lattices & factoring - iacr
TRANSCRIPT
Lattices & FactoringInvited Talk
Leo Ducas
CWI, Amsterdam, The Netherlands
PKC, May 10th, 2021
Leo Ducas (CWI) Lattices & Factoring
Modern Cryptography, This Old Thing
Cryptography is getting old.
Cryptography has reached a non-negligible age.Let’s write our history before it gets lost.
Leo Ducas (CWI) Lattices & Factoring
Modern Cryptography, This Old Thing
Cryptography is getting old.Cryptography has reached a non-negligible age.
Let’s write our history before it gets lost.
Leo Ducas (CWI) Lattices & Factoring
Modern Cryptography, This Old Thing
Cryptography is getting old.Cryptography has reached a non-negligible age.Let’s write our history before it gets lost.
Leo Ducas (CWI) Lattices & Factoring
Knapsack-based Cryptography
Typical narrative on Knapsack-based cryptography
An embarrassement to forgetAjtai single-handedly put an end to that dark Era
I do not subscribe to that narrative.If I have seen further,
it is by standing on the shoulders of Giants.– Isaac Newton
Ajtai is a Giant of Lattice-based Cryptography.Let’s enjoy the the view he had from the shoulders his own Giants.
Leo Ducas (CWI) Lattices & Factoring
Knapsack-based Cryptography
Typical narrative on Knapsack-based cryptography
An embarrassement to forgetAjtai single-handedly put an end to that dark Era
I do not subscribe to that narrative.
If I have seen further,it is by standing on the shoulders of Giants.
– Isaac Newton
Ajtai is a Giant of Lattice-based Cryptography.Let’s enjoy the the view he had from the shoulders his own Giants.
Leo Ducas (CWI) Lattices & Factoring
Knapsack-based Cryptography
Typical narrative on Knapsack-based cryptography
An embarrassement to forgetAjtai single-handedly put an end to that dark Era
I do not subscribe to that narrative.If I have seen further,
it is by standing on the shoulders of Giants.– Isaac Newton
Ajtai is a Giant of Lattice-based Cryptography.Let’s enjoy the the view he had from the shoulders his own Giants.
Leo Ducas (CWI) Lattices & Factoring
Today’s Giants
Factoring with Lattices Short VectorsC-P. Schnorr L. Adleman
Decoding Lattices by FactorizationB. Chor R. Rivest
Leo Ducas (CWI) Lattices & Factoring
Today’s Giants
Factoring with Lattices Short VectorsC-P. Schnorr L. Adleman
Decoding Lattices by FactorizationB. Chor R. Rivest
Leo Ducas (CWI) Lattices & Factoring
Part I:Factoring with Lattice Short Vectors
Leo Ducas (CWI) Lattices & Factoring
Factoring: the Quadratic Sieve [Pomerance, 1981]
Notation : ≡ for congruence modulo N
Goal: Find a non-trivial1 solution to X 2 ≡ Y 2
⇒ (X − Y )(X + Y ) ≡ 0⇒ gcd(X ± Y ,N) is a non-trivial factor of N
A two-steps process:Collect RelationsLinear Algebra
1X 6≡ ±Y mod NLeo Ducas (CWI) Lattices & Factoring
Factoring: the Quadratic Sieve [Pomerance, 1981]
Notation : ≡ for congruence modulo N
Goal: Find a non-trivial1 solution to X 2 ≡ Y 2
⇒ (X − Y )(X + Y ) ≡ 0⇒ gcd(X ± Y ,N) is a non-trivial factor of N
A two-steps process:Collect RelationsLinear Algebra
1X 6≡ ±Y mod NLeo Ducas (CWI) Lattices & Factoring
Step 1: Relation Collection
Define a factor basis: F = {p|p is primes, p ≤ B}Repeat:
Pick random X , compute Z = X 2 mod NUse trial division to write Z =
∏pei
i (pi ∈ F)If successful, store the relation X 2 ≡
∏pei
i
Until B relations are collected
The complexity trade-off
Increasing B improves the success probability of each trialBut more relations are neededThe optimum is at B = exp(O(
√log N)) = LN(1/2)
Leo Ducas (CWI) Lattices & Factoring
Step 1: Relation Collection
Define a factor basis: F = {p|p is primes, p ≤ B}Repeat:
Pick random X , compute Z = X 2 mod NUse trial division to write Z =
∏pei
i (pi ∈ F)If successful, store the relation X 2 ≡
∏pei
i
Until B relations are collected
The complexity trade-off
Increasing B improves the success probability of each trialBut more relations are neededThe optimum is at B = exp(O(
√log N)) = LN(1/2)
Leo Ducas (CWI) Lattices & Factoring
Step 2: Linear Algebra
We have collected relations:
X 21 ≡ p1
e1,1 p2e1,2 p3
e1,3 · · ·X 2
2 ≡ p1e2,1 p2
e2,2 p3e2,3 · · ·
X 23 ≡ p1
e3,1 p2e3,2 p3
e3,3 · · ·...
......
...... . . .
Combine the above to make all exponents even integers
Done by solving a linear system over F2
Obtain a solution to
X 2 ≡ Y 2 mod N
Leo Ducas (CWI) Lattices & Factoring
Step 2: Linear Algebra
We have collected relations:
X 21 ≡ p1
e1,1 p2e1,2 p3
e1,3 · · ·X 2
2 ≡ p1e2,1 p2
e2,2 p3e2,3 · · ·
X 23 ≡ p1
e3,1 p2e3,2 p3
e3,3 · · ·...
......
...... . . .
Combine the above to make all exponents even integersDone by solving a linear system over F2
Obtain a solution to
X 2 ≡ Y 2 mod N
Leo Ducas (CWI) Lattices & Factoring
Step 2: Linear Algebra
We have collected relations:
X 21 ≡ p1
e1,1 p2e1,2 p3
e1,3 · · ·X 2
2 ≡ p1e2,1 p2
e2,2 p3e2,3 · · ·
X 23 ≡ p1
e3,1 p2e3,2 p3
e3,3 · · ·...
......
...... . . .
Combine the above to make all exponents even integersDone by solving a linear system over F2
Obtain a solution to
X 2 ≡ Y 2 mod N
Leo Ducas (CWI) Lattices & Factoring
Optimizing Relation Collection
X 2 mod N is as large as N for random XMaking it smaller would improve the success of trial division
Could we aim for X 2 mod N that are significantly smaller ?
Choose X ≈√
N, so that X 2 ≈ NIf X =
√N + ε, with ε�
√N, then:
X 2 ≡ 2ε√
N + ε2
The complexity gainImproves the hidden constant in exp(O(
√log N)) = LN(1/2)
Leo Ducas (CWI) Lattices & Factoring
Optimizing Relation Collection
X 2 mod N is as large as N for random XMaking it smaller would improve the success of trial division
Could we aim for X 2 mod N that are significantly smaller ?
Choose X ≈√
N, so that X 2 ≈ NIf X =
√N + ε, with ε�
√N, then:
X 2 ≡ 2ε√
N + ε2
The complexity gainImproves the hidden constant in exp(O(
√log N)) = LN(1/2)
Leo Ducas (CWI) Lattices & Factoring
Optimizing Relation Collection
X 2 mod N is as large as N for random XMaking it smaller would improve the success of trial division
Could we aim for X 2 mod N that are significantly smaller ?
