Advances in Information and Computer

Security 16th International Workshop

on Security IWSEC 2021 Virtual Event
September 8 10 2021 Proceedings 1st
Edition Toru Nakanishi
Visit to download the full and correct content document:
https://ebookmeta.com/product/advances-in-information-and-computer-security-16th-i
nternational-workshop-on-security-iwsec-2021-virtual-event-september-8-10-2021-pro
ceedings-1st-edition-toru-nakanishi/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Deployable Machine Learning for Security Defense Second

International Workshop MLHat 2021 Virtual Event August
15 2021 Proceedings Communications in Computer and
Information Science Gang Wang (Editor)
https://ebookmeta.com/product/deployable-machine-learning-for-
security-defense-second-international-workshop-
mlhat-2021-virtual-event-august-15-2021-proceedings-
communications-in-computer-and-information-science-gang-wang-
editor/
Advances in Information and Computer Security 17th
International Workshop on Security IWSEC 2022 Tokyo
Japan August 31 September 2 2022 Proceedings Lecture
Notes in Computer Science 13504 Chen-Mou Cheng
(Editor)
https://ebookmeta.com/product/advances-in-information-and-
computer-security-17th-international-workshop-on-security-
iwsec-2022-tokyo-japan-august-31-september-2-2022-proceedings-
lecture-notes-in-computer-science-13504-chen-mou-ch/

Computer Vision Systems 13th International Conference

ICVS 2021 Virtual Event September 22 24 2021
Proceedings 1st Edition Markus Vincze

https://ebookmeta.com/product/computer-vision-systems-13th-
international-conference-icvs-2021-virtual-event-
september-22-24-2021-proceedings-1st-edition-markus-vincze/

Advances in Visual Computing 16th International

Symposium ISVC 2021 Virtual Event October 4 6 2021
Proceedings Part I Lecture Notes in Computer Science
George Bebis
https://ebookmeta.com/product/advances-in-visual-computing-16th-
international-symposium-isvc-2021-virtual-event-
october-4-6-2021-proceedings-part-i-lecture-notes-in-computer-
Software Technologies 16th International Conference
ICSOFT 2021 Virtual Event July 6 8 2021 Revised
Selected Papers Communications in Computer and
Information Science 1622 1st Edition Hans-Georg Fill
https://ebookmeta.com/product/software-technologies-16th-
international-conference-icsoft-2021-virtual-event-
july-6-8-2021-revised-selected-papers-communications-in-computer-
and-information-science-1622-1st-edition-hans-georg-fill/

Computer Security ESORICS 2021 26th European Symposium

on Research in Computer Security Darmstadt Germany
October 4 8 2021 Proceedings Part II Lecture Notes in
Computer Science Book 12973
https://ebookmeta.com/product/computer-security-
esorics-2021-26th-european-symposium-on-research-in-computer-
security-darmstadt-germany-october-4-8-2021-proceedings-part-ii-
lecture-notes-in-computer-science-book-12973/

Decision and Game Theory for Security 12th

International Conference GameSec 2021 Virtual Event
October 25 27 2021 Proceedings Lecture Notes in
Computer Science Branislav Bošanský (Editor)
https://ebookmeta.com/product/decision-and-game-theory-for-
security-12th-international-conference-gamesec-2021-virtual-
event-october-25-27-2021-proceedings-lecture-notes-in-computer-
science-branislav-bosansky-editor/

Information Systems and Design Second International

Conference ICID 2021 Virtual Event September 6 7 2021
Revised Selected Papers Communications in Computer and
Information Science 1539 Victor Taratukhin (Editor)
https://ebookmeta.com/product/information-systems-and-design-
second-international-conference-icid-2021-virtual-event-
september-6-7-2021-revised-selected-papers-communications-in-
computer-and-information-science-1539-victor-taratu/

Computer Analysis of Images and Patterns 19th

International Conference CAIP 2021 Virtual Event
September 28 30 2021 Proceedings Part I 1st Edition
Nicolas Tsapatsoulis
https://ebookmeta.com/product/computer-analysis-of-images-and-
patterns-19th-international-conference-caip-2021-virtual-event-
september-28-30-2021-proceedings-part-i-1st-edition-nicolas-
Volume 12835

Lecture Notes in Computer Science

Security and Cryptology

Editorial Board
Elisa Bertino
Purdue University, West Lafayette, IN, USA

Wen Gao
Peking University, Beijing, China

Bernhard Steffen
TU Dortmund University, Dortmund, Germany

Gerhard Woeginger
RWTH Aachen, Aachen, Germany

Moti Yung
Columbia University, New York, NY, USA

Founding Editors
Gerhard Goos
Karlsruhe Institute of Technology, Karlsruhe, Germany

Juris Hartmanis
Cornell University, Ithaca, NY, USA
More information about this subseries athttp://​www.​springer.​com/​
series/​7410
Editors
Toru Nakanishi and Ryo Nojima

Advances in Information and Computer

Security
16th International Workshop on Security, IWSEC
2021, Virtual Event, September 8–10, 2021,
Proceedings
1st ed. 2021
Editors
Toru Nakanishi
Hiroshima University, Hiroshima, Japan

Ryo Nojima
National Institute of Information and Communications Technology,
Tokyo, Japan

ISSN 0302-9743 e-ISSN 1611-3349

Lecture Notes in Computer Science
Security and Cryptology
ISBN 978-3-030-85986-2 e-ISBN 978-3-030-85987-9
https://doi.org/10.1007/978-3-030-85987-9

© Springer Nature Switzerland AG 2021

This work is subject to copyright. All rights are reserved by the

Publisher, whether the whole or part of the material is concerned,
specifically the rights of translation, reprinting, reuse of illustrations,
recitation, broadcasting, reproduction on microfilms or in any other
physical way, and transmission or information storage and retrieval,
electronic adaptation, computer software, or by similar or dissimilar
methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks,

service marks, etc. in this publication does not imply, even in the
absence of a specific statement, that such names are exempt from the
relevant protective laws and regulations and therefore free for general
use.

The publisher, the authors and the editors are safe to assume that the
advice and information in this book are believed to be true and accurate
at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, expressed or implied, with respect to the
material contained herein or for any errors or omissions that may have
been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer

Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham,
Switzerland
Preface
The 16th International Workshop on Security, IWSEC 2021, was held
online (originally scheduled to be held in Tokyo, Japan), during
September 8–10, 2021. The workshop was co-organized by ISEC (the
Technical Committee on Information Security in Engineering Sciences
Society of IEICE) and CSEC (the Special Interest Group on Computer
Security of IPSJ).
This year, we categorized topics of interests into two tracks, namely,
Cryptography Track (Track A) and Cybersecurity and Privacy Track
(Track B); each track was formed by separate Program Committee
members. We received 37 submissions, 21 in Track A and 16 in Track B.
After extensive reviews and shepherding, we accepted 11 regular
papers (7 from Track A and 4 from Track B) and 3 short papers (2 from
Track A and 1 from Track B). Each submission was anonymously
reviewed by four reviewers on average. These proceedings contain
revised versions of the accepted papers. Track A consists of the
sessions on lattice-based cryptography, multiparty computation, post-
quantum cryptography, and symmetric-key cryptography. Track B
consists of the sessions on system security, machine learning and
security, and game theory and security.
The Best Paper Awards were given to “Solving the Problem of
Blockwise Isomorphism of Polynomials with Circulant Matrices” by
Yasufumi Hashimoto and to “KPRM: Kernel Page Restriction Mechanism
to Prevent Kernel Memory Corruption” by Hiroki Kuzuno and Toshihiro
Yamauchi. The Best Student Paper Award was given to “Evolving
Homomorphic Secret Sharing for Hierarchical Access Structures” by
Kittiphop Phalakarn, Vorapong Suppakitpaisarn, Nuttapong
Attrapadung, and Kanta Matsuura.
Under the COVID-19 pandemic circumstances, a number of people
contributed to the success of IWSEC 2021. We would like to thank all
authors for submitting their papers to the workshop, and we are also
deeply grateful to the members of the Program Committee and to the
external reviewers for their in-depth reviews and detailed discussions.
Last but not least, we would like to thank the general co-chairs, Tetsuya
Izu and Yuji Suga, for leading the Organizing Committee, and we would
also like to thank the members of the Organizing Committee for
ensuring the smooth running of the workshop.
Toru Nakanishi
Ryo Nojima
September 2021
IWSEC 2021 16th International Workshop on
Security Organization
Online, September 8–10, 2021
co-organized by
ISEC in ESS of IEICE
(Technical Committee on Information Security in Engineering
Sciences Society of the Institute of Electronics, Information and
Communication Engineers)
and
CSEC of IPSJ
(Special Interest Group on Computer Security of Information
Processing Society of Japan)

