3 4 Imagine someone responding: Now imagine a religious fanatic CvHP is is completely out of line. saying that all of these functions Horrible attack by Dobbertin does are worse than “provably secure” Far worse reak any normal usage of cryptographic hash functions. standard so what exactly is the compression-function 1991 “provably secure” example, of preventing it? This Chaum–van Heijst–Pfitzmann: Security eculation about MD5 collisions 1922 Kraitchik Choose p sensibly. controversial and non-scientific, 1986 Copp Define C ( x; y ) = 4 x 9 y mod p creates confusion on the Schroepp for suitable ranges of x and y . of the art. Recommending 1993 Gord alternative hash functions is at Simple, beautiful, structured. 1993 Schirok very least quite premature.” Very easy security reduction: 1994 Sho finding C collision implies not a real cryptographer. computing a discrete logarithm. a standards organization.
3 4 someone responding: Now imagine a religious fanatic CvHP is very bad cryptography completely out of line. saying that all of these functions Horrible security fo Dobbertin does are worse than “provably secure” Far worse security normal usage of cryptographic hash functions. standard “unstructured” exactly is the compression-function 1991 “provably secure” example, venting it? This Chaum–van Heijst–Pfitzmann: Security losses in C out MD5 collisions 1922 Kraitchik (index Choose p sensibly. and non-scientific, 1986 Coppersmith–Odlyzk Define C ( x; y ) = 4 x 9 y mod p confusion on the Schroeppel (NFS p for suitable ranges of x and y . Recommending 1993 Gordon (general functions is at Simple, beautiful, structured. 1993 Schirokauer (faster quite premature.” Very easy security reduction: 1994 Shor (quantum finding C collision implies real cryptographer. computing a discrete logarithm. rds organization.
3 4 onding: Now imagine a religious fanatic CvHP is very bad cryptography line. saying that all of these functions Horrible security for its speed. does are worse than “provably secure” Far worse security record than usage of cryptographic hash functions. standard “unstructured” the compression-function designs. 1991 “provably secure” example, This Chaum–van Heijst–Pfitzmann: Security losses in C include collisions 1922 Kraitchik (index calculus); Choose p sensibly. non-scientific, 1986 Coppersmith–Odlyzko– Define C ( x; y ) = 4 x 9 y mod p the Schroeppel (NFS predecesso for suitable ranges of x and y . Recommending 1993 Gordon (general DL NFS); is at Simple, beautiful, structured. 1993 Schirokauer (faster NFS); mature.” Very easy security reduction: 1994 Shor (quantum poly time). finding C collision implies cryptographer. computing a discrete logarithm. rganization.
4 5 Now imagine a religious fanatic CvHP is very bad cryptography. saying that all of these functions Horrible security for its speed. are worse than “provably secure” Far worse security record than cryptographic hash functions. standard “unstructured” compression-function designs. 1991 “provably secure” example, Chaum–van Heijst–Pfitzmann: Security losses in C include 1922 Kraitchik (index calculus); Choose p sensibly. 1986 Coppersmith–Odlyzko– Define C ( x; y ) = 4 x 9 y mod p Schroeppel (NFS predecessor); for suitable ranges of x and y . 1993 Gordon (general DL NFS); Simple, beautiful, structured. 1993 Schirokauer (faster NFS); Very easy security reduction: 1994 Shor (quantum poly time). finding C collision implies computing a discrete logarithm.
4 5 Now imagine a religious fanatic CvHP is very bad cryptography. saying that all of these functions Horrible security for its speed. are worse than “provably secure” Far worse security record than cryptographic hash functions. standard “unstructured” compression-function designs. 1991 “provably secure” example, Chaum–van Heijst–Pfitzmann: Security losses in C include 1922 Kraitchik (index calculus); Choose p sensibly. 1986 Coppersmith–Odlyzko– Define C ( x; y ) = 4 x 9 y mod p Schroeppel (NFS predecessor); for suitable ranges of x and y . 1993 Gordon (general DL NFS); Simple, beautiful, structured. 1993 Schirokauer (faster NFS); Very easy security reduction: 1994 Shor (quantum poly time). finding C collision implies Imagine someone in 1991 saying computing a discrete logarithm. “DL security is well understood”.
4 5 imagine a religious fanatic CvHP is very bad cryptography. We still that all of these functions Horrible security for its speed. pre-quantum rse than “provably secure” Far worse security record than Which DL cryptographic hash functions. standard “unstructured” compression-function designs. provably secure” example, Chaum–van Heijst–Pfitzmann: Security losses in C include 1922 Kraitchik (index calculus); ose p sensibly. 1986 Coppersmith–Odlyzko– C ( x; y ) = 4 x 9 y mod p Schroeppel (NFS predecessor); itable ranges of x and y . 1993 Gordon (general DL NFS); Simple, beautiful, structured. 1993 Schirokauer (faster NFS); easy security reduction: 1994 Shor (quantum poly time). C collision implies Imagine someone in 1991 saying computing a discrete logarithm. “DL security is well understood”.
4 5 religious fanatic CvHP is very bad cryptography. We still use discrete of these functions Horrible security for its speed. pre-quantum public-k provably secure” Far worse security record than Which DL groups hash functions. standard “unstructured” compression-function designs. secure” example, Heijst–Pfitzmann: Security losses in C include 1922 Kraitchik (index calculus); sensibly. 1986 Coppersmith–Odlyzko– 4 x 9 y mod p Schroeppel (NFS predecessor); ranges of x and y . 1993 Gordon (general DL NFS); eautiful, structured. 1993 Schirokauer (faster NFS); security reduction: 1994 Shor (quantum poly time). collision implies Imagine someone in 1991 saying discrete logarithm. “DL security is well understood”.
4 5 fanatic CvHP is very bad cryptography. We still use discrete logs for functions Horrible security for its speed. pre-quantum public-key crypto. secure” Far worse security record than Which DL groups are best? functions. standard “unstructured” compression-function designs. example, Heijst–Pfitzmann: Security losses in C include 1922 Kraitchik (index calculus); 1986 Coppersmith–Odlyzko– d p Schroeppel (NFS predecessor); and y . 1993 Gordon (general DL NFS); structured. 1993 Schirokauer (faster NFS); tion: 1994 Shor (quantum poly time). Imagine someone in 1991 saying rithm. “DL security is well understood”.
5 6 CvHP is very bad cryptography. We still use discrete logs for Horrible security for its speed. pre-quantum public-key crypto. Far worse security record than Which DL groups are best? standard “unstructured” compression-function designs. Security losses in C include 1922 Kraitchik (index calculus); 1986 Coppersmith–Odlyzko– Schroeppel (NFS predecessor); 1993 Gordon (general DL NFS); 1993 Schirokauer (faster NFS); 1994 Shor (quantum poly time). Imagine someone in 1991 saying “DL security is well understood”.
5 6 CvHP is very bad cryptography. We still use discrete logs for Horrible security for its speed. pre-quantum public-key crypto. Far worse security record than Which DL groups are best? standard “unstructured” 1986 Miller proposes ECC. compression-function designs. Gives detailed arguments that Security losses in C include index calculus “is not likely 1922 Kraitchik (index calculus); to work on elliptic curves.” 1986 Coppersmith–Odlyzko– Schroeppel (NFS predecessor); 1993 Gordon (general DL NFS); 1993 Schirokauer (faster NFS); 1994 Shor (quantum poly time). Imagine someone in 1991 saying “DL security is well understood”.
5 6 CvHP is very bad cryptography. We still use discrete logs for Horrible security for its speed. pre-quantum public-key crypto. Far worse security record than Which DL groups are best? standard “unstructured” 1986 Miller proposes ECC. compression-function designs. Gives detailed arguments that Security losses in C include index calculus “is not likely 1922 Kraitchik (index calculus); to work on elliptic curves.” 1986 Coppersmith–Odlyzko– 1997 Rivest: “Over time, this Schroeppel (NFS predecessor); may change, but for now trying to 1993 Gordon (general DL NFS); get an evaluation of the security 1993 Schirokauer (faster NFS); of an elliptic-curve cryptosystem 1994 Shor (quantum poly time). is a bit like trying to get an Imagine someone in 1991 saying evaluation of some recently “DL security is well understood”. discovered Chaldean poetry.”
5 6 is very bad cryptography. We still use discrete logs for Are RSA, rrible security for its speed. pre-quantum public-key crypto. These syste rse security record than Which DL groups are best? enabling rd “unstructured” Many optimization 1986 Miller proposes ECC. ression-function designs. Attacks Gives detailed arguments that > 100 scientific Security losses in C include index calculus “is not likely Still many Kraitchik (index calculus); to work on elliptic curves.” Coppersmith–Odlyzko– How many 1997 Rivest: “Over time, this eppel (NFS predecessor); the state may change, but for now trying to Gordon (general DL NFS); get an evaluation of the security Schirokauer (faster NFS); of an elliptic-curve cryptosystem Shor (quantum poly time). is a bit like trying to get an Imagine someone in 1991 saying evaluation of some recently security is well understood”. discovered Chaldean poetry.”
5 6 bad cryptography. We still use discrete logs for Are RSA, DSA, etc. for its speed. pre-quantum public-key crypto. These systems have security record than Which DL groups are best? enabling attacks such “unstructured” Many optimization 1986 Miller proposes ECC. ression-function designs. Attacks keep getting Gives detailed arguments that > 100 scientific pap C include index calculus “is not likely Still many unexplo (index calculus); to work on elliptic curves.” ersmith–Odlyzko– How many people 1997 Rivest: “Over time, this predecessor); the state of the art? may change, but for now trying to (general DL NFS); get an evaluation of the security uer (faster NFS); of an elliptic-curve cryptosystem (quantum poly time). is a bit like trying to get an someone in 1991 saying evaluation of some recently ell understood”. discovered Chaldean poetry.”
5 6 cryptography. We still use discrete logs for Are RSA, DSA, etc. less scary? eed. pre-quantum public-key crypto. These systems have structure than Which DL groups are best? enabling attacks such as NFS. Many optimization avenues. 1986 Miller proposes ECC. designs. Attacks keep getting better. Gives detailed arguments that > 100 scientific papers. include index calculus “is not likely Still many unexplored avenues. calculus); to work on elliptic curves.” o– How many people understand 1997 Rivest: “Over time, this ssor); the state of the art? may change, but for now trying to NFS); get an evaluation of the security NFS); of an elliptic-curve cryptosystem time). is a bit like trying to get an saying evaluation of some recently understood”. discovered Chaldean poetry.”
6 7 We still use discrete logs for Are RSA, DSA, etc. less scary? pre-quantum public-key crypto. These systems have structure Which DL groups are best? enabling attacks such as NFS. Many optimization avenues. 1986 Miller proposes ECC. Attacks keep getting better. Gives detailed arguments that > 100 scientific papers. index calculus “is not likely Still many unexplored avenues. to work on elliptic curves.” How many people understand 1997 Rivest: “Over time, this the state of the art? may change, but for now trying to get an evaluation of the security of an elliptic-curve cryptosystem is a bit like trying to get an evaluation of some recently discovered Chaldean poetry.”
6 7 We still use discrete logs for Are RSA, DSA, etc. less scary? pre-quantum public-key crypto. These systems have structure Which DL groups are best? enabling attacks such as NFS. Many optimization avenues. 1986 Miller proposes ECC. Attacks keep getting better. Gives detailed arguments that > 100 scientific papers. index calculus “is not likely Still many unexplored avenues. to work on elliptic curves.” How many people understand 1997 Rivest: “Over time, this the state of the art? may change, but for now trying to get an evaluation of the security Recurring themes in attacks: of an elliptic-curve cryptosystem factorizations of ring elements; is a bit like trying to get an ring automorphisms; subfields; evaluation of some recently extending applicability (even to discovered Chaldean poetry.” some curves!) via group maps.
6 7 still use discrete logs for Are RSA, DSA, etc. less scary? Which ECC re-quantum public-key crypto. These systems have structure 2005 Bernstein: DL groups are best? enabling attacks such as NFS. “have the Many optimization avenues. Miller proposes ECC. the numb Attacks keep getting better. detailed arguments that for elliptic > 100 scientific papers. calculus “is not likely 2005 ECRYPT Still many unexplored avenues. rk on elliptic curves.” “Some general How many people understand Rivest: “Over time, this exist about the state of the art? change, but for now trying to attacks : evaluation of the security Recurring themes in attacks: recommend elliptic-curve cryptosystem factorizations of ring elements; fields.” No bit like trying to get an ring automorphisms; subfields; evaluation of some recently extending applicability (even to discovered Chaldean poetry.” some curves!) via group maps.
6 7 discrete logs for Are RSA, DSA, etc. less scary? Which ECC fields public-key crypto. These systems have structure 2005 Bernstein: pr s are best? enabling attacks such as NFS. “have the virtue of Many optimization avenues. oses ECC. the number of securit Attacks keep getting better. rguments that for elliptic-curve cryptography > 100 scientific papers. “is not likely 2005 ECRYPT key-sizes Still many unexplored avenues. elliptic curves.” “Some general concerns How many people understand “Over time, this exist about possible the state of the art? but for now trying to attacks : : : As a first evaluation of the security Recurring themes in attacks: recommend curves elliptic-curve cryptosystem factorizations of ring elements; fields.” No extra automo trying to get an ring automorphisms; subfields; some recently extending applicability (even to Chaldean poetry.” some curves!) via group maps.
6 7 for Are RSA, DSA, etc. less scary? Which ECC fields do we use? crypto. These systems have structure 2005 Bernstein: prime fields est? enabling attacks such as NFS. “have the virtue of minimizing Many optimization avenues. ECC. the number of security concerns Attacks keep getting better. that for elliptic-curve cryptography > 100 scientific papers. ely 2005 ECRYPT key-sizes repo Still many unexplored avenues. curves.” “Some general concerns How many people understand this exist about possible future the state of the art? trying to attacks : : : As a first choice, security Recurring themes in attacks: recommend curves over prime cryptosystem factorizations of ring elements; fields.” No extra automorphisms. an ring automorphisms; subfields; recently extending applicability (even to etry.” some curves!) via group maps.
7 8 Are RSA, DSA, etc. less scary? Which ECC fields do we use? These systems have structure 2005 Bernstein: prime fields enabling attacks such as NFS. “have the virtue of minimizing Many optimization avenues. the number of security concerns Attacks keep getting better. for elliptic-curve cryptography.” > 100 scientific papers. 2005 ECRYPT key-sizes report: Still many unexplored avenues. “Some general concerns How many people understand exist about possible future the state of the art? attacks : : : As a first choice, we Recurring themes in attacks: recommend curves over prime factorizations of ring elements; fields.” No extra automorphisms. ring automorphisms; subfields; extending applicability (even to some curves!) via group maps.
7 8 Are RSA, DSA, etc. less scary? Which ECC fields do we use? These systems have structure 2005 Bernstein: prime fields enabling attacks such as NFS. “have the virtue of minimizing Many optimization avenues. the number of security concerns Attacks keep getting better. for elliptic-curve cryptography.” > 100 scientific papers. 2005 ECRYPT key-sizes report: Still many unexplored avenues. “Some general concerns How many people understand exist about possible future the state of the art? attacks : : : As a first choice, we Recurring themes in attacks: recommend curves over prime factorizations of ring elements; fields.” No extra automorphisms. ring automorphisms; subfields; Imagine a response: “That’s extending applicability (even to premature! E ( F 2 n ) isn’t broken!” some curves!) via group maps.
7 8 RSA, DSA, etc. less scary? Which ECC fields do we use? Last example: systems have structure Halevi–Ra 2005 Bernstein: prime fields enabling attacks such as NFS. “Candidate “have the virtue of minimizing optimization avenues. obfuscation the number of security concerns ttacks keep getting better. encryption for elliptic-curve cryptography.” scientific papers. UCLA pres 2005 ECRYPT key-sizes report: many unexplored avenues. to Sahai, “Some general concerns many people understand techniques exist about possible future state of the art? presented attacks : : : As a first choice, we forcing a Recurring themes in attacks: recommend curves over prime effort, perhaps rizations of ring elements; fields.” No extra automorphisms. to reverse- automorphisms; subfields; Imagine a response: “That’s The new extending applicability (even to premature! E ( F 2 n ) isn’t broken!” an ‘iron curves!) via group maps. in the field
7 8 etc. less scary? Which ECC fields do we use? Last example: 2013 have structure Halevi–Raykova–Sahai–W 2005 Bernstein: prime fields such as NFS. “Candidate indistinguishabilit “have the virtue of minimizing optimization avenues. obfuscation and functional the number of security concerns getting better. encryption for all circuits”. for elliptic-curve cryptography.” papers. UCLA press release: 2005 ECRYPT key-sizes report: unexplored avenues. to Sahai, previously “Some general concerns eople understand techniques for obfuscation exist about possible future art? presented only a ‘sp attacks : : : As a first choice, we forcing an attacker themes in attacks: recommend curves over prime effort, perhaps a few ring elements; fields.” No extra automorphisms. to reverse-engineer rphisms; subfields; Imagine a response: “That’s The new system, he applicability (even to premature! E ( F 2 n ) isn’t broken!” an ‘iron wall’ : : : a via group maps. in the field of cryptography
7 8 scary? Which ECC fields do we use? Last example: 2013 Garg–Gentry– structure Halevi–Raykova–Sahai–Wate 2005 Bernstein: prime fields NFS. “Candidate indistinguishabilit “have the virtue of minimizing avenues. obfuscation and functional the number of security concerns etter. encryption for all circuits”. for elliptic-curve cryptography.” UCLA press release: “According 2005 ECRYPT key-sizes report: avenues. to Sahai, previously developed “Some general concerns understand techniques for obfuscation exist about possible future presented only a ‘speed bump,’ attacks : : : As a first choice, we forcing an attacker to spend attacks: recommend curves over prime effort, perhaps a few days, trying elements; fields.” No extra automorphisms. to reverse-engineer the softw subfields; Imagine a response: “That’s The new system, he said, puts (even to premature! E ( F 2 n ) isn’t broken!” an ‘iron wall’ : : : a game-change maps. in the field of cryptography.”
