Lecture Notes in Computer Science 2146 EditedbyG.Goos,J.HartmanisandJ.vanLeeuwen 3 Berlin Heidelberg NewYork Barcelona HongKong London Milan Paris Singapore Tokyo Joseph H. Silverman (Ed.) Cryptography and Lattices International Conference, CaLC 2001 Providence, RI, USA, March 29-30, 2001 Revised Papers 1 3 SeriesEditors GerhardGoos,KarlsruheUniversity,Germany JurisHartmanis,CornellUniversity,NY,USA JanvanLeeuwen,UtrechtUniversity,TheNetherlands VolumeEditor JosephH.Silverman BrownUniversity,MathematicsDepartment-Box1917 Providence,RI02912,USA E-mail:[email protected] Cataloging-in-PublicationDataappliedfor DieDeutscheBibliothek-CIP-Einheitsaufnahme Cryptographyandlattices:internationalconference,revisedpapers/CaLC 2001,Providence,RI,USA,March29-30,2001.JosephH.Silverman(ed.).- Berlin;Heidelberg;NewYork;Barcelona;HongKong;London;Milan; Paris;Singapore;Tokyo:Springer,2001 (Lecturenotesincomputerscience;Vol.2146) ISBN3-540-42488-1 CRSubjectClassification(1998):E.3,F.2.1,F.2.2,G.1,I.1.2,G.2,K.4.4 ISSN0302-9743 ISBN3-540-42488-1Springer-VerlagBerlinHeidelbergNewYork Thisworkissubjecttocopyright.Allrightsarereserved,whetherthewholeorpartofthematerialis concerned,specificallytherightsoftranslation,reprinting,re-useofillustrations,recitation,broadcasting, reproductiononmicrofilmsorinanyotherway,andstorageindatabanks.Duplicationofthispublication orpartsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9,1965, initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer-Verlag.Violationsare liableforprosecutionundertheGermanCopyrightLaw. Springer-VerlagBerlinHeidelbergNewYork amemberofBertelsmannSpringerScience+BusinessMediaGmbH http://www.springer.de ©Springer-VerlagBerlinHeidelberg2001 PrintedinGermany Typesetting:Camera-readybyauthor,dateconversionbyChristianGrosche,Hamburg Printedonacid-freepaper SPIN10840224 06/3142 543210 Preface These are the proceedings of CaLC 2001, the first conference devoted to cryp- tography and lattices. We have long believed that the importance of lattices and lattice reduction in cryptography, both for cryptographic construction and cryptographicanalysis,meritsagatheringdevotedtothistopic.Theenthusiastic responsethatwereceivedfromtheprogramcommittee,theinvitedspeakers,the many people who submitted papers, and the 90 registered participants amply confirmed the widespread interest in lattices and their cryptographic applica- tions. We thank everyone whose involvement made CaLC such a successful event; inparticularwethankNatalieJohnson,LarryLarrivee,DoreenPappas,andthe Brown University Mathematics Department for their assistance and support. March 2001 Jeffrey Hoffstein, Jill Pipher, Joseph Silverman VI Preface Organization CaLC2001wasorganizedbythe DepartmentofMathematicsatBrownUniver- sity. The programchairs express their thanks to the programcommitee and the additionalexternalrefereesfortheirhelpinselecting the papersforCaLC2001. TheprogramchairswouldalsoliketothankNTRUCryptosystemsforproviding financial support for the conference. Program Commitee (cid:127) Don Coppersmith <[email protected]> IBM Research (cid:127) Jeffrey Hoffstein (co-chair) <[email protected]>,<[email protected]> Brown University and NTRU Cryptosystems (cid:127) Arjen Lenstra <[email protected]> Citibank, USA (cid:127) Phong Nguyen <[email protected]> ENS (cid:127) Andrew Odlyzko <[email protected]> AT&T Labs Research (cid:127) Joseph H. Silverman (co-chair) <[email protected]>,<[email protected]> Brown University and NTRU Cryptosystems External Referees Ali Akhavi, Glenn Durfee, Nick Howgrave-Graham,Daniele Micciancio Sponsoring Institutions NTRU Cryptosystems, Inc., Burlington, MA <www.ntru.com> Table of Contents AnOverveiw oftheSieveAlgorithmforthe Shortest LatticeVectorProblem 1 Miklo(cid:19)s Ajtai, Ravi Kumar, and Dandapani Sivakumar Low Secret Exponent RSA Revisited ::::::::::::::::::::::::::::::::: 4 Johannes Bl¨omer and Alexander May FindingSmall Solutions to SmallDegree Polynomials::::::::::::::::::: 20 Don Coppersmith Fast Reduction of Ternary Quadratic Forms::::::::::::::::::::::::::: 32 Friedrich Eisenbrand and Gu¨nter Rote Factoring Polynomialsand 0-1 Vectors:::::::::::::::::::::::::::::::: 45 Mark van Hoeij Approximate Integer CommonDivisors ::::::::::::::::::::::::::::::: 51 Nick Howgrave-Graham Segment LLL-Reduction of Lattice Bases ::::::::::::::::::::::::::::: 67 Henrik Koy and Claus Peter Schnorr Segment LLL-Reduction with FloatingPoint Orthogonalization:::::::::: 81 Henrik Koy and Claus Peter Schnorr TheInsecurityofNyberg-RueppelandOtherDSA-LikeSignatureSchemes with PartiallyKnown Nonces:::::::::::::::::::::::::::::::::::::::: 97 Edwin El Mahassni, Phong Q. Nguyen, and Igor E. Shparlinski DimensionReduction Methods for ConvolutionModular Lattices ::::::::110 Alexander May and Joseph H. Silverman ImprovingLattice Based Cryptosystems Using the Hermite Normal Form :126 Daniele Micciancio The Two Faces of Lattices in Cryptology::::::::::::::::::::::::::::::146 Phong Q. Nguyen and Jacques Stern A 3-DimensionalLattice Reduction Algorithm:::::::::::::::::::::::::181 Igor Semaev The Shortest Vector Problem in Lattices with Many Cycles :::::::::::::194 M(cid:23)arten Trolin Multisequence Synthesis over an Integral Domain ::::::::::::::::::::::206 Li-ping Wang and Yue-fei Zhu Author Index::::::::::::::::::::::::::::::::::::::::::::::::::::219 An Overview of the Sieve Algorithm for the Shortest Lattice Vector Problem Miklo´s Ajtai, Ravi Kumar, and Dandapani Sivakumar IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120 {ajtai,ravi,siva}@almaden.ibm.com We present an overview of a randomized 2O(n) time algorithm to compute a shortest non-zero vector in an n-dimensional rational lattice. The complete details of this algorithm can be found in [2]. AlatticeisadiscreteadditivesubgroupofRn.Onewaytospecifyalatticeis throughabasis.AbasisB ={b1,...,bn}isasetoflinearlyin(cid:1)dependentvectors in Rn. The lattice generated by a basis B is L = L(B) = { ni=1cibi |ci ∈Z}. The shortest lattice vector problem (SVP) is the problem of finding a shortest non-zerovector(under somenorm,usually (cid:8) )in L.The α-approximateversion 2 of SVP is to find a non-zero lattice vector whose length is at most α times the length of a shortest non-zero lattice vector. SVP has a rich history. Gauss and Hermite studied an equivalent of SVP in the context of minimizing quadratic forms [4,7]. Dirichlet formulated SVP undertheguiseofdiophantineapproximations.Usingtheconvexbodytheorem, Minkowski gave an existential bound on the shortest vector in a lattice [13]. Though the extended Euclidean GCD algorithm can be used to solve SVP in two dimensions, the first algorithmic breakthrough in n dimensions was ob- tained in a celebrated result of Lenstra, Lenstra, and Lov´asz [10], who gave an algorithm (the LLL algorithm) that computes a 2n/2-approximate shortest vectorin polynomialtime. This wasimprovedin a generalizationofthe LLL al- gorithm by Schnorr [14], who obtained a hierarchy of algorithms that provide a uniform trade-off between the running time and the approximationfactor. This algorithm runs in nO(1)kO(k) steps to solve a kO(n/k)-approximate SVP. For in- stance,a polynomial-time versionofthis algorithmimprovesthe approximation factor obtained by the LLL algorithm to 2n(loglogn)2/logn. Kannan [8] obtained a 2O(nlogn) time algorithm for the exact SVP. The constant in the exponent of this algorithm was improved to about 1/2 by Helfrich [6]. Recently, Kumar and Sivakumar solved the decision versionof n3-approximateSVP in 2O(n) time [9]. Onthe hardnessfront, SVP for the L∞ norm wasshown to be NP-complete by vanEmde Boas [3]. Ajtai [1] provedthat SVP under the (cid:8) normis NP-hard 2 under randomized reductions. Miccian√cio [12] showed that the α-approximate