Exploring the parameter space in lattice attacks

Daniel J. Bernstein, Tanja Lange

Based on attack survey from 2019 Bernstein–Chuengsatiansup–Lange–van Vredendaal.

Some hard lattice meta-problems:
- Analyze cost of known attacks.
- Optimize attack parameters.
- Compare different attacks.
- Evaluate crypto parameters.
- Evaluate crypto designs.

sntrup761 evaluations from “NTRU Prime: round 2” Table 2 (security levels, pre-quantum / post-quantum):

Ignoring cost of memory:
- 368 / 185: enum, ignoring hybrid
- 230 / 169: enum, including hybrid
- 153 / 139: sieving, ignoring hybrid
- 153 / 139: sieving, including hybrid

Accounting for cost of memory:
- 368 / 185: enum, ignoring hybrid
- 277 / 169: enum, including hybrid
- 208 / 208: sieving, ignoring hybrid
- 208 / 180: sieving, including hybrid

Analysis of typical lattice attack has complications at four layers, and at interfaces between layers. This talk emphasizes top layer.
- Analysis of lattices to attack cryptosystems
- “Approximate-SVP” analysis
- analysis
- Model of computation

Three typical attack problems

Define $R = \mathbb{Z}[x]/(x^{761} - x - 1)$; “small” = all coeffs in $\{-1, 0, 1\}$; $w = 286$; $q = 4591$.

Attacker wants to find small weight-$w$ secret $a \in R$.
- Problem 1: Public $G \in R/q$ with $aG + e = 0$. Small secret $e \in R$.
- Problem 2: Public $G \in R/q$ and $aG + e = A$. Small secret $e \in R$.
- Problem 3: Public $G_1, G_2 \in R/q$. Public $aG_1 + e_1$, $aG_2 + e_2$. Small secrets $e_1, e_2 \in R$.

Examples of target cryptosystems

Secret key: small $a$; small $e$. Public key reveals multiplier $G$ and approximation $A = aG + e$.

Public key for “NTRU” (1996 Hoffstein–Pipher–Silverman): $G = -e/a$, and $A = 0$.

Public key for “Ring-LWE” (2010 Lyubashevsky–Peikert–Regev): random $G$, and $A = aG + e$.

Recognize similarity + credits: “NTRU” ⇒ Quotient NTRU. “Ring-LWE” ⇒ Product NTRU.

Encryption for Quotient NTRU: Input small $b$, small $d$. Ciphertext: $B = 3bG + d$.

Encryption for Product NTRU: Input encoded message $M$. Randomly generate small $b$, small $d$, small $c$. Ciphertext: $B = bG + d$ and $C = bA + M + c$.

2019 Bernstein “Comparing proofs of security for lattice-based encryption” includes survey of $G, a, e, c, M$ details and variants in NISTPQC submissions.

Lattices

Rewrite each problem as finding short nonzero solution to system of homogeneous $R/q$ equations.
- Problem 1: Find $(a, e) \in R^2$ with $aG + e = 0$, given $G \in R/q$.
- Problem 2: Find $(a, t, e) \in R^3$ with $aG + e = At$, given $G, A \in R/q$.
- Problem 3: Find $(a, t_1, t_2, e_1, e_2) \in R^5$ with $aG_1 + e_1 = A_1 t_1$, $aG_2 + e_2 = A_2 t_2$, given $G_1, A_1, G_2, A_2 \in R/q$.

Recognize each solution space as a full-rank lattice:
- Problem 1: Lattice is image of the map $(a, r) \mapsto (a, qr - aG)$ from $R^2$ to $R^2$.
- Problem 2: Lattice is image of the map $(a, t, r) \mapsto (a, t, At + qr - aG)$.
- Problem 3: Lattice is image of the map $(a, t_1, t_2, r_1, r_2) \mapsto (a, t_1, t_2, A_1 t_1 + qr_1 - aG_1, A_2 t_2 + qr_2 - aG_2)$.

Module structure

Each of these lattices is an $R$-module, and thus has, generically, many independent short vectors. e.g. in Problem 2:
- Lattice has short $(a, t, e)$.
- Lattice has short $(xa, xt, xe)$.
- Lattice has short $(x^2 a, x^2 t, x^2 e)$.
- etc.

Many more lattice vectors are fairly short combinations of independent vectors: e.g., $((x + 1)a, (x + 1)t, (x + 1)e)$.
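
The module structure can be checked directly on a toy instance. The following is an added example, not code from the talk: it builds a Problem 2 instance in $\mathbb{Z}[x]/(x^p - x - 1)$ and tests membership of $(a, 1, e)$ and its multiples in the lattice. The toy sizes p = 7, q = 31, the secrets, and all function names are assumptions chosen so the check runs instantly.

```python
# Added example (not from the slides): toy Problem 2 lattice and its R-module
# structure. P = 7 and Q = 31 are constructed toy values standing in for the
# slides' 761 and 4591; the secrets below are constructed as well.
import random

P, Q = 7, 31


def ring_mul(f, g, p=P):
    """Multiply f*g in Z[x]/(x^p - x - 1); coefficient lists, lowest degree first."""
    prod = [0] * (2 * p - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            prod[i + j] += fi * gj
    # Reduce with x^p = x + 1: x^i contributes to x^(i-p) and x^(i-p+1).
    for i in range(2 * p - 2, p - 1, -1):
        prod[i - p] += prod[i]
        prod[i - p + 1] += prod[i]
        prod[i] = 0
    return prod[:p]


def ring_add(f, g):
    return [x + y for x, y in zip(f, g)]


def problem2_public(a, e, G, q=Q):
    """Public approximation A = aG + e in R/q (the 'Ring-LWE' key shape)."""
    return [c % q for c in ring_add(ring_mul(a, G), e)]


def in_lattice(a, t, e, G, A, q=Q):
    """(a, t, e) lies in the Problem 2 lattice iff aG + e = At in R/q,
    i.e. e = At + qr - aG for some r in R."""
    lhs = ring_add(ring_mul(a, G), e)
    rhs = ring_mul(A, t)
    return all((l - r) % q == 0 for l, r in zip(lhs, rhs))


def scale(m, vec):
    """Module action: multiply every component of a lattice vector by m in R."""
    return tuple(ring_mul(m, comp) for comp in vec)


def norm_sq(vec):
    """Squared Euclidean length of a vector of ring elements."""
    return sum(c * c for comp in vec for c in comp)


ONE = [1] + [0] * (P - 1)
X = [0, 1] + [0] * (P - 2)
X_PLUS_1 = [1, 1] + [0] * (P - 2)

SECRET_A = [1, 0, -1, 0, 0, 1, 0]      # small secret a (constructed)
SECRET_E = [0, 1, 1, 0, -1, 0, 0]      # small secret e (constructed)
_rng = random.Random(2021)             # fixed seed: reproducible public G
G_PUB = [_rng.randrange(Q) for _ in range(P)]
A_PUB = problem2_public(SECRET_A, SECRET_E, G_PUB)
SHORT = (SECRET_A, ONE, SECRET_E)      # the short vector (a, t, e) with t = 1

if __name__ == "__main__":
    for name, m in (("1", ONE), ("x", X), ("x+1", X_PLUS_1)):
        v = scale(m, SHORT)
        print(f"{name:>3} * (a, t, e): in lattice = "
              f"{in_lattice(*v, G_PUB, A_PUB)}, squared length = {norm_sq(v)}")
    # For scale: the lattice vector (0, 0, q) has squared length q^2.
    print("squared length of (0, 0, q):", Q * Q)
```
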

1999 May, for Problem 1: Force a stretch of coefficients of $a$ to be 0. This reduces lattice rank, speeding up various attacks, despite lower success chance. (Always a speedup? Seems to be a slowdown if $q$ is very large: see 2016 Kirchner–Fouque.)

Other problems: same speedup. e.g. “Bai–Galbraith embedding” for Problem 2: Force $t \in \mathbb{Z}$; force a few coefficients of $a$ to be 0. (Slowdown if $q$ is very large? Literature misses module option!)

Standard analysis for Problem 1

Uniform random small weight-$w$ secret $a$ has length $\sqrt{w} \approx 17$.

Uniform random small secret $e$ has length usually close to $\sqrt{1522/3} \approx 23$. (Impact of variations? Partial answer: 2020 Dachman-Soled–Ducas–Gong–Rossi. Is fixed weight safer?)

Lattice has rank $2 \cdot 761 = 1522$.

Attack parameter: $k = 13$. Force $k$ positions in $a$ to be 0: restrict to sublattice of rank 1509. $\Pr[a \text{ is in sublattice}] \approx 0.2\%$.
Attacker is just as happy to find another solution such as $(xa, xe)$.
Standard analysis for, e.g., $\mathbf{Z}[x]/(x^{761} - 1)$: Each $(x^j a, x^j e)$ has chance $\approx 0.2\%$ of being in sublattice. These 761 chances are independent. (No, they aren’t; also, total Pr depends on attacker’s choice of positions. See 2001 May–Silverman.)
Ignore bigger solutions $(\alpha a, \alpha e)$. (How hard are these to find?)
Pretend this analysis applies to $\mathbf{Z}[x]/(x^{761} - x - 1)$. (It doesn’t.)
11
Write equation $e = qr - aG$ as 761 equations on coefficients.
Attack parameter: $m = 600$. Ignore $761 - m = 161$ equations: i.e., project $e$ onto 600 positions. (1999 May.) Sublattice rank $d = 1509 - 161 = 1348$; det $q^{600}$.
Attack parameter: $\lambda = 1.331876$. Rescaling (1997 Coppersmith–Shamir): Assign weight $\lambda$ to positions in $a$. Increases length of $a$ to $\lambda\sqrt{w} \approx 23$; increases det to $\lambda^{748} q^{600}$. (Is this $\lambda$ optimal? Interaction with $e$ size variation?)
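An added example, not from the slides: it recomputes the quoted numbers and brute-forces a toy ring $\mathbf{Z}[x]/(x^7 - 1)$ to show that the rotation chances are not independent and that the total depends on which positions are forced to 0. Function names are hypothetical; $w = 286$ is the published sntrup761 weight, which the slides do not state; the formula for $\lambda$ is inferred here because it reproduces the slides' 1.331876.

```python
from fractions import Fraction
from itertools import combinations
from math import comb, sqrt

def p_single(p, w, k):
    """Exact Pr[a weight-w secret is 0 on k fixed positions] (hypergeometric)."""
    return Fraction(comb(p - k, w), comb(p, w))

def p_naive(p, w, k):
    """The 'standard analysis': treat the p rotations x^j a as independent trials."""
    return 1 - (1 - p_single(p, w, k)) ** p

def p_exact(p, w, zero_positions):
    """Exact Pr, over all weight-w supports, that some rotation of a in
    Z[x]/(x^p - 1) is 0 on zero_positions. Brute force, toy sizes only."""
    forced = set(zero_positions)
    good = 0
    for support in combinations(range(p), w):
        # rotation by j moves the nonzero coefficient at s to (s + j) mod p
        if any(all((s + j) % p not in forced for s in support) for j in range(p)):
            good += 1
    return Fraction(good, comb(p, w))

def sublattice_params(p, w, k, m):
    """Rank d after forcing k zeros and dropping p - m equations, plus the
    rescaling weight that gives a the typical length of e (inferred formula)."""
    d = 2 * p - k - (p - m)
    lam = sqrt(2 * p / 3) / sqrt(w)
    return d, lam

if __name__ == "__main__":
    # sntrup761-sized numbers from the slides (w = 286 is an assumption here)
    print("Pr[a in sublattice] =", float(p_single(761, 286, 13)))
    print("naive total over 761 rotations =", float(p_naive(761, 286, 13)))
    print("d, lambda =", sublattice_params(761, 286, 13, 600))
    # toy ring: same k, different position choices, different exact totals
    print("naive       :", float(p_naive(7, 3, 3)))
    print("consecutive :", p_exact(7, 3, [0, 1, 2]))
    print("spread      :", p_exact(7, 3, [0, 1, 3]))
```

In the toy ring the naive estimate is about 0.572, while the exact totals are 3/5 for consecutive positions and 4/5 for positions {0, 1, 3}.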
12
Cost-analysis challenges
Huge space of attack lattices. For each of these lattices, try to figure out cost of (e.g.) BKZ-$\beta$ and chance it finds short vector.
Accurate experiments are slow. Need accurate fast estimates!
Efforts to simplify are error-prone; e.g. “conservative lower bound” $(3/2)^{\beta/2}$ on (pre-q) cost is broken for all sufficiently large sizes.
Hybrid attacks (2008 Howgrave-Graham, ..., 2018 Wunderer): often faster; different analysis.