# Jeffrey Hoffstein

Brown University · Department of Mathematics

## About

100 publications · 13,363 reads · 4,693 citations

## Publications


We obtain a first moment formula for Rankin–Selberg convolution L-series of holomorphic modular forms or Maass forms of arbitrary level on \(\mathrm{GL}(2)\), with an orthonormal basis of Maass forms. One consequence is the best result to date, uniform in level, spectral value and weight, for the equality of two Maass or holomorphic cusp fo...

We prove that there are infinitely many Maass--Hecke cuspforms over the field $\mathbb{Q}[\sqrt{-3}]$ such that the corresponding symmetric cube $L$-series does not vanish at the center of the critical strip. This is done by using a result of Ginzburg, Jiang and Rallis which shows that the symmetric cube non-vanishing happens if and only if a certa...

We met as a group during the Homomorphic Encryption Standardization Workshop on July 13–14, 2017, hosted at Microsoft Research in Redmond, and again during the second workshop on March 15–16, 2018 at MIT. Researchers from around the world represented government, industry, and academia. There are several research groups around the world who have mad...

In this paper we work over $\Gamma_0(N)$, for any $N$ and write the spectral moment of a product of two distinct Rankin-Selberg convolutions at a general point on the critical line $\frac{1}{2}+it$ as a main term plus a sharp error term in the $t$ aspect and the spectral aspect. As a result we obtain hybrid Weyl type subconvexity results in the $t$...

We obtain a first moment formula for Rankin-Selberg convolution $L$-series of holomorphic modular forms or Maass forms of arbitrary level on $GL(2)$, with an orthonormal basis of Maass forms. One consequence is the best result to date, uniform in level, spectral value and weight, for the equality of two Maass or holomorphic cusp forms if their Rank...

In a recent paper the authors and their collaborators proposed a new hard problem, called the finite field isomorphism problem, and they used it to construct a fully homomorphic encryption scheme. In this paper, we investigate how one might build a digital signature scheme from this new problem. Intuitively, the hidden field isomorphism allows us...

In this paper we revisit the modular lattice signature scheme and its efficient instantiation known as pqNTRUSign. First, we show that a modular lattice signature scheme can be based on a standard lattice problem. The fundamental problem that needs to be solved by the signer or a potential forger is recovering a lattice vector with a restricted nor...

In this paper, a conjecture of Mazur, Rubin and Stein concerning certain averages of modular symbols is proved. To cover levels that are important for elliptic curves, namely those that are not square-free, we establish results about L-functions with additive twists that are of independent interest.

In this paper, a conjecture of Mazur, Rubin and Stein concerning certain averages of modular symbols is proved.

We describe a method for generating parameter sets, and calculating security estimates, for NTRUEncrypt. Our security analyses consider lattice attacks, the hybrid attack, subfield attacks, and quantum search. Analyses are provided for the IEEE 1363.1-2008 product-form parameter sets, for the NTRU Challenge parameter sets, and for two new parameter...

A new hard problem in number theory, based on partial evaluation of certain classes of constrained polynomials, was introduced in Hoffstein et al. (Secure user identification based on constrained polynomials, 2000) and further refined in Hoffstein et al. (Polynomial rings and efficient public key authentication, 1999; Practical signatures from the...

We develop certain aspects of the theory of shifted multiple Dirichlet series
and study their meromorphic continuations. These continuations are used to
obtain explicit spectral first and second moments of Rankin-Selberg
convolutions. One consequence is a Weyl type estimate for the Rankin-Selberg
convolution of a holomorphic cusp form and a Maass f...

We introduce a class of lattice-based digital signature schemes based on modular properties of the coordinates of lattice vectors. We also suggest a method of making such schemes transcript secure via a rejection sampling technique of Lyubashevsky (2009). A particular instantiation of this approach is given, using NTRU lattices. Although the scheme...

The emphasis of this book has been on the mathematical underpinnings of public key cryptography. We have developed most of the mathematics from scratch and in sufficient depth to enable the reader to understand both the underlying mathematical principles and how they are applied in cryptographic constructions. Unfortunately, in achieving this lauda...

