SLIDE 1
Challenges in evaluating costs of known lattice attacks
Daniel J. Bernstein, Tanja Lange
Based on attack survey from 2019 Bernstein–Chuengsatiansup–Lange–van Vredendaal.
Why analysis is important:
- Guide attack optimization.
- Guide attack selection.
- Evaluate crypto parameters.
- Evaluate crypto designs.
- Advise users on security.

SLIDE 2
Three typical attack problems
Define R = Z[x]/(x^761 − x − 1); “small” = all coeffs in {−1, 0, 1}; w = 286; q = 4591.
Attacker wants to find small weight-w secret a ∈ R.
Problem 1: Public G ∈ R/q with aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R/q and aG + e. Small secret e ∈ R.
Problem 3: Public G1, G2 ∈ R/q. Public aG1 + e1, aG2 + e2. Small secrets e1, e2 ∈ R.
SLIDE 3
Examples of target cryptosystems
Secret key: small a, small e.
Public key reveals multiplier G and approximation A = aG + e.
Public key for “NTRU”: G = −e/a, and A = 0.
Public key for “Ring-LWE”: random G, and A = aG + e.
Systematization of naming, recognizing similarity + credits: “NTRU” ⇒ Quotient NTRU. “Ring-LWE” ⇒ Product NTRU.
SLIDE 4
Encryption for Quotient NTRU: Input small b, small d. Ciphertext: B = 3Gb + d.
Encryption for Product NTRU: Input encoded message M. Randomly generate small b, small d, small c. Ciphertext: B = Gb + d and C = Ab + M + c.
Next slides: survey of G, a, e, c, M details and variants in NISTPQC submissions. Source: Bernstein, “Comparing proofs of security for lattice-based encryption”.
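As an added example (not code from the talk, the survey, or any NISTPQC submission), the Product NTRU key and ciphertext shapes from slides 3 and 4 in Python, over the slide-2 ring R = Z[x]/(x^761 − x − 1) with q = 4591 and a weight-286 secret a; the bit encoding M = bit·⌈q/2⌉, the ternary sampling of b, d, c and the decoder threshold q/4 are assumptions made here. The public key (G, A) it produces is exactly the public data of Problem 2, and the decryption step shows why the noise eb − ad + c has to stay small.

```python
import random

# Parameters from slide 2: R = Z[x]/(x^N - x - 1), coefficients mod Q,
# the secret a has exactly W nonzero coefficients in {-1, 1}.
N, Q, W = 761, 4591, 286
HALF_Q = (Q + 1) // 2  # encoding of a 1 bit (assumed here, not from the slides)


def mul(f, g, n=N):
    """Product of f and g in Z[x]/(x^n - x - 1) with integer coefficients.
    Zero coefficients of f are skipped, so pass the sparser factor first."""
    prod = [0] * (2 * n - 1)
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                prod[i + j] += fi * gj
    # Reduce: x^n = x + 1, hence x^k = x^(k-n+1) + x^(k-n) for k >= n.
    # Going from the top down, every folded term lands below index n.
    for k in range(2 * n - 2, n - 1, -1):
        c = prod[k]
        if c:
            prod[k - n + 1] += c
            prod[k - n] += c
    return prod[:n]


def center(f, q=Q):
    """Reduce mod q into the symmetric range (-q/2, q/2]."""
    return [(x + q // 2) % q - q // 2 for x in f]


def small_random(rng, n=N):
    """'Small' element: every coefficient uniform in {-1, 0, 1} (assumed sampler)."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def small_weight(rng, w=W, n=N):
    """Small element with exactly w nonzero coefficients (the secret a)."""
    f = [0] * n
    for i in rng.sample(range(n), w):
        f[i] = rng.choice((-1, 1))
    return f


def weight(f):
    return sum(1 for x in f if x)


def keygen(rng):
    """Product NTRU key: public (G, A) with A = aG + e, secret small a.
    (G, A) is exactly the public data of Problem 2 on slide 2."""
    G = [rng.randrange(Q) for _ in range(N)]
    a = small_weight(rng)
    e = small_random(rng)
    A = [(x + y) % Q for x, y in zip(mul(a, G), e)]
    return (G, A), a


def key_noise(G, A, a):
    """e = A - aG, centered; small by construction (the 'approximation')."""
    return center([x - y for x, y in zip(A, mul(a, G))])


def encrypt(pk, bits, rng):
    """Slide 4, Product NTRU: B = Gb + d, C = Ab + M + c with small b, d, c."""
    G, A = pk
    M = [HALF_Q * bit for bit in bits]  # assumed bit encoding
    b, d, c = small_random(rng), small_random(rng), small_random(rng)
    B = [(x + y) % Q for x, y in zip(mul(b, G), d)]
    C = [(x + y + z) % Q for x, y, z in zip(mul(b, A), M, c)]
    return B, C


def decrypt(a, B, C):
    """C - aB = M + (eb - ad + c); recover each bit from the centered value.
    The noise stays far below q/4 for these parameters, so the decision is clean."""
    D = center([x - y for x, y in zip(C, mul(a, B))])
    return [1 if abs(x) > Q // 4 else 0 for x in D]


def demo(seed=1):
    """One full round trip with the slide parameters; returns checkable facts."""
    rng = random.Random(seed)
    pk, a = keygen(rng)
    e = key_noise(pk[0], pk[1], a)
    bits = [rng.randrange(2) for _ in range(N)]
    B, C = encrypt(pk, bits, rng)
    return {
        "secret_weight": weight(a),
        "key_noise_small": all(abs(x) <= 1 for x in e),
        "roundtrip_ok": decrypt(a, B, C) == bits,
    }


if __name__ == "__main__":
    print(demo())
```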
SLIDE 5
system | parameter set | type | set of multipliers
frodo | 640 | Product | (Z/32768)^{640×640}
frodo | 976 | Product | (Z/65536)^{976×976}
frodo | 1344 | Product | (Z/65536)^{1344×1344}
kyber | 512 | Product | ((Z/3329)[x]/(x^256 + 1))^{2×2}
kyber | 768 | Product | ((Z/3329)[x]/(x^256 + 1))^{3×3}
kyber | 1024 | Product | ((Z/3329)[x]/(x^256 + 1))^{4×4}
lac | 128 | Product | (Z/251)[x]/(x^512 + 1)
lac | 192 | Product | (Z/251)[x]/(x^1024 + 1)
lac | 256 | Product | (Z/251)[x]/(x^1024 + 1)
newhope | 512 | Product | (Z/12289)[x]/(x^512 + 1)
newhope | 1024 | Product | (Z/12289)[x]/(x^1024 + 1)
ntru | hps2048509 | Quotient | (Z/2048)[x]/(x^509 − 1)
ntru | hps2048677 | Quotient | (Z/2048)[x]/(x^677 − 1)
ntru | hps4096821 | Quotient | (Z/4096)[x]/(x^821 − 1)
ntru | hrss701 | Quotient | (Z/8192)[x]/(x^701 − 1)
ntrulpr | 653 | Product | (Z/4621)[x]/(x^653 − x − 1)
ntrulpr | 761 | Product | (Z/4591)[x]/(x^761 − x − 1)
ntrulpr | 857 | Product | (Z/5167)[x]/(x^857 − x − 1)
round5n1 | 1 | Product | (Z/4096)^{636×636}
round5n1 | 3 | Product | (Z/32768)^{876×876}
round5n1 | 5 | Product | (Z/32768)^{1217×1217}
round5nd | 1.0d | Product | (Z/8192)[x]/(x^586 + ⋯ + 1)
round5nd | 3.0d | Product | (Z/4096)[x]/(x^852 + ⋯ + 1)
round5nd | 5.0d | Product | (Z/8192)[x]/(x^1170 + ⋯ + 1)
round5nd | 1.5d | Product | (Z/1024)[x]/(x^509 − 1)
round5nd | 3.5d | Product | (Z/4096)[x]/(x^757 − 1)
round5nd | 5.5d | Product | (Z/2048)[x]/(x^947 − 1)
saber | light | Product | ((Z/8192)[x]/(x^256 + 1))^{2×2}
saber | main | Product | ((Z/8192)[x]/(x^256 + 1))^{3×3}
saber | fire | Product | ((Z/8192)[x]/(x^256 + 1))^{4×4}
sntrup | 653 | Quotient | (Z/4621)[x]/(x^653 − x − 1)
sntrup | 761 | Quotient | (Z/4591)[x]/(x^761 − x − 1)
sntrup | 857 | Quotient | (Z/5167)[x]/(x^857 − x − 1)
threebears | baby | Product | (Z/(2^3120 − 2^1560 − 1))^{2×2}
threebears | mama | Product | (Z/(2^3120 − 2^1560 − 1))^{3×3}
threebears | papa | Product | (Z/(2^3120 − 2^1560 − 1))^{4×4}
SLIDE 6
system | parameter set | short element
frodo | 640 | Z^{640×8}, {−12, …, 12}, Pr 1, 4, 17, … (spec page 23)
frodo | 976 | Z^{976×8}, {−10, …, 10}, Pr 1, 6, 29, … (spec page 23)
frodo | 1344 | Z^{1344×8}, {−6, …, 6}, Pr 2, 40, 364, … (spec page 23)
kyber | 512 | (Z[x]/(x^256 + 1))^2, Σ_{0≤i<4} {−0.5, 0.5}
kyber | 768 | (Z[x]/(x^256 + 1))^3, Σ_{0≤i<4} {−0.5, 0.5}
kyber | 1024 | (Z[x]/(x^256 + 1))^4, Σ_{0≤i<4} {−0.5, 0.5}
lac | 128 | Z[x]/(x^512 + 1), {−1, 0, 1}, Pr 1, 2, 1, weight 128, 128
lac | 192 | Z[x]/(x^1024 + 1), {−1, 0, 1}, Pr 1, 6, 1, weight 128, 128
lac | 256 | Z[x]/(x^1024 + 1), {−1, 0, 1}, Pr 1, 2, 1, weight 256, 256
newhope | 512 | Z[x]/(x^512 + 1), Σ_{0≤i<16} {−0.5, 0.5}
newhope | 1024 | Z[x]/(x^1024 + 1), Σ_{0≤i<16} {−0.5, 0.5}
ntru | hps2048509 | Z[x]/(x^509 − 1), {−1, 0, 1}
ntru | hps2048677 | Z[x]/(x^677 − 1), {−1, 0, 1}
ntru | hps4096821 | Z[x]/(x^821 − 1), {−1, 0, 1}
ntru | hrss701 | Z[x]/(x^701 − 1), {−1, 0, 1}, key correlation ≥ 0
ntrulpr | 653 | Z[x]/(x^653 − x − 1), {−1, 0, 1}, weight 252
ntrulpr | 761 | Z[x]/(x^761 − x − 1), {−1, 0, 1}, weight 250
ntrulpr | 857 | Z[x]/(x^857 − x − 1), {−1, 0, 1}, weight 281
round5n1 | 1 | Z^{636×8}, {−1, 0, 1}, weight 57, 57
round5n1 | 3 | Z^{876×8}, {−1, 0, 1}, weight 223, 223
round5n1 | 5 | Z^{1217×8}, {−1, 0, 1}, weight 231, 231
round5nd | 1.0d | Z[x]/(x^586 + ⋯ + 1), {−1, 0, 1}, weight 91, 91
round5nd | 3.0d | Z[x]/(x^852 + ⋯ + 1), {−1, 0, 1}, weight 106, 106
round5nd | 5.0d | Z[x]/(x^1170 + ⋯ + 1), {−1, 0, 1}, weight 111, 111
round5nd | 1.5d | Z[x]/(x^509 − 1), {−1, 0, 1}, weight 68, 68, ending 0
round5nd | 3.5d | Z[x]/(x^757 − 1), {−1, 0, 1}, weight 121, 121, ending 0
round5nd | 5.5d | Z[x]/(x^947 − 1), {−1, 0, 1}, weight 194, 194, ending 0
saber | light | (Z[x]/(x^256 + 1))^2, Σ_{0≤i<10} {−0.5, 0.5}
saber | main | (Z[x]/(x^256 + 1))^3, Σ_{0≤i<8} {−0.5, 0.5}
saber | fire | (Z[x]/(x^256 + 1))^4, Σ_{0≤i<6} {−0.5, 0.5}
sntrup | 653 | Z[x]/(x^653 − x − 1), {−1, 0, 1}, weight 288
sntrup | 761 | Z[x]/(x^761 − x − 1), {−1, 0, 1}, weight 286
sntrup | 857 | Z[x]/(x^857 − x − 1), {−1, 0, 1}, weight 322
threebears | baby | Z^2, Σ_{0≤i<312} 2^{10i} {−2, −1, 0, 1, 2}, Pr 1, 32, 62, 32, 1, *
threebears | mama | Z^3, Σ_{0≤i<312} 2^{10i} {−1, 0, 1}, Pr 13, 38, 13, *
threebears | papa | Z^4, Σ_{0≤i<312} 2^{10i} {−1, 0, 1}, Pr 5, 22, 5, *
key offset (numerator or noise or rounding Z640×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : Z976×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : Z1344×8; {−6; : : : ; 6}; Pr 2; 40; 364; : (Z[x]=(x256 + 1))2; P
0≤i<4{−0:5; 0
(Z[x]=(x256 + 1))3; P
0≤i<4{−0:5; 0
(Z[x]=(x256 + 1))4; P
0≤i<4{−0:5; 0
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1; Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:
Z[x]=(x509 − 1); {−1; 0; 1}; weight 127 Z[x]=(x677 − 1); {−1; 0; 1}; weight 127 Z[x]=(x821 − 1); {−1; 0; 1}; weight 255 Z[x]=(x701 − 1); {−1; 0; 1}; key corr round {−2310; : : : ; 2310} to 3Z round {−2295; : : : ; 2295} to 3Z round {−2583; : : : ; 2583} to 3Z round Z=4096 to 8Z round Z=32768 to 16Z round Z=32768 to 8Z round Z=8192 to 16Z round Z=4096 to 8Z round Z=8192 to 16Z reduce mod x508 + : : : + 1; round Z= reduce mod x756 + : : : + 1; round Z= reduce mod x946 + : : : + 1; round Z= round Z=8192 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z Z[x]=(x653 − x − 1); {−1; 0; 1}; invertible Z[x]=(x761 − x − 1); {−1; 0; 1}; invertible Z[x]=(x857 − x − 1); {−1; 0; 1}; invertible Z2; P
0≤i<312 210i {−2; −1; 0; 1; 2};
Z3; P
0≤i<312 210i {−1; 0; 1}; Pr 13;
Z4; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22
SLIDE 24 5
1344 256 + 1))2×2 256 + 1))3×3 256 + 1))4×4
+ 1) + 1) + 1)
512 + 1) 1024 + 1)
− 1) − 1) − 1) − 1) − x − 1) − x − 1) − x − 1)
1217
+ : : : + 1) + : : : + 1)
1170 + : : : + 1)
− 1) − 1) − 1)
256 + 1))2×2 256 + 1))3×3 256 + 1))4×4
− x − 1) − x − 1) − x − 1) − 1))2×2 − 1))3×3 − 1))4×4
6
short element Z640×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z976×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z1344×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) (Z[x]=(x256 + 1))2; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x509 − 1); {−1; 0; 1} Z[x]=(x677 − 1); {−1; 0; 1} Z[x]=(x821 − 1); {−1; 0; 1} Z[x]=(x701 − 1); {−1; 0; 1}; key correlation ≥ 0 Z[x]=(x653 − x − 1); {−1; 0; 1}; weight 252 Z[x]=(x761 − x − 1); {−1; 0; 1}; weight 250 Z[x]=(x857 − x − 1); {−1; 0; 1}; weight 281 Z636×8; {−1; 0; 1}; weight 57; 57 Z876×8; {−1; 0; 1}; weight 223; 223 Z1217×8; {−1; 0; 1}; weight 231; 231 Z[x]=(x586 + : : : + 1); {−1; 0; 1}; weight 91; 91 Z[x]=(x852 + : : : + 1); {−1; 0; 1}; weight 106; 106 Z[x]=(x1170 + : : : + 1); {−1; 0; 1}; weight 111; 111 Z[x]=(x509 − 1); {−1; 0; 1}; weight 68; 68; ending 0 Z[x]=(x757 − 1); {−1; 0; 1}; weight 121; 121; ending 0 Z[x]=(x947 − 1); {−1; 0; 1}; weight 194; 194; ending 0 (Z[x]=(x256 + 1))2; P
0≤i<10{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<8{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<6{−0:5; 0:5}
Z[x]=(x653 − x − 1); {−1; 0; 1}; weight 288 Z[x]=(x761 − x − 1); {−1; 0; 1}; weight 286 Z[x]=(x857 − x − 1); {−1; 0; 1}; weight 322 Z2; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z3; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z4; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
key offset (numerator or noise or rounding method) Z640×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z976×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z1344×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) (Z[x]=(x256 + 1))2; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x509 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x677 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x821 − 1); {−1; 0; 1}; weight 255; 255 Z[x]=(x701 − 1); {−1; 0; 1}; key correlation ≥ 0; ·(x − 1) round {−2310; : : : ; 2310} to 3Z round {−2295; : : : ; 2295} to 3Z round {−2583; : : : ; 2583} to 3Z round Z=4096 to 8Z round Z=32768 to 16Z round Z=32768 to 8Z round Z=8192 to 16Z round Z=4096 to 8Z round Z=8192 to 16Z reduce mod x508 + : : : + 1; round Z=1024 to 8Z reduce mod x756 + : : : + 1; round Z=4096 to 16Z reduce mod x946 + : : : + 1; round Z=2048 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z Z[x]=(x653 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x761 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x857 − x − 1); {−1; 0; 1}; invertible mod 3 Z2; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z3; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z4; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
SLIDE 25 6
short element Z640×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z976×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z1344×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) (Z[x]=(x256 + 1))2; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x509 − 1); {−1; 0; 1} Z[x]=(x677 − 1); {−1; 0; 1} Z[x]=(x821 − 1); {−1; 0; 1} Z[x]=(x701 − 1); {−1; 0; 1}; key correlation ≥ 0 Z[x]=(x653 − x − 1); {−1; 0; 1}; weight 252 Z[x]=(x761 − x − 1); {−1; 0; 1}; weight 250 Z[x]=(x857 − x − 1); {−1; 0; 1}; weight 281 Z636×8; {−1; 0; 1}; weight 57; 57 Z876×8; {−1; 0; 1}; weight 223; 223 Z1217×8; {−1; 0; 1}; weight 231; 231 Z[x]=(x586 + : : : + 1); {−1; 0; 1}; weight 91; 91 Z[x]=(x852 + : : : + 1); {−1; 0; 1}; weight 106; 106 Z[x]=(x1170 + : : : + 1); {−1; 0; 1}; weight 111; 111 Z[x]=(x509 − 1); {−1; 0; 1}; weight 68; 68; ending 0 Z[x]=(x757 − 1); {−1; 0; 1}; weight 121; 121; ending 0 Z[x]=(x947 − 1); {−1; 0; 1}; weight 194; 194; ending 0 (Z[x]=(x256 + 1))2; P
0≤i<10{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<8{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<6{−0:5; 0:5}
Z[x]=(x653 − x − 1); {−1; 0; 1}; weight 288 Z[x]=(x761 − x − 1); {−1; 0; 1}; weight 286 Z[x]=(x857 − x − 1); {−1; 0; 1}; weight 322 Z2; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z3; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z4; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
7
key offset (numerator or noise or rounding method) Z640×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z976×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z1344×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) (Z[x]=(x256 + 1))2; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x509 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x677 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x821 − 1); {−1; 0; 1}; weight 255; 255 Z[x]=(x701 − 1); {−1; 0; 1}; key correlation ≥ 0; ·(x − 1) round {−2310; : : : ; 2310} to 3Z round {−2295; : : : ; 2295} to 3Z round {−2583; : : : ; 2583} to 3Z round Z=4096 to 8Z round Z=32768 to 16Z round Z=32768 to 8Z round Z=8192 to 16Z round Z=4096 to 8Z round Z=8192 to 16Z reduce mod x508 + : : : + 1; round Z=1024 to 8Z reduce mod x756 + : : : + 1; round Z=4096 to 16Z reduce mod x946 + : : : + 1; round Z=2048 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z Z[x]=(x653 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x761 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x857 − x − 1); {−1; 0; 1}; invertible mod 3 Z2; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z3; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z4; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
SLIDE 26 6
: : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) 1))2; P
0≤i<4{−0:5; 0:5}
1))3; P
0≤i<4{−0:5; 0:5}
1))4; P
0≤i<4{−0:5; 0:5}
1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 1); P
0≤i<16{−0:5; 0:5}
1); P
0≤i<16{−0:5; 0:5}
1); {−1; 0; 1} 1); {−1; 0; 1} 1); {−1; 0; 1} 1); {−1; 0; 1}; key correlation ≥ 0 − 1); {−1; 0; 1}; weight 252 − 1); {−1; 0; 1}; weight 250 − 1); {−1; 0; 1}; weight 281 ; 1}; weight 57; 57 ; 1}; weight 223; 223 0; 1}; weight 231; 231 : : + 1); {−1; 0; 1}; weight 91; 91 : : + 1); {−1; 0; 1}; weight 106; 106 : : : + 1); {−1; 0; 1}; weight 111; 111 1); {−1; 0; 1}; weight 68; 68; ending 0 1); {−1; 0; 1}; weight 121; 121; ending 0 1); {−1; 0; 1}; weight 194; 194; ending 0 1))2; P
0≤i<10{−0:5; 0:5}
1))3; P
0≤i<8{−0:5; 0:5}
1))4; P
0≤i<6{−0:5; 0:5}
− 1); {−1; 0; 1}; weight 288 − 1); {−1; 0; 1}; weight 286 − 1); {−1; 0; 1}; weight 322 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; * 210i {−1; 0; 1}; Pr 13; 38; 13; * 210i {−1; 0; 1}; Pr 5; 22; 5; *
7
key offset (numerator or noise or rounding method) Z640×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z976×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z1344×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) (Z[x]=(x256 + 1))2; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x509 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x677 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x821 − 1); {−1; 0; 1}; weight 255; 255 Z[x]=(x701 − 1); {−1; 0; 1}; key correlation ≥ 0; ·(x − 1) round {−2310; : : : ; 2310} to 3Z round {−2295; : : : ; 2295} to 3Z round {−2583; : : : ; 2583} to 3Z round Z=4096 to 8Z round Z=32768 to 16Z round Z=32768 to 8Z round Z=8192 to 16Z round Z=4096 to 8Z round Z=8192 to 16Z reduce mod x508 + : : : + 1; round Z=1024 to 8Z reduce mod x756 + : : : + 1; round Z=4096 to 16Z reduce mod x946 + : : : + 1; round Z=2048 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z Z[x]=(x653 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x761 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x857 − x − 1); {−1; 0; 1}; invertible mod 3 Z2; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z3; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z4; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
ciphertext offset Z8×8; {−12; : : : ; Z8×8; {−10; : : : ; Z8×8; {−6; : : : ; 6 Z[x]=(x256 + 1); Z[x]=(x256 + 1); Z[x]=(x256 + 1); Z[x]=(x512 + 1); Z[x]=(x1024 + 1); Z[x]=(x1024 + 1); Z[x]=(x512 + 1); Z[x]=(x1024 + 1); not applicable not applicable not applicable not applicable bottom 256 coeffs; bottom 256 coeffs; bottom 256 coeffs; round Z=4096 to round Z=32768 to round Z=32768 to bottom 128 coeffs; bottom 192 coeffs; bottom 256 coeffs; bottom 318 coeffs; bottom 410 coeffs; bottom 490 coeffs; round Z=8192 to round Z=8192 to round Z=8192 to not applicable not applicable not applicable Z; P
0≤i<312 210
Z; P
0≤i<312 210
Z; P
0≤i<312 210
SLIDE 27 6
; : : : (spec page 23) ; : : : (spec page 23) 364; : : : (spec page 23) ; 0:5} ; 0:5} ; 0:5} 2; 1; weight 128; 128 6; 1; weight 128; 128 2; 1; weight 256; 256 :5} 0:5} rrelation ≥ 0 eight 252 eight 250 eight 281 223 231 weight 91; 91 weight 106; 106 ; weight 111; 111 eight 68; 68; ending 0 eight 121; 121; ending 0 eight 194; 194; ending 0 5; 0:5} ; 0:5} ; 0:5} eight 288 eight 286 eight 322 }; Pr 1; 32; 62; 32; 1; * 13; 38; 13; * ; 22; 5; *
7
key offset (numerator or noise or rounding method) Z640×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z976×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z1344×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) (Z[x]=(x256 + 1))2; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x509 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x677 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x821 − 1); {−1; 0; 1}; weight 255; 255 Z[x]=(x701 − 1); {−1; 0; 1}; key correlation ≥ 0; ·(x − 1) round {−2310; : : : ; 2310} to 3Z round {−2295; : : : ; 2295} to 3Z round {−2583; : : : ; 2583} to 3Z round Z=4096 to 8Z round Z=32768 to 16Z round Z=32768 to 8Z round Z=8192 to 16Z round Z=4096 to 8Z round Z=8192 to 16Z reduce mod x508 + : : : + 1; round Z=1024 to 8Z reduce mod x756 + : : : + 1; round Z=4096 to 16Z reduce mod x946 + : : : + 1; round Z=2048 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z Z[x]=(x653 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x761 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x857 − x − 1); {−1; 0; 1}; invertible mod 3 Z2; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z3; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z4; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
ciphertext offset (noise or rounding metho Z8×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : Z8×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : Z8×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:
not applicable not applicable not applicable not applicable bottom 256 coeffs; z → ⌊(114(z + 2156) bottom 256 coeffs; z → ⌊(113(z + 2175) bottom 256 coeffs; z → ⌊(101(z + 2433) round Z=4096 to 64Z round Z=32768 to 512Z round Z=32768 to 64Z bottom 128 coeffs; round Z=8192 to bottom 192 coeffs; round Z=4096 to bottom 256 coeffs; round Z=8192 to bottom 318 coeffs; round Z=1024 to bottom 410 coeffs; round Z=4096 to bottom 490 coeffs; round Z=2048 to round Z=8192 to 1024Z round Z=8192 to 512Z round Z=8192 to 128Z not applicable not applicable not applicable Z; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22
SLIDE 28 6
128 256 *
7
key offset (numerator or noise or rounding method) Z640×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z976×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z1344×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) (Z[x]=(x256 + 1))2; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x509 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x677 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x821 − 1); {−1; 0; 1}; weight 255; 255 Z[x]=(x701 − 1); {−1; 0; 1}; key correlation ≥ 0; ·(x − 1) round {−2310; : : : ; 2310} to 3Z round {−2295; : : : ; 2295} to 3Z round {−2583; : : : ; 2583} to 3Z round Z=4096 to 8Z round Z=32768 to 16Z round Z=32768 to 8Z round Z=8192 to 16Z round Z=4096 to 8Z round Z=8192 to 16Z reduce mod x508 + : : : + 1; round Z=1024 to 8Z reduce mod x756 + : : : + 1; round Z=4096 to 16Z reduce mod x946 + : : : + 1; round Z=2048 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z Z[x]=(x653 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x761 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x857 − x − 1); {−1; 0; 1}; invertible mod 3 Z2; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z3; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z4; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
ciphertext offset (noise or rounding method) Z8×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z8×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z8×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
not applicable not applicable not applicable not applicable bottom 256 coeffs; z → ⌊(114(z + 2156) + 16384)=32768 bottom 256 coeffs; z → ⌊(113(z + 2175) + 16384)=32768 bottom 256 coeffs; z → ⌊(101(z + 2433) + 16384)=32768 round Z=4096 to 64Z round Z=32768 to 512Z round Z=32768 to 64Z bottom 128 coeffs; round Z=8192 to 512Z bottom 192 coeffs; round Z=4096 to 128Z bottom 256 coeffs; round Z=8192 to 256Z bottom 318 coeffs; round Z=1024 to 64Z bottom 410 coeffs; round Z=4096 to 512Z bottom 490 coeffs; round Z=2048 to 64Z round Z=8192 to 1024Z round Z=8192 to 512Z round Z=8192 to 128Z not applicable not applicable not applicable Z; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
SLIDE 29 7
key offset (numerator or noise or rounding method) Z640×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z976×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z1344×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) (Z[x]=(x256 + 1))2; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))3; P
0≤i<4{−0:5; 0:5}
(Z[x]=(x256 + 1))4; P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x509 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x677 − 1); {−1; 0; 1}; weight 127; 127 Z[x]=(x821 − 1); {−1; 0; 1}; weight 255; 255 Z[x]=(x701 − 1); {−1; 0; 1}; key correlation ≥ 0; ·(x − 1) round {−2310; : : : ; 2310} to 3Z round {−2295; : : : ; 2295} to 3Z round {−2583; : : : ; 2583} to 3Z round Z=4096 to 8Z round Z=32768 to 16Z round Z=32768 to 8Z round Z=8192 to 16Z round Z=4096 to 8Z round Z=8192 to 16Z reduce mod x508 + : : : + 1; round Z=1024 to 8Z reduce mod x756 + : : : + 1; round Z=4096 to 16Z reduce mod x946 + : : : + 1; round Z=2048 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z round Z=8192 to 8Z Z[x]=(x653 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x761 − x − 1); {−1; 0; 1}; invertible mod 3 Z[x]=(x857 − x − 1); {−1; 0; 1}; invertible mod 3 Z2; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z3; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z4; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
8
ciphertext offset (noise or rounding method) Z8×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z8×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z8×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
not applicable not applicable not applicable not applicable bottom 256 coeffs; z → ⌊(114(z + 2156) + 16384)=32768⌋ bottom 256 coeffs; z → ⌊(113(z + 2175) + 16384)=32768⌋ bottom 256 coeffs; z → ⌊(101(z + 2433) + 16384)=32768⌋ round Z=4096 to 64Z round Z=32768 to 512Z round Z=32768 to 64Z bottom 128 coeffs; round Z=8192 to 512Z bottom 192 coeffs; round Z=4096 to 128Z bottom 256 coeffs; round Z=8192 to 256Z bottom 318 coeffs; round Z=1024 to 64Z bottom 410 coeffs; round Z=4096 to 512Z bottom 490 coeffs; round Z=2048 to 64Z round Z=8192 to 1024Z round Z=8192 to 512Z round Z=8192 to 128Z not applicable not applicable not applicable Z; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
SLIDE 30 7
(numerator or noise or rounding method) : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) 1))2; P
0≤i<4{−0:5; 0:5}
1))3; P
0≤i<4{−0:5; 0:5}
1))4; P
0≤i<4{−0:5; 0:5}
1); {−1; 0; 1}; Pr 1; 2; 1; weight 128; 128 1); {−1; 0; 1}; Pr 1; 6; 1; weight 128; 128 1); {−1; 0; 1}; Pr 1; 2; 1; weight 256; 256 1); P
0≤i<16{−0:5; 0:5}
1); P
0≤i<16{−0:5; 0:5}
1); {−1; 0; 1}; weight 127; 127 1); {−1; 0; 1}; weight 127; 127 1); {−1; 0; 1}; weight 255; 255 1); {−1; 0; 1}; key correlation ≥ 0; ·(x − 1) ; : : : ; 2310} to 3Z ; : : : ; 2295} to 3Z ; : : : ; 2583} to 3Z to 8Z 32768 to 16Z 32768 to 8Z to 16Z to 8Z to 16Z
508 + : : : + 1; round Z=1024 to 8Z 756 + : : : + 1; round Z=4096 to 16Z 946 + : : : + 1; round Z=2048 to 8Z
to 8Z to 8Z to 8Z − 1); {−1; 0; 1}; invertible mod 3 − 1); {−1; 0; 1}; invertible mod 3 − 1); {−1; 0; 1}; invertible mod 3 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; * 210i {−1; 0; 1}; Pr 13; 38; 13; * 210i {−1; 0; 1}; Pr 5; 22; 5; *
8
ciphertext offset (noise or rounding method) Z8×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z8×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z8×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
not applicable not applicable not applicable not applicable bottom 256 coeffs; z → ⌊(114(z + 2156) + 16384)=32768⌋ bottom 256 coeffs; z → ⌊(113(z + 2175) + 16384)=32768⌋ bottom 256 coeffs; z → ⌊(101(z + 2433) + 16384)=32768⌋ round Z=4096 to 64Z round Z=32768 to 512Z round Z=32768 to 64Z bottom 128 coeffs; round Z=8192 to 512Z bottom 192 coeffs; round Z=4096 to 128Z bottom 256 coeffs; round Z=8192 to 256Z bottom 318 coeffs; round Z=1024 to 64Z bottom 410 coeffs; round Z=4096 to 512Z bottom 490 coeffs; round Z=2048 to 64Z round Z=8192 to 1024Z round Z=8192 to 512Z round Z=8192 to 128Z not applicable not applicable not applicable Z; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
set of encoded messages 8 × 8 matrix over 8 × 8 matrix over 8 × 8 matrix over P
0≤i<256{0; 1665
P
0≤i<256{0; 1665
P
0≤i<256{0; 1665
256-dim subcode 256-dim subcode 256-dim subcode P
0≤i<256{0; 6145
P
0≤i<256{0; 6145
not applicable not applicable not applicable not applicable P
0≤i<256{0; 2310
P
0≤i<256{0; 2295
P
0≤i<256{0; 2583
8 × 8 matrix over 8 × 8 matrix over 8 × 8 matrix over P
0≤i<128{0; 4096
P
0≤i<192{0; 2048
P
0≤i<256{0; 4096
128-dim subcode 192-dim subcode 256-dim subcode P
0≤i<256{0; 4096
P
0≤i<256{0; 4096
P
0≤i<256{0; 4096
not applicable not applicable not applicable 256-dim subcode 256-dim subcode 256-dim subcode
SLIDE 31 7
rounding method) ; : : : (spec page 23) ; : : : (spec page 23) 364; : : : (spec page 23) ; 0:5} ; 0:5} ; 0:5} 2; 1; weight 128; 128 6; 1; weight 128; 128 2; 1; weight 256; 256 :5} 0:5} eight 127; 127 eight 127; 127 eight 255; 255 rrelation ≥ 0; ·(x − 1) Z=1024 to 8Z Z=4096 to 16Z Z=2048 to 8Z invertible mod 3 invertible mod 3 invertible mod 3 }; Pr 1; 32; 62; 32; 1; * 13; 38; 13; * ; 22; 5; *
8
ciphertext offset (noise or rounding method) Z8×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z8×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z8×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
not applicable not applicable not applicable not applicable bottom 256 coeffs; z → ⌊(114(z + 2156) + 16384)=32768⌋ bottom 256 coeffs; z → ⌊(113(z + 2175) + 16384)=32768⌋ bottom 256 coeffs; z → ⌊(101(z + 2433) + 16384)=32768⌋ round Z=4096 to 64Z round Z=32768 to 512Z round Z=32768 to 64Z bottom 128 coeffs; round Z=8192 to 512Z bottom 192 coeffs; round Z=4096 to 128Z bottom 256 coeffs; round Z=8192 to 256Z bottom 318 coeffs; round Z=1024 to 64Z bottom 410 coeffs; round Z=4096 to 512Z bottom 490 coeffs; round Z=2048 to 64Z round Z=8192 to 1024Z round Z=8192 to 512Z round Z=8192 to 128Z not applicable not applicable not applicable Z; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
set of encoded messages 8 × 8 matrix over {0; 8192; 16384; 24576 8 × 8 matrix over {0; 8192; : : : ; 57344 8 × 8 matrix over {0; 4096; : : : ; 61440 P
0≤i<256{0; 1665}xi
P
0≤i<256{0; 1665}xi
P
0≤i<256{0; 1665}xi
256-dim subcode (see spec) of P
0≤i
256-dim subcode (see spec) of P
0≤i
256-dim subcode (see spec) of P
0≤i
P
0≤i<256{0; 6145}xi (1 + x256)
P
0≤i<256{0; 6145}xi (1 + x256 + x512
not applicable not applicable not applicable not applicable P
0≤i<256{0; 2310}xi
P
0≤i<256{0; 2295}xi
P
0≤i<256{0; 2583}xi
8 × 8 matrix over {0; 1024; 2048; 3072 8 × 8 matrix over {0; 4096; : : : ; 28672 8 × 8 matrix over {0; 2048; : : : ; 30720 P
0≤i<128{0; 4096}xi
P
0≤i<192{0; 2048}xi
P
0≤i<256{0; 4096}xi
128-dim subcode (see spec) of P
0≤i
192-dim subcode (see spec) of P
0≤i
256-dim subcode (see spec) of P
0≤i
P
0≤i<256{0; 4096}xi
P
0≤i<256{0; 4096}xi
P
0≤i<256{0; 4096}xi
not applicable not applicable not applicable 256-dim subcode (see spec) of P
0≤i
256-dim subcode (see spec) of P
0≤i
256-dim subcode (see spec) of P
0≤i
SLIDE 32 7
128 256 1) *
8
ciphertext offset (noise or rounding method) Z8×8; {−12; : : : ; 12}; Pr 1; 4; 17; : : : (spec page 23) Z8×8; {−10; : : : ; 10}; Pr 1; 6; 29; : : : (spec page 23) Z8×8; {−6; : : : ; 6}; Pr 2; 40; 364; : : : (spec page 23) Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x256 + 1); P
0≤i<4{−0:5; 0:5}
Z[x]=(x512 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 6; 1 Z[x]=(x1024 + 1); {−1; 0; 1}; Pr 1; 2; 1 Z[x]=(x512 + 1); P
0≤i<16{−0:5; 0:5}
Z[x]=(x1024 + 1); P
0≤i<16{−0:5; 0:5}
not applicable not applicable not applicable not applicable bottom 256 coeffs; z → ⌊(114(z + 2156) + 16384)=32768⌋ bottom 256 coeffs; z → ⌊(113(z + 2175) + 16384)=32768⌋ bottom 256 coeffs; z → ⌊(101(z + 2433) + 16384)=32768⌋ round Z=4096 to 64Z round Z=32768 to 512Z round Z=32768 to 64Z bottom 128 coeffs; round Z=8192 to 512Z bottom 192 coeffs; round Z=4096 to 128Z bottom 256 coeffs; round Z=8192 to 256Z bottom 318 coeffs; round Z=1024 to 64Z bottom 410 coeffs; round Z=4096 to 512Z bottom 490 coeffs; round Z=2048 to 64Z round Z=8192 to 1024Z round Z=8192 to 512Z round Z=8192 to 128Z not applicable not applicable not applicable Z; P
0≤i<312 210i {−2; −1; 0; 1; 2}; Pr 1; 32; 62; 32; 1; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 13; 38; 13; *
Z; P
0≤i<312 210i {−1; 0; 1}; Pr 5; 22; 5; *
set of encoded messages 8 × 8 matrix over {0; 8192; 16384; 24576} 8 × 8 matrix over {0; 8192; : : : ; 57344} 8 × 8 matrix over {0; 4096; : : : ; 61440} P
0≤i<256{0; 1665}xi
P
0≤i<256{0; 1665}xi
P
0≤i<256{0; 1665}xi
256-dim subcode (see spec) of P
0≤i<512{0; 126}xi
256-dim subcode (see spec) of P
0≤i<1024{0; 126}xi
256-dim subcode (see spec) of P
0≤i<1024{0; 126}xi
P
0≤i<256{0; 6145}xi (1 + x256)
P
0≤i<256{0; 6145}xi (1 + x256 + x512 + x768)
not applicable not applicable not applicable not applicable P
0≤i<256{0; 2310}xi
P
0≤i<256{0; 2295}xi
P
0≤i<256{0; 2583}xi
8 × 8 matrix over {0; 1024; 2048; 3072} 8 × 8 matrix over {0; 4096; : : : ; 28672} 8 × 8 matrix over {0; 2048; : : : ; 30720} P
0≤i<128{0; 4096}xi
P
0≤i<192{0; 2048}xi
P
0≤i<256{0; 4096}xi
128-dim subcode (see spec) of P
0≤i<318{0; 512}xi
192-dim subcode (see spec) of P
0≤i<410{0; 2048}xi
256-dim subcode (see spec) of P
0≤i<490{0; 1024}xi
P
0≤i<256{0; 4096}xi
P
0≤i<256{0; 4096}xi
P
0≤i<256{0; 4096}xi
not applicable not applicable not applicable 256-dim subcode (see spec) of P
0≤i<274{0; 512}210i
256-dim subcode (see spec) of P
0≤i<274{0; 512}210i
256-dim subcode (see spec) of P
0≤i<274{0; 512}210i
SLIDE 33 8
Table rows continued (one entry per parameter set, in column order; the column headers are not recovered on this page): "ciphertext offset (noise or rounding method)" and "set of encoded messages".

1. offset: Z^(8×8), {−12, …, 12}, Pr 1, 4, 17, … (spec page 23); messages: 8 × 8 matrix over {0, 8192, 16384, 24576}
2. offset: Z^(8×8), {−10, …, 10}, Pr 1, 6, 29, … (spec page 23); messages: 8 × 8 matrix over {0, 8192, …, 57344}
3. offset: Z^(8×8), {−6, …, 6}, Pr 2, 40, 364, … (spec page 23); messages: 8 × 8 matrix over {0, 4096, …, 61440}
4. offset: Z[x]/(x^256 + 1), Σ_{0≤i<4} {−0.5, 0.5}; messages: Σ_{0≤i<256} {0, 1665} x^i
5. offset: Z[x]/(x^256 + 1), Σ_{0≤i<4} {−0.5, 0.5}; messages: Σ_{0≤i<256} {0, 1665} x^i
6. offset: Z[x]/(x^256 + 1), Σ_{0≤i<4} {−0.5, 0.5}; messages: Σ_{0≤i<256} {0, 1665} x^i
7. offset: Z[x]/(x^512 + 1), {−1, 0, 1}, Pr 1, 2, 1; messages: 256-dim subcode (see spec) of Σ_{0≤i<512} {0, 126} x^i
8. offset: Z[x]/(x^1024 + 1), {−1, 0, 1}, Pr 1, 6, 1; messages: 256-dim subcode (see spec) of Σ_{0≤i<1024} {0, 126} x^i
9. offset: Z[x]/(x^1024 + 1), {−1, 0, 1}, Pr 1, 2, 1; messages: 256-dim subcode (see spec) of Σ_{0≤i<1024} {0, 126} x^i
10. offset: Z[x]/(x^512 + 1), Σ_{0≤i<16} {−0.5, 0.5}; messages: Σ_{0≤i<256} {0, 6145} x^i (1 + x^256)
11. offset: Z[x]/(x^1024 + 1), Σ_{0≤i<16} {−0.5, 0.5}; messages: Σ_{0≤i<256} {0, 6145} x^i (1 + x^256 + x^512 + x^768)
12. offset: not applicable; messages: not applicable
13. offset: not applicable; messages: not applicable
14. offset: not applicable; messages: not applicable
15. offset: not applicable; messages: not applicable
16. offset: bottom 256 coeffs; z → ⌊(114(z + 2156) + 16384)/32768⌋; messages: Σ_{0≤i<256} {0, 2310} x^i
17. offset: bottom 256 coeffs; z → ⌊(113(z + 2175) + 16384)/32768⌋; messages: Σ_{0≤i<256} {0, 2295} x^i
18. offset: bottom 256 coeffs; z → ⌊(101(z + 2433) + 16384)/32768⌋; messages: Σ_{0≤i<256} {0, 2583} x^i
19. offset: round Z/4096 to 64Z; messages: 8 × 8 matrix over {0, 1024, 2048, 3072}
20. offset: round Z/32768 to 512Z; messages: 8 × 8 matrix over {0, 4096, …, 28672}
21. offset: round Z/32768 to 64Z; messages: 8 × 8 matrix over {0, 2048, …, 30720}
22. offset: bottom 128 coeffs; round Z/8192 to 512Z; messages: Σ_{0≤i<128} {0, 4096} x^i
23. offset: bottom 192 coeffs; round Z/4096 to 128Z; messages: Σ_{0≤i<192} {0, 2048} x^i
24. offset: bottom 256 coeffs; round Z/8192 to 256Z; messages: Σ_{0≤i<256} {0, 4096} x^i
25. offset: bottom 318 coeffs; round Z/1024 to 64Z; messages: 128-dim subcode (see spec) of Σ_{0≤i<318} {0, 512} x^i
26. offset: bottom 410 coeffs; round Z/4096 to 512Z; messages: 192-dim subcode (see spec) of Σ_{0≤i<410} {0, 2048} x^i
27. offset: bottom 490 coeffs; round Z/2048 to 64Z; messages: 256-dim subcode (see spec) of Σ_{0≤i<490} {0, 1024} x^i
28. offset: round Z/8192 to 1024Z; messages: Σ_{0≤i<256} {0, 4096} x^i
29. offset: round Z/8192 to 512Z; messages: Σ_{0≤i<256} {0, 4096} x^i
30. offset: round Z/8192 to 128Z; messages: Σ_{0≤i<256} {0, 4096} x^i
31. offset: not applicable; messages: not applicable
32. offset: not applicable; messages: not applicable
33. offset: not applicable; messages: not applicable
34. offset: Z, Σ_{0≤i<312} 2^(10i) {−2, −1, 0, 1, 2}, Pr 1, 32, 62, 32, 1, *; messages: 256-dim subcode (see spec) of Σ_{0≤i<274} {0, 512} 2^(10i)
35. offset: Z, Σ_{0≤i<312} 2^(10i) {−1, 0, 1}, Pr 13, 38, 13, *; messages: 256-dim subcode (see spec) of Σ_{0≤i<274} {0, 512} 2^(10i)
36. offset: Z, Σ_{0≤i<312} 2^(10i) {−1, 0, 1}, Pr 5, 22, 5, *; messages: 256-dim subcode (see spec) of Σ_{0≤i<274} {0, 512} 2^(10i)
Attacking these problems

Attack strategy with reputation of usually being best: "primal" strategy. Focus of this talk.

Normal layers in analysis:
- Analysis of lattices to attack systems
- "Approximate-SVP" analysis
- … analysis
- Model of computation
Models of computation

Multitape Turing machine: e.g., sort N ints, each N^(o(1)) bits, in time N^(1+o(1)), space N^(1+o(1)).

Brent–Kung 2D circuit model allows parallelism—e.g., sort in time N^(0.5+o(1)), space N^(1+o(1)).

PRAM: multiple inequivalent definitions, untethered to physical explanations. Sort in time N^(o(1)).

Quantum computing: similar divergence of models.
Lattices

Rewrite each problem as finding short nonzero solution to system of homogeneous R/q equations.

Problem 1: Find (a, e) ∈ R^2 with aG + e = 0, given G ∈ R/q.

Problem 2: Find (a, t, e) ∈ R^3 with aG + e = At, given G, A ∈ R/q.

Problem 3: Find (a, t1, t2, e1, e2) ∈ R^5 with aG1 + e1 = A1 t1, aG2 + e2 = A2 t2, given G1, A1, G2, A2 ∈ R/q.
Recognize each solution space as a full-rank lattice:

Problem 1: Lattice is image of the map (a, r) → (a, qr − aG) from R^2 to R^2.

Problem 2: Lattice is image of the map (a, t, r) → (a, t, At + qr − aG).

Problem 3: Lattice is image of the map (a, t1, t2, r1, r2) → (a, t1, t2, A1 t1 + q r1 − aG1, A2 t2 + q r2 − aG2).
Module structure

Each of these lattices is an R-module, and thus has, generically, many independent short vectors.

e.g. in Problem 2: Lattice has short (a, t, e). Lattice has short (xa, xt, xe). Lattice has short (x^2 a, x^2 t, x^2 e). etc.

Many more lattice vectors are fairly short combinations of independent vectors: e.g., ((x + 1)a, (x + 1)t, (x + 1)e).
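As an added example (mine, not code from the talk), the Problem 2 lattice of the last three slides in Z[x]/(x^761 − x − 1) with q = 4591: the map (a, t, r) → (a, t, At + qr − aG), a membership test that recovers r, and a check that the secret (a, 1, e) and its multiples by x and x + 1 are all short lattice vectors. The instance (G, A = aG + e) is constructed from a seeded RNG; helper names such as `in_lattice` are my own.

```python
import random

# Parameters from the slides: R = Z[x]/(x^761 - x - 1), q = 4591, secret weight w = 286.
N, Q, W = 761, 4591, 286


def mul(a, b, n=N):
    """Product of two elements of R over the integers (no reduction mod q).
    Zero coefficients of a are skipped, so put the sparse factor first."""
    c = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[i + j] += ai * bj
    # x^n = x + 1, so x^k for k >= n folds into x^(k-n+1) + x^(k-n).
    for k in range(2 * n - 2, n - 1, -1):
        c[k - n] += c[k]
        c[k - n + 1] += c[k]
    return c[:n]


def add(a, b):
    return [x + y for x, y in zip(a, b)]


def sub(a, b):
    return [x - y for x, y in zip(a, b)]


def centered(c, q=Q):
    """Reduce coefficients into [-(q-1)/2, (q-1)/2] (q is odd)."""
    return [((x + q // 2) % q) - q // 2 for x in c]


def lattice_point(a, t, r, G, A, q=Q):
    """The slide's map (a, t, r) -> (a, t, At + qr - aG); its image is the Problem 2 lattice."""
    return a, t, add(sub(mul(t, A), mul(a, G)), [q * x for x in r])


def in_lattice(u, t, v, G, A, q=Q):
    """Return the preimage coordinate r if (u, t, v) is a lattice point, else None:
    v = At + qr - uG with integral r iff v + uG - At is divisible by q."""
    diff = sub(add(v, mul(u, G)), mul(t, A))
    if any(d % q for d in diff):
        return None
    return [d // q for d in diff]


def small_weight(rng, w=W, n=N):
    """Uniform random small element of R with exactly w nonzero coefficients."""
    a = [0] * n
    for i in rng.sample(range(n), w):
        a[i] = rng.choice((-1, 1))
    return a


def problem2_instance(seed=1):
    """Constructed Problem 2 instance: public G and A = aG + e, secret small a and e."""
    rng = random.Random(seed)
    G = [rng.randrange(Q) for _ in range(N)]
    a = small_weight(rng)
    e = [rng.choice((-1, 0, 1)) for _ in range(N)]
    A = centered(add(mul(a, G), e))
    return G, A, a, e


def sq_norm(*polys):
    return sum(c * c for p in polys for c in p)


def module_closure_demo(seed=1):
    """For m in {1, x, x+1}: is (ma, m, me) in the lattice, and what is its squared length?
    The secret has t = 1, so the t-component of the multiple is m itself."""
    G, A, a, e = problem2_instance(seed)
    one = [1] + [0] * (N - 1)
    x = [0, 1] + [0] * (N - 2)
    x_plus_1 = [1, 1] + [0] * (N - 2)
    results = []
    for m in (one, x, x_plus_1):
        u, t, v = mul(m, a), m, mul(m, e)
        results.append((in_lattice(u, t, v, G, A) is not None, sq_norm(u, t, v)))
    return results


if __name__ == "__main__":
    names = ("(a, 1, e)", "(xa, x, xe)", "((x+1)a, x+1, (x+1)e)")
    for name, (ok, norm2) in zip(names, module_closure_demo()):
        print(f"{name}: in lattice = {ok}, squared length = {norm2}")
```

Each reported squared length is a few hundred, far below the q^2-scale length of a typical lattice vector, which is what makes these module multiples equally useful solutions.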
2001 May–Silverman, for Problem 1: Force a few coefficients of a to be 0. This reduces lattice rank, speeding up various attacks, despite lower success chance. (Always a speedup? Seems to be a slowdown if q is very large.)

Other problems: same speedup. e.g. Problem 2: Force many coefficients of (a, t) to be 0. Bai–Galbraith special case: Force t = 1, and force a few coefficients of a to be 0. (Also slowdown if q is very large?)
Standard analysis for Problem 1

Lattice has rank 2 · 761 = 1522.

Uniform random small weight-w secret a has length √w ≈ 17.

Uniform random small secret e has length usually close to √(1522/3) ≈ 23. (What if it's smaller? What if it's larger? Does fixed weight change security?)

Attack parameter: k = 13. Force k positions in a to be 0: restrict to sublattice of rank 1509. Pr[a is in sublattice] ≈ 0.2%.
17
Attacker is just as happy to find another solution such as (xa; xe).
SLIDE 79 16
Standard analysis for Problem 1 Lattice has rank 2 · 761 = 1522. Uniform random small weight-w secret a has length √w ≈ 17. Uniform random small secret e has length usually close to p 1522=3 ≈ 23. (What if it’s smaller? What if it’s larger? Does fixed weight change security?) Attack parameter: k = 13. Force k positions in a to be 0: restrict to sublattice of rank 1509. Pr[a is in sublattice] ≈ 0:2%.
17
Attacker is just as happy to find another solution such as (xa; xe). Standard analysis for, e.g., Z[x]=(x761 − 1): Each (xja; xje) has chance ≈0:2% of being in
- sublattice. These 761 chances
are independent. (No, they aren’t; also, total Pr depends on attacker’s choice of positions.)
SLIDE 80 16
Standard analysis for Problem 1 Lattice has rank 2 · 761 = 1522. Uniform random small weight-w secret a has length √w ≈ 17. Uniform random small secret e has length usually close to p 1522=3 ≈ 23. (What if it’s smaller? What if it’s larger? Does fixed weight change security?) Attack parameter: k = 13. Force k positions in a to be 0: restrict to sublattice of rank 1509. Pr[a is in sublattice] ≈ 0:2%.
17
Attacker is just as happy to find another solution such as (xa; xe). Standard analysis for, e.g., Z[x]=(x761 − 1): Each (xja; xje) has chance ≈0:2% of being in
- sublattice. These 761 chances
are independent. (No, they aren’t; also, total Pr depends on attacker’s choice of positions.) Ignore bigger solutions (¸a; ¸e). (How hard are these to find?)
SLIDE 81
17
Attacker is just as happy to find another solution such as (xa, xe).
Standard analysis for, e.g., Z[x]/(x^761 − 1): Each (x^j a, x^j e) has chance ≈0.2% of being in sublattice. These 761 chances are independent. (No, they aren’t; also, total Pr depends on attacker’s choice of positions.)
Ignore bigger solutions (αa, αe). (How hard are these to find?)
Pretend this analysis applies to Z[x]/(x^761 − x − 1). (It doesn’t.)
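The quantities quoted on slides 16 and 17 can be checked exactly. The following is an added example (not code from the slides or from the NTRU Prime authors): it computes the forcing probability for k = 13 as a hypergeometric ratio, the lengths √w and √(1522/3), the tail of the distribution of |e|² (answering “what if it’s smaller?”), and the optimistic “761 independent rotations” total that slide 17 criticizes. The threshold 480 in the tail computation is a constructed example value.

```python
from fractions import Fraction
from math import comb, sqrt

# sntrup761 figures quoted on the slides: ring size, secret weight, forced positions.
N, W, K = 761, 286, 13

def prob_forcing_succeeds(n, w, k):
    """Pr[a lies in the sublattice]: the w nonzero positions of a uniform
    weight-w secret must all avoid the k positions the attacker forces to 0."""
    return comb(n - k, w) / comb(n, w)

def naive_rotation_success_prob(n, w, k):
    """The slide's 'standard analysis' for Z[x]/(x^n - 1): n rotations
    (x^j a, x^j e), each succeeding with probability p, *treated as independent*.
    Slide 17 points out they are not, so this is an optimistic model, not a fact."""
    p = prob_forcing_succeeds(n, w, k)
    return 1 - (1 - p) ** n

def length_a(w):
    """A weight-w secret with entries in {-1, 0, 1} has length exactly sqrt(w)."""
    return sqrt(w)

def expected_sq_length_e(n):
    """Each coefficient of e is uniform in {-1, 0, 1}, so E[c^2] = 2/3."""
    return Fraction(2 * n, 3)

def prob_e_sq_length_at_most(n, t):
    """|e|^2 is the number of nonzero coefficients, i.e. Binomial(n, 2/3).
    Exact rational tail sum Pr[|e|^2 <= t], returned as a float."""
    total = sum(Fraction(comb(n, j) * 2**j, 3**n) for j in range(t + 1))
    return float(total)

def summary(n=N, w=W, k=K):
    """Collect the quantities the slide quotes, plus the 'what if e is smaller' tail."""
    mean_sq = expected_sq_length_e(n)
    return {
        "rank": 2 * n,
        "sublattice_rank": 2 * n - k,
        "len_a": length_a(w),
        "len_e_typical": sqrt(mean_sq),
        "p_force": prob_forcing_succeeds(n, w, k),
        "p_naive_rotations": naive_rotation_success_prob(n, w, k),
        # Chance that e is noticeably shorter than the typical length the analysis assumes
        # (480 is a constructed threshold, about two standard deviations below the mean).
        "p_e_sq_below_480": prob_e_sq_length_at_most(n, 480),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>20}: {value}")
```

The forcing probability comes out at about 0.205%, matching the slide’s ≈0.2%; the independence model would then give a total success chance near 79% over the 761 rotations, which is exactly the figure whose derivation the slide disputes.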
SLIDE 87
18
Write equation e = qr − aG as 761 equations on coefficients.
Attack parameter: m = 600. Ignore 761 − m = 161 equations: i.e., project e onto 600 positions. Projected sublattice rank d = 1509 − 161 = 1348; det q^600.
Attack parameter: λ = 1.331876. Rescaling: Assign weight λ to positions in a. Increases length of a to λ√w ≈ 23; increases det to λ^748 q^600. (Is this λ optimal? Interaction with e size variation?)
SLIDE 93
19
Lattice-basis reduction
Attack parameter: β = 525. Use BKZ-β algorithm to reduce lattice basis. (What about alternatives to BKZ?)
Standard analysis of BKZ-β: “Normally” finds nonzero vector of length δ^d (det L)^{1/d} where δ = (β(πβ)^{1/β}/(2πe))^{1/(2(β−1))}. (This δ formula is an asymptotic claim without claimed error bounds; does not match experiments for specific d.)
SLIDE 99
20
Standard analysis, continued: “Geometric-series assumption” holds. (What about deviations identified in 2018 experiments?)
BKZ-β finds unique (mod ±) shortest nonzero vector ⇔ length ≤ δ^{2β−d} (det L)^{1/d} √(d/β). (What about deviations identified in 2017 experiments?)
Hence the attack finds (a, e), assuming forcing worked. If it didn’t, retry. (Are these tries independent? Should they use new parameters? Grover?)
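Slides 18 to 20 are a complete recipe for the “standard” block-size estimate, and it is worth seeing that the recipe really produces β = 525. The following is an added example (not code from the slides or from the NTRU Prime authors) that evaluates the δ formula, the determinant λ^748 q^600 of the projected, rescaled sublattice, and the uniqueness condition, then scans β upward until the condition holds. The model of the target length, |λa|² + (2/3)·m for e restricted to the m = 600 kept positions, is an assumption read off the slides’ figures (λ√w ≈ 23 and the 2/3-per-coefficient model of e), not something the slides state as a formula.

```python
from math import e, exp, log, pi, sqrt

# sntrup761 attack parameters from the slides.
N, W, Q, K, M, LAM = 761, 286, 4591, 13, 600, 1.331876

def root_hermite_factor(beta):
    """delta for BKZ-beta under the asymptotic formula quoted on slide 19."""
    return (beta * (pi * beta) ** (1 / beta) / (2 * pi * e)) ** (1 / (2 * (beta - 1)))

def projected_rank(n=N, k=K, m=M):
    """Rank after forcing k positions of a and dropping n - m coefficient equations."""
    return (2 * n - k) - (n - m)

def log_det(n=N, k=K, m=M, q=Q, lam=LAM):
    """ln det L for the rescaled, projected sublattice: lam^(n-k) * q^m."""
    return (n - k) * log(lam) + m * log(q)

def target_length(w=W, m=M, lam=LAM):
    """Length of the rescaled target (lam*a, e restricted to m positions), using
    |a|^2 = w and the standard 2/3-per-coefficient model for e (assumed model)."""
    return sqrt(lam**2 * w + 2 * m / 3)

def uniqueness_bound(beta, d, logdet):
    """Right-hand side of slide 20's condition:
    delta^(2 beta - d) * (det L)^(1/d) * sqrt(d / beta), computed in log space."""
    return exp((2 * beta - d) * log(root_hermite_factor(beta))
               + logdet / d + 0.5 * log(d / beta))

def minimal_blocksize(d=None, logdet=None, target=None):
    """Smallest beta for which the target is predicted to be the unique shortest vector.
    The bound grows with beta, so the first beta that passes is the estimate."""
    d = projected_rank() if d is None else d
    logdet = log_det() if logdet is None else logdet
    target = target_length() if target is None else target
    for beta in range(50, d):
        if target <= uniqueness_bound(beta, d, logdet):
            return beta
    return None

def sieving_cost_bits(beta):
    """The 'standard answer' 2^(0.292 beta) from slide 21, as log2."""
    return 0.292 * beta

if __name__ == "__main__":
    d = projected_rank()
    beta = minimal_blocksize()
    print("rank d =", d, " (det L)^(1/d) =", round(exp(log_det() / d), 2))
    print("target length =", round(target_length(), 3))
    print("minimal beta =", beta, " 0.292*beta =", round(sieving_cost_bits(beta), 1))
```

The scan stops at β ≈ 525: the bound at that block size is about 30.13 against a target length of about 30.12, so the standard estimate sits right at the edge of its own condition, which is one reason the questions on the slide about experimental deviations matter.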
SLIDE 105
21
How long does BKZ-β take?
Standard answer: 2^{0.292β} = 2^{153.3} operations by “sieving”. (Plugging o(1) = 0 into the 2^{(0.292+o(1))β} asymptotic does not match experiments. What’s the actual performance? And what exactly is an “operation”?)
0.292β (fake) cost for “sieving” is advertised as being below 0.187β log2 β − 1.019β + 16.1 (questionable extrapolation of experiments) for “enumeration”.
SLIDE 112
22
Note fragility of comparison.
S ≤ 43 ⇒ E < S for S = 0.396β, E = 0.187β log2 β − 1.019β + 16.1.
S ≤ 225 ⇒ E < S for S = 0.369β, E = (0.187β log2 β − 1.019β + 16.1)/2.
S ≤ 86 ⇒ E < S for S = 0.265β, E = (0.125β log2 β − 0.545β + 10)/2.
Need to get analyses right! First step: include models that account for memory cost.
SLIDE 116
23
sntrup761 evaluations from “NTRU Prime: round 2” Table 2
Security levels: left column pre-quantum, right column post-quantum.

Ignoring hybrid attacks:
  368  185  enum, free memory cost
  368  185  enum, real memory cost
  153  139  sieving, free memory cost
  208  208  sieving, real memory cost
Including hybrid attacks:
  230  169  enum, free memory cost
  277  169  enum, real memory cost
  153  139  sieving, free memory cost
  208  180  sieving, real memory cost
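Slides 21 to 23 compare cost models that are all of the form c·β (sieving) or (a·β log2 β − b·β + c)/divisor (enumeration). The following is an added example (not code from the slides or from the NTRU Prime authors) that encodes those models, locates the crossover block size for each of the three comparisons on slide 22, and evaluates the two “standard” models at β = 525. The crossover search scans integer β up to a constructed limit of 5000; the computed values 368 and 153 coincide with the pre-quantum “free memory cost” entries for enumeration and sieving in the table above, which is what the example is meant to make visible.

```python
from math import log2

def sieving_model(c):
    """log2 cost c*beta (the slides use 0.292, 0.396, 0.369 and 0.265)."""
    return lambda beta: c * beta

def enumeration_model(a, b, c, divisor=1.0):
    """log2 cost (a*beta*log2(beta) - b*beta + c) / divisor; divisor 2 is the
    slide's E/2 variant (a square-root speedup applied to enumeration)."""
    return lambda beta: (a * beta * log2(beta) - b * beta + c) / divisor

def crossover(S, E, beta_max=5000):
    """Largest beta with E(beta) < S(beta), and S at that beta: past this point
    the enumeration model is more expensive than the sieving model.
    beta_max is a constructed scan limit; beta*log2(beta) dominates beyond it."""
    best = None
    for beta in range(2, beta_max):
        if E(beta) < S(beta):
            best = beta
    return None if best is None else (best, S(best))

# The three comparisons listed on slide 22.
COMPARISONS = {
    "S=0.396b vs E": (sieving_model(0.396), enumeration_model(0.187, 1.019, 16.1)),
    "S=0.369b vs E/2": (sieving_model(0.369), enumeration_model(0.187, 1.019, 16.1, 2)),
    "S=0.265b vs E'/2": (sieving_model(0.265), enumeration_model(0.125, 0.545, 10, 2)),
}

def crossovers():
    """Crossover (beta, S) for each comparison; S should land near 43, 225 and 86."""
    return {name: crossover(S, E) for name, (S, E) in COMPARISONS.items()}

def sntrup761_standard_costs(beta=525):
    """Slide 21's models at the slide's block size: 0.292*beta for sieving and the
    full enumeration formula. Both round to the table's pre-quantum free-memory rows."""
    return {
        "sieving": sieving_model(0.292)(beta),
        "enum": enumeration_model(0.187, 1.019, 16.1)(beta),
    }

if __name__ == "__main__":
    for name, (beta, s) in crossovers().items():
        print(f"{name}: enumeration cheaper up to beta={beta}, S={s:.1f}")
    print(sntrup761_standard_costs())
```

Note how narrow the margins are: the second comparison flips between β = 610 and β = 611 by a few hundredths of a bit, so small changes in the fitted constants move the crossover by a lot, which is the “fragility” the slide refers to.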
SLIDE 123
24
Hybrid attacks
Extreme special case: Search all small weight-w a. Grover reduces cost to √. Can also get “√” using memory without quantum computation. Represent a as a1 + a2. (What is the optimal a1, a2 overlap?) Look for approximate collision between H1(a1) and H2(a2). e.g. Problem 1: aG small so a1G ≈ −a2G. (How fast are near-neighbor algorithms?)
SLIDE 130
24
Hybrid attacks Extreme special case: Search all small weight-w a. Grover reduces cost to √ . Can also get “ √ ” using memory without quantum computation. Represent a as a1 + a2. (What is the optimal a1; a2 overlap?) Look for approximate collision between H1(a1) and H2(a2). e.g. Problem 1: aG small so a1G ≈ −a2G. (How fast are near-neighbor algorithms?)
25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v.
SLIDE 131
24
Hybrid attacks Extreme special case: Search all small weight-w a. Grover reduces cost to √ . Can also get “ √ ” using memory without quantum computation. Represent a as a1 + a2. (What is the optimal a1; a2 overlap?) Look for approximate collision between H1(a1) and H2(a2). e.g. Problem 1: aG small so a1G ≈ −a2G. (How fast are near-neighbor algorithms?)
25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v. Use BKZ-˛ to find short B with {(w; wL + qr)} = {zB}.
SLIDE 132
24
Hybrid attacks Extreme special case: Search all small weight-w a. Grover reduces cost to √ . Can also get “ √ ” using memory without quantum computation. Represent a as a1 + a2. (What is the optimal a1; a2 overlap?) Look for approximate collision between H1(a1) and H2(a2). e.g. Problem 1: aG small so a1G ≈ −a2G. (How fast are near-neighbor algorithms?)
25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v. Use BKZ-˛ to find short B with {(w; wL + qr)} = {zB}. Now {(v; w; vK + wL + qr)} = {(v; v(0; K) + zB)}.
SLIDE 133 24
attacks Extreme special case: all small weight-w a. reduces cost to √ . also get “ √ ” using memory without quantum computation. resent a as a1 + a2. (What
for approximate collision een H1(a1) and H2(a2). Problem 1: aG small ≈ −a2G. (How fast are r-neighbor algorithms?)
25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v. Use BKZ-˛ to find short B with {(w; wL + qr)} = {zB}. Now {(v; w; vK + wL + qr)} = {(v; v(0; K) + zB)}. Search th most likely
SLIDE 134
24
case: weight-w a. cost to √ . ” using memory computation.
1 + a2. (What
; a2 overlap?) ximate collision and H2(a2). aG small . (How fast are algorithms?)
25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v. Use BKZ-˛ to find short B with {(w; wL + qr)} = {zB}. Now {(v; w; vK + wL + qr)} = {(v; v(0; K) + zB)}. Search through many most likely choices
SLIDE 135 24
a. . memory computation. (What
collision ). fast are rithms?)
25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v. Use BKZ-˛ to find short B with {(w; wL + qr)} = {zB}. Now {(v; w; vK + wL + qr)} = {(v; v(0; K) + zB)}. Search through many of the most likely choices of v.
SLIDE 136
25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v. Use BKZ-˛ to find short B with {(w; wL + qr)} = {zB}. Now {(v; w; vK + wL + qr)} = {(v; v(0; K) + zB)}.
26
Search through many of the most likely choices of v.
SLIDE 137
25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v. Use BKZ-˛ to find short B with {(w; wL + qr)} = {zB}. Now {(v; w; vK + wL + qr)} = {(v; v(0; K) + zB)}.
26
Search through many of the most likely choices of v. For each v: Quickly find z with zB ≈ −v(0; K). Check whether (v; v(0; K) + zB) is short enough.
SLIDE 138 25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v. Use BKZ-˛ to find short B with {(w; wL + qr)} = {zB}. Now {(v; w; vK + wL + qr)} = {(v; v(0; K) + zB)}.
26
Search through many of the most likely choices of v. For each v: Quickly find z with zB ≈ −v(0; K). Check whether (v; v(0; K) + zB) is short enough. Can again do quantum search,
- r approximate collision search.
SLIDE 139 25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone. Unified lattice description: {(u; uM + qr)} given matrix M. Relabel: {(v; w; vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v. Use BKZ-˛ to find short B with {(w; wL + qr)} = {zB}. Now {(v; w; vK + wL + qr)} = {(v; v(0; K) + zB)}.
26
Search through many of the most likely choices of v. For each v: Quickly find z with zB ≈ −v(0; K). Check whether (v; v(0; K) + zB) is short enough. Can again do quantum search,
- r approximate collision search.
Can afford exponentially many z, maybe compensating for lower ˛.
SLIDE 140
25
Seems worse than basis reduction for typical {a}. But hybrid attack uses basis reduction and search; can beat basis reduction alone.
Unified lattice description: {(u, uM + qr)} given matrix M. Relabel: {(v, w, vK + wL + qr)}. Attacker chooses subset of u indices to relabel as v.
Use BKZ-β to find short B with {(w, wL + qr)} = {zB}. Now {(v, w, vK + wL + qr)} = {(v, v(0, K) + zB)}.
26
Search through many of the most likely choices of v. For each v: Quickly find z with zB ≈ −v(0, K). Check whether (v, v(0, K) + zB) is short enough. Can again do quantum search, or approximate collision search.
Can afford exponentially many z, maybe compensating for lower β. Common claim: This saves time only for sufficiently narrow {a}. (Is this true, or a calculation error in existing algorithm analyses?)