Jean-Sébastien Coron, David Naccache, Julien P. Stern (auth.), Michael Wiener (eds.)

Crypto ’99, the 19th Annual Crypto convention, used to be backed through the foreign organization for Cryptologic learn (IACR), in cooperation with the IEEE computing device Society Technical Committee on safeguard and privateness and the pc technological know-how division, collage of California, Santa Barbara (UCSB). the final Chair, Donald Beaver, used to be liable for neighborhood association and registration. this system Committee thought of 167 papers and chosen 38 for presentation. This year’s convention software additionally integrated invited lectures. i used to be happy to incorporate within the software UeliM aurer’s presentation “Information Theoretic Cryptography” and Martin Hellman’s presentation “The Evolution of Public Key Cryptography.” this system additionally included the conventional Rump consultation for casual brief shows of latest effects, run through Stuart Haber. those complaints contain the revised types of the 38 papers authorized through this system Committee. those papers have been chosen from all of the submissions to the convention in keeping with originality, caliber, and relevance to the sector of cryptology. Revisions weren't checked, and the authors undergo complete accountability for the contents in their papers.

We will see that our attack against the hidden subset sum problem can be adapted to the affine hidden subset sum problem. It appears that the complexity of these problems is similar. 3 Lattice Reduction and the Orthogonal Lattice Throughout the paper, we call lattice any subgroup of Zm for some integer m. If L is a lattice, we denote by det(L) its determinant (or volume), and Λ(L) the Euclidean norm of a shortest non-zero vector of L. A classical result of Minkowski states that for any integer d, there is a constant γ(d) such that for all d-dimensional lattice L: Λ(L) ≤ γ(d) det(L)1/d .

Since we have about n2 quadratic equations in about rn variables, we get ≈ 1/r 2 . 006, which is marginally smaller than the threshold stated above. We thus have to use the relinearization scheme which considers products of 8 xi values, and to solve a huge system of O(n8 ) linear equations in O(n8 ) variables, which is polynomial but impractical. For larger fields F, both r and n drop considerably if we keep fixed both the degree q r of the secret polynomial and the size q n of the cleartext space (for example, when we replace F2 by F7 , r drops from 13 to 4 and n drops from 100 to 36).

Since the αi ’s are v random, the n-dimensional lattice vα⊥ may be considered as random, so that: √ √ Λ(v⊥ ) ≈ γ n det(vα⊥ )1/n ≈ γM 1/n (n/3)1/(2n) n. We then estimate pu for some well-chosen vectors u. M − 1], the expectation of the square of each coordinate of α1 x1 + · · · + αn xn is roughly: n× 1 2 2 1 M2 1 M2 × + (n2 − n) × × ≈ n M . 2 3 4 4 16 Hence E( k 2 ) ≈ mn2 /16, and we note that E( xj 2 ) ≈ m/2. It follows that for any u (we again assume that the variance is negligible): pu ≈ u √ n × m/2 + mn2 /16 ≈ n m u /4.

