Ebook Computational Cryptography Algorithmic Aspects of Cryptology 1St Edition Joppe Bos Online PDF All Chapter

Computational Cryptography:
Algorithmic Aspects of Cryptology 1st

Edition Joppe Bos
Visit to download the full and correct content document:
https://ebookmeta.com/product/computational-cryptography-algorithmic-aspects-of-cr
yptology-1st-edition-joppe-bos/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Fundamentals of Cryptography: Introducing Mathematical

and Algorithmic Foundations (Undergraduate Topics in
Computer Science) Duncan Buell
https://ebookmeta.com/product/fundamentals-of-cryptography-
introducing-mathematical-and-algorithmic-foundations-
undergraduate-topics-in-computer-science-duncan-buell/
Primary Mathematics 3A Hoerst
https://ebookmeta.com/product/primary-mathematics-3a-hoerst/
Practical Aspects of Computational Chemistry V Jerzy

Leszczynski • Manoj K. Shukla
https://ebookmeta.com/product/practical-aspects-of-computational-
chemistry-v-jerzy-leszczynski-manoj-k-shukla/
Algorithmic Aspects of Cloud Computing 5th

International Symposium ALGOCLOUD 2019 Munich Germany
September 10 2019 Revised Selected Papers Ivona Brandic
https://ebookmeta.com/product/algorithmic-aspects-of-cloud-
computing-5th-international-symposium-algocloud-2019-munich-
germany-september-10-2019-revised-selected-papers-ivona-brandic/
Detecting Regime Change in Computational Finance Data
Science Machine Learning and Algorithmic Trading 1st
Edition Jun Chen
https://ebookmeta.com/product/detecting-regime-change-in-
computational-finance-data-science-machine-learning-and-
algorithmic-trading-1st-edition-jun-chen/
Data Analysis and Related Applications, Volume 1:

Computational, Algorithmic and Applied Economic Data
Analysis 1st Edition Konstantinos N. Zafeiris
https://ebookmeta.com/product/data-analysis-and-related-
applications-volume-1-computational-algorithmic-and-applied-
economic-data-analysis-1st-edition-konstantinos-n-zafeiris/
Rust Atomics and Locks Mara Bos
https://ebookmeta.com/product/rust-atomics-and-locks-mara-bos/
Parker Hitt The Father of American Military Cryptology

1st Edition Betsy Rohaly Smoot
https://ebookmeta.com/product/parker-hitt-the-father-of-american-
military-cryptology-1st-edition-betsy-rohaly-smoot/
Practical Aspects of Vaccine Development The Practical

Aspects 1st Edition Parag Kolhe (Editor)
https://ebookmeta.com/product/practical-aspects-of-vaccine-
development-the-practical-aspects-1st-edition-parag-kolhe-editor/
LONDON MATHEMATICAL SOCIETY LECTURE NOTE SERIES
Managing Editor: Professor Endre Süli, Mathematical Institute, University of Oxford,
Woodstock Road, Oxford OX2 6GG, United Kingdom
The titles below are available from booksellers, or from Cambridge University Press at
www.cambridge.org/mathematics
359 Moduli spaces and vector bundles, L. BRAMBILA-PAZ, S.B. BRADLOW, O. GARCÍA-PRADA &
S. RAMANAN (eds)
360 Zariski geometries, B. ZILBER
361 Words: Notes on verbal width in groups, D. SEGAL
362 Differential tensor algebras and their module categories, R. BAUTISTA, L. SALMERÓN & R. ZUAZUA
363 Foundations of computational mathematics, Hong Kong 2008, F. CUCKER, A. PINKUS & M.J. TODD (eds)
364 Partial differential equations and fluid mechanics, J.C. ROBINSON & J.L. RODRIGO (eds)
365 Surveys in combinatorics 2009, S. HUCZYNSKA, J.D. MITCHELL & C.M. RONEY-DOUGAL (eds)
366 Highly oscillatory problems, B. ENGQUIST, A. FOKAS, E. HAIRER & A. ISERLES (eds)
367 Random matrices: High dimensional phenomena, G. BLOWER
368 Geometry of Riemann surfaces, F.P. GARDINER, G. GONZÁLEZ-DIEZ & C. KOUROUNIOTIS (eds)
369 Epidemics and rumours in complex networks, M. DRAIEF & L. MASSOULIÉ
370 Theory of p-adic distributions, S. ALBEVERIO, A.YU. KHRENNIKOV & V.M. SHELKOVICH
371 Conformal fractals, F. PRZYTYCKI & M. URBAŃSKI
372 Moonshine: The first quarter century and beyond, J. LEPOWSKY, J. MCKAY & M.P. TUITE (eds)
373 Smoothness, regularity and complete intersection, J. MAJADAS & A. G. RODICIO
374 Geometric analysis of hyperbolic differential equations: An introduction, S. ALINHAC
375 Triangulated categories, T. HOLM, P. JØRGENSEN & R. ROUQUIER (eds)
376 Permutation patterns, S. LINTON, N. RUŠKUC & V. VATTER (eds)
377 An introduction to Galois cohomology and its applications, G. BERHUY
378 Probability and mathematical genetics, N. H. BINGHAM & C. M. GOLDIE (eds)
379 Finite and algorithmic model theory, J. ESPARZA, C. MICHAUX & C. STEINHORN (eds)
380 Real and complex singularities, M. MANOEL, M.C. ROMERO FUSTER & C.T.C WALL (eds)
381 Symmetries and integrability of difference equations, D. LEVI, P. OLVER, Z. THOMOVA &
P. WINTERNITZ (eds)
382 Forcing with random variables and proof complexity, J. KRAJÍČEK
383 Motivic integration and its interactions with model theory and non-Archimedean geometry I, R. CLUCKERS,
J. NICAISE & J. SEBAG (eds)
384 Motivic integration and its interactions with model theory and non-Archimedean geometry II, R. CLUCKERS,
J. NICAISE & J. SEBAG (eds)
385 Entropy of hidden Markov processes and connections to dynamical systems, B. MARCUS, K. PETERSEN &
T. WEISSMAN (eds)
386 Independence-friendly logic, A.L. MANN, G. SANDU & M. SEVENSTER
387 Groups St Andrews 2009 in Bath I, C.M. CAMPBELL et al (eds)
388 Groups St Andrews 2009 in Bath II, C.M. CAMPBELL et al (eds)
389 Random fields on the sphere, D. MARINUCCI & G. PECCATI
390 Localization in periodic potentials, D.E. PELINOVSKY
391 Fusion systems in algebra and topology, M. ASCHBACHER, R. KESSAR & B. OLIVER
392 Surveys in combinatorics 2011, R. CHAPMAN (ed)
393 Non-abelian fundamental groups and Iwasawa theory, J. COATES et al (eds)
394 Variational problems in differential geometry, R. BIELAWSKI, K. HOUSTON & M. SPEIGHT (eds)
395 How groups grow, A. MANN
396 Arithmetic differential operators over the p-adic integers, C.C. RALPH & S.R. SIMANCA
397 Hyperbolic geometry and applications in quantum chaos and cosmology, J. BOLTE & F. STEINER (eds)
398 Mathematical models in contact mechanics, M. SOFONEA & A. MATEI
399 Circuit double cover of graphs, C.-Q. ZHANG
400 Dense sphere packings: a blueprint for formal proofs, T. HALES
401 A double Hall algebra approach to affine quantum Schur–Weyl theory, B. DENG, J. DU & Q. FU
402 Mathematical aspects of fluid mechanics, J.C. ROBINSON, J.L. RODRIGO & W. SADOWSKI (eds)
403 Foundations of computational mathematics, Budapest 2011, F. CUCKER, T. KRICK, A. PINKUS &
A. SZANTO (eds)
404 Operator methods for boundary value problems, S. HASSI, H.S.V. DE SNOO & F.H. SZAFRANIEC (eds)
405 Torsors, étale homotopy and applications to rational points, A.N. SKOROBOGATOV (ed)
406 Appalachian set theory, J. CUMMINGS & E. SCHIMMERLING (eds)
407 The maximal subgroups of the low-dimensional finite classical groups, J.N. BRAY, D.F. HOLT &
C.M. RONEY-DOUGAL
408 Complexity science: the Warwick master’s course, R. BALL, V. KOLOKOLTSOV & R.S. MACKAY (eds)
409 Surveys in combinatorics 2013, S.R. BLACKBURN, S. GERKE & M. WILDON (eds)
410 Representation theory and harmonic analysis of wreath products of finite groups,
T. CECCHERINI-SILBERSTEIN, F. SCARABOTTI & F. TOLLI
411 Moduli spaces, L. BRAMBILA-PAZ, O. GARCÍA-PRADA, P. NEWSTEAD & R.P. THOMAS (eds)
412 Automorphisms and equivalence relations in topological dynamics, D.B. ELLIS & R. ELLIS
413 Optimal transportation, Y. OLLIVIER, H. PAJOT & C. VILLANI (eds)
414 Automorphic forms and Galois representations I, F. DIAMOND, P.L. KASSAEI & M. KIM (eds)
415 Automorphic forms and Galois representations II, F. DIAMOND, P.L. KASSAEI & M. KIM (eds)
416 Reversibility in dynamics and group theory, A.G. O’FARRELL & I. SHORT
417 Recent advances in algebraic geometry, C.D. HACON, M. MUSTAŢǍ & M. POPA (eds)
418 The Bloch–Kato conjecture for the Riemann zeta function, J. COATES, A. RAGHURAM, A. SAIKIA &
R. SUJATHA (eds)
419 The Cauchy problem for non-Lipschitz semi-linear parabolic partial differential equations, J.C. MEYER &
D.J. NEEDHAM
420 Arithmetic and geometry, L. DIEULEFAIT et al (eds)
421 O-minimality and Diophantine geometry, G.O. JONES & A.J. WILKIE (eds)
422 Groups St Andrews 2013, C.M. CAMPBELL et al (eds)
423 Inequalities for graph eigenvalues, Z. STANIĆ
424 Surveys in combinatorics 2015, A. CZUMAJ et al (eds)
425 Geometry, topology and dynamics in negative curvature, C.S. ARAVINDA, F.T. FARRELL &
J.-F. LAFONT (eds)
426 Lectures on the theory of water waves, T. BRIDGES, M. GROVES & D. NICHOLLS (eds)
427 Recent advances in Hodge theory, M. KERR & G. PEARLSTEIN (eds)
428 Geometry in a Fréchet context, C.T.J. DODSON, G. GALANIS & E. VASSILIOU
429 Sheaves and functions modulo p, L. TAELMAN
430 Recent progress in the theory of the Euler and Navier–Stokes equations, J.C. ROBINSON, J.L.RODRIGO,
W. SADOWSKI & A. VIDAL-LÓPEZ (eds)
431 Harmonic and subharmonic function theory on the real hyperbolic ball, M. STOLL
432 Topics in graph automorphisms and reconstruction (2nd Edition), J. LAURI & R. SCAPELLATO
433 Regular and irregular holonomic D-modules, M. KASHIWARA & P. SCHAPIRA
434 Analytic semigroups and semilinear initial boundary value problems (2nd Edition), K. TAIRA
435 Graded rings and graded Grothendieck groups, R. HAZRAT
436 Groups, graphs and random walks, T. CECCHERINI-SILBERSTEIN, M. SALVATORI & E. SAVA-HUSS
(eds)
437 Dynamics and analytic number theory, D. BADZIAHIN, A. GORODNIK & N. PEYERIMHOFF (eds)
438 Random walks and heat kernels on graphs, M.T. BARLOW
439 Evolution equations, K. AMMARI & S. GERBI (eds)
440 Surveys in combinatorics 2017, A. CLAESSON et al (eds)
441 Polynomials and the mod 2 Steenrod algebra I, G. WALKER & R.M.W. WOOD
442 Polynomials and the mod 2 Steenrod algebra II, G. WALKER & R.M.W. WOOD
443 Asymptotic analysis in general relativity, T. DAUDÉ, D. HÄFNER & J.-P. NICOLAS (eds)
444 Geometric and cohomological group theory, P.H. KROPHOLLER, I.J. LEARY, C. MARTÍNEZ-PÉREZ &
B.E.A. NUCINKIS (eds)
445 Introduction to hidden semi-Markov models, J. VAN DER HOEK & R.J. ELLIOTT
446 Advances in two-dimensional homotopy and combinatorial group theory, W. METZLER &
S. ROSEBROCK (eds)
447 New directions in locally compact groups, P.-E. CAPRACE & N. MONOD (eds)
448 Synthetic differential topology, M.C. BUNGE, F. GAGO & A.M. SAN LUIS
449 Permutation groups and cartesian decompositions, C.E. PRAEGER & C. SCHNEIDER
450 Partial differential equations arising from physics and geometry, M. BEN AYED et al (eds)
451 Topological methods in group theory, N. BROADDUS, M. DAVIS, J.-F. LAFONT & I. ORTIZ (eds)
452 Partial differential equations in fluid mechanics, C.L. FEFFERMAN, J.C. ROBINSON & J.L. RODRIGO (eds)
453 Stochastic stability of differential equations in abstract spaces, K. LIU
454 Beyond hyperbolicity, M. HAGEN, R. WEBB & H. WILTON (eds)
455 Groups St Andrews 2017 in Birmingham, C.M. CAMPBELL et al (eds)
456 Surveys in combinatorics 2019, A. LO, R. MYCROFT, G. PERARNAU & A. TREGLOWN (eds)
457 Shimura varieties, T. HAINES & M. HARRIS (eds)
458 Integrable systems and algebraic geometry I, R. DONAGI & T. SHASKA (eds)
459 Integrable systems and algebraic geometry II, R. DONAGI & T. SHASKA (eds)
460 Wigner-type theorems for Hilbert Grassmannians, M. PANKOV
461 Analysis and geometry on graphs and manifolds, M. KELLER, D. LENZ & R.K. WOJCIECHOWSKI
462 Zeta and L-functions of varieties and motives, B. KAHN
463 Differential geometry in the large, O. DEARRICOTT et al (eds)
464 Lectures on orthogonal polynomials and special functions, H.S. COHL & M.E.H. ISMAIL (eds)
465 Constrained Willmore surfaces, Á.C. QUINTINO
466 Invariance of modules under automorphisms of their envelopes and covers, A.K. SRIVASTAVA,
A. TUGANBAEV & P.A.GUIL ASENSIO
467 The genesis of the Langlands program, J. MUELLER & F. SHAHIDI
468 (Co)end calculus, F. LOREGIAN
469 Computational cryptography, J.W. BOS & M. STAM
‘This volume celebrates the research career of Arjen Lenstra. The volume covers the latest research
in many areas of applied cryptography: from algorithms for factoring and discrete log, to fast
implementations of computer algebra, to the selection of cryptographic key sizes. Each topic is
masterfully covered by a top researcher in the respective area. The information covered in this
volume will serve readers for many years to come, and is sure to inspire further research on these
topics.’
– Dan Boneh, Stanford University
‘This book demonstrates the breathtaking diversity of Arjen Lenstra’s research over the last 40
years, and the deep influence his work has had on computational aspects of cryptography. Each
chapter is written by a leading domain expert and provides an “in a nutshell” overview of a specific
topic. The book is sure to become an important reference for experts and beginners alike.’
– Kenneth Paterson, ETH Zurich
‘With highly accessible surveys by leading cryptographers, this book hits all pins with a single
strike: framing the important area of “computational cryptography” through its fascinating history,
peeking into its (no less prominent) future, and celebrating the impactful research career of one of
its principal architects, Arjen Lenstra.’
– Ronald Cramer, CWI Amsterdam and Leiden University
Computational Cryptography
Algorithmic Aspects of Cryptology
Edited by
J O P P E W. B O S
NXP Semiconductors, Belgium
M A RT I J N S TA M
Simula UiB, Norway
University Printing House, Cambridge CB2 8BS, United Kingdom
One Liberty Plaza, 20th Floor, New York, NY 10006, USA
477 Williamstown Road, Port Melbourne, VIC 3207, Australia
314–321, 3rd Floor, Plot 3, Splendor Forum, Jasola District Centre,
New Delhi – 110025, India
103 Penang Road, #05–06/07, Visioncrest Commercial, Singapore 238467
Cambridge University Press is part of the University of Cambridge.

