better algorithms for lwe and lwr
play

Better Algorithms for LWE and LWR Alexandre Duc, Florian Tram` er, - PowerPoint PPT Presentation

Dec 01, 2022 •204 likes •648 views

Better Algorithms for LWE and LWR Alexandre Duc, Florian Tram` er, Serge Vaudenay EPFL, Lausanne, Switzerland Eurocrypt 2015, Sofia Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 1 / 19 LWE Applications Many

  1. Better Algorithms for LWE and LWR Alexandre Duc, Florian Tram` er, Serge Vaudenay EPFL, Lausanne, Switzerland Eurocrypt 2015, Sofia Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 1 / 19

  2. LWE Applications Many crypto primitives are based on Learning With Errors Trapdoor functions + IBE [Gentry et al., 2008] Public-key and symmetric-key cryptosystems [Regev, 2009] , [Peikert, 2009] , [Applebaum et al., 2009] FHE [Brakerski and Vaikuntanathan, 2011] , [Brakerski, 2012] , [Gentry et al., 2013] Our Goal Better understand the hardness of LWE through an algorithmic analysis, in order to propose concrete security parameters for these schemes Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 2 / 19

  3. LWE Applications Many crypto primitives are based on Learning With Errors Trapdoor functions + IBE [Gentry et al., 2008] Public-key and symmetric-key cryptosystems [Regev, 2009] , [Peikert, 2009] , [Applebaum et al., 2009] FHE [Brakerski and Vaikuntanathan, 2011] , [Brakerski, 2012] , [Gentry et al., 2013] Our Goal Better understand the hardness of LWE through an algorithmic analysis, in order to propose concrete security parameters for these schemes Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 2 / 19

  4. Prior Work Lattice reduction algorithms (LLL, BKZ, ...) ) No precise analysis for large dimensions Blum-Kalai-Wasserman (BKW) Algorithm ) Asymptotic complexity well understood ⇣ ⌘ k Θ 2 for LPN log k 2 Θ ( k ) for LWE ) Precise algorithmic analysis LPN [Blum et al., 2003], [Levieil and Fouque, 2006] [Fossorier et al., 2006], [Bernstein and Lange, 2012] [Guo et al., 2014], [Bogos et al., 2015] LWE [Albrecht et al., 2013, 2014] LWR This talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 3 / 19

  5. Prior Work Lattice reduction algorithms (LLL, BKZ, ...) ) No precise analysis for large dimensions Blum-Kalai-Wasserman (BKW) Algorithm ) Asymptotic complexity well understood ⇣ ⌘ k Θ 2 for LPN log k 2 Θ ( k ) for LWE ) Precise algorithmic analysis LPN [Blum et al., 2003], [Levieil and Fouque, 2006] [Fossorier et al., 2006], [Bernstein and Lange, 2012] [Guo et al., 2014], [Bogos et al., 2015] LWE [Albrecht et al., 2013, 2014] LWR This talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 3 / 19

  6. Prior Work Lattice reduction algorithms (LLL, BKZ, ...) ) No precise analysis for large dimensions Blum-Kalai-Wasserman (BKW) Algorithm ) Asymptotic complexity well understood ⇣ ⌘ k Θ 2 for LPN log k 2 Θ ( k ) for LWE ) Precise algorithmic analysis LPN [Blum et al., 2003], [Levieil and Fouque, 2006] [Fossorier et al., 2006], [Bernstein and Lange, 2012] [Guo et al., 2014], [Bogos et al., 2015] LWE [Albrecht et al., 2013, 2014] LWR This talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 3 / 19

  7. Prior Work Lattice reduction algorithms (LLL, BKZ, ...) ) No precise analysis for large dimensions Blum-Kalai-Wasserman (BKW) Algorithm ) Asymptotic complexity well understood ⇣ ⌘ k Θ 2 for LPN log k 2 Θ ( k ) for LWE ) Precise algorithmic analysis LPN [Blum et al., 2003], [Levieil and Fouque, 2006] [Fossorier et al., 2006], [Bernstein and Lange, 2012] [Guo et al., 2014], [Bogos et al., 2015] LWE [Albrecht et al., 2013, 2014] LWR This talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 3 / 19

