problem which is much easier the ring strikes back

Transcription

1 Lattice-based cryptography: 1 reduced to a special closest vector 2 Episode V: problem which is much easier the ring strikes back than the general problem. As an Daniel J. Bernstein University of Illinois at Chicago application, we solved four out of the five numerical challenges proposed on the Internet by the Crypto 1999 Nguyen: At Crypto 97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the closest vector problem in a lattice, which is known to be NP-hard. We show that : : : the problem of decrypting ciphertexts can be authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical.

2 ased cryptography: 1 reduced to a special closest vector 2 Fix woul V: problem which is much easier dimensio strikes back than the general problem. As an Public. Bernstein y of Illinois at Chicago 999 Nguyen: At Crypto reich, Goldwasser and oposed a public-key stem based on the closest oblem in a lattice, which to be NP-hard. We t : : : the problem of g ciphertexts can be application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical. Crypto 1 Provab system b

3 tography: 1 reduced to a special closest vector 2 Fix would probab problem which is much easier dimension 400 k than the general problem. As an Public key 1.8 is at Chicago en: At Crypto ldwasser and public-key d on the closest a lattice, which -hard. We problem of xts can be application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical. Crypto 1998 Nguy Provably secure system breakable w

4 1 reduced to a special closest vector 2 Fix would probably need problem which is much easier dimension 400 for securi than the general problem. As an Public key 1.8 Mbytes. go rypto nd application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to Crypto 1998 Nguyen Stern: Provably secure Ajtai Dw system breakable with 20MB losest hich be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme f e cannot provide sufficient security without being impractical.

5 reduced to a special closest vector 2 Fix would probably need 3 problem which is much easier dimension 400 for security: than the general problem. As an Public key 1.8 Mbytes. application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. Crypto 1998 Nguyen Stern: Provably secure Ajtai Dwork system breakable with 20MB keys. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical.

6 reduced to a special closest vector 2 Fix would probably need 3 problem which is much easier dimension 400 for security: than the general problem. As an Public key 1.8 Mbytes. application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. Crypto 1998 Nguyen Stern: Provably secure Ajtai Dwork system breakable with 20MB keys. At least two of those four Compare to 1978 McEliece challenges were conjectured to code-based cryptosystem: be intractable. We discuss ways much more stable security story to prevent the flaw, but conclude through dozens of attack papers. that, even modified, the scheme Typical parameters: 1MB key for cannot provide sufficient security >2 128 post-quantum security. without being impractical.

7 to a special closest vector 2 Fix would probably need : which is much easier dimension 400 for security: following general problem. As an Public key 1.8 Mbytes. Lattice- on, we solved four out e numerical challenges on the Internet by the f the cryptosystem. Crypto 1998 Nguyen Stern: Provably secure Ajtai Dwork system breakable with 20MB keys. Latticecurrently for post- two of those four Compare to 1978 McEliece s were conjectured to code-based cryptosystem: table. We discuss ways much more stable security story t the flaw, but conclude through dozens of attack papers. n modified, the scheme Typical parameters: 1MB key for rovide sufficient security >2 128 post-quantum security. being impractical.

8 al closest vector 2 Fix would probably need : Lattice s uch easier dimension 400 for security: following text to W roblem. As an Public key 1.8 Mbytes. Lattice-based cry ved four out al challenges ternet by the tosystem. Crypto 1998 Nguyen Stern: Provably secure Ajtai Dwork system breakable with 20MB keys. Lattice-based con currently the prima for post-quantum se four Compare to 1978 McEliece njectured to code-based cryptosystem: discuss ways much more stable security story, but conclude through dozens of attack papers. d, the scheme Typical parameters: 1MB key for cient security >2 128 post-quantum security. ractical.

9 vector 2 Fix would probably need : Lattice student add r dimension 400 for security: following text to Wikipedia p s an Public key 1.8 Mbytes. Lattice-based cryptography ut ges the Crypto 1998 Nguyen Stern: Provably secure Ajtai Dwork system breakable with 20MB keys. Lattice-based constructions currently the primary candid for post-quantum cryptograp Compare to 1978 McEliece to code-based cryptosystem: ays much more stable security story lude through dozens of attack papers. me Typical parameters: 1MB key for urity >2 128 post-quantum security.

10 Fix would probably need : Lattice student adds the 4 dimension 400 for security: following text to Wikipedia page Public key 1.8 Mbytes. Lattice-based cryptography : Crypto 1998 Nguyen Stern: Provably secure Ajtai Dwork system breakable with 20MB keys. Lattice-based constructions are currently the primary candidates for post-quantum cryptography. Compare to 1978 McEliece code-based cryptosystem: much more stable security story through dozens of attack papers. Typical parameters: 1MB key for >2 128 post-quantum security.

11 Fix would probably need : Lattice student adds the 4 dimension 400 for security: following text to Wikipedia page Public key 1.8 Mbytes. Lattice-based cryptography : Crypto 1998 Nguyen Stern: Provably secure Ajtai Dwork system breakable with 20MB keys. Lattice-based constructions are currently the primary candidates for post-quantum cryptography. Compare to 1978 McEliece [citation needed] code-based cryptosystem: much more stable security story through dozens of attack papers. Typical parameters: 1MB key for >2 128 post-quantum security.

12 Fix would probably need : Lattice student adds the 4 dimension 400 for security: following text to Wikipedia page Public key 1.8 Mbytes. Lattice-based cryptography : Crypto 1998 Nguyen Stern: Provably secure Ajtai Dwork system breakable with 20MB keys. Lattice-based constructions are currently the primary candidates for post-quantum cryptography. Compare to 1978 McEliece [citation needed] code-based cryptosystem: : Google rolls out much more stable security story large-scale experiment with through dozens of attack papers. post-quantum crypto between Typical parameters: 1MB key for Chrome and some Google sites. >2 128 post-quantum security. Uses lattice-based crypto.

