Professional Documents
Culture Documents
19 stars 9 forks
Star Watch
master
View code
On Bounded Distance Decoding with Predicate: Breaking the "Lattice Barrier" for the
Hidden Number Problem
https://github.com/malb/bdd-predicate/ 1/5
2022/4/22 10:36 malb/bdd-predicate: Solving BDD and uSVP with predicate
Martin R. Albrecht and Nadia Heninger. On Bounded Distance Decoding with Predicate:
Breaking the "Lattice Barrier" for the Hidden Number Problem. EUROCRYPT 2021. full version
README.md
available as Cryptology ePrint Archive: Report 2020/1540
1. To get estimates for the running times of the different algorithms for a set of
parameters, the estimate functionality can be invoked as
2. To run the solver on a randomly generated problem instance with these parameters,
use the benchmark function:
If the algorithm is not specified, the script will automatically choose one for you, but
you can also specify your chosen algorithm on the command line
3. To actually compute the secret key from input provided in a file, you can use the solve
function. You need to specify the curve to use by name:
Each line of the file is a space-separated list of the bit length of the nonce, the hex-
encoded hash used in the ECDSA signature, the hex-encoded ECDSA signature as (r,s)
concatenated together, and the hex-encoded public key. The ecdsa.sample function
will generate sample input in this form.
For the moment, our scripts assume the most significant bits of the nonce are 0. If your use
case involves known nonzero most significant bits, least significant bits, or another case, you
can either transform your signatures and hash values accordingly, or modify our script to
implement that case.
https://github.com/malb/bdd-predicate/ 2/5
2022/4/22 10:36 malb/bdd-predicate: Solving BDD and uSVP with predicate
The following example uses the scale strategy to continue searching until the solution is
found, which can deal with errors in the data, and will parallelize the algorithm in 8 threads:
If you wish to write your own script to use our functions as a library, here is a small custom
Python script that shows how to invoke the relevant functions to compute the secret key for
some randomly generated data:
if __name__=='__main__':
k = 252
m = 70
ecdsa = ECDSA(nbits=256)
lines, k_list, d = ecdsa.sample(m,make_klen_list(k,m))
solver = ECDSASolver(ecdsa,lines,m=m)
key, res = solver("bkz-enum")
if res.success:
print(hex(key))
else:
print("Failed")
Implemented Algorithms
Our algorithms solve the unique shortest vector problem augmented with a predicate.
Using Kannan's embedding this enables to solve bounded distance decoding augmented
with a predicate.
Sieving with Predicate: This algorithm performs lattice sieving followed by a check for
points v of norm bounded by (4/3)^(1/2) ⋅ gh(Λ) whether the predicate f(⋅) holds, i.e. if
f(v) = 1.
BKZ with sieving or enumeration followed by a check for each point v in the output
basis whether the predicate f(⋅) holds, i.e. if f(v) = 1.
How to Install/Run
This framework builds on
Using Conda/Manually
Using Docker
Running
from the root directory of this repository will start SageMath with recent versions of FPLLL,
FPyLLL and G6K installed. Our code is available under /bdd-predicate . Thus, e.g.
cd /bdd-predicate
load("usvp.py")
https://github.com/malb/bdd-predicate/ 4/5
2022/4/22 10:36 malb/bdd-predicate: Solving BDD and uSVP with predicate
Releases
No releases published
Packages
No packages published
Contributors 3
Languages
https://github.com/malb/bdd-predicate/ 5/5