Computing Generator in Cyclotomic Integer Rings
|
|
- Bertina Pierce
- 5 years ago
- Views:
Transcription
1 A subfield algorithm for the Principal Ideal Problem in L 1 K 2 and application to the cryptanalysis of a FHE scheme Jean-François Biasse 1 Thomas Espitau 2 Pierre-Alain Fouque 3 Alexandre Gélin 2 Paul Kirchner 4 University of South Florida, Department of Mathematics and Statistics, Tampa, USA Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France Institut Universitaire de France, Paris, France and Université de Rennes 1, France École Normale Supérieure, Paris, France 2017/05/01
2 The Principal Ideal Problem Definition The Principal Ideal Problem PIP consists in finding a generator of an ideal, assuming it is principal.
3 The Principal Ideal Problem Definition The Short Principal Ideal Problem SPIP consists in finding a short generator of an ideal, assuming it is principal.
4 The Principal Ideal Problem Definition The Short Principal Ideal Problem SPIP consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes [SV10],[GGH13]
5 The Principal Ideal Problem Definition The Short Principal Ideal Problem SPIP consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes [SV10],[GGH13] Two distinct phases: 1 Given the Z-basis of the ideal a = g, find a not necessarily short generator g = g u for a unit u. 2 From g, find a short generator of the ideal.
6 The Principal Ideal Problem Definition The Short Principal Ideal Problem SPIP consists in finding a short generator of an ideal, assuming it is principal. Base of several cryptographical schemes [SV10],[GGH13] Two distinct phases: 1 Given the Z-basis of the ideal a = g, find a not necessarily short generator g = g u for a unit u. 2 From g, find a short generator of the ideal. Campbell, Groves, and Sheperd 2014 found a solution in polynomial time for the second point for power-of-two cyclotomic fields. Cramer, Ducas, Peikert, and Regev 2016 provided a proof and an extension to prime-power cyclotomic fields.
7 FHE scheme Smart and Vercauteren PKC 2010 Key Generation: 1 Fix the security parameter N = 2 n. 2 Let F X = X N + 1 be the polynomial defining the cyclotomic field K = Qζ 2N. 3 Set GX = SX, for SX of degree N 1 with coefficients in such that the norm N Gζ 2N is prime. 4 Set g = Gζ 2N O K. 5 Return the secret key sk = g and the public key pk = HNF g. [ 2 N, 2 ] N,
8 FHE scheme Smart and Vercauteren PKC 2010 Key Generation: 1 Fix the security parameter N = 2 n. 2 Let F X = X N + 1 be the polynomial defining the cyclotomic field K = Qζ 2N. 3 Set GX = SX, for SX of degree N 1 with coefficients in such that the norm N Gζ 2N is prime. 4 Set g = Gζ 2N O K. 5 Return the secret key sk = g and the public key pk = HNF g. [ 2 N, 2 ] N, Our goal: Recover the secret key from the public key.
9 Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one.
10 Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. All the complexities are expressed as a function of the field discriminant Qζ2N = N N, for N = 2 n.
11 Outline of the algorithm 1 Perform a reduction from the cyclotomic field to its totally real subfield, allowing to work in smaller dimension. 2 Then a q-descent makes the size of involved ideals decrease. 3 Collect relations and run linear algebra to construct small ideals and a generator. 4 Eventually run the derivation of the short generator from a bigger one. All the complexities are expressed as a function of the field discriminant Qζ2N = N N, for N = 2 n. For instance, L K α = 2 N α+o1.
12 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u
13 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Problem: no information about g ḡ g is the private key
14 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Solution: we introduce u = N ggḡ 1
15 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Solution: we introduce u = N ggḡ 1 Z-basis of g = Z-basis of u and u ū = N g 2
16 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Solution: we introduce u = N ggḡ 1 Z-basis of g = Z-basis of u and u ū = N g 2 In the end, we get g ḡ 1 and a Z-basis of I + = g + ḡ Qζ + ζ 1
17 1. Reduction to the totally real subfield Goal: Halving the dimension of the ambient field Gentry-Szydlo algorithm: Polynomial complexity Input: a Z-basis of I = u and u ū Output: the generator u Solution: we introduce u = N ggḡ 1 Z-basis of g = Z-basis of u and u ū = N g 2 In the end, we get g ḡ 1 and a Z-basis of I + = g + ḡ Qζ + ζ 1 Once we have a generator for I +, we get one for I by multiplying by ḡ g 1
18 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 a 2 1 a a 2 n 2 a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l
19 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction Norm: L 3 K 2 a 2 1 a a 2 n 2 a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l
20 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l
21 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step Norm: L 5 K 4 a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l
22 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a 3 n 3 a l 1 a l 1 a l 2... a l n l
23 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a 3 n 3 Second step Norm: L 9 K 8 a l 1 a l 1 a l 2... a l n l
24 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a 3 n 3 Second step L 5 K 8 -smooth a l 1 a l 1 a l 2... a l n l
25 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a l 1... a 3 n 3 Second step L 5 K 8 -smooth Last but one step Norm: L K 1 a l 1 a l 2... a l n l
26 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a l 1... a 3 n 3 Second step L 5 K 8 -smooth Last but one step L K 2 -smooth a l 1 a l 2... a l n l
27 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a l 1... a 3 n 3 Second step L 5 K 8 -smooth Last but one step L K 2 -smooth a l 1 a l 2... a l n l Last step Norm: L K 1
28 2. The q-descent I + = a 0 Input ideal Norm arbitrary large a 1 1 a a 1 n 1 Initial reduction L K 1-smooth a 2 1 a a 2 n 2 First step L 3 K 4 -smooth a 3 1 a a l 1... a 3 n 3 Second step L 5 K 8 -smooth Last but one step L K 2 -smooth a l 1 a l 2... a l n l Last step L 1 K 2 -smooth
29 2.1. The q-descent Initial round Input: a of norm arbitrarily large
30 2.1. The q-descent Initial round Input: a of norm arbitrarily large Tool: DBKZ-reduction with block-size log K 1 2 N on the lattice built from the canonical embedding O K + R N 2
31 2.1. The q-descent Initial round Input: a of norm arbitrarily large Tool: DBKZ-reduction with block-size log K 1 2 N on the lattice built from the canonical embedding O K + R N 2 Output: small vector algebraic integer v a = ideal b O K + s.t. v = a b and N b L 3 K 2
32 2.1. The q-descent Initial round Input: a of norm arbitrarily large Tool: DBKZ-reduction with block-size log K 1 2 N on the lattice built from the canonical embedding O K + R N 2 Output: small vector algebraic integer v a = ideal b O K + s.t. v = a b and N b L 3 K 2 Cost: DBKZ-reduction Poly N, log N a L K 2
33 Smoothness tests & Randomization Heuristic We assume that the probability P that an ideal of norm bounded by L K a is a power-product of prime ideals of norm bounded by B = L K b satisfies P L K a b 1. Using ECM algorithm, each B-smoothness test costs L K b 2.
34 Smoothness tests & Randomization Heuristic We assume that the probability P that an ideal of norm bounded by L K a is a power-product of prime ideals of norm bounded by B = L K b satisfies P L K a b 1. Using ECM algorithm, each B-smoothness test costs L K b 2. Conclusion: b is L K 1-smooth with probability L 1 K 2 and one test costs L 1 K 2. 1
35 Smoothness tests & Randomization Heuristic We assume that the probability P that an ideal of norm bounded by L K a is a power-product of prime ideals of norm bounded by B = L K b satisfies P L K a b 1. Using ECM algorithm, each B-smoothness test costs L K b 2. Conclusion: b is L K 1-smooth with probability L 1 K 2 and one test costs L 1 K 2. 1 = We use L 1 K 2 ideals ã = a p e i i for small prime ideals p i and integers e i to be sure to derive one b that is L K 1-smooth.
36 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction.
37 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension
38 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N a L K α
39 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N a L K α Output: algebraic integer v a and ideal b O K + s.t. v = a b and N b L 2α+3 K 4
40 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N a L K α Output: algebraic integer v a and ideal b O K + s.t. v = a b and N b L 2α+3 K 4 L 2α+1 K 4 -smooth
41 2.2. The q-descent Subsequent steps We cannot reduce the norm using the same lattice-reduction. Solution: Cheon s trick Use the coefficient embedding in the basis ζ i + ζ i i Compute the HNF of the integral lattice Find a short vector in a sublattice of smaller dimension Input: a with N a L K α Output: algebraic integer v a and ideal b O K + s.t. v = a b and N b L 2α+3 K 4 L 2α+1 K 4 -smooth Cost: L K 2 for lattice reduction & smoothness tests
42 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l.
43 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l. For l = log 2 log N, we have L K l L K = L log N K 1. 2
44 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l. For l = log 2 log N, we have L K l L K Conclusion: All ideals have norm below L K = L log N K 1. 2
45 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l. For l = log 2 log N, we have L K l L K Conclusion: All ideals have norm below L K = L log N K They are at most N l L K 2 ideals 1. 2
46 2.3. The q-descent The final step After l 1 steps, ideals have norm below L K l. For l = log 2 log N, we have L K l L K Conclusion: All ideals have norm below L K = L log N K They are at most N l L K 2 ideals The total runtime of the q-descent is L K
47 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2
48 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L 1 K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B
49 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L 1 K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M
50 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M Relation: principal ideal that splits on the factor base. Test ideals generated by v = v i ζ i + ζ i for v i log K.
51 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M Relation: principal ideal that splits on the factor base. Test ideals generated by v = v i ζ i + ζ i for v i log K. Norm below L K 1 = L K 2 -smooth ideals in L K 2.
52 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L 1 K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M v 1 v 2. v Q B. M 1,1 M 1, B M 2,1 M 2, B.. M Q B,1 M Q B, B B = i, v i = j=1 p M i,j j
53 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M A N-dimensional vector Y including all the valuations of the smooth ideals in the p i
54 3. Solution for smooth ideals Input: Bunch of prime ideals of norm below B = L K 2 Index Calculus Method: Factor base: set of all prime ideals with norm below B Relation collection: construction of a full-rank matrix M A N-dimensional vector Y including all the valuations of the smooth ideals in the p i A solution X of MX = Y provides a generator of the product of the L K 2 -smooth ideals
55 Implementation results PARI-GP and fplll for BKZ-reductions IntelR XeonR CPU E GHz with 32GB of memory Dimension of the field: N = 2 8 = 256.
56 Implementation results PARI-GP and fplll for BKZ-reductions IntelR XeonR CPU E GHz with 32GB of memory Dimension of the field: N = 2 8 = 256. Gentry-Szydlo: 20h and 24GB memory
57 Implementation results PARI-GP and fplll for BKZ-reductions IntelR XeonR CPU E GHz with 32GB of memory Dimension of the field: N = 2 8 = 256. Gentry-Szydlo: 20h and 24GB memory BKZ-reduction: between 10 min and 4h Descent reduced to only one step
58 Implementation results PARI-GP and fplll for BKZ-reductions IntelR XeonR CPU E GHz with 32GB of memory Dimension of the field: N = 2 8 = 256. Gentry-Szydlo: 20h and 24GB memory BKZ-reduction: between 10 min and 4h Descent reduced to only one step We recover g ζ i and so the secret key g in less than a day.
59 Thanks Thank you
Computing generator in cyclotomic integer rings
Computing generator in cyclotomic integer rings Jean-François Biasse, Thomas Espitau, Pierre-Alain Fouque, Alexandre Gélin, Paul Kirchner To cite this version: Jean-François Biasse, Thomas Espitau, Pierre-Alain
More informationComputing generator in cyclotomic integer rings
Computing generator in cyclotomic integer rings A L K (1/2) algorithm for the Principal Ideal Problem and application to the cryptanalysis of a FHE scheme Thomas Espitau 1, Pierre-Alain Fouque 2, Alexandre
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017
More informationRing-LWE security in the case of FHE
Chair of Naval Cyber Defense 5 July 2016 Workshop HEAT Paris Why worry? Which algorithm performs best depends on the concrete parameters considered. For small n, DEC may be favourable. For large n, BKW
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationCryptanalysis of branching program obfuscators
Cryptanalysis of branching program obfuscators Jung Hee Cheon 1, Minki Hhan 1, Jiseung Kim 1, Changmin Lee 1, Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationNTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven
NTRU Prime Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal Technische Universiteit Eindhoven 25 August 2016 Tanja Lange NTRU Prime https://eprint.iacr.org/2016/461
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationCentrum Wiskunde & Informatica, Amsterdam, The Netherlands
Logarithmic Lattices Léo Ducas Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Workshop: Computational Challenges in the Theory of Lattices ICERM, Brown University, Providence, RI, USA, April
More informationEfficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields
Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields Jean-François Biasse Fang Song Abstract This paper gives polynomial time
More informationRecovering Private Keys Generated With Weak PRNGs
Recovering Private Keys Generated With Weak PRNGs Pierre-Alain Fouque (Univ. Rennes 1) Mehdi Tibouchi (NTT Secure Platform Lab.) Jean-Christophe Zapalowicz (Inria) Journées C2 2014 Jean-Christophe Zapalowicz
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationarxiv: v8 [math.nt] 24 Mar 2017
Subexponential algorithms for finding a short generator of a principal ideal and solving γ-svp in Q(ζ p s) arxiv:1503.03107v8 [math.nt] 24 Mar 2017 Jean-François Biasse University of South Florida Department
More informationShort Stickelberger Class Relations and application to Ideal-SVP
Short Stickelberger Class Relations and application to Ideal-SVP Ronald Cramer Léo Ducas Benjamin Wesolowski Leiden University, The Netherlands CWI, Amsterdam, The Netherlands EPFL, Lausanne, Switzerland
More informationRecovering Short Generators of Principal Ideals: Extensions and Open Problems
Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert University of Michigan and Georgia Tech 2 September 2015 Math of Crypto @ UC Irvine 1 / 7 Where We Left Off Short
More informationReducing number field defining polynomials: An application to class group computations
Reducing number field defining polynomials: An application to class group computations Alexandre Gélin and Antoine Joux Abstract In this paper, we describe how to compute smallest monic polynomials that
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters Paul Kirchner 1,2 and Pierre-Alain Fouque 2,3 1 École normale supérieure 2 IRISA 3 Université de Rennes 1 & Institut Universitaire de France
More informationLattice Reductions over Euclidean Rings with Applications to Cryptanalysis
IMACC 2017 December 12 14, 2017 Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis Taechan Kim and Changmin Lee NTT Secure Platform Laboratories, Japan and Seoul National University,
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationGalois Theory TCU Graduate Student Seminar George Gilbert October 2015
Galois Theory TCU Graduate Student Seminar George Gilbert October 201 The coefficients of a polynomial are symmetric functions of the roots {α i }: fx) = x n s 1 x n 1 + s 2 x n 2 + + 1) n s n, where s
More informationThe Smart-Vercauteren Fully Homomorphic Encryption Scheme
The Smart-Vercauteren Fully Homomorphic Encryption Scheme Vidar Klungre Master of Science in Physics and Mathematics Submission date: June 2012 Supervisor: Kristian Gjøsteen, MATH Norwegian University
More informationA Digital Signature Scheme based on CVP
A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au
More informationAlgorithms for ray class groups and Hilbert class fields
(Quantum) Algorithms for ray class groups and Hilbert class fields Sean Hallgren joint with Kirsten Eisentraeger Penn State 1 Quantum Algorithms Quantum algorithms for number theoretic problems: Factoring
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationShortest Lattice Vector Enumeration on Graphics Cards
Shortest Lattice Vector Enumeration on Graphics Cards Jens Hermans 1 Michael Schneider 2 Fréderik Vercauteren 1 Johannes Buchmann 2 Bart Preneel 1 1 K.U.Leuven 2 TU Darmstadt SHARCS - 10 September 2009
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationA Course in Computational Algebraic Number Theory
Henri Cohen 2008 AGI-Information Management Consultants May be used for personal purporses only or by libraries associated to dandelon.com network. A Course in Computational Algebraic Number Theory Springer
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationOn the Use of Masking to Defeat Power-Analysis Attacks
1/32 On the Use of Masking to Defeat Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security
More informationPolynomial arithmetic and applications in number theory
Polynomial arithmetic and applications in number theory September 26, 2008 What is my research about? Computational number theory. Most of the time, I use big computers to multiply and divide big polynomials
More informationThus, the integral closure A i of A in F i is a finitely generated (and torsion-free) A-module. It is not a priori clear if the A i s are locally
Math 248A. Discriminants and étale algebras Let A be a noetherian domain with fraction field F. Let B be an A-algebra that is finitely generated and torsion-free as an A-module with B also locally free
More informationA Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme
A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme Presented by: Vincent Zucca 1 Joint work with: Jean-Claude Bajard 1, Julien Eynard 2 and Anwar Hasan 2 1 Sorbonne
More information(January 14, 2009) q n 1 q d 1. D = q n = q + d
(January 14, 2009) [10.1] Prove that a finite division ring D (a not-necessarily commutative ring with 1 in which any non-zero element has a multiplicative inverse) is commutative. (This is due to Wedderburn.)
More informationReal Analysis Prelim Questions Day 1 August 27, 2013
Real Analysis Prelim Questions Day 1 August 27, 2013 are 5 questions. TIME LIMIT: 3 hours Instructions: Measure and measurable refer to Lebesgue measure µ n on R n, and M(R n ) is the collection of measurable
More informationOn Kilian s Randomization of Multilinear Map Encodings
On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationAlgebraic number theory
Algebraic number theory F.Beukers February 2011 1 Algebraic Number Theory, a crash course 1.1 Number fields Let K be a field which contains Q. Then K is a Q-vector space. We call K a number field if dim
More informationUnderstanding hard cases in the general class group algorithm
Understanding hard cases in the general class group algorithm Makoto Suwama Supervisor: Dr. Steve Donnelly The University of Sydney February 2014 1 Introduction This report has studied the general class
More informationShort Stickelberger Class Relations and Application to Ideal-SVP
Short Stickelberger Class Relations and Application to Ideal-SVP Ronald Cramer 1,2, Léo Ducas 1 and Benjamin Wesolowski 3 1 Cryptology Group, CWI, Amsterdam, The Netherlands 2 Mathematical Institute, Leiden
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationFULL rate and full diversity codes for the coherent
1432 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 51, NO. 4, APRIL 2005 The Golden Code: A 2 2 Full-Rate Space Time Code With Nonvanishing Determinants Jean-Claude Belfiore, Member, IEEE, Ghaya Rekaya,
More informationCryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes Magali Bardet 1 Julia Chaulet 2 Vlad Dragoi 1 Ayoub Otmani 1 Jean-Pierre Tillich 2 Normandie Univ, France; UR, LITIS, F-76821
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/2017 1 / 24 Preview We define an LWE variant
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationPost-Quantum Cryptography from Lattices
Post-Quantum Cryptography from Lattices Léo Ducas 1 CWI, Amsterdam, The Netherlands CWI Scientific Meeting, November 2016. 1 Funded by a PPP Grant, between NXP and CWI. Cryptography Cryptography in everyday
More informationSubring Homomorphic Encryption
Subring Homomorphic Encryption Seiko Arita Sari Handa June 7, 2017 Abstract In this paper, we construct subring homomorphic encryption scheme that is a homomorphic encryption scheme built on the decomposition
More informationSome algebraic number theory and the reciprocity map
Some algebraic number theory and the reciprocity map Ervin Thiagalingam September 28, 2015 Motivation In Weinstein s paper, the main problem is to find a rule (reciprocity law) for when an irreducible
More informationBabai round-off CVP method in RNS: application to latice based cryptographic protocols
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 Babai round-off CVP method in RNS: application
More informationAn introduction to the algorithmic of p-adic numbers
An introduction to the algorithmic of p-adic numbers David Lubicz 1 1 Universté de Rennes 1, Campus de Beaulieu, 35042 Rennes Cedex, France Outline Introduction 1 Introduction 2 3 4 5 6 7 8 When do we
More informationLoop-abort faults on supersingular isogeny cryptosystems
Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin Benjamin Wesolowski Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC, France École Polytechnique Fédérale de Lausanne,
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationA history of the development of NTRU
A history of the development of NTRU Brown University EUROCRYPT 2014, Copenhagen A one way function from number theory Let D be a large square free integer, and let p 1, p 2, p 3,... be a sequence of primes
More informationLoop-abort faults on supersingular isogeny cryptosystems
Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin 1 and Benjamin Wesolowski 2 1 Sorbonne Universités, UPMC Paris 6, UMR 7606, LIP6, Paris, France alexandre.gelin@lip6.fr 2 École
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationSymbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS Inès Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz Sorbonne Universités, UPMC Univ Paris
More informationNew Chosen-Ciphertext Attacks on NTRU
New Chosen-Ciphertext Attacks on NTRU Nicolas Gama 1,Phong Q. Nguyen 1 École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr CNRS/École normale supérieure, DI, 45 rue d Ulm,
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationAlgebraic Cryptanalysis of a Quantum Money Scheme The Noise-Free Case
