fit5124 advanced topics in security lecture 1 lattice
play

FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. - PowerPoint PPT Presentation

Mar 10, 2023 •155 likes •460 views

Introduction FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton School of IT Monash University March 2016 Acknowledgements: Some figures sourced from Oded Regevs Lecture Notes on Lattices in

  1. Introduction FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton School of IT Monash University March 2016 Acknowledgements: Some figures sourced from Oded Regev’s Lecture Notes on ‘Lattices in Computer Science’, Tel Aviv University, Fall 2004, and Vinod Vaikuntanathan’s course on Lattices in Computer Science, MIT. Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 1/29

  2. Introduction First Module In a Nutshell Lattice-Based Cryptography is a cutting-edge cryptographic ‘technology’. Has several interesting properties: Very fast Public-Key Cryptographic Operations (useful for performance-critical applications). Provable Security Guarantees Believed ‘Post Quantum Computer’ Security Allows more powerful cryptographic functionalities (in some cases not previously possible), e.g. Fully Homomorphic Encryption (FHE): communication-efficient privacy-preserving computation protocols (later in unit!) This Lecture: Brief introduction to lattices, hard computational problems, and some related mathematics (more to be introduced gradually in following lectures). Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 2/29

  3. Introduction Lecture Outline Lecture Outline: Motivation and Intro. to Lattice-Based Cryptography Lattice-Based Crypto: Brief History Lattices: Concepts and intro. to the mathematics Lattices: Hard Computational Problems – SVP Random Crypto. Lattices: SIS Problem SIS Application: Collision-Resistant Hash Function Following Lectures: Cryptanalysis: How Secure is lattice-based crypto? How to choose parameters? How to use Lattice-based crypto to build encryption and signature schemes? How to make lattice-based crypto. efficient? Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 3/29

  4. Introduction Motivation: Why study Lattice-Based Crypto? Lattice-Based Cryptography has several interesting properties: Computational Efficiency: High-speed crypto algorithms Novel and Powerful Cryptographic Functionalities (e.g. Fully Homomorphic Encryption – FHE) Strong Provable Security Guarantees Believed Post Quantum Security Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 4/29

  5. Introduction Motivation: Post Quantum World Today: Public-key crypto is essential for secure web transactions. Deployed public-key cryptosystems based on Factorization or Discrete-Logarithm problems. But: Shor (1994) showed Fact/DL solvable efficiently on large scale quantum computer . Quantum computer technology is currently primitive (15 = 3 × 5), but for how long? Lattice-based crypto seems to resist quantum attacks! Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 5/29

  6. Introduction Motivation: Efficiency Popular cryptosystems are relatively inefficient; For security level 2 n : RSA – key length � O ( n 3 ), computation � O ( n 6 ). ECC – key length � O ( n ), computation � O ( n 2 ). Structured (‘Ring based’) Lattices – key length and computation � O ( n ) asymptotically, as n grows towards infinity . In Practice, for typical security parameter n ≈ 100, with best current schemes, typically have: Structured Lattice crypto. Computation ≈ 100 times faster than RSA Structured Lattice crypto. ciphertext/key length ≈ RSA key/ciphertext length Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 6/29

  7. Introduction Motivation: Provable Security Guarantees Brief History of Lattice-Based Crypto 1978: Knapsack public-key cryptosystem (Merkle-Hellman). Trapdoor One-way Function: f ( x 1 , . . . , x n ) = � i ≤ n g i · x i . Public: persumably hard knapsack set ( g 1 , . . . , g n ). Secret Trapdoor: easy knapsack ( g ′ 1 , . . . , g ′ n ), g ′ i > 2 · g ′ i − 1 . Public-Secret Relation: g i = a · g ′ i mod q , i = 1 , . . . , n . 1982: Poly-time secret recovery attack (Shamir). 1980s: for( i = 1 ; i < N ; i + + ) { repair; attack; } Problem with Heuristic Designs: Special random instances – shortcut attacks can exist! Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 7/29

