All Along the Ring TowerAlgebraic Structures for Fun and Profit

Thomas Prestjoint work w/

{Léo Ducas} ∪ {Thomas Pornin} ∪ {Léo Ducas, Steven Galbraith, Yang Yu}

RISC × PROMETHEUS Seminar, 03/05/2019

I Introduc on

II Three Case Studiesi Generalized Bézout Equa onsii Generalized Four Square Theoremiii Efficient La ce Decoding

III Conclusion

2 / 21

Rings in La ce-Based Cryptography

It is typical in la ce-based cryptography to use matrices with coefficientsin Zq[x]/(xd + 1) rather than Zq:1 Communica on costs typically go O(d2)⇒ O(d)2 Computa on costs typically go O(d2)⇒ O(d log d)

But in some situa ons this addi onal structure seems ineffec ve:1 Matrix decomposi on (Cholesky, Gram-Schmidt, etc.)2 Solving equa ons in a ring which is not a field (e.g. Z[x]/(xd + 1))Algorithms can take me up to Θ(d2) or Θ(d3).

3 / 21

The State of AffairsWhat naïve solu ons do:1 View Q[x]/(xd + 1) as either a Q-linear space of dimension d, an

extension field of Q of degree d, etc.2 This ignores the rich structure of cyclotomic rings and fields.

What happens when we open the black box?

4 / 21

Cyclotomic Fields - Opening the Black Box

For d a power-of-two, we note:ó Qd = Q[x]/(xd + 1) the d-th cyclotomic fieldó Zd = Z[x]/(xd + 1) the d-th cyclotomic ring

We have this tower of fields:

Q ⊊ Q2 ⊊ · · · ⊆ Qd/2 ⊊ Qd

As well as this chain of isomorphisms:

Qd ∼= (Q2)d/2 ∼= . . . ∼= (Qd/2)

2 ∼= Qd

At a high level:ó The field norm and field trace allows to move in the tower of fieldsó Ring isomorphisms allow us to move in the chain of ring isomorphisms

5 / 21

Traces and Norms in Cyclotomic Fields

Defini on: For a (finite) field extension L/K:ó The field trace is:

TrL/K : L→ K

f 7→∑

σ∈Gal(L/K)

σ(f)

ó The field norm is:

NL/K : L→ K

f 7→∏

σ∈Gal(L/K)

σ(f)

Concretely: if f(x) = fe(x2) + x · fo(x2) ∈ Qd, then f×(x) = f(−x) and:ó TrQd/Qd/2(f) = f+ f×

= 2 · fe(x2)

ó NQd/Qd/2(f) = f · f×

= f2e (x2)− x2f2o(x2)

Composi on proper es:ó TrL/K ◦TrM/L = TrM/K ó NL/K ◦NM/L = NM/K

Homomorphic proper es:ó TrL/K(a+b) = TrL/K(a)+TrL/K(b) ó NL/K(a · b) = NL/K(a) ·NL/K(b)

6 / 21

I Introduc on

II Three Case Studiesi Generalized Bézout Equa onsii Generalized Four Square Theoremiii Efficient La ce Decoding

III Conclusion

7 / 21

Problem 1 - Comple ng NTRU BasesNTRU La ces:ó Prevalent in la ce-based cryptoó Public key is A =

[1 h

], for h = g× f−1 mod (φ, q).

ó Private key is B such that B× At = 0 mod (φ, q)

Some schemes only require a par al trapdoor B =[g −f

]:

ó Fiat-Shamir [ZCHW17], encryp on [SHRS17], FHE [LTV12, BLLN13]

However, some schemes require a full trapdoor B =

[g −fG −F

]:

ó Hash-then-sign [PFH+17], IBE [DLP14], HIBE [CG17]ó More generally, anything based on trapdoor sampling [GPV08]

Problem: Given f, g ∈ Z[x]/(xd + 1), find F,G ∈ Z[x]/(xd + 1) such that:

f · G− g · F = q

8 / 21

Problem 1 - Comple ng NTRU BasesNTRU La ces:ó Prevalent in la ce-based cryptoó Public key is A =

[1 h

], for h = g× f−1 mod (φ, q).

ó Private key is B such that B× At = 0 mod (φ, q)

Some schemes only require a par al trapdoor B =[g −f

]:

ó Fiat-Shamir [ZCHW17], encryp on [SHRS17], FHE [LTV12, BLLN13]

However, some schemes require a full trapdoor B =

[g −fG −F

]:

ó Hash-then-sign [PFH+17], IBE [DLP14], HIBE [CG17]ó More generally, anything based on trapdoor sampling [GPV08]

Problem: Given f, g ∈ Z[x]/(xd + 1), find F,G ∈ Z[x]/(xd + 1) such that:

f · G− g · F = q

8 / 21

Problem 1 - Comple ng NTRU BasesNTRU La ces:ó Prevalent in la ce-based cryptoó Public key is A =

[1 h

], for h = g× f−1 mod (φ, q).

