ntru prime: round 2 table 2: tanja lange exploring the ...tanja-20200706-lattice-4x3.pdf368 185...
TRANSCRIPT
![Page 1: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/1.jpg)
1
Exploring the parameter space
in lattice attacks
Daniel J. Bernstein
Tanja Lange
Based on attack survey from
2019 Bernstein–Chuengsatiansup–
Lange–van Vredendaal.
Some hard lattice meta-problems:
• Analyze cost of known attacks.
• Optimize attack parameters.
• Compare different attacks.
• Evaluate crypto parameters.
• Evaluate crypto designs.
2
sntrup761 evaluations from
“NTRU Prime: round 2” Table 2:
Ignoring cost of memory:368 185 enum, ignoring hybrid230 169 enum, including hybrid153 139 sieving, ignoring hybrid153 139 sieving, including hybrid
Accounting for cost of memory:368 185 enum, ignoring hybrid277 169 enum, including hybrid208 208 sieving, ignoring hybrid208 180 sieving, including hybrid
Security levels:. . . pre-quantum
. . . post-quantum
![Page 2: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/2.jpg)
1
Exploring the parameter space
in lattice attacks
Daniel J. Bernstein
Tanja Lange
Based on attack survey from
2019 Bernstein–Chuengsatiansup–
Lange–van Vredendaal.
Some hard lattice meta-problems:
• Analyze cost of known attacks.
• Optimize attack parameters.
• Compare different attacks.
• Evaluate crypto parameters.
• Evaluate crypto designs.
2
sntrup761 evaluations from
“NTRU Prime: round 2” Table 2:
Ignoring cost of memory:368 185 enum, ignoring hybrid230 169 enum, including hybrid153 139 sieving, ignoring hybrid153 139 sieving, including hybrid
Accounting for cost of memory:368 185 enum, ignoring hybrid277 169 enum, including hybrid208 208 sieving, ignoring hybrid208 180 sieving, including hybrid
Security levels:. . . pre-quantum
. . . post-quantum
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
![Page 3: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/3.jpg)
1
Exploring the parameter space
in lattice attacks
Daniel J. Bernstein
Tanja Lange
Based on attack survey from
2019 Bernstein–Chuengsatiansup–
Lange–van Vredendaal.
Some hard lattice meta-problems:
• Analyze cost of known attacks.
• Optimize attack parameters.
• Compare different attacks.
• Evaluate crypto parameters.
• Evaluate crypto designs.
2
sntrup761 evaluations from
“NTRU Prime: round 2” Table 2:
Ignoring cost of memory:368 185 enum, ignoring hybrid230 169 enum, including hybrid153 139 sieving, ignoring hybrid153 139 sieving, including hybrid
Accounting for cost of memory:368 185 enum, ignoring hybrid277 169 enum, including hybrid208 208 sieving, ignoring hybrid208 180 sieving, including hybrid
Security levels:. . . pre-quantum
. . . post-quantum
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
![Page 4: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/4.jpg)
1
Exploring the parameter space
in lattice attacks
Daniel J. Bernstein
Tanja Lange
Based on attack survey from
2019 Bernstein–Chuengsatiansup–
Lange–van Vredendaal.
Some hard lattice meta-problems:
• Analyze cost of known attacks.
• Optimize attack parameters.
• Compare different attacks.
• Evaluate crypto parameters.
• Evaluate crypto designs.
2
sntrup761 evaluations from
“NTRU Prime: round 2” Table 2:
Ignoring cost of memory:368 185 enum, ignoring hybrid230 169 enum, including hybrid153 139 sieving, ignoring hybrid153 139 sieving, including hybrid
Accounting for cost of memory:368 185 enum, ignoring hybrid277 169 enum, including hybrid208 208 sieving, ignoring hybrid208 180 sieving, including hybrid
Security levels:. . . pre-quantum
. . . post-quantum
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
![Page 5: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/5.jpg)
2
sntrup761 evaluations from
“NTRU Prime: round 2” Table 2:
Ignoring cost of memory:368 185 enum, ignoring hybrid230 169 enum, including hybrid153 139 sieving, ignoring hybrid153 139 sieving, including hybrid
Accounting for cost of memory:368 185 enum, ignoring hybrid277 169 enum, including hybrid208 208 sieving, ignoring hybrid208 180 sieving, including hybrid
Security levels:. . . pre-quantum
. . . post-quantum
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
![Page 6: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/6.jpg)
2
sntrup761 evaluations from
“NTRU Prime: round 2” Table 2:
Ignoring cost of memory:368 185 enum, ignoring hybrid230 169 enum, including hybrid153 139 sieving, ignoring hybrid153 139 sieving, including hybrid
Accounting for cost of memory:368 185 enum, ignoring hybrid277 169 enum, including hybrid208 208 sieving, ignoring hybrid208 180 sieving, including hybrid
Security levels:. . . pre-quantum
. . . post-quantum
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
![Page 7: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/7.jpg)
2
sntrup761 evaluations from
“NTRU Prime: round 2” Table 2:
Ignoring cost of memory:368 185 enum, ignoring hybrid230 169 enum, including hybrid153 139 sieving, ignoring hybrid153 139 sieving, including hybrid
Accounting for cost of memory:368 185 enum, ignoring hybrid277 169 enum, including hybrid208 208 sieving, ignoring hybrid208 180 sieving, including hybrid
Security levels:. . . pre-quantum
. . . post-quantum
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
![Page 8: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/8.jpg)
2
sntrup761 evaluations from
“NTRU Prime: round 2” Table 2:
Ignoring cost of memory:368 185 enum, ignoring hybrid230 169 enum, including hybrid153 139 sieving, ignoring hybrid153 139 sieving, including hybrid
Accounting for cost of memory:368 185 enum, ignoring hybrid277 169 enum, including hybrid208 208 sieving, ignoring hybrid208 180 sieving, including hybrid
Security levels:. . . pre-quantum
. . . post-quantum
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
![Page 9: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/9.jpg)
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
![Page 10: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/10.jpg)
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Examples of target cryptosystems
Secret key: small a; small e.
Public key reveals multiplier G
and approximation A = aG + e.
Public key for “NTRU” (1996
Hoffstein–Pipher–Silverman):
G = −e=a, and A = 0.
![Page 11: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/11.jpg)
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Examples of target cryptosystems
Secret key: small a; small e.
Public key reveals multiplier G
and approximation A = aG + e.
Public key for “NTRU” (1996
Hoffstein–Pipher–Silverman):
G = −e=a, and A = 0.
![Page 12: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/12.jpg)
3
Analysis of typical lattice attack
has complications at four layers,
and at interfaces between layers.
This talk emphasizes top layer.
Analysis of latticesto attack cryptosystems
“Approximate-SVP”analysis
OO
“SVP”analysis
OO
Model of computation
OO
<<
77
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Examples of target cryptosystems
Secret key: small a; small e.
Public key reveals multiplier G
and approximation A = aG + e.
Public key for “NTRU” (1996
Hoffstein–Pipher–Silverman):
G = −e=a, and A = 0.
![Page 13: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/13.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Examples of target cryptosystems
Secret key: small a; small e.
Public key reveals multiplier G
and approximation A = aG + e.
Public key for “NTRU” (1996
Hoffstein–Pipher–Silverman):
G = −e=a, and A = 0.
![Page 14: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/14.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Examples of target cryptosystems
Secret key: small a; small e.
Public key reveals multiplier G
and approximation A = aG + e.
Public key for “NTRU” (1996
Hoffstein–Pipher–Silverman):
G = −e=a, and A = 0.
Public key for “Ring-LWE” (2010
Lyubashevsky–Peikert–Regev):
random G, and A = aG + e.
![Page 15: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/15.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Examples of target cryptosystems
Secret key: small a; small e.
Public key reveals multiplier G
and approximation A = aG + e.
Public key for “NTRU” (1996
Hoffstein–Pipher–Silverman):
G = −e=a, and A = 0.
Public key for “Ring-LWE” (2010
Lyubashevsky–Peikert–Regev):
random G, and A = aG + e.
Recognize similarity + credits:
“NTRU” ⇒ Quotient NTRU.
“Ring-LWE” ⇒ Product NTRU.
![Page 16: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/16.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Encryption for Quotient NTRU:
Input small b, small d .
Ciphertext: B = 3bG + d .
![Page 17: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/17.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Encryption for Quotient NTRU:
Input small b, small d .
Ciphertext: B = 3bG + d .
Encryption for Product NTRU:
Input encoded message M.
Randomly generate
small b, small d , small c .
Ciphertext: B = bG + d
and C = bA+M + c .
![Page 18: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/18.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Encryption for Quotient NTRU:
Input small b, small d .
Ciphertext: B = 3bG + d .
Encryption for Product NTRU:
Input encoded message M.
Randomly generate
small b, small d , small c .
Ciphertext: B = bG + d
and C = bA+M + c .
2019 Bernstein “Comparing
proofs of security for lattice-based
encryption” includes survey of
G; a; e; c;M details and variants
in NISTPQC submissions.
![Page 19: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/19.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
![Page 20: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/20.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
![Page 21: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/21.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
![Page 22: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/22.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
![Page 23: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/23.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
![Page 24: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/24.jpg)
4
Three typical attack problems
Define R = Z[x ]=(x761 − x − 1);
“small” = all coeffs in {−1; 0; 1};w = 286; q = 4591.
Attacker wants to find
small weight-w secret a ∈ R.
Problem 1: Public G ∈ R=q with
aG + e = 0. Small secret e ∈ R.
Problem 2: Public G ∈ R=q and
aG + e = A. Small secret e ∈ R.
Problem 3: Public G1; G2 ∈ R=q.
Public aG1 + e1; aG2 + e2.
Small secrets e1; e2 ∈ R.
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
![Page 25: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/25.jpg)
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
![Page 26: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/26.jpg)
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
![Page 27: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/27.jpg)
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
![Page 28: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/28.jpg)
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
![Page 29: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/29.jpg)
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
![Page 30: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/30.jpg)
5
Lattices
Rewrite each problem as finding
short nonzero solution to system
of homogeneous R=q equations.
Problem 1: Find (a; e) ∈ R2
with aG + e = 0, given G ∈ R=q.
Problem 2: Find (a; t; e) ∈ R3
with aG + e = At,
given G;A ∈ R=q.
Problem 3: Find
(a; t1; t2; e1; e2) ∈ R5 with
aG1 +e1 = A1t1, aG2 +e2 = A2t2,
given G1; A1; G2; A2 ∈ R=q.
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
![Page 31: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/31.jpg)
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
![Page 32: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/32.jpg)
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
![Page 33: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/33.jpg)
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
![Page 34: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/34.jpg)
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
![Page 35: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/35.jpg)
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
![Page 36: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/36.jpg)
6
Recognize each solution space
as a full-rank lattice:
Problem 1: Lattice is image of
the map (a; r) 7→ (a; qr − aG)
from R2 to R2.
Problem 2: Lattice is
image of the map (a; t; r) 7→(a; t; At + qr − aG).
Problem 3: Lattice is image of
the map (a; t1; t2; r1; r2) 7→(a; t1; t2; A1t1 + qr1 − aG1;
A2t2 + qr2 − aG2).
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
![Page 37: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/37.jpg)
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
![Page 38: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/38.jpg)
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
![Page 39: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/39.jpg)
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
![Page 40: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/40.jpg)
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
![Page 41: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/41.jpg)
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
![Page 42: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/42.jpg)
7
Module structure
Each of these lattices is an R-
module, and thus has, generically,
many independent short vectors.
e.g. in Problem 2:
Lattice has short (a; t; e).
Lattice has short (xa; xt; xe).
Lattice has short (x2a; x2t; x2e).
etc.
Many more lattice vectors
are fairly short combinations
of independent vectors:
e.g., ((x + 1)a; (x + 1)t; (x + 1)e).
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
![Page 43: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/43.jpg)
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
![Page 44: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/44.jpg)
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
![Page 45: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/45.jpg)
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
![Page 46: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/46.jpg)
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
![Page 47: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/47.jpg)
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
![Page 48: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/48.jpg)
8
1999 May, for Problem 1: Force
a stretch of coefficients of a to
be 0. This reduces lattice rank,
speeding up various attacks,
despite lower success chance.
(Always a speedup? Seems to be
a slowdown if q is very large:
see 2016 Kirchner–Fouque.)
Other problems: same speedup.
e.g. “Bai–Galbraith embedding”
for Problem 2: Force t ∈ Z; force
a few coefficients of a to be 0.
(Slowdown if q is very large?
Literature misses module option!)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
![Page 49: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/49.jpg)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
![Page 50: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/50.jpg)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
![Page 51: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/51.jpg)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
![Page 52: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/52.jpg)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
![Page 53: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/53.jpg)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
11
Write equation e = qr − aGas 761 equations on coefficients.
![Page 54: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/54.jpg)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
11
Write equation e = qr − aGas 761 equations on coefficients.
![Page 55: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/55.jpg)
9
Standard analysis for Problem 1
Uniform random small weight-w
secret a has length√w ≈ 17.
Uniform random small secret
e has length usually close top1522=3 ≈ 23. (Impact of
variations? Partial answer: 2020
Dachman-Soled–Ducas–Gong–
Rossi. Is fixed weight safer?)
Lattice has rank 2 · 761 = 1522.
Attack parameter: k = 13.
Force k positions in a to be 0:
restrict to sublattice of rank 1509.
Pr[a is in sublattice] ≈ 0:2%.
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
11
Write equation e = qr − aGas 761 equations on coefficients.
![Page 56: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/56.jpg)
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
11
Write equation e = qr − aGas 761 equations on coefficients.
![Page 57: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/57.jpg)
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
11
Write equation e = qr − aGas 761 equations on coefficients.
Attack parameter: m = 600.
Ignore 761−m = 161 equations:
i.e., project e onto 600 positions.
(1999 May.) Sublattice rank
d = 1509− 161 = 1348; det q600.
![Page 58: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/58.jpg)
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
11
Write equation e = qr − aGas 761 equations on coefficients.
Attack parameter: m = 600.
Ignore 761−m = 161 equations:
i.e., project e onto 600 positions.
(1999 May.) Sublattice rank
d = 1509− 161 = 1348; det q600.
Attack parameter: – = 1:331876.
Rescaling (1997 Coppersmith–
Shamir): Assign weight – to
positions in a. Increases length
of a to –√w ≈ 23; increases det
to –748q600. (Is this – optimal?
Interaction with e size variation?)
![Page 59: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/59.jpg)
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
11
Write equation e = qr − aGas 761 equations on coefficients.
Attack parameter: m = 600.
Ignore 761−m = 161 equations:
i.e., project e onto 600 positions.
(1999 May.) Sublattice rank
d = 1509− 161 = 1348; det q600.
Attack parameter: – = 1:331876.
Rescaling (1997 Coppersmith–
Shamir): Assign weight – to
positions in a. Increases length
of a to –√w ≈ 23; increases det
to –748q600. (Is this – optimal?
Interaction with e size variation?)
12
Cost-analysis challenges
Huge space of attack lattices.
For each of these lattices, try to
figure out cost of (e.g.) BKZ-˛
and chance it finds short vector.
![Page 60: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/60.jpg)
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
11
Write equation e = qr − aGas 761 equations on coefficients.
Attack parameter: m = 600.
Ignore 761−m = 161 equations:
i.e., project e onto 600 positions.
(1999 May.) Sublattice rank
d = 1509− 161 = 1348; det q600.
Attack parameter: – = 1:331876.
Rescaling (1997 Coppersmith–
Shamir): Assign weight – to
positions in a. Increases length
of a to –√w ≈ 23; increases det
to –748q600. (Is this – optimal?
Interaction with e size variation?)
12
Cost-analysis challenges
Huge space of attack lattices.
For each of these lattices, try to
figure out cost of (e.g.) BKZ-˛
and chance it finds short vector.
![Page 61: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/61.jpg)
10
Attacker is just as happy to find
another solution such as (xa; xe).
Standard analysis for, e.g.,
Z[x ]=(x761 − 1): Each (x ja; x je)
has chance ≈0:2% of being in
sublattice. These 761 chances
are independent. (No, they
aren’t; also, total Pr depends on
attacker’s choice of positions.
See 2001 May–Silverman.)
Ignore bigger solutions (¸a; ¸e).
(How hard are these to find?)
Pretend this analysis applies to
Z[x ]=(x761 − x − 1). (It doesn’t.)
11
Write equation e = qr − aGas 761 equations on coefficients.
Attack parameter: m = 600.
Ignore 761−m = 161 equations:
i.e., project e onto 600 positions.
(1999 May.) Sublattice rank
d = 1509− 161 = 1348; det q600.
Attack parameter: – = 1:331876.
Rescaling (1997 Coppersmith–
Shamir): Assign weight – to
positions in a. Increases length
of a to –√w ≈ 23; increases det
to –748q600. (Is this – optimal?
Interaction with e size variation?)
12
Cost-analysis challenges
Huge space of attack lattices.
For each of these lattices, try to
figure out cost of (e.g.) BKZ-˛
and chance it finds short vector.
![Page 62: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/62.jpg)
11
Write equation e = qr − aGas 761 equations on coefficients.
Attack parameter: m = 600.
Ignore 761−m = 161 equations:
i.e., project e onto 600 positions.
(1999 May.) Sublattice rank
d = 1509− 161 = 1348; det q600.
Attack parameter: – = 1:331876.
Rescaling (1997 Coppersmith–
Shamir): Assign weight – to
positions in a. Increases length
of a to –√w ≈ 23; increases det
to –748q600. (Is this – optimal?
Interaction with e size variation?)
12
Cost-analysis challenges
Huge space of attack lattices.
For each of these lattices, try to
figure out cost of (e.g.) BKZ-˛
and chance it finds short vector.
![Page 63: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/63.jpg)
11
Write equation e = qr − aGas 761 equations on coefficients.
Attack parameter: m = 600.
Ignore 761−m = 161 equations:
i.e., project e onto 600 positions.
(1999 May.) Sublattice rank
d = 1509− 161 = 1348; det q600.
Attack parameter: – = 1:331876.
Rescaling (1997 Coppersmith–
Shamir): Assign weight – to
positions in a. Increases length
of a to –√w ≈ 23; increases det
to –748q600. (Is this – optimal?
Interaction with e size variation?)
12
Cost-analysis challenges
Huge space of attack lattices.
For each of these lattices, try to
figure out cost of (e.g.) BKZ-˛
and chance it finds short vector.
Accurate experiments are slow.
Need accurate fast estimates!
![Page 64: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/64.jpg)
11
Write equation e = qr − aGas 761 equations on coefficients.
Attack parameter: m = 600.
Ignore 761−m = 161 equations:
i.e., project e onto 600 positions.
(1999 May.) Sublattice rank
d = 1509− 161 = 1348; det q600.
Attack parameter: – = 1:331876.
Rescaling (1997 Coppersmith–
Shamir): Assign weight – to
positions in a. Increases length
of a to –√w ≈ 23; increases det
to –748q600. (Is this – optimal?
Interaction with e size variation?)
12
Cost-analysis challenges
Huge space of attack lattices.
For each of these lattices, try to
figure out cost of (e.g.) BKZ-˛
and chance it finds short vector.
Accurate experiments are slow.
Need accurate fast estimates!
Efforts to simplify are error-prone;
e.g. “conservative lower bound”
(3=2)˛=2 on (pre-q) cost is broken
for all sufficiently large sizes.
![Page 65: NTRU Prime: round 2 Table 2: Tanja Lange Exploring the ...tanja-20200706-lattice-4x3.pdf368 185 enum, ignoring hybrid 230 169 enum, including hybrid 153 139 sieving, ignoring hybrid](https://reader034.vdocuments.us/reader034/viewer/2022050520/5fa40372af29fa0213354183/html5/thumbnails/65.jpg)
11
Write equation e = qr − aGas 761 equations on coefficients.
Attack parameter: m = 600.
Ignore 761−m = 161 equations:
i.e., project e onto 600 positions.
(1999 May.) Sublattice rank
d = 1509− 161 = 1348; det q600.
Attack parameter: – = 1:331876.
Rescaling (1997 Coppersmith–
Shamir): Assign weight – to
positions in a. Increases length
of a to –√w ≈ 23; increases det
to –748q600. (Is this – optimal?
Interaction with e size variation?)
12
Cost-analysis challenges
Huge space of attack lattices.
For each of these lattices, try to
figure out cost of (e.g.) BKZ-˛
and chance it finds short vector.
Accurate experiments are slow.
Need accurate fast estimates!
Efforts to simplify are error-prone;
e.g. “conservative lower bound”
(3=2)˛=2 on (pre-q) cost is broken
for all sufficiently large sizes.
Hybrid attacks (2008 Howgrave-
Graham, : : : , 2018 Wunderer):
often faster; different analysis.