IEEE 1363.1-2008
IEEE Standard Specification for Public Key Cryptographic Techniques Based on Hard Problems over Lattices
Published By | Publication Date | Number of Pages |
---|---|---|
IEEE | 2008 | |
New IEEE Standard – Inactive-Reserved. Specifications of common public-key cryptographic techniques based on hard problems over lattices supplemental to those considered in IEEE 1363 and IEEE P1363a, including mathematical primitives for secret value (key) derivation, public-key encryption, identification and digital signatures, and cryptographic schemes based on those primitives. Specifications of related cryptographic parameters, public keys and private keys. Class of computer and communications systems is not restricted.
PDF Catalog
PDF Pages | PDF Title |
---|---|
1 | IEEE Std 1363.1-2008 Front Cover |
3 | Title Page |
6 | Introduction Notice to users Laws and regulations Copyrights |
7 | Updating of IEEE documents Errata Interpretations Patents Participants |
9 | CONTENTS |
11 | Important Notice 1. Overview 1.1 Scope 1.2 Purpose |
12 | 2. Normative references 3. Definitions, acronyms, and abbreviations 3.1 Definitions |
19 | 3.2 Acronyms and abbreviations |
21 | 4. Types of cryptographic techniques 4.1 General model 4.2 Schemes |
22 | 4.3 Additional methods 4.4 Algorithm specification conventions |
23 | 5. Mathematical notation |
25 | 6. Polynomial representation and operations 6.1 Introduction 6.2 Polynomial representation 6.3 Polynomial operations 6.3.1 Polynomial multiplication 6.3.2 Reduction of a polynomial mod q 6.3.3 Inversion in (Z/qZ)[X]/(X^N – 1) |
28 | 7. Data types and conversions 7.1 Bit strings and octet strings 7.2 Converting between integers and bit strings (I2BSP and BS2IP) 7.2.1 Integer to bit string primitive (I2BSP) |
29 | 7.2.2 Bit string to integer primitive (BS2IP) 7.3 Converting between integers and octet strings (I2OSP and OS2IP) 7.3.1 Integer to octet string primitive (I2OSP) 7.3.2 Octet string to integer primitive (OS2IP) |
30 | 7.4 Converting between bit strings and right-padded octet strings (BS2ROSP and ROS2BSP) 7.4.1 Bit string to right-padded octet string primitive (BS2ROSP) 7.4.2 Right-padded octet string to bit string primitive (ROS2BSP) |
31 | 7.5 Converting between ring elements and bit strings (RE2BSP and BS2REP) 7.5.1 Ring element to bit string primitive (RE2BSP) 7.5.2 Bit string to ring element primitive (BS2REP) |
32 | 7.6 Converting between ring elements and octet strings (RE2OSP and OS2REP) 7.6.1 Ring element to octet string primitive (RE2OSP) 7.6.2 Octet string to ring element primitive (OS2REP) 8. Supporting algorithms 8.1 Overview |
33 | 8.2 Hash functions 8.3 Encoding methods 8.3.1 General 8.3.2 Blinding polynomial generation methods (BPGM) |
34 | 8.4 Supporting algorithms 8.4.1 Mask generation functions |
35 | 8.4.2 Index generation function |
38 | 9. Short vector encryption scheme (SVES) 9.1 Encryption scheme (SVES) overview 9.2 Encryption scheme (SVES) operations 9.2.1 Key generation |
39 | 9.2.2 Encryption operation |
41 | 9.2.3 Decryption operation |
43 | 9.2.4 Key pair validation methods 9.2.5 Public key validation |
45 | Annex A (informative) Security considerations A.1 Lattice security: background A.1.1 Lattice definitions |
46 | A.1.2 Hard lattice problems A.1.3 Theoretical complexity of hard lattice problems A.1.4 Lattice reduction algorithms |
47 | A.1.5 The Gaussian heuristic and the closest vector problem |
48 | A.1.6 Modular lattices: definition A.1.7 Modular lattices and quotient polynomial rings A.1.8 Balancing CVP in modular lattices |
49 | A.1.9 Fundamental CVP ratios in modular lattices A.1.10 Creating a balanced CVP for modular lattices containing a short vector |
50 | A.1.11 Modular lattices containing (short) binary vectors |
51 | A.1.12 Convolution modular lattices A.1.13 Heuristic solution time for CVP in modular lattices |
52 | A.1.14 Zero-forcing A.2 Experimental solution times for NTRU lattices—full key recovery A.2.1 Experimental solution times for NTRU lattices using BKZ reduction |
54 | A.2.2 Alternative target vectors A.3 Combined lattice and combinatorial attacks on LBP-PKE keys and messages A.3.1 Overview A.3.2 Lattice strength |
55 | A.3.3 Reduced lattices and the “cliff” A.3.3.1 Running time to obtain a given profile |
56 | A.3.3.2 The cliff height α and ps |
58 | A.3.4 Combinatorial strength A.3.4.1 Combinatorial attacks on LBP-PKE keys and messages A.3.4.2 Combinatorial strength in the hybrid case |
60 | A.3.5 Summary A.4 Other security considerations for LBP-PKE encryption A.4.1 Entropy requirements for key and salt generation A.4.2 Reduction mod q A.4.3 Selection of N A.4.4 Relationship between q and N A.4.5 Form of q |
61 | A.4.6 Leakage of m’(1) A.4.7 Relationship between p, q, and N A.4.8 Adaptive chosen ciphertext attacks |
62 | A.4.9 Invertibility of g in R_q A.4.10 Decryption failures A.4.11 OID |
63 | A.4.12 Use of hash functions by supporting functions A.4.13 Generating random numbers in [0, N – 1] A.4.14 Attacks based on variation in decryption times |
64 | A.4.15 Choosing to attack r or m A.4.16 Quantum computers A.4.17 Other considerations A.5 A parameter set generation algorithm |
65 | A.6 Possible parameter sets A.6.1 Size-optimized A.6.1.1 ees401ep1 |
66 | A.6.1.2 ees449ep1 A.6.1.3 ees677ep1 |
67 | A.6.1.4 ees1087ep2 A.6.2 Cost-optimized |
68 | A.6.2.1 ees541ep1 A.6.2.2 ees613ep1 |
69 | A.6.2.3 ees887ep1 A.6.2.4 ees1171ep1 |
70 | A.6.3 Speed-optimized A.6.3.1 ees659ep1 |
71 | A.6.3.2 ees761ep1 A.6.3.3 ees1087ep1 |
72 | A.6.3.4 ees1499ep1 A.7 Security levels of parameter sets A.7.1 Assumed security levels versus current knowledge |
73 | A.7.2 Potential research |
74 | Annex B (informative) Bibliography |