connections between learning with errors and the dihedral
play

Connections between Learning with Errors and the Dihedral Coset - PowerPoint PPT Presentation

Dec 18, 2022 •300 likes •492 views

Connections between Learning with Errors and the Dihedral Coset Problem Elena Kirshanova joint work with Zvika Brakerski, Damien Stehl, and Weiqiang Wen LWE and DCP Dimension: n , modulus: q = poly( n ) LWE: Given ( a 1 , a 1 , s + e

  1. Connections between Learning with Errors and the Dihedral Coset Problem Elena Kirshanova joint work with Zvika Brakerski, Damien Stehlé, and Weiqiang Wen

  2. LWE and DCP Dimension: n , modulus: q = poly( n ) LWE: Given ( a 1 , � a 1 , s � + e 1 mod q ) . . . ( a m , � a m , s � + e m mod q ) with � e � ≪ q , find s .

  3. LWE and DCP Dimension: n , modulus: q = poly( n ) LWE: Given DCP: Given ( a 1 , � a 1 , s � + e 1 mod q ) | 0 , x 1 � + | 1 , x 1 + s mod N � . . . . . . ( a m , � a m , s � + e m mod q ) | 0 , x ℓ � + | 1 , x ℓ + s mod N � with � e � ≪ q , find s . find s .

  4. LWE and DCP Dimension: n , modulus: q = poly( n ) LWE: Given ≤ DCP: Given [Regev’02] ( a 1 , � a 1 , s � + e 1 mod q ) | 0 , x 1 � + | 1 , x 1 + s mod N � . . . . . . ( a m , � a m , s � + e m mod q ) | 0 , x ℓ � + | 1 , x ℓ + s mod N � with � e � ≪ q , find s . find s .

  5. LWE and DCP Dimension: n , modulus: q = poly( n ) LWE: Given ≤ DCP: Given [Regev’02] ( a 1 , � a 1 , s � + e 1 mod q ) | 0 , x 1 � + | 1 , x 1 + s mod N � . . . . . . ( a m , � a m , s � + e m mod q ) | 0 , x ℓ � + | 1 , x ℓ + s mod N � with � e � ≪ q , find s . find s . Does not improve upon classical algorithms

  6. LWE and DCP Dimension: n , modulus: q = poly( n ) LWE: Given ≤ DCP: Given [Regev’02] ( a 1 , � a 1 , s � + e 1 mod q ) | 0 , x 1 � + | 1 , x 1 + s mod N � . . . . . . ( a m , � a m , s � + e m mod q ) | 0 , x ℓ � + | 1 , x ℓ + s mod N � with � e � ≪ q , find s . find s . Does not improve upon classical algorithms BKW / lattices: Kuperberg: � � log q 2 O (log ℓ +log N/ log ℓ ) O n · (log q − log ei )2 2 The reduction produces ℓ = poly( n ) , N = 2 n 2

  7. Inverse direction Is DCP ≤ LWE? ◮ might give a strong evidence for quantum hardness of LWE ◮ DCP might be too ‘hard’ for LWE: DCP ≤ SubsetSum 1 · c [Reg’02], but SubsetSum log n ≤ LWE ≤ Vec. SubsetSum > log n 1

  8. Inverse direction Is DCP ≤ LWE? ◮ might give a strong evidence for quantum hardness of LWE ◮ DCP might be too ‘hard’ for LWE: DCP ≤ SubsetSum 1 · c [Reg’02], but SubsetSum log n ≤ LWE ≤ Vec. SubsetSum > log n 1 No, but we show that EDCP ≤ LWE

  9. Extended DCP EDCP DCP for a distr. D � D ( j ) | j � | x + j · s � | 0 � | x � + | 1 � | x + s � j ∈ sup ( D )

  10. Extended DCP EDCP DCP for a distr. D � D ( j ) | j � | x + j · s � | 0 � | x � + | 1 � | x + s � j ∈ sup ( D ) G - EDCP U - EDCP � M − 1 � ρ r ( j ) | j � | x + j · s � j =0 | j � | x + j · s � j ∈ Z

  11. Extended DCP EDCP DCP for a distr. D � D ( j ) | j � | x + j · s � | 0 � | x � + | 1 � | x + s � j ∈ sup ( D ) G - EDCP U - EDCP � M − 1 � ρ r ( j ) | j � | x + j · s � j =0 | j � | x + j · s � j ∈ Z Main result: LWE G - EDCP U - EDCP < DCP ⇐ ⇒ ⇐ ⇒ ⇐ ⇒ hides polynomial loses

