lattices
pictures
problems: SVP, CVP
volume/determinant, length of shortest vector
algorithms:
- in dimension 1, Euclidean alg
- in dimension n, LLL
cryptosystems
- GGH trapdoor: pick reduced basis R (trapdoor key),
generate big basis B of same lattice (public key),
message is interpreted as a subset of B, trapdoor one-way function
is sum of the appropriate vectors in B;
solving CVP in R is easy (hence trapdoor key allows inversion),
but hard in B (hence secure without knowledge of trapdoor key)
- Ajtai-Dwork:
private key is vector u from big ball
public key is w_1,..,w_n,v_1,..,v_{n^3},
each chosen by picking a vector on big ball orthogonal to u
and then tweaking it a little bit by a tiny error vector
w's form a basis for a lattice whose interior parallelepiped is P
to encrypt 0: pick random sum of v's, and reduce mod P
to encrypt 1: pick a random point in interior of P
decryption: compute dot-product of vector with u;
if it's small, it was a 0, else it was a 1
- GGH hash function: a subset-sum like thing
public key: basis vectors w_1,..,w_{n^2}, each an n-vector over Z/qZ
hashing an n^2-bit message:
take sum of appropriate subset of basis vectors modulo q
collision-free, since any collision implies a short vector
l_1,..,l_{n^2} with l_i in {-1,0,1} and \sum_i l_i w_i = 0 mod q,
hence ||l|| <= n^2
cryptanalysis:
- approximate relations: given vectors v_1,..,v_n over Z,
find a_1,..,a_n in Z so that \sum_i a_i v_i ~= 0 (or = 0)
and ||a|| is small
- modular relations: given vectors v_1,..,v_n over Z/mZ,
find a_1,..,a_n in Z so that \sum_i a_i v_i ~= 0 (mod m) (or = 0 (mod m))
and ||a|| is small
- knapsack: given v_1,..,v_n,w in Z, find a_1,..,a_n in {0,1}
so that \sum_i a_i v_i = w
- minimal polynomials
- breaking subset-sum hash
- (breaking truncated LCG's)
- Coppersmith's theorem
- Hastad's broadcast attack on RSA
- Coppersmith's short padding attack on RSA
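Added example (not from the notes) for the Hastad broadcast item: with textbook RSA, e = 3 and no padding, three encryptions of the same m under coprime moduli N_1, N_2, N_3 determine m^3 mod N_1 N_2 N_3 by the Chinese remainder theorem, and since m < N_i for each i the integer m^3 is below the product, so an exact integer cube root returns m. The moduli, message and helper names (`crt`, `icbrt`, `hastad_e3`) are constructed for this demonstration; the moduli are tiny products of small primes chosen so that e = 3 is a valid exponent, and nothing here applies to properly padded RSA.

```python
# Added example: Hastad's broadcast attack against unpadded RSA with e = 3.
# All parameters are toy values constructed for illustration.

def crt(residues, moduli):
    """Return (x, M) with x = r_i (mod m_i) for all i and M = prod(moduli).
    Assumes the moduli are pairwise coprime."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)      # Mi * Mi^{-1} = 1 (mod m), 0 (mod others)
    return x % M, M


def icbrt(n):
    """Exact integer cube root by binary search; None if n is not a perfect cube."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)   # hi > cbrt(n)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == n else None


def hastad_e3(ciphertexts, moduli):
    """Recover m from c_i = m^3 mod N_i (same m, three coprime N_i, no padding).
    Works because m < min(N_i) implies m^3 < N_1 N_2 N_3, so the CRT value
    is m^3 as an integer rather than merely a residue."""
    x, _ = crt(ciphertexts, moduli)
    return icbrt(x)


# Constructed toy moduli: 101*113, 131*137, 149*167 (all phi(N) coprime to 3).
MODULI = [11413, 17947, 24883]
MESSAGE = 4242                              # must be below every modulus
CIPHERTEXTS = [pow(MESSAGE, 3, N) for N in MODULI]

if __name__ == "__main__":
    print(hastad_e3(CIPHERTEXTS, MODULI))    # 4242
```

The point for a designer is the precondition, not the arithmetic: randomised padding (OAEP) makes the three plaintexts differ, so the CRT value is no longer a perfect cube and the attack has nothing to take a root of; Coppersmith's method, the next item in the notes, is what extends the idea to related-but-unequal plaintexts with short padding.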