General Co-chairs
Tetsuya Izu Fujitsu Laboratories Ltd., Japan
Yuji Suga Internet Initiative Japan Inc., Japan

Program Co-chairs
Toru Nakanishi Hiroshima University, Japan
Ryo Nojima NICT, Japan

Poster Chair
Mitsuaki Akiyama NTT, Japan

Publication Chair
Chen-Mou Cheng Kanazawa University, Japan

Local Organizing Committee

Mitsuaki Akiyama NTT, Japan
Chen-Mou Cheng Kanazawa University, Japan
Xuping Huang
Advanced Institute of Industrial Technology, Japan
Yasuhiko Ikematsu Kyushu University, Japan
Satoru Izumi National Institute of Technology, Sendai College, Japan
Kaisei Kajita Japan Broadcasting Corporation, Japan
Kazuya Kakizaki NEC, Japan
Noboru Kunihiro University of Tsukuba, Japan
Minako Ogawa Toshiba Corporation, Japan
Toshiya Shimizu Fujitsu Laboratories Ltd., Japan
Yuta Takata Deloitte Tohmatsu Cyber LLC, Japan
Atsushi Takayasu NICT, Japan
Hiroshi Tsunoda Tohoku Institute of Technology, Japan
Sven Wohlgemuth SECOM Co., Ltd., Japan
Masaya Yasuda Rikkyo University, Japan

Program Committee
Track A: Cryptography Track
Chen-Mou Cheng Kanazawa University, Japan
Sherman S.M. Chow The Chinese University of Hong Kong, Hong Kong
Geoffroy Couteau CNRS, IRIF, Université de Paris, France
Bernardo David IT University of Copenhagen, Denmark
Antonio Faonio EURECOM, France
Akinori Hosoyamada NTT, Japan
Yuichi Komano Toshiba Corporation, Japan
Florian Mendel Infineon Technologies, Germany
Kazuhiko Minematsu NEC, Japan
Khoa Nguyen Nanyang Technological University, Singapore
Koji Nuida Kyushu University, Japan
Jae Hong Seo Hanyang University, Republic of Korea
Yannick Seurin Agence Nationale de la Securite des Systemes
d'Information, France
Daniel Slamanig AIT Austrian Institute of Technology, Austria
Willy Susilo University of Wollongong, Australia
Katsuyuki Takashima Waseda University, Japan
Atsushi Takayasu NICT, Japan
Mehdi Tibouchi NTT, Japan
Damien Vergnaud Sorbonne Université/Institut Universitaire de
France, France
Yuyu Wang University of Electronic Science and Technology of China,
China
Yohei Watanabe The University of Electro-Communications, Japan
Bo-Yin Yang Academia Sinica, Taiwan
Kazuki Yoneyama Ibaraki University, Japan

Track B: Cybersecurity and Privacy Track

Mitsuaki Akiyama NTT, Japan
Josep Balasch KU Leuven, Belgium
Gregory Blanc Telecom SudParis, France
Herve Debar Telecom SudParis, France
Josep Domingo-Ferrer Universitat Rovira i Virgili, Catalonia
Koki Hamada NTT, Japan
Yuichi Hayashi Nara Institute of Science and Technology, Japan
Hiroaki Kikuchi Meiji University, Japan
Frederic Majorczyk DGA-MI/CentraleSupelec, France
Yuji Suga Internet Initiative Japan Inc., Japan
Giorgos Vasiliadis Qatar Computing Research Institute HBKU, Greece
Takeshi Yagi NTT Security (Japan) KK, Japan
Akira Yamada KDDI Research, Inc., Japan
Takumi Yamamoto Mitsubishi Electric Corporation, Japan
External Reviewers
Behzad Abdolmaleki
Yusuke Aikawa
Ming-Shing Chen
Nariyoshi Chida
Heewon Chung
Valerio Cini
Reo Eriguchi
Daisuke Fujimoto
Jingnan He
Jingwei Hu
Yasuhiko Ikematsu
Toshiyuki Isshiki
Tezuka Masayuki
William H.Y. Mui
Yuto Otsuki
Sebastian Ramacher
Bagus Santoso
Martin Schlä ffer
Kazumasa Shinagawa
Chuanjie Su
Xiangyu Su
Erkan Tairi
Junko Takahashi
Xiuhua Wang
Takuya Watanabe
Huangting Wu
Takanori Yasuda
Quan Yuan
Contents
Lattice-Based Cryptography
A Trace Map Attack Against Special Ring-LWE Samples
Yasuhiko Ikematsu, Satoshi Nakamura and Masaya Yasuda
Shortest Vectors in Lattices of Bai-Galbraith’s Embedding Attack
on the LWR Problem
Shusaku Uemura, Kazuhide Fukushima, Shinsaku Kiyomoto,
Momonari Kudo and Tsuyoshi Takagi
System Security
KPRM:​Kernel Page Restriction Mechanism to Prevent Kernel
Memory Corruption
Hiroki Kuzuno and Toshihiro Yamauchi
(Short Paper) Evidence Collection and Preservation System with
Virtual Machine Monitoring
Toru Nakamura, Hiroshi Ito, Shinsaku Kiyomoto and
Toshihiro Yamauchi
Multiparty Computation
Evolving Homomorphic Secret Sharing for Hierarchical Access
Structures
Kittiphop Phalakarn, Vorapong Suppakitpaisarn,
Nuttapong Attrapadung and Kanta Matsuura
Machine Learning and Security
Understanding Update of Machine-Learning-Based Malware
Detection by Clustering Changes in Feature Attributions
Yun Fan, Toshiki Shibahara, Yuichi Ohsita, Daiki Chiba,
Mitsuaki Akiyama and Masayuki Murata
Proposal of Jawi CAPTCHA Using Digraphia Feature of the Malay
Language
Hisaaki Yamaba, Ahmad Saiful Aqmal Bin Ahmad Sohaimi,
Shotaro Usuzaki, Kentaro Aburada, Masayuki Mukunoki,
Mirang Park and Naonobu Okazaki
Post-Quantum Cryptography (1)
Solving the Problem of Blockwise Isomorphism of Polynomials
with Circulant Matrices
Yasufumi Hashimoto
FFT Program Generation for Ring LWE-Based Cryptography
Masahiro Masuda and Yukiyoshi Kameyama
Symmetric-Key Cryptography
Optimum Attack on 3-Round Feistel-2 Structure
Takanori Daiza and Kaoru Kurosawa
Post-Quantum Cryptography (2)
An Intermediate Secret-Guessing Attack on Hash-Based Signatures
Roland Booth, Yanhong Xu, Sabyasachi Karati and Reihaneh Safavi-
Naini
(Short Paper) Analysis of a Strong Fault Attack on Static/​
Ephemeral CSIDH
Jason T. LeGrow and Aaron Hutchinson
(Short Paper) Simple Matrix Signature Scheme
Changze Yin, Yacheng Wang and Tsuyoshi Takagi
Game Theory and Security
Moving Target Defense for the CloudControl Game
Koji Hamasaki and Hitoshi Hohjo
Author Index
Lattice-Based Cryptography
© Springer Nature Switzerland AG 2021
T. Nakanishi, R. Nojima (eds.), Advances in Information and Computer Security,
Security and Cryptology 12835
https://doi.org/10.1007/978-3-030-85987-9_1

A Trace Map Attack Against Special

Ring-LWE Samples
Yasuhiko Ikematsu1 , Satoshi Nakamura2 and Masaya Yasuda3
(1) Institute of Mathematics for Industry, Kyushu University, Fukuoka,
Japan
(2) NTT Secure Platform Laboratories, Tokyo, Japan
(3) Department of Mathematics, Rikkyo University, Tokyo, Japan

Yasuhiko Ikematsu
Email: ikematsu@imi.kyushu-u.ac.jp

Satoshi Nakamura
Email: satoshi.nakamura.xn@hco.ntt.co.jp

Masaya Yasuda (Corresponding author)

Email: myasuda@rikkyo.ac.jp

Abstract
The learning with errors (LWE) problem is one of the hard problems
supporting the security of modern lattice-based cryptography. Ring-
LWE is the analog of LWE over the ring of integers of a cyclotomic field,
and it has provided efficient cryptosystems. In this paper, we give
cryptanalysis against ring-LWE using the trace map over the ring of
integers of a cyclotomic field, without using any reduction to other
structured lattice problems. Since it maps to a ring of a smaller degree,
a trace map attack is expected to be able to decrease the hardness of
ring-LWE. However, the trace map does not necessarily transform ring-
LWE samples to samples over the smaller ring with a common secret.
We give a sufficient and necessary condition on a pair of ring-LWE
samples for which the trace map attack is applicable. We call such a pair
of samples special. We demonstrate how efficiently the trace map attack
can solve ring-LWE when a special pair of samples is given. Specifically,
we compare blocksizes of the Blockwise Korkine-Zolotarev (BKZ)
algorithm required for solving ring-LWE in the trace map attack and a
standard attack. Moreover, we discuss the (in)feasibility of the trace
map attack for random ring-LWE samples to evaluate how the trace
map attack can give a threat against ring-LWE-based cryptosystems on
a practical side.

Keywords Ring-LWE – Trace map – Lattices – Lattice basis reduction

1 Introduction
Recently, lattice-based cryptography has been studied to construct
various cryptosystems, including post-quantum cryptography (PQC)
and high-functional encryption such as fully homomorphic encryption.
In particular, the National Institute of Standards and Technology (NIST)
has proceeded with a PQC standardization since 2015 [33]. At the
second-round submission in 2019, 26 proposals were accepted,
including 12 lattice-based cryptosystems. In July 2020, NIST selected
15 of the second-round candidates to move onto the third round of the
standardization process [27]. Of 15 advancing candidates, 7 proposals
have been selected as finalists, and 8 as alternate candidates. Regarding
lattice-based cryptosystems, 5 proposals are included in finalists, and 2
in alternate candidates. The security of the lattice-based proposals
relies on the hardness of either LWE or NTRU problem (e.g., see [3] for
details). Precisely, 3 module-LWE and 2 NTRU proposals have been
selected as finalists. (Module-LWE [11, 21] is the analog of LWE over a
module lattice that addresses shortcomings in both LWE and ring-
LWE.) Module-LWE and NTRU are both structured lattice problems,
and they are a central target of algebraic cryptanalysis in lattice-based
cryptography.
The NTRU problem is the hard problem underlying the NTRU
cryptosystem [18]. NTRU and FALCON are the NTRU-based finalists in
NIST’s PQC standardization process. The problem can be reduced to the
shortest vector problem (SVP) in the NTRU lattice, associated with an
ideal of the ring for two integers n and q. Lattice basis
reduction such as LLL [22] and BKZ [32] is a strong tool to solve lattice
problems, and its hybrid with the meet-in-the-middle, proposed in [19],
is the best-known attack to solve the NTRU problem in practice. For a 2-
power integer n, let denote the ring of integers of
the 2n-th cyclotomic field . The overstretched NTRU
problem is a variant of NTRU that uses the quotient ring
with a large modulus q, and it is available to construct fully
homomorphic encryption [23]. In algebraic cryptanalysis, Cheon et al.
in [15] made use of the trace map to reduce the overstretched NTRU
problem to lattice problems in smaller dimensions. Albrecht et al. in [2]
proposed a subfield attack by using the norm map to break the
overstretched NTRU problem with a huge modulus q. The LWE problem
is the hard problem proposed by Regev [31] that asks to find a solution
from a system of linear equations over with errors for a modulus q.
The ring-LWE problem is the ring-based analog of LWE [24] that uses
the same base ring R as in the overstretched NTRU. Informally, given
ring-LWE samples with , it asks to find its

secret for a modulus q. Advantages of ring-LWE are its

compactness and efficiency since each ring element yields an n-
dimensional information in its coefficients. In particular, qTesla,
NewHope, and LAC had been ring-LWE-based candidates in the second
round of NIST’s PQC standardization process [33]. In contrast, module-
LWE is less algebraically structured than ring-LWE, and it is at least as
hard as ring-LWE. In NIST’s PQC standardization process, SABER,
CRYSTALS-KYBER, and CRYSTALS-DILITHIUM are based on module-
LWE (precisely, SABER is based on module-LWR, learning with
rounding), and they are selected as the third-round finalists [27]. There
are several recent works on reductions between ring-LWE and module-
LWE [4, 10, 30, 34]. However, both ring-LWE and module-LWE are
generally reduced to standard LWE by expressing every ring element as
its coefficient vector in an estimate of security level.
 In this paper, we consider cryptanalysis using the trace map against
ring-LWE rather than module-LWE since ring-LWE is more
algebraically structured and it can be regarded as module-LWE with a
module of rank 1. For a 2-power integer n, let denote
the ring of integers of the 2n-th cyclotomic field
, where is a primitive 2n-th root of
unity in . Let K denote the maximal real subfield in L, and its ring
of integers. The trace map is defined by mapping every
element to . Since the ranks of R and as -

modules are respectively equal to n and , we expect that the trace map
could decrease the degree of ring-LWE. However, unlike the case of
NTRU, it has difficulty to use the trace map for solving ring-LWE due to
that the trace map is linear but not multiplicative over R. Precisely,
given a ring-LWE sample over with , a ring-
LWE relation does not hold over ,
except for the case where the secret . In this paper, we give a
sufficient and necessary condition on a pair of ring-LWE samples for
which a trace map attack is applicable. We call such a typical sufficient
condition special. We also demonstrate how efficiently the trace map
attack can solve ring-LWE when a special pair of samples is given.
Specifically, we compare blocksizes of BKZ required in both the trace
map and the standard attack for success to recover the secret of ring-
LWE. (Here the standard attack means the canonical reduction of ring-
LWE to standard LWE by coefficient representation. The success
probability and the complexity of both the trace map and the standard
attacks depend on blocksizes of BKZ.) Moreover, we discuss the
(in)feasibility of the trace map attack for randomly chosen ring-LWE
samples. Specifically, we estimate the probability that a special pair of
ring-LWE samples is included among randomly chosen samples, to
evaluate the practical impact of the trace map attack.
 Notation. The symbols , , , and denote the ring of integers,
the field of rational numbers, the field of real numbers, and the field of
complex numbers, respectively. For an odd prime q, let denote a set
of representatives of integers modulo q as . We

represent all vectors in row format. For ,

, let denote the inner product .

We also let denote the Euclidean norm defined as .

We write by the transpose of a matrix .

2 Preliminaries from Lattices to LWE Problems

In this section, we shall present mathematical and algorithmic
background on lattices, and then recall the LWE and the ring-LWE
problems.

2.1 Mathematical and Algorithmic Background on

Lattices
In this subsection, we present basic definitions and properties on
lattices and computational lattice problems, which shall be used later
for reduction of the LWE problem and its variants. We also recall lattice
basis reduction algorithms, which are strong tools to solve lattice
problems (e.g., see [12, 28, 36] for details).
Lattices and Their Bases. Let d be a positive integer. For linearly
independent vectors in the d-dimensional Euclidean space
, the set of all their integral combinations
is called a (full-rank) lattice in of dimension d. The set

is called a basis of L, and the matrix whose i-th row is is called a

basis matrix. (We simply write , the lattice spanned by the
rows of .) Two matrix bases and span the same lattice if and
only if there exists a unimodular matrix satisfying . The
volume of L is defined as for a basis matrix of L. It
is independent of the choice of matrix bases. For each i, the i-th
successive minimum of L, denoted by , is the minimum of
over all i linearly independent vectors in L. In
particular, the first minimum means the norm of a non-zero
shortest vector in L.
The Gram-Schmidt orthogonalization for an ordered basis
is the orthogonal vectors , recursively defined as
and for

We expand the Gram-Schmidt coefficients as a square matrix ,

where let for all and for all k. Let denote the
matrix whose i-th row is for . Then it is clear that
and hence by the orthogonality of Gram-Schmidt

vectors for the lattice . For each , let denote the

orthogonal projection from onto the orthogonal supplement of the

-vector space as
Main Lattice Problems. Here we introduce main computational
problems for lattices. The most famous lattice problem is the shortest
vector problem (SVP); “Given a basis of a lattice L, find a
shortest non-zero vector in L, that is, a vector such that
.” Ajtai [1] proved that SVP is NP-hard under randomized
reductions. It can be relaxed by an approximate factor; “Given a basis of
a lattice L and an approximation factor , find a non-zero vector
in L such that .” Approximate-SVP is exactly SVP when
. For a lattice L of dimension d and a measurable set C in , the

Gaussian Heuristic predicts that the number of lattice vectors in C is

roughly equal to . In particular, if we take C as the ball of
radius centered at the origin in , then we can expect

. Denote by the volume of the unit

ball in , thus . Therefore the norm of a non-zero

shortest vector in L is roughly expected as

(1)

by using Stirling’s formula for .