13 d probably need : Lattice student adds the 4 Google s n 400 for security: following text to Wikipedia page for publi key 1.8 Mbytes. 998 Nguyen Stern: ly secure Ajtai Dwork reakable with 20MB keys. to 1978 McEliece Lattice-based cryptography : Lattice-based constructions are currently the primary candidates for post-quantum cryptography. [citation needed] How can work wit Combine 1. Do no large eno ed cryptosystem: : Google rolls out connect re stable security story large-scale experiment with See, e.g. dozens of attack papers. post-quantum crypto between Koblitz arameters: 1MB key for Chrome and some Google sites. st-quantum security. Uses lattice-based crypto.

14 ly need : Lattice student adds the 4 Google sent only a for security: following text to Wikipedia page for public keys, cip Mbytes. en Stern: Ajtai Dwork ith 20MB keys. celiece Lattice-based cryptography : Lattice-based constructions are currently the primary candidates for post-quantum cryptography. [citation needed] How can lattice-ba work within a few Combine two ingre 1. Do not take ke large enough for th ystem: : Google rolls out connect to well-st security story large-scale experiment with See, e.g., 2016 Ch attack papers. post-quantum crypto between Koblitz Menezes S : 1MB key for Chrome and some Google sites. m security. Uses lattice-based crypto.

15 : Lattice student adds the 4 Google sent only a few KB ty: following text to Wikipedia page for public keys, ciphertexts. ork keys. Lattice-based cryptography : Lattice-based constructions are currently the primary candidates for post-quantum cryptography. [citation needed] How can lattice-based crypto work within a few KB? Combine two ingredients: 1. Do not take key sizes large enough for theorems to : Google rolls out connect to well-studied SV ory large-scale experiment with See, e.g., 2016 Chatterjee pers. post-quantum crypto between Koblitz Menezes Sarkar. y for Chrome and some Google sites. y. Uses lattice-based crypto.

16 : Lattice student adds the 4 Google sent only a few KB 5 following text to Wikipedia page for public keys, ciphertexts. Lattice-based cryptography : Lattice-based constructions are currently the primary candidates for post-quantum cryptography. How can lattice-based crypto work within a few KB? Combine two ingredients: [citation needed] 1. Do not take key sizes large enough for theorems to : Google rolls out connect to well-studied SVP. large-scale experiment with See, e.g., 2016 Chatterjee post-quantum crypto between Koblitz Menezes Sarkar. Chrome and some Google sites. Uses lattice-based crypto.

17 : Lattice student adds the 4 Google sent only a few KB 5 following text to Wikipedia page for public keys, ciphertexts. Lattice-based cryptography : Lattice-based constructions are currently the primary candidates for post-quantum cryptography. How can lattice-based crypto work within a few KB? Combine two ingredients: [citation needed] 1. Do not take key sizes large enough for theorems to : Google rolls out connect to well-studied SVP. large-scale experiment with See, e.g., 2016 Chatterjee post-quantum crypto between Koblitz Menezes Sarkar. Chrome and some Google sites. Uses lattice-based crypto. 2. Use ideal lattices. Hope that the extra structure doesn t damage security.

18 Lattice student adds the 4 Google sent only a few KB text to Wikipedia page for public keys, ciphertexts. Silverma based cryptography : based constructions are the primary candidates quantum cryptography. How can lattice-based crypto work within a few KB? Combine two ingredients: Define R Z[x]=(x 5 Elements ion needed] 1. Do not take key sizes large enough for theorems to c 0 + c 1 x with inte Google rolls out le experiment with ntum crypto between and some Google sites. tice-based crypto. connect to well-studied SVP. See, e.g., 2016 Chatterjee Koblitz Menezes Sarkar. 2. Use ideal lattices. Hope that the extra structure To multi multiply replace x replace x e.g.: (x 1 doesn t damage security. = x = 7x 197

19 tudent adds the 4 Google sent only a few KB Hoffste ikipedia page for public keys, ciphertexts. Silverman NTRU ptography : structions are ry candidates cryptography. How can lattice-based crypto work within a few KB? Combine two ingredients: Define R as the rin Z[x]=(x 503 1). Elements of R are ] 1. Do not take key sizes large enough for theorems to c 0 + c 1 x + c 2 x 2 + with integer coeffic olls out ent with to between Google sites. d crypto. connect to well-studied SVP. See, e.g., 2016 Chatterjee Koblitz Menezes Sarkar. 2. Use ideal lattices. Hope that the extra structure To multiply in R: multiply polynomia replace x 503 with 1 replace x 504 with x e.g.: (x x 300 ) doesn t damage security. = x x = 7x x 300 +

20 s the 4 Google sent only a few KB Hoffstein Pipher age for public keys, ciphertexts. Silverman NTRU : : are ates hy. How can lattice-based crypto work within a few KB? Combine two ingredients: Define R as the ring Z[x]=(x 503 1). Elements of R are polynomia 1. Do not take key sizes c 0 + c 1 x + c 2 x c 502 large enough for theorems to with integer coefficients c j. n es. connect to well-studied SVP. See, e.g., 2016 Chatterjee Koblitz Menezes Sarkar. 2. Use ideal lattices. To multiply in R: multiply polynomials; replace x 503 with 1; replace x 504 with x; etc. Hope that the extra structure doesn t damage security. e.g.: (x x 300 )(x = x x x 700 = 7x x x 500 in R

21 Google sent only a few KB Hoffstein Pipher 6 for public keys, ciphertexts. Silverman NTRU : How can lattice-based crypto Define R as the ring work within a few KB? Z[x]=(x 503 1). Combine two ingredients: 1. Do not take key sizes Elements of R are polynomials c 0 + c 1 x + c 2 x c 502 x 502 large enough for theorems to with integer coefficients c j. connect to well-studied SVP. See, e.g., 2016 Chatterjee Koblitz Menezes Sarkar. To multiply in R: multiply polynomials; replace x 503 with 1; 2. Use ideal lattices. replace x 504 with x; etc. Hope that the extra structure doesn t damage security. e.g.: (x x 300 )(x x 400 ) = x x x 700 = 7x x x 500 in R.