  8. Introduction Motivation: Provable Security Guarantees 1996: One-Way Func./Encryption with worst case to average case security proof (Ajtai/Ajtai-Dwork) – Introduction of SIS problem. Proof that no shortcut attacks exist – any attack implies solving hard worst-case instances of lattice problems! 1996: Efficient ( � O ( n ) time/space) and Practical but heuristic security NTRU encryption (Hoffstein et al) – ideal lattices. 2002: Efficient lattice-based one-way function with security proof – ideal lattices (Micciancio). 2005: Lattice-Based public-key encryption with security proof – Introduction of LWE Problem (Regev). 2005-2015: Many Developments, e.g. Improved Techniques/Proofs (Fourier analysis, Gaussians), Crypto. Hash Functions, Trapdoor signatures, ID-Based Encryption (IBE), Attribute-Based Encryption (ABE), Zero-Knowledge Proofs, Oblivious Transfer, Fully-Homomorphic Encryption (FHE), Cryptographic Multilinear Maps, Program Obfuscation,... Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 8/29

  9. Introduction Lattices: Basic Concepts Point lattices: an area of math. combinining matrix/vector algebra (linear algebra) and integer variables. Both geometry ad algebra play a role. Before we begin: Notations Z : Set of integers, : R : Set of real numbers Z q : Ring of integers modulo q   b 1   b 2   vectors – by default columns: � b =  , with coordinates b i ,   . .  . b n i = 1 , . . . , n . Convert to a row vector using transpose: b T = [ b 1 b 2 · · · b n ]. � Measures of length (aka norm) for vectors: �� n Euclidean norm (aka ‘length’, ‘2-norm’): � � i =1 b 2 b � = i . Infinity norm (aka ‘max’ norm): � � b � ∞ = max i | b i | . Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 9/29

  10. Introduction Lattices: Basic Concepts Definition An n -dimensional (full-rank) lattice L ( B ) is the set of all integer linear combinations of some basis set of linearly independent vectors � b 1 , . . . ,� b n ∈ R n : L ( B ) = { c 1 · � b 1 + c 2 · � b 2 + · · · + c n · � b n : c i ∈ Z , i = 1 , . . . , n } . Call n × n matrix B = ( � b 1 , . . . ,� b n ) a basis for L ( B ). Example in 2 Dimensions ( n = 2) � 1 � � 1 . 2 � � ,� b 1 = b 2 = , 0 1 � − 0 . 6 � � − 0 . 4 � � ,� b ′ b ′ 1 = 2 = 2 3 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 10/29

  11. Introduction Lattices: Basic Concepts Definition An n -dimensional (full-rank) lattice L ( B ) is the set of all integer linear combinations of some basis set of linearly independent vectors � b 1 , . . . ,� b n ∈ R n : L ( B ) = { c 1 · � b 1 + c 2 · � b 2 + · · · + c n · � b n : c i ∈ Z , i = 1 , . . . , n } . Call n × n matrix B = ( � b 1 , . . . ,� b n ) a basis for L ( B ). L is discrete group in R n , under addition. Example in 2 Dimensions ( n = 2) � 1 � 1 . 2 � � � ,� b 1 = b 2 = , 0 1 � − 0 . 6 � � − 0 . 4 � � ,� b ′ b ′ 1 = 2 = 2 3 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 11/29

  12. Introduction Lattices: Basic Concepts Definition For an n -dim. lattice basis B = ( � b 1 , . . . ,� b n ) ∈ R n × n , the fundamental paralellepiped (FP) of B , denoted P ( B ), is the set of all real-valued [0 , 1)-linear combinations of some basis set of linearly independent vectors � b 1 , . . . ,� b n ∈ R n : P ( B ) = { c 1 · � b 1 + c 2 · � b 2 + · · · + c n · � b n : 0 ≤ c i < 1 , i = 1 , . . . , n } . The translated FPs (in grey in example below) tile the whole n -dim. real vector space span ( B ) = R n spanned by B . Example in 2 Dimensions ( n = 2) � 1 � � 2 � Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 12/29 � ,� b = b = .

