Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
.
On the cryptographic applications
ofGrobner bases and Lattice Theory
University of Maria Curie-Sklodowska
Faculty of Mathematics, Physics and Computer Science
Lublin, 2-14 December 2012
Jaime GutierrezUniversity of Cantabria
Santander
This course will give a general introduction to the Grobner basis and Lattice Theory, and cover the main applications toboth cryptography and cryptanalysis. The main goal of this course is to show interactions between Cryptology and
Symbolic Computation; the two important tools are lattices and Grobner bases.
The most famous example of such an interaction is probably the so called Lenstra, Lenstra, and Lovasz (LLL) latticebasis reduction algorithm, it was a key ingredient to solve a computer algebra problem (factoring polynomials overthe rational numbers); since then, it was used in numerous attacks in cryptology. Informally speaking a lattice isa set of points in n-dimensional space with a periodic structure. Historically, lattices were investigated since thelate 18th century by mathematicians such as Lagrange, Gauss, and later Minkowski. More recently, lattices havebecome an active topic of research in computer science. At the beginning lattice reduction techniques were wereused in cryptography principally to prove cryptographic insecurity. We will cover several of these negative resultsin particular:
• breaking of knapsack-based cryptosystems
• breaking the linear congruential pseudorandom generator.
• breaking the security of padded RSA
The lectures will be primarily focused on the algorithmic aspects of the lattice theory, which lattice problem canbe solved in polynomial time, and which problems seems to be intractable. And also, presenting applications topredicting pseudorandom number generators and integer factoring.
The second important symbolic computation tool is the theory of Grobner basis. A Grobner basis is a set ofmultivariate polynomials that has desirable algorithmic properties. Every set of polynomials can be transformed intoa Grobner basis. This process generalizes three familiar techniques: Gaussian elimination for solving linear systemsof equations, the Euclidean algorithm for computing the greatest common divisor of two univariate polynomials, andthe Simplex Algorithm for linear programming. It is a powerful technique for solving problems in algebraic geometrythat was introduced by Bruno Buchberger, who named them after his advisor Wolfgang Grobner. Grobner basesprovide a uniform approach for solving problems that can be expressed in terms of systems of multivariate polynomialequations. It happens that many practical problems, can be transformed into sets of polynomials, thus solved usingGrobner bases method. For instance, in cryptology the ciphers are rewritten to systems of multivariate equationsthat are solved for variables representing, for example, key bits. Algebraic attacks apply to a variety of ciphers,ranging from
• blockciphers, like AES and Serpent,
• streamciphers, like Toyocrypt and Bluetoot,
• Asymmetric cryptosystems, like Hidden Field Equation (HHE),
• hash functions, like multivariate polynomial for hashing.
The course will give a short theoretical and algorithmic background on Grobner bases, including the Buchberger’salgorithm for computing a such basis, and then shows several applications to cryptology, including the asymmetriccryptographic primitives based on multivariate polynomials over finite fields. Those schemes are often consideredto be good candidates for post-quantum cryptography, once quantum computers can break the current schemes.
Organization Basic bibliography Cryptology Criterion for Cryptosystem
On the cryptographic applications of Grobnerbases and Lattice Theory
University of Maria Curie-Sklodowska.Faculty of Mathematics, Physics and Computer Science.
Lublin, 2-14 December 2012
Jaime Gutierrez (University of Cantabria)
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
On the cryptographic applications of Grobner bases and Lattice Theory
Organization Basic bibliography Cryptology Criterion for Cryptosystem
I Grobner bases:I Affine varieties and idealsI Division algorithmI Buchberger’s Algorithm. Extensions F4 and F5I Elimination theory: How to solve system of equationsI Common cryptosystems and Algebraic cryptanalysisI AES (Advanced Encryption Standard )I HFE (Hidden Field Equations)I Stream Ciphers: Trivium, Bivium
I Lattices:I DefinitionsI Minkowski theorem.I Computational problems: SVP, CVPI LLL Reduced Lattice BasisI Knapsack-based cryptosystems and Lattice-based cryptanalysis.I Small roots of integers polynomials:
I Predicting pseudorandom number generatorsI Security of RSA with small decryption exponent
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
On the cryptographic applications of Grobner bases and Lattice Theory
Organization Basic bibliography Cryptology Criterion for Cryptosystem
I Douglas Stinson, Cryprography: theory and practice.Chapman and Hall/CRC 2006.
I D. Cox, J. Little, and D. O’Shea, Ideals, Varieties andAlgorithms: An introduction to Computational AlgebraicGeometry and Commutative Algebra, Springer-Verlag, 1996.
I M. Grotschel, L. Lovasz and A. Schrijver, Geometricalgorithms and combinatorial optimization, Springer-Verlag,Berlin, 1993.
I Antoine Joux, Algorithmic Cryptanalysis. Chapman andHall/CRC 2009.
