recovering short generators of principal ideals in
play

Recovering Short Generators of Principal Ideals in Cyclotomic Rings - PowerPoint PPT Presentation

Mar 08, 2024 •161 likes •770 views

Recovering Short Generators of Principal Ideals in Cyclotomic Rings L eo Ducas CWI, Amsterdam, The Netherlands Joint work with Ronald Cramer Chris Peikert Oded Regev Conference on Mathematics of Cryptography, August 2015, UC Irvine 1 1

  1. Recovering Short Generators of Principal Ideals in Cyclotomic Rings L´ eo Ducas CWI, Amsterdam, The Netherlands Joint work with Ronald Cramer Chris Peikert Oded Regev Conference on Mathematics of Cryptography, August 2015, UC Irvine 1 1 Slides revised on Sept. 7, 2015. L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 1 / 30

  2. Recovering Short Generators for Cryptanalysis A few cryptosystems (Fully Homomorphic Encryption [Smart and Vercauteren, 2010] and Multilinear Maps [Garg et al., 2013, Langlois et al., 2014]) share this KeyGen : sk Choose a short g in some ring R as a private key pk Give a bad Z -basis B of the ideal ( g ) as a public key (e.g. HNF). Cryptanalysis in two steps (Key Recovery Attack) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 2 / 30

  3. Recovering Short Generators for Cryptanalysis A few cryptosystems (Fully Homomorphic Encryption [Smart and Vercauteren, 2010] and Multilinear Maps [Garg et al., 2013, Langlois et al., 2014]) share this KeyGen : sk Choose a short g in some ring R as a private key pk Give a bad Z -basis B of the ideal ( g ) as a public key (e.g. HNF). Cryptanalysis in two steps (Key Recovery Attack) 1 Principal Ideal Problem (PIP) ◮ Given a Z -basis B of a principal ideal I , ◮ Recover some generator h (i.e. I = ( h )) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 2 / 30

  4. Recovering Short Generators for Cryptanalysis A few cryptosystems (Fully Homomorphic Encryption [Smart and Vercauteren, 2010] and Multilinear Maps [Garg et al., 2013, Langlois et al., 2014]) share this KeyGen : sk Choose a short g in some ring R as a private key pk Give a bad Z -basis B of the ideal ( g ) as a public key (e.g. HNF). Cryptanalysis in two steps (Key Recovery Attack) 1 Principal Ideal Problem (PIP) ◮ Given a Z -basis B of a principal ideal I , ◮ Recover some generator h (i.e. I = ( h )) 2 Short Generator Problem ◮ Given an arbitrary generator h ∈ R of I ◮ Recover g (or some g ′ equivalently short) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 2 / 30

  5. Cost of those two steps 1 Principal Ideal Problem ( PIP ) ◮ sub-exponential time (2 ˜ O ( n 2 / 3 ) ) classical algorithm [Biasse and Fieker, 2014, Biasse, 2014]. ◮ progress toward quantum polynomial time algorithm [Eisentr¨ ager et al., 2014, Biasse and Song, 2015b, Campbell et al., 2014, Biasse and Song, 2015a]. 2 Short Generator Problem ◮ equivalent to the CVP in the log-unit lattice ◮ becomes a BDD problem in the crypto cases. ◮ claimed to be easy [Campbell et al., 2014] in the cyclotomic case m = 2 k ◮ confirmed by experiments [Schank, 2015] This Work [Cramer et al., 2015] 2 , and prove it can be solved in classical polynomial We focus on step time for the aforementioned cryptanalytic instances, when the ring R is the ring of integers of the cyclotomic number field K = Q ( ζ m ) for m = p k . L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 3 / 30

  6. Overview Introduction 1 Preliminary 2 Geometry of Cyclotomic Units 3 Shortness of Log g 4 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 4 / 30

  7. The Logarithmic Embedding Let K be a number field of degree n , σ 1 . . . σ n : K �→ C be its embeddings, and let R be its ring of integers. The logarithmic Embedding is defined as Log : K → R n x �→ (log | σ 1 ( x ) | , . . . , log | σ n ( x ) | ) It induces ◮ a group morphism from ( K \ { 0 } , · ) to ( R n , +) ◮ a monoid morphism from ( R \ { 0 } , · ) to ( R n , +) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 5 / 30

  8. The Unit Group Let R × denotes the multiplicative group of units of R . Let Λ = Log R × . By Dirichlet Unit Theorem ◮ the kernel of Log is the cyclic group T of roots of unity of R ◮ Λ ⊂ R n is an lattice of rank r + c − 1 (where K has r real embeddings and 2 c complex embeddings) L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 6 / 30

