recovering short generators of principal ideals in
play

Recovering Short Generators of Principal Ideals in Cyclotomic Rings - PowerPoint PPT Presentation

Mar 08, 2024 •161 likes •770 views

Recovering Short Generators of Principal Ideals in Cyclotomic Rings L eo Ducas CWI, Amsterdam, The Netherlands Joint work with Ronald Cramer Chris Peikert Oded Regev Conference on Mathematics of Cryptography, August 2015, UC Irvine 1 1

  1. Recovering Short Generators of Principal Ideals in Cyclotomic Rings L´ eo Ducas CWI, Amsterdam, The Netherlands Joint work with Ronald Cramer Chris Peikert Oded Regev Conference on Mathematics of Cryptography, August 2015, UC Irvine 1 1 Slides revised on Sept. 7, 2015. L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 1 / 30

  2. Recovering Short Generators for Cryptanalysis A few cryptosystems (Fully Homomorphic Encryption [Smart and Vercauteren, 2010] and Multilinear Maps [Garg et al., 2013, Langlois et al., 2014]) share this KeyGen : sk Choose a short g in some ring R as a private key pk Give a bad Z -basis B of the ideal ( g ) as a public key (e.g. HNF). Cryptanalysis in two steps (Key Recovery Attack) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 2 / 30

  3. Recovering Short Generators for Cryptanalysis A few cryptosystems (Fully Homomorphic Encryption [Smart and Vercauteren, 2010] and Multilinear Maps [Garg et al., 2013, Langlois et al., 2014]) share this KeyGen : sk Choose a short g in some ring R as a private key pk Give a bad Z -basis B of the ideal ( g ) as a public key (e.g. HNF). Cryptanalysis in two steps (Key Recovery Attack) 1 Principal Ideal Problem (PIP) ◮ Given a Z -basis B of a principal ideal I , ◮ Recover some generator h (i.e. I = ( h )) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 2 / 30

  4. Recovering Short Generators for Cryptanalysis A few cryptosystems (Fully Homomorphic Encryption [Smart and Vercauteren, 2010] and Multilinear Maps [Garg et al., 2013, Langlois et al., 2014]) share this KeyGen : sk Choose a short g in some ring R as a private key pk Give a bad Z -basis B of the ideal ( g ) as a public key (e.g. HNF). Cryptanalysis in two steps (Key Recovery Attack) 1 Principal Ideal Problem (PIP) ◮ Given a Z -basis B of a principal ideal I , ◮ Recover some generator h (i.e. I = ( h )) 2 Short Generator Problem ◮ Given an arbitrary generator h ∈ R of I ◮ Recover g (or some g ′ equivalently short) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 2 / 30

  5. Cost of those two steps 1 Principal Ideal Problem ( PIP ) ◮ sub-exponential time (2 ˜ O ( n 2 / 3 ) ) classical algorithm [Biasse and Fieker, 2014, Biasse, 2014]. ◮ progress toward quantum polynomial time algorithm [Eisentr¨ ager et al., 2014, Biasse and Song, 2015b, Campbell et al., 2014, Biasse and Song, 2015a]. 2 Short Generator Problem ◮ equivalent to the CVP in the log-unit lattice ◮ becomes a BDD problem in the crypto cases. ◮ claimed to be easy [Campbell et al., 2014] in the cyclotomic case m = 2 k ◮ confirmed by experiments [Schank, 2015] This Work [Cramer et al., 2015] 2 , and prove it can be solved in classical polynomial We focus on step time for the aforementioned cryptanalytic instances, when the ring R is the ring of integers of the cyclotomic number field K = Q ( ζ m ) for m = p k . L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 3 / 30

  6. Overview Introduction 1 Preliminary 2 Geometry of Cyclotomic Units 3 Shortness of Log g 4 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 4 / 30

  7. The Logarithmic Embedding Let K be a number field of degree n , σ 1 . . . σ n : K �→ C be its embeddings, and let R be its ring of integers. The logarithmic Embedding is defined as Log : K → R n x �→ (log | σ 1 ( x ) | , . . . , log | σ n ( x ) | ) It induces ◮ a group morphism from ( K \ { 0 } , · ) to ( R n , +) ◮ a monoid morphism from ( R \ { 0 } , · ) to ( R n , +) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 5 / 30

  8. The Unit Group Let R × denotes the multiplicative group of units of R . Let Λ = Log R × . By Dirichlet Unit Theorem ◮ the kernel of Log is the cyclic group T of roots of unity of R ◮ Λ ⊂ R n is an lattice of rank r + c − 1 (where K has r real embeddings and 2 c complex embeddings) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 6 / 30

  9. The Unit Group Let R × denotes the multiplicative group of units of R . Let Λ = Log R × . By Dirichlet Unit Theorem ◮ the kernel of Log is the cyclic group T of roots of unity of R ◮ Λ ⊂ R n is an lattice of rank r + c − 1 (where K has r real embeddings and 2 c complex embeddings) Reduction to CVP Elements g , h ∈ R generate the same ideal if and only if h = g · u for some unit u ∈ R × . In particular Log g ∈ Log h + Λ . and g is the “smallest” generator iff Log u ∈ Λ is a vector “closest” to Log h . L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 6 / 30

  10. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 2 1 1 0 1 p 1 + 2 − 1 p 2 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  11. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 2 1 1 0 1 p 1 + 2 − 1 p 2 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  12. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 ◮ component-wise multiplication 2 1 1 0 1 p 1 + 2 − 1 p 2 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  13. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 ◮ component-wise multiplication 2 1 1 ◮ Symmetries induced by ◮ mult. by − 1 0 1 p √ √ 1 + 2 ◮ conjugation 2 �→ − 2 − 1 p 2 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  14. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 ◮ component-wise multiplication 2 1 1 ◮ Symmetries induced by ◮ mult. by − 1 0 1 p √ √ 1 + 2 ◮ conjugation 2 �→ − 2 − 1 p 2 � “Orthogonal” elements � Units (algebraic norm 1) � “Isonorms” curves L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  15. √ Example: Logarithmic Embedding Log Z [ 2] ( {•} , +) is a sub-monoid of R 2 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 8 / 30

  16. √ Example: Logarithmic Embedding Log Z [ 2] Λ =( {•} , +) ∩ � is a lattice of R 2 , orthogonal to (1 , 1) 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 8 / 30

  17. √ Example: Logarithmic Embedding Log Z [ 2] {•} ∩ � are shifted finite copies of Λ 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 8 / 30

  18. √ Example: Logarithmic Embedding Log Z [ 2] √ Some {•} ∩ � may be empty (e.g. no elements of Norm 3 in Z [ 2]) 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 8 / 30

  19. √ 2] × Reduction modulo Λ = Log Z [ The reduction modΛ for various fundamental domains. 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 9 / 30

  20. √ 2] × Reduction modulo Λ = Log Z [ The reduction modΛ for various fundamental domains. 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 9 / 30

  21. √ 2] × Reduction modulo Λ = Log Z [ The reduction modΛ for various fundamental domains. 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 9 / 30

  22. √ 2] × Reduction modulo Λ = Log Z [ The reduction modΛ for various fundamental domains. 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 9 / 30

  23. Decoding with the RoundOff algorithm The simplest algorithm [Babai, 1986] to reduce modulo a lattice RoundOff ( B , t ), B a Z -basis of Λ v = B · ⌊ ( B ∨ ) ⊤ · t ⌉ e = t − v return ( t , e ) where t ∈ B Used as a d ecoding algorithm, its correctness is characterized by the error e and the dual basis B ∨ . Fact(Correctness of RoundOff ) j , e � ∈ [ − 1 2 , 1 let t = v + e for some v ∈ Λ. If � b ∨ 2 ) for all j , then RoundOff ( B , t ) = ( v , e ) . L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 10 / 30

  24. RoundOff in pictures t t RoundOff algorithm : L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 11 / 30

  25. RoundOff in pictures t ′ × ( B ∨ ) t t t − → RoundOff algorithm : 1 use basis B to switch to the lattice Z n ( × ( B ∨ ) t ) t ′ = ( B ∨ ) t · t ; L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 11 / 30

  26. RoundOff in pictures t ′ × ( B ∨ ) t t t v ′ − → RoundOff algorithm : 1 use basis B to switch to the lattice Z n ( × ( B ∨ ) t ) 2 Round each coordinate t ′ = ( B ∨ ) t · t ; v ′ = ⌊ t ′ ⌉ ; L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 11 / 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, L eo Ducas,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, L eo Ducas,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, L eo Ducas, Chris Peikert , Oded Regev 9 July 2015 Simons Institute Workshop on Math of Modern Crypto 1 / 15 Short Generators of Ideals in Cryptography A

688 views • 43 slides
Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor p q

Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor p q

Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor p q Patrick Holzer, Thomas Wunderer, Johannes Buchmann Recovering Short Generators | Thomas Wunderer | 1 Contents Introduction Preliminaries Algorithmic

488 views • 30 slides
Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert

Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert

Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert University of Michigan and Georgia Tech 2 September 2015 Math of Crypto @ UC Irvine 1 / 7 Where We Left Off Short Generator of a Principal Ideal

418 views • 23 slides
Recovering Short Generators of Principal Ideals in Cyclotomic Rings L eo Ducas CWI,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings L eo Ducas CWI,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings L eo Ducas CWI, Amsterdam, The Netherlands Joint work with Ronald Cramer Chris Peikert Oded Regev Presented at ICERM, Brown University, April 2015 L eo Ducas (CWI,

765 views • 58 slides
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer L eo Ducas

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer L eo Ducas

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer L eo Ducas Chris Peikert Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of Michigan, USA New-York University,

699 views • 34 slides
Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal

Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal

Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de Valence & Tanja Lange

461 views • 44 slides
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein

Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein

Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry de Valence & Tanja Lange &

553 views • 41 slides
Cormac Mc Carthy, Access Planning, EirGrid Liaison Group November 2013 EirGrid Short Circuit

Cormac Mc Carthy, Access Planning, EirGrid Liaison Group November 2013 EirGrid Short Circuit

Short Circuit Cormac Mc Carthy, Access Planning, EirGrid Liaison Group November 2013 EirGrid Short Circuit Review Can generators safely connect? Prioritise and sequence short circuit reinforcements Small generators, large lists of

622 views • 23 slides
Perfect sets and f -ideals Introduction Perfect sets and f -ideals of degree d Author Jin Guo (

Perfect sets and f -ideals Introduction Perfect sets and f -ideals of degree d Author Jin Guo (

Perfect sets and f -ideals Jin Guo Outline Perfect sets and f -ideals Introduction Perfect sets and f -ideals of degree d Author Jin Guo ( n, 2) th perfect number (This is a joint work with professor Tongsuo Wu) Structure of V ( n, 2)

2.01k views • 154 slides
Factorizations of ideals in noncommutative rings similar to factorizations of ideals in

Factorizations of ideals in noncommutative rings similar to factorizations of ideals in

Factorizations of ideals in noncommutative rings similar to factorizations of ideals in commutative Dedekind domains Alberto Facchini Universit` a di Padova Conference on Rings and Factorizations Graz, 21 February 2018 Dedekind domains

960 views • 71 slides
Recovering System Capacity Costs: Generation and Transmission Presentation to the CPUC Rates

Recovering System Capacity Costs: Generation and Transmission Presentation to the CPUC Rates

Recovering System Capacity Costs: Generation and Transmission Presentation to the CPUC Rates Forum Tom Beach Principal Consultant Crossborder Energy December 11, 2017 Noncoincident and Monthly Demand Charges Are (Mostly) a Relic of Obsolete

218 views • 5 slides
Micro Power Generators Sung Park Kelvin Yuk ECS 203 Overview Why Micro Power Generators are

Micro Power Generators Sung Park Kelvin Yuk ECS 203 Overview Why Micro Power Generators are

Micro Power Generators Sung Park Kelvin Yuk ECS 203 Overview Why Micro Power Generators are becoming important Types of Micro Power Generators Power Generators Reviewed Ambient Vibrational energy Radiant heat energy

445 views • 19 slides
Polynomial ideals associated to combinatorial objects William J. Martin Department of

Polynomial ideals associated to combinatorial objects William J. Martin Department of

Homotopy in Distance-Regular Graphs Ideals of Designs Spherical Codes Association Schemes and Duality Polynomial ideals associated to combinatorial objects William J. Martin Department of Mathematical Sciences and Department of Computer

1.1k views • 84 slides
Hort Update - Assessing and Recovering from Winter-kill of Bermudagrass in Oklahoma Dennis

Hort Update - Assessing and Recovering from Winter-kill of Bermudagrass in Oklahoma Dennis

The Short Version Feb 2014 Hort Update - Assessing and Recovering from Winter-kill of Bermudagrass in Oklahoma Dennis Martin, PhD Professor & Turfgrass Specialist Oklahoma State University The winter of 2013/2014 had extreme

855 views • 52 slides
Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William M. Hoza 1 Chris Umans 2 October 10, 2016 Dagstuhl Seminar 16411 1 University of Texas at Austin 2 California Institute of Technology ?

1.67k views • 130 slides
Documentation Generators Steven J Zeil March 3, 2013 Documentation Generators Outline

Documentation Generators Steven J Zeil March 3, 2013 Documentation Generators Outline

Documentation Generators Documentation Generators Steven J Zeil March 3, 2013 Documentation Generators Outline Source Code (API) Documentation 1 javadoc doxygen Other Tools Project Reports 2 Project Websites 3

435 views • 21 slides
Notebook The Larger Jupyter Team @jupyterlab on GitHub @ProjectJupyter on Twitter Vidar Tonaas

Notebook The Larger Jupyter Team @jupyterlab on GitHub @ProjectJupyter on Twitter Vidar Tonaas

Chris Colbert, Jupyter Steven Silvester, Quansight Afshin Darian, Jupyter Ian Rose, Berkeley Jason Grout, Bloomberg Brian Granger, Cal Poly JupyterLab: Jessica Forde, Jupyter Grant Nestor, Cal Poly The Evolution of the Jupyter Cameron

277 views • 12 slides
Academic Affairs Partners Academic in Progress Meeting: Affairs Climate March 2019 &

Academic Affairs Partners Academic in Progress Meeting: Affairs Climate March 2019 &

Academic Affairs Partners Academic in Progress Meeting: Affairs Climate March 2019 & Diversity Committee aacdc.tamu.edu 3/19/2019 1 Academic Affairs Leadership Commitment Established Academic Affairs Climate and Diversity Committee in

438 views • 14 slides
The T2K Experiment - Super-Kamiokande, Analysis and Results Pip A. Hamilton Contents 1. The

The T2K Experiment - Super-Kamiokande, Analysis and Results Pip A. Hamilton Contents 1. The

The T2K Experiment - Super-Kamiokande, Analysis and Results Pip A. Hamilton Contents 1. The Super-K Detector 2. Analysis 2.1 Particle ID 2.2 Backgrounds Backgrounds external to the beam Backgrounds within the beam 3. Results 4. Summary

568 views • 15 slides
Pipeline Research Council International, Inc. PRCI's New Technology Development Center and the

Pipeline Research Council International, Inc. PRCI's New Technology Development Center and the

Pipeline Research Council International, Inc. PRCI's New Technology Development Center and the Future of Collaborative R&D for the Pipeline Industry Steven Trevino Pipeline Research Council International Agenda 2 Who is PRCI

212 views • 20 slides
SKILLS GAP A GUIDE FOR BUILDING A WORKFORCE-READY TALENT PIPELINE IN YOUR COMMUNITY Developed by

SKILLS GAP A GUIDE FOR BUILDING A WORKFORCE-READY TALENT PIPELINE IN YOUR COMMUNITY Developed by

OVERCOMING THE MANUFACTURING SKILLS GAP A GUIDE FOR BUILDING A WORKFORCE-READY TALENT PIPELINE IN YOUR COMMUNITY Developed by the NAM Task Force on Competitiveness & the Workforce / Summer 2014 Overcoming the Manufacturing Skills Gap: A

199 views • 17 slides
Department of Housing Stability C OUNCIL D ISTRICT 4 T OWN H ALL O CTOBER 14, 2020 "No one

Department of Housing Stability C OUNCIL D ISTRICT 4 T OWN H ALL O CTOBER 14, 2020 "No one

Department of Housing Stability C OUNCIL D ISTRICT 4 T OWN H ALL O CTOBER 14, 2020 "No one is meant to be on the street. No one." -Debra Dyson, a guest at the Coliseum this summer At the end of the day, what we are driving toward

255 views • 12 slides
FROM MODELS TO AI- FROM MODELS TO AI- ENABLED SYSTEMS ENABLED SYSTEMS Christian Kaestner

FROM MODELS TO AI- FROM MODELS TO AI- ENABLED SYSTEMS ENABLED SYSTEMS Christian Kaestner

FROM MODELS TO AI- FROM MODELS TO AI- ENABLED SYSTEMS ENABLED SYSTEMS Christian Kaestner Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning Engineering." (2018), Chapters 5 (Components of Intelligent

663 views • 54 slides
The Piracy Threat Problem 1 : Unauthorized over production of IC $$ Lost revenue

The Piracy Threat Problem 1 : Unauthorized over production of IC $$ Lost revenue

The Piracy Threat Problem 1 : Unauthorized over production of IC $$ Lost revenue opportunities Synthesis, Verification & Test for Secure ICs Undesired exposure of proprietary technology Protecting Integrated Circuits Problem

94 views • 8 slides

More recommend