decision reductions
play

Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol - PowerPoint PPT Presentation

Jun 14, 2023 •259 likes •505 views

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors ( LWE ) public: integers n, q secret small error from a known

  1. Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1

  2. Learning With Errors ( LWE ) public: integers n, q secret small error from a known distribution … Goal: Find s noise random secret A A S = b e + m (mod q) , n small error vector 2 2

  3. LWE Background • Introduced by Regev [R05] • q = 2, Bernoulli noise -> Learning Parity with Noise (LPN) • Extremely successful in Cryptography • IND-CPA Public Key Encryption [Regev05] • Injective Trapdoor Functions/ IND-CCA encryption [PW08] • Strongly Unforgeable Signatures [GPV08, CHKP10] • (Hierarchical) Identity Based Encryption [GPV08, CHKP10, ABB10] • Circular- Secure Encryption [ACPS09] • Leakage-Resilient Cryptography [AGV09, DGK+10, GKPV10] • (Fully) Homomorphic Encryption [GHV10, BV11b] 3

  4. LWE: Search & Decision n: size of the secret, m: #samples Public parameters q: modulus, :error distribution Find (Search) Given: Goal : find s (or e ) Distinguish (Decision) Given: Goal : decide if or 4

  5. Search-to-Decision reductions (S-to-D) Why do we care? decision search problems problems - all LWE-based constructions - their hardness is better rely on decisional LWE understood - strong indistinguishability flavor of security definitions 5

  6. Search-to-Decision reductions (S-to-D) Why do we care? decision search problems problems - all LWE-based constructions - their hardness is better rely on decisional LWE understood - strong indistinguishability flavor of security definitions  S-to-D reductions: “ Primitive Π is ABC-Secure assuming search problem P is hard ” 6

  7. Our results • Toolset for studying Search-to-Decision reductions for LWE with polynomially bounded noise . - Subsume and extend previously known ones - Reductions are in addition sample-preserving • Powerful and usable criteria to establish Search-to- Decision equivalence for general classes of knapsack functions • Use known techniques from Fourier analysis in a new context. Ideas potentially useful elsewhere 7

  8. Our results • Toolset for studying Search-to-Decision reductions for LWE with polynomially bounded noise . - Subsume and extend previously known ones - Reductions are in addition sample-preserving • Powerful and usable criteria to establish Search-to- Decision equivalence for general classes of knapsack functions • Use known techniques from Fourier analysis in a new context. Ideas potentially useful elsewhere 8

  9. Bounded knapsack functions over groups Parameters - integer m - finite abelian group G - set S = {0,…, s - 1} of integers, s: poly(m) (Random) Knapsack family Sampling where Evaluation Example (random) modular subset sum: 9

  10. Knapsack functions: Computational problems distribution over public invert Input: (search) Goal: Find x Input: Samples from either: Distinguish (decision) Goal: Label the samples Notation: family of knapsacks over G with distribution Glossary: If decision problem is hard, function is pseudorandom (PRG) If search problem is hard, function is One-Way 10

  11. Search-to-Decision: Known results Decision as hard as search when… [Impagliazzo, Naor 89] : (random) modular subset sum , cyclic group uniform over [Fischer, Stern 96]: syndrome decoding , vector group uniform over all m-bit vectors with Hamming weight w. 11

  12. Our contribution : S-to-D for general knapsack : knapsack family with range G and input s: poly(m) distribution over + One-Way PRG PRG 12

  13. Our contribution: S-to-D for general knapsack : knapsack family with range G and input s: poly(m) distribution over Main Theorem + PRG One-Way PRG 13

  14. Our contribution: S-to-D for general knapsack Main Theorem + PRG One-Way PRG ✔ PRG Much less restrictive than it seems In most interesting cases holds in a strong information theoretic sense 14

  15. S-to-D for general knapsack: Examples Subsumes One-Way PRG [IN89,FS96] and more Any group G and any distribution over Any group G with prime exponent and any distribution And many more… using known information theoretical tools (LHL, entropy bounds etc) 15

  16. Proof Sketch Inverter Distinguisher Input: Input: g , g . x Goal: Distinguish Goal: Find x Reminder 16

  17. Proof Sketch step 1 step 2 Inverter Predictor Distinguisher <= <= Input: Input: g , g . x Input: g , g . x , r Goal: Distinguish Goal: find x . r (mod t) Goal: Find x Proof follows outline of [IN89] Step 1 : Goldreich – Levin replaced by general conditions for inverting given noisy predictions for x . r (mod t) for possibly composite t -Tool: learning heavy Fourier coefficients of general functions [AGS03] Step 2 : Given a distinguisher, we get a predictor satisfying general conditions of step 1. Proof significantly more involved than [IN89] 17