  12. Extended DCP EDCP DCP for a distr. D � D ( j ) | j � | x + j · s � | 0 � | x � + | 1 � | x + s � j ∈ sup ( D ) G - EDCP n,q,r U - EDCP n,q,M � M − 1 � ρ r ( j ) | j � | x + j · s � j =0 | j � | x + j · s � j ∈ Z LWE n,q, G - EDCP n,q,r U - EDCP n,q,c · r q DCP 2 n log q r · poly( n ) Dimension modulus st. dev. G - EDCP n,q,r/ √ n LWE n,q,q/r

  13. Extended DCP EDCP DCP for a distr. D � D ( j ) | j � | x + j · s � | 0 � | x � + | 1 � | x + s � j ∈ sup ( D ) G - EDCP n,q,r U - EDCP n,q,M � M − 1 � ρ r ( j ) | j � | x + j · s � j =0 | j � | x + j · s � j ∈ Z Quantum rejection sampling, Ozols et al. LWE n,q, G - EDCP n,q,r U - EDCP n,q,c · r q DCP 2 n log q r · poly( n ) Dimension modulus st. dev. G - EDCP n,q,r/ √ n LWE n,q,q/r

  14. Results via average case lattice problems [Reg02]+[LM09] LWE n,q, DCP 2 n log q [2 n 2 ] q G - EDCP n,q,r U - EDCP n,q,c · r r · poly( n )

  15. Results via average case lattice problems [Reg02]+[LM09] LWE n,q, DCP 2 n log q [2 n 2 ] q G - EDCP n,q,r U - EDCP n,q,c · r r · poly( n ) 1 -dim UDCP was already considered in [Childs-van Dam’07]: M − 1 � | j � | x + j · s mod 2 n � j =0 √ n 2 n/c 2 2 M Runtime 2 n poly( n ) poly( n ) [CvD’07] [Brakerski et. al] LWE √ n, 2 LWE 1 , 2 n , 2 n √ n G - EDCP 1 , 2 n ,M U - EDCP 1 , 2 n ,M √ n , 2 M M

  16. G-EDCP ≤ LWE � � e � |� a , s � + e � ρ 1 QFT q r e ∈ Z q QFT a � ρ r ( j ) | j � | x + j · s mod q � j ∈ Z (1) (2)

  17. G-EDCP ≤ LWE � � e � |� a , s � + e � ρ 1 QFT q r e ∈ Z q QFT a � ρ r ( j ) | j � | x + j · s mod q � j ∈ Z (1) (2) � � ω � ( x + j · s ) , a � (1) : · ρ r ( j ) | j � | a � q a ∈ Z n j ∈ Z q

  18. G-EDCP ≤ LWE � � e � |� a , s � + e � ρ 1 QFT q r e ∈ Z q QFT a � ρ r ( j ) | j � | x + j · s mod q � j ∈ Z (1) (2) � � ω � ( x + j · s ) , a � (1) : · ρ r ( j ) | j � | a � q a ∈ Z n j ∈ Z q j + � a , s � + b � � � � PSF � � ω j · ( � a , s � + b ) (2) : · ρ r ( j ) | b � − − → ρ 1 /r | b � q q b ∈ Z q j ∈ Z b ∈ Z q j ∈ Z

  19. Open questions ◮ how to make use of several shifts (exact complexity of Kuperberg’s algorithm with multiple shifts). ◮ trade samples vs. shifts: UDCP self-reduction allowing to trade ℓ for M ? ◮ extend quantum rejection sampling to ring-lwe states

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dihedral Sieving Phenomena Sujit Rao, Joe Suk 31 July 2017 1/14 Outline Cyclic sieving

Dihedral Sieving Phenomena Sujit Rao, Joe Suk 31 July 2017 1/14 Outline Cyclic sieving

Dihedral Sieving Phenomena Sujit Rao, Joe Suk 31 July 2017 1/14 Outline Cyclic sieving Sieving for general groups Sieving for dihedral groups Examples of dihedral sieving Future work 2/14 Cyclic Sieving Phenomenon (CSP) Definition X be a

156 views • 15 slides
Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors

Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors

Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors CS-121 Logic errors Syntax Errors Syntax Errors An error in which a C++ grammar rule has been violated. Are flagged at compile time Missing ;

338 views • 5 slides
On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 1 1 Tel Aviv University 2 Georgia Institute of Technology Eurocrypt 2010 1 / 12 The Learning With Errors Problem [Regev05]

819 views • 59 slides
Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai Ding Michael Snook zgr Dagdelen DIMACS Workshop on the Mathematics of

