The Two Faces of Lattices in Cryptology
2001
Abstract

Cited by 69 (16 self)
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
Journal of Cryptology, 2000
Abstract

Cited by 66 (16 self)
We present a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log^{1/2} q, and can be further decreased to 2 if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who recently introduced that topic. Our attack is based on a connection with the hidden number problem (HNP) introduced at Crypto '96 by Boneh and Venkatesan in order to study the bit-security of the Diffie-Hellman key exchange. The HNP consists, given a prime number q, of recovering a number α ∈ F_q such that for many known random t ∈ F_q ...
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces
Designs, Codes and Cryptography, 2000
Abstract

Cited by 34 (10 self)
Nguyen and Shparlinski recently presented a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log^{1/2} q, and can be further decreased to 2 if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who introduced the topic. Here, we obtain similar results for the elliptic curve variant of DSA (ECDSA).
Segment LLL-Reduction of Lattice Bases
2001
Abstract

Cited by 20 (5 self)
We improve practical algorithms for LLL-reduction of lattice bases in the sense of Lenstra, Lenstra, Lovász [LLL82]. We organize LLL-reduction in segments of size k, replacing in the original LLL-algorithm individual basis vectors by segments of k consecutive vectors. Local LLL-reduction of segments is done using local coordinates of dimension k. Segment LLL-reduced bases, a variant of LLL-reduced bases, save a factor n in the running time compared to standard LLL-reduction of lattices of dimension n. The concept of iterated segments yields a novel reduction concept admitting a divide and conquer approach. The resulting reduction algorithm runs in O(n^3 log^2 n) arithmetic steps for integer lattices of dimension n with basis vectors of length 2^n.
Security of the most significant bits of the Shamir message passing scheme
Math. Comp., 2000
Abstract

Cited by 19 (13 self)
Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field F_p of p elements from rather short strings of the most significant bits of the remainder modulo p of αt for several values of t selected uniformly at random from F_p^*. Unfortunately the applications to the computational security of most significant bits of private keys of some finite field exponentiation based cryptosystems given by Boneh and Venkatesan are not quite correct. For the Diffie-Hellman cryptosystem the result of Boneh and Venkatesan has been corrected and generalized in our recent paper. Here a similar analysis is given for the Shamir message passing scheme. The results depend on some bounds of exponential sums.
Lattice reduction by random sampling and birthday methods
In Proc. STACS 2003, Eds. H. Alt and M. Habib, LNCS 2607, 2003
Abstract

Cited by 16 (2 self)
We present a novel practical algorithm that, given a lattice basis b_1, ..., b_n, finds in O(n^2 (k/6)^{k/4}) average time a shorter vector than b_1 provided that b_1 is (k/6)^{n/(2k)} times longer than the length of the shortest, nonzero lattice vector. We assume that the given basis b_1, ..., b_n has an orthogonal basis that is typical for worst case lattice bases. The new reduction method samples short lattice vectors in high dimensional sublattices; it advances in sporadic big jumps. It decreases the approximation factor achievable in a given time by known methods to less than its fourth root. We further speed up the new method by the simple and the general birthday method.
Cryptanalysis of the Revised NTRU signature scheme
In Proc. of Eurocrypt'02, LNCS 2332, 2002
Abstract

Cited by 16 (2 self)
In this paper, we describe a three-stage attack against Revised NSS, an NTRU-based signature scheme proposed at the Eurocrypt 2001 conference as an enhancement of the (broken) proceedings version of the scheme. The first stage, which typically uses a transcript of only 4 signatures, effectively cuts the key length in half while completely avoiding the intended hard lattice problem. After an empirically fast second stage, the third stage of the attack combines lattice-based and congruence-based methods in a novel way to recover the private key in polynomial time. This cryptanalysis shows that a passive adversary observing only a few valid signatures can recover the signer's entire private key. We also briefly address the security of NTRUSign, another NTRU-based signature scheme that was recently proposed at the rump session of Asiacrypt 2001. As we explain, some of our attacks on Revised NSS may be extended to NTRUSign, but a much longer transcript is necessary. We also indicate how the security of NTRUSign is based on the hardness of several problems, not solely on the hardness of the usual NTRU lattice problem.
Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001
Abstract

Cited by 14 (2 self)
In 1996, a new cryptosystem called NTRU was introduced, related to the hardness of finding short vectors in specific lattices. At Eurocrypt 2001, the NTRU Signature Scheme (NSS), a signature scheme apparently related to the same hard problem, was proposed. In this paper, we show that the problem on which NSS relies is much easier than anticipated, and we describe an attack that allows efficient forgery of a signature on any message. Additionally, we demonstrate that a transcript of signatures leaks information about the secret key: using a correlation attack, it is possible to recover the key from a few tens of thousands of signatures. The attacks apply to the recently proposed parameter sets NSS-251-3-SHA1-1, NSS-347-3-SHA1-1, and NSS-503-3-SHA1-1 in [2]. Following the attacks, NTRU researchers have investigated enhanced encoding/verification methods in [11].
On the Unpredictability of Bits of the Elliptic Curve Diffie-Hellman Scheme
Abstract

Cited by 13 (4 self)
Let E/F_p be an elliptic curve, and G ∈ E/F_p. Define the Diffie-Hellman function on E/F_p as DH_{E,G}(aG, bG) = abG. We show that if there is an efficient algorithm for predicting the LSB of the x or y coordinate of abG given ⟨E, G, aG, bG⟩ for a certain family of elliptic curves, then there is an algorithm for computing the Diffie-Hellman function on all curves in this family. This seems stronger than the best analogous results for the Diffie-Hellman function in F_p. Boneh and Venkatesan showed that in F_p computing approximately (log p)^{1/2} of the bits of the Diffie-Hellman secret is as hard as computing the entire secret. Our results show that just predicting one bit of the Elliptic Curve Diffie-Hellman secret in a family of curves is as hard as computing the entire secret.