ó Private key is B such that B× At = 0 mod (φ, q)

Some schemes only require a par al trapdoor B =[g −f

]:

ó Fiat-Shamir [ZCHW17], encryp on [SHRS17], FHE [LTV12, BLLN13]

However, some schemes require a full trapdoor B =

[g −fG −F

]:

ó Hash-then-sign [PFH+17], IBE [DLP14], HIBE [CG17]ó More generally, anything based on trapdoor sampling [GPV08]

Problem: Given f, g ∈ Z[x]/(xd + 1), find F,G ∈ Z[x]/(xd + 1) such that:

f · G− g · F = q

8 / 21

Fun fact

If we can solve the problem projected over Zd/2, i.e.:

NZd/Zd/2(f) · G′ −NZd/Zd/2(g) · F

′ = 1

for some F′,G′, then we have this rela onship over Zd:

f · (f×G′)− g · (g×F′) = 1

This leads to a simple algorithm:1 Project2 Solve3 Li

9 / 21

Outline of the Solver

Zd ∋ f, g

→ F,G

⊊

↓ ↑

Zd/2

∋ NZd/Zd/2(f),NZd/Zd/2(g) → F[1],G[1]

⊊

↓ ↑

Zd/4

∋ NZd/Zd/4(f),NZd/Zd/4(g) → F[2],G[2]

⊊

↓ ↑

...

......

...

⊊

↓ ↑

Z

∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g

→ F,G

⊊ ↓

↑

Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g)

→ F[1],G[1]

⊊

↓ ↑

Zd/4

∋ NZd/Zd/4(f),NZd/Zd/4(g) → F[2],G[2]

⊊

↓ ↑

...

......

...

⊊

↓ ↑

Z

∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g

→ F,G

⊊ ↓

↑

Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g)

→ F[1],G[1]

⊊ ↓

↑

Zd/4 ∋ NZd/Zd/4(f),NZd/Zd/4(g)

→ F[2],G[2]

⊊

↓ ↑

...

......

...

⊊

↓ ↑

Z

∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g

→ F,G

⊊ ↓

↑

Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g)

→ F[1],G[1]

⊊ ↓

↑

Zd/4 ∋ NZd/Zd/4(f),NZd/Zd/4(g)

→ F[2],G[2]

⊊ ↓

↑

......

...

...

⊊

↓ ↑

Z

∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g

→ F,G

⊊ ↓

↑

Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g)

→ F[1],G[1]

⊊ ↓

↑

Zd/4 ∋ NZd/Zd/4(f),NZd/Zd/4(g)

→ F[2],G[2]

⊊ ↓

↑

......

...

...

⊊ ↓

↑

Z ∋ NZd/Z(f),NZd/Z(g)

→ F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g

→ F,G

⊊ ↓

↑

Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g)

→ F[1],G[1]

⊊ ↓

↑

Zd/4 ∋ NZd/Zd/4(f),NZd/Zd/4(g)

→ F[2],G[2]

⊊ ↓

↑

......

...

...

⊊ ↓

↑

Z ∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g

→ F,G

⊊ ↓

↑

Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g)

→ F[1],G[1]

⊊ ↓

↑

Zd/4 ∋ NZd/Zd/4(f),NZd/Zd/4(g)

→ F[2],G[2]

⊊ ↓

↑

......

......

⊊ ↓ ↑Z ∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g

→ F,G

⊊ ↓

↑

Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g)

→ F[1],G[1]

⊊ ↓

↑

Zd/4 ∋ NZd/Zd/4(f),NZd/Zd/4(g) → F[2],G[2]

⊊ ↓ ↑...

......

...

⊊ ↓ ↑Z ∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g

→ F,G

⊊ ↓

↑

Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g) → F[1],G[1]⊊ ↓ ↑

Zd/4 ∋ NZd/Zd/4(f),NZd/Zd/4(g) → F[2],G[2]

⊊ ↓ ↑...

......

...

⊊ ↓ ↑Z ∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g → F,G

⊊ ↓ ↑Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g) → F[1],G[1]

⊊ ↓ ↑Zd/4 ∋ NZd/Zd/4(f),NZd/Zd/4(g) → F[2],G[2]

⊊ ↓ ↑...

......

...

