Slide transcript (cr.yp.to, 2016. 7. 19.)
1
NTRU Prime
Daniel J. Bernstein
University of Illinois at Chicago &
Technische Universiteit Eindhoven
cr.yp.to/papers.html
#ntruprime is joint work with:
Chitchanok Chuengsatiansup
Tanja Lange
Christine van Vredendaal
Technische Universiteit Eindhoven
Focus of this talk: motivation.
2
Can we predict future attacks?
1996 Dobbertin–Bosselaers–Preneel “RIPEMD-160: a strengthened version of RIPEMD”: “It is anticipated that these techniques can be used to produce collisions for MD5 and perhaps also for RIPEMD. This will probably require an additional effort, but it no longer seems as far away as it was a year ago.”
1996 Robshaw: Collisions “should be expected”; upgrade “when practical and convenient”.
3
Imagine someone responding: “This is completely out of line. The attack by Dobbertin does not break any normal usage of MD5, so what exactly is the point of preventing it? This speculation about MD5 collisions is controversial and non-scientific, and creates confusion on the state of the art. Recommending alternative hash functions is at the very least quite premature.”
Clearly not a real cryptographer.
Maybe a standards organization.
4
Now imagine a religious fanatic saying that all of these functions are worse than “provably secure” cryptographic hash functions.
1991 “provably secure” example, Chaum–van Heijst–Pfitzmann: Choose p sensibly. Define C(x, y) = 4^x · 9^y mod p for suitable ranges of x and y.
Simple, beautiful, structured.
Very easy security reduction: finding a C collision implies computing a discrete logarithm.
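Added example, not code from the talk: a toy instantiation of the CvHP compression function on this slide, with the “collision implies discrete logarithm” reduction worked out in both directions. The concrete choices are assumptions made here, not from the slides: p = 2039 = 2·1019 + 1 (a safe prime small enough to brute-force), inputs x, y in the range {0, …, q−1} with q = (p−1)/2, and all function names.

```python
"""Toy Chaum-van Heijst-Pfitzmann compression function C(x, y) = 4^x * 9^y mod p
and the collision-to-discrete-log reduction the slide refers to.
Constructed educational example; parameters and names are assumptions, not
from the talk. With p = 2q + 1 a safe prime, 4 = 2^2 and 9 = 3^2 are squares
mod p, so both lie in the subgroup of prime order q and each generates it."""

P = 2039            # toy safe prime: P = 2*Q + 1 with Q prime (assumption)
Q = (P - 1) // 2    # 1019; exponents live in 0..Q-1 (assumed "suitable range")


def cvhp(x, y):
    """C(x, y) = 4^x * 9^y mod P for 0 <= x, y < Q."""
    if not (0 <= x < Q and 0 <= y < Q):
        raise ValueError("inputs must lie in the range 0..Q-1")
    return (pow(4, x, P) * pow(9, y, P)) % P


def brute_force_dlog(base, target):
    """Exhaustive discrete log in the order-Q subgroup; feasible only because
    the toy parameters are tiny. Returns e with base^e = target mod P."""
    acc = 1
    for e in range(Q):
        if acc == target:
            return e
        acc = (acc * base) % P
    raise ValueError("target is not in the subgroup generated by base")


def make_collision(a, x1, y1, k):
    """Direction 1 of the equivalence: knowing a = log_4(9) mod P gives
    collisions for free. 4^(x1 + a*k) * 9^(y1 - k) = 4^x1 * 9^y1 * (4^a / 9)^k
    and 4^a / 9 = 1, so (x2, y2) hashes to the same value as (x1, y1)."""
    return ((x1 + a * k) % Q, (y1 - k) % Q)


def dlog_from_collision(x1, y1, x2, y2):
    """Direction 2, the slide's reduction: any collision of C yields log_4(9).
    From 4^x1 * 9^y1 = 4^x2 * 9^y2 we get 4^(x1 - x2) = 9^(y2 - y1), hence
    a = (x1 - x2) * (y2 - y1)^-1 mod Q satisfies 4^a = 9."""
    if (x1, y1) == (x2, y2) or cvhp(x1, y1) != cvhp(x2, y2):
        raise ValueError("not a collision")
    dy = (y2 - y1) % Q
    if dy == 0:
        # would mean 4^(x1 - x2) = 1 with 0 < |x1 - x2| < Q; impossible since
        # 4 has order exactly Q, so a genuine collision never lands here
        raise ValueError("impossible for a genuine collision")
    a = ((x1 - x2) * pow(dy, -1, Q)) % Q
    assert pow(4, a, P) == 9  # sanity check on the recovered logarithm
    return a


if __name__ == "__main__":
    a = brute_force_dlog(4, 9)
    x2, y2 = make_collision(a, 123, 456, 7)
    print("log_4(9) mod p =", a)
    print("C(123, 456) =", cvhp(123, 456), " C(%d, %d) =" % (x2, y2), cvhp(x2, y2))
    print("recovered from the collision:", dlog_from_collision(123, 456, x2, y2))
```

The two functions make the slide's point concrete: the reduction is genuinely tight, so every advance in computing discrete logarithms mod p (the index-calculus and NFS line on the next slide, and Shor) translates directly into collisions, which is why a “provably secure” design can still have a worse security record than unstructured compression functions.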
5
CvHP is very bad cryptography. Horrible security for its speed. Far worse security record than standard “unstructured” compression-function designs.
Security losses in C include
1922 Kraitchik (index calculus);
1986 Coppersmith–Odlyzko–Schroeppel (NFS predecessor);
1993 Gordon (general DL NFS);
1993 Schirokauer (faster NFS);
1994 Shor (quantum poly time).
Imagine someone in 1991 saying “DL security is well understood”.
6
We still use discrete logs for pre-quantum public-key crypto. Which DL groups are best?
1986 Miller proposes ECC. Gives detailed arguments that index calculus “is not likely to work on elliptic curves.”
1997 Rivest: “Over time, this may change, but for now trying to get an evaluation of the security of an elliptic-curve cryptosystem is a bit like trying to get an evaluation of some recently discovered Chaldean poetry.”
7
Are RSA, DSA, etc. less scary?
These systems have structure enabling attacks such as NFS. Many optimization avenues. Attacks keep getting better. >100 scientific papers. Still many unexplored avenues.
How many people understand the state of the art?
Recurring themes in attacks:
factorizations of ring elements;
ring automorphisms; subfields;
extending applicability (even to
some curves!) via group maps.
8
Which ECC fields do we use?
2005 Bernstein: prime fields
“have the virtue of minimizing
the number of security concerns
for elliptic-curve cryptography.”
2005 ECRYPT key-sizes report:
“Some general concerns
exist about possible future
attacks … As a first choice, we
recommend curves over prime
fields.” No extra automorphisms.
Imagine a response: “That’s
premature! E(F_{2^n}) isn’t broken!”
9
Last example: 2013 Garg–Gentry–
Halevi–Raykova–Sahai–Waters
“Candidate indistinguishability
obfuscation and functional
encryption for all circuits”.
UCLA press release: “According
to Sahai, previously developed
techniques for obfuscation
presented only a ‘speed bump,’
forcing an attacker to spend some
effort, perhaps a few days, trying
to reverse-engineer the software.
The new system, he said, puts up
an ‘iron wall’ … a game-change
in the field of cryptography.”
10
2013 Bernstein: “The flagship
cryptographic conferences are full
of this sort of shit, and, if this is
the best defense that the world
has against the U.S. National
Security Agency, we’re screwed.”
2016 Miles–Sahai–Zhandry: “We
exhibit two simple programs that
are functionally equivalent, and
show how to efficiently distinguish
between the obfuscations
of these two programs.”
So Sahai’s claimed “iron wall”
is just another “speed bump”.
11
Classic NTRU
Standardize prime p; e.g. 743.
Also standardize q; e.g. 2048.
Define R = Z[x]/(x^p − 1).
Receiver chooses small f, g ∈ R.
(Some invertibility requirements.)
Public key h = 3g/f mod q.
Sender chooses small m, r ∈ R.
Ciphertext c = m + hr mod q.
Multiply by f mod q: fc mod q.
Use smallness: fm + 3gr. (Small f, g, m, r keep every coefficient of fm + 3gr below q/2, so fc mod q lifts to exactly fm + 3gr with no wraparound.)
Reduce mod 3: fm mod 3.
Divide by f mod 3: m.
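The key generation, encryption and decryption steps just described, as an added toy implementation (not code from the NTRU Prime authors or from any NTRU library): it works in R = Z[x]/(x^p − 1) with constructed parameters p = 7, q = 128, computes the inverses of f mod 3 and mod q with extended Euclid plus a Newton lift, and walks through the smallness step of decryption; all function names are mine.

```python
import random

# Toy parameters, constructed for illustration; the slides use p = 743, q = 2048. With p = 7 every
# coefficient of fm + 3gr is at most 7 + 3*7 = 28 < q/2 = 64, so the smallness step cannot fail.
P, Q = 7, 128

def mul(a, b, p=P):
    """Multiply in R = Z[x]/(x^p - 1): cyclic convolution of coefficient lists (low degree first)."""
    c = [0] * p
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % p] += ai * bj
    return c

def center(a, mod):
    """Reduce each coefficient into the symmetric range [-mod/2, mod/2)."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def poly_inverse_mod_prime(f, ell, p=P):
    """Inverse of f in (Z/ell)[x]/(x^p - 1), ell prime, via extended Euclid; None if not invertible."""
    def trim(a):  # reduce mod ell and drop leading zero coefficients
        a = [x % ell for x in a]
        while len(a) > 1 and a[-1] == 0:
            a.pop()
        return a
    def pmul(a, b):  # ordinary (non-cyclic) polynomial product
        c = [0] * (len(a) + len(b) - 1)
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                c[i + j] += ai * bj
        return trim(c)
    def psub(a, b):
        n = max(len(a), len(b))
        a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
        return trim([x - y for x, y in zip(a, b)])
    def pdivmod(a, b):  # a = quot * b + rem with deg rem < deg b
        quot, rem = [0] * max(1, len(a) - len(b) + 1), a[:]
        inv_lead = pow(b[-1], -1, ell)
        while len(rem) >= len(b) and rem != [0]:
            k = len(rem) - len(b)
            coef = rem[-1] * inv_lead % ell
            quot[k] = coef
            rem = psub(rem, [0] * k + [coef * bj for bj in b])
        return trim(quot), rem
    r0, r1 = trim([-1] + [0] * (p - 1) + [1]), trim(f)  # x^p - 1 and f
    s0, s1 = [0], [1]                                   # invariant: s_i * f == r_i mod (x^p - 1)
    while r1 != [0]:
        quot, rem = pdivmod(r0, r1)
        r0, r1 = r1, rem
        s0, s1 = s1, psub(s0, pmul(quot, s1))
    if len(r0) != 1:  # gcd has positive degree, so f shares a factor with x^p - 1
        return None
    unit = pow(r0[0], -1, ell)
    return ([x * unit % ell for x in s0] + [0] * p)[:p]

def inverse_mod_power_of_two(f, q, p=P):
    """Inverse of f in (Z/q)[x]/(x^p - 1) for q = 2^k: invert mod 2, then Newton-lift
    v <- v * (2 - f*v), which doubles the number of correct bits each round."""
    v = poly_inverse_mod_prime(f, 2, p)
    if v is None:
        return None
    mod = 2
    while mod < q:
        mod = min(mod * mod, q)
        t = [(-x) % mod for x in mul(f, v, p)]  # -f*v
        t[0] = (t[0] + 2) % mod                 # 2 - f*v
        v = [x % mod for x in mul(v, t, p)]
    return v

def small(rng):
    """A random small ring element: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(P)]

def keygen(seed):
    """Receiver: small f, g with f invertible mod q and mod 3; public key h = 3g/f mod q."""
    rng = random.Random(seed)
    while True:
        f = small(rng)
        f_inv_q, f_inv_3 = inverse_mod_power_of_two(f, Q), poly_inverse_mod_prime(f, 3)
        if f_inv_q is not None and f_inv_3 is not None:
            break
    g = small(rng)
    h = [3 * x % Q for x in mul(g, f_inv_q)]
    return h, (f, f_inv_3)

def encrypt(m, h, seed):
    """Sender: small r; ciphertext c = m + h*r mod q (m must be small, i.e. ternary)."""
    r = small(random.Random(seed))
    return [(mi + x) % Q for mi, x in zip(m, mul(h, r))]

def decrypt(c, sk):
    """Receiver: f*c mod q -> fm + 3gr (smallness) -> fm mod 3 -> m (divide by f mod 3)."""
    f, f_inv_3 = sk
    a = center(mul(f, c), Q)  # lifts to exactly fm + 3gr because every coefficient is below q/2
    a = center(a, 3)          # 3gr vanishes mod 3, leaving fm mod 3
    return center(mul(f_inv_3, a), 3)  # m is ternary, so its centered residue mod 3 is m itself
```

Try it with `h, sk = keygen(1)` and `decrypt(encrypt([1, -1, 0, 1, 0, 0, -1], h, 2), sk)`; the f-with-a-factor-of-(x − 1) case returns `None` from the inverse routines, which is the "invertibility requirements" slide item.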
12
1998 Hoffstein–Pipher–Silverman
introduced this system.
Many subsequent NTRU papers:
meet-in-the-middle attacks,
lattice attacks, hybrid attacks;
chosen-ciphertext attacks;
decryption-failure attacks;
complicated padding systems;
variations for efficiency;
parameter selection.
Also many ideas that in retrospect
were small tweaks of NTRU:
e.g., homomorphic encryption.
13
Unnecessary structures in NTRU
Attacker can evaluate
public polynomials $h, c$ at 1.
Compatible with addition and
multiplication mod $x^p - 1$:
$f(1)h(1) = 3g(1)$ in $\mathbb{Z}/q$;
$c(1) = m(1) + h(1)r(1)$ in $\mathbb{Z}/q$.
One way to exploit this:
$c(1), h(1)$ are visible; $r(1)$ is
guessable, sometimes standard.
Attacker scans many ciphertexts
to find some with large m(1).
Uses this to speed up m search.
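The recipe of slide 11 and the evaluate-at-1 identities of slide 13, as an added Python example; this is not code from the talk or from the NTRU Prime project. It assumes toy parameters p = 7 and q = 2048 with fixed small f, g, m, r, and every function name (cyc, mul, inverse_mod_prime, inverse_mod_q, keygen, encrypt, decrypt, at_1, demo) is chosen here.

```python
# Toy Classic NTRU over R = Z[x]/(x^p - 1) from slide 11, plus the evaluate-at-1
# ring-map identities of slide 13. Added example, not code from the talk or NTRU
# Prime. Assumed toy parameters: p = 7 (real NTRU: 743), q = 2048; fixed f, g, m, r.
P, Q = 7, 2048

def cyc(a, mod):
    """Reduce a coefficient list (lowest degree first) mod x^P - 1 and mod `mod`."""
    out = [0] * P
    for i, c in enumerate(a):
        out[i % P] = (out[i % P] + c) % mod
    return out

def mul(a, b, mod):
    """Product in (Z/mod)[x]/(x^P - 1)."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    return cyc(prod, mod)

def centre(a, mod):
    """Lift Z/mod coefficients to the symmetric range (-mod/2, mod/2]."""
    return [c - mod if c > mod // 2 else c for c in cyc(a, mod)]

def trim(a):
    a = list(a)
    while len(a) > 1 and a[-1] == 0:  # drop zero top coefficients, keep >= 1 entry
        a.pop()
    return a

def poly_divmod(a, b, ell):
    """Quotient and remainder of a by b in (Z/ell)[x], ell prime."""
    a, b = trim(a), trim(b)
    lead_inv = pow(b[-1], -1, ell)
    quot = [0] * max(len(a) - len(b) + 1, 1)
    for i in range(len(a) - len(b), -1, -1):
        coef = (a[i + len(b) - 1] * lead_inv) % ell
        quot[i] = coef
        for j, bj in enumerate(b):
            a[i + j] = (a[i + j] - coef * bj) % ell
    return quot, trim(a)

def inverse_mod_prime(f, ell):
    """Inverse of f in (Z/ell)[x]/(x^P - 1) by extended Euclid; None if f is no unit."""
    r0, r1 = [ell - 1] + [0] * (P - 1) + [1], trim(cyc(f, ell))  # x^P - 1, f
    s0, s1 = [0] * P, [1] + [0] * (P - 1)  # Bezout coefficients on f, kept mod x^P - 1
    while r1 != [0]:
        quot, rem = poly_divmod(r0, r1, ell)
        r0, r1 = r1, rem
        s0, s1 = s1, cyc([x - y for x, y in zip(s0, mul(quot, s1, ell))], ell)
    if len(r0) != 1:  # gcd has positive degree
        return None
    return [(c * pow(r0[0], -1, ell)) % ell for c in s0]

def inverse_mod_q(f):
    """Inverse in (Z/Q)[x]/(x^P - 1): start mod 2, then Newton-lift v <- v(2 - f v)."""
    v, mod = inverse_mod_prime(f, 2), 2
    if v is None:
        return None
    while mod < Q:
        mod = min(mod * mod, Q)  # each lift doubles the number of correct bits
        v = mul(v, [(2 if i == 0 else 0) - c for i, c in enumerate(mul(f, v, mod))], mod)
    return v

def keygen(f, g):
    """Public key h = 3g/f mod q, plus f^-1 mod 3 for the last decryption step."""
    f_inv_q, f_inv_3 = inverse_mod_q(f), inverse_mod_prime(f, 3)
    if f_inv_q is None or f_inv_3 is None:
        raise ValueError("f must be invertible mod q and mod 3")
    return mul([3 * c for c in g], f_inv_q, Q), f_inv_3

def encrypt(h, m, r):
    """Ciphertext c = m + h r mod q."""
    return cyc([x + y for x, y in zip(cyc(m, Q), mul(h, r, Q))], Q)

def decrypt(c, f, f_inv_3):
    a = centre(mul(f, c, Q), Q)  # f c mod q, lifted: exactly f m + 3 g r (all small)
    return centre(mul(a, f_inv_3, 3), 3)  # reduce mod 3, then divide by f mod 3

def at_1(a, mod):
    """The ring map (Z/mod)[x]/(x^P - 1) -> Z/mod that sends x to 1."""
    return sum(a) % mod

def demo():
    f = [-1, 1, 1, 0, 0, 0, 0]  # x^2 + x - 1: a unit mod 2 and mod 3
    g = [1, -1, 0, 0, 0, 1, 0]
    m = [1, 1, 0, -1, 1, 0, 1]  # m(1) = 3
    r = [-1, 1, 0, 0, 1, 0, 0]
    h, f_inv_3 = keygen(f, g)
    c = encrypt(h, m, r)
    # Slide 13: both equations survive x -> 1 because that map respects + and *.
    key_identity = at_1(f, Q) * at_1(h, Q) % Q == 3 * at_1(g, Q) % Q
    ct_identity = at_1(c, Q) == (at_1(m, Q) + at_1(h, Q) * at_1(r, Q)) % Q
    # So anyone who knows r(1) reads m(1) off the public h, c: why NTRU keeps m(1) small.
    v = (at_1(c, Q) - at_1(h, Q) * at_1(r, Q)) % Q
    return {"decrypts": decrypt(c, f, f_inv_3) == m, "key_identity": key_identity,
            "ct_identity": ct_identity, "m1_from_public": v - Q if v > Q // 2 else v}

print(demo())
```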
14
NTRU complicates m selection
so that m(1) is never large.
Limits impact of the attack.
Better: replace NTRU’s
$\mathbb{Z}[x]/(x^p - 1)$ with $\mathbb{Z}[x]/\Phi_p$.
Recall $\Phi_p = (x^p - 1)/(x - 1)$.
Can view poly $m$ mod $x^p - 1$
as two parts: $m(1)$, $m \bmod \Phi_p$.
Compatible with add, mult.
Why include m(1) here?
Doesn’t seem to help security.
Or use other irreds. Ring-LWE
typically uses $\Phi_{2048} = x^{1024} + 1$.
15
More generally: Attacker applies
any ring map $(\mathbb{Z}/q)[x]/P \to T$
to the equations $h = 3g/f$
and $c = m + hr$ in $(\mathbb{Z}/q)[x]/P$.
e.g. typically q = 2048 in NTRU.
Have natural ring maps from
$(\mathbb{Z}/2048)[x]/(x^p - 1)$ to
$(\mathbb{Z}/2)[x]/(x^p - 1)$,
$(\mathbb{Z}/4)[x]/(x^p - 1)$,
$(\mathbb{Z}/8)[x]/(x^p - 1)$, etc.
Can attacker exploit these?
Maybe. Complicated. See 2004
Smart–Vercauteren–Silverman.
16
Ring-LWE religion, version 1: For
“provable security”, take prime
q so that P splits completely in
$\mathbb{Z}[x]/q$; i.e., have $n$ different ring
maps $(\mathbb{Z}/q)[x]/P \to \mathbb{Z}/q$.
Do these maps damage security?
Fast attacks in some cases: 2014
Eisenträger–Hallgren–Lauter, 2015
Elias–Lauter–Ozman–Stange,
2016 Chen–Lauter–Stange.
Fast non-q-dependent attack
by 2016 Castryck–Iliashenko–
Vercauteren breaks 2015 ELOS
cases but not 2016 CLS cases.
17
Ring-LWE religion, version 2
(2012 Langlois–Stehlé): “We
prove that the arithmetic form
of the modulus q is irrelevant
to the computational hardness
of LWE and RLWE.”
Basic idea: “modulus switching”
from Z=q to Z=q′. Attacker
multiplies by q′=q and rounds.
![Page 81: It is anticipated that - cr.yp.to · 2016. 7. 19. · cr.yp.to/papers.html #ntruprime is joint work with: Chitchanok Chuengsatiansup Tanja Lange Christine van Vredendaal Technische](https://reader035.vdocuments.us/reader035/viewer/2022071108/5fe25e049babfd5e062cb1d9/html5/thumbnails/81.jpg)
16
Ring-LWE religion, version 1: For
“provable security”, take prime
q so that P splits completely in
Z[x ]=q; i.e., have n different ring
maps (Z=q)[x ]=P → Z=q.
Do these maps damage security?
Fast attacks in some cases: 2014
Eisentrager–Hallgren–Lauter, 2015
Elias–Lauter–Ozman–Stange,
2016 Chen–Lauter–Stange.
Fast non-q-dependent attack
by 2016 Castryck–Iliashenko–
Vercauteren breaks 2015 ELOS
cases but not 2016 CLS cases.
17
Ring-LWE religion, version 2
(2012 Langlois–Stehlé): “We
prove that the arithmetic form
of the modulus q is irrelevant
to the computational hardness
of LWE and RLWE.”
Basic idea: “modulus switching”
from Z/q to Z/q′. Attacker
multiplies by q′/q and rounds.
But rounding adds noise,
making attacks harder!
The proof limits security gap
but does not eliminate it.
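This added Python example (not from the slides or the authors) carries the modulus-switching step above through on a constructed LWE sample: scaling by q′/q and rounding turns the error e into (q′/q)·e plus rounding terms, whose size is at most (1 + ‖s‖₁)/2. The sample values, q = 101 and q′ = 11, are constructed for the demonstration.

```python
# Added example, not from the NTRU Prime slides or the authors' code.
# Modulus switching: scale an LWE sample (a, b = <a,s> + e mod q) by
# q'/q and round each coordinate.  The switched sample has error
# e' = (q'/q)*e + (rounding terms), and the rounding terms are at most
# (1 + |s|_1)/2 in absolute value, so the switch itself adds noise.
import math
from fractions import Fraction


def centered(v, q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v


def scale_and_round(v, q, q2):
    """round(v * q2 / q) mod q2, computed exactly with Fractions (ties round up)."""
    return math.floor(Fraction(v * q2, q) + Fraction(1, 2)) % q2


def lwe_error(a, b, s, q):
    """Centered error b - <a,s> mod q of the sample (a, b) under secret s."""
    return centered(b - sum(ai * si for ai, si in zip(a, s)), q)


def switch_sample(a, b, s, q, q2):
    """Switch (a, b) from modulus q to q2; returns (a', b', e') with e' the new error."""
    a2 = [scale_and_round(ai, q, q2) for ai in a]
    b2 = scale_and_round(b, q, q2)
    return a2, b2, lwe_error(a2, b2, s, q2)


def extra_noise(a, b, s, q, q2):
    """e' - (q2/q)*e: the noise contributed by rounding alone (exact Fraction).
    Valid as long as e' does not wrap around modulo q2."""
    e = lwe_error(a, b, s, q)
    _, _, e2 = switch_sample(a, b, s, q, q2)
    return e2 - Fraction(e * q2, q)


def rounding_noise_bound(s):
    """Worst case for the rounding terms: each is at most 1/2 in absolute value,
    one for b and one per coordinate of a weighted by |s_i|."""
    return Fraction(1 + sum(abs(si) for si in s), 2)


if __name__ == "__main__":
    # Constructed sample: q = 101, secret s = (2, 3), a = (20, 50), error e = 1,
    # so b = <a,s> + e = 191 = 90 mod 101.
    q, s, a, b = 101, [2, 3], [20, 50], 90
    print("original error:", lwe_error(a, b, s, q))            # 1
    a2, b2, e2 = switch_sample(a, b, s, q, 11)
    print("switched to q'=11:", a2, b2, "new error:", e2)       # [2, 5] 10 2
    print("noise added by rounding:", extra_noise(a, b, s, q, 11),
          "<= bound", rounding_noise_bound(s))                # 191/101 <= 3
```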
18
We recommend: Take irred P
that remains irred in (Z/q)[x];
i.e., choose inert modulus q.
Field (Z/q)[x]/P. No ring map
to any smaller nonzero ring.
So far this is compatible with
Ring-LWE religion, version 2.
But we also recommend heresy:
take P with prime degree p
and with large Galois group,
specifically S_p, size p!.
Good example: P = x^p − x − 1.
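As an added example (not the slides' or the authors' code), this Python script makes the two ring-structure points above concrete: it counts the ring maps (Z/q)[x]/P → Z/q, which correspond to the roots of P mod q, and runs Rabin's irreducibility test for prime degree to decide whether q is inert for P, i.e. whether (Z/q)[x]/P is a field. The toy parameters (x^8 + 1 with q = 17, x^p − x − 1 for p = 2, 3) are constructed for the demonstration; real NTRU Prime parameters are far larger.

```python
# Added example, not from the NTRU Prime slides or the authors' code.
# Ring maps (Z/q)[x]/P -> Z/q correspond to roots c of P mod q (x -> c), and
# q is inert for P exactly when P stays irreducible mod q, i.e. when
# (Z/q)[x]/P is a field.  Polynomials are coefficient lists mod q, lowest
# degree first; P must be monic and q prime.


def poly_mulmod(a, b, P, q):
    """a*b reduced modulo the monic P in (Z/q)[x]; returns exactly deg(P) coefficients."""
    n = len(P) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] = (prod[i + j] + ai * bj) % q
    # fold every x^k with k >= n using x^n = -(P[0] + ... + P[n-1] x^(n-1))
    for k in range(len(prod) - 1, n - 1, -1):
        c = prod[k]
        if c:
            for t in range(n):
                prod[k - n + t] = (prod[k - n + t] - c * P[t]) % q
    return (prod + [0] * n)[:n]


def poly_powmod(base, e, P, q):
    """base^e mod P by square-and-multiply (e >= 1)."""
    result = [1]
    while e:
        if e & 1:
            result = poly_mulmod(result, base, P, q)
        e >>= 1
        if e:
            base = poly_mulmod(base, base, P, q)
    return (result + [0] * len(P))[:len(P) - 1]


def frobenius_power(i, P, q):
    """x^(q^i) mod P, obtained by applying the Frobenius map h -> h^q i times."""
    n = len(P) - 1
    h = ([0, 1] + [0] * n)[:n]
    for _ in range(i):
        h = poly_powmod(h, q, P, q)
    return h


def count_ring_maps(P, q):
    """Number of ring maps (Z/q)[x]/P -> Z/q: one per root c of P mod q (x -> c)."""
    roots = 0
    for c in range(q):
        v = 0
        for coeff in reversed(P):      # Horner evaluation of P(c) mod q
            v = (v * c + coeff) % q
        roots += (v == 0)
    return roots


def is_inert(P, q):
    """For monic P of PRIME degree p (the NTRU Prime setting): P is irreducible
    over F_q iff it has no root mod q and x^(q^p) = x mod P (Rabin's test).
    Then (Z/q)[x]/P is a field with no ring map to any smaller nonzero ring."""
    p = len(P) - 1
    assert p >= 2 and all(p % d for d in range(2, p)), "degree must be prime"
    if count_ring_maps(P, q):          # a root gives a degree-1 factor
        return False
    x = ([0, 1] + [0] * p)[:p]
    # every irreducible factor then has degree dividing p, hence equal to p
    return frobenius_power(p, P, q) == x


def x_p_minus_x_minus_1(p, q):
    """Coefficients of the NTRU Prime polynomial x^p - x - 1 reduced mod q."""
    P = [0] * (p + 1)
    P[0] = P[1] = q - 1
    P[p] = 1
    return P


if __name__ == "__main__":
    # Constructed toy parameters; real NTRU Prime sizes are far larger.
    phi16 = [1, 0, 0, 0, 0, 0, 0, 0, 1]          # x^8 + 1 = Phi_16, a power-of-two cyclotomic
    # q = 17 = 1 mod 16 splits completely: 8 roots, hence 8 ring maps to Z/17
    print("x^8+1, q=17: ring maps to Z/17 =", count_ring_maps(phi16, 17))   # 8
    P = x_p_minus_x_minus_1(3, 13)
    print("x^3-x-1, q=13: ring maps =", count_ring_maps(P, 13), "/ inert?", is_inert(P, 13))
    # x^5 + x^4 + 1 = (x^2+x+1)(x^3+x+1) over F_2: no roots, yet not irreducible
    print("x^5+x^4+1 inert at q=2?", is_inert([1, 0, 0, 0, 1, 1], 2))       # False
```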
19
2014.02, our 2nd announcement:
To eliminate “worrisome”
structures, use “a number field
of prime degree, so that the only
subfield is Q” and “an irreducible
polynomial x^p − x − 1 with a
very large Galois group, so that
the number field is very far from
having automorphisms”.
Subsequent attacks against
several lattice-based systems
have exploited these structures
and have not been extended
to our recommended rings.
20
2014.10 Campbell–Groves–
Shepherd describe an ideal-lattice-
based system “Soliloquy”; claim
quantum poly-time key recovery.
2010 Smart–Vercauteren system is
practically identical to Soliloquy.
2009 Gentry system (simpler
version described at STOC) has
the same key-recovery problem.
2012 Garg–Gentry–Halevi
multilinear maps have the
same key-recovery problem
(and many other security issues).
21
SV/Soliloquy parameter:
k ≥ 1. Define R = Z[x]/Φ_{2^k}.
Public key: prime q and c ∈ Z/q.
Secret key: short element g ∈ R
with gR = qR + (x − c)R;
i.e., short generator
of the ideal qR + (x − c)R.
But wait, isn’t it known how to
compute a generator of an ideal?
See, e.g., 1993 Cohen textbook
“A course in computational
algebraic number theory”.
22
Smart–Vercauteren dismiss this
as taking exponential time.
![Page 106: It is anticipated that - cr.yp.to · 2016. 7. 19. · cr.yp.to/papers.html #ntruprime is joint work with: Chitchanok Chuengsatiansup Tanja Lange Christine van Vredendaal Technische](https://reader035.vdocuments.us/reader035/viewer/2022071108/5fe25e049babfd5e062cb1d9/html5/thumbnails/106.jpg)
20
2014.10 Campbell–Groves–
Shepherd describe an ideal-lattice-
based system “Soliloquy”; claim
quantum poly-time key recovery.
2010 Smart–Vercauteren system is
practically identical to Soliloquy.
2009 Gentry system (simpler
version described at STOC) has
the same key-recovery problem.
2012 Garg–Gentry–Halevi
multilinear maps have the
same key-recovery problem
(and many other security issues).
21
SV/Soliloquy parameter:
k ≥ 1. Define R = Z[x ]=Φ2k .
Public key: prime q and c ∈ Z=q.
Secret key: short element g ∈ Rwith gR = qR+ (x − c)R;
i.e., short generator
of the ideal qR+ (x − c)R.
But wait, isn’t it known how to
compute a generator of an ideal?
See, e.g., 1993 Cohen textbook
“A course in computational
algebraic number theory”.
22
Smart–Vercauteren dismiss this
as taking exponential time.
![Page 107: It is anticipated that - cr.yp.to · 2016. 7. 19. · cr.yp.to/papers.html #ntruprime is joint work with: Chitchanok Chuengsatiansup Tanja Lange Christine van Vredendaal Technische](https://reader035.vdocuments.us/reader035/viewer/2022071108/5fe25e049babfd5e062cb1d9/html5/thumbnails/107.jpg)
20
2014.10 Campbell–Groves–
Shepherd describe an ideal-lattice-
based system “Soliloquy”; claim
quantum poly-time key recovery.
2010 Smart–Vercauteren system is
practically identical to Soliloquy.
2009 Gentry system (simpler
version described at STOC) has
the same key-recovery problem.
2012 Garg–Gentry–Halevi
multilinear maps have the
same key-recovery problem
(and many other security issues).
21
SV/Soliloquy parameter:
k ≥ 1. Define R = Z[x ]=Φ2k .
Public key: prime q and c ∈ Z=q.
Secret key: short element g ∈ Rwith gR = qR+ (x − c)R;
i.e., short generator
of the ideal qR+ (x − c)R.
But wait, isn’t it known how to
compute a generator of an ideal?
See, e.g., 1993 Cohen textbook
“A course in computational
algebraic number theory”.
22
Smart–Vercauteren dismiss this
as taking exponential time.
![Page 108: It is anticipated that - cr.yp.to · 2016. 7. 19. · cr.yp.to/papers.html #ntruprime is joint work with: Chitchanok Chuengsatiansup Tanja Lange Christine van Vredendaal Technische](https://reader035.vdocuments.us/reader035/viewer/2022071108/5fe25e049babfd5e062cb1d9/html5/thumbnails/108.jpg)
21
SV/Soliloquy parameter:
k ≥ 1. Define R = Z[x ]=Φ2k .
Public key: prime q and c ∈ Z=q.
Secret key: short element g ∈ Rwith gR = qR+ (x − c)R;
i.e., short generator
of the ideal qR+ (x − c)R.
But wait, isn’t it known how to
compute a generator of an ideal?
See, e.g., 1993 Cohen textbook
“A course in computational
algebraic number theory”.
22
Smart–Vercauteren dismiss this
as taking exponential time.
![Page 109: It is anticipated that - cr.yp.to · 2016. 7. 19. · cr.yp.to/papers.html #ntruprime is joint work with: Chitchanok Chuengsatiansup Tanja Lange Christine van Vredendaal Technische](https://reader035.vdocuments.us/reader035/viewer/2022071108/5fe25e049babfd5e062cb1d9/html5/thumbnails/109.jpg)
21
SV/Soliloquy parameter:
k ≥ 1. Define R = Z[x ]=Φ2k .
Public key: prime q and c ∈ Z=q.
Secret key: short element g ∈ Rwith gR = qR+ (x − c)R;
i.e., short generator
of the ideal qR+ (x − c)R.
But wait, isn’t it known how to
compute a generator of an ideal?
See, e.g., 1993 Cohen textbook
“A course in computational
algebraic number theory”.
22
Smart–Vercauteren dismiss this
as taking exponential time.
It actually takes subexponential
time. Same basic idea as NFS.
Campbell–Groves–Shepherd
claim quantum poly time.
Claim disputed by Biasse,
not defended by CGS.
2016 Biasse–Song, building on
2014 Eisenträger–Hallgren–
Kitaev–Song: different algorithm
that takes quantum poly time.
23
Smart–Vercauteren also dismiss
this generator as not being short.
Have ideal I of R.
Want short g with gR = I.
Have g′ with g′R = I.
Know g′ = ug for some u ∈ R∗.
But how do we find u?
Log g′ = Log u + Log g
where Log is Dirichlet’s log map.
Dirichlet’s unit theorem:
Log R∗ is a lattice, known dim.
Finding Log u is a closest-vector
problem in this lattice.
24
Campbell–Groves–Shepherd:
“A simple generating set for the
cyclotomic units is of course
known. The image of O^× [i.e.,
R∗] under the logarithm map
forms a lattice. The determinant
of this lattice turns out to be
much bigger than the typical
log-length of a private key α [i.e.,
g], so it is easy to recover the
causally short private key given
any generator of αO [i.e., I],
e.g. via the LLL lattice reduction
algorithm.”
25
x ↦ x³, x ↦ x⁵, x ↦ x⁷, etc. are
automorphisms of R = Z[x]/Φ_{2^k}.
Easy to see (1 − x³)/(1 − x) ∈ R∗.
“Cyclotomic units” are defined as
R∗ ∩ {±x^{e_0} ∏_i (1 − x^i)^{e_i}}.
Weber’s conjecture: all elements
of R∗ are cyclotomic units.
Experiments confirm that SV is
quickly broken by LLL using, e.g.,
1997 Washington textbook
basis for cyclotomic units.
Shortness of basis is critical;
missing from bogus CGS analysis.
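The Log-map argument of slides 23 to 25, worked through as an added Python example (this is not code from the talk or from the NTRU Prime authors). It assumes the toy ring R = Z[x]/(x⁸ + 1), i.e. Φ₁₆ with k = 4, the Washington-style cyclotomic-unit basis (1 − xᵃ)/(1 − x) for a ∈ {3, 5, 7}, and a constructed secret g = 2 + x⁴ multiplied by a constructed unit. It shows that Log is additive, that Log of every unit lies in the sum-zero hyperplane, that (1 − xᵃ)/(1 − x) has the explicit inverse Σ_{i<m} x^{ai} with m = a⁻¹ mod 16, and that rounding Log g′ against the unit basis recovers the exponents of u and hence g exactly. The choice g = 2 + x⁴ is deliberate: all four embeddings of it have absolute value √5, so Log g is orthogonal to the unit lattice and the rounding step is exact. In this toy dimension a generic short g is not guaranteed to round correctly; the experiments the slide refers to use much larger k together with LLL, which this example does not implement.

```python
import cmath
import math

# Toy instance of the slides' setting: R = Z[x]/Phi_16 = Z[x]/(x^8 + 1), i.e. k = 4.
# Constructed sizes for illustration only; the experiments on the slide use far larger k.
N_DEG = 8                   # degree of Phi_16
ROOT_ORDER = 2 * N_DEG      # x is a primitive 16th root of unity in R
EMBEDDINGS = [1, 3, 5, 7]   # one exponent per complex-conjugate pair of embeddings
UNIT_EXPONENTS = [3, 5, 7]  # Washington-style basis (1 - x^a)/(1 - x), a odd, 1 < a < n


def mul(a, b):
    """Product in Z[x]/(x^n + 1): negacyclic convolution of length-n coefficient lists."""
    out = [0] * N_DEG
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N_DEG:
                out[i + j] += ai * bj
            else:
                out[i + j - N_DEG] -= ai * bj   # x^n = -1
    return out


def power(a, e):
    """a^e in R by repeated multiplication (exponents here are tiny)."""
    result = [1] + [0] * (N_DEG - 1)
    for _ in range(e):
        result = mul(result, a)
    return result


def monomial_sum(exponents):
    """Sum of x^e over the given exponents, reduced using x^n = -1."""
    out = [0] * N_DEG
    for e in exponents:
        q, r = divmod(e, N_DEG)
        out[r] += (-1) ** q
    return out


def cyclotomic_unit(a):
    """b_a = (1 - x^a)/(1 - x) = 1 + x + ... + x^(a-1); a unit of R because gcd(a, 2n) = 1."""
    return monomial_sum(range(a))


def cyclotomic_unit_inverse(a):
    """(1 - x)/(1 - x^a) = sum_{i < m} x^(a i) with m = a^-1 mod 2n, since x^(a m) = x."""
    m = pow(a, -1, ROOT_ORDER)
    return monomial_sum(a * i for i in range(m))


def unit_from_exponents(exps):
    """u = prod_a b_a^(e_a); negative exponents use the explicit inverses."""
    u = [1] + [0] * (N_DEG - 1)
    for a, e in zip(UNIT_EXPONENTS, exps):
        base = cyclotomic_unit(a) if e >= 0 else cyclotomic_unit_inverse(a)
        u = mul(u, power(base, abs(e)))
    return u


def log_embed(g):
    """Dirichlet's Log map: log|g(zeta^j)| for one j per conjugate pair, zeta = exp(2 pi i/16)."""
    out = []
    for j in EMBEDDINGS:
        zeta_j = cmath.exp(complex(0, 2 * math.pi * j / ROOT_ORDER))
        out.append(math.log(abs(sum(c * zeta_j ** k for k, c in enumerate(g)))))
    return out


def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system A t = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def recover_short_generator(g_prime):
    """Given g' = u g with u a cyclotomic unit: round Log g' to the log-unit lattice, divide u out."""
    # For this small conductor the cyclotomic units are all of R* (Weber's conjecture, proven here),
    # so Log of this basis spans Log R*.
    basis = [log_embed(cyclotomic_unit(a)) for a in UNIT_EXPONENTS]
    v = log_embed(g_prime)
    mean = sum(v) / len(v)
    v = [x - mean for x in v]      # Log R* lies in the sum-zero hyperplane (units have norm +-1)
    gram = [[sum(x * y for x, y in zip(bi, bj)) for bj in basis] for bi in basis]
    rhs = [sum(x * y for x, y in zip(bi, v)) for bi in basis]
    exps = [round(t) for t in solve_linear(gram, rhs)]   # Babai rounding in this basis
    return mul(g_prime, unit_from_exponents([-e for e in exps])), exps


if __name__ == "__main__":
    g = [2, 0, 0, 0, 1, 0, 0, 0]                 # constructed short secret 2 + x^4
    g_prime = mul(g, unit_from_exponents([2, -1, 3]))
    print("g' =", g_prime)
    print("recovered g, unit exponents:", recover_short_generator(g_prime))
```

The recovery never needs LLL here because the basis is already short relative to the lattice; that is the point of the slide's last two lines. The rounding step is where a long basis would fail: the coordinates of Log g′ in a long basis are dominated by the unknown Log g component rather than by the integer unit exponents.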
26
Attackers can also use
automorphisms in more ways.
2016 Albrecht–Bai–Ducas
“A subfield lattice attack on
overstretched NTRU assumptions:
Cryptanalysis of some FHE and
Graded Encoding Schemes” use
norms gσ(g), and independently
2016 Cheon–Jeong–Lee (“The
main technique of our algorithm
is the reduction of a problem on
a field to one in a subfield”) use
traces g + σ(g), where σ is
an order-2 automorphism.
27
We recommend changing
the choice of rings in
ideal-lattice-based cryptography.
Requiring prime degree p
minimizes number of subfields.
Requiring Galois group
S_p maximizes difficulty of
automorphism computations: e.g.,
the smallest field containing all
roots of P has degree p!.
All available evidence is that
this rescues some systems
and never hurts security.
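Slides 26 and 27 contrast rings with many cheap automorphisms and subfields against a prime-degree ring with Galois group S_p. The following Python example is added here (it is not code from the talk or from the NTRU Prime project) and checks both claims on toy sizes, assumed to be n = 8 for Z[x]/(xⁿ + 1) and p = 7 for Z[x]/(xᵖ − x − 1). It tests which maps x ↦ xʲ respect the defining relation (exactly the odd j for xⁿ + 1, the automorphisms of slide 25), shows that for the order-2 automorphism σ: x ↦ x^{n+1} = −x both the norm gσ(g) and the trace g + σ(g) land in the half-dimensional subring Z[x²]/(x^{n/2} + 1), which is the dimension reduction the subfield attacks exploit, and finds no such map at all for x⁷ − x − 1. That last check covers only j < 16; the general statement is that xᵖ − x − 1 is irreducible with Galois group S_p, so the field has no nontrivial automorphisms and, having prime degree, no proper subfields.

```python
# Ring maps x -> x^j on Z[x]/(P) for a monic P, and the subring structure they expose.
# Added example; toy sizes are constructed for illustration.

def reduce_mod(coeffs, P):
    """Reduce a coefficient list (index = degree) modulo the monic polynomial P."""
    a = list(coeffs)
    n = len(P) - 1
    for d in range(len(a) - 1, n - 1, -1):
        c = a[d]
        if c:
            for i in range(n + 1):
                a[d - n + i] -= c * P[i]   # subtract c * x^(d-n) * P(x); this zeroes a[d]
    return (a + [0] * n)[:n]


def mul(a, b, P):
    """Product of two ring elements modulo P."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    return reduce_mod(prod, P)


def apply_power_map(g, j, P):
    """Image of g under x -> x^j, evaluated by Horner's rule in Z[x]/(P)."""
    y = reduce_mod([0] * j + [1], P)           # x^j reduced
    acc = [0] * (len(P) - 1)
    for c in reversed(g):
        acc = mul(acc, y, P)
        acc[0] += c
    return acc


def is_ring_map(j, P):
    """x -> x^j extends to a ring endomorphism of Z[x]/(P) iff P(x^j) = 0 in the ring."""
    return not any(apply_power_map(P, j, P))


def power_map_automorphisms(P, bound):
    """All 2 <= j < bound for which x -> x^j respects the defining relation P."""
    return [j for j in range(2, bound) if is_ring_map(j, P)]


def cyclotomic_modulus(n):
    """P = x^n + 1 = Phi_{2n} when n is a power of two."""
    return [1] + [0] * (n - 1) + [1]


def ntru_prime_modulus(p):
    """P = x^p - x - 1, the NTRU Prime choice (irreducible, Galois group S_p)."""
    return [-1, -1] + [0] * (p - 2) + [1]


def norm_and_trace(g, P, j):
    """g*sigma(g) and g+sigma(g) for sigma: x -> x^j; for sigma of order 2 these lie in a subring."""
    sg = apply_power_map(g, j, P)
    return mul(g, sg, P), [u + v for u, v in zip(reduce_mod(g, P), sg)]


def halves_dimension(elem):
    """True when every odd-degree coefficient is zero, i.e. elem lies in Z[x^2]."""
    return all(c == 0 for c in elem[1::2])


if __name__ == "__main__":
    P8 = cyclotomic_modulus(8)
    print("x -> x^j ring maps of Z[x]/(x^8+1), j < 16:", power_map_automorphisms(P8, 16))
    g = [1, -1, 0, 1, 0, 0, -1, 1]            # constructed short element
    norm, trace = norm_and_trace(g, P8, 9)    # sigma: x -> x^9 = -x, order 2
    print("norm g*sigma(g):", norm, "in Z[x^2]:", halves_dimension(norm))
    print("trace g+sigma(g):", trace, "in Z[x^2]:", halves_dimension(trace))
    print("x -> x^j ring maps of Z[x]/(x^7-x-1), j < 16:",
          power_map_automorphisms(ntru_prime_modulus(7), 16))
```

The norm and trace of the unknown g are elements of a ring of half the dimension with coefficients still bounded in terms of g, which is exactly what lets the subfield attacks trade dimension for coefficient size. In a ring of prime degree the tower law leaves no intermediate ring to project into, and the S_p Galois group removes the automorphisms that would be needed to build such a projection.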
28
The importance of efficiency
“If you’re so worried about
structure, why are you tolerating
visible polynomial structure?
Use LWE, or classic McEliece!”
Maybe better security, yes—
but huge costs in network traffic.
Is this affordable?
If it is, would we gain more
security from larger polynomials?
Larger impact on known attacks,
maybe also on unknown attacks.
Not clear what to recommend.
29
Conventional wisdom:
Rings (Z/q)[x]/Φ_{2^k}
with q mod 2^{k+1} = 1 allow
extremely fast FFT-based multiplications.
NTRU Prime rings will be
several times slower.
Is this affordable? etc.
But we have shown that
an optimized combination of
Karatsuba and Toom is also
extremely fast at crypto sizes.
Hard to find any applications
that will notice the differences.
And we improve network traffic.
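As an added illustration of the Karatsuba approach mentioned on this slide (example code written for this page, not the slides' own or the NTRU Prime software's), here is polynomial multiplication in an NTRU Prime-style ring (Z/q)[x]/(x^p - x - 1), cross-checked against schoolbook multiplication. The reduction polynomial x^p - x - 1 and the toy values p = 13, q = 31 are assumptions not stated on the slide, and the Toom layer is omitted.

```python
# Added example (not from the slides or the NTRU Prime software):
# Karatsuba multiplication in an NTRU Prime-style ring
# (Z/q)[x]/(x^p - x - 1), cross-checked against schoolbook.
import random

P, Q = 13, 31  # constructed toy parameters (both prime), not a real set

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [x + y for x, y in zip(a, b)]

def poly_sub(a, b):
    return poly_add(a, [-y for y in b])

def mul_schoolbook(a, b):
    """Plain O(n^2) coefficient product, used as the reference."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out

def mul_karatsuba(a, b, cutoff=4):
    """Split at h; three half-size products replace four."""
    n = max(len(a), len(b))
    if n <= cutoff:
        return mul_schoolbook(a, b)
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    h = n // 2
    z0 = mul_karatsuba(a[:h], b[:h], cutoff)   # low * low
    z2 = mul_karatsuba(a[h:], b[h:], cutoff)   # high * high
    z1 = mul_karatsuba(poly_add(a[:h], a[h:]),
                       poly_add(b[:h], b[h:]), cutoff)
    mid = poly_sub(poly_sub(z1, z0), z2)       # cross terms only
    return poly_add(poly_add(z0, [0] * h + mid), [0] * (2 * h) + z2)

def reduce_ring(c, p=P, q=Q):
    """Reduce mod x^p - x - 1 (using x^p = x + 1), then mod q."""
    c = list(c) + [0] * max(0, p - len(c))
    for i in range(len(c) - 1, p - 1, -1):  # fold degrees >= p down
        t, c[i] = c[i], 0
        c[i - p] += t
        c[i - p + 1] += t
    return [x % q for x in c[:p]]

def ring_mul(a, b):
    return reduce_ring(mul_karatsuba(a, b))

def agrees_with_schoolbook(trials=50, seed=1):
    """Self-check: Karatsuba and schoolbook agree on random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randrange(Q) for _ in range(P)]
        b = [rng.randrange(Q) for _ in range(P)]
        if ring_mul(a, b) != reduce_ring(mul_schoolbook(a, b)):
            return False
    return True
```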
30
What you find in the paper
Streamlined NTRU Prime:
an optimized cryptosystem.
The design space of
lattice-based encryption.
Security of Streamlined NTRU
Prime: meet-in-the-middle
attacks, lattice attacks, etc.
Parameters.
Public-key encryption vs.
unauthenticated key exchange.
And more!