Ulaanbaatar (Mongolia) School of Mathematic and …michel.waldschmidt/articles/pdf/...September 14-20, 2015 Ulaanbaatar (Mongolia) School of Mathematic and Computer Science, National

September 14-20, 2015

Ulaanbaatar (Mongolia)

School of Mathematic and Computer Science,

National University of Mongolia.

Lattice Cryptography

Michel Waldschmidt

Institut de Mathematiques de Jussieu — Paris VIhttp://webusers.imj-prg.fr/~michel.waldschmidt/

http://webusers.imj-prg.fr/~michel.waldschmidt/

SEAMS School 2015

”Number Theory and Applicationsin Cryptography and Coding Theory”

University of Science, Ho Chi Minh, Vietnam

August 31 - September 08, 2015

Course on Lattices and Applications byDung Duong, University of Bielefeld,Khuong A. Nguyen, HCMUT, VNU-HCMHa Tran, Aalto University

Slides :http://www.math.uni-bielefeld.de/~dhoang/seams15/

http://www.math.uni-bielefeld.de/~dhoang/seams15/

CIMPA-ICTP School 2016

Lattices and application tocryptography and coding theory

CIMPA-ICTP-VIETNAMResearch School co-sponsored with ICTP

Ho Chi Minh, August 1-12, 2016

http://www.cimpa-icpam.org/

http://ricerca.mat.uniroma3.it/users/valerio/hochiminh16.html

Applications : http://students.cimpa.info/login

http://www.cimpa-icpam.org/

http://ricerca.mat.uniroma3.it/users/valerio/hochiminh16.html

http://students.cimpa.info/login

Main references

• Jeffrey Hoffstein, Jill Pipher and Joseph H. Silverman : Anintroduction to mathematical cryptography. SpringerUndergraduate Texts in Mathematics, 2008. Second ed. 2014.

• Wade Trappe and Lawrence C. Washington : Introduction toCryptography with Coding Theory. Pearson Prentice Hall,2006.http://en.bookfi.org/book/1470907

http://en.bookfi.org/book/1470907

Further references

• A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovacz : FactoringPolynomials with Rational Coefficients. Math Annalen 261(1982) 515–534.

• Daniele Micciancio & Oded Regev : Lattice-basedCryptography (2008).http://www.cims.nyu.edu/~regev/papers/pqc.pdf

• Joachim von zur Gathen & Jurgen Gerhard. Modern ComputerAlgebra. Cambridge University Press, Cambridge, UK, Thirdedition (2013).https://cosec.bit.uni-bonn.de/science/mca/

• Abderrahmane Nitaj : Applications de l’algorithme LLL encryptographie . Informal notes.http://math.unicaen.fr/~nitaj/LLLapplic.pdf

http://www.cims.nyu.edu/~regev/papers/pqc.pdf

https://cosec.bit.uni-bonn.de/science/mca/

http://math.unicaen.fr/~nitaj/LLLapplic.pdf

Subgroups of Rn

Examples

Finitely generated or not, finite rank or not

discrete or not, dense or not, closed or not

Classification of closed subgroups of R

Classification of closed subgroups of R2, of Rn

Subgroups of Rn

Examples





Subgroups of Rn

Examples





Subgroups of Rn

Examples





Subgroups of Rn

Examples





Quotient of Rn by a discrete subgroup

Additive group : C

Multiplicative group : C×

R/Z ' U R −→ U t 7−→ e2iπt

C/Z ' C× C −→ C× z 7−→ e2iπz

Elliptic curve : C/L L = Zω1 + Zω2 lattice in C ' R2

Abelian variety : Cg/L L lattice in Cg ' R2g

Commutative algebraic groups over C.


Additive group : C


R/Z ' U R −→ U t 7−→ e2iπt

C/Z ' C× C −→ C× z 7−→ e2iπz





Additive group : C


R/Z ' U R −→ U t 7−→ e2iπt

C/Z ' C× C −→ C× z 7−→ e2iπz





Additive group : C


R/Z ' U R −→ U t 7−→ e2iπt

C/Z ' C× C −→ C× z 7−→ e2iπz





Additive group : C


R/Z ' U R −→ U t 7−→ e2iπt

C/Z ' C× C −→ C× z 7−→ e2iπz





Additive group : C


R/Z ' U R −→ U t 7−→ e2iπt

C/Z ' C× C −→ C× z 7−→ e2iπz





Additive group : C


R/Z ' U R −→ U t 7−→ e2iπt

C/Z ' C× C −→ C× z 7−→ e2iπz




Some acronymes

DES : Data Encryption Standard (1977)

AES : Advanced Encryption Standard (2000)

RSA : Rivest, Shamir, Adelman (1978)

