358 research outputs found
Provably weak instances of ring-LWE revisited
In CRYPTO 2015, Elias, Lauter, Ozman and Stange described an attack on the non-dual decision version of the ring learning with errors problem (RLWE) for two special families of defining polynomials, whose construction depends on the modulus q that is being used. For particularly chosen error parameters, they managed to solve non-dual decision RLWE given 20 samples, with a success rate ranging from 10% to 80%. In this paper we show how to solve the search version for the same families and error parameters, using only 7 samples with a success rate of 100%. Moreover, our attack works for every modulus q, not only the q that was used to construct the defining polynomial. The attack is based on the observation that the RLWE error distribution for these families of polynomials is very skewed in the directions of the polynomial basis. For the parameters chosen by Elias et al., the smallest errors are negligible and simple linear algebra suffices to recover the secret. But enlarging the error parameters makes the largest errors wrap around, thereby rendering the RLWE problem unsuitable for cryptographic applications. These observations also apply to dual RLWE, but do not contradict the seminal work by Lyubashevsky, Peikert and Regev.
Sanitization of FHE ciphertexts
By definition, fully homomorphic encryption (FHE) schemes support homomorphic decryption, and all known FHE constructions are bootstrapped from a Somewhat Homomorphic Encryption (SHE) scheme via this technique. Additionally, when a public key is provided, ciphertexts are also re-randomizable, e.g., by adding to them fresh encryptions of 0. From those two operations we devise an algorithm to sanitize a ciphertext by making its distribution canonical. In particular, the distribution of the ciphertext does not depend on the circuit that led to it via homomorphic evaluation, thus providing circuit privacy in the honest-but-curious model. Unlike the previous approach based on noise flooding, our approach does not significantly degrade the security/efficiency trade-off of the underlying FHE. The technique can be applied to all lattice-based FHE schemes proposed so far, without substantially affecting their concrete parameters.
Second order statistical behavior of LLL and BKZ
The LLL algorithm (from Lenstra, Lenstra and Lovász) and its generalization BKZ (from Schnorr and Euchner) are widely used in cryptanalysis, especially for lattice-based cryptography. Precisely understanding their behavior is crucial for deriving appropriate key sizes for cryptographic schemes subject to lattice-reduction attacks. Current models, e.g. the Geometric Series Assumption and Chen-Nguyen's BKZ simulator, have provided a decent first-order analysis of the behavior of LLL and BKZ. However, they only focused on the average behavior and were not perfectly accurate. In this work, we initiate a second-order analysis of this behavior. We confirm and quantify discrepancies between models and experiments (in particular in the head and tail regions) and study their consequences. We also provide statistics on variations around the mean and on correlations, and study their impact. While mostly based on experiments, by pointing at and quantifying unaccounted-for phenomena, our study sets the ground for a theoretical and predictive understanding of LLL and BKZ performance at the second order.
Leonel Ducas: Playing by Ear: Growing Up and Growing Old through the Accordion
In this short audio story, Leonel Ducas describes his immigration to the United States from Canada and how music has been a significant part of his life, both socially and personally. Throughout the story, we gain a better idea of how Ducas learned accordion, his family history, and how he uses music as a means of remembering. This project focuses on French music for a course on Franco-American identity in Maine.
Theoretical study of the absorption spectra of the sodium dimer
Absorption of radiation from the sodium dimer molecular states correlating to Na(3s)-Na(3s) is investigated theoretically. Vibrational bound and continuum transitions from the singlet X Sigma-g+ state to the first excited singlet A Sigma-u+ and singlet B Pi-u states, and from the triplet a Sigma-u+ state to the first excited triplet b Sigma-g+ and triplet c Pi-g states, are studied quantum-mechanically. Theoretical and experimental data are used to characterize the molecular properties, taking advantage of knowledge recently obtained from ab initio calculations, spectroscopy, and ultra-cold atom collision studies. The quantum-mechanical calculations are carried out for temperatures in the range from 500 to 3000 K and are compared with previous calculations and measurements where available.
Comment: 19 pages, 8 figures, revtex, eps
Provable lattice reduction of Zn with blocksize n/2
The Lattice Isomorphism Problem (LIP) is the computational task of recovering, assuming it exists, an orthogonal linear transformation sending one lattice to another. For cryptographic purposes, the case of the trivial lattice Zn is of particular interest (Z LIP). Heuristic analysis suggests that the BKZ algorithm with blocksize β = n/2 + o(n) solves such instances (Ducas, Postlethwaite, Pulles, van Woerden, ASIACRYPT 2022). In this work, I propose a provable version of this statement, namely, that Z LIP can indeed be solved by making polynomially many calls to a Shortest Vector Problem oracle in dimension at most n/2 + 1.
Slowing and cooling molecules and neutral atoms by time-varying electric field gradients
A method of slowing, accelerating, cooling, and bunching molecules and neutral atoms using time-varying electric field gradients is demonstrated with cesium atoms in a fountain. The effects are measured and found to be in agreement with calculation. Time-varying electric field gradient slowing and cooling is applicable to atoms that have large dipole polarizabilities, including atoms that are not amenable to laser slowing and cooling, to Rydberg atoms, and to molecules, especially polar molecules with large electric dipole moments. The possible applications of this method include slowing and cooling thermal beams of atoms and molecules, launching cold atoms from a trap into a fountain, and measuring atomic dipole polarizabilities.
Comment: 13 pages, 10 figures. Scheduled for publication in Nov. 1 Phys. Rev.
On the Shortness of Vectors to be found by the Ideal-SVP Quantum Algorithm
The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard as the ana
The closest vector problem in tensored root lattices of type A and in their duals
In this work we consider the closest vector problem (CVP)—a problem also known as maximum-likelihood decoding—in the tensor of two root lattices of type A ((Formula presented.)), as well as in their duals ((Formula presented.)). This problem is mainly motivated by lattice based cryptography, where the cyclotomic rings (Formula presented.) (resp. its co-different (Formula presented.)) play a central role, and turn out to be isomorphic as lattices to tensors of (Formula presented.) lattices (resp. A root lattices). In particular, our results lead to solving CVP in (Formula presented.) and in (Formula presented.) for conductors of the form (Formula presented.) for any two odd primes p, q. For the primal case (Formula presented.), we provide a full characterization of the Voronoi region in terms of simple cycles in the complete directed bipartite graph (Formula presented.). This leads—relying on the Bellman-Ford algorithm for negative cycle detection—to a CVP algorithm running in polynomial time. Precisely, our algorithm performs (Formula presented.) operations on reals, where l is the number of bits per coordinate of the input target. For the dual case, we use a gluing-construction to solve CVP in sub-exponential time (Formula presented.)