Sage: Open Source Mathematics Software
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
On the cryptographic applications of Grobner bases and Lattice Theory
Organization Basic bibliography Cryptology Criterion for Cryptosystem
I CryptographyI Private KeyI Public key
I Cryptanalysis
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
On the cryptographic applications of Grobner bases and Lattice Theory
Organization Basic bibliography Cryptology Criterion for Cryptosystem
C.E. Shannon (1916 – 2001)
Communication Theory of Secrecy Systems, Bell System TechnicalJournal (1949).
“as much work as solving a system of simultaneousequations in a large number of unknowns of acomplex type.”
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
On the cryptographic applications of Grobner bases and Lattice Theory
General idea Hidden Field Equations 2R/2R− Schemes Functional Decomposition
Grobner bases in public key cryptography
University of Maria Curie-Sklodowska.Faculty of Mathematics, Physics and Computer Science.
Lublin, 2-14 December 2012
Jaime Gutierrez (University of Cantabria)
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
Grobner bases in public key cryptography
General idea Hidden Field Equations 2R/2R− Schemes Functional Decomposition
The public key is a set of polynomial equations over a finite field K
y1= f1(x1, . . . , xn),y2= f2(x1, . . . , xn),
...yn= fn(x1, . . . , xn).
I Encryption: Evaluating the polynomials fi in: plaintextx = (x1, . . . , xn) ∈ Kn, → ciphertext y = (y1, . . . , yn) ∈ Kn
I Attacking: Solving the system of equations.
TheoremDeciding if an arbitrary system of multivariate, quadratic equationsover a finite field is solvable is NP-complete.
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
Grobner bases in public key cryptography
General idea Hidden Field Equations 2R/2R− Schemes Functional Decomposition
Keying material
I K = Fq a finite field of characteristic a prime number p.I HFE polynomial:
f (x) =∑
i ,j
βi ,jxqθi,j+q
φi,j+
∑
l
αlxqεl + µ ∈ Fqn [x ]
βi ,j , αl , µ ∈ Fqn and θi ,j , φi ,j , εl ∈ NI For an irreducible polynomial g(x) ∈ K[x ]:
K [x ]/ < g(x) > ∼= Fqn
The elements of Fqn are represented as n-tuples over K .
f (x1, . . . , xn) = (p′1(x1, . . . , xn), p′2(x1, . . . , xn . . . , p′n(x1, . . . , xn))
p′i (x1, . . . , xn) ∈ K[x1, . . . , xn] are quadratic polynomials.I Two affine bijections s and t as vector spaces: Kn → Kn.
t(f (s(x1, . . . , xn))) = (p1(x1, . . . , pn(x1, . . . , xn))
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
Grobner bases in public key cryptography
General idea Hidden Field Equations 2R/2R− Schemes Functional Decomposition
The protocol
I Public key: K, n and pi (x1, . . . , xn).
I Private key: f , s, t and the representation of Fqn
over K.
I Encrypt: Plaintext x = (x1, . . . , xn) compute the ciphertexty = (y1, . . . , yn):
y = p1(x1, . . . , pn(x1, . . . , xn))
I Decrypt: Find all solutions to the equation
f (z) = t−1(y)
and x ′ = s−1(z)
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
Grobner bases in public key cryptography
General idea Hidden Field Equations 2R/2R− Schemes Functional Decomposition
Main properties
Matsumoto-Imai (1988), J. Patarin, H (1996), N. Koblitz, 1997.
I Encryption and Decryption can be computed efficiently:I Public transformation: O(n5)I Private: O(n4(n + log n)
I The inverse quadratic polynomial map may have a muchhigher degree.
I Algebraic Cryptanalysis
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
Grobner bases in public key cryptography
General idea Hidden Field Equations 2R/2R− Schemes Functional Decomposition
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
Grobner bases in public key cryptography
General idea Hidden Field Equations 2R/2R− Schemes Functional Decomposition
The problem
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
Grobner bases in public key cryptography
General idea Hidden Field Equations 2R/2R− Schemes Functional Decomposition
References
I J. von zur Gathen, J. Gutierrez, R. Rubio MultivariatePolynomial Decomposition. Applicable Algebra inEngineering, Communication and Computing, 2004.
I D.F. Ye, Z.D. Dai, K.Y. Lam. (u = n) Decomposing Attackson Asymmetric Cryptography Based on MappingCompositions. Journal of Cryptology, 2001.
I E. Biham. Cryptanalysis of Patarin’s 2-Round Public KeySystem with S-Boxes (2R). CRYPTO 2000.
I J.C Faugere, L. Perret An Efficient Algorithm forDecomposing Multivariate Polynomials and its Applications toCryptography. 2010.
University of Maria Curie-Sklodowska. Faculty of Mathematics, Physics and Computer Science. Lublin, 2-14 December 2012
Grobner bases in public key cryptography
Lattices in Algorithmic
and
Cryptography
Jaime Gutierrez
ALGORITHMIC MATHEMATICS AND CRYPTOGRAPHY
University of Cantabria
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.1/72
ORGANIZATION
Lattices.
