Computational algebraic number theory tackles lattice-based cryptography

Similar documents
Computational algebraic number theory tackles lattice-based cryptography

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Computing Generator in Cyclotomic Integer Rings

Short Stickelberger Class Relations and application to Ideal-SVP

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

Weaknesses in Ring-LWE

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven

Recovering Short Generators of Principal Ideals: Extensions and Open Problems

Solving All Lattice Problems in Deterministic Single Exponential Time

Revisiting Lattice Attacks on overstretched NTRU parameters

1. Group Theory Permutations.

Computing generator in cyclotomic integer rings

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis

Computing generator in cyclotomic integer rings

Ring-LWE security in the case of FHE

Graduate Preliminary Examination

Page Points Possible Points. Total 200

Algebra Exam Topics. Updated August 2017

Understanding hard cases in the general class group algorithm

Post-Quantum Cryptography from Lattices

problem which is much easier the ring strikes back

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Open problems in lattice-based cryptography

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Thus, the integral closure A i of A in F i is a finitely generated (and torsion-free) A-module. It is not a priori clear if the A i s are locally

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Ring-SIS and Ideal Lattices

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Discrete Logarithm Problem

Polynomial Selection Using Lattices

Computing Individual Discrete Logarithms Faster in GF(p n ) with the NFS-DL Algorithm

Algorithms for ray class groups and Hilbert class fields

A Course in Computational Algebraic Number Theory

The number field sieve in the medium prime case

Finding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago

Some algebraic number theory and the reciprocity map

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

ALGEBRA PH.D. QUALIFYING EXAM SOLUTIONS October 20, 2011

Algebra Qualifying Exam Solutions. Thomas Goller

IDEAL CLASSES AND RELATIVE INTEGERS

Lattice-Based Cryptography

Sample algebra qualifying exam

Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups

Computational complexity of lattice problems and cyclic lattices

CSIR - Algebra Problems

Rings. Chapter 1. Definition 1.2. A commutative ring R is a ring in which multiplication is commutative. That is, ab = ba for all a, b R.

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Note that a unit is unique: 1 = 11 = 1. Examples: Nonnegative integers under addition; all integers under multiplication.

Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields

ALGEBRA 11: Galois theory

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

REMARKS ON THE NFS COMPLEXITY

Section 18 Rings and fields

Algebraic function fields

ALGEBRA EXERCISES, PhD EXAMINATION LEVEL

0.2 Vector spaces. J.A.Beachy 1

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

(IV.C) UNITS IN QUADRATIC NUMBER RINGS

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

Math 553 Qualifying Exam. In this test, you may assume all theorems proved in the lectures. All other claims must be proved.

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Background: Lattices and the Learning-with-Errors problem

Background of Pairings

part 2: detecting smoothness part 3: the number-field sieve

1 Fields and vector spaces

Explicit Complex Multiplication

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Classical hardness of the Learning with Errors problem

IUPUI Qualifying Exam Abstract Algebra

(1) A frac = b : a, b A, b 0. We can define addition and multiplication of fractions as we normally would. a b + c d

Ideals: Definitions & Examples

Independence of Heegner Points Joseph H. Silverman (Joint work with Michael Rosen)

ALGEBRA QUALIFYING EXAM SPRING 2012

1 Shortest Vector Problem

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Algebra Qualifying Exam, Fall 2018

Thanks to: University of Illinois at Chicago NSF DMS Alfred P. Sloan Foundation

Ph.D. Qualifying Examination in Algebra Department of Mathematics University of Louisville January 2018

NOTES FOR DRAGOS: MATH 210 CLASS 12, THURS. FEB. 22

Fermat s Last Theorem for Regular Primes

School of Mathematics and Statistics. MT5836 Galois Theory. Handout 0: Course Information

Lesson 2 The Unit Circle: A Rich Example for Gaining Perspective

Isogenies in a quantum world

Transcendence in Positive Characteristic

Notes for Lecture 15

4.4 Noetherian Rings

CSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

MATH 131B: ALGEBRA II PART B: COMMUTATIVE ALGEBRA

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

List of topics for the preliminary exam in algebra

Gauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1

Elliptic Nets and Points on Elliptic Curves

Transcription:

Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right Big generator Moving through the night Yes, Big Generator, 1987

The short-generator problem Take degree-n number field K. i.e. field K C with len Q K = n. (Weaker specification: field K with Q K and len Q K = n.) e.g. n = 2; K = Q(i) = Q Qi, Q[x]=(x 2 + 1). e.g. n = 256; = exp(ıi=n); K = Q( ), Q[x]=(x n + 1). e.g. n = 660; = exp(2ıi=661); K = Q( ), Q[x]=(x n + + 1). e.g. K = Q( 2; 3; 5; : : : ; 29).

