A History of Lattice-Based Encryption (in order of increasing efficiency)


  1. A History of Lattice-Based Encryption (in order of increasing efficiency)
     Vadim Lyubashevsky, INRIA / ENS, Paris
     Lattice-Based Crypto & Applications 1, Bar-Ilan University, Israel 2012

  2. Lattice-Based Encryption Schemes
     1. NTRU [Hoffstein, Pipher, Silverman '98]
     2. LWE-Based [Regev '05]
     3. Ring-LWE Based [L, Peikert, Regev '10]
     4. "NTRU-like" with a proof of security [Stehle, Steinfeld '11]

  3. Subset Sum Problem
     • Subset-Sum Based [L, Palacio, Segev '10]
     • LWE-Based [Regev '05]
     • Ring-LWE Based [L, Peikert, Regev '10]
     • "NTRU-like" with a proof of security [Stehle, Steinfeld '11]
     • NTRU [Hoffstein, Pipher, Silverman '98]

  4. THE SUBSET SUM PROBLEM

  5. Subset Sum Problem
     • a_i, T in Z_M
     • a_i are chosen randomly
     • T is a sum of a random subset of the a_i
       a_1  a_2  a_3  …  a_n      T
     Find a subset of the a_i's that sums to T (mod M)

  6. Subset Sum Problem
     • a_i, T in Z_49
     • a_i are chosen randomly
     • T is a sum of a random subset of the a_i
       15  31  24  3  14      11
     15 + 31 + 14 = 11 (mod 49)

  7. How Hard is Subset Sum?
     a_i, T in Z_M
       a_1  a_2  a_3  …  a_n      T
     Find a subset of the a_i's that sums to T (mod M)
     Hardness depends on:
     • Size of n and M
     • Relationship between n and M

  8. Complexity of Solving Subset Sum
     M:         2^{log²(n)}                     2^n  …  2^{n log(n)}      2^{n²}
     run-time:  poly(n)                         2^{Ω(n)}                  poly(n)
                "generalized birthday attacks"                            "lattice reduction attacks"
                [FlaPrz05, Lyu06, Sha08]                                  [LagOdl85, Fri86]

  9. Subset Sum Crypto
     • Why?
       • simple operations
       • exponential hardness
       • very different from number theoretic assumptions
       • resists quantum attacks

  10. Subset Sum is "Pseudorandom"
     [Impagliazzo-Naor 1989]: For random a_1, ..., a_n in Z_M and random x_1, ..., x_n in {0,1}, distinguishing the distribution
       (a_1, ..., a_n, a_1 x_1 + ... + a_n x_n mod M)
     from the uniform distribution U(Z_M^{n+1}) is as hard as finding x_1, ..., x_n

  11. What About Public-Key Encryption?
     • Many early attempts
     • None of them had proofs of security
     • All seem to be broken

  12. Merkle-Hellman Cryptosystem
     • a_1, ..., a_n are super-increasing (a_j > a_1 + ... + a_{j-1}): knowing a_1, ..., a_n and a_1 x_1 + ... + a_n x_n, we can recover all the x_i
     • Secret key: super-increasing a_1, ..., a_n, and M > a_1 + ... + a_n, and r such that gcd(r, M) = 1
     • Public key: w_i = r·a_i mod M
     • Encrypt(x_1, ..., x_n) = w_1 x_1 + ... + w_n x_n = r(a_1 x_1 + ... + a_n x_n)
     • Decrypt(T): compute r^{-1}·T mod M and recover all x_i

  13. Merkle-Hellman Cryptosystem
     • a_1, ..., a_n are super-increasing (a_j > a_1 + ... + a_{j-1}): knowing a_1, ..., a_n and a_1 x_1 + ... + a_n x_n, we can recover all the x_i
     • Secret key: super-increasing a_1, ..., a_n, and M > a_1 + ... + a_n, and r such that gcd(r, M) = 1
     • Public key: w_i = r·a_i mod M      ← Not Random!! (was exploited in attacks)
     • Encrypt(x_1, ..., x_n) = w_1 x_1 + ... + w_n x_n = r(a_1 x_1 + ... + a_n x_n)
     • Decrypt(T): compute r^{-1}·T mod M and recover all x_i
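The key generation, encryption and greedy decryption of slides 12-13, as an added Python example (not code from the slides); the parameter n = 8 and the size of the random a_j increments are illustrative choices, and only the legitimate operations are shown.

```python
import math
import random

# Added example: toy Merkle-Hellman knapsack cryptosystem as defined on the slide.
# The increment range 2**n is an arbitrary choice; any positive values that keep
# the sequence super-increasing and M > a_1 + ... + a_n would do.

def keygen(n: int = 8, rng: random.Random = None):
    """Return ((a, M, r), w): secret super-increasing a_1..a_n, modulus M,
    multiplier r with gcd(r, M) = 1, and public key w_i = r * a_i mod M."""
    rng = rng or random
    a, total = [], 0
    for _ in range(n):
        a_j = total + rng.randint(1, 2 ** n)   # a_j > a_1 + ... + a_{j-1}
        a.append(a_j)
        total += a_j
    M = total + rng.randint(1, 2 ** n)         # M > a_1 + ... + a_n
    while True:
        r = rng.randrange(2, M)
        if math.gcd(r, M) == 1:
            break
    w = [(r * a_i) % M for a_i in a]           # public key: not uniform in Z_M
    return (a, M, r), w

def encrypt(w: list, bits: list) -> int:
    """Encrypt(x_1..x_n) = w_1 x_1 + ... + w_n x_n (a plain integer sum)."""
    assert len(w) == len(bits) and all(b in (0, 1) for b in bits)
    return sum(w_i * x_i for w_i, x_i in zip(w, bits))

def decrypt(sk: tuple, T: int) -> list:
    """S = r^-1 * T mod M equals a_1 x_1 + ... + a_n x_n exactly (no wrap-around,
    since the sum is below M).  Super-increasing a_i are then peeled off greedily:
    a_i is in the subset iff S >= a_i, starting from the largest."""
    a, M, r = sk
    S = (pow(r, -1, M) * T) % M
    bits = [0] * len(a)
    for i in reversed(range(len(a))):
        if S >= a[i]:
            bits[i] = 1
            S -= a[i]
    assert S == 0, "not a valid ciphertext"
    return bits

def roundtrip(bits: list, seed: int = 7) -> bool:
    """Generate a key from a fixed seed and check Decrypt(Encrypt(bits)) == bits."""
    sk, pk = keygen(len(bits), random.Random(seed))
    return decrypt(sk, encrypt(pk, bits)) == bits
```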

  14. CRYPTOSYSTEM BASED ON SUBSET SUM [L, PALACIO, SEGEV 2010]

  15. Subset Sum Cryptosystem
     • Semantically secure based on Subset Sum for M ≈ n^n
     • Main tools:
       • Subset sum is pseudo-random
       • Addition in (Z_q)^n is "kind of like" addition in Z_M where M = q^n
     • The proof is very simple

  16. Facts About Addition
     Want to add 4679 + 3907 + 8465 + 1343 mod 10^4

       carries:  2 1 2
                 4 6 7 9                    4 6 7 9
                 3 9 0 7                    3 9 0 7
                 8 4 6 5                    8 4 6 5
               + 1 3 4 3                  + 1 3 4 3
               ---------                  ---------
                 8 3 9 4                    6 2 7 4
       adding with carries (i.e. in Z_M)    adding without carries (i.e. in (Z_q)^n)

     • Adding n numbers (written in base q) modulo q^m → carries < n
     • If q >> n, then adding with carries ≈ adding without carries
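The two additions on this slide (in Z_{q^m} with carries and in (Z_q)^m without), as an added Python example that is not from the slides; it also returns the carry into each column so the bound "carries < n" and the relation with-carries = without-carries + carries (mod q) can be checked directly.

```python
# Added example: base-q addition with and without carry propagation.
# Numbers are represented by their m base-q digits, most significant first.

def digits(x: int, q: int, m: int) -> list:
    """Base-q digits of x, most significant first, padded/truncated to m digits."""
    return [(x // q ** (m - 1 - i)) % q for i in range(m)]

def add_without_carries(nums: list, q: int, m: int) -> list:
    """Column-wise sum mod q: addition in (Z_q)^m, no carry propagation."""
    cols = [digits(x, q, m) for x in nums]
    return [sum(col) % q for col in zip(*cols)]

def add_with_carries(nums: list, q: int, m: int) -> tuple:
    """Schoolbook addition modulo q^m (addition in Z_M, M = q^m).
    Returns (result digits, carry arriving into each column)."""
    cols = [digits(x, q, m) for x in nums]
    result, carries = [0] * m, [0] * m
    carry = 0
    for i in reversed(range(m)):           # least significant column first
        carries[i] = carry                 # the carry that enters column i
        total = sum(col[i] for col in cols) + carry
        result[i] = total % q
        carry = total // q                 # at most n*(q-1)+carry < n*q, so carry < n
    return result, carries                 # final carry out of column 0 is dropped (mod q^m)

def carry_identity_holds(nums: list, q: int, m: int) -> bool:
    """Check the slide's claim column by column: with[i] = (without[i] + carry_in[i]) mod q,
    and every carry is smaller than the number of summands n."""
    with_c, carries = add_with_carries(nums, q, m)
    without = add_without_carries(nums, q, m)
    columns_match = all((w + c) % q == r for w, c, r in zip(without, carries, with_c))
    return columns_match and max(carries) < len(nums)
```

With q = 10 and n = 4 the carries (2, 1, 2) are a large fraction of q, so the two results 8394 and 6274 differ a lot; with q = 1000 the same identity holds but the carries are tiny relative to q, which is the "q >> n" regime the slide relies on.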

  17. So...
     Pick the subset with selector bits 1 1 0 1 (rows 4679, 3907, 8465, 1643):

       carries:  2 1 1 0
             1   4 6 7 9                    1   4 6 7 9
             1   3 9 0 7                    1   3 9 0 7
             0   8 4 6 5                    0   8 4 6 5
             1 + 1 6 4 3                    1 + 1 6 4 3
               ---------                      ---------
                 0 2 2 9                        8 1 1 9
       Pseudorandom based on Subset Sum!    NOT Pseudorandom!

  18. Column Subset Sum Addition Is Also Pseudorandom
     (Slide figure: the same rows 4679, 3907, 8465, 1643, each column now added with its own {0,1} selector vector, without carries.)

  19. "Hybrid" Subset Sum Addition Is Also Pseudorandom
     (Slide figure: the rows 4679, 3907, 8465, 1643 added with a mix of the two selection patterns from the previous slides; the result is pseudorandom.)

  20. Encryption Scheme
     Public key: A ∈ Z_q^{n×n} and t = A·s + (carries), with secret s ∈ {0,1}^n
     Ciphertext:  u = r·A + (carries),  v = r·t + (carries), with r ∈ {0,1}^n

  21. Encryption Scheme
     t = A·s + (carries);  u = r·A + (carries),  v = r·t + (carries)
     Each of these is pseudo-random based on the hardness of the subset sum problem

  22. Encryption Scheme
     v = r·t + (carries) = r·(A·s + (carries)) + (carries)

  23. Encryption Scheme
     u·s = (r·A + (carries))·s ≈ r·A·s
     v   = r·(A·s + (carries)) + (carries) ≈ r·A·s
     so v ≈ u·s

  24. Encryption Scheme
     Encryption of 0: (u, v) with v − u·s = small

  25. Encryption Scheme
     Encryption of 1: (u, v') with v' = v + q/2, so v' − u·s = small + q/2

  26. CRYPTOSYSTEM BASED ON LWE [REGEV 2005]

  27. Encryption Scheme (what we needed)
     t = A·s + "small",  u = r·A + "small",  v = r·t + "small"
     All that the scheme needs is that the added terms are "small" and that the results are pseudorandom

  28. Picking the "Carries"
     • In Subset Sum: carries were deterministic
     • What if … we pick the "carries" at random from some distribution?

  29. So...
     Selector bits 1 1 0 1 on rows 4679, 3907, 8465, 1643:
     • with the deterministic carries 2 1 1 0 the result is 0 2 2 9 → pseudorandom based on Subset Sum
     • with "carries" picked at random instead → pseudorandom based on LWE [Reg '05]
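The bit-encryption scheme drawn on slides 20-25, with the carry terms replaced by small random errors as slide 28 proposes (the LWE variant), as an added Python example that is not from the slides. The parameters n = 16, q = 257 and the error range {-1, 0, 1} are illustrative choices made so that decryption is always correct: the noise r·e + e2 − e1·s has absolute value at most 2n + 1 = 33 < q/4.

```python
import random

# Added example: Regev-style LWE encryption of one bit in the shape of the slides.
# Illustrative parameters (assumed, not from the deck).
N, Q = 16, 257

def small(rng, n):  return [rng.randint(-1, 1) for _ in range(n)]   # random "carries"
def bits(rng, n):   return [rng.randint(0, 1) for _ in range(n)]
def dot(a, b, q):   return sum(x * y for x, y in zip(a, b)) % q

def keygen(rng):
    """Public key (A, t = A.s + e) with A uniform in Z_q^{n x n}; secret s in {0,1}^n."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s = bits(rng, N)
    e = small(rng, N)
    t = [(dot(row, s, Q) + e_i) % Q for row, e_i in zip(A, e)]
    return (A, t), s

def encrypt(pk, bit, rng):
    """u = r.A + e1 (a row vector), v = r.t + e2 + bit*q/2, with r in {0,1}^n."""
    A, t = pk
    r = bits(rng, N)
    e1, e2 = small(rng, N), rng.randint(-1, 1)
    u = [(sum(r[i] * A[i][j] for i in range(N)) + e1[j]) % Q for j in range(N)]
    v = (dot(r, t, Q) + e2 + bit * (Q // 2)) % Q
    return u, v

def decrypt(sk, ct):
    """v - u.s = r.e + e2 - e1.s + bit*q/2: small for a 0, small plus q/2 for a 1."""
    u, v = ct
    d = (v - dot(u, sk, Q)) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def roundtrip(seed=1, trials=50):
    """Key-generate once from a seed, then encrypt and decrypt random bits;
    True iff every bit comes back unchanged."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return all(decrypt(sk, encrypt(pk, b, rng)) == b for b in bits(rng, trials))
```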

  30. LWE vs. Subset Sum
     • The Subset Sum assumption has "deterministic noise"
     • The LWE assumption is more "versatile"
     LWE Problem:  A·s + e = b, where A has rows a_1, a_2, ..., a_m, s is the secret and e is a small error vector

  31. LWE vs. Subset Sum
     • The Subset Sum assumption has "deterministic noise"
     • The LWE assumption is more "versatile"
     Subset Sum Problem:  (a_1 a_2 … a_n)·s + (carries) = b, with s ∈ {0,1}^n

  32. LWE / Subset Sum Encryption
     t = A·s + (small),  u = r·A + (small),  v = r·t + (small)

     n-bit Encryption        Have              Want
     Public Key Size         Õ(n) / Õ(n²)      O(n)
     Secret Key Size         Õ(n) / Õ(n²)      O(n)
     Ciphertext Expansion    Õ(n) / Õ(1)       O(1)
     Encryption Time         Õ(n³) / Õ(n²)     O(n)
     Decryption Time         Õ(n²)             O(n)

  33. CRYPTOSYSTEM BASED ON RING-LWE [L, PEIKERT, REGEV 2010]

  34. Source of Inefficiency of LWE
     • Getting just one extra random-looking number requires n random numbers and a small error element.
     • Wishful thinking: get n random numbers and produce n pseudo-random numbers in "one shot"

  35. Use Polynomials
     • f(x) is a polynomial x^n + a_{n-1} x^{n-1} + … + a_1 x + a_0
     • R = Z_p[x]/(f(x)) is a polynomial ring with
       • Addition mod p
       • Polynomial multiplication mod p and f(x)
     • Each element of R consists of n elements in Z_p
     • In R:
       • small + small = small
       • small * small = small (depending on f(x))
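Arithmetic in R = Z_p[x]/(f(x)) for the specific choice f(x) = x^n + 1 (an assumption; the slide leaves f general), as an added Python example not from the slides. It shows why "small * small = small" depends on f: for x^n + 1 the reduction only negates the wrapped coefficients, so every product coefficient is a sum of at most n terms and its size is bounded by n·|a|·|b|.

```python
# Added example: the ring Z_p[x]/(x^n + 1).  A ring element is a list of n
# coefficients in Z_p, c[i] being the coefficient of x^i.

def add(a: list, b: list, p: int) -> list:
    """Coefficient-wise addition mod p (addition in R)."""
    return [(x + y) % p for x, y in zip(a, b)]

def mul(a: list, b: list, p: int) -> list:
    """Multiply in Z[x], then reduce mod x^n + 1 and mod p."""
    n = len(a)
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    # x^n = -1, so x^(n+k) = -x^k: the upper half folds into the lower half negated.
    return [(prod[i] - (prod[i + n] if i + n < len(prod) else 0)) % p for i in range(n)]

def centered(c: int, p: int) -> int:
    """Representative of c in (-p/2, p/2]; 'small' means small absolute value."""
    return c - p if c > p // 2 else c

def infinity_norm(a: list, p: int) -> int:
    return max(abs(centered(c, p)) for c in a)

def small_times_small_bound(a: list, b: list, p: int) -> tuple:
    """Return (|a*b|, n*|a|*|b|).  For f = x^n + 1 and n*|a|*|b| < p/2 the
    first never exceeds the second, which is the 'small * small = small' fact."""
    n = len(a)
    return infinity_norm(mul(a, b, p), p), n * infinity_norm(a, p) * infinity_norm(b, p)
```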