Cryptographic Knapsack Scheme
RSA and integer factoring with extra information.
Pseudorandom number generators over Elliptic curves.
Ideal decomposition and intermediate subfields.
Cayley graphs of cyclic groups.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.2/72
LATTICES
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.3/72
LATTICES
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.4/72
LATTICES
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.5/72
LATTICES
B = [b1| · · · |bn], l.i.
L(B) := {Bx / x ∈ Zn}
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.6/72
b1, . . . ,bn ∈ Rm, l.i.
L = L([b1| · · · |bn]) =
=
{n∑
i=1
λibi
∣∣∣∣∣ λi ∈ Z
}.
B = (b1, . . . ,bn) is a basis of L.L([(1, 0), (0, 1)] =L([(2006, 1), (2007, 1)]) = Z2
L([(3, 1), (2, 4)]) ={(x, y) ∈ Z2 : 3x+ y ≡ 0 mod 10}
[LAGRANGE, GAUSS, MINSKOWSKI]
b1
b2
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.7/72
DISCRETE SUBGROUPS
In general, L(B) is not a lattice:B := (2,
√2)
2√2
Lattices are discrete subgroups.
λ1 := min{‖v‖ / v ∈ L\{0}}
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.8/72
THE VOLUME OF A LATTICE
Fundamental Parallelepiped
(associated to a basis)volL =
√|BtB|
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.9/72
MAIN BOUNDS
Norm ℓ∞:λ1 ≤ (volL)1/n
Norm ℓ1:λ1 ≤ (n! volL)1/n
Norm ℓ2:λ1 ≤
√γn(volL)1/n
n
2eπ+ o(n) ≤ γn ≤
1′744eπ
n+ o(n)
Gauss Heuristic
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.10/72
MAIN PROBLEMS
SVPmin{‖v‖ / v ∈ L\{0}}
NP hard ??
CVPmin{‖v − t‖ / v ∈ L}
NP hard
Fixed n is polynomial: [KANNAN (1987)]
Approximation: [LLL = A. LENSTRA, H. LENSTRA, L. LOVACS (1982)],
[T. BABAI (1986)], [M. AJTAI (1998)]LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.11/72
LLL-REDUCTION
B = [b1| · · · |bn] is a δ-LLL reduced basis of L if
|µi,j| ≤ 1/2
δ‖b∗i ‖ ≥ ‖µi+1,ib
∗i + b∗
i+1‖,where 1/4 < δ < 1 y b∗
1, . . . ,b∗n is the Gram-Schmidt
orthogonal basis : b∗i := bi −
∑j<i µijbj , µi,j :=
<bi,b∗j>
<b∗j ,b
∗j>
.
‖b1‖ ≤(
1
δ − 1/4
)n−12
λ1
LLL-algorithm is polynomial in M = max{n, log(maxi ‖bi‖)}.LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.12/72
OUR LATTICES
L consist of integer solutions x = (x0, . . . , xs−1) ∈ Zs of asystem of congruences
s−1∑
i=0
aijxi ≡ 0 mod qj , j = 1, . . . ,m,
modulo the intergers q1, . . . , qm.
Typically, vol(L) = Q = q1 . . . qm.
SVP and CVP are polynomials in logQ.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.13/72
CRYPTOGRAPHIC KNAPSACK
SCHEME
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.14/72
THE KNAPSACK PROBLEM
(a1, a2, . . . , an) a finite sequence of positive integers (theweights)
Given a natural s compute, if it exists, x1, x2, . . . , xn,where xi{0, 1} such that
s = x1a1 + x2a2 + · · · + xnan
NP-complete problem
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.15/72
SUPER-INCREASING SEQUENCES
The sequence (a1, a2, . . . , an) is super-increasing if satisfies:
ai > a1 + a2 + · · · + ai−1
Example :ai := ki
In this case it is simple
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.16/72
THE MERKLE-HELLMAN CRYPTOSYSTEMA (b1, b2, . . . , bn) super-increasing sequence
Two co-prime positive integers U and V such that
U >
n∑
i=1
bi, V < U.
ai = biV mod U.
PUBLIC KEY: (a1, a2, . . . , an)
PRIVATE KEY: (b1, b2, . . . , bn), U, V )
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.17/72
THE MERKLE-HELLMAN CRYPTOSYSTEM
ENCRYPTION:The plaintext x, 0 ≤ x < 2n
x = [x1, . . . , xn] binary representation
The cipher text is y =∑n
i xiai
DECRYPTION.The ciphertext y, 0 ≤ y < 2n
Compute s = yV −1 mod U =∑
xibi
x =∑n
i=1 xi2i−1
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.18/72
THE MERKLE-HELLMAN CRYPTOSYSTEM
Several variations of this scheme.