22 ent only a few KB Hoffstein Pipher 6 Define q c keys, ciphertexts. Silverman NTRU : Alice s p lattice-based crypto Define R as the ring coefficien hin a few KB? Z[x]=(x 503 1). This is 5 two ingredients: t take key sizes Elements of R are polynomials c 0 + c 1 x + c 2 x c 502 x 502 ugh for theorems to with integer coefficients c j. to well-studied SVP., 2016 Chatterjee Menezes Sarkar. To multiply in R: multiply polynomials; replace x 503 with 1; deal lattices. replace x 504 with x; etc. t the extra structure amage security. e.g.: (x x 300 )(x x 400 ) = x x x 700 = 7x x x 500 in R.

23 few KB Hoffstein Pipher 6 Define q = hertexts. Silverman NTRU : Alice s public key: sed crypto Define R as the ring coefficients in {0; 1 KB? Z[x]=(x 503 1). This is = dients: y sizes Elements of R are polynomials c 0 + c 1 x + c 2 x c 502 x 502 eorems to with integer coefficients c j. udied SVP. atterjee arkar. To multiply in R: multiply polynomials; replace x 503 with 1; ces. replace x 504 with x; etc. a structure curity. e.g.: (x x 300 )(x x 400 ) = x x x 700 = 7x x x 500 in R.

24 Hoffstein Pipher 6 Define q = Silverman NTRU : Alice s public key: A R wi Define R as the ring coefficients in {0; 1; : : : ; q Z[x]=(x 503 1). This is = 5533 bits. e P. Elements of R are polynomials c 0 + c 1 x + c 2 x c 502 x 502 with integer coefficients c j. To multiply in R: multiply polynomials; replace x 503 with 1; replace x 504 with x; etc. e.g.: (x x 300 )(x x 400 ) = x x x 700 = 7x x x 500 in R.

25 Hoffstein Pipher 6 Define q = Silverman NTRU : Alice s public key: A R with Define R as the ring coefficients in {0; 1; : : : ; q 1}. Z[x]=(x 503 1). This is = 5533 bits. Elements of R are polynomials c 0 + c 1 x + c 2 x c 502 x 502 with integer coefficients c j. To multiply in R: multiply polynomials; replace x 503 with 1; replace x 504 with x; etc. e.g.: (x x 300 )(x x 400 ) = x x x 700 = 7x x x 500 in R.

26 Hoffstein Pipher 6 Define q = Silverman NTRU : Alice s public key: A R with Define R as the ring coefficients in {0; 1; : : : ; q 1}. Z[x]=(x 503 1). This is = 5533 bits. Elements of R are polynomials c 0 + c 1 x + c 2 x c 502 x 502 Bob generates random b; c R with small coefficients: with integer coefficients c j. e.g., all coefficients in { 1; 0; 1}. To multiply in R: multiply polynomials; replace x 503 with 1; replace x 504 with x; etc. e.g.: (x x 300 )(x x 400 ) = x x x 700 = 7x x x 500 in R.

27 Hoffstein Pipher 6 Define q = Silverman NTRU : Alice s public key: A R with Define R as the ring coefficients in {0; 1; : : : ; q 1}. Z[x]=(x 503 1). This is = 5533 bits. Elements of R are polynomials c 0 + c 1 x + c 2 x c 502 x 502 Bob generates random b; c R with small coefficients: with integer coefficients c j. e.g., all coefficients in { 1; 0; 1}. To multiply in R: Bob computes Ab + c mod q: multiply polynomials; multiply A by b in R; add c; replace x 503 with 1; reduce each coefficient modulo q replace x 504 with x; etc. to the range {0; 1; : : : ; q 1}. e.g.: (x x 300 )(x x 400 ) = x x x 700 = 7x x x 500 in R.

28 Hoffstein Pipher 6 Define q = Silverman NTRU : Alice s public key: A R with Define R as the ring coefficients in {0; 1; : : : ; q 1}. Z[x]=(x 503 1). This is = 5533 bits. Elements of R are polynomials c 0 + c 1 x + c 2 x c 502 x 502 Bob generates random b; c R with small coefficients: with integer coefficients c j. e.g., all coefficients in { 1; 0; 1}. To multiply in R: Bob computes Ab + c mod q: multiply polynomials; multiply A by b in R; add c; replace x 503 with 1; reduce each coefficient modulo q replace x 504 with x; etc. to the range {0; 1; : : : ; q 1}. e.g.: (x x 300 )(x x 400 ) = x x x 700 = 7x x x 500 in R. Bob sends Ab + c mod q. This is also 5533 bits.

29 98 Hoffstein Pipher 6 Define q = Quotien n NTRU : Alice s public key: A R with used in o as the ring 03 1). coefficients in {0; 1; : : : ; q 1}. This is = 5533 bits. Alice gen for small of R are polynomials + c 2 x c 502 x 502 Bob generates random b; c R with small coefficients: (with sui i.e., da ger coefficients c j. e.g., all coefficients in { 1; 0; 1}. ply in R: Bob computes Ab + c mod q: polynomials; 503 with 1; multiply A by b in R; add c; reduce each coefficient modulo q 504 with x; etc. to the range {0; 1; : : : ; q 1} x 300 )(x x 400 ) 8x x x x 500 in R. Bob sends Ab + c mod q. This is also 5533 bits.