LLL : Lenstra, Lenstra, Lovacz (1982)

SVP : Shortest Vector Problem (and approximate versions)

CVP : Closest Vector Problem (and approximate versions)

SBP : Shortest Basis Problem (and approximate versions)

Some acronymes








Some acronymes








Some acronymes








Some acronymes








Some acronymes








Some acronymes








Lattice based cryptosystems (∼ 1995)

Ajtai - Dwork

GGH : Goldreich, Goldwasser, Halevi

NTRU : Number Theorists Are Us (Are Useful)Hoffstein, Pipher and Silverman


Ajtai - Dwork




Ajtai - Dwork



An argument of Paul Turan

Theorem (Fermat). An odd prime p is the sum of twosquares if and only if p is congruent to 1 modulo 4.

Proof.

Step 1. For an odd prime p, the following conditions areequivalent.(i) p ≡ 1 (mod 4).(ii) −1 is a square in the finite field Fp.(iii) −1 is a quadratic residue modulo p(iv) There exists an integer r such that p divides r2 + 1.


Theorem (Fermat). An odd prime p is the sum of twosquares if and only if p is congruent to 1 modulo 4.

Proof.

Step 1. For an odd prime p, the following conditions areequivalent.(i) p ≡ 1 (mod 4).(ii) −1 is a square in the finite field Fp.(iii) −1 is a quadratic residue modulo p(iv) There exists an integer r such that p divides r2 + 1.


Step 2. If p is a sum of two squares, then p is congruent to 1modulo 4.


Step 3. Assume p divides r2 + 1. Let L be the lattice withbasis (1, r)T , (0, p)T . The determinant of L is p. UsingMinkowski’s Theorem with the disk of radius R, we deducethat L contains a vector (a, b)T of norm

√a2 + b2 ≤ R as

soon as πR2 > 4p. Take

R =2√p

√3

so that πR2 > 4p and R2 < 2p.

Hence there exists such a vector with a2 + b2 < 2p.

Since (a, b)T ∈ L, there exists c ∈ Z with b = ar + cp. Since pdivides r2 + 1, it follows that a2 + b2 is a multiple of p. Theonly nonzero multiple of p of absolute value less than 2p is p.Hence p = a2 + b2.



√a2 + b2 ≤ R as


R =2√p

√3






√a2 + b2 ≤ R as


R =2√p

√3






√a2 + b2 ≤ R as


R =2√p

√3






√a2 + b2 ≤ R as


R =2√p

√3






√a2 + b2 ≤ R as


R =2√p

√3






√a2 + b2 ≤ R as


R =2√p

√3




Minkowski’s first Theorem

Let K be a compact convex set in Rn symmetric about 0 suchthat 0 lies in the interior of K. Let λ1 = λ1(K) be the infimumof the real numbers λ such that λK contains an integer pointin Zn distinct from 0. Let V = V (K) be the volume of K. Setλ = 2V −1/n. Then λK is a convex body with volume 2n. ByMinkowski’s convex body theorem λK contains an integerpoint 6= 0. Therefore λ1 ≤ 2V −1/n, which means

λn1V < 2n.

This is Minkowski’s first Theorem.

Minkowski’s second theorem

For each integer j with 1 ≤ j ≤ n, let λj = λj(K) be theinfimum of all λ > 0 such that λK contains j linearlyindependent integer points. Then

0 < λ1 ≤ λ2 · · · ≤ λn <∞.

The numbers λ1, λ2, . . . , λn are the successive minima of K.

Theorem [Minkowski’s second convex body theorem, 1907].

2n

n!≤ λ1 · · ·λnV ≤ 2n.

Minkowski’s second theorem

For each integer j with 1 ≤ j ≤ n, let λj = λj(K) be theinfimum of all λ > 0 such that λK contains j linearlyindependent integer points. Then

0 < λ1 ≤ λ2 · · · ≤ λn <∞.

The numbers λ1, λ2, . . . , λn are the successive minima of K.

Theorem [Minkowski’s second convex body theorem, 1907].

2n

n!≤ λ1 · · ·λnV ≤ 2n.

Examples

Examples :• for the cube |xi| ≤ 1, the volume V is 2n and the successiveminima are all 1.• for the octahedron |x1|+ · · ·+ |xn| ≤ 1, the volume V is2n/n! and the successive minima are all 1.

Remark : Minkowski’s Theorems extend to any full ranklattice L ⊂ Rn : if b1, . . . , bn is a basis of L, taking b1, . . . , bnas a basis of Rn over R amounts to replace L by Zn.

Reference :W.M. Schmidt. Diophantine Approximation. Lecture Notes inMathematics 785, Chap. 4, Springer Verlag, 1980.