1 / 27 Algebraic Cryptanalysis of a Quantum Money Scheme The Noise-Free Case Marta Conde Pena 1 Jean-Charles Faugère 2,3,4 Ludovic Perret 3,2,4 1 Spanish National Research Council (CSIC) 2 Sorbonne Universités,
More informationGauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1
Gauss Sieve on GPUs Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1 1 Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan {ilway25,kbj,doug}@crypto.tw 2
More informationIn Praise of Twisted Canonical Embedding
In Praise of Twisted Canonical Embedding Jheyne N. Ortiz 1, Robson R. de Araujo 2, Ricardo Dahab 1, Diego F. Aranha 1, and Sueli I. R. Costa 2 1 Institute of Computing, University of Campinas, Brazil jheyne.ortiz@ic.unicamp.br
More informationDensity of Ideal Lattices
Density of Ideal Lattices - Preliminary Draft - Johannes Buchmann and Richard Lindner Technische Universität Darmstadt, Department of Computer Science Hochschulstraße 10, 64289 Darmstadt, Germany buchmann,rlindner@cdc.informatik.tu-darmstadt.de
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationImaginary Quadratic Fields With Isomorphic Abelian Galois Groups
Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups Universiteit Leiden, Université Bordeaux 1 July 12, 2012 - UCSD - X - a Question Let K be a number field and G K = Gal(K/K) the absolute
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationDiscrete logarithms: Recent progress (and open problems)
Discrete logarithms: Recent progress (and open problems) CryptoExperts Chaire de Cryptologie de la Fondation de l UPMC LIP6 February 25 th, 2014 Discrete logarithms Given a multiplicative group G with
More informationCryptanalysis of GGH15 Multilinear Maps
Cryptanalysis of GGH15 Multilinear Maps Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 CryptoExperts 3 NTT Secure Platform Laboratories June
More informationHybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationLattice Reduction for Modular Knapsack
Lattice Reduction for Modular Knapsack Thomas Plantard, Willy Susilo, and Zhenfei Zhang Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University
More informationAlgebraic function fields
Algebraic function fields 1 Places Definition An algebraic function field F/K of one variable over K is an extension field F K such that F is a finite algebraic extension of K(x) for some element x F which
More information1. a) Let ω = e 2πi/p with p an odd prime. Use that disc(ω p ) = ( 1) p 1
Number Theory Mat 6617 Homework Due October 15, 018 To get full credit solve of the following 7 problems (you are welcome to attempt them all) The answers may be submitted in English or French 1 a) Let
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg {jean-sebastien.coron, avradip.mandal}@uni.lu
More informationMATH 101A: ALGEBRA I, PART D: GALOIS THEORY 11
MATH 101A: ALGEBRA I, PART D: GALOIS THEORY 11 3. Examples I did some examples and explained the theory at the same time. 3.1. roots of unity. Let L = Q(ζ) where ζ = e 2πi/5 is a primitive 5th root of
More informationPoint counting and real multiplication on K3 surfaces
Point counting and real multiplication on K3 surfaces Andreas-Stephan Elsenhans Universität Paderborn September 2016 Joint work with J. Jahnel. A.-S. Elsenhans (Universität Paderborn) K3 surfaces September
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationThe number field sieve in the medium prime case
The number field sieve in the medium prime case Frederik Vercauteren ESAT/COSIC - K.U. Leuven Joint work with Antoine Joux, Reynald Lercier, Nigel Smart Finite Field DLOG Basis finite field is F p = {0,...,
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationA quasi polynomial algorithm for discrete logarithm in small characteristic
CCA seminary January 10, 2014 A quasi polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 Emmanuel Thomé 2 LIX, École Polytechnique
More informationRamification Theory. 3.1 Discriminant. Chapter 3
Chapter 3 Ramification Theory This chapter introduces ramification theory, which roughly speaking asks the following question: if one takes a prime (ideal) p in the ring of integers O K of a number field
More informationCreating a Challenge for Ideal Lattices
Creating a Challenge for Ideal Lattices Thomas Plantard 1 and Michael Schneider 2 1 University of Wollongong, Australia thomaspl@uow.edu.au 2 Technische Universität Darmstadt, Germany mischnei@cdc.informatik.tu-darmstadt.de
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More information