30 in Pipher 6 Define q = Quotient NTRU : Alice s public key: A R with used in original NT g coefficients in {0; 1; : : : ; q 1}. Alice generated A This is = 5533 bits. for small random a polynomials + c 502 x 502 Bob generates random b; c R with small coefficients: (with suitable inve i.e., da 3a mod ients c j. e.g., all coefficients in { 1; 0; 1}. Bob computes Ab + c mod q: ls; multiply A by b in R; add c; ; reduce each coefficient modulo q ; etc. to the range {0; 1; : : : ; q 1}. (x x 400 ) 7x 700 8x 500 in R. Bob sends Ab + c mod q. This is also 5533 bits.

31 6 Define q = Quotient NTRU (new nam Alice s public key: A R with used in original NTRU desig coefficients in {0; 1; : : : ; q 1}. Alice generated A = 3a=d in This is = 5533 bits. for small random a; d ls x 502 Bob generates random b; c R with small coefficients: (with suitable invertibility): i.e., da 3a mod q = 0. e.g., all coefficients in { 1; 0; 1}. Bob computes Ab + c mod q: multiply A by b in R; add c; reduce each coefficient modulo q to the range {0; 1; : : : ; q 1}. x 400 ) Bob sends Ab + c mod q.. This is also 5533 bits.

32 Define q = Quotient NTRU (new name), 8 Alice s public key: A R with used in original NTRU design: coefficients in {0; 1; : : : ; q 1}. Alice generated A = 3a=d in R=q This is = 5533 bits. for small random a; d Bob generates random b; c R with small coefficients: (with suitable invertibility): i.e., da 3a mod q = 0. e.g., all coefficients in { 1; 0; 1}. Bob computes Ab + c mod q: multiply A by b in R; add c; reduce each coefficient modulo q to the range {0; 1; : : : ; q 1}. Bob sends Ab + c mod q. This is also 5533 bits.

33 Define q = Quotient NTRU (new name), 8 Alice s public key: A R with used in original NTRU design: coefficients in {0; 1; : : : ; q 1}. Alice generated A = 3a=d in R=q This is = 5533 bits. for small random a; d Bob generates random b; c R with small coefficients: (with suitable invertibility): i.e., da 3a mod q = 0. e.g., all coefficients in { 1; 0; 1}. Alice receives C = Ab + c mod q. Bob computes Ab + c mod q: multiply A by b in R; add c; Alice computes dc mod q, i.e., 3ab + dc mod q. reduce each coefficient modulo q to the range {0; 1; : : : ; q 1}. Bob sends Ab + c mod q. This is also 5533 bits.

34 Define q = Quotient NTRU (new name), 8 Alice s public key: A R with used in original NTRU design: coefficients in {0; 1; : : : ; q 1}. Alice generated A = 3a=d in R=q This is = 5533 bits. for small random a; d Bob generates random b; c R with small coefficients: (with suitable invertibility): i.e., da 3a mod q = 0. e.g., all coefficients in { 1; 0; 1}. Alice receives C = Ab + c mod q. Bob computes Ab + c mod q: multiply A by b in R; add c; Alice computes dc mod q, i.e., 3ab + dc mod q. reduce each coefficient modulo q Alice reconstructs 3ab + dc, to the range {0; 1; : : : ; q 1}. using smallness of a; b; d; c. Bob sends Ab + c mod q. This is also 5533 bits. Alice computes dc, deduces c, deduces b.

35 = Quotient NTRU (new name), 8 Produc ublic key: A R with used in original NTRU design: 2010 Lyu ts in {0; 1; : : : ; q 1}. Alice generated A = 3a=d in R=q Everyone = 5533 bits. for small random a; d Alice gen erates random b; c R ll coefficients: (with suitable invertibility): i.e., da 3a mod q = 0. for small oefficients in { 1; 0; 1}. Alice receives C = Ab + c mod q. putes Ab + c mod q: A by b in R; add c; Alice computes dc mod q, i.e., 3ab + dc mod q. ach coefficient modulo q Alice reconstructs 3ab + dc, nge {0; 1; : : : ; q 1}. using smallness of a; b; d; c. s Ab + c mod q. lso 5533 bits. Alice computes dc, deduces c, deduces b.

36 7 Quotient NTRU (new name), 8 Product NTRU A R with used in original NTRU design: 2010 Lyubashevsky ; : : : ; q 1}. Alice generated A = 3a=d in R=q Everyone knows ra 5533 bits. for small random a; d Alice generated A dom b; c R nts: (with suitable invertibility): i.e., da 3a mod q = 0. for small random a s in { 1; 0; 1}. Alice receives C = Ab + c mod q. + c mod q: R; add c; Alice computes dc mod q, i.e., 3ab + dc mod q. ient modulo q Alice reconstructs 3ab + dc, : : : ; q 1}. using smallness of a; b; d; c. mod q. its. Alice computes dc, deduces c, deduces b.

37 7 Quotient NTRU (new name), 8 Product NTRU (new nam th used in original NTRU design: 2010 Lyubashevsky Peikert 1}. Alice generated A = 3a=d in R=q Everyone knows random G for small random a; d Alice generated A = ag +d R (with suitable invertibility): i.e., da 3a mod q = 0. for small random a; d. ; 1}. Alice receives C = Ab + c mod q. : Alice computes dc mod q, i.e., 3ab + dc mod q. lo q Alice reconstructs 3ab + dc, }. using smallness of a; b; d; c. Alice computes dc, deduces c, deduces b.