It is easy to implement.
It is faster than RSA
Broken by Shamir in 1982
Chor-Rivest Scheme
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.19/72
LLL AND MERKLE-HELLMAN CRYPTOSYSTEM
Given a knapsack problem with coefficients (c1, c2, . . . , cn)and s. Let L be the lattice generated by A:
A =
−a1 a2 . . . −an s
1 0 . . . 0 0
0 1 . . . 0 0
... ... . . . ... ...
0 0 . . . 1 0
∈ Z(n+1)×(n+1),
If x = (x1, . . . , xn) :∑n
i xici = s→ vector v ∈ L is small:
v = (0, x1, . . . , xn).
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.20/72
RSA and INTEGERSFACTORIZATION
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.21/72
Integers factorization
THE PROBLEM
INPUT : N = PQ and the high-order h bits of P .
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.22/72
Integers factorization
THE PROBLEM
INPUT : N = PQ and the high-order h bits of P .
OUTPUT: The factorization of N , i.e, P and Q.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.23/72
Integers factorization
WHY STUDY THIS PROBLEM ?
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.24/72
Integers factorization
WHY TO STUDY THIS PROBLEM ?
because I like it,
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.25/72
Integers factorization
WHY TO STUDY THIS PROBLEM ?because I like it,
RSAloss of the equipment that generated P and Q,explicit release of partial extra information as part ofa protocol, for instance exchange of secret,timing measurements,routine usage of P and Q to decrypt mail, signmessages, etc.,poor physical security to guard P and Q,any other heuristic attack . . .
[RIVEST AND SHAMIR (1986)], [COPPERSMITH (1995-1998)], [ BONEH AND
HOWGRAVE-GRAHAM (1999)], [MAY AND CORON (2005)]
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.26/72
Integers factorization
FORMALIZATION AND NOTATION
DEFINITION. We say that an integer w is a ∆-approximation to theinteger u when |w − u| ≤ ∆.We can build a ∆-approximation P0 to P , by taking the hhigh-order bits of P and ⌊logP ⌋ + 1− h zeroes. In this case,∆ = 2⌊logP ⌋+1−h − 1, that is,
P − P0 ≤ ∆ ∼= P
2h.
By dividing N into P0, we obtain a ∆1-approximation Q0
to Q:
|Q−Q0| ≤ ∆1∼= Q∆
P.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.27/72
Integers factorization and attacking RSA
FORMALIZATION AND NOTATION
Let ε0 = P − P0 and ε1 = Q−Q0. From N = PQ we obtain:
f(ε0, ε1) = 0,
wheref(ε0, ε1) = (P0 + ε0)(Q0 + ε1)−N.
And with|ε0| ≤ ∆, |ε1| ≤ ∆1.
The main objective is to find small roots of this innocentpolynomial f(ε0, ε1).
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.28/72
Small roots of integer polynomials
THE COPPERSMITH’S RESULT
THEOREM. [D. COPPERSMITH (1997)]Let p(ε0, ε1) be an irreducible polynomial in two variables over Z, ofmaximum degree δ in each variable separately. Let ∆,∆1 be bounds onthe desired solutions x0, y0. Define p∗(ε0, ε1) = p(ε0∆, ε1∆1) and letW be the absolute value of the largest coefficient of p∗(ε0, ε1). If
∆∆1 ≤ W 2/(3δ)−ǫ2−14δ/3,
then in polynomial time in (logW, δ, 1/ǫ) we can find all integer pairs(x0, y0) with p(x0, y0) = 0 bounded by |x0| ≤ ∆, |y0| ≤ ∆1.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.29/72
Integers factorization
ADAPTING COPPERSMITH’S RESULT
We suppose that we know N = PQ and the high-orderh = 1
4 log2N bits of P . We apply the previous result topolynomial f(ε0, ε1) and take:
|ε0| < P0N−1/4 = ∆,
|ε1| < Q0N−1/4 = ∆1,
δ = 1, W = N3/4.
Corollary . [D. COPPERSMITH (1997)]In polynomial time we can find the factorization of N = PQ if we know
the high-order (14 log2N) bits of P
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.30/72
Integers factorization
TWO ITERATION TECHNIQUE
(P0 + ε0)(Q0 + ε1) = N,
|ε0| ≤ ∆, |ε1| ≤ ∆1
(P0Q0 −N)∆1∆+Q0∆x1 + P0∆1x2 + x3 = 0,
x1 ≡ 0 mod ∆,
x2 ≡ 0 mod ∆1.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.31/72
Integers factorization
TWO ITERATIONS TECHNIQUE
e = (∆1ε0,∆ε1, ε0ε1).
f solution of the CVP. Check if e = f , otherwise:
u,v LLL reduced basis of lattice:
Q0∆x1 + P0∆1x2 + x3 = 0,
x1 ≡ 0 mod ∆,
x2 ≡ 0 mod ∆1.