  18. Our results • Toolset for studying Search-to-Decision reductions for LWE with polynomially bounded noise . - Subsume and extend previously known ones - Reductions are in addition sample-preserving • Powerful and usable criteria to establish Search-to- Decision equivalence for general classes of knapsack functions • Use known techniques from Fourier analysis in a new context. Ideas potentially useful elsewhere 18

  19. What about LWE? m A , A s + g 1 g 2 …g m g 1 g 2 …g m , e e G n G is the parity check matrix for the code generated by A Error e from LWE  unknown input of the knapsack If A is “ random ”, G is also “ random ” 19

  20. What about LWE? A , A s + g 1 g 2 …g m g 1 g 2 …g m , e e G The transformation works in the other direction as well Putting all the pieces together… Search Search Decision Decision ( A , As + e ) <= ( G , Ge ) <= ( G ’ , G ’ e ) <= ( A’ , A’s’ + e ) S-to-D for knapsack 20

  21. LWE Implications LWE reductions follow from knapsacks reductions over All known Search-to-Decision results for LWE/LPN with bounded error [BFKL93, R05, ACPS09, KSS10] follow as a direct corollary Search-to-Decision for new instantiations of LWE 21

  22. LWE: Sample Preserving S-to-D Previous reductions poly(m) A <= decision m A ’ b ’ b , search , Ours: sample-preserving If we can solve decision LWE given m samples, we can solve search LWE given m samples Caveat: Inverting probability goes down (seems unavoidable) 22

  23. Why care about #samples?  LWE-based schemes often expose a certain number of samples, say m  With sample-preserving S-to-D we can base their security on the hardness of search LWE with m samples  Concrete algorithmic attacks against LWE [MR09, AG11] are sensitive to the number of exposed samples • for some parameters, LWE is completely broken by [AG11] if number of given samples above a certain threshold 23

  24. Open problems Sample preserving reductions for 1. LWE with unbounded noise - used in various settings [Pei09, GKPV10, BV11b, BPR11] - some reductions known [Pei09] but not sample-preserving 2. ring LWE - Samples (a, a*s+e) where a, s, e drawn from R =Z q [x]/<f(x)> - non sample-preserving reductions known [LPR10] 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 4: NP and beyond Arijit Bishnu 04.02.2010 Reductions and NP -completeness Decision

Lecture 4: NP and beyond Arijit Bishnu 04.02.2010 Reductions and NP -completeness Decision

Reductions and NP -completeness Decision versus Search Another Class: coNP The Classes EXP and NEXP Lecture 4: NP and beyond Arijit Bishnu 04.02.2010 Reductions and NP -completeness Decision versus Search Another Class: coNP The Classes EXP

645 views • 60 slides
Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal

Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal

Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal explanation of reductions: We have two problems, X and Y. Suppose we have a black-box solving problem X in polynomial-time. Can we use the black-box

1.38k views • 32 slides
Reductions So far, two reductions that preserve the CS 611 meaning of a lambda calculus

Reductions So far, two reductions that preserve the CS 611 meaning of a lambda calculus

Reductions So far, two reductions that preserve the CS 611 meaning of a lambda calculus Advanced Programming Languages expression: Andrew Myers ( x e ) ( x e { x / x }) (if x FV e ) Cornell University

358 views • 3 slides
CS 301 Lecture 20 Reductions Stephen Checkoway April 9, 2018 1 / 17 Reductions Reductions

CS 301 Lecture 20 Reductions Stephen Checkoway April 9, 2018 1 / 17 Reductions Reductions

CS 301 Lecture 20 Reductions Stephen Checkoway April 9, 2018 1 / 17 Reductions Reductions are a way of saying, If problem B can be solved, then problem A can as well 2 / 17 Reductions Reductions are a way of saying, If problem B

640 views • 28 slides
Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions

Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions

Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions Continued 2.1.1 The Satisfiability Problem (SAT) 2.1.1.1 Propositional Formulas Definition 2.1.1. Consider a set of boolean variables x 1 , x 2 , . . .

