Artin's primitive root conjecture - a survey -
This is an expanded version of a write-up of a talk given in the fall of 2000
in Oberwolfach. A large part of it is intended to be understandable by
non-number theorists with a mathematical background. The talk covered some of
the history, results and ideas connected with Artin's celebrated primitive root
conjecture dating from 1927. In the update several new results established
after 2000 are also discussed.
Comment: 87 pages, 512 references, to appear in Integer
How (Not) to Instantiate Ring-LWE
The \emph{learning with errors over rings} (Ring-LWE) problem---or
more accurately, family of problems---has emerged as a promising
foundation for cryptography due to its practical efficiency,
conjectured quantum resistance, and provable \emph{worst-case
hardness}: breaking certain instantiations of Ring-LWE is at least
as hard as quantumly approximating the Shortest Vector Problem on
\emph{any} ideal lattice in the ring.
Despite this hardness guarantee, several recent works have shown that
certain instantiations of Ring-LWE can be broken by relatively simple
attacks. While the affected instantiations are not supported by
worst-case hardness theorems (and were not ever proposed for
cryptographic purposes), this state of affairs raises natural
questions about what other instantiations might be vulnerable, and in
particular whether certain classes of rings are inherently unsafe for
Ring-LWE.
This work comprehensively reviews the known attacks on Ring-LWE and
vulnerable instantiations. We give a new, unified exposition which
reveals an elementary geometric reason why the attacks work, and
provide rigorous analysis to explain certain phenomena that were
previously only exhibited by experiments. In all cases, the
insecurity of an instantiation is due to the fact that the error
distribution is insufficiently ``well spread'' relative to the ring.
In particular, the insecure instantiations use the so-called
\emph{non-dual} form of Ring-LWE, together with \emph{spherical} error
distributions that are much narrower and of a very different shape
than the ones supported by hardness proofs.
On the positive side, we show that any Ring-LWE instantiation which
satisfies (or only almost satisfies) the hypotheses of the
``worst-case hardness of search'' theorem is \emph{provably immune} to
broad generalizations of the above-described attacks: the running time
divided by advantage is at least exponential in the degree of the
ring. This holds for the ring of integers in \emph{any} number field,
so the rings themselves are not the source of insecurity in the
vulnerable instantiations. Moreover, the hypotheses of the worst-case
hardness theorem are \emph{nearly minimal} ones which provide these
immunity guarantees.
Usability of structured lattices for a post-quantum cryptography: practical computations, and a study of some real Kummer extensions
Lattice-based cryptography is an excellent candidate for post-quantum cryptography, i.e. cryptosystems which are resistant to attacks run on quantum computers. For efficiency reasons, most of the constructions explored nowadays are based on structured lattices, such as module lattices or ideal lattices. The security of most constructions can be related to the hardness of retrieving a short element in such lattices, and it is not yet known to what extent these additional structures weaken the cryptosystems. A related problem – an extension of a classical problem in computational number theory – called the Short Principal Ideal Problem (or SPIP), consists of finding a short generator of a principal ideal. Its assumed hardness has been used to build some cryptographic schemes. However, it has been shown to be solvable in quantum polynomial time over cyclotomic fields, through an attack which uses the Log-unit lattice of the field considered. Later, practical results showed that multiquadratic fields were also vulnerable to this strategy.
The main general question that we study in this thesis is: to what extent can structured lattices be used to build a post-quantum cryptography?
Performance Evaluation of Optimal Ate Pairing on Low-Cost Single Microprocessor Platform
The framework of low-cost interconnected devices forms a new kind of cryptographic environment with diverse requirements. Due to the minimal resource capacity of the devices, light-weight cryptographic algorithms are favored.
Many applications of IoT work autonomously and process sensitive data, which emphasizes security needs, and might also call for specific security measures.
A bilinear pairing is a mapping based on groups formed by elliptic curves over extension fields. Pairings are the key enabler for versatile cryptosystems, such as certificateless signatures and searchable encryption. However, they have a major computational overhead, which conflicts with the constraints of low-cost devices. Nonetheless, bilinear pairings are the only known approach for many cryptographic protocols, so their feasibility should certainly be studied, as they might turn out to be necessary for some future IoT solutions. Promising results already exist for high-frequency CPUs and platforms with hardware extensions.
In this work, we study the feasibility of computing the optimal ate pairing over the BN254 curve on a 64 MHz Cortex-M33-based platform by utilizing an optimized open-source library. The project is carried out for the company Nordic Semiconductor. As a result, the pairing was computed in under 26 × 10^6 cycles, or in 410 ms.
The resulting pairing enables a limited usage of pairing-based cryptography, with a capacity of at most a few cryptographic operations per second, such as ID-based key verifications. Compared with other relevant works, a competent pairing application would require either a high-frequency (and thus power-hungry) microprocessor, or a customized FPGA. Moreover, it is noted that research in efficient pairing-based cryptography is constantly taking steps forward on every front: efficient algorithms, protocols, and hardware solutions.
Algebraic and Euclidean Lattices: Optimal Lattice Reduction and Beyond
We introduce a framework generalizing lattice reduction algorithms to module
lattices in order to practically and efficiently solve the -Hermite
Module-SVP problem over arbitrary cyclotomic fields. The core idea is to
exploit the structure of the subfields for designing a doubly-recursive
strategy of reduction: both recursive in the rank of the module and in the
field we are working in. Besides, we demonstrate how to leverage the inherent
symplectic geometry existing in the tower of fields to provide a significant
speed-up of the reduction for rank two modules. The recursive strategy over the
rank can also be applied to the reduction of Euclidean lattices, and we can
perform a reduction in asymptotically almost the same time as matrix
multiplication. As a byproduct of the design of these fast reductions, we also
generalize to all cyclotomic fields and provide speedups for many previous
number theoretical algorithms. Quantitatively, we show that a module of rank 2
over a cyclotomic field of degree can be heuristically reduced within
approximation factor in time , where is
the bitlength of the entries. For large enough, this complexity shrinks to
. This last result is particularly striking as it
goes below the estimate of swaps given by the classical analysis of the
LLL algorithm using the so-called potential
- …