all along the ring tower
play

All Along the Ring Tower Algebraic Structures for Fun and Profit - PowerPoint PPT Presentation

Jul 17, 2023 •209 likes •635 views

All Along the Ring Tower Algebraic Structures for Fun and Profit Thomas Prest joint work w/ {Lo Ducas} {Thomas Pornin} {Lo Ducas, Steven Galbraith, Yang Yu} RISC PROMETHEUS Seminar, 03/05/2019 Introducon I Three Case Studies

  1. All Along the Ring Tower Algebraic Structures for Fun and Profit Thomas Prest joint work w/ {Léo Ducas} ∪ {Thomas Pornin} ∪ {Léo Ducas, Steven Galbraith, Yang Yu} RISC × PROMETHEUS Seminar, 03/05/2019

  2. Introduc�on I Three Case Studies II Generalized Bézout Equa�ons i Generalized Four Square Theorem ii iii Efficient La�ce Decoding III Conclusion 2 / 21

  3. Rings in La�ce-Based Cryptography It is typical in la�ce-based cryptography to use matrices with coefficients in Z q [ x ] / ( x d + 1 ) rather than Z q : Communica�on costs typically go O ( d 2 ) ⇒ O ( d ) 1 2 Computa�on costs typically go O ( d 2 ) ⇒ O ( d log d ) But in some situa�ons this addi�onal structure seems ineffec�ve: 1 Matrix decomposi�on (Cholesky, Gram-Schmidt, etc.) Solving equa�ons in a ring which is not a field (e.g. Z [ x ] / ( x d + 1 ) ) 2 Algorithms can take �me up to Θ ( d 2 ) or Θ ( d 3 ) . 3 / 21

  4. The State of Affairs What naïve solu�ons do: View Q [ x ] / ( x d + 1 ) as either a Q -linear space of dimension d , an 1 extension field of Q of degree d , etc. 2 This ignores the rich structure of cyclotomic rings and fields. What happens when we open the black box? 4 / 21

  5. Cyclotomic Fields - Opening the Black Box For d a power-of-two, we note: ➳ Q d = Q [ x ] / ( x d + 1 ) the d -th cyclotomic field ➳ Z d = Z [ x ] / ( x d + 1 ) the d -th cyclotomic ring We have this tower of fields: Q ⊊ Q 2 ⊊ · · · ⊆ Q d / 2 ⊊ Q d As well as this chain of isomorphisms: Q d ∼ = ( Q 2 ) d / 2 ∼ = ( Q d / 2 ) 2 ∼ = . . . ∼ = Q d At a high level: ➳ The field norm and field trace allows to move in the tower of fields ➳ Ring isomorphisms allow us to move in the chain of ring isomorphisms 5 / 21

  6. Traces and Norms in Cyclotomic Fields Defini�on: For a (finite) field extension L / K : ➳ The field trace is: ➳ The field norm is: Tr L / K : L → K N L / K : L → K ∑ ∏ f �→ σ ( f ) f �→ σ ( f ) σ ∈ Gal ( L / K ) σ ∈ Gal ( L / K ) Concretely: if f ( x ) = f e ( x 2 ) + x · f o ( x 2 ) ∈ Q d , then f × ( x ) = f ( − x ) and: ➳ Tr Q d / Q d / 2 ( f ) = f + f × ➳ N Q d / Q d / 2 ( f ) = f · f × = 2 · f e ( x 2 ) = f 2 e ( x 2 ) − x 2 f 2 o ( x 2 ) Composi�on proper�es: ➳ Tr L / K ◦ Tr M / L = Tr M / K ➳ N L / K ◦ N M / L = N M / K Homomorphic proper�es: ➳ Tr L / K ( a + b ) = Tr L / K ( a )+ Tr L / K ( b ) ➳ N L / K ( a · b ) = N L / K ( a ) · N L / K ( b ) 6 / 21

  7. Introduc�on I Three Case Studies II Generalized Bézout Equa�ons i Generalized Four Square Theorem ii iii Efficient La�ce Decoding III Conclusion 7 / 21

  8. g f However, some schemes require a full trapdoor B : G F Hash-then-sign [PFH 17], IBE [DLP14], HIBE [CG17] More generally, anything based on trapdoor sampling [GPV08] x d x d Problem: Given f g x 1 , find F G x 1 such that: f G g F q Problem 1 - Comple�ng NTRU Bases NTRU La�ces: ➳ Prevalent in la�ce-based crypto [ 1 , for h = g × f − 1 mod ( φ , q ) . h ] ➳ Public key is A = ➳ Private key is B such that B × A t = 0 mod ( φ , q ) [ g − f ] Some schemes only require a par�al trapdoor B = : ➳ Fiat-Shamir [ZCHW17], encryp�on [SHRS17], FHE [LTV12, BLLN13] 8 / 21

