Short generators without quantum computers: the case of multiquadratics

Similar documents
Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics

Computational algebraic number theory tackles lattice-based cryptography

Computational algebraic number theory tackles lattice-based cryptography

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

problem which is much easier the ring strikes back

Short Stickelberger Class Relations and application to Ideal-SVP

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Weaknesses in Ring-LWE

Open problems in lattice-based cryptography

Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Post-Quantum Cryptography from Lattices

Computing Generator in Cyclotomic Integer Rings

3. Focus on secure cryptosystems. How do we know what a quantum computer will do?

Computing generator in cyclotomic integer rings

Introduction to Quantum Safe Cryptography. ENISA September 2018

Classical hardness of Learning with Errors

The quantum threat to cryptography

Recovering Short Generators of Principal Ideals: Extensions and Open Problems

Computing generator in cyclotomic integer rings

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Algorithms for ray class groups and Hilbert class fields

Revisiting Lattice Attacks on overstretched NTRU parameters

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Post-Quantum Cryptography

Solving All Lattice Problems in Deterministic Single Exponential Time

Classical hardness of Learning with Errors

Classical hardness of the Learning with Errors problem

Post-quantum key exchange for the Internet based on lattices

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

What are we talking about when we talk about post-quantum cryptography?

In Praise of Twisted Canonical Embedding

Short Stickelberger Class Relations and Application to Ideal-SVP

Lattice Reduction Algorithms: Theory and Practice

Shai Halevi IBM August 2013

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors

Ring-SIS and Ideal Lattices

Background: Lattices and the Learning-with-Errors problem

Notes for Lecture 15

Gentry s SWHE Scheme

Ideal Lattices and NTRU

Parameter selection in Ring-LWE-based cryptography

Lattice Reductions over Euclidean Rings with Applications to Cryptanalysis

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China

Sieving for Shortest Vectors in Ideal Lattices:

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Middle-Product Learning With Errors

On error distributions in ring-based LWE

Finding shortest lattice vectors faster using quantum search

Quantum-resistant cryptography

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

BKZ 2.0: Better Lattice Security Estimates

SIS-based Signatures

A history of the development of NTRU

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Density of Ideal Lattices

Lossy Trapdoor Functions and Their Applications

Weak Instances of PLWE

Daniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.

Solving LWE with BKW

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Hardness and advantages of Module-SIS and Module-LWE

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

Ring-LWE security in the case of FHE

McBits: fast constant-time code-based cryptography. (to appear at CHES 2013)

Computing with Encrypted Data Lecture 26

M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD

On the Abundance of Large Primes with Small B-smooth values for p-1: An Aspect of Integer Factorization

part 2: detecting smoothness part 3: the number-field sieve

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

A simple lattice based PKE scheme

Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields

Lattice Based Crypto: Answering Questions You Don't Understand

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Mechanizing Elliptic Curve Associativity

Gauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1

Cryptanalysis of the Revised NTRU Signature Scheme

Leakage of Signal function with reused keys in RLWE key exchange

Integer factorization, part 1: the Q sieve. D. J. Bernstein

Implementing Ring-LWE cryptosystems

arxiv: v1 [cs.cr] 25 Jan 2013

Sieving for Shortest Vectors in Ideal Lattices

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Homomorphic Evaluation of the AES Circuit

A Digital Signature Scheme based on CVP

Finding shortest lattice vectors faster using quantum search

CS Topics in Cryptography January 28, Lecture 5

Isogenies in a quantum world

An Overview of Homomorphic Encryption

On Ideal Lattices and Learning with Errors Over Rings

Predicting Lattice Reduction

An Algorithm for NTRU Problems

Transcription:

Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry de Valence & Tanja Lange & Christine van Vredendaal Followup to my SIAM AG15 talk Computational algebraic number theory tackles lattice-based cryptography : https://cr.yp.to/talks.html#2015.08.06 Daniel J. Bernstein multiquad.cr.yp.to 1

Lattice-based crypto is secure because lattice problems are hard. Everyone who works on lattice-based crypto Daniel J. Bernstein multiquad.cr.yp.to 2

Lattice-based crypto is secure because lattice problems are hard. Everyone who works on lattice-based crypto Really? How hard are they? Which problems are broken in time <2 100? Which cryptosystems are broken in time <2 100? Daniel J. Bernstein multiquad.cr.yp.to 2

Lattice-based crypto is secure because lattice problems are hard. Everyone who works on lattice-based crypto Really? How hard are they? Which problems are broken in time <2 100? Which cryptosystems are broken in time <2 100? 2006 Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Daniel J. Bernstein multiquad.cr.yp.to 2

