19 research outputs found

    Usability of structured lattices for a post-quantum cryptography: practical computations, and a study of some real Kummer extensions

    Lattice-based cryptography is an excellent candidate for post-quantum cryptography, i.e. cryptosystems which are resistant to attacks run on quantum computers. For efficiency reasons, most of the constructions explored nowadays are based on structured lattices, such as module lattices or ideal lattices. The security of most constructions can be related to the hardness of retrieving a short element in such lattices, and one does not know yet to what extent these additional structures weaken the cryptosystems. A related problem, which is an extension of a classical problem in computational number theory, called the Short Principal Ideal Problem (or SPIP), consists of finding a short generator of a principal ideal. Its assumed hardness has been used to build some cryptographic schemes. However, it has been shown to be solvable in quantum polynomial time over cyclotomic fields, through an attack which uses the Log-unit lattice of the field considered. Later, practical results showed that multiquadratic fields were also weak to this strategy. The main general question that we study in this thesis is: to what extent can structured lattices be used to build a post-quantum cryptography?

    Efficient randomized regular modular exponentiation using combined Montgomery and Barrett multiplications

    Copyright 2016 by SCITEPRESS - Science and Technology Publications, Lda. All rights reserved.
    Cryptographic operations performed on an embedded device are vulnerable to side channel analysis and particularly to differential and correlation power analysis. The basic protection against such attacks is to randomize the data all along the cryptographic computations. In this paper we present a modular multiplication algorithm which can be used for randomization. We show that we can use it to randomize the modular exponentiation of the RSA cryptosystem. The proposed randomization is free of computation and induces a level of randomization from 2^10 to 2^15 for practical RSA modulus sizes.

    Computing e-th roots in number fields

    We describe several algorithms for computing e-th roots of elements in a number field K, where e is an odd prime-power integer. In particular we generalize Couveignes' and Thomé's algorithms originally designed to compute square roots in the Number Field Sieve algorithm for integer factorization. Our algorithms cover most cases of e and K and allow one to obtain reasonable timings even for large degree number fields and large exponents e. The complexity of our algorithms is better than that of general root finding algorithms, and our implementation compared well in performance to these algorithms as implemented in well-known computer algebra systems. One important application of our algorithms is to compute the saturation phase in the Twisted-PHS algorithm for solving the Ideal-SVP problem over cyclotomic fields in post-quantum cryptography.
    Comment: 9 pages, 4 figures. Associated experimental code provided at https://github.com/ob3rnard/eth-root

    A note on the discriminant and prime ramification of some real Kummer extensions

    In this note, we establish some facts about real Kummer extensions of the form $L = \mathbb{Q}(\sqrt[p]{m_1}, \ldots, \sqrt[p]{m_r})$ and $L = K(\sqrt[p]{m_1}, \ldots, \sqrt[p]{m_r})$ where $K = \mathbb{Q}(\sqrt[q]{n_1}, \ldots, \sqrt[q]{n_s})$. In particular, we study the splitting of primes in $L$ and exhibit fairly canonical and simple $\mathbb{Q}$-bases of $L$ and $d_L \in \mathbb{N}$ such that the order it generates contains $d_L \mathcal{O}_L$.

    On the Short Principal Ideal Problem over some real Kummer fields

    Several cryptosystems using structured lattices have been believed to be quantum resistant. Their security can be linked to the hardness of solving the Shortest Vector Problem over module or ideal lattices. During the past few years it has been shown that the related problem of finding a short generator of a principal ideal can be solved in quantum polynomial time over cyclotomic fields, and in classical polynomial time over a range of multiquadratic and multicubic fields. Hence, it is important to study as many other number fields as possible, to improve our knowledge of the aforementioned problems. In this paper we generalise the work done over multiquadratic and multicubic fields to a larger range of real Kummer extensions of prime exponent p. Moreover, we extend the analysis by studying the Log-unit lattice over these number fields, in comparison to already studied fields.

    Computing roots of polynomials over number fields using complex embeddings

    We explore a generic method to compute roots of polynomials over number fields through complex embeddings. We show how to use the structure of a relative extension to decode in a subfield. Additionally, we describe several heuristic options to improve practical efficiency. We provide experimental data from our implementation, and compare our methods to the one implemented in Pari/GP.

    Efficient leak resistant modular exponentiation in RNS

    2017 IEEE. The leak resistant arithmetic in RNS was introduced in 2004 to randomize RSA modular exponentiation. This randomization is meant to protect implementations on embedded devices from side channel analysis. We propose in this paper a faster version of the approach of Bajard et al. in the case of right-to-left square-and-multiply exponentiation. We show that this saves roughly 30% of the computation when the randomization is done at each loop iteration. We also show that the level of randomization of the proposed approach is better than that of Bajard et al. after a few loop iterations.