  9. The Unit Group Let R × denotes the multiplicative group of units of R . Let Λ = Log R × . By Dirichlet Unit Theorem ◮ the kernel of Log is the cyclic group T of roots of unity of R ◮ Λ ⊂ R n is an lattice of rank r + c − 1 (where K has r real embeddings and 2 c complex embeddings) Reduction to CVP Elements g , h ∈ R generate the same ideal if and only if h = g · u for some unit u ∈ R × . In particular Log g ∈ Log h + Λ . and g is the “smallest” generator iff Log u ∈ Λ is a vector “closest” to Log h . L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 6 / 30

  10. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 2 1 1 0 1 p 1 + 2 − 1 p 2 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  11. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 2 1 1 0 1 p 1 + 2 − 1 p 2 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  12. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 ◮ component-wise multiplication 2 1 1 0 1 p 1 + 2 − 1 p 2 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  13. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 ◮ component-wise multiplication 2 1 1 ◮ Symmetries induced by ◮ mult. by − 1 0 1 p √ √ 1 + 2 ◮ conjugation 2 �→ − 2 − 1 p 2 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  14. √ → R 2 Example: Embedding Z [ 2] ֒ √ √ ◮ x -axis: a + b 2 �→ a + b 2 √ √ ◮ y -axis: a + b 2 �→ a − b 2 ◮ component-wise multiplication 2 1 1 ◮ Symmetries induced by ◮ mult. by − 1 0 1 p √ √ 1 + 2 ◮ conjugation 2 �→ − 2 − 1 p 2 � “Orthogonal” elements � Units (algebraic norm 1) � “Isonorms” curves L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 7 / 30

  15. √ Example: Logarithmic Embedding Log Z [ 2] ( {•} , +) is a sub-monoid of R 2 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 8 / 30

  16. √ Example: Logarithmic Embedding Log Z [ 2] Λ =( {•} , +) ∩ � is a lattice of R 2 , orthogonal to (1 , 1) 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 8 / 30

  17. √ Example: Logarithmic Embedding Log Z [ 2] {•} ∩ � are shifted finite copies of Λ 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 8 / 30

  18. √ Example: Logarithmic Embedding Log Z [ 2] √ Some {•} ∩ � may be empty (e.g. no elements of Norm 3 in Z [ 2]) 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 8 / 30

  19. √ 2] × Reduction modulo Λ = Log Z [ The reduction modΛ for various fundamental domains. 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 9 / 30

  20. √ 2] × Reduction modulo Λ = Log Z [ The reduction modΛ for various fundamental domains. 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 9 / 30

  21. √ 2] × Reduction modulo Λ = Log Z [ The reduction modΛ for various fundamental domains. 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 9 / 30

  22. √ 2] × Reduction modulo Λ = Log Z [ The reduction modΛ for various fundamental domains. 1 1 L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 9 / 30

  23. Decoding with the RoundOff algorithm The simplest algorithm [Babai, 1986] to reduce modulo a lattice RoundOff ( B , t ), B a Z -basis of Λ v = B · ⌊ ( B ∨ ) ⊤ · t ⌉ e = t − v return ( t , e ) where t ∈ B Used as a d ecoding algorithm, its correctness is characterized by the error e and the dual basis B ∨ . Fact(Correctness of RoundOff ) j , e � ∈ [ − 1 2 , 1 let t = v + e for some v ∈ Λ. If � b ∨ 2 ) for all j , then RoundOff ( B , t ) = ( v , e ) . L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 10 / 30

  24. RoundOff in pictures t t RoundOff algorithm : L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 11 / 30

  25. RoundOff in pictures t ′ × ( B ∨ ) t t t − → RoundOff algorithm : 1 use basis B to switch to the lattice Z n ( × ( B ∨ ) t ) t ′ = ( B ∨ ) t · t ; L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 11 / 30

  26. RoundOff in pictures t ′ × ( B ∨ ) t t t v ′ − → RoundOff algorithm : 1 use basis B to switch to the lattice Z n ( × ( B ∨ ) t ) 2 Round each coordinate t ′ = ( B ∨ ) t · t ; v ′ = ⌊ t ′ ⌉ ; L´ eo Ducas (CWI, Amsterdam) Recovering Short Generators UC Irvine, August 2015 11 / 30