⊊ ↓ ↑Z ∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Outline of the Solver

Zd ∋ f, g → F,G

⊊ ↓ ↑Zd/2 ∋ NZd/Zd/2(f),NZd/Zd/2(g) → F[1],G[1]

⊊ ↓ ↑Zd/4 ∋ NZd/Zd/4(f),NZd/Zd/4(g) → F[2],G[2]

⊊ ↓ ↑...

......

...

⊊ ↓ ↑Z ∋ NZd/Z(f),NZd/Z(g) → F[ℓ],G[ℓ]

At each lower level:ó The coefficients grow (in bitsize) by a factor 2...ó ... but the number of coefficients is divided by 2.

Space-saving trick: recompute lazily Ni(f),Ni(g) at each stepó Allows a linear me-memory trade-off by a factor ℓ = log n

10 / 21

Toy Example

sage: f8, g8-x^7 + 3*x^6 - x^4 + 4*x^3 + 6*x^2 - 2*x - 4,x^7 - x^6 - 2*x^5 - 4*x^3 - 3*x^2 - x + 7sage: f4, g4-51*x^3 + 51*x^2 - 54*x - 17, -33*x^3 - 4*x^2 - 47*x + 57sage: f2, g2-2049*x + 3196, -1576*x + 6335sage: f1, g114412817, 42616001sage: F1, G15126443, 15157932sage: F2, G22495*x - 399, 3844*x - 2025sage: F4, G4-22*x^3 + 39*x^2 - 23*x - 14, -x^3 - 45*x + 5sage: F8, G8-x^7 - x^5 + 3*x^4 + 3*x^3 - 3*x^2 + 4,2*x^7 - x^6 - x^5 - x^4 - 3*x^3 + x^2 + x - 4

11 / 21

Performances

Method Time complexity1 Space complexity1Resultant [HHGP+03] O(d(d2 + B)) O(d2B)HNF [SS11] O(d3B) O(d2B)

This work (Fast) O((dB)log2 3 log d) [Kara] O(d(B+ log d) log d)O(dB) [SchöStr]

This work (Compact) O((dB)log2 3 log2 d) [Kara] O(d(B+ log d))O(dB) [SchöStr]

We gain in prac ce:ó a factor 100 in memory (3 MB→ 30 kB)ó a factor 100 in me (2 sec. → 20 msec.)

1B = log2 ||(f, g)||12 / 21

Problem 2 - Generalized Four Square Theorem

Problem: Given A ∈ Rn×n, compute B1, . . . ,Bk ∈ Rn×n such that

AA⋆ +∑i

BB⋆ = C · In

Algorithmic solu ons:

ó R = R,ó R = R[x]/(φ),ó R = Z,ó R = Z[x]/(xd+1),

k = 1:k = 1:k = O(1):k = O(log d):

Cholesky [Pei10]Babylonian method [DN12]ia.cr/2019/320This talk + ia.cr/2019/320

13 / 21

Simplified Problem

Simplified problem: Given a ∈ Z[x]/(xd + 1), compute polynomialsb1, . . . , blog2(d) ∈ Z[x]/(xd + 1) such that for some constant C:

aa+∑i

bibi = C,

where · denotes the Hermi an adjoint (in our case, a(x) = a(x−1)).

A empt 1: Galois conjuga on and Hermi an adjoint compose nicely:

TrQd/Qd/2(aa) = aa+ (aa)× = aa+ a×a× ∈ Zd/2

, We have projected the problem over Zd/2./ Unfortunately repea ng this trick doesn’t scale well.

14 / 21

A Scalable Solu onA empt 2: Let aa = g; g is self-adjoint so we can write g = glow + glow. Letb(x) = 1− x · go,low(x2), then:

g+ bb = ge(x2) + x · go,low(x2) + x · go,low(x2)

+ (1− x · go,low(x2)) · (1− x · go,low(x2))= (1+ ge + go,low · go,low)(x2)

, We have projected the problem over Zd/2., This trick scales well with repe on./ It incurs a growth on the coefficients’ sizes..., ... but composes nicely with gadget decomposi on:õ We write g = g0 + 2 · g1 + · · ·+ 2kgk,õ Then we apply this trick on each gi.

This effec vely mi gates the size growth.

Consequence: We can compute b1, . . . , bk in Zd such that

aa+∑i

bibi = C,

with k = O(log ∥g∥∞ + log d).

15 / 21

A Scalable Solu onA empt 2: Let aa = g; g is self-adjoint so we can write g = glow + glow. Letb(x) = 1− x · go,low(x2), then:

g+ bb = ge(x2) + x · go,low(x2) + x · go,low(x2)

+ (1− x · go,low(x2)) · (1− x · go,low(x2))= (1+ ge + go,low · go,low)(x2)

, We have projected the problem over Zd/2., This trick scales well with repe on./ It incurs a growth on the coefficients’ sizes...

