40 research outputs found
Certified lattice reduction
Quadratic form reduction and lattice reduction are fundamental tools in computational number theory and in computer science, especially in cryptography. The celebrated Lenstra-Lenstra-Lovász reduction algorithm (so-called LLL) has been improved in many ways through the past decades and remains one of the central methods used for reducing integral lattice bases. In particular, its floating-point variants, where the rational arithmetic required by Gram-Schmidt orthogonalization is replaced by floating-point arithmetic, are now the fastest known. However, the systematic study of the reduction theory of real quadratic forms or, more generally, of real lattices is not widely represented in the literature. When the problem arises, the lattice is usually replaced by an integral approximation of (a multiple of) the original lattice, which is then reduced. While practically useful and proven in some special cases, this method doesn't offer any guarantee of success in general. In this work, we present an adaptive-precision version of a generalized LLL algorithm that covers this case in all generality. In particular, we replace floating-point arithmetic by interval arithmetic to certify the behavior of the algorithm. We conclude by giving a typical application of the result in algebraic number theory for the reduction of ideal lattices in number fields.
Comment: 23 page
The nearest-colattice algorithm
In this work, we exhibit a hierarchy of polynomial time algorithms solving approximate variants of the Closest Vector Problem (CVP). Our first contribution is a heuristic algorithm achieving the same distance tradeoff as HSVP algorithms, namely for a random lattice of rank . Compared to the so-called Kannan's embedding technique, our algorithm allows using precomputations and can be used for efficient batch CVP instances. This implies that some attacks on lattice-based signatures lead to very cheap forgeries, after a precomputation. Our second contribution is a proven reduction from approximating the closest vector with a factor to the Shortest Vector Problem (SVP) in dimension .
Comment: 19 pages, presented at the Algorithmic Number Theory Symposium (ANTS 2020)
Proving uniformity and independence by self-composition and coupling
Proof by coupling is a classical proof technique for establishing probabilistic properties of two probabilistic processes, like stochastic dominance and rapid mixing of Markov chains. More recently, couplings have been investigated as a useful abstraction for formal reasoning about relational properties of probabilistic programs, in particular for modeling reduction-based cryptographic proofs and for verifying differential privacy. In this paper, we demonstrate that probabilistic couplings can be used for verifying non-relational probabilistic properties. Specifically, we show that the program logic pRHL, whose proofs are formal versions of proofs by coupling, can be used for formalizing uniformity and probabilistic independence. We formally verify our main examples using the EasyCrypt proof assistant.
*-Liftings for Differential Privacy
Recent developments in formal verification have identified approximate liftings (also known as approximate couplings) as a clean, compositional abstraction for proving differential privacy. There are two styles of definitions for this construction. Earlier definitions require the existence of one or more witness distributions, while a recent definition by Sato uses universal quantification over all sets of samples. These notions have different strengths and weaknesses: the universal version is more general than the existential ones, but the existential versions enjoy more precise composition principles.
We propose a novel, existential version of approximate lifting, called *-lifting, and show that it is equivalent to Sato's construction for discrete probability measures. Our work unifies all known notions of approximate lifting, giving cleaner properties, more general constructions, and more precise composition theorems for both styles of lifting, enabling richer proofs of differential privacy. We also clarify the relation between existing definitions of approximate lifting, and generalize our constructions to approximate liftings based on f-divergences.
Quantum binary quadratic form reduction
Quadratic form reduction enjoys broad uses both in classical and quantum algorithms, such as in the celebrated LLL algorithm for lattice reduction. In this paper, we propose the first quantum circuit for definite binary quadratic form reduction that achieves O(n log n) depth, O(n^2) width and O(n^2 log(n)) quantum gates. The proposed work is based on a binary variant of the reduction algorithm for definite quadratic forms. As side results, we show a quantum circuit performing bit rotation with O(log n) depth, O(n) width, and O(n log n) gates, in addition to a circuit performing integer logarithm computation with O(log n) depth, O(n) width, and O(n) gates.
Algebraic and Euclidean Lattices: Optimal Lattice Reduction and Beyond
We introduce a framework generalizing lattice reduction algorithms to module lattices in order to practically and efficiently solve the -Hermite Module-SVP problem over arbitrary cyclotomic fields. The core idea is to exploit the structure of the subfields for designing a doubly-recursive strategy of reduction: both recursive in the rank of the module and in the field we are working in. Besides, we demonstrate how to leverage the inherent symplectic geometry existing in the tower of fields to provide a significant speed-up of the reduction for rank two modules. The recursive strategy over the rank can also be applied to the reduction of Euclidean lattices, and we can perform a reduction in asymptotically almost the same time as matrix multiplication. As a byproduct of the design of these fast reductions, we also generalize to all cyclotomic fields and provide speedups for many previous number theoretical algorithms. Quantitatively, we show that a module of rank 2 over a cyclotomic field of degree can be heuristically reduced within approximation factor in time , where is the bitlength of the entries. For large enough, this complexity shrinks to . This last result is particularly striking as it goes below the estimate of swaps given by the classical analysis of the LLL algorithm using the so-called potential.
Finding short integer solutions when the modulus is small
We present cryptanalysis of the inhomogeneous short integer solution (ISIS) problem for anomalously small moduli by exploiting the geometry of BKZ reduced bases of -ary lattices.
We apply this cryptanalysis to examples from the literature where taking such small moduli has been suggested. A recent work [Espitau–Tibouchi–Wallet–Yu, CRYPTO 2022] suggests small versions of the lattice signature scheme FALCON and its variant MITAKA.
For one small parametrisation of FALCON we reduce the estimated security against signature forgery by approximately 26 bits. For one small parametrisation of MITAKA we successfully forge a signature in seconds.
Loop-Abort Faults on Lattice-Based Fiat–Shamir and Hash-and-Sign Signatures
As the advent of general-purpose quantum computers appears to be drawing closer, agencies and advisory bodies have started recommending that we prepare the transition away from factoring and discrete logarithm-based cryptography, and towards postquantum secure constructions, such as lattice-based schemes.
Almost all primitives of classical cryptography (and more!) can be realized with lattices, and the efficiency of primitives like encryption and signatures has gradually improved to the point that key sizes are competitive with RSA at similar security levels, and fast performance can be achieved both in software and hardware. However, little research has been conducted on physical attacks targeting concrete implementations of postquantum cryptography in general and lattice-based schemes in particular, and such research is essential if lattices are going to replace RSA and elliptic curves in our devices and smart cards.
In this paper, we look in particular at fault attacks against implementations of lattice-based signature schemes, looking both at Fiat–Shamir type constructions (particularly BLISS, but also GLP, PASSSing and Ring-TESLA) and at hash-and-sign schemes (particularly the GPV-based scheme of Ducas–Prest–Lyubashevsky). These schemes include essentially all practical lattice-based signatures, and achieve the best efficiency to date in both software and hardware. We present several fault attacks against those schemes yielding a full key recovery with only a few or even a single faulty signature, and discuss possible countermeasures to protect against these attacks.
Computing generator in cyclotomic integer rings
The Principal Ideal Problem (resp. Short Principal Ideal Problem), shortened to PIP (resp. SPIP), consists in finding a generator (resp. short generator) of a principal ideal in the ring of integers of a number field. Several lattice-based cryptosystems rely on the presumed hardness of these two problems. Yet, in practice, most of them do not use an arbitrary number field but a power-of-two cyclotomic field. The Smart and Vercauteren fully homomorphic encryption scheme and the multilinear map of Garg, Gentry and Halevi epitomize this common restriction. Recently, Cramer, Ducas, Peikert and Regev showed that solving the SPIP in such cyclotomic rings boils down to solving the PIP. We complete their result with an algorithm that solves PIP in cyclotomic fields in subexponential time , where denotes the discriminant of the number field and N its degree. This asymptotic complexity can be compared with the one obtained by the Biasse and Fieker method, which also aims at finding a generator, but runs in L_{|\Delta_K|}(2/3). Besides this theoretical improvement, our algorithm makes it possible to recover in practice the secret key of the Smart and Vercauteren scheme, for the smallest proposed parameters.