Results 1 - 10 of 15
Public-key cryptosystems based on composite degree residuosity classes
In Advances in Cryptology — EUROCRYPT 1999, 1999
Cited by 441 (5 self)
Abstract. This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetic, are provably secure under appropriate assumptions in the standard model.
Improved Analysis of Kannan's Shortest Lattice Vector Algorithm
In Proceedings of Crypto 2007, 2007
Cited by 16 (6 self)
Abstract. The security of lattice-based cryptosystems such as NTRU, GGH and Ajtai-Dwork essentially relies upon the intractability of computing a shortest non-zero lattice vector and a closest lattice vector to a given target vector in high dimensions. The best algorithms for these tasks are due to Kannan, and, though remarkably simple, their complexity estimates have not been improved for over twenty years. Kannan's algorithm for solving the shortest vector problem (SVP) is in particular crucial in Schnorr's celebrated block reduction algorithm, on which rely the best known generic attacks against the lattice-based encryption schemes mentioned above. In this paper we improve the complexity upper-bounds of Kannan's algorithms. The analysis provides new insight on the practical cost of solving SVP, and helps progress towards providing meaningful key-sizes.
Lattice-based Cryptography
2008
Cited by 11 (2 self)
In this chapter we describe some of the recent progress in lattice-based cryptography. Lattice-based cryptographic constructions hold a great promise for post-quantum cryptography, as they enjoy very strong security proofs based on worst-case hardness, relatively efficient implementations, as well as great simplicity. In addition, lattice-based cryptography is believed to be secure against quantum computers. Our focus here
Tensor-based Trapdoors for CVP and their Application to Public Key Cryptography
2000
Cited by 8 (0 self)
We propose two trapdoors for the Closest-Vector-Problem in lattices (CVP) related to the lattice tensor product. Using these trapdoors we set up a lattice-based cryptosystem which resembles the McEliece scheme. Keywords. Public Key Cryptosystem, Closest Vector Problem, Lattice Reduction, Trapdoor, McEliece. 1 Introduction. Since the invention of public key cryptography in 1976 by Diffie and Hellman [DH76], the security of most cryptosystems is based on the (assumed) hardness of factoring or computing discrete logarithms. Only a few schemes based on other problems remain unbroken. Among these is the McEliece scheme [St95], based on the computational difficulty of decoding a random code. It is still a challenge to develop new public key cryptosystems originating from the hardness of non-number-theoretic problems. In a pioneering work, Ajtai [A96] constructed an efficiently computable function which is hard to invert on the average if the underlying lattice problem is intractable in th...
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC '97
1998
Cited by 6 (5 self)
At SAC '97, Itoh, Okamoto and Mambo presented a fast public key cryptosystem. After analyzing several attacks including lattice reduction attacks, they claimed that its security was high, although the cryptosystem had some resemblances with the former knapsack cryptosystems, since decryption could be viewed as a multiplicative knapsack problem. In this paper, we show how to recover the private key from a fraction of the public key in less than 10 minutes for the suggested choice of parameters. The attack is based on a systematic use of the notion of the orthogonal lattice, which we introduced as a cryptographic tool at Crypto '97. This notion allows us to attack the linearity hidden in the scheme. 1 Introduction. Two decades after the discovery of public key cryptography, only a few asymmetric encryption schemes exist, and the most practical public key schemes are still very slow compared to conventional secret key schemes. Extensive research has been conducted on public-key cryptograp...
Cryptographic functions from worst-case complexity assumptions
2007
Cited by 3 (1 self)
Lattice problems have been suggested as a potential source of computational hardness to be used in the construction of cryptographic functions that are provably hard to break. A remarkable feature of lattice-based cryptographic functions is that they can be proved secure (that is, hard to break on the average) based on the assumption that the underlying lattice problems are computationally hard in the worst case. In this paper we give a survey of the constructions and proof techniques used in this area, explain the importance of basing cryptographic functions on the worst-case complexity of lattice problems, and discuss how this affects the traditional approach to cryptanalysis based on random challenges.
Survey of Computational Assumptions Used in Cryptography Broken or Not by Shor's Algorithm
2001
Cited by 2 (0 self)
We survey the computational assumptions of various cryptographic schemes, and discuss the security threat posed by Shor's quantum algorithm.
Another Look at "Provable Security". II
2006
Cited by 2 (0 self)
We discuss the question of how to interpret reduction arguments in cryptography. We give some examples to show the subtlety and difficulty of this question.
Accelerating lattice reduction with FPGAs
In Proceedings of the First International Conference on Progress in Cryptology: Cryptology and Information Security in Latin, 2010
Cited by 2 (1 self)
Abstract. We describe an FPGA accelerator for the Kannan–Fincke–Pohst enumeration algorithm (KFP) solving the Shortest Lattice Vector Problem (SVP). This is the first FPGA implementation of KFP specifically targeting cryptographically relevant dimensions. In order to optimize this implementation, we theoretically and experimentally study several facets of KFP, including its efficient parallelization and its underlying arithmetic. Our FPGA accelerator can be used either for solving stand-alone instances of SVP (within a hybrid CPU–FPGA compound) or for myriads of smaller-dimensional SVP instances arising in a BKZ-type algorithm. For devices of comparable cost, our FPGA implementation is faster than a multi-core CPU implementation by a factor of around 2.12. Keywords. FPGA, Euclidean Lattices, Shortest Vector Problem.
Symmetric Private Information Retrieval via Additive Homomorphic Probabilistic Encryption, http://www.cs.rit.edu/~lbl6598/thesis/Lincoln Full Document.pdf
2006
Cited by 1 (0 self)
Suppose there is a movie you would be interested in watching via pay-per-view, but you refuse to purchase the feed because you believe that the supplier will sell your information to groups paying for the contact information of all the people who purchased that movie, and the association of your name with that purchase could hinder your career or relationships, or increase the amount of time you spend cleaning spam out of your mailbox. Private Information Retrieval (PIR) will allow you to retrieve a particular feed without the supplier knowing which feed you actually got, and Symmetric Private Information Retrieval (SPIR) will assure the supplier, if the feeds are equally priced, that you received only the number of feeds you purchased. Now you can purchase without risking your name being associated with a particular feed, and the supplier has gained the business of a once paranoid client. The problem of SPIR can be achieved with the cryptographic primitive Oblivious Transfer (OT). Several approaches to constructing such protocols have been posed and proven to be secure. Most attempts have aimed at reducing the amount of communication, theoretically, but this thesis compares the computational expense of the algorithms through experimentation to show that reduction of communication is less valuable in the effort of achieving a practical protocol than reducing the amount of computation. Further, this thesis introduces new protocols to compete with previously published protocols that derive security from additive homomorphic probabilistic encryption schemes, and explores means to increase the length of data handled by these protocols so that the media is more useful and the time to complete the protocol is reasonable.