Aggarwal, Joux, Prakash and Santha recently introduced a new potentially quantum-safe public-key cryptosystem, and suggested that a brute-force attack is essentially optimal against it. They consider but then dismiss both Meet-in-the-Middle attacks and LLL-based attacks. Very soon after their paper appeared, Beunardeau et al. proposed a practical LLL-based technique that seemed to significantly reduce the security of the AJPS system. In this paper we do two things. First, we show that a Meet-in-the-Middle attack can also be made to work against the AJPS system, using locality-sensitive hashing to overcome the difficulty that Aggarwal et al. saw for such attacks. We also present a quantum version of this attack. Second, we give a more precise analysis of the attack of Beunardeau et al., confirming and refining their results.
In the recent PhD thesis of Bouw, an algorithm is examined that computes the group structure of the principal units of a p-adic number field completion. In the same thesis, this algorithm is used to compute Hilbert norm residue symbols. In the present paper, we will demonstrate two other applications. The first application is the computation of an important invariant of number field completions, called ibeta. The algorithm that computes ibeta is deterministic and runs in polynomial time. The second application uses Hilbert norm residue symbols and yields a probabilistic algorithm that computes the m-th power residue symbol (α/b)_m in arbitrary number fields K. This probabilistic algorithm relies on LLL-reduction and sampling of near-primes. Using heuristics, we analyse its complexity to be polynomial expected time in n = [K : Q], log |∆_K| and the input bit size, a tentative conclusion corroborated by timing experiments. An implementation of the algorithm in Magma will be available at https://github.com/kodebro/powerresiduesymbol.
The Hidden Subgroup Problem (HSP) aims at capturing all problems that are susceptible to being solved in quantum polynomial time following the blueprint of Shor's celebrated algorithm. Successful solutions to this problem over various commutative groups allow one to efficiently perform number-theoretic tasks such as factoring or finding discrete logarithms. The latest successful generalization (Eisenträger et al. STOC 2014) considers the problem of finding a full-rank lattice as the hidden subgroup of the continuous vector space, even for large dimensions m. It unlocked new cryptanalytic algorithms (Biasse-Song SODA 2016, Cramer et al. EUROCRYPT 2016 and 2017), in particular to find mildly short vectors in ideal lattices. The cryptanalytic relevance of such a problem raises the question of a more refined and quantitative complexity analysis. In the light of the increasing physical difficulty of maintaining a large entanglement of qubits, the degree of concern may differ depending on whether the above algorithm requires only linearly many qubits or a much larger polynomial number of qubits. This is the question we start addressing with this work. We propose a detailed analysis of (a variation of) the aforementioned HSP algorithm, and conclude on its complexity as a function of all the relevant parameters. Our modular analysis is tailored to support the optimization of future specializations to cases of cryptanalytic interest. We suggest a few ideas in this direction.
Fixing a number field, the space of all ideal lattices, up to isometry, is naturally an abelian group, called the Arakelov class group. This fact, well known to number theorists, has so far not been explicitly used in the literature on lattice-based cryptography. Remarkably, the Arakelov class group is a combination of two groups that have already led to significant cryptanalytic advances: the class group and the unit torus. In the present article, we show that the Arakelov class group has more to offer. We start with the development of a new versatile tool: we prove that, subject to the Riemann Hypothesis for Hecke L-functions, certain random walks on the Arakelov class group have a rapid mixing property. We then exploit this result to relate the average-case and the worst-case of the Shortest Vector Problem in ideal lattices. Our reduction appears particularly sharp: for Hermite-SVP in ideal lattices of certain cyclotomic number fields, it loses no more than a Õ(√n) factor on the Hermite approximation factor. Furthermore, we suggest that this rapid-mixing theorem should find other applications in cryptography and in algorithmic number theory.