38 Quotient NTRU (new name), 8 Product NTRU (new name), 9 used in original NTRU design: 2010 Lyubashevsky Peikert Regev: Alice generated A = 3a=d in R=q Everyone knows random G R. for small random a; d Alice generated A = ag +d mod q (with suitable invertibility): for small random a; d. i.e., da 3a mod q = 0. Alice receives C = Ab + c mod q. Alice computes dc mod q, i.e., 3ab + dc mod q. Alice reconstructs 3ab + dc, using smallness of a; b; d; c. Alice computes dc, deduces c, deduces b.

39 Quotient NTRU (new name), 8 Product NTRU (new name), 9 used in original NTRU design: 2010 Lyubashevsky Peikert Regev: Alice generated A = 3a=d in R=q Everyone knows random G R. for small random a; d Alice generated A = ag +d mod q (with suitable invertibility): for small random a; d. i.e., da 3a mod q = 0. Bob sends B = Gb + e mod q Alice receives C = Ab + c mod q. and C = m + Ab + c mod q Alice computes dc mod q, where b; c; e are small and each i.e., 3ab + dc mod q. coefficient of m is 0 or q=2. Alice reconstructs 3ab + dc, using smallness of a; b; d; c. Alice computes dc, deduces c, deduces b.

40 Quotient NTRU (new name), 8 Product NTRU (new name), 9 used in original NTRU design: 2010 Lyubashevsky Peikert Regev: Alice generated A = 3a=d in R=q Everyone knows random G R. for small random a; d Alice generated A = ag +d mod q (with suitable invertibility): for small random a; d. i.e., da 3a mod q = 0. Bob sends B = Gb + e mod q Alice receives C = Ab + c mod q. and C = m + Ab + c mod q Alice computes dc mod q, where b; c; e are small and each i.e., 3ab + dc mod q. coefficient of m is 0 or q=2. Alice reconstructs 3ab + dc, Alice computes C ab mod q, using smallness of a; b; d; c. i.e., m + db + c ae mod q. Alice computes dc, Alice reconstructs m, deduces c, deduces b. using smallness of d; b; c; a; e.

41 t NTRU (new name), 8 Product NTRU (new name), 9 Lattice v riginal NTRU design: 2010 Lyubashevsky Peikert Regev: the set o erated A = 3a=d in R=q Everyone knows random G R. such tha random a; d Alice generated A = ag +d mod q table invertibility): for small random a; d. 3a mod q = 0. Bob sends B = Gb + e mod q eives C = Ab + c mod q. and C = m + Ab + c mod q putes dc mod q, where b; c; e are small and each + dc mod q. coefficient of m is 0 or q=2. onstructs 3ab + dc, Alice computes C ab mod q, allness of a; b; d; c. i.e., m + db + c ae mod q. putes dc, Alice reconstructs m, c, deduces b. using smallness of d; b; c; a; e.

42 (new name), 8 Product NTRU (new name), 9 Lattice view: Defin RU design: 2010 Lyubashevsky Peikert Regev: the set of pairs (v; = 3a=d in R=q Everyone knows random G R. such that vg w ; d Alice generated A = ag +d mod q rtibility): for small random a; d. q = 0. Bob sends B = Gb + e mod q Ab + c mod q. and C = m + Ab + c mod q mod q, where b; c; e are small and each q. coefficient of m is 0 or q=2. 3ab + dc, Alice computes C ab mod q, a; b; d; c. i.e., m + db + c ae mod q., Alice reconstructs m, s b. using smallness of d; b; c; a; e.

43 e), 8 Product NTRU (new name), 9 Lattice view: Define L as n: 2010 Lyubashevsky Peikert Regev: the set of pairs (v; w) R R=q Everyone knows random G R. such that vg w mod q = Alice generated A = ag +d mod q for small random a; d. Bob sends B = Gb + e mod q od q. and C = m + Ab + c mod q where b; c; e are small and each coefficient of m is 0 or q=2. Alice computes C ab mod q, i.e., m + db + c ae mod q. Alice reconstructs m, using smallness of d; b; c; a; e.

44 Product NTRU (new name), 9 Lattice view: Define L as Lyubashevsky Peikert Regev: the set of pairs (v; w) R R Everyone knows random G R. such that vg w mod q = 0. Alice generated A = ag +d mod q for small random a; d. Bob sends B = Gb + e mod q and C = m + Ab + c mod q where b; c; e are small and each coefficient of m is 0 or q=2. Alice computes C ab mod q, i.e., m + db + c ae mod q. Alice reconstructs m, using smallness of d; b; c; a; e.

45 Product NTRU (new name), 9 Lattice view: Define L as Lyubashevsky Peikert Regev: the set of pairs (v; w) R R Everyone knows random G R. such that vg w mod q = 0. Alice generated A = ag +d mod q e.g. (a; A d) L. for small random a; d. (0; A) is close to a lattice point. Bob sends B = Gb + e mod q Try to find close lattice point. and C = m + Ab + c mod q Breaks both Product NTRU where b; c; e are small and each and Quotient NTRU. coefficient of m is 0 or q=2. Alice computes C ab mod q, i.e., m + db + c ae mod q. Alice reconstructs m, using smallness of d; b; c; a; e.

46 Product NTRU (new name), 9 Lattice view: Define L as Lyubashevsky Peikert Regev: the set of pairs (v; w) R R Everyone knows random G R. such that vg w mod q = 0. Alice generated A = ag +d mod q e.g. (a; A d) L. for small random a; d. (0; A) is close to a lattice point. Bob sends B = Gb + e mod q Try to find close lattice point. and C = m + Ab + c mod q Breaks both Product NTRU where b; c; e are small and each and Quotient NTRU. coefficient of m is 0 or q=2. Try to exploit reuse of b Alice computes C ab mod q, for faster Product NTRU attack. i.e., m + db + c ae mod q. ( Ring-LWE : arbitrary reuse.) Alice reconstructs m, using smallness of d; b; c; a; e. Try to exploit A = 3a=d structure for faster Quotient NTRU attack.