  8. LWE Definition Definition (LWE Oracle) Let k , q be positive integers. A Learning with Errors (LWE) oracle Π s , χ for a hidden vector s 2 Z k q and a probability distribution χ over Z q is an oracle returning 0 1 U A , � Z k q , h a , s i + ν @ a | {z } c where ν χ . Definition (Search-LWE) The Search-LWE problem is the problem of recovering the hidden secret s given n queries ( a ( j ) , c ( j ) ) 2 Z k q ⇥ Z q obtained from Π s , χ . Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 4 / 19

  9. LWE Definition Definition (LWE Oracle) Let k , q be positive integers. A Learning with Errors (LWE) oracle Π s , χ for a hidden vector s 2 Z k q and a probability distribution χ over Z q is an oracle returning 0 1 U A , � Z k q , h a , s i + ν @ a | {z } c where ν χ . Definition (Search-LWE) The Search-LWE problem is the problem of recovering the hidden secret s given n queries ( a ( j ) , c ( j ) ) 2 Z k q ⇥ Z q obtained from Π s , χ . Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 4 / 19

  10. Error Distribution(s) Two main Gaussian error distributions appear in the literature Definition (Rounded Gaussian Distribution [Regev, 2009; Albrecht et al., 2013] ) Sample x ⇠ N (0 , σ 2 ). Output d x c (mod q ) 2 ] � q 2 , q 2 ]. Definition (Discrete Gaussian Distribution [Regev, 2009; Brakerski et al., 2013] ) for x 2 ] � q 2 , q Pr[ x ] / exp( � x 2 / (2 σ 2 )) , 2] . ) Our results apply to both distributions for practical parameters ) We focus on the discrete Gaussian distribution for this talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 5 / 19

  11. Error Distribution(s) Two main Gaussian error distributions appear in the literature Definition (Rounded Gaussian Distribution [Regev, 2009; Albrecht et al., 2013] ) Sample x ⇠ N (0 , σ 2 ). Output d x c (mod q ) 2 ] � q 2 , q 2 ]. Definition (Discrete Gaussian Distribution [Regev, 2009; Brakerski et al., 2013] ) for x 2 ] � q 2 , q Pr[ x ] / exp( � x 2 / (2 σ 2 )) , 2] . ) Our results apply to both distributions for practical parameters ) We focus on the discrete Gaussian distribution for this talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 5 / 19

  12. Error Distribution(s) Two main Gaussian error distributions appear in the literature Definition (Rounded Gaussian Distribution [Regev, 2009; Albrecht et al., 2013] ) Sample x ⇠ N (0 , σ 2 ). Output d x c (mod q ) 2 ] � q 2 , q 2 ]. Definition (Discrete Gaussian Distribution [Regev, 2009; Brakerski et al., 2013] ) for x 2 ] � q 2 , q Pr[ x ] / exp( � x 2 / (2 σ 2 )) , 2] . ) Our results apply to both distributions for practical parameters ) We focus on the discrete Gaussian distribution for this talk Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 5 / 19

  13. The BKW Algorithm Reduction Phase ( [Blum et al., 2003; Albrecht et al., 2013] ) In each oracle query, split a into r blocks of b elements ( r · b = k ) �⇥ ⇤ ⇥ ⇤ ⇥ ⇤ � a 1 . . . a b a b +1 . . . a 2 b . . . a ( r � 1) b +1 . . . a rb | c Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 6 / 19

  14. The BKW Algorithm Reduction Phase ( [Blum et al., 2003; Albrecht et al., 2013] ) In each oracle query, split a into r blocks of b elements ( r · b = k ) �⇥ ⇤ ⇥ ⇤ ⇥ ⇤ � a 1 . . . a b a b +1 . . . a 2 b . . . a ( r � 1) b +1 . . . a rb | c Partition queries according to values of first block [ 0 0 1 ] [ 2 -1 4 ] [ -2 0 1 ] � 1 [ 0 0 1 ] [ -2 0 1 ] [ -5 1 -1 ] 2 [ 0 0 -1 ] [ 3 3 -4 ] [ 0 4 2 ] 0 [ 0 0 2 ] [ 0 2 0 ] [ -1 4 -3 ] � 5 [ 0 0 -2 ] [ -1 1 -3 ] [ 5 5 1 ] 3 [ 0 0 -2 ] [ -2 5 -5 ] [ 1 3 -4 ] 2 . . . BKW reduction in Z 9 11 , r = 3 , b = 3 Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 6 / 19