Lattice-based crypto is secure because lattice problems are hard. Everyone who works on lattice-based crypto Really? How hard are they? Which problems are broken in time <2 100? Which cryptosystems are broken in time <2 100? 2006 Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. 2014 Peikert: Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds of years even when one allows for the power of quantum algorithms (see, e.g.,... ) we have solid and unique evidence that lattice-based cryptoschemes are secure. Daniel J. Bernstein multiquad.cr.yp.to 2

Lattice-based crypto is secure because lattice problems are hard. Everyone who works on lattice-based crypto Really? How hard are they? Which problems are broken in time <2 100? Which cryptosystems are broken in time <2 100? 2006 Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. 2014 Peikert: Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds of years even when one allows for the power of quantum algorithms (see, e.g.,... ) we have solid and unique evidence that lattice-based cryptoschemes are secure. Sounds like SVP is claimed to be a hard problem. How hard is it? Daniel J. Bernstein multiquad.cr.yp.to 2

How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ(N log N) for almost all dimension-n lattices. Daniel J. Bernstein multiquad.cr.yp.to 3

How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N), asymptotically much faster. Some algorithms taking time 2 (c+o(1))n, under plausible assumptions: c 0.415: 2008 Nguyen Vidick. c 0.415: 2010 Micciancio Voulgaris. Daniel J. Bernstein multiquad.cr.yp.to 3

How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N), asymptotically much faster. Some algorithms taking time 2 (c+o(1))n, under plausible assumptions: c 0.415: 2008 Nguyen Vidick. c 0.415: 2010 Micciancio Voulgaris. c 0.384: 2011 Wang Liu Tian Bi. Daniel J. Bernstein multiquad.cr.yp.to 3

How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N), asymptotically much faster. Some algorithms taking time 2 (c+o(1))n, under plausible assumptions: c 0.415: 2008 Nguyen Vidick. c 0.415: 2010 Micciancio Voulgaris. c 0.384: 2011 Wang Liu Tian Bi. c 0.378: 2013 Zhang Pan Hu. Daniel J. Bernstein multiquad.cr.yp.to 3

How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N), asymptotically much faster. Some algorithms taking time 2 (c+o(1))n, under plausible assumptions: c 0.415: 2008 Nguyen Vidick. c 0.415: 2010 Micciancio Voulgaris. c 0.384: 2011 Wang Liu Tian Bi. c 0.378: 2013 Zhang Pan Hu. c 0.337: 2014 Laarhoven. Daniel J. Bernstein multiquad.cr.yp.to 3

How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N), asymptotically much faster. Some algorithms taking time 2 (c+o(1))n, under plausible assumptions: c 0.415: 2008 Nguyen Vidick. c 0.415: 2010 Micciancio Voulgaris. c 0.384: 2011 Wang Liu Tian Bi. c 0.378: 2013 Zhang Pan Hu. c 0.337: 2014 Laarhoven. c 0.298: 2015 Laarhoven de Weger. Daniel J. Bernstein multiquad.cr.yp.to 3

How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N), asymptotically much faster. Some algorithms taking time 2 (c+o(1))n, under plausible assumptions: c 0.415: 2008 Nguyen Vidick. c 0.415: 2010 Micciancio Voulgaris. c 0.384: 2011 Wang Liu Tian Bi. c 0.378: 2013 Zhang Pan Hu. c 0.337: 2014 Laarhoven. c 0.298: 2015 Laarhoven de Weger. c 0.292: 2015 Becker Ducas Gama Laarhoven. Daniel J. Bernstein multiquad.cr.yp.to 3

How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N), asymptotically much faster. Some algorithms taking time 2 (c+o(1))n, under plausible assumptions: c 0.415: 2008 Nguyen Vidick. c 0.415: 2010 Micciancio Voulgaris. c 0.384: 2011 Wang Liu Tian Bi. c 0.378: 2013 Zhang Pan Hu. c 0.337: 2014 Laarhoven. c 0.298: 2015 Laarhoven de Weger. c 0.292: 2015 Becker Ducas Gama Laarhoven. c 0.268 quantum algorithm: 2014 Laarhoven Mosca van de Pol. Daniel J. Bernstein multiquad.cr.yp.to 3

