
High-speed cryptography, part 3: more cryptosystems

Daniel J. Bernstein
University of Illinois at Chicago & Technische Universiteit Eindhoven


Examples of RSA cryptanalysis

Schroeppel's "linear sieve", mentioned in the 1978 RSA paper, factors $pq$ into $p, q$ using $(2+o(1))^{(\lg pq)^{1/2}(\lg\lg pq)^{1/2}}$ simple operations (conjecturally).
To push this beyond $2^b$, must choose $pq$ to have at least $(0.5+o(1))\,b^2/\lg b$ bits.

1993 Buhler–Lenstra–Pomerance, generalizing 1988 Pollard: the "number-field sieve" factors $pq$ into $p, q$ using $(3.79\ldots+o(1))^{(\lg pq)^{1/3}(\lg\lg pq)^{2/3}}$ simple operations (conjecturally).
To push this beyond $2^b$, must choose $pq$ to have at least $(0.015\ldots+o(1))\,b^3/(\lg b)^2$ bits.
Subsequent improvements: $3.73\ldots$; details of the $o(1)$.
But can reasonably conjecture that $2^{(\lg pq)^{1/3+o(1)}}$ is optimal (for classical computers).

Note 1: $\lg = \log_2$.
Note 2: $o(1)$ says nothing about, e.g., $b = 128$. Today: focus on asymptotics.
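The two "must choose $pq$ to have at least ... bits" lines are obtained by inverting the cost formulas; the following is an added worked example (not from the slides) that carries that inversion out for a general cost of the form $(\mathrm{base}+o(1))^{(\lg N)^r(\lg\lg N)^{1-r}}$, with $r = 1/2$ for the linear sieve and $r = 1/3$ for the number-field sieve. It recovers the slide's constants $0.5$ and $0.015\ldots$ from the bases $2$ and $3.79\ldots$, and it also solves the $o(1)$-free equation numerically for $b = 128$; the gap between the two answers is exactly Note 2's point, and neither number is a key-size recommendation. The function and parameter names are my own.

```python
import math


def lg(x):
    """Base-2 logarithm, matching the slide's convention lg = log_2."""
    return math.log2(x)


def cost_exponent(lg_n, base, r):
    """lg of the attack cost (base + o(1))^{(lg N)^r (lg lg N)^{1-r}}, with the o(1) dropped.

    r = 1/2 is the linear sieve (base 2), r = 1/3 the number-field sieve (base 3.79...).
    Returns lg(base) * (lg N)^r * (lg lg N)^{1-r}; the cost itself is 2 to this power.
    """
    return lg(base) * lg_n ** r * lg(lg_n) ** (1 - r)


def required_bits_numeric(b, base, r, hi=2.0 ** 60):
    """Smallest (real-valued) modulus size lg N with attack cost >= 2^b, by bisection.

    cost_exponent is increasing in lg N for lg N >= 4, so bisection on [4, hi] is sound.
    """
    lo = 4.0
    if cost_exponent(hi, base, r) < b:
        raise ValueError("search interval too small for this b")
    for _ in range(200):
        mid = (lo + hi) / 2
        if cost_exponent(mid, base, r) >= b:
            hi = mid
        else:
            lo = mid
    return hi


def asymptotic_constant(base, r):
    """Leading constant c in 'lg N >= (c + o(1)) b^{1/r} / (lg b)^{(1-r)/r}'.

    Derivation: set lg(base) (lg N)^r (lg lg N)^{1-r} = b and use lg lg N ~ (1/r) lg b,
    which follows from lg N = Theta(b^{1/r} / (lg b)^{(1-r)/r}).  Solving for lg N gives
    lg N ~ b^{1/r} / (lg(base)^{1/r} * (1/r)^{(1-r)/r} * (lg b)^{(1-r)/r}).
    r = 1/2, base 2    -> 1 / (1 * 2)   = 0.5
    r = 1/3, base 3.79 -> 1 / (1.922^3 * 9) = 0.0156...
    """
    return 1.0 / (lg(base) ** (1 / r) * (1 / r) ** ((1 - r) / r))


def required_bits_asymptotic(b, base, r):
    """Leading-term estimate of the modulus size in bits; every o(1) is dropped."""
    return asymptotic_constant(base, r) * b ** (1 / r) / lg(b) ** ((1 - r) / r)


def shor_required_bits(b):
    """Shor costs (lg N)^{2+o(1)} quantum operations, so cost >= 2^b needs lg N >= 2^{b/2} bits."""
    return 2.0 ** (b / 2)


if __name__ == "__main__":
    for name, base, r in (("linear sieve", 2.0, 0.5), ("NFS", 3.79, 1 / 3)):
        print(name, "constant:", asymptotic_constant(base, r))
        print(name, "b=128, asymptotic estimate (bits):", required_bits_asymptotic(128, base, r))
        print(name, "b=128, o(1)-free numeric solution (bits):", required_bits_numeric(128, base, r))
    print("Shor, b=128 (bits):", shor_required_bits(128))
```

For $b = 128$ the leading-term formula for NFS gives a few hundred bits while the numeric inversion of the same formula gives a few thousand; the lower-order terms hidden in $o(1)$ dominate at practical sizes, which is why the slide restricts itself to asymptotics.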

Cryptographic systems surviving pre-quantum cryptanalysis:

Triple DES (for $b \le 112$),
AES-256 (for $b \le 256$),
RSA with $b^{3+o(1)}$-bit modulus,
McEliece with code length $b^{1+o(1)}$,
Merkle signatures with "strong" $b^{1+o(1)}$-bit hash,
BW with "strong" $b^{2+o(1)}$-bit discriminant,
ECDSA with "strong" $b^{1+o(1)}$-bit curve,
HFE$^{v-}$ with $b^{1+o(1)}$ polynomials,
NTRU with $b^{1+o(1)}$ bits,
et al.

Typical algorithmic tools for pre-quantum cryptanalysts: NFS, $\rho$, ISD, LLL, F4, XL, et al.

Post-quantum cryptanalysts have all the same tools plus quantum algorithms.

Spectacular example: 1994 Shor factors $pq$ into $p, q$ using $(\lg pq)^{2+o(1)}$ simple quantum operations.
To push this beyond $2^b$, must choose $pq$ to have at least $2^{(0.5+o(1))\,b}$ bits. Yikes.

Cryptographic systems surviving post-quantum cryptanalysis:

AES-256 (for $b \le 128$; the quantum square-root speedup halves the effective key length),
McEliece code-based encryption with code length $b^{1+o(1)}$,
Merkle hash-based signatures with "strong" $b^{1+o(1)}$-bit hash,
HFE$^{v-}$ MQ signatures with $b^{1+o(1)}$ polynomials,
NTRU lattice-based encryption with $b^{1+o(1)}$ bits,
et al.

3. Efficient systems

Fundamental question for designers and implementors of cryptographic algorithms: Exactly how efficient are the unbroken cryptosystems?
Many goals: minimize encryption time, size, decryption time, etc.

Pre-quantum example: RSA encrypts and verifies in $b^{3+o(1)}$ simple operations. Signature occupies $b^{3+o(1)}$ bits.

ECC (with strong curve/$\mathbb{F}_q$, reasonable padding, etc.):

ECDL costs $2^{(1/2+o(1))\lg q}$ by Pollard's rho method.
Conjecture: this is the optimal attack against ECC.
Can take $\lg q \in (2+o(1))\,b$.

Encryption: Fast scalar mult costs $(\lg q)^{2+o(1)} = b^{2+o(1)}$.

Summary: ECC costs $b^{2+o(1)}$. Asymptotically faster than RSA.
Bonus: also $b^{2+o(1)}$ decryption.
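The $2^{(1/2+o(1))\lg q}$ figure is the cost of a generic square-root attack, of which Pollard's rho method is the standard instance. The following is an added example (not from the slides) of the rho walk with Floyd cycle-finding. To keep it short it runs in a prime-order subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$ rather than on an elliptic curve; the method is generic, so the same code applies to a curve group once the three group operations are swapped. The group parameters, the three-way partition on the element's residue mod 3, and all names are constructed assumptions of mine.

```python
import math
import random


def pollard_rho_dlog(g, h, p, n, seed=0):
    """Solve g^x = h (mod p) for x, where g generates a subgroup of prime order n in (Z/pZ)^*.

    Generic rho walk with Floyd cycle-finding: about sqrt(n) group operations, i.e. the
    2^{(1/2+o(1)) lg n} cost the slide quotes for ECDL.  The walk uses the classic three-way
    split on the element's residue mod 3 (a constructed choice; any pseudorandom partition
    of the group works).  Returns (x, number_of_walk_steps).
    """
    rng = random.Random(seed)

    def step(x, a, b):
        # Invariant: x = g^a * h^b.  Each branch preserves it.
        s = x % 3
        if s == 0:
            return (x * x) % p, (2 * a) % n, (2 * b) % n
        if s == 1:
            return (x * g) % p, (a + 1) % n, b
        return (x * h) % p, a, (b + 1) % n

    while True:
        a0, b0 = rng.randrange(n), rng.randrange(n)
        x0 = (pow(g, a0, p) * pow(h, b0, p)) % p
        tort = (x0, a0, b0)
        hare = (x0, a0, b0)
        steps = 0
        while True:
            tort = step(*tort)              # one step
            hare = step(*step(*hare))       # two steps
            steps += 1
            if tort[0] == hare[0]:
                break
        # g^a1 h^b1 = g^a2 h^b2  =>  g^(a1-a2) = h^(b2-b1)  =>  x = (a1-a2)/(b2-b1) mod n
        _, a1, b1 = tort
        _, a2, b2 = hare
        db = (b2 - b1) % n
        if db == 0:
            continue  # useless collision (b1 == b2); restart from a fresh random point
        x = ((a1 - a2) * pow(db, -1, n)) % n
        return x, steps


# Constructed toy group: p = 1019 is prime, p - 1 = 2 * 509 with 509 prime,
# and g = 4 = 2^2 generates the subgroup of prime order 509.
P, G, N = 1019, 4, 509


def demo(secret=321):
    """Hide `secret` as h = g^secret and recover it with the rho walk."""
    h = pow(G, secret, P)
    x, steps = pollard_rho_dlog(G, h, P, N)
    return x, steps


if __name__ == "__main__":
    x, steps = demo()
    print("log_4 of %d mod %d is %d, found after %d rho steps (sqrt(%d) ~ %.1f)"
          % (pow(G, 321, P), P, x, steps, N, math.sqrt(N)))
```

The step count grows with $\sqrt{n}$, not with $\lg n$ as for a generic index-calculus or sieving attack, which is why a "strong" curve can take $\lg q \in (2+o(1))\,b$ while an RSA modulus needs $b^{3+o(1)}$ bits.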

Efficiency is important: users have cost constraints.

Cryptographers, cryptanalysts, implementors, etc. tend to focus on RSA and ECC, citing these cost constraints.
But Shor breaks RSA and ECC!

We think that the most efficient unbroken post-quantum systems will be hash-based signatures, code-based encryption, lattice-based encryption, multivariate-quadratic sigs.

1978 McEliece system (with length-$n$ classical Goppa codes, reasonable padding, etc.):

Conjecture: Fastest attacks cost $2^{(\beta+o(1))\,n/\lg n}$ (the constant is written $\beta$ here). Quantum attacks: smaller $\beta$.
Can take $n \in (1/\beta+o(1))\,b\lg b$.

Encryption: Matrix mult costs $n^{2+o(1)} = b^{2+o(1)}$.

Summary: McEliece costs $b^{2+o(1)}$.
Hmmm: is this faster than ECC? Need more detailed analysis.

ECC encryption: $\Theta(\lg q)$ operations in $\mathbb{F}_q$. Each operation in $\mathbb{F}_q$ costs $\Theta(\lg q\,\lg\lg q\,\lg\lg\lg q)$. Total $\Theta(b^2\lg b\lg\lg b)$.

McEliece encryption, with 1986 Niederreiter speedup: $\Theta(n/\lg n)$ additions in $\mathbb{F}_2^n$, each costing $\Theta(n)$. Total $\Theta(b^2\lg b)$ (with $n = \Theta(b\lg b)$, $n^2/\lg n = \Theta(b^2\lg b)$).

McEliece is asymptotically faster.
Bonus: Even faster decryption.
Another bonus: Post-quantum.

Algorithmic advances can change the competition. Examples:

1. Speed up ECC: can reduce $\lg\lg b$ using 2007 Fürer; maybe someday eliminate $\lg\lg b$?

2. Faster attacks on McEliece: 2010 Bernstein–Lange–Peters, 2011 May–Meurer–Thomae, 2012 Becker–Joux–May–Meurer ... but still $\Theta(b^2\lg b)$.

3. We're optimizing "subfield AG" variant of McEliece. Conjecture: Fastest attacks cost $2^{(\alpha+o(1))\,n}$; encryption $\Theta(b^2)$.

  45–48. Code-based encryption. Modern version of McEliece: receiver's public key is a "random" $t\lg n \times n$ matrix $K$ over $\mathbf{F}_2$. Specifies a linear map $\mathbf{F}_2^n \to \mathbf{F}_2^{t\lg n}$. Typically $t\lg n \approx 0.2n$; e.g., $n = 2048$, $t = 40$. Messages suitable for encryption: $m \in \mathbf{F}_2^n$ with $\#\{i : m_i = 1\} = t$. Encryption of $m$ is $Km \in \mathbf{F}_2^{t\lg n}$. Use hash of $m$ as secret AES-GCM key to encrypt more data.

  49–52. Attacker, by linear algebra, easily works backwards from $Km$ to some $v \in \mathbf{F}_2^n$ such that $Kv = Km$; i.e., attacker finds some element $v \in m + \operatorname{Ker} K$. Note that $\#\operatorname{Ker} K \ge 2^{\,n - t\lg n}$. Attacker wants to decode $v$: to find an element of $\operatorname{Ker} K$ at distance only $t$ from $v$. Presumably unique, revealing $m$. But decoding isn't easy! Receiver builds $K$ with secret Goppa structure for fast decoding.
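The linear-algebra step of slides 49–52, as an added example (not code from the slides or from the speaker's software). It uses a constructed toy "random" $K$ with $n = 64$, $t = 2$ (so $t\lg n = 12$ rows, the slide's $0.2n$ ratio), a seeded pseudo-random generator so the run is reproducible, and a message with ones at positions 5 and 40; none of these are secure parameters. The attacker obtains some $v$ with $Kv = Km$ immediately; the weight-$t$ word is still hidden among $\binom{n}{t}$ candidates, which is the problem the Goppa structure solves for the receiver only.

```python
import random
from itertools import combinations

# Constructed toy parameters in the slide's ratio t lg n ~ 0.2 n: n = 64, t = 2, so t lg n = 12.
# (The slide's real sizes are n = 2048, t = 40; nothing here is secure.)
N, T = 64, 2
LG_N = N.bit_length() - 1            # lg n = 6
ROWS = T * LG_N                      # t lg n = 12

def random_public_key(seed=2024):
    """A "random" t lg n x n matrix K over F_2; each row is an int whose bit i is column i."""
    rng = random.Random(seed)        # seeded so the example is reproducible
    return [rng.getrandbits(N) for _ in range(ROWS)]

def weight_t_message(positions):
    """m in F_2^n with exactly t ones, at the given bit positions."""
    assert len(set(positions)) == T
    return sum(1 << i for i in positions)

def encrypt(K, m):
    """K m over F_2: bit j of the result is the parity of (row j AND m)."""
    return sum((bin(row & m).count("1") & 1) << j for j, row in enumerate(K))

def rref(rows):
    """Row reduction over F_2 on columns 0..n-1 (higher bits ride along as an augmented column).
    Returns (nonzero reduced rows, their pivot columns)."""
    rows, pivots = rows[:], []
    for col in range(N):
        r = len(pivots)
        piv = next((i for i in range(r, len(rows)) if rows[i] >> col & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        rows = [x ^ rows[r] if i != r and x >> col & 1 else x for i, x in enumerate(rows)]
        pivots.append(col)
    return rows[:len(pivots)], pivots

def attacker_preimage(K, ct):
    """Linear algebra only: solve K v = ct from the augmented matrix [K | ct] with the free
    coordinates set to 0. The result is some element of m + Ker K, not (in general) m itself."""
    rows, pivots = rref([row | ((ct >> j & 1) << N) for j, row in enumerate(K)])
    return sum(1 << col for row, col in zip(rows, pivots) if row >> N & 1)

def kernel_dimension(K):
    """dim Ker K = n - rank K >= n - t lg n, i.e. #Ker K >= 2^(n - t lg n) as on the slide."""
    return N - len(rref(K)[1])

def decode_brute_force(K, ct):
    """What the attacker actually needs: the weight-t words with syndrome ct. Trying all C(n, t)
    of them is fine for C(64, 2) = 2016 but hopeless for C(2048, 40). With a random K at this toy
    size the answer is not even guaranteed unique; at the slide's sizes C(2048, 40) << 2^440."""
    return [w for w in (sum(1 << i for i in c) for c in combinations(range(N), T))
            if encrypt(K, w) == ct]
```

`attacker_preimage` is the whole of what a public $K$ gives away: the set $m + \operatorname{Ker} K$. Everything after that is a decoding problem, which is why the slide's receiver has to build $K$ from a code with a secret efficient decoder.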

  53–56. Goppa codes. Fix $q \in \{8, 16, 32, \ldots\}$; $t \in \{2, 3, \ldots, \lfloor (q-1)/\lg q \rfloor\}$; $n \in \{t\lg q + 1,\ t\lg q + 2,\ \ldots,\ q\}$. E.g. $q = 1024$, $t = 50$, $n = 1024$; or $q = 4096$, $t = 150$, $n = 3600$. Receiver builds a matrix $H$ as the parity-check matrix for the classical (genus-0) irreducible length-$n$ degree-$t$ binary Goppa code defined by a monic degree-$t$ irreducible polynomial $g \in \mathbf{F}_q[x]$ and distinct $a_1, a_2, \ldots, a_n \in \mathbf{F}_q$.

  57–60. ... which means:
  $$H = \begin{pmatrix} \dfrac{1}{g(a_1)} & \cdots & \dfrac{1}{g(a_n)} \\[6pt] \dfrac{a_1}{g(a_1)} & \cdots & \dfrac{a_n}{g(a_n)} \\ \vdots & \ddots & \vdots \\ \dfrac{a_1^{t-1}}{g(a_1)} & \cdots & \dfrac{a_n^{t-1}}{g(a_n)} \end{pmatrix}.$$
  View each element of $\mathbf{F}_q$ here as a column in $\mathbf{F}_2^{\lg q}$. Then $H : \mathbf{F}_2^n \to \mathbf{F}_2^{t\lg q}$.

  61–64. More useful view: consider the map $m \mapsto \sum_i m_i/(x - a_i)$ from $\mathbf{F}_2^n$ to $\mathbf{F}_q[x]/g$. $H$ is the matrix for this map where $\mathbf{F}_2^n$ has the standard basis and $\mathbf{F}_q[x]/g$ has basis $\lfloor g/x \rfloor, \lfloor g/x^2 \rfloor, \ldots, \lfloor g/x^t \rfloor$. One-line proof: in $\mathbf{F}_q[x]$ have
  $$\frac{g - g(a_i)}{x - a_i} = \sum_{j \ge 0} \left\lfloor \frac{g}{x^{j+1}} \right\rfloor a_i^{\,j}.$$
  Receiver generates key $K$ as row reduction of $H$, revealing only $\operatorname{Ker} H$.
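An added example, not from the slides: it builds the Goppa parity-check matrix $H$ of slides 57–60 for a constructed toy code and checks the one-line proof of slides 61–64 numerically. The parameters are illustration values, not the slides' $q = 1024$, $t = 50$: $q = 16$ (so $\mathbf{F}_{16} = \mathbf{F}_2[z]/(z^4+z+1)$), $t = 3$, $n = 16$ with the support being all of $\mathbf{F}_{16}$, and $g = x^3 + x + 1$, which has no root in $\mathbf{F}_{16}$ (its roots generate $\mathbf{F}_8$). The inverse $1/(x - a_i)$ in $\mathbf{F}_q[x]/g$ is computed by Fermat exponentiation in that field, so the check does not assume the identity it verifies. The last function confirms the decoding property slide 52 relies on: every weight-$t$ word has a distinct syndrome.

```python
from itertools import combinations

# Constructed toy parameters (nothing here is secure): q = 16, t = 3, n = 16.
M, T = 4, 3                   # lg q and deg g; t <= floor((q - 1)/lg q) = 3 as the slide requires
Q = N = 1 << M                # q = 16; n = q, so every element of F_q is a support point
FIELD_POLY = 0b10011          # F_16 = F_2[z]/(z^4 + z + 1); elements are ints 0..15
G = [1, 1, 0, 1]              # g(x) = 1 + x + x^3, low degree first, monic
SUPPORT = list(range(Q))      # a_1, ..., a_n

def gf_mul(a, b):
    """Multiply in F_16: carry-less product, reduced by z^4 + z + 1 as bits shift out."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (FIELD_POLY if a & (Q >> 1) else 0), b >> 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r

def poly_eval(p, x):
    r = 0
    for c in reversed(p):
        r = gf_mul(r, x) ^ c
    return r

def poly_mul(p, s):
    r = [0] * (len(p) + len(s) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(s):
            r[i + j] ^= gf_mul(a, b)
    return r

def poly_mod_g(p):
    """Reduce modulo the monic g; always return exactly T coefficients."""
    p = p + [0] * (T - len(p))
    for i in range(len(p) - 1, T - 1, -1):
        c = p[i]
        for j in range(T + 1):
            p[i - T + j] ^= gf_mul(c, G[j])
    return p[:T]

def poly_inv_mod_g(p):
    """1/p in the field F_q[x]/g as p^(q^t - 2): deliberately independent of the slide's identity."""
    r, e = [1] + [0] * (T - 1), Q ** T - 2
    while e:
        r, p, e = (poly_mod_g(poly_mul(r, p)) if e & 1 else r), poly_mod_g(poly_mul(p, p)), e >> 1
    return r

def g_is_irreducible():
    """No root in F_q; a sufficient test only because deg g <= 3."""
    return all(poly_eval(G, a) for a in range(Q))

def goppa_H():
    """The slide's t x n matrix over F_q: H[j][i] = a_i^j / g(a_i), with 1/y = y^(q-2)."""
    return [[gf_mul(gf_pow(a, j), gf_pow(poly_eval(G, a), Q - 2)) for a in SUPPORT] for j in range(T)]

def syndrome_poly(msg):
    """sum_i m_i/(x - a_i) in F_q[x]/g, power basis; msg is an int with bit i = m_i."""
    s = [0] * T
    for i in range(N):
        if msg >> i & 1:
            s = [u ^ v for u, v in zip(s, poly_inv_mod_g([SUPPORT[i], 1]))]   # x - a_i = x + a_i
    return s

def H_times_in_power_basis(msg):
    """H m gives coordinates on floor(g/x^(j+1)), j = 0..t-1; rewrite them in the power basis."""
    s = [0] * T
    for j, row in enumerate(goppa_H()):
        c = 0
        for i in range(N):
            if msg >> i & 1:
                c ^= row[i]
        for k in range(T - j):     # floor(g/x^(j+1)) = g_{j+1} + g_{j+2} x + ... + g_t x^(t-1-j)
            s[k] ^= gf_mul(c, G[j + 1 + k])
    return s

def binary_H():
    """View each F_q entry as a column of lg q bits: t lg q rows over F_2, bit i = column i."""
    H = goppa_H()
    return [sum((H[j][i] >> k & 1) << i for i in range(N)) for j in range(T) for k in range(M)]

def syndrome_bits(H2, msg):
    """H m over F_2: bit r of the result is the parity of (row r AND m)."""
    return sum((bin(row & msg).count("1") & 1) << r for r, row in enumerate(H2))

def weight_t_syndromes_are_distinct():
    """Every weight-t word gets its own syndrome, so decoding t errors is well defined
    (a binary Goppa code with squarefree g has minimum distance >= 2t + 1)."""
    H2 = binary_H()
    words = [sum(1 << i for i in c) for c in combinations(range(N), T)]
    return len({syndrome_bits(H2, w) for w in words}) == len(words)
```

The identity is what separates receiver from attacker: $K = \operatorname{rref}(H)$ leaks only $\operatorname{Ker} H$, while turning a syndrome back into $\sum_i m_i/(x - a_i)$ needs the basis $\lfloor g/x^{j+1} \rfloor$, i.e. $g$ and the $a_i$, which stay secret.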

  65–68. Lattice-based encryption. 1998 Hoffstein–Pipher–Silverman NTRU (textbook version, without required padding): receiver's public key is a "random" $h \in ((\mathbf{Z}/q)[x]/(x^p - 1))^*$. Ciphertext: $m + rh$ given $m, r \in (\mathbf{Z}/q)[x]/(x^p - 1)$; all coefficients in $\{-1, 0, 1\}$; $\#\{i : r_i = -1\} = \#\{i : r_i = 1\} = t$. $p$: prime; e.g., $p = 613$. $q$: power of 2 around $8p$, with order $\ge (p-1)/2$ in $(\mathbf{Z}/p)^*$. $t$: roughly $0.1p$.

  69–72. Receiver built $h = 3g/(1 + 3f)$ where $f, g \in (\mathbf{Z}/q)[x]/(x^p - 1)$, all coefficients in $\{-1, 0, 1\}$, $\#\{i : f_i = -1\} = \#\{i : f_i = 1\} = t$, $\#\{i : g_i = -1\} \approx \#\{i : g_i = 1\} \approx p/3$, both $1 + 3f$ and $g$ invertible. Given ciphertext $c = m + rh$, receiver computes $(1 + 3f)c = (1 + 3f)m + 3rg$ in $(\mathbf{Z}/q)[x]/(x^p - 1)$, lifts to $\mathbf{Z}[x]/(x^p - 1)$ with coefficients in $\{-q/2, \ldots, q/2 - 1\}$, reduces modulo 3 to obtain $m$.

  73–76. Basic attack tool: lift pairs $(u, uh)$ to $\mathbf{Z}^{2p}$ to obtain a lattice. Attacking key $h$: $(1 + 3f, 3g)$ is a short vector in this lattice. Attacking ciphertext $c$: $(0, c)$ is close to the lattice vector $(r, rh)$. Standard lattice algorithms (SVP, CVP) cost $2^{\Theta(p)}$. Nothing subexponential known, even post-quantum.

  77. ❜ Receiver built ❤ = 3 ❣❂ (1 + 3 ❢ ) Basic attack tool: Take ♣ ✷ ❜ ❢❀ ❣ ✷ ( Z ❂q )[ ① ] ❂ ( ① ♣ � 1), Lift pairs ( ✉❀ ✉❤ ) to Z 2 ♣ against all effs in ❢� 1 ❀ 0 ❀ 1 ❣ , to obtain a lattice. Θ( ❜ lg ❜ ) ❢ ✐ ❢ ✐ = � 1 ❣ = # ❢ ✐ : ❢ ✐ =1 ❣ = t , Attacking key ❤ : ♦ ❣ ✐ = � 1 ❣ ✙ # ❢ ✐ : ❣ ✐ =1 ❣ ✙ ♣ Time ❜ (lg ❜ ❢ ✐ 3 , (1 + 3 ❢❀ 3 ❣ ) is a short vector to multiply + 3 ❢ and ❣ invertible. in this lattice. ( Z ❂q )[ ① ] ❂ ① ♣ � ciphertext ❝ = ♠ + r❤ , Attacking ciphertext ❝ : ♦ Time ❜ (lg ❜ receiver computes (0 ❀ ❝ ) is close to for encryption ❢ ) ❝ = (1 + 3 ❢ ) ♠ + 3 r❣ lattice vector ( r❀ r❤ ). ❂q )[ ① ] ❂ ( ① ♣ � 1), Excellent Z [ ① ] ❂ ( ① ♣ � 1) with Standard lattice algorithms (SVP, CVP) cost 2 Θ( ♣ ) . in ❢� q❂ 2 ❀ ✿ ✿ ✿ ❀ q❂ 2 � 1 ❣ , Nothing subexponential known, reduces modulo 3 even post-quantum. obtain ♠ .

  78. ❜ ❤ = 3 ❣❂ (1 + 3 ❢ ) Basic attack tool: Take ♣ ✷ Θ( ❜ ) for ❂q )[ ① ] ❂ ( ① ♣ � 1), Lift pairs ( ✉❀ ✉❤ ) to Z 2 ♣ ❢❀ ❣ ✷ against all known attacks. ❢� ❀ 0 ❀ 1 ❣ , to obtain a lattice. Θ( ❜ lg ❜ ) bits in key ❢ ✐ ❢ ✐ � ❣ # ❢ ✐ : ❢ ✐ =1 ❣ = t , Attacking key ❤ : Time ❜ (lg ❜ ) 2+ ♦ (1) � ❣ ✙ # ❢ ✐ : ❣ ✐ =1 ❣ ✙ ♣ ❢ ✐ ❣ ✐ 3 , (1 + 3 ❢❀ 3 ❣ ) is a short vector to multiply in ❣ invertible. ❢ in this lattice. ( Z ❂q )[ ① ] ❂ ( ① ♣ � 1). ❝ = ♠ + r❤ , Attacking ciphertext ❝ : Time ❜ (lg ❜ ) 2+ ♦ (1) es (0 ❀ ❝ ) is close to for encryption, decryption. 3 ❢ ) ♠ + 3 r❣ ❢ ❝ lattice vector ( r❀ r❤ ). ❂q ① ❂ ① ♣ � 1), Excellent overall p ① ❂ ① ♣ � 1) with Standard lattice algorithms (SVP, CVP) cost 2 Θ( ♣ ) . ❢� q❂ ❀ ✿ ✿ ✿ ❀ q❂ 2 � 1 ❣ , Nothing subexponential known, 3 even post-quantum. ♠

  79. Take ♣ ✷ Θ( ❜ ) for security 2 ❜ ❤ ❣❂ 3 ❢ ) Basic attack tool: ❂q ① ❂ ① ♣ � 1), Lift pairs ( ✉❀ ✉❤ ) to Z 2 ♣ ❢❀ ❣ ✷ against all known attacks. ❢� ❀ ❀ ❣ to obtain a lattice. Θ( ❜ lg ❜ ) bits in key. ❢ ✐ ❢ ✐ � ❣ ❢ ✐ ❢ ✐ =1 ❣ = t , Attacking key ❤ : Time ❜ (lg ❜ ) 2+ ♦ (1) ❣ ✐ =1 ❣ ✙ ♣ ❢ ✐ ❣ ✐ � ❣ ✙ ❢ ✐ 3 , (1 + 3 ❢❀ 3 ❣ ) is a short vector to multiply in ❣ invertible. ❢ in this lattice. ( Z ❂q )[ ① ] ❂ ( ① ♣ � 1). ❝ ♠ r❤ , Attacking ciphertext ❝ : Time ❜ (lg ❜ ) 2+ ♦ (1) (0 ❀ ❝ ) is close to for encryption, decryption. 3 r❣ ❢ ❝ ❢ ♠ lattice vector ( r❀ r❤ ). ❂q ① ❂ ① ♣ � Excellent overall performance. ① ❂ ① ♣ � Standard lattice algorithms (SVP, CVP) cost 2 Θ( ♣ ) . ❢� q❂ ❀ ✿ ✿ ✿ ❀ q❂ � 1 ❣ , Nothing subexponential known, even post-quantum. ♠

  80. Take ♣ ✷ Θ( ❜ ) for security 2 ❜ Basic attack tool: Lift pairs ( ✉❀ ✉❤ ) to Z 2 ♣ against all known attacks. to obtain a lattice. Θ( ❜ lg ❜ ) bits in key. Attacking key ❤ : Time ❜ (lg ❜ ) 2+ ♦ (1) (1 + 3 ❢❀ 3 ❣ ) is a short vector to multiply in in this lattice. ( Z ❂q )[ ① ] ❂ ( ① ♣ � 1). Attacking ciphertext ❝ : Time ❜ (lg ❜ ) 2+ ♦ (1) (0 ❀ ❝ ) is close to for encryption, decryption. lattice vector ( r❀ r❤ ). Excellent overall performance. Standard lattice algorithms (SVP, CVP) cost 2 Θ( ♣ ) . Nothing subexponential known, even post-quantum.

  81. Take ♣ ✷ Θ( ❜ ) for security 2 ❜ Basic attack tool: Lift pairs ( ✉❀ ✉❤ ) to Z 2 ♣ against all known attacks. to obtain a lattice. Θ( ❜ lg ❜ ) bits in key. Attacking key ❤ : Time ❜ (lg ❜ ) 2+ ♦ (1) (1 + 3 ❢❀ 3 ❣ ) is a short vector to multiply in in this lattice. ( Z ❂q )[ ① ] ❂ ( ① ♣ � 1). Attacking ciphertext ❝ : Time ❜ (lg ❜ ) 2+ ♦ (1) (0 ❀ ❝ ) is close to for encryption, decryption. lattice vector ( r❀ r❤ ). Excellent overall performance. Standard lattice algorithms (SVP, CVP) cost 2 Θ( ♣ ) . The McEliece cryptosystem inspires more confidence Nothing subexponential known, but has much larger keys. even post-quantum.
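The scheme on slide 76 as a runnable toy, added here as an example (not the talk's code and not any NTRU library's): $h = 3g/(1 + 3f)$ in $(\mathbb{Z}/q)[x]/(x^p - 1)$, $c = m + rh$, and decryption by lifting $(1 + 3f)c$ to centred coefficients and reducing modulo 3. The values $p = 11$, $q = 257$, $t = 2$ are constructed toy sizes chosen only to keep the arithmetic visible, and the inversion routine (raising $u$ to a power that is 1 on every unit of the product-of-fields ring) is my choice, not something the slide specifies.

```python
import random
P, Q, T = 11, 257, 2   # constructed toy sizes (Q prime); the slide wants p in Theta(b)

def mul(a, b, mod):
    """Product in (Z/mod)[x]/(x^P - 1): cyclic convolution of coefficient lists."""
    c = [0] * P
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % P] = (c[(i + j) % P] + ai * bj) % mod
    return c

def inverse(u):
    """Inverse of u in (Z/Q)[x]/(x^P - 1), or None if u is not a unit.  Q prime, coprime
    to P: the ring is a product of fields GF(Q^d), d | k = ord_P(Q), so u^(Q^k - 1) = 1."""
    k = next(k for k in range(1, P) if pow(Q, k, P) == 1)
    e, acc, base = Q**k - 2, [1] + [0] * (P - 1), [x % Q for x in u]
    while e:                                  # square-and-multiply: acc = u^(Q^k - 2)
        if e & 1:
            acc = mul(acc, base, Q)
        base, e = mul(base, base, Q), e >> 1
    return acc if mul(acc, u, Q) == [1] + [0] * (P - 1) else None

def ternary(plus, minus):
    """Random coefficients in {-1,0,1} with exactly `plus` ones and `minus` minus-ones."""
    return random.sample([1] * plus + [-1] * minus + [0] * (P - plus - minus), P)

def keygen():
    """Private 1+3f (f: t ones, t minus-ones), public h = 3g/(1+3f); both 1+3f and g units."""
    while True:
        f = ternary(T, T)
        g = ternary(P // 3 + 1, P // 3)       # ~p/3 of each sign, unequal so g(1) != 0
        priv = [(1 if i == 0 else 0) + 3 * fi for i, fi in enumerate(f)]
        inv = inverse(priv)
        if inv is not None and inverse(g) is not None:
            return priv, mul([3 * gi for gi in g], inv, Q)

def encrypt(m, h):
    """c = m + r*h with a fresh ternary r; m has coefficients in {-1,0,1}."""
    return [(mi + x) % Q for mi, x in zip(m, mul(ternary(P // 3, P // 3), h, Q))]

def decrypt(c, priv):
    """(1+3f)c = (1+3f)m + 3rg mod q; lift to {-q/2,...,q/2-1}, reduce mod 3 into {-1,0,1}."""
    lifted = [x - Q if x >= Q // 2 else x for x in mul(priv, c, Q)]
    return [(x + 1) % 3 - 1 for x in lifted]

def roundtrip():
    """decrypt(encrypt(m)) == m for any randomness: |(1+3f)m + 3rg| coeffs <= 13 + 18 < q/2."""
    priv, h = keygen()
    m = ternary(P // 3, P // 3)
    return decrypt(encrypt(m, h), priv) == m
```

The lift is exact only because every coefficient of $(1 + 3f)m + 3rg$ stays inside $(-q/2, q/2)$ at these sizes; shrinking $q$ below about 64 here makes decryption start to fail, which is the parameter constraint the slide's "coeffs in $\{-q/2, \ldots, q/2 - 1\}$" step silently relies on.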

  82. Something completely different. 1985 H. Lange–Ruppert: $A(k)$ has a complete system of addition laws, degree $(3, 3)$. Symmetry $\Rightarrow$ degree $(2, 2)$. "The proof is nonconstructive ... To determine explicitly a complete system of addition laws requires tedious computations already in the easiest case of an elliptic curve in Weierstrass normal form."

  86. 1985 Lange–Ruppert: Explicit complete system of 3 addition laws for short Weierstrass curves. Reduce formulas by introducing $x_i y_j + x_j y_i$, $x_i y_j - x_j y_i$. 1987 Lange–Ruppert: Explicit complete system of 3 addition laws for long Weierstrass curves.