  15. The BKW Algorithm Reduction Phase ( [Blum et al., 2003; Albrecht et al., 2013] ) In each oracle query, split a into r blocks of b elements ( r · b = k ) �⇥ ⇤ ⇥ ⇤ ⇥ ⇤ � a 1 . . . a b a b +1 . . . a 2 b . . . a ( r � 1) b +1 . . . a rb | c Partition queries according to values of first block, and combine [ 0 0 1 ] [ 2 -1 4 ] [ -2 0 1 ] � 1 � + [ 0 0 1 ] [ -2 0 1 ] [ -5 1 -1 ] 2 [ 0 0 -1 ] [ 3 3 -4 ] [ 0 4 2 ] 0 [ 0 0 2 ] [ 0 2 0 ] [ -1 4 -3 ] � 5 + [ 0 0 -2 ] [ -1 1 -3 ] [ 5 5 1 ] 3 + [ 0 0 -2 ] [ -2 5 -5 ] [ 1 3 -4 ] 2 . . . BKW reduction in Z 9 11 , r = 3 , b = 3 Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 6 / 19

  16. The BKW Algorithm Reduction Phase ( [Blum et al., 2003; Albrecht et al., 2013] ) In each oracle query, split a into r blocks of b elements ( r · b = k ) �⇥ ⇤ ⇥ ⇤ ⇥ ⇤ � a 1 . . . a b a b +1 . . . a 2 b . . . a ( r � 1) b +1 . . . a rb | c Partition queries according to values of first block, and combine [ 0 0 1 ] [ 2 -1 4 ] [ -2 0 1 ] � 1 � + [ 0 0 0 ] [ 4 -1 3 ] [ 3 -1 2 ] � 3 [ 0 0 0 ] [ 5 2 0 ] [ -2 4 3 ] � 1 [ 0 0 2 ] [ 0 2 0 ] [ -1 4 -3 ] � 5 + [ 0 0 0 ] [ -1 3 -3 ] [ 4 -2 -2 ] � 2 + [ 0 0 0 ] [ -2 -4 -5 ] [ 0 -4 4 ] � 3 . . . BKW reduction in Z 9 11 , r = 3 , b = 3 Florian Tram` er (EPFL) Better Algorithms for LWE and LWR Eurocrypt 2015 6 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Greedy Algorithms Chapter 16 1 CPTR 430 Algorithms Greedy Algorithms Greedy Algorithms For

Greedy Algorithms Chapter 16 1 CPTR 430 Algorithms Greedy Algorithms Greedy Algorithms For

Greedy Algorithms Chapter 16 1 CPTR 430 Algorithms Greedy Algorithms Greedy Algorithms For some optimization problems, dynamic programming algorithms are overkill A greedy algorithm always makes a choice that looks best at the moment

1.09k views • 65 slides
Evolutionary Algorithms CS 478 - Evolutionary Algorithms 1 Evolutionary Computation/Algorithms

Evolutionary Algorithms CS 478 - Evolutionary Algorithms 1 Evolutionary Computation/Algorithms

Evolutionary Algorithms CS 478 - Evolutionary Algorithms 1 Evolutionary Computation/Algorithms Genetic Algorithms l Simulate natural evolution of structures via selection and reproduction, based on performance (fitness) l Type of

524 views • 30 slides
Graph Algorithms Chapter 22 1 CPTR 430 Algorithms Graph Algorithms Why Study Graph Algorithms?

Graph Algorithms Chapter 22 1 CPTR 430 Algorithms Graph Algorithms Why Study Graph Algorithms?

Graph Algorithms Chapter 22 1 CPTR 430 Algorithms Graph Algorithms Why Study Graph Algorithms? Mathematical graphs seem to be relatively specialized and abstract Why spend so much time and effort on algorithms for such an obscure area?