f = (∆1f1,∆f2, f3),
u = (∆1u1,∆u2, u3),
v = (∆1v1,∆v2, v3),LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.32/72
Integers factorization
TWO ITERATIONS TECHNIQUE
e = f + αu+ βv
⇓
ε0 = f1 + αu1 + βv1,
ε1 = f2 + αu2 + βv2,
ε0ε1 = f3 + αu3 + βv3,
⇓(f1 + αu1 + βv1)(f2 + αu2 + βv2) = f3 + αu3 + βv3
This is a new equation in α, β
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.33/72
Integers factorization
TWO ITERATIONS RESULT
THEOREM. [D. GOMEZ AND J. G. AND A. IBEAS (2006)]
For a prime P and natural numbers ∆, ∆1, there is a setV(∆,∆1) ⊂ ZP of cardinality
#V(∆,∆1) = O
((∆7∆4
1)
P 3
)
with the following property. Given N, P0, Q0, ∆1 and ∆, whereN = PQ, P0 is a ∆-approximation of P and Q0 a ∆1-approximation ofQ then if Q 6∈ V(∆,∆1) there is an algorithm such that recover P andQ in polynomial time in the size of N .
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.34/72
Integers factorization
PRACTICAL APPLICATION: TWO ITERATIONS
P ≡ Q ≡√N , then O
((∆7∆4
1)P 3
)< P implies 3/10 logN < h
P,Q ≡ 21000
This method requires :636 bits of P .
The dimension of the lattice is 8.
For the same known bits, Coppersmith method requiresa lattice of dimension 199.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.35/72
Integers factorization
NUMERICAL RESULTS
Bits of P Bits of Q Bits known Iterations Time100 100 66 1 3.675 sec100 100 60 2 10.271 sec512 512 306 2 11.392 sec512 512 300 3 14.025 sec512 512 292 3 15.339 sec1024 1024 624 2 7.240 sec1024 1024 600 3 29. 357 sec1024 1024 580 3 1 m. 35 sec
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.36/72
LINEAR GENERATOR
over
ELLIPTIC CURVES
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.37/72
Linear generators over elliptic curves
STREAM CIPHERS
A B
Insecure channel
m m⊕ k m⊕ k m
k = · · ·
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.38/72
Linear generators over elliptic curves
LINEAR CONGRUENTIAL GENERATOR
a ∈ F∗p, c ∈ Fp
u0 ∈ Fp (seed)
un+1 ≡p aun + c
k = · · ·
u0 u1 u2
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.39/72
Linear generators over elliptic curves
LINEAR GENERATOR ON ELLIPTIC CURVES
This generator employs the usualabelian group operation (⊕) on theset of points of an elliptic curve:
A prime p.
An elliptic curveE : Y 2 = X3 + AX2 +B over Fp.
The seed U0 ∈ E.
The parameter G ∈ E, which we callcomposer .
Un+1 = Un ⊕G,∀n ≥ 0.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.40/72
Linear generators over elliptic curves
LINEAR GENERATOR ON ELLIPTIC CURVES
Toy example with a 7-periodic generator inan elliptic curve with 35points over F31.
E : Y 2 = X3 −X2 + 1
Un+1 = n(5, 11)⊕ (8, 3)
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.41/72
Linear generators over elliptic curves
CRYPTOGRAPHICALLY SECURE GENERATOR
A PRBG is cryptographically secure if there is no polynomial timealgorithm which on input of the first l bits of an output sequence s canpredict the (l + 1)st bit of s with probability significant greater than 1/2.
[YAO (1982)], [ BLUM AND BLUM AND SHUB (1998)]
k = · · ·
u0 u1 u2
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.42/72
Linear generators over elliptic curves
CRYPTOGRAPHICALLY SECURE GENERATOR
A PRBG is cryptographically secure if there is no polynomial timealgorithm which on input of the first l bits of an output sequence s canpredict the (l + 1)st bit of s with probability significant greater than 1/2.
[YAO (1982)], [ BLUM AND BLUM AND SHUB (1998)]
k =
ε0 ε1 ε2
· · ·
u0 u1 u2
[S. BLACKBURN AND D. GOMEZ AND J. G. AND I. SHPARLINSKI (2005)]
[D. GOMEZ AND J. G. AND A. IBEAS (2006)], [KNUTH (1985)]LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.43/72
Linear generators over elliptic curves
METHOD SKETCHWe assume access to:
Approximations W0,W1 to the first two values U0, U1:Ui = (xi, yi),Wi = (αi, βi),xi = αi + ei, yi = βi + fi, |ei|, |fi| ≤ ∆.
The composer G = (xG, yG).
From U0 ⊕G = U1 when U0 6∈ {G,−G} , we obtain (over Fp ):
x3G + x1x2G − x0x
2G − 2x1xGx0 − xGx
20 + x30 + 2yGy0 + x1 = 0,
y1xG − y1x0 − yGx0 + yGx1 − y0x1 + y0xG = 0.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.44/72
Linear generators over elliptic curves
METHOD SKETCHTranslate previous equations into a linear system in theapproximation errors e0, e1, f0, f1.
