
Challenges in evaluating costs: Three typical attack problems of known lattice attacks

Challenges in evaluating costs
Three typical attack problems of known lattice attacks
Daniel J. Bernstein, Tanja Lange

Define R = Z[x]/(x^761 − x − 1); small = all coeffs in {−1, 0, 1}; w = 286; q = 4591. Attacker …


Examples of target cryptosystems

Encryption for Quotient NTRU: input small b, small d. Ciphertext: B = 3Gb + d.

Encryption for Product NTRU: input encoded message M, small b, small d, small c. Ciphertext: B = Gb + d and C = Ab + M + c.

Key: small a; small e. The key reveals the multiplier G and the approximation A = aG + e.
Key for “NTRU”: randomly generate a, e; G = −e/a, and A = 0.
Key for “Ring-LWE”: randomly generate G, and A = aG + e.

Systematization of naming, recognizing similarity + credits: “NTRU” ⇒ Quotient NTRU; “Ring-LWE” ⇒ Product NTRU.

Next slides: survey of G, a, e, c, M details and variants in NISTPQC submissions. Source: Bernstein, “Comparing proofs of security for lattice-based encryption”.

Survey of NISTPQC lattice submissions

The following slides build this table up one column at a time; the complete table is given once here. Notation: Z/q is the integers mod q; Σ_{0≤i<k} {−0.5, 0.5} is a sum of k independent uniform ±0.5 values; “Pr …” lists the relative probabilities of the set’s values in increasing order; “weight w” means w nonzero coefficients, and “weight w1, w2” means w1 coefficients equal to +1 and w2 equal to −1. Cells cut off in the source end with “…”.

| system | parameter set | type | set of multipliers | short element | key offset (numerator or noise or rounding method) |
|---|---|---|---|---|---|
| frodo | 640 | Product | (Z/32768)^{640×640} | Z^{640×8}; {−12, …, 12}; Pr 1, 4, 17, … (spec page 23) | Z^{640×8}; {−12, …, 12}; Pr 1, 4, 17, … (spec page 23) |
| frodo | 976 | Product | (Z/65536)^{976×976} | Z^{976×8}; {−10, …, 10}; Pr 1, 6, 29, … (spec page 23) | Z^{976×8}; {−10, …, 10}; Pr 1, 6, 29, … (spec page 23) |
| frodo | 1344 | Product | (Z/65536)^{1344×1344} | Z^{1344×8}; {−6, …, 6}; Pr 2, 40, 364, … (spec page 23) | Z^{1344×8}; {−6, …, 6}; Pr 2, 40, 364, … (spec page 23) |
| kyber | 512 | Product | ((Z/3329)[x]/(x^256 + 1))^{2×2} | (Z[x]/(x^256 + 1))^2; Σ_{0≤i<4} {−0.5, 0.5} | (Z[x]/(x^256 + 1))^2; Σ_{0≤i<4} {−0.5, 0.5} |
| kyber | 768 | Product | ((Z/3329)[x]/(x^256 + 1))^{3×3} | (Z[x]/(x^256 + 1))^3; Σ_{0≤i<4} {−0.5, 0.5} | (Z[x]/(x^256 + 1))^3; Σ_{0≤i<4} {−0.5, 0.5} |
| kyber | 1024 | Product | ((Z/3329)[x]/(x^256 + 1))^{4×4} | (Z[x]/(x^256 + 1))^4; Σ_{0≤i<4} {−0.5, 0.5} | (Z[x]/(x^256 + 1))^4; Σ_{0≤i<4} {−0.5, 0.5} |
| lac | 128 | Product | (Z/251)[x]/(x^512 + 1) | Z[x]/(x^512 + 1); {−1, 0, 1}; Pr 1, 2, 1; weight 128, 128 | Z[x]/(x^512 + 1); {−1, 0, 1}; Pr 1, 2, 1; weight 128, 128 |
| lac | 192 | Product | (Z/251)[x]/(x^1024 + 1) | Z[x]/(x^1024 + 1); {−1, 0, 1}; Pr 1, 6, 1; weight 128, 128 | Z[x]/(x^1024 + 1); {−1, 0, 1}; Pr 1, 6, 1; weight 128, 128 |
| lac | 256 | Product | (Z/251)[x]/(x^1024 + 1) | Z[x]/(x^1024 + 1); {−1, 0, 1}; Pr 1, 2, 1; weight 256, 256 | Z[x]/(x^1024 + 1); {−1, 0, 1}; Pr 1, 2, 1; weight 256, 256 |
| newhope | 512 | Product | (Z/12289)[x]/(x^512 + 1) | Z[x]/(x^512 + 1); Σ_{0≤i<16} {−0.5, 0.5} | Z[x]/(x^512 + 1); Σ_{0≤i<16} {−0.5, 0.5} |
| newhope | 1024 | Product | (Z/12289)[x]/(x^1024 + 1) | Z[x]/(x^1024 + 1); Σ_{0≤i<16} {−0.5, 0.5} | Z[x]/(x^1024 + 1); Σ_{0≤i<16} {−0.5, 0.5} |
| ntru | hps2048509 | Quotient | (Z/2048)[x]/(x^509 − 1) | Z[x]/(x^509 − 1); {−1, 0, 1} | Z[x]/(x^509 − 1); {−1, 0, 1}; weight 127, 127 |
| ntru | hps2048677 | Quotient | (Z/2048)[x]/(x^677 − 1) | Z[x]/(x^677 − 1); {−1, 0, 1} | Z[x]/(x^677 − 1); {−1, 0, 1}; weight 127, 127 |
| ntru | hps4096821 | Quotient | (Z/4096)[x]/(x^821 − 1) | Z[x]/(x^821 − 1); {−1, 0, 1} | Z[x]/(x^821 − 1); {−1, 0, 1}; weight 255, 255 |
| ntru | hrss701 | Quotient | (Z/8192)[x]/(x^701 − 1) | Z[x]/(x^701 − 1); {−1, 0, 1}; key correlation ≥ 0 | Z[x]/(x^701 − 1); {−1, 0, 1}; key corr… |
| ntrulpr | 653 | Product | (Z/4621)[x]/(x^653 − x − 1) | Z[x]/(x^653 − x − 1); {−1, 0, 1}; weight 252 | round {−2310, …, 2310} to 3Z |
| ntrulpr | 761 | Product | (Z/4591)[x]/(x^761 − x − 1) | Z[x]/(x^761 − x − 1); {−1, 0, 1}; weight 250 | round {−2295, …, 2295} to 3Z |
| ntrulpr | 857 | Product | (Z/5167)[x]/(x^857 − x − 1) | Z[x]/(x^857 − x − 1); {−1, 0, 1}; weight 281 | round {−2583, …, 2583} to 3Z |
| round5n1 | 1 | Product | (Z/4096)^{636×636} | Z^{636×8}; {−1, 0, 1}; weight 57, 57 | round Z/4096 to 8Z |
| round5n1 | 3 | Product | (Z/32768)^{876×876} | Z^{876×8}; {−1, 0, 1}; weight 223, 223 | round Z/32768 to 16Z |
| round5n1 | 5 | Product | (Z/32768)^{1217×1217} | Z^{1217×8}; {−1, 0, 1}; weight 231, 231 | round Z/32768 to 8Z |
| round5nd | 1.0d | Product | (Z/8192)[x]/(x^586 + … + 1) | Z[x]/(x^586 + … + 1); {−1, 0, 1}; weight 91, 91 | round Z/8192 to 16Z |
| round5nd | 3.0d | Product | (Z/4096)[x]/(x^852 + … + 1) | Z[x]/(x^852 + … + 1); {−1, 0, 1}; weight 106, 106 | round Z/4096 to 8Z |
| round5nd | 5.0d | Product | (Z/8192)[x]/(x^1170 + … + 1) | Z[x]/(x^1170 + … + 1); {−1, 0, 1}; weight 111, 111 | round Z/8192 to 16Z |
| round5nd | 1.5d | Product | (Z/1024)[x]/(x^509 − 1) | Z[x]/(x^509 − 1); {−1, 0, 1}; weight 68, 68; ending 0 | reduce mod x^508 + … + 1; round Z/… |
| round5nd | 3.5d | Product | (Z/4096)[x]/(x^757 − 1) | Z[x]/(x^757 − 1); {−1, 0, 1}; weight 121, 121; ending 0 | reduce mod x^756 + … + 1; round Z/… |
| round5nd | 5.5d | Product | (Z/2048)[x]/(x^947 − 1) | Z[x]/(x^947 − 1); {−1, 0, 1}; weight 194, 194; ending 0 | reduce mod x^946 + … + 1; round Z/… |
| saber | light | Product | ((Z/8192)[x]/(x^256 + 1))^{2×2} | (Z[x]/(x^256 + 1))^2; Σ_{0≤i<10} {−0.5, 0.5} | round Z/8192 to 8Z |
| saber | main | Product | ((Z/8192)[x]/(x^256 + 1))^{3×3} | (Z[x]/(x^256 + 1))^3; Σ_{0≤i<8} {−0.5, 0.5} | round Z/8192 to 8Z |
| saber | fire | Product | ((Z/8192)[x]/(x^256 + 1))^{4×4} | (Z[x]/(x^256 + 1))^4; Σ_{0≤i<6} {−0.5, 0.5} | round Z/8192 to 8Z |
| sntrup | 653 | Quotient | (Z/4621)[x]/(x^653 − x − 1) | Z[x]/(x^653 − x − 1); {−1, 0, 1}; weight 288 | Z[x]/(x^653 − x − 1); {−1, 0, 1}; invertible |
| sntrup | 761 | Quotient | (Z/4591)[x]/(x^761 − x − 1) | Z[x]/(x^761 − x − 1); {−1, 0, 1}; weight 286 | Z[x]/(x^761 − x − 1); {−1, 0, 1}; invertible |
| sntrup | 857 | Quotient | (Z/5167)[x]/(x^857 − x − 1) | Z[x]/(x^857 − x − 1); {−1, 0, 1}; weight 322 | Z[x]/(x^857 − x − 1); {−1, 0, 1}; invertible |
| threebears | baby | Product | (Z/(2^3120 − 2^1560 − 1))^{2×2} | Z^2; Σ_{0≤i<312} 2^{10i} {−2, −1, 0, 1, 2}; Pr 1, 32, 62, 32, 1; * | Z^2; Σ_{0≤i<312} 2^{10i} {−2, −1, 0, 1, 2}; … |
| threebears | mama | Product | (Z/(2^3120 − 2^1560 − 1))^{3×3} | Z^3; Σ_{0≤i<312} 2^{10i} {−1, 0, 1}; Pr 13, 38, 13; * | Z^3; Σ_{0≤i<312} 2^{10i} {−1, 0, 1}; Pr 13, … |
| threebears | papa | Product | (Z/(2^3120 − 2^1560 − 1))^{4×4} | Z^4; Σ_{0≤i<312} 2^{10i} {−1, 0, 1}; Pr 5, 22, 5; * | Z^4; Σ_{0≤i<312} 2^{10i} {−1, 0, 1}; Pr 5, 22, … |
− 1); {− 1 ; 0 ; 1 } ; key correlation ≥ 0; · ( x − 1) − 1) Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; weight 252 − x − 1) round {− 2310 ; : : : ; 2310 } to 3 Z Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; weight 250 − x − 1) round {− 2295 ; : : : ; 2295 } to 3 Z Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; weight 281 − x − 1) round {− 2583 ; : : : ; 2583 } to 3 Z Z 636 × 8 ; {− 1 ; 0 ; 1 } ; weight 57 ; 57 round Z = 4096 to 8 Z Z 876 × 8 ; {− 1 ; 0 ; 1 } ; weight 223 ; 223 round Z = 32768 to 16 Z 1217 Z 1217 × 8 ; {− 1 ; 0 ; 1 } ; weight 231 ; 231 round Z = 32768 to 8 Z Z [ x ] = ( x 586 + : : : + 1); {− 1 ; 0 ; 1 } ; weight 91 ; 91 + : : : + 1) round Z = 8192 to 16 Z Z [ x ] = ( x 852 + : : : + 1); {− 1 ; 0 ; 1 } ; weight 106 ; 106 + : : : + 1) round Z = 4096 to 8 Z 1170 + : : : + 1) Z [ x ] = ( x 1170 + : : : + 1); {− 1 ; 0 ; 1 } ; weight 111 ; 111 round Z = 8192 to 16 Z Z [ x ] = ( x 509 − 1); {− 1 ; 0 ; 1 } ; weight 68 ; 68; ending 0 reduce mod x 508 + : : : + 1; round Z = 1024 to 8 Z − 1) Z [ x ] = ( x 757 − 1); {− 1 ; 0 ; 1 } ; weight 121 ; 121; ending 0 reduce mod x 756 + : : : + 1; round Z = 4096 to 16 Z − 1) Z [ x ] = ( x 947 − 1); {− 1 ; 0 ; 1 } ; weight 194 ; 194; ending 0 reduce mod x 946 + : : : + 1; round Z = 2048 to 8 Z − 1) 256 + 1)) 2 × 2 ( Z [ x ] = ( x 256 + 1)) 2 ; P 0 ≤ i< 10 {− 0 : 5 ; 0 : 5 } round Z = 8192 to 8 Z 256 + 1)) 3 × 3 ( Z [ x ] = ( x 256 + 1)) 3 ; P 0 ≤ i< 8 {− 0 : 5 ; 0 : 5 } round Z = 8192 to 8 Z 256 + 1)) 4 × 4 ( Z [ x ] = ( x 256 + 1)) 4 ; P 0 ≤ i< 6 {− 0 : 5 ; 0 : 5 } round Z = 8192 to 8 Z Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; weight 288 Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 − x − 1) Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; weight 286 Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 − x − 1) Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; weight 322 Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 − x − 1) 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 
; 32 ; 1; * 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * − 1)) 2 × 2 Z 2 ; P Z 2 ; P 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * − 1)) 3 × 3 Z 3 ; P Z 3 ; P 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * − 1)) 4 × 4 Z 4 ; P Z 4 ; P

  12. 6 7 short element key offset (numerator or noise or rounding method) Z 640 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) Z 640 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) Z 976 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) Z 976 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) Z 1344 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) Z 1344 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) ( Z [ x ] = ( x 256 + 1)) 2 ; P ( Z [ x ] = ( x 256 + 1)) 2 ; P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 3 ; P ( Z [ x ] = ( x 256 + 1)) 3 ; P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 4 ; P ( Z [ x ] = ( x 256 + 1)) 4 ; P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 128 ; 128 Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 256 ; 256 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 256 ; 256 Z [ x ] = ( x 512 + 1); P Z [ x ] = ( x 512 + 1); P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 1024 + 1); P Z [ x ] = ( x 1024 + 1); P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 509 − 1); {− 1 ; 0 ; 1 } Z [ x ] = ( x 509 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 Z [ x ] = ( x 677 − 1); {− 1 ; 0 ; 1 } Z [ x ] = ( x 677 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 Z [ x ] = ( x 821 − 1); {− 1 ; 0 ; 1 } Z [ x ] = ( x 821 − 1); {− 1 ; 0 ; 1 } ; weight 255 ; 255 Z [ x ] = ( x 701 − 1); {− 1 ; 0 ; 1 } ; key correlation ≥ 0 Z [ x ] = ( x 701 − 1); {− 1 ; 0 ; 1 } ; key correlation ≥ 0; · ( x − 1) Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; 
weight 252 round {− 2310 ; : : : ; 2310 } to 3 Z Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; weight 250 round {− 2295 ; : : : ; 2295 } to 3 Z Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; weight 281 round {− 2583 ; : : : ; 2583 } to 3 Z Z 636 × 8 ; {− 1 ; 0 ; 1 } ; weight 57 ; 57 round Z = 4096 to 8 Z Z 876 × 8 ; {− 1 ; 0 ; 1 } ; weight 223 ; 223 round Z = 32768 to 16 Z Z 1217 × 8 ; {− 1 ; 0 ; 1 } ; weight 231 ; 231 round Z = 32768 to 8 Z Z [ x ] = ( x 586 + : : : + 1); {− 1 ; 0 ; 1 } ; weight 91 ; 91 round Z = 8192 to 16 Z Z [ x ] = ( x 852 + : : : + 1); {− 1 ; 0 ; 1 } ; weight 106 ; 106 round Z = 4096 to 8 Z Z [ x ] = ( x 1170 + : : : + 1); {− 1 ; 0 ; 1 } ; weight 111 ; 111 round Z = 8192 to 16 Z Z [ x ] = ( x 509 − 1); {− 1 ; 0 ; 1 } ; weight 68 ; 68; ending 0 reduce mod x 508 + : : : + 1; round Z = 1024 to 8 Z Z [ x ] = ( x 757 − 1); {− 1 ; 0 ; 1 } ; weight 121 ; 121; ending 0 reduce mod x 756 + : : : + 1; round Z = 4096 to 16 Z Z [ x ] = ( x 947 − 1); {− 1 ; 0 ; 1 } ; weight 194 ; 194; ending 0 reduce mod x 946 + : : : + 1; round Z = 2048 to 8 Z ( Z [ x ] = ( x 256 + 1)) 2 ; P 0 ≤ i< 10 {− 0 : 5 ; 0 : 5 } round Z = 8192 to 8 Z ( Z [ x ] = ( x 256 + 1)) 3 ; P 0 ≤ i< 8 {− 0 : 5 ; 0 : 5 } round Z = 8192 to 8 Z ( Z [ x ] = ( x 256 + 1)) 4 ; P 0 ≤ i< 6 {− 0 : 5 ; 0 : 5 } round Z = 8192 to 8 Z Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; weight 288 Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; weight 286 Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; weight 322 Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * Z 2 ; P Z 2 ; P 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * Z 3 ; P Z 3 ; P 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 
5; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * Z 4 ; P Z 4 ; P

  13. 6 7 key offset (numerator or noise or rounding method) ciphertext offset Z 640 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) Z 8 × 8 ; {− 12 ; : : : ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) Z 976 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) Z 8 × 8 ; {− 10 ; : : : ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) Z 1344 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) Z 8 × 8 ; {− 6 ; : : : ; 6 : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) ( Z [ x ] = ( x 256 + 1)) 2 ; P Z [ x ] = ( x 256 + 1); 1)) 2 ; P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 3 ; P Z [ x ] = ( x 256 + 1); 1)) 3 ; P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 4 ; P Z [ x ] = ( x 256 + 1); 1)) 4 ; P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 128 ; 128 Z [ x ] = ( x 512 + 1); 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 256 ; 256 Z [ x ] = ( x 1024 + 1); 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 256 ; 256 Z [ x ] = ( x 512 + 1); P Z [ x ] = ( x 512 + 1); 1); P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 1024 + 1); P Z [ x ] = ( x 1024 + 1); 1); P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 509 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 1); {− 1 ; 0 ; 1 } not applicable Z [ x ] = ( x 677 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 1); {− 1 ; 0 ; 1 } not applicable Z [ x ] = ( x 821 − 1); {− 1 ; 0 ; 1 } ; weight 255 ; 255 1); {− 1 ; 0 ; 1 } not applicable Z [ x ] = ( x 701 − 1); {− 1 ; 0 ; 1 } ; key correlation ≥ 0; · ( x − 1) 1); {− 1 ; 0 ; 1 } ; key correlation ≥ 0 not applicable − 1); {− 1 ; 0 ; 1 
} ; weight 252 round {− 2310 ; : : : ; 2310 } to 3 Z bottom 256 coeffs; − 1); {− 1 ; 0 ; 1 } ; weight 250 round {− 2295 ; : : : ; 2295 } to 3 Z bottom 256 coeffs; − 1); {− 1 ; 0 ; 1 } ; weight 281 round {− 2583 ; : : : ; 2583 } to 3 Z bottom 256 coeffs; ; 1 } ; weight 57 ; 57 round Z = 4096 to 8 Z round Z = 4096 to ; 1 } ; weight 223 ; 223 round Z = 32768 to 16 Z round Z = 32768 to 0 ; 1 } ; weight 231 ; 231 round Z = 32768 to 8 Z round Z = 32768 to : : + 1); {− 1 ; 0 ; 1 } ; weight 91 ; 91 round Z = 8192 to 16 Z bottom 128 coeffs; : : + 1); {− 1 ; 0 ; 1 } ; weight 106 ; 106 round Z = 4096 to 8 Z bottom 192 coeffs; : : : + 1); {− 1 ; 0 ; 1 } ; weight 111 ; 111 round Z = 8192 to 16 Z bottom 256 coeffs; reduce mod x 508 + : : : + 1; round Z = 1024 to 8 Z 1); {− 1 ; 0 ; 1 } ; weight 68 ; 68; ending 0 bottom 318 coeffs; reduce mod x 756 + : : : + 1; round Z = 4096 to 16 Z 1); {− 1 ; 0 ; 1 } ; weight 121 ; 121; ending 0 bottom 410 coeffs; reduce mod x 946 + : : : + 1; round Z = 2048 to 8 Z 1); {− 1 ; 0 ; 1 } ; weight 194 ; 194; ending 0 bottom 490 coeffs; 1)) 2 ; P 0 ≤ i< 10 {− 0 : 5 ; 0 : 5 } round Z = 8192 to 8 Z round Z = 8192 to 1)) 3 ; P 0 ≤ i< 8 {− 0 : 5 ; 0 : 5 } round Z = 8192 to 8 Z round Z = 8192 to 1)) 4 ; P 0 ≤ i< 6 {− 0 : 5 ; 0 : 5 } round Z = 8192 to 8 Z round Z = 8192 to Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 − 1); {− 1 ; 0 ; 1 } ; weight 288 not applicable Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 − 1); {− 1 ; 0 ; 1 } ; weight 286 not applicable Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 − 1); {− 1 ; 0 ; 1 } ; weight 322 not applicable 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * Z 2 ; P 0 ≤ i< 312 2 10 Z ; P 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * Z 3 ; P 0 ≤ i< 312 2 10 Z ; P 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } 
; Pr 5 ; 22 ; 5; * Z 4 ; P 0 ≤ i< 312 2 10 Z ; P

  14. 6 7 key offset (numerator or noise or rounding method) ciphertext offset (noise or rounding metho Z 640 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) Z 8 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : ; : : : (spec page 23) Z 976 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) Z 8 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : ; : : : (spec page 23) Z 1344 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) Z 8 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : 364 ; : : : (spec page 23) ( Z [ x ] = ( x 256 + 1)) 2 ; P Z [ x ] = ( x 256 + 1); P ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 3 ; P Z [ x ] = ( x 256 + 1); P ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 4 ; P Z [ x ] = ( x 256 + 1); P ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 128 ; 128 Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1 2 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 6 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 256 ; 256 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 2 ; 1; weight 256 ; 256 Z [ x ] = ( x 512 + 1); P Z [ x ] = ( x 512 + 1); P : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 Z [ x ] = ( x 1024 + 1); P Z [ x ] = ( x 1024 + 1); P 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : Z [ x ] = ( x 509 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 not applicable Z [ x ] = ( x 677 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 not applicable Z [ x ] = ( x 821 − 1); {− 1 ; 0 ; 1 } ; weight 255 ; 255 not applicable Z [ x ] = ( x 701 − 1); {− 1 ; 0 ; 1 } ; key correlation ≥ 0; · ( x − 1) rrelation ≥ 0 not applicable eight 252 round {− 2310 ; : : : ; 2310 } to 3 Z bottom 256 coeffs; 
z �→ ⌊ (114( z + 2156) eight 250 round {− 2295 ; : : : ; 2295 } to 3 Z bottom 256 coeffs; z �→ ⌊ (113( z + 2175) eight 281 round {− 2583 ; : : : ; 2583 } to 3 Z bottom 256 coeffs; z �→ ⌊ (101( z + 2433) round Z = 4096 to 8 Z round Z = 4096 to 64 Z 223 round Z = 32768 to 16 Z round Z = 32768 to 512 Z 231 round Z = 32768 to 8 Z round Z = 32768 to 64 Z weight 91 ; 91 round Z = 8192 to 16 Z bottom 128 coeffs; round Z = 8192 to weight 106 ; 106 round Z = 4096 to 8 Z bottom 192 coeffs; round Z = 4096 to ; weight 111 ; 111 round Z = 8192 to 16 Z bottom 256 coeffs; round Z = 8192 to reduce mod x 508 + : : : + 1; round Z = 1024 to 8 Z eight 68 ; 68; ending 0 bottom 318 coeffs; round Z = 1024 to reduce mod x 756 + : : : + 1; round Z = 4096 to 16 Z eight 121 ; 121; ending 0 bottom 410 coeffs; round Z = 4096 to reduce mod x 946 + : : : + 1; round Z = 2048 to 8 Z eight 194 ; 194; ending 0 bottom 490 coeffs; round Z = 2048 to 5 ; 0 : 5 } round Z = 8192 to 8 Z round Z = 8192 to 1024 Z ; 0 : 5 } round Z = 8192 to 8 Z round Z = 8192 to 512 Z ; 0 : 5 } round Z = 8192 to 8 Z round Z = 8192 to 128 Z Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 eight 288 not applicable Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 eight 286 not applicable Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 eight 322 not applicable 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr Z 2 ; P Z ; P } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 Z 3 ; P Z ; P 13 ; 38 ; 13; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 Z 4 ; P ; 22 ; 5; * Z ; P

  15. 6 7 key offset (numerator or noise or rounding method) ciphertext offset (noise or rounding method) Z 640 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) Z 8 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) Z 976 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) Z 8 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) Z 1344 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) Z 8 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) ( Z [ x ] = ( x 256 + 1)) 2 ; P Z [ x ] = ( x 256 + 1); P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 3 ; P Z [ x ] = ( x 256 + 1); P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 4 ; P Z [ x ] = ( x 256 + 1); P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 128 ; 128 Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 256 ; 256 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1 256 Z [ x ] = ( x 512 + 1); P Z [ x ] = ( x 512 + 1); P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 1024 + 1); P Z [ x ] = ( x 1024 + 1); P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 509 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 not applicable Z [ x ] = ( x 677 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 not applicable Z [ x ] = ( x 821 − 1); {− 1 ; 0 ; 1 } ; weight 255 ; 255 not applicable Z [ x ] = ( x 701 − 1); {− 1 ; 0 ; 1 } ; key correlation ≥ 0; · ( x − 1) not applicable round {− 2310 ; : : : ; 2310 } to 3 Z bottom 256 coeffs; z �→ ⌊ (114( z + 2156) + 16384) = 32768 round {− 2295 ; : : : ; 2295 } to 3 Z bottom 256 coeffs; z �→ ⌊ (113( z + 2175) + 16384) = 32768 round {− 
2583 ; : : : ; 2583 } to 3 Z bottom 256 coeffs; z �→ ⌊ (101( z + 2433) + 16384) = 32768 round Z = 4096 to 8 Z round Z = 4096 to 64 Z round Z = 32768 to 16 Z round Z = 32768 to 512 Z round Z = 32768 to 8 Z round Z = 32768 to 64 Z round Z = 8192 to 16 Z bottom 128 coeffs; round Z = 8192 to 512 Z round Z = 4096 to 8 Z bottom 192 coeffs; round Z = 4096 to 128 Z round Z = 8192 to 16 Z bottom 256 coeffs; round Z = 8192 to 256 Z reduce mod x 508 + : : : + 1; round Z = 1024 to 8 Z bottom 318 coeffs; round Z = 1024 to 64 Z reduce mod x 756 + : : : + 1; round Z = 4096 to 16 Z bottom 410 coeffs; round Z = 4096 to 512 Z reduce mod x 946 + : : : + 1; round Z = 2048 to 8 Z bottom 490 coeffs; round Z = 2048 to 64 Z round Z = 8192 to 8 Z round Z = 8192 to 1024 Z round Z = 8192 to 8 Z round Z = 8192 to 512 Z round Z = 8192 to 8 Z round Z = 8192 to 128 Z Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 not applicable Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 not applicable Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 not applicable 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * Z 2 ; P Z ; P * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * Z 3 ; P Z ; P 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * Z 4 ; P Z ; P

  16. 7 8 key offset (numerator or noise or rounding method) ciphertext offset (noise or rounding method) Z 640 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) Z 8 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) Z 976 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) Z 8 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) Z 1344 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) Z 8 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) ( Z [ x ] = ( x 256 + 1)) 2 ; P Z [ x ] = ( x 256 + 1); P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 3 ; P Z [ x ] = ( x 256 + 1); P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } ( Z [ x ] = ( x 256 + 1)) 4 ; P Z [ x ] = ( x 256 + 1); P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 128 ; 128 Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1; weight 128 ; 128 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 256 ; 256 Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1 Z [ x ] = ( x 512 + 1); P Z [ x ] = ( x 512 + 1); P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 1024 + 1); P Z [ x ] = ( x 1024 + 1); P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 509 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 not applicable Z [ x ] = ( x 677 − 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 not applicable Z [ x ] = ( x 821 − 1); {− 1 ; 0 ; 1 } ; weight 255 ; 255 not applicable Z [ x ] = ( x 701 − 1); {− 1 ; 0 ; 1 } ; key correlation ≥ 0; · ( x − 1) not applicable round {− 2310 ; : : : ; 2310 } to 3 Z bottom 256 coeffs; z �→ ⌊ (114( z + 2156) + 16384) = 32768 ⌋ round {− 2295 ; : : : ; 2295 } to 3 Z bottom 256 coeffs; z �→ ⌊ (113( z + 2175) + 16384) = 32768 ⌋ round {− 2583 ; 
: : : ; 2583 } to 3 Z bottom 256 coeffs; z �→ ⌊ (101( z + 2433) + 16384) = 32768 ⌋ round Z = 4096 to 8 Z round Z = 4096 to 64 Z round Z = 32768 to 16 Z round Z = 32768 to 512 Z round Z = 32768 to 8 Z round Z = 32768 to 64 Z round Z = 8192 to 16 Z bottom 128 coeffs; round Z = 8192 to 512 Z round Z = 4096 to 8 Z bottom 192 coeffs; round Z = 4096 to 128 Z round Z = 8192 to 16 Z bottom 256 coeffs; round Z = 8192 to 256 Z reduce mod x 508 + : : : + 1; round Z = 1024 to 8 Z bottom 318 coeffs; round Z = 1024 to 64 Z reduce mod x 756 + : : : + 1; round Z = 4096 to 16 Z bottom 410 coeffs; round Z = 4096 to 512 Z reduce mod x 946 + : : : + 1; round Z = 2048 to 8 Z bottom 490 coeffs; round Z = 2048 to 64 Z round Z = 8192 to 8 Z round Z = 8192 to 1024 Z round Z = 8192 to 8 Z round Z = 8192 to 512 Z round Z = 8192 to 8 Z round Z = 8192 to 128 Z Z [ x ] = ( x 653 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 not applicable Z [ x ] = ( x 761 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 not applicable Z [ x ] = ( x 857 − x − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 not applicable 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * Z 2 ; P Z ; P 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * Z 3 ; P Z ; P 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * Z 4 ; P Z ; P

  17. 7 8 (numerator or noise or rounding method) ciphertext offset (noise or rounding method) set of encoded messages Z 8 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) 8 × 8 matrix over Z 8 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) 8 × 8 matrix over Z 8 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) 8 × 8 matrix over Z [ x ] = ( x 256 + 1); P 1)) 2 ; P P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 256 { 0 ; 1665 Z [ x ] = ( x 256 + 1); P 1)) 3 ; P P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 256 { 0 ; 1665 Z [ x ] = ( x 256 + 1); P 1)) 4 ; P P 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 256 { 0 ; 1665 Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 128 ; 128 256-dim subcode Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1; weight 128 ; 128 256-dim subcode Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1; weight 256 ; 256 256-dim subcode Z [ x ] = ( x 512 + 1); P 1); P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } P 0 ≤ i< 256 { 0 ; 6145 Z [ x ] = ( x 1024 + 1); P 1); P P 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } 0 ≤ i< 256 { 0 ; 6145 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 not applicable not applicable 1); {− 1 ; 0 ; 1 } ; weight 127 ; 127 not applicable not applicable 1); {− 1 ; 0 ; 1 } ; weight 255 ; 255 not applicable not applicable 1); {− 1 ; 0 ; 1 } ; key correlation ≥ 0; · ( x − 1) not applicable not applicable P ; : : : ; 2310 } to 3 Z bottom 256 coeffs; z �→ ⌊ (114( z + 2156) + 16384) = 32768 ⌋ 0 ≤ i< 256 { 0 ; 2310 P ; : : : ; 2295 } to 3 Z bottom 256 coeffs; z �→ ⌊ (113( z + 2175) + 16384) = 32768 ⌋ 0 ≤ i< 256 { 0 ; 2295 ; : : : ; 
2583 } to 3 Z bottom 256 coeffs; z �→ ⌊ (101( z + 2433) + 16384) = 32768 ⌋ P 0 ≤ i< 256 { 0 ; 2583 to 8 Z round Z = 4096 to 64 Z 8 × 8 matrix over 32768 to 16 Z round Z = 32768 to 512 Z 8 × 8 matrix over 32768 to 8 Z round Z = 32768 to 64 Z 8 × 8 matrix over P to 16 Z bottom 128 coeffs; round Z = 8192 to 512 Z 0 ≤ i< 128 { 0 ; 4096 P to 8 Z bottom 192 coeffs; round Z = 4096 to 128 Z 0 ≤ i< 192 { 0 ; 2048 P to 16 Z bottom 256 coeffs; round Z = 8192 to 256 Z 0 ≤ i< 256 { 0 ; 4096 508 + : : : + 1; round Z = 1024 to 8 Z bottom 318 coeffs; round Z = 1024 to 64 Z 128-dim subcode 756 + : : : + 1; round Z = 4096 to 16 Z bottom 410 coeffs; round Z = 4096 to 512 Z 192-dim subcode 946 + : : : + 1; round Z = 2048 to 8 Z bottom 490 coeffs; round Z = 2048 to 64 Z 256-dim subcode P to 8 Z round Z = 8192 to 1024 Z 0 ≤ i< 256 { 0 ; 4096 P to 8 Z round Z = 8192 to 512 Z 0 ≤ i< 256 { 0 ; 4096 P to 8 Z round Z = 8192 to 128 Z 0 ≤ i< 256 { 0 ; 4096 − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 not applicable not applicable − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 not applicable not applicable − 1); {− 1 ; 0 ; 1 } ; invertible mod 3 not applicable not applicable 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * Z ; P 256-dim subcode 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * Z ; P 256-dim subcode 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * Z ; P 256-dim subcode

  18. 7 8 rounding method) ciphertext offset (noise or rounding method) set of encoded messages Z 8 × 8 ; {− 12 ; : : : ; 12 } ; Pr 1 ; 4 ; 17 ; : : : (spec page 23) ; : : : (spec page 23) 8 × 8 matrix over { 0 ; 8192 ; 16384 ; 24576 Z 8 × 8 ; {− 10 ; : : : ; 10 } ; Pr 1 ; 6 ; 29 ; : : : (spec page 23) ; : : : (spec page 23) 8 × 8 matrix over { 0 ; 8192 ; : : : ; 57344 Z 8 × 8 ; {− 6 ; : : : ; 6 } ; Pr 2 ; 40 ; 364 ; : : : (spec page 23) 364 ; : : : (spec page 23) 8 × 8 matrix over { 0 ; 4096 ; : : : ; 61440 Z [ x ] = ( x 256 + 1); P 0 ≤ i< 256 { 0 ; 1665 } x i P ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 256 + 1); P 0 ≤ i< 256 { 0 ; 1665 } x i P ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 256 + 1); P 0 ≤ i< 256 { 0 ; 1665 } x i P ; 0 : 5 } 0 ≤ i< 4 {− 0 : 5 ; 0 : 5 } Z [ x ] = ( x 512 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1 2 ; 1; weight 128 ; 128 256-dim subcode (see spec) of P 0 ≤ i Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 6 ; 1 256-dim subcode (see spec) of P 6 ; 1; weight 128 ; 128 0 ≤ i Z [ x ] = ( x 1024 + 1); {− 1 ; 0 ; 1 } ; Pr 1 ; 2 ; 1 256-dim subcode (see spec) of P 2 ; 1; weight 256 ; 256 0 ≤ i Z [ x ] = ( x 512 + 1); P 0 ≤ i< 256 { 0 ; 6145 } x i (1 + x 256 ) : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } P Z [ x ] = ( x 1024 + 1); P 0 ≤ i< 256 { 0 ; 6145 } x i (1 + x 256 + x 512 P 0 : 5 } 0 ≤ i< 16 {− 0 : 5 ; 0 : 5 } eight 127 ; 127 not applicable not applicable eight 127 ; 127 not applicable not applicable eight 255 ; 255 not applicable not applicable rrelation ≥ 0; · ( x − 1) not applicable not applicable 0 ≤ i< 256 { 0 ; 2310 } x i P bottom 256 coeffs; z �→ ⌊ (114( z + 2156) + 16384) = 32768 ⌋ 0 ≤ i< 256 { 0 ; 2295 } x i P bottom 256 coeffs; z �→ ⌊ (113( z + 2175) + 16384) = 32768 ⌋ 0 ≤ i< 256 { 0 ; 2583 } x i bottom 256 coeffs; z �→ ⌊ (101( z + 2433) + 16384) = 32768 ⌋ P round Z = 4096 to 64 Z 8 × 8 matrix over { 0 ; 1024 ; 2048 ; 3072 round Z = 32768 to 512 Z 8 × 8 matrix over { 0 ; 4096 ; : : : ; 28672 round Z = 32768 to 64 Z 8 × 8 
matrix over { 0 ; 2048 ; : : : ; 30720 0 ≤ i< 128 { 0 ; 4096 } x i P bottom 128 coeffs; round Z = 8192 to 512 Z 0 ≤ i< 192 { 0 ; 2048 } x i P bottom 192 coeffs; round Z = 4096 to 128 Z 0 ≤ i< 256 { 0 ; 4096 } x i P bottom 256 coeffs; round Z = 8192 to 256 Z Z = 1024 to 8 Z bottom 318 coeffs; round Z = 1024 to 64 Z 128-dim subcode (see spec) of P 0 ≤ i 192-dim subcode (see spec) of P Z = 4096 to 16 Z bottom 410 coeffs; round Z = 4096 to 512 Z 0 ≤ i 256-dim subcode (see spec) of P Z = 2048 to 8 Z bottom 490 coeffs; round Z = 2048 to 64 Z 0 ≤ i 0 ≤ i< 256 { 0 ; 4096 } x i P round Z = 8192 to 1024 Z 0 ≤ i< 256 { 0 ; 4096 } x i P round Z = 8192 to 512 Z 0 ≤ i< 256 { 0 ; 4096 } x i P round Z = 8192 to 128 Z invertible mod 3 not applicable not applicable invertible mod 3 not applicable not applicable invertible mod 3 not applicable not applicable 0 ≤ i< 312 2 10 i {− 2 ; − 1 ; 0 ; 1 ; 2 } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * Z ; P 256-dim subcode (see spec) of P } ; Pr 1 ; 32 ; 62 ; 32 ; 1; * 0 ≤ i 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 13 ; 38 ; 13; * Z ; P 256-dim subcode (see spec) of P 13 ; 38 ; 13; * 0 ≤ i 0 ≤ i< 312 2 10 i {− 1 ; 0 ; 1 } ; Pr 5 ; 22 ; 5; * ; 22 ; 5; * Z ; P 256-dim subcode (see spec) of P 0 ≤ i

  19–20. Survey, continued: ciphertext offset c (noise or rounding method) and set of encoded messages M, per parameter set
      frodo 640:  c: Z^{8×8}; {−12, …, 12}; Pr 1, 4, 17, … (spec page 23).  M: 8×8 matrix over {0, 8192, 16384, 24576}
      frodo 976:  c: Z^{8×8}; {−10, …, 10}; Pr 1, 6, 29, … (spec page 23).  M: 8×8 matrix over {0, 8192, …, 57344}
      frodo 1344: c: Z^{8×8}; {−6, …, 6}; Pr 2, 40, 364, … (spec page 23).  M: 8×8 matrix over {0, 4096, …, 61440}
      kyber 512, 768, 1024: c: Z[x]/(x^256 + 1); Σ_{0≤i<4} {−0.5, 0.5}.  M: Σ_{0≤i<256} {0, 1665} x^i
      lac 128: c: Z[x]/(x^512 + 1); {−1, 0, 1}; Pr 1, 2, 1.  M: 256-dim subcode (see spec) of Σ_{0≤i<512} {0, 126} x^i
      lac 192: c: Z[x]/(x^1024 + 1); {−1, 0, 1}; Pr 1, 6, 1.  M: 256-dim subcode (see spec) of Σ_{0≤i<1024} {0, 126} x^i
      lac 256: c: Z[x]/(x^1024 + 1); {−1, 0, 1}; Pr 1, 2, 1.  M: 256-dim subcode (see spec) of Σ_{0≤i<1024} {0, 126} x^i
      newhope 512:  c: Z[x]/(x^512 + 1); Σ_{0≤i<16} {−0.5, 0.5}.  M: Σ_{0≤i<256} {0, 6145} x^i (1 + x^256)
      newhope 1024: c: Z[x]/(x^1024 + 1); Σ_{0≤i<16} {−0.5, 0.5}.  M: Σ_{0≤i<256} {0, 6145} x^i (1 + x^256 + x^512 + x^768)
      ntru hps2048509, hps2048677, hps4096821, hrss701: c, M: not applicable
      ntrulpr 653: c: bottom 256 coeffs; z ↦ ⌊(114(z + 2156) + 16384)/32768⌋.  M: Σ_{0≤i<256} {0, 2310} x^i
      ntrulpr 761: c: bottom 256 coeffs; z ↦ ⌊(113(z + 2175) + 16384)/32768⌋.  M: Σ_{0≤i<256} {0, 2295} x^i
      ntrulpr 857: c: bottom 256 coeffs; z ↦ ⌊(101(z + 2433) + 16384)/32768⌋.  M: Σ_{0≤i<256} {0, 2583} x^i
      round5n1 1: c: round Z/4096 to 64Z.  M: 8×8 matrix over {0, 1024, 2048, 3072}
      round5n1 3: c: round Z/32768 to 512Z.  M: 8×8 matrix over {0, 4096, …, 28672}
      round5n1 5: c: round Z/32768 to 64Z.  M: 8×8 matrix over {0, 2048, …, 30720}
      round5nd 1.0d: c: bottom 128 coeffs; round Z/8192 to 512Z.  M: Σ_{0≤i<128} {0, 4096} x^i
      round5nd 3.0d: c: bottom 192 coeffs; round Z/4096 to 128Z.  M: Σ_{0≤i<192} {0, 2048} x^i
      round5nd 5.0d: c: bottom 256 coeffs; round Z/8192 to 256Z.  M: Σ_{0≤i<256} {0, 4096} x^i
      round5nd 1.5d: c: bottom 318 coeffs; round Z/1024 to 64Z.  M: 128-dim subcode (see spec) of Σ_{0≤i<318} {0, 512} x^i
      round5nd 3.5d: c: bottom 410 coeffs; round Z/4096 to 512Z.  M: 192-dim subcode (see spec) of Σ_{0≤i<410} {0, 2048} x^i
      round5nd 5.5d: c: bottom 490 coeffs; round Z/2048 to 64Z.  M: 256-dim subcode (see spec) of Σ_{0≤i<490} {0, 1024} x^i
      saber light: c: round Z/8192 to 1024Z.  M: Σ_{0≤i<256} {0, 4096} x^i
      saber main:  c: round Z/8192 to 512Z.  M: Σ_{0≤i<256} {0, 4096} x^i
      saber fire:  c: round Z/8192 to 128Z.  M: Σ_{0≤i<256} {0, 4096} x^i
      sntrup 653, 761, 857: c, M: not applicable
      threebears baby: c: Z; Σ_{0≤i<312} 2^{10i} {−2, −1, 0, 1, 2}; Pr 1, 32, 62, 32, 1 (*).  M: 256-dim subcode (see spec) of Σ_{0≤i<274} {0, 512} 2^{10i}
      threebears mama: c: Z; Σ_{0≤i<312} 2^{10i} {−1, 0, 1}; Pr 13, 38, 13 (*).  M: 256-dim subcode (see spec) of Σ_{0≤i<274} {0, 512} 2^{10i}
      threebears papa: c: Z; Σ_{0≤i<312} 2^{10i} {−1, 0, 1}; Pr 5, 22, 5 (*).  M: 256-dim subcode (see spec) of Σ_{0≤i<274} {0, 512} 2^{10i}

  24. Attacking these problems
      Attack strategy with reputation of usually being best: “primal” strategy. Focus of this talk.
      Normal layers in analysis:
      - Analysis of lattices to attack systems
      - “Approximate-SVP” analysis
      - “SVP” analysis
      - Model of computation

  31. Models of computation
      Multitape Turing machine: e.g., sort N ints, each N^{o(1)} bits, in time N^{1+o(1)}, space N^{1+o(1)}.
      Brent–Kung 2D circuit model allows parallelism—e.g., sort in time N^{0.5+o(1)}, space N^{1+o(1)}.
      PRAM: multiple inequivalent definitions, untethered to physical explanations. Sort in time N^{o(1)}.
      Quantum computing: similar divergence of models.

  37. Lattices
      Rewrite each problem as finding short nonzero solution to system of homogeneous R/q equations.
      Problem 1: Find (a, e) ∈ R^2 with aG + e = 0, given G ∈ R/q.
      Problem 2: Find (a, t, e) ∈ R^3 with aG + e = At, given G, A ∈ R/q.
      Problem 3: Find (a, t1, t2, e1, e2) ∈ R^5 with aG1 + e1 = A1 t1, aG2 + e2 = A2 t2, given G1, A1, G2, A2 ∈ R/q.

  43. Recognize each solution space as a full-rank lattice:
      Problem 1: Lattice is image of the map (a, r) ↦ (a, qr − aG) from R^2 to R^2.
      Problem 2: Lattice is image of the map (a, t, r) ↦ (a, t, At + qr − aG).
      Problem 3: Lattice is image of the map (a, t1, t2, r1, r2) ↦ (a, t1, t2, A1 t1 + q r1 − aG1, A2 t2 + q r2 − aG2).

  49. Module structure
      Each of these lattices is an R-module, and thus has, generically, many independent short vectors.
      e.g. in Problem 2: Lattice has short (a, t, e). Lattice has short (xa, xt, xe). Lattice has short (x^2 a, x^2 t, x^2 e). etc.
      Many more lattice vectors are fairly short combinations of independent vectors: e.g., ((x + 1)a, (x + 1)t, (x + 1)e).
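Added example, not from the Bernstein–Lange slides: the Problem 1 lattice of the “Lattices”, “Recognize each solution space as a full-rank lattice” and “Module structure” slides, written out in Python for a toy ring so that the basis, membership and the x-rotations can be checked exactly. The toy sizes R = Z[x]/(x^7 − x − 1) and q = 31 are assumptions chosen only to keep the matrices small (the slides use 761 and 4591); the instance (a, e, G) is constructed here, and all helper names are mine.

```python
"""Problem 1 lattice {(a, qr - aG) : a, r in R} for a toy ring (added example)."""
import math
import random

N = 7    # toy ring degree; the slides use 761 (assumed small size for illustration)
Q = 31   # toy modulus; the slides use 4591 (assumed)

def ring_mul(a, b):
    """Exact product in R = Z[x]/(x^N - x - 1)."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for i in range(2 * N - 2, N - 1, -1):   # fold x^i = x^(i-N) * (x + 1)
        c, prod[i] = prod[i], 0
        prod[i - N + 1] += c
        prod[i - N] += c
    return prod[:N]

def x_times(a):
    """Multiply by x: the rotation used on the "Module structure" slide."""
    return ring_mul([0, 1] + [0] * (N - 2), a)

def mul_matrix(a):
    """Rows x^i * a, so that (coeffs of b) @ mul_matrix(a) == coeffs of b*a."""
    rows, xi = [], [1] + [0] * (N - 1)
    for _ in range(N):
        rows.append(ring_mul(xi, a))
        xi = x_times(xi)
    return rows

def solve_mod_q(M, rhs):
    """Solve v @ M == rhs (mod Q) by Gaussian elimination; None if M is singular mod Q."""
    A = [[M[r][c] % Q for r in range(N)] + [rhs[c] % Q] for c in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, Q)
        A[col] = [(v * inv) % Q for v in A[col]]
        for r in range(N):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(vr - f * vc) % Q for vr, vc in zip(A[r], A[col])]
    return [A[r][N] for r in range(N)]

def make_problem1_instance(seed=1):
    """Constructed instance: small a, e in {-1,0,1}^N and the public G = -e/a mod Q."""
    rng = random.Random(seed)
    while True:
        a = [rng.choice((-1, 0, 1)) for _ in range(N)]
        e = [rng.choice((-1, 0, 1)) for _ in range(N)]
        G = solve_mod_q(mul_matrix(a), [-v for v in e])   # a*G == -e (mod Q)
        if G is not None and any(e):
            return a, e, G

def problem1_basis(G):
    """Basis rows: a = x^i gives (x^i, -x^i G); r = x^j gives (0, Q x^j). Rank 2N."""
    top = [[int(j == i) for j in range(N)] + [-c for c in row]
           for i, row in enumerate(mul_matrix(G))]
    bottom = [[0] * N + [Q * int(j == i) for j in range(N)] for i in range(N)]
    return top + bottom

def coordinates_in_lattice(a, e, G):
    """Integer coordinates (a, r) with (a, r) @ basis == (a, e), or None when
    aG + e != 0 mod Q, i.e. when (a, e) is not a lattice vector."""
    s = [u + v for u, v in zip(ring_mul(a, G), e)]   # aG + e over the integers
    if any(v % Q for v in s):
        return None
    return list(a) + [v // Q for v in s]             # r = (aG + e)/Q is exact

def vec_mul(coords, basis):
    return [sum(c * row[j] for c, row in zip(coords, basis)) for j in range(2 * N)]

def norm(v):
    return math.sqrt(sum(t * t for t in v))

def rotation_lengths(seed=1):
    """Check that (x^i a, x^i e), i < N, are all lattice vectors; return their lengths."""
    a, e, G = make_problem1_instance(seed)
    basis = problem1_basis(G)
    lengths, ra, re = [], list(a), list(e)
    for _ in range(N):
        coords = coordinates_in_lattice(ra, re, G)
        assert coords is not None and vec_mul(coords, basis) == ra + re
        lengths.append(norm(ra + re))
        ra, re = x_times(ra), x_times(re)
    return lengths

if __name__ == "__main__":
    a, e, G = make_problem1_instance()
    print("a =", a, "e =", e, "G =", G)
    print("lattice rank:", len(problem1_basis(G)))
    print("lengths of (a,e), x(a,e), x^2(a,e), ...:", [round(l, 2) for l in rotation_lengths()])
```

The rotations stay short because multiplication by x in Z[x]/(x^N − x − 1) only shifts coefficients and folds the top one into two low positions; that is the concrete reason the “Module structure” slide can promise many independent short vectors rather than a single one.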

  55. 2001 May–Silverman, for Problem 1: Force a few coefficients of a to be 0. This reduces lattice rank, speeding up various attacks, despite lower success chance.
      (Always a speedup? Seems to be a slowdown if q is very large.)
      Other problems: same speedup. e.g. Problem 2: Force many coefficients of (a, t) to be 0.
      Bai–Galbraith special case: Force t = 1, and force a few coefficients of a to be 0. (Also slowdown if q is very large?)

  56. 14 15 dule structure 2001 May–Silverman, for Problem Standard 1: Force a few coefficients of of these lattices is an R - Lattice has a to be 0. This reduces lattice dule, and thus has, generically, Uniform rank, speeding up various attacks, independent short vectors. secret a despite lower success chance. Problem 2: (Always a speedup? Seems to be Lattice has short ( a; t; e ). a slowdown if q is very large.) Lattice has short ( xa; xt; xe ). Lattice has short ( x 2 a; x 2 t; x 2 e ). Other problems: same speedup. e.g. Problem 2: Force many coefficients of ( a; t ) to be 0. more lattice vectors Bai–Galbraith special case: airly short combinations Force t = 1, and force independent vectors: a few coefficients of a to be 0. (( x + 1) a; ( x + 1) t; ( x + 1) e ). (Also slowdown if q is very large?)

  57. 14 15 structure 2001 May–Silverman, for Problem Standard analysis fo 1: Force a few coefficients of lattices is an R - Lattice has rank 2 a to be 0. This reduces lattice thus has, generically, Uniform random small rank, speeding up various attacks, endent short vectors. secret a has length despite lower success chance. 2: (Always a speedup? Seems to be rt ( a; t; e ). a slowdown if q is very large.) rt ( xa; xt; xe ). rt ( x 2 a; x 2 t; x 2 e ). Other problems: same speedup. e.g. Problem 2: Force many coefficients of ( a; t ) to be 0. lattice vectors Bai–Galbraith special case: combinations Force t = 1, and force vectors: a few coefficients of a to be 0. x + 1) t; ( x + 1) e ). (Also slowdown if q is very large?)

  58. 14 15 2001 May–Silverman, for Problem Standard analysis for Problem 1: Force a few coefficients of R - Lattice has rank 2 · 761 = 1522. a to be 0. This reduces lattice generically, Uniform random small weight- rank, speeding up various attacks, secret a has length √ w ≈ 17. vectors. despite lower success chance. (Always a speedup? Seems to be a slowdown if q is very large.) e ). ; x 2 e ). Other problems: same speedup. e.g. Problem 2: Force many coefficients of ( a; t ) to be 0. Bai–Galbraith special case: combinations Force t = 1, and force a few coefficients of a to be 0. + 1) e ). (Also slowdown if q is very large?)

  65. 16 Standard analysis for Problem 1. Lattice has rank 2 · 761 = 1522. Uniform random small weight-w secret a has length √w ≈ 17. Uniform random small secret e has length usually close to √(1522/3) ≈ 23. (What if it's smaller? What if it's larger? Does fixed weight change security?) Attack parameter: k = 13. Force k positions in a to be 0: restrict to sublattice of rank 1509. Pr[a is in sublattice] ≈ 0.2%.

  72. 17 Attacker is just as happy to find another solution such as (xa; xe). Standard analysis for, e.g., Z[x]/(x^761 − 1): Each (x^j a; x^j e) has chance ≈ 0.2% of being in sublattice. These 761 chances are independent. (No, they aren't; also, total Pr depends on attacker's choice of positions.) Ignore bigger solutions (αa; αe). (How hard are these to find?) Pretend this analysis applies to Z[x]/(x^761 − x − 1). (It doesn't.)

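The forcing step of slides 15–16 and the "761 independent chances" claim of slides 14 and 17, as an added example that is not part of the slides: it computes the exact Pr[a is in sublattice] for p = 761, w = 286, k = 13, the figure the standard analysis derives from it by treating the 761 rotations as independent, a Monte Carlo estimate of the true probability that some rotation x^j a in Z[x]/(x^761 − 1) lands in the sublattice for two choices of forced positions, and a count of how many x^j a are still {−1, 0, 1} vectors in Z[x]/(x^761 − x − 1). The two position choices, the trial counts and the seeds are assumptions of the example, not anything the slides specify.

```python
import math
import random

P = 761   # ring degree: Z[x]/(x^761 - x - 1) on the slides
W = 286   # weight of the small secret a (nonzero coefficients)
K = 13    # attack parameter: positions of a forced to 0


def forcing_success_prob(p=P, w=W, k=K):
    """Exact Pr[a is in the rank-(2p-k) sublattice]: all k forced positions
    must fall among the p-w zero coefficients of a (hypergeometric)."""
    return math.comb(p - w, k) / math.comb(p, k)


def naive_any_rotation_prob(p_single, n=P):
    """Slide 17's standard analysis: n rotations, each independently in the
    sublattice with probability p_single, so Pr[some rotation] = 1-(1-p)^n."""
    return 1 - (1 - p_single) ** n


def random_weight_w_vector(rng, p=P, w=W):
    """Uniform random vector in {-1,0,1}^p with exactly w nonzero entries."""
    a = [0] * p
    for i in rng.sample(range(p), w):
        a[i] = rng.choice((-1, 1))
    return a


def sample_secret(seed=3):
    """Constructed sample secret a for the demonstration (assumed seed)."""
    return random_weight_w_vector(random.Random(seed))


def random_positions(k=K, seed=7, p=P):
    """A random choice of k forced positions (assumed attacker strategy)."""
    return random.Random(seed).sample(range(p), k)


def some_rotation_in_sublattice(a, positions):
    """In Z[x]/(x^p - 1), x^j a is the cyclic rotation (x^j a)_t = a_{t-j}.
    True if some rotation is 0 on every forced position."""
    p = len(a)
    return any(all(a[(s - j) % p] == 0 for s in positions) for j in range(p))


def estimate_any_rotation_prob(positions, trials=2000, seed=1):
    """Monte Carlo estimate of Pr[some x^j a is in the sublattice]."""
    rng = random.Random(seed)
    hits = sum(some_rotation_in_sublattice(random_weight_w_vector(rng), positions)
               for _ in range(trials))
    return hits / trials


def times_x_mod_ntruprime(v):
    """Multiply by x in Z[x]/(x^p - x - 1): x^p = x + 1, so the top
    coefficient wraps into positions 0 and 1 instead of just position 0."""
    top = v[-1]
    out = [top] + v[:-1]
    out[1] += top
    return out


def count_small_x_multiples(a, j_max=P):
    """Number of j in [0, j_max) for which x^j a is still a {-1,0,1} vector
    in Z[x]/(x^p - x - 1).  In Z[x]/(x^p - 1) the answer would be j_max."""
    v = list(a)
    small = 0
    for _ in range(j_max):
        if max(abs(c) for c in v) <= 1:
            small += 1
        v = times_x_mod_ntruprime(v)
    return small


if __name__ == "__main__":
    p1 = forcing_success_prob()
    print(f"Pr[a in sublattice]            = {p1:.4%}")
    print(f"naive 1-(1-p)^761              = {naive_any_rotation_prob(p1):.3f}")
    for name, pos in (("13 consecutive positions", list(range(K))),
                      ("13 random positions", random_positions())):
        print(f"Monte Carlo, {name}: {estimate_any_rotation_prob(pos):.3f}")
    a = sample_secret()
    print(f"x^j a still small in Z[x]/(x^761-x-1): "
          f"{count_small_x_multiples(a)} of {P} values of j")
```

Two things the printout makes concrete. In Z[x]/(x^761 − 1) the rotations are far from independent: with 13 consecutive forced positions, "some rotation is in the sublattice" is the event that a has a cyclic run of 13 zeros, and its probability is well below the 1 − (1 − p)^761 figure, while 13 scattered positions give a different, higher number, which is the "depends on attacker's choice of positions" remark. In Z[x]/(x^761 − x − 1) the premise fails earlier: x^761 = x + 1 makes x^j a a sum of shifted copies of a, so only a handful of small j give a {−1, 0, 1} vector at all, and the 761 extra solutions the analysis counts are not there to be found.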
  78. 18 Write equation e = qr − aG as 761 equations on coefficients. Attack parameter: m = 600. Ignore 761 − m = 161 equations: i.e., project e onto 600 positions. Projected sublattice rank d = 1509 − 161 = 1348; det q^600. Attack parameter: λ = 1.331876. Rescaling: Assign weight λ to positions in a. Increases length of a to λ√w ≈ 23; increases det to λ^748 q^600. (Is this λ optimal? Interaction with e size variation?)

  84. 19 Lattice-basis reduction. Attack parameter: β = 525. Use BKZ-β algorithm to reduce lattice basis. (What about alternatives to BKZ?) Standard analysis of BKZ-β: “Normally” finds nonzero vector of length δ^d (det L)^{1/d} where δ = (β(πβ)^{1/β}/(2πe))^{1/(2(β − 1))}. (This δ formula is an asymptotic claim without claimed error bounds. Does not match experiments for specific d.)

  86. 20 Standard analysis, continued: “Geometric-series assumption” holds. (What about deviations identified in 2018 experiments?) BKZ-β finds unique (mod ±) shortest nonzero vector ⇔ length ≤ δ^{2β − d} (det L)^{1/d} √(d/β). (What about deviations identified in 2017 experiments?) Hence the attack finds (a; e), assuming forcing worked. If it didn't, retry. (Are these tries independent? Should they use new parameters? Grover?)

  87. 21 How long […] Standard […] 2^{153.3} op[…]

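The numbers on slides 18–20, recomputed as an added example that is not part of the slides: it takes the slides' parameters k = 13, m = 600, λ = 1.331876 and β = 525 for p = 761, q = 4591, w = 286, builds the rank and determinant of the projected, rescaled sublattice, evaluates the δ formula, the "normally finds" length and the unique-shortest-vector threshold exactly as printed, and scans for the smallest β that passes the threshold. Using the same 2/3 nonzero density for the projected e that the slide uses for the full e, and treating the printed threshold as the success condition, are assumptions of the example; the slides' own questions about the δ formula and the geometric-series assumption apply to every number it prints.

```python
import math

P, Q, W = 761, 4591, 286   # ring degree, modulus, secret weight (slides)


def root_hermite_factor(beta):
    """Slide 19: delta = (beta (pi beta)^(1/beta) / (2 pi e))^(1/(2(beta-1)))."""
    return (beta * (math.pi * beta) ** (1 / beta)
            / (2 * math.pi * math.e)) ** (1 / (2 * (beta - 1)))


def attack_lattice(k=13, m=600, lam=1.331876, p=P, q=Q, w=W):
    """Slide 18: force k positions of a to 0, keep m of the p coefficient
    equations, rescale the a-part by lam.  Returns (d, log det L, target)."""
    d = (p - k) + m                                       # 748 + 600 = 1348
    log_det = (p - k) * math.log(lam) + m * math.log(q)   # det = lam^748 q^600
    len_a = lam * math.sqrt(w)                            # fixed weight: |a| = sqrt(w)
    len_e = math.sqrt(2 * m / 3)                          # {-1,0,1} uniform: E|e_m|^2 = 2m/3
    target = math.hypot(len_a, len_e)                     # length of (lam*a, e projected)
    return d, log_det, target


def det_root(d, log_det):
    """(det L)^(1/d)."""
    return math.exp(log_det / d)


def bkz_normal_length(beta, d, log_det):
    """Slide 19: BKZ-beta 'normally' finds a vector of length delta^d det^(1/d)."""
    return root_hermite_factor(beta) ** d * det_root(d, log_det)


def usvp_threshold(beta, d, log_det):
    """Slide 20: BKZ-beta finds the unique shortest vector iff its length is
    at most delta^(2 beta - d) det^(1/d) sqrt(d / beta)."""
    delta = root_hermite_factor(beta)
    return delta ** (2 * beta - d) * det_root(d, log_det) * math.sqrt(d / beta)


def minimal_beta(d, log_det, target, lo=50, hi=None):
    """Smallest block size for which the threshold reaches the target length."""
    hi = d if hi is None else hi
    for beta in range(lo, hi + 1):
        if usvp_threshold(beta, d, log_det) >= target:
            return beta
    return None


if __name__ == "__main__":
    d, log_det, target = attack_lattice()
    print(f"d = {d}, det^(1/d) = {det_root(d, log_det):.3f}, "
          f"target (lam*a, e) length = {target:.3f}")
    for beta in (515, 520, 525, 530):
        print(f"beta={beta}: delta={root_hermite_factor(beta):.6f}, "
              f"'normal' length={bkz_normal_length(beta, d, log_det):.1f}, "
              f"uSVP threshold={usvp_threshold(beta, d, log_det):.3f}")
    print("smallest beta passing the threshold:", minimal_beta(d, log_det, target))
```

Running it shows why λ = 1.331876 was chosen: λ²·w = 1522/3, so the rescaled a has the same expected length as the full e, and the target (λa, e projected to 600 positions) comes out near 30.1 in a rank-1348 lattice with (det L)^{1/d} ≈ 50. The "normally finds" length at β = 525 is in the thousands, so it is the uniqueness threshold, not the Hermite-factor bound, that decides the block size, and for these inputs that threshold lands within a few hundredths of a percent of the target. The threshold grows by roughly half a percent per unit of β, so an error of that size in δ, in the projected-e length, or in the geometric-series assumption moves the "standard" minimal β by one or more, which is the point of the parenthetical questions on slides 18–20.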