lattices

pictures

problems: SVP, CVP

volume/determinant, length of shortest vector

algorithms:
- in dimension 1, Euclidean alg
- in dimension n, LLL

cryptosystems:
- GGH trapdoor: pick reduced basis R (trapdoor key), generate big basis B of same lattice (public key); message is interpreted as a subset of B, trapdoor one-way function is sum of the appropriate vectors in B; solving CVP in R is easy (hence trapdoor key allows inversion), but hard in B (hence secure without knowledge of trapdoor key)
- Ajtai-Dwork:
    private key is vector u from big ball
    public key is w_1,..,w_n, v_1,..,v_{n^3}, each chosen by picking a vector on big ball orthogonal to u and then tweaking it a little bit by a tiny error vector; w's form a basis for a lattice whose interior parallelepiped is P
    to encrypt 0: pick random sum of v's, and reduce mod P
    to encrypt 1: pick a random point in interior of P
    decryption: compute dot-product of vector with u; if it's small, it was a 0, else it was a 1
- GGH hash function: a subset-sum like thing
    public key: basis vectors w_1,..,w_{n^2}, each an n-vector over Z/qZ
    hashing an n^2-bit message: take sum of appropriate subset of basis vectors modulo q
    collision-free, since any collision implies a short vector l_1,..,l_{n^2} with l_i in {-1,0,1} and \sum_i l_i w_i = 0 mod q, hence ||l|| <= n^2

cryptanalysis:
- approximate relations: given vectors v_1,..,v_n over Z, find a_1,..,a_n in Z so that \sum_i a_i v_i ~= 0 (or = 0) and ||a|| is small
- modular relations: given vectors v_1,..,v_n over Z/mZ, find a_1,..,a_n in Z so that \sum_i a_i v_i ~= 0 (mod m) (or = 0 (mod m)) and ||a|| is small
- knapsack: given v_1,..,v_n, w in Z, find a_1,..,a_n in {0,1} so that \sum_i a_i v_i = w
- minimal polynomials
- breaking subset-sum hash
- (breaking truncated LCG's)
- Coppersmith's theorem
- Hastad's broadcast attack on RSA
- Coppersmith's short padding attack on RSA
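Added example (not part of these notes) of the subset-sum hash and the "collision gives a short modular relation" argument above: a toy instance with constructed parameters n = 2, q = 3 (so n^2 = 4 basis vectors over Z/3Z), where 2^(n^2) = 16 messages map to q^n = 9 outputs, so brute force always finds a collision, and the difference of the two colliding messages is the vector l with l_i in {-1,0,1} and \sum_i l_i w_i = 0 mod q.

```python
from itertools import product
from math import sqrt

def subset_sum_hash(basis, bits, q):
    """Hash an n^2-bit message: sum the basis vectors selected by its bits, mod q."""
    n = len(basis[0])
    acc = [0] * n
    for b, w in zip(bits, basis):
        if b:
            acc = [(a + x) % q for a, x in zip(acc, w)]
    return tuple(acc)

def find_collision(basis, q):
    """Brute-force a collision. With 2^(n^2) messages and only q^n outputs the
    pigeonhole principle guarantees one whenever 2^(n^2) > q^n (toy sizes only)."""
    seen = {}
    for bits in product((0, 1), repeat=len(basis)):
        h = subset_sum_hash(basis, bits, q)
        if h in seen:
            return seen[h], bits
        seen[h] = bits
    return None

def relation_from_collision(basis, m1, m2, q):
    """A collision m1 != m2 yields l = m1 - m2 with l_i in {-1,0,1} and
    sum_i l_i w_i = 0 (mod q): a short vector in the kernel lattice of the hash."""
    l = [a - b for a, b in zip(m1, m2)]
    n = len(basis[0])
    combo = [sum(li * w[j] for li, w in zip(l, basis)) % q for j in range(n)]
    return l, combo

# constructed toy parameters (not from the notes): n = 2, q = 3, n^2 = 4 basis vectors
Q = 3
BASIS = [(1, 2), (2, 0), (0, 1), (1, 1)]

if __name__ == "__main__":
    m1, m2 = find_collision(BASIS, Q)
    l, combo = relation_from_collision(BASIS, m1, m2, Q)
    print("collision:", m1, m2)
    print("l =", l, " sum l_i w_i mod q =", combo, " ||l|| =", sqrt(sum(x * x for x in l)))
```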