Generating cryptographically-strong random lattice bases and recognizing rotations of ℤ^n

02/12/2021

∙

Lattice-based cryptography relies on generating random bases which are difficult to fully reduce. Given a lattice basis (such as the private basis for a cryptosystem), all other bases are related by multiplication by matrices in GL(n,ℤ). How can one sample random elements from GL(n,ℤ)? We consider various methods, finding some are stronger than others with respect to the problem of recognizing rotations of the ℤ^n lattice. In particular, the standard algorithm of multiplying unipotent generators together (as implemented in Magma's RandomSLnZ command) generates instances of this last problem which can be efficiently broken, even in dimensions nearing 1,500. Similar weaknesses for this problem are found with the random basis generation method in one of the NIST Post-Quantum Cryptography competition submissions (DRS). Other algorithms are described which appear to be much stronger.

READ FULL TEXT

Generating cryptographically-strong random lattice bases and recognizing rotations of ℤ^n

Obtuse Lattice Bases

Faster Lattice Enumeration

Lattice sieving via quantum random walks

Integral Sampler and Polynomial Multiplication Architecture for Lattice-based Cryptography

Sampling lattice points in a polytope: a Bayesian biased algorithm with random updates

Lattice reduction by cubification

Finding duality for Riesz bases of exponentials on multi-tiles

Generating cryptographically-strong random lattice bases and recognizing rotations of ℤ^n

Related Research

Obtuse Lattice Bases

Faster Lattice Enumeration

Lattice sieving via quantum random walks

Integral Sampler and Polynomial Multiplication Architecture for Lattice-based Cryptography

Sampling lattice points in a polytope: a Bayesian biased algorithm with random updates

Lattice reduction by cubification

Finding duality for Riesz bases of exponentials on multi-tiles