160 research outputs found
A New Reduction from Search SVP to Optimization SVP
It is well known that search SVP is equivalent to optimization SVP. However,
the former reduction from search SVP to optimization SVP by Kannan needs
polynomial times calls to the oracle that solves the optimization SVP. In this
paper, a new rank-preserving reduction is presented with only one call to the
optimization SVP oracle. It is obvious that the new reduction needs the least
calls, and improves Kannan's classical result. What's more, the idea also leads
a similar direct reduction from search CVP to optimization CVP with only one
call to the oracle
A Coefficient-Embedding Ideal Lattice can be Embedded into Infinitely Many Polynomial Rings
Many lattice-based crypstosystems employ ideal lattices for high efficiency.
However, the additional algebraic structure of ideal lattices usually makes us
worry about the security, and it is widely believed that the algebraic
structure will help us solve the hard problems in ideal lattices more
efficiently. In this paper, we study the additional algebraic structure of
ideal lattices further and find that a given ideal lattice in some fixed
polynomial ring can be embedded as an ideal in infinitely many different
polynomial rings. We explicitly present all these polynomial rings for any
given ideal lattice. The interesting phenomenon tells us that a single ideal
lattice may have more abundant algebraic structures than we imagine, which will
impact the security of corresponding crypstosystems. For example, it increases
the difficulties to evaluate the security of crypstosystems based on ideal
lattices, since it seems that we need consider all the polynomial rings that
the given ideal lattices can be embedded into if we believe that the algebraic
structure will contribute to solve the corresponding hard problem. It also
inspires us a new method to solve the ideal lattice problems by embedding the
given ideal lattice into another well-studied polynomial ring. As a by-product,
we also introduce an efficient algorithm to identify if a given lattice is an
ideal lattice or not
Generalized Implicit Factorization Problem
The Implicit Factorization Problem was first introduced by May and
Ritzenhofen at PKC'09. This problem aims to factorize two RSA moduli
and when their prime factors share a certain number
of least significant bits (LSBs). They proposed a lattice-based algorithm to
tackle this problem and extended it to cover RSA moduli. Since then,
several variations of the Implicit Factorization Problem have been studied,
including the cases where and share some most significant bits
(MSBs), middle bits, or both MSBs and LSBs at the same position.
In this paper, we explore a more general case of the Implicit Factorization
Problem, where the shared bits are located at different and unknown positions
for different primes. We propose a lattice-based algorithm and analyze its
efficiency under certain conditions. We also present experimental results to
support our analysis
Cryptanalysis of the Randomized Version of a Lattice-Based Signature Scheme from PKC'08
International audienceIn PKC'08, Plantard, Susilo and Win proposed a lattice-based signature scheme, whose security is based on the hardness of the closest vector problem with the infinity norm (CVP∞). This signature scheme was proposed as a countermeasure against the Nguyen-Regev attack, which improves the security and the efficiency of the Goldreich, Goldwasser and Halevi scheme (GGH). Furthermore, to resist potential side channel attacks, the authors suggested modifying the determinis-tic signing algorithm to be randomized. In this paper, we propose a chosen message attack against the randomized version. Note that the randomized signing algorithm will generate different signature vectors in a relatively small cube for the same message, so the difference of any two signature vectors will be relatively short lattice vector. Once collecting enough such short difference vectors, we can recover the whole or the partial secret key by lattice reduction algorithms, which implies that the randomized version is insecure under the chosen message attack
Cryptanalysis of the Structure-Preserving Signature Scheme on Equivalence Classes from Asiacrypt 2014
At Asiacrypt 2014, Hanser and Slamanig presented a new cryptographic primitive called structure-preserving signature scheme on equivalence classes in the message space (\G_1^*)^\ell , where \G_1 is some additive cyclic group. Based on the signature scheme, they constructed an efficient multi-show attribute-based anonymous credential
system that allows to encode an arbitrary number of attributes. The signature scheme was claimed to be existentially unforgeable under the adaptive chosen message attacks in the generic group model. However, for ,
Fuchsbauer pointed out a valid existential forgery can be generated with overwhelming probability by using 4 adaptive chosen-message queries. Hence, the scheme is existentially forgeable under the adaptive chosen message attack at least when . In this paper, we show that even for the general case , the scheme is \textit{existentially forgeable} under the \textit{non-adaptive} chosen message attack and \textit{universally forgeable} under the \textit{adaptive} chosen message attack.
It is surprising that our attacks will succeed all the time and need fewer queries,
which give a better description of the scheme\u27s security
A Note on the Density of the Multiple Subset Sum Problems
It is well known that the general subset sum problem is NP-complete. However, almost all subset sum problems with density less than can be solved in polynomial time with an oracle that can find the shortest vector in a special lattice. In this paper, we give a similar result for the multiple subset sum problems which has subset sum problems with the same solution. Some extended versions of the multiple subset sum problems are also considered. In addition, a modified lattice is involved to make the analysis much simpler than before
An algorithm for factoring integers
We propose an algorithm for factoring a
composite number. The method seems new
Cryptanalysis of the Cai-Cusick Lattice-based Public-key Cryptosystem
In 1998, Cai and Cusick proposed a lattice-based public-key
cryptosystem based on the similar ideas of the Ajtai-Dwork
cryptosystem, but with much less data expansion. However, they
didn\u27t give any security proof. In our paper, we present an
efficient ciphertext-only attack which runs in polynomial time
against the cryptosystem to recover the message, so the Cai-Cusick
lattice-based public-key cryptosystem is not secure. We also present
two chosen-ciphertext attacks to get a similar private key which
acts as the real private key
- …