The Diffie–Hellman key exchange method and the Elgamal public key cryptosystem studied in Sects. 2.3 and 2.4 rely on the fact that it is easy to compute powers \(a^{n}\bmod p\), but difficult to recover the exponent n if you know only the values of a and \(a^{n}\bmod p\). An essential result that we used to analyze the security of Diffie–Hellman an...

Encryption schemes, whether symmetric or asymmetric, solve the problem of secure communications over an insecure network. Digital signatures solve a different problem,
analogous to the purpose of a pen-and-ink signature on a physical document. It is thus interesting that the tools used to construct digital signatures are very similar to the tools u...

The subject of elliptic curves encompasses a vast amount of mathematics. Our aim in this section is to summarize just enough of the basic theory for cryptographic applications. For additional reading, there are a number of survey articles and books devoted to elliptic curve cryptography [14, 68, 81, 135], and many others that describe the number th...

The security of all of the public key cryptosystems that we have previously studied has been based,
either directly or indirectly, on either the difficulty of factoring large numbers or the difficulty of finding discrete logarithms in a finite group. In this chapter we investigate a new type of hard problem arising in the theory of lattices that ca...

As Julius Caesar surveys the unfolding battle from his hilltop outpost, an exhausted and disheveled courier bursts into his presence and hands him a sheet of parchment containing gibberish:

In considering the usefulness and practicality of a cryptographic system, it is necessary to measure its resistance to various forms of attack. Such attacks include simple brute-force searches through the key or message space, somewhat faster searches via collision or meet-in-the-middle algorithms, and more sophisticated methods that are used to co...

In 1976, Whitfield Diffie and Martin Hellman published their now famous paper [38] entitled “New Directions in Cryptography.” In this paper they formulated the concept of a public key encryption system and made several groundbreaking contributions to this new field. A short time earlier, Ralph Merkle had independently isolated one of the fundamenta...

We present PASS$_{RS}$, a variant of the prior PASS and PASS-2 proposals, as a candidate for a practical post-quantum signature scheme. Its hardness is based on the problem of recovering a ring element with small norm from an incomplete description of its Chinese remainder representation. For our particular instantiation, this corresponds to the recov...

This self-contained introduction to modern cryptography emphasizes the mathematics behind the theory of public key cryptosystems and digital signature schemes. The book focuses on these key topics while developing the mathematical tools needed for the construction and security analysis of diverse cryptosystems. Only basic linear algebra is required...

This article focuses on the theta series on the 6-fold cover of GL$_2$. We
investigate the Fourier coefficients $\tau(r)$ of the theta series, and give
partially proven, partially conjectured values for $\tau(\pi)^2$, $\tau(\pi^2)$
and $\tau(\pi^4)$ for prime values $\pi$.

We obtain a second moment formula for the L-series of holomorphic cusp forms,
averaged over twists by Dirichlet characters modulo a fixed conductor Q. The
estimate obtained has no restrictions on Q, with an error term that has a close
to optimal power savings in the exponent. However, one of the contributions to
the main term is a special value of...

This article gives an introduction to the multiple Dirichlet series arising from sums of twisted automorphic L-functions. We begin by explaining how such series arise from Rankin-Selberg constructions. Then more recent work, using Hartogs' continuation principle as extended by Bochner in place of such constructions, is described. Applications to t...

We define, and obtain the meromorphic continuation of, shifted Rankin-Selberg
convolutions in one and two variables. This continuation is used to obtain a
Burgess-type bound for L-series associated to modular forms of arbitrary
central character, independent of progress toward the Ramanujan-Petersson
conjecture.

Generalized theta functions are residues of metaplectic Eisenstein series. Even in the case of the n-fold cover of GL(2), the Fourier coefficients of these mysterious functions have not been determined beyond n = 3. However, a conjecture of Patterson illuminates the case n = 4. In this paper, we make a new conjecture concerning the Fourier coeffici...

This is a companion piece to [2], to be published on the World Wide Web. It consists of two articles. • The first article, on the Kubota symbol, gives a construction from scratch for the Kubota symbol of degree n on GL(3). • The second article is a longer version of Section 1 of [2], containing proofs that were shortened for publication. This work...

We establish a link between certain Whittaker coefficients of the generalized metaplectic theta functions, first studied by Kazhdan and Patterson [14], and the coefficients of the stable Weyl group multiple Dirichlet series defined in [3]. The generalized theta functions are the residues of Eisenstein series on a metaplectic n-fold cover of the gen...

We provide a brief history and overview of lattice based cryptography and cryptanalysis: shortest vector problems, closest
vector problems, subset sum problem and knapsack systems, GGH, Ajtai-Dwork and NTRU. A detailed discussion of the algorithms
NTRUEncrypt and NTRUSign follows. These algorithms have attractive operating speed and keysize and are...

We show that a cuspidal normalized Hecke eigenform g of level one and even weight is uniquely determined by the central values of the family of Rankin–Selberg L-functions $L(s, f\otimes g)$, where f runs over the Hecke basis of the space of cusp forms of level one and weight k with k varying over an infinite set of even integers.

We present the new NTRUEncrypt parameter generation algorithm, which is designed to be secure in light of recent attacks that
combine lattice reduction and meet-in-the-middle (MITM) techniques. The parameters generated from our algorithm have been
submitted to several standard bodies and are presented at the end of the paper.

Weyl group multiple Dirichlet series were associated with a root system Φ and a number field F containing the n-th roots of unity by Brubaker, Bump, Chinta, Friedberg and Hoffstein [3] and Brubaker, Bump and Friedberg [4] provided n is sufficiently large; their coefficients involve n-th order Gauss sums. The case where n is small is harder, and is...

Given a root system Φ of rank r and a global field F containing the n-th roots of unity, it is possible to define a Weyl group multiple Dirichlet series whose coefficients are n-th order Gauss sums. It is a function of r complex variables, and it has meromorphic continuation to all of $\mathbb{C}^r$, with functional equations forming a group isomorphic to th...

Let $K=\mathbb{Q}(\sqrt{-3})$ and let $GL(2,\mathbb{A}_K)$. Consider the family of twisted L-functions L(s, $\gg X^{1/2-\epsilon}$. These results are obtained by introducing and studying three different families of weighted double Dirichlet series. These series are related by functional equations, some of whi...

Let n 2, let F be a global field containing a full set of n-th roots of unity, and let be an isobaric automorphic representation of GLr(AF). We establish asymptotic estimates for the sum of the n-th order twisted L-functions of , L(s, ), for s such that Re(s) > max(1 1/r,1/2) if n = 2 and Re(s) > 1 1/(r + 1) if n > 2. As an application we establish...

This report explicitly refutes the analysis behind a recent claim that NTRUEncrypt has a bit security of at most 74 bits. We also sum up some existing literature on NTRU and lattices, in order to help explain what should and what should not be classed as an improved attack against the hard problem underlying NTRUEncrypt. We also show a connection...

4. This allows a reduction in the size of the public key, while maintaining the security of the key against lattice attacks. This increased lattice security is combined with the use of trinary form for private keys, which increases the possible combinatorial security for a given key size. 2. We note that the structure of signatures in the transpose...

Let π be a cuspidal automorphic representation of . Given any prime integer n, suppose there exists a single nonvanishing nth-order twist of the L-series associated to π at the center of the critical strip. We use the method of multiple Dirichlet series to establish that
there exist infinitely many such nonvanishing nth-order twists of the L-series...

this paper we present a complementary fast authentication and digital signature scheme, which we call NtruSign, based on the same underlying hard problem in the same lattices used by NTRU. Henceforth the original NTRU public key encryption/decryption algorithm will be referred to as NtruEncrypt
NOTE, 2013-11: The signature scheme described in this...

Let n3 be a fixed integer and let F be a global field containing the n-th roots of unity. In this paper we study the collective behavior of the n-th order twists of a fixed Hecke L-series for F. To do so, we introduce a double Dirichlet series in two complex variables (s, w) which is a weighted sum of the twists, and obtain its meromorphic continua...