How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N), asymptotically much faster. Some algorithms taking time 2 (c+o(1))n, under plausible assumptions: c 0.415: 2008 Nguyen Vidick. c 0.415: 2010 Micciancio Voulgaris. c 0.384: 2011 Wang Liu Tian Bi. c 0.378: 2013 Zhang Pan Hu. c 0.337: 2014 Laarhoven. c 0.298: 2015 Laarhoven de Weger. c 0.292: 2015 Becker Ducas Gama Laarhoven. c 0.268 quantum algorithm: 2014 Laarhoven Mosca van de Pol. Who thinks this is the end of the story? Is 2 (0.1+o(1))N possible? 2 Θ(N/ log N)? 2 N1/2+o(1)? Daniel J. Bernstein multiquad.cr.yp.to 3

How secure is approx SVP? Public-key lattice-based crypto allows approximation factors. How much does this damage security? Daniel J. Bernstein multiquad.cr.yp.to 4

How secure is approx SVP? Public-key lattice-based crypto allows approximation factors. How much does this damage security? 2002 Micciancio Goldwasser (emphasis added): To date, the best known polynomial time (possibly randomized) approximation algorithms for SVP and CVP achieve worst-case (over the choice of the input) approximation factors γ(n) that are essentially exponential in the rank n. 2007 Regev: 2013 Micciancio: Smooth trade-off between running time and approximation: γ 2 O(n log log T / log T ) Daniel J. Bernstein multiquad.cr.yp.to 4

Quantum attacks against cyclotomic lattice problems STOC 2014 Eisenträger Hallgren Kitaev Song: poly-time quantum algorithm for K O K. K: number field. O K : ring of algebraic integers in K. O K : group of units in O K. Daniel J. Bernstein multiquad.cr.yp.to 5

Quantum attacks against cyclotomic lattice problems STOC 2014 Eisenträger Hallgren Kitaev Song: poly-time quantum algorithm for K O K. K: number field. O K : ring of algebraic integers in K. O K : group of units in O K. 2015 (and SODA 2016) Biasse Song, also using an idea from 2014 Campbell Groves Shepherd: poly-time quantum algorithm for K, go K ζ j mg for some j, assuming cyclotomic K = Q(ζ m ), small h + m, very short g. Daniel J. Bernstein multiquad.cr.yp.to 5

Quantum attacks against cyclotomic lattice problems STOC 2014 Eisenträger Hallgren Kitaev Song: poly-time quantum algorithm for K O K. K: number field. O K : ring of algebraic integers in K. O K : group of units in O K. 2015 (and SODA 2016) Biasse Song, also using an idea from 2014 Campbell Groves Shepherd: poly-time quantum algorithm for K, go K ζ j mg for some j, assuming cyclotomic K = Q(ζ m ), small h + m, very short g. This recovers secret keys in, e.g., STOC 2009 Gentry homomorphic-encryption system using cyclotomics, Eurocrypt 2013 Garg Gentry Halevi multilinear-map system, etc. Daniel J. Bernstein multiquad.cr.yp.to 5

Is the attack idea limited to very short generators? More lattice problems of interest: I shortest nonzero vector in I. ( Exact Ideal-SVP.) I close to shortest nonzero vector in I. ( Approximate Ideal-SVP.) Attack is against principal I with a very short generator. Daniel J. Bernstein multiquad.cr.yp.to 6

Is the attack idea limited to very short generators? More lattice problems of interest: I shortest nonzero vector in I. ( Exact Ideal-SVP.) I close to shortest nonzero vector in I. ( Approximate Ideal-SVP.) Attack is against principal I with a very short generator. 2015 Peikert says technique is useless for more general principal ideals. ( We simply hadn t realized that the added guarantee of a short generator would transform the technique from useless to devastatingly effective. ) Daniel J. Bernstein multiquad.cr.yp.to 6

Is the attack idea limited to very short generators? More lattice problems of interest: I shortest nonzero vector in I. ( Exact Ideal-SVP.) I close to shortest nonzero vector in I. ( Approximate Ideal-SVP.) Attack is against principal I with a very short generator. 2015 Peikert says technique is useless for more general principal ideals. ( We simply hadn t realized that the added guarantee of a short generator would transform the technique from useless to devastatingly effective. ) Counterargument: attack is poly time against arbitrary principal ideals for approx factor 2 N1/2+o(1) in degree-n cyclotomics, assuming small h +. See, e.g., 2016 Cramer Ducas Peikert Regev. Daniel J. Bernstein multiquad.cr.yp.to 6

Is the attack idea limited to principal ideals? 2015 Peikert: Although cyclotomics have a lot of structure, nobody has yet found a way to exploit it in attacking Ideal-SVP/BDD... For commonly used rings, principal ideals are an extremely small fraction of all ideals.... The weakness here is not so much due to the structure of cyclotomics, but rather to the extra structure of principal ideals that have short generators. Daniel J. Bernstein multiquad.cr.yp.to 7