SVP remains NP-hard for any α < 2. Lagarias, Lenstra, and Schnorr [11] showedthatn-approxim(cid:2)ateSVPisunlikelytobeNP-hard.GoldreichandGold- wasser [5] showed that n/logn-approximate SVP is unlikely to be NP-hard. Wesketcharandomized2O(n) algorithmforSVP(in(cid:8) norm)foralatticeL 2 in Rn. In fact, in 2O(n) time, our algorithm can find all α-approximate shortest vectors for any constant α≥1. J.H.Silverman(Ed.):CaLC2001,LNCS2146,pp.1–3,2001. (cid:2)c Springer-VerlagBerlinHeidelberg2001 2 Mikl´os Ajtai, RaviKumar,and DandapaniSivakumar WemakeafewsimplifyingassumptionsaboutthelatticeL:(1)thelengthof shortestvectorisatleast1andatmost2—thiscanberealizedbyappropriately scaling L; (2) the length of the longest vector in the basis is at most 2O(n) — this can be realized by appropriate applications of the LLL algorithm. Wecreatealarge(sidesofexponentiallength)parallelepipedP thatis fairly closetobeingacube.Thenweuniformlysamplealargenumberoflatticepoints z1,...,zN, N = 2O(n), from P ∩L, and to each sample zi, we add a uniform perturbation vector yi of expected length O(1) to obtain a sequence of points x1,...,xN.For eachperturbed lattice pointxi, we will keeptrack oftwo lattice points: its “true identity” zi, and an “approximator”ai, initially set to 0. Then, we use the following sieve procedure — given sufficiently many points in Rn of length atmostR, identify a smallset of“representatives”fromthe set of points and a large set of “survivors”such that for every survivor point, there is a representative at distance at most R/2. We repeatedly apply the sieve to thevectorsxi−ai;foreachsurvivorxi−ai withrepresentativexj−aj,weknow thatthe distance betweenxi−ai andxj−aj is abouthalfthe distancebetween xi and ai. Therefore, ai +xj −aj is a better approximation to xi, and since xj is close to its true identity zj, we define the new approximator for xi to be ai+zj−aj. In these steps, once the true identity of a point is revealed,we will not use it in the future. We repeat this process until the distance between the points and their approximators are bounded by another constant. Finally, if xi still survives and has an approximatorai, output the lattice point wi =zi−ai. Since both zi and ai are close to xi, with high probability, the length of wi is bounded by a constant. We will denote this process as the basic algorithm. Note that if the basic algorithmstops with a non-zerowi, we already havea constantfactor approximationalgorithmforSVP. Toensure thatwi is non-zero with good probability and to obtain the shortest vector, we make the following argument. Let u denote a shortest vector in L. Let w = wi be a lattice point of constant length that is output by the procedure above. Let x be a sample point from which w was obtained, and let z ∈L be the true identity of x. Since the perturbations are small, we can argue that the probability (conditioned on x being a sample) that one of z±u is the true identity of x is at least 2−O(n) times the probability that z is the true identity of x. Furthermore — and this is the crucial point — the basic algorithm is oblivious to the true identity of x. Using this fact, we will argue that for some w, w+u has at least 2−O(n) times the probability of w to be the output of the basic algorithm. Since the number oflatticepointsintheballofconstantradiusaroundtheoriginisatmost2O(n), we obtain that there is at least one w ∈L whose probability of being output is at least 2−O(n) and w+u has the probability of being output at least 2−O(n). Therefore,byrepeatingthebasicalgorithm2O(n) timeswecanensurethatwith high probability both w and w + u are output. Thus, the final algorithm is the following: repeat the basic algorithm 2O(n) times, take all possible pairwise differences of the points output by the basic algorithm, and output the shortest of these vectors. More details of this algorithm can be found in [2].