Another famous lattice problem is the closest vector problem (CVP);
“Given a basis of a lattice L and a target vector , find a
vector in L closest to , that is, a vector such that the distance
is minimized.” It is known that CVP is at least as hard as SVP.
(See the textbook [25].) As in the case of SVP, we can relax CVP by an
approximate factor. Approximate-CVP is at least as hard as
approximate-SVP with the same factor. From a practical point of view,
both problems are considered equally hard, due to Kannan’s
embedding technique [20], transforming approximate-CVP into
approximate-SVP. (See Subsect. 2.2 below for the embedding for solving
the LWE problem.)
The security of modern lattice-based cryptosystems is based on the
hardness of cryptographic problems, such as LWE and NTRU problems.
Such problems are reduced to approximate-SVP or approximate-CVP
(e.g., see [3] for details).
Lattice Basis Reduction. Given arbitrary basis of a lattice, lattice
basis reduction aims to find a new basis of the same lattice with short
and nearly-orthogonal vectors. (Such basis is called to be reduced or
good.) It is a mandatory tool in solving lattice problems.
Reduction Algorithms. Below we introduce two typical algorithms.
These algorithms output short lattice vectors, not necessarily the
shortest ones.
LLL (Lenstra-Lenstra-Lovász). It is the celebrated algorithm by
Lenstra, Lenstra and Lová sz [22]. For a reduction parameter
, an ordered basis is called -LLL-reduced if it

satisfies two conditions; (i) Size-reduction condition: The Gram-

Schmidt coefficients satisfy for all . (ii)

Lová sz’ condition: It holds for all .

The LLL algorithm [22] finds an LLL-reduced basis by swapping

adjacent basis vectors when they do not satisfy Lová sz’
condition. Its complexity is polynomial in dimension d. Moreover, LLL
is applicable also for linearly dependent vectors to remove the linear
dependency.
BKZ (Blockwise Korkine-Zolotarev). It is a blockwise
generalization of LLL. For an ordered basis of a lattice L
and two indexes , let denote the lattice spanned by the
local projected block basis
 (The projected block lattice depends on the choice of a basis and its
order.) For a blocksize , an ordered basis of a
lattice L is called -BKZ-reduced if it is size-reduced and it satisfies
for with . The BKZ

algorithm [32] finds an almost -BKZ-reduced basis, and it calls LLL

to reduce every local block lattice before finding a shortest
vector in the block lattice. Since larger decreases , it can

find a shorter lattice vector. However, the computational cost is more

expensive as increases, since it is dominant to find a shortest
vector in every block lattice of dimension . Specifically, the running
time of BKZ depends on algorithms of SVP subroutine (such as ENUM
and Sieve), and hence the complexity of BKZ is at least exponential in
.
The Hermite Factor. It is a good index to measure the practical output
quality of a reduction algorithm. The Hermite factor is defined by
, where is a shortest basis vector output by a

reduction algorithm for a lattice L of dimension d. (The first vector of a

reduced basis is shorter than other vectors in general.) Smaller
means that it can find a shorter lattice vector. It was shown in [17] by
exhaustive experiments that for practical reduction algorithms such as
LLL and BKZ, their root factor converges to a constant for high

dimensions . For example, it achieves around 1.0219 by LLL

and 1.0128 by BKZ with blocksize for random lattices,
respectively. Moreover, under the Gaussian Heuristic and some
heuristic assumptions, a limiting value of the root Hermite factor of
BKZ (or BKZ 2.0 [14], an improved BKZ) with large blocksize is
predicted in [13] as

(2)

(Recall that is the volume of the -dimensional unit ball.) There are
experimental evidences supporting this prediction for . More
precisely, in a simple form based on the Gaussian Heuristic, the Gram-
Schmidt norms of a -BKZ-reduced basis of volume 1 is
predicted as

(3)

This is reasonably accurate in practice for and (see [13,

14, 37]).

2.2 LWE and Ring-LWE Problems

In this subsection, we recall the LWE problem and also describe how to
reduce it to main lattice problems such as SVP and CVP. We then recall
the ring-LWE problem, the ring-based analog of LWE.
The LWE Problem. We let denote the reduction of an
integer a by modulo q.
Question 1 (LWE). Let n be a dimension parameter, q a modulus
parameter, and an error distribution over . (The distribution is
often taken the discrete Gaussian distribution.) Let denote a
secret with entries chosen uniformly at random from . Given d
samples with

(4)
where ’s are uniformly chosen at random from and ’s are
sampled from . Then two questions are asked; (i) Decision-LWE is to
distinguish whether a given vector is obtained

from (4) for some , or uniformly at random. (ii) Search-LWE is to

recover the secret from LWE samples (4).

It was shown in [31] that Decision- and Search-LWE are equivalent

when the prime modulus q is bounded by some polynomial in n. We
focus on Search-LWE for a practical cryptanalysis, and we do not
restrict the number of samples d for simplicity. From d samples (4), we
set an error vector and a target vector .
We set as the matrix whose i-th row is for . Then
samples (4) are written as a pair satisfying

(5)

In other words, Search-LWE asks us to recover the secret or

equivalently the error vector from an LWE instance
satisfying (5).
Reduction to Lattice Problems. There are a number of strategies
for solving Search-LWE. (See the survey work [7].) Here we recall how
to reduce Search-LWE to lattice problems. Given an LWE instance
, we let

denote a q-ary lattice of dimension d. (See [26] for q-ary lattices.) The
rows of the matrix

form a system of generators of the lattice, where denotes the

identity matrix. A basis matrix of the lattice is obtained by
computing LLL (or Hermite normal form) for the rows of . Then we
can regard the target vector as a vector bounded in distance from
. The minimum distance between and over

is equal to the norm of the error vector by (5) if it is sufficiently

short. (In general setting, the error vector is considerably shorter than
the modulus prime q.) Technically speaking, this is a reduction of
Search-LWE to the bounded distance decoding (BDD) problem, a
particular case of CVP.
There are several methods such as Kannan’s embedding [20] to
reduce BDD to unique-SVP, a particular case of SVP finding a non-zero
shortest vector in a lattice L under for some factor
. The basic procedure of Kannan’s embedding for an LWE
instance is as follows; With a basis matrix of the q-ary
lattice , we construct the matrix

(6)
Set . Its dimension is and volume is equal to
for almost . Then the lattice includes a very

short vector , since it satisfies

by the condition (5). In general setting,
embedding vectors are shortest in . By reducing enough by
lattice reduction, we can recover , from which the error vector is
obtained.
Known Estimates for Reduction Algorithms. As described above,
a suitable reduction algorithm is required to find the vector in .
Below we recall two known estimates which algorithm is required for
succeeding to recover .
2008 Estimate. It is the estimate for solving unique-SVP by Gama
and Nguyen [17]. They showed that a reduction algorithm with Hermite
factor can recover the shortest vector in unique-SVP with gap factor
if for some empirical constant . We apply it to Search-
LWE. Assume that the vector is the shortest in the lattice . We
simply predict that the second successive minimum of equals to
(see Eq. (1) for ). Then the gap factor in unique-SVP
over is larger than

Therefore, in order to recover , the Hermite factor is required to

satisfy

(7)
It has been investigated in [5, 6] by experiments that the constant lies
in between 0.3 and 0.4 in using BKZ. In most cases, an optimal number
of samples d is around 2n or 3n to maximize the right-hand side in (7).
(See also [26].) On the other hand, Search-LWE becomes harder as d
approaches n.
2016 Estimate. It is another estimate discussed in [8], in which the
evolution of the Gram-Schmidt lengths is investigated in processing of
BKZ. More precisely, it compares the expected length of the projected
shortest vector with the Gram-Schmidt lengths simulation (3) of
BKZ. A recent comparison [9] showed that this improves the 2008
estimate for high LWE dimensions such as .
The Ring-LWE Problem. It is parametrized by a ring R over of
degree n, a prime modulus q defining the quotient ring ,
and an error distribution over R outputting “small” ring elements.
The ring R is often taken as the ring of integers in the cyclotomic field
of 2-power degree n where denotes a primitive 2n-th
root of unity (that is., ), and some kind of
discretized Gaussian distribution in the canonical embedding
, mapping each element to the vector for odd

. We stress that the canonical embedding and complex

numbers are used mainly for security proofs (e.g., see [29]), and they
never need to be computed explicitly for construction.
Question 2 (Ring-LWE). For a secret , the ring-LWE
distribution over is sampled by choosing
uniformly at random, choosing , and outputting the pair
satisfying

(8)
Then two questions are asked like standard LWE; decision and search
versions. We only introduce the search version; “Given independent
samples from for a uniformly random , find the secret
s(x).”