  13. Introduction Lattices: Basic Concepts There are (infinitely!) many different bases for a lattice. Question: Given a lattice L with basis B , how can we tell if B ′ is another basis for L ? Geometric Ans.: count L points contained in P ( B ′ ) Lemma There is exactly one L point contained in P ( B ′ ) (the � 0 vector) if and only if B ′ is a basis of L. Algebraic Ans.: Look at determinant of the matrix relating B ′ to B Lemma B ′ is a basis of L ( B ) if and only if B ′ = B · U for some n × n integer matrix U with det( U ) = ± 1 (we call such a U a unimodular matrix). Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 13/29

  14. Introduction Lattices: Basic Concepts Multiple Bases / FP Examples in 2 dim. Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 1: Lattice-Based Crypto. I Mar 2016 14/29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton School of IT Monash University March 2016 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 4: Lattice-Based Crypto. IV Mar 2014 1/33 Plan

932 views • 39 slides
FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge Proofs Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 5: Secure

729 views • 26 slides
FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques

FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques

FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware

450 views • 29 slides
FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 7: Hacking Techniques I

1.11k views • 25 slides
FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III Web Browser

2.56k views • 17 slides
Outline Introduction CS 239 Subject of class Advanced Topics in Network Class topics

Outline Introduction CS 239 Subject of class Advanced Topics in Network Class topics

Outline Introduction CS 239 Subject of class Advanced Topics in Network Class topics and organization Security Reading material Class web page Peter Reiher Grading April 3, 2006 Projects Office hours Lecture

442 views • 8 slides
CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits Drive-by malware 3 4 Go Google le patch ches Chrome zero-da day under under active e at attacks 6 Con

920 views • 62 slides
Network provider Security Markus Peuhkuri 2005-04-28 Lecture topics Basics of security

Network provider Security Markus Peuhkuri 2005-04-28 Lecture topics Basics of security

Network provider Security Markus Peuhkuri 2005-04-28 Lecture topics Basics of security Security threats Regulators and ISP security Some headlines Davie-Besse nuclear reactor control network

482 views • 17 slides
Review and Preview Lecture 12 Further Topics in Compilers Advanced Language features

Review and Preview Lecture 12 Further Topics in Compilers Advanced Language features

Review and Preview Lecture 12 Further Topics in Compilers Advanced Language features Object-Oriented Languages objects, classes Functional Languages function closures lazy evaluation advanced type systems

220 views • 18 slides
CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits British Airw rways Hack 2 BA last week admitted that personal and payment card info for 380,000 customers had been swiped from

840 views • 61 slides
Cryptocurrencies Course: EPL682 Advanced Security Topics Instructor: Elias Athanasopoulos

Cryptocurrencies Course: EPL682 Advanced Security Topics Instructor: Elias Athanasopoulos

Cryptocurrencies Course: EPL682 Advanced Security Topics Instructor: Elias Athanasopoulos SoK: Research perspective and challenges for Bitcoin and cryptocurrency Joseph Bonneau , Andrew Miller , Jeremy Clark, Arvind Narayanan

794 views • 43 slides
Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1 CS 236, Spring 2008 Outline Subject of class Class topics and organization Reading material Class web page Grading Projects

838 views • 50 slides
Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone

Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone

Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone users over the years Leading app stores 2019 Smartphones are becoming increasingly ubiquitous With great popularity Comes great

385 views • 37 slides
Introduction to Communications Security Markus Peuhkuri 2005-01-18 Lecture topics How to

Introduction to Communications Security Markus Peuhkuri 2005-01-18 Lecture topics How to

Introduction to Communications Security Markus Peuhkuri 2005-01-18 Lecture topics How to complete course Basic topics on security Risk estimation What should be protected Why