  9. x d x d Problem: Given f g x 1 , find F G x 1 such that: f G g F q Problem 1 - Comple�ng NTRU Bases NTRU La�ces: ➳ Prevalent in la�ce-based crypto [ 1 , for h = g × f − 1 mod ( φ , q ) . h ] ➳ Public key is A = ➳ Private key is B such that B × A t = 0 mod ( φ , q ) [ g − f ] Some schemes only require a par�al trapdoor B = : ➳ Fiat-Shamir [ZCHW17], encryp�on [SHRS17], FHE [LTV12, BLLN13] [ g ] − f However, some schemes require a full trapdoor B = : G − F ➳ Hash-then-sign [PFH + 17], IBE [DLP14], HIBE [CG17] ➳ More generally, anything based on trapdoor sampling [GPV08] 8 / 21

  10. Problem 1 - Comple�ng NTRU Bases NTRU La�ces: ➳ Prevalent in la�ce-based crypto [ 1 , for h = g × f − 1 mod ( φ , q ) . h ] ➳ Public key is A = ➳ Private key is B such that B × A t = 0 mod ( φ , q ) [ g − f ] Some schemes only require a par�al trapdoor B = : ➳ Fiat-Shamir [ZCHW17], encryp�on [SHRS17], FHE [LTV12, BLLN13] [ g ] − f However, some schemes require a full trapdoor B = : G − F ➳ Hash-then-sign [PFH + 17], IBE [DLP14], HIBE [CG17] ➳ More generally, anything based on trapdoor sampling [GPV08] Problem: Given f , g ∈ Z [ x ] / ( x d + 1 ) , find F , G ∈ Z [ x ] / ( x d + 1 ) such that: f · G − g · F = q 8 / 21

  11. Fun fact If we can solve the problem projected over Z d / 2 , i.e.: N Z d / Z d / 2 ( f ) · G ′ − N Z d / Z d / 2 ( g ) · F ′ = 1 for some F ′ , G ′ , then we have this rela�onship over Z d : f · ( f × G ′ ) − g · ( g × F ′ ) = 1 This leads to a simple algorithm: 1 Project 2 Solve 3 Li� 9 / 21

  12. F G F 1 G 1 N d 2 f N d 2 g d d F 2 G 2 N d 4 f N d 4 g d d . . . . . . . . . N f N g F G d d At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ⊊ Z d / 2 ⊊ Z d / 4 ⊊ . . . ⊊ Z 10 / 21

  13. F G F 1 G 1 F 2 G 2 N d 4 f N d 4 g d d . . . . . . . . . N f N g F G d d At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ⊊ Z d / 4 ⊊ . . . ⊊ Z 10 / 21

  14. F G F 1 G 1 F 2 G 2 . . . . . . . . . N f N g F G d d At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ⊊ . . . ⊊ Z 10 / 21

  15. F G F 1 G 1 F 2 G 2 . . . N f N g F G d d At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ↓ ⊊ . . . . . . . . . ⊊ Z 10 / 21

  16. F G F 1 G 1 F 2 G 2 . . . F G At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ↓ ⊊ . . . . . . . . . ↓ ⊊ N Z d / Z ( f ) , N Z d / Z ( g ) ∋ Z 10 / 21

  17. F G F 1 G 1 F 2 G 2 . . . At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ↓ ⊊ . . . . . . . . . ↓ ⊊ N Z d / Z ( f ) , N Z d / Z ( g ) F [ ℓ ] , G [ ℓ ] ∋ → Z 10 / 21

  18. F G F 1 G 1 F 2 G 2 At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ ↓ ⊊ . . . . . . . . . . . . ↓ ↑ ⊊ N Z d / Z ( f ) , N Z d / Z ( g ) F [ ℓ ] , G [ ℓ ] ∋ → Z 10 / 21

  19. F G F 1 G 1 At each lower level: The coefficients grow (in bitsize) by a factor 2... ... but the number of coefficients is divided by 2. Space-saving trick: recompute lazily N i f N i g at each step Allows a linear �me-memory trade-off by a factor log n Outline of the Solver f , g Z d ∋ ↓ ⊊ N Z d / Z d / 2 ( f ) , N Z d / Z d / 2 ( g ) Z d / 2 ∋ ↓ ⊊ F [ 2 ] , G [ 2 ] N Z d / Z d / 4 ( f ) , N Z d / Z d / 4 ( g ) Z d / 4 ∋ → ↓ ↑ ⊊ . . . . . . . . . . . . ↓ ↑ ⊊ N Z d / Z ( f ) , N Z d / Z ( g ) F [ ℓ ] , G [ ℓ ] ∋ → Z 10 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tower & Tower & Tower & Tower & Ashbourne Ashbourne Ashbourne Ashbourne

Tower & Tower & Tower & Tower & Ashbourne Ashbourne Ashbourne Ashbourne

Tower & Tower & Tower & Tower & Ashbourne Ashbourne Ashbourne Ashbourne Cabinet Presentation Fire Safety: UK Building Regulations Comparison Slough Borough Council England Scotland Wales Tower & Ashbourne

497 views • 23 slides
Tower Operation Management System TOMS Hu Yuming, China Background Tower control is one of

Tower Operation Management System TOMS Hu Yuming, China Background Tower control is one of

Tower Operation Management System TOMS Hu Yuming, China Background Tower control is one of the most complex parts in ATC service. A typical tower control consists of many particular procedures and steps . ACC Tower Tower Cruise TMA

543 views • 17 slides
PRIMARILY RESIDENTIAL DEVELOPMENT Approved office development New offices in the mixed- use

PRIMARILY RESIDENTIAL DEVELOPMENT Approved office development New offices in the mixed- use

TOWER 4 TOWER 2 RESIDENTIAL RESIDENTIAL 120,000 sq. ft. 275,000 sq. ft. TOWER 1 TOWER 5 RESIDENTIAL RESIDENTIAL 165,000 sq. ft. 130,000 sq. ft. HOTEL 150,000 sq.ft PROJECT VISION The proposed redevelopment of Eau Claire Market is a

258 views • 10 slides
Tower Hamlets Together: Discovery Phase Findings and next steps Tower Hamlets Vanguard Outcomes

Tower Hamlets Together: Discovery Phase Findings and next steps Tower Hamlets Vanguard Outcomes

Tower Hamlets Together: Discovery Phase Findings and next steps Tower Hamlets Vanguard Outcomes Framework Articulates our ambition to improve health and social care outcomes and experience for Tower Hamlets citizens Is co-produced

251 views • 12 slides
Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design: Ring Background : Randomized, double-blind, phase 3, placebo-controlled trial of a

341 views • 6 slides
PAUL PARFITT BAE/MAE Structural Option Senior Thesis Tower 333 May 4 th 2007 Tower 333

PAUL PARFITT BAE/MAE Structural Option Senior Thesis Tower 333 May 4 th 2007 Tower 333

PAUL PARFITT BAE/MAE Structural Option Senior Thesis Tower 333 May 4 th 2007 Tower 333 Introduction Proposal Lateral System Redesign Elimination of Moment Frames Core-Only Solution Cost Analysis & Schedule Reduction

814 views • 43 slides
Proposed Telecommunications Tower 7 Harlech Court, Markham Ontario Why is the tower needed?

Proposed Telecommunications Tower 7 Harlech Court, Markham Ontario Why is the tower needed?

Proposed Telecommunications Tower 7 Harlech Court, Markham Ontario Why is the tower needed? Maintain the current wireless infrastructure presently located within the community Voice (phone) Data (email, SMS) Internet service (web)

316 views • 12 slides
lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

Crystal Extraction from the Recycler Ring A.I. Drozhdin Fermi National Accelerator Laboratory P.O. Box 500, Batavia, Illinois 60510 May 31, 2012 1 Recycler Ring Lattice The choices to install the crystal in the Recycler Ring would be

427 views • 13 slides
New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of Sheffield) V. V. Bavula, New criteria for a ring to have a semisim- ple left quotient ring. Arxiv:math.RA:1303.0859. talk-NewCrit-SS-lQuot.tex 1

359 views • 15 slides
pump tower function tests Shuoxing Wu WA105-3x1x1 bi-weekly meeting 27.07.2016 LAr pump tower

pump tower function tests Shuoxing Wu WA105-3x1x1 bi-weekly meeting 27.07.2016 LAr pump tower

pump tower function tests Shuoxing Wu WA105-3x1x1 bi-weekly meeting 27.07.2016 LAr pump tower Shuoxing Wu ETHZ 2 LAr pump tower function test self-recirculation to simulate outer LAr bath real operation condition h valves open pump

57 views • 5 slides
A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic stat No el magnetic states es induced b induced by ring e ring exchange change Members: Tsutomu Momoi (RIKEN) Kenn Kubo (Aoyama Gakuinn Univ.)