Choose X ≈√
N, so that X 2 ≈ NIf X =
√N + ε, with ε�
√N, then:
X 2 ≡ 2ε√
N + ε2
The complexity gainImproves the hidden constant in exp(O(
√log N)) = LN(1/2)
Leo Ducas (CWI) Lattices & Factoring
Aiming Better [Schnorr 1991]
A RelaxationThe left-hand-side needs not be square, B-smooth can do as well:
p1e′
1p2e′
2p3e′
3 · · · ≡ p1e1p2
e2p3e3 · · ·
1 ≡ p1e1−e′
1p2e2−e′
2p3e3−e′
3 · · ·
Our New GoalFind positive exponents (e′1, e′2, e′3, . . .) such that
p1e′
1p2e′
2p3e′
3 · · · ≈ N
This is an (approximate) knapsack problem !
e′1 ln p1 + e′2 ln p2 + e′3 ln p3 + · · · ≈ ln N
Leo Ducas (CWI) Lattices & Factoring
Aiming Better [Schnorr 1991]
A RelaxationThe left-hand-side needs not be square, B-smooth can do as well:
p1e′
1p2e′
2p3e′
3 · · · ≡ p1e1p2
e2p3e3 · · ·
1 ≡ p1e1−e′
1p2e2−e′
2p3e3−e′
3 · · ·
Our New GoalFind positive exponents (e′1, e′2, e′3, . . .) such that
p1e′
1p2e′
2p3e′
3 · · · ≈ N
This is an (approximate) knapsack problem !
e′1 ln p1 + e′2 ln p2 + e′3 ln p3 + · · · ≈ ln N
Leo Ducas (CWI) Lattices & Factoring
Aiming with lattices [Schnorr 1991]
Choose a constant C to rewrite the knapsack as a lattice CVP
ln p1ln p2
ln p3. . .
ln pnC ln p1 C ln p2 C ln p3 · · · C ln pn
·
e′
1e′
2e′
3...
e′n
≈
000...0
C ln N
Knapsack 6= CVPThe lattice solution (e′1, e′2, e′3, . . .) may not have positive exponents
But that might be OK !
u/v ≈ N ⇒ u ≈ vN, therefore S = u − vN may be smallQuality degrades as v =
∏e′
i <0 p−eii gets larger
Leo Ducas (CWI) Lattices & Factoring
Aiming with lattices [Schnorr 1991]
Choose a constant C to rewrite the knapsack as a lattice CVP
ln p1ln p2
ln p3. . .
ln pnC ln p1 C ln p2 C ln p3 · · · C ln pn
·
e′
1e′
2e′
3...
e′n
≈
000...0
C ln N
Knapsack 6= CVPThe lattice solution (e′1, e′2, e′3, . . .) may not have positive exponents
But that might be OK !
u/v ≈ N ⇒ u ≈ vN, therefore S = u − vN may be smallQuality degrades as v =
∏e′
i <0 p−eii gets larger
Leo Ducas (CWI) Lattices & Factoring
Attempting Average-Case Analysis
Lattice Pitfalls
The lattice is not full dimensional apply due projectionsGaussian Heuristic seems invalid for certain CThe `2 norm is a bit inadequate `1 more relevantNaive predictions of `2/`1 can also fail
Trial Division Pitfall
B-Smoothness probability of S = u − vN lower than expected
pi |u ∨ pi |v ⇒ pi 6 |S
Mind the Variants
Most papers force B = pn or B = 1. Here: B unconstrained.The diagonal part of the lattice may vary as well.
Leo Ducas (CWI) Lattices & Factoring
Experiments
10 20 30 40 50 600
0.2
0.4
0.6
0.8
1
Lattice dimension n
logS
/lo
gN
N: 50 bitsN: 100 bitsN: 200 bitsN: 400 bitsQS baseline
The size of S roughly dictates the cost of the non-lattice stepsFor factoring a 100-bits N, to beat QS at the non-lattice steps, weshould need a lattice dimension of at least n ≥ 50.
Leo Ducas (CWI) Lattices & Factoring
Experiments
10 20 30 40 50 600
0.2
0.4
0.6
0.8
1
Lattice dimension n
logS
/lo
gN
N: 50 bitsN: 100 bitsN: 200 bitsN: 400 bitsQS baseline
The size of S roughly dictates the cost of the non-lattice stepsFor factoring a 100-bits N, to beat QS at the non-lattice steps, weshould need a lattice dimension of at least n ≥ 50.
Leo Ducas (CWI) Lattices & Factoring
My two Cents
It’s a deep and brilliant idea . . . that doesn’t seem to work /A solid complexity analysis is still missing
and appears quite challenging . . .It nevertheless found applications beyond factoring
An attempt at proving SVP ≥ Factoring [Adleman 1995]A sucessful proof of NP-hardness for SVP [Ajtai 1998]Idea reused for in relation to the abc-conjecture [Bright 2014]Idea reused in a Module-LLL Algorithm [LPSW 2019]
Leo Ducas (CWI) Lattices & Factoring
My two Cents
It’s a deep and brilliant idea . . . that doesn’t seem to work /A solid complexity analysis is still missing
and appears quite challenging . . .It nevertheless found applications beyond factoring
An attempt at proving SVP ≥ Factoring [Adleman 1995]A sucessful proof of NP-hardness for SVP [Ajtai 1998]Idea reused for in relation to the abc-conjecture [Bright 2014]Idea reused in a Module-LLL Algorithm [LPSW 2019]
Leo Ducas (CWI) Lattices & Factoring
A Surprising Twist [Ajtai 1998]
Recall the gap between Knapsack and SVP
Knapsack solutions ∈ {0, 1}n, SVP solution Zn
Knapsack was known to be NP-hard, but not SVP
The key Insight
{0, 1}n solutions in Schnorr-Adleman lattice are incorrespondence with smooth and square-free integersWe know how to count those !
A proof that SVP ≥ Knapsack
Therefore SVP is NP-hardLearn more from Daniele’s talk next week at the RISC seminar
Leo Ducas (CWI) Lattices & Factoring
A Surprising Twist [Ajtai 1998]
Recall the gap between Knapsack and SVP
Knapsack solutions ∈ {0, 1}n, SVP solution Zn
Knapsack was known to be NP-hard, but not SVP
The key Insight
{0, 1}n solutions in Schnorr-Adleman lattice are incorrespondence with smooth and square-free integersWe know how to count those !
A proof that SVP ≥ Knapsack
Therefore SVP is NP-hardLearn more from Daniele’s talk next week at the RISC seminar
Leo Ducas (CWI) Lattices & Factoring
A Surprising Twist [Ajtai 1998]
Recall the gap between Knapsack and SVP
Knapsack solutions ∈ {0, 1}n, SVP solution Zn
Knapsack was known to be NP-hard, but not SVP
The key Insight
{0, 1}n solutions in Schnorr-Adleman lattice are incorrespondence with smooth and square-free integersWe know how to count those !
A proof that SVP ≥ Knapsack
Therefore SVP is NP-hardLearn more from Daniele’s talk next week at the RISC seminar
Leo Ducas (CWI) Lattices & Factoring
Part II:Decoding Lattices by Factorization
Leo Ducas (CWI) Lattices & Factoring
Dense Lattice with Efficient Decoding
In this whole section we work with the `1 norm !
Bounded Distance Decoding with radius r
Given t = v + e where v ∈ L and ‖e‖ ≤ rRecover v and e
Unique solution guaranteed for r ≤ λ1(L)/2.
Minkowsky’s bound
λ1(L)det(L)1/n ≤ O(n)
We want a lattice and decoding alg. close to this bound.
Leo Ducas (CWI) Lattices & Factoring
Chor-Rivest Cryptosystem and Friends
The Key Idea [Chor Rivest 1988]
Subset-sums is hardSubset-product is easy (trial divisions)Take logarithm, disguise the later as the former, get crypto.
