Generalized compact knapsacks, cyclic lattices, and efficient one-way functions
- In STOC, 2007
Abstract
Cited by 30 (8 self)
We investigate the average-case complexity of a generalization of the compact knapsack problem to arbitrary rings: given m (random) ring elements a1,..., am ∈ R and a (random) target value b ∈ R, find coefficients x1,..., xm ∈ S (where S is an appropriately chosen subset of R) such that Σ ai · xi = b. We consider compact versions of the generalized knapsack where the set S is large and the number of weights m is small. Most variants of this problem considered in the past (e.g., when R = Z is the ring of the integers) can be easily solved in polynomial time even in the worst case. We propose a new choice of the ring R and subset S that yields generalized compact knapsacks that are seemingly very hard to solve on the average, even for very small values of m. Namely, we prove that for any unbounded function m = ω(1) with arbitrarily slow growth rate, solving our generalized compact knapsack problems on the average is at least as hard as the worst-case instance of various approximation problems over cyclic lattices. Specific worst-case lattice problems considered in this paper are the shortest independent vector problem SIVP and the guaranteed distance decoding problem GDD (a variant of the closest vector problem, CVP) for approximation factors n^(1+ε) almost linear in the dimension of the lattice. Our results yield very efficient and provably secure one-way functions (based on worst-case complexity assumptions) with key size and time complexity almost linear in the security parameter n. Previous constructions with similar security guarantees required quadratic key size and computation time. Our results can also be formulated as a connection between the worst-case and average-case complexity of various lattice problems over cyclic and quasi-cyclic lattices.
Lattice-based Cryptography
- 2008
Abstract
Cited by 11 (2 self)
In this chapter we describe some of the recent progress in lattice-based cryptography. Lattice-based cryptographic constructions hold a great promise for post-quantum cryptography, as they enjoy very strong security proofs based on worst-case hardness, relatively efficient implementations, as well as great simplicity. In addition, lattice-based cryptography is believed to be secure against quantum computers. Our focus here
Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
- In Proceedings of Eurocrypt ’06, 2006
Abstract
Cited by 7 (3 self)
Lattice-based signature schemes following the Goldreich-Goldwasser-Halevi (GGH) design have the unusual property that each signature leaks information on the signer’s secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt ’03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRUSign. Here, we propose an alternative method to attack signature schemes à la GGH, by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUSign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUSign-251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.
Hypercubic Lattice Reduction and Analysis of GGH and NTRU Signatures, to appear
- In Proceedings of Eurocrypt ’03, 2003
Abstract
Cited by 6 (0 self)
Abstract. In this paper, we introduce a new lattice reduction technique applicable to the narrow but important class of hypercubic lattices (L ≅ Z^N). Hypercubic lattices arise during transcript analysis of certain GGH and NTRUSign signature schemes. After a few thousand signatures, key recovery amounts to discovering a hidden unitary matrix U from its Gram matrix G = UU^T. This case of the Gram Matrix Factorization Problem is equivalent to finding the shortest vectors in the hypercubic lattice L_G defined by the quadratic form G. Our main result is a polynomial-time reduction to a conjecturally easier problem: the Lattice Distinguishing Problem. Additionally, we propose a heuristic solution to this distinguishing problem with a distributed computation of many “relatively short” vectors.
The Impact of Decryption Failures on the Security of NTRU Encryption
Abstract
Cited by 6 (1 self)
NTRUEncrypt is unusual among public-key cryptosystems in that, with standard parameters, validly generated ciphertexts can fail to decrypt. This affects the provable security properties of a cryptosystem, as it limits the ability to build a simulator in the random oracle model without knowledge of the private key. We demonstrate attacks which use decryption failures to recover the private key. Such attacks work for all standard parameter sets, and one of them applies to any padding. The appropriate countermeasure is to change the parameter sets and possibly the decryption process so that decryption failures are vanishingly unlikely, and to adopt a padding scheme that prevents an attacker from directly controlling any part of the input to the encryption primitive. We outline one such candidate padding scheme.
