstract. At the heart of many recent lattice-based cryptographic schemes is a polynomial-time algorithm
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationAlgorithms for the Approximate Common Divisor Problem
Submitted exclusively to the London Mathematical Society doi:10.1112/0000/000000 Algorithms for the Approximate Common Divisor Problem Steven D. Galbraith, Shishay W. Gebregiyorgis and Sean Murphy Abstract
More informationSum-of-Squares Meets Program Obfuscation, Revisited
Sum-of-Squares Meets Program Obfuscation, Revisited Boaz Barak, Samuel B. Hopkins, Aayush Jain, Pravesh Kothari, and Amit Sahai. Abstract We develop attacks on the security of variants of pseudorandom
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More information