47 t NTRU (new name), 9 Lattice view: Define L as Lyu bashevsky Peikert Regev: the set of pairs (v; w) R R Regev: knows random G R. erated A = ag +d mod q random a; d. such that vg w mod q = 0. e.g. (a; A d) L. (0; A) is close to a lattice point. and algo quantum employ : to bear a s B = Gb + e mod q Try to find close lattice point. problems m + Ab + c mod q Breaks both Product NTRU despite c c; e are small and each and Quotient NTRU. significan t of m is 0 or q=2. putes C ab mod q, db + c ae mod q. onstructs m, allness of d; b; c; a; e. Try to exploit reuse of b for faster Product NTRU attack. ( Ring-LWE : arbitrary reuse.) Try to exploit A = 3a=d structure for faster Quotient NTRU attack. these pro The best ideal latt no bette counterp in practi

48 (new name), 9 Lattice view: Define L as Lyubashevsky Peikert Regev: the set of pairs (v; w) R R Regev: All of the ndom G R. = ag +d mod q ; d. such that vg w mod q = 0. e.g. (a; A d) L. (0; A) is close to a lattice point. and algorithmic to quantum computa employ : : : can als to bear against SV + e mod q Try to find close lattice point. problems on ideal c mod q Breaks both Product NTRU despite considerab all and each and Quotient NTRU. significant progress 0 or q=2. ab mod q, ae mod q. m, d; b; c; a; e. Try to exploit reuse of b for faster Product NTRU attack. ( Ring-LWE : arbitrary reuse.) Try to exploit A = 3a=d structure for faster Quotient NTRU attack. these problems has The best-known al ideal lattices perfo no better than the counterparts, both in practice.

49 e), 9 Lattice view: Define L as Lyubashevsky Peikert Regev: the set of pairs (v; w) R R Regev: All of the algebraic R. mod q such that vg w mod q = 0. e.g. (a; A d) L. (0; A) is close to a lattice point. and algorithmic tools (includ quantum computation) that employ : : : can also be brou to bear against SVP and oth q Try to find close lattice point. problems on ideal lattices. Y Breaks both Product NTRU despite considerable effort, n ach and Quotient NTRU. significant progress in attack q,. e. Try to exploit reuse of b for faster Product NTRU attack. ( Ring-LWE : arbitrary reuse.) Try to exploit A = 3a=d structure for faster Quotient NTRU attack. these problems has been ma The best-known algorithms f ideal lattices perform essenti no better than their generic counterparts, both in theory in practice.

50 Lattice view: Define L as Lyubashevsky Peikert 11 the set of pairs (v; w) R R Regev: All of the algebraic such that vg w mod q = 0. and algorithmic tools (including e.g. (a; A d) L. (0; A) is close to a lattice point. quantum computation) that we employ : : : can also be brought to bear against SVP and other Try to find close lattice point. problems on ideal lattices. Yet Breaks both Product NTRU despite considerable effort, no and Quotient NTRU. significant progress in attacking Try to exploit reuse of b for faster Product NTRU attack. ( Ring-LWE : arbitrary reuse.) Try to exploit A = 3a=d structure for faster Quotient NTRU attack. these problems has been made. The best-known algorithms for ideal lattices perform essentially no better than their generic counterparts, both in theory and in practice.

51 iew: Define L as Lyubashevsky Peikert 11 Many m f pairs (v; w) R R Regev: All of the algebraic (often no t vg w mod q = 0. d) L. close to a lattice point. nd close lattice point. oth Product NTRU tient NTRU. ploit reuse of b r Product NTRU attack. WE : arbitrary reuse.) ploit A = 3a=d structure r Quotient NTRU attack. and algorithmic tools (including quantum computation) that we employ : : : can also be brought to bear against SVP and other problems on ideal lattices. Yet despite considerable effort, no significant progress in attacking these problems has been made. The best-known algorithms for ideal lattices perform essentially no better than their generic counterparts, both in theory and in practice. Fully hom STOC 2 Fully ho using ide PKC 201 Eurocryp etc. Multiline Eurocryp Halevi C maps fro

52 e L as Lyubashevsky Peikert 11 Many more NTRU w) R R Regev: All of the algebraic (often not creditin mod q = 0.. lattice point. ttice point. ct NTRU U. e of b NTRU attack. trary reuse.) 3a=d structure NTRU attack. and algorithmic tools (including quantum computation) that we employ : : : can also be brought to bear against SVP and other problems on ideal lattices. Yet despite considerable effort, no significant progress in attacking these problems has been made. The best-known algorithms for ideal lattices perform essentially no better than their generic counterparts, both in theory and in practice. Fully homomorphic STOC 2009 Gentr Fully homomorph using ideal lattices PKC 2010 Smart Eurocrypt 2011 Ge etc. Multilinear maps: Eurocrypt 2013 Ga Halevi Candidate maps from ideal la

53 Lyubashevsky Peikert 11 Many more NTRU variants R Regev: All of the algebraic (often not crediting NTRU). 0. int. t. and algorithmic tools (including quantum computation) that we employ : : : can also be brought to bear against SVP and other problems on ideal lattices. Yet despite considerable effort, no significant progress in attacking these problems has been made. Fully homomorphic encryptio STOC 2009 Gentry Fully homomorphic encrypt using ideal lattices. PKC 2010 Smart Vercautere Eurocrypt 2011 Gentry Hale etc. ack. e.) cture tack. The best-known algorithms for ideal lattices perform essentially no better than their generic counterparts, both in theory and in practice. Multilinear maps: e.g., Eurocrypt 2013 Garg Gentry Halevi Candidate multilinea maps from ideal lattices.

