Good morning, everybody. I'm very honored to give my presentation today. My talk is about faster algorithms for approximate common divisors, and it breaks a fully homomorphic encryption challenge over the integers. This is joint work by my supervisor, Phong Nguyen, and myself. Here is the plan of my presentation. I will start with a brief motivation, then introduce the problem, explain our approach, and present our results. We also found that our algorithm is useful in a number of other applications in cryptanalysis, so I will introduce those other applications as well, for example in noisy factoring and low-exponent RSA. Finally, I will give a brief conclusion. Fully homomorphic encryption schemes are more and more popular, with many new schemes proposed each year, and they are interesting because they allow us to compute on encrypted data. But very few of these schemes come with concrete parameters. On this slide I have marked in green the schemes that do come with parameters, and even then, this is a very incomplete list of all the schemes. These schemes can be based on different hard problems: for example, on ideal lattices, on the approximate GCD problem, and on other assumptions as well. So a very natural question is: how secure are these systems? In our work, we focus on the schemes proposed by van Dijk et al. and by Coron et al., which are based on the approximate common divisor problem introduced by Howgrave-Graham in 2001. The scheme of Coron et al. uses this problem with very unusual parameters, involving very large numbers, so it was not clear what the best attack is.
In our work, we propose an algorithm with a time/memory trade-off for algebraic exhaustive search, which gives an improved attack on the fully homomorphic encryption scheme of Coron, Mandal, Naccache and Tibouchi (CMNT 2011). Beyond that, we also give several other applications of our algorithm in cryptanalysis: for example, it can be applied to some cases of RSA and of factoring. A similar time/memory trade-off trick already appeared in Strassen's factoring algorithm, but we show new uses of it. Let me now explain the approximate common divisor problem; then I will explain our approach and present our results. In this problem, the secret is a big prime p, and we are given the x_i's, which are near-multiples of p: each x_i is a multiple of p plus some very small noise. The question is: given these x_i's, how do we recover the secret prime factor p? If there were no noise, the problem would be quite easy. Given exact multiples of p, to recover the factor p we simply compute the greatest common divisor of x_0 and x_1. This operation is cheap; a gcd costs only about five times as much as a multiplication. But now there is a little noise on the x_i's, so they are not exact multiples of p, only approximate ones, and the problem of recovering p from the x_i's becomes extremely hard. A very direct method is enumeration: we enumerate all possible noise values, and for each guess i we compute gcd(x_0, x_1 − i). Among all these choices of i, only one makes x_1 − i an exact multiple of p, and for that one case the gcd of the two numbers returns p.
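As a toy illustration of this naive enumeration (my own sketch, not the authors' code; it assumes x_0 is an exact multiple of p and that the noise on x_1 is non-negative and below a known bound):

```python
from math import gcd

def naive_attack(x0, x1, noise_bound):
    """Brute-force the noise on x1: for exactly one shift i,
    x1 - i is an exact multiple of p, and gcd(x0, x1 - i) = p
    (all other shifts give only small accidental factors)."""
    return max(gcd(x0, x1 - i) for i in range(noise_bound))

# toy example: p = 10007, x0 = p*121 (exact), x1 = p*456 + 5 (noisy)
print(naive_attack(10007 * 121, 10007 * 456 + 5, 16))  # -> 10007
```

Taking the maximum over all shifts is a simple way to pick out the one gcd that equals p rather than a small accidental factor.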
But for all the other values of i, the gcd returns something small. Based on this observation, we already get our first trick: we can trade the gcd operations for multiplications, which are cheaper. That is, we first compute the product of all the x_1 − i, and then do one final gcd with x_0. Instead of 2^ρ gcd operations, we do 2^ρ multiplications, which is already about five times faster. But the most important part of our algorithm is a much bigger improvement in computing this product. In this product, we enumerate the noise over the set S of all ρ-bit strings: we enumerate 0 and 1 for each bit. And the set S is quite structured: we can decompose it as the direct sum of two other sets, U and V. For U, we enumerate 0 and 1 over the high-order bits, and for V, we enumerate 0 and 1 over the low-order bits. As a result, every element of S can be written as the sum of an element of U and an element of V, so we say that S is the direct sum of U and V. With this property, we can develop a time/memory trade-off. First, look at the naive way of computing the product: we just multiply the factors one by one, and the complexity is the size of S, which is 2^ρ. But now we can rewrite the single loop over S as a double loop over U and V, because every element of S is the sum of an element of U and an element of V. And look at the inner loop: u_i does not change inside it. So we can pack the inner loop into a polynomial, the product of the factors (x_1 − v − X) over v in V. We compute this polynomial once as the product of these factors, and then we evaluate it at the points u_i, which gives exactly the same result as before.
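This rewriting can be sketched compactly (my own toy code, with naive quadratic polynomial arithmetic; the talk's actual algorithm replaces these loops with quasi-linear product trees and multipoint evaluation, and it assumes here that x_0 is an exact multiple of p and that ρ is even):

```python
from math import gcd

def approx_gcd_tmto(x0, x1, rho):
    """Split S = {0, ..., 2^rho - 1} as u + v with v the low bits
    and u the high bits, build f(X) = prod_{v in V}((x1 - v) - X)
    mod x0, evaluate it at every u in U, and take one final gcd."""
    half = 1 << (rho // 2)                    # |U| = |V| = 2^(rho/2)
    f = [1]                                   # coefficients, constant term first
    for v in range(half):
        c = (x1 - v) % x0
        nf = [0] * (len(f) + 1)
        for j, a in enumerate(f):
            nf[j] = (nf[j] + a * c) % x0      # a*X^j times c
            nf[j + 1] = (nf[j + 1] - a) % x0  # a*X^j times (-X)
        f = nf
    prod = 1
    for u in range(0, half * half, half):     # U = {0, half, 2*half, ...}
        val = 0
        for a in reversed(f):                 # Horner's rule mod x0
            val = (val * u + a) % x0
        prod = prod * val % x0
    return gcd(x0, prod)  # one factor x1 - (u+v) is an exact multiple of p
```

For example, with p = 10007, x_0 = p·10009 and x_1 = p·456 + 5, calling `approx_gcd_tmto(x0, x1, 4)` recovers 10007.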
But this time, the product can be computed in time roughly 2^(ρ/2), the square root of 2^ρ. And since the polynomial is independent of u_i, we can move its construction out of the loop, which gives our final algorithm: we first compute the polynomial, which has degree 2^(ρ/2), and then we evaluate it at 2^(ρ/2) points. So in fact our scheme needs to do two things. First, we construct the polynomial in time quasi-linear in 2^(ρ/2); second, there are already classical algorithms to evaluate this polynomial at 2^(ρ/2) points. Let me explain these two parts, writing 2^s for the number of factors. First, we can construct the polynomial using a product tree, in time quasi-linear in 2^s. Second, we can evaluate a polynomial of degree less than 2^s at 2^s points, also in time quasi-linear in 2^s. How do we do that? The first step is to build a product tree of the linear factors X − a_i, where the a_i are the points we want to evaluate at; this costs quasi-linear in 2^s. The second step is to compute the values f(a_i). Since f(a_i) is just f(X) modulo (X − a_i), the evaluation is really a remainder computation, and by doing it in a clever way with the product tree from the first step, it can also be done in quasi-linear time in 2^s. Let me first show how we build the product tree. We are given 2^s linear factors, and we group them in pairs and compute the product of each pair; at the leaf level there are 2^(s−1) pairs. Then we group the results two by two again, compute the product of each pair, and continue. At each level there are half as many polynomials as at the previous level.
But each polynomial has twice the degree of those at the previous level, so the total cost of every level is almost the same, and after s levels we reach the root. The total complexity is quasi-linear in 2^s. Now I show how to evaluate a polynomial of degree at most 2^s at 2^s points in time quasi-linear in 2^s. The first step is to build the product tree of the factors X − a_i, with the a_i the points to be evaluated; we already saw this can be done in quasi-linear time. The second step is to compute the f(a_i), using the product tree constructed in the first step. As I said, evaluating is really computing remainders, and we do this in a top-down manner. At first we have f(X), of degree 2^s. We reduce f modulo each of the two polynomials at the second level of the product tree; since those polynomials have degree 2^(s−1), the results have half the degree of f. Each time we go down a level, we have twice as many remainders to compute, but each has half the degree, so again the cost of every level is almost the same. When we reach the leaves, we obtain the values f(a_i) for all i, and the total complexity is again quasi-linear in 2^s. This is a time/memory trade-off, because storing the product tree costs memory on the order of 2^s. This finishes the description of the algorithm itself, and here are the results. In the original paper, CMNT proposed four challenges — toy, small, medium, and large — with claimed security levels of 2^42, 2^52, 2^62, and 2^72 operations.
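The two steps just described can be sketched as follows (a schematic version of the classical algorithms, using schoolbook polynomial arithmetic over the integers and assuming the number of points is a power of two; the quasi-linear bound additionally requires FFT-based multiplication, which is omitted here):

```python
def product_tree(points):
    """Bottom-up tree whose leaves are the linear factors (X - a_i);
    polynomials are coefficient lists, constant term first."""
    def mul(f, g):                    # schoolbook product of two polynomials
        h = [0] * (len(f) + len(g) - 1)
        for i, a in enumerate(f):
            for j, b in enumerate(g):
                h[i + j] += a * b
        return h
    tree = [[[-a, 1] for a in points]]
    while len(tree[-1]) > 1:          # pair up and multiply, level by level
        lvl = tree[-1]
        tree.append([mul(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return tree

def poly_mod(f, g):
    """Remainder of f divided by a monic polynomial g."""
    f = f[:]
    while len(f) >= len(g):
        c = f[-1]
        for i in range(len(g)):
            f[len(f) - len(g) + i] -= c * g[i]
        f.pop()
    return f

def multipoint_eval(f, points):
    """f(a_i) = f mod (X - a_i): reduce f top-down along the product
    tree, halving the degree while doubling the number of remainders."""
    tree = product_tree(points)
    rems = [poly_mod(f, tree[-1][0])]
    for level in reversed(tree[:-1]):
        pairs = zip((r for r in rems for _ in (0, 1)), level)
        rems = [poly_mod(r, g) for r, g in pairs]
    return [r[0] if r else 0 for r in rems]

print(multipoint_eval([0, 0, 0, 1], [1, 2, 3, 4]))  # X^3 at 1..4 -> [1, 8, 27, 64]
```

In the attack itself, all coefficient arithmetic is additionally done modulo x_0, which keeps every intermediate number bounded.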
We implemented our algorithm, ran the implementation, and obtained the new security levels shown in red. Due to the limitations of our machines, we had to settle for suboptimal parameters; some additional implementation tricks, which are also quite interesting, can be found in the paper. We also estimated the security level for the best performance of our algorithm, supposing we had access to more memory. For example, with 240 gigabytes of memory, the medium challenge could be broken in 76 CPU days, and with 25 trillion bits of memory, the large challenge could be broken in nine CPU years. You can see there is a big gap between the claimed security and the new security level. There is also another attack, proposed by Cohn and Heninger, based on lattices; however, according to our estimates, their attack does not run very efficiently — it is even slower than naive enumeration — so it is not very practical. Now, this time/memory trade-off trick is useful in other areas of cryptanalysis as well, and here I will show four examples, in noisy factoring and in low-exponent RSA. In general, as long as the set S to be enumerated can be represented as the direct sum of two equal-sized sets U and V — that is, every element of S can be written as the sum of an element of U and an element of V — there is the possibility of applying our time/memory trade-off, lowering the cost of enumeration to roughly the square root of naive enumeration, by first constructing a polynomial from one set and then evaluating it on the other. In particular, S does not have to consist of consecutive numbers, as it did in the previous case, and this is why the trick finds numerous applications in other situations. Here is an example where S is not a set of consecutive numbers.
Consider a number N which is the product of two prime factors P and Q, and suppose that after, say, a side-channel attack, P is known except for k bits. We can enumerate 0 and 1 for each unknown bit of P, but this enumeration has structure, so we can decompose the enumeration set into the direct sum of two sets. In the first set, we enumerate 0 and 1 over half of the unknown bits, and in the second, over the remaining unknown bits. The search space thus decomposes into a direct sum, so we can build a polynomial from one set and evaluate it on the other. The final complexity is 2^(k/2), the square root of naive enumeration. And compared to Coppersmith's method, note that our unknown bits do not have to be consecutive: Coppersmith's method can also handle unknown bits, but those bits really have to be contiguous. There is a very similar example. Again N equals the product of P and Q, but this time, after, say, a fault attack, we have a P′ which differs from P in k bit positions, and we do not know which positions are flipped. In this case too, it is possible to decompose the enumeration space into the direct sum of two sets. We split P′ into two halves; for one set we choose k/2 flipped positions among the first n/2 bits, which gives C(n/2, k/2) choices, and the other set does the same on the second half. Using the time/memory trade-off trick, we can do this with complexity about the square root of C(n, k), which is almost the square root of naive enumeration.
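The first factoring variant (unknown bits at known positions) can be sketched like this — my own toy code with made-up parameters, again using naive quadratic polynomial arithmetic in place of the quasi-linear product-tree machinery:

```python
from itertools import product
from math import gcd

def noisy_factor(N, base, positions):
    """P equals `base` plus some subset of the bits at `positions`.
    V enumerates subsets of the low half of the positions, U of the
    high half, so every candidate is base + v + u (a direct sum).
    f(X) = prod_{v in V}((base + v) + X) mod N is built once, then
    evaluated at every u in U; one gcd over the product reveals P."""
    h = len(positions) // 2
    subsets = lambda pos: [sum(1 << p for p, b in zip(pos, bits) if b)
                           for bits in product([0, 1], repeat=len(pos))]
    V, U = subsets(positions[:h]), subsets(positions[h:])
    f = [1]                                   # coefficients mod N
    for v in V:
        c = (base + v) % N
        nf = [0] * (len(f) + 1)
        for j, a in enumerate(f):
            nf[j] = (nf[j] + a * c) % N
            nf[j + 1] = (nf[j + 1] + a) % N   # factor is (c + X)
        f = nf
    acc = 1
    for u in U:
        val = 0
        for a in reversed(f):                 # Horner's rule
            val = (val * u + a) % N
        acc = acc * val % N
    return gcd(N, acc)

# toy example: P = 10007 with bits 1, 2, 4, 8 unknown (base = 9729), Q = 10009
print(noisy_factor(10007 * 10009, 9729, [1, 2, 4, 8]))  # -> 10007
```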
Another application is to RSA signatures computed with the Chinese remainder theorem. If we know the message m, and we somehow obtain a faulty RSA signature s — by, for example, interfering with the signing procedure — then we can completely recover the key by computing gcd(s^e − m, N). In the original setting, we really need complete knowledge of the entire message m. But with our time/memory trade-off, we can also handle the case where m has k noisy bits — for example, this could be the case where m contains unknown padding bits. In that case, by decomposing into two direct-sum sets, we can do the enumeration at the cost of the square root of naive enumeration. There is also an application to message-recovery attacks. This happens when, after a fault attack on decryption, m is known except for k bits. As before, we decompose and evaluate, and the time/memory trade-off gives a very clear speed-up. To conclude, we can essentially take the square root of the running time of algebraic exhaustive search, which already gives a faster attack on a fully homomorphic encryption scheme, and it has other applications in cryptanalysis, like noisy factoring and low-exponent RSA. We can also ask further questions. Is the square root really the best running time possible for computing the product over consecutive numbers? Consecutive numbers seem to have structure; is it possible to do better than the square root? Are there more efficient attacks on approximate GCD — we saw other attacks, like the lattice-based one of Cohn and Heninger, but are there more efficient ones? And can we use more x_i's to speed up this attack? We use only x_0 and x_1; is it possible to use more of the x_i's to achieve a better attack? And there are more questions on the analysis of fully homomorphic encryption schemes.
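The underlying fault identity can be checked numerically. This is a toy demonstration with small, made-up primes (not real RSA sizes); the trade-off described above would replace the fully known m below with an enumeration of its unknown bits:

```python
from math import gcd

# toy parameters, assumed for illustration only
p, q = 10007, 10009
N, e = p * q, 65537
d = pow(e, -1, (p - 1) * (q - 1))
m = 424242

sp = pow(m, d % (p - 1), p)                 # correct mod-p half of the signature
sq = (pow(m, d % (q - 1), q) + 1) % q       # faulty mod-q half
# CRT recombination of the two halves into one signature
s = (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % N

print(gcd((pow(s, e, N) - m) % N, N))       # -> 10007: the fault leaks p
```

The point is that s^e ≡ m holds modulo p but not modulo q, so s^e − m is a nonzero multiple of p modulo N, and a single gcd extracts the factor.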
There is now a lot of work on fully homomorphic encryption schemes, but very little on attacks. However, if we really want to know how practical and how secure fully homomorphic encryption is, we need more work on attacks and on concrete parameters. That's all, and thank you very much. I'm waiting for your questions. So we have time for one question. No questions, so let's thank the speaker again.