339 views • 33 slides
10 Learning Strategies @ Home Learning Connections Sutherland Secondary School @MrHockley

10 Learning Strategies @ Home Learning Connections Sutherland Secondary School @MrHockley

10 Learning Strategies @ Home Learning Connections Sutherland Secondary School @MrHockley GHockley@sd44.ca Habit an acquired behaviour pattern regularly followed until it has become almost involuntary or automatic Study Zone Location,

529 views • 20 slides
Composite Sieving Techniques: Dihedral Action on Cluster Complexes Zachary Stier Julian Wellman

Composite Sieving Techniques: Dihedral Action on Cluster Complexes Zachary Stier Julian Wellman

Composite Sieving Techniques: Dihedral Action on Cluster Complexes Zachary Stier Julian Wellman Zixuan Xu UMN REU July 25, 2019 Stier, Wellman, Xu Dihedral Sieving Phenomena July 25, 2019 1 / 29 Outline Motivation : cyclic and

569 views • 34 slides
Learning Machines Seminars 2020-11-05 Uncertainty in deep learning Olof Mogren, PhD RISE

Learning Machines Seminars 2020-11-05 Uncertainty in deep learning Olof Mogren, PhD RISE

Learning Machines Seminars 2020-11-05 Uncertainty in deep learning Olof Mogren, PhD RISE Research Institutes of Sweden Our world is full of uncertainties: measurement errors, modeling errors, or uncertainty due to test-data being

325 views • 31 slides
Peer Prediction Mechanisms and their Connections to Machine Learning Jens Witkowski ETH

Peer Prediction Mechanisms and their Connections to Machine Learning Jens Witkowski ETH

Peer Prediction Mechanisms and their Connections to Machine Learning Jens Witkowski ETH Zurich Game Theory Meets Computational Learning Theory Dagstuhl June 22, 2017 Joint work with David C. Parkes (Harvard) and Rafael Frongillo

831 views • 16 slides
On Dihedral Group Invariant Boolean Functions (Extended Abstract) Subhamoy Maitra 1 Sumanta

On Dihedral Group Invariant Boolean Functions (Extended Abstract) Subhamoy Maitra 1 Sumanta

Motivation Our Results/Contribution Summary On Dihedral Group Invariant Boolean Functions (Extended Abstract) Subhamoy Maitra 1 Sumanta Sarkar 1 Deepak Kumar Dalai 2 1 Applied Statistics Unit Indian Statistical Institute, Kolkata. 2 Project

1.16k views • 87 slides
Exploring Your Program Connections to Land based Learning Webinar Presentation

Exploring Your Program Connections to Land based Learning Webinar Presentation

Exploring Your Program Connections to Land based Learning Webinar Presentation Aboriginal Head Start On Reserve (AHSOR) October 2020 www.fnha.ca Learning Objectives: o Review Exploring Your Program Series o Understand the

441 views • 28 slides
Lecture 2.2: Dihedral groups Matthew Macauley Department of Mathematical Sciences Clemson

Lecture 2.2: Dihedral groups Matthew Macauley Department of Mathematical Sciences Clemson

Lecture 2.2: Dihedral groups Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4120, Modern Algebra M. Macauley (Clemson) Lecture 2.2: Dihedral groups Math 4120, Modern Algebra

460 views • 7 slides
Unified error reporting -- A worthy goal? Andi Kleen, Intel Corporation Sep 2009

Unified error reporting -- A worthy goal? Andi Kleen, Intel Corporation Sep 2009

Unified error reporting -- A worthy goal? Andi Kleen, Intel Corporation Sep 2009 andi@firstfloor.org errors standardized errors machine checks pci-express errors platform errors thermal errors APEI storage errors IO errors SMART events

518 views • 21 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of Michigan (Based on work with Sina Shiehian) 2nd Crypto Innovation School Shanghai, China 15 December 2019 1 / 16 Zero Knowledge

995 views • 95 slides
Treasurers Institute Sun, Nov. 17, 2019 Property Tax Errors Property Tax Errors Property Tax

Treasurers Institute Sun, Nov. 17, 2019 Property Tax Errors Property Tax Errors Property Tax

Treasurers Institute Sun, Nov. 17, 2019 Property Tax Errors Property Tax Errors Property Tax Errors Property Tax Errors Historically, DCCA presented the Tax Levy training. Last Dept of Revenue Property Tax Rate and Levy Manual Dated Dec