54 2013 Lyubashevsky Peikert 11 Many more NTRU variants 12 Regev: All of the algebraic (often not crediting NTRU). and algorithmic tools (including quantum computation) that we employ : : : can also be brought to bear against SVP and other problems on ideal lattices. Yet despite considerable effort, no significant progress in attacking these problems has been made. Fully homomorphic encryption: STOC 2009 Gentry Fully homomorphic encryption using ideal lattices. PKC 2010 Smart Vercauteren. Eurocrypt 2011 Gentry Halevi. etc. The best-known algorithms for Multilinear maps: e.g., ideal lattices perform essentially Eurocrypt 2013 Garg Gentry no better than their generic Halevi Candidate multilinear counterparts, both in theory and maps from ideal lattices. in practice.

55 bashevsky Peikert 11 Many more NTRU variants 12 STOC 2 All of the algebraic (often not crediting NTRU). broken b rithmic tools (including computation) that we : : can also be brought gainst SVP and other on ideal lattices. Yet onsiderable effort, no t progress in attacking blems has been made. Fully homomorphic encryption: STOC 2009 Gentry Fully homomorphic encryption using ideal lattices. PKC 2010 Smart Vercauteren. Eurocrypt 2011 Gentry Halevi. etc. for typic -known algorithms for Multilinear maps: e.g., ices perform essentially Eurocrypt 2013 Garg Gentry r than their generic Halevi Candidate multilinear arts, both in theory and maps from ideal lattices. ce.

56 Peikert 11 Many more NTRU variants 12 STOC 2009 Gentr algebraic (often not crediting NTRU). broken by quantum ols (including tion) that we o be brought P and other lattices. Yet le effort, no in attacking been made. Fully homomorphic encryption: STOC 2009 Gentry Fully homomorphic encryption using ideal lattices. PKC 2010 Smart Vercauteren. Eurocrypt 2011 Gentry Halevi. etc. for typical cycloto gorithms for Multilinear maps: e.g., rm essentially Eurocrypt 2013 Garg Gentry ir generic Halevi Candidate multilinear in theory and maps from ideal lattices.

57 11 Many more NTRU variants 12 STOC 2009 Gentry system i (often not crediting NTRU). broken by quantum algorith ing we ght er et o ing de. Fully homomorphic encryption: STOC 2009 Gentry Fully homomorphic encryption using ideal lattices. PKC 2010 Smart Vercauteren. Eurocrypt 2011 Gentry Halevi. etc. for typical cyclotomic rings or Multilinear maps: e.g., ally Eurocrypt 2013 Garg Gentry Halevi Candidate multilinear and maps from ideal lattices.

58 Many more NTRU variants 12 STOC 2009 Gentry system is 13 (often not crediting NTRU). broken by quantum algorithms Fully homomorphic encryption: for typical cyclotomic rings. STOC 2009 Gentry Fully homomorphic encryption using ideal lattices. PKC 2010 Smart Vercauteren. Eurocrypt 2011 Gentry Halevi. etc. Multilinear maps: e.g., Eurocrypt 2013 Garg Gentry Halevi Candidate multilinear maps from ideal lattices.

59 Many more NTRU variants 12 STOC 2009 Gentry system is 13 (often not crediting NTRU). broken by quantum algorithms Fully homomorphic encryption: for typical cyclotomic rings. STOC 2009 Gentry First stage in attack: Fully homomorphic encryption SODA 2016 Biasse Song using ideal lattices. fast quantum algorithm to PKC 2010 Smart Vercauteren. compute gr ug with u R. Eurocrypt 2011 Gentry Halevi. etc. Builds upon STOC 2014 Eisenträger Hallgren Kitaev Song Multilinear maps: e.g., quantum R R algorithm. Eurocrypt 2013 Garg Gentry Halevi Candidate multilinear maps from ideal lattices.

60 Many more NTRU variants 12 STOC 2009 Gentry system is 13 (often not crediting NTRU). broken by quantum algorithms Fully homomorphic encryption: for typical cyclotomic rings. STOC 2009 Gentry First stage in attack: Fully homomorphic encryption SODA 2016 Biasse Song using ideal lattices. fast quantum algorithm to PKC 2010 Smart Vercauteren. compute gr ug with u R. Eurocrypt 2011 Gentry Halevi. etc. Builds upon STOC 2014 Eisenträger Hallgren Kitaev Song Multilinear maps: e.g., quantum R R algorithm. Eurocrypt 2013 Garg Gentry Halevi Candidate multilinear maps from ideal lattices. Older pre-quantum algorithms take subexponential time.

61 ore NTRU variants 12 STOC 2009 Gentry system is 13 Second s t crediting NTRU). broken by quantum algorithms Campbel omorphic encryption: 009 Gentry momorphic encryption for typical cyclotomic rings. First stage in attack: SODA 2016 Biasse Song fast prefor typic to comp al lattices. fast quantum algorithm to 0 Smart Vercauteren. compute gr ug with u R. t 2011 Gentry Halevi. Builds upon STOC 2014 Eisenträger Hallgren Kitaev Song ar maps: e.g., quantum R R algorithm. t 2013 Garg Gentry andidate multilinear m ideal lattices. Older pre-quantum algorithms take subexponential time.

