By Ronald Cramer (auth.), Kenneth G. Paterson (eds.)

This ebook constitutes the refereed complaints of the thirtieth Annual overseas convention at the conception and purposes of Cryptographic ideas, EUROCRYPT 2011, held in Tallinn, Estonia, in could 2011.

The 31 papers, provided including 2 invited talks, have been conscientiously reviewed and chosen from 167 submissions. The papers are equipped in topical sections on lattice-base cryptography, implementation and part channels, homomorphic cryptography, signature schemes, information-theoretic cryptography, symmetric key cryptography, assaults and algorithms, safe computation, composability, key based message defense, and public key encryption.

To complete the proof, it suﬃces to show that L(a× , IS× ) ⊆ 1q a⊥ (IS ). It can be seen by considering the elements of L(a× , IS ) corresponding to s = 1. , much shorter 1 1 |S| than guaranteed by the Minkowski upper bound det(L(a, IS )) mn = q (1− m ) n (we have det(L(a, IS )) = q (m−1)|S| because there are q n+(m−1)(n−|S|) points of L(a, IS ) in the cube [0, q − 1]mn ). Note that our lower bound approaches the |S| Minkowski bound as |S| n approaches 1, but becomes progressively looser as n 1 drops towards ≈ 1 − m .

Second phase. Eventually, A enters the second phase of the active attack, expecting a challenge from Vτ ,n (s ∈ Z22 ). 1. B O forwards v∗ as the challenge to A. 2. A answers with some (R∗ , z∗ ). 3. B O checks if rank(R∗ ) = n and wt(z∗ ⊕ R∗ T · x∗↓v∗ ) ≤ n · τ . 5) The output is 1 if both checks succeed and 0 otherwise. Claim 2. Pr[B U2 +1 (·) → 1] ≤ ατ ,n . Proof (of Claim). If R∗ does not have full rank then B outputs 0 by deﬁnition. Therefore, we now consider the case where rank(R∗ ) = n. , z = z0 ⊕ z1 is uniform as z1 is uniform).

Let n ≥ 8 be a power of 2 such that Φ = xn + 1 splits into n linear factors modulo prime q ≥ 5. Let σ ≥ n ln(2n(1 + 1/δ))/π · q 1/n , for an arbitrary δ ∈ (0, 1/2). Let a ∈ R and p ∈ Rq× . Then Prf ← DZn ,σ [(p · f + a mod q) ∈ Rq× ] ≤ n(1/q + 2δ). Proof. We are to bound the probability that p · f + a belongs to I := q, Φk by 1/q + 2δ, for any k ≤ n. The result then follows from the Chinese Remainder √ Theorem and the union bound. We have N (I) = q, so that λ1 (I) ≤ nq 1/n , by Minkowski’s theorem.