355 views • 12 slides
Budget Proposal Personnel/BOCES Personnel Reductions Personnel Reductions Assistant

Budget Proposal Personnel/BOCES Personnel Reductions Personnel Reductions Assistant

2020-2021 Staffing and Budget Proposal Personnel/BOCES Personnel Reductions Personnel Reductions Assistant Superintendent for School Administration Supervisor of Special Programs HS English positions due to retirement BOCES

595 views • 13 slides
Recommended Round 2 March Budget Reductions GENERAL FUND SUMMARY TOTAL REDUCTIONS ROUNDS

Recommended Round 2 March Budget Reductions GENERAL FUND SUMMARY TOTAL REDUCTIONS ROUNDS

ATTACHMENT A FY 2013-14 Already Approved Round 1 VSIP and Recommended Round 2 March Budget Reductions GENERAL FUND SUMMARY TOTAL REDUCTIONS ROUNDS 1-2: Recommended Reductions in NCC: ($4,262,491) Total Personnel Materials

373 views • 6 slides
Successful Emission Reductions in Yard Locomotives Yard Emissions Reductions Repower Slug

Successful Emission Reductions in Yard Locomotives Yard Emissions Reductions Repower Slug

Successful Emission Reductions in Yard Locomotives Yard Emissions Reductions Repower Slug Locomotives Shore Power Norfolk Southern Repower Successes Georgia (GA EPD/GDOT Grant) Atlanta - 10 GP33ECO Mother and Slug

485 views • 21 slides
Dj Q All Over Again: Tighter and Broader Reductions of q -Type Assumptions Melissa Chase -

Dj Q All Over Again: Tighter and Broader Reductions of q -Type Assumptions Melissa Chase -

Asiacrypt 2016, Hanoi Bilinear Groups and Assumptions Reductions Symmetric Schemes Conclusions Dj Q All Over Again: Tighter and Broader Reductions of q -Type Assumptions Melissa Chase - MSR Redmond Mary Maller - University College London

662 views • 51 slides
S C DECISION E N C E decision science SDS CMU What is Decision Science? Behavioral

S C DECISION E N C E decision science SDS CMU What is Decision Science? Behavioral

S C DECISION E N C E decision science SDS CMU What is Decision Science? Behavioral and analytical approaches to understanding decision making Understand and improve human decision making Based in Psychology + integrates

571 views • 10 slides
A proposal for User-Defined Reductions in OpenMP A. Duran 1 , R. Ferrer 1 , M. Klemm 2 , B. de

A proposal for User-Defined Reductions in OpenMP A. Duran 1 , R. Ferrer 1 , M. Klemm 2 , B. de

A proposal for User-Defined Reductions in OpenMP A. Duran 1 , R. Ferrer 1 , M. Klemm 2 , B. de Supinski 3 , E. Ayguad 1 1 BSC, 2 Intel, 3 LLNL June 16th 2010 Outline Motivation 1 UDR Design rationale 2 Declaring UDRs 3 Array reductions 4

532 views • 36 slides
Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible MSE 2400 EaLiCaRA consequences, including chance event Dr. Tom Way outcomes, resource costs, and

568 views • 8 slides
Near-Term and Long-Term Emissions Reductions: Technology, Coverage, and Costs Panel II

Near-Term and Long-Term Emissions Reductions: Technology, Coverage, and Costs Panel II

Congressional Budget Office Near-Term and Long-Term Emissions Reductions: Technology, Coverage, and Costs Panel II Directors Conference on Climate Change November 16, 2007 U.S. Greenhouse Gas Emissions Reductions in 2030 (Not including

286 views • 10 slides
GHG reductions potentials and GHG reductions potentials and mitigation costs in world regions

GHG reductions potentials and GHG reductions potentials and mitigation costs in world regions

The 13th AIM International Workshop The 13th AIM International Workshop 16- 16 -18, February 200 18, February 2007 7 NIES, Tsukuba, Japan NIES, Tsukuba, Japan GHG reductions potentials and GHG reductions potentials and mitigation costs in

297 views • 19 slides
1 Baysian networks for decision analysis The TV show problem as a BN Problems More than

1 Baysian networks for decision analysis The TV show problem as a BN Problems More than

Several names Decision graphs Decision trees Influence diagrams Decision graphs I A certain kind of strictly symmetric decision trees Decisions and utilities No forgetting assumption LIMIDs Limited Memory

596 views • 6 slides
1 Baysian networks for decision analysis The TV show problem as a BN Problems Choice 1

