Lattice-based cryptography relies on generating random bases that are difficult to fully reduce. Given one basis of a lattice (such as the private basis of a cryptosystem), every other basis of the same lattice is obtained by multiplying it by a unimodular matrix, i.e. an element of $GL(n,\mathbb{Z})$. We compare the strengths of various methods for sampling random elements of $GL(n,\mathbb{Z})$, and find that some are stronger than others with respect to the problem of recognizing rotations of the $\mathbb{Z}^n$ lattice. In particular, the standard algorithm of multiplying random unipotent generators together (as implemented in Magma's RandomSLnZ command) generates instances of this problem that can be broken efficiently, even in dimensions nearing 1,500. Likewise, we find that the random basis generation method in one of the NIST Post-Quantum Cryptography competition submissions (DRS) generates instances that can be broken efficiently, even at its 256-bit security settings. Other random basis generation algorithms (some older, some newer) are described which appear to be much stronger.
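To make the two objects the abstract contrasts concrete, here is an added illustration that is not part of the paper: a sampler that builds an element of $GL(n,\mathbb{Z})$ as a product of random unipotent generators $E_{ij}(\pm 1) = I \pm e_{ij}$ (the generator-multiplication recipe the abstract attributes to Magma's RandomSLnZ, reconstructed here rather than Magma's code), and a generic "recognize a rotation of $\mathbb{Z}^n$" attempt that sees only the Gram matrix $B B^{\mathsf T}$ of the basis, because an unknown rotation $Q$ leaves $(BQ)(BQ)^{\mathsf T} = BB^{\mathsf T}$ unchanged. The attack is plain LLL driven by the Gram matrix; the choice of coefficient $\pm 1$, the number of multiplications, and the use of Gram-LLL as the attack are this example's assumptions, not statements about the paper's experiments.

```python
"""Added example (not from the paper): unipotent-product sampling of GL(n,Z)
and Gram-matrix LLL as a rotation-of-Z^n recognizer."""
import random
from fractions import Fraction


def identity(n):
    return [[int(r == s) for s in range(n)] for r in range(n)]


def matmul(A, B):
    return [[sum(A[r][k] * B[k][s] for k in range(len(B))) for s in range(len(B[0]))]
            for r in range(len(A))]


def transpose(A):
    return [list(col) for col in zip(*A)]


def unipotent_product(n, steps, rng, coeff=1):
    """Element of GL(n,Z) as a product of `steps` random generators
    E_ij(+-coeff) = I + coeff*e_ij with i != j (assumed parameters)."""
    U = identity(n)
    for _ in range(steps):
        i, j = rng.sample(range(n), 2)
        E = identity(n)
        E[i][j] = rng.choice((-coeff, coeff))
        U = matmul(U, E)
    return U


def gram(B):
    """Gram matrix B B^T: rotation-invariant, so this is all an attacker
    learns about a basis B Q for unknown orthogonal Q."""
    return matmul(B, transpose(B))


def gram_lll(G, delta=Fraction(99, 100)):
    """LLL using only inner products. Returns (G_red, T) with
    G_red = T G T^T and T in GL(n,Z) (T is a product of row operations)."""
    n = len(G)
    G = [[Fraction(x) for x in row] for row in G]
    T = identity(n)

    def gso():  # r[i][j] = <b_i, b_j*>, mu[i][j] = r[i][j] / r[j][j]
        r = [[Fraction(0)] * n for _ in range(n)]
        mu = [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            for j in range(i + 1):
                r[i][j] = G[i][j] - sum(mu[j][k] * r[i][k] for k in range(j))
                if j < i:
                    mu[i][j] = r[i][j] / r[j][j]
        return r, mu

    def row_op(k, j, q):  # b_k <- b_k - q*b_j, applied to both sides of G and to T
        for s in range(n):
            G[k][s] -= q * G[j][s]
        for s in range(n):
            G[s][k] -= q * G[s][j]
        T[k] = [x - q * y for x, y in zip(T[k], T[j])]

    def swap(k):  # exchange b_k and b_{k-1}
        G[k], G[k - 1] = G[k - 1], G[k]
        for row in G:
            row[k], row[k - 1] = row[k - 1], row[k]
        T[k], T[k - 1] = T[k - 1], T[k]

    k = 1
    while k < n:
        r, mu = gso()
        for j in range(k - 1, -1, -1):  # size reduction
            q = round(mu[k][j])
            if q:
                row_op(k, j, q)
                r, mu = gso()
        if r[k][k] >= (delta - mu[k][k - 1] ** 2) * r[k - 1][k - 1]:  # Lovasz
            k += 1
        else:
            swap(k)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in G], T


def recognize_zn_rotation(G):
    """True iff Gram-LLL reaches the identity Gram matrix; then T maps the
    hidden basis onto a signed permutation of the standard basis. False means
    'not recognized by this attack', not 'not a rotation of Z^n'."""
    G_red, T = gram_lll(G)
    return G_red == identity(len(G)), T


def is_signed_permutation(M):
    return all(sorted(abs(x) for x in row) == [0] * (len(M) - 1) + [1] for row in M) \
        and all(sorted(abs(x) for x in col) == [0] * (len(M) - 1) + [1] for col in transpose(M))


if __name__ == "__main__":
    rng = random.Random(1)            # fixed seed: constructed instance
    U = unipotent_product(6, 30, rng)
    ok, T = recognize_zn_rotation(gram(U))
    print("recognized:", ok, "T*U signed permutation:", ok and is_signed_permutation(matmul(T, U)))
```

Run on a unipotent product with a handful of multiplications the recognizer typically recovers a signed permutation immediately, which is the "efficiently broken" behaviour the abstract reports; the stronger generators the abstract alludes to are precisely those for which Gram-LLL (and its block variants) stop short of the identity Gram matrix.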