
Advances in Cryptology – EUROCRYPT 2017: 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 – May 4, 2017, Proceedings, Part I, 1st Edition
Jean-Sébastien Coron
Jean-Sébastien Coron
Jesper Buus Nielsen (Eds.)
LNCS 10210

Advances in Cryptology –
EUROCRYPT 2017
36th Annual International Conference on the Theory
and Applications of Cryptographic Techniques
Paris, France, April 30 – May 4, 2017, Proceedings, Part I

Lecture Notes in Computer Science 10210
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Editors
Jean-Sébastien Coron, University of Luxembourg, Luxembourg, Luxembourg
Jesper Buus Nielsen, Aarhus University, Aarhus, Denmark

ISSN 0302-9743 ISSN 1611-3349 (electronic)


Lecture Notes in Computer Science
ISBN 978-3-319-56619-1 ISBN 978-3-319-56620-7 (eBook)
DOI 10.1007/978-3-319-56620-7

Library of Congress Control Number: 2017936355

LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2017


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by Springer Nature


The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

Eurocrypt 2017, the 36th annual International Conference on the Theory and Applications
of Cryptographic Techniques, was held in Paris, France, from April 30 to May
4, 2017. The conference was sponsored by the International Association for Cryptologic
Research (IACR). Michel Abdalla (ENS, France) was responsible for the local
organization. He was supported by a local organizing team consisting of David
Pointcheval (ENS, France), Emmanuel Prouff (Morpho, France), Fabrice Benhamouda
(ENS, France), Pierre-Alain Dupoint (ENS, France), and Tancrède Lepoint (SRI
International). We are indebted to them for their support and smooth collaboration.
The conference program followed the now established parallel track system where
the works of the authors were presented in two concurrently running tracks. Only the
invited talks spanned over both tracks.
We received a total of 264 submissions. Each submission was anonymized for the
reviewing process and was assigned to at least three of the 56 Program Committee
members. Submissions co-authored by committee members were assigned to at least four
members. Committee members were allowed to submit at most one paper, or two if both
were co-authored. The reviewing process included a first-round notification followed by a
rebuttal for papers that made it to the second round. After extensive deliberations the
Program Committee accepted 67 papers. The revised versions of these papers are included
in these three-volume proceedings, organized topically within their respective track.
The committee decided to give the Best Paper Award to the paper “Scrypt Is Maximally
Memory-Hard” by Joël Alwen, Binyi Chen, Krzysztof Pietrzak, Leonid Reyzin,
and Stefano Tessaro. The two runners-up to the award, “Computation of a 768-bit Prime
Field Discrete Logarithm,” by Thorsten Kleinjung, Claus Diem, Arjen K. Lenstra,
Christine Priplata, and Colin Stahlke, and “Short Stickelberger Class Relations and
Application to Ideal-SVP,” by Ronald Cramer, Léo Ducas, and Benjamin Wesolowski,
received honorable mentions. All three papers received invitations for the Journal of
Cryptology.
The program also included invited talks by Gilles Barthe, titled “Automated
Proof for Cryptography,” and by Nigel Smart, titled “Living Between the Ideal and
Real Worlds.”
We would like to thank all the authors who submitted papers. We know that the
Program Committee’s decisions, especially rejections of very good papers that did not
find a slot in the sparse number of accepted papers, can be very disappointing. We
sincerely hope that your works eventually get the attention they deserve.
We are also indebted to the Program Committee members and all external reviewers
for their voluntary work, especially since the newly established and unified page limits
and the increasing number of submissions induce quite a workload. It has been an
honor to work with everyone. The committee’s work was tremendously simplified by
Shai Halevi’s submission software and his support, including running the service on
IACR servers.
Finally, we thank everyone else — speakers, session chairs, and rump session chairs —
for their contribution to the program of Eurocrypt 2017. We would also like to thank
Thales, NXP, Huawei, Microsoft Research, Rambus, ANSSI, IBM, Orange, Safran,
Oberthur Technologies, CryptoExperts, and CEA Tech for their generous support.

May 2017 Jean-Sébastien Coron


Jesper Buus Nielsen
Eurocrypt 2017

The 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques

Sponsored by the International Association for Cryptologic Research

30 April – 4 May 2017


Paris, France

General Chair
Michel Abdalla ENS, France

Program Co-chairs
Jean-Sébastien Coron University of Luxembourg
Jesper Buus Nielsen Aarhus University, Denmark

Program Committee
Gilad Asharov Cornell Tech, USA
Nuttapong Attrapadung AIST, Japan
Fabrice Benhamouda ENS, France and IBM, USA
Nir Bitansky MIT, USA
Andrey Bogdanov Technical University of Denmark
Alexandra Boldyreva Georgia Institute of Technology, USA
Chris Brzuska Technische Universität Hamburg, Germany
Melissa Chase Microsoft, USA
Itai Dinur Ben-Gurion University, Israel
Léo Ducas CWI, Amsterdam, The Netherlands
Stefan Dziembowski University of Warsaw, Poland
Nicolas Gama Inpher, Switzerland and University of Versailles, France
Pierrick Gaudry CNRS, France
Peter Gaži IST Austria, Austria
Niv Gilboa Ben-Gurion University, Israel
Robert Granger EPFL, Switzerland
Nathan Keller Bar Ilan University, Israel
Aggelos Kiayias University of Edinburgh, UK
Eike Kiltz Ruhr-Universität Bochum, Germany
Vladimir Kolesnikov Bell Labs, USA


Ranjit Kumaresan MIT, USA
Eyal Kushilevitz Technion, Israel
Gregor Leander Ruhr-University Bochum, Germany
Tancrède Lepoint SRI International, USA
Benoît Libert ENS de Lyon, France
San Ling Nanyang Technological University, Singapore
Anna Lysyanskaya Brown University, USA
Tal Malkin Columbia University, USA
Willi Meier FHNW, Switzerland
Florian Mendel Graz University of Technology, Austria
Bart Mennink K.U. Leuven, Belgium
Ilya Mironov Google, USA
María Naya-Plasencia Inria, France
Ivica Nikolić Nanyang Technological University, Singapore
Miyako Ohkubo NICT, Japan
Rafail Ostrovsky UCLA, USA
Omkant Pandey Stony Brook University, USA
Omer Paneth Boston University, USA
Chris Peikert University of Michigan, USA
Thomas Peters UCL, Belgium
Krzysztof Pietrzak IST Austria, Austria
Emmanuel Prouff Morpho, France
Leonid Reyzin Boston University, USA
Louis Salvail University of Montreal, Canada
Yu Sasaki NTT Secure Platform Laboratories, Japan
Abhi Shelat University of Virginia, USA
Elaine Shi Cornell University, USA
Martijn Stam University of Bristol, UK
Damien Stehlé ENS de Lyon, France
John P. Steinberger Tsinghua University, China
Ingrid Verbauwhede K.U. Leuven, Belgium
Brent Waters University of Texas, USA
Daniel Wichs Northeastern University, USA
Mark Zhandry Princeton University, USA

Additional Reviewers

Michel Abdalla Martin Albrecht Daniel Apon


Masayuki Abe Ghada Almashaqbeh Benny Applebaum
Aysajan Abidin Jacob Alperin-Sheriff Christian Badertscher
Hamza Abusalah Joël Alwen Saikrishna Badrinarayanan
Divesh Aggarwal Abdelrahaman Aly Shi Bai
Shashank Agrawal Elena Andreeva Josep Balasch
Navid Alamati Yoshinori Aono
Foteini Baldimtsi Ivan Damgård Shoichi Hirose


Marshall Ball Jean Paul Degabriele Viet Tung Hoang
Valentina Banciu Akshay Degwekar Justin Holmgren
Subhadeep Banik David Derler Fumitaka Hoshino
Razvan Barbulescu Apoorvaa Deshpande Pavel Hubáček
Guy Barwell Julien Devigne Ilia Iliashenko
Carsten Baum Christoph Dobraunig Laurent Imbert
Anja Becker Frédéric Dupuis Takanori Isobe
Christof Beierle Nico Döttling Tetsu Iwata
Amos Beimel Maria Eichlseder Malika Izabachene
Sonia Belaïd Keita Emura Kimmo Jarvinen
Shalev Ben-David Xiong Fan Eliane Jaulmes
Iddo Bentov Pooya Farshim Dimitar Jetchev
Jean-François Biasse Sebastian Faust Daniel Jost
Begul Bilgin Omar Fawzi Marc Joye
Olivier Blazy Dario Fiore Herve Kalachi
Xavier Bonnetain Ben Fisch Seny Kamara
Joppe Bos Benjamin A. Fisch Chethan Kamath
Christina Boura Nils Fleischhacker Angshuman Karmakar
Florian Bourse Georg Fuchsbauer Pierre Karpman
Luis Brandao Eiichiro Fujisaki Nikolaos Karvelas
Dan Brownstein Steven Galbraith Marcel Keller
Chris Campbell Chaya Ganesh Elena Kirshanova
Ran Canetti Juan Garay Fuyuki Kitagawa
Anne Canteaut Sumegha Garg Susumu Kiyoshima
Angelo De Caro Romain Gay Thorsten Kleinjung
Ignacio Cascudo Ran Gelles Lars Knudsen
David Cash Mariya Georgieva Konrad Kohbrok
Wouter Castryck Benedikt Gierlichs Markulf Kohlweiss
Hubert Chan Oliver W. Gnilke Ilan Komargodski
Nishanth Chandran Faruk Göloğlu Venkata Koppula
Jie Chen Sergey Gorbunov Thomas Korak
Yilei Chen Dov Gordon Lucas Kowalczyk
Nathan Chenette Rishab Goyal Thorsten Kranz
Mahdi Cheraghchi Hannes Gross Fabien Laguillaumie
Alessandro Chiesa Vincent Grosso Kim Laine
Ilaria Chillotti Jens Groth Virginie Lallemand
Sherman S.M. Chow Daniel Gruss Adeline Langlois
Kai-Min Chung Jian Guo Hyung Tae Lee
Michele Ciampi Siyao Guo Jooyoung Lee
Ran Cohen Qian Guo Kwangsu Lee
Craig Costello Benoît Gérard Troy Lee
Alain Couvreur Felix Günther Kevin Lewi
Claude Crépeau Britta Hale Huijia (Rachel) Lin
Edouard Cuvelier Carmit Hazay Jiao Lin
Guillaume Dabosville Felix Heuer Wei-Kai Lin
Feng-Hao Liu Romain Poussier Mehdi Tibouchi


Atul Luykx Thomas Prest Elmar Tischhauser
Vadim Lyubashevsky Erick Purwanto Yosuke Todo
Xiongfeng Ma Carla Rafols Ni Trieu
Houssem Maghrebi Ananth Raghunathan Roberto Trifiletti
Mohammad Mahmoody Srinivasan Raghuraman Yiannis Tselekounis
Daniel Malinowski Sebastian Ramacher Furkan Turan
Alex Malozemoff Somindu Ramanna Thomas Unterluggauer
Antonio Marcedone Francesco Regazzoni Margarita Vald
Daniel P. Martin Ling Ren Prashant Vasudevan
Daniel Masny Oscar Reparaz Philip Vejre
Takahiro Matsuda Silas Richelson Srinivas Vivek Venkatesh
Christian Matt Thomas Ricosset Daniele Venturi
Alexander May Thomas Ristenpart Frederik Vercauteren
Sogol Mazaheri Florentin Rochet Ivan Visconti
Peihan Miao Mike Rosulek Vanessa Vitse
Kazuhiko Minematsu Yannis Rouselakis Damian Vizár
Ameer Mohammed Sujoy Sinha Roy Petros Wallden
Tal Moran Michal Rybár Michael Walter
Fabrice Mouhartem Carla Ràfols Lei Wang
Pratyay Mukherjee Robert Schilling Huaxiong Wang
Elke De Mulder Jacob Schuldt Mor Weiss
Pierrick Méaux Nicolas Sendrier Weiqiang Wen
Michael Naehrig Yannick Seurin Mario Werner
Yusuke Naito Ido Shahaf Benjamin Wesolowski
Kashif Nawaz Sina Shiehian Carolyn Whitnall
Kartik Nayak Siang Meng Sim Friedrich Wiemer
Khoa Nguyen Dave Singelee David Wu
Ryo Nishimaki Luisa Siniscalchi Keita Xagawa
Olya Ohrimenko Daniel Slamanig Sophia Yakoubov
Elisabeth Oswald Benjamin Smith Shota Yamada
Ayoub Otmani Akshayaram Srinivasan Takashi Yamakawa
Giorgos Panagiotakos François-Xavier Standaert Avishay Yanay
Alain Passelègue Ron Steinfeld Kan Yasuda
Kenneth G. Paterson Noah Stephens-Davidowitz Eylon Yogev
Serdar Pehlivanoglou Kazuki Yoneyama
Alice Pellet-Mary Katerina Stouka Henry Yuen
Pino Persiano Koutarou Suzuki Thomas Zacharias
Cécile Pierrot Alan Szepieniec Karol Zebrowski
Rafaël Del Pino Björn Tackmann Rina Zeitoun
Bertram Poettering Stefano Tessaro Bingsheng Zhang
David Pointcheval Adrian Thillard Ryan Zhou
Antigoni Polychroniadou Emmanuel Thomé Dionysis Zindros
Advances in Computer-Aided Cryptography
(Invited Talk)

Gilles Barthe

IMDEA Software Institute, Madrid, Spain

Designing, analyzing and implementing correct, secure and efficient cryptography are
challenging tasks. Computer-aided cryptography is a young field of research which
aims to provide rigorous tools that ease these tasks. Computer-aided cryptography
leverages advances in the broad area of formal methods, concerned with the development
of safe and correct high-assurance systems, and in particular program verification.
For security proofs, computer-aided cryptography exploits connections between
reductionist arguments in provable security and a program verification method for
verifying probabilistic couplings. To date, computer-aided cryptography has been used
for checking reductionistic security of primitives and protocols, for analyzing the
strength of implementations against side channels and physical attacks, and for synthesizing
new algorithms that achieve different trade-offs between efficiency and
security. The talk will present recent developments in computer-aided cryptography
and reflect on some of the challenges, benefits and opportunities in computer-aided
cryptography.
Contents – Part I

Lattice Attacks and Constructions I

Revisiting Lattice Attacks on Overstretched NTRU Parameters
Paul Kirchner and Pierre-Alain Fouque

Short Generators Without Quantum Computers: The Case of Multiquadratics
Jens Bauch, Daniel J. Bernstein, Henry de Valence, Tanja Lange, and Christine van Vredendaal

Computing Generator in Cyclotomic Integer Rings: A Subfield Algorithm for the Principal Ideal Problem in $L_{|\Delta_K|}\left(\frac{1}{2}\right)$ and Application to the Cryptanalysis of a FHE Scheme
Jean-François Biasse, Thomas Espitau, Pierre-Alain Fouque, Alexandre Gélin, and Paul Kirchner

Obfuscation and Functional Encryption

Robust Transforming Combiners from Indistinguishability Obfuscation to Functional Encryption
Prabhanjan Ananth, Aayush Jain, and Amit Sahai

From Minicrypt to Obfustopia via Private-Key Functional Encryption
Ilan Komargodski and Gil Segev

Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation from Degree-5 Multilinear Maps
Prabhanjan Ananth and Amit Sahai

Discrete Logarithm

Computation of a 768-Bit Prime Field Discrete Logarithm
Thorsten Kleinjung, Claus Diem, Arjen K. Lenstra, Christine Priplata, and Colin Stahlke

A Kilobit Hidden SNFS Discrete Logarithm Computation
Joshua Fried, Pierrick Gaudry, Nadia Heninger, and Emmanuel Thomé

Multiparty Computation I

Improved Private Set Intersection Against Malicious Adversaries
Peter Rindal and Mike Rosulek

Formal Abstractions for Attested Execution Secure Processors
Rafael Pass, Elaine Shi, and Florian Tramèr

Lattice Attacks and Constructions II

One-Shot Verifiable Encryption from Lattices
Vadim Lyubashevsky and Gregory Neven

Short Stickelberger Class Relations and Application to Ideal-SVP
Ronald Cramer, Léo Ducas, and Benjamin Wesolowski

Universal Composability

Concurrently Composable Security with Shielded Super-Polynomial Simulators
Brandon Broadnax, Nico Döttling, Gunnar Hartung, Jörn Müller-Quade, and Matthias Nagel

Unconditional UC-Secure Computation with (Stronger-Malicious) PUFs
Saikrishna Badrinarayanan, Dakshita Khurana, Rafail Ostrovsky, and Ivan Visconti

Lattice Attacks and Constructions III

Private Puncturable PRFs from Standard Lattice Assumptions
Dan Boneh, Sam Kim, and Hart Montgomery

Constraint-Hiding Constrained PRFs for NC1 from LWE
Ran Canetti and Yilei Chen

Zero Knowledge I

Amortized Complexity of Zero-Knowledge Proofs Revisited: Achieving Linear Soundness Slack
Ronald Cramer, Ivan Damgård, Chaoping Xing, and Chen Yuan

Sublinear Zero-Knowledge Arguments for RAM Programs
Payman Mohassel, Mike Rosulek, and Alessandra Scafuro

Side-Channel Attacks and Countermeasures

Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model
Gilles Barthe, François Dupressoir, Sebastian Faust, Benjamin Grégoire, François-Xavier Standaert, and Pierre-Yves Strub

How Fast Can Higher-Order Masking Be in Software?
Dahmun Goudarzi and Matthieu Rivain

Functional Encryption I

Multi-input Inner-Product Functional Encryption from Pairings
Michel Abdalla, Romain Gay, Mariana Raykova, and Hoeteck Wee

Simplifying Design and Analysis of Complex Predicate Encryption Schemes
Shashank Agrawal and Melissa Chase

Elliptic Curves

Twisted μ4-Normal Form for Elliptic Curves
David Kohel

Efficient Compression of SIDH Public Keys
Craig Costello, David Jao, Patrick Longa, Michael Naehrig, Joost Renes, and David Urbanik

Author Index


Contents – Part II

Functional Encryption II

On Removing Graded Encodings from Functional Encryption
Nir Bitansky, Huijia Lin, and Omer Paneth

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions
Shashank Agrawal and David J. Wu

Lattice Attacks and Constructions IV

Random Sampling Revisited: Lattice Enumeration with Discrete Pruning
Yoshinori Aono and Phong Q. Nguyen

On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL
Martin R. Albrecht

Small CRT-Exponent RSA Revisited
Atsushi Takayasu, Yao Lu, and Liqiang Peng

Multiparty Computation II

Group-Based Secure Computation: Optimizing Rounds, Communication, and Computation
Elette Boyle, Niv Gilboa, and Yuval Ishai

On the Exact Round Complexity of Self-composable Two-Party Computation
Sanjam Garg, Susumu Kiyoshima, and Omkant Pandey

High-Throughput Secure Three-Party Computation for Malicious Adversaries and an Honest Majority
Jun Furukawa, Yehuda Lindell, Ariel Nof, and Or Weinstein

Symmetric Cryptanalysis I

Conditional Cube Attack on Reduced-Round Keccak Sponge Function
Senyang Huang, Xiaoyun Wang, Guangwu Xu, Meiqin Wang, and Jingyuan Zhao

A New Structural-Differential Property of 5-Round AES
Lorenzo Grassi, Christian Rechberger, and Sondre Rønjom

Zero Knowledge II

Removing the Strong RSA Assumption from Arguments over the Integers
Geoffroy Couteau, Thomas Peters, and David Pointcheval

Magic Adversaries Versus Individual Reduction: Science Wins Either Way
Yi Deng

Provable Security for Symmetric Cryptography I

The Multi-user Security of Double Encryption
Viet Tung Hoang and Stefano Tessaro

Public-Seed Pseudorandom Permutations
Pratik Soni and Stefano Tessaro

Security Models I

Cryptography with Updates
Prabhanjan Ananth, Aloni Cohen, and Abhishek Jain

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited
Yevgeniy Dodis, Siyao Guo, and Jonathan Katz

Provable Security for Symmetric Cryptography II

Modifying an Enciphering Scheme After Deployment
Paul Grubbs, Thomas Ristenpart, and Yuval Yarom

Separating Semantic and Circular Security for Symmetric-Key Bit Encryption from the Learning with Errors Assumption
Rishab Goyal, Venkata Koppula, and Brent Waters

Security Models II

Toward Fine-Grained Blackbox Separations Between Semantic and Circular-Security Notions
Mohammad Hajiabadi and Bruce M. Kapron

A Note on Perfect Correctness by Derandomization
Nir Bitansky and Vinod Vaikuntanathan

Blockchain

Decentralized Anonymous Micropayments
Alessandro Chiesa, Matthew Green, Jingcheng Liu, Peihan Miao, Ian Miers, and Pratyush Mishra

Analysis of the Blockchain Protocol in Asynchronous Networks
Rafael Pass, Lior Seeman, and Abhi Shelat

Author Index


Contents – Part III

Memory Hard Functions

Depth-Robust Graphs and Their Cumulative Memory Complexity
Joël Alwen, Jeremiah Blocki, and Krzysztof Pietrzak

Scrypt Is Maximally Memory-Hard
Joël Alwen, Binyi Chen, Krzysztof Pietrzak, Leonid Reyzin, and Stefano Tessaro

Symmetric-Key Constructions

Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts
Gorjan Alagic and Alexander Russell

Boolean Searchable Symmetric Encryption with Worst-Case Sub-linear Complexity
Seny Kamara and Tarik Moataz

Obfuscation I

Patchable Indistinguishability Obfuscation: iO for Evolving Software
Prabhanjan Ananth, Abhishek Jain, and Amit Sahai

Breaking the Sub-Exponential Barrier in Obfustopia
Sanjam Garg, Omkant Pandey, Akshayaram Srinivasan, and Mark Zhandry

Symmetric Cryptanalysis II

New Impossible Differential Search Tool from Design and Cryptanalysis Aspects: Revealing Structural Properties of Several Ciphers
Yu Sasaki and Yosuke Todo

New Collision Attacks on Round-Reduced Keccak
Kexin Qiao, Ling Song, Meicheng Liu, and Jian Guo

Obfuscation II

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation
Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu

Cryptanalyses of Candidate Branching Program Obfuscators
Yilei Chen, Craig Gentry, and Shai Halevi

Quantum Cryptography

Quantum Authentication and Encryption with Key Recycling: Or: How to Re-use a One-Time Pad Even if P = NP — Safely & Feasibly
Serge Fehr and Louis Salvail

Quantum Authentication with Key Recycling
Christopher Portmann

Relativistic (or 2-Prover 1-Round) Zero-Knowledge Protocol for NP Secure Against Quantum Adversaries
André Chailloux and Anthony Leverrier

Multiparty Computation III

Faster Secure Two-Party Computation in the Single-Execution Setting
Xiao Wang, Alex J. Malozemoff, and Jonathan Katz

Non-interactive Secure 2PC in the Offline/Online and Batch Settings
Payman Mohassel and Mike Rosulek

Hashing Garbled Circuits for Free
Xiong Fan, Chaya Ganesh, and Vladimir Kolesnikov

Public-Key Encryption and Key-Exchange

Adaptive Partitioning
Dennis Hofheinz

0-RTT Key Exchange with Full Forward Secrecy
Felix Günther, Britta Hale, Tibor Jager, and Sebastian Lauer

Multiparty Computation IV

Computational Integrity with a Public Random String from Quasi-Linear PCPs
Eli Ben-Sasson, Iddo Bentov, Alessandro Chiesa, Ariel Gabizon, Daniel Genkin, Matan Hamilis, Evgenya Pergament, Michael Riabzev, Mark Silberstein, Eran Tromer, and Madars Virza

Ad Hoc PSM Protocols: Secure Computation Without Coordination
Amos Beimel, Yuval Ishai, and Eyal Kushilevitz

Topology-Hiding Computation Beyond Logarithmic Diameter
Adi Akavia and Tal Moran

Author Index


Lattice Attacks and Constructions I
Revisiting Lattice Attacks on Overstretched NTRU Parameters

Paul Kirchner (1,2) and Pierre-Alain Fouque (2,3)

1 École Normale Supérieure, Paris, France, pkirchner@clipper.ens.fr
2 IRISA, Rennes, France
3 Université de Rennes 1 & Institut Universitaire de France, Paris, France, pierre-alain.fouque@univ-rennes1.fr

Abstract. In 2016, Albrecht, Bai and Ducas and independently Cheon, Jeong and Lee presented very similar attacks to break the NTRU cryptosystem with larger modulus than in the NTRUEncrypt standard. They allow recovery of the secret key given the public key of Fully Homomorphic Encryption schemes based on NTRU ideas. Hopefully, these attacks do not endanger the security of the NTRUEncrypt, but shed new light on the hardness of the NTRU problem. The idea consists in decreasing the dimension of the NTRU lattice using the multiplication matrix by the norm (resp. trace) of the public key in some subfield instead of the public key itself. Since the dimension of the subfield is smaller, so is the dimension of the lattice, and lattice reduction algorithms perform better.

In this paper, we first propose a new variant of the subfield attacks that outperforms both of these attacks in practice. It allows breaking several concrete instances of YASHE, an NTRU-based FHE scheme, but it is not as efficient as the hybrid method on smaller concrete parameters of NTRUEncrypt. Instead of using the norm and trace, the multiplication by the public key in a subring allows breaking smaller parameters, and we show that in $\mathbb{Q}(\zeta_{2^n})$, the time complexity is polynomial for $q = 2^{\Omega(\sqrt{n \log\log n})}$. Then, we revisit the lattice reduction part of the hybrid attack of Howgrave-Graham and analyze the success probability of this attack using a new technical tool proposed by Pataki and Tural. We show that, under some heuristics, this attack is more efficient than the subfield attack and works in any ring for large q, such as the NTRU Prime ring. We insist that the improvement on the analysis applies even for relatively small modulus, although if the secret is sparse, it may not be the fastest attack. We also derive a tight estimation of security for (Ring-)LWE and NTRU assumptions and perform many practical experiments.

© International Association for Cryptologic Research 2017
J.-S. Coron and J.B. Nielsen (Eds.): EUROCRYPT 2017, Part I, LNCS 10210, pp. 3–26, 2017.
DOI: 10.1007/978-3-319-56620-7_1

1 Introduction

NTRU was introduced by Hoffstein, Pipher and Silverman in 1996
in [26] and has since resisted many attacks [13,21,22,27]. NTRU is one of the
most attractive lattice-based cryptosystems since it is very efficient, and many
Ring-LWE cryptosystems have an NTRU variant. Ducas, Lyubashevsky and Prest
propose an Identity Based Encryption scheme based on NTRU [20] (albeit with
a much larger standard deviation), López-Alt, Tromer and Vaikuntanathan
describe a Fully Homomorphic Encryption scheme [32], which is improved in
a scheme called YASHE [6,31], and Ducas et al. propose a very fast signature
scheme called BLISS [19].
Currently, the most efficient and heuristic attack on NTRU has been given
by Kirchner and Fouque in [29], which has subexponential-time complexity in
$2^{(n/2+o(n))/\log\log q}$, but the o(n) is too large to lead to an attack for given
parameters. To date, the most efficient attack on practical NTRU parameters is the
so-called hybrid attack described by Howgrave-Graham in [27].
The key recovery problem of NTRU is the following problem: given a public
key h = f/g in some polynomial ring $R_q = \mathbb{Z}_q[X]/(X^n - 1)$ for n prime, q a
small integer, and f, g of small euclidean norm, recover f and g or a small
multiple of them. In NTRUEncrypt, f and g are two sparse polynomials of degrees
strictly smaller than n and coefficients in {−1, 0, 1}. It is easy to see that the public
key cannot be uniformly distributed in the whole ring, since the entropy is too
small. In [42], Stehlé and Steinfeld show that if f and g are generated using a
Gaussian distribution of standard deviation $\sigma \approx q^{1/2}$, then the distribution of
the public key is statistically indistinguishable from the uniform distribution.
State-of-the-Art Lattice Algorithm on NTRU. In [13], Coppersmith and
Shamir show that the (2n)-dimensional lattice $L_{cs}$ generated by the columns of
the matrix
$$\begin{pmatrix} qI_n & M_h^{R_q} \\ 0 & I_n \end{pmatrix},$$
where $M_h^{R_q}$ denotes the multiplication by the public key h in the ring $R_q$, contains
the vector (f, ḡ). It is easy to show that for ḡ = g(1/X) in $R_q$, we have
h · ḡ = f. By reducing this lattice, it is possible to find (f, ḡ), which is short if
(f, g) is. Finally, Coppersmith and Shamir show that for cryptographic purposes,
it is sufficient to recover a small solution, maybe not the smallest one, to decrypt.
In 2001, May showed in [33] how to exploit that the shifts of the target vector,
i.e. $x^i \cdot f$ in $R_q$, are also contained in the $L_{cs}$ lattice. Consequently, we only have
to recover one of the n shifts of the target vector, and the smallest vector is not
unique. The idea of May consists in constructing a lattice that contains as a short
vector only one of the shifts and such that the gap between the first and second
minima of the lattice will be higher. This gap is an important parameter when
running lattice reduction algorithms. If we take into account that the vector
of the secret key contains {0, ±1}-coefficients, there is a unique long run of
0-coefficients. For one of the n shifts, we can assume that this run is for instance
in the first r coefficients, and if we multiply the (n + 1)th to (n + r)th columns of
the $L_{cs}$ matrix by a suitable large constant, only this shift will be a solution for the
new lattice. He also introduces the projection technique to reduce the dimension
of $L_{cs}$ from 2n to (1 + α)n for 0 < α ≤ 1 by removing the last columns of the
matrix $M_h^{\mathcal{O}_K}$ or the last rows of the original matrix. The main idea is that it
suffices that among the n equations corresponding to h · ḡ = f, some of them will
not be fulfilled. Experimentally, since there is no other small vector except the n
shifts, then there will be no other vector with small entries in these coefficients
and we will recover the target.
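The Coppersmith-Shamir lattice and May's observation about shifts can be checked on a toy instance. The following is an added example, not code from the paper: it builds the basis of $L_{cs}$, verifies that the key and all n of its shifts are integer combinations of the columns, and compares the key's norm with the Gaussian-heuristic length for a lattice of that dimension and volume. Assumptions: toy parameters n = 11, q = 257, d = 3; q prime so that inversion is plain linear algebra; column coefficient vectors with h·g = f mod q, so the short vector appears as (f, g); all function names are hypothetical.

```python
import math
import random

def centre(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def cyclic_mul(a, b, q):
    """Product of a and b in Z_q[X]/(X^n - 1), with centred coefficients."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return [centre(x, q) for x in c]

def mult_matrix(h):
    """Circulant matrix M with M[i][j] = h[(i - j) mod n]: M*g = coefficients of h*g."""
    n = len(h)
    return [[h[(i - j) % n] for j in range(n)] for i in range(n)]

def invert(g, q):
    """Inverse of g in Z_q[X]/(X^n - 1) for prime q, or None if g is not a unit."""
    n = len(g)
    # Gauss-Jordan elimination on the augmented system M_g * x = (1, 0, ..., 0) mod q.
    rows = [[v % q for v in r] + [int(i == 0)] for i, r in enumerate(mult_matrix(g))]
    for col in range(n):
        piv = next((r for r in range(col, n) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, q)
        rows[col] = [v * inv % q for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                m = rows[r][col]
                rows[r] = [(v - m * w) % q for v, w in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]

def ternary(n, ones, minus_ones, rng):
    """Random polynomial with the given number of +1 and -1 coefficients."""
    coeffs = [1] * ones + [-1] * minus_ones + [0] * (n - ones - minus_ones)
    rng.shuffle(coeffs)
    return coeffs

def keygen(n, q, d, rng):
    """Toy key (constructed for this example): sparse ternary f, g and h = f/g in R_q."""
    while True:
        f = ternary(n, d, d, rng)
        g = ternary(n, d + 1, d, rng)  # g(1) = 1, so g is not a multiple of X - 1
        g_inv = invert(g, q)
        if g_inv is not None:
            return f, g, cyclic_mul(f, g_inv, q)

def cs_basis(h, q):
    """Basis of L_cs as columns of the block matrix [[q*I_n, M_h], [0, I_n]]."""
    n = len(h)
    M = mult_matrix(h)
    top = [[q * int(i == j) for j in range(n)] + M[i] for i in range(n)]
    bottom = [[0] * n + [int(i == j) for j in range(n)] for i in range(n)]
    return top + bottom

def lattice_coords(f, g, h, q):
    """Integer vector c = (k, g) with B*c = (f, g), or None if (f, g) is not in L_cs."""
    hg = [sum(m * x for m, x in zip(row, g)) for row in mult_matrix(h)]  # over Z
    diff = [fi - v for fi, v in zip(f, hg)]
    if any(d % q for d in diff):
        return None
    return [d // q for d in diff] + list(g)

def rotate(a, i):
    """Coefficients of X^i * a in Z[X]/(X^n - 1)."""
    n = len(a)
    return [a[(j - i) % n] for j in range(n)]

def demo(n=11, q=257, d=3, seed=1):
    rng = random.Random(seed)
    f, g, h = keygen(n, q, d, rng)
    B = cs_basis(h, q)
    hits = 0
    for i in range(n):  # every shift (X^i f, X^i g) must lie in the lattice
        fi, gi = rotate(f, i), rotate(g, i)
        c = lattice_coords(fi, gi, h, q)
        if c is not None and [sum(b * x for b, x in zip(row, c)) for row in B] == fi + gi:
            hits += 1
    tampered = [f[0] + 1] + f[1:]  # negative control: no longer satisfies h*g = f mod q
    return {
        "shifts_in_lattice": hits,
        "tampered_in_lattice": lattice_coords(tampered, g, h, q) is not None,
        "key_norm": math.sqrt(sum(x * x for x in f + g)),
        # dimension 2n, volume q^n: sqrt(2n / (2*pi*e)) * q^(1/2)
        "gaussian_heuristic": math.sqrt(n * q / (math.pi * math.e)),
    }

if __name__ == "__main__":
    print(demo())
```

The gap between `key_norm` and `gaussian_heuristic` grows with q, which is why parameter selection has to account for the n unusually short shifts rather than treat the lattice as generic.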
In [27], Howgrave-Graham makes various experiments on NTRU lattice and
proposes a mix between lattice reduction and a combinatorial technique, known
as Odlyzko’s meet-in-the-middle attack on NTRU. The first phase of the algorithm
starts by reducing the original matrix corresponding to Lcs and we can
see that lattice algorithms first reduce the column vectors in the middle of the
matrix. This process that treats the columns in a symmetric manner between
[n − r, n + r] is also used in [21] in the symplectic reduction. Consequently, it is
more efficient to begin by reducing a small dimensional matrix in the center of the
original Coppersmith-Shamir matrix and then another combinatorial technique
can take into account the small coefficients in the short vector by guessing some
part of the secret key. In the following, we will speak of the middle technique.
More recently, in [1,12], Cheon, Jeong and Lee at ANTS 2016 and Albrecht,
Bai and Ducas at CRYPTO 2016 described a new attack on NTRU-like cryptosystems.
An attack based on similar ideas was proposed by Jonsson, Nguyen
and Stern in [23, Sect. 6]. It uses the fact that for cyclotomic number fields,
there exist subfields that allow reducing the dimension of the lattice. The subfield
attack recovers the norm of the secret key in these subfields, which are
smaller than in the classical NTRU lattice. In the maximal real subfield $K^+$
of a power of two cyclotomic field K for instance, the norm can be written as
$N_{K/K^+}(f) = f\bar{f}$, which is small if f is small, and $N_{K/K^+}(f)$ is of dimension half.
The lattice $L_{norm}$ is generated by the columns of the matrix of dimension n:
$$\begin{pmatrix} qI_{n/2} & M_{h\bar{h}}^{\mathcal{O}_{K^+}} \\ 0 & I_{n/2} \end{pmatrix}.$$

The vector $(N_{K/K^+}(f), N_{K/K^+}(g))$ is small in $L_{norm}$. By the Gaussian heuristic,
the expected length of the shortest vector in the lattice $L_{norm}$ is $\sqrt{qn/(2\pi e)}$, and
the norm of f, which depends on the density of non-zero coefficients, is of size around n.
For standard NTRU parameters and when n is greater than q, lattice reduction
algorithms will not recover the secret key. However, if q is large, as in the case
of FHE cryptosystems to allow a large number of multiplication steps before
bootstrapping, then this attack can be interesting. We have not been able to apply
it for other cryptosystems, for instance on IBE and signature schemes [20].
The drawback of this technique is that q has to be very large compared to n.
We estimate asymptotically $q = 2^{\Omega(\sqrt{n \log\log n})}$ for a polynomial time complexity.
Our Results. In this paper, we revisit the lattice attacks on NTRU by considering
the subfield idea, the projection of May and the middle lattice of
Howgrave-Graham in the context of large modulus.

1. We first propose a new subfield attack and give, contrary to [1,12], a precise
analysis by considering the projection technique for power of two cyclotomic
fields. We show that using the multiplication matrix by the public key in
a subring (which has the same size as the subfield), leads to more efficient
attacks. In particular, we were able to attack concrete parameters proposed in
YASHE based on overstretched NTRU [6,7,10,14–16,30,31], meaning that we
can recover a decryption key for smaller modulus q, compared to the previous
approaches [1,12]. The previous attacks use the norm over the subfield in [1]
or the trace in [12]. It would also be possible for instance to use all the
coefficients of the characteristic polynomial. Our attack using the subring is
better than the two previous ones since in the same configuration, we can
choose exactly the size of the subfield as the number of coordinates (remove
some rows or project the lattice) in Sect. 3.
2. Secondly, we analyze the lattice reduction algorithm on the full $L_{cs}$ lattice using
a nice lemma due to Pataki and Tural [38] on the volume of sublattices with
high rank (Sect. 4). We show that reducing this lattice allows us to achieve
similar performances as in the projection and subfield attacks. We do not rely
in our analysis on the Hermite factor (or approximate factor). This is the first
time that the high number of small lattice vectors (shifts) are used to improve
the analysis of the attack against NTRU. May used it to run lattice reduction
on smaller dimensional lattices. The high dimensional low volume sublattice
(formed by the shift vectors) makes the approximate-SVP problem for NTRU
lattices substantially easier to solve by lattice reduction than generic lattices
of the same dimension when the modulus is sufficiently large. This result is
true in any ring and can be applied for instance on NTRUPrime with large
q. In practice, we run experiments using the middle technique in order to use
small dimension lattices.
3. We make experiments (Sect. 5) to understand the behaviour of lattice reduction
algorithms and derive precise predictions of when this attack will work
(Sect. 6). We also show experimentally that the subfield attack is not more
efficient than the middle technique on the original matrix. Consequently, we
mount this attack to break FHE with NTRU and the overstretched NTRU Prime
scheme. Experimental computations show that if we are able to reduce this
matrix, we recover a basis consisting of n small vectors, which are rotated
versions of the secret key. Finally, we provide a tight asymptotic security
estimate of NTRU and LWE schemes in order to give exact predictions for
these attacks by considering the Dual-BKZ [37].

We want to stress that the subfield attack we propose is not needed to break
the schemes. We first discovered our subfield attack and the experiments shown
in Fig. 1 have been obtained using it. The experiments on NTRUPrime with
overstretched parameters (Fig. 2) have been achieved by reducing the middle
lattice in the standard lattice. We experimentally recovered the same results for
Fig. 1 using the middle lattice later and we conclude that the subfield attack
is not needed to improve results on NTRU, but it could be useful to attack
multilinear maps [1,12].

2 Preliminaries
Algebraic Number Field. An algebraic number field (or simply number field)
K is a finite (algebraic) field extension of the field of rational numbers $\mathbb{Q}$. An
algebraic number $\zeta \in \mathbb{C}$ is a root of a polynomial $f(x) \in \mathbb{Q}[x]$ and is called
an algebraic integer if f(x) is a monic (leading coefficient is 1) polynomial in
$\mathbb{Z}[x]$. The minimal polynomial of ζ is a monic polynomial $f(x) \in \mathbb{Q}[x]$ of least
positive degree such that f(ζ) = 0, and the minimal polynomial of an algebraic
integer is in $\mathbb{Z}[x]$. The set of all algebraic integers forms a ring: the sum and
product of two algebraic integers is an algebraic integer. The ring of integers
of a number field $K = \mathbb{Q}[\zeta]$, obtained by adjoining ζ to $\mathbb{Q}$, is the ring
$\mathcal{O}_K = \{x \in K : x \text{ is an algebraic integer}\}$. Let f(x) be the minimal polynomial of ζ of
degree n; then as f(ζ) = 0, there is an isomorphism between $\mathbb{Q}[x] \bmod f(x)$ and
K, defined by $x \mapsto \zeta$, and K can be seen as an n-dimensional vector space over
$\mathbb{Q}$ with power basis $\{1, \zeta, \ldots, \zeta^{n-1}\}$. The conjugates of ζ are defined as all the
roots of its minimal polynomial.
A number field $K = \mathbb{Q}[\zeta]$ of degree n has exactly n field homomorphisms
$\sigma_i : K \to \mathbb{C}$ that fix every element of $\mathbb{Q}$, and they map ζ to each of its conjugates.
An embedding whose image lies in $\mathbb{R}$ (real root of f(x)) is called a real embedding;
otherwise it is called a complex embedding. Since complex roots of f(x) come in
pairs, so do complex embeddings. The number of real ones is denoted $s_1$ and the
number of pairs of complex ones $s_2$, so we get $n = s_1 + 2s_2$. By convention, we
let $\{\sigma_j\}_{j \in [s_1]}$ be the real embeddings and order the complex embeddings so that
$\sigma_{s_1+s_2+j} = \overline{\sigma_{s_1+j}}$ for $j \in [s_2]$. The canonical embedding $\sigma : K \to \mathbb{R}^{s_1} \times \mathbb{C}^{2s_2}$ is
defined by
$$\sigma(x) = (\sigma_1(x), \ldots, \sigma_n(x)).$$
The canonical embedding σ is a field homomorphism from K to $\mathbb{R}^{s_1} \times \mathbb{C}^{2s_2}$, where
multiplication and addition in $\mathbb{R}^{s_1} \times \mathbb{C}^{2s_2}$ are component-wise. The discriminant
$\Delta_K$ of K is the determinant of the matrix $(\sigma_i(\alpha_j))_{i,j}$, where $(\alpha_j)$ is a set of n
elements of K.
For elements $H \subseteq \mathbb{R}^{s_1} \times \mathbb{C}^{2s_2} \subset \mathbb{C}^n$ where
$$H = \{(x_1, \ldots, x_n) \in \mathbb{R}^{s_1} \times \mathbb{C}^{2s_2} : x_{s_1+s_2+j} = \overline{x_{s_1+j}},\ \forall j \in [s_2]\},$$
we can identify elements of K to their canonical embeddings in H and speak of
the geometric canonical norms on K as $\|x\|$ as $\|\sigma(x)\|_2 = (\sum_{i \in [n]} |\sigma_i(x)|^2)^{1/2}$.

The field norm of an element $a \in K$ is defined as $N_{K/\mathbb{Q}}(a) = \prod_{i \in [n]} \sigma_i(a)$.
Note that the norm of an algebraic integer is in $\mathbb{Z}$ as the constant coefficient
of the minimal polynomial. Let L be a subfield of K; the relative norm is
$N_{K/L}(a) = \prod_{\sigma_i \in \mathrm{Gal}(K/L)} \sigma_i(a)$, where Gal(K/L) contains the elements that fix
L. The trace of $a \in K$ is defined as $\mathrm{Tr}_{K/\mathbb{Q}}(a) = \sum_{i \in [n]} \sigma_i(a)$ and is the trace of the
endomorphism $y \mapsto ay$ and of its matrix representation.
Let K be a number field of dimension n, which has a subfield L of dimension
m | n. For simplicity, we assume that K is a Galois extension of Q, with Galois
group G; and G is the subgroup of G fixing L. It is a standard fact that
|G | = n/m.
Notice that elements of the Galois group permute or conjugate the coordinates
in $\mathbb{R}^r \times \mathbb{C}^s$, and therefore the norm is invariant by elements of G:

$$\forall \sigma \in G,\ \|\sigma(x)\| = \|x\|.$$

We call $N_{K/L} : K \to L$ the relative norm, with $N_{K/L}(a)$ the determinant of
the L-linear endomorphism $x \mapsto ax$. It is known that we have:

$$N_{K/L}(a) = \prod_{\sigma \in H} \sigma(a).$$

We can bound the norm using the inequality of arithmetic and geometric
means:

$$|N_{K/\mathbb{Q}}(a)| \le \left(\frac{\|a\|}{\sqrt{n}}\right)^n.$$

The operator norm for the euclidean norm is denoted $\|\cdot\|_{op}$ and is defined as
$\|a\|_{op} = \sup_{x \in K^*} \|ax\| / \|x\|$. Remark that it is simply the maximum of the norm
of the coordinates in $\mathbb{R}^r \times \mathbb{C}^s$. Also, it is sub-multiplicative and $\|x\| \le \sqrt{n}\,\|x\|_{op}$.
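Let $\mathcal{O}$ be an order of K, that is $\mathcal{O} \subset K$ and $\mathcal{O}$ is a commutative group which
is isomorphic as an abelian group to $\mathbb{Z}^n$. We define $\mathcal{O}_L$ as $\mathcal{O} \cap L$, which is an order
of L. We denote by $\mathrm{Vol}(\mathcal{L})$ the volume of the lattice $\mathcal{L}$, which is the square root
of the determinant of the Gram matrix corresponding to any basis of $\mathcal{L}$. We
define Δ to be the square of the volume of $\mathcal{O}$, and likewise for $\Delta_L$ with respect
to $\mathcal{O}_L$.
We define
$$M_a^{\mathcal{L}} : \mathcal{L} \to \mathcal{O},\quad x \mapsto ax$$
for any lattice $\mathcal{L} \subset \mathcal{O}$ and $a \in \mathcal{O}$; and we also denote $M_a^{\mathcal{L}}$ the corresponding
matrix for some basis of $\mathcal{L}$.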

Cyclotomic Field. A cyclotomic field is defined by
$\Phi_f(x) = \prod_{k \in \mathbb{Z}_f^*} (x - \zeta_f^k)$, where $\zeta_f = e^{2i\pi/f} \in \mathbb{C}$ is a primitive f-th root of unity.
Thus, $\Phi_f(x)$ has degree $n = \varphi(f)$, is monic and irreducible over $\mathbb{Q}$, and is the minimal polynomial
of the algebraic integer $\zeta_f$. The f-th cyclotomic field is $\mathbb{Q}[\zeta_f]$ and its ring of integers
is $\mathbb{Z}[\zeta_f]$, also called the cyclotomic ring. In this case, there are $2s_2 = n = \varphi(f)$
complex canonical embeddings (no real ones), defined by $\sigma_i(\zeta_f) = \zeta_f^i$ for $i \in \mathbb{Z}_f^*$.
For an element $x = \zeta^j \in K$ in the power basis of K, all the embeddings of
x have magnitude 1, and hence $\|x\|_2^{can} = \sqrt{n}$ and $\|x\|_\infty^{can} = 1$ as well as the
coefficient embedding. The discriminant of the f-th cyclotomic field of degree
$n = \varphi(f)$ is $\Delta_K \le n^n$.
In the cyclotomic case, we can define the maximal real subfield
$K^+ = \mathbb{Q}[\zeta_f + \zeta_f^{-1}]$, which only contains real numbers. It has index 2 in K and its degree is n/2.
The ring of integers $\mathcal{O}_{K^+}$ of $K^+$ is simply $\mathbb{Z}[\zeta_f + \zeta_f^{-1}]$. The embeddings $\sigma_1, \sigma_{-1}$
both fix every element in $K^+$ and the relative norm is
$N_{K/K^+}(a) = \sigma_1(a) \cdot \sigma_{-1}(a) = a \cdot \bar{a}$. If we represent a as a polynomial
$a(x) = \sum_{i=0}^{n-1} a_i x^i \in \mathbb{Q}[x]/\Phi_f(x)$,
then $\bar{a}(x) = a(1/x) = a_0 - \sum_{i=1}^{n-1} a_i x^i$.
Ideals in the Ring of Integers. The ring of integers $\mathcal{O}_K$ of a number field K
of degree n is a free $\mathbb{Z}$-module of rank n, i.e. the set of all $\mathbb{Z}$-linear combinations
of some integral basis $\{b_1, \ldots, b_n\} \subset \mathcal{O}_K$. It is also a $\mathbb{Q}$-basis for K. In the case
of a cyclotomic field, the power basis $\{1, \zeta_f, \ldots, \zeta_f^{n-1}\}$ is an integral basis of the
cyclotomic ring $\mathbb{Z}[\zeta_f]$, which is isomorphic to $\mathbb{Z}^n$ with $n = \varphi(f)$.
It is well known that
$$\mathrm{Vol}(\mathbb{Z}[\zeta_f])^2 = \frac{f^{\varphi(f)}}{\prod_{p \mid f} p^{\varphi(f)/(p-1)}}.$$
In particular, if f is a power of two, $\mathrm{Vol}(\mathbb{Z}[\zeta_f]) = (f/2)^{f/4}$. In this case, we also
have that $(\zeta_f^i)_{i=0}^{f/2-1}$ is an orthogonal basis for the norm $\|\cdot\|$.
Lattices. Let $B = \{b_1, \ldots, b_n\}$ be a basis of a lattice $\mathcal{L}$. Given B, the LLL
algorithm outputs a vector $v \in \mathcal{L}$ satisfying $\|v\|_2 \le 2^{n/2} \cdot \det(\mathcal{L})^{1/n}$ in polynomial
time in the size of its input.

Theorem 1 (Minkowski). For any lattice $\mathcal{L}$ of dimension n, there exists
$x \in \mathcal{L} \setminus \{0\}$ with $\|x\| \le \sqrt{n}\,\mathrm{Vol}(\mathcal{L})^{1/n}$.

We give a theorem for estimating the running time of lattice based algorithms:
Theorem 2. Given a lattice $\mathcal{L}$ of dimension n, we can find a non-zero vector
in $\mathcal{L}$ of norm less than $\beta^{n/\beta}\,\mathrm{Vol}(\mathcal{L})^{1/n}$ in deterministic time smaller than $2^{O(\beta)}$
times the size of the description of $\mathcal{L}$, for any β < n/2. With $b_i^*$ the
Gram-Schmidt norms of the output basis, we have $b_i^*/b_j^* \le \beta^{O((j-i)/\beta + \log\beta)}$. Furthermore,
the maximum of the Gram-Schmidt norms of the output basis is at most
the maximum of the Gram-Schmidt norms of the input basis.

Proof. Combine the semi-block Korkin-Zolotarev reduction [40] and the efficient
deterministic shortest vector algorithm [36] with block size Θ(β) for the first
point. Schnorr’s algorithm combines the use of LLL reduction on a (possibly)
linearly dependent basis, which is known to not increase the maximum of the
Gram-Schmidt norms, and the insertion of a vector in position i whose projected
norm is less than $b_i^*$. Also, the $b_i^*$ decrease by a factor of at most $\beta^{O(\log\beta)}$ in
a block, and the first Gram-Schmidt norms of blocks decrease by a factor of at
most $\beta^{O(\beta)}$. □

Lattice Analysis. We also use the GSA assumption [41], which states that the
Gram-Schmidt norms output by a lattice reduction follow a geometric sequence.
If we draw the curve with the log of the Gram-Schmidt norms, we see a line
with slope log β/β in the case of BKW (it is not accurate for the last ones, which
follow a parabola instead). Usually, we use the fact that the minimum of the
Gram-Schmidt norms has to be smaller than the norm of the smallest vector in
Another random document with
no related content on Scribd:
him for four years holding the place of konzertmeister in Liszt’s
orchestra at Weimar. Then he is konzertmeister in Hannover, where
he married Amalie Weiss, a singer of unrivalled art. Still later he went
to Berlin, where, as teacher and quartet leader, he stood for the very
highest ideals of his art. The famous Joachim quartet, which his spirit
may be said almost to have created, consisted of Joachim, De Ahna
(1835-1892), once a pupil of Mayseder, Emanuel Wirth, violist, who
succeeded Rappoldi in 1877, and Robert Hausmann (1852-1909).
De Ahna was succeeded by J. C. Kruse (b. 1859), and Kruse in
1897 by Karl Halir. Joachim gave himself with deepest devotion to
the study of Beethoven’s works; and probably his performances of
the last quartets of Beethoven have established a standard of
excellence in chamber music which may never be exalted further.
Brahms wrote his violin concerto especially for Joachim, who alone
for many years was able to play it. Here is but another case where
the great virtuoso stands behind the great composer. Kreutzer,
Clement, and Rode all have entered in spirit into the immortality of
great music through Beethoven. David stands behind the concerto of
Mendelssohn, Joachim behind that of Brahms.

So, too, there is a great virtuoso just behind three of the most
successful of modern concertos: Sarasate behind the first concerto
of Lalo, the very substance of Bruch’s second concerto and his
Scottish Fantasia. Pablo de Sarasate (1844-1908) came from his
native land of Spain to Paris in 1856. Already as a boy of ten he had
astonished the Spanish court. Into his small hands had already come
a priceless Stradivari, gift of the queen of Spain. After three years’
study under Alard in Paris he entered upon his career of virtuoso,
which took him well over the face of the world, from the Orient to the
United States. The numerous short pieces which he has composed
are tinged with Spanish color. There are gypsy dances, Spanish
dances, the Jota Aragonesa, romances and fantasias, all of which
are brilliant and many of which are at present among the favorite
solos of all violinists.

The Norwegian violinist, Ole Bull (1810-1880), who achieved an
international fame, should be mentioned in this connection. His
compositions, in slight forms or transcriptions, enjoyed considerable
popularity.

On the whole the technique of violin playing has hardly advanced
beyond Paganini. Practically little or no advance has been possible.
But undoubtedly this once miraculous technique is now within the
grasp of all the great virtuosi of the present day. To mention these
would go beyond the purpose of this chapter, which has been, in so
far as possible, to select from the list of hundreds a few men that
have united, so to speak, the technique of the violin to the general
progress of music, through their influence as players, as teachers, as
composers, or as mentors, so far as violin music is concerned, to
greater composers.

The mass of music composed by the great violinists of the
nineteenth century is immense. The works of large proportions as
well as those of small were composed with perhaps the chief aim of
revealing the scope of the instrument; and as for the concertos it is
hardly unfair to say that they were composed with the additional
purpose of offering to the composer the best chance to display his
individual style as a player. Certainly of these many composers
Spohr and Vieuxtemps were the most capable as musicians in a
general way; and as it must be granted that both were at their best in
the performance of their own concertos, so it may be said that their
concertos rose to their highest value under the fingers of their
creators. To that same value they have not otherwise risen.

The concerto is, after all, a long piece of music in symphonic
proportions, and time seems to have proved that it must justify itself
by more than display of the special qualities of a certain instrument.
There must be in addition to this something of genuine musical
value. The thoughts which it expresses—for so we must name the
outpourings of a musical inspiration which have no substance but
sound—must be first worthy of expression. There must be melody
and harmony of distinct and vivid character. These the concertos of
the violin-composers oftenest lack; and therefore from the point of
view of pure music, one finds in them a lack not only of originality but
of strength.

Their short pieces stand a better chance of a longer life, because in
them a slender idea is not stretched to fill a broad form, and because
for a short time sheer beauty of sound, such as the violin is capable
of, and dexterity of fingers are a sufficient delight to the ear.

VII
In turning to the violin pieces of the great masters of music one finds
first and foremost ideas, great or charming, which are wholly worthy
of expression. As these find their outlet in music in melody, harmony,
and rhythm, and take their shape in form, melody becomes
intensified and suggests as well as sings, harmony is enriched, form
developed and sustained. Only the solo sonatas of Bach have
demanded such manifold activity from the violin alone. Other
composers have called to the aid of their ideas some other
instrument—pianoforte, organ, or orchestra. The great masters have
indeed placed no small burden of the frame and substance of such
compositions on the shoulders of this second instrument, usually the
pianoforte. Hence we have music which is no longer solo music for
the violin, but duets in which both instruments play an obbligato part.
Such are the violin sonatas of Beethoven, Brahms, César Franck
and others, thoroughly developed, well-articulated and often truly
great music.

Beethoven wrote ten sonatas for pianoforte and violin, all but one
between the years 1798 and 1803. This was a time when his own
fame as a virtuoso was at its height, and the pianoforte part in all the
sonatas calls for technical skill and musicianship from the pianist.
Upon the violinist, too, they make no less claim. In fact Beethoven’s
idea of this duet sonata as revealed in all but the last, that in G
major, opus 96, is the idea of a double concerto, both performers
displaying the best qualities and the most brilliant of their
instruments, the pianist at the same time adding the harmonic
background and structural coherence which may well be conceived
as orchestral. It is not surprising then to find in these works
something less of the ‘poetic idea’ than may be discovered, or has
been, in the sonatas for pianoforte alone, the string quartets, and the
symphonies. Beethoven is not concerned solely with poetic
expression in music. And not only many of the violin sonatas, but the
horn sonata and the 'cello sonatas, were written for a certain player,
and even for a special occasion.

Of the three sonatas, opus 12, written not later than 1798 and
dedicated to the famous Italian Salieri, then resident in Vienna, little
need be said. On the whole they are without conspicuous distinction
in style, treatment, or material; though certain movements, especially
the slow movements of the second and third sonatas, are full of deep
feeling. Likewise the next two sonatas, that in A minor, opus 23, and
that in F major, opus 24, are not of great significance in the list of
Beethoven’s works, though the former speaks in a highly
impassioned vein, and the latter is so frankly charming as to have
won for itself something of the favor of the springtime.

Shortly after these Beethoven composed the three sonatas, opus 30,
dedicated to the Czar of Russia, in which there is at once a more
pronounced element of virtuosity and likewise a more definite poetic
significance. The first and last of this set are in A major and G major,
and show very clearly the characteristics which are generally
associated with these keys. The former is vigorous, the latter
cheerful. Both works are finely developed and carefully finished in
style, and the Tempo di minuetto in the latter is one of the most
charming of Beethoven’s compositions. The sonata in C minor which
stands between these two is at once more rough-hewn and
emotionally more powerful.

The sonata in A, opus 47, is the ninth of the violin sonatas of
Beethoven. It was written especially for the English violinist, George
Bridgetower, with whom Beethoven played it for the first time on the
17th or 24th of May, 1803. According to the violinist himself, who
was, by the way, a mulatto and exceedingly mannered, he altered a
passage in this performance of the work which greatly pleased
Beethoven. However this may be, Beethoven later fell out with him,
and subsequently dedicated the sonata to the great violinist
Rodolphe Kreutzer, who came to Vienna in the suite of General
Bernadotte. It has since been known as the Kreutzer Sonata. It is an
imposing and brilliant work, but it may be fairly said that it owes its
general popularity to the favor of virtuosi to whom it offers a grateful
test of technical ability. Emotionally the first movement alone is of
sustained and impressive meaning. The theme of the Andante is of
great sweetness, but the variations are hardly more than a series of
more and more elaborate ornamentations, designed for the benefit of
the players. The brilliant last movement seems to have been first
conceived for the preceding sonata in A major, opus 30, No. 1.

Toward the end of 1812 the French violinist, Pierre Rode, came to
Vienna, and to this event alone is probably due the last of
Beethoven’s sonatas for pianoforte and violin. If he had set out to
exhaust the possibilities of brilliant effect in the combination of the
two instruments, he achieved his goal, as far as it was attainable
within the limits of technique at that time, in the Kreutzer Sonata.
Then for a period of nine years he lost interest in the combination.
When he turned to it again, for this sonata in G, opus 96, it was with
far deeper purpose. The result is a work of a fineness and reserve,
of a pointed style, and cool meaning. It recalls in some measure the
Eighth Symphony, and like that symphony has been somewhat
eclipsed by fellow works of more obvious and striking character. Yet
from the point of view of pure and finely-wrought music it is the best
of the sonatas for pianoforte and violin. Mention has already been
made of the first performance of the work, given on the 29th of
December, 1812, by Rode and Beethoven’s pupil, the Archduke
Rudolph.

The concerto for violin and orchestra, opus 61, must be given a
place among his masterpieces. It belongs in point of time between
the two great pianoforte concertos, in G major and E-flat major; and
was first performed by the violinist Franz Clement, to whom it was
dedicated, at a concert in the Theater an der Wien, on December 23,
1806. Difficult as the concerto is for the violinist, Beethoven has
actually drawn upon only a few of the characteristics of the
instrument, and chiefly upon its power over broad, soaring melody.
He had written a few years earlier two Romances, opus 40 and opus
50, for violin and orchestra, which may be taken as preliminary
experiments in weaving a solo-violin melody with the many strands
of the orchestra. The violin part in the concerto is of noble and
exalted character, and yet at the same time gives to the instrument
the chance to express the best that lies within it.

The plan of the work is suggestively different from the plan of the last
two concertos for pianoforte. In these Beethoven treats the solo
instrument as a partner or at times as an opponent of the orchestra,
realizing its wholly different and independent individuality. At the very
beginning of both the G major and the E-flat major concertos, the
piano asserts itself with weight and power equal to the orchestra’s,
and the ensuing music results as it were from the conflict or the
union of these two naturally contrasting forces. The violin has no
such independence from the orchestra, of which, in fact, it is an
organic member. The violin concerto begins with a long orchestral
prelude, out of which the solo instrument later frees itself, as it were,
and rises, to pursue its course often as leader, but never as
opponent.[52]

The few works by Schubert for pianoforte and violin belong to the
winter of 1816 and 1817, and, though they have a charm of melody,
they are of relatively slight importance either in his own work or in
the literature for the instrument. There are a concerto in D major;
three sonatinas, in D, A minor, and G minor, opus 137, Nos. 1, 2, 3;
and a sonata in A, opus 162.

There are two violin sonatas by Schumann, in A minor, opus 105,
and in D minor, opus 121. Both are works belonging to the last years
of his life, and both reflect a sad and gloomy spirit; but both contain
much that is rarely beautiful. They will strike the ear at once as more
modern than those of Beethoven, mostly of course because of the
treatment of the pianoforte. Here it may well be mentioned that
improvements in the pianoforte rather changed the problem of
writing duet sonatas such as these. The new power of the instrument
might easily threaten the violin with extinction. On the whole
Schumann’s handling of the combination is remarkably successful.
He is inclined now and then to treat the pair of instruments in unison
—as in the first movement of the sonata in A minor—which is a rank
waste of the beauties which the diversity in the natures of pianoforte
and violin makes possible. On the other hand, such a movement as
that in G major in the second sonata, its unusual beginning with a
melody given by the violin in pizzicato chords, and its third statement
of the melody in rich double-stops, is a masterpiece.[53]

The only considerable contribution by Mendelssohn to the literature
of the violin is the concerto written for and first performed by
Ferdinand David. A sonata in F minor, opus 4, is without distinction.
But the concerto must be reckoned as one of Mendelssohn’s
greatest works. Certainly, standing as it does between the concerto
of Beethoven, on the one hand, and that of Brahms, on the other, it
cannot but appear small in size and slight in content. But the themes,
especially the chief theme of the first movement, are well chosen,
the orchestral part exquisitely and thoroughly finished, and the
treatment of the violin, thanks to David, smoothly effective. The
cadenza—is it Mendelssohn or David?—is of sterling worth, and it is
happily arranged in the movement as a whole before the third
section, so that the hearer has not the shock which accompanies the
enforced dragging in of virtuoso stuff in most cadenzas. It glides
naturally out of what came before, and slowly flows back into the
course of the movement.

There are three violin sonatas by Brahms which hold a very high
place in music. The first, opus 78, in G major, was written after the
first and second symphonies and even the violin concerto had been
made public (Jan. 1, 1879). It has, perhaps, more than any of his
earlier works, something of grace and pleasant warmth, of those
qualities which made the second symphony acceptable to more than
his prejudiced friends. Certainly this sonata, which was played with
enthusiasm by Joachim all over Europe, made Brahms’ circle of
admirers vastly broader than it had been before.

The workmanship is, of course, highly involved and recondite. There
is a thematic relationship between the first and last movements,[54]
and the themes and even the accompaniment are put to learned
uses. But the style is gracious and charming, the treatment of the
violin wholly satisfactory, and the combination of the two instruments
close and interesting.

The second sonata, opus 100, did not appear until seven years after
the first. Here again there is warmth and grace of style, though the
impression the work makes as a whole is rather more serious than
that made by the earlier sonata. Of course at a time when Brahms
and Wagner were being almost driven at each other by their ardent
friends and backers the resemblance between the first theme of this
sonata in A major and the melody of the Prize Song in the
Meistersinger did not pass unnoticed. The resemblance is for an
instant startling, but ceases to exist after the first four notes.

The third sonata, that in D minor, opus 108, appeared two years
later. On the whole it has more of the sternness one cannot but
associate with Brahms than either of those which precede it. There
are grotesque accents in the first movement, and also a passage of
forty-six measures over a dominant pedal point, and even the
delightful movement in F-sharp minor (un poco presto e con
sentimento) has a touch of deliberateness. The slow movement on
the other hand is direct, and the last movement has a strong, broad
swing.

No violin sonatas show more ingenuity in the combining of the two
instruments than those of Brahms. Mr. Thomas F. Dunhill in his book
on Chamber Music,[55] chooses from each of them a passage which
really represents a new effect in this field of which one would have
thought all the effects discovered.

The concerto for violin and orchestra stands among Brahms’
supreme achievements, a giant among concertos matched only by
that of Beethoven. It is not a matter for surprise that Brahms, who in
many ways deliberately tried to follow Beethoven, and who even
here chose the same key (D major) that Beethoven chose for his
concerto, chose likewise the old-fashioned form of concerto. The
work gains ponderance by reason of the long orchestral introduction
in both the first and second movements. There is, likewise, as in the
pianoforte concertos, too conscious a suppression of superficial
brilliance. But what is this slight heaviness compared to the soaring
power of its glorious themes? Truly the violin rises high above the
orchestra as on wings of light.

The treatment of the violin relates the concerto to Joachim even
more definitely than the dedication. It is full of the most exacting
difficulties, some of which in the last movement gave even Joachim
pause. The double-stops, however, and the frequent passages in
two voices were, after all, effects in which Joachim was especially
successful. Some of the close co-operation of the two great masters
on this single great masterpiece is revealed in the correspondence
which passed between Joachim and Brahms and happily has been
preserved.

VIII
Turning now to music in its more recent developments, we shall find
that each nation has contributed something of enduring worth to the
literature of the violin. Certainly, high above all modern sonatas, and
perhaps above all sonatas for pianoforte and violin, stands that by
César Franck, dedicated to M. Eugène Ysaÿe. By all the standards
we have, this work is immortally great. From the point of view of style
it presents at their best all the qualities for which Franck’s music is
valued. There are the fineness in detail and the seemingly
spontaneous polyphonic skill, the experiments, or rather the
achievements in binding the four movements into a unified whole by
employing the same or cognate thematic material in all, the
chromatic alterations of harmonies and the almost unlimited
modulations. Besides these more or less general qualities, the
pianoforte and the violin are most sympathetically combined, and the
treatment of both instruments is varied and interesting. Franck’s
habit of short phrases here seems wholly proper, and never
suggests as it does in some of his other works a too intensive
development of musical substance. In short this sonata, full of
mystical poetry, is a flawless masterpiece, from the opening
movement that seems like a dreamy improvisation, to the sunny
canon at the end of the work.

This is by no means the only brilliant accomplishment of the French
composers in violin music. Lalo’s Concerto in F minor, opus 20, and
his Spanish Symphony for violin and orchestra, opus 21, must be
given a place among the most successful of modern compositions.
They were both composed between 1873 and the beginning of 1875.
Both were dedicated to Sarasate, whose influence contributed not a
little to their perfection of style, and who was the first to play them in
public. The ‘Spanish Symphony’ was greatly admired by
Tschaikowsky and apparently put the thought of writing his own
concerto into his head. In a letter to Mme. von Meck, written in
March, 1878, he showed a positive enthusiasm for Lalo’s work which
had recently become known to him through the performance by the
‘very modern’ violinist Sarasate. And of Lalo he wrote that, like Léo
Delibes and Bizet, he shunned studiously all routine commonplaces,
sought new forms without wishing to appear profound, and, unlike
the Germans, cared more for musical beauty than for mere respect
of the old traditions. Besides these two concertos Lalo wrote within
the next few years a ‘Romance-Serenade,’ a ‘Norwegian Fantasia,’
and a Concerto Russe, for violin and orchestra.

Sarasate seems to have stimulated almost all of the composers with
whom he came in contact. Saint-Saëns wrote three concertos for
violin and orchestra, opus 20, in A major, opus 58, in C major, and
opus 61, in B minor, and dedicated all to Sarasate. Of these the third
is the broadest in form and the most impressing, and is a favorite
among its fellows as the second concerto for pianoforte, opus 22, is
among the five works in that form. It was composed in 1880 and
played for the first time by Sarasate. Saint-Saëns wrote besides
these three concertos an ‘Introduction and Rondo Capriccioso,’ opus
28, a ‘Romanze,’ opus 48, and a ‘Concert Piece,’ opus 62, for violin
and orchestra, and two sonatas—opus 75, in D minor, and opus 102,
in E-flat major—for violin and pianoforte. There is also a brilliant
Havanaise, opus 83, for violin and orchestra.

There is a sonata for violin and piano by Gabriel Fauré, opus 13,
which has won favor, and which Saint-Saëns characterized as
géniale. The year 1905 heard the first performance of the admirable
violin sonata in C major of M. Vincent d’Indy.

Among the Scandinavian composers Grieg holds the highest rank,
and his three sonatas for violin and pianoforte are among the favorite
compositions for this combination. Their charm is like that of his
other works, and consists not a little in the presence of a distinct
national idiom which, until one becomes thoroughly used to it, strikes
the ear with delightful freshness. The three sonatas are respectively
opus 8, in F major, opus 13, in G major, and opus 45, in C minor.
The last is a fiery, dramatic work. The two earlier ones are
characterized by grace and charm. With the exception of the
pianoforte concerto in A minor, Grieg showed himself nowhere more
successful than in these sonatas in the treatment of form. His ideas
are generally slight, and his workmanship delicate and refined.
Hence he is at his best in short pieces. But the violin sonatas are on
the whole well sustained, and the themes in the last of them, and
particularly the chief theme of the first movement, have a breadth
quite unusual in the great part of his music.

Of far broader conception, however, than the sonatas, are the two
brilliant concertos by Christian Sinding, the first in A major, opus 45,
the second in D major, opus 60. Concerning his music in general M.
Henry Marteau, the eminent French violinist who introduced the first
concerto to the public and who is a close friend of Sinding, has
written: ‘He is very Norwegian in his music, but less so than Grieg,
because his works are of far broader conception and would find
themselves cramped in the forms that are so dear to Grieg.’[56]

Among the Russians, Tschaikowsky’s concerto for violin in D major,
opus 35, is one of the greatest written for the instrument. Of
Tschaikowsky’s admiration for the Spanish Symphony of Lalo,
mention has already been made. After this had prompted him to
write a concerto of his own, the work went on with astonishing
rapidity; was, in fact, roughly on paper within the space of a month. It
was first performed on December 4, 1884, at a Philharmonic concert
in Vienna by Adolf Brodsky (b. 1851). It was originally dedicated to
Leopold Auer (b. 1845), but Tschaikowsky later re-dedicated it to
Brodsky, having heard that Auer had dissuaded Émile Sauret from
playing it in Petrograd. As to the difficulties of the work much may be
gleaned from a letter written by Brodsky to Tschaikowsky after the
first performance. Among other things he wrote: ‘I had the wish to
play the concerto in public ever since I first looked it through. * * * I
often took it up and often put it down, because my laziness was
stronger than my wish to reach the goal. You have, indeed, crammed
too many difficulties into it. * * * One can play it again and again and
never be bored; and this is a most important circumstance for the
conquering of its difficulties.’[57]

Of the three movements only the last (allegro vivacissimo, 2-4, D
major) has a distinctly Russian flavor. This comes to it not only from
the nature of the two chief themes, which are in the character of
Russian folk-songs, but from the gorgeous coloring, both harmonic
and orchestral, the wildness of climaxes, and the Slavic idiom of
repeating a single phrase over and over again. It is a riotous piece of
music, this last movement, full of an animation, almost a madness
which is intoxicating. Hanslick heard in it only the brutal and
wretched jollity of a Russian Kermesse; but his fierce judgment has
not been supported by the public or by the profession.

There is a concerto for violin in A minor, opus 82, by Alexander
Glazounoff, composed in 1904 and first performed at a Queen’s Hall
concert in London, by Mischa Elman, on October 17, 1905. The work
is dedicated to Leopold Auer, to whom, as has just been mentioned,
Tschaikowsky originally dedicated his concerto for violin. It is a work
without distinction.

Modern Violinists. From top left to bottom right: Pablo Sarasate, Fritz Kreisler, Eugène Ysaÿe, Jacques Thibaud.

The violin concerto of Sibelius in D minor, opus 47, was composed in
1905 and first played by Karl Halir in Berlin, October 19, 1905. It is a
work of far greater power than that of Glazounoff. Mrs. Rosa
Newmarch in her monograph on Sibelius,[58] likens the difficulties in
it to those of the Tschaikowsky concerto, which were for a while
considered insurmountable. The concerto is in three movements of
which the first is gloomy and forbidding, though poignant in the
extreme, the second noble and more classic, the last—the coda of
which was added by Pietro Floridia—savagely effective.

In Germany we meet with Sarasate again in the second concerto
and Scottish Fantasy by Max Bruch. These are the best known of
Bruch’s works for violin and orchestra, among which may be
mentioned a first concerto, opus 26, in G minor, a Romance, opus
42, an Adagio Appassionato, opus 57, and a Serenade, opus 75.
The second concerto, opus 44, was, according to Bruch, inspired by
stories of the Carlist wars in Spain, told by Sarasate. It was
composed in Bonn in 1877, ten years after the first, and was first
publicly performed by Sarasate, in London, during the fall of that
year. In form it is free and rhapsodical, consisting of an adagio
movement, then a movement in recitative style, and a final rondo. All
through the work the solo violin predominates. The Scottish
Fantasia, composed a year or two later, was dedicated to Sarasate.
The use of Scotch songs in the five movements is so free that
English critics could hardly recognize them, and were angry.

Among more recent works for the violin by German composers the
sonata by Richard Strauss stands conspicuous. This is an early work
—opus 18—and its popularity is already on the wane. There is a
concerto in A major, opus 101, by Max Reger, and a Suite im alten
Stil for violin and piano, opus 93. There are concertos by Gernsheim,
as well: but on the whole there has been no remarkable output of
music for the violin in Germany since that of Brahms and of Max
Bruch.

Karl Goldmark, the Bohemian composer, has written two concertos,
of which the first, opus 28, in A minor, offers an excellent example of
the composer’s finished and highly pleasing style. The second
concerto, without opus number, is among his later works. Two suites
for piano and violin, opus 11 and opus 43, were made familiar by
Sarasate. Dvořák’s concerto, opus 53, has been frequently played.
He composed as well a Romance, opus 11, for violin and orchestra,
and a sonatina, opus 100, for violin and pianoforte. The works of
Jenö Hubay are of distinctly virtuoso character.

The Italian Leone Sinigaglia became known to the world by his
concerto for violin, opus 20, in A major, played in Berlin in 1901 by
his countryman, Arrigo Serrato. Later works include a Rapsodia
piemontese for violin and orchestra, and a Romance for the same
combination, opus 29. The violin music of Emanuel Móor, including a
concerto and a remarkably fine suite for violin unaccompanied, has
yet to be better known. Georges Enescou first attracted attention by
compositions for the violin. On the whole, however, it may be said
that the violin is awaiting a new contribution to its literature. This
contribution is doubtless delayed by the great attention given at the
present day to the piano, the orchestra, or other combinations of
instruments, by which the modern growth in harmony and the
change in ideas of polyphony may be given a full expression. Until
these various ideas have become firmly rooted and well-grown, the
violin will profit but vicariously by them.

FOOTNOTES:
[51] This famous arrangement was published by the Maison Richault in Paris as
Thème de Rode, chanté avec variations dans le Barbier de Séville en Italien par
Mmes. Sontag, Alboni, Trebelli; en français par Mlle. Maria Bailly; paroles
françaises d’Adolph Larmande, avec accompagnement de piano par L. Moreau.
See Notice sur Rode, by F. A. A. Paroisse-Pougin (Paris, 1874).

[52] See Paul Bekker: ‘Beethoven.’ Berlin, 1913.

[53] Joachim had in his possession a concerto for violin by Schumann, written
likewise near the end of his life.

[54] The theme of the last movement can be found in two songs, Regenlied and
Nachklang, opus 59, published seven years earlier.

[55] ‘Chamber Music.’ London, 1913.

[56] See Song Journal, November 10, 1895.

[57] See Modest Tschaikowsky: ‘Life of Peter Ilyitch Tschaikowsky.’

[58] ‘Jean Sibelius, a Finnish Composer.’


CHAPTER XIV
THE BEGINNINGS OF CHAMBER MUSIC
The term ‘chamber music’; fifteenth-century dances; lute music,
early suites; vocal ‘chamber music’—Early ‘sonatas’: Gabrieli;
Rossi; Marini; etc.—Vitali, Veracini, Bassani and Corelli; Corelli’s
pupils; Vivaldi; Bach and Handel.

I
In giving an account of early chamber music we may confine
ourselves to the consideration of early instrumental music of certain
kinds, although the term at first did not apply to pure instrumental
music alone. Chamber music in the sixteenth century meant
instrumental or vocal music for social and private purposes as
distinguished from public musical performances in churches or in
theatres. In its modern sense chamber music applies, of course, only
to instrumental ensembles, and it is therefore not necessary to dwell
upon the vocal side of chamber music beginnings, except where, as
in its incipient stages, music was written for both kinds of
performances.[59] In searching for examples of early chamber music,
therefore, we must above all consider all such music, vocal or
instrumental, as was not composed for the use of the church or
theatre. Properly speaking the accompanied art-songs of the
fourteenth and fifteenth centuries, which were discussed in Vol. I,
Chapter IX, of our narrative history, represent the very beginnings of
artistic instrumental music that during the following three centuries
developed into pure instrumental chamber music. In forwarding this
development the dance music of the period and other instrumental
compositions of the fifteenth century were important factors.

The fifteenth century dances such as the Pawirschwantz, the
Fochsschwantz, and others, employed the polyphonic style peculiar
to the vocal compositions of the time. They lacked inspiration and
were of a restless character because of frequent changes of rhythm.
There was little to distinguish them from each other; they were in
fact, in the words of Michael Prætorius, ‘as like as eggs,’ and their
general character was not different from that of the vocal
compositions of the same period. Probably no modern ear could
listen to them with enjoyment.

Presumably this music was to be played on any instrument, without
differentiation. No single instrument was especially favored until the
following century, when the perfection and the popularity of the lute
helped to bring chamber music into existence. This instrument was
indeed so highly perfected and the players so skilled that they were
able to perform upon it even difficult polyphonic works. This gave an
opportunity to the people to become acquainted, through private
performances, with a great number of musical compositions. To
satisfy the demands of their friends lutenists arranged and
transcribed for their instruments all kinds of compositions, including
even entire six-part masses. While these arrangements served their
purpose they were probably not more satisfactory than the pianoforte
arrangement of orchestral scores today. Pieces of polyphonic
character were also composed directly for the lute, and bore such
names as Ricercar, Fantasia, Præludium, Preambel, Trio, Trium,
Toccata, Tartar le corde, etc. Besides this the lutenists produced a
large amount of music in a more popular vein, popular tunes,
dances, and descriptive pieces including ‘battles,’ ‘echoes,’
‘bird-songs,’ in which the composer’s intention was often not self-evident.
