Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Similar documents
Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics

Short Stickelberger Class Relations and application to Ideal-SVP

Short generators without quantum computers: the case of multiquadratics

Computing Generator in Cyclotomic Integer Rings

Computing generator in cyclotomic integer rings

Computational algebraic number theory tackles lattice-based cryptography

Computing generator in cyclotomic integer rings

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Post-Quantum Cryptography from Lattices

Open problems in lattice-based cryptography

Weaknesses in Ring-LWE

Computational algebraic number theory tackles lattice-based cryptography

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven

Dimension-Preserving Reductions Between Lattice Problems

Recovering Short Generators of Principal Ideals: Extensions and Open Problems

Ring-LWE security in the case of FHE

Classical hardness of the Learning with Errors problem

Classical hardness of Learning with Errors

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Background: Lattices and the Learning-with-Errors problem

Classical hardness of Learning with Errors

Revisiting Lattice Attacks on overstretched NTRU parameters

Implementing Ring-LWE cryptosystems

Ideal Lattices and NTRU

Short Stickelberger Class Relations and Application to Ideal-SVP

Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Solving All Lattice Problems in Deterministic Single Exponential Time

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

Hardness and advantages of Module-SIS and Module-LWE

Weak Instances of PLWE

Gentry s SWHE Scheme

problem which is much easier the ring strikes back

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

A Comment on Gu Map-1

Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3

Middle-Product Learning With Errors

Ring-SIS and Ideal Lattices

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

The quantum threat to cryptography

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Post-Quantum Cryptography

CS Topics in Cryptography January 28, Lecture 5

Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis

On error distributions in ring-based LWE

Density of Ideal Lattices

Some security bounds for the DGHV scheme

Diophantine equations via weighted LLL algorithm

Cryptology. Scribe: Fabrice Mouhartem M2IF

Cryptanalysis of GGH15 Multilinear Maps

What are we talking about when we talk about post-quantum cryptography?

Improved Parameters for the Ring-TESLA Digital Signature Scheme

In Praise of Twisted Canonical Embedding

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Shai Halevi IBM August 2013

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Algorithms for ray class groups and Hilbert class fields

New Cryptosystem Using The CRT And The Jordan Normal Form

Proving Hardness of LWE

Parameter selection in Ring-LWE-based cryptography

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Lattice Cryptography

Quantum-resistant cryptography

Practical Analysis of Key Recovery Attack against Search-LWE Problem

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

A Note on Discrete Gaussian Combinations of Lattice Vectors

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

An Efficient Lattice-based Secret Sharing Construction

Lattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018

Noise Distributions in Homomorphic Ring-LWE

Multikey Homomorphic Encryption from NTRU

arxiv: v8 [math.nt] 24 Mar 2017

Lattice-Based Cryptography

On Error Distributions in Ring-based LWE

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Faster Fully Homomorphic Encryption

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD

LP Solutions of Vectorial Integer Subset Sums Cryptanalysis of Galbraith s Binary Matrix LWE

Lattice-based Cryptography

Solving BDD by Enumeration: An Update

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China

Cryptanalysis of the Revised NTRU Signature Scheme

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Isogenies in a quantum world

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Solving LWE with BKW

Public Key Cryptography

Notes for Lecture 15

An Overview of Homomorphic Encryption

Improving BDD cryptosystems in general lattices

Transcription:

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of Michigan, USA New-York University, USA Eurocrypt, May 2016, Vienna, Austria. Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 1 / 21

Principal ideals in cryptography Let K be a numberfield (e.g. = Q(ζ m )) and R its ring of integer (R = Z[ζ m ]). A few cryptosystems, for example: Soliloquy [Campbell et al., 2014] FHE [Smart and Vercauteren, 2010] Graded encoding schemes [Garg et al., 2013, Langlois et al., 2014] share this Key Generation procedure. KeyGen sk Choose a short g R as a private key pk Give a bad Z-basis B of the ideal (g) as a public key (e.g. HNF). Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 2 / 21

Short generator recovery Cryptanalysis in two steps (Key Recovery Attack) 1 Principal Ideal Problem (PIP) Given a Z-basis B of a principal ideal I, Recover some generator h (i.e. I = (h)) Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 3 / 21

Short generator recovery Cryptanalysis in two steps (Key Recovery Attack) 1 Principal Ideal Problem (PIP) Given a Z-basis B of a principal ideal I, Recover some generator h (i.e. I = (h)) 2 Short Generator Problem Given an arbitrary generator h R of I Recover g (or some g equivalently short) Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 3 / 21

Cost of those two steps 1 Principal Ideal Problem (PIP) sub-exponential time (2Õ(n2/3) ) classical algorithm [Biasse and Fieker, 2014, Biasse, 2014]. quantum polynomial time algorithm [Eisenträger et al., 2014, Campbell et al., 2014, Biasse and Song, 2015]. 2 Short Generator Problem equivalent to the CVP in the log-unit lattice becomes a BDD problem in the crypto cases. claimed to be easy [Campbell et al., 2014] for the m th -cyclotomic ring when m = 2 k This Work confirmed by experiments [Schank, 2015] We focus on step 2, and prove it can be solved in classical polynomial time for the aforementioned cryptanalytic instances, when the ring R is the ring of integers of the cyclotomic number field K = Q(ζ m ) for m = p k. Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 4 / 21