Define O = Z K; subring of K. O, Z n as Z-modules. Nonzero ideals of O factor uniquely as products of powers of prime ideals of O. e.g. K = Q(i), Q[x]=(x 2 + 1) O = Z[i], Z[x]=(x 2 + 1). e.g. = exp(ıi=256), K = Q( ) O = Z[ ], Z[x]=(x 256 + 1). e.g. = exp(2ıi=661), K = Q( ) O = Z[ ],. e.g. K = Q( 5) O = Z[(1+ 5)=2], Z[x]=(x 2 x 1).

The short-generator problem: Find short nonzero g O given the principal ideal go. e.g. = exp(ıi=4); K = Q( ); O = Z[ ], Z[x]=(x 4 + 1). The Z-submodule of O gen by 201 233 430 2 712 3, 935 1063 1986 2 3299 3, 979 1119 2092 2 3470 3, 718 829 1537 2 2546 3 is an ideal I of O. Can you find a short g O such that I = go?

The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; 233; 430; 712); B = (935; 1063; 1986; 3299); C = (979; 1119; 2092; 3470); D = (718; 829; 1537; 2546):

The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; 233; 430; 712); B = (935; 1063; 1986; 3299); C = (979; 1119; 2092; 3470); D = (718; 829; 1537; 2546): Find (3; 1; 4; 1) as 37A + 3B 7C + 16D. This was my original g.

The lattice perspective Use LLL to quickly find short elements of lattice ZA + ZB + ZC + ZD where A = (201; 233; 430; 712); B = (935; 1063; 1986; 3299); C = (979; 1119; 2092; 3470); D = (718; 829; 1537; 2546): Find (3; 1; 4; 1) as 37A + 3B 7C + 16D. This was my original g. Also find, e.g., ( 4; 1; 3; 1). Multiplying by root of unity (here 2 ) preserves shortness.

For much larger n: LLL almost never finds g. Big gap between size of g and size of short vectors that LLL typically finds in I.

For much larger n: LLL almost never finds g. Big gap between size of g and size of short vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower.

For much larger n: LLL almost never finds g. Big gap between size of g and size of short vectors that LLL typically finds in I. Increased BKZ block size: reduced gap but slower. Fancier lattice algorithms: Under reasonable assumptions, 2015 Laarhoven de Weger finds g in time 1:23 n. Big progress compared to, e.g., 2008 Nguyen Vidick ( 1:33 n ) but still exponential time.

Exploiting factorization Use LLL, BKZ, etc. to generate rather short go. What happens if O go? Pure lattice approach: Discard. Work much harder, find shorter.

Exploiting factorization Use LLL, BKZ, etc. to generate rather short go. What happens if O go? Pure lattice approach: Discard. Work much harder, find shorter. Alternative: Gain information from factorization of ideals.

Exploiting factorization Use LLL, BKZ, etc. to generate rather short go. What happens if O go? Pure lattice approach: Discard. Work much harder, find shorter. Alternative: Gain information from factorization of ideals. e.g. If 1O = go P 2 Q 2

Exploiting factorization Use LLL, BKZ, etc. to generate rather short go. What happens if O go? Pure lattice approach: Discard. Work much harder, find shorter. Alternative: Gain information from factorization of ideals. e.g. If 1O = go P 2 Q 2 and 2O = go P Q 3

Exploiting factorization Use LLL, BKZ, etc. to generate rather short go. What happens if O go? Pure lattice approach: Discard. Work much harder, find shorter. Alternative: Gain information from factorization of ideals. e.g. If 1O = go P 2 Q 2 and 2O = go P Q 3 and 3O = go P Q 2

Exploiting factorization Use LLL, BKZ, etc. to generate rather short go. What happens if O go? Pure lattice approach: Discard. Work much harder, find shorter. Alternative: Gain information from factorization of ideals. e.g. If 1O = go P 2 Q 2 and 2O = go P Q 3 and 3O = go P Q 2 then P = 1 1 3 2 1 O and Q = 3 O and go = 1 1 2 2 43 O.