960 views • 57 slides
Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A b e 1 LWE (decision version): (A,A s + e ) (A, r ), where A random m n , s uniform, e has small entries from a matrix in A Z q

514 views • 12 slides
ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors

ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors

ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors Strings ex. This is a string Data Structure a particular way of organizing data for computers Dictionary type of data

454 views • 42 slides
Decision Trees Ranking and Unranking Prof. Tesler Math 184A Winter 2017 Prof. Tesler Decision

Decision Trees Ranking and Unranking Prof. Tesler Math 184A Winter 2017 Prof. Tesler Decision

Decision Trees Ranking and Unranking Prof. Tesler Math 184A Winter 2017 Prof. Tesler Decision Trees; Ranking and Unranking Math 184A / Winter 2017 1 / 33 Permutations of [ 3 ] in lexicographic order List the permutations of [ 3 ] in one-line

480 views • 33 slides
2016 New York EB-5 &amp; Investment Immigration Convention (A1)Hot Investor Issues in EB-5

2016 New York EB-5 &amp; Investment Immigration Convention (A1)Hot Investor Issues in EB-5

2016 New York EB-5 &amp; Investment Immigration Convention (A1)Hot Investor Issues in EB-5 Advanced Panel Speakers: Jinhee Wilde Wilde &amp; Associates LLC Mona Shah Mona Shah &amp; Associates Parisa Karaahmet Fragomen Worldwide John

310 views • 3 slides
Tutorial Tutorial A2 is out, its called Inpainting Tutorial Tutorial A2 is out, its called

Tutorial Tutorial A2 is out, its called Inpainting Tutorial Tutorial A2 is out, its called

Tutorial Tutorial A2 is out, its called Inpainting Tutorial Tutorial A2 is out, its called Inpainting Tutorial Tutorial A2 is out, its called Inpainting How do you think this can be done? Due to popular demand, theres no new GUI to

400 views • 25 slides
= a a m ; a m m = 1,2,3 Consider : Is it possible that all three Omegas are EQUAL , i.e.

= a a m ; a m m = 1,2,3 Consider : Is it possible that all three Omegas are EQUAL , i.e.

Smoothly Varying OrthoNormal Triads : Recall that for any smoothly varying unit vector: u = u u with 1 u = u u = u u u u = 0 For a smoothly varying but Rigid-OrthoNormal Basis: a 3 = m a m a m

447 views • 9 slides
Week 06 practice Get familiar with functions and arrays Note: In this practice, you can assume

Week 06 practice Get familiar with functions and arrays Note: In this practice, you can assume

CS31: Introduction to Computer Science I Week 06 practice Get familiar with functions and arrays Note: In this practice, you can assume all the parameters passed into these functions are valid (i.e., size is greater than 0, array is large

426 views • 6 slides
CISC 4090: Theory of Computation Chapter 1 Regular Languages Xiaolan Zhang, adapted from slides

CISC 4090: Theory of Computation Chapter 1 Regular Languages Xiaolan Zhang, adapted from slides

CISC 4090: Theory of Computation Chapter 1 Regular Languages Xiaolan Zhang, adapted from slides by Prof. Werschulz Fordham University Department of Computer and Information Sciences Spring, 2014 Xiaolan Zhang, adapted from slides by Prof.

989 views • 95 slides
C ' AB 6 c i , j ' j p &amp; 1 # # a 1,0 a 1,1 a 1, n &amp; 1 b 1,0 b 1,1 b 1, n &amp; 1 a i , k

C ' AB 6 c i , j ' j p &amp; 1 # # a 1,0 a 1,1 a 1, n &amp; 1 b 1,0 b 1,1 b 1, n &amp; 1 a i , k

# # a 0,0 a 0,1 a 0, n &amp; 1 b 0,0 b 0,1 b 0, n &amp; 1 C ' AB 6 c i , j ' j p &amp; 1 # # a 1,0 a 1,1 a 1, n &amp; 1 b 1,0 b 1,1 b 1, n &amp; 1 a i , k b k , j A ' B ' ! ! &quot; ! ! ! &quot; ! k ' 0 a m &amp; 1,0 a m &amp; 1,1 # a m

344 views • 3 slides
How to Write Fast Numerical Code Spring 2011 Lecture 13 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 13 Instructor: Markus Pschel TA: Georg

How to Write Fast Numerical Code Spring 2011 Lecture 13 Instructor: Markus Pschel TA: Georg Ofenbeck Miscellaneous No class next Monday, April 11 th (Sechseluten) Midterm exam: Friday, April 15 th Today Solving linear systems

526 views • 7 slides

More recommend