Sabrina De Capitani di Vimercati
Chris Mitchell (Eds.)

Public Key Infrastructures, Services and Applications
9th European Workshop, EuroPKI 2012
Pisa, Italy, September 2012
Revised Selected Papers

LNCS 7868
Lecture Notes in Computer Science 7868
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Madhu Sudan
Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany
Sabrina De Capitani di Vimercati
Chris Mitchell (Eds.)

Public Key
Infrastructures,
Services
and Applications
9th European Workshop, EuroPKI 2012
Pisa, Italy, September 13-14, 2012
Revised Selected Papers

Volume Editors
Sabrina De Capitani di Vimercati
Università degli Studi di Milano
Dipartimento di Informatica
26013 Crema, Italy
E-mail: sabrina.decapitani@unimi.it
Chris Mitchell
University of London, Royal Holloway
Egham, Surrey TW20 0EX, UK
E-mail: c.mitchell@rhul.ac.uk

ISSN 0302-9743 e-ISSN 1611-3349


ISBN 978-3-642-40011-7 e-ISBN 978-3-642-40012-4
DOI 10.1007/978-3-642-40012-4
Springer Heidelberg Dordrecht London New York

Library of Congress Control Number: 2013944638

CR Subject Classification (1998): K.6.5, C.2, E.3, D.4.6, J.1, K.4.4

LNCS Sublibrary: SL 4 – Security and Cryptology


© Springer-Verlag Berlin Heidelberg 2013

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection
with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and
executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication
or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location,
in its current version, and permission for use must always be obtained from Springer. Permissions for use
may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution
under the respective Copyright Law.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Preface

These proceedings contain the papers selected for presentation at the 9th European PKI Workshop: Research and Applications, held September 13–14, 2012, in conjunction with ESORICS 2012, in Pisa, Italy.

In response to the call for papers, 30 papers were submitted to the workshop. These papers were evaluated on the basis of their significance, novelty, and technical quality. Each paper was reviewed by at least three members of the Program Committee. Reviewing was double-blind, meaning that the Program Committee was not able to see the names and affiliations of the authors, and the authors were not told which committee members reviewed which papers. The Program Committee meeting was held electronically, with intensive discussion over a period of two weeks. Of the papers submitted, 12 were selected for presentation at the workshop, giving an acceptance rate of 40%.

There is a long list of people who volunteered their time and energy to put together the workshop and who deserve acknowledgment. Thanks to all the members of the Program Committee, and the external reviewers, for all their hard work in evaluating and discussing papers. We would like to thank Fabio Martinelli for overall organization as General Chair of ESORICS 2012, Giovanni Livraga for taking care of publicity and of the workshop website, Sara Foresti for collating this volume, and the invited speakers Kenny Paterson and Roberto Di Pietro. We are also very grateful to all other ESORICS 2012 organizers whose work ensured a smooth organizational process.

Last, but certainly not least, our thanks go to all the authors who submitted papers and all the attendees. We hope you find the program stimulating.

Sabrina De Capitani di Vimercati
Chris Mitchell
Organization

General Chair
Fabio Martinelli, National Research Council - CNR, Italy

Program Chairs
Sabrina De Capitani di Vimercati, Università degli Studi di Milano, Italy
Chris Mitchell, Royal Holloway, University of London, UK

Publicity Chair
Giovanni Livraga, Università degli Studi di Milano, Italy

Program Committee
Lejla Batina, Radboud University Nijmegen, The Netherlands
Carlos Blanco Bueno, University of Cantabria, Spain
David Chadwick, University of Kent, UK
Sherman S.M. Chow, University of Waterloo, Canada
Paolo D'Arco, University of Salerno, Italy
Bao Feng, Institute for Infocomm Research, Singapore
Simone Fischer-Huebner, Karlstad University, Sweden
Sara Foresti, Università degli Studi di Milano, Italy
Steven Furnell, Plymouth University, UK
Peter Gutmann, University of Auckland, New Zealand
Ravi Jhawar, Università degli Studi di Milano, Italy
Sokratis Katsikas, University of Piraeus, Greece
Dogan Kesdogan, University of Siegen, Germany
Elisavet Konstantinou, University of the Aegean, Greece
Costas Lambrinoudakis, University of Piraeus, Greece
Herbert Leitold, A-SIT, Austria
Javier Lopez, University of Malaga, Spain
Fabio Martinelli, National Research Council - CNR, Italy
Catherine Meadows, NRL, USA
Stig Mjølsnes, NTNU, Norway
Yi Mu, University of Wollongong, Australia
Shishir Nagaraja, University of Birmingham, UK
Svetla Nikova, Katholieke Universiteit Leuven, Belgium
Rolf Oppliger, eSECURITY Technologies, Switzerland
Massimiliano Pala, Polytechnic Institute, USA
Stefano Paraboschi, Università degli Studi di Bergamo, Italy
Andreas Pashalidis, K.U. Leuven, Belgium
Olivier Pereira, Universite Catholique de Louvain, Belgium
Günter Pernul, Universität Regensburg, Germany
Sasa Radomirovic, University of Luxembourg, Luxembourg
Pierangela Samarati, Università degli Studi di Milano, Italy
Sean Smith, Dartmouth College, USA

External Reviewers
Au, Man Ho
Coisel, Iwen
Drogkaris, Prokopios
Fan, Junfeng
Feltz, Michele
Fischer, Lars
Hassan, Sabri
Heupel, Marcel
Karatas, Fatih
Krautsevich, Leanid
Netter, Michael
Peters, Thomas
Rea, Scott
Riesner, Moritz
Seys, Stefaan
Slamanig, Daniel
Stengel, Ingo
Vercauteren, Frederik
Vrakas, Nikos
Zhao, Jianjie
Table of Contents

Cryptographic Schemas and Protocols

Analysis of Lattice Reduction Attack against the Somewhat Homomorphic Encryption Based on Ideal Lattices (p. 1)
Masaya Yasuda, Jun Yajima, Takeshi Shimoyama, and Jun Kogure

Group Key Exchange Resilient to Leakage of Ephemeral Secret Keys with Strong Contributiveness (p. 17)
Cheng Chen, Yanfei Guo, and Rui Zhang

Efficient Public Key Encryption Admitting Decryption by Sender (p. 37)
Puwen Wei and Yuliang Zheng

Public Key Infrastructure

How to Avoid the Breakdown of Public Key Infrastructures: Forward Secure Signatures for Certificate Authorities (p. 53)
Johannes Braun, Andreas Hülsing, Alex Wiesmaier, Martín A.G. Vigil, and Johannes Buchmann

Personal PKI for the Smart Device Era (p. 69)
John Lyle, Andrew Paverd, Justin King-Lacroix, Andrea Atzeni, Habib Virji, Ivan Flechais, and Shamal Faily

The Notary Based PKI (p. 85)
Martín A.G. Vigil, Cristian T. Moecke, Ricardo F. Custódio, and Melanie Volkamer

Wireless Authentication and Revocation

How to Bootstrap Trust among Devices in Wireless Environments via EAP-STLS (p. 98)
Massimiliano Pala

Anonymity Revocation through Standard Infrastructures (p. 112)
Jesus Diaz, David Arroyo, and Francisco B. Rodriguez

Certificate and Trusted Computing

GeoPKI: Converting Spatial Trust into Certificate Trust (p. 128)
Tiffany Hyun-Jin Kim, Virgil Gligor, and Adrian Perrig

Waltzing the Bear, or: A Trusted Virtual Security Module (p. 145)
Ronald Toegl, Florian Reimair, and Martin Pirker

Digital Signatures

Cross-Unlinkable Hierarchical Group Signatures (p. 161)
Julien Bringer, Hervé Chabanne, and Alain Patey

Non-interactive Public Accountability for Sanitizable Signatures (p. 178)
Christina Brzuska, Henrich C. Pöhls, and Kai Samelin

Author Index (p. 195)

Analysis of Lattice Reduction Attack
against the Somewhat Homomorphic Encryption
Based on Ideal Lattices

Masaya Yasuda, Jun Yajima, Takeshi Shimoyama, and Jun Kogure

Fujitsu Laboratories Ltd.
1-1, Kamikodanaka 4-chome, Nakahara-ku, Kawasaki, 211-8588, Japan
{myasuda,jyajima,shimo}@labs.fujitsu.com, kogure@jp.fujitsu.com

Abstract. In 2009, Gentry first proposed a concrete method for constructing a fully homomorphic encryption (FHE) scheme, which supports arbitrary operations on encrypted data. The construction of the FHE scheme starts from a somewhat homomorphic encryption (SHE) scheme, which only supports limited operations but can be much faster than the FHE scheme. Gentry's scheme is based on ideal lattices, and Chen and Nguyen estimated that a lattice dimension of at least 10,000 is needed to make the FHE scheme secure. In contrast, the security of the SHE scheme can be guaranteed for lower lattice dimensions, depending on the possible operations, which are determined by key parameters. The aim of this paper is to classify which key parameters are feasible to solve. We attack the lattice problem of lower dimensions with practical lattice reduction algorithms, and estimate the key parameters which can be solved in practice.

Keywords: somewhat homomorphic encryption, lattices, LLL, BKZ.

1 Introduction

A homomorphic encryption scheme is a public key encryption scheme that supports operations on encrypted data. There are many previously known homomorphic encryption schemes that support either addition or multiplication on encrypted data (for example, Paillier [21], RSA [22]). Recently, a concrete method for constructing an FHE scheme was proposed by Gentry [10,11]. After Gentry's breakthrough work, research on applications of FHE schemes has become popular, mainly in cloud computing (see [14] for example). At present, there are three main variants of FHE schemes: one based on ideal lattices [10,11,12,26], which was first proposed by Gentry, one based on integers [7,8], and finally one based on ring learning with errors (ring-LWE) [2,3,4]. The construction of these FHE schemes starts from an SHE scheme supporting limited operations on encrypted data. Since SHE schemes have the advantage of much faster processing performance and a more compact representation than FHE schemes (see [7,12] for implementation results), research on applications of SHE schemes is also attracting attention (see [16] for example).

C. Mitchell and S. De Capitani di Vimercati (Eds.): EuroPKI 2012, LNCS 7868, pp. 1–16, 2013.
© Springer-Verlag Berlin Heidelberg 2013

We here focus on the SHE scheme based on ideal lattices. In general, the hardness of lattice problems is much less understood than that of the integer factoring problem and the discrete logarithm problem. Recently, the security of the FHE scheme based on ideal lattices was analyzed by Chen and Nguyen [6], and their research implies that a dimension of at least 10,000 is needed to make the lattice problem hard in the FHE scheme. On the other hand, the security of the SHE scheme can be guaranteed for lattices of lower dimensions, depending on the possible operations on encrypted data. Our motivation arises from the question "which lattice dimension should we take in applying the SHE scheme to a concrete system?". The possible operations of the SHE scheme on encrypted data are determined by key parameters, and hence we need to select secure key parameters that achieve the application scenarios. However, since experimental results for attacking the lattice problem ensuring the security of the SHE scheme have hardly been reported, it is impossible to select secure key parameters. Lattice reduction algorithms are often used for breaking lattice-based cryptosystems (see [19] for example). In this paper, we attack the lattice problem of dimensions 128, 256 and 512 ensuring the security of the SHE scheme by the LLL [17] and the BKZ [23,24] algorithms, which are the most practical lattice reduction algorithms. We also analyze the hardness of the lattice problem in higher dimensions based on our experimental results, and estimate the key parameters which can be solved by these lattice reduction algorithms. As feedback, we believe that our results might help one to select secure key parameters in applying the SHE scheme.

Related Work: In [6,20], Chen and Nguyen analyzed the security of the FHE scheme based on ideal lattices (in [5] they also analyzed the security of the FHE scheme based on integers). In particular, they examined the security of the Gentry and Halevi challenges [13], which are public problems for the FHE scheme based on ideal lattices. The hardness of lattice problems is essentially related to the Hermite constant, and lattice problems become easier as the Hermite constant grows. There are four problems in the Gentry and Halevi challenges, with Hermite constants 1.67, 1.14, 1.03 and 1.0081 [6, Table 5], respectively (the corresponding lattice dimensions are 512, 2048, 8192 and 32768, respectively). They reported an attack on the toy example with Hermite constant 1.67 and estimated that the challenge problem with Hermite constant 1.14 should take at most 45 core years. For the challenge problem with Hermite constant 1.03, they also estimated that it takes at most 68,582 core years. They suggest that a lattice dimension of at least 10,000 is needed to guarantee the security of the FHE scheme based on ideal lattices with a sufficient margin.

Our Results: In lower dimensions, the FHE scheme based on ideal lattices has a relatively high Hermite constant, because the scheme is made to support arbitrary operations on encrypted data (see [12, Section 10.1] for the BDD-hardness parameter μ). On the other hand, the Hermite constant of the SHE scheme depends on the key parameters (n, t), which mainly determine the possible operations on encrypted data, where n is the lattice dimension and t is the bit length of the coefficients in the secret key matrix (see §2.3 below for the construction of the SHE scheme). Hence the SHE scheme of lower dimensions may have both safety and functionality. Our experimental results show that almost all key parameters of dimension 512 or less are solved by the BKZ algorithm in realistic time. Hence, we conclude that a lattice dimension of at least 1024 is needed to apply the SHE scheme to scenarios in which more than one multiplication on encrypted data is required. By analysis based on our experimental results, we show that a lattice dimension of at least 2048 (resp. 4096) is needed to make the SHE scheme support 5 (resp. 10) multiplications on encrypted data.

2 Review of the SHE Scheme Based on Ideal Lattices

To fix our notation, we review the SHE scheme implemented by Gentry and Halevi (without optimization) [12, Part I].

2.1 Lattices and Lattice Reduction Algorithms

Fix an integer number n. Let B ∈ R^{n×n} be a matrix and let b_i ∈ R^n denote the i-th row of B for i = 1, ..., n. Denote by L(B) the set of all integral linear combinations of the b_i's:

$$L(B) = \left\{ \sum_{i=1}^{n} m_i b_i : m_i \in \mathbb{Z},\ \forall i \right\},$$

which is a subgroup of R^n. We say that the subgroup L(B) is a (full-rank) lattice of dimension n if b_1, ..., b_n are linearly independent. In this case, we say that the matrix B is a basis of the lattice L(B). Every lattice has an infinite number of lattice bases. If B_1 and B_2 are two bases of a lattice L, then there exists a unimodular matrix U ∈ GL_n(Z) satisfying B_1 = U · B_2. Since det(U) = ±1, the value |det(B)| is invariant for any basis B of L and is denoted by det(L). For a basis B of L, we let

$$\mathcal{P}(B) = \left\{ \sum_{i=1}^{n} x_i b_i : x_i \in [-1/2, 1/2),\ \forall i \right\}$$

denote its associated half-open parallelepiped. We note that the volume of P(B) is precisely equal to det(L). Furthermore, every lattice L has a unique Hermite normal form basis HNF(L) = (b_ij), where b_ij = 0 for all i < j, b_jj > 0 for all j, and b_ij ∈ [−b_jj/2, +b_jj/2) for all i > j. Given any basis of L, we can compute the basis HNF(L) by Gaussian elimination. Note that the basis HNF(L) typically serves as the public key representation of the lattice (see [18] for example).

A lattice reduction algorithm is an algorithm that takes a basis of L as input, and outputs a basis B = [b_1, ..., b_n]^t of L with short and nearly orthogonal vectors b_1, ..., b_n. The Hermite factor of a lattice reduction algorithm is defined by $\|b_1\| / \det(L)^{1/n}$ with the output basis [b_1, ..., b_n]^t, where ||b|| denotes the Euclidean norm of a vector b (assume ||b_1|| ≤ ||b_2|| ≤ ··· ≤ ||b_n||). We can consider the Hermite factor as an index to measure the quality of a lattice reduction algorithm. Note that the quality is better as the Hermite factor is smaller. The most practical lattice reduction algorithms are the following:

LLL: it is a polynomial-time algorithm [17]. It follows from the experimental results of Gama and Nguyen [9, Fig. 4] that the best Hermite factor of the LLL algorithm is $1.018^n$ in practice.

BKZ: it is a blockwise generalization of the LLL algorithm with subexponential complexity [23,24]. The BKZ algorithm uses a blockwise parameter β. As β grows, we expect the Hermite factor to improve, but the running time to increase. According to [6,9], a small blocksize β around 20 in any dimension achieves the best time/quality compromise in practice. Although β ≥ 40 in high dimension can find shorter and shorter lattice vectors, BKZ with this β does not terminate in a reasonable time. In this paper, we focus on BKZ with β ≈ 20 (Chen and Nguyen in [6] researched the behavior of BKZ with high blocksize). Furthermore, it follows from [9, Section 5.2] that the best Hermite factor of the BKZ algorithm with β ≈ 20 is predicted to be $1.01^n$ in practice (see also [9, Fig. 5]).

2.2 Homomorphic Encryption Schemes

A conventional public key encryption scheme consists of three algorithms, namely KeyGen, Encrypt, and Decrypt. KeyGen is a randomized algorithm which takes a security parameter λ as input, and outputs a secret key sk and a public key pk. Encrypt is a randomized algorithm that takes the public key pk and a plaintext b as input, and outputs a ciphertext c. Decrypt takes the secret key sk and a ciphertext c as input, and outputs the plaintext b. In addition to these three algorithms, a homomorphic encryption scheme has an efficient algorithm Evaluate, which takes as input the public key pk, a circuit C, and a tuple of ciphertexts ⟨c_1, ..., c_t⟩ for the input wires of C, and outputs a ciphertext c. Note that Evaluate stands for the operations on encrypted data. To classify the possible operations of a homomorphic encryption scheme on encrypted data, we define correctness as follows (see [11, Definition 2.1.1] for details): A homomorphic encryption scheme is correct for a circuit C if we have

$$\mathsf{Decrypt}(\mathsf{Evaluate}(\Psi, C, pk), sk) = C(b_1, \ldots, b_t)$$

for any tuple of ciphertexts Ψ = ⟨c_1, ..., c_t⟩ with c_i = Encrypt(b_i, pk). For a homomorphic encryption scheme E, the possible operations of E on encrypted data are the circuits for which E is correct.

2.3 Construction of the SHE Scheme Based on Ideal Lattices

Let f(x) be an irreducible polynomial of degree n defined by f(x) = x^n + 1, where n is a power of two. Let R = Z[x]/(f(x)) denote the ring of integer polynomials modulo f(x). Since the map

$$R \ni v(x) = v_0 + v_1 x + \cdots + v_{n-1} x^{n-1} \;\mapsto\; \mathbf{v} = (v_0, v_1, \ldots, v_{n-1}) \in \mathbb{Z}^n$$

gives an isomorphism $R \cong \mathbb{Z}^n$ as Z-modules, we can view each element of R as both a polynomial v(x) and a vector v. In the following, we give a brief construction of the SHE scheme due to [12, Part I]:

KeyGen: To generate both public and secret keys, we need key parameters (n, t): the lattice dimension n, which must be a power of two, and the bit length t of the coefficients in the generating vector v ∈ Z^n. Then KeyGen consists of the following two steps:

(i) We first choose an n-dimensional vector v = (v_0, v_1, ..., v_{n−1}) ∈ Z^n, where each entry v_i is chosen at random as a signed t-bit integer. Let v(x) be the corresponding polynomial defined by $v(x) = \sum_{i=0}^{n-1} v_i x^i \in R$. Consider the rotation basis

$$V = \begin{bmatrix}
v_0 & v_1 & v_2 & \cdots & v_{n-1} \\
-v_{n-1} & v_0 & v_1 & \cdots & v_{n-2} \\
-v_{n-2} & -v_{n-1} & v_0 & \cdots & v_{n-3} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
-v_1 & -v_2 & -v_3 & \cdots & v_0
\end{bmatrix}. \qquad (1)$$

Since the i-th row vector of the matrix V corresponds to the polynomial v(x) · x^i ∈ R under the isomorphism R ≅ Z^n, we can see that the subgroup L = L(V) of Z^n is a lattice of dimension n. In particular, we have the following relation:

$$\begin{array}{ccc}
R & \cong & \mathbb{Z}^n \\
\cup & & \cup \\
(v(x)) & \cong & L = L(V),
\end{array}$$

where (v(x)) denotes the principal ideal of R generated by v(x).

(ii) We next compute the Hermite normal form basis B = HNF(L) from the basis V, and check whether the generating vector v is good or not. We say that v is good if B has the form

$$B = \begin{bmatrix}
\det(L) & 0 & 0 & \cdots & 0 \\
* & 1 & 0 & \cdots & 0 \\
* & 0 & 1 & \cdots & 0 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
* & 0 & 0 & \cdots & 1
\end{bmatrix}. \qquad (2)$$

According to Gentry and Halevi's experiments, for a randomly chosen vector v ∈ Z^n this condition is met with probability roughly 0.5, irrespective of the key parameters (n, t) [12, Section 3]. We repeat Steps (i) and (ii) until we find a good generating vector v.

Then we set V (resp. B) as the secret key (resp. public key) of the SHE scheme. For the sake of simplicity, we here call V (resp. B) the secret key matrix (resp. public key matrix).

Encrypt: To encrypt a bit b ∈ {0, 1} with the public key matrix B, we first choose a random noise vector u = (u_0, u_1, ..., u_{n−1}) with each entry u_i ∈ {0, 1}. Note that the number of nonzero entries in the noise vector u is always between 15 and 20 in the setting of Gentry and Halevi [12, Section 5.2]. We set a = 2u + b · e = (2u_0 + b, 2u_1, ..., 2u_{n−1}) with e = (1, 0, ..., 0). Then a ciphertext is given by the vector

$$c = a \bmod B := a - \lfloor a \times B^{-1} \rceil \times B \in \mathcal{P}(B),$$

where $\lfloor q \rceil = (\lfloor q_0 \rceil, \lfloor q_1 \rceil, \ldots, \lfloor q_{n-1} \rceil) \in \mathbb{Z}^n$ denotes the rounding vector of a rational vector $q = (q_0, q_1, \ldots, q_{n-1})$ as defined in [12, Notations of Section 2]. We call the vector a the masked plaintext corresponding to c (cf. [12] for notations). Since the public key matrix B has the special form (2), it follows from [12, Section 5] that any ciphertext c has the form (c, 0, ..., 0) with c ∈ Z, and hence we can view a ciphertext vector c as the integer c.

Decrypt: To decrypt a ciphertext c with the secret key matrix V, we first recover the corresponding masked plaintext as follows:

$$a = c \bmod V = c - \lfloor c \times V^{-1} \rceil \times V. \qquad (3)$$

Note that we can recover the masked plaintext a if the vector a is included in the set P(V) (see [12, Section 6] for details). We then output a_0 mod 2 as the decryption result, where a_0 denotes the first entry of the vector a.

Evaluate: Let c_1 = (c_1, 0, ..., 0), c_2 = (c_2, 0, ..., 0) be two ciphertexts. The operation on encrypted data for the addition circuit Add is defined by

$$\mathsf{Evaluate}(c_1, c_2, \mathsf{Add}, B) = (c_1 + c_2, 0, \ldots, 0) \bmod B.$$

Note that the right-hand side of the above equation is equal to c_1 + c_2 mod B, where c_1 + c_2 denotes the addition of the corresponding polynomials in the ring R. Similarly, we define the operation on encrypted data for the multiplication circuit Mul.

2.4 Correctness of the SHE Scheme


Let c1 , c2 be two ciphertexts. Let a1 = 2u1 + b1 · e, a2 = 2u2 + b2 · e denote the
corresponding masked plaintexts. Then we have

a1 + a2 = (b1 + b2 ) · e + 2(u1 + u2 ) ∈ R,
  
noise vector
a1 × a2 = (b1 · b2 ) · e + 2(b1 · u2 + b2 · u1 ) + 4u1 × u2 ∈ R.
  
noise vector

We note that the above two vectors are the masked plaintexts corresponding to the
operated ciphertexts Evaluate(c1 , c2 , Add, B) and Evaluate(c1 , c2 , Mul, B), re-
spectively. Since we can decrypt a ciphertext if the corresponding masked plain-
text is included in the set P(V ), it is possible to add and multiply ciphertexts
Analysis of Lattice Reduction Attack against the SHE Scheme 7

Encryption (B: the public key matrix)


....................................................................................................................................................................................................................................................................................................................................................................
......... ....
.... ...
... .........
... +noise vector u
..............................................................................................
modB
.................................................................................. .

plaintext b .............................................................................................
masked plaintext a .................................................................................
ciphertext c
.. . ..
......... ........ ..
... mod2 ..
.. modV ....
......
........... ..
..
............
.
. .
.......................................................................................................................................................................................................................................................................................................................................................... .
.. ..
... .
Decryption (V : the secret key matrix) .... ...
........ .....
...................................................................................................................................
Attack to get a without V

Fig. 1. The construction of the SHE scheme (§2.3) and the attack (§3.1)

before the noise vector in the corresponding masked plaintext grows beyond the decryption radius 2^t of the secret key matrix V (see [12, Section 2.4] for details). We see from the above two equations that multiplication on encrypted data makes the noise vector in the masked plaintext grow much faster than addition does.
From their experiments, Gentry and Halevi evaluate the possible operations of the SHE scheme as follows [12, Section 7]: to handle an operation represented by a polynomial of degree d in m variables, we roughly need to set the bit length t so that

$$2^t \ge c^d \times \binom{m}{d}, \qquad (4)$$

where c is close to the minimal Euclidean norm of masked plaintexts (note that c is not really a constant). Since the minimal Euclidean norm is approximately equal to 2√20 ≈ 9 from Encrypt of §2.3, we here assume c = 9 for the sake of simplicity (assuming that the number of nonzero entries of the noise vector u is always between 15 and 20). Note that the possible operations on encrypted data decrease as the number of nonzero entries of the noise vectors increases. By the inequality (4), we need to set t ≥ 20 (resp. t ≥ 35) to make the SHE scheme support 5 (resp. 10) multiplications on encrypted data.

3 Experiments of the Attack against the SHE Scheme


In this section, we describe our experiments on the attack against the SHE scheme based on ideal lattices and report our experimental results.

3.1 Method of the Attack


We describe the attack against the SHE scheme, which is based on Kannan's embedding technique [15] (see also Fig. 1 for the whole picture). Given the public key matrix B generated by key parameters (n, t) and a ciphertext c, let L = L(B) be the lattice generated by B. To find the plaintext b corresponding to c without the secret key matrix, we consider the (n + 1) × (n + 1)-matrix C defined by

$$C = \begin{pmatrix} B & \mathbf{0}^t \\ c & 1 \end{pmatrix} \qquad (5)$$

and let L′ = L(C) denote the lattice generated by C. Note that C is generated only by (B, c). Let a be the masked plaintext corresponding to c. Since we have c = a + v for some v ∈ L, the vector v′ := (c − v, 1) = (a, 1) is an element of L′. Note that we have ||v′|| ≈ 9 from Encrypt of §2.3. Since v′ is very short, we may assume that v′ is a non-zero shortest vector of L′. We next reduce the matrix C by a lattice reduction algorithm, and let red(C) = [b1, . . . , bn+1]^t be the reduced basis of L′ such that b1 is the shortest vector among b1, . . . , bn+1 ∈ L′. Then we have b1 = k·v′ with k ∈ Z if the lattice reduction algorithm is of high enough quality to output such a short lattice vector b1. Since we can read the constant k off the last coefficient of b1, we can get the vector v′ from b1 and hence find the masked plaintext a corresponding to the ciphertext c. Hence we get the plaintext b = a mod 2 only from (B, c), that is, without the secret key.

Example 1. We give an easy example of the case n = 4. For a generating vector v = (112, 99, −125, 77), we have the secret key matrix V and the public key matrix B as follows:

$$V = \begin{pmatrix} 112 & 99 & -125 & 81 \\ -81 & 112 & 99 & -125 \\ 125 & -81 & 112 & 99 \\ -99 & 125 & -81 & 112 \end{pmatrix}, \qquad B = \mathrm{HNF}(V) = \begin{pmatrix} 1143821449 & 0 & 0 & 0 \\ 982623548 & 1 & 0 & 0 \\ 480851699 & 0 & 1 & 0 \\ 190648369 & 0 & 0 & 1 \end{pmatrix}.$$

For a plaintext b = 1, choose a noise vector u = (1, 0, 1, 1) and set a = 2u + b · e = (3, 0, 2, 2) as a masked plaintext. Then a ciphertext is given by

$$c = a \bmod B = (-199178684, 0, 0, 0).$$

To find b without V, we set C to be the 5 × 5-matrix as in (5) and reduce the matrix C by the LLL algorithm. Then we have

$$\mathrm{LLL}(C) = \begin{pmatrix} 3 & 0 & 2 & 2 & 1 \\ -7 & -81 & 24 & 11 & -44 \\ -23 & -49 & -26 & 18 & 86 \\ 63 & 18 & -129 & 64 & -58 \\ 67 & -44 & 31 & -149 & 31 \end{pmatrix}.$$

We get the masked plaintext a = (3, 0, 2, 2) from the first row of the reduced matrix. Therefore we get b = 3 mod 2 = 1 only from (B, c) in this example.

3.2 Algorithm of the Attack


In Algorithm 1, we show our algorithm for attacking the SHE scheme by a lattice reduction algorithm. Algorithm 1 takes the lattice dimension n, the bit length t of the coefficients in the secret key matrix, and the frequency ℓ of the attack as input, and outputs the success probability p of the attack. In Step 1, we compute the key pair (V, B) generated by the input key parameters (n, t). In Step 3, we generate a ciphertext c of a randomly chosen plaintext b with a random noise

Algorithm 1. The attack against the SHE scheme by a lattice reduction algorithm
Input: (n, t, ℓ), where n is the lattice dimension, which must be a power of two, t is the bit length of the coefficients in the secret key matrix, and ℓ is the frequency of the attack.
Output: The success probability p of the attack.
1: Generate the key pair (V, B):
   – We choose a good n-dimensional vector v = (v0, v1, . . . , vn−1), where each entry vi is chosen at random as a signed t-bit integer. We set the secret key matrix V as in equation (1) and compute the public key matrix B = HNF(V). Set m = 0.
   – Furthermore, we reduce B by the LLL algorithm, and denote the result by LLL(B).
2: for i = 1 to ℓ do
3:   Generate a ciphertext c:
   – For a randomly chosen plaintext b ∈ {0, 1}, choose a random noise vector u such that the number of nonzero entries in u is always 15 (cf. Encrypt of §2.3). Set a = 2u + b · e and compute a ciphertext c = a mod B. Note that we have ||a|| ≈ 8 in our setting. Furthermore, reduce the ciphertext c modulo LLL(B): c = c mod LLL(B).
4:   Attack to get a without the secret key matrix V (see §3.1 for the method of the attack):
   – Consider the (n + 1) × (n + 1)-matrix C given by
     $$C = \begin{pmatrix} \mathrm{LLL}(B) & \mathbf{0}^t \\ c & 1 \end{pmatrix}$$
     as in equation (5).
   – We reduce the matrix C by a lattice reduction algorithm (either the LLL or the BKZ algorithm in our experiments). In the case where the first row of the reduced matrix is proportional to the vector v′ = (a, 1), let m ← m + 1. This case means that the attack succeeded in obtaining a without V, and hence b.
5: end for
6: Output the success probability p = m/ℓ × 100 (%) of the attack.

vector u. Assume that the number of nonzero entries of u is always 15 in our experiments. In Step 4, we attack to get the masked plaintext a corresponding to c without the secret key matrix V (see §3.1 for the method of the attack). Note that we need to select either the LLL or the BKZ algorithm for the attack in this step (see Table 1 for the selection). We repeat Steps 3 and 4 ℓ times (see Steps 2–5). In Step 6, we output the success probability p of the attack defined by p = m/ℓ × 100 (%), where m is the number of successful attacks. Note that we compute the reduced public key matrix LLL(B) in Step 1 and use it in Step 4 to speed up the computation. This speed-up does not influence the success probability of the attack.
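The method of §3.1 on the toy instance of Example 1, together with the success check of Step 4 of Algorithm 1, as an added Python example (not the authors' NTL implementation): it computes c = a mod B with the B printed in Example 1, builds the embedding matrix C of (5), runs a textbook LLL with exact rational arithmetic and δ = 0.99, and tests whether the first reduced row is proportional to (a, 1). The function names are ours; B and a are the values of Example 1.

```python
from fractions import Fraction

# Public key matrix B = HNF(V) printed in Example 1 of the paper (n = 4).
# The secret key matrix V is never used below: the attack works from (B, c) only.
B_EXAMPLE = [
    [1143821449, 0, 0, 0],
    [ 982623548, 1, 0, 0],
    [ 480851699, 0, 1, 0],
    [ 190648369, 0, 0, 1],
]


def reduce_mod_hnf(a, B):
    """c = a mod B for an HNF basis of the shape above (first row (d, 0, ..., 0),
    row i = (r_i, e_i)): the identity part clears a_1 .. a_{n-1}, then the first
    coordinate is centred into the interval (-d/2, d/2]."""
    d = B[0][0]
    x0 = (a[0] - sum(a[i] * B[i][0] for i in range(1, len(a)))) % d
    if 2 * x0 > d:
        x0 -= d
    return [x0] + [0] * (len(a) - 1)


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gram_schmidt(basis):
    """Exact Gram-Schmidt over the rationals: returns the coefficients mu[i][j]
    and the squared norms of the orthogonalised vectors b*_i."""
    n = len(basis)
    bstar, norms = [], []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in basis[i]]
        for j in range(i):
            mu[i][j] = Fraction(dot(basis[i], bstar[j])) / norms[j]
            v = [vk - mu[i][j] * bk for vk, bk in zip(v, bstar[j])]
        bstar.append(v)
        norms.append(dot(v, v))
    return mu, norms


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL [17] with exact rational arithmetic and the paper's
    reduction parameter delta = 0.99. Gram-Schmidt data is recomputed after
    every change, which is fine for a toy 5 x 5 lattice (the paper uses NTL
    for n = 128 .. 512)."""
    basis = [list(row) for row in basis]
    n = len(basis)
    mu, norms = gram_schmidt(basis)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                basis[k] = [x - q * y for x, y in zip(basis[k], basis[j])]
                mu, norms = gram_schmidt(basis)
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:  # Lovasz condition
            k += 1
        else:
            basis[k - 1], basis[k] = basis[k], basis[k - 1]
            mu, norms = gram_schmidt(basis)
            k = max(k - 1, 1)
    return basis


def embedding_matrix(B, c):
    """The (n+1) x (n+1) matrix C of equation (5): rows of B padded with a
    zero column, followed by the row (c, 1)."""
    return [row + [0] for row in B] + [list(c) + [1]]


def recover_masked_plaintext(B, c):
    """Step 4 of Algorithm 1: reduce C and test whether the first row of the
    reduced basis is k * (a, 1). On success return a, otherwise None."""
    b1 = lll(embedding_matrix(B, c))[0]
    k = b1[-1]
    if k == 0 or any(x % k for x in b1[:-1]):
        return None
    return [x // k for x in b1[:-1]]


def recover_plaintext(B, c):
    """The plaintext bit b = a mod 2 (a = 2u + b*e, so b is the parity of a_0)."""
    a = recover_masked_plaintext(B, c)
    return None if a is None else a[0] % 2


if __name__ == "__main__":
    a = [3, 0, 2, 2]                      # a = 2u + b*e with u = (1, 0, 1, 1), b = 1
    c = reduce_mod_hnf(a, B_EXAMPLE)      # (-199178684, 0, 0, 0), as in Example 1
    print("ciphertext c   :", c)
    print("recovered a    :", recover_masked_plaintext(B_EXAMPLE, c))
    print("recovered bit b:", recover_plaintext(B_EXAMPLE, c))
```

With n = 4 the gap between ||v′|| ≈ 4.2 and the next shortest vector of L′ is so large that the LLL approximation bound alone forces the first row to be ±v′; the paper's Tables 3 and 4 show how quickly this stops being true as n grows.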
We implemented Algorithm 1 by using the NTL library [25], in which both the LLL and the BKZ algorithms are implemented. We also used the GMP library as the primary long integer package (see [25, A Tour of NTL: Using NTL with GMP]). In the NTL library, there are exact-arithmetic variants and a number of floating point variants of the LLL algorithm. Since the floating point variant G_LLL_XD is faster than the exact-arithmetic variant LLL, we used G_LLL_XD in the cases n = 128 and 256. However, we used the exact-arithmetic variant LLL in the case n = 512 because of precision problems [25]. We took δ = 0.99 as the reduction parameter of the LLL algorithm in all cases. Similarly to the LLL algorithm, there are a number of variants of the BKZ algorithm. In our experiments, we used the arbitrary precision floating point variant BKZ_RR, which is useful for large precision and magnitudes. We took the default parameters of the NTL library as input to BKZ_RR (the blocksize β = 10 and the reduction parameter δ = 0.99 etc.; see [25] for details). Since the Hermite factor of the BKZ algorithm with β = 10 is very close to that with β = 20 [9, Fig. 5], we expect that our experiments with β = 10 can be used to estimate the attack by the BKZ algorithm with β ≈ 20.

Table 1. Experimental parameters

  Input parameters of Algorithm 1                  Selection of lattice   Key
  dimension n   bit length t        frequency ℓ    reduction in Step 4    pattern*
  128           4, 5, 6, 7, 8       1000           LLL                    10
  256           4, 5, 6, 7, 8       1000           LLL                    10
  256           4, 5, 6, 7, 8       1000           BKZ                    10
  512           11, 12, 13, 14, 15  100            LLL                    10
  512           6, 7, 8, 9, 10      100            BKZ                    10

  * For each triple (n, t, ℓ), we changed the key pair (V, B) by randomly choosing the generating vector v 10 times.

Table 2. Average running time of Step 4 of Algorithm 1 in the case n = 512 (the experiment was conducted on an Intel Xeon X3460 CPU running at 2.80GHz with 8GB memory)

The LLL algorithm case
  bit length t      11     12     13     14     15
  average (sec)   4109   4413   6743   9281   8391

The BKZ algorithm case
  bit length t       6      7      8      9     10
  average (sec)   1164   1327   6640  10234  13820

3.3 Experimental Results

Table 1 shows the experimental parameters. Fig. 2 and 3 show our experimental results for the cases n = 256 and 512 (all parameters of the case n = 128 were solved by the LLL algorithm): for each triple (n, t, ℓ) of input parameters of Algorithm 1, we give the success probability p of the attack in Fig. 2 and 3.

[Figure 2 residue (two bar charts, not reproduced). Left: the case n = 256, success probability (%) of the LLL attack for bit length t = 4, 5, 6, 7, 8, with averages over the 10 key patterns 0, 4.62, 79.65, 99.9 and 100. Right: the case n = 512, t = 11, 12, 13, 14, 15, with averages 0, 0, 31.8, 98.8 and 100.]

Fig. 2. Experimental results on the success probability by the LLL algorithm in the cases n = 256 and 512

Furthermore, for each pair (n, t) of key parameters of the SHE scheme, we also give the average success probability of the attack over the 10 key patterns in Fig. 2 and 3. Table 2 shows the average running time of Step 4 of Algorithm 1 in the case n = 512. Note that once we precompute the reduced public key matrix LLL(B), we only have to compute Step 4 of Algorithm 1 to get the plaintext b without the secret key matrix. Our experimental results show the following:

– We see from Fig. 2 and 3 that the success probability of the attack increases as the bit length t grows. By the inequality (4), this implies that the more operations the SHE scheme supports over encrypted data, the higher the success probability of the attack becomes.
– We see from Fig. 2 that almost all key parameters (n, t) were solved by the LLL algorithm in the case n = 256. Furthermore, we see from Fig. 3 that key parameters (n, t) with n = 512 and t ≥ 7 were solved by the BKZ algorithm with β = 10 in realistic time (see Table 2). Therefore, to make the SHE scheme support more than one multiplication over encrypted data, we need to set n ≥ 1024 by the inequality (4).

4 Estimation of the Attack for Higher Dimensions

In this section, we study the hardness of the lattice problem ensuring the security
of the SHE scheme based on our experimental results, and estimate the key
parameters (n, t) which can be solved by the LLL and the BKZ algorithms. The
lattice problem ensuring the security of the SHE scheme is as follows (BDDP =
Bounded Distance Decoding Problem, see also [12, Section 2.1]):

Definition 1 (γ-BDDP). Let γ > 1 and let B be a basis of a lattice L of dimension n. Let c be a vector such that dist(L, c) = min_{v∈L} ||c − v|| ≤ det(L)^{1/n}/γ. The goal is to find the element v of L such that ||c − v|| = dist(L, c).

[Figure 3 residue (two bar charts, not reproduced). Left: the case n = 256, success probability (%) of the BKZ attack (β = 10) for bit length t = 4, 5, 6, 7, 8, all 100. Right: the case n = 512, t = 6, 7, 8, 9, 10, with averages over the 10 key patterns 0, 0.5, 97.3, 100 and 100.]

Fig. 3. Same as Fig. 2, but by the BKZ algorithm with β = 10

To study the hardness of γ-BDDP, we give the following lattice problem (uSVP = unique Shortest Vector Problem, see also [9, Section 2.2]):

Definition 2 (δ-uSVP). Given a lattice L of dimension n and a gap δ > 1 such that λ2(L)/λ1(L) ≥ δ, find a non-zero shortest vector of L, where λi(L) denotes the i-th minimum of L, defined as the minimum of max_{1≤j≤i} ||v_j|| over all i linearly independent lattice vectors v_1, . . . , v_i ∈ L.

4.1 Reducing BDDP to uSVP


Let B be the public key matrix of the SHE scheme generated by key parameters (n, t) (see §2.3 for generating B), and set L = L(B) as in §3.1. The security of the SHE scheme is based on the hardness of γ-BDDP with

$$\gamma = \frac{\det(L)^{1/n}}{\min \|a\|} \approx \frac{2^t}{\min \|a\|}, \qquad (6)$$

where min ||a|| denotes the minimum of ||a|| over all masked plaintexts a (see [11] for details). Consider a ciphertext c with μ := dist(L, c) = det(L)^{1/n}/γ ≈ min ||a||. Consider the (n + 1) × (n + 1)-matrix C defined as in (5) and set L′ = L(C) as in §3.1. Note that the vector v′ := (c − v, 1) is an element of L′, where v is the element of L such that μ = ||c − v||. We also note that γ-BDDP asks exactly for the lattice vector v ∈ L. As in §3.1, we assume that v′ is a non-zero shortest vector of L′. To find v ∈ L, we only have to find v′ ∈ L′. Therefore we can reduce γ-BDDP to uSVP with the gap δ′ = λ2(L′)/λ1(L′). The method of attack described in §3.1 solves this uSVP instance by using a lattice reduction algorithm.

Let w be an element of L with ||w|| = λ1(L). Since v′ and (w, 0) are linearly independent lattice vectors of L′, we have λ2(L′) ≤ λ1(L) by the definition of λi(L′). Furthermore, a random lattice L of dimension n satisfies λ1(L) ≈ √(n/(2πe)) · det(L)^{1/n} asymptotically with overwhelming probability (see [1] for a proof). Then we have

$$\delta' \le \frac{\lambda_1(L)}{\sqrt{\mu^2 + 1}} \approx \sqrt{\frac{n}{2\pi e}} \cdot \frac{\det(L)^{1/n}}{\min \|a\|} \approx \gamma \cdot \sqrt{\frac{n}{2\pi e}} =: \delta(n, t) \qquad (7)$$

by the assumption that v′ is a shortest vector of L′. We here assume that the lattice L generated by the public key matrix B has the same property as random lattices. Note that uSVP becomes easier as the gap grows. To evaluate the SHE scheme more conservatively, we here consider δ(n, t) defined in (7) as the uSVP gap instead of δ′.

Table 3. The uSVP gap δ(n, t) and the average success probability of the attack by the LLL algorithm (see Fig. 2 for the average success probability of the attack)

The case n = 256
  bit length t                   4      5       6       7       8
  uSVP gap δ(n, t)             7.7   15.5    31.0    61.9   123.9
  average success probability   0%  4.62%  79.65%   99.9%    100%

The case n = 512
  bit length t                    11      12      13       14       15
  uSVP gap δ(n, t)            1401.6  2803.1  5606.2  11212.5  22424.9
  average success probability     0%      0%   31.8%    98.8%     100%

Table 4. Same as Table 3, but by the BKZ algorithm with β = 10 (see Fig. 3 for the average success probability of the attack)

The case n = 256
  bit length t                   4      5      6      7      8
  uSVP gap δ(n, t)             7.7   15.5   31.0   61.9  123.9
  average success probability 100%   100%   100%   100%   100%

The case n = 512
  bit length t                   6      7       8       9      10
  uSVP gap δ(n, t)            43.8   87.6   175.2   350.4   700.8
  average success probability   0%   0.5%   97.3%    100%    100%

4.2 Hardness of the Reduced uSVP


Gama and Nguyen analyzed the hardness of uSVP based on their experimental results [9]. Their results imply that the minimum gap for which a lattice reduction algorithm solves uSVP is proportional to its Hermite factor (see [9, Section 3.3]). Then we can set

$$\delta_{\mathrm{LLL}} = c_{\mathrm{LLL}} \cdot 1.018^n \quad \text{and} \quad \delta_{\mathrm{BKZ}} = c_{\mathrm{BKZ}} \cdot 1.01^n \qquad (\exists\, c_{\mathrm{LLL}}, c_{\mathrm{BKZ}} > 0)$$

as the minimum gap for which we can solve uSVP by the LLL algorithm and the BKZ algorithm with β ≈ 20, respectively (see §2.1 for the Hermite factors of the LLL and the BKZ algorithms). In our experiments, we set min ||a|| ≈ 8 (see Step 3 of Algorithm 1). Therefore we can reduce the lattice problem ensuring the security of the SHE scheme to uSVP with the gap

$$\delta(n, t) = 2^{t-3} \cdot \sqrt{\frac{n}{2\pi e}} \qquad (8)$$

by (6) and (7). Tables 3 and 4 show the uSVP gap δ(n, t) and the average success probability of the attack in our experiments. Since the value δ_LLL = c_LLL · 1.018^n must be close to the minimum gap δ(n, t) for which the average success probability of the attack by the LLL algorithm is greater than 0%, we have

$$c_{\mathrm{LLL}} \approx \delta(n, t)/1.018^n \approx 0.16 \quad \text{with } (n, t) = (256, 5)$$

from Table 3. Note that we choose (n, t) = (256, 5) rather than (512, 13) in order to evaluate the SHE scheme more conservatively. By a similar argument, we have

$$c_{\mathrm{BKZ}} \approx \delta(n, t)/1.01^n \approx 0.54 \quad \text{with } (n, t) = (512, 7)$$

from Table 4. Therefore we roughly estimate that we can solve the lattice problem ensuring the security of the SHE scheme by the LLL algorithm (resp. the BKZ algorithm with β ≈ 20) if δ_LLL ≤ δ(n, t) with c_LLL = 0.16 (resp. δ_BKZ ≤ δ(n, t) with c_BKZ = 0.54). From the above arguments, we can consider

$$T_{\mathrm{LLL}} = \{(n, t) : 0.16 \cdot 1.018^n \le \delta(n, t)\} \quad \text{and} \quad T_{\mathrm{BKZ}} = \{(n, t) : 0.54 \cdot 1.01^n \le \delta(n, t)\}$$

as the sets of key parameters (n, t) which are feasible to solve by the LLL algorithm and the BKZ algorithm with β ≈ 20, respectively. In Fig. 4, we show the areas T_LLL and T_BKZ for n = 1024, 2048, 4096 and 8192.
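The gap estimate of equations (7)/(8) and the feasibility sets T_LLL and T_BKZ, as an added Python example (not the authors' code): it reproduces the δ(n, t) rows of Tables 3 and 4, the fitted constants c_LLL ≈ 0.16 and c_BKZ ≈ 0.54, and the threshold bit lengths plotted in Fig. 4. The constants 1.018, 1.01, 0.16, 0.54 and min ||a|| ≈ 8 are the paper's; the function names are ours.

```python
from math import e, log2, pi, sqrt

# Hermite-factor bases from [9] and the constants fitted in Section 4.2:
#   delta_LLL = c_LLL * 1.018^n,  delta_BKZ = c_BKZ * 1.01^n  (BKZ with beta ~ 20)
HERMITE_BASE = {"LLL": 1.018, "BKZ": 1.01}
FITTED_C = {"LLL": 0.16, "BKZ": 0.54}
MIN_A_NORM = 8.0   # min ||a|| ~ 8 for 15 nonzero noise entries (Step 3 of Algorithm 1)


def usvp_gap(n, t, min_a_norm=MIN_A_NORM):
    """delta(n, t) of equation (7): gamma * sqrt(n / (2 pi e)) with
    gamma ~ 2^t / min||a|| from (6). With min||a|| = 8 this is equation (8)."""
    gamma = 2.0 ** t / min_a_norm
    return gamma * sqrt(n / (2 * pi * e))


def minimum_gap(algorithm, n):
    """delta_LLL or delta_BKZ: the smallest uSVP gap the algorithm is expected to solve."""
    return FITTED_C[algorithm] * HERMITE_BASE[algorithm] ** n


def fitted_constant(algorithm, n, t):
    """c = delta(n, t) / h^n, i.e. how the paper derives 0.16 from (256, 5)
    for LLL and 0.54 from (512, 7) for BKZ."""
    return usvp_gap(n, t) / HERMITE_BASE[algorithm] ** n


def is_feasible(algorithm, n, t):
    """Membership of (n, t) in T_LLL or T_BKZ."""
    return minimum_gap(algorithm, n) <= usvp_gap(n, t)


def threshold_t(algorithm, n):
    """Smallest real t with c * h^n <= 2^(t-3) * sqrt(n/(2 pi e)), solved in
    the log domain; these are the boundary values plotted in Fig. 4."""
    c, h = FITTED_C[algorithm], HERMITE_BASE[algorithm]
    return 3 + log2(c) + n * log2(h) - 0.5 * log2(n / (2 * pi * e))


def gap_table(n, ts):
    """The 'uSVP gap delta(n, t)' row of Tables 3 and 4, rounded to one decimal."""
    return [round(usvp_gap(n, t), 1) for t in ts]


def fig4_thresholds(dims=(1024, 2048, 4096, 8192)):
    """Threshold bit length per dimension for both algorithms, rounded as in Fig. 4."""
    return {alg: [round(threshold_t(alg, n), 2) for n in dims] for alg in HERMITE_BASE}


if __name__ == "__main__":
    print("Table 3, n = 256 :", gap_table(256, range(4, 9)))
    print("Table 4, n = 512 :", gap_table(512, range(6, 11)))
    print("c_LLL from (256, 5):", round(fitted_constant("LLL", 256, 5), 2))
    print("c_BKZ from (512, 7):", round(fitted_constant("BKZ", 512, 7), 2))
    for alg, ts in fig4_thresholds().items():
        print(f"Fig. 4 {alg} thresholds:", ts)
    # t >= 20 (5 multiplications) is within reach of BKZ at n = 1024 but not at n = 2048
    print(is_feasible("BKZ", 1024, 20), is_feasible("BKZ", 2048, 20))
```

The Table 3 entries for n = 512 and t ≥ 12 come out a few tenths higher here (2803.3 rather than 2803.1), a rounding difference in the last decimal only.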

5 Conclusions and Future Work


We attacked the lattice problem (γ-BDDP) of dimensions 128, 256 and 512 ensuring the security of the SHE scheme based on ideal lattices, and reported our experimental results (see Fig. 2 and 3 for the results). Our experimental results show that a lattice dimension of at least 1024 is needed to make the SHE scheme support more than one multiplication over encrypted data. We also studied the hardness of the lattice problem based on our experimental results, and estimated the key parameters (n, t) which are feasible to solve by the LLL algorithm and the BKZ algorithm with β ≈ 20 (see Fig. 4). For example, we see from Fig. 4 that a lattice dimension of at least 2048 (resp. 4096) is needed to make the SHE scheme support 5 (resp. 10) multiplications on encrypted data, since we need to set t ≥ 20 (resp. t ≥ 35) in this case by the arguments in §2.4 (we here assume that the number of nonzero entries of the noise vectors is always between 15 and 20, as in [12]). Our future work is to evaluate the security level of key parameters which are infeasible to solve by the LLL algorithm and the BKZ algorithm with β ≈ 20.

[Figure 4 residue (a plot, not reproduced): bit length t against lattice dimension n = 1024, 2048, 4096, 8192. The LLL boundary passes through t = 23.76, 49.61, 101.82 and 206.75, and the boundary for BKZ with block size around 20 through t = 13.86, 28.06, 56.96 and 115.26.]

Fig. 4. The area of T_LLL and T_BKZ (the key parameters (n, t) in the upper left area are feasible to solve by the LLL algorithm and the BKZ algorithm with β ≈ 20, respectively)

Acknowledgments. We thank Phong Nguyen for reviewing the draft of this paper and giving useful comments. We also thank the anonymous reviewers for their helpful comments.

References

1. Ajtai, M.: Generating random lattices according to the invariant distribution. Draft of March 2006 (2006)
2. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS 2012, pp. 309–325. ACM (2012)
3. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011)
4. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Symposium on Foundations of Computer Science, FOCS 2011, pp. 97–106. IEEE (2011)
5. Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divisors: Breaking fully-homomorphic-encryption challenges over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 502–519. Springer, Heidelberg (2012)
6. Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)
7. Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully homomorphic encryption over the integers with shorter public keys. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011)
8. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
9. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)
10. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)
11. Gentry, C.: A fully homomorphic encryption scheme (2009) (manuscript)
12. Gentry, C., Halevi, S.: Implementing Gentry's fully-homomorphic encryption scheme. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 129–148. Springer, Heidelberg (2011)
13. Gentry, C., Halevi, S.: Public challenges for fully-homomorphic encryption, http://researcher.ibm.com/view_project.php?id=1548
14. IBM Press release, http://www-03.ibm.com/press/us/en/pressrelease/27840.wss
15. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Symposium on Theory of Computing, STOC 1983, pp. 193–206. ACM (1983)
16. Lauter, K., Naehrig, M., Vaikuntanathan, V.: Can homomorphic encryption be practical? In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, CCSW 2011, pp. 113–124. ACM (2011)
17. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
18. Micciancio, D.: Improving lattice based cryptosystems using the Hermite normal form. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 126–145. Springer, Heidelberg (2001)
19. Nguyen, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto'97. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)
20. Nguyen, P.Q.: Lattice reduction algorithms: Theory and practice. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 2–6. Springer, Heidelberg (2011)
21. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)
22. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21, 120–126 (1978)
23. Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming 66, 181–199 (1994)
24. Schnorr, C.-P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)
25. Shoup, V.: Number Theory C++ Library (NTL) version 5.5.2, http://www.shoup.net/ntl/
26. Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010)
Group Key Exchange Resilient to Leakage
of Ephemeral Secret Keys with Strong
Contributiveness

Cheng Chen1,2, Yanfei Guo1,2, and Rui Zhang1,⋆

1 State Key Laboratory of Information Security (SKLOIS), Institute of Information Engineering (IIE), Chinese Academy of Sciences (CAS)
{chencheng,guoyanfei}@is.iscas.ac.cn, r-zhang@iie.ac.cn
2 Graduate University of Chinese Academy of Sciences

Abstract. A group key exchange (GKE) protocol enables users to set up a common secret key to be used later. There are three major security definitions regarding GKE: authenticated key exchange (AKE-security), mutual authentication (MA-security) and contributiveness. In this paper, we propose a stronger model in which both internal state and ephemeral key leakage are considered at different exposure levels. On the other hand, we demonstrate that the previous definition of contributiveness is weak and cannot provide the necessary security guarantees. As a solution, we give a stronger definition of contributiveness that is suitable in most interesting cases. We then present an efficient GKE protocol secure in our stronger model. Finally, as an independent interest, we revisit the security of a previous GKE protocol (BGS+), showing it fails to provide the desirable security requirement defined in its own model.

Keywords: group key exchange, strong contributiveness, ephemeral key leakage.

1 Introduction

A group key exchange (GKE) protocol enables users to set up a common secret
key. It is useful in applications with multiple users, such as video conferences,
secure multicast, etc. Historically, there are three security goals considered for
GKE, which we briefly explain below.
A basic security requirement for group key exchange is authenticated key
exchange security (AKE-security) [2,3,13,11], which concerns the privacy of the
session key. Another security requirement is called mutual authentication (MA-
security) [12,6,5,9], which states that each honest user should agree on the same

⋆ Contact author. Supported by the Fund of the National Science Foundation of China (No. 61100225), IIE's Cryptography Research Project (No. Y2Z0011102), the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06010701) and the One Hundred Person Project of the Chinese Academy of Sciences.

C. Mitchell and S. De Capitani di Vimercati (Eds.): EuroPKI 2012, LNCS 7868, pp. 17–36, 2013.
© Springer-Verlag Berlin Heidelberg 2013
key, even in the presence of malicious insiders. Unlike in the two-party case, AKE-security usually cannot guarantee MA-security in the group (GKE) setting.
A third security notion is contributiveness against malicious insiders, which we want to explain in a little more detail. A GKE protocol with contributiveness ensures that a proper subset of insiders cannot predetermine the session key. GKE differs from key distribution: in a key distribution protocol, the session key is chosen by a single trusted party and transmitted to the other parties, whereas in a GKE protocol the parties interact with each other in order to compute the key. In addition, none of the GKE protocol participants is trusted to choose the group key on behalf of the other participants. This trust relationship is the main difference between group key exchange and group key distribution protocols. Obviously, some misbehaving participants in a GKE protocol may try to influence the resulting group key, thereby disrupting this trust relationship and also causing further security threats. For example, lack of contributiveness may allow malicious insiders to establish “covert channels” by fixing beforehand the probability distribution of the session key agreed with a collaborating outsider [18,8]. If the session key is to be used for the purpose of achieving confidentiality or authentication of future communication, this will allow a misbehaving insider to leak sensitive information without communicating with the outsider after the protocol session begins.
Another security notion related to contributiveness, key control, was defined in [17] in the context of two-party key exchange against malicious insiders, requiring that an adversary should not be able to influence the group key computation significantly. Later, Ateniese et al. introduced a notion called contributory group key agreement, saying that each player in a GKE protocol equally contributes to the session key and thus guarantees its freshness. Bohli et al. [6] and Bresson and Manulis [4] unified these definitions into their own model, called contributiveness. A GKE protocol with contributiveness ensures that a proper subset of insiders cannot predetermine the session key. Recently Gorantla et al. [10] extended contributiveness to the UC framework.
We note that the definitions of contributiveness [6,4,5] still allow some malicious insiders to predetermine part (several bits) of the session key. Some misbehaving participants can still influence the distribution of the session key, so key freshness can never be guaranteed in a real sense. Even worse, if the session key is used in conjunction with other cryptographic constructions like encryption schemes or message authentication codes (MACs), one cannot guarantee that those schemes remain secure, since the session keys are not chosen from the correct distributions.
Another important issue in GKE is session information leakage. Most previous GKE works [2,3,13,11] allow the adversary to learn session state through a single query, but restrict the leakage of ephemeral secrets to sessions for which the adversary does not need to distinguish the key. [15] presents a GKE model that accommodates leakage of ephemeral secrets against the target session. However, the model restricts the adversary from making queries on session state. Their

protocol [15] becomes insecure if the internal state of an unattacked session is leaked. In other words, leaking one session's state affects the security of other non-partnered sessions. In practical scenarios, it is reasonable to consider the leakage of internal state in some session. For instance, exposure on a malicious terminal results in the adversary learning all values computed or used at the party except the static key stored in the smart card. But this should not compromise any other unexposed sessions.

1.1 Related Work


Bresson et al. [2,3] first analyzed the security of GKE protocols under formal models, and their major considerations were AKE-security and MA-security. Katz and Shin [12] defined insider security for GKE protocols by separating the requirements of mutual authentication into agreement on the session key and security against insider impersonation attacks. Bohli et al. [6] revisited this notion in the weak corruption model, where session state is not revealed. They also presented insider attacks on the protocols of Katz and Yung [13] and Kim et al. [11]. Later, Bresson and Manulis [5] unified the insider security notions of Katz and Shin into their definition of mutual authentication. Gorantla et al. [9] subsequently modeled KCI attacks on GKE protocols in the presence of both outsiders and insiders.
LaMacchia, Lauter and Mityagin [14] allowed ephemeral key leakage in the target session in the framework of two-party key exchange, and their work motivated a lot of subsequent work [19,16,7]. Manulis et al. [15] presented a general GKE model that takes into account ephemeral key leakage, and proposed an implicitly authenticated tripartite key exchange (3KE) protocol which remains secure in the presence of ephemeral secret leakage. But leakage of internal state and malicious insiders were not considered in their model. Recently, Zhao et al. [20] extended the GBG model by allowing ephemeral key leakage in the target session and malicious insiders. They proposed the BGS+ protocol based on the BGS [6] protocol. Unfortunately, we will see below that the BGS+ protocol is not secure; therefore, until this work it was open whether a concrete GKE protocol can provide all three security properties with resilience to ephemeral key leakage in the target session.

1.2 Our Contributions


Our contributions are three-fold:
First, we take into account a stronger adversary model which allows both
ephemeral secret and internal state leakage as adversary’s capabilities. For AKE-
security, we put forward a new definition of freshness. The freshness requirement
prevents the adversary from revealing internal state during the attacked session,
but revealing ephemeral secret is allowed. Our model confines to the minimum
the effects of the considered adversarial behaviors.
20 C. Chen, Y. Guo, and R. Zhang

Next, we consider a stronger flavor of contributiveness for GKE: the winning
requirement for the adversary is relaxed in the following sense. In the previous
definitions [5,20], an adversary is said to defeat contributiveness if it can
force the output session key to equal a value predetermined before the protocol
starts. In our definition, it wins the game if it can affect the distribution
of the session key, say, its last bit. We remark that our security model then
seems to be the strongest to date; we also argue that it is actually necessary
for most interesting applications, since the session key is usually used in
other protocols, which require it to be drawn from a uniform distribution.
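The difference between the two contributiveness notions is easiest to see on a toy protocol. The following simulation is an added example; it is not the paper's protocol, not BGS+, and the key derivation, commitment and party roles are all constructed for illustration. The session key is simply SHA-256 over one random contribution per party, and the insider is always the last party to speak. In the one-round variant the insider cannot force a predetermined key (that would require inverting the hash), so the older definition [5,20] is satisfied, yet it can drive the last bit of the key to 0 by resampling its own contribution after seeing everyone else's, which the stronger definition counts as a win. The commit-then-reveal variant shows the standard countermeasure and the check that detects a party which deviates after committing.

```python
import hashlib
import random

# Constructed toy for the two flavours of contributiveness discussed above.
# It is not the paper's protocol and not BGS+: the session key is simply
# H(c_1 || ... || c_n) over one random contribution per party, and the
# insider is always the last party to speak.

NONCE_LEN = 16


def fresh_nonce(rng):
    """One party's random contribution (toy: 128 bits from a seeded PRNG)."""
    return rng.getrandbits(8 * NONCE_LEN).to_bytes(NONCE_LEN, "big")


def derive_key(contributions):
    """Toy key derivation: SHA-256 over the concatenated contributions."""
    return hashlib.sha256(b"".join(contributions)).digest()


def commit(contribution):
    """Toy commitment (hash with a domain tag; the nonces are random, so no salt)."""
    return hashlib.sha256(b"commit|" + contribution).digest()


def last_bit(key):
    return key[-1] & 1


def plain_session(rng, n_honest, insider, max_tries=64):
    """One-round toy: everyone broadcasts c_i in the clear, insider last.

    The insider cannot force a predetermined key, but it can skew the key:
    it resamples its own contribution until the last bit of the key is 0.
    """
    contribs = [fresh_nonce(rng) for _ in range(n_honest)]
    if not insider:
        return derive_key(contribs + [fresh_nonce(rng)])
    c = fresh_nonce(rng)
    for _ in range(max_tries):
        if last_bit(derive_key(contribs + [c])) == 0:
            break
        c = fresh_nonce(rng)
    return derive_key(contribs + [c])


def commit_reveal_session(rng, n_honest, insider_cheats):
    """Two-round toy: round 1 sends commit(c_i), round 2 reveals c_i.

    Every party checks each reveal against the round-1 commitment and aborts
    (returns None) on a mismatch, so a contribution chosen after seeing the
    others' reveals is detected instead of being mixed into the key.
    """
    contribs = [fresh_nonce(rng) for _ in range(n_honest + 1)]
    commitments = [commit(c) for c in contribs]
    reveals = list(contribs)
    if insider_cheats:
        # Insider (last party) sees the honest reveals and tries the resampling
        # trick from plain_session; its commitment is already on the wire.
        others, c = reveals[:-1], reveals[-1]
        while last_bit(derive_key(others + [c])) != 0:
            c = fresh_nonce(rng)
        reveals[-1] = c
    if any(commit(r) != k for r, k in zip(reveals, commitments)):
        return None
    return derive_key(reveals)


def zero_fraction(mode, runs=1000, seed=7):
    """Fraction of sessions whose key ends in bit 0 (0.5 means unbiased)."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(runs):
        if mode == "plain-honest":
            key = plain_session(rng, 2, insider=False)
        elif mode == "plain-insider":
            key = plain_session(rng, 2, insider=True)
        elif mode == "commit-honest":
            key = commit_reveal_session(rng, 2, insider_cheats=False)
        else:
            raise ValueError(mode)
        zeros += last_bit(key) == 0
    return zeros / runs


def cheating_summary(runs=200, seed=7):
    """Outcomes when the insider resamples after committing."""
    rng = random.Random(seed)
    out = {"aborted": 0, "accepted_bit0": 0, "accepted_bit1": 0}
    for _ in range(runs):
        key = commit_reveal_session(rng, 2, insider_cheats=True)
        if key is None:
            out["aborted"] += 1
        elif last_bit(key) == 0:
            out["accepted_bit0"] += 1
        else:
            out["accepted_bit1"] += 1
    return out


if __name__ == "__main__":
    for mode in ("plain-honest", "plain-insider", "commit-honest"):
        print(f"{mode:14s} P[last bit = 0] = {zero_fraction(mode):.3f}")
    print("commit-reveal, cheating insider:", cheating_summary())
```

Running it shows the one-round variant with an insider producing a key whose last bit is always 0, while the honest runs and the commit-then-reveal runs sit near 0.5. The cheating summary also makes a well-known residual visible: the commitment check catches every substitution, but an insider that dislikes the key can still refuse to reveal, so the accepted keys alone are not uniform. The toy does not model how the paper's protocol handles that case.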
Finally, we propose a GKE protocol that can be proved secure in our model
under reasonable assumptions, thus solving the open problem listed in Sec. 1.1.
We emphasize that our protocol is very efficient: it has only two rounds, and
each party sends and receives only a few messages. As an independent interest,
we revisit the security of the BGS+ GKE protocol [20]. We show an attack on the
protocol, and conclude that BGS+ fails to meet its own security requirements.

2 The Model of GKE

Inspired by Manulis et al.'s work [15], we propose a stronger model for GKE
protocols that considers a stronger adversary model and stronger security goals
in the presence of malicious participants.

2.1 Protocol Execution and Participants

Protocol Participants and Initialization. Let $\mathcal{U} := \{U_1, \dots, U_N\}$ be a set of
potential protocol participants; each user $U_i \in \mathcal{U}$ is assumed to hold a static
private/public key pair $(sk_i, pk_i)$ generated by some algorithm $\mathrm{Gen}(1^\kappa)$ on a
security parameter $1^\kappa$ during the initialization phase.

Protocol Sessions and Instances. Any subset of $\mathcal{U}$ can decide at any time to
execute a new protocol session and establish a common group key. Participation
of some $U \in \mathcal{U}$ in multiple sessions is modeled through a number of instances
$\{\Pi_U^s \mid s \in [1, \dots, n],\ U \in \mathcal{U}\}$, i.e. $\Pi_U^s$ is the $s$-th session of $U$.
Each instance is invoked via a message to $U$ with a unique session identifier.
We assume that the session identifier is derived during the run of the protocol.
The session identifier of an instance $\Pi_U^s$ is denoted by $sid_U^s$. This value is known
to all oracles participating in the same session. We assume that each party knows
the other participants for each protocol instance. Similarly, the partner identifier
of an instance $\Pi_U^s$ is denoted by $pid_U^s$, which contains the identities of the participating
users (including $U$). In the invoked session, $\Pi_U^s$ accepts if the protocol execution
is successful; in particular, $\Pi_U^s$ then holds the computed group key $SK_U^s$.

Session state. Every $\Pi_U^s$ maintains internal state information $state_U^s$ which is
composed of all private, ephemeral information used during the protocol execution,
excluding the long-lived key $sk_U$ (moreover the long-lived key is specific to