Examples




Examples




Simultaneous approximationProposition (A.K. Lenstra, H.W. Lenstra, L. Lovasz, 1982).There exists a polynomial-time algorithm that, given a positiveinteger n and rational numbers α1, . . . , αn, ε satisfying0 < ε < 1, finds integers p1, . . . , pn, q for which

|pi − qαi| ≤ ε for 1 ≤ i ≤ n and 1 ≤ q ≤ 2n(n+1)/4ε−n.

Proof. Let L be the lattice of rank n+ 1 spanned by thecolumns of the (n+ 1)× (n+ 1) matrix

1 · · · 0 −α1...

. . ....

...0 · · · 1 −αn0 · · · 0 η

with η = 2−n(n+1)/4εn+1. The inner product of any twocolumns is rational. By the LLL algorithm, there is apolynomial-time algorithm to find a reduced basis b1, . . . , bn+1

for L.

Simultaneous approximationProposition (A.K. Lenstra, H.W. Lenstra, L. Lovasz, 1982).There exists a polynomial-time algorithm that, given a positiveinteger n and rational numbers α1, . . . , αn, ε satisfying0 < ε < 1, finds integers p1, . . . , pn, q for which

|pi − qαi| ≤ ε for 1 ≤ i ≤ n and 1 ≤ q ≤ 2n(n+1)/4ε−n.

Proof. Let L be the lattice of rank n+ 1 spanned by thecolumns of the (n+ 1)× (n+ 1) matrix

1 · · · 0 −α1...

. . ....

...0 · · · 1 −αn0 · · · 0 η

with η = 2−n(n+1)/4εn+1. The inner product of any twocolumns is rational. By the LLL algorithm, there is apolynomial-time algorithm to find a reduced basis b1, . . . , bn+1

for L.

Simultaneous approximation

Since det(L) = η, we have

2n/4 det(L)1/(n+1) = ε

and|b1| ≤ ε.

Since b1 ∈ L, we can write

b1 = (p1 − qα1, p2 − qα2, . . . , pn − qαn, qη)T

with p1, . . . , pn, q ∈ Z. Hence

|pi − qαi| ≤ ε for 1 ≤ i ≤ n and |q| ≤ 2n(n+1)/4ε−n.

From ε < 1 and b1 6= 0 we deduce q 6= 0. Replacing b1 by −b1if necessary we may assume q > 0.

Dirichlet’s theorems on simultaneous

approximation

Let α1, . . . , αn be real numbers and Q > 1 an integer.(i) There exists integers p1, . . . , pn, q with

1 ≤ q < Q and |αiq − pi| ≤1

Q1/n·

(ii) There exists integers q1, . . . , qn, p with

1 ≤ max{|q1|, . . . , |qn|} < Q and |α1q1 + · · ·+ αnqn − p| ≤1

Qn·

The proofs are easy applications of Dirichlet Box Principle (seeChap. II of Schmidt LN 785).

Connection with SVP - (i)Let ε > 0. Define η = ε/Q. Consider the L be the lattice ofrank n+ 1 spanned by the columns vectors v1, . . . , vn+1 of the(n+ 1)× (n+ 1) matrix

1 · · · 0 −α1...

. . ....

...0 · · · 1 −αn0 · · · 0 η

.

If v = p1v1 + · · ·+ pnvn + qvn+1 is an element of L whichsatisfies 0 < max{|v1|, . . . , |vn+1|} < ε, then we have

1 ≤ q < Q and |αiq − pi| ≤ ε·

The determinant of L is η. From Minkowski’s first Theorem,we deduce that there exists such a vector with εn+1 = 2n+1η.With η = ε/Q we obtain εn = 2n+1/Q

Connection with SVP - (ii)Let ε > 0. Define η = ε/Q. Consider the L be the lattice ofrank n+ 1 spanned by the columns vectors v1, . . . , vn+1 of the(n+ 1)× (n+ 1) matrix

η · · · 0 0...

. . ....

...0 · · · η 0α1 · · · αn −1

.

If v = q1v1 + · · ·+ qnvn + pvn+1 is an element of L whichsatisfies 0 < max{|v1|, . . . , |vn+1|} < ε, then we have

1 ≤ qi < ε/η = Q and |α1q1 + · · ·+ αnqn − p| < ε·

The determinant of L is −ηn. From Minkowski’s firstTheorem, we deduce that there exists such a vector withεn+1 = 2n+1ηn. With η = ε/Q we obtain ε = 2n+1/Qn.

Documents

Ulaanbaatar (Mongolia) School of Mathematic and …michel.waldschmidt/articles/pdf/...September 14-20, 2015 Ulaanbaatar (Mongolia) School of Mathematic and Computer Science, National