218 views • 9 slides
Lecture: Genetic Basis of Complex Phenotypes 02-715 Advanced Topics in

Lecture: Genetic Basis of Complex Phenotypes 02-715 Advanced Topics in

Lecture: Genetic Basis of Complex Phenotypes 02-715 Advanced Topics in Computa8onal Genomics Genome Polymorphisms A Human TCGAGGTATTAAC Genealogy The ancestral chromosome From SNPS

490 views • 36 slides
Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS

Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS

Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 18 Page 1 CS 236 Online Outline Routing security DNS security Lecture 18 Page 2

556 views • 31 slides
Advanced Programming Introduction Course Description The Goal The Motivation Lectures

Advanced Programming Introduction Course Description The Goal The Motivation Lectures

Advanced Programming Introduction Course Description The Goal The Motivation Lectures and Assignments Programming Platform Resources Evaluation Lab: problems, projects, essays easy Exam: written test hard What

450 views • 30 slides
Combinatorial representations Peter J. Cameron December 2011 Joint work with Max Gadouleau and

Combinatorial representations Peter J. Cameron December 2011 Joint work with Max Gadouleau and

Combinatorial representations Peter J. Cameron December 2011 Joint work with Max Gadouleau and Sren Riis see arXiv 1109.1216 Matroids As we have heard several times in the last week or so, a matroid is a structure for describing the linear

832 views • 67 slides
11. Reference Types int t = x; x = y; y = t; Reference Types: Definition and Initialization,

11. Reference Types int t = x; x = y; y = t; Reference Types: Definition and Initialization,

Swap! // POST: values of x and y have been exchanged void swap(int&amp; x, int&amp; y) { 11. Reference Types int t = x; x = y; y = t; Reference Types: Definition and Initialization, Pass By Value, Pass by } Reference, Temporary Objects,

598 views • 11 slides
11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing system Standardization vs Historical artifacts Constructed Writing Systems Computing and its influence on writing Types of Writing

528 views • 24 slides
-Tamari lattices via subword complexes Cesar Ceballos ( joint with Arnau Padrol and Camilo

-Tamari lattices via subword complexes Cesar Ceballos ( joint with Arnau Padrol and Camilo

-Tamari lattices via subword complexes Cesar Ceballos ( joint with Arnau Padrol and Camilo Sarmiento) The 78th S eminaire Lotharingien de Combinatoire Ottrott, March 28, 2016 In this talk Theorem The -Tamari lattice is the dual of a

622 views • 37 slides
Lazy Evaluation Announcements Promises Delay Creates a Promise From the Revised 5 Report on the

Lazy Evaluation Announcements Promises Delay Creates a Promise From the Revised 5 Report on the

Lazy Evaluation Announcements Promises Delay Creates a Promise From the Revised 5 Report on the Algorithmic Language Scheme ( delay &lt;expression&gt; ) The delay construct is used together with the procedure force to implement lazy evaluation or

531 views • 13 slides
Laziness Advanced functional programming - Lecture 3a Trevor L. McDonell (&amp; Wouter Swierstra)

Laziness Advanced functional programming - Lecture 3a Trevor L. McDonell (&amp; Wouter Swierstra)

Laziness Advanced functional programming - Lecture 3a Trevor L. McDonell (&amp; Wouter Swierstra) 1 Laziness 2 square :: Integer -&gt; Integer square x = x * x square (1 + 2) = -- magic happens in the computer 9 A simple expression How do

559 views • 39 slides
Property Based Testing; Lazy Evaluation Liam OConnor University of Edinburgh LFCS (and UNSW)

Property Based Testing; Lazy Evaluation Liam OConnor University of Edinburgh LFCS (and UNSW)

Property Based Testing Example Coverage Lazy Evaluation Homework Software System Design and Implementation Property Based Testing; Lazy Evaluation Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Property Based

487 views • 25 slides

More recommend