an efficient and parallel gaussian sampler for lattices
play

An Efficient and Parallel Gaussian Sampler for Lattices Chris - PowerPoint PPT Presentation

Sep 20, 2022 •369 likes •975 views

An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010 1 / 10 Lattice-Based Crypto L R n b 2 b 1 2 / 10 Lattice-Based Crypto L R n p 1 p 2 2 / 10 Lattice-Based Crypto L R n b 2 p 1 b 1 =

  1. An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010 1 / 10

  2. Lattice-Based Crypto L ⊂ R n b 2 b 1 2 / 10

  3. Lattice-Based Crypto L ⊂ R n p 1 p 2 2 / 10

  4. Lattice-Based Crypto L ⊂ R n b 2 p 1 b 1 = ⇒ p 2 (Images courtesy xkcd.org) 2 / 10

  5. Lattice-Based Crypto L ⊂ R n b 2 p 1 b 1 = ⇒ p 2 ✔ Asymptotically efficient & highly parallelizable (Images courtesy xkcd.org) 2 / 10

  6. Lattice-Based Crypto L ⊂ R n b 2 p 1 b 1 = ⇒ p 2 ✔ Asymptotically efficient & highly parallelizable ✔ Worst-case assumptions (& quantum-resistant?) [Ajtai’96,. . . ] (Images courtesy xkcd.org) 2 / 10

  7. Lattice-Based Crypto L ⊂ R n b 2 p 1 b 1 = ⇒ p 2 ✔ Asymptotically efficient & highly parallelizable ✔ Worst-case assumptions (& quantum-resistant?) [Ajtai’96,. . . ] ✔ Many rich applications: ⋆ ‘Hash-and-sign’ signatures [GPV’08, CHKP’10, R’10, B’10] ⋆ (Hierarchical) IBE [GPV’08, CHKP’10, ABB’10a, ABB’10b] ⋆ Fully homomorphic encryption [G’09, SV’10, vDGHV’10] (Images courtesy xkcd.org) 2 / 10

  8. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] 3 / 10

  9. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L ⋆ ‘Zero-knowledge’ operation: leaks no information about B [GPV’08] b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] 3 / 10

  10. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L ⋆ ‘Zero-knowledge’ operation: leaks no information about B [GPV’08] b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] Crypto Applications ◮ ‘Answering queries:’ signing, (H)IBE key extraction, (NI)ZK 3 / 10

  11. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L ⋆ ‘Zero-knowledge’ operation: leaks no information about B [GPV’08] b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] Crypto Applications ◮ ‘Answering queries:’ signing, (H)IBE key extraction, (NI)ZK ◮ Worst-case / average-case reductions [GPV’08,P’09,LPR’10,G’10] 3 / 10

  12. Gaussian Sampling on Lattices ◮ Given ‘good’ basis B and center c , sample discrete Gaussian on L ⋆ ‘Zero-knowledge’ operation: leaks no information about B [GPV’08] b 2 c b 1 [B’93,R’03,AR’04,MR’04,. . . ] Crypto Applications ◮ ‘Answering queries:’ signing, (H)IBE key extraction, (NI)ZK ◮ Worst-case / average-case reductions [GPV’08,P’09,LPR’10,G’10] ◮ Narrower Gaussian ⇒ smaller keys ⇒ more efficient schemes 3 / 10

  13. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 4 / 10

  14. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 4 / 10

  15. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 4 / 10

  16. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 4 / 10

  17. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . 4 / 10

  18. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . ✔ Narrow: width ≈ max � � b i � = max dist between adjacent ‘planes’ 4 / 10

  19. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . ✔ Narrow: width ≈ max � � b i � = max dist between adjacent ‘planes’ ✗ Not efficient: time = Ω( n 3 ) , high-precision real arithmetic 4 / 10

  20. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . ✔ Narrow: width ≈ max � � b i � = max dist between adjacent ‘planes’ ✗ Not efficient: time = Ω( n 3 ) , high-precision real arithmetic ✗ Inherently sequential: n adaptive iterations 4 / 10

  21. The GPV Sampling Algorithm ◮ ‘Nearest-plane’ algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 Good News, and Bad News. . . ✔ Narrow: width ≈ max � � b i � = max dist between adjacent ‘planes’ ✗ Not efficient: time = Ω( n 3 ) , high-precision real arithmetic ✗ Inherently sequential: n adaptive iterations ✗ No efficiency improvement for ring-based crypto [NTRU’98,M’02,. . . ] 4 / 10

  22. Our Contributions 1 A new Gaussian sampling algorithm for lattices. 5 / 10

  23. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer 5 / 10

  24. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer Even better: ˜ O ( n ) time for ring-based schemes! 5 / 10

  25. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer Even better: ˜ O ( n ) time for ring-based schemes! ⋆ Fully parallelizable: n 2 / P operations on each of P ≤ n 2 processors 5 / 10

  26. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer Even better: ˜ O ( n ) time for ring-based schemes! ⋆ Fully parallelizable: n 2 / P operations on each of P ≤ n 2 processors ⋆ High quality: for crypto lattices, same ∗ Gaussian width as GPV 5 / 10

  27. Our Contributions 1 A new Gaussian sampling algorithm for lattices. Key Features ⋆ Simple & efficient: ≈ 4 n 2 online adds and mults, modulo a small integer Even better: ˜ O ( n ) time for ring-based schemes! ⋆ Fully parallelizable: n 2 / P operations on each of P ≤ n 2 processors ⋆ High quality: for crypto lattices, same ∗ Gaussian width as GPV 2 A general ‘convolution theorem’ for discrete Gaussians. Other applications: LWE error distribution, bi-deniable encryption [OP’10] , . . . 5 / 10

  28. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) b 2 c b 1 6 / 10

  29. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) b 2 c b 1 6 / 10

  30. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . b 2 c b 1 6 / 10

  31. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ $ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . . . . but what about randomized rounding? b 2 c b 1 6 / 10

  32. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ $ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . . . . but what about randomized rounding? b 2 c b 1 6 / 10

  33. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ $ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . . . . but what about randomized rounding? b 2 c b 1 ◮ Non-spherical distribution: has covariance � x · x t � ≈ B · B t . Σ := Exp x 6 / 10

  34. A First Attempt c �→ B · ⌊ B − 1 · c ⌉ $ . ◮ [Babai’86] ‘simple rounding:’ (Fast & Parallel!) ◮ Deterministic rounding is insecure [NguyenRegev’06] . . . . . . but what about randomized rounding? b 2 c b 1 ◮ Non-spherical distribution: has covariance � x · x t � ≈ B · B t . Σ := Exp x Covariance can be measured — and it leaks B ! (up to rotation) 6 / 10

  35. Inspiration: Some Facts About Gaussians 1 Continuous Gaussian ⇐ ⇒ positive definite covariance matrix Σ . (pos def: u t Σ u > 0 for all unit u .) 7 / 10

  36. Inspiration: Some Facts About Gaussians 1 Continuous Gaussian ⇐ ⇒ positive definite covariance matrix Σ . (pos def: u t Σ u > 0 for all unit u .) ⇒ covariance s 2 I . Spherical Gaussian ⇐ 7 / 10

  37. Inspiration: Some Facts About Gaussians 1 Continuous Gaussian ⇐ ⇒ positive definite covariance matrix Σ . (pos def: u t Σ u > 0 for all unit u .) ⇒ covariance s 2 I . Spherical Gaussian ⇐ 2 Convolution of Gaussians: + = Σ = s 2 I Σ 1 + Σ 2 = 7 / 10

  38. Inspiration: Some Facts About Gaussians 1 Continuous Gaussian ⇐ ⇒ positive definite covariance matrix Σ . (pos def: u t Σ u > 0 for all unit u .) ⇒ covariance s 2 I . Spherical Gaussian ⇐ 2 Convolution of Gaussians: + = Σ = s 2 I Σ 1 + Σ 2 = 3 Given Σ 1 , how small can s be? For Σ 2 := s 2 I − Σ 1 , 7 / 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sampling and Reporting for Sampler 1 and 2 Certification Sampling and Reporting for Sampler 1 and 2

Sampling and Reporting for Sampler 1 and 2 Certification Sampling and Reporting for Sampler 1 and 2

Sampling and Reporting for Sampler 1 and 2 Certification Sampling and Reporting for Sampler 1 and 2 Certification Jennifer Hill, PE Peter Nathanson, PE Daniel B. Stephens & Associates Independent Contractor 505.353.9106 peternathanson@kunm.org

2k views • 188 slides
Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio (UCSD) Nicholas Genise (UCSD) Modern Cryptography Founded on Mathematics / Complexity Theory Start from mathematical problem P that is

461 views • 32 slides
Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

Faster Gaussian Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction Lattices based Signatures Before Gaussian Sampling Preventing Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

984 views • 67 slides
PM Sampler Placement and Sampler Errors! Why should Regulatory and Agricultural Industries Care?

PM Sampler Placement and Sampler Errors! Why should Regulatory and Agricultural Industries Care?

PM Sampler Placement and Sampler Errors! Why should Regulatory and Agricultural Industries Care? Dr. Michael Buser USDA Agricultural Research Service Cotton Production and Processing Research Unit Lubbock, TX (806) 746-5353 x 104 Office

307 views • 11 slides
Multilevel LDPC Lattices with Efficient Encoding and Decoding and a Generalization of Construction

Multilevel LDPC Lattices with Efficient Encoding and Decoding and a Generalization of Construction

Multilevel LDPC Lattices with Efficient Encoding and Decoding and a Generalization of Construction D Danilo Silva Paulo R. B. da Silva Department of Electrical and Electronic Engineering Federal University of Santa Catarina (UFSC), Brazil

755 views • 63 slides
More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

Introduction GGH Construction GGHLite Conclusions More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School of IT Monash University, Australia (Based on joint work with A. Langlois and D. Stehl e, ENS

706 views • 39 slides
Efficient sampling for Gaussian linear regression with arbitrary priors P. Richard Hahn (Arizona

Efficient sampling for Gaussian linear regression with arbitrary priors P. Richard Hahn (Arizona

Efficient sampling for Gaussian linear regression with arbitrary priors P. Richard Hahn (Arizona State), Jingyu He (Chicago Booth), Hedibert Lopes (INSPER) November 21, 2018 1 Motivation Goal: run a Gaussian linear regression and a new prior

1.01k views • 52 slides
Computing and Communications 2. Information Theory -Gaussian Channel Ying Cui Department of

Computing and Communications 2. Information Theory -Gaussian Channel Ying Cui Department of

1896 1920 1987 2006 Computing and Communications 2. Information Theory -Gaussian Channel Ying Cui Department of Electronic Engineering Shanghai Jiao Tong University, China 2017, Autumn 1 Outline Gaussian Channel Parallel Gaussian

586 views • 19 slides
CS 240A: Solving Ax = b in parallel Dense A: Gaussian elimination with partial pivoting (LU)

CS 240A: Solving Ax = b in parallel Dense A: Gaussian elimination with partial pivoting (LU)

CS 240A: Solving Ax = b in parallel Dense A: Gaussian elimination with partial pivoting (LU) Same flavor as matrix * matrix, but more complicated Sparse A: Gaussian elimination Cholesky, LU, etc. Graph algorithms Sparse A:

589 views • 25 slides
Energy-efficient parallel software for mobile hand-held devices Antti P Miettinen , Nokia Research

Energy-efficient parallel software for mobile hand-held devices Antti P Miettinen , Nokia Research

Energy-efficient parallel software for mobile hand-held devices Antti P Miettinen , Nokia Research Center Vesa Hirvisalo, Helsinki University of Technology Mobile-phone view to parallel SW Parallel == efficient? Not always

283 views • 9 slides
R goes Mobile: Efficient Scheduling for Parallel R Programs on Heterogeneous Embedded Systems

R goes Mobile: Efficient Scheduling for Parallel R Programs on Heterogeneous Embedded Systems

R goes Mobile: Efficient Scheduling for Parallel R Programs on Heterogeneous Embedded Systems Helena Kotthaus, Andreas Lang Olaf Neugebauer, Peter Marwedel 03/07/2017 SFB 876 Parallel Machine Learning Algorithms Challenge: Regression Model

299 views • 15 slides
Gaussian Processes for Sample Efficient Reinforcement Learning with RMAX-like Exploration Tobias

Gaussian Processes for Sample Efficient Reinforcement Learning with RMAX-like Exploration Tobias

Gaussian Processes for Sample Efficient Reinforcement Learning with RMAX-like Exploration Tobias Jung and Peter Stone Department of Computer Science University of Texas at Austin { tjung,pstone } @cs.utexas.edu Outline: 1. Motivation &

349 views • 18 slides
Near-Optimal Sensor Placements in Gaussian Processes: Theory, Efficient Algorithms and Empirical

Near-Optimal Sensor Placements in Gaussian Processes: Theory, Efficient Algorithms and Empirical

Journal of Machine Learning Research 9 (2008) 235-284 Submitted 9/06; Revised 9/07; Published 2/08 Near-Optimal Sensor Placements in Gaussian Processes: Theory, Efficient Algorithms and Empirical Studies Andreas Krause KRAUSEA @ CS . CMU . EDU

657 views • 50 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Why Gaussian and Cauchy Functions Computationally . . . Are Efficient in Filled Function Method:

Why Gaussian and Cauchy Functions Computationally . . . Are Efficient in Filled Function Method:

Formulation of the . . . Need for Smoothing Need to Select an . . . We May Need Several . . . Why Gaussian and Cauchy Functions Computationally . . . Are Efficient in Filled Function Method: Resulting Requirement . . . A Possible Explanation

513 views • 17 slides
Gaussian Filter The Gaussian filter 1 2 1 A Gaussian kernel gives less 1 2 4 2 weight to

Gaussian Filter The Gaussian filter 1 2 1 A Gaussian kernel gives less 1 2 4 2 weight to

Gaussian Filter The Gaussian filter 1 2 1 A Gaussian kernel gives less 1 2 4 2 weight to pixels further from 16 the center of the window 1 2 1 This kernel is an approximation of a Gaussian function Gaussian filtering versus mean

405 views • 11 slides
Thresholds in random CSPs Nike Sun (Berkeley) Counting complexity and phase transitions Simons

Thresholds in random CSPs Nike Sun (Berkeley) Counting complexity and phase transitions Simons

Thresholds in random CSPs Nike Sun (Berkeley) Counting complexity and phase transitions Simons Institute, Berkeley 28 January 2016 Plan for the talk Introduction: random k -SAT model Threshold conjecture, Friedguts theorem Statistical

1.67k views • 142 slides
to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

CrashMonkey: A Framework to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram University of Texas at Austin Crash Consistency File-system updates change multiple blocks on storage Data blocks, inodes,

499 views • 46 slides
Improved Bounds on the Dot Product under Random Projection and Random Sign Projection Ata Kab

Improved Bounds on the Dot Product under Random Projection and Random Sign Projection Ata Kab

Improved Bounds on the Dot Product under Random Projection and Random Sign Projection Ata Kab an School of Computer Science The University of Birmingham Birmingham B15 2TT, UK http://www.cs.bham.ac.uk/ axk KDD 2015, Sydney, 10-13

280 views • 23 slides
Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**,

Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**,

Hig igh-Throughput Secure Three-Party Computation for Mali licious Adversaries and an Honest Majority Jun Furukawa*, Yehuda Lindell**, Ariel Nof** and Or Weinstein** *NEC corporation, Israel **Bar-Ilan University, Israel Eurocrypt 2017

699 views • 54 slides
Nodal lines of random waves Many questions and few answers M. Sodin (Tel Aviv) Ascona, May 2010

Nodal lines of random waves Many questions and few answers M. Sodin (Tel Aviv) Ascona, May 2010

Nodal lines of random waves Many questions and few answers M. Sodin (Tel Aviv) Ascona, May 2010 1 Random 2D wave : random superposition of solutions to f + 2 f = 0 Examples: Random spherical harmonic of

496 views • 28 slides
Scale-up Graph Processing: A Storage-centric View Eiko Yoneki University of Cambridge Amitabha Roy

Scale-up Graph Processing: A Storage-centric View Eiko Yoneki University of Cambridge Amitabha Roy

Scale-up Graph Processing: A Storage-centric View Eiko Yoneki University of Cambridge Amitabha Roy EPFL SIGMOD GRADES June 23, 2013 Graph Storage Storing and accessing graphs is a challenge Edge traversal produces an access pattern that is

473 views • 13 slides
Probability and Statistics for Computer Science

Probability and Statistics for Computer Science

Probability and Statistics for Computer Science many problems are naturally classifica4on problems---Prof. Forsyth Credit: wikipedia Hongye

570 views • 53 slides
DART: Directed Automated Random Testing PLDI 2005 Patrice Godefroid 1 Nils Klarlund 1 Koushik Sen

DART: Directed Automated Random Testing PLDI 2005 Patrice Godefroid 1 Nils Klarlund 1 Koushik Sen

DART: Directed Automated Random Testing PLDI 2005 Patrice Godefroid 1 Nils Klarlund 1 Koushik Sen 2 1 Bell Laboratories, Lucent Technologies 2 University of Illinois at Urbana-Champaign November 10, 2015 Presented by Markus 1/20 Introduction

1.58k views • 102 slides

More recommend