1 Introduction 2 Overview 3 Results and conclusion Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 5 / 21

The Problem Short generator recovery Given h R, find a small generator g of the ideal (h). Note that g (h) is a generator iff g = u h for some unit u R. We need to explore the (multiplicative) unit group R. Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 6 / 21

The Problem Short generator recovery Given h R, find a small generator g of the ideal (h). Note that g (h) is a generator iff g = u h for some unit u R. We need to explore the (multiplicative) unit group R. Translation an to additive problem Take logarithms: Log : g (log σ 1 (g),..., log σ n (g) ) R n where the σ i s are the canonical embeddings K C. Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 6 / 21

The Unit Group and the log-unit lattice Let R denotes the multiplicative group of units of R. Let Λ = Log R. Theorem (Dirichlet unit Theorem) Λ R n is a lattice (of a given rank). Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 7 / 21

The Unit Group and the log-unit lattice Let R denotes the multiplicative group of units of R. Let Λ = Log R. Theorem (Dirichlet unit Theorem) Λ R n is a lattice (of a given rank). Reduction to a Close Vector Problem Elements g is a generator of (h) if and only if Log g Log h + Λ. Moreover the map Log preserves some geometric information: g is the smallest generator iff Log g is the smallest in Log h + Λ. Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 7 / 21

Example: Embedding Z[ 2] R 2 x-axis: σ 1 (a + b 2) = a + b 2 y-axis: σ 2 (a + b 2) = a b 2 1 1 2 component-wise additions and multiplications 1 0 1 1 + 2 2 ramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 8 / 21

Example: Embedding Z[ 2] R 2 x-axis: σ 1 (a + b 2) = a + b 2 y-axis: σ 2 (a + b 2) = a b 2 1 1 2 component-wise additions and multiplications 1 0 1 1 + 2 2 Orthogonal elements Units (algebraic norm 1) Isonorms curves ramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 8 / 21

Example: Logarithmic Embedding Log Z[ 2] ({ }, +) is a sub-monoid of R 2 1 Log 1 ramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 9 / 21

Example: Logarithmic Embedding Log Z[ 2] Λ =({ }, +) is a lattice of R 2, orthogonal to (1, 1) 1 Log 1 ramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 9 / 21

Example: Logarithmic Embedding Log Z[ 2] { } are shifted finite copies of Λ 1 Log 1 ramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 9 / 21

Reduction modulo Λ = Log Z[ 2] The reduction modλ for various fundamental domains. 1 Log 1 ramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 10 / 21

Reduction modulo Λ = Log Z[ 2] The reduction modλ for various fundamental domains. 1 Log 1 ramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 10 / 21

Reduction modulo Λ = Log Z[ 2] The reduction modλ for various fundamental domains. 1 Log 1 ramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 10 / 21

Reduction modulo Λ = Log Z[ 2] The reduction modλ for various fundamental domains. 1 Log 1 ramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 10 / 21

Round-Off Decoding We also need the fundamental domain to have an efficient reduction algorithm. The simplest one follows: Round(B, t) for B a basis of Λ Return B frac(b 1 t). Used as a decoding algorithm, its correctness is characterized by the error e and the dual basis B = B T. Fact [Lenstra, 1982, Babai, 1986] Suppose t = v + e for some v Λ. If b j, e [ 1 2, 1 2 ) for all j, then Round(B, t) = v. Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 11 / 21

Recovering Short Generator: Proof Plan Folklore strategy [Bernstein, 2014, Campbell et al., 2014] to recover a short generator g 1 Construct a basis B of the unit-log lattice Log R For K = Q(ζm ), m = p k, an (almost 1 ) canonical basis is given by b j = Log 1 ζj, j {2,..., m/2}, j co-prime with m 1 ζ 2 Prove that the basis is good, that is b j are all small 3 Prove that e = Log g is small enough 1 it only spans a super-lattice of finite index h + which is conjectured to be small Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 12 / 21

Recovering Short Generator: Proof Plan Folklore strategy [Bernstein, 2014, Campbell et al., 2014] to recover a short generator g 1 Construct a basis B of the unit-log lattice Log R For K = Q(ζm ), m = p k, an (almost 1 ) canonical basis is given by b j = Log 1 ζj, j {2,..., m/2}, j co-prime with m 1 ζ 2 Prove that the basis is good, that is b j are all small 3 Prove that e = Log g is small enough Technical contributions 2 Estimate b j precisely using analytic tools [Washington, 1997, Landau, 1927] 3 Bound e using theory of sub-exponential random variables [Vershynin, 2012] 1 it only spans a super-lattice of finite index h + which is conjectured to be small Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 12 / 21

1 Introduction 2 Overview 3 Results and conclusion Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 13 / 21

Geometric statement from Analytic Number Theory Theorem ([Landau, 1927]) If χ is a non-quadratic Dirichlet character of conductor f. L(1, χ) 1/O(log f ). Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 14 / 21