1 Baysian networks for decision analysis The TV show problem as a BN Problems Choice 1

Several names Decision graphs Decision trees Influence diagrams Decision graphs I A certain kind of strictly symmetric decision trees Decisions and utilities No forgetting assumption LIMIDs Limited Memory

185 views • 6 slides
Chapter 7 Inferences Based on a Single Sample: Estimation with Confidence Intervals

Chapter 7 Inferences Based on a Single Sample: Estimation with Confidence Intervals

Chapter 7 Inferences Based on a Single Sample: Estimation with Confidence Intervals Large-Sample Confidence Interval for a Population Mean How to estimate the population mean and assess the estimates reliability? is an estimate of

465 views • 24 slides
Monte Carlo Methods Lecture slides for Chapter 17 of Deep Learning www.deeplearningbook.org Ian

Monte Carlo Methods Lecture slides for Chapter 17 of Deep Learning www.deeplearningbook.org Ian

Monte Carlo Methods Lecture slides for Chapter 17 of Deep Learning www.deeplearningbook.org Ian Goodfellow Last updated 2017-12-29 Roadmap Basics of Monte Carlo methods Importance Sampling Markov Chains (Goodfellow 2017) Randomized

480 views • 21 slides
Reducing Sampling Error in the Monte Carlo Policy Gradient Estimator Josiah Hanna and Peter Stone

Reducing Sampling Error in the Monte Carlo Policy Gradient Estimator Josiah Hanna and Peter Stone

Reducing Sampling Error in the Monte Carlo Policy Gradient Estimator Josiah Hanna and Peter Stone Department of Computer Science The University of Texas at Austin 50 millions 21 days, millions actions taken of games 1.5 years of compute

513 views • 19 slides
15-780 Graduate Artificial Intelligence: Probabilistic inference J. Zico Kolter (this

15-780 Graduate Artificial Intelligence: Probabilistic inference J. Zico Kolter (this

15-780 Graduate Artificial Intelligence: Probabilistic inference J. Zico Kolter (this lecture) and Nihar Shah Carnegie Mellon University Spring 2020 1 Outline Probabilistic graphical models Probabilistic inference Exact inference

665 views • 39 slides
Meet Our Panelists Stanley &quot;Skip&quot; Pruss Dr. Edward E. Timm, PhD, PE Former Dir. of MI

Meet Our Panelists Stanley &quot;Skip&quot; Pruss Dr. Edward E. Timm, PhD, PE Former Dir. of MI

2020 Securing a Brighter Future without Line 5 or an Oil Tunnel Meet Our Panelists Stanley &quot;Skip&quot; Pruss Dr. Edward E. Timm, PhD, PE Former Dir. of MI Dept. of Retired as Senior Scientist, Energy, Labor, and Dow Chemical Company

687 views • 33 slides
HYTHE TOWN CENTRE FLOODING And prevention 20.05.19 15 slides 3.41 3.26 The Promenade 2.37

HYTHE TOWN CENTRE FLOODING And prevention 20.05.19 15 slides 3.41 3.26 The Promenade 2.37

HYTHE TOWN CENTRE FLOODING And prevention 20.05.19 15 slides 3.41 3.26 The Promenade 2.37 2.77 2.67 3.03 2.72 2.72 Post Office No.16 2.55 Philpotts 3.16 Prospect Place 2.94 2.40 2.65 No. 17 2.94 No.21A 2.68 Ferrymans

332 views • 15 slides
twelve moments and shear typically statically indeterminate types rigid frames:

twelve moments and shear typically statically indeterminate types rigid frames:

A RCHITECTURAL S TRUCTURES : Rigid Frames F ORM, B EHAVIOR, AND D ESIGN ARCH 331 rigid frames have no D R. A NNE N ICHOLS pins S PRING 2018 frame is all one body lecture joints transfer twelve moments and shear typically

546 views • 9 slides
eleven rigid frames: compression &amp; buckling Rigid Frames 1 Elements of Architectural

eleven rigid frames: compression &amp; buckling Rigid Frames 1 Elements of Architectural

E LEMENTS OF A RCHITECTURAL S TRUCTURES : F ORM, B EHAVIOR, AND D ESIGN ARCH 614 D R. A NNE N ICHOLS S PRING 2019 lecture eleven rigid frames: compression &amp; buckling Rigid Frames 1 Elements of Architectural Structures S2019abn http://

556 views • 31 slides

More recommend