It furthers the University’s mission by disseminating knowledge in the pursuit of
education, learning, and research at the highest international levels of excellence.
www.cambridge.org
Information on this title: www.cambridge.org/9781108795937
DOI: 10.1017/9781108854207
© Cambridge University Press 2021
This publication is in copyright. Subject to statutory exception
and to the provisions of relevant collective licensing agreements,
no reproduction of any part may take place without the written
permission of Cambridge University Press.
First published 2021
Printed in the United Kingdom by TJ Books Limited, Padstow Cornwall
A catalogue record for this publication is available from the British Library.
Library of Congress Cataloging-in-Publication Data
Names: Bos, Joppe W., editor. | Stam, Martijn, editor.
Title: Computational cryptography : algorithmic aspects of cryptology /
edited by Joppe W. Bos, NXP Semiconductors, Belgium, Martijn Stam,
Simula UiB, Norway.
Description: Cambridge, United Kingdom ; New York, NY, USA : Cambridge
University Press, 2021. | Series: London mathematical society lecture
note series | Includes bibliographical references and index.
Identifiers: LCCN 2021012303 (print) | LCCN 2021012304 (ebook) |
ISBN 9781108795937 (paperback) | ISBN 9781108854207 (epub)
Subjects: LCSH: Cryptography. | BISAC: MATHEMATICS / Number Theory |
MATHEMATICS / Number Theory
Classification: LCC QA268 .C693 2021 (print) | LCC QA268 (ebook) |
DDC 005.8/24–dc23
LC record available at https://lccn.loc.gov/2021012303
LC ebook record available at https://lccn.loc.gov/2021012304
ISBN 978-1-108-79593-7 Paperback
Cambridge University Press has no responsibility for the persistence or accuracy of
URLs for external or third-party internet websites referred to in this publication
and does not guarantee that any content on such websites is, or will remain,
accurate or appropriate.
Contents
List of Contributors page x

Preface xi
1 Introduction Joppe W. Bos and Martijn Stam 1

1.1 Biographical Sketch 1
1.2 Outline 9
Part I Cryptanalysis
2 Lattice Attacks on NTRU and LWE:

A History of Refinements Martin R. Albrecht and Léo Ducas 15
2.1 Introduction 15
2.2 Notation and Preliminaries 17
2.3 Lattice Reduction: Theory 18
2.4 Practical Behaviour on Random Lattices 20
2.5 Behaviour on LWE Instances 29
2.6 Behaviour on NTRU Instances 34
3 History of Integer Factorisation Samuel S. Wagstaff, Jr 41

3.1 The Dark Ages: Before RSA 41
3.2 The Enlightenment: RSA 47
3.3 The Renaissance: Continued Fractions 50
3.4 The Reformation: A Quadratic Sieve 55
3.5 The Revolution: A Number Field Sieve 58
3.6 An Exquisite Diversion: Elliptic Curves 62
3.7 The Future: How Hard Can Factoring Be? 67
viii Contents
4 Lattice-Based Integer Factorisation:

An Introduction to Coppersmith’s Method Alexander May 78
4.1 Introduction to Coppersmith’s Method 79
4.2 Useful Coppersmith-Type Theorems 80
4.3 Applications in the Univariate Case 85
4.4 Multivariate Applications: Small Secret Exponent RSA 95
4.5 Open Problems and Further Directions 100
5 Computing Discrete Logarithms Robert Granger and

Antoine Joux 106
5.1 Introduction 106
5.2 Elliptic Curves 110
5.3 Some Group Descriptions with Easier Discrete Logarithms 118
5.4 Discrete Logarithms for XTR and Algebraic Tori 122
5.5 Discrete Logarithms in Finite Fields of Fixed Characteristic 130
5.6 Conclusion 139
6 RSA, DH and DSA in the Wild Nadia Heninger 140

6.2 RSA 141
6.3 Diffie–Hellman 154
6.4 Elliptic-Curve Diffie–Hellman 170
6.5 (EC)DSA 174
6.6 Conclusion 181
7 A Survey of Chosen-Prefix Collision Attacks Marc Stevens 182

7.1 Cryptographic Hash Functions 182
7.2 Chosen-Prefix Collisions 186
7.3 Chosen-Prefix Collision Abuse Scenarios 190
7.4 MD5 Collision Attacks 212
Part II Implementations
8 Efficient Modular Arithmetic Joppe W. Bos, Thorsten Kleinjung

and Dan Page 223
8.1 Montgomery Multiplication 224
8.2 Arithmetic for RSA 225
8.3 Arithmetic for ECC 237
8.4 Special Arithmetic 243
Contents ix
9 Arithmetic Software Libraries Victor Shoup 251

9.2 Long-Integer Arithmetic 254
9.3 Number-Theoretic Transforms 259
9.4 Arithmetic in Z p [X] for Multi-Precision p 270
9.5 Arithmetic in Z p [X] for Single-Precision p 282
9.6 Matrix Arithmetic over Z p 286
9.7 Polynomial and Matrix Arithmetic over Other Finite Rings 289
9.8 Polynomial and Matrix Arithmetic over Z 289
9.9 The Future of NTL 291
10 XTR and Tori Martijn Stam 293

10.1 The Birth of XTR 293
10.2 The Magic of XTR 297
10.3 The Conservative Use of Tori 304
10.4 Pairings with Elliptic Curves 308
10.5 Over the Edge: Cyclotomic Subgroups Recycled 311
11 History of Cryptographic Key Sizes Nigel P. Smart and

Emmanuel Thomé 314
11.2 Attacking Symmetric Algorithms with Software and
Hardware 315
11.3 Software Attacks on Factoring and Discrete Logarithms 318
11.4 Hardware for Factoring 323
11.5 Attacking Cryptosystems Based on Elliptic Curves 325
11.6 Post-Quantum Cryptography 329
11.7 Key-Size Recommendation 332
References 335
Index 383
Contributors
Martin R. Albrecht Information Security Group, Royal Holloway, University

of London, United Kingdom
Joppe W. Bos NXP Semiconductors, Leuven, Belgium
Léo Ducas Centrum Wiskunde & Informatica (CWI), Amsterdam, The Nether-
lands
Robert Granger University of Surrey, Guildford, United Kingdom
Nadia Heninger University of California, San Diego, USA
Antoine Joux CISPA Helmholtz Center for Information Security, Saarbrücken,
Germany
Thorsten Kleinjung EPFL, Lausanne, Switzerland
Alexander May RUB, Bochum, Germany
Dan Page University of Bristol, Bristol, United Kingdom
Victor Shoup New York University, New York, USA
Nigel P. Smart imec-COSIC, KU Leuven, Leuven, Belgium
Martijn Stam Simula UiB, Bergen, Norway
Marc Stevens Centrum Wiskunde & Informatica (CWI), Amsterdam, The Nether-
lands
Emmanuel Thomé Université de Lorraine, CNRS, INRIA, Nancy, France
Samuel S. Wagstaff, Jr Purdue University, West Lafayette, USA
Preface
This book is a tribute to the scientific research career of Professor Arjen K.

Lenstra, on the occasion of his 65th birthday. Its main focus is on computa-
tional cryptography. This area, which he has helped to shape during the past
four decades, is dedicated to the development of effective methods in algo-
rithmic number theory that improve implementation of cryptosystems or that
further their cryptanalysis. Here, cryptanalysis of cryptosystems entails both
the assessment of their overall security and the evaluation of the hardness of
any underlying computational assumptions. In the latter case, the area inter-
sects non-trivially with high-performance scientific computing. The technical
chapters in this book are inspired by his achievements in computational crypto-
graphy.
Arjen is best known for his seminal work on the algorithmic aspects of vari-
ous factorisation problems. In the early 1980s, he started with efficient factori-
sation of polynomials with rational coefficients. This work led to the celebrated
Lenstra–Lenstra–Lovász lattice reduction algorithm. Furthermore, he devised
factorisation techniques for polynomials defined over other algebraic struc-
tures, such as finite fields or number fields. Towards the end of the decade, his
focus shifted to integer factorisation methods, particularly development of the
number field sieve, and its impact on the selection of strong cryptographic keys
for widely deployed cryptographic standards. His honours include the RSA
Award for Excellence in Mathematics in 2008 and his lifetime appointment as
Fellow of the International Association for Cryptologic Research (IACR) in
2009.
In addition to his rich research career, Arjen is a great educator and he
has provided lasting inspiration to many of his students. We both were lucky
enough to have him as our PhD supervisor and we will come back to our re-
spective experiences momentarily. This book is intended for students in se-
curity and cryptography as well as for security engineers and architects in
xii Preface
industry who want to develop a deeper understanding about the algorithms

used in computational cryptography.
When I (Martijn) started my PhD studies at the TU Eindhoven, Arjen was
not yet appointed as a part-time professor there, but as soon as he did, there was
an immediate click. Although he wasn’t physically in Eindhoven that often,
his availability and generosity with his time always struck me. We often met at
conferences, where he would invariably join the front row, providing me with
a running commentary, but also where he would introduce me to his wider
academic network. One peculiarity when working with Arjen is his absolute
aversion of footnotes, which he enthusiastically weeded out of early drafts
of papers and also discouraged by expecting some friendly ‘compensation’
for each footnote remaining in my final PhD thesis. When he was appointed
as a full professor at EPFL, a few years after my graduation, he asked me
whether I wanted to join as a post-doctoral researcher. During those years he
encouraged me to explore my own research agenda and helped me to mature
as an independent academic.
After I (Joppe) obtained my master’s degree in Amsterdam, the required
funding for a PhD position related to integer factorisation failed to materialise.
When Arjen learned about this, he arranged for me to come over and even-
tually start my PhD study in Lausanne. There we had the coolest equipment
to brag about at birthday parties: a cluster of PlayStation 3 game consoles.
More seriously, with his broad academic network he ensured I could collabo-
rate with the brightest minds in public-key cryptology. This led to a summer
internship under the supervision of Peter Montgomery at Microsoft Research,
where I eventually became a post-doctoral researcher which paved the way for
me to join the Competence Center Crypto & Security at NXP Semiconductors.
I learned a lot from Arjen’s direct but honest way of conducting research and
to always ask critical questions when people skim over the sometimes compli-
cated but necessary details.
It was a genuine pleasure for both of us (being PhD siblings) to honour
Arjen’s scientific career. We would like to thank all the contributors who are
leading researchers in the various fields for their participation and hope you
(the reader) will enjoy reading this book and be as enthusiastic about the fas-
cinating and interesting field of computational cryptography as we are.
1
Introduction
Joppe W. Bos and Martijn Stam
This introductory chapter provides a sketch of Arjen Klaas Lenstra’s scientific

career, followed by a preview of the technical chapters. We are indebted to
Ronald Cramer and Herman te Riele for information about Arjen’s longstand-
ing connections to CWI, Monique Amhof for providing additional information
about Arjen’s time at EPFL and Peter van Emde Boas for his kind permission
to use a photograph from his private collection.
1.1 Biographical Sketch

Arjen Klaas Lenstra was born on 2 March 1956 in Groningen, the Nether-
lands. He received a BA and an MA degree in Mathematics and Physics at
the University of Amsterdam in 1975 and 1980, respectively. The picture in
Figure 1.1 shows Arjen defending his master’s thesis. Afterwards, he obtained
a research position at CWI – the Dutch national research institute for mathe-
matics and computer science – in Amsterdam and started conducting his PhD
research. Actually, when Arjen started in 1980, the institute was still called
Mathematisch Centrum, but in 1983 it would be renamed CWI, an abbrevi-
ation for ‘Centrum voor Wiskunde en Informatica’, using the Dutch words
‘wiskunde’ for mathematics and ‘informatica’ for computer science. This re-
naming reflected the emergence of computer science as a discipline in its own
right, separate from mathematics. In retrospect, the new name CWI turned out
to be indicative for Arjen’s research career as well. Throughout, his work has
provided exemplary proof of the impressive powers summoned by harnessing
both mathematics and computer science. Since his PhD days, he has always
maintained close links with CWI, for instance, as an officially appointed advi-
sor from 2004 until 2017, but also by co-supervision of various PhD students
from CWI over the years.
2 Joppe W. Bos and Martijn Stam
Figure 1.1 Arjen defending his master’s thesis on 10 December 1980. The
committee, seated behind the desk, was formed by Th. J. Dekker, Peter van
Emde Boas and Hendrik W. Lenstra, Jr. Photo from the private collection of
van Emde Boas.
Arjen’s own PhD research at CWI was conducted under the external super-
vision of Peter van Emde Boas and, in 1984, he received his PhD degree at the
University of Amsterdam for his work on ‘polynomial time algorithms for the
factorization of polynomials’ [312, 362, 363, 364, 380], which was also the
title of his PhD thesis [365]. One key ingredient of this research became one of
his most widely known results: the Lenstra–Lenstra–Lovász (LLL) lattice basis
reduction algorithm, a polynomial time lattice basis reduction algorithm [380].
The LLL algorithm found countless applications, as described in more detail
in the LLL book [457] that was published to commemorate its 25th birthday.
Accurately predicting the effectiveness and efficiency of lattice reduction algo-
rithms continues to be a key tool in the cryptanalytic toolbox. Indeed, with the
ongoing post-quantum cryptographic standardisation effort, LLL and similar
algorithms play an essential role in determining the practical parameters for
lattice-based cryptography. This is detailed further in Chapter 2.
From 1984 to 1989, Arjen was a visiting professor at the computer science
department of the University of Chicago. During this time he retained a posi-
tion as visiting researcher at CWI and he conducted multiple summer research
visits to Digital Equipment Corporation (DEC) in Palo Alto, CA. These lat-
ter visits resulted in the famous distributed effort using factoring by electronic
mail together with Mark S. Manasse [371]. Such computational cryptanalysis
1 Introduction 3
Figure 1.2 Reward for the factorisation of the Scientific American RSA chal-
lenge.
is essential to understand the practical security strength of the Rivest–Shamir–

Adleman (RSA) cryptosystem [501], which is related to the presumed hardness
of integer factorisation. It marked the start of Arjen’s research in all compu-
tational aspects of integer factorisation, leading to his involvement in virtu-
ally all integer factorisation records. His records include the factorisation of
the ninth Fermat number [382] using the first implementation of the number
field sieve [381], solving the famous Scientific American RSA challenge [24]
by using the quadratic sieve algorithm [478], the kilo-bit [22] special num-
ber field sieve factorisation [474], new elliptic-curve integer factorisation [388]
records by using game consoles [90] and the factorisation of the RSA-768 chal-
lenge [327] (but see also [90, 117, 118, 143, 156, 165, 329, 371, 372, 384]).
His work on the Scientific American RSA challenge was even featured on the
front page of the New York Times on 12 October 1988 and, after some delay,
he and his collaborators received their due reward for solving this challenge,
as evidenced by Figure 1.2. His brother Hendrik would eventually refer to him
as ‘world champion in factoring’.
Arjen’s involvement led to many practical optimisations of these algorithms
[167, 224, 372, 392, 428] and most notably to the development of the num-
ber field sieve [381]. A historical overview of integer factorisation techniques,
including the asymptotically best methods to which Arjen contributed, is pro-
vided in Chapter 3.
In order to run integer factorisation algorithms on a large variety of com-
puter architectures, a portable and fast arbitrary-length integer arithmetic soft-
ware library was needed. Arjen developed the software library FreeLIP (1988–
1992), later maintained by Paul Leyland. FreeLIP was used in the early integer
factorisation records and formed the early backbone of Shoup’s Number The-
ory Library (NTL). More details about the relationship between FreeLIP, NTL,
and other high-performance, portable software libraries for doing number the-
ory are outlined and explained in Chapter 9.
Recall that Arjen’s PhD research on polynomial factoring included the LLL
algorithm for lattice reduction. In 1996, Coppersmith [136, 137] showed how
the LLL algorithm can be used to factor poorly generated RSA keys in poly-
nomial time. Lattice-based integer factorisation methods are the main topic of
Chapter 4. In this chapter, the details behind Coppersmith’s method and how
to use this for assessing the security of the RSA cryptosystem are explained.
Showing the practical impact of various asymptotic methods and deter-
mining, for given circumstances, which is superior is one of the main in-
gredients when recommending cryptographic key sizes in standards. Arjen
pioneered the concrete extrapolation of known factoring and DLP methods
to determine meaningful bit-level security estimates for common cryptosys-
tems, including their long-term security. His contributions in this field are
widely known and valued by academia, industry and government agencies
alike [328, 368, 376, 379] and served as the foundation to determine the ex-
act key sizes for different security levels for virtually all public-key crypt-
ographic standards. More details about the history of selecting appropriate
cryptographic keys and current recommendations are described in Chapter 11.
From 1989 to 1996, Arjen held various positions at Bell Communica-
tions Research, Morristown, NJ, in the Mathematics and Cryptology Research
Group. From 1996 to 2002 he was Vice President of Emerging Technologies
in the Corporate Technology Office of Citibank and from 2002 to 2004 Vice
President, Information Security Services, still at Citibank. He joined Lucent
Technologies’ Bell Labs in 2004 where he stayed until the end of 2005.
In addition to his corporate positions at Citibank and later Bell Labs, from
2000 to the end of 2005 Arjen held a position as part-time professor at the
Department of Mathematics and Computer Science at the Technische Univer-
siteit Eindhoven in the Netherlands. When the appointment was still being
negotiated, the Dean had to keep the Faculteitsraad (‘Departmental Council’)
informed, although without mentioning any concrete names. At the time, the
Dean happened to be his brother Jan Karel, who appeared to take some plea-
sure in referring to an excellent candidate for a part-time professorship as a
reknowned Dutch cryptographer who – tongue in cheek – had turned banker.
At the beginning of this period, Arjen invented XTR, together with Eric
Verheul [375, 377, 378]. In Eindhoven, Arjen remotely supervised a number
of PhD students, including this book’s second editor, whose topic was related
to XTR [559, 560]. An overview of XTR and subsequent developments is pro-
vided in Chapter 10.
At the start of 2006, Arjen was appointed a professor at the École
1 Introduction 5
Figure 1.3 Photo of Arjen in front of the PS3 cluster taken in 2014. Copy-
right @Tamedia Publications romandes/Sabine Papilloud.
Polytechnique Fédérale de Lausanne (EPFL) in Lausanne, Switzerland. At

EPFL, it is customary for professors to name their group a ‘laboratory’ with
associated acronym. Arjen proudly settled on LACAL, as it worked both in
French and in English. Of course, for any abbreviation to work in both those
languages, it helps if this is a palindrome and LACAL fitted the bill perfectly.
In English it stands for LAboratory for Cryptologic ALgorithms, whereas in
French it reads LAboratoire de Cryptologie ALgorithmique.
At LACAL, Arjen continued his focus on the design and analysis of algo-
rithms used in cryptographic protocols or security assessments. Given Arjen’s
interest in computational cryptography, in hindsight it was no surprise that
he started to investigate cheap and powerful alternatives to conventional com-
puter clusters, culminating in the purchase of 215 first generation PlayStation 3
(PS3) game consoles in 2007. The purchase of this exotic computer cluster co-
incided with the start of the PhD of this book’s first editor in Arjen’s group
at EPFL. Arjen and his cluster were featured in a local newspaper in 2014; a
photo as used by the newspaper of Arjen posing in front of the cluster is shown
in Figure 1.3.
The main motivation for using the PS3 game console for computational
cryptography was the Cell processor: a powerful general-purpose processor,
which on the first generation PS3s could be accessed using Sony’s hypervisor.
What made a PS3’s Cell processor especially interesting were its eight Syner-
gistic Processing Units (SPUs), although when running Linux only six of these
SPUs can be used (as one is disabled and one is reserved by the hypervisor).
Each SPU runs independently from the others at 3.2GHz, using its own 256
kilobyte of fast local memory for instructions and data. It is cache-less and
has 128 registers of 128 bits each, allowing Single Instruction, Multiple Data
(SIMD) operations on 16 8-bit, 8 16-bit, or 4 32-bit integers. This opens up a
myriad of algorithmic possibilities to enhance cryptographic as well as crypt-
analytic applications. Indeed, a wide variety of projects were executed on the
PS3 cluster.
A particular notorious one was a continuation of Arjen’s previous work with
Xiaoyun Wang and Benne de Weger related to the possibility of constructing
meaningful hash collisions for public keys [369, 385]. This research effort, led
by Marc Stevens, resulted in short chosen-prefix collisions for MD5 and, more
impactful, rogue CA certificates [570, 573, 574]. The details are described in
Chapter 7.
The PS3 cluster was also used by the first author for a PhD project to com-
pute a 112-bit elliptic curve discrete logarithm, an effort roughly equivalent to
14 full 56-bit DES key searches and, at the time, a new ECDLP record [89, 91].
It is worth highlighting that members of Arjen’s lab LACAL played an impor-
tant role in the fall of discrete logarithms in finite fields of fixed character-
istic over the past decade. Arjen’s involvement in computing discrete loga-
rithms [91, 330, 366] as well as recent progress is detailed in Chapter 5.
Other computational research sparked by the cluster include fast modular
multiplication [85, 86, 90]. Chapter 8 provides a detailed description on fast
modular reduction.
Working with the cluster was a fun and unique experience: after all, not ev-
ery PhD student gets the opportunity to work with such challenging computer
equipment. The bespoke installation of the cluster also led to some hilarious
moments. At some point, after a global power glitch at EPFL, the PhD students
(first author included) had to climb the racks in order to manually switch on
every PS3 again, all much to Arjen’s entertainment.
In an original twist on ‘dual-use cryptography’, Arjen had part of the cluster
reconfigured as PlayLab: a room of 25 PS3s equipped with game controllers
and headsets (see Figure 1.4). This room was used to host groups of children
between 7 and 18 years old. There were various kinds of demos and presen-
tations, ranging from explaining the Cell processor as an eight-headed dragon
to a live demo on MD5 password cracking. The presentations in the PlayLab
always ended with the opportunity for the children to play some games. Arjen
himself is not in any sense a gamer, a fact that is emphasised in an interview in
2011 [607]:
1 Introduction 7
Figure 1.4 PlayLab: a room of 25 PS3s equipped with game controllers and
headsets for visits of groups of children aged 7 to 18.
My first exposure to computer games was in 1974, in the basement of the mathematics
department of the university of Amsterdam, where about half a dozen terminals were
remotely connected to Amsterdam’s only computer (a CDC with 12-bit bytes, and com-
putationally speaking probably less powerful than a current microwave oven). It may
have been the dungeon-like environment or the unhealthy look of those who were play-
ing, but it did not attract me and that never changed. But, 25 of our playstations are
equipped with monitors and students can come and play one of the many games that
we have.
Besides these computational results, Arjen has a keen interest in the security
assessment of widely deployed security systems. One year he enthusiastically
returned from the RSA conference with a sizeable stash of security dongles
that, upon pressing a button, would reveal a supposedly random six-digit se-
curity code. He had been using this exact same device for some application
already and, after an eery feeling of not-quite-randomness, he had started keep-
ing track of the numbers, which indeed revealed a pattern. Now, the question
was whether the problem was device specific or not, so upon spotting a large
bowl of such devices at the RSA conference, he quietly set upon collecting a
few more samples to confirm his suspicions. After a responsible disclosure to
those hosting the stand with the bowl, the bowl promptly disappeared for the
rest of the conference. Yet, enough devices had been secured to task a mas-
ter’s student with pressing the button sufficiently often to reverse-engineer and
successfully cryptanalyse the device.
More seriously, the interest in deployed security system extended to imple-

mentation mistakes or misuse [374, 386]. An age-old adage in cryptanalysis
is ‘to look for plaintext’. In the context of RSA public keys, specifically the
public moduli, this can be translated to look for primes (indeed!) or common
factors. It turns out RSA moduli are often not as random as one might wish.
Progress in this fascinating area is described in Chapter 6.
Arjen’s expertise, broad interest and entertaining way of asking questions,
make him a regular member of PhD committees. Memorable are the moments
where he asks seemingly naive questions which, in the heat of a defense, can
catch a candidate off guard. In one instance, a candidate working on lattice
reduction to find the shortest vector was asked why one would not look for the
longest vector in lattice instead. In another instance, a candidate working on
weaknesses of RSA when either the public exponent e or the private exponent
d is small, was asked what would happen if e and d are small simultaneously.
Among EPFL students, Arjen is well known for his clear, fun and interesting
lectures. To illustrate examples, he often uses characters from popular televi-
sion series, for example from the American television sitcom The Big Bang
Theory. The students’ appreciation is highlighted by him twice receiving the
‘polysphère de faculté IC’ (the teaching award handed out by the students from
the computer science department), first in 2008 and then again in 2018. Even
more impressively, in 2011 he received the overall, EPLF-wide best teaching
award (the ‘polysphère d’or’).
The Big Bang Theory also featured at LACAL’s movie lunches, where the
team watched an episode of the series, or 30 to 45 minutes of a movie, ev-
ery day while eating: one summer we consumed a substantial part of the
best Spaghetti Westerns. Perhaps it is a tradition inspired by an earlier one,
where Arjen would watch the latest movies with Professor Johannes Buch-
mann while visiting the flagship conference ‘Crypto’ in Santa Barbara, USA.
One such movie was Pulp Fiction, an all-time favorite. Indeed, Arjen’s pref-
erence for movies from the director Quentin Tarantino or the Coen brothers
is no secret. His ideal table partner would be Jules Winnfield (a character in
Pulp Fiction played by Samuel L. Jackson) ‘to make philosophy lessons less
unbearable’ [177]. His adoration for Tarantino even made it into a scientific
publication: see e.g. ‘that’s a bingo’ [327, Section 2.5] from the movie Inglou-
rious Basterds.
1 Introduction 9
1.2 Outline
Computational cryptography has two sides: a potentially destructive side and
a constructive one. The destructive side challenges the hardness assumptions
underlying modern cryptographic systems by the development of suitable
number-theoretic algorithms; the constructive side offers techniques and rec-
ommendations that help implement and deploy cryptosystems. Although the
two sides are intricately intertwined, this book is divided into two parts ac-
cordingly. The first part is dedicated to cryptanalysis, whereas the second part
focusses on the implementation aspects of computational cryptography.
In Chapter 2, ‘Lattice Attacks on NTRU and LWE: A History of Refine-
ments’, Martin R. Albrecht and Léo Ducas provide an overview of the ad-
vances and techniques used in the field of lattice reduction algorithms. Four
decades after its invention, the LLL algorithm still plays a significant role in
cryptography, not least because it has become one of the main tools to assess
the security of a new wave of lattice-based cryptosystems intended for the new
post-quantum cryptographic standard. The runtime of the LLL algorithm was
always well understood, but the quality of its output, i.e., how short its output
vectors were, could be hard to predict, even heuristically. Yet, an important
aspect in the evaluation of the new lattice schemes are accurate predictions of
the hardness of the underlying lattice problems, which crucially relies on esti-
mating the ‘shortness’ of the vectors that can be efficiently found using lattice
reduction and enumeration. Albrecht and Ducas have been on the forefront of
improving such estimators and build upon their expertise in their chapter.
In Chapter 3, ‘History of Integer Factorisation’, Samuel S. Wagstaff, Jr, gives
a thorough overview of the hardness of one of the cornerstones of modern
public-key cryptography. The history starts with the early effort by Eratos-
thenes and his sieve, eventually leading to the modern number field sieve, cur-
rently the asymptotically fastest general-purpose integer factorisation method
known. Also included are ‘special’ integer factorisation methods like the el-
liptic curve method, where the run-time depends mainly on the size of the
unknown prime divisor. Modern factorisation efforts often include a gradual
escalation of different methods, so it is essential to be familiar with a wide
range of methods and the essence of all relevant algorithms is explained clearly.
Wagstaff’s chapter is based on his far more extensive book on the same topic
[611].
In Chapter 4, ‘Lattice-Based Integer Factorisation: An Introduction to Cop-
persmith’s Method’, Alexander May investigates the use of LLL to factor in-
tegers as pioneered by Coppersmith. Conceptually, Coppersmith’s method can
be deceptively simple: given additional information about an integer to factor
(e.g., the knowledge that an RSA key pair (N, e) has a small corresponding
private exponent d), derive a system of equations with a small root that reveals
the factorisation and use LLL to find the small root. As a result, it becomes
possible to explore exponentially sized search spaces, while preserving poly-
nomial time using the famous LLL lattice reduction algorithm. Yet, exploiting
Coppersmith’s method in a cryptographic context optimally often involves a
number of clever choices related to which system of equations to consider. At
first, a tantalisingly annoying problem where the choice may appear obvious
only in retrospect. May uses his extensive experience in improving the state of
the art to explain the reasoning behind various applications in his chapter.
In Chapter 5, ‘Computing Discrete Logarithms’, Robert Granger and An-
toine Joux discuss the question ‘how hard is it to compute discrete logarithms
in various groups?’. The key ideas and constructions behind the most efficient
algorithms for solving the discrete logarithm problem are detailed, with a focus
on the recent advances related to finite fields of extension degree >1. A high-
light is the rapid development, in the period 2012–2014, of quasi-polynomial
time algorithms to solve the DLP in finite fields of fixed charaterstic. Both
Granger and Joux contributed significantly to this development, albeit on com-
peting teams. For this book, they join forces and explain how different ideas
eventually led to the fall of the fixed characteristic finite field discrete logarithm
problem.
In Chapter 6, ‘RSA, DH and DSA in the Wild’, Nadia Heninger outlines
the various cryptographic pitfalls one can – but really should not – make in
practice. Often it is possible to bypass the ‘hard’ mathematical problem a cryp-
tosystem is based upon, and instead take advantage of implementation, deploy-
ment or protocol mistakes to extract the private key. Often, the techniques used
are excellent examples of the interplay of mathematics and computer science,
requiring a combination of ingenuity to find the core idea and perseverance to
exploit the weakness in practice. Heninger gives a wide-ranging overview of
the multitude of cryptographic implementation vulnerabilities that have been
found in the past decades and their impact in practice, including a fair num-
ber where she was personally involved in identifying the vulnerability. In her
chapter, she wonders whether after several decades of implementation chaos
and catastrophic vulnerabilities, we are doomed, but concludes that there is
hope yet by bringing into practice the lessons learned.
In Chapter 7, ‘A Survey of Chosen-Prefix Collision Attacks’, Marc Stevens
surveys the technical advances, impact and usage of collision attacks for the
most widely used cryptographic hash functions. Cryptographic hash functions
are the Swiss army knives within cryptography and are used in many ap-
plications including digital signature schemes, message authentication codes,
1 Introduction 11
password hashing, cryptocurrencies and content-addressable storage. Stevens

was one of the driving forces in turning initial weaknesses in the compression
function into practical attacks against various widely deployed protocols re-
lying on hash function collision resistance for their security. In his chapter, he
explains how each scenario involves the development of slightly different ideas
to exploit weaknesses in especially MD5.
Chapters 2 to 7 constitute the ‘Cryptanalysis’ part of the book. They directly
affect the vast majority of currently deployed public-key cryptography, as well
as an important family of future, post-quantum schemes. In the second part
of this book, ‘Implementations’, the emphasis shifts to techniques and recom-
mendations to deploy public-key cryptosystems.
In Chapter 8, ‘Efficient Modular Arithmetic’, Joppe W. Bos, Thorsten Klein-
jung and Dan Page discuss how to realise efficient modular arithmetic in prac-
tice on a range of platforms. They cover generic modular multiplication rou-
tines such as the popular Montgomery multiplication as well as special routines
for primes of a specific shape. Moreover, especially fast methods are outlined
that might produce errors with a very small probability. Such faster ‘sloppy
reduction’ techniques are especially beneficial in cryptanalytic settings. Bos,
Kleinjung and Page have all been involved in various cryptographic and crypt-
analytic record-setting software implementations. In their chapter, they explain
how to select the most efficient modular arithmetic routines for the cryptologic
implementation task at hand.
In Chapter 9, ‘Arithmetic Software Libraries’, Victor Shoup provides a peek
under the hood of NTL, a software library for doing number theory, as well as
its relation to a few other related software libraries. NTL supports data struc-
tures and arithmetic operations manipulating signed, arbitrary-length integers,
as well as extensions dealing with vectors, matrices, finite fields, and poly-
nomials over the integers. These mathematical objects are essential building
blocks for any efficient cryptologic implementation. As Shoup explains, he
started development of NTL around 1990 in order to implement novel number-
theoretic algorithms and determine at what point theoretical, asymptotic gains
turned practical. NTL has become an essential tool for number-theoretic crypt-
analysis to answer how well algorithms perform in practice and contains sev-
eral algorithms for lattice basis reduction, including LLL. As explained in
Shoup’s chapter, NTL might have been initially based on FreeLIP, and it con-
tinues to evolve to make best use of GMP and modern hardware to provide
cutting-edge performance.
In Chapter 10, ‘XTR and Tori’, Martijn Stam discusses how to work effi-
ciently and compactly in certain multiplicative subgroups of finite fields. The
emphasis is on XTR, which works in the cyclotomic subgroup of F p6 . Stam
worked extensively on speeding up XTR and related systems based on alge-

braic tori and uses his first-hand knowledge to provide a historical perspective
of XTR in his chapter.
In Chapter 11, ‘History of Cryptographic Key Sizes’, Nigel P. Smart and
Emmanuel Thomé provide an overview of improvements over the years in es-
timating the security level of the main cryptographic hardness assumptions.
These improvements heavily rely on the algorithmic innovations discussed in
Chapters 2 to 5, but combining all those ideas into concrete key-size recom-
mendations is not immediate. Smart and Thomé have been at the forefront of
cryptanalytic research and recommending cryptographic key sizes and con-
clude with current recommendations in their chapter.
P AR T I
CRYPTANALYSIS
2
Lattice Attacks on NTRU and LWE:
A History of Refinements
Martin R. Albrecht and Léo Ducas
2.1 Introduction
Since its invention in 1982, the Lenstra–Lenstra–Lovász (LLL) lattice re-
duction algorithm [380] has found countless applications. In cryptanaly-
sis, the two most prominent applications of LLL and its generalisations,
e.g., Slide [205], Block-Korkine–Zolotarev (BKZ) [512, 520] and Self-Dual
BKZ (SD-BKZ) [425], are factoring RSA keys with extra information on the
secret key via Coppersmith’s method [136, 451] (see the chapter by Alexander
May) and the cryptanalysis of lattice-based schemes.
After almost 40 years of cryptanalytic applications, predicting and optimis-
ing lattice reduction algorithms remains an active area of research. While we
do have theorems bounding the worst-case performance of these algorithms,
those bounds are asymptotic and not necessarily tight when applied to practi-
cal or even cryptographic instances. Reasoning about the behaviour of those
algorithms relies on heuristics and approximations, some of which are known
to fail for relevant corner cases.
Recently, decades after Arjen Lenstra and his co-authors gave birth to this
fascinating and lively research area, this state of affairs became a more press-
ing issue. Motivated by post-quantum security, standardisation bodies, govern-
ments and industries started to move towards deploying lattice-based crypto-
graphic algorithms. This spurred the refinement of those heuristics and approx-
imations, leading to a better understanding of the behaviour of these algorithms
over the past few years.
Lattice reduction algorithms, such as LLL and BKZ, proceed with re-
peated local improvements to the lattice basis, and each such local improve-
ment means solving the short(est) vector problem in a lattice of a smaller di-
mension. Therefore, two questions arise: how costly is it to find those local
16 Martin R. Albrecht and Léo Ducas
improvements and what is the global behaviour when those improvements are
applied.
While these two questions may not be perfectly independent, we will, in
this chapter, survey the second one, namely, the global behaviour of such algo-
rithms, given oracle access for finding local improvements. Our focus on the
global behaviour is motivated by our intent to draw more of the community’s
attention to this aspect. We will take a particular interest in the behaviour of
such algorithms on a specific class of lattices, underlying the most popular
lattice problems to build cryptographic primitives, namely the Learning with
Errors (LWE) problem and the NTRU problem. We will emphasise the approx-
imations that have been made, their progressive refinements and highlight open
problems to be addressed.
2.1.1 LWE and NTRU

The LWE problem and the NTRU problem have proven to be versatile build-
ing blocks for cryptographic applications [104, 218, 274, 493]. For both of
these problems, there exist ring and matrix variants. More precisely, the origi-
nal definition of NTRU is the ring variant [274] and the matrix variant is rarely
considered whereas for LWE the original definition is the matrix variant [494]
with a ring variant being defined later [401, 561]. In this chapter, we gener-
ally treat the matrix variants since our focus is on lattice reduction for general
lattices.
Definition 2.1 (LWE [494]). Let n, q be positive integers, χ be a probability
distribution on Z and s be a uniformly random vector in Znq . We denote by Ls,χ
the probability distribution on Znq ×Zq obtained by choosing a ∈ Znq uniformly at
random, choosing e ∈ Z according to χ and considering it in Zq , and returning
(a, c) = (a, a, s + e) ∈ Znq × Zq .
Decision-LWE is the problem of deciding whether pairs (a, c) ∈ Znq × Zq are
sampled according to Ls,χ or the uniform distribution on Znq × Zq .
Search-LWE is the problem of recovering s from pairs (a, c) = (a, a, s + e) ∈
Znq × Zq sampled according to Ls,χ .
We note that the above definition puts no restriction on the number of sam-
ples, i.e., LWE is assumed to be secure for any polynomial number of samples.
Further, since for many choices of n, q, χ solving Decision-LWE allows solv-
ing Search-LWE [105, 494] and vice versa, it is meaningful just to speak of
the LWE problem (for those choices of parameters). By rewriting the system
in systematic form [23], it can be shown that the LWE problem, where each
component of the secret s is sampled from the error distribution χ, is as secure
2 Lattice Attacks on NTRU and LWE: A History of Refinements 17
as the problem for uniformly random secrets. LWE with such a secret, follow-
ing the error distribution, is known as normal form LWE. We will consider
normal form LWE in this chapter. Furthermore, in this note, the exact spec-
ification of the distribution χ will not matter, and we may simply specify an
LWE instance by giving the standard deviation σ of χ. We will, furthermore,
implicitly assume that χ is centred, i.e., has expectation 0. We may also write
LWE in matrix form as A · s + e ≡ c mod q. The NTRU problem [274] is
defined as follows.
Definition 2.2 (NTRU [274]). Let n, q be positive integers, f, g ∈ Zq [x] be
polynomials of degree n sampled from some distribution χ, subject to f being
invertible modulo a polynomial φ of degree n, and let h = g/ f mod (φ, q).
The NTRU problem is the problem of finding f, g given h (or any equivalent
solution (xi · f, xi · g) for some i ∈ Z).
Concretely, the reader may think of φ = xn + 1 when n is a power of two and
χ to be some distribution producing polynomials with small coefficients. The
matrix variant considers F, G ∈ Zn×n
q such that H = G · F−1 mod q.
2.2 Notation and Preliminaries

All vectors are denoted by bold lower case letters and are to be read as column
vectors. Matrices are denoted by bold capital letters. We write a matrix B as
B = (b0 , . . . , bd−1 ) where bi is the ith column vector of B. If B ∈ Rm×d has full-
column rank d, the lattice Λ generated by the basis B is denoted by Λ(B) =
{B·x | x ∈ Zd }. A lattice is q-ary if it contains q Zd as a sublattice, e.g., {x ∈ Zdq |

x · A ≡ 0} for some A ∈ Zd×d . We denote by (b0 , . . . , bd−1 ) the Gram–Schmidt
(GS) orthogonalisation of the matrix (b0 , . . . , bd−1 ). For i ∈ {0, . . . , d − 1}, we
denote the orthogonal projection to the span of (b0 , . . . , bi−1 ) by πi ; π0 denotes
‘no projection’, i.e., the identity. We write πv for the projection orthogonal
to the space spanned by v. For 0 ≤ i < j ≤ d, we denote by B[i: j] the local
projected block (πi (bi ), . . . , πi (b j−1 )), and when the basis is clear from context,
by Λ[i: j] the lattice generated by B[i: j] . We write lg(·) for the logarithm to base
two.
The Euclidean norm of a vector v is denoted by v. The volume (or de-

terminant) of a lattice Λ(B) is vol(Λ(B)) = i bi . It is an invariant of the
lattice. The first minimum of a lattice Λ is the norm of a shortest non-zero
vector, denoted by λ1 (Λ). We use the abbreviations vol(B) = vol(Λ(B)) and
λ1 (B) = λ1 (Λ(B)).
The Hermite constant γβ is the square of the maximum norm of any shortest
vector in all lattices of unit volume in dimension β:

γβ = sup λ21 (Λ) | Λ ∈ Rβ , vol(Λ) = 1 .
Minkowski’s theorem allows us to derive an upper bound γβ = O(β), and
this bound is reached up to a constant factor: γβ = Θ(β).
2.3 Lattice Reduction: Theory

All lattices of dimension d ≥ 2 admit infinitely many bases, and two bases
B, B generate (or represent) the same lattice if and only if B = B · U for some
unimodular matrix U ∈ GLd (Z). In other words, the set of (full-rank) lattices
can be viewed as the quotient GLd (R)/ GLd (Z). Lattice reduction is the task of
finding a good representative of a lattice, i.e., a basis B ∈ GLd (R) representing
Λ ∈ GLd (R)/ GLd (Z).
While there exists a variety of formal definitions for what is a good repre-
sentative, the general goal is to make the Gram–Schmidt basis B as small as
possible. Using the simple size-reduction algorithm (see [454, Algorithm 3]),
it is possible to also enforce the shortness of the basis B itself.

It should be noted that because we have an invariant i bi = vol(Λ), we
cannot make all GS vectors small at the same time, but the goal becomes to
balance their lengths. More pictorially, we consider the log profile of a basis as
the graph of ( i = lg bi )i=0...d−1 as a function of i. By the volume invariant,
the area under this graph is fixed, and the goal of reduction is to make this
graph flatter.
A very strong1 notion of reduction is the Hermite–Korkine–Zolotarev
(HKZ) reduction, which requires each basis vector bi to be a shortest non-zero
vector of the remaining projected lattice Λ[i:d] . The Block-Korkine–Zolotarev
(BKZ) reduction relaxes HKZ, only requiring bi to be close-to-shortest in a
local ‘block’. More formally, we have the following.
Definition 2.3 (HKZ and BKZ [454]). The basis B = (b0 , . . . , bd−1 ) of a lattice
Λ is said to be HKZ reduced if bi = λ1 (Λ(B[i:d] )) for all i < d. It is said BKZ
reduced with block size β and ≥ 0 if bi ≤ (1 + ) · λ1 (Λ(B[i:min(i+β,d)] )) for
all i < d.
In practice, the BKZ algorithm [512, 520] and its terminated variant [257]
1 HKZ should nevertheless not be considered to be the strongest notion of reduction. Indeed
HKZ is a greedy definition, speaking of the shortness of each vector individually. One could
go further and require, for example, Λ[0:d/2] to be a densest sublattice of Λ [491].
Algorithm 2.1 High-level description of the BKZ algorithm.

Input: LLL-reduced lattice basis B and block size β
1: repeat
2: for i ← 0 to d − 2 do
3: LLL on B[i:min(i+β,d)]
4: v ← find a short vector in Λ B[i:min(i+β,d)]
5: insert v into B at index i and handle linear dependencies with LLL
6: until until no more change
are commonly employed to perform lattice reduction. BKZ is also the algo-
rithm we will focus on in this chapter.
The BKZ algorithm will proceed by enforcing the condition bi ≤ (1 + ) ·
λ1 (Λ(B[i:min(i+β,d)] )) cyclically for i = 0, . . . , d − 2, 0, . . . , d − 2, 0 . . . , see Algo-
rithm 2.1. However, each modification of bi may invalidate the same condition
for j i. The value of , which allows to account for numerical instability, is
typically chosen very close to 0 (say 0.01); we may sometimes omit it and just
speak of a BKZ-β reduced basis. Overall, we obtain the following guarantees
for the BKZ algorithm.
Theorem 2.4 (BKZ). If a basis B is BKZ-β reduced with parameter > 0 it
satisfies

• b0 ≤ (1 + ) · γβ β−1 +1 · vol(Λ(B))1/d (Hermite factor) and
d−1
d−1
• b0 ≤ (1 + ) · γβ β−1 · λ1 (Λ(B)) (approximation factor).
Remark. The approximation factor is established in [517], the Hermite factor
√ d−1
bound is claimed in [206]. In [257] a bound of 2 · γβ β−1 +3 is established for
√ d−1
the terminating variant. In [258] this bound is improved to K · β β−1 +0.307 for
some universal constant K.
Asymptotically, the lattice reduction algorithm with best, known worst-case
guarantees is Slide reduction [205]. We refer to its introduction by Gama and
Nguyen [205] for a formal definition, which requires the notion of duality, and
only state some of its guarantees concerning Gram–Schmidt length here.
Theorem 2.5 (Slide reduction [205]). If a basis B is Slide reduced for param-
eters β | d and > 0 it satisfies
d−1
• b0 ≤ (1 + ) · γβ β−1 · vol(Λ(B))1/d (Hermite factor) and
d−β
• b0 ≤ (1 + ) · γβ β−1 · λ1 (Λ(B)) (approximation factor).
In practice, BKZ is not implemented as in Algorithm 2.1. Most notably,

stronger preprocessing than LLL is applied. A collection of improvements to
the algorithm (when enumeration is used to instantiate the SVP oracle) are
collectively known as BKZ 2.0 [122] and implemented, e.g., in FPLLL [587]
and thus Sage [562]. Slide reduction is also implemented in FPLLL.
2.4 Practical Behaviour on Random Lattices

2.4.1 Shape Approximation
The Gaussian heuristic predicts that the number |Λ∩B| of lattice points inside a
measurable body B ⊂ Rn is approximately equal to vol(B)/ vol(Λ). Applied to
Euclidean d-balls, it leads to the following prediction of the length of a shortest
non-zero vector in a lattice.
Definition 2.6 (Gaussian heuristic). We denote by gh(Λ) the expected first
minimum of a lattice Λ according to the Gaussian heuristic. For a full-rank
lattice Λ ⊂ Rd , it is given by
1/d
vol(Λ)
1/d Γ 1 + d2 d
gh(Λ) = = √ · vol(Λ)1/d ≈ · vol(Λ)1/d ,
vol(B) π 2πe
where B denotes the d-dimensional Euclidean ball. We also denote by gh(d)
the quantity gh(Λ) of any d-dimensional lattice Λ of volume 1: gh(d) ≈
√
d/2πe. For convenience we also denote lgh(x) for lg(gh(x)).
Combining the Gaussian heuristic with the definition of a BKZ reduced ba-
sis, after BKZ-β reduction we expect

lg vol(Λ(B[i:min(i+β,d)] ))
i = lg λ1 (Λ(B[i:min(i+β,d)] )) ≈ lgh(min(β, d − i)) +
min(β, d − i)
min(i+β,d)−1
j=i j
= lgh(min(β, d − i)) + .
min(β, d − i)
If d β this linear recurrence implies a geometric series for the bi .
Considering one block of dimension β and unit volume, we expect i = (β −
i − 1) · lg(αβ ) for i = 0, . . . , β − 1 and some αβ . We obtain
β−1
1
0 = (β − 1) · lg(αβ ) ≈ lgh(β) + j · lg(αβ )
β j=0
= lgh(β) + (β − 1)/2 · lg(αβ ).

Solving for αβ assuming equality we obtain αβ = gh(β)2/(β−1) .

Applying the same argument to a basis in dimension d β with i = (d −
(d−1)/2
i − 1) · lg(αβ ) for i = 0, . . . , d − 1, we get b0 /vol(Λ)1/d = αd−1
β /αβ =
α(d−1)/2
β = gh(β)(d−1)/(β−1) . This is known as the geometric series assumption
(GSA).
Definition 2.7 (GSA [518]). Let B be a BKZ-β reduced basis of a lattice of
volume V. The geometric series assumption states that
d − 1 − 2i 1
lg bi = i = · lg(αβ ) + lg V,
2 d
where αβ = gh(β)2/(β−1) .
The above assumption is reasonably accurate in the case β d (and β
50), but it ignores what happens in the last d − β coordinates. Indeed, the last
block is HKZ reduced, and should therefore follow the typical profile of an
HKZ reduced basis.
Under the Gaussian heuristic, we can predict the shape 0 . . . d−1 of an HKZ
reduced basis, i.e., the sequence of expected norms for the vectors bi . This,
as before, implicitly assumes that all the projected lattices Λi also behave as
random lattices. The sequence is inductively defined as follows.
Definition 2.8. The (unscaled) HKZ shape of dimension d is defined by the
following sequence for i = 0, . . . , d − 1:
1
hi = lgh(d − i) − hj .
d−i j<i
This leads to the following refinement of the GSA.

Definition 2.9 (Tail-adapted geometric series assumption (TGSA)). Let B be
a BKZ-β reduced basis of a lattice of volume V. The TGSA states that
d − 1 − 2i
i = · lg αβ + s if 0 ≤ i ≤ d − β ,
2
i = hi−(d−β) + d−β − h0 if d − β ≤ i < d ,
where s ∈ R is the scaling term such that i = lg V.
We plot an example for a basis after BKZ reduction under the GSA and
the TGSA in Figure 2.1 to illustrate their respective shapes. In Figure 2.1 we
chose d = 2 β to highlight the difference between the two models. As can be
seen from that figure, the first few indices of the HKZ shape drop slower than
predicted by the GSA and the last indices drop faster.
GSA
TGSA
0 200 400 600 800 1000

i
Figure 2.1 GSA and TGSA for d = 1000 and β = 500.
√
Appealing to the Gaussian heuristic, we may also replace γβ , i.e., worst-
case bounds, with gh(β), i.e., average-case expectations, in Theorems 2.4
and 2.5. This suggests the following heuristics.
Definition 2.10 (Estimates for block reductions). If a basis B is BKZ-β re-
duced for 50 β d we expect
√ d−1
αβ · vol(Λ(B))1/d (Hermite factor)
b0 min
αd−1
β · λ1 (Λ(B)) (approximation factor).
If a basis B is Slide reduced with parameter β we expect
⎧√
⎪
⎪
⎨ αβ d−1 · vol(Λ(B))
1/d
(Hermite factor)
b0 min ⎪⎪
⎩ d−β
αβ · λ1 (Λ(B)) (approximation factor).
The cases over which the minimum is taken define two regimes: the ‘Hermite
regime’ and the ‘approximation regime’.
If the lattice is random, then λ1 ≈ gh(Λ) and we expect to be in the Hermite
regime; the approximation regime is only triggered by the presence of an un-
usually short vector. In the Hermite regime, we can replace by ≈ and we will
discuss what happens in the approximation regime further in Section 2.5.4.
We note that the literature usually writes the above approximate equations
1/d
in terms of the so-called root-Hermite factor δβ (b0 /vol(Λ)1/d ) . We can
√ 1−1/d √
therefore establish that δβ = αβ ≈ αβ . We note that making this approx-
imation or not leads to the ‘−1 discrepancy’ blamed on [19] in a footnote
·10−2
6
4
lg(αβ )
2 lg(δβ ) with δβ as in Eq. (2.1)

Average observed lg(αβ )
0
0 10 20 30 40 50 60 70 80 90
β
Figure 2.2 Experimentally observed slopes of 16 lattices compared with δβ

as predicted in Eq. (2.1). The input lattices are q-ary lattices in dimension
d = 170 with q = 220 − 3; the experimental lg(αβ ) are established using a
least-square fit of the log Gram–Schmidt vectors.
of [15]: the analysis of [19] simply did not apply this approximation step.
In [121] an expression for δβ is given as
β 1
1 2(β−1)
lim δβ = · (π β) β (2.1)
β→∞ 2πe
assuming d β. Experimentally, Eq. (2.1) also holds with good accuracy for
β > 50 and typical d used in cryptography (say, d ≥ c · β for some c > 1). We
compare experimentally observed lg(αβ ) with the right-hand side of Eq. (2.1)
in Figure 2.2.
2.4.2 Simulators
While the (T)GSA provides a first rough approximation of the shape of a basis,
it is known to be violated in small dimensions [122]. Indeed, it also does not
hold exactly for larger block sizes when d is a small multiple of β, the case
most relevant to cryptography. Furthermore, it only models the shape after the
algorithm has terminated, leaving open the question of how the quality of the
basis improves throughout the algorithm. To address these points, Chen and
Nguyen [122] introduced a simulator for the BKZ algorithm which is often re-
ferred to as the ‘CN11 simulator’. It takes as input a list of i representing the
i−1
i
−i
i − i−1
0 200 400 600 800 1000 1200 1400

i
Figure 2.3 CN11 simulator output for β = 500 on random q-ary lattice in
dimension d = 1500.
shape of the input basis and a block size β. It then considers blocks i , . . . , i+β−1
of dimension β, establishes the expected norm of the shortest vector in this
block using the Gaussian heuristic and updates i . To address that the Gaussian
heuristic does not hold for β < 50, the simulator makes use of a precomputed
list of the average norms of a shortest vector of random lattices in small di-
mensions. The simulator keeps on going until no more changes are made or a
provided limit on the number of iterations or ‘tours’ is reached.
The simulator is implemented, for example, in FPyLLL [588] and thus in
Sage. In Figure 2.3 we plot the output of the simulator for a basis in dimension
1500 with block size 500 (solid line). We also plot the derivative (dotted line)
to illustrate that the GSA also does not hold for i < d − β. In fact, we observe
a ripple effect, with the tail shape exhibiting a damped echo towards the left of
the basis. The TGSA is in some sense only a first-order approximation, only
predicting the first ripple.
A further simulation refinement was proposed in [27]. Building upon [631],
the authors confirmed that the CN11 simulator can be pessimistic about the
norm of the first vector output by BKZ. This is because it assumes that the
shortest vector in a lattice always has the norm that is predicted by the Gaus-
sian heuristic. By, instead, modelling the norm of the shortest vector as a ran-
dom variable, the authors were able to model the ‘head concavity’ behaviour
of BKZ as illustrated in Figure 2.4 after many tours and in small block sizes.
They also proposed a variant of the BKZ algorithm (pressed-BKZ) that is tai-
lored to exploit this phenomenon. For example, they manage to reach a basis
Experiment
CN11 simulator [122]
BSW18 simulator [27]
0 20 40 60 80 100
i
Figure 2.4 Head concavity: dimension d = 2000 and block size β = 45 after
2000 tours, reproduced from [27].
reduction equivalent to BKZ-90 while only using block size 60. The authors
note, though, that the head concavity phenomenon does not significantly af-
fect cryptographic block sizes. Indeed, exploiting luck on this random variable
seems to be interesting for small block sizes only.
2.4.3 q-ary Lattices and the Z-Shape

Recall that both NTRU and LWE give rise to q-ary lattices. These lattices al-
ways contain the vector (q, 0, . . . , 0) and all its permutations. These so-called
‘q-vectors’ can be considered short, depending on the parameters of the in-
stance being considered, and might be shorter than what we would expect to
obtain following predictions such as the GSA or the TGSA. Furthermore, some
of those q-vectors naturally appear in the typical basis construction of q-ary lat-
tices. Even when this is not the case, they can be made explicit by computing
the Hermite Normal Form.
To predict lattice reduction on such bases, we may observe that one of the
guarantees of the LLL algorithm is that the first vector b0 never gets longer. For
certain parameters this can contradict the GSA. In fact, if b∗i does not change
for all i < j, then b∗j cannot become longer either, which means that after the
reduction algorithm has completed we may still have many such q-vectors at
the beginning of our basis, unaffected by the reduction. It is therefore tempting
to predict a piecewise linear profile, with two pieces. It should start with a flat
line at lg q, followed by a sloped portion following the predicted GSA slope.
8
Input shape
6 GSA prediction for LLL
LLL reduced bases
4
2
i
−2
−4
0 20 40 60 80 100 120 140 160 180
i
Figure 2.5 GSA and q-ary lattice contradiction. Norms of Gram–Schmidt

vectors of 180-dimensional random q-ary lattices with q = 17 and volume
q80 . The grey, blurry lines plot i for LLL reduced bases of 16 independent
lattices.
In fact, the shape has three pieces, and this is easy to argue for LLL, since
LLL is a self-dual algorithm.2 This means in particular that the last Gram–
Schmidt vector cannot get shorter, and following the same argument, we can
conclude that the basis must end with a flat piece of 1-vectors. All in all, the
basis should follow a Z-shape, and this is indeed experimentally the case [280,
625], as depicted in Figure 2.5, where we picked a small q to highlight the
effect. We shall call such a prediction [169, 625] the ZGSA.
It is tempting to extend such a ZGSA model to other algorithms beyond LLL
and this has been used for example in [169]. We might also attempt to refine
it to a ZTGSA model, where we put an HKZ tail just before the flat section
of Gram–Schmidt vectors of norm 1. However, this is a questionable way of
reasoning, because BKZ, unlike LLL, is not self-dual. However, it is worth
noting that it seems possible to force BKZ to behave in such a way, simply by
restricting BKZ to work on the indices up i < j, where j is carefully calibrated
so that bj ≈ 1. This is not self-dual, but up to the tail of BKZ, it would
produce a Z-shape as well.
Yet, we could also let BKZ work freely on the whole basis, and wonder
what would happen. In other words, we may ask whether it is preferable to
apply such a restriction to BKZ or not. A natural approach to answering this
2 This is not entirely true, as the size-reduction condition is not self-dual, but the constraints on
the Gram–Schmidt vectors themselves are, which is enough for our purpose.
4 CN11 simulator [122]

ZGSA [169]
2
i
0 20 40 60 80 100 120 140 160 180

i
Figure 2.6 BKZ behaviour on q-ary lattice bases with small q. Norms of
Gram–Schmidt vectors (grey, blurry lines) after BKZ-65 reduction of 16 180-
dimensional q-ary lattices with q = 17 and volume q80 compared with models
from the literature.
question would be to simply use the CN11 simulator, however, it appears that
the Z-shape is very poorly simulated. Indeed, while the simulator can easily
maintain q-vectors when they are shorter than the one locally predicted by
the Gaussian heuristic, the phenomenon on the right end of the Z seems more
complicated: some 1-vectors are replaced by Gram–Schmidt vectors of norm
strictly less than 1, but not all, see Figure 2.6. Thus, we see the Z-shape known
from the literature but with the addition of a kink in the tail block.
Simulating or predicting the behaviour of BKZ on q-ary lattices is still open,
but it would allow addressing the question if it can be exploited. A partial an-
swer seems obtainable by defining a specialised variant of the Gaussian heuris-
tic that takes orthogonal sublattices into account. Although we are not certain
that a deeper study of this phenomenon would lead to cryptanalytic advances, it
is nevertheless quite frustrating to have to resort to Z(T)GSA without a perfect
understanding of the behaviour of lattice reduction on this class of lattices.
2.4.4 Random Blocks?

The heuristic analysis of BKZ is based on the assumption that each sublattice
considered by the algorithm ‘behaves like a random lattice’ (strong version),
or at least that the expectation or distribution of its shortest vector is the same
as for a random lattice (weak version).
More formally, we would have to define the notion of a random lattice,
invoking the Haar measure. However, we can nevertheless interrogate this

heuristic without going into those details here. Indeed, as we can see in Fig-
ure 2.2, the predicted slopes below dimension 30 are far from the actual be-
haviour. In fact, the predictions for small block sizes are nonsensical as they
predict a flatter slope as β decreases below 30 and even an inversion of the
slope below block size ≈ 10.
Although we can observe the prediction and the observation converging for
block sizes above 50, what level of precision do we attribute to those pre-
dictions? Given the phenomena perturbing the GSA surveyed in this chapter
(heads, tails, ripples), how pertinent are the data from Figure 2.2? Pushing ex-
perimental evidence a bit further would be reassuring here: although we do not
expect surprises, it would be good to replace this expectation with experimen-
tal evidence.
But, more conceptually, we note that making the strong version of the heuris-
tic assumption (each block behaves like a random lattice) is self-contradictory.
Indeed, the model leads us to conclude that the shape is essentially a line, at
least when β d and the considered block B[κ:κ+β] is far from the head and
the tail, i.e., κ β, d − κ β. But this block, like all other blocks, is fully
HKZ-reduced: since bκ+i is a shortest vector of Λ(B[κ+i:κ+i+β] ), it is also a short-
est vector of Λ(B[κ+i:κ+β] ). Yet, HKZ-reduced bases of random lattices have a
concave shape not a straight slope.
We do not mean to discredit the current methodology to predict attacks
on lattice-based schemes; current evidence does suggest predictions such as
Eq. (2.5) in Section 2.5.4 are reasonably precise. In particular, the above argu-
ment does not rule out the weak version of the hypothesis: the shortest vector
of those non-random blocks may still have an expected length following the
Gaussian heuristic. In fact, for random lattices, it is known that the length of
the shortest vector is increasingly concentrated around the Gaussian heuristic;
there may be increasingly fewer lattices that fall far from it, which may explain
why a bias in the distribution of the lattices themselves does not translate to a
bias on the length of its shortest vector.
However, we wish to emphasise that the question of the distribution of those
local blocks is at the centre of our understanding of lattice reduction algo-
rithms but remains open. While even formulating specific yet relevant ques-
tions seems hard, this phenomenon suggests itself as a challenging but pressing
area to study.
2.5 Behaviour on LWE Instances

We can reformulate the matrix form of the LWE equation c − A · s ≡ e mod q
as a linear system over the integers as

qI −A ∗ c e
· + =
0 I s 0 s
or homogeneously as
⎛ ⎞ ⎛ ⎞ ⎛ ⎞
⎜⎜⎜qI −A c⎟⎟⎟ ⎜⎜⎜∗⎟⎟⎟ ⎜⎜⎜e⎟⎟⎟
⎜⎜⎜ ⎟ ⎜ ⎟ ⎜ ⎟
B = ⎜⎜⎜ 0 I 0⎟⎟⎟⎟⎟ , B · ⎜⎜⎜⎜⎜ s ⎟⎟⎟⎟⎟ = ⎜⎜⎜⎜⎜s⎟⎟⎟⎟⎟ , (2.2)
⎝ ⎠ ⎝ ⎠ ⎝ ⎠
0 0 t 1 t
where t is some chosen constant and ∗ stands in for an arbitrary vector. In
other
words, there exists an element in the lattice spannedby B with expected
norm (n + m) · σ2 + t2 . Let d = n + m + 1. If we have (n + m) · σ2 + t2 <
gh(Λ(B)) ≈ d
2π·e · qn/d then B admits an unusually short vector. With a slight
abuse of notation, we will refer to the (column) vector (eT , sT , t)T simply as
(e, s, t).
Remark. We note that when t q then Λ (B) is not a q-ary lattice as, in this
case, (0, . . . , 0, q)T Λ. The reader may think t = 1, which is commonly used
in practice albeit being slightly worse compared to t = σ, which maximises
λ2 (Λ)/λ1 (Λ) and which makes the problem easier.
2.5.1 Kannan Embedding

More generally, we can consider this approach to solving LWE as solving an
instance of the bounded distance decoding problem (BDD) using a solver for
the unique shortest vector problem.
Definition 2.11 (α-Bounded Distance Decoding (BDDα )). Given a lattice ba-
sis B, a vector t, and a parameter 0 < α < 1/2 such that the Euclidean distance
dist(t, B) < α · λ1 (B), find the lattice vector v ∈ Λ(B) that is closest to t.
Remark. In our definition above we picked α < 1/2, which guarantees a
unique solution. The problem can be generalised to 1/2 < α ≤ 1 where we
expect a unique solution with high probability.
We can view LWE with a fixed number of samples as an instance of BDD
(with overwhelming probability over the choice of the samples). Asymptoti-
cally, for any polynomially bounded γ ≥ 1 there is a reduction from BDD1/(√2 γ)
to uSVPγ [26]. The unique shortest vector problem (uSVP) is defined as fol-
lows.
Definition 2.12 (γ-unique Shortest Vector Problem (uSVPγ )). Given a lattice
Λ such that λ2 (Λ) > γ · λ1 (Λ) find a non-zero vector v ∈ Λ of length λ1 (Λ).
This reduction is essentially the embedding technique, due to Kannan [311],
presented at the beginning of this section, combined with some tricks to im-
prove the parameters of the reduction. For the remaining of this section, we will
discuss how strong we require lattice reduction to be to find a unique shortest
vector which can then be used to recover the secret values of an LWE instance.
2.5.2 Asymptotic Handwaving

Recall that in Definition 2.10 two regimes are defined, the Hermite regime
and the approximation regime. Now, consider decision LWE. On the one hand,
when c is just a random vector then the lattice spanned by B is a random q-ary
lattice and we are in the Hermite regime, i.e., λ1 (Λ(B)) ≈ gh(Λ(B)). On the
other hand, when c is formed as in LWE then Λ(B) contains (e, s, t) and we
expect λ1 (Λ(B)) = (e, s, t). Now, if this is sufficiently smaller than gh(Λ(B))
then we are in the approximation regime. Thus, one way to distinguish LWE
from uniform is to detect the ‘phase transition’ between the two regimes, the
point when the approximation regime ‘kicks in’, i.e., when
√ 2d−2 √
αβ · λ1 (Λ(B)) < αβ d−1 · vol(Λ(B))1/d for BKZ and
√ 2d−2β √
αβ · λ1 (Λ(B)) < αβ d−1 · vol(Λ(B))1/d for Slide reduction.
Rearranging we obtain the following success conditions
√
λ1 (Λ(B)) < αβ 1−d · vol(Λ(B))1/d with BKZ and (2.3)
√
λ1 (Λ(B)) < αβ 2β−d−1 · vol(Λ(B))1/d with Slide reduction (2.4)
for solving decision LWE in block size β.
2.5.3 The 2008 Estimates

Gama and Nguyen [206] performed experiments in small block sizes to estab-
lish when lattice reduction finds a unique shortest vector. They considered two
classes of semi-orthogonal lattices and Lagarias–Odlyzko lattices [350] which
permit to estimate the gap λ2 (Λ)/λ1 (Λ) between the first and second minimum
of the lattice. For all three families, it was observed in [206] that LLL and
BKZ seem to recover a unique shortest vector with high probability whenever
√
λ2 (Λ)/λ1 (Λ) ≥ τβ · αβ d , where τβ < 1 is an empirically determined constant
that depends on the lattice family, algorithm and block size used.
In [11] an experimental analysis of solving LWE based on the same estimate

was carried out for lattices of the form of Eq. (2.2). This lattice contains an
unusually short vector v = (e, s, t) of squared norm v2 = s2 + e2 + t2 and
we expect λ1 (Λ)2 = v2 . Thus, when t2 ≈ e2 + s2 respectively t = 1 this
√ √
implies λ1 (Λ) ≈ 2 (n + m) · σ respectively λ1 (Λ) ≈ n + m · σ. The second
minimum λ2 (Λ) is assumed to correspond to the Gaussian heuristic for the
lattice (a more refined argument would consider the Gaussian heuristic of Λ =
πv (Λ), but these quantity are very close for relevant parameters). Experiments
in [11] using LLL and BKZ with small block sizes (5 and 10) were interpreted
to matched the 2008 estimate, providing constant values for τβ for lattices of
the form of Eq. (2.2), depending on the chosen algorithm, for a 10 per cent
success rate. Overall, τβ was found to lie between 0.3 and 0.4 when using
BKZ.
We note that we may interpret this observation as being consistent with In-
equality (2.3).
2.5.4 The 2016 Estimate

The 2008 estimates offer no insight into why the algorithm behaves the way it
does but only provide numerically established constants that seem to somewhat
vary with the algorithm or the block size. In [19] an alternative estimate was
outlined. The estimate predicts that (e, s, t) can be found if

√
β/d · (e, s, t) ≈ β · σ2 < αβ 2β−d−1 · Vol(Λ(B))1/d , (2.5)
under the geometric series assumption (until a projection of the unusually short
vector is found). The right-hand side of the inequality is the expected norm of
the Gram–Schmidt vector at index d −β (see Definition 2.7). The left-hand side
is an estimate for πd−β ((e, s, t)) . If the inequality holds then πd−β ((e, s, t)) is a
shortest vector in B[d−β:d] and will thus be found by BKZ and inserted at index
d − β. This is visualised in the top part of Figure 2.7. Subsequent calls to an
SVP oracle on B[d−2β+1:d−β+1] would insert πd−2β+1 ((e, s, t)) at index d − 2β + 1
etc.
The 2016 estimate was empirically investigated and confirmed in [15]. The
authors ran experiments in block sizes up to 78 and observed that a BKZ man-
aged to recover the target vector with good probability as predicted in [19]. An
example is given in the bottom part of Figure 2.7. Furthermore, they showed
(under the assumption that vectors are randomly distributed in space) that once
BKZ has set bi = πd−β ((e, s, t)), calls to LLL are expected to suffice to recover
(e, s, t) itself.
Another random document with
no related content on Scribd:
“Bear!” and instantly out of their sleeping bags popped Alexey and
Aneguin, eager to get the first bear sighted since our ship sank. We
heard a couple of shots, and our mouths began to water. Um-m!
Bear steaks for dinner! But it was all wasted for soon the two Indians
were back, empty-handed and disgusted. The bear had been in such
excellent trim that they had had to fire at a thousand yards on a
rapidly reciprocating target as that bear humped himself over the ice,
and they had of course missed. However, it didn’t matter much,
claimed Alexey, as the bear was only a dirty brown one and not very
big, a remark which prompted the captain to ask innocently,
“Sour grapes, Alexey?” but Alexey only looked at him puzzled.
Grapes, sour or otherwise, never grew in his latitudes, so I’m afraid
he missed the point. Quieting our disappointed stomachs as best we
could, once more we turned in. But we got the bear. In the late
afternoon, Seaman Görtz, who had the watch the while the rest of us
slept, spotted him once again. This time Görtz kept his mouth shut
while the bear advanced to within five hundred yards of our camp,
and then, unnoticed, our lookout managed to crawl within a hundred
yards of him to plant two bullets in that bear where they did the most
good!
Now that we had him, he turned out to be a very fine bear indeed,
even Alexey admitting that ungrudgingly, and soon the air over that
floe was filled with an appetizing aroma of sizzling bear steaks that
fairly intoxicated us. We envied no man on earth his evening meal
that night as, disdaining pemmican, we gorged ourselves on bear.
But we needed it. When we broke camp and started for the island
ahead, we found ourselves with nothing but moving ice over which to
work our sledges.
For two days, mostly in fog, we fought our way toward that island,
with the floes breaking under us, sliding away from us, and the whole
pack alive around us. A gale blew up, and on the off side of the
hummocks about us, a bad surf broke and kept us drenched. Finally
on the third day, we found ourselves opposite the dimly visible
western tip of the island, with nothing but a forlorn chance left of ever
making the solid ground that so desperately we ached to rest
ourselves on. With but a few hundred yards remaining before the
pack finally drifted us past it forever, we sighted ahead a long floe of
heavy blue ice extending in toward the land, with only a few
openings between the floe and ours. We bridged the gaps, bounced
our sledges and boats over, and made good a mile and a half across
that floe. There we found more broken ice and water, which with
difficulty we started to cross in the fog by passing a line to a floe
beyond and using a smaller cake as a ferryboat, when suddenly the
fog lifted and there over our heads, some 2500 feet high, towered a
huge cliff, and sweeping past it as in a millrace were the floes on
which we rode!
We finished our ferry, ending on a moderate-sized floe drifting
rapidly past the fixed ice piled up at the base of the cliff, with the
southwest cape, our last slim chance to make the land, not far off.
For over two weeks we had dragged and struggled toward that
island; now in despair we found ourselves being helplessly swept by
it!
Our little floe, covered with sledges, men and dogs, whirled and
eddied in the race, spinning crazily, and threatening to break up any
moment, when we noted that if only it should make the next spin in
the right direction, it might touch a corner against the ice fringing the
land. We waited breathlessly. It did!
“Away, Chipp!” shouted De Long, and in an instant our sledges
started to move off that spinning floe. The first got away perfectly, the
second nearly went overboard, the third sledge shot into the sea,
carrying Cole with it, and the fourth was only saved by Erichsen who,
with superhuman strength, shoved an ice cake in for a bridge. We
couldn’t get the boat sledges over; our floe was already starting to
crack up. Working frenziedly as it broke, the few of us left on the floe
pushed the boats, their sledges still under them, off into the water
and the men already landed started to haul the boats over to them,
when away drifted the last remnant of that ice cake, carrying with it
De Long, Iversen, Aneguin and me, together with six dogs! For a few
minutes we were in a bad way, threatening to drift clear of the island
on that tiny ice cake with no food, except perhaps the dogs; while the
men ashore ran wildly along the ice-foot, unable to help us in any
manner.
Fortunately for us, a little further along a swirl drove our floe in
against a grounded berg for a second and dogs and all, we made a
wild leap for it; successfully too, for only three of us landed in the
water. Aneguin, the Indian, proved the best broad jumper. He landed
safely enough on the berg and dragged the rest of us up and out.
Soon reunited again, behind our dripping captain the entire ship’s
company straggled across the ice-foot to solid ground (the steep
face of the cliff), where clinging to the precipice with one hand, the
captain for the third time on our voyage displayed his silken banner,
proudly rammed its staff for a moment into the soil, and exclaimed,
“Men, this is newly discovered land. I therefore take possession of
it in the name of the President of the United States, and name it,
“Bennett Island!”
The men, most of them (except the five who had landed with me
on Henrietta Island) with their feet on solid ground for the first time in
two years, cheered lustily. Jack Cole then sang out,
“All hands, now. Three cheers fer Cap’n De Long!” in which all
again joined except Collins and (for the first time in his life managing
to keep his mouth shut when anybody gave him an order) Newcomb.
But our happy captain, not noticing that, turned to his executive
officer and jocularly remarked,
“We’ve been a long time afloat, Mr. Chipp. You may now give the
men all the shore leave they wish on American soil!”
It was July 28th when we landed; we stayed a week on Bennett
Island, resting mainly, while Nindemann and Sweetman worked
strenuously repairing our boats. All were badly damaged and
unseaworthy from the pounding they had received in the pack. The
whaleboat especially, our longest boat, had suffered severely and
every plank in its stern was sprung wide open. Sweetman did the
best he could in hurrying repairs, pouring grease into the leaking
seams and refastening planks, but it was a slow job nevertheless.
While this was going on, the men explored Bennett Island, which
we found to be of considerable extent (we never got to its northwest
cape), probably thirty miles long and over ten miles wide, very
mountainous, with many glaciers, running streams, no game we ever
saw, and thousands of birds nesting on the cliffs. This island, at least
three times the size of Henrietta Island, nicely finished off the honors
due the Bennett family, for we now had one each for Mr. Bennett, his
sister, and his mother.
Geologically, we found the island interesting. I discovered a thick
vein of bituminous coal, and Dr. Ambler found many deposits of
amethyst crystals, but what took our fancy most were the birds. We
knocked down innumerable murres with stones, which, fried in bear’s
grease, we ate with great relish. But they proved too much for Dr.
Ambler’s stomach, laying him in his tent for over a day.
On August 4th, with the boats all repaired, we made ready to
leave. To the southward of Bennett Island, the pack looked to us
badly broken up with enough large water openings to make it seem
that thereafter we could proceed mostly in the boats among drifting
floes, keeping the sledges for use when required. To this end, since
the dogs would be less necessary and feeding them on our
pemmican an unwarranted further drain on our stores, De Long
ordered ten broken-down dogs to be shot to avoid their suffering
should we abandon them, keeping only the twelve best for future
sledging, including husky Snoozer who was by now quite the
captain’s pet.
By sledge over the pack we had travelled almost exactly a
hundred miles in a straight line from where the Jeannette had sunk
to Bennett Island, though over the winding track as we actually
crossed the drifting ice we had dragged our sledges more than a
hundred and eighty miles and in so doing had ourselves tramped far
beyond a thousand miles on foot. We prepared hopefully to rely from
then on mainly on our boats, and for this purpose the captain
rearranged the parties, breaking up the sledge and tent groups in
which we previously had journeyed.
Into the first cutter with himself he took a total of thirteen—Dr.
Ambler, Mr. Collins, Nindemann, Erichsen, Kaack, Boyd, Alexey,
Lee, Noros, Dressler, Görtz and Iversen.
Into the second cutter (a smaller boat) under Lieutenant Chipp’s
command, he put ten—Mr. Dunbar, Sweetman, Sharvell, Kuehne,
Starr, Manson (later transferred to my boat), Warren, Johnson, and
Ah Sam (who later to lighten still further the second cutter, was
transferred to De Long’s boat).
Into the whaleboat, of which he gave me the command, also went
ten—Lieutenant Danenhower, Mr. Newcomb, Cole, Bartlett, Aneguin,
Wilson, Lauterbach, Leach, and Tong Sing.
Thus we made ready, with De Long commanding the largest and
roomiest boat, Chipp commanding the smallest boat, and me in
command of the whaleboat, considerably our longest craft though
not our greatest in carrying capacity. And promptly there flared up in
the Arctic an echo of that Line and Staff officer controversy agitating
our Navy at home. (At home, it lasted until the Spanish War showed
that we engineers were as important in winning battles as deck
officers, and maybe more so.)
I, as an engineer officer, belonged to the Staff; Danenhower, as a
deck officer, belonged to the Line, which alone maintained the claim
to actual command of vessels afloat. A whaleboat was not much of a
vessel, but nevertheless Danenhower, when he heard of the
assignments, promptly informed me he was going to protest to the
captain.
“Go ahead, Dan,” I said. “That’s perfectly all right with me.” So the
navigator went to the captain to object to a staff officer being given
command while he, a line officer, was put under my orders. In that
congested camp on Bennett Island, he didn’t have far to go to find
the skipper.
“Captain,” asked Dan, “what’s my status in the whaleboat?”
“You are on the sicklist, sir,” replied De Long.
“Who has command of the boat?” persisted Dan.
“Mr. Melville, under my general command.”
“And in case of a separation of the boats?” questioned the
navigator. “Suppose we lose you?”
“In that case,” said the captain, “Mr. Melville has my written orders
to command that boat and what to do with her.”
“Am I under his orders?”
“Yes, so far as it may be necessary for you to receive orders from
him.”
“But that puts me under the orders of a staff officer!” objected Dan
strenuously.
“Well, you’re unfit to take command of the boat yourself,” pointed
out the skipper. “You can’t see, Mr. Danenhower. I can’t put you on
duty now. So long as you remain on the sicklist, you will be assigned
to no military control whatever.”
“Why can’t I be put in a boat with a line officer, then?” asked Dan,
the idea of having to report to a staff officer rankling badly.
“Because I have no line officer left to put in that boat with you, and
because I have seen fit so to distribute our party. I want one line
officer in each boat. In an emergency, Mr. Melville may wish to have
your advice on matters of seamanship.”
“Well then,” replied Danenhower vehemently, “I remonstrate
against being kept on the sicklist.”
“But you’re sick and that’s nonsensical,” said De Long curtly.
“Why, sir, haven’t I the right to remonstrate?”
“You have, and I’ve heard you, and your remonstrance has no
effect,” replied the captain bluntly. “I’ve had the anxiety of your care
and preservation for two years and your coming to me on these
points now is simply an annoyance. I will not assign you to duty till
you’re fit for it, and that will be when the doctor discharges you from
the sicklist. I will not put other people’s lives in jeopardy by
committing them to your charge, and I consider your urging me to do
so is very un-officer-like conduct.”
Taken aback at this barbed comment on his complaint,
Danenhower asked hesitantly,
“Am I to take that as a private reprimand?”
“You can take it any way you please, Mr. Danenhower,” concluded
the irritated De Long, walking away to supervise the loading of the
first cutter, leaving the crestfallen navigator no alternative but to
come back to join me in the whaleboat.
“Don’t take it so hard, Dan,” I suggested. “Too bad about your
eyes, of course, but it can’t be helped now. We’ve always been the
best of friends and we’re not going to let this change things. As long
as you’re in the whaleboat, you can count on me, old man, not to say
or do anything that’ll hurt your feelings as an officer. Hop in, now;
we’re shoving off!”
Already delayed two days by bad weather, on August 6th we got
away from Bennett Island, with intense satisfaction, though the wind
had died away, being able to get underway in our boats under oars,
carrying the sledges and our twelve remaining dogs. The boats, of
course, packed with men, food, records, sledges, and dogs, were
heavily overloaded and in no condition to stand rough weather, but
we had smooth water and we made two miles before bringing up
against a large ice island. Here we lost most of our dogs, who not
liking water anyway, and objecting still more to the unavoidable
mauling they were getting in the crowded boats from the swinging
oars, promptly deserted the moment they saw ice again, by leaping
out on the floe, and we were unable to catch them. We worked
around the ice pack in the boats, by evening getting to its southern
side, where we camped on the ice, with five miles between us and
Bennett Island, a good day’s work and a heaven-sent relief from
sledging.
The weather was startlingly clear. Looking back, we got a
marvelous view of the island. When we had first reached it in late
July, its appearance was quite summery with mossy slopes and
running streams, but now winter had hit it with a vengeance.
Everything on it was snow-covered and the streams were freezing.
We regarded it with foreboding. The first week of August and the
brief Arctic summer was fading away, with four hundred miles before
us still to go on our journey to the Lena Delta. We must hurry, or the
open leads we now had for the boats would all soon freeze over.
For two weeks we stood on to the southwest, boating and
sledging. With luck in pushing away the ice with boathooks, we might
make five or six miles between broken floes before we met a pack
we could not get through afloat, when it was a case of unload the
boats, mount them on their sledges, and drag across the ice. By the
second day of this, we were down to two dogs, Snoozer and
Kasmatka, all the rest having deserted, but these two special
favorites were kept tied and so prevented from decamping. The boat
work, whether under sail or oars, was hard labor. There was no open
sea, merely leads in the open pack, and over most of these leads,
the weather was now cold enough to freeze ice a quarter of an inch
thick over night. We found we could not row through this, so the
leading boat, usually the first cutter, had to break a way, and all day
long men were poised in her bows with boathooks and oars breaking
up the ice ahead. And we had before us several hundred miles of
this!
The weather was bad, mostly fog, snow squalls, and some gales,
but because of the vast amount of floating ice, there was no room for
a heavy sea to kick up, and when a moderate sea rose, we always
hauled out on the nearest floe. And so camping on the ice at night,
hauling out for dinner, and making what we could under sail or oars
in between when we were not sledging over the pack, we stood on to
the southwest for the New Siberian Islands. At the end of one week’s
journeying, the snowfalls became frequent and heavy, troubling us
greatly, though they did provide us with good drinking water which
was an improvement over the semi-salted snow we got on the main
pack. By now it was the middle of August, sixty days since we had
left the Jeannette, and the expiration of the period for which originally
we had provided food. We were hundreds of miles from our
destination, and our food was getting low. Of course had it not been
for our going on short rations soon after our start, our position would
now be precarious, since the few seals, birds, and the solitary bear
we got, while luxurious breaks in our menu so long as they lasted
(which wasn’t long) meant little in the way of quantity.
By August 16th, nine days underway from Bennett Island, we had
made only forty miles—not very encouraging. Next day we did better
—ten miles under sail with only one break, but the day after, it was
once more all pulling with the oars and smashing ice ahead and slow
work again. But on August 19th we saw so much open water that we
joyfully imagined we were near the open sea at last. We loosed our
sails and until noon went swiftly onward with the intention of getting
dinner in our boats for the first time without hauling out on the ice,
and then continuing on all night also. Suddenly astern of us we saw
Chipp’s boat hastily douse sail, run in against a floe, and promptly
start to unload.
There was nothing for the rest of us (cursing fluently at the delay)
to do except to round to and secure to the ice till Chipp came up, and
long before he had managed that, the ice came down on us from all
sides before a northeast wind, so that shortly it looked as if there
was nothing but ice in the world. Chipp finally sledged his boat over
the pack to join us and we learned the ice had closed on him
suddenly, stove a bad hole in his port bow, and he had to haul out
hurriedly to keep from sinking.
By three p.m., Chipp had his boat repaired, using a piece of
pemmican can for a patch, and we were again ready. Each boat had
its sledge, a heavy oaken affair, slung athwartships across the
gunwales just forward of the mast. Abaft that, the boats were
jammed with men and supplies, the result being that they were both
badly overloaded and topheavy.
With great difficulty we poled our way through ice drifts packed
about us to more open water and made sail again before a
freshening breeze, De Long in the first cutter leading, my whaleboat
in the middle, and Chipp with the second cutter astern of all. We felt
we must be nearing the northerly coasts of the New Siberian Islands,
which we hoped to sight any moment and perhaps even reach by
night.
The breeze grew stronger and the sea started to kick up. My
whaleboat began to roll badly, taking in water over the gunwales,
and at the tiller I found it difficult to hold her steady on the course,
though with some bailing we got along fairly well, and so it seemed
to me did the first cutter ahead. But the second cutter astern, the
shortest boat of the three, was behaving very badly in that sea—
rolling heavily, sticking her nose into the waves instead of rising to
them, and evidently making considerable water. Hauling away a little
on my quarter and drawing up so he could hail the captain ahead,
Chipp bellowed down the wind,
“Captain! I’ve either got to haul out on the ice or heave overboard
this sledge! If I don’t, I’ll swamp!”
De Long decided to haul out. He waved to Chipp and me (he
being to leeward, we couldn’t hear him) indicating that we were to
haul out on a floe nearby on our lee side. The near side of that floe,
its windward side, had a bad surf breaking over the ice, so we tried
to weather a point on the floe and get around to its lee where we
could see a safe cove to haul out in, but our unwieldy boats would
not sail close enough to the wind, and we failed to make it. Chipp’s
case by this time was desperate; his boat was badly flooded and in
spite of all the bailing his men could do, the waterlogged cutter
seemed ready to sink under him. There was nothing for it but to land
on the weather side of the ice, which dangerous maneuver, with a
rolling sea breaking badly on the floe and shooting surf high into the
air, was skilfully accomplished without, to our intense relief,
smashing all our boats beyond repair.
The gale grew worse. It was now 7:30 p.m. and beginning to get
dark. (Between the later season of the year and our being farther
south, we no longer had the midnight sun with us, but instead about
eight hours of darkness.) There was no hope of further progress that
night, so we pitched camp on the floe, while the gale started to push
ice in about us from all directions.
That night before supper, the captain called Chipp and me to his
tent. The question for discussion was the boat sledges. We had
since leaving Bennett Island broken up all our other provision
sledges and burned them for fuel. Chipp strenuously insisted that the
boat sledges be treated likewise immediately.
“Captain,” he said, “I’m surprised I’m here to talk about it even! My
boat’s so topheavy with that sledge across her rails, a dozen times I
thought she’d either founder or capsize. And a man can’t swim a
minute in these clothes in that ice water. If she’d sunk under me,
long before you or the chief could’ve beat back against that wind to
pick us up, we’d all be gone!”
With Chipp’s facts, honestly enough stated, De Long was inclined
to agree and so was I, but the question was too serious to be
decided out of hand. On our first journey across the pack, the
sledges were our salvation, and it was the heavy boats (holding us
back like anchors) which we then gravely considered abandoning
lest our party perish before we ever reached water. Now the situation
was reversed; it was those boats, dragged across the ice at the cost
of indescribable agony, which had become our main hope of escape,
but still could we afford to abandon the sledges which so obviously
now imperilled our safety in the boats? We were not yet out of the
pack; one had only to poke his head through the tent flap to see as
much ice as ever we had seen. And if we had to sledge over much
more of the pack to get south, without those boat sledges we
couldn’t do it. What then should be done with the sledges?
With our lives very likely depending on that decision, we
considered it deeply. The conclusion, concurred in by all, was that
the certainty of disaster if we kept the sledges, outweighed the
possibility of being now caught permanently in pack ice, unable to
move except by sledging, and De Long finally give the order to burn
the sledges. In a few minutes, knives and hatchets in the hands of
sailors eager to make an end of those incubi before the captain
could change his mind, had reduced them to kindling and they were
burning merrily beneath our pots. No man regretted seeing them go
who had toiled in the harnesses dragging them and their bulky
burden of boats across the ice pack, laboring as men have never
done before, and as I hope may never have to again.
Further to help Chipp, the captain in expectation next morning of a
long voyage among the New Siberian Islands, decided to even
matters somewhat more by removing from Chipp’s stubby cutter,
only sixteen feet long, part of its load. Accordingly he decreased its
crew by two men, taking Ah Sam (our Chinese cook who had since
the sinking of the Jeannette with nothing but pemmican on the menu,
not cooked a meal, serving instead only as a beast of burden like all
others) into the first cutter with him, and sending Manson, a husky
Swedish seaman, to join my crew in the whaleboat. In addition, De
Long took into the first cutter part of Chipp’s supply of pemmican, still
more to lighten his boat which was certainly a worse sea boat than
either my twenty-five foot long whaleboat or his own twenty foot long
cutter.
With these rearrangements, we camped for the night in the midst
of a howling gale drifting snow about our tents, the while we
earnestly hoped that the wind would break up the pack in the
morning, and allow us to proceed.
But instead, for ten wearing days we lay in that camp, unable to
launch a boat and unable of course to sledge them over the broken
pack, while the weather varied between gales with heavy snow and
dismal fogs, and we ate our hearts out in inaction, watching our
scanty food supplies constantly melting away with no progress to
show for it. Our hard bread gave out altogether, our coffee was all
used up, and our menu came down to two items only, pemmican and
tea three times a day, with an ounce of our fast-vanishing lime-juice
for breakfast to ward off scurvy. To save what little alcohol we had
left (we had been using it for fuel for making tea and coffee) we
continued to burn up the kindling from our boat sledges, but long
before we broke camp, even that was all gone, and we started again
on our precious alcohol.
The tobacco gave out (each man had been permitted to take one
pound with him from the Jeannette). To the captain, an inveterate
pipe smoker, this was a severe trial and left him perfectly wretched,
till Erichsen, who still had a trifle left, generously shared with him the
contents of his pouch. De Long declined to take more than a pipeful,
but Erichsen insisting on an even division of his trifling remnant, the
skipper found he had enough for three smokes. Immediately seeking
out the doctor and Nindemann, he divided with them and together
they puffed on their pipes, in a mixed state of happiness and despair
watching the last tobacco from the Jeannette curling upward in
smoke wreaths into the Arctic air.
Next day, like the others, they were smoking used tea leaves and
getting little solace from them.
Our second day in this camp, through a rift in the fog we sighted
land twenty miles to the southward, in the captain’s opinion the
island of New Siberia, one of the largest islands of the New Siberian
group and the one farthest eastward in that archipelago.
As the days went by and in the fog and snow we drifted westward
with the pack before an easterly gale, the knowledge of that
unapproachable island added to our aggravations. We could do little
except repair our boats (which, using pemmican tallow, rags, and
lampwick for caulking materials, Nindemann and Sweetman labored
at) and wait for the pack to open, a constant watch night and day
being set with orders that if a lead appeared, we should immediately
launch our boats into it. But none showed up. In desperation at the
delay, which was bringing us face to face with the prospect of
starvation, De Long again sent for Chipp and me.
“Mr. Chipp,” he asked, “can you move your boat across this ice to
the land?”
“No,” said Chipp flatly. “It’ll stave in her bottom trying to ride her on
her keel.”
“Mr. Melville,” turning to me, “can you get the whaleboat across? Is
this any worse than when you landed with the dinghy on Henrietta
Island?”
“Captain,” I replied sadly, “no worse, but it’s as bad; the ice is just
as much alive. And I didn’t take the little dinghy to Henrietta Island,
even on her sledge; I left her at the edge of the moving pack. I can
get the whaleboat across this ice to that island if you order me, sir,
but when she gets there, she’ll be worthless as a boat.”
“Well, in that case,” remarked De Long, bitterly disappointed at our
views, “it’s no use taking them there.” And while he didn’t voice it,
there was little question but that he deeply regretted having ever cut
up the boat sledges. In my opinion, however, sledges or no sledges,
we couldn’t safely get those boats through to the land over that
swirling ice between. We started to leave.
“Hold on a moment,” ordered De Long, pulling a book out from
under his parka, “there’s something else.” He pushed his head out
the tent flap, called to the man on watch in the snow. “Send Seaman
Starr in here!”
In a moment or two, Starr, with his snow-flecked bulk practically
filling the tent, stood beside us. The captain opened the book. It was
in German, one of Petermann’s publications, the best we had on
New Siberia and the Lena Delta. Starr, aside from his Russian, could
also read German, and as he translated, De Long, Chipp, and I
followed on the chart, putting down Petermann’s data on the islands,
and especially on the Lena Delta, where near Cape Barkin were
marked winter huts and settlements, a signal station similar to a
lighthouse, and the indication that there we could get native pilots to
take us up the Lena. At this time the captain warned me that should
we be separated, Cape Barkin was to be our rendezvous. At that
point the delta formed a right-angled corner. To the westward from
Cape Barkin, the coast ran due west; but at the cape itself, the coast
turned and ran sharply south for over a hundred miles, while through
both the northern and the eastern faces of this corner-like delta, the
Lena discharged in many branches to the sea. But Cape Barkin at
this corner we must make—there between the pilots and the
settlements shown by Petermann, our voyage would end and our
troubles would be over. The remainder of our journey home would
merely be a tedious and probably a slow trip on reindeer sledges
southward from the Siberian coast inland fifteen hundred miles to
Irkutsk, then a long jaunt westward by post coaches to Moscow, and
so back to America. The captain marked it all out, made two copies
of his chart, one for me and one for Chipp, and then dismissing Starr,
told us,
“There are your charts with the courses laid out to Cape Barkin. As
I informed you in my written order at Bennett Island, Melville, if
unfortunately we are separated, you will continue on till you make
the mouth of the Lena River, and without delay ascend the Lena to a
Russian settlement from which you can be forwarded with your party
to a place of safety and easy access. Try to reach some settlement
large enough to feed and shelter your men before thinking about
waiting for me. And the same for you, Chipp. That’s all, gentlemen.
Be ready to start the instant the ice breaks.” He drew out his pipe,
ending the discussion. We took our charts and departed, leaving the
skipper trying to light off a pipeful of damp tea leaves.
On August 29th, after ten days of fuming in idleness during which
time our pack drifted first westward and then southward, the weather
cleared a bit and we found ourselves between Fadejovski and New
Siberia Islands, and closer to Fadejovski, the western one of the pair.
At noon, Dunbar scouting on the pack, reported a lead half a mile
away. Immediately we broke camp, and carrying our provisions on
our backs while we carefully skidded our boats along on their keels,
we dragged across that half mile of floe to the water and launched
our boats, thankful even for the chance the remainder of the
afternoon to fight our way through swirling ice cakes to the
southward. The drift in that lead was rapid, the broken ice there was
violently tumbling and eddying, and as we swept down the bleak
coast five miles off Fadejovski Island unsheltered from the intense
cold, with oars and boat hooks savagely fending off those heaving
floes on all sides of us to keep our frail boats from being crushed, it
was like making passage through the very gates of hell! For two
horrible days we worked along the coast fighting off impending death
in that swirling maelstrom of ice, when with the pack thinning
somewhat, we managed at last to work our way to land on the
southerly end of Fadejovski, three weeks underway since leaving
Bennett Island, and humbly grateful to find ourselves disembarking
still alive.
We stayed one night on a mossy slope trying to thaw our frozen
feet by tramping on something other than ice, and as Dunbar
expressively put it, “Sanding our hoofs.” They needed it. The most
pleased member of our party was Snoozer, now our sole remaining
dog, who joyously tore round chasing lemmings, while we sought for
real game which we didn’t find. And that night was served out our
last ration of lime-juice which so heroically salvaged by Starr from
the sinking Jeannette, had shielded us from scurvy for two and a half
months on our tramp over the ice. But we saw the last drops of that
unsavory medicine disappear without regret and without foreboding
for the future, for now we were nearing the open sea and our voyage
was nearing its end.
Next morning we shoved off from the south end of Fadejovski,
only to discover despondently that we had embarked on a twelve
days’ odyssey through the New Siberian Archipelago before which
our previous sufferings seemed nothing. We had not wholly lost the
ice; instead we had only added to our previous perils some new
ones—vast hidden shoals, bitter freezing weather, long nights of
sitting motionless and cramped in our open boats, while the Arctic
winds mercilessly pierced our unshielded bodies, and the hourly
dread of drowning in a gale.
It was seventy miles over the sea to Kotelnoi, the next island
westward in the group. To get there, instead of being able to sail
directly west, we found we had to stand far to the southward of
Fadejovski to clear a shoal, getting out of sight of land. When night
caught us far out in the open sea, we discovered even there shoals
with less than two feet of water, over which a heavy surf was
breaking badly. Standing off into deeper water, we beat all night into
the wind to save ourselves from destruction, for we had no anchors
in our boats. Wet, miserable, frozen by spray coming over, we
stayed in the boats, so crowded we could not move our freezing
legs. At dawn we stood on again westward, with streaming ice
bobbing all about us, traveling before a fresh breeze all day. In the
late afternoon, having lost sight of Chipp and the second cutter, his
boat being unable to keep up, we finally spotted a floe sizeable
enough to camp on. De Long signalled me to stop; we promptly
secured to it and waited for Chipp to catch up, meanwhile for the first
time in thirty-six hours stretching our wet forms out in our sleeping
bags on the ice, while a gale blew up, snow fell, and the sea got very
rough, which gave us grave concern over our missing boat. By
daylight there was so much pack ice surrounding our two boats, it
seemed unbelievable we had arrived there by water, and our anxiety
for Chipp increased. We lay all day icebound, all night, and all next
day, occasionally sighting the mountains on Kotelnoi Island, perhaps
ten miles to the westward. And then Chipp and the second cutter
finally showed up, coasting the north side of our floe, half a mile
away across the pack, and soon Chipp and Kuehne, walking across
the ice, were with us. They had had a terrible time the night we lost
them; long before they sighted any floes, the gale caught them, and
over the stern where Chipp and Dunbar sat steering, icy seas
tumbled so badly that all hands bailing hardly kept the boat afloat till
they finally found a drifting floe. When at last he steered in under the
lee of the ice, but one man, Starr, was still able to jump from the boat
and hold her in with the painter while the others, badly frozen, could
barely crawl out over the gunwale. He himself and Dunbar in the
sternsheets found themselves so cramped from sitting at the tiller
that they could not even crawl and had to be lifted by Starr from the
boat. To warm up his men, Chipp had served out immediately two
ounces of brandy each, but Dunbar was so far gone that he promptly
threw his up and fainted. The second day, underway again, he had
kept westward for thirty miles before sighting us in the late afternoon,
and there he was, with his crew badly knocked out, in the open water
on the edge of the pack surrounding us completely.
To get underway next morning, there was nothing for it but to
move our two boats over the ice to where Chipp’s was, and with no
sledges, we faced that portage over bad ice with deep trepidation.
Five men, headed by Nindemann, went ahead with our solitary pick-
ax and some carpenter’s chisels to level a road. We carried all our
clothes and knapsacks on our backs, but De Long dared not take the
pemmican cans from the boats, for so scanty was our food supply
getting that the chance of any man’s stumbling and losing a can of
pemmican down a crack in the ice was a major tragedy not to be
risked. So food and all, the boats had to be skidded on their keels
over the ice, leaving long strips of oak peeled off the keels by the
sharp floe edges as we dragged along. As carefully as we could, all
hands at a time on one boat, we lightered them along that half mile,
and when after seven fearful hours of labor we got them into the
water, it was with unmitigated joy we saw they still floated.
We made a hasty meal of cold pemmican, and all hands
embarked. De Long, last off to board his cutter, was bracing himself
on the floe edge to climb aboard, when the ice gave way beneath
him, and he went overboard, disappearing completely beneath the
surface. Fortunately, Erichsen in the cockpit got a grip on him while
he was still totally submerged (for he might not ever have risen
except under the widespread pack) and hauled him, completely
soaked to the skin, in over the stern. Without delay, except to wipe
the water from his eyes, the captain signalled us to make sail.
We fought again fog, ice, and shoals for six hours more to cover
the last ten miles to Kotelnoi, and when night finally caught us, all we
knew was that we were on a sandbank where we gladly pitched
camp, in total ignorance of whether we had made the island itself or
an offshore bank and caring less so long as we could stop. We found
some driftwood on the bank, made a fire, and soon, most of all the
captain still in his soaked clothes, we were trying to warm ourselves
around it. So ended September 4th.
The next two days we tried to struggle west along the south coast
of Kotelnoi, largest island of the archipelago, but a blinding snow-
storm and ice closing in held us to our sand spit. Going inshore,
some of the men found the long-deserted huts of the fossil ivory
hunters, and even a few elephant tusks, but not a trace of game, and
our supply of pemmican kept on shrinking.
Signs of physical breakdown were becoming plain enough in our
company. Our rations were slender and unsatisfying. Long hours on
end of sitting cramped and soaked in wet clothes and icy water, often
unable in the overcrowded boats even to stretch a leg to relieve it, no
chance in the boats to stretch out and sleep at all, and the mental
strain of working those small boats in tumbling seas and through
tossing ice, were beginning to tell. On the pack at least, each night
we could camp and stretch ourselves in our bags to rest after each
day of toil; now except when bailing, we were compelled to endure
the cold motionless.
Captain De Long’s feet were giving way. Swollen with cold and
with toes broken out with chilblains, he could barely move about, and
then only in great pain. Dunbar looked older than ever, fainted
frequently, and the doctor said his heart showed a weakness that
might carry him off under any strain. De Long admonished the ice-
pilot to give up all work and take things easy, but even merely sitting
up in the boat was a strain which could not be avoided. To keep him
braced up, the doctor gave him a flask of brandy with orders to use it
regularly. Danenhower’s eyes continued the same—poor, but with
one eye at least partly usable when the sun did not shine, which
fortunately for Dan in all that fog and snow was most of the time. But
Dan continued to pester the doctor to put him off the sicklist, driving
Ambler nearly wild that he should be nagged to consider such an
unethical request. Others too began to complain—Erichsen of his
feet, Cole of a general dullness in his head. As for all the rest of us,
gaunt and underfed, with seamed and cracked faces, untrimmed
whiskers, haggard eyes, shivering bodies, and raw and bleeding
hands and feet, against a really well man we would have stood out
as objects of horror, but there being none such amongst us, our
appearance excited no special comment among ourselves.
Our third day on Kotelnoi, we managed to work a few miles to the
westward along the coast, rowing and dragging our boats along the
sand, making perhaps thirteen miles inshore of the ice pack which
we could not penetrate to the sea beyond. But on September 7th,
before an early morning northeast breeze with the temperature well
below freezing, the pack opened up and we sailed away through
drifting ice streaming before the wind, for Stolbovoi Island, sixty-five
miles southwest. By noon, I concluded that somehow I must have
stove in the bottom of my boat, for we were making water faster than
it could be bailed and the boat started to sink. Signalling the others, I
hastily ran alongside a nearby floe, where my crew had a lively time
getting the whaleboat up on the ice before she went from under us.
Capsizing her to learn the damage, I was much relieved to find we
had only knocked the plug up out of the drain hole. We found the
plug beneath the overturned boat, tried it again in the hole, and
found it projected through an inch. Evidently bumping on some ice
beneath the bilge had knocked it out, so I sawed off the projection to
prevent a recurrence, righted and floated my boat again. Meanwhile
being on the ice, we all had dinner and shoved off again.
With a fair breeze, we stood southwest for Stolbovoi Island, fifty
miles off now. The breeze freshened and we made good progress,
too good indeed for Chipp and the second cutter, as both De Long
and I had to double reef our sails to avoid completely losing Chipp
astern again. The sea increased somewhat, the boats rolled badly,
and we had to bail continuously, but as we were getting along toward
the Lena, that didn’t worry us, nor did the fact that being poor sailors,
Collins, Newcomb, and Ah Sam became deathly seasick again.
We kept on through the night, delayed a bit from midnight until
dawn by streaming ice we couldn’t see and cold, wet, and wretched
as usual. Several times during the night we were nearly smashed by
being hurled by surf against unseen floes. Once, under oars, I had to
tow the captain’s boat clear of a lee shore of ice from which he
couldn’t claw off, to save him from destruction. But after daybreak,
we could see better our dangers and avoid them in time, so that we
stood on all day till four in the afternoon, when having been
underway thirty-three hours in extreme danger and discomfort, the
captain signalled to haul out and camp on a solitary floe nearby.
Long before this, we should have hit Stolbovoi, but a shift in the wind
had apparently carried us by it to the north.
After a cold night on this floe, at four in the morning on September
9th we were again underway through rain and snow. By afternoon
we were picking a path through an immense field of drifting floes
which luckily we penetrated and got through to the southwest, when
sighting a low island to the westward, evidently Semenovski, the last
island of the New Siberian Archipelago between us and the Lena, we
abandoned all idea of searching to the southward for Stolbovoi which
we had never sighted, and headed west instead for Semenovski. As
luck would have it, the wind of which we had too much the day
before to suit some members of our party, now died away completely
and out went our oars. Through a calm sea we rowed the lumbering
boats for six hours, warming up the oarsmen at any rate, though
horribly chafing their frozen hands. Then, a fog setting in at 10 p.m.,
and it being impossible to see the other boats, the captain sang out
through the night to haul out on the ice, where by candlelight we ate
our pemmican.
Next day, September 10th, still rowing through the fog, we made
Semenovski by noon, and after a passage of one hundred and ten
miles from Kotelnoi, we beached our boats and camped for a much

