how to share a lattice trapdoor
play

How to Share a Lattice Trapdoor: Threshold Protocols for Signatures - PowerPoint PPT Presentation

Feb 22, 2024 •269 likes •678 views

How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara Krehbiel , Chris Peikert Georgia Institute of Technology June 26, 2013 ACNS 2013, Banff, Alberta, Canada 1/11 Threshold Cryptography Setting: A

  1. How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara Krehbiel , Chris Peikert Georgia Institute of Technology June 26, 2013 ACNS 2013, Banff, Alberta, Canada 1/11

  2. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. ACNS 2013, Banff, Alberta, Canada 2/11

  3. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. Digital signature scheme: ◮ KeyGen �→ sk to a privileged party, publish vk ◮ Sign ( µ, sk ) �→ σ ◮ Verify ( µ, σ, vk ) �→ accept or reject Properties: ⋆ Correctness: Verify accepts ( µ, σ ) from Sign. ⋆ Unforgeability: infeasible to sign µ without sk . ACNS 2013, Banff, Alberta, Canada 2/11

  4. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. Threshold signatures: ◮ KeyGen �→ � sk � i to each party i , publish vk � s � i is i ’s share of secret s ◮ Sign ( µ, � sk � i from ≥ h honest parties ) �→ σ (e.g. [Shamir’79]) ◮ Verify ( µ, σ, vk ) �→ accept or reject Properties: ⋆ Correctness: Verify accepts ( µ, σ ) from Sign. ⋆ Unforgeability: infeasible to sign µ without sk . ACNS 2013, Banff, Alberta, Canada 2/11

  5. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. Threshold signatures: ◮ KeyGen �→ � sk � i to each party i , publish vk � s � i is i ’s share of secret s ◮ Sign ( µ, � sk � i from ≥ h honest parties ) �→ σ (e.g. [Shamir’79]) ◮ Verify ( µ, σ, vk ) �→ accept or reject Properties: ⋆ Correctness: Verify accepts ( µ, σ ) from Sign. ⋆ Unforgeability: infeasible to sign µ with ≤ t shares of sk . ACNS 2013, Banff, Alberta, Canada 2/11

  6. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. Threshold signatures: ◮ KeyGen �→ � sk � i to each party i , publish vk � s � i is i ’s share of secret s ◮ Sign ( µ, � sk � i from ≥ h honest parties ) �→ σ (e.g. [Shamir’79]) ◮ Verify ( µ, σ, vk ) �→ accept or reject Properties: ⋆ Correctness: Verify accepts ( µ, σ ) from Sign. ⋆ Unforgeability: infeasible to sign µ with ≤ t shares of sk . ⋆ Threshold efficiency: • Verify runtime and vk size independent of ℓ • Efficient and minimally interactive Sign (not general MPC!) ACNS 2013, Banff, Alberta, Canada 2/11

  7. Threshold Versions of Classical Cryptoschemes ◮ Variants of ElGamal ◮ Canetti-Goldwasser ’98 version of Cramer-Shoup ’98 ◮ Shoup ’00 version of RSA ACNS 2013, Banff, Alberta, Canada 3/11

  8. Threshold Versions of Classical Cryptoschemes ◮ Variants of ElGamal ◮ Canetti-Goldwasser ’98 version of Cramer-Shoup ’98 ◮ Shoup ’00 version of RSA ◮ All broken by the quantum algorithm of Shor ’97. ACNS 2013, Banff, Alberta, Canada 3/11

  9. Threshold Versions of Classical Cryptoschemes ◮ Variants of ElGamal ◮ Canetti-Goldwasser ’98 version of Cramer-Shoup ’98 ◮ Shoup ’00 version of RSA ◮ All broken by the quantum algorithm of Shor ’97. ◮ Lattices for the post-quantum world... (Image courtesy wikipedia.org) ACNS 2013, Banff, Alberta, Canada 3/11

  10. The GPV Schemes [GentryPeikertVaikuntanathan’08] GPV Signatures: ◮ KeyGen (1 n ) : ⋆ sk = R , vk = unif A ∈ Z n × m with trapdoor R . q ACNS 2013, Banff, Alberta, Canada 4/11

  11. The GPV Schemes [GentryPeikertVaikuntanathan’08] GPV Signatures: ◮ KeyGen (1 n ) : ⋆ sk = R , vk = unif A ∈ Z n × m with trapdoor R . q ◮ Sign ( sk, µ ) : ⋆ Sample x ∈ Z m q : Ax = H ( µ ) ∈ Z n q . (Image courtesy cryptoexperts.com/tlepoint) ACNS 2013, Banff, Alberta, Canada 4/11

  12. The GPV Schemes [GentryPeikertVaikuntanathan’08] GPV Signatures: ◮ KeyGen (1 n ) : ⋆ sk = R , vk = unif A ∈ Z n × m with trapdoor R . q ◮ Sign ( sk, µ ) : ⋆ Sample x ∈ Z m q : Ax = H ( µ ) ∈ Z n q . ◮ Verify ( vk, µ, x ) : ⋆ Accept iff x is short and Ax = H ( µ ) . (Image courtesy cryptoexperts.com/tlepoint) ACNS 2013, Banff, Alberta, Canada 4/11

  13. The GPV Schemes [GentryPeikertVaikuntanathan’08] GPV Signatures: ◮ KeyGen (1 n ) : ⋆ sk = R , vk = unif A ∈ Z n × m with trapdoor R . q ◮ Sign ( sk, µ ) : ⋆ Sample x ∈ Z m q : Ax = H ( µ ) ∈ Z n q . ◮ Verify ( vk, µ, x ) : ⋆ Accept iff x is short and Ax = H ( µ ) . IBE using sampling for key extraction [GPV’08] HIBE using trapdoor delegation [CHKP’10] ABE, group signatures, . . . [AFV’11, GKV’10] (Image courtesy cryptoexperts.com/tlepoint) ACNS 2013, Banff, Alberta, Canada 4/11

  14. Threshold Lattice-Based Schemes Challenges: ◮ Complex early KeyGen algorithms [Ajtai’99, AlwenPeikert’09] ◮ GPV sampling involves adaptive iterations ACNS 2013, Banff, Alberta, Canada 5/11

  15. Threshold Lattice-Based Schemes Challenges: ◮ Complex early KeyGen algorithms [Ajtai’99, AlwenPeikert’09] ◮ GPV sampling involves adaptive iterations Prior work: ◮ Encryption [BD’10, MSs’11, XXZ’11] ◮ Signatures [CLRS’10, FGM’10] ACNS 2013, Banff, Alberta, Canada 5/11

  16. Contribution Threshold Protocols: trapdoor generation, discrete Gaussian sampling, and trapdoor delegation = ⇒ lattice-based threshold signatures and (H)IBE Properties: ◮ Information-theoretic security ◮ Optimal thresholds ◮ Efficiency/security params independent of # parties ◮ Inefficiency/interactivity limited to offline phase ⋆ Offline phase: computation at keygen time ⋆ Online phase: computation once syndrome is known ACNS 2013, Banff, Alberta, Canada 6/11

  17. New Lattice Trapdoors [MicciancioPeikert’12] ◮ Trapdoor can be a short basis [GGH’97, GPV’08] ◮ Improved efficiency with trapdoor based on public gadget G [MP’12] ACNS 2013, Banff, Alberta, Canada 7/11

  18. New Lattice Trapdoors [MicciancioPeikert’12] ◮ Trapdoor can be a short basis [GGH’97, GPV’08] ◮ Improved efficiency with trapdoor based on public gadget G [MP’12] Definition Short R is a trapdoor for A if AR = G . ACNS 2013, Banff, Alberta, Canada 7/11

  19. New Lattice Trapdoors [MicciancioPeikert’12] ◮ Trapdoor can be a short basis [GGH’97, GPV’08] ◮ Improved efficiency with trapdoor based on public gadget G [MP’12] Definition Short R is a trapdoor for A if AR = G . ◮ Key Generation: ⋆ Sample uniform ¯ A and random short ¯ R . � ¯ ⋆ Output A = [ ¯ A | G − ¯ A ¯ � R ] and R = R . I ACNS 2013, Banff, Alberta, Canada 7/11