, ... but composes nicely with gadget decomposi on:õ We write g = g0 + 2 · g1 + · · ·+ 2kgk,õ Then we apply this trick on each gi.

This effec vely mi gates the size growth.

Consequence: We can compute b1, . . . , bk in Zd such that

aa+∑i

bibi = C,

with k = O(log ∥g∥∞ + log d).

15 / 21

A Scalable Solu onA empt 2: Let aa = g; g is self-adjoint so we can write g = glow + glow. Letb(x) = 1− x · go,low(x2), then:

g+ bb = ge(x2) + x · go,low(x2) + x · go,low(x2)

+ (1− x · go,low(x2)) · (1− x · go,low(x2))= (1+ ge + go,low · go,low)(x2)

, We have projected the problem over Zd/2., This trick scales well with repe on./ It incurs a growth on the coefficients’ sizes..., ... but composes nicely with gadget decomposi on:õ We write g = g0 + 2 · g1 + · · ·+ 2kgk,õ Then we apply this trick on each gi.

This effec vely mi gates the size growth.

Consequence: We can compute b1, . . . , bk in Zd such that

aa+∑i

bibi = C,

with k = O(log ∥g∥∞ + log d).

15 / 21

A Scalable Solu onA empt 2: Let aa = g; g is self-adjoint so we can write g = glow + glow. Letb(x) = 1− x · go,low(x2), then:

g+ bb = ge(x2) + x · go,low(x2) + x · go,low(x2)

+ (1− x · go,low(x2)) · (1− x · go,low(x2))= (1+ ge + go,low · go,low)(x2)

, We have projected the problem over Zd/2., This trick scales well with repe on./ It incurs a growth on the coefficients’ sizes..., ... but composes nicely with gadget decomposi on:õ We write g = g0 + 2 · g1 + · · ·+ 2kgk,õ Then we apply this trick on each gi.

This effec vely mi gates the size growth.

Consequence: We can compute b1, . . . , bk in Zd such that

aa+∑i

bibi = C,

with k = O(log ∥g∥∞ + log d).15 / 21

Problem 3 - Efficient La ce Decoding

Problem: Given B ∈ Zn×nd and c ∈ SpanQd

(B), compute v ∈ Λ(B) such that

||v− c|| is small.

Equivalent: Given B ∈ Zn×nd and t ∈ Qn

d, compute z ∈ Znd such that

||(z− t) · B|| is small.

Algorithmic solu ons:

ó High quality,O((nd)2) opera ons

ó Lower quality,O(n2d log d) opera ons

ó High quality,O(n2d log d) opera ons

(Randomized) nearest plane[Bab85, GPV08](Randomized) round-off[Bab85, Pei10]Fast Fourier orthogonaliza onia.cr/2015/1014

16 / 21

How to Find a Close Vector

Round-Off Algorithm:1 t← c · B−1

2 z← ⌊t⌉

3 Output v← z · B

Nearest Plane Algorithm:1

1 t← c · B−1

2 For j = n down to 1:1 tj ← tj +

∑i>j(ti − zi) · Li,j

2 zj ← ⌊tj⌉

3 Output v← z · B

Output: Output:

c c

1Requires precompu ng the Gram-Schmidt orthogonalisa on (GSO) of B: B = L · B..17 / 21

How to Find a Close Vector

Round-Off Algorithm:1 t← c · B−1

2 z← ⌊t⌉

3 Output v← z · B

Nearest Plane Algorithm:1

1 t← c · B−1

2 For j = n down to 1:

1 tj ← tj +∑

i>j(ti − zi) · Li,j

2 zj ← ⌊tj⌉

3 Output v← z · B

Output: Output:

c c

1Requires precompu ng the Gram-Schmidt orthogonalisa on (GSO) of B: B = L · B .17 / 21

Tricks and Tips (1/2)Consider the simplified case where we want this to be small:

(z− t) · b

Using the ring isomorphism Qd ∼= (Qd/2)2, this is equivalent to:[

ze − te zo − to]·[

be boxbo be

]︸ ︷︷ ︸

B

Why this is nice:ó We can orthogonalize the second row of B w.r.t. to the first one:

b2 ← b2 −⟨b2,b1⟩b2,b1︸ ︷︷ ︸L2,1

·b1

ó We can apply this “break and orthogonalize” trick recursively.ó This structured decomposi on then allows a faster nearest plane

algorithm.18 / 21

Tricks and Tips (2/2)

Addi onal tricks:ó Equivalent decomposi on:

(B = L · B)︸ ︷︷ ︸GSO

⇐⇒ (B · B⋆ = L · BB⋆ · L⋆)︸ ︷︷ ︸LDL decomposi on

The LDL decomposi on is more amenable to a recursive applica on ofour trick; this yields a complexity O(d log2 d).