A method to solve cyclotomic norm equations
- Algorithmic Number Theory: 6th International Symposium, ANTS-VI, 2004
Abstract
Cited by 2 (0 self)
Abstract. We present a technique to recover f ∈ Q(ζ_p), where ζ_p is a primitive p-th root of unity for a prime p, given its norm g = f · f̄ in the totally real field Q(ζ_p + ζ_p^(-1)). The classical method of solving this problem involves finding generators of principal ideals by enumerating the whole class group associated with Q(ζ_p), but this approach quickly becomes infeasible as p increases. The apparent hardness of this problem has led several authors to suggest the problem as one suitable for cryptography. We describe a technique which avoids enumerating the class group, and instead recovers f by factoring N(f), the absolute norm of f (for example with a subexponential sieve algorithm), and then running the Gentry-Szydlo polynomial-time algorithm for a number of candidates. The algorithm has been tested with an implementation in PARI.
Lattice Signatures Without Trapdoors
Abstract
Cited by 2 (1 self)
Abstract. We provide an alternative method for constructing lattice-based digital signatures which does not use the “hash-and-sign” methodology of Gentry, Peikert, and Vaikuntanathan (STOC 2008). Our resulting signature scheme is secure, in the random oracle model, based on the worst-case hardness of the Õ(n^1.5)-SIVP problem in general lattices. The secret key, public key, and the signature size of our scheme are smaller than in all previous instantiations of the hash-and-sign signature, and our signing algorithm is also quite simple, requiring just a few matrix-vector multiplications and rejection samplings. We then also show that by slightly changing the parameters, one can get even more efficient signatures that are based on the hardness of the Learning With Errors problem. Our construction naturally transfers to the ring setting, where the size of the public and secret keys can be significantly shrunk, which results in the most practical to-date provably secure signature scheme based on lattices.
Security in embedded systems: Design challenges
- Vol. 3, Issue 3, August 2004
Abstract
Cited by 1 (0 self)
Many modern electronic systems—including personal computers, PDAs, cell phones, network routers, smart cards, and networked sensors to name a few—need to access, store, manipulate, or communicate sensitive information, making security a serious concern in their design. Embedded systems, which account for a wide range of products from the electronics, semiconductor, telecommunications, and networking industries, face some of the most demanding security concerns—on the one hand, they are often highly resource constrained, while on the other hand, they frequently need to operate in physically insecure environments. Security has been the subject of intensive research in the context of general-purpose computing and communications systems. However, security is often misconstrued by embedded system designers as the addition of features, such as specific cryptographic algorithms and security protocols, to the system. In reality, it is a new dimension that designers should consider throughout the design process, along with other metrics such as cost, performance, and power. The challenges unique to embedded systems require new approaches to security covering all aspects of embedded system design from architecture to implementation. Security processing, which refers to the computations that must be performed in a system for the purpose of security, can
Efficient Embedded Implementation of Security Solutions for ad-hoc Networks
- 2007
Abstract
Cited by 1 (1 self)
For many foreseen applications of “wireless sensor networks” (WSN), message integrity is a crucial requirement. Usually, in the area of WSN, security services such as message integrity are realized by symmetric cryptography only, because asymmetric cryptography is considered too demanding for typical WSN devices. However, the proposed solutions for symmetric key establishment introduce a significant computation, storage, and – most importantly – communication overhead. Digital signatures and key-exchange protocols based on asymmetric algorithms would be very valuable though. In the literature usually only RSA and ECC are implemented and compared for sensor nodes, though there exist a variety of innovative asymmetric algorithms. To close this gap, we investigated the efficiency and suitability of digital signature algorithms based on innovative asymmetric primitives for WSN. We chose XTR-DSA and NTRUSign and implemented both (as well as ECDSA) for MICAz motes. We have decomposed the schemes into layers and show where optimizations can reasonably be applied. Furthermore, we have analyzed, evaluated, and tweaked several algorithms with respect to execution time and memory requirements. We have benchmarked most of the implemented algorithms and give detailed information on precomputation overheads and required RAM and ROM memory. Finally, we have performed a comparative analysis of all three schemes with respect to their suitability for WSNs. We found that, when implemented in pure NesC code, NTRUSign is the winner, being 34% faster in signature generation and 95% faster in signature verification compared to the de-facto standard ECDSA. To the best of our knowledge, this thesis presents the fastest implementations of signature schemes for WSNs, while using novel modifications of well-known algorithms. Our implementation of ECDSA seems to be the fastest available for MICAz hardware and the ATMega128L microprocessor. Even our implementation of XTR-DSA performs better than comparable ECDSA implementations. We presume that we present the first detailed approach to implementing XTR-DSA and NTRUSign on constrained hardware.