Lattice-based cryptography: Episode V: the ring strikes back
Daniel J. Bernstein, University of Illinois at Chicago

Pages 1–2
Crypto 1999 Nguyen: “At Crypto ’97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the closest vector problem in a lattice, which is known to be NP-hard. We show that ... the problem of decrypting ciphertexts can be reduced to a special closest vector problem which is much easier than the general problem. As an application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical.”
Page 3
Fix would “probably need dimension ≥ 400” for security: “Public key ≈ 1.8 Mbytes”.

Crypto 1998 Nguyen–Stern: “Provably secure” Ajtai–Dwork system breakable with 20MB keys.

Compare to 1978 McEliece code-based cryptosystem: much more stable security story through dozens of attack papers. Typical parameters: 1MB key for >2^128 post-quantum security.
Page 4
2017.05: Lattice student adds the following text to Wikipedia page “Lattice-based cryptography”: “Lattice-based constructions are currently the primary candidates for post-quantum cryptography.” — [citation needed]

2016.07: Google rolls out large-scale experiment with post-quantum crypto between Chrome and some Google sites. Uses lattice-based crypto.
Page 5
Google sent only a few KB for public keys, ciphertexts. How can lattice-based crypto work within a few KB? Combine two ingredients:

1. Do not take key sizes large enough for theorems to connect to “well-studied” SVP. See, e.g., 2016 Chatterjee–Koblitz–Menezes–Sarkar.

2. Use ideal lattices. Hope that the extra structure doesn’t damage security.

Page 6
1996–1998 Hoffstein–Pipher–Silverman “NTRU”: Define R as the ring Z[x]/(x^503 − 1). Elements of R are polynomials c0 + c1 x + c2 x^2 + ··· + c502 x^502 with integer coefficients cj.

To multiply in R: multiply polynomials; replace x^503 with 1; replace x^504 with x; etc.

e.g.: (x^100 + x^300)(x^200 + 7x^400) = x^300 + 8x^500 + 7x^700 = 7x^197 + x^300 + 8x^500 in R.
Page 7
Define q = 2048. Alice’s public key: A ∈ R with coefficients in {0, 1, ..., q − 1}. This is 503 · 11 = 5533 bits.

Bob generates random b, c ∈ R with small coefficients: e.g., all coefficients in {−1, 0, 1}.

Bob computes Ab + c mod q: multiply A by b in R; add c; reduce each coefficient modulo q to the range {0, 1, ..., q − 1}.

Bob sends Ab + c mod q. This is also 5533 bits.
Page 8
“Quotient NTRU” (new name), used in original NTRU design: Alice generated A = 3a/d in R/q for small random a, d (with suitable invertibility): i.e., dA − 3a mod q = 0.

Alice receives C = Ab + c mod q. Alice computes dC mod q, i.e., 3ab + dc mod q.

Alice reconstructs 3ab + dc, using smallness of a, b, d, c. Alice computes dc, deduces c, deduces b.
Page 9
“Product NTRU” (new name), 2010 Lyubashevsky–Peikert–Regev: Everyone knows random G ∈ R. Alice generated A = aG + d mod q for small random a, d.

Bob sends B = Gb + e mod q and C = m + Ab + c mod q where b, c, e are small and each coefficient of m is 0 or q/2.

Alice computes C − aB mod q, i.e., m + db + c − ae mod q. Alice reconstructs m, using smallness of d, b, c, a, e.
Page 10
Lattice view: Define L as the set of pairs (v, w) ∈ R × R such that vG − w mod q = 0. e.g. (a, A − d) ∈ L. (0, A) is close to a lattice point.

Try to find close lattice point. Breaks both Product NTRU and Quotient NTRU.

Try to exploit reuse of b for faster Product NTRU attack. (“Ring-LWE”: arbitrary reuse.)

Try to exploit A = 3a/d structure for faster Quotient NTRU attack.
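The ring arithmetic of page 6, the Product NTRU exchange of page 9 and the lattice membership test of page 10, worked through in Python as an added example; this is not code from the slides or from any NTRU implementation. Assumptions not on the slides: G is sampled uniformly from R/q, the small elements a, b, c, d, e are sampled with coefficients in {−1, 0, 1}, a seeded RNG stands in for real randomness, and Alice recovers each bit by checking whether the centered coefficient of C − aB exceeds q/4 in magnitude.

```python
import random

N = 503    # ring dimension: R = Z[x]/(x^N - 1), as on the slides
Q = 2048   # coefficient modulus q, as on the slides


def ring_mul(f, g, n=N):
    """Multiply f*g in Z[x]/(x^n - 1).  Polynomials are coefficient lists of
    length n; x^(i+j) with i+j >= n wraps to x^((i+j) mod n), which is the
    slides' rule 'replace x^503 with 1, x^504 with x, etc.'."""
    h = [0] * n
    for i, fi in enumerate(f):
        if fi == 0:
            continue
        for j, gj in enumerate(g):
            if gj:
                h[(i + j) % n] += fi * gj
    return h

def ring_add(f, g):
    return [x + y for x, y in zip(f, g)]

def ring_sub(f, g):
    return [x - y for x, y in zip(f, g)]

def mod_q(f, q=Q):
    """Reduce every coefficient into {0, 1, ..., q-1}."""
    return [x % q for x in f]

def centered(x, q=Q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def poly_from_terms(terms, n=N):
    """Coefficient list from {exponent: coefficient}."""
    f = [0] * n
    for e, c in terms.items():
        f[e] = c
    return f

def nonzero_terms(f):
    return {e: c for e, c in enumerate(f) if c}

def slide_example():
    """(x^100 + x^300)(x^200 + 7x^400) in R; the slides give 7x^197 + x^300 + 8x^500."""
    f = poly_from_terms({100: 1, 300: 1})
    g = poly_from_terms({200: 1, 400: 7})
    return nonzero_terms(ring_mul(f, g))

def small_poly(rng, n=N):
    """Random element of R with every coefficient in {-1, 0, 1} (assumed sampling)."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]

def keygen(rng, G):
    """Alice (Product NTRU): A = aG + d mod q for small random a, d."""
    a, d = small_poly(rng), small_poly(rng)
    A = mod_q(ring_add(ring_mul(a, G), d))
    return a, d, A

def encrypt(rng, G, A, bits):
    """Bob: B = Gb + e mod q and C = m + Ab + c mod q, each m_i in {0, q/2}."""
    b, c, e = small_poly(rng), small_poly(rng), small_poly(rng)
    m = [(Q // 2) * bit for bit in bits]
    B = mod_q(ring_add(ring_mul(G, b), e))
    C = mod_q(ring_add(m, ring_add(ring_mul(A, b), c)))
    return B, C

def decrypt(a, B, C):
    """Alice: C - aB mod q = m + (db + c - ae) mod q.  The noise db + c - ae is
    small, so a centered coefficient of magnitude > q/4 means the bit was 1."""
    v = mod_q(ring_sub(C, ring_mul(a, B)))
    return [1 if abs(centered(x)) > Q // 4 else 0 for x in v]

def in_lattice(v, w, G):
    """Lattice view from the slides: (v, w) is in L iff vG - w = 0 mod q."""
    return all(x == 0 for x in mod_q(ring_sub(ring_mul(v, G), w)))

def product_ntru_roundtrip(seed=1):
    """One full exchange on constructed (seeded) random data; returns the checks."""
    rng = random.Random(seed)
    G = [rng.randrange(Q) for _ in range(N)]          # public random G in R/q
    a, d, A = keygen(rng, G)
    bits = [rng.randrange(2) for _ in range(N)]       # 503 message bits
    B, C = encrypt(rng, G, A, bits)
    m = [(Q // 2) * bit for bit in bits]
    noise = mod_q(ring_sub(ring_sub(C, ring_mul(a, B)), m))   # db + c - ae mod q
    return {
        "decrypt_ok": decrypt(a, B, C) == bits,
        "max_noise": max(abs(centered(x)) for x in noise),   # must stay below q/4
        "key_in_lattice": in_lattice(a, ring_sub(A, d), G),  # (a, A - d) is in L
    }
```

The `max_noise` value shows the decryption margin: with ternary coefficients it stays far below q/4 = 512, which is why rounding recovers m.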
SLIDE 47 9
duct NTRU” (new name), Lyubashevsky–Peikert–Regev:
generated A = aG+d mod q small random a; d. sends B = Gb + e mod q = m + Ab + c mod q b; c; e are small and each efficient of m is 0 or q=2. computes C − aB mod q, + db + c − ae mod q. reconstructs m, smallness of d; b; c; a; e.
SLIDE 50
11
2013 Lyubashevsky–Peikert–Regev: “All of the algebraic and algorithmic tools (including quantum computation) that we employ … can also be brought to bear against SVP and other problems on ideal lattices. Yet despite considerable effort, no significant progress in attacking these problems has been made. The best-known algorithms for ideal lattices perform essentially no better than their generic counterparts, both in theory and in practice.”
SLIDE 54
12
Many more NTRU variants (often not crediting NTRU). Fully homomorphic encryption: STOC 2009 Gentry “Fully homomorphic encryption using ideal lattices”. PKC 2010 Smart–Vercauteren. Eurocrypt 2011 Gentry–Halevi. etc. Multilinear maps: e.g., Eurocrypt 2013 Garg–Gentry–Halevi “Candidate multilinear maps from ideal lattices”.
SLIDE 60
13
STOC 2009 Gentry system is broken by quantum algorithms for typical “cyclotomic rings”. First stage in attack: SODA 2016 Biasse–Song fast quantum algorithm to compute gR → ug with u ∈ R∗. Builds upon STOC 2014 Eisenträger–Hallgren–Kitaev–Song quantum R → R∗ algorithm. Older pre-quantum algorithms take subexponential time.
SLIDE 66
14
Second stage of attack: 2014.10 Campbell–Groves–Shepherd fast pre-quantum algorithm for typical cyclotomic ring to compute ug → short g. Eurocrypt 2017 Cramer–Ducas–Wesolowski extension of CGS: for typical cyclotomic ring, find fairly short element of any ideal. These attacks exploit structure of cyclotomic rings. Rescue system by switching to another ring?
SLIDE 70
15
2014.02 Bernstein: pre-quantum attack strategy; subexponential time for many choices of ring. Eurocrypt 2017 Bauch–Bernstein–de Valence–Lange–van Vredendaal: quasipolynomial-time pre-quantum attack for “multiquadratic rings”. 2016 Bernstein–Chuengsatiansup–Lange–van Vredendaal “NTRU Prime”: use prime degree, large Galois group, inert modulus; reduce attack surface at low cost.