Is the attack idea limited to principal ideals? 2015 Peikert: Although cyclotomics have a lot of structure, nobody has yet found a way to exploit it in attacking Ideal-SVP/BDD... For commonly used rings, principal ideals are an extremely small fraction of all ideals.... The weakness here is not so much due to the structure of cyclotomics, but rather to the extra structure of principal ideals that have short generators. Counterargument, 2016 Cramer Ducas Wesolowski: fast Ideal-SVP attack for approx factor 2 N1/2+o(1) in degree-n cyclotomics, under plausible assumptions about class-group generators etc. Starts from Biasse Song, uses more features of cyclotomic fields. This shreds the standard approx-ideal-svp tradeoff picture. Daniel J. Bernstein multiquad.cr.yp.to 7

Non-cyclotomic lattice-based cryptography Cyclotomics are scary. Let s explore alternatives: Eliminate the ideal structure. e.g., use LWE instead of Ring-LWE. But this limits the security achievable for key size K. Daniel J. Bernstein multiquad.cr.yp.to 8

Non-cyclotomic lattice-based cryptography Cyclotomics are scary. Let s explore alternatives: Eliminate the ideal structure. e.g., use LWE instead of Ring-LWE. But this limits the security achievable for key size K. 2016 Bernstein Chuengsatiansup Lange van Vredendaal NTRU Prime (preliminary announcement 2014.02, before these attacks): as in discrete-log crypto, eliminate unnecessary ring morphisms. Use prime degree, large Galois group: e.g., x p x 1. Daniel J. Bernstein multiquad.cr.yp.to 8

Non-cyclotomic lattice-based cryptography Cyclotomics are scary. Let s explore alternatives: Eliminate the ideal structure. e.g., use LWE instead of Ring-LWE. But this limits the security achievable for key size K. 2016 Bernstein Chuengsatiansup Lange van Vredendaal NTRU Prime (preliminary announcement 2014.02, before these attacks): as in discrete-log crypto, eliminate unnecessary ring morphisms. Use prime degree, large Galois group: e.g., x p x 1. This talk: Switch from cyclotomics to other Galois number fields. Another popular example in algebraic-number-theory textbooks: multiquadratics; e.g., Q( 2, 3, 5, 7, 11, 13, 17, 19, 23). Daniel J. Bernstein multiquad.cr.yp.to 8

A reasonable multiquadratic cryptosystem Case study of a lattice-based cryptosystem that was already defined in detail for arbitrary number fields: 2010 Smart Vercauteren, optimized version of 2009 Gentry. Parameter: R = Z[α] for an algebraic integer α. Secret key: very short g R. Public key: gr. Daniel J. Bernstein multiquad.cr.yp.to 9

A reasonable multiquadratic cryptosystem Case study of a lattice-based cryptosystem that was already defined in detail for arbitrary number fields: 2010 Smart Vercauteren, optimized version of 2009 Gentry. Parameter: R = Z[α] for an algebraic integer α. Secret key: very short g R. Public key: gr. To handle multiquadratics better, we generalized beyond Z[α]; fixed a keygen speed problem; used twisted Hadamard transforms as replacement for FFTs; adapted 2011 Gentry Halevi cyclotomic speedups to multiquadratics. Like Smart Vercauteren, we took N λ 2+o(1) for target security 2 λ. Checked security against standard lattice attacks: nothing better than exponential time. Daniel J. Bernstein multiquad.cr.yp.to 9

Our main multiquadratic results See https://multiquad.cr.yp.to for paper and software: Huge parameter range for this cryptosystem is now broken. Applicability: Attack is non-quantum. Works on your PC. Verifiability: We implemented the attack. It works as predicted. Fits the pattern motivating the NTRU prime recommendations: subfields and automorphisms tend to damage security. Speed: Quasipoly for Q( d 1,..., d n ) if d 1,..., d n are quasipoly. (Quasipoly as function of 2 n : i.e., logs are bounded by n O(1).) Analysis assuming standard heuristics: Attack always finds unit group O L. Attack always finds some generator of input ideal. Attack always finds short generator if d1,..., d n > 2 1.03n. Experiments find short generator even for much smaller d s. Some failures for tiny d s presumably should do better BDD. Daniel J. Bernstein multiquad.cr.yp.to 10

Conventional techniques to find generators Want to find g given gr. Lattice-basis-reduction algorithms find fairly short nonzero vectors α gr. Could α be as small as g? Extremely rare in high dimensions. Daniel J. Bernstein multiquad.cr.yp.to 11

Conventional techniques to find generators Want to find g given gr. Lattice-basis-reduction algorithms find fairly short nonzero vectors α gr. Could α be as small as g? Extremely rare in high dimensions. Much more common: can factor (α/g)r into prime ideals. Multiply and divide these equations sensibly. Example from SIAM AG15 talk: If α 1 R = gr P 2 Q 2 and α 2 R = gr P Q 3 and α 3 R = gr P Q 2 then P = α 1 α3 1 R and Q = α 2α3 1 R and gr = α 1 1 α 2 2 α4 3 R. This is the core of the conventional methods of computing units (find two generators of same ideal; divide); computing class group (obstruction to all ideals having generators); computing discrete logarithms by NFS; factoring by NFS; etc. Daniel J. Bernstein multiquad.cr.yp.to 11

Some ways to exploit subfields and automorphisms 1. Well known: In many geometric cases, such as elliptic curves, use automorphisms for much faster class-group ( point-counting ) methods. Daniel J. Bernstein multiquad.cr.yp.to 12

Some ways to exploit subfields and automorphisms 1. Well known: In many geometric cases, such as elliptic curves, use automorphisms for much faster class-group ( point-counting ) methods. 2. Factorization of α factorization of σ(α) for each automorphism σ of R. Special case: obtain cyclotomic units from α = 1 ζ N. Analogous: multiquadratic units from units of quadratic subfields. Daniel J. Bernstein multiquad.cr.yp.to 12

Some ways to exploit subfields and automorphisms 1. Well known: In many geometric cases, such as elliptic curves, use automorphisms for much faster class-group ( point-counting ) methods. 2. Factorization of α factorization of σ(α) for each automorphism σ of R. Special case: obtain cyclotomic units from α = 1 ζ N. Analogous: multiquadratic units from units of quadratic subfields. 3. How to obtain all units of a multiquadratic field? (Can t find all units of hard cyclotomics without solving this!) 1966 Wada: Use subfield relation u 2 = N σ (u)n τ (u)/σ(n στ (u)). First solve same problem recursively for the σ, τ, στ subfields; then try square roots of exponential number of products of generators. Better: find squares using quadratic chars, as in 1991 Adleman NFS. Daniel J. Bernstein multiquad.cr.yp.to 12

Some ways to exploit subfields and automorphisms 1. Well known: In many geometric cases, such as elliptic curves, use automorphisms for much faster class-group ( point-counting ) methods. 2. Factorization of α factorization of σ(α) for each automorphism σ of R. Special case: obtain cyclotomic units from α = 1 ζ N. Analogous: multiquadratic units from units of quadratic subfields. 3. How to obtain all units of a multiquadratic field? (Can t find all units of hard cyclotomics without solving this!) 1966 Wada: Use subfield relation u 2 = N σ (u)n τ (u)/σ(n στ (u)). First solve same problem recursively for the σ, τ, στ subfields; then try square roots of exponential number of products of generators. Better: find squares using quadratic chars, as in 1991 Adleman NFS. 4. Similarly find generators starting with generators of norms. Daniel J. Bernstein multiquad.cr.yp.to 12

Coefficients for MQ lattice Vertical axis: Average absolute coefficients of Log g on MQ basis. Horizontal axis: 1.11/(2 n/2 log(u D )). Daniel J. Bernstein multiquad.cr.yp.to 13

Success for MQ lattice Vertical axis: Success probability of simple rounding (in the MQ lattice). Horizontal axis: d 1, using n consecutive primes for (d 1,..., d n ). Daniel J. Bernstein multiquad.cr.yp.to 14

Time (in seconds) to find full lattice and generator Sage Sage tower absolute new new new new 2 n units units units units2 gen gen2 8 0.05 0.03 0.90 0.91 0.07 0.07 16 0.48 0.24 2.33 2.39 0.20 0.19 32 6.75 4.73 6.61 7.36 0.56 0.51 64 >700000 >700000 23.30 37.51 1.51 1.51 128 93.02 1560.49 4.95 7.29 256 463.91 31469.23 27.95 100.65 Table: Observed time to compute (once) the units of Q( d 1,..., d n ); and to find a generator for the public key in the cryptosystem. Daniel J. Bernstein multiquad.cr.yp.to 15

Success at finding short generator of ideal n 3 4 5 6 7 8 p suc (L 1 ) 0.122 0.137 0.132 0.036 0.001 0.000 p suc (L n ) 0.203 0.490 0.648 0.936 0.631 0.423 p suc (L n 2) 0.784 0.981 1.000 1.000 1.000 1.000 Table: Observed attack success probabilities for various multiquadratic fields. Daniel J. Bernstein multiquad.cr.yp.to 16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback