how not to instantiate ring lwe chris peikert
play

How (Not) to Instantiate Ring-LWE Chris Peikert University of - PowerPoint PPT Presentation

Aug 26, 2022 •205 likes •861 views

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography for Networks 1 September 2016 1 / 12 Conclusions 2 / 12 Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error

  1. How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography for Networks 1 September 2016 1 / 12

  2. Conclusions 2 / 12

  3. Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error distributions that are incongruous to the ring geometry. This explains their vulnerability to attacks. 2 / 12

  4. Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error distributions that are incongruous to the ring geometry. This explains their vulnerability to attacks. 2 ‘Peculiar’ aspects of the Ring-LWE definition and worst-case hardness theorems—adopted for generality and tightness—also yield provable immunity to the attacks (and generalizations). 2 / 12

  5. Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error distributions that are incongruous to the ring geometry. This explains their vulnerability to attacks. 2 ‘Peculiar’ aspects of the Ring-LWE definition and worst-case hardness theorems—adopted for generality and tightness—also yield provable immunity to the attacks (and generalizations). 3 For Ring-LWE security, proper choice of error distribution is essential: error should be ‘well spread’ relative to the ring and its small-norm ideals. 2 / 12

  6. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) 3 / 12

  7. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 ≈ � a 1 , s � mod q q a 2 ← Z n , b 2 ≈ � a 2 , s � mod q q . . . 3 / 12

  8. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q 3 / 12

  9. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) 3 / 12

  10. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Versatile and Hard (. . . maybe even for quantum!) worst case ≤ search-LWE ≤ decision-LWE ≤ much crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] 3 / 12

  11. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Versatile and Hard (. . . maybe even for quantum!) worst case ≤ search-LWE ≤ decision-LWE ≤ much crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] ◮ Also a classical reduction for search-LWE [P’09,BLPRS’13] 3 / 12

  12. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is (sort of) Efficient ◮ Getting one pseudorandom Z q -scalar requires an n -dim inner product. 3 / 12

  13. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is (sort of) Efficient ◮ Getting one pseudorandom Z q -scalar requires an n -dim inner product. ◮ Cryptosystems have large keys: Ω( n 2 log 2 q ) bits. 3 / 12

  14. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q = poly ( n ) (usually) ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is (sort of) Efficient ◮ Getting one pseudorandom Z q -scalar requires an n -dim inner product. ◮ Cryptosystems have large keys: Ω( n 2 log 2 q ) bits. ◮ Inspired by NTRU [HPS’96] , for efficiency we go to the ring setting. . . 3 / 12

  15. Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) 4 / 12

  16. Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) 4 / 12

  17. Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) 4 / 12

  18. Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R q , given independent samples a 1 ← R q , b 1 = a 1 · s + e 1 ∈ R q a 2 ← R q , b 2 = a 2 · s + e 2 ∈ R q ( e i ← χ ) . . . 4 / 12

  19. Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R q , given independent samples a 1 ← R q , b 1 = a 1 · s + e 1 ∈ R q a 2 ← R q , b 2 = a 2 · s + e 2 ∈ R q ( e i ← χ ) . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R q 4 / 12

  20. Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R ∨ (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R ∨ q , given independent samples b 1 = a 1 · s + e 1 ∈ R ∨ a 1 ← R q , q b 2 = a 2 · s + e 2 ∈ R ∨ a 2 ← R q , ( e i ← χ ) q . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R ∨ q !!! [LPR’10] actually defines R -LWE using ‘dual’ ideal R ∨ = t − 1 R . 4 / 12

  21. Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R ∨ (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R ∨ q , given independent samples b 1 = a 1 · s + e 1 ∈ R ∨ a 1 ← R q , q b 2 = a 2 · s + e 2 ∈ R ∨ a 2 ← R q , ( e i ← χ ) q . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R ∨ q !!! [LPR’10] actually defines R -LWE using ‘dual’ ideal R ∨ = t − 1 R . ‘(Non-)Dual’ forms are equivalent up to χ , via a ‘tweak:’ [AP’13] 4 / 12

  22. Learning With Errors over Rings (Ring-LWE) [LPR’10] ◮ Ring R , often R = Z [ X ] / ( f ( X )) for irred. f of degree n (or R = O K ) ◮ Error distribution χ over R ∨ (usually Gaussian in ‘canonical’ geometry) ◮ Modulus q ≥ 2 defining R q := R/qR = Z q [ X ] / ( f ( X )) Search : find secret ring element s ∈ R ∨ q , given independent samples b 1 = a 1 · s + e 1 ∈ R ∨ a 1 ← R q , q b 2 = a 2 · s + e 2 ∈ R ∨ a 2 ← R q , ( e i ← χ ) q . . . Decision : distinguish ( a i , b i ) from uniform ( a i , b i ) ∈ R q × R ∨ q !!! [LPR’10] actually defines R -LWE using ‘dual’ ideal R ∨ = t − 1 R . ‘(Non-)Dual’ forms are equivalent up to χ , via a ‘tweak:’ [AP’13] b ↔ t · b induces s ↔ t · s, e ↔ t · e. Tweak may dramatically change width and shape of χ ! 4 / 12

  23. Ring-LWE Instantiations, Hard and Easy ◮ ‘Dual’ R -LWE with wide enough (near-)spherical error is hard: worst-case approx-SVP ≤ search R -LWE ≤ decision R -LWE on ideal lattices in R (quantum, (classical, any R = O K ) any Galois R ) 5 / 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

1.08k views • 82 slides
Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech

Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech

Ring Switching and Bootstrapping FHE Chris Peikert School of Computer Science Georgia Tech Oberwolfach Crypto Workshop 29 July 2014 1 / 22 Agenda 1 A homomorphic encryption tool: ring switching 2 An application: (practical!) bootstrapping

1.11k views • 98 slides
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions Selected bibliography: LPR10 V.

810 views • 77 slides
A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography Vadim

814 views • 70 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1 / 13 Agenda 1 Polynomial rings, ideal lattices and Ring-LWE 2 Basic Ring-LWE encryption 3 Fully homomorphic encryption Selected bibliography:

840 views • 64 slides
Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC 2019 1 / 13 Algebraic Learning With Errors A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE,

954 views • 57 slides
The Geometry of Rings Chris Peikert Georgia Institute of Technology ECRYPT II Summer School on

The Geometry of Rings Chris Peikert Georgia Institute of Technology ECRYPT II Summer School on

The Geometry of Rings Chris Peikert Georgia Institute of Technology ECRYPT II Summer School on Lattices Porto, Portugal 2 Oct 2012 1 / 13 LWE Over Rings (Over-Simplified) [LPR10] Ring R := Z [ X ] / (1 + X n ) for some n = 2 k , R q :=

1.31k views • 79 slides
HOMOMORPHIC ENCRYPTION Craig Gentry Shai Halevi Chris Peikert Nigel P. Smart HE Over

HOMOMORPHIC ENCRYPTION Craig Gentry Shai Halevi Chris Peikert Nigel P. Smart HE Over

FIELD-SWITCHING IN HOMOMORPHIC ENCRYPTION Craig Gentry Shai Halevi Chris Peikert Nigel P. Smart HE Over Cyclotomic Rings Denote the field = ( ) /( ) Its ring of integers is =

614 views • 37 slides
Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

1.61k views • 85 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of Michigan (Based on work with Sina Shiehian) 2nd Crypto Innovation School Shanghai, China 15 December 2019 1 / 16 Zero Knowledge

995 views • 95 slides
SPRING Fast Pseudorandom Functions from Rounded Ring Products G. Leurent () . . . . . . . . . .

SPRING Fast Pseudorandom Functions from Rounded Ring Products G. Leurent () . . . . . . . . . .

1 / 16 SPRING FSE 2014 Tweaks SPRING Implementation SPRING Fast Pseudorandom Functions from Rounded Ring Products G. Leurent () . . . . . . . . . . . . . . . Abhishek Banerjee 1 Hai Brenner 2 Gatan Leurent 3 Chris Peikert 1 Alon Rosen 2

568 views • 29 slides
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline Introduction 1 Construction, Parameters and Efficiency 2 Proof of Security

886 views • 47 slides
On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory of Cryptography Conference 5 March 2006 Chris Peikert (MIT) On Error Correction in the Exponent TCC 2006 1 / 9 Error Correction (in the

1.04k views • 58 slides
New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13 Zero-Knowledge Proofs [GoldwasserMicaliRackoff85] A protocol allowing an unbounded Prover P to convince a skeptical,

960 views • 68 slides
Measuring families of curves by approximation modulus Jan MAL Y a joint work with Olli Martio

Measuring families of curves by approximation modulus Jan MAL Y a joint work with Olli Martio

Measuring families of curves by approximation modulus Jan MAL Y a joint work with Olli Martio and Vendula Honzlov a Exnerov a Faculty of Mathematics and Physics, Charles University, Prague Geometric Measure Theory Mathematics

850 views • 50 slides
Axial Gaps in HQ 05/16/2011 Collaboration Meeting 16, Montauk - NY May 16 th to 18 th 2011 B.

Axial Gaps in HQ 05/16/2011 Collaboration Meeting 16, Montauk - NY May 16 th to 18 th 2011 B.

Axial Gaps in HQ 05/16/2011 Collaboration Meeting 16, Montauk - NY May 16 th to 18 th 2011 B. Collins - H. Felice J. Krishnan D. Dietderich Parameters affecting the gap sizes Winding tension relaxation winding tension Young

171 views • 6 slides
Modular Arithmetic Addition and Subtraction Modulus 9 0 mod 9 = 0 9 mod 9 = 0 1 mod 9 = 1 10

Modular Arithmetic Addition and Subtraction Modulus 9 0 mod 9 = 0 9 mod 9 = 0 1 mod 9 = 1 10

Modular Arithmetic Addition and Subtraction Modulus 9 0 mod 9 = 0 9 mod 9 = 0 1 mod 9 = 1 10 mod 9 = 1 0 2 mod 9 = 2 11 mod 9 = 2 8 1 3 mod 9 = 3 12 mod 9 = 3 7 2 4 mod 9 = 4 13 mod 9 = 4 5 mod 9 = 5 14 mod 9 = 5 6 3 6 mod 9 =

212 views • 8 slides
DTTF/NB479: Dszquphsbqiz Day 8 Announcements: Please use pencil on quizzes if possible

DTTF/NB479: Dszquphsbqiz Day 8 Announcements: Please use pencil on quizzes if possible

DTTF/NB479: Dszquphsbqiz Day 8 Announcements: Please use pencil on quizzes if possible Questions? Today: Congruences Chinese Remainder Theorem Modular Exponents Hill Cipher implementation Encryption Easy to do in MATLAB.

466 views • 14 slides
Primes in arithmetic progressions to large moduli James Maynard University of Oxford Second

Primes in arithmetic progressions to large moduli James Maynard University of Oxford Second

Primes in arithmetic progressions to large moduli James Maynard University of Oxford Second Symposium in Analytic Number Theory, Cetraro July 2019 James Maynard Primes in arithmetic progressions to large moduli Introduction How many primes

734 views • 34 slides
Verilog HDL:Digital Design and Modeling Chapter 4 Expressions Chapter 4 Expressions

Verilog HDL:Digital Design and Modeling Chapter 4 Expressions Chapter 4 Expressions

Chapter 4 Expressions 1 Verilog HDL:Digital Design and Modeling Chapter 4 Expressions Chapter 4 Expressions 2 Page 120 //example of using a parameter module param1 (a, b, cin, sum); parameter width = 8; input [width-1:0] a, b;

393 views • 25 slides
Connectedness properties of the set where the iterates of an entire function are unbounded John

Connectedness properties of the set where the iterates of an entire function are unbounded John

Connectedness properties of the set where the iterates of an entire function are unbounded John Osborne (joint work with Phil Rippon and Gwyneth Stallard) Postgraduate Conference in Complex Dynamics 11 - 13 March 2015 The set of points whose

507 views • 38 slides
Protons aft fter bombarding the target at MOMENT NuFact2015 Rio de Janeiro iro, , Brazi zil

Protons aft fter bombarding the target at MOMENT NuFact2015 Rio de Janeiro iro, , Brazi zil

Protons aft fter bombarding the target at MOMENT NuFact2015 Rio de Janeiro iro, , Brazi zil th - 15 th Aug 2015 10 10 th 15 th Cai MENG Institute of High Energy Physics, CAS, Beijing Outline 1 Introduction and Motivation 2 Methods

213 views • 19 slides

More recommend