Find the smaller integer solution to the system (CVP)
Check if the obtained solution is valid.
THEOREM. [J. G. AND A. IBEAS (2007)]
If the algorithm outputs a wrong solution, the first coordinatex0 of the first value must satisfy a certain equation. Thisleads to the bound O(∆6) for the possibilities for x0 in afailure example. So, when ∆ < p1/6 we can expect with highprobability the success of the guessing algorithm.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.45/72
Linear generators over elliptic curves
UNKNOWN COMPOSERWe take three approximations Wi = (αi, βi) to any threevalues (consecutive or not): Ui = (xi, yi)
y2i = x3i + Axi + B, i = 0, 1, 2.
Eliminating the curve parameters A,B and assuming thatU0 6∈ {U1,−U1} (that is, x0 6= x1), we obtain the followingequation:
−y22x1+y22x0+x32x1−x32x0−x2y20+x2x30+x2y
21−x2x31−y21x0+x31x0+x1y
20−
Substituting xi = αi + ei, yi = βi + fi for i = 0, 1, 2, we obtaina threshold of p1/46 for the tolerance below wich we canexpect successful guessing.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.46/72
Linear generators over elliptic curves
SMALL ROOTS OF MODULAR POLYNOMIALS
THEOREM. [J. G. (2007)]
There exists an algorithm with the following properties. Let p be a prime
number and ∆ a positive integer such that p > ∆ ≥ 1. Let
f(X,Y ) =∑m1,m2
i=0,j=0 ai,jXiY j ∈ Fp[X,Y ] be an irreduclible
polynomial of degree m1 ≥ 2 in X and degree m2 ≥ 2 in Y over Fp.
The algorithm, when given f and ∆-approximations w0, w1 to v0, v1
where f(v0, v1) ≡ 0 mod p, recovers v0, v1 in time polynomial in
m1,m2 and log q provided that v0 does not lie in a certain set V(f) ⊆ Fp
of cardinality:
V(f) = (2√(m1 + 1)(m2 + 1)λ(m1+1)(m2+1))
(m1+1)(m2+1)∆ωm1,m2
ωm1,m2 =m2
1
2(2m2 + 1) +
m22
2(2m1 + 1) +m1m2.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.47/72
IDEAL DECOMPOSITION
and
INTERMEDIATE FIELDS
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.48/72
Ideal decomposition and intermediate fields
THE PROBLEM
Given:f(x) polynomial in Q[x]
Find:g(x), h(x), f(x) ∈ Q[x] verifying
f(x)f(x) = g(h(x)),
1 < deg g, deg h < deg f.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.49/72
Ideal decomposition and intermediate fields
POLYNOMIAL DECOMPOSITION AND RATIONAL SUBFIELDSIf deg f = 0, then
f(x) = g(h(x)).Luroth’s Theorem. [A. SCHINZEL (1982)]Let F be a field such that K ⊂ F ⊂ K(x1, . . . , xn) andtr.deg.(F/K) = 1. Then there exists h ∈ K(x1, . . . , xn) such thatF = K(h). Also, if the field contains a polynomial, then a polynomialgenerator exists.
{[(g, h)] : f = g(h)} ←→ {F : K(f) ⊂ F ⊂ K(x)}[(g, h)] ←→ F = K(h).
[LANDAU-KOZEN-VON ZUR GATHEN (19889)], [GIESBRECHT (1990)],
[J. G. AND R. RUBIO AND D. SEVILLA (98-2005)]LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.50/72
Ideal decomposition and intermediate fields
ALGEBRAIC SUBFIELDSIf f(x) is irreducible and f(α) = 0, then the followingstatements are equivalent:
f is an ideal decomposable.
GalQ(f) acts imprimitively on the roots of f .
A proper subfield, Q(β), exists with
Q ⊂ Q(β) ⊂ Q(α).
{[(f , g, h)] : ff = g(h)} ←→ {F : Q ⊂ F ⊂ Q(α)}[(f , g, h)
]←→ F = Q(h(α)).
[S. LANDAU AND G. MILLER (1985)], [J. KLUNERS AND M. POHST (1997)][J. G. AND D. SEVILLA (2006)]
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.51/72
Ideal decomposition and intermediate fields
THE ALGORITHMWe divide the problem into two parts:
1. Compute candidates polynomial h(x).
2. Given f(x) and h(x), compute (if it exists) f(x), g(x) :
f(x)f(x) = g(h(x))
Compute f(x), g(x) from f(x) and h(x) is solving alinear system of equations.
The hard part is compute h(x).