Ebook Computational Cryptography Algorithmic Aspects of Cryptology 1St Edition Joppe Bos Online PDF All Chapter

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ebook Computational Cryptography Algorithmic Aspects of Cryptology 1St Edition Joppe Bos Online PDF All Chapter

Uploaded by

Copyright:

Available Formats

Computational Cryptography:

Algorithmic Aspects of Cryptology 1st

Fundamentals of Cryptography: Introducing Mathematical

Primary Mathematics 3A Hoerst

Practical Aspects of Computational Chemistry V Jerzy

Algorithmic Aspects of Cloud Computing 5th

Data Analysis and Related Applications, Volume 1:

Rust Atomics and Locks Mara Bos

Parker Hitt The Father of American Military Cryptology

Practical Aspects of Vaccine Development The Practical

Cambridge University Press is part of the University of Cambridge.

List of Contributors page x

1 Introduction Joppe W. Bos and Martijn Stam 1

2 Lattice Attacks on NTRU and LWE:

3 History of Integer Factorisation Samuel S. Wagstaﬀ, Jr 41

4 Lattice-Based Integer Factorisation:

5 Computing Discrete Logarithms Robert Granger and

6 RSA, DH and DSA in the Wild Nadia Heninger 140

7 A Survey of Chosen-Preﬁx Collision Attacks Marc Stevens 182

8 Eﬃcient Modular Arithmetic Joppe W. Bos, Thorsten Kleinjung

9 Arithmetic Software Libraries Victor Shoup 251

10 XTR and Tori Martijn Stam 293

11 History of Cryptographic Key Sizes Nigel P. Smart and

Martin R. Albrecht Information Security Group, Royal Holloway, University

This book is a tribute to the scientiﬁc research career of Professor Arjen K.

industry who want to develop a deeper understanding about the algorithms

This introductory chapter provides a sketch of Arjen Klaas Lenstra’s scientiﬁc

1.1 Biographical Sketch

is essential to understand the practical security strength of the Rivest–Shamir–

Polytechnique Fédérale de Lausanne (EPFL) in Lausanne, Switzerland. At

More seriously, the interest in deployed security system extended to imple-

password hashing, cryptocurrencies and content-addressable storage. Stevens

worked extensively on speeding up XTR and related systems based on alge-

2.1.1 LWE and NTRU

2.2 Notation and Preliminaries

vector in all lattices of unit volume in dimension β:

2.3 Lattice Reduction: Theory

Algorithm 2.1 High-level description of the BKZ algorithm.

In practice, BKZ is not implemented as in Algorithm 2.1. Most notably,

2.4 Practical Behaviour on Random Lattices

= lgh(β) + (β − 1)/2 · lg(αβ ).

Solving for αβ assuming equality we obtain αβ = gh(β)2/(β−1) .

This leads to the following reﬁnement of the GSA.

0 200 400 600 800 1000

Figure 2.1 GSA and TGSA for d = 1000 and β = 500.

2 lg(δβ ) with δβ as in Eq. (2.1)

Figure 2.2 Experimentally observed slopes of 16 lattices compared with δβ

0 200 400 600 800 1000 1200 1400

2.4.3 q-ary Lattices and the Z-Shape

Figure 2.5 GSA and q-ary lattice contradiction. Norms of Gram–Schmidt

4 CN11 simulator [122]

0 20 40 60 80 100 120 140 160 180

2.4.4 Random Blocks?

invoking the Haar measure. However, we can nevertheless interrogate this

2.5 Behaviour on LWE Instances

2.5.1 Kannan Embedding

2.5.2 Asymptotic Handwaving

2.5.3 The 2008 Estimates

In [11] an experimental analysis of solving LWE based on the same estimate

2.5.4 The 2016 Estimate

You might also like