Recommend

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, L eo Ducas,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, L eo Ducas,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, L eo Ducas, Chris Peikert , Oded Regev 9 July 2015 Simons Institute Workshop on Math of Modern Crypto 1 / 15 Short Generators of Ideals in Cryptography A

688 views • 43 slides
Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor p q

Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor p q

Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor p q Patrick Holzer, Thomas Wunderer, Johannes Buchmann Recovering Short Generators | Thomas Wunderer | 1 Contents Introduction Preliminaries Algorithmic

488 views • 30 slides
Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert

Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert

Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert University of Michigan and Georgia Tech 2 September 2015 Math of Crypto @ UC Irvine 1 / 7 Where We Left Off Short Generator of a Principal Ideal

418 views • 23 slides
Recovering Short Generators of Principal Ideals in Cyclotomic Rings L eo Ducas CWI,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings L eo Ducas CWI,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings L eo Ducas CWI, Amsterdam, The Netherlands Joint work with Ronald Cramer Chris Peikert Oded Regev Presented at ICERM, Brown University, April 2015 L eo Ducas (CWI,

765 views • 58 slides
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer L eo Ducas

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer L eo Ducas

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer L eo Ducas Chris Peikert Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of Michigan, USA New-York University,

699 views • 34 slides
Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal

Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal

Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de Valence & Tanja Lange

461 views • 44 slides
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein

Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein

Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry de Valence & Tanja Lange &

553 views • 41 slides
Cormac Mc Carthy, Access Planning, EirGrid Liaison Group November 2013 EirGrid Short Circuit

Cormac Mc Carthy, Access Planning, EirGrid Liaison Group November 2013 EirGrid Short Circuit

Short Circuit Cormac Mc Carthy, Access Planning, EirGrid Liaison Group November 2013 EirGrid Short Circuit Review Can generators safely connect? Prioritise and sequence short circuit reinforcements Small generators, large lists of

622 views • 23 slides
Perfect sets and f -ideals Introduction Perfect sets and f -ideals of degree d Author Jin Guo (

Perfect sets and f -ideals Introduction Perfect sets and f -ideals of degree d Author Jin Guo (

Perfect sets and f -ideals Jin Guo Outline Perfect sets and f -ideals Introduction Perfect sets and f -ideals of degree d Author Jin Guo ( n, 2) th perfect number (This is a joint work with professor Tongsuo Wu) Structure of V ( n, 2)

2.01k views • 154 slides
Factorizations of ideals in noncommutative rings similar to factorizations of ideals in

Factorizations of ideals in noncommutative rings similar to factorizations of ideals in

Factorizations of ideals in noncommutative rings similar to factorizations of ideals in commutative Dedekind domains Alberto Facchini Universit` a di Padova Conference on Rings and Factorizations Graz, 21 February 2018 Dedekind domains

960 views • 71 slides
Recovering System Capacity Costs: Generation and Transmission Presentation to the CPUC Rates

Recovering System Capacity Costs: Generation and Transmission Presentation to the CPUC Rates

Recovering System Capacity Costs: Generation and Transmission Presentation to the CPUC Rates Forum Tom Beach Principal Consultant Crossborder Energy December 11, 2017 Noncoincident and Monthly Demand Charges Are (Mostly) a Relic of Obsolete

218 views • 5 slides
Micro Power Generators Sung Park Kelvin Yuk ECS 203 Overview Why Micro Power Generators are

Micro Power Generators Sung Park Kelvin Yuk ECS 203 Overview Why Micro Power Generators are

Micro Power Generators Sung Park Kelvin Yuk ECS 203 Overview Why Micro Power Generators are becoming important Types of Micro Power Generators Power Generators Reviewed Ambient Vibrational energy Radiant heat energy

445 views • 19 slides
Polynomial ideals associated to combinatorial objects William J. Martin Department of

Polynomial ideals associated to combinatorial objects William J. Martin Department of

Homotopy in Distance-Regular Graphs Ideals of Designs Spherical Codes Association Schemes and Duality Polynomial ideals associated to combinatorial objects William J. Martin Department of Mathematical Sciences and Department of Computer

1.1k views • 84 slides
Hort Update - Assessing and Recovering from Winter-kill of Bermudagrass in Oklahoma Dennis

Hort Update - Assessing and Recovering from Winter-kill of Bermudagrass in Oklahoma Dennis

The Short Version Feb 2014 Hort Update - Assessing and Recovering from Winter-kill of Bermudagrass in Oklahoma Dennis Martin, PhD Professor & Turfgrass Specialist Oklahoma State University The winter of 2013/2014 had extreme

855 views • 52 slides
Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William M. Hoza 1 Chris Umans 2 October 10, 2016 Dagstuhl Seminar 16411 1 University of Texas at Austin 2 California Institute of Technology ?

1.67k views • 130 slides
Documentation Generators Steven J Zeil March 3, 2013 Documentation Generators Outline

Documentation Generators Steven J Zeil March 3, 2013 Documentation Generators Outline

Documentation Generators Documentation Generators Steven J Zeil March 3, 2013 Documentation Generators Outline Source Code (API) Documentation 1 javadoc doxygen Other Tools Project Reports 2 Project Websites 3

435 views • 21 slides
National Generators Forum NGF Sponsored Rule changes Information provisions Alex Cruickshank

National Generators Forum NGF Sponsored Rule changes Information provisions Alex Cruickshank

National Generators Forum NGF Sponsored Rule changes Information provisions Alex Cruickshank Chairman, Markets Working Group National Generators Forum NGF National Generators Forum Directly represents 21 major power generators in the

206 views • 5 slides
Binomial edge ideals and determinantal facet ideals Sara Saeedi Madani (joint with J. Herzog and

Binomial edge ideals and determinantal facet ideals Sara Saeedi Madani (joint with J. Herzog and

Binomial edge ideals and determinantal facet ideals Sara Saeedi Madani (joint with J. Herzog and D. Kiani) Universit at Osnabr uck October 2015 Sara Saeedi Madani (joint with J. Herzog and D. Kiani) Binomial edge ideals and

839 views • 68 slides
Is the ozone layer Is the ozone layer recovering ? recovering ? Johannes Staehelin Institute

Is the ozone layer Is the ozone layer recovering ? recovering ? Johannes Staehelin Institute

Is the ozone layer Is the ozone layer recovering ? recovering ? Johannes Staehelin Institute for Atmospheric and Climate Institute for Atmospheric and Climate Science (IACETH), Swiss Federal Institute of Technology Zrich (ETHZ) gy ( )

509 views • 27 slides
Conductor ideals of affine monoids and K -theory Joseph Gubeladze San Francisco State University

Conductor ideals of affine monoids and K -theory Joseph Gubeladze San Francisco State University

Conductor ideals of affine monoids and K -theory Joseph Gubeladze San Francisco State University AMS Special Session: Combinatorial Ideals and Applications Fargo, 2016 Outline Frobenius number of a numerical semigroup Affine monoid,

644 views • 47 slides
Convex incidences, neuroscience, and ideals Mohamed Omar (joint w/ R. Amzi Jeffs) Combinatorial

Convex incidences, neuroscience, and ideals Mohamed Omar (joint w/ R. Amzi Jeffs) Combinatorial

Convex incidences, neuroscience, and ideals Mohamed Omar (joint w/ R. Amzi Jeffs) Combinatorial Ideals & Applications AMS Spring Central Sectional Meeting Apr 16, 2016 Mohamed Omar (joint w/ R. Amzi Jeffs) Combinatorial Ideals &

650 views • 53 slides
Patterns of ideals of numerical semigroups Klara Stokes AMS Sectional Meeting Special Session

Patterns of ideals of numerical semigroups Klara Stokes AMS Sectional Meeting Special Session

Patterns of ideals of numerical semigroups Klara Stokes AMS Sectional Meeting Special Session on Factorization and Arithmetic Properties of Integral Domains and Monoids March 24, 2019 Table of Contents Introduction 1 Patterns of ideals of

1.01k views • 62 slides
Ideals and Algebras defined by Isotone Maps between Posets J urgen Herzog Universit at

Ideals and Algebras defined by Isotone Maps between Posets J urgen Herzog Universit at

Ideals and Algebras defined by Isotone Maps between Posets J urgen Herzog Universit at Duisburg-Essen IPM, Tehran November 12, 2015 Outline Hibi rings The category of posets and ideals attached to graphs of isotone maps Alexander

906 views • 67 slides
Decompositions of Binomial Ideals Laura Felicia Matusevich Texas A&M University AMS Spring

Decompositions of Binomial Ideals Laura Felicia Matusevich Texas A&M University AMS Spring

Decompositions of Binomial Ideals Laura Felicia Matusevich Texas A&M University AMS Spring Central Sectional Meeting, April 17, 2016 Polynomial Ideals k the polynomial ring over a field k .

456 views • 24 slides

More recommend