Modern Computer Algebra

Gathen, Joachim von zur; Gerhard, Jürgen

doi:10.1017/cbo9781139856065

Cited by 927 publications

(1,472 citation statements)

References 0 publications

Supporting

Mentioning

1,405

Contrasting

Unclassified

Order By: Relevance

“…Furthermore, we can write φ i as r i , where r is a primitive (2n)-th root of unity modulo q. This implies that the Chinese Remainder Theorem in R q provides a natural fast Discrete Fourier Transform, and thus multiplication of elements of R q can be performed within O(n log n) additions and multiplications modulo q (see [7,Ch. 8 The R-LWE problem For s ∈ R q and ψ a distribution in R q , we de ne A s,ψ as the distribution obtained by sampling the pair (a, as+e) with (a, e) ← U (R q )×ψ.…”

Section: Ideal Lattices and Algebraic Number Theorymentioning

confidence: 99%

Making NTRU as Secure as Worst-Case Problems over Ideal Lattices

Stehlé¹,

Steinfeld²

2011

Lecture Notes in Computer Science

334

356

View full text Add to dashboard Cite

Abstract. NTRUEncrypt, proposed in 1996 by Ho stein, Pipher and Silverman, is the fastest known lattice-based encryption scheme. Its moderate key-sizes, excellent asymptotic performance and conjectured resistance to quantum computers could make it a desirable alternative to factorisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic elds. Our main contribution is to show that if the secret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the R-LWE problem.

show abstract

Section: Ideal Lattices and Algebraic Number Theorymentioning

confidence: 99%

Making NTRU as Secure as Worst-Case Problems over Ideal Lattices

Stehlé¹,

Steinfeld²

2011

Lecture Notes in Computer Science

334

356

View full text Add to dashboard Cite

show abstract

“…One potential issue with this method is the presence of repeated factors. Square-free factorisation has been extensively studied as it is a common first step in many polynomial factorisation algorithms (for example, see [37,Ch. 14]).…”

Section: Choosing Polynomialsmentioning

confidence: 99%

On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes

Procter

Cid

2014

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega's Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen's cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. Finally, we greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class.

show abstract

“…We recall some results from [9] and [6] about rational sets of commutative monoids (see for instance [12, 3.3]) or [13, 7.4], [14]), and also [15], [7], [11] for complexity results).…”

Section: Proposition 2 ([4])mentioning

confidence: 99%