8 9 Which ECC fields do we use? Last example: 2013 Garg–Gentry– Halevi–Raykova–Sahai–Waters 2005 Bernstein: prime fields “Candidate indistinguishability “have the virtue of minimizing obfuscation and functional the number of security concerns encryption for all circuits”. for elliptic-curve cryptography.” UCLA press release: “According 2005 ECRYPT key-sizes report: to Sahai, previously developed “Some general concerns techniques for obfuscation exist about possible future presented only a ‘speed bump,’ attacks : : : As a first choice, we forcing an attacker to spend some recommend curves over prime effort, perhaps a few days, trying fields.” No extra automorphisms. to reverse-engineer the software. Imagine a response: “That’s The new system, he said, puts up premature! E ( F 2 n ) isn’t broken!” an ‘iron wall’ : : : a game-change in the field of cryptography.”
8 9 ECC fields do we use? Last example: 2013 Garg–Gentry– 2013 Bernstein: Halevi–Raykova–Sahai–Waters cryptographic Bernstein: prime fields “Candidate indistinguishability of this so the virtue of minimizing obfuscation and functional the best number of security concerns encryption for all circuits”. has against lliptic-curve cryptography.” Security UCLA press release: “According ECRYPT key-sizes report: to Sahai, previously developed general concerns techniques for obfuscation about possible future presented only a ‘speed bump,’ attacks : : : As a first choice, we forcing an attacker to spend some recommend curves over prime effort, perhaps a few days, trying No extra automorphisms. to reverse-engineer the software. Imagine a response: “That’s The new system, he said, puts up remature! E ( F 2 n ) isn’t broken!” an ‘iron wall’ : : : a game-change in the field of cryptography.”
8 9 fields do we use? Last example: 2013 Garg–Gentry– 2013 Bernstein: “The Halevi–Raykova–Sahai–Waters cryptographic conferences prime fields “Candidate indistinguishability of this sort of shit, of minimizing obfuscation and functional the best defense that security concerns encryption for all circuits”. has against the U.S. cryptography.” Security Agency, w UCLA press release: “According ey-sizes report: to Sahai, previously developed concerns techniques for obfuscation ossible future presented only a ‘speed bump,’ first choice, we forcing an attacker to spend some rves over prime effort, perhaps a few days, trying automorphisms. to reverse-engineer the software. onse: “That’s The new system, he said, puts up n ) isn’t broken!” an ‘iron wall’ : : : a game-change in the field of cryptography.”
8 9 use? Last example: 2013 Garg–Gentry– 2013 Bernstein: “The flagship Halevi–Raykova–Sahai–Waters cryptographic conferences are fields “Candidate indistinguishability of this sort of shit, and, if this minimizing obfuscation and functional the best defense that the wo concerns encryption for all circuits”. has against the U.S. National cryptography.” Security Agency, we’re screw UCLA press release: “According report: to Sahai, previously developed techniques for obfuscation presented only a ‘speed bump,’ choice, we forcing an attacker to spend some rime effort, perhaps a few days, trying rphisms. to reverse-engineer the software. “That’s The new system, he said, puts up roken!” an ‘iron wall’ : : : a game-change in the field of cryptography.”
9 10 Last example: 2013 Garg–Gentry– 2013 Bernstein: “The flagship Halevi–Raykova–Sahai–Waters cryptographic conferences are full “Candidate indistinguishability of this sort of shit, and, if this is obfuscation and functional the best defense that the world encryption for all circuits”. has against the U.S. National Security Agency, we’re screwed.” UCLA press release: “According to Sahai, previously developed techniques for obfuscation presented only a ‘speed bump,’ forcing an attacker to spend some effort, perhaps a few days, trying to reverse-engineer the software. The new system, he said, puts up an ‘iron wall’ : : : a game-change in the field of cryptography.”
9 10 Last example: 2013 Garg–Gentry– 2013 Bernstein: “The flagship Halevi–Raykova–Sahai–Waters cryptographic conferences are full “Candidate indistinguishability of this sort of shit, and, if this is obfuscation and functional the best defense that the world encryption for all circuits”. has against the U.S. National Security Agency, we’re screwed.” UCLA press release: “According to Sahai, previously developed 2016 Miles–Sahai–Zhandry: “We techniques for obfuscation exhibit two simple programs that presented only a ‘speed bump,’ are functionally equivalent, and forcing an attacker to spend some show how to efficiently distinguish effort, perhaps a few days, trying between the obfuscations to reverse-engineer the software. of these two programs.” The new system, he said, puts up So Sahai’s claimed “iron wall” an ‘iron wall’ : : : a game-change is just another “speed bump”. in the field of cryptography.”
9 10 example: 2013 Garg–Gentry– 2013 Bernstein: “The flagship Classic NTRU Halevi–Raykova–Sahai–Waters cryptographic conferences are full Standardize “Candidate indistinguishability of this sort of shit, and, if this is Also standa obfuscation and functional the best defense that the world Define R encryption for all circuits”. has against the U.S. National Receiver Security Agency, we’re screwed.” press release: “According (Some invertibilit Sahai, previously developed 2016 Miles–Sahai–Zhandry: “We Public key techniques for obfuscation exhibit two simple programs that Sender cho resented only a ‘speed bump,’ are functionally equivalent, and Ciphertext an attacker to spend some show how to efficiently distinguish perhaps a few days, trying between the obfuscations reverse-engineer the software. of these two programs.” new system, he said, puts up So Sahai’s claimed “iron wall” ‘iron wall’ : : : a game-change is just another “speed bump”. field of cryptography.”
9 10 2013 Garg–Gentry– 2013 Bernstein: “The flagship Classic NTRU ova–Sahai–Waters cryptographic conferences are full Standardize prime indistinguishability of this sort of shit, and, if this is Also standardize q functional the best defense that the world Define R = Z [ x ] = ( all circuits”. has against the U.S. National Receiver chooses small Security Agency, we’re screwed.” release: “According (Some invertibility reviously developed 2016 Miles–Sahai–Zhandry: “We Public key h = 3 g=f obfuscation exhibit two simple programs that Sender chooses small ‘speed bump,’ are functionally equivalent, and Ciphertext c = m + attacker to spend some show how to efficiently distinguish few days, trying between the obfuscations eer the software. of these two programs.” system, he said, puts up So Sahai’s claimed “iron wall” : a game-change is just another “speed bump”. cryptography.”
9 10 rg–Gentry– 2013 Bernstein: “The flagship Classic NTRU ters cryptographic conferences are full Standardize prime p ; e.g. 743. indistinguishability of this sort of shit, and, if this is Also standardize q ; e.g. 2048. functional the best defense that the world Define R = Z [ x ] = ( x p − 1). circuits”. has against the U.S. National Receiver chooses small f ; g ∈ Security Agency, we’re screwed.” “According (Some invertibility requirements.) developed 2016 Miles–Sahai–Zhandry: “We Public key h = 3 g=f mod q . exhibit two simple programs that Sender chooses small m; r ∈ bump,’ are functionally equivalent, and Ciphertext c = m + hr mod end some show how to efficiently distinguish ys, trying between the obfuscations software. of these two programs.” puts up So Sahai’s claimed “iron wall” game-change is just another “speed bump”. cryptography.”
10 11 2013 Bernstein: “The flagship Classic NTRU cryptographic conferences are full Standardize prime p ; e.g. 743. of this sort of shit, and, if this is Also standardize q ; e.g. 2048. the best defense that the world Define R = Z [ x ] = ( x p − 1). has against the U.S. National Receiver chooses small f ; g ∈ R . Security Agency, we’re screwed.” (Some invertibility requirements.) 2016 Miles–Sahai–Zhandry: “We Public key h = 3 g=f mod q . exhibit two simple programs that Sender chooses small m; r ∈ R . are functionally equivalent, and Ciphertext c = m + hr mod q . show how to efficiently distinguish between the obfuscations of these two programs.” So Sahai’s claimed “iron wall” is just another “speed bump”.
10 11 2013 Bernstein: “The flagship Classic NTRU cryptographic conferences are full Standardize prime p ; e.g. 743. of this sort of shit, and, if this is Also standardize q ; e.g. 2048. the best defense that the world Define R = Z [ x ] = ( x p − 1). has against the U.S. National Receiver chooses small f ; g ∈ R . Security Agency, we’re screwed.” (Some invertibility requirements.) 2016 Miles–Sahai–Zhandry: “We Public key h = 3 g=f mod q . exhibit two simple programs that Sender chooses small m; r ∈ R . are functionally equivalent, and Ciphertext c = m + hr mod q . show how to efficiently distinguish between the obfuscations Multiply by f mod q : f c mod q . of these two programs.” So Sahai’s claimed “iron wall” is just another “speed bump”.
10 11 2013 Bernstein: “The flagship Classic NTRU cryptographic conferences are full Standardize prime p ; e.g. 743. of this sort of shit, and, if this is Also standardize q ; e.g. 2048. the best defense that the world Define R = Z [ x ] = ( x p − 1). has against the U.S. National Receiver chooses small f ; g ∈ R . Security Agency, we’re screwed.” (Some invertibility requirements.) 2016 Miles–Sahai–Zhandry: “We Public key h = 3 g=f mod q . exhibit two simple programs that Sender chooses small m; r ∈ R . are functionally equivalent, and Ciphertext c = m + hr mod q . show how to efficiently distinguish between the obfuscations Multiply by f mod q : f c mod q . of these two programs.” Use smallness: f m + 3 gr . So Sahai’s claimed “iron wall” is just another “speed bump”.
10 11 2013 Bernstein: “The flagship Classic NTRU cryptographic conferences are full Standardize prime p ; e.g. 743. of this sort of shit, and, if this is Also standardize q ; e.g. 2048. the best defense that the world Define R = Z [ x ] = ( x p − 1). has against the U.S. National Receiver chooses small f ; g ∈ R . Security Agency, we’re screwed.” (Some invertibility requirements.) 2016 Miles–Sahai–Zhandry: “We Public key h = 3 g=f mod q . exhibit two simple programs that Sender chooses small m; r ∈ R . are functionally equivalent, and Ciphertext c = m + hr mod q . show how to efficiently distinguish between the obfuscations Multiply by f mod q : f c mod q . of these two programs.” Use smallness: f m + 3 gr . Reduce mod 3: f m mod 3. So Sahai’s claimed “iron wall” is just another “speed bump”.
10 11 2013 Bernstein: “The flagship Classic NTRU cryptographic conferences are full Standardize prime p ; e.g. 743. of this sort of shit, and, if this is Also standardize q ; e.g. 2048. the best defense that the world Define R = Z [ x ] = ( x p − 1). has against the U.S. National Receiver chooses small f ; g ∈ R . Security Agency, we’re screwed.” (Some invertibility requirements.) 2016 Miles–Sahai–Zhandry: “We Public key h = 3 g=f mod q . exhibit two simple programs that Sender chooses small m; r ∈ R . are functionally equivalent, and Ciphertext c = m + hr mod q . show how to efficiently distinguish between the obfuscations Multiply by f mod q : f c mod q . of these two programs.” Use smallness: f m + 3 gr . Reduce mod 3: f m mod 3. So Sahai’s claimed “iron wall” Divide by f mod 3: m . is just another “speed bump”.
10 11 Bernstein: “The flagship Classic NTRU 1998 Hoffste cryptographic conferences are full introduced Standardize prime p ; e.g. 743. sort of shit, and, if this is Also standardize q ; e.g. 2048. Many subsequent est defense that the world Define R = Z [ x ] = ( x p − 1). meet-in-the-middle against the U.S. National lattice attacks, Receiver chooses small f ; g ∈ R . Security Agency, we’re screwed.” chosen-ciphertext (Some invertibility requirements.) Miles–Sahai–Zhandry: “We decryption-failure Public key h = 3 g=f mod q . two simple programs that complicated Sender chooses small m; r ∈ R . unctionally equivalent, and variations Ciphertext c = m + hr mod q . how to efficiently distinguish parameter een the obfuscations Multiply by f mod q : f c mod q . Also many these two programs.” Use smallness: f m + 3 gr . were small Reduce mod 3: f m mod 3. Sahai’s claimed “iron wall” e.g., homomo Divide by f mod 3: m . another “speed bump”.
10 11 “The flagship Classic NTRU 1998 Hoffstein–Pipher–Silverman conferences are full introduced this syste Standardize prime p ; e.g. 743. shit, and, if this is Also standardize q ; e.g. 2048. Many subsequent NTRU that the world Define R = Z [ x ] = ( x p − 1). meet-in-the-middle U.S. National lattice attacks, hyb Receiver chooses small f ; g ∈ R . , we’re screwed.” chosen-ciphertext a (Some invertibility requirements.) Miles–Sahai–Zhandry: “We decryption-failure attacks; Public key h = 3 g=f mod q . simple programs that complicated padding Sender chooses small m; r ∈ R . equivalent, and variations for efficiency; Ciphertext c = m + hr mod q . efficiently distinguish parameter selection. obfuscations Multiply by f mod q : f c mod q . Also many ideas that rograms.” Use smallness: f m + 3 gr . were small tweaks Reduce mod 3: f m mod 3. claimed “iron wall” e.g., homomorphic Divide by f mod 3: m . “speed bump”.
10 11 flagship Classic NTRU 1998 Hoffstein–Pipher–Silverman are full introduced this system. Standardize prime p ; e.g. 743. this is Also standardize q ; e.g. 2048. Many subsequent NTRU pap world Define R = Z [ x ] = ( x p − 1). meet-in-the-middle attacks, National lattice attacks, hybrid attacks; Receiver chooses small f ; g ∈ R . screwed.” chosen-ciphertext attacks; (Some invertibility requirements.) Miles–Sahai–Zhandry: “We decryption-failure attacks; Public key h = 3 g=f mod q . rograms that complicated padding systems; Sender chooses small m; r ∈ R . equivalent, and variations for efficiency; Ciphertext c = m + hr mod q . distinguish parameter selection. Multiply by f mod q : f c mod q . Also many ideas that in retrosp Use smallness: f m + 3 gr . were small tweaks of NTRU: Reduce mod 3: f m mod 3. all” e.g., homomorphic encryption. Divide by f mod 3: m . bump”.
11 12 Classic NTRU 1998 Hoffstein–Pipher–Silverman introduced this system. Standardize prime p ; e.g. 743. Also standardize q ; e.g. 2048. Many subsequent NTRU papers: Define R = Z [ x ] = ( x p − 1). meet-in-the-middle attacks, lattice attacks, hybrid attacks; Receiver chooses small f ; g ∈ R . chosen-ciphertext attacks; (Some invertibility requirements.) decryption-failure attacks; Public key h = 3 g=f mod q . complicated padding systems; Sender chooses small m; r ∈ R . variations for efficiency; Ciphertext c = m + hr mod q . parameter selection. Multiply by f mod q : f c mod q . Also many ideas that in retrospect Use smallness: f m + 3 gr . were small tweaks of NTRU: Reduce mod 3: f m mod 3. e.g., homomorphic encryption. Divide by f mod 3: m .
11 12 NTRU 1998 Hoffstein–Pipher–Silverman Unnecessa introduced this system. Standardize prime p ; e.g. 743. Attacker standardize q ; e.g. 2048. Many subsequent NTRU papers: public polynomials R = Z [ x ] = ( x p − 1). meet-in-the-middle attacks, Compatible lattice attacks, hybrid attacks; Receiver chooses small f ; g ∈ R . multiplication chosen-ciphertext attacks; invertibility requirements.) f (1) h (1) decryption-failure attacks; key h = 3 g=f mod q . c (1) = m complicated padding systems; Sender chooses small m; r ∈ R . variations for efficiency; Ciphertext c = m + hr mod q . parameter selection. Multiply by f mod q : f c mod q . Also many ideas that in retrospect allness: f m + 3 gr . were small tweaks of NTRU: Reduce mod 3: f m mod 3. e.g., homomorphic encryption. by f mod 3: m .
11 12 1998 Hoffstein–Pipher–Silverman Unnecessary structures introduced this system. rime p ; e.g. 743. Attacker can evaluate q ; e.g. 2048. Many subsequent NTRU papers: public polynomials ] = ( x p − 1). meet-in-the-middle attacks, Compatible with addition lattice attacks, hybrid attacks; oses small f ; g ∈ R . multiplication mod chosen-ciphertext attacks; invertibility requirements.) f (1) h (1) = 3 g (1) decryption-failure attacks; g=f mod q . c (1) = m (1) + h (1) complicated padding systems; small m; r ∈ R . variations for efficiency; + hr mod q . parameter selection. mod q : f c mod q . Also many ideas that in retrospect f m + 3 gr . were small tweaks of NTRU: f m mod 3. e.g., homomorphic encryption. 3: m .
11 12 1998 Hoffstein–Pipher–Silverman Unnecessary structures in NTRU introduced this system. 743. Attacker can evaluate 2048. Many subsequent NTRU papers: public polynomials h; c at 1. 1). meet-in-the-middle attacks, Compatible with addition and lattice attacks, hybrid attacks; multiplication mod x p − 1: ∈ R . chosen-ciphertext attacks; requirements.) f (1) h (1) = 3 g (1) in Z =q ; decryption-failure attacks; q . c (1) = m (1) + h (1) r (1) in Z complicated padding systems; ∈ R . variations for efficiency; d q . parameter selection. mod q . Also many ideas that in retrospect + 3 gr . were small tweaks of NTRU: mod 3. e.g., homomorphic encryption. m .
12 13 1998 Hoffstein–Pipher–Silverman Unnecessary structures in NTRU introduced this system. Attacker can evaluate Many subsequent NTRU papers: public polynomials h; c at 1. meet-in-the-middle attacks, Compatible with addition and lattice attacks, hybrid attacks; multiplication mod x p − 1: chosen-ciphertext attacks; f (1) h (1) = 3 g (1) in Z =q ; decryption-failure attacks; c (1) = m (1) + h (1) r (1) in Z =q . complicated padding systems; variations for efficiency; parameter selection. Also many ideas that in retrospect were small tweaks of NTRU: e.g., homomorphic encryption.
12 13 1998 Hoffstein–Pipher–Silverman Unnecessary structures in NTRU introduced this system. Attacker can evaluate Many subsequent NTRU papers: public polynomials h; c at 1. meet-in-the-middle attacks, Compatible with addition and lattice attacks, hybrid attacks; multiplication mod x p − 1: chosen-ciphertext attacks; f (1) h (1) = 3 g (1) in Z =q ; decryption-failure attacks; c (1) = m (1) + h (1) r (1) in Z =q . complicated padding systems; One way to exploit this: variations for efficiency; c (1) ; h (1) are visible; r (1) is parameter selection. guessable, sometimes standard. Also many ideas that in retrospect Attacker scans many ciphertexts were small tweaks of NTRU: to find some with large m (1). e.g., homomorphic encryption. Uses this to speed up m search.
12 13 Hoffstein–Pipher–Silverman Unnecessary structures in NTRU NTRU complicates duced this system. so that m Attacker can evaluate Limits impact subsequent NTRU papers: public polynomials h; c at 1. meet-in-the-middle attacks, Compatible with addition and attacks, hybrid attacks; multiplication mod x p − 1: chosen-ciphertext attacks; f (1) h (1) = 3 g (1) in Z =q ; decryption-failure attacks; c (1) = m (1) + h (1) r (1) in Z =q . complicated padding systems; One way to exploit this: riations for efficiency; c (1) ; h (1) are visible; r (1) is rameter selection. guessable, sometimes standard. many ideas that in retrospect Attacker scans many ciphertexts small tweaks of NTRU: to find some with large m (1). homomorphic encryption. Uses this to speed up m search.
12 13 –Pipher–Silverman Unnecessary structures in NTRU NTRU complicates system. so that m (1) is never Attacker can evaluate Limits impact of the subsequent NTRU papers: public polynomials h; c at 1. meet-in-the-middle attacks, Compatible with addition and hybrid attacks; multiplication mod x p − 1: chosen-ciphertext attacks; f (1) h (1) = 3 g (1) in Z =q ; decryption-failure attacks; c (1) = m (1) + h (1) r (1) in Z =q . padding systems; One way to exploit this: efficiency; c (1) ; h (1) are visible; r (1) is selection. guessable, sometimes standard. that in retrospect Attacker scans many ciphertexts ks of NTRU: to find some with large m (1). rphic encryption. Uses this to speed up m search.
12 13 –Pipher–Silverman Unnecessary structures in NTRU NTRU complicates m selection so that m (1) is never large. Attacker can evaluate Limits impact of the attack. papers: public polynomials h; c at 1. attacks, Compatible with addition and attacks; multiplication mod x p − 1: f (1) h (1) = 3 g (1) in Z =q ; c (1) = m (1) + h (1) r (1) in Z =q . systems; One way to exploit this: c (1) ; h (1) are visible; r (1) is guessable, sometimes standard. retrospect Attacker scans many ciphertexts NTRU: to find some with large m (1). encryption. Uses this to speed up m search.
13 14 Unnecessary structures in NTRU NTRU complicates m selection so that m (1) is never large. Attacker can evaluate Limits impact of the attack. public polynomials h; c at 1. Compatible with addition and multiplication mod x p − 1: f (1) h (1) = 3 g (1) in Z =q ; c (1) = m (1) + h (1) r (1) in Z =q . One way to exploit this: c (1) ; h (1) are visible; r (1) is guessable, sometimes standard. Attacker scans many ciphertexts to find some with large m (1). Uses this to speed up m search.
13 14 Unnecessary structures in NTRU NTRU complicates m selection so that m (1) is never large. Attacker can evaluate Limits impact of the attack. public polynomials h; c at 1. Better: replace NTRU’s Compatible with addition and Z [ x ] = ( x p − 1) with Z [ x ] = Φ p . multiplication mod x p − 1: Recall Φ p = ( x p − 1) = ( x − 1). f (1) h (1) = 3 g (1) in Z =q ; c (1) = m (1) + h (1) r (1) in Z =q . One way to exploit this: c (1) ; h (1) are visible; r (1) is guessable, sometimes standard. Attacker scans many ciphertexts to find some with large m (1). Uses this to speed up m search.
13 14 Unnecessary structures in NTRU NTRU complicates m selection so that m (1) is never large. Attacker can evaluate Limits impact of the attack. public polynomials h; c at 1. Better: replace NTRU’s Compatible with addition and Z [ x ] = ( x p − 1) with Z [ x ] = Φ p . multiplication mod x p − 1: Recall Φ p = ( x p − 1) = ( x − 1). f (1) h (1) = 3 g (1) in Z =q ; Can view poly m mod x p − 1 c (1) = m (1) + h (1) r (1) in Z =q . as two parts: m (1); m mod Φ p . One way to exploit this: Compatible with add, mult. c (1) ; h (1) are visible; r (1) is Why include m (1) here? guessable, sometimes standard. Doesn’t seem to help security. Attacker scans many ciphertexts to find some with large m (1). Uses this to speed up m search.
13 14 Unnecessary structures in NTRU NTRU complicates m selection so that m (1) is never large. Attacker can evaluate Limits impact of the attack. public polynomials h; c at 1. Better: replace NTRU’s Compatible with addition and Z [ x ] = ( x p − 1) with Z [ x ] = Φ p . multiplication mod x p − 1: Recall Φ p = ( x p − 1) = ( x − 1). f (1) h (1) = 3 g (1) in Z =q ; Can view poly m mod x p − 1 c (1) = m (1) + h (1) r (1) in Z =q . as two parts: m (1); m mod Φ p . One way to exploit this: Compatible with add, mult. c (1) ; h (1) are visible; r (1) is Why include m (1) here? guessable, sometimes standard. Doesn’t seem to help security. Attacker scans many ciphertexts to find some with large m (1). Or use other irreds. Ring-LWE typically uses Φ 2048 = x 1024 + 1. Uses this to speed up m search.
13 14 Unnecessary structures in NTRU NTRU complicates m selection More generally: so that m (1) is never large. any ring er can evaluate Limits impact of the attack. to the equations polynomials h; c at 1. and c = Better: replace NTRU’s Compatible with addition and Z [ x ] = ( x p − 1) with Z [ x ] = Φ p . multiplication mod x p − 1: Recall Φ p = ( x p − 1) = ( x − 1). (1) = 3 g (1) in Z =q ; Can view poly m mod x p − 1 m (1) + h (1) r (1) in Z =q . as two parts: m (1); m mod Φ p . ay to exploit this: Compatible with add, mult. (1) are visible; r (1) is Why include m (1) here? guessable, sometimes standard. Doesn’t seem to help security. er scans many ciphertexts some with large m (1). Or use other irreds. Ring-LWE typically uses Φ 2048 = x 1024 + 1. this to speed up m search.
13 14 structures in NTRU NTRU complicates m selection More generally: Attack so that m (1) is never large. any ring map ( Z =q evaluate Limits impact of the attack. to the equations h olynomials h; c at 1. and c = m + hr in Better: replace NTRU’s addition and Z [ x ] = ( x p − 1) with Z [ x ] = Φ p . mod x p − 1: Recall Φ p = ( x p − 1) = ( x − 1). (1) in Z =q ; Can view poly m mod x p − 1 (1) r (1) in Z =q . as two parts: m (1); m mod Φ p . exploit this: Compatible with add, mult. visible; r (1) is Why include m (1) here? sometimes standard. Doesn’t seem to help security. many ciphertexts with large m (1). Or use other irreds. Ring-LWE typically uses Φ 2048 = x 1024 + 1. eed up m search.
13 14 NTRU NTRU complicates m selection More generally: Attacker applies so that m (1) is never large. any ring map ( Z =q )[ x ] =P → Limits impact of the attack. to the equations h = 3 g=f 1. and c = m + hr in ( Z =q )[ x ] =P Better: replace NTRU’s and Z [ x ] = ( x p − 1) with Z [ x ] = Φ p . 1: Recall Φ p = ( x p − 1) = ( x − 1). Can view poly m mod x p − 1 Z =q . as two parts: m (1); m mod Φ p . Compatible with add, mult. is Why include m (1) here? standard. Doesn’t seem to help security. ciphertexts (1). Or use other irreds. Ring-LWE typically uses Φ 2048 = x 1024 + 1. search.
14 15 NTRU complicates m selection More generally: Attacker applies so that m (1) is never large. any ring map ( Z =q )[ x ] =P → T Limits impact of the attack. to the equations h = 3 g=f and c = m + hr in ( Z =q )[ x ] =P . Better: replace NTRU’s Z [ x ] = ( x p − 1) with Z [ x ] = Φ p . Recall Φ p = ( x p − 1) = ( x − 1). Can view poly m mod x p − 1 as two parts: m (1); m mod Φ p . Compatible with add, mult. Why include m (1) here? Doesn’t seem to help security. Or use other irreds. Ring-LWE typically uses Φ 2048 = x 1024 + 1.
14 15 NTRU complicates m selection More generally: Attacker applies so that m (1) is never large. any ring map ( Z =q )[ x ] =P → T Limits impact of the attack. to the equations h = 3 g=f and c = m + hr in ( Z =q )[ x ] =P . Better: replace NTRU’s Z [ x ] = ( x p − 1) with Z [ x ] = Φ p . e.g. typically q = 2048 in NTRU. Recall Φ p = ( x p − 1) = ( x − 1). Have natural ring maps from ( Z = 2048)[ x ] = ( x p − 1) to Can view poly m mod x p − 1 ( Z = 2)[ x ] = ( x p − 1), as two parts: m (1); m mod Φ p . ( Z = 4)[ x ] = ( x p − 1), Compatible with add, mult. ( Z = 8)[ x ] = ( x p − 1), etc. Why include m (1) here? Can attacker exploit these? Doesn’t seem to help security. Maybe. Complicated. See 2004 Or use other irreds. Ring-LWE Smart–Vercauteren–Silverman. typically uses Φ 2048 = x 1024 + 1.
14 15 complicates m selection More generally: Attacker applies Ring-LWE that m (1) is never large. any ring map ( Z =q )[ x ] =P → T “provable impact of the attack. to the equations h = 3 g=f q so that and c = m + hr in ( Z =q )[ x ] =P . Z [ x ] =q ; i.e., Better: replace NTRU’s maps ( Z x p − 1) with Z [ x ] = Φ p . e.g. typically q = 2048 in NTRU. Φ p = ( x p − 1) = ( x − 1). Have natural ring maps from ( Z = 2048)[ x ] = ( x p − 1) to view poly m mod x p − 1 ( Z = 2)[ x ] = ( x p − 1), parts: m (1); m mod Φ p . ( Z = 4)[ x ] = ( x p − 1), Compatible with add, mult. ( Z = 8)[ x ] = ( x p − 1), etc. include m (1) here? Can attacker exploit these? esn’t seem to help security. Maybe. Complicated. See 2004 other irreds. Ring-LWE Smart–Vercauteren–Silverman. ypically uses Φ 2048 = x 1024 + 1.
14 15 complicates m selection More generally: Attacker applies Ring-LWE religion, never large. any ring map ( Z =q )[ x ] =P → T “provable security”, the attack. to the equations h = 3 g=f q so that P splits and c = m + hr in ( Z =q )[ x ] =P . Z [ x ] =q ; i.e., have n NTRU’s maps ( Z =q )[ x ] =P with Z [ x ] = Φ p . e.g. typically q = 2048 in NTRU. − 1) = ( x − 1). Have natural ring maps from ( Z = 2048)[ x ] = ( x p − 1) to mod x p − 1 ( Z = 2)[ x ] = ( x p − 1), (1); m mod Φ p . ( Z = 4)[ x ] = ( x p − 1), add, mult. ( Z = 8)[ x ] = ( x p − 1), etc. (1) here? Can attacker exploit these? help security. Maybe. Complicated. See 2004 irreds. Ring-LWE Smart–Vercauteren–Silverman. 2048 = x 1024 + 1.
14 15 selection More generally: Attacker applies Ring-LWE religion, version 1: rge. any ring map ( Z =q )[ x ] =P → T “provable security”, take prime attack. to the equations h = 3 g=f q so that P splits completely and c = m + hr in ( Z =q )[ x ] =P . Z [ x ] =q ; i.e., have n different maps ( Z =q )[ x ] =P → Z =q . Φ p . e.g. typically q = 2048 in NTRU. 1). Have natural ring maps from ( Z = 2048)[ x ] = ( x p − 1) to − 1 ( Z = 2)[ x ] = ( x p − 1), d Φ p . ( Z = 4)[ x ] = ( x p − 1), mult. ( Z = 8)[ x ] = ( x p − 1), etc. Can attacker exploit these? security. Maybe. Complicated. See 2004 Ring-LWE Smart–Vercauteren–Silverman. 1024 + 1.
15 16 More generally: Attacker applies Ring-LWE religion, version 1: For any ring map ( Z =q )[ x ] =P → T “provable security”, take prime to the equations h = 3 g=f q so that P splits completely in and c = m + hr in ( Z =q )[ x ] =P . Z [ x ] =q ; i.e., have n different ring maps ( Z =q )[ x ] =P → Z =q . e.g. typically q = 2048 in NTRU. Have natural ring maps from ( Z = 2048)[ x ] = ( x p − 1) to ( Z = 2)[ x ] = ( x p − 1), ( Z = 4)[ x ] = ( x p − 1), ( Z = 8)[ x ] = ( x p − 1), etc. Can attacker exploit these? Maybe. Complicated. See 2004 Smart–Vercauteren–Silverman.
15 16 More generally: Attacker applies Ring-LWE religion, version 1: For any ring map ( Z =q )[ x ] =P → T “provable security”, take prime to the equations h = 3 g=f q so that P splits completely in and c = m + hr in ( Z =q )[ x ] =P . Z [ x ] =q ; i.e., have n different ring maps ( Z =q )[ x ] =P → Z =q . e.g. typically q = 2048 in NTRU. Have natural ring maps from Do these maps damage security? ( Z = 2048)[ x ] = ( x p − 1) to Fast attacks in some cases: 2014 ( Z = 2)[ x ] = ( x p − 1), Eisentr¨ ager–Hallgren–Lauter, 2015 ( Z = 4)[ x ] = ( x p − 1), Elias–Lauter–Ozman–Stange, ( Z = 8)[ x ] = ( x p − 1), etc. 2016 Chen–Lauter–Stange. Can attacker exploit these? Fast non- q -dependent attack Maybe. Complicated. See 2004 by 2016 Castryck–Iliashenko– Smart–Vercauteren–Silverman. Vercauteren breaks 2015 ELOS cases but not 2016 CLS cases.
15 16 generally: Attacker applies Ring-LWE religion, version 1: For Ring-LWE ring map ( Z =q )[ x ] =P → T “provable security”, take prime (2012 Langlois–Stehl equations h = 3 g=f q so that P splits completely in prove that = m + hr in ( Z =q )[ x ] =P . Z [ x ] =q ; i.e., have n different ring of the mo maps ( Z =q )[ x ] =P → Z =q . to the computational ypically q = 2048 in NTRU. of LWE and natural ring maps from Do these maps damage security? 2048)[ x ] = ( x p − 1) to Fast attacks in some cases: 2014 2)[ x ] = ( x p − 1), Eisentr¨ ager–Hallgren–Lauter, 2015 4)[ x ] = ( x p − 1), Elias–Lauter–Ozman–Stange, 8)[ x ] = ( x p − 1), etc. 2016 Chen–Lauter–Stange. attacker exploit these? Fast non- q -dependent attack e. Complicated. See 2004 by 2016 Castryck–Iliashenko– rt–Vercauteren–Silverman. Vercauteren breaks 2015 ELOS cases but not 2016 CLS cases.
15 16 Attacker applies Ring-LWE religion, version 1: For Ring-LWE religion, =q )[ x ] =P → T “provable security”, take prime (2012 Langlois–Stehl h = 3 g=f q so that P splits completely in prove that the arithmetic in ( Z =q )[ x ] =P . Z [ x ] =q ; i.e., have n different ring of the modulus q is maps ( Z =q )[ x ] =P → Z =q . to the computational 2048 in NTRU. of LWE and RLWE.” ing maps from Do these maps damage security? − 1) to Fast attacks in some cases: 2014 1), Eisentr¨ ager–Hallgren–Lauter, 2015 1), Elias–Lauter–Ozman–Stange, 1), etc. 2016 Chen–Lauter–Stange. exploit these? Fast non- q -dependent attack Complicated. See 2004 by 2016 Castryck–Iliashenko– ercauteren–Silverman. Vercauteren breaks 2015 ELOS cases but not 2016 CLS cases.
15 16 applies Ring-LWE religion, version 1: For Ring-LWE religion, version 2 → T “provable security”, take prime (2012 Langlois–Stehl´ e): “We q so that P splits completely in prove that the arithmetic form x ] =P . Z [ x ] =q ; i.e., have n different ring of the modulus q is irrelevant maps ( Z =q )[ x ] =P → Z =q . to the computational hardness NTRU. of LWE and RLWE.” from Do these maps damage security? Fast attacks in some cases: 2014 Eisentr¨ ager–Hallgren–Lauter, 2015 Elias–Lauter–Ozman–Stange, 2016 Chen–Lauter–Stange. these? Fast non- q -dependent attack 2004 by 2016 Castryck–Iliashenko– ercauteren–Silverman. Vercauteren breaks 2015 ELOS cases but not 2016 CLS cases.
16 17 Ring-LWE religion, version 1: For Ring-LWE religion, version 2 “provable security”, take prime (2012 Langlois–Stehl´ e): “We q so that P splits completely in prove that the arithmetic form Z [ x ] =q ; i.e., have n different ring of the modulus q is irrelevant maps ( Z =q )[ x ] =P → Z =q . to the computational hardness of LWE and RLWE.” Do these maps damage security? Fast attacks in some cases: 2014 Eisentr¨ ager–Hallgren–Lauter, 2015 Elias–Lauter–Ozman–Stange, 2016 Chen–Lauter–Stange. Fast non- q -dependent attack by 2016 Castryck–Iliashenko– Vercauteren breaks 2015 ELOS cases but not 2016 CLS cases.
16 17 Ring-LWE religion, version 1: For Ring-LWE religion, version 2 “provable security”, take prime (2012 Langlois–Stehl´ e): “We q so that P splits completely in prove that the arithmetic form Z [ x ] =q ; i.e., have n different ring of the modulus q is irrelevant maps ( Z =q )[ x ] =P → Z =q . to the computational hardness of LWE and RLWE.” Do these maps damage security? Fast attacks in some cases: 2014 Basic idea: “modulus switching” from Z =q to Z =q ′ . Attacker Eisentr¨ ager–Hallgren–Lauter, 2015 multiplies by q ′ =q and rounds. Elias–Lauter–Ozman–Stange, 2016 Chen–Lauter–Stange. Fast non- q -dependent attack by 2016 Castryck–Iliashenko– Vercauteren breaks 2015 ELOS cases but not 2016 CLS cases.
16 17 Ring-LWE religion, version 1: For Ring-LWE religion, version 2 “provable security”, take prime (2012 Langlois–Stehl´ e): “We q so that P splits completely in prove that the arithmetic form Z [ x ] =q ; i.e., have n different ring of the modulus q is irrelevant maps ( Z =q )[ x ] =P → Z =q . to the computational hardness of LWE and RLWE.” Do these maps damage security? Fast attacks in some cases: 2014 Basic idea: “modulus switching” from Z =q to Z =q ′ . Attacker Eisentr¨ ager–Hallgren–Lauter, 2015 multiplies by q ′ =q and rounds. Elias–Lauter–Ozman–Stange, 2016 Chen–Lauter–Stange. But rounding adds noise, Fast non- q -dependent attack making attacks harder! by 2016 Castryck–Iliashenko– The proof limits security gap Vercauteren breaks 2015 ELOS but does not eliminate it. cases but not 2016 CLS cases.
16 17 WE religion, version 1: For Ring-LWE religion, version 2 We recommend: rovable security”, take prime (2012 Langlois–Stehl´ e): “We that remains that P splits completely in prove that the arithmetic form i.e., choose ; i.e., have n different ring of the modulus q is irrelevant Field ( Z =q ( Z =q )[ x ] =P → Z =q . to the computational hardness to any smaller of LWE and RLWE.” these maps damage security? attacks in some cases: 2014 Basic idea: “modulus switching” from Z =q to Z =q ′ . Attacker Eisentr¨ ager–Hallgren–Lauter, 2015 multiplies by q ′ =q and rounds. Elias–Lauter–Ozman–Stange, Chen–Lauter–Stange. But rounding adds noise, non- q -dependent attack making attacks harder! 2016 Castryck–Iliashenko– The proof limits security gap ercauteren breaks 2015 ELOS but does not eliminate it. but not 2016 CLS cases.
16 17 religion, version 1: For Ring-LWE religion, version 2 We recommend: T ity”, take prime (2012 Langlois–Stehl´ e): “We that remains irred splits completely in prove that the arithmetic form i.e., choose inert mo e n different ring of the modulus q is irrelevant Field ( Z =q )[ x ] =P . =P → Z =q . to the computational hardness to any smaller nonzero of LWE and RLWE.” damage security? some cases: 2014 Basic idea: “modulus switching” from Z =q to Z =q ′ . Attacker ager–Hallgren–Lauter, 2015 multiplies by q ′ =q and rounds. Elias–Lauter–Ozman–Stange, Chen–Lauter–Stange. But rounding adds noise, endent attack making attacks harder! Castryck–Iliashenko– The proof limits security gap reaks 2015 ELOS but does not eliminate it. 2016 CLS cases.
16 17 1: For Ring-LWE religion, version 2 We recommend: Take irred P rime (2012 Langlois–Stehl´ e): “We that remains irred in ( Z =q )[ x completely in prove that the arithmetic form i.e., choose inert modulus q different ring of the modulus q is irrelevant Field ( Z =q )[ x ] =P . No ring map to the computational hardness to any smaller nonzero ring. of LWE and RLWE.” security? cases: 2014 Basic idea: “modulus switching” from Z =q to Z =q ′ . Attacker ager–Hallgren–Lauter, 2015 multiplies by q ′ =q and rounds. Elias–Lauter–Ozman–Stange, Chen–Lauter–Stange. But rounding adds noise, attack making attacks harder! Castryck–Iliashenko– The proof limits security gap ELOS but does not eliminate it. cases.
17 18 Ring-LWE religion, version 2 We recommend: Take irred P (2012 Langlois–Stehl´ e): “We that remains irred in ( Z =q )[ x ]; prove that the arithmetic form i.e., choose inert modulus q . of the modulus q is irrelevant Field ( Z =q )[ x ] =P . No ring map to the computational hardness to any smaller nonzero ring. of LWE and RLWE.” Basic idea: “modulus switching” from Z =q to Z =q ′ . Attacker multiplies by q ′ =q and rounds. But rounding adds noise, making attacks harder! The proof limits security gap but does not eliminate it.
17 18 Ring-LWE religion, version 2 We recommend: Take irred P (2012 Langlois–Stehl´ e): “We that remains irred in ( Z =q )[ x ]; prove that the arithmetic form i.e., choose inert modulus q . of the modulus q is irrelevant Field ( Z =q )[ x ] =P . No ring map to the computational hardness to any smaller nonzero ring. of LWE and RLWE.” So far this is compatible with Basic idea: “modulus switching” Ring-LWE religion, version 2. from Z =q to Z =q ′ . Attacker multiplies by q ′ =q and rounds. But rounding adds noise, making attacks harder! The proof limits security gap but does not eliminate it.
17 18 Ring-LWE religion, version 2 We recommend: Take irred P (2012 Langlois–Stehl´ e): “We that remains irred in ( Z =q )[ x ]; prove that the arithmetic form i.e., choose inert modulus q . of the modulus q is irrelevant Field ( Z =q )[ x ] =P . No ring map to the computational hardness to any smaller nonzero ring. of LWE and RLWE.” So far this is compatible with Basic idea: “modulus switching” Ring-LWE religion, version 2. from Z =q to Z =q ′ . Attacker But we also recommend heresy: multiplies by q ′ =q and rounds. take P with prime degree p But rounding adds noise, and with large Galois group , making attacks harder! specifically S p , size p !. The proof limits security gap Good example: P = x p − x − 1. but does not eliminate it.
17 18 WE religion, version 2 We recommend: Take irred P 2014.02, Langlois–Stehl´ e): “We that remains irred in ( Z =q )[ x ]; To eliminate that the arithmetic form i.e., choose inert modulus q . structures, modulus q is irrelevant of prime Field ( Z =q )[ x ] =P . No ring map computational hardness subfield is to any smaller nonzero ring. WE and RLWE.” polynomial So far this is compatible with very large idea: “modulus switching” Ring-LWE religion, version 2. the numb =q to Z =q ′ . Attacker having automo But we also recommend heresy: multiplies by q ′ =q and rounds. take P with prime degree p rounding adds noise, and with large Galois group , making attacks harder! specifically S p , size p !. roof limits security gap Good example: P = x p − x − 1. es not eliminate it.
17 18 religion, version 2 We recommend: Take irred P 2014.02, our 2nd announcement: Langlois–Stehl´ e): “We that remains irred in ( Z =q )[ x ]; To eliminate “worrisome” rithmetic form i.e., choose inert modulus q . structures, use “a q is irrelevant of prime degree, so Field ( Z =q )[ x ] =P . No ring map computational hardness subfield is Q ” and to any smaller nonzero ring. polynomial x p − x E.” So far this is compatible with very large Galois group, dulus switching” Ring-LWE religion, version 2. the number field is =q ′ . Attacker having automorphisms”. But we also recommend heresy: =q and rounds. take P with prime degree p adds noise, and with large Galois group , harder! specifically S p , size p !. security gap Good example: P = x p − x − 1. eliminate it.
17 18 2 We recommend: Take irred P 2014.02, our 2nd announcement: “We that remains irred in ( Z =q )[ x ]; To eliminate “worrisome” form i.e., choose inert modulus q . structures, use “a number field irrelevant of prime degree, so that the Field ( Z =q )[ x ] =P . No ring map rdness subfield is Q ” and “an irreducible to any smaller nonzero ring. polynomial x p − x − 1 with So far this is compatible with very large Galois group, so that switching” Ring-LWE religion, version 2. the number field is very far from er having automorphisms”. But we also recommend heresy: rounds. take P with prime degree p and with large Galois group , specifically S p , size p !. gap Good example: P = x p − x − 1.
18 19 We recommend: Take irred P 2014.02, our 2nd announcement: that remains irred in ( Z =q )[ x ]; To eliminate “worrisome” i.e., choose inert modulus q . structures, use “a number field of prime degree, so that the only Field ( Z =q )[ x ] =P . No ring map subfield is Q ” and “an irreducible to any smaller nonzero ring. polynomial x p − x − 1 with a So far this is compatible with very large Galois group, so that Ring-LWE religion, version 2. the number field is very far from having automorphisms”. But we also recommend heresy: take P with prime degree p and with large Galois group , specifically S p , size p !. Good example: P = x p − x − 1.
18 19 We recommend: Take irred P 2014.02, our 2nd announcement: that remains irred in ( Z =q )[ x ]; To eliminate “worrisome” i.e., choose inert modulus q . structures, use “a number field of prime degree, so that the only Field ( Z =q )[ x ] =P . No ring map subfield is Q ” and “an irreducible to any smaller nonzero ring. polynomial x p − x − 1 with a So far this is compatible with very large Galois group, so that Ring-LWE religion, version 2. the number field is very far from having automorphisms”. But we also recommend heresy: take P with prime degree p Subsequent attacks against and with large Galois group , several lattice-based systems specifically S p , size p !. have exploited these structures Good example: P = x p − x − 1. and have not been extended to our recommended rings.
18 19 recommend: Take irred P 2014.02, our 2nd announcement: 2014.10 remains irred in ( Z =q )[ x ]; To eliminate “worrisome” Shepherd choose inert modulus q . structures, use “a number field based system of prime degree, so that the only quantum Z =q )[ x ] =P . No ring map subfield is Q ” and “an irreducible smaller nonzero ring. polynomial x p − x − 1 with a this is compatible with very large Galois group, so that WE religion, version 2. the number field is very far from having automorphisms”. e also recommend heresy: with prime degree p Subsequent attacks against with large Galois group , several lattice-based systems ecifically S p , size p !. have exploited these structures example: P = x p − x − 1. and have not been extended to our recommended rings.
18 19 Take irred P 2014.02, our 2nd announcement: 2014.10 Campbell–Groves– irred in ( Z =q )[ x ]; To eliminate “worrisome” Shepherd describe inert modulus q . structures, use “a number field based system “Solilo of prime degree, so that the only quantum poly-time . No ring map subfield is Q ” and “an irreducible nonzero ring. polynomial x p − x − 1 with a compatible with very large Galois group, so that religion, version 2. the number field is very far from having automorphisms”. recommend heresy: rime degree p Subsequent attacks against Galois group , several lattice-based systems size p !. have exploited these structures P = x p − x − 1. and have not been extended to our recommended rings.
18 19 irred P 2014.02, our 2nd announcement: 2014.10 Campbell–Groves– )[ x ]; To eliminate “worrisome” Shepherd describe an ideal-lattice- dulus q . structures, use “a number field based system “Soliloquy”; claim of prime degree, so that the only quantum poly-time key recovery map subfield is Q ” and “an irreducible ring. polynomial x p − x − 1 with a with very large Galois group, so that 2. the number field is very far from having automorphisms”. heresy: degree p Subsequent attacks against group , several lattice-based systems have exploited these structures x − 1. and have not been extended to our recommended rings.
19 20 2014.02, our 2nd announcement: 2014.10 Campbell–Groves– To eliminate “worrisome” Shepherd describe an ideal-lattice- structures, use “a number field based system “Soliloquy”; claim of prime degree, so that the only quantum poly-time key recovery. subfield is Q ” and “an irreducible polynomial x p − x − 1 with a very large Galois group, so that the number field is very far from having automorphisms”. Subsequent attacks against several lattice-based systems have exploited these structures and have not been extended to our recommended rings.
19 20 2014.02, our 2nd announcement: 2014.10 Campbell–Groves– To eliminate “worrisome” Shepherd describe an ideal-lattice- structures, use “a number field based system “Soliloquy”; claim of prime degree, so that the only quantum poly-time key recovery. subfield is Q ” and “an irreducible 2010 Smart–Vercauteren system is polynomial x p − x − 1 with a practically identical to Soliloquy. very large Galois group, so that the number field is very far from having automorphisms”. Subsequent attacks against several lattice-based systems have exploited these structures and have not been extended to our recommended rings.
19 20 2014.02, our 2nd announcement: 2014.10 Campbell–Groves– To eliminate “worrisome” Shepherd describe an ideal-lattice- structures, use “a number field based system “Soliloquy”; claim of prime degree, so that the only quantum poly-time key recovery. subfield is Q ” and “an irreducible 2010 Smart–Vercauteren system is polynomial x p − x − 1 with a practically identical to Soliloquy. very large Galois group, so that 2009 Gentry system (simpler the number field is very far from version described at STOC) has having automorphisms”. the same key-recovery problem. Subsequent attacks against several lattice-based systems have exploited these structures and have not been extended to our recommended rings.
19 20 2014.02, our 2nd announcement: 2014.10 Campbell–Groves– To eliminate “worrisome” Shepherd describe an ideal-lattice- structures, use “a number field based system “Soliloquy”; claim of prime degree, so that the only quantum poly-time key recovery. subfield is Q ” and “an irreducible 2010 Smart–Vercauteren system is polynomial x p − x − 1 with a practically identical to Soliloquy. very large Galois group, so that 2009 Gentry system (simpler the number field is very far from version described at STOC) has having automorphisms”. the same key-recovery problem. Subsequent attacks against 2012 Garg–Gentry–Halevi several lattice-based systems multilinear maps have the have exploited these structures same key-recovery problem and have not been extended (and many other security issues). to our recommended rings.
19 20 2014.02, our 2nd announcement: 2014.10 Campbell–Groves– SV/Solilo eliminate “worrisome” Shepherd describe an ideal-lattice- k ≥ 1. Define structures, use “a number field based system “Soliloquy”; claim Public key: e degree, so that the only quantum poly-time key recovery. Secret key: subfield is Q ” and “an irreducible 2010 Smart–Vercauteren system is olynomial x p − x − 1 with a with g R practically identical to Soliloquy. i.e., short rge Galois group, so that 2009 Gentry system (simpler of the ideal number field is very far from version described at STOC) has automorphisms”. the same key-recovery problem. Subsequent attacks against 2012 Garg–Gentry–Halevi several lattice-based systems multilinear maps have the exploited these structures same key-recovery problem have not been extended (and many other security issues). recommended rings.
Recommend
More recommend