how to use a short basis trapdoors for hard lattices and
play

How to Use a Short Basis: Trapdoors for Hard Lattices and New - PowerPoint PPT Presentation

May 27, 2023 •692 likes •1.48k views

How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris Peikert SRI Work with Craig Gentry and Vinod Vaikuntanathan 1 / 14 Digital Signatures 2 / 14 Digital Signatures (public) (secret) 2 / 14

  1. How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris Peikert SRI Work with Craig Gentry and Vinod Vaikuntanathan 1 / 14

  2. Digital Signatures 2 / 14

  3. Digital Signatures (public) (secret) 2 / 14

  4. Digital Signatures (public) “I love you” ✔ (secret) 2 / 14

  5. Digital Signatures (public) “It’s over” ✗ (secret) 2 / 14

  6. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 3 / 14

  7. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 f x y Dom Dom 3 / 14

  8. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 x y Dom Dom 3 / 14

  9. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 x y Dom Dom f − 1 3 / 14

  10. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 x y Dom Dom f − 1 ◮ Candidates: [RSA78,Rabin79,Paillier99] ✔ “General assumption” ✔ Applications: digital signatures, OT, NIZK, . . . 3 / 14

  11. Trapdoor Permutations [DiffieHellman76] ◮ Public function f , secret “trapdoor” f − 1 x y Dom Dom f − 1 ◮ Candidates: [RSA78,Rabin79,Paillier99] ✔ “General assumption” ✔ Applications: digital signatures, OT, NIZK, . . . ◮ All rely on hardness of factoring ✗ Complex: 2048 -bit exponentiation ✗ Lack of diversity ✗ Broken by quantum algorithms [Shor] 3 / 14

  12. Lattice-Based Cryptography What’s To Like ◮ Simple & efficient: linear ops, small integers ◮ Resist subexp & quantum attacks (so far) ◮ Security from worst-case hardness [Ajtai,. . . ] 4 / 14

  13. Lattice-Based Cryptography What’s To Like ◮ Simple & efficient: linear ops, small integers ◮ Resist subexp & quantum attacks (so far) ◮ Security from worst-case hardness [Ajtai,. . . ] What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev] 2 Public-key encryption [AjtaiDwork,Regev] 3 Recent developments [LyubMicc,PeikWat,. . . ] 4 / 14

  14. Lattice-Based Cryptography What’s To Like ◮ Simple & efficient: linear ops, small integers ◮ Resist subexp & quantum attacks (so far) ◮ Security from worst-case hardness [Ajtai,. . . ] What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev] 2 Public-key encryption [AjtaiDwork,Regev] 3 Recent developments [LyubMicc,PeikWat,. . . ] What’s Missing ◮ Everything else! Practical signatures, protocols, “advanced” crypto, . . . 4 / 14

  15. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions 5 / 14

  16. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f D R 5 / 14

  17. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f D R 5 / 14

  18. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R 5 / 14

  19. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R 5 / 14

  20. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R • “As good as” trapdoor permutations in many applications 5 / 14

  21. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R • “As good as” trapdoor permutations in many applications 2 “Hash and sign” signatures: FDH etc. 5 / 14

  22. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R • “As good as” trapdoor permutations in many applications 2 “Hash and sign” signatures: FDH etc. 3 Identity-based encryption, OT [PVW] , NCE [CDMW] , NISZK [PV] , . . . 5 / 14

  23. Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions x y f − 1 D R • Generate ( x , y ) in two equivalent ways: f − 1 f y y x x D R • “As good as” trapdoor permutations in many applications 2 “Hash and sign” signatures: FDH etc. 3 Identity-based encryption, OT [PVW] , NCE [CDMW] , NISZK [PV] , . . . New Algorithmic Tool ◮ “Oblivious decoder” on lattices 5 / 14

  24. Lattices A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: n b 2 � L = ( Z · b i ) i = 1 b 1 O 6 / 14

  25. Lattices A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: n � L = ( Z · b i ) b 1 i = 1 O b 2 6 / 14

  26. Lattices A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: n � L = ( Z · b i ) b 1 i = 1 O b 2 Shortest Vector Problem (SVP γ ) ◮ Given B , find (nonzero) v ∈ L within γ factor of shortest. 6 / 14

  27. Lattices A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: β n t � L = ( Z · b i ) b 1 i = 1 O b