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.52/72
Ideal decomposition and intermediate fields
THE BASIC IDEAFrom
f(x)f(x) = g(h(x)),
There are two distintict roots of f(x), say αi and αj for which
h(αi) = h(αj)
h(x) =∑s
k=1 hkxk ∈ Z[x] for some s with: 1 < s < deg f
Find the coefficients h1, h2, . . . , hs in Z satisfying
h1(αi − αj) + h2(α2i − α2
j ) + · · · + hs(αsi − αs
j).
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.53/72
Ideal decomposition and intermediate fields
INTEGER RELATIONSA nonzero vector h = (h1, . . . , hs) ∈ Zs is called an INTEGER
RELATION for the real numbers γ1, . . . , γs if
h1γ1 + · · · + hsγs = 0.
Given γ1, . . . , γs complex numbers approximating to thealgebraic numbers γ1, . . . , γs, and a parameter ǫ
either finds an integer relation for γ1, . . . , γs or
proves that no relation of Euclidean length shorterthan 1/ǫ exists.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.54/72
Ideal decomposition and intermediate fields
INTEGER RELATIONS AMONG ALGEBRAIC NUMBERS
L([b1| · · · |bs]) ⊂ Qs+2 the lattice spanned
b1= (1, 0, . . . , 0, C ·Re(γ1), C · Im(γ1))...
bs= (0, . . . , 0, 1, C ·Re(γs), C · Im(γs)
C is a large integer depend on ǫ, the height of (γ1, . . . , γs)and [Q(γ1, . . . , γs) : Q].
Let b be the first vector of the LLL-basis:b = (m1, . . . ,ms, C ·
∑si=1miRe(γi), C ·
∑si=1miIm(γi)).
If ‖b‖ < 2n/ǫ2, then (m1, . . . ,ms) is a solution.Otherwise, no solution shorter than 1/ǫ exists.
[J. HASTAD AND B. JUST AND J. LAGARIAS AND C. SCHNORR (1989)]
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.55/72
Ideal decomposition and intermediate fields
BOUNDS ON THE COEFFICIENTS OF h(x)
Given a non-trivial ideal decomposition of polyno-mial f ∈ Z[x], i.e
f(x)f(x) = g(h(x))find an upper bound on the height Ht(h(x)) ofh(x).
POLYNOMIAL DECOMPOSITION, i.e., f(x) = 1, thenHt(h(x)) < CHt(f(x)).
If f(x) is irreducible: [J. DIXON (1990)], [J. MCKAY (1996)],
Ht(h(x)) < CHt(f(x))deg f ,
where C is a constant
In general, ???LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.56/72
CAYLEY GRAPHS
of
CYCLIC GROUPS
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.57/72
Cayley graphs of cyclic groups
CIRCULANT DI-GRAPHS
Vertices : G = (ZN ,+)
Edges - Set of jumps H = {j1, . . . , jr}0
1
2
3
45
6
7
8
9
N = 10
H = {1, 3}
(x, x+ ji mod N),
x ∈ ZN , 1 ≤ i ≤ r
Connected graph : gcd(j1, . . . , jr, N) = 1LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.58/72
Cayley graphs of cyclic groups
ADJANCENCY MATRIXCirculant Matrix :
RN =
0 1
1. . . 0
1
CN (j1, . . . , jr),
r∑
i=1
RjiN
Undirected : CN (±j1, . . . ,±jr)
01
2
3
45
6
7
8
9
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.59/72
Cayley graphs of cyclic groups
DISTRIBUTED LOOP COMPUTER NETWORKSApplication to distributing an parallel computation.
A extremely simple description.
O (r logN)
small diameter.
Routing algorithms and fault tolerance.
The two jump case is widely studied.
[C. K. WONG AND D. COPPERSMITH (1974)]
[J.C. BERMOND AND F. COMELLAS AND D. F. HSU (1995)]
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.60/72
Cayley graphs of cyclic groups
PATHS IN A CIRCULANT
Directed Undirected
x = (x1, . . . , xr) ∈ Nr x = (x1, . . . , xr) ∈ Zr
01
2
3
45
6
7
8
90
1
2
3
45
6
7
8
9
(2,2) (1,-1)
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.61/72
Cayley graphs of cyclic groups
THE LATTICE OF A CIRCULANT GRAPHGiven the jumps j1, . . . , jr and the number of nodes N :
LC = {(x1, . . . , xr) ∈ Zr : j1x1+ · · ·+ jrxr ≡ 0 mod N.}
A shortest path from node α to node β:
Undirected : x = (x1, . . . , xr) ∈ LC (with minimal ‖x‖1 ).
