Fast Lattice Basis Reduction Suitable for Massive Parallelization and Its Application to the Shortest Vector Problem
The hardness of the shortest vector problem for lattices is a fundamental assumption underpinning the security of many lattice-based cryptosystems, and therefore, it is important to evaluate its difficulty.
Recent advances in studying the hardness of problems in large-scale lattice computing have pointed to the need to study the design and methodology for exploiting the performance of massively parallel computing environments.
In this paper, we propose a lattice basis reduction algorithm suitable for massive parallelization.
Our parallelization strategy is an extension of the Fukase-Kashiwabara algorithm (J. Information Processing, Vol. 23, No. 1, 2015).
In our algorithm, given a lattice basis as input, variants of the lattice basis are generated, and then each process reduces its lattice basis; at this time, the processes cooperate and share auxiliary information with each other to accelerate lattice basis reduction.
In addition, we propose a new strategy based on our evaluation function of a lattice basis in order to decrease the sum of squared lengths of orthogonal basis vectors.
We applied our algorithm to problem instances from the SVP Challenge.
We solved a 150-dimension problem instance in about 394 days by using large clusters, and we also solved problem instances of dimensions 134, 138, 140, 142, 144, 146, and 148.
Since the previous world record is the problem of dimension 132, these results demonstrate the effectiveness of our proposal.
Estimation of the Success Probability of Random Sampling by the Gram-Charlier Approximation
The lattice basis reduction algorithm is a method for solving the Shortest Vector Problem (SVP) on lattices. There are many variants of the lattice basis reduction algorithm such as LLL, BKZ, and RSR. Though BKZ has been used most widely, it is shown recently that some variants of RSR are quite efficient for solving a high-dimensional SVP (they achieved many best scores in the TU Darmstadt SVP challenge). RSR repeats alternately the generation of new very short lattice vectors from the current basis (we call this procedure "random sampling") and the improvement of the current basis by utilizing the generated very short lattice vectors. Therefore, it is important for investigating and ameliorating RSR to estimate the success probability of finding very short lattice vectors by combining the current basis. In this paper, we propose a new method for estimating the success probability by the Gram-Charlier approximation, which is a basic asymptotic expansion of any probability distribution by utilizing the higher order cumulants such as the skewness and the kurtosis. The proposed method uses a "parametric" model for estimating the probability, which gives a closed-form expression with a few parameters. Therefore, the proposed method is much more efficient than the previous methods using the non-parametric estimation. This enables us to investigate the lattice basis reduction algorithm intensively in various situations and clarify its properties. Numerical experiments verified that the Gram-Charlier approximation can estimate the actual distribution quite accurately. In addition, we investigated RSR and its variants by the proposed method. Consequently, the results showed that the weighted random sampling is useful for generating shorter lattice vectors. They also showed that it is crucial for solving the SVP to improve the current basis periodically.
Efficient Final Exponentiation via Cyclotomic Structure for Pairings over Families of Elliptic Curves
The final exponentiation, which is the exponentiation by a fixed large exponent, must be performed in the Tate and (optimal) Ate pairing computation to ensure output uniqueness, algorithmic correctness, and security for pairing-based cryptography. In this paper, we propose a new framework of efficient final exponentiation for pairings over families of elliptic curves. Our framework provides two methods: the first method supports families of elliptic curves with arbitrary embedding degrees, and the second method supports families with specific embedding degrees, providing even faster algorithms. Applying our framework to several Barreto-Lynn-Scott families, we obtain faster final exponentiation than the previous state-of-the-art constructions.
A Proposal of Security Notions for Privacy-Aware Analysis of Movement Sequence Information
SCIS 2013, The 30th Symposium on Cryptography and Information Security, Kyoto, Japan, Jan. 22-25, 2013, The Institute of Electronics, Information and Communication Engineers
Software implementation of an Attribute-Based Encryption scheme
A ciphertext-policy attribute-based encryption protocol uses bilinear pairings to provide access control mechanisms, where the set of a user's attributes is specified by means of a linear secret sharing scheme. In this paper we present the design of a software cryptographic library that achieves record timings for the computation of a 126-bit security level attribute-based encryption scheme. We developed all the required auxiliary building blocks and compared the computational weight that each of them adds to the overall performance of this protocol. In particular, our single pairing and multi-pairing implementations achieve state-of-the-art time performance at the 126-bit security level.
Quantum Algorithms for the Approximate k-List Problem and their Application to Lattice Sieving
The Shortest Vector Problem (SVP) is one of the mathematical foundations of lattice based cryptography. Lattice sieve algorithms are amongst the foremost methods of solving SVP. The asymptotically fastest known classical and quantum sieves solve SVP in a -dimensional lattice in 2^{\const d + \smallo(d)} time steps with 2^{\const' d + \smallo(d)} memory for constants . In this work, we give various quantum sieving algorithms that trade computational steps for memory. We first give a quantum analogue of the classical -Sieve algorithm [Herold--Kirshanova--Laarhoven, PKC'18] in the Quantum Random Access Memory (QRAM) model, achieving an algorithm that heuristically solves SVP in time steps using memory. This should be compared to the state-of-the-art algorithm [Laarhoven, Ph.D Thesis, 2015] which, in the same model, solves SVP in time steps and memory. In the QRAM model these algorithms can be implemented using \poly(d) width quantum circuits. Secondly, we frame the -Sieve as the problem of -clique listing in a graph and apply quantum -clique finding techniques to the -Sieve. Finally, we explore the large quantum memory regime by adapting parallel quantum search [Beals et al., Proc. Roy. Soc. A'13] to the -Sieve and giving an analysis in the quantum circuit model. We show how to heuristically solve SVP in time steps using quantum memory.
Security analysis of elliptic curves with embedding degree 1 proposed in PLOS ONE 2016.
Wang et al. proposed a method for obtaining elliptic curves with embedding degree 1 for securing critical infrastructures, and presented several elliptic curves generated by their method with torsion points of 160-bit and 189-bit orders. They also presented some experimental results and claimed that their implementation of an elliptic curve generated with their method is faster than an implementation for embedded devices presented by Bertoni et al. In this paper, we point out that the security and efficiency claims given by Wang et al. are flawed. Specifically, we show that it is possible to solve finite field discrete logarithm problems defined over their elliptic curves in practice. On the elliptic curves with torsion points of 160-bit orders generated by Wang et al., their instances of finite field discrete logarithm problems are solved in around 4 hours by using a standard desktop PC. On the torsion points of 189-bit orders, their instances are solved in around 10 days by using two standard desktop PCs. The hardness of the finite field discrete logarithm problems is one of the most important bases of security; therefore, their elliptic curves should not be used for cryptographic purposes.
Histograms of orthogonalized coefficients
Histograms of orthogonalized coefficients of lattice vectors.

The horizontal axis is the value of the orthogonal coefficients, and the vertical axis is the number of the rounded orthogonal coefficients in each bin.

Page 1 shows a histogram of the orthogonal coefficient at index 1, page 2 shows the same data at index 2, and so on.

See the text for the details of the settings.

(This figure is referred to by a paper in ISITA 2018.)