General strategy: For many s, factor O into products of powers of some primes and go. Solve system of equations to find generator for go as product of powers of the s.

General strategy: For many s, factor O into products of powers of some primes and go. Solve system of equations to find generator for go as product of powers of the s. Can the system be solved? Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes.

General strategy: For many s, factor O into products of powers of some primes and go. Solve system of equations to find generator for go as product of powers of the s. Can the system be solved? Becomes increasingly reasonable to expect as the number of equations approaches and passes the number of primes. But {primes} is infinite!

Restrict to a factor base : e.g., all primes of norm y.

Restrict to a factor base : e.g., all primes of norm y. But what if O doesn t factor into those primes?

Restrict to a factor base : e.g., all primes of norm y. But what if O doesn t factor into those primes? Then throw it away. But often it does factor.

Restrict to a factor base : e.g., all primes of norm y. But what if O doesn t factor into those primes? Then throw it away. But often it does factor. Familiar issue from index calculus DL methods, CFRAC, LS, QS, NFS, etc. Model the norm of ( =g)o as random integer in [1; x]; y-smoothness p chance 1=y if log y (1=2) log x log log x.

Variation: Ignore go. Generate rather short O, factor O into small primes. After enough s, solve system of equations; obtain generator for each prime.

Variation: Ignore go. Generate rather short O, factor O into small primes. After enough s, solve system of equations; obtain generator for each prime. After this precomputation, factor one O go; obtain generator for go.

Variation: Ignore go. Generate rather short O, factor O into small primes. After enough s, solve system of equations; obtain generator for each prime. After this precomputation, factor one O go; obtain generator for go. Do all primes have generators?

Variation: Ignore go. Generate rather short O, factor O into small primes. After enough s, solve system of equations; obtain generator for each prime. After this precomputation, factor one O go; obtain generator for go. Do all primes have generators? Standard heuristics: For many (most?) number fields, yes; but for big cyclotomics, no! Modulo a few small primes, yes.

{principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} C where C is a finite abelian group, the class group of K. Fundamental object of study in algebraic number theory.

{principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} C where C is a finite abelian group, the class group of K. Fundamental object of study in algebraic number theory. Factoring many small O is a standard textbook method of computing class group and generators of ideals.

{principal nonzero ideals} is kernel of a semigroup map {nonzero ideals} C where C is a finite abelian group, the class group of K. Fundamental object of study in algebraic number theory. Factoring many small O is a standard textbook method of computing class group and generators of ideals. Also compute unit group O via ratios of generators.

Big generator Smart Vercauteren: However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in may take exponential time. Indeed, generator found for go is product of powers of various s. Must be gu for some u O, but extremely unlikely to be g.

Big generator Smart Vercauteren: However this method is likely to produce a generator of large height, i.e., with large coefficients. Indeed so large, that writing the obtained generator down as a polynomial in may take exponential time. Indeed, generator found for go is product of powers of various s. Must be gu for some u O, but extremely unlikely to be g. How do we find g from gu?

There are exactly n distinct ring maps 1 ; : : : ; n : K C.

There are exactly n distinct ring maps 1 ; : : : ; n : K C. Define Log : K R n by Log = (log 1 ; : : : ; log n ).

There are exactly n distinct ring maps 1 ; : : : ; n : K C. Define Log : K R n by Log = (log 1 ; : : : ; log n ). Log O is a lattice of rank r 1 + r 2 1 where r 1 = #{i : i (K) R}, 2r 2 = #{i : i (K) R}.

There are exactly n distinct ring maps 1 ; : : : ; n : K C. Define Log : K R n by Log = (log 1 ; : : : ; log n ). Log O is a lattice of rank r 1 + r 2 1 where r 1 = #{i : i (K) R}, 2r 2 = #{i : i (K) R}. e.g. = exp(ıi=256), K = Q( ): images of under ring maps are ; 3 ; 5 ; : : : ; 511. r 1 = 0; r 2 = 128; rank 127.

Compute Log gu as sum of multiples of Log for the original s.

Compute Log gu as sum of multiples of Log for the original s. Find elements of Log O close to Log gu.

Compute Log gu as sum of multiples of Log for the original s. Find elements of Log O close to Log gu. This is a close-vector problem ( bounded-distance decoding ). Embedding heuristic: CVP as fast as SVP.

Compute Log gu as sum of multiples of Log for the original s. Find elements of Log O close to Log gu. This is a close-vector problem ( bounded-distance decoding ). Embedding heuristic: CVP as fast as SVP. This finds Log u. Easily reconstruct g up to a root of unity. #{roots of unity} is small.

A subfield-logarithm attack (2014.02 Bernstein) Say we know Log norm K:F g for a proper subfield F K.

A subfield-logarithm attack (2014.02 Bernstein) Say we know Log norm K:F g for a proper subfield F K. We also know Log norm K:F gu, so we know Log norm K:F u.

A subfield-logarithm attack (2014.02 Bernstein) Say we know Log norm K:F g for a proper subfield F K. We also know Log norm K:F gu, so we know Log norm K:F u. This linearly constrains Log u to a shifted sublattice of Log O. Number of independent constraints: unit rank for F.

A subfield-logarithm attack (2014.02 Bernstein) Say we know Log norm K:F g for a proper subfield F K. We also know Log norm K:F gu, so we know Log norm K:F u. This linearly constrains Log u to a shifted sublattice of Log O. Number of independent constraints: unit rank for F. Find elements close to Log gu. Lower-dimension lattice problem, if unit rank of F is positive.

Start by recursively computing Log norm K:F g via norm of go for each F K. Various constraints on Log u, depending on subfield structure.

Start by recursively computing Log norm K:F g via norm of go for each F K. Various constraints on Log u, depending on subfield structure. e.g. = exp(2ıi=661), K = Q( ). Degrees of subfields of K: 660 330 220 132 60 165 110 66 44 30 20 12 33 33 33 33 33 333 55 33 22 15 10 6 4 3 3 3 11 5 3 2 1

Most extreme case: Composite of quadratics, such as K = Q( 2; 3; 5; : : : ; 29). CVP becomes trivial!

Most extreme case: Composite of quadratics, such as K = Q( 2; 3; 5; : : : ; 29). CVP becomes trivial! Opposite extreme: prime degree; the only proper subfield is Q. My recommendation: big Galois group; e.g., Q[x]=(x p x 1). Many intermediate cases.

Most extreme case: Composite of quadratics, such as K = Q( 2; 3; 5; : : : ; 29). CVP becomes trivial! Opposite extreme: prime degree; the only proper subfield is Q. My recommendation: big Galois group; e.g., Q[x]=(x p x 1). Many intermediate cases. Confused summary by Cramer Ducas Peikert Regev: method may yield slightly subexponential runtimes in cyclotomic rings of highly smooth index.

Further improvements: 1, 2 1 2014.10 Campbell Groves Shepherd: Quickly solve CVP for cyclotomics using known (good) basis for cyclotomic units.

Further improvements: 1, 2 1 2014.10 Campbell Groves Shepherd: Quickly solve CVP for cyclotomics using known (good) basis for cyclotomic units. Analysis in paper is bogus, but algorithm is very fast.

Further improvements: 1, 2 1 2014.10 Campbell Groves Shepherd: Quickly solve CVP for cyclotomics using known (good) basis for cyclotomic units. Analysis in paper is bogus, but algorithm is very fast. Plagiarized and properly analyzed by Cramer Ducas Peikert Regev.

Further improvements: 1, 2 1 2014.10 Campbell Groves Shepherd: Quickly solve CVP for cyclotomics using known (good) basis for cyclotomic units. Analysis in paper is bogus, but algorithm is very fast. Plagiarized and properly analyzed by Cramer Ducas Peikert Regev. 2 2015.01 Song announcement: Fast quantum algorithm for gu. PIP : : : solved [BiasseSong 14]. But paper not available yet.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback