DOCSLIB.ORG

An Introduction to the Theory of Lattices and Applications to Cryptography Joseph H

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An Introduction to the Theory of Lattices and Applications to Cryptography Joseph H An Introduction to the Theory of Lattices and Applications to Cryptography Joseph H. Silverman Brown University and NTRU Cryptosystems, Inc. Summer School on Computational Number Theory and Applications to Cryptography University of Wyoming June 19 { July 7, 2006 0 An Introduction to the Theory of Lattices Outline ² Introduction ² Lattices and Lattice Problems ² Fundamental Lattice Theorems ² Lattice Reduction and the LLL Algorithm ² Knapsack Cryptosystems and Lattice Cryptanaly- sis ² Lattice-Based Cryptography ² The NTRU Public Key Cryptosystem ² Convolution Modular Lattices and NTRU Lattices ² Further Reading An Introduction to the Theory of Lattices { 1{ An Introduction to the Theory of Lattices Public Key Cryptography and Hard Mathematical Problems ² Underlying every public key cryptosystem is a hard mathematical problem. ² Unfortunately, in very few instances is there a proof that breaking the cryptosystem is equivalent to solving the hard mathematical problem. But we won't worry about that for now! ² The best known examples are: RSA Integer Factorization Problem ¤ Di±e-Hellman Discrete Logarithm Problem in Fq ECC Discrete Logarithm Problem on an Elliptic Curve An Introduction to the Theory of Lattices { 2{ An Introduction to the Theory of Lattices A Di®erent Hard Problem for Cryptography ² There are many other hard mathematical problems that one might use for cryptography. ² An appealing class of problems involves ¯nding clos- est and shortest vectors in lattices. ² The general Closest Vector Problem (CVP) is known to be NP-hard and the Shortest Vector Problem (SVP) is NP-hard under a randomized reduction hypothesis. ² In this lecture I will discuss the mathematics of lattices, alogrithms to solve SVP and CVP, and give some applications to breaking cryptosystems. In the next lecture I will describe some cryptosys- tems that are based on the di±culty of solving SVP and CVP. An Introduction to the Theory of Lattices { 3{ Lattices and Lattice Problems Lattices and Lattice Problems Lattices | De¯nition and Notation De¯nition. A lattice L of dimension n is a maximal discrete subgroup of Rn. Equivalently, a lattice is the Z-linear span of a set of n linearly independent vectors: L = fa1v1 + a2v2 + ¢ ¢ ¢ + anvn : a1; a2; : : : ; an 2 Zg: The vectors v1;:::; vn are a Basis for L. Lattices have many bases. Some bases are \better" than others. A fundamental domain for the quotient Rn=L is the set F(L) = ft1v1 + t2v2 + ¢ ¢ ¢ + tnvn : 0 · ti < 1g: The Discriminant (or \volume") of L is ¡ ¢ Disc(L) = Volume(F(L)) = det v1jv2j ¢ ¢ ¢ jvn : An Introduction to the Theory of Lattices { 4{ Lattices and Lattice Problems A Two Dimensional Example v 6 v v v v v v v L x ÃÃÃÃÃà ÃÃÃÃÃÃÃ÷·· ÃÃÃÃ÷·Ã··Ã÷·Ãà ÃÃÃÃÃ÷÷··Ã·Ã· Ã÷·Ã÷·· ÃÃÃÃÃ÷·Ã·Ã·Ã·Ã÷÷·Ã··ÃÃà ÃÃÃÃÃÃ÷÷·Ã··Ã· Ã÷·Ã··Ã·Ã·ÃÃ÷··Ã÷· ÃxÃÃ÷÷·Ã·Ã··ÃÃ÷·Ã··Ã·Ã· Ã÷÷÷÷·ÃÃà ÃÃ÷÷·Ã··ÃÃ÷·Ã··Ã·ÃÃÃ÷·Ã··Ã··ÃÃ÷·Ã÷Ã÷· ·Ã·Ã··ÃÃ÷·Ã··Ã·Ã· Ã÷·Ã·Ã···ÃÃÃ÷·Ã··Ã··ÃÃà ÷÷·Ã··Ã·ÃÃ÷÷·Ã··Ã· Ã÷÷·Ã··Ã·ÃÃ÷÷Ã÷·· ÷÷ÃÃ÷·Ã·Ã··ÃÃÃ÷·Ã··Ã·ÃÃ÷·Ã··Ã·Ã·ÃÃà ÷÷·Ã÷·Ã·Ã÷÷·Ã··Ã·ÃÃ÷÷·Ã··Ã·ÃÃ÷·Ã÷·· v ÷·ÃÃ÷÷÷÷·ÃÃ÷÷··Ã·ÃÃÃ÷·Ã··Ã··ÃÃà v ÷÷·Ã··Ã·Ã÷Ã÷·Ã··Ã·Ã÷÷·Ã··Ã÷ÃÃ÷·Ã÷·· ÷·ÃÃ÷÷··Ã·ÃÃÃ÷·ÃF··Ã·ÃÃ÷·Ã·Ã·Ã··ÃÃà ÷Ã÷·Ã··Ã·Ã÷÷·Ã··Ã·ÃÃ÷÷·Ã··Ã· ÃÃ÷·Ã÷Ã÷· ÷·ÃÃÃ÷÷··Ã·ÃÃ÷·Ã·Ã··ÃÃÃ÷·Ã··Ã··ÃÃà ÷÷·Ã··Ã·ÃÃ÷÷·Ã··Ã·Ã÷÷·Ã··Ã·ÃÃ÷·Ã·Ã÷·· ÷÷ÃÃ÷··Ã·Ã··ÃÃ÷÷·Ã·Ã··Ã÷÷÷··Ã·ÃÃÃ÷x ÷÷·Ã÷·ÃÃ÷÷·Ã··ÃÃÃ÷÷·Ã··ÃÃ÷÷·Ã÷· ÷·Ã÷÷÷÷÷·Ã÷÷÷··Ã·ÃÃÃ÷÷·Ã··Ã· ÷·Ã··Ã··ÃÃ÷·Ã÷·Ã··ÃÃ÷·Ã··Ã·· ÷ÃÃ÷÷÷·Ã·ÃÃ÷÷·Ã··Ã ÷·Ã··Ã·Ã·ÃÃ÷·Ã··Ã·· ÷Ã÷÷·Ã···Ã v ÷x÷·Ã··Ã· - v A 2-dimensional lattice L with fundamental domain F An Introduction to the Theory of Lattices { 5{ Lattices and Lattice Problems The Two Fundamental Hard Lattice Problems Let L be a lattice of dimension n. The two most im- portant computational problems are: Shortest Vector Problem (SVP) Find a shortest nonzero vector in L. Closest Vector Problem (CVP) Given a vector t 2 Rn not in L, ¯nd a vector in L that is closest to t. The Approximate Closest Vector Problem (apprCVP) is to ¯nd a vector v 2 L so that kv ¡ tk is small. For example, kv ¡ tk · · min kw ¡ tk w2L for a small constant ·. An Introduction to the Theory of Lattices { 6{ Lattices and Lattice Problems Using a Basis to Try to Solve the Closest Vector Problem 6 t Draw a fundamental domain t t around the target point t ÃÃÃt ÃÃà · ÃÃà ÃÃà · ÃÃà ÃÃà · tà · · · · · · t t t x · · · · · L · ·t · ÃÃÃà ÃÃà · ÃÃà ÃÃà · ÃÃà ·Ãt Ãà t t t t t - t Use a basis for the lattice to draw a parallelogram around the target point. An Introduction to the Theory of Lattices { 7{ Lattices and Lattice Problems Using a Basis to Try to Solve the Closest Vector Problem 6 t t t ÃÃÃt ÃÃà · ÃÃà ÃÃà · ÃÃà ÃÃà · tà · · · · · · t t t x · · · · · L · ·x · ÃÃÃà ÃÃà · ÃÃà ÃÃà · ÃÃà v t·ÃÃà The vertex v that is closest t to t is a candidate for (approximate) closest vector t t - The vertex v of the fundamental domain that is closest to t will be a close lattice point if the basis is \good", meaning if the basis consists of short vectors that are reasonably orthogonal to one another. An Introduction to the Theory of Lattices { 8{ Lattices and Lattice Problems Good and Bad Bases s s s s s s s s s s s s s s s s s s s s s s s s s s s s s 6 s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s ³³1 »»»: ³³ »»» s s s s s s ³³s s »» s s ³³ »»» ³³ »»» s s s s s ³³ s »» s s s s ³³ »»» ³³ »»» s s s ³³s »»s s s s s s ³³ »»» s s s ³³s »»» s s s s s s ³³ »» ³³ »» s s ³ »s» s s s s s s s ©* ³»³»» ©»³©»³» s»³©»³ s s s s s s s s - s @ s @Rs s s s s s s s s s s s s s s s s s A \good" basis and a \bad" basis An Introduction to the Theory of Lattices { 9{ Lattices and Lattice Problems The Closest Vertex Method Using a Bad Basis s s s s s s s s s s s s s s s s s s s s s s s s s s s s s 6 s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s »»» s s s s s s s s s s»»» »»» s s s s s s s s »s» s ³³ »»» ³³ »»» ³³ s s s s s s »s » s ³s ³ s ³³ »»» ³³ »»» s s s s s s ³³s s »» s s ³³ »»» ³³ »»» s s s Targets Points ³³ s »» s s s s ³³ x »»» ³³ »»» s s s ³³s »»s s s s s s ³³ »»» s s s ³³s »»» s s s s s s ³³ »» ³³ »» s s ³ »s» s s s s s s s ³»³»» »³»³» s»³»³ s s s s s s s s - s s s s s s s s s s s s s s s s s s s s Here is the parallelogram spanned by a \bad" basis and a CVP target point. An Introduction to the Theory of Lattices { 10{ Lattices and Lattice Problems The Closest Vertex Method Using a Bad Basis s s s s s s s s s s s s s s s s s s s s s s s s s s s s s 6 s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s s »»» s s s s s s s s s s»»» »»» s s s s s s s s »s» s ³³ »»» ³³ Closest Vertex »»» ³³ s s s s s s x»s » s ³s ³ s ³³ »»» ³³ »»» s s s s s s ³³s s »» s s ³³ »»» ³³ »»» s s s Targets Points ³³ s »» s s s s ³³ x »»» ³³ »»» s s s ³³s »»s s s s s s ³³ »»» s s s ³³s »»» s s s s s s ³³ »» ³³ »» s s ³ »s» s s s s s s s ³»³»» »³»³» s»³»³ s s s s s s s s - s s s s s s s s s s s s s s s s s s s s It is easy to ¯nd the vertex of the parallelogram that is closest to the target point.
Load more

Recommended publications
  • Arxiv:Cs/0601091V2
    Communication Over MIMO Broadcast Channels Using Lattice-Basis Reduction1 Mahmoud Taherzadeh, Amin Mobasher, and Amir K. Khandani Coding & Signal Transmission Laboratory Department of Electrical & Computer Engineering University of Waterloo Waterloo, Ontario, Canada, N2L 3G1 Abstract A simple scheme for communication over MIMO broadcast channels is introduced which adopts the lattice reduction technique to improve the naive channel inversion method. Lattice basis reduction helps us to reduce the average transmitted energy by modifying the region which includes the constellation points. Simulation results show that the proposed scheme performs well, and as compared to the more complex methods (such as the perturbation method [1]) has a negligible loss. Moreover, the proposed method is extended to the case of different rates for different users. The asymptotic behavior (SNR ) of the symbol error rate of the proposed method and the −→ ∞ perturbation technique, and also the outage probability for the case of fixed-rate users is analyzed. It is shown that the proposed method, based on LLL lattice reduction, achieves the optimum asymptotic slope of symbol-error-rate (called the precoding diversity). Also, the outage probability for the case of fixed sum-rate is analyzed. I. INTRODUCTION In the recent years, communications over multiple-antenna fading channels has attracted the attention of many researchers. Initially, the main interest has been on the point-to-point Multiple-Input Multiple-Output (MIMO) communications [2]–[6]. In [2] and [3], the authors have shown that the capacity of a MIMO point-to-point channel increases linearly with the arXiv:cs/0601091v2 [cs.IT] 18 Jun 2007 minimum number of the transmit and the receive antennas.
    [Show full text]
  • Lectures on the NTRU Encryption Algorithm and Digital Signature Scheme: Grenoble, June 2002
    Lectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002 J. Pipher Brown University, Providence RI 02912 1 Lecture 1 1.1 Integer lattices Lattices have been studied by cryptographers for quite some time, in both the field of cryptanalysis (see for example [16{18]) and as a source of hard problems on which to build encryption schemes (see [1, 8, 9]). In this lecture, we describe the NTRU encryption algorithm, and the lattice problems on which this is based. We begin with some definitions and a brief overview of lattices. If a ; a ; :::; a are n independent vectors in Rm, n m, then the 1 2 n ≤ integer lattice with these vectors as basis is the set = n x a : x L f 1 i i i 2 Z . A lattice is often represented as matrix A whose rows are the basis g P vectors a1; :::; an. The elements of the lattice are simply the vectors of the form vT A, which denotes the usual matrix multiplication. We will specialize for now to the situation when the rank of the lattice and the dimension are the same (n = m). The determinant of a lattice det( ) is the volume of the fundamen- L tal parallelepiped spanned by the basis vectors. By the Gram-Schmidt process, one can obtain a basis for the vector space generated by , and L the det( ) will just be the product of these orthogonal vectors. Note that L these vectors are not a basis for as a lattice, since will not usually L L possess an orthogonal basis.
    [Show full text]
  • Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems
    Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems † Thijs Laarhoven∗ Joop van de Pol Benne de Weger∗ September 10, 2012 Abstract This paper is a tutorial introduction to the present state-of-the-art in the field of security of lattice- based cryptosystems. After a short introduction to lattices, we describe the main hard problems in lattice theory that cryptosystems base their security on, and we present the main methods of attacking these hard problems, based on lattice basis reduction. We show how to find shortest vectors in lattices, which can be used to improve basis reduction algorithms. Finally we give a framework for assessing the security of cryptosystems based on these hard problems. 1 Introduction Lattice-based cryptography is a quickly expanding field. The last two decades have seen exciting devel- opments, both in using lattices in cryptanalysis and in building public key cryptosystems on hard lattice problems. In the latter category we could mention the systems of Ajtai and Dwork [AD], Goldreich, Goldwasser and Halevi [GGH2], the NTRU cryptosystem [HPS], and systems built on Small Integer Solu- tions [MR1] problems and Learning With Errors [R1] problems. In the last few years these developments culminated in the advent of the first fully homomorphic encryption scheme by Gentry [Ge]. A major issue in this field is to base key length recommendations on a firm understanding of the hardness of the underlying lattice problems. The general feeling among the experts is that the present understanding is not yet on the same level as the understanding of, e.g., factoring or discrete logarithms.
    [Show full text]
  • On Ideal Lattices and Learning with Errors Over Rings∗
    On Ideal Lattices and Learning with Errors Over Rings∗ Vadim Lyubashevskyy Chris Peikertz Oded Regevx June 25, 2013 Abstract The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for lattice-based hash functions (and related primitives). We resolve this question in the affirmative by introducing an algebraic variant of LWE called ring- LWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms. Applications include the first truly practical lattice-based public-key cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ring-LWE. 1 Introduction Over the last decade, lattices have emerged as a very attractive foundation for cryptography. The appeal of lattice-based primitives stems from the fact that their security can often be based on worst-case hardness assumptions, and that they appear to remain secure even against quantum computers.
    [Show full text]
  • On Lattices, Learning with Errors, Random Linear Codes, and Cryptography
    On Lattices, Learning with Errors, Random Linear Codes, and Cryptography Oded Regev ¤ May 2, 2009 Abstract Our main result is a reduction from worst-case lattice problems such as GAPSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the ‘learning from parity with error’ problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GAPSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., non-quantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GAPSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryp- tosystems: the public key is of size O~(n2) and encrypting a message increases its size by a factor of O~(n) (in previous cryptosystems these values are O~(n4) and O~(n2), respectively). In fact, under the assumption that all parties share a random bit string of length O~(n2), the size of the public key can be reduced to O~(n). 1 Introduction Main theorem. For an integer n ¸ 1 and a real number " ¸ 0, consider the ‘learning from parity with n error’ problem, defined as follows: the goal is to find an unknown s 2 Z2 given a list of ‘equations with errors’ hs; a1i ¼" b1 (mod 2) hs; a2i ¼" b2 (mod 2) .
    [Show full text]
  • Lattice Reduction for Modular Knapsack⋆
    Lattice Reduction for Modular Knapsack? Thomas Plantard, Willy Susilo, and Zhenfei Zhang Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University Of Wollongong, Australia fthomaspl, wsusilo, [email protected] Abstract. In this paper, we present a new methodology to adapt any kind of lattice reduction algorithms to deal with the modular knapsack problem. In general, the modular knapsack problem can be solved using a lattice reduction algorithm, when its density is low. The complexity of lattice reduction algorithms to solve those problems is upper-bounded in the function of the lattice dimension and the maximum norm of the input basis. In the case of a low density modular knapsack-type basis, the weight of maximum norm is mainly from its first column. Therefore, by distributing the weight into multiple columns, we are able to reduce the maximum norm of the input basis. Consequently, the upper bound of the time complexity is reduced. To show the advantage of our methodology, we apply our idea over the floating-point LLL (L2) algorithm. We bring the complexity from O(d3+"β2 + d4+"β) to O(d2+"β2 + d4+"β) for " < 1 for the low den- sity knapsack problem, assuming a uniform distribution, where d is the dimension of the lattice, β is the bit length of the maximum norm of knapsack-type basis. We also provide some techniques when dealing with a principal ideal lattice basis, which can be seen as a special case of a low density modular knapsack-type basis. Keywords: Lattice Theory, Lattice Reduction, Knapsack Problem, LLL, Recursive Reduction, Ideal Lattice.
    [Show full text]
  • Making NTRU As Secure As Worst-Case Problems Over Ideal Lattices
    Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé1 and Ron Steinfeld2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d’Italie, 69364 Lyon Cedex 07, France. [email protected] – http://perso.ens-lyon.fr/damien.stehle 2 Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, NSW 2109, Australia [email protected] – http://web.science.mq.edu.au/~rons Abstract. NTRUEncrypt, proposed in 1996 by Hoffstein, Pipher and Sil- verman, is the fastest known lattice-based encryption scheme. Its mod- erate key-sizes, excellent asymptotic performance and conjectured resis- tance to quantum computers could make it a desirable alternative to fac- torisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields. Our main contribution is to show that if the se- cret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the R-LWE problem. Keywords. Lattice-based cryptography, NTRU, provable security. 1 Introduction NTRUEncrypt, devised by Hoffstein, Pipher and Silverman, was first presented at the Crypto’96 rump session [14]. Although its description relies on arithmetic n over the polynomial ring Zq[x]=(x − 1) for n prime and q a small integer, it was quickly observed that breaking it could be expressed as a problem over Euclidean lattices [6].
    [Show full text]
  • Lower Bounds on Lattice Sieving and Information Set Decoding
    Lower bounds on lattice sieving and information set decoding Elena Kirshanova1 and Thijs Laarhoven2 1Immanuel Kant Baltic Federal University, Kaliningrad, Russia [email protected] 2Eindhoven University of Technology, Eindhoven, The Netherlands [email protected] April 22, 2021 Abstract In two of the main areas of post-quantum cryptography, based on lattices and codes, nearest neighbor techniques have been used to speed up state-of-the-art cryptanalytic algorithms, and to obtain the lowest asymptotic cost estimates to date [May{Ozerov, Eurocrypt'15; Becker{Ducas{Gama{Laarhoven, SODA'16]. These upper bounds are useful for assessing the security of cryptosystems against known attacks, but to guarantee long-term security one would like to have closely matching lower bounds, showing that improvements on the algorithmic side will not drastically reduce the security in the future. As existing lower bounds from the nearest neighbor literature do not apply to the nearest neighbor problems appearing in this context, one might wonder whether further speedups to these cryptanalytic algorithms can still be found by only improving the nearest neighbor subroutines. We derive new lower bounds on the costs of solving the nearest neighbor search problems appearing in these cryptanalytic settings. For the Euclidean metric we show that for random data sets on the sphere, the locality-sensitive filtering approach of [Becker{Ducas{Gama{Laarhoven, SODA 2016] using spherical caps is optimal, and hence within a broad class of lattice sieving algorithms covering almost all approaches to date, their asymptotic time complexity of 20:292d+o(d) is optimal. Similar conditional optimality results apply to lattice sieving variants, such as the 20:265d+o(d) complexity for quantum sieving [Laarhoven, PhD thesis 2016] and previously derived complexity estimates for tuple sieving [Herold{Kirshanova{Laarhoven, PKC 2018].
    [Show full text]
  • Lattice Reduction in Two Dimensions: Analyses Under Realistic Probabilistic Models
    Lattice reduction in two dimensions : analyses under realistic probabilistic models Brigitte Vallée, Antonio Vera To cite this version: Brigitte Vallée, Antonio Vera. Lattice reduction in two dimensions : analyses under realistic proba- bilistic models. 2008. hal-00211495 HAL Id: hal-00211495 https://hal.archives-ouvertes.fr/hal-00211495 Preprint submitted on 21 Jan 2008 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Lattice reduction in two dimensions: analyses under realistic probabilistic models Brigitte Vallee´ and Antonio Vera CNRS UMR 6072, GREYC, Universite´ de Caen, F-14032 Caen, France The Gaussian algorithm for lattice reduction in dimension 2 is precisely analysed under a class of realistic probabilistic models, which are of interest when applying the Gauss algorithm “inside” the LLL algorithm. The proofs deal with the underlying dynamical systems and transfer operators. All the main parameters are studied: execution parameters which describe the behaviour of the algorithm itself as well as output parameters, which describe the geometry of reduced bases. Keywords: Lattice Reduction, Gauss’ algorithm, LLL algorithm, Euclid’s algorithm, probabilistic analysis of algo- rithms, Dynamical Systems, Dynamical analysis of Algorithms. 1 Introduction The lattice reduction problem consists in finding a short basis of a lattice of Euclidean space given an initially skew basis.
    [Show full text]
  • Algorithms for the Approximate Common Divisor Problem
    Algorithms for the Approximate Common Divisor Problem Steven D. Galbraith1, Shishay W. Gebregiyorgis1, and Sean Murphy2 1 Mathematics Department, University of Auckland, New Zealand. [email protected],[email protected] 2 Royal Holloway, University of London, UK. [email protected] Abstract. The security of several homomorphic encryption schemes depends on the hardness of the Approximate Common Divisor (ACD) problem. In this paper we review and compare existing algorithms to solve the ACD prob- lem using lattices. In particular we consider the simultaneous Diophantine approximation method, the orthogonal lattice method, and a method based on multivariate polynomials and Coppersmith’s algorithm that was studied in detail by Cohn and Heninger. One of our main goals is to compare the multivariate polynomial approach with other methods. We find that the multivariate polynomial approach is not better than the orthogonal lattice algorithm for practical cryptanalysis. Another contribution is to consider a sample-amplification technique for ACD samples, and to consider a pre- processing algorithm similar to the Blum-Kalai-Wasserman (BKW) algorithm for learning parity with noise. We explain why, unlike in other settings, the BKW algorithm does not give an improvement over the lattice algorithms. This is the full version of a paper published at ANTS-XII in 2016. Keywords: Approximate common divisors, lattice attacks, orthogonal lattice, Coppersmith’s method. 1 Introduction The approximate common divisor problem (ACD) was first studied by Howgrave-Graham [HG01]. Further inter- est in this problem was provided by the homomorphic encryption scheme of van Dijk, Gentry, Halevi and Vaikun- tanathan [DGHV10] and its variants [CMNT11,CNT12,CS15].
    [Show full text]
  • A Hybrid Lattice-Reduction and Meet-In-The-Middle Attack Against NTRU
    A hybrid lattice-reduction and meet-in-the-middle attack against NTRU Nick Howgrave-Graham [email protected] NTRU Cryptosystems, Inc. Abstract. To date the NTRUEncrypt security parameters have been based on the existence of two types of attack: a meet-in-the-middle at- tack due to Odlyzko, and a conservative extrapolation of the running times of the best (known) lattice reduction schemes to recover the private key. We show that there is in fact a continuum of more efficient attacks between these two attacks. We show that by combining lattice reduction and a meet-in-the-middle strategy one can reduce the number of loops in attacking the NTRUEncrypt private key from 284.2 to 260.3, for the k = 80 parameter set. In practice the attack is still expensive (depen- dent on ones choice of cost-metric), although there are certain space/time tradeoffs that can be applied. Asymptotically our attack remains expo- nential in the security parameter k, but it dictates that NTRUEncrypt parameters must be chosen so that the meet-in-the-middle attack has complexity 2k even after an initial lattice basis reduction of complexity 2k. 1 Introduction It is well known that the closest vector problem (CVP) can be solved efficiently in the case that the given point in space is very close to a lattice vector [7, 18]. If this CVP algorithm takes time t and a set S has the property that it includes at least one point v0 S which is very close to a lattice vector, then clearly v0 can be found in time O∈( S t) by exhaustively enumerating the set S.
    [Show full text]
  • Algorithms for the Densest Sub-Lattice Problem
    Algorithms for the Densest Sub-Lattice Problem Daniel Dadush∗ Daniele Micciancioy December 24, 2012 Abstract We give algorithms for computing the densest k-dimensional sublattice of an arbitrary lattice, and related problems. This is an important problem in the algorithmic geometry of numbers that includes as special cases Rankin’s problem (which corresponds to the densest sublattice problem with respect to the Euclidean norm, and has applications to the design of lattice reduction algorithms), and the shortest vector problem for arbitrary norms (which corresponds to setting k = 1) and its dual (k = n − 1). Our algorithm works for any norm and has running time kO(k·n) and uses 2n poly(n) space. In particular, the algorithm runs in single exponential time 2O(n) for any constant k = O(1). ∗Georgia Tech. Atlanta, GA, USA. Email: [email protected] yUniversity of California, San Diego. 9500 Gilman Dr., Mail Code 0404, La Jolla, CA 92093, USA. Email: [email protected]. This work was supported in part by NSF grant CNS-1117936. Any opinions, findings, and con- clusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. 1 Introduction n A lattice is a discrete subgroup of R . Computational problems on lattices play an important role in many areas of computer science, mathematics and engineering, including cryptography, cryptanalysis, combinatorial optimization, communication theory and algebraic number theory. The most famous problem on lattices is the shortest vector problem (SVP), which asks to find the shortest nonzero vector in an input lattice.
    [Show full text]