Variants/Follow-ups [Lenstra ’90, Li Ling Xing Yeo ’17].Originally over Fp[X ]; variants over Z:
[Naccache Stern ’97, Okamoto Tanaka Uchiyama ’00].
A Coding Gem Hidden Inside
[Brier et al. ’15]: Remove crypto from [NS’97], hides a gooddecodable binary code.[D. Pierrot ’18]: [CR88, OTU00], hides a good decodable lattice.
Leo Ducas (CWI) Lattices & Factoring
Chor-Rivest Cryptosystem and Friends
The Key Idea [Chor Rivest 1988]
Subset-sums is hardSubset-product is easy (trial divisions)Take logarithm, disguise the later as the former, get crypto.
Variants/Follow-ups [Lenstra ’90, Li Ling Xing Yeo ’17].Originally over Fp[X ]; variants over Z:
[Naccache Stern ’97, Okamoto Tanaka Uchiyama ’00].
A Coding Gem Hidden Inside
[Brier et al. ’15]: Remove crypto from [NS’97], hides a gooddecodable binary code.[D. Pierrot ’18]: [CR88, OTU00], hides a good decodable lattice.
Leo Ducas (CWI) Lattices & Factoring
Chor-Rivest Cryptosystem and Friends
The Key Idea [Chor Rivest 1988]
Subset-sums is hardSubset-product is easy (trial divisions)Take logarithm, disguise the later as the former, get crypto.
Variants/Follow-ups [Lenstra ’90, Li Ling Xing Yeo ’17].Originally over Fp[X ]; variants over Z:
[Naccache Stern ’97, Okamoto Tanaka Uchiyama ’00].
A Coding Gem Hidden Inside
[Brier et al. ’15]: Remove crypto from [NS’97], hides a gooddecodable binary code.[D. Pierrot ’18]: [CR88, OTU00], hides a good decodable lattice.
Leo Ducas (CWI) Lattices & Factoring
Chor-Rivest Lattice (over the integers)Choose a modulus M = 3k
And a factor basis F = {2, 5, 7, 11, 13, . . . , pn}B := pn ∼ n ln n
Define the morphism ψ : Zn → (Z/MZ)∗:ψ : x 7→
∏pxi
i mod MAnd finally define the kernel lattice
L := kerψ ={
v ∈ Zn |∏
pvii = 1 mod M
}.
The lattice can be computed efficiently !
Discrete logarithms modulo M = 3k is easyRewrites as a subset-sum lattice
L ={
v ∈ Zn |∑
vi dlog pi = 0 mod ϕ(M)}
Leo Ducas (CWI) Lattices & Factoring
Chor-Rivest Lattice (over the integers)Choose a modulus M = 3k
And a factor basis F = {2, 5, 7, 11, 13, . . . , pn}B := pn ∼ n ln n
Define the morphism ψ : Zn → (Z/MZ)∗:ψ : x 7→
∏pxi
i mod MAnd finally define the kernel lattice
L := kerψ ={
v ∈ Zn |∏
pvii = 1 mod M
}.
The lattice can be computed efficiently !
Discrete logarithms modulo M = 3k is easyRewrites as a subset-sum lattice
L ={
v ∈ Zn |∑
vi dlog pi = 0 mod ϕ(M)}
Leo Ducas (CWI) Lattices & Factoring
Lattice Parameters
Lattice parameters
dimL = ndetL ≤ ϕ(M) ≤ M
Claim: λ1(L) ≥ log M/ log B (Not exactly true . . . )
Recall that L = {v ∈ Zn |∏
pvii = 1 mod M}.
For v 6= 0 to be in L,∏
pvii must wrap around mod M
In particular B‖v‖1 ≥ M (This proof is a bit bogus !)
Instantiate with k = n, i.e. M = 3n
λ1(L)det(L)1/n ≥ O
( nlog n
)That is only O(log n) factor away from Minkowsky bound.