ó Working only in the FFT domain: Discarding useless conversionsfurther reduces the total complexity to O(d log d).

19 / 21

Summary (non-exhaus ve)

Speed-ups in the presence of a ring:ó Most of efficient la ce-based cryptography

Speed-ups in the presence of tower of rings (this talk):ó Using ring isomorphisms: ia.cr/2015/1014ó Using the field norm: ia.cr/2019/015ó Using trace-like proper es: ia.cr/2019/230

Exploi ng automorphisms:ó Homomorphic encryp onó Zero-Knowledge proofs [dPLS18]

20 / 21

Key takeaway

If you cannot trivially exploit the presence of a ring...

... use its par cular structure!

21 / 21

L Babai.On lova´sz’ la ce reduc on and the nearest la ce pointproblem.In Proceedings on STACS 85 2Nd Annual Symposium on Theore calAspects of Computer Science, New York, NY, USA, 1985.Springer-Verlag New York, Inc.

Joppe W. Bos, Kris n Lauter, Jake Lo us, and Michael Naehrig.Improved security for a ring-based fully homomorphic encryp onscheme.In Mar jn Stam, editor, 14th IMA Interna onal Conference onCryptography and Coding, volume 8308 of LNCS, pages 45–64.Springer, Heidelberg, December 2013.

Peter Campbell and Michael Groves.Prac cal post-quantum hierarchical iden ty-based encryp on.16th IMA Interna onal Conference on Cryptography and Coding,2017.http://www.qub.ac.uk/sites/CSIT/FileStore/Filetoupload,785752,en.pdf.

Léo Ducas, Vadim Lyubashevsky, and Thomas Prest.Efficient iden ty-based encryp on over NTRU la ces.

21 / 21

In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part II,volume 8874 of LNCS, pages 22–41. Springer, Heidelberg, December2014.Léo Ducas and Phong Q. Nguyen.Faster Gaussian la ce sampling using lazy floa ng-point arithme c.In Wang and Sako [WS12], pages 415–432.

Rafaël del Pino, Vadim Lyubashevsky, and Gregor Seiler.La ce-based group signatures and zero-knowledge proofs ofautomorphism stability.In David Lie, Mohammad Mannan, Michael Backes, and XiaoFengWang, editors, ACM CCS 18, pages 574–591. ACM Press, October2018.Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan.Trapdoors for hard la ces and new cryptographic construc ons.In Richard E. Ladner and Cynthia Dwork, editors, 40th ACM STOC,pages 197–206. ACM Press, May 2008.

Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H.Silverman, and William Whyte.NTRUSIGN: Digital signatures using the NTRU la ce.

21 / 21

In Marc Joye, editor, CT-RSA 2003, volume 2612 of LNCS, pages122–140. Springer, Heidelberg, April 2003.

Adriana López-Alt, Eran Tromer, and Vinod Vaikuntanathan.On-the-fly mul party computa on on the cloud via mul key fullyhomomorphic encryp on.In Howard J. Karloff and Toniann Pitassi, editors, 44th ACM STOC,pages 1219–1234. ACM Press, May 2012.

Chris Peikert.An efficient and parallel Gaussian sampler for la ces.In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages80–97. Springer, Heidelberg, August 2010.

Thomas Prest, Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner,Vadim Lyubashevsky, Thomas Pornin, Thomas Ricosset, Gregor Seiler,William Whyte, and Zhenfei Zhang.Falcon.Technical report, Na onal Ins tute of Standards and Technology,2017.available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions.

21 / 21

John M. Schanck, Andreas Hulsing, Joost Rijneveld, and PeterSchwabe.Ntru-hrss-kem.Technical report, Na onal Ins tute of Standards and Technology,2017.available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions.

Damien Stehlé and Ron Steinfeld.Making NTRU as secure as worst-case problems over ideal la ces.In Kenneth G. Paterson, editor, EUROCRYPT 2011, volume 6632 ofLNCS, pages 27–47. Springer, Heidelberg, May 2011.

Xiaoyun Wang and Kazue Sako, editors.ASIACRYPT 2012, volume 7658 of LNCS. Springer, Heidelberg,December 2012.Zhenfei Zhang, Cong Chen, Jeffrey Hoffstein, and William Whyte.pqntrusign.Technical report, Na onal Ins tute of Standards and Technology,2017.available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions.

21 / 21