Geometric statement from Analytic Number Theory Theorem ([Landau, 1927]) If χ is a non-quadratic Dirichlet character of conductor f. L(1, χ) 1/O(log f ). Theorem (Cramer, D., Peikert, Regev) Let m = p k, and B = (Log(b j )) j G\{1} be the canonical basis of Log C. Then, for all j b 2 j O ( m 1 log 3 m ). Interpretation The log-unit lattice Log R admits a (known, efficiently computable) basis that is almost orthogonal: BDD is easy! Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 14 / 21

No Crypto from Principal Ideals We formalized, generalized and proved a claim of [Campbell et al., 2014]: Corollary [Cramer, D., Peikert, Regev] (simplified) If g follows a reasonable distribution, then given any generator h of (g), one may recover g in poly-time with probability 1 o(1). Combined with a poly-time quantum algorithm 2 of [Biasse and Song, 2015], this breaks several cryptographic proposal. 2 Alt. a classical sub-exponential algorithm [Biasse and Fieker, 2014, Biasse, 2014]. Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 15 / 21

What about the worst case? Theorem [Cramer, D., Peikert, Regev] Given a generator h of any principal ideal (h), one may find in poly-time a generator g of (h) of length g N(h) 1/n 2Õ( n). Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 16 / 21

What about the worst case? Theorem [Cramer, D., Peikert, Regev] Given a generator h of any principal ideal (h), one may find in poly-time a generator g of (h) of length g N(h) 1/n 2Õ( n). We also show that this is nearly optimal: Theorem [Cramer, D., Peikert, Regev] In some principal ideals I, the shortest generator has length at least g N(I) 1/n 2 Ω( m/ log m). Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 16 / 21

Open questions 1 Are there other classes of rings whose log-unit lattice can be studied? I I 2 Does this result has a bearing on (worst-case) non-principal ideals? I I 3 For cyclotomics, several happy event for the proof to go through. Other rings are harder to study. Security by ignorance? Possibly: class group Caley graphs, Stickleberger s Ideal... This approach seems limited to large approx. factors 2O ( n). And on Ring-LWE? I I Seems much harder than 2. Would still be limited to large approx. factors 2O ( n). Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 17 / 21

Questions? Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 18 / 21

Questions? Thanks for your attention! Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 18 / 21

References I Babai, L. (1986). On Lovász lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1 13. Preliminary version in STACS 1985. Bernstein, D. (2014). A subfield-logarithm attack against ideal lattices. http://blog.cr.yp.to/20140213-ideal.html. Biasse, J.-F. (2014). Subexponential time relations in the class group of large degree number fields. Adv. Math. Commun., 8(4):407 425. Biasse, J.-F. and Fieker, C. (2014). Subexponential class group and unit group computation in large degree number fields. LMS Journal of Computation and Mathematics, 17:385 403. Biasse, J.-F. and Song, F. (2015). On the quantum attacks against schemes relying on the hardness of finding a short generator of an ideal in q (ζpn). Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 19 / 21

References II Campbell, P., Groves, M., and Shepherd, D. (2014). Soliloquy: A cautionary tale. ETSI 2nd Quantum-Safe Crypto Workshop. Available at http://docbox.etsi.org/workshop/2014/201410_crypto/s07_systems_ and_attacks/s07_groves_annex.pdf. Eisenträger, K., Hallgren, S., Kitaev, A., and Song, F. (2014). A quantum algorithm for computing the unit group of an arbitrary degree number field. In Proceedings of the 46th Annual ACM Symposium on Theory of Computing, pages 293 302. ACM. Garg, S., Gentry, C., and Halevi, S. (2013). Candidate multilinear maps from ideal lattices. In EUROCRYPT, pages 1 17. Landau, E. (1927). Über Dirichletsche Reihen mit komplexen Charakteren. Journal für die reine und angewandte Mathematik, 157:26 32. Langlois, A., Stehlé, D., and Steinfeld, R. (2014). Gghlite: More efficient multilinear maps from ideal lattices. In Advances in Cryptology EUROCRYPT 2014, pages 239 256. Springer. Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 20 / 21

References III Lenstra, A. K. (1982). Lattices and factorization of polynomials over algebraic number fields. In Computer Algebra, pages 32 39. Springer. Schank, J. (2015). LogCvp, Pari implementation of CVP in Log Z[ζ 2 n ]. https://github.com/jschanck-si/logcvp. Smart, N. P. and Vercauteren, F. (2010). Fully homomorphic encryption with relatively small key and ciphertext sizes. In Public Key Cryptography, pages 420 443. Vershynin, R. (2012). Compressed Sensing, Theory and Applications, chapter 5, pages 210 268. Cambridge University Press. Available at http://www-personal.umich.edu/~romanv/papers/non-asymptotic-rmt-plain.pdf. Washington, L. (1997). Introduction to Cyclotomic Fields. Graduate Texts in Mathematics. Springer New York. Cramer, D., Peikert, Regev (Leiden, CWI,NYU, UM) Recovering Short Generators Eurocrypt, May 2016 21 / 21

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback