28 research outputs found
PotLLL: A Polynomial Time Version of LLL With Deep Insertions
Lattice reduction algorithms have numerous applications in number theory,
algebra, as well as in cryptanalysis. The most famous algorithm for lattice
reduction is the LLL algorithm. In polynomial time it computes a reduced basis
with provable output quality. One early improvement of the LLL algorithm was
LLL with deep insertions (DeepLLL). The output of this version of LLL has
higher quality in practice but the running time seems to explode. Weaker
variants of DeepLLL, where the insertions are restricted to blocks, behave
nicely in practice concerning the running time. However no proof of polynomial
running time is known. In this paper PotLLL, a new variant of DeepLLL with
provably polynomial running time, is presented. We compare the practical
behavior of the new algorithm to classical LLL, BKZ as well as blockwise
variants of DeepLLL regarding both the output quality and running time.Comment: 17 pages, 8 figures; extended version of arXiv:1212.5100 [cs.CR
Tensor-based trapdoors for CVP and their application to public key cryptography
We propose two trapdoors for the Closest-Vector-Problem in lattices (CVP) related to the lattice tensor product. Using these trapdoors we set up a lattice-based cryptosystem which resembles to the McEliece scheme
Worst-Case Hermite-Korkine-Zolotarev Reduced Lattice Bases
The Hermite-Korkine-Zolotarev reduction plays a central role in strong
lattice reduction algorithms. By building upon a technique introduced by Ajtai,
we show the existence of Hermite-Korkine-Zolotarev reduced bases that are
arguably least reduced. We prove that for such bases, Kannan's algorithm
solving the shortest lattice vector problem requires
d^{\frac{d}{2\e}(1+o(1))} bit operations in dimension . This matches the
best complexity upper bound known for this algorithm. These bases also provide
lower bounds on Schnorr's constants and that are
essentially equal to the best upper bounds. Finally, we also show the existence
of particularly bad bases for Schnorr's hierarchy of reductions
A Tale of Three Signatures: practical attack of ECDSA with wNAF
One way of attacking ECDSA with wNAF implementation for the scalar multiplication is to perform a side-channel analysis to collect information, then use a lattice based method to recover the secret key. In this paper, we reinvestigate the construction of the lattice used in one of these methods, the Extended Hidden Number Problem (EHNP). We find the secret key with only 3 signatures, thus reaching the theoretical bound given by Fan, Wang and Cheng, whereas best previous methods required at least 4 signatures in practice. Our attack is more efficient than previous attacks, in particular compared to times reported by Fan et al. at CCS 2016 and for most cases, has better probability of success. To obtain such results, we perform a detailed analysis of the parameters used in the attack and introduce a preprocessing method which reduces by a factor up to 7 the overall time to recover the secret key for some parameters. We perform an error resilience analysis which has never been done before in the setup of EHNP. Our construction is still able to find the secret key with a small amount of erroneous traces, up to 2% of false digits, and 4% with a specific type of error. We also investigate Coppersmith's methods as a potential alternative to EHNP and explain why, to the best of our knowledge, EHNP goes beyond the limitations of Coppersmith's methods