The number of samples can be considered as an additional parameter

of ring-LWE, but we here do not restrict it for simplicity. Sample
generators of LWE and ring-LWE are implemented in the Sage
mathematics software SageMath [16].
Reduction to LWE. We describe how to reduce ring-LWE samples to
LWE samples. We express every polynomial
of as its coefficient vector

. Let (a(x), b(x)) be a ring-LWE sample

satisfying (8). For the coefficient vector of a(x),
we put the matrix

Then the condition (8) is expressed as in the

coefficient representation, since the i-th row of corresponds to
 for every i. Namely, one ring-LWE sample corresponds to n

LWE samples .
We consider multiple ring-LWE samples. For example, let
and be two ring-LWE samples with
for . As above, we obtain LWE
condition from each . By combining them,
we get the condition

This condition implies that we have 2n LWE samples from two ring-
LWE samples. To solve ring-LWE, we basically reduce multiple ring-
LWE samples to (standard) LWE samples, from which we recover the
coefficient vector of the secret. (In general, it is hard to solve ring-
LWE from only one sample by lattice attacks.)
Recent Works on Cryptanalysis of Ring-LWE. There are a number of
recent works on reductions among ring-LWE and other structured LWE
problems. In 2017, Albrecht and Deo [4] gave a reduction from module-
LWE of rank d with modulus q to ring-LWE with modulus over a 2-

power cyclotomic field. This gives a conclusion that module-LWE is

polynomial-time equivalent to ring-LWE over a 2-power cyclotomic
field. In 2019, Wang and Wang improved the reduction of [4] to obtain a
reduction from worst-case decision module-LWE to average-case
decision ring-LWE over any cyclotomic field [34]. (See also the recent
work [10] for reductions of module-LWE to lattice problems.) Recently,
Peikert and Pepin [30] unified and simplified various reductions among
algebraically structured LWE variants, including ring-LWE and module-
LWE. Different from these works, the aim of this paper is to give a direct
attack against ring-LWE without using any reduction to other
structured LWE problems.
3 A Trace Map Attack Against the Ring-LWE
Problem
For a 2-power integer n, we consider , the basic ring
defining the ring-LWE problem. We regard R as the ring of integers of
the 2n-th cyclotomic field . (Recall that
denotes a primitive 2n-th root of unity.) Let K denote the subfield in L
generated by over . Then K is the maximal real subfield of L

and its ring of integers is the subring of R generated by (e.g.,

see [35] for a proof). We now define trace maps as

where ‘ ’ is the restriction map of to the integer ring R. In this

section, we shall make use of the trace map to solve the ring-LWE
problem efficiently. In particular, since the set
(9)
gives a -basis of the ring with , the trace map enables us to
reduce the degree of the ring-LWE problem over R from n to m (cf., the
set is a -basis of the ring R).

3.1 Special Pairs of Ring-LWE Samples

For a prime q, let denote the map from to
induced by the trace map . Our basic strategy for attack is
to reduce the ring-LWE problem over to that over via the trace
map. Consider two ring-LWE samples over

(10)
with for , where s(x) is a secret and
an error polynomial. We now apply the trace map for these
samples to obtain

(11)

by the linearity of the trace map. If the secret s(x) is an element of , it

holds for any element a(x) of .
Therefore, in this case, we obtain ring-LWE samples over from the
condition (11) with secret . However, we cannot obtain such
samples over in general, since the trace map is not multiplicative.
For general , we shall give a condition on (11) so that
we can obtain ring-LWE samples over having a common secret. We
regard the first equation in (11) as the basic ring-LWE sample
on associated with a secret . We

assume that the secret is invertible in . (The probability that the

secret is invertible is overwhelmingly high for a large prime q. See
Sect. 4 below.) Then we express the second equation in (11) as

(12)
The element must be public to publish the pair as a
ring-LWE sample over associated with the secret ,
which is common with the basic sample . For example, if
the condition is satisfied for some , then it
satisfies

and hence the element can be computed from public ring-LWE

samples (10). Below we summarize the above discussion:

Proposition 1 We consider two ring-LWE samples (10) over .

– We assume that the secret s(x) is an element of . Then the two

pairs transformed by the trace map

can be regarded as two ring-LWE samples over associated with

common secret s(x) and error polynomials and
, respectively.
– For a general secret , we consider

as a ring-LWE sample over associated with a secret

and an error polynomial . Assume that the
secret is invertible in , and let

(13)

Then the pair satisfying (12) can be regarded as a

ring-LWE sample with the same secret and error
if and only if the element is public. In particular, if
for some , then and it can be
recovered from public information and . We say such
pairs of ring-LWE samples “special”.

3.2 A Trace Map Attack Against Special Pairs of

Ring-LWE Samples
As described in Proposition 1, special pairs of ring-LWE samples over
can be reduced to certain ring-LWE samples over with a
common secret via the trace map. Here we shall describe the procedure
of a trace map attack. We consider a special pair of ring-LWE
samples (10) over , satisfying for some . (The
element is public and it is expressed as (13).) To recover the secret
s(x) of ring-LWE samples (10), we perform the below procedure:
Step 1. From Proposition 1, we first consider two ring-LWE samples
over
 (14)

with common secret and two error polynomials

and . In this step, we recover the error
polynomials by reducing the ring-LWE problem to BDD and then to
unique-SVP, as described in the previous section. The main advantage of
this attack is that the dimension of the reduced lattice is , the half
size of the standard reduction described in the previous section. (In
general, a lattice problem is much easier as its dimension decreases.)
More precisely, since the set (9) gives a basis of the ring , every
element of is uniquely expressed as

with , and we then define an isomorphism map

We also denote by the composition map of with . We clearly

have

for any element in . Moreover, we

define a map from the ring to the set of matrices with entries
in as
Then we reduce two ring-LWE samples (14) over to 2m LWE
samples of dimension m associated with the secret , which
satisfies
(15)
Step 2. We next take an integer i with to consider a new pair
of ring-LWE samples and , which

clearly satisfy the special condition . Thus we apply

the first step to this pair in order to recover the error polynomials
for . (Note that the norm of the coefficient vector

of is the same as that of .) Since for each it

satisfies

we can recover each error from and as

Then the secret s(x) can be easily recovered from either or .

As described above, the trace map attack requires twice lattice
attacks against different pairs of ring-LWE samples. But the attack
reduces samples over rings from to via the trace map. It enables
us to halve the dimension of reduced lattices, which would make lattice
problems much easier to be solved.

Remark 1 Given any sample with

, we select an element and make a
new sample to obtain a special pair.
However, since the coefficients of the new
error polynomial are large for almost elements , and it
is very hard to solve ring-LWE with large errors. On the other hand, the
error polynomial still has small norm for simple elements
such as . But in this case, since coefficient vectors of

and are almost linearly dependent over , it is also hard to solve

ring-LWE with such samples by lattice reduction attacks. That is, the
trace map attack is applicable in practice for a special pair of samples
with linearly independent and over .

Remark 2 As mentioned in Sect. 1, both the trace and the norm maps
have been considered in cryptanalysis against the NTRU problem. Since
the norm map is multiplicative but not additive, it is not
straightforward to apply it to ring-LWE. Specifically, a ring-LWE relation

does not hold in general for any ring-LWE sample (a(x), b(x)) with
, where ‘ ’ denotes the norm map. In
particular, the small ring element cannot be extracted from
the element .

3.3 Comparison with the Standard Attack

In this section, we compare the trace map attack with a standard attack
for concrete ring-LWE parameters. Specifically, we compare required
blocksizes for BKZ to succeed to solve ring-LWE by the trace map and
standard attacks against a special pair of samples (10). Here the
standard attack means the canonical reduction of ring-LWE to standard
LWE, which is also reduced to BDD and then to unique-SVP, as
described in Sect. 2.2.
Verification for Small Parameters by Experiments. We verified
by experiments the effect of the trace map attack for small parameters.
For our experiments, we chose and 128 as the degree
parameter of ring-LWE, and fixed the prime modulus
parameter. We generated a special pair of ring-LWE samples (10) over
as follows; We randomly chose a secret , and two error
polynomials and in with binary
coefficients. (That is, we consider binary ring-LWE in our experiments.)
Then we chose randomly from , generated the other
polynomial for randomly chosen , and computed
over to obtain for .
All experiments were performed using SageMath [16] on 1.3 GHz
Intel core i5. We also used two reduction algorithms LLL and BKZ with
blocksize for solving ring-LWE with a special pair of samples.
We had experimented 20 times for every parameter set. For the case
(resp., ), LLL (resp., BKZ with ) was sufficient to
solve ring-LWE by the trace map attack. On the other hand, the
standard attack could solve the case by not LLL but BKZ with
. With regard to the running time for , the trace map
attack and the standard attack took about 0.74 and 12.31 seconds on
average, respectively. Furthermore, the standard attack could neither
solve the case by LLL nor BKZ with . We estimate that
the standard attack requires at least for BKZ to solve the case
.
Comparison for Large Parameters. The success probability and
the complexity of both the trace map and the standard attacks depend
on blocksizes of BKZ (see [3] for estimates of the complexity of BKZ).
Here we compare two attacks on which blocksizes of BKZ are required
for solving large ring-LWE parameters.
In order to succeed to solve ring-LWE, we estimate from (7) that the
standard attack requires the root Hermite factor at most

(16)

for which we take as the number of LWE samples in the right-

hand side of (7). Recall that is the combined vector of
coefficient vectors of two error polynomials and . For binary
ring-LWE with the above case , the Eq. (16) implies
that it requires , for which we set and

for simplicity. (Recall that the empirical constant lies

bewteen 0.3 and 0.4.) Furthermore, we estimate from (2) that around
is required for BKZ to achieve such . In contrast, the trace

map attack reduces ring-LWE over to that over . Thus it requires

the root Hermite factor at most

(17)

where denotes the combined vector in (15) and

we take as the number of LWE samples. (Recall that , the
degree of polynomial defining .) We simply estimate
with an enough merge. For binary ring-LWE with the

above case , the trace map attack requires

. It is sufficient for BKZ with blocksize to achieve

such , as shown in above experiments. (Recall that the root Hermite

factor of BKZ with is around 1.0128, as mentioned in

Subsect. 2.1.)
Table 1. Comparison of required blocksizes of BKZ in standard and trace map
attacks (The standard attack means the canonical reduction from ring-LWE to
standard LWE. Required root Hermite factors are estimated from (16) and (17),

respectively.)

Ring-LWE parameters Required blocksizes of BKZ

n Standard attack Trace map attack

128 11 4 ( ) ( )

8 ( ) ( )

12 4 ( ) ( )

8 ( ) ( )

256 13 4 ( ) ( )

8 ( ) ( )

14 4 ( ) ( )

8 ( ) ( )
Ring-LWE parameters Required blocksizes of BKZ

n Standard attack Trace map attack

512 15 4 ( ) ( )

8 ( ) ( )

16 4 ( ) ( )

8 ( ) ( )

In Table 1, we give a comparison of required blocksizes of BKZ in

the standard and the trace map attacks for solving several ring-LWE
instances . We estimate required root Hermite factors in

both attacks from (16) and (17), respectively, and we also estimate
required blocksizes of BKZ to achieve target from the Eq. (2).

For the sake of simplicity, we consider that every coefficient of error

polynomials in R is sampled from the discrete Gaussian distribution
with standard deviation . (We can apply our discussion to other kinds
of distributions.) We roughly estimate and

We see from Table 1 that the trace map attack requires considerably
smaller blocksizes than the standard attack. We also see that the
difference of required blocksizes between both attacks increases as the
degree parameter n increases. In particular, the difference of blocksizes
is larger than at least 100 for cases . Since the complexity of
BKZ is at least exponential in as described in Subsect. 2.1, the trace
map attack is much faster than the standard attack, and it becomes
more efficient for larger n. For example, in the case
 , the difference of blocksizes is 130 from
Table 1, and thus the trace map attack is at least times faster than
the standard attack.

4 (In)feasibility of Trace Map Attack for Random

Samples
As mentioned in Proposition 1, the trace map attack requires a strong
condition between two ring-LWE samples over . (We recall that such
the typical condition is called special in Proposition 1.) In this section,
we discuss the (in)feasibility of the trace map attack for random ring-
LWE samples. Specifically, we investigate the probability that randomly
chosen ring-LWE samples includes a special pair.
Let denote the group of invertible elements in . Since
for a large prime q, we assume that any elements are
randomly chosen from for a simple discussion.

Lemma 1 Let be two randomly chosen elements in . Then

the probability that there exists an element satisfying
or is around with .

Proof Since , the following two conditions are equivalent:

(1) There exists satisfying . (2) Conversely, there exists
satisfying . In particular, such an element is in .
Thus the probability of the lemma is equal to the probability that
is contained in the set . Therefore it is equal to

This completes a proof of this lemma.

For a small parameter set , the probability that two
ring-LWE samples satisfy the special condition is roughly equal to
. Thus, it is considered that given two ring-LWE samples

of cryptographic size hardly meet the special condition.

Below we consider how many samples are necessary to find a
special pair.

Lemma 2 Given elements with , the

probability that there exists a pair satisfying the special

condition is around .

Proof Let be the canonical homomorphism. It is

clear that two elements satisfy the special condition if and
only if . Thus, we would like to find a collision under the
map . Since the number of roughly equals to , we see from
the birthday paradox that elements are necessary to find such a

collision with the probability around .

Remark 3 A trace map can be defined for a finite extension L/K.

Therefore a trace map attack can be constructed for such an extension.
However, as the extension degree increases, the probability
that special ring-LWE samples are met becomes much less. Throughout
this paper, we have considered the minimum degree case for
and . We see from the discussion in this

section that we rarely meet special ring-LWE samples even in the

minimum degree case .
Remark 4 Module-LWE is the analogue of LWE over modules,
introduced in [11, 21], which is between LWE and ring-LWE.
Specifically, module-LWE uses a free -module of rank d for a positive
integer d. Like in the case of standard LWE, a module-LWE sample is a
pair of with satisfying

over the ring , where is a secret and is

an error (cf., Eq. (4)). The particular case corresponds to ring-

LWE. For two module-LWE samples and with
and , a trace map attack is applicable
if there exist elements satisfying for all
. The probability that such condition is met becomes much
less as the rank d increases.

5 Conclusion
We discussed a cryptanalysis for ring-LWE using the trace map over the
integer ring of the 2n-th cyclotomic field for a 2-
power integer n. Specifically, we gave a sufficient and necessary
condition on a pair of ring-LWE samples for which the trace map attack
is applicable (Proposition 1). As a typical case, the trace map attack can
efficiently solve ring-LWE with a special pair of samples. We see from
Table 1 that the trace map attack requires much smaller blocksizes of
BKZ than the standard attack for success to recover the secret. This
shows that the trace map attack drastically decreases the hardness of
ring-LWE when a special pair of samples is given. (Note that the
complexities of both the trace map and the standard attacks depend on
BKZ, and the complexity of BKZ is at least exponential in an input
Another random document with
no related content on Scribd:
 WELL, WHO IS PRUNES?
2nd Episode of the great Dramatic Serial,
THE TRUTH, NOTHING BUT THE TRUTH, SO HELP ME GOD.
Same scene as the first Episode—the Third Degree Room
of the Grand Jury of the United States Senate. Mr.
Senator Walsh leading question asker of a body of men
noted for their inquisitiveness.
Doortender of This Torture Chamber
Who will we call first today?
Senator Walsh
Call the Editorial Writer of that newspaper.
Doorman
But, Mr. Walsh, we just called him yesterday.
Senator Walsh
I know we did but call him again. A whole lot is happening in this
country between yesterday and today. Now Mr. Bennett who was it
that you referred to as the Principal in those wires to Palm Beach?
Mr. Bennett
Why, Senator Curtis.
Senator Heflin
Curses on the Luck. I thought it was Coolidge.
Senator Harrison
Wish it had of been Coolidge. It’s no novelty to get a Senator in
Wrong.
Senator Walsh
What did you confer with Curtis about?
Mr. Bennett
About the Editorial Policy of our Paper.
Senator Walsh
Well what does the Editorial Policy of any Paper amount to? You
don’t suppose anybody reads those things do you? Why one Ad is
worth more to a paper than 40 Editorials. That will be all for you Mr.
Bennett.
Senator Caraway
Just a minute before you go. Who was Peaches in those Telegrams?
Mr. Bennett
I don’t remember.
Senator Robinson
Yes, and who was Prunes? I hope it referred to no Democrat.
Senator Walsh
Call Mr. Curtis.
Senator Walsh
Senator Curtis, will you tell the Grand Jury in your own way just what
happened between you and this Editorial Writer of the Washington
Post.
Mr. Curtis
Yes Sir.
Senator Walsh
What was it?
Mr. Curtis
Nothing.
Senator Walsh
You mean you didn’t confer with this Gentleman?
Mr. Curtis
I did not.
Senator Walsh
But you know him?
Mr. Curtis
Never saw him in my life.
Senator Walsh
But you have heard of him?
Mr. Curtis
Never in my life.
Senator Walsh
But you know of the Washington Post?
Mr. Curtis
Yes sir, I have heard it.
Senator Walsh
Heard it? What do you mean you heard it?
Mr. Curtis
I have heard Sousa’s Band play it many a time.
Senator Walsh
Play what?
Mr. Curtis
Washington’s Post.
Senator Walsh
It’s not a tune; it’s a Newspaper. You talk like a Congressman.
Where are you from?
 Mr. Curtis
Kansas.
Senator Walsh
That will be all.
Senator Caraway
Just a minute, Mr. Curtis, Who is Peaches?
Mr. Curtis
I don’t know unless it’s Jim Reed.
Senator Heflin
Just a minute. I object to the Republican Senator’s slur on the fair
name of the Democratic Party. This Investigation is supposed to be
Non Sectarian, and I object to having Politics dragged in, just to
make a Republican Holiday.
Senator Robinson
And I want to know who Prunes was.
Mr. Curtis
You mean you want to know who Prunes IS.
Senator Lenroot
Mr. Walsh, and Gentlemen of the Vigilance Committee there is a Bell
Boy over at my Hotel and he just got it from the chauffeur of a
Prominent Oil Man, that Major Leonard Wood’s Son had just heard
that his Father was offered the Nomination for the Presidency 3 and
a Half years ago, if he would appoint Mr. Jake Hamon Secretary of
the Interior. Now that is a very serious charge, and one that I think
this Committee should look into at once. Public affairs have come to
a fine Climax when a Man in this Country offers to make another one
President. I tell you it is undermining the confidence of the Great
American People and when you do that you shake the very Bulwarks
of the American Constitution. I think a Subpœna should be issued for
Mr. Wood’s Son at once and if this is so I am for a swift and speedy
trial for the Culprits.
Senator Walsh
I am for calling Mr. Wood himself. There’s one thing that this
Committee has proven that it won’t take, and that is Hear Say
Evidence. So call Mr. Wood himself.
Mr. Moses
(The Senator one, Not the Apostle One)
But, Mr. Walsh, Mr. Wood is in the Philippines.
Senator Walsh
I thought he was home. Haven’t they got their Independence yet?
Mr. Moses
No, Mr. Coolidge wouldn’t give it to them.
Senator Walsh
What’s the matter? Have they struck oil, too?
Mr. Moses
No, Mr. Coolidge told them that a Nation that would not support
Wood’s Administration certainly would not be able to support one of
their own.
Senator Heflin
Well, how did America get Independence? They didn’t support
Wood.
Senator Reed
Who said we had any independence?
Senator Lodge
(The Confucius of Nahant)
I object to having the President of these United States’ name
dragged into this thing. I think when a Man occupies the exalted
position that he does that his name should not be degraded by
having it mentioned in The Senate. Now I know that he is doing the
best he can. I have known him ever since he got prominent enough
for me to know. In the eight months that I have known him, I have
found him to be patient, honest, and a Man who would not knowingly
rob a single Filipino of his Liberty. This is simply a Political trick to
drag his name into this Philippine muddle.
Senator Heflin
Yes but he sent the Filipinos the Wire didn’t he! And it’s wires that we
are here to investigate ain’t it?
Senator Harrison
Does the exalted Senator from Massachusetts recall that during the
late Democratic Administration, he himself during the talk on
European Affairs mentioned not only once, but twice, the name of
the then President, Mr. Wilson? Now he don’t want us to mention his
President.
Senator Heflin
Well it’s funny to me that a Country can’t get their Liberty, when they
have advanced far enough to have the Champion Bantamweight
Prize Fighter of the World. I know Countries that have their Liberty,
when they can’t even produce a good Golf Player and that’s the
lowest form of Civilization.
Senator Caraway
I would like to ask Mr. Lodge if he knows who Peaches is.
Senator Lodge
I do not. It’s the only subject I ever admitted being ignorant on.
Senator Robinson
Well, I want to know who Prunes IS.
Senator Lodge
You mean who Prunes AM, don’t you?
 Senator Robinson
Darn it; that man is a bear on Grammar.
Senator Walsh
I think the committee should adjourn until we can get Mr. Wood
himself.
Doorman
Excuse me, Mr. Walsh, but there is a Gentleman out here who wants
to testify in regard to the Doheny and Sinclair leases. What can I tell
him?
Senator Walsh
Oh, yes, I had forgotten about those. Tell him as soon as we get this
Wood for President affair settled, and Jack Dempsey’s mysterious
sickness, and Babe Ruth’s collapse, that we will be able to get to
that Oil Lease thing again.
Senator Copeland
Mr. Walsh, I was in New York last night and I heard Mr. Vanderlip
make a Speech to the Rotary Club of Coney Island, and he said, “I
have it on absolutely reliable authority that George Washington
never crossed the Delaware. That fellow you see in the Picture in the
middle of the Boat was a fellow doubling for him, and if I am called I
will be glad to give this information that I possess to the Senate
Investigating Committee.”
Senator Walsh
Mr. Secretary, call Mr. Vanderlip at once.
Mr. Lenroot
Let’s not call him until tomorrow, Mr. Walsh, as he will make another
speech tonight perhaps on what he discovered about Lincoln. So we
can quiz him on both men at once.
Mr. Caraway
Well, before we adjourn, I want to know who Peaches is.
 Mr. Robinson
Well, I want to know who Prunes WERE.
POLITICS GETTING READY TO JELL
 POLITICS GETTING READY TO JELL
The Illiterate Digest, after reviewing the news, finds that Politics is
sure at the point when it is about to jell. My old friend Jim Reed from
the smelly banks of the Kaw River has broke out again. If you have
done anything against the welfare or conventions of the United
States, and everybody has passed their various opinions on you,
and you think you have been roasted to a dark bay, why, until Jim
Reed breaks out on you, you haven’t been called anything.
Well, it was kinder funny Jim was to make a Washington Day
speech. Naturally everyone supposed it to be on George
Washington, but it was the only speech ever made on Washington’s
Birthday that didn’t have a word about Washington. He didn’t even
mention his name. I don’t know that McAdoo, Denby, Daugherty,
Doheny, and others will consider it much Flattery, but it will go down
in History as being the only time they ever replaced Washington.
Reed wouldn’t have been any good making a speech on
Washington, anyway. He would have been expected to compliment
him and I doubt if he could think of anything George had ever done
that really was worth while.
Vanderlip made a speech at the Rotary Club of Ossining, New York,
that astonished the United States. Now that speech didn’t astonish
me near as much as the knowledge that Ossining had a Rotary Club.
For the sake of the unfingerprinted ones, I will state that Ossining is
the Town where Sing Sing is permanently located. Now if Ossining
has a Rotary Club they certainly had to take in some Lay Members
from this Musically named Institution.
But when you come to think of it, just think what a Distinguished
Rotary Club they could have at that. Rotary is composed of one of
the best of each line of work or business. Just think what a
competitive thing it would be trying to find in Ossining the leading
Burglar sojourning with them at the time, or the most representative
Pickpocket to represent them in the Club. And Bankers! Mr.
Vanderlip must have felt right at home up there. There are more
Bankers in Ossining than any Town of its size in the United States.
A two year residence is necessary to be able to join the Rotary. Can
you imagine them questioning members of Sing Sing, “Have you
been a resident of this Town for two years?” and the answer would
be, “Yes Sir, constantly.”
So, as I say, it was not the things Mr. Vanderlip said that attracted the
unusual attention. It was the distinguished audience that he
delivered it to. Just to show you the difference: Appearing before the
Rotary Club of Sing Sing he caused a commotion by his Speech. He
took the same Act down to Washington and nobody would listen to
him. It shows you have to have an intelligent audience. Up in Sing
Sing they got what he was talking about but down in Washington it
went right over their heads.
I know, for last winter while playing in New York I was asked to go
over to a big Charity affair given by the 400 of 5th Avenue. I thought I
had a pretty good line of Gags, as there was quite a lot happening
every day of Public interest. So I go over and start in telling them
what I had read in the Papers and nobody even cracked a smile,
much less laughed. So I just kept on trying remarks on every subject
that had been in the papers since Bryan last got a Hair cut. But it
was about one of the worst Flops I ever encountered, and I have had
some beauts in my time.
Well, of course, I felt terrible about it, so just by a coincidence on the
very next night I had promised to go up to Ossining and do an act for
(at that time it wasn’t called the Rotary Club). I think then they called
it Inmates. There was no show—just me alone went up to add to the
hardships of Prison Life. Well I never knew I had as many friends in
the World. I knew everybody up there. I was twice as much at home
as I had been on 5th Avenue the night before. So now I know why
Vanderlip picked out Ossining for his Annual February Oration.
I started in on those same Jokes on up-to-date things that had
flopped so completely at the Millionaire’s Charity affair. Why, say,
they just started right in dying laughing at them. I was sorry Ziegfeld
wasn’t there, as I would have got a raise in salary if he had heard
how my act went. I don’t care what I talked about they knew all about
it.
Ordinarily, I only do about 15 or 20 minutes but up there I did an
Hour and a Quarter. I was so tickled I offered to take all the whole
audience of 12 hundred down to the Follies and pay their way in to
see our Show. Now you know I must feel pretty good with myself,
when I offer to spend my Dough like that. A lot of people would be
kinder sore at the 400 because they didn’t laugh like these 12
hundred did, but I am not. I don’t blame them. If I had their money I
wouldn’t read either. So I can understand very readily why
Vanderlip’s act didn’t go so big in Washington as it did in Ossining.
Of course Van and I use just the opposite methods in our Stage
performances. Every Gag I tell must be based on truth. No matter
how much I may exaggerate it, it must have a certain amount of
Truth. Vanderlip bases his Gags on Rumor.
Now Rumor travels Faster, but it don’t stay put as long as Truth. I
will, however, give him credit for one thing. While here lately
everybody is telling what he has heard, and all about this and that
rumor, why, he thought of by far the best ones I have heard up to
now.
That’s no small accomplishment I tell you, in this year of Rumors, to
be able to say at the end of it: “Well, I told the best ones.”
His were so good that before his audience got through applauding at
Sing Sing (or rather Ossining) why, they had him on the stand at
Washington. That’s the first time a Theatrical troup ever jumped from
Ossining to Washington.
They even put him on ahead of Fall, Sinclair, and all the Headliners.
TWO LONG LOST FRIENDS FOUND
AT LAST
THEY REHEARSED THEIR OLD ACT HERE YESTERDAY.
 TWO LONG LOST FRIENDS FOUND
AT LAST
Well, sir, I have a real Message for my readers. It looked like it would
be just the ordinary Article with no flavor or Backbone or Truth, and
with no real underlying news or wisdom, that is, nothing that the
people would be glad to know and read. As I say, that is the kind of
Article I thought it would be. But as I picked up the morning Papers,
why, I read who was in our midst out here in Sunny California. Well,
sir, it struck me like a thunderbolt here was news which my public
had been longing for for years and here I had found it out!
Well, I says to myself, this is too good to keep, for here people had
been wondering all this time for just what I knew now. I kinder hated
to leave the East on account of thinking I would be out of touch with
some of our National Characters but I find that sooner or later they
all arrive out here and start in fighting off Real Estate men the same
as shooing away Mosquitoes on Long Island.
Well, who should blow in but two of our old long-lost friends, and I
know that even ’Frisco (who is jealous of any one being here) will be
glad to hear they are here well and hearty, and rehearsed their old
Act here yesterday and people enjoyed them just as much as they
did in the old days.
Both of these Boys were on the big time and were well known all
around the Circuit, and any time they took the Platform standing by
the side of a Pitcher of ice water and a glass, why, it just meant 6
columns starting on the front page and ending among the want ads. I
bet you hadn’t heard of them in years and will thank me for
resurrecting this information for you.
I can’t keep it any longer. I did want to keep it till the finish of this to
tell you but I must tell you now who they are—William J. Bryan and
Billy Sunday!
Neither did I, but they are, and looking fine.
You know, if you have lost any one, look out here, because sooner or
later they will come here to visit relatives, for anybody that has
relatives comes here so he can write back to other relatives.
They are both just resting here (so is everybody else). Mr. Bryan is
waiting till he finds out where the next Democratic Convention will be
held, and then be there ready to knock any aspiring Presidential
Candidate on the head the minute it shows above the mob.
The only way they will ever fool W. J. is some presidential year
decide not to run any one. Then it will be a good joke on him; he will
have no one to object to.
Of course, now we don’t hear much of Democratic Candidates, as
both sides are busy watching to see what Cal. will do. When he first
become President there seemed to be quite a Sentiment to nominate
him again for Vice President.
Everybody was wondering how he would come out of the Coal strike
situation, and figured his political life or death depended on how he
decided, so he just fools everybody by appointing some other man to
settle it. Now, no other President had ever been smart enough to
think of a thing like that; they tried to do it themselves, so I think he
will go a long ways. He figured, why should I get in wrong when I can
get some man to do it for me, so he just looked around until he found
some other fellow who had a political future.
He said, “Gifford, you go get in wrong with which ever side you
decide against.” Now, the minute a Crisis comes up, all he has to do
is to remember some Republican name and appoint him to settle it
for him.
Now the only Crisis that Mr. Coolidge can possibly get into, himself,
is running out of Republicans to appoint. In that case he would have
to appoint a Democrat which would bring on a worse Crisis than the
one he appointed him to settle.
But I am not here to talk about Cal. and what he is doing. I am here
to tell you of these two long lost Prodigals that I discovered in the
wilds of this Village. They were preaching in a Pulpit. I guess that’s
why no one had seen them for so long. Both these Boys, in the good
old days used to talk in a Tent. Now you can always attract a crowd
in a Tent, for they figure that it might be a Circus. Come to think of it,
their Acts were similar; either one of them could take a Dictionary
and sink an enemy with words at 40 paces.
Bryan’s speeches have been the only thing to look forward to at a
Democratic Convention for years. He has sent more Presidential
Candidates home without a Reception Committee meeting them
than any Monologist living. He can take a batch of words and
scramble them together and leaven them properly with a hunk of
Oratory and knock the White House door knob right out of a
Candidate’s hand.
Bryan has made more Political speeches than Germany has Marks.
He kissed, when they were Babies, every man and woman in the
United States who is now up to the age of 45. He has juggled the
destinies of America more than any two Presidents because he has
the choosing or rejecting of them.
His career has varied from Non-intoxication to Evolution; his hobbies
have jumped from Grape juice to Monkeys. He tries to prove that we
did not descend from the Monkey, but he unfortunately picked a time
when the actions of our people prove that we did. He, undoubtedly,
is one of our greatest minds and in most of his Theories he has been
just too far ahead of the mob.
He preached Prohibition at a time when it meant Political Suicide for
himself. I bet the next Democratic Candidate for President, no matter
how strong he may think he is, would rather have the support of W.
J. Bryan than any doubtful State in the Union.
Now that brings to us his accomplice, Willie Sunday, who I
discovered staggering from one of our Local Pulpits last Sunday. To
some of you who can’t or don’t wish to remember, Billy passed out
just as Andy Volstead made his entrance. Now Barnum invented the
Tent, but Billy Sunday filled it. He can get more people into a tent
than an Iowa Picnic at Long Beach, California.
He is the only man in Ecclesiastical or Biblical history that ever had
to train physically, for a sermon. He brought more converts to
Prohibition before the 18th Amendment come in, than the 18th
Amendment has converted to Prohibition since it went in.
He is the first preacher to specialize on Liquor. While Bryan’s
oratorical wrath in the later years has been hurled at Darwin, Billy
Sunday picks his opponent with a carelessness that is almost
reckless.
I suppose that he has had more mortal worldly combats with the
Devil himself than any man living. He has challenged the Devil
publicly more times than Wills, the Negro, has Jack Dempsey.
People have been going for years to hear Billy, just figuring that if
they didn’t go that night it might be the very night the Devil would
hear what Billy was calling him and come up, and they might miss
what would happen.
I don’t know this Devil myself but if he heard Billy say these things
and didn’t come up and call him for it, I think less of him than Billy
does. Of course, the Devil may be just good natured, and figure,
well, he can’t hurt ME, and if he can get anything out of it why let him
go ahead.
Now, of course, you can get a fellow wrong. Billy used to lay all the
drinking on to this Devil, and claimed that if we had Prohibition we
could lick this Devil. Now we got Prohibition, I don’t think he can
legitimately lay the present drinking onto the Devil.
Course, from this I don’t want you to think I am taking sides in this
thing. I don’t know either one personally. But, as I say, there is a
chance that they both may have each other wrong. As I say, Billy
must have something on the Devil or he wouldn’t dare to call him
what he does, especially if the Devil can hear him, and I tell you the
Devil must be pretty low if he don’t answer him, that is, if he hears
him.
I have always figured that the reason that the Devil didn’t arise and
respond was Billy’s slang was too much for him. But Billy sure did do
a lot of good in the old days, and no matter if you didn’t like his style
of sermon, you sure didn’t get a chance to do any sleeping.
So I hope we can keep them both out here with us, and help to get
some of our population’s mind on the Church on Sunday instead of
being continually looking for lots.
THEY NOMINATED EVERYBODY BUT
THE FOUR HORSEMEN