62 variants 12 STOC 2009 Gentry system is 13 Second stage of at g NTRU). broken by quantum algorithms Campbell Groves encryption: y ic encryption for typical cyclotomic rings. First stage in attack: SODA 2016 Biasse Song fast pre-quantum a for typical cyclotom to compute ug. fast quantum algorithm to Vercauteren. compute gr ug with u R. ntry Halevi. Builds upon STOC 2014 Eisenträger Hallgren Kitaev Song e.g., quantum R R algorithm. rg Gentry multilinear ttices. Older pre-quantum algorithms take subexponential time.

63 12 STOC 2009 Gentry system is 13 Second stage of attack: 201 broken by quantum algorithms Campbell Groves Shepherd n: ion for typical cyclotomic rings. First stage in attack: SODA 2016 Biasse Song fast pre-quantum algorithm for typical cyclotomic ring to compute ug short g. fast quantum algorithm to n. compute gr ug with u R. vi. Builds upon STOC 2014 Eisenträger Hallgren Kitaev Song quantum R R algorithm. r Older pre-quantum algorithms take subexponential time.

64 STOC 2009 Gentry system is 13 Second stage of attack: broken by quantum algorithms Campbell Groves Shepherd for typical cyclotomic rings. fast pre-quantum algorithm First stage in attack: SODA 2016 Biasse Song for typical cyclotomic ring to compute ug short g. fast quantum algorithm to compute gr ug with u R. Builds upon STOC 2014 Eisenträger Hallgren Kitaev Song quantum R R algorithm. Older pre-quantum algorithms take subexponential time.

65 STOC 2009 Gentry system is 13 Second stage of attack: broken by quantum algorithms Campbell Groves Shepherd for typical cyclotomic rings. fast pre-quantum algorithm First stage in attack: SODA 2016 Biasse Song for typical cyclotomic ring to compute ug short g. fast quantum algorithm to Eurocrypt 2017 Cramer Ducas compute gr ug with u R. Wesolowski extension of CGS: Builds upon STOC 2014 Eisenträger Hallgren Kitaev Song for typical cyclotomic ring, find fairly short element of any ideal. quantum R R algorithm. Older pre-quantum algorithms take subexponential time.

66 STOC 2009 Gentry system is 13 Second stage of attack: broken by quantum algorithms Campbell Groves Shepherd for typical cyclotomic rings. fast pre-quantum algorithm First stage in attack: SODA 2016 Biasse Song for typical cyclotomic ring to compute ug short g. fast quantum algorithm to Eurocrypt 2017 Cramer Ducas compute gr ug with u R. Wesolowski extension of CGS: Builds upon STOC 2014 Eisenträger Hallgren Kitaev Song for typical cyclotomic ring, find fairly short element of any ideal. quantum R R algorithm. These attacks exploit structure of Older pre-quantum algorithms take subexponential time. cyclotomic rings. Rescue system by switching to another ring?

67 009 Gentry system is 13 Second stage of attack: y quantum algorithms Campbell Groves Shepherd attack st al cyclotomic rings. fast pre-quantum algorithm time for ge in attack: 016 Biasse Song for typical cyclotomic ring to compute ug short g. Eurocryp Bernstein tum algorithm to Eurocrypt 2017 Cramer Ducas Vredenda gr ug with u R. Wesolowski extension of CGS: time pre on STOC 2014 er Hallgren Kitaev Song for typical cyclotomic ring, find fairly short element of any ideal. multiqu 2016 Be R R algorithm. These attacks exploit structure of Lange v e-quantum algorithms exponential time. cyclotomic rings. Rescue system by switching to another ring? Prime : Galois gr reduce a

68 y system is 13 Second stage of attack: Bernstein: algorithms Campbell Groves Shepherd attack strategy; su mic rings. fast pre-quantum algorithm time for many cho k: Song for typical cyclotomic ring to compute ug short g. Eurocrypt 2017 Ba Bernstein de Valen rithm to Eurocrypt 2017 Cramer Ducas Vredendaal: quasip with u R. Wesolowski extension of CGS: time pre-quantum 2014 en Kitaev Song for typical cyclotomic ring, find fairly short element of any ideal. multiquadratic rin 2016 Bernstein Ch algorithm. These attacks exploit structure of Lange van Vreden algorithms l time. cyclotomic rings. Rescue system by switching to another ring? Prime : use prime Galois group, inert reduce attack surfa

69 s 13 Second stage of attack: Bernstein: pre-quan ms Campbell Groves Shepherd attack strategy; subexponen. fast pre-quantum algorithm time for many choices of rin for typical cyclotomic ring to compute ug short g. Eurocrypt 2017 Bauch Bernstein de Valence Lange Eurocrypt 2017 Cramer Ducas Vredendaal: quasipolynomia R. Wesolowski extension of CGS: time pre-quantum attack for for typical cyclotomic ring, find multiquadratic rings. Song fairly short element of any ideal Bernstein Chuengsatia. These attacks exploit structure of Lange van Vredendaal NTR s cyclotomic rings. Rescue system by switching to another ring? Prime : use prime degree, la Galois group, inert modulus; reduce attack surface at low

70 Second stage of attack: Bernstein: pre-quantum 15 Campbell Groves Shepherd attack strategy; subexponential fast pre-quantum algorithm time for many choices of ring. for typical cyclotomic ring to compute ug short g. Eurocrypt 2017 Bauch Bernstein de Valence Lange van Eurocrypt 2017 Cramer Ducas Vredendaal: quasipolynomial- Wesolowski extension of CGS: time pre-quantum attack for for typical cyclotomic ring, find multiquadratic rings. fairly short element of any ideal Bernstein Chuengsatiansup These attacks exploit structure of Lange van Vredendaal NTRU cyclotomic rings. Rescue system Prime : use prime degree, large by switching to another ring? Galois group, inert modulus; reduce attack surface at low cost.