Computing Generator in Cyclotomic Integer Rings

Biasse, Jean‐François; Espitau, Thomas; Fouque, Pierre-Alain; Gélin, Alexandre; Kirchner, Paul

doi:10.1007/978-3-319-56620-7_3

Cited by 20 publications

(10 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This ensures statistical closeness to the desired distribution up to exp(−n 2ε ). Considering that there are already classical attacks in time exp(Õ( √ n)) (namely, using [6,14] to recover h from the ideal hR), one may just choose ε = 1/4.…”

Section: Sampling Methodsmentioning

confidence: 99%

“…We call v the level of the encoding. 6 We abuse notation by saying that u is an encoding of a (instead of an encoding of the coset a + I).…”

Section: The Ggh13 Multilinear Mapmentioning

confidence: 99%

“…Orthogonally, it has been discovered that solving over-stretched versions of the NTRU problem (whose intractability is necessary for the security of the GGH MMap) was significantly easier than previously thought, due to the presence of an unusually dense sublattice [1,12,26], yet this can be compensated at the cost of increasing parameters. Also, due to recent algorithms for the Principal Ideal Problem [6,7] and Short generator recovery [10,14], the GGH MMap can be broken 1 in quantum polynomial time, and classical subexponential time exp(Õ( √ n)), where n is the dimension of the used ring. Nevertheless, this candidate MMap was still considered in a weaker form, 2 to attempt realizing indistinguishability obfuscation (or, for short, iO).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On the Statistical Leak of the GGH13 Multilinear Map and Some Variants

Ducas

Pellet-Mary

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

At EUROCRYPT 2013, Garg, Gentry and Halevi proposed a candidate construction (later referred as GGH13) of cryptographic multilinear map (MMap). Despite weaknesses uncovered by Hu and Jia (EURO-CRYPT 2016), this candidate is still used for designing obfuscators. The naive version of the GGH13 scheme was deemed susceptible to averaging attacks, i.e., it could suffer from a statistical leak (yet no precise attack was described). A variant was therefore devised, but it remains heuristic. Recently, to obtain MMaps with low noise and modulus, two variants of this countermeasure were developed by Döttling et al. (EPRINT:2016/599). In this work, we propose a systematic study of this statistical leakage for all these GGH13 variants. In particular, we confirm the weakness of the naive version of GGH13. We also show that, among the two variants proposed by Döttling et al., the so-called conservative method is not so effective: it leaks the same value as the unprotected method. Luckily, the leakage is more noisy than in the unprotected method, making the straightforward attack unsuccessful. Additionally, we note that all the other methods also leak values correlated with secrets. As a conclusion, we propose yet another countermeasure, for which this leakage is made unrelated to all secrets. On our way, we also make explicit and tighten the hidden exponents in the size of the parameters, as an effort to assess and improve the efficiency of MMaps.

show abstract

Section: Sampling Methodsmentioning

confidence: 99%

“…We call v the level of the encoding. 6 We abuse notation by saying that u is an encoding of a (instead of an encoding of the coset a + I).…”

Section: The Ggh13 Multilinear Mapmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On the Statistical Leak of the GGH13 Multilinear Map and Some Variants

Ducas

Pellet-Mary

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…One such application is the object of another work in progress. Namely, we note that many algorithms [5,4,8] rely on nding elements a in an ideal I such that aI −1 is easy to factor (e.g. prime, near-prime, or B-smooth).…”

Section: Related Workmentioning

confidence: 99%

Random Self-reducibility of Ideal-SVP via Arakelov Random Walks

Boer

Ducas

Pellet-Mary

et al. 2020

Advances in Cryptology – CRYPTO 2020

View full text Add to dashboard Cite

Fixing a number eld, the space of all ideal lattices, up to isometry, is naturally an abelian group, called the Arakelov class group. This fact, well known to number theorists, has so far not been explicitly used in the literature on lattice-based cryptography. Remarkably, the Arakelov class group is a combination of two groups that have already led to signicant cryptanalytic advances: the class group and the unit torus. In the present article, we show that the Arakelov class group has more to oer. We start with the development of a new versatile tool: we prove that, subject to the Riemann Hypothesis for Hecke Lfunctions, certain random walks on the Arakelov class group have a rapid mixing property. We then exploit this result to relate the average-case and the worst-case of the Shortest Vector Problem in ideal lattices. Our reduction appears particularly sharp: for Hermite-SVP in ideal lattices of certain cyclotomic number elds, it loses no more than aÕ(√ n) factor on the Hermite approximation factor. Furthermore, we suggest that this rapid-mixing theorem should nd other applications in cryptography and in algorithmic number theory.

show abstract

“…This is the stage that uses quantum computation. The best known pre-quantum attacks (see, e.g., [11]) reuse ideas from NFS, the number-field sieve for integer factorization, and take time exponential in N c+o (1) for a real number c with 0 < c < 1 where N is the field degree. If N is chosen as an appropriate power of the target security level then the pre-quantum attacks take time exponential in the target security level, but the Biasse-Song attack takes time polynomial in the target security level.…”

Section: Introductionmentioning

confidence: 99%

Advances in Cryptology – EUROCRYPT 2017

Bauch

Bernstein

Valence

et al. 2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. A binary stream cipher, known as A5, consisting of three short LFSRs of total length 64 that are mutually clocked in the stop/go manner is cryptanalyzed. It is allegedly used in the GSM standard for digital cellular mobile telephones. Very short keystream sequences are generated from different initial states obtained by combining a 64-bit secret session key and a known 22-bit public key. A basic divide-and-conquer attack recovering the unknown initial state from a known keystream sequence is first introduced. It exploits the specific clocking rule used and has average computational complexity around 2 40 . A time-memory trade-off attack based on the birthday paradox which yields the unknown internal state at a known time for a known keystream sequence is then pointed out. The attack is successful if T · M > 2 63.32 where T and M are the required computational time and memory (in 128-bit words), respectively. The precomputation time is O(M) and the required number of known keystream sequences generated from different public keys is about T/102. For example, one can choose T ~ 2 27.67 and M ~ 2 35.65 . To obtain the secret session key from the determined internal state, a so-called internal state reversion attack is proposed and analyzed by the theory of critical and subcritical branching processes. Document Classification unclassified Classification of SF298 unclassified Classification of Abstract unclassified Limitation of Abstract unlimited Number of Pages 21 REPORT DOCUMENTATION PAGE Form Approved OMB No. 074-0188Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to

show abstract

Computing Generator in Cyclotomic Integer Rings

Cited by 20 publications

References 36 publications

On the Statistical Leak of the GGH13 Multilinear Map and Some Variants

On the Statistical Leak of the GGH13 Multilinear Map and Some Variants

Random Self-reducibility of Ideal-SVP via Arakelov Random Walks

Advances in Cryptology – EUROCRYPT 2017

Contact Info

Product

Resources

About