  20. New Lattice Trapdoors [MicciancioPeikert’12] ◮ Trapdoor can be a short basis [GGH’97, GPV’08] ◮ Improved efficiency with trapdoor based on public gadget G [MP’12] Definition Short R is a trapdoor for A if AR = G . ◮ Key Generation: ⋆ Sample uniform ¯ A and random short ¯ R . � ¯ ⋆ Output A = [ ¯ A | G − ¯ A ¯ � R ] and R = R . I ◮ Given u , how to sample short Gaussian x with Ax = u using R ? ACNS 2013, Banff, Alberta, Canada 7/11

  21. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ACNS 2013, Banff, Alberta, Canada 8/11

  22. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ◮ Easy to sample short z with Gz = A ( Rz ) = u . ACNS 2013, Banff, Alberta, Canada 8/11

  23. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ◮ Easy to sample short z with Gz = A ( Rz ) = u ; but Rz is skewed. ACNS 2013, Banff, Alberta, Canada 8/11

  24. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ◮ Easy to sample short z with Gz = A ( Rz ) = u ; but Rz is skewed. ◮ Convolution lemma [P’10] : covariance and syndrome are additive = ⇒ add p from a different skewed Gaussian. ACNS 2013, Banff, Alberta, Canada 8/11

  25. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ◮ Easy to sample short z with Gz = A ( Rz ) = u ; but Rz is skewed. ◮ Convolution lemma [P’10] : covariance and syndrome are additive = ⇒ add p from a different skewed Gaussian. Standalone sample algorithm: ◮ Offline: Sample p , store with w = Ap . ◮ Online: Given u , sample z with Gz = u − w . Output x = p + Rz . ACNS 2013, Banff, Alberta, Canada 8/11

  26. Sampling in a Threshold Setting Given A , R , and u , sample short Gaussian x with Ax = u . Offline: ◮ Threshold sample shares of p and store with public w = Ap . ◮ Threshold sample and store shares of syndrome correction data. Online: (party i ) ◮ Retrieve � p � i and w . ◮ Assemble � Rz � i for Gaussian z with Gz = u − w . ◮ Broadcast � x � i = � p � i + � Rz � i and reconstruct x . ACNS 2013, Banff, Alberta, Canada 9/11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview of the Talk Part 1: Background Part 2: Our solution for arbitrary modulus G-lattice sampling Part 3: Our

210 views • 20 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions Introduction Hardness of Syndrome Decoding for

902 views • 59 slides
Lattice gas simulations Tony Kim Spring 2007 18.354 Project 1) Introducing the lattice gas;

Lattice gas simulations Tony Kim Spring 2007 18.354 Project 1) Introducing the lattice gas;

Lattice gas simulations Tony Kim Spring 2007 18.354 Project 1) Introducing the lattice gas; ntroducing the lattice gas; 2) Analytic description of the lattice gas; 3) Program objectives; 4) How to implement it (efficiently); 5)

321 views • 28 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm? Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische

922 views • 70 slides
New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1, PKC 2013 Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 1 / 27 Introduction Introduction: CDH versus DDH group G , element G G of

954 views • 60 slides
Lattice QCD Outline 1. Lattice QCD (why and what) 2. Precision flavour physics 3. (g-2) on

Lattice QCD Outline 1. Lattice QCD (why and what) 2. Precision flavour physics 3. (g-2) on

Birmingham High Energy Physics Group - Particle Physics Seminar, University of Birmingham, 08.06.2016 Andreas Jttner Lattice QCD Outline 1. Lattice QCD (why and what) 2. Precision flavour physics 3. (g-2) on the lattice 4. Pushing

713 views • 52 slides
Lattice Points in Polytopes Richard P. Stanley U. Miami & M.I.T. A lattice polygon Georg

Lattice Points in Polytopes Richard P. Stanley U. Miami & M.I.T. A lattice polygon Georg

Lattice Points in Polytopes Richard P. Stanley U. Miami & M.I.T. A lattice polygon Georg Alexander Pick (18591942) P : lattice polygon in R 2 (vertices Z 2 , no self-intersections) Boundary and interior lattice points Picks

1.4k views • 120 slides
Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li, Xianhui Lu, Dingding Jia, Yamin Liu Institute of Information Engineering , Chinese Academy of Sciences 2013.11.21 Xue, Li, Lu, Jia, Liu (IIE)

274 views • 23 slides
Lattice Methods in Field Theory Contents 1. Motivation 2. BasicsEuclidean quantisation 3.

Lattice Methods in Field Theory Contents 1. Motivation 2. BasicsEuclidean quantisation 3.

Lattice Methods in Field Theory Contents 1. Motivation 2. BasicsEuclidean quantisation 3. Lattice gauge fields Jonathan Flynn 4. Lattice fermions University of Southampton 5. Lattice QCD 6. Numerical simulations BUSSTEPP 2002

550 views • 22 slides
When is the lattice of closure operators on a subgroup lattice again a subgroup lattice? Martha

When is the lattice of closure operators on a subgroup lattice again a subgroup lattice? Martha

When is the lattice of closure operators on a subgroup lattice again a subgroup lattice? Martha Kilpack 1 and Arturo Magidin 2 1 Brigham Young University 2 University of Louisiana at Lafayette Groups St Andrews 2017 Martha Kilpack and Arturo

1.43k views • 77 slides
Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

854 views • 32 slides
Review on Lattice Muon g-2 HVP Calculation Kohtaroh Miura (GSI Helmholtz-Instute Mainz) Lattice

Review on Lattice Muon g-2 HVP Calculation Kohtaroh Miura (GSI Helmholtz-Instute Mainz) Lattice

Introduction Challenges and Progresses Discussion Summary and Conclusions Review on Lattice Muon g-2 HVP Calculation Kohtaroh Miura (GSI Helmholtz-Instute Mainz) Lattice 2018, 36th International Symposium on Lattice Field Theory, Michigan

885 views • 49 slides
Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2 , 3 Hemanta K. Maji 4 Amit Sahai 3 Alexander A. Sherstov 3 1 Microsoft Research, India 2 Technion 3 University of California, Los Angeles 4 Purdue

488 views • 21 slides
Secret Ninja Testing with HALO Software Engineering 1 Jonathan Bell, Swapneel Sheth, Gail Kaiser

Secret Ninja Testing with HALO Software Engineering 1 Jonathan Bell, Swapneel Sheth, Gail Kaiser

Secret Ninja Testing with HALO Software Engineering 1 Jonathan Bell, Swapneel Sheth, Gail Kaiser Department of Computer Science, Columbia University New York, NY 10027 {jbell, swapneel, kaiser}@cs.columbia.edu 1. There is no connection

367 views • 17 slides
Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 1 / 38 Contents Introduction 1 Groth-Sahai proof system 2 Non-Interactive Zero-Knowledge

879 views • 74 slides
An Extended GHKM Algorithm for Inducing -SCFG Peng Li, Yang Liu and Maosong Sun THUNLP&CSS

An Extended GHKM Algorithm for Inducing -SCFG Peng Li, Yang Liu and Maosong Sun THUNLP&CSS

An Extended GHKM Algorithm for Inducing -SCFG Peng Li, Yang Liu and Maosong Sun THUNLP&CSS Tsinghua University, China Outline l Background l Rule extraction algorithm l Modeling l Experiments l Conclusion 2 Outline l

664 views • 40 slides
Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of

Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of

Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 1 / 22 Zero-Knowledge Proof

531 views • 22 slides
References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford

References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford

References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford University, 2009. http://crypto.stanford.edu/craig/craig-thesis.pdf Fully Homomorphic Encryption Gentry, C., Computing arbitrary functions of encrypted

233 views • 7 slides
Complexity Theory J org Kreiker Chair for Theoretical Computer Science Prof. Esparza TU M

Complexity Theory J org Kreiker Chair for Theoretical Computer Science Prof. Esparza TU M

Complexity Theory J org Kreiker Chair for Theoretical Computer Science Prof. Esparza TU M unchen Summer term 2010 1 Lecture 15 Public Coins and Graph (Non)Isomorphism 2 Intro Goal and Plan Goal understand public coins and their

391 views • 20 slides
List edge multicoloring in bounded cyclicity graphs Dniel Marx Budapest University of

List edge multicoloring in bounded cyclicity graphs Dniel Marx Budapest University of

List edge multicoloring in bounded cyclicity graphs Dniel Marx Budapest University of Technology and Economics dmarx@cs.bme.hu 1 List edge multicoloring Generalization of list edge coloring: multiple colors have to be assigned to each

551 views • 38 slides

More recommend