There are many cryptographic constructions in which one uses a random power or multiple of an element in a group or a ring. We describe a fast method to compute random powers and multiples in certain important situations including powers in the Galois field , multiples on Koblitz elliptic curves, and multiples in NTRU convolution polynomial rings....

This paper develops an analytic theory of Dirichlet series in several complex variables which possess sufficiently many functional equations. In the first two sections it is shown how straightforward conjectures about the meromorphic continuation and polar divisors of certain such series imply, as a consequence, precise asymptotics (previously conj...

A new authentication and digital signature scheme called the NTRU Signature Scheme (NSS) is introduced. NSS provides an authentication/signature method complementary to the NTRU public key cryptosystem. The hard lattice problem underlying NSS is similar to the hard problem underlying NTRU, and NSS similarly features high speed, low footprint, a...

We describe an implementation of the PASS polynomial authentication and signature scheme (5, 6) that is suitable for use in highly constrained environments such as SmartCards and Wireless Applications. The algorithm underlying the PASS scheme, as described in (5, 6), already features high speed and a small footprint, and these are further enhan...

In this note we describe a variety of methods that may be used to increase the speed and efficiency of the NTRU public key cryptosystem.

We develop some of the theory of automorphic forms in the function field setting. As an application, we find formulas for the number of ways a polynomial over a finite field can be written as a sum of k squares, k⩾2. As a consequence, we show every polynomial can be written as a sum of 4 squares. We also show, as in the classical case, that these r...

this paper is to submit the NTRU public key cryptosystem for consideration for inclusion into the P1363A standard. NTRU was originally presented by Jeffrey Hoffstein in the rump session at CRYPTO '96, and was published in [HPS] in 1998. Since that time, NTRU Cryptosystems, Inc. has issued a number of technical reports. In some cases, these reports...

A new "hard problem" in number theory, based on partial evaluation of certain classes of constrained polynomials, was proposed in [5]. In this paper we present a highly efficient public key authentication scheme based on a combination of this problem and a more traditional factorization problem. We call this scheme PASS for Polynomial Authenticatio...

We describe NTRU, a new public key cryptosystem. NTRU features reasonably short, easily created keys, high speed, and low memory requirements. NTRU encryption and decryption use a mixing system suggested by polynomial algebra combined with a clustering principle based on elementary probability theory. The security of the NTRU cryptosystem comes f...

Multiple NTRU encryptions of a single message using a single key may compromise the security of the message. In this report we analyze this situation and describe scrambling techniques which allow secure multiple transmissions of a single message. As observed in [1, §3.3], if a single message is encrypted multiple times using a single NTRU publi...


A basic idea of Dirichlet is to study a collection of interesting quantities $\{a_n\}_{n\ge 1}$ by means of its Dirichlet series in a complex variable $w$: $\sum_{n\ge 1} a_n n^{-w}$. In this paper we examine this construction when the quantities $a_n$ are themselves infinite series in a second complex variable $s$, arising from number theory or representation theory. We survey a body o...

Following earlier work of Kubota and Mennicke, the major work of Bass, Milnor and Serre [1] constructed characters of congruence subgroups of the modular subgroups of SL(n) and Sp(2n) over a totally complex number field, which are related to the power residue symbol. They do not obtain the lowest possible level of these Kubota characters, nor does...

1. A brief history of nonvanishing theorems. The nonvanishing of a Dirichlet series $\sum a(n)n^{-s}$, or the existence of a pole, at a particular value of s often has applications to arithmetic. Euler gave the first example of this, showing that the infinitude of the primes follows from the pole of $\zeta(s)$ at s = 1. A deep refinement was given by Dirichlet, w...

Let $k$ be a number field of degree $n$ and let $D_k$ denote the absolute value of the discriminant of $k$. We let $\kappa_k$ denote the residue of $\zeta_k(s)$, the zeta function of $k$, at $s = 1$. In most applications, $\kappa_k$ is estimated from above by first estimating $\zeta_k(\sigma)$ where $\sigma$ is real and greater than 1. Usually, $\zeta_k(\sigma)$ is bounded above by $\zeta(\sigma)^n$, where $\zeta(s)$ is the...