744 views • 47 slides
- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

algorithmic composition dForm + IM WS2010 Inst. f. Arch. a. Media packing algorithms packing algorithms packing algorithms p a c k i n g packing algorithms packing algorithms algorithms packing packing algorithm 1 algorithms - -

39 views • 3 slides
Algorithms Chapter 3 Chapter Summary Algorithms n Example Algorithms n Algorithmic Paradigms

Algorithms Chapter 3 Chapter Summary Algorithms n Example Algorithms n Algorithmic Paradigms

Algorithms Chapter 3 Chapter Summary Algorithms n Example Algorithms n Algorithmic Paradigms Growth of Functions n Big- O and other Notation Complexity of Algorithms Algorithms Section 3.1 Section Summary Properties of Algorithms

847 views • 83 slides
Algorithms Theory Algorithms Theory 10 10 Greedy Algorithms G d Al ith Dr. Alexander

Algorithms Theory Algorithms Theory 10 10 Greedy Algorithms G d Al ith Dr. Alexander

Algorithms Theory Algorithms Theory 10 10 Greedy Algorithms G d Al ith Dr. Alexander Souza Winter term 11/12 Greedy algorithms 1 1. Introductory remarks Introductory remarks 2. Basic examples: The coin-changing problem

504 views • 19 slides
Randomized Algorithms Randomized Algorithms Two Types of Randomized Algorithms Two Types of

Randomized Algorithms Randomized Algorithms Two Types of Randomized Algorithms Two Types of

Randomized Algorithms Randomized Algorithms Two Types of Randomized Algorithms Two Types of Randomized Algorithms and and Some Complexity Classes Some Complexity Classes Speaker: Chuang-Chieh Lin Advisor: Professor Maw-Shang Chang National

910 views • 52 slides
The Role of Algorithms in Computing Chapter 1 1 CPTR 430 Algorithms The Role of Algorithms in

The Role of Algorithms in Computing Chapter 1 1 CPTR 430 Algorithms The Role of Algorithms in

The Role of Algorithms in Computing Chapter 1 1 CPTR 430 Algorithms The Role of Algorithms in Computing What is an Algorithm? Any well-defined computational procedure that takes some value (or set of values)its input and produces some

321 views • 13 slides
Algorithms X. Zhang Fordham Univ. 1 Real World applications of algorithms Algorithms for

Algorithms X. Zhang Fordham Univ. 1 Real World applications of algorithms Algorithms for

Algorithms X. Zhang Fordham Univ. 1 Real World applications of algorithms Algorithms for solving specific, complex, real world problems: Google's success is largely due to its PageRank algorithm, which determines importance"

1.03k views • 46 slides
Mathematical Analysis of Genetic Algorithms Genetic Algorithms are not appropriate for

Mathematical Analysis of Genetic Algorithms Genetic Algorithms are not appropriate for

Mathematical Analysis of Genetic Algorithms Genetic Algorithms are not appropriate for certain problems where finding the exact global optimum is required. Genetic Algorithms are non-deterministic. However, there are theories about

271 views • 5 slides
Genetic Algorithms Welcome to this introduction to Genetic Algorithms. The objective of this paper

Genetic Algorithms Welcome to this introduction to Genetic Algorithms. The objective of this paper

Jesse Anderson CSCI 446, Artificial Intelligence Michelle Van Dyne 11-16-2016 Genetic Algorithms Welcome to this introduction to Genetic Algorithms. The objective of this paper is to inform you, the reader, on Genetic Algorithms and give

564 views • 9 slides
Efficient Algorithms P and NP So far, we have developed algorithms for finding shortest

Efficient Algorithms P and NP So far, we have developed algorithms for finding shortest

Efficient Algorithms P and NP So far, we have developed algorithms for finding shortest paths in graphs, CISC5835, Algorithms for Big Data minimum spanning trees in graphs, CIS, Fordham Univ. matchings in bipartite graphs,

514 views • 8 slides
Algorithms in Nature Nature inspired algorithms http://www.cs.cmu.edu/~02317/ Ziv Bar-Joseph

Algorithms in Nature Nature inspired algorithms http://www.cs.cmu.edu/~02317/ Ziv Bar-Joseph

Algorithms in Nature Nature inspired algorithms http://www.cs.cmu.edu/~02317/ Ziv Bar-Joseph Matt Ruffalo zivbj@cs.cmu.edu mruffalo@andrew.cmu.edu GHC 7715 GHC 8006 Topics Introduction (1 Week) Classic algorithms (4 weeks)

1.68k views • 28 slides
Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline

Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline

Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline What is algorithm: word origin, first algorithms, algorithms of todays world Sequential algorithms, Parallel algorithms, approximation

828 views • 62 slides
Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline

Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline

Algorithms for Big Data CISC5835 Fordham Univ. Instructor: X. Zhang Lecture 1 Outline What is algorithm: word origin, first algorithms, algorithms of todays world Sequential algorithms, Parallel algorithms, approximation

332 views • 21 slides
Algorithms and Architecture 1 Introduction to Algorithms Alexandre David 1 Outline Notion

Algorithms and Architecture 1 Introduction to Algorithms Alexandre David 1 Outline Notion

Algorithms and Architecture 1 Introduction to Algorithms Alexandre David 1 Outline Notion of algorithms, GCD example. Algorithmic problem solving. Problem types. Sorting example. Numerical example. Analyzing algorithms.

333 views • 12 slides
A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work

A Tale of Three Signatures: Practical Attack of ECDSA with wNAF Gabrielle De Micheli Joint work with R emi Piau and C ecile Pierrot Universit e de Lorraine, Inria Nancy, France Africacrypt 2020 Cairo, Egypt 1/32 How to attack ECDSA

646 views • 32 slides
Placement ECE6133 Physical Design Automation of VLSI Systems Prof. Sung Kyu Lim School of

Placement ECE6133 Physical Design Automation of VLSI Systems Prof. Sung Kyu Lim School of

Placement ECE6133 Physical Design Automation of VLSI Systems Prof. Sung Kyu Lim School of Electrical and Computer Engineering Georgia Institute of Technology Placement The process of arranging the circuit components on a layout surface.

1.4k views • 70 slides
FY 2020 Supplemental Comprehensive Housing Counseling NOFA: Grant Application Training Audio is

FY 2020 Supplemental Comprehensive Housing Counseling NOFA: Grant Application Training Audio is

FY 2020 Supplemental Comprehensive Housing Counseling NOFA: Grant Application Training Audio is only available by conference call Please call: 844-291-5491 Participant Access Code: 9786696 to join the conference call portion of the webinar

1.12k views • 86 slides
Constraint Programming with Decision Diagrams Willem-Jan van Hoeve Tepper School of Business

Constraint Programming with Decision Diagrams Willem-Jan van Hoeve Tepper School of Business

Constraint Programming with Decision Diagrams Willem-Jan van Hoeve Tepper School of Business Carnegie Mellon University Acknowledgments: David Bergman, Andre A. Cire, Sam Hoda, and John N. Hooker NSF, Google Summary What can MDDs do for

1.39k views • 109 slides
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J. Bi, J-S. Coron, J-C. Faug` ere, P . Nguyen, G. Renault, R. Zeitoun Public Key Cryptography 2014 26-28 March, 2014 - Buenos Aires, Argentina

613 views • 36 slides
Advanced Algorithms (VIII) Shanghai Jiao Tong University Chihao Zhang April 26, 2020 The

Advanced Algorithms (VIII) Shanghai Jiao Tong University Chihao Zhang April 26, 2020 The

Advanced Algorithms (VIII) Shanghai Jiao Tong University Chihao Zhang April 26, 2020 The Probabilistic Method The Probabilistic Method Design a probability space The Probabilistic Method Design a probability space Show that Pr[the object

1.01k views • 87 slides
Mixed Integer Linear Programming Combinatorial Problem Solving (CPS) Javier Larrosa Albert

Mixed Integer Linear Programming Combinatorial Problem Solving (CPS) Javier Larrosa Albert

Mixed Integer Linear Programming Combinatorial Problem Solving (CPS) Javier Larrosa Albert Oliveras Enric Rodr guez-Carbonell May 8, 2020 Mixed Integer Linear Programs A mixed integer linear program (MILP, MIP) is of the form min c

1.28k views • 102 slides
The Variational Predictive Natural Gradient Da Tang 1 Rajesh Ranganath 2 1 Columbia University 2

The Variational Predictive Natural Gradient Da Tang 1 Rajesh Ranganath 2 1 Columbia University 2

The Variational Predictive Natural Gradient Da Tang 1 Rajesh Ranganath 2 1 Columbia University 2 New York University June 12, 2019 Variational Inference Latent variable models: p ( x , z ; ) = p ( z ) p ( x | z ; ). Variational

481 views • 20 slides

More recommend