Cryptanalysis of the Paeng-Jung-Ha Cryptosystem from PKC 2003

Han, Demin; Kim, Myung–Hwan; Yeom, Yongjin

doi:10.1007/978-3-540-71677-8_8

Cited by 6 publications

(10 citation statements)

References 18 publications

(27 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For many parameters, the numerical gap given in [14] is much lower than what could be hoped from our predictions for LLL, but there is a simple explanation. The problem considered in [14] is actually much easier than a general Unique-SVP problem: it is the embedding of a CVP problem when we already know a nearly-orthogonal basis and the target vector is very close to the lattice. This implies that LLL only performs a size-reduction of the last basis vector, which immediately discloses the solution.…”

Section: The Ggh Challengescontrasting

confidence: 61%

“…This implies that LLL only performs a size-reduction of the last basis vector, which immediately discloses the solution. This also explains why the LLL running times of [14] were surprisingly low in high dimension.…”

Section: The Ggh Challengesmentioning

confidence: 91%

“…Recently, a weak instantiation of GGH was broken in [14], by solving Unique-SVP instances of polynomial gap using LLL up to at least dimension 1000. For many parameters, the numerical gap given in [14] is much lower than what could be hoped from our predictions for LLL, but there is a simple explanation. The problem considered in [14] is actually much easier than a general Unique-SVP problem: it is the embedding of a CVP problem when we already know a nearly-orthogonal basis and the target vector is very close to the lattice.…”

Section: The Ggh Challengesmentioning

confidence: 99%

“…Recently, a weak instantiation of GGH was broken in [14], by solving Unique-SVP instances of polynomial gap using LLL, up to at least dimension 1000. Surprisingly, for many parameters, the numerical gap of the instances solved in [14] is much lower than what could be hoped from our predictions for LLL. But there is an explanation.…”

Section: The Ggh Challengesmentioning

confidence: 99%

See 3 more Smart Citations

Predicting Lattice Reduction

Gama

Nguyêñ

Lecture Notes in Computer Science

290

301

View full text Add to dashboard Cite

Despite their popularity, lattice reduction algorithms remain mysterious cryptanalytical tools. Though it has been widely reported that they behave better than their proved worst-case theoretical bounds, no precise assessment has ever been given. Such an assessment would be very helpful to predict the behaviour of lattice-based attacks, as well as to select keysizes for lattice-based cryptosystems. The goal of this paper is to provide such an assessment, based on extensive experiments performed with the NTL library. The experiments suggest several conjectures on the worst case and the actual behaviour of lattice reduction algorithms. We believe the assessment might also help to design new reduction algorithms overcoming the limitations of current algorithms.The integer d is the dimension of the lattice L. A lattice has infinitely many bases, but some are more useful than others. The goal of lattice reduction is to find interesting lattice bases, such as bases consisting of reasonably short and almost orthogonal vectors.Lattice reduction is one of the few potentially hard problems currently in use in public-key cryptography (see [29,23] for surveys on lattice-based cryptosystems), with the unique property that some lattice-based cryptosystems [3,34,35,33,11] are based on worst-case assumptions. And the problem is well-known for its major applications in public-key cryptanalysis (see [29]): knapsack cryptosystems [32], RSA in special settings [7,5], DSA signatures in special settings [16,26], etc. One peculiarity is the existence of very efficient approximation algorithms, which can sometimes solve the exact problem. In practice, the most popular lattice reduction algorithms are: floating-point versions [37,27] of the LLL algorithm [20], the LLL algorithm with deep insertions [37], and the BKZ algorithms [37,38], which are all implemented in the NTL library [39].Although these algorithms are widely used, their performances remain mysterious in many ways: it is folklore that there is a gap between the theoretical N. Smart (Ed.): EUROCRYPT

show abstract

Section: The Ggh Challengescontrasting

confidence: 61%

Section: The Ggh Challengesmentioning

confidence: 91%

Section: The Ggh Challengesmentioning

confidence: 99%

Section: The Ggh Challengesmentioning

confidence: 99%

See 2 more Smart Citations

Predicting Lattice Reduction

Gama

Nguyêñ

Lecture Notes in Computer Science

290

301

View full text Add to dashboard Cite

show abstract

“…In 2003, Paeng, Jung and Ha [59] proposed to use some lattices built on a polynomial ring. However, in 2007, Han, Kim, and Yeom [32] used lattice reduction to cryptanalyze this scheme. Their attack can successfully recover the secret key even in a huge dimension (> 1000) and make the Paeng-Jung-Ha scheme [59] unusable.…”

Section: Cvp-based Cryptosystemsmentioning

confidence: 99%

Recursive Lattice Reduction

Plantard

Susilo

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Lattice reduction is known to be a very powerful tool in modern cryptanalysis. In the literature, there are many lattice reduction algorithms that have been proposed with various time complexity (from quadratic to subexponential). These algorithms can be utilized to find a short vector of a lattice with a small norm. Over time, shorter vector will be found by incorporating these methods. In this paper, we take a different approach by presenting a methodology that can be applied to any lattice reduction algorithms, with the implication that enables us to find a shorter vector (i.e. a smaller solution) while requiring shorter computation time. Instead of applying a lattice reduction algorithm to a complete lattice, we work on a sublattice with a smaller dimension chosen in the function of the lattice reduction algorithm that is being used. This way, the lattice reduction algorithm will be fully utilized and hence, it will produce a better solution. Furthermore, as the dimension of the lattice becomes smaller, the time complexity will be better. Hence, our methodology provides us with a new direction to build a lattice that is resistant to lattice reduction attacks. Moreover, based on this methodology, we also propose a recursive method for producing an optimal approach for lattice reduction with optimal computational time, regardless of the lattice reduction algorithm used. We evaluate our technique by applying it to break the lattice challenge 1 by producing the shortest vector known so far. Our results outperform the existing known results and hence, our results achieve the record in the lattice challenge problem.

show abstract