Leo Ducas (CWI) Lattices & Factoring
Lattice Parameters
Lattice parameters
dimL = ndetL ≤ ϕ(M) ≤ M
Claim: λ1(L) ≥ log M/ log B (Not exactly true . . . )
Recall that L = {v ∈ Zn |∏
pvii = 1 mod M}.
For v 6= 0 to be in L,∏
pvii must wrap around mod M
In particular B‖v‖1 ≥ M (This proof is a bit bogus !)
Instantiate with k = n, i.e. M = 3n
λ1(L)det(L)1/n ≥ O
( nlog n
)That is only O(log n) factor away from Minkowsky bound.
Leo Ducas (CWI) Lattices & Factoring
Decoding Chor-Rivest Lattice
Bounded Distance Decoding with radius r = log M/ log B
Given t = v + e where v ∈ L and ‖e‖ ≤ rRecover v and e
Compute
f =∏
ptii mod M =
∏pvi
i∏
peii mod M
=∏
peii mod M
Note∏
peii ≤ Br ≤ M: we know it over Z not just modM
Factorize it by trial division: recover e
Leo Ducas (CWI) Lattices & Factoring
Decoding Chor-Rivest Lattice
Bounded Distance Decoding with radius r = log M/ log B
Given t = v + e where v ∈ L and ‖e‖ ≤ rRecover v and e
Compute
f =∏
ptii mod M =
∏pvi
i∏
peii mod M
=∏
peii mod M
Note∏
peii ≤ Br ≤ M: we know it over Z not just modM
Factorize it by trial division: recover e
Leo Ducas (CWI) Lattices & Factoring
Dealing with Negative Errors
Now assume 2 · Br <√
M.
f =n∏
ei >0pei
i ·∏ei <0
peii = u/v mod M.
Lemma (Recovering u, v given f and M)
Let u, v ,M be coprime s.t. u, v <√
M/2, and let f = u/v mod M.Then, ±(u, v) are the shortest vectors of the 2-dimensional lattice
L = {(x , y) ∈ Z2|x − fy = 0 mod M}.
In particular, given f and M, one can recover (u, v) in poly-time.
Leo Ducas (CWI) Lattices & Factoring
The last mile ?
We are still O(log n) away from Minkowsky’s bound...The issue is that we do not have enough small primes.To get down to O(1) away from Minkowsky’s bound, we need
n primes of ‘size’ O(1).
Switching back from Z to Fp[X ] doesn’t improve asymptoticsElliptic curves could ?And what about Mordell-Weil lattices ? [Shioda ’91, Elkies ’94]
A Recent ResultUsing a completely different approach (construction D lattice overBCH codes), we are now O(
√log n) away from Minkowsky’s bound
[Mook Peikert 2020]
Leo Ducas (CWI) Lattices & Factoring
The last mile ?
We are still O(log n) away from Minkowsky’s bound...The issue is that we do not have enough small primes.To get down to O(1) away from Minkowsky’s bound, we need
n primes of ‘size’ O(1).
Switching back from Z to Fp[X ] doesn’t improve asymptoticsElliptic curves could ?And what about Mordell-Weil lattices ? [Shioda ’91, Elkies ’94]
A Recent ResultUsing a completely different approach (construction D lattice overBCH codes), we are now O(
√log n) away from Minkowsky’s bound
[Mook Peikert 2020]
Leo Ducas (CWI) Lattices & Factoring
Why Cryptographers Should Care
Chor-Rivest Knapsack Cryptosystem is not Broken
And offers very short ciphertexts !The underlying assumption is intriguing, especially quantumly
Some kind of reverse of discrete logarithm problem
Chor-Rivest Decoding can be practical [Li Ling Xing Yeo 2017]
Better decoding in a pure LWE-based scheme ?
And for Something Completely Different [Galbraith Li 2020]
VBB Obfuscation of ”near-equality” tests !
Leo Ducas (CWI) Lattices & Factoring
Part III:A Critique of Research in
Lattice-Based Cryptography
Leo Ducas (CWI) Lattices & Factoring
The SIS/LWE Monoculture2
Due creditsSIS/LWE formalism have achieved impressive feats, and thefoundational work from TCS experts was exceptionally thorough.
But . . .
Worst-case hardness is not a silver bulletand does not dispense us from cryptanalysis
We have locked ourselves in subspace of designsand current designs likely far from optimal
Some very interesting ideas have been buriedif not demoted to cryptographic sins
2Not a critique of the contributions, but of what we have done of them.Leo Ducas (CWI) Lattices & Factoring
The SIS/LWE Monoculture2
Due creditsSIS/LWE formalism have achieved impressive feats, and thefoundational work from TCS experts was exceptionally thorough.
But . . .
Worst-case hardness is not a silver bulletand does not dispense us from cryptanalysis
We have locked ourselves in subspace of designsand current designs likely far from optimal
Some very interesting ideas have been buriedif not demoted to cryptographic sins
2Not a critique of the contributions, but of what we have done of them.Leo Ducas (CWI) Lattices & Factoring
A Diversity of Lattices
Zn, the Saddest of all LatticesAll algorithmic tasks (encode, decode, sample) in lattice-basedcryptography are reduced to Z or Zn.Yet, geometrically (packing, covering, . . . ) Zn is the worst lattice.
There are so many more !Root lattices3 , Leech lattice, Construction D lattices, Barnes-Welllattices, Craig’s lattices, Schnorr-Adleman lattices, Chor-Rivestlattices, Mordell-Weil lattices, . . .
http://www.math.rwth-aachen.de/˜Gabriele.Nebe/LATTICES/
3If you ever deal with prime cyclotomics rings, please readhttps://www.math.leidenuniv.nl/scripties/BachVanWoerden.pdf
Leo Ducas (CWI) Lattices & Factoring
A Diversity of Lattices
Zn, the Saddest of all LatticesAll algorithmic tasks (encode, decode, sample) in lattice-basedcryptography are reduced to Z or Zn.Yet, geometrically (packing, covering, . . . ) Zn is the worst lattice.
There are so many more !Root lattices3
, Leech lattice, Construction D lattices, Barnes-Welllattices, Craig’s lattices, Schnorr-Adleman lattices, Chor-Rivestlattices, Mordell-Weil lattices, . . .
http://www.math.rwth-aachen.de/˜Gabriele.Nebe/LATTICES/
3If you ever deal with prime cyclotomics rings, please readhttps://www.math.leidenuniv.nl/scripties/BachVanWoerden.pdf
Leo Ducas (CWI) Lattices & Factoring
A Diversity of Lattices
Zn, the Saddest of all LatticesAll algorithmic tasks (encode, decode, sample) in lattice-basedcryptography are reduced to Z or Zn.Yet, geometrically (packing, covering, . . . ) Zn is the worst lattice.
There are so many more !Root lattices3 , Leech lattice, Construction D lattices, Barnes-Welllattices, Craig’s lattices, Schnorr-Adleman lattices, Chor-Rivestlattices, Mordell-Weil lattices, . . .
http://www.math.rwth-aachen.de/˜Gabriele.Nebe/LATTICES/
3If you ever deal with prime cyclotomics rings, please readhttps://www.math.leidenuniv.nl/scripties/BachVanWoerden.pdf
Leo Ducas (CWI) Lattices & Factoring
Cryptography Strives in Diversity !
Lattice-based Cryptography needs:More diversity of BackgroundsMore diversity of Point of ViewMore diversity of GoalsMore diversity of People !
Thank You !
Leo Ducas (CWI) Lattices & Factoring
Cryptography Strives in Diversity !
Lattice-based Cryptography needs:More diversity of BackgroundsMore diversity of Point of ViewMore diversity of GoalsMore diversity of People !
Thank You !
Leo Ducas (CWI) Lattices & Factoring