Directed: x = (x1, . . . , xr) ∈ LC⋂Nr (with minimal ‖x‖1)
r∑
i=1
xiji ≡ α− β mod N.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.62/72
Cayley graphs of cyclic groups
SHORTEST PATH FOR TWO JUMPS
01
2
3
45
6
7
8
9
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.63/72
Cayley graphs of cyclic groups
PATH DESCRIPTION
CN (a, b)
w = (x1, x2) / ax1 + bx2 ≡ c mod N
L := {x ∈ Z2 / ax1 + bx2 ≡ 0 mod N}CA(c) = w + L
The total amount of jumps of the path w is ‖w‖1.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.64/72
Cayley graphs of cyclic groups
THE COMPLEXITYTHEOREM. [D. GOMEZ AND J. G. AND A. IBEAS (2005)]
INPUT: a, b,N, c
Description of the set of paths CA(c).w + Z < u,v > O(logN)
Recduction of the basis L.w + Z < u,v > O(logN)
Iterative reduction.w′ O(logN)
Discrete searching.w′′ O(1)
O(log2N log logN log log logN))
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.65/72
Cayley graphs of cyclic groups
THE POLYNOMIAL IDEAL OF A LATTICE
IL := ( xa+ − xa−: a ∈ L ) ⊂ K[X1, . . . , Xr].
a = a+ − a− = (a1, . . . , ar) ∈ Zr, a+ = (a+1 , . . . , a+r ),
a+i = max{ai, 0}, a− = (a−1 , . . . , a−r ), a
−i = max{−ai, 0}.
[B. STURMFELS AND R. WEISMANTEL AND G. M. ZIEGLER (1995)]
THEOREM. [J. G. AND A. IBEAS (2006)]
ILC= ( xN1 xN2 · · · xNr − 1, xa+ − xa−
, (a ∈ S) ),
S = {(Nα1, . . . , Nαr), (α1j1 − 1, α2j2, . . . , αrjr),
(α1j1, α2j2 − 1, . . . , αrjr), . . . , (α1j1, . . . , αr−1jr−1αrjr − 1)}.αi ∈ Z, (i = 1, . . . , r), 1 = α1j1 + · · · + αrjr + βN
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.66/72
Cayley graphs of cyclic groups
GROEBNER BASES AND ROUTING
THEOREM. [J. G. AND A. IBEAS (2006)]
Fixed any grade monomial ordering ≺:Let G be a Gröbner basis of ILC
with respcet ≺ and c a pathfrom 0 to j ∈ ZN .
The normal form ofxc − 1
with respect G isxd − 1,
where d is a shortest path.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.67/72
GROEBNER BASES
and
LLL-REDUCED BASES
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.68/72
Groebner Bases and LLL-reduced bases
GROEBNER BASIS VERSUS LLL-REDUCED BASIS
Definition Let I be an ideal of K[x1, . . . , xn].G = {g1, . . . , gs} ⊂ I is a Groebner Basis if and only if ∀f ∈ I
f =∑s
i=1 figi with fi ∈ K[x1, . . . , xn], gi ∈ G andlm(f) ≥ lm(figi)
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.69/72
Groebner Bases and LLL-reduced bases
GROEBNER BASIS VERSUS LLL-REDUCED BASIS
Definition Let I be an ideal of K[x1, . . . , xn].G = {g1, . . . , gs} ⊂ I is a Groebner Basis if and only if ∀f ∈ I
f =∑s
i=1 figi with fi ∈ K[x1, . . . , xn], gi ∈ G andlm(f) ≥ lm(figi)
Definition Let L be a lattice of Zn. G = {b1, . . . ,bs} ⊂ L is aG-Reduced Basis if and only if ∀v ∈ L
x =∑s
i=1 αibi with αi ∈ Z, bi ∈ G and ‖x‖ ≥ ‖αibi‖
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.70/72
Groebner Bases and LLL-reduced bases
GROEBNER BASIS VERSUS LLL-REDUCED BASIS
Definition Let I be an ideal of K[x1, . . . , xn].G = {g1, . . . , gs} ⊂ I is a Groebner Basis if and only if ∀f ∈ I
f =∑s
i=1 figi with fi ∈ K[x1, . . . , xn], gi ∈ G andlm(f) ≥ lm(figi)
Definition Let L be a lattice of Zn. G = {b1, . . . ,bs} ⊂ L is aG-Reduced Basis if and only if ∀v ∈ L
x =∑s
i=1 αibi with αi ∈ Z, bi ∈ G and ‖x‖ ≥ ‖αibi‖
LLL-Reduced 6⇒ G-reduced
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.71/72
Groebner Bases and LLL-reduced bases
GROEBNER BASIS VERSUS LLL-REDUCED BASIS
THEOREM [D. GOMEZ (2005)]Let {b1, . . . ,bs} be a LLL reduced basis of a lattice L with repect to δ,1/4 < δ < 1. Let x ∈ L such that:
x = α1b1 + · · · + αsbs,
then we have the following inequality:
‖αibi‖ ≤ 23s‖x‖,for all i = 1, ..., s.
LATTICES IN ALGORITHMIC AND CRYPTOGRAPHY. University of Maria Curie-Sklodowska, Lublin 3-14 Decembe r 2012. – p.72/72