489 views • 31 slides
TYPICAL FLOOR PLAN CLUB HOUSE DEVELOPMENT MAIN ENTRANCE 3 BHK TOWER - C 3 BHK TOWER - B 4 BHK

TYPICAL FLOOR PLAN CLUB HOUSE DEVELOPMENT MAIN ENTRANCE 3 BHK TOWER - C 3 BHK TOWER - B 4 BHK

TYPICAL FLOOR PLAN CLUB HOUSE DEVELOPMENT MAIN ENTRANCE 3 BHK TOWER - C 3 BHK TOWER - B 4 BHK TOWER - A SITE LAYOUT MAIN ENTRANCE 3 BHK UNIT PLAN 4 BHK UNIT PLAN FACTSHEET : Rs. 100/sft for Garden Facing Units in advance at the time of

98 views • 5 slides
Analysis of Hope Point Tower Proposal 7-18-17 DRAFT 1 Hope Point Tower q Parcel 42, west

Analysis of Hope Point Tower Proposal 7-18-17 DRAFT 1 Hope Point Tower q Parcel 42, west

Analysis of Hope Point Tower Proposal 7-18-17 DRAFT 1 Hope Point Tower q Parcel 42, west bank of Providence River, north of I-195, south of downtown. q A mixed-use project with residential, retail & parking to be built in a single phase.

528 views • 9 slides
T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

The generic model Nongeometric properties A systematic source A topos-theoretic Nullstellensatz This talk in a nutshell: There is a certain ring, the generic ring , which is special in that it is conserva- tive : It has exactly

855 views • 26 slides
EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union: challenges and strategic responses Colloquium 27 October 2015 Dr. Graeme P. Herd , Professor of Transnational Security Studies, George C. Marshall

344 views • 9 slides
Adverbs & Numerals M&R 135, 8286 ENG240Y Old English / Wed 13 Oct 2010 Adverbs

Adverbs & Numerals M&R 135, 8286 ENG240Y Old English / Wed 13 Oct 2010 Adverbs

Adverbs & Numerals M&R 135, 8286 ENG240Y Old English / Wed 13 Oct 2010 Adverbs An adverb is a word modifying a verb, adjective, or other adverb. Adverbs divide into: - adverbs of time (now, then, tomorrow, forever) -

469 views • 11 slides
GENERAL BODY MEETING ISLAMIC CENTER OF MARYLAND (ICM) June 1, 2013 ISLAMIC CENTER OF MARYLAND

GENERAL BODY MEETING ISLAMIC CENTER OF MARYLAND (ICM) June 1, 2013 ISLAMIC CENTER OF MARYLAND

GENERAL BODY MEETING ISLAMIC CENTER OF MARYLAND (ICM) June 1, 2013 ISLAMIC CENTER OF MARYLAND MEETING GROUND RULES This is the General Body meeting called by the Board of Trustees (BOT) as required by the ICM By-laws. Attendees need to

644 views • 49 slides
How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux

How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux

How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux December 4, 2014 Blacklist in practice The backbone of security ! Traffic analysis : Firewall : iptables , netfilter IDS : l7-filter

319 views • 15 slides
DEFY: A Deniable, Encrypted File System for Log-Structured Storage. Timothy M. Peters, Mark A.

DEFY: A Deniable, Encrypted File System for Log-Structured Storage. Timothy M. Peters, Mark A.

DEFY: A Deniable, Encrypted File System for Log-Structured Storage. Timothy M. Peters, Mark A. Gondree, and Zachary N. J. Peterson. In NDSS'15 Presented by Fengwei Zhang Wayne State University CSC 6991 Advanced Computer Security 1

576 views • 21 slides
Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

IFIP SEC '17 (Rome, Italy) Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei Costin (University of Jyvaskyla) Apostolis Zarras (TUM) Aurelien Francillon (EURECOM) Agenda Introduction

577 views • 34 slides
The Great Struggle Accretions Sunday rest Satans agency in the serpents actions

The Great Struggle Accretions Sunday rest Satans agency in the serpents actions

The Great Struggle Accretions Sunday rest Satans agency in the serpents actions The type of fruit eaten The date/time of year of Christs birth The number of magi Mary Magdalens profession Doctrine Orthodox

380 views • 18 slides
Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara

Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara

Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara Schmid Institute of Information Security Recap Security Protocols We have defined the Dolev-Yao adversary communicating agents that follow a

618 views • 51 slides
Differential Attacks on PIN Processing APIs Graham Steel LSV Overview Photo: redspotted/Flickr

Differential Attacks on PIN Processing APIs Graham Steel LSV Overview Photo: redspotted/Flickr

Differential Attacks on PIN Processing APIs Graham Steel LSV Overview Photo: redspotted/Flickr 1/15 Verizon Breach Report 2008 Released April 2009 2/15 Verizon Breach Report 2008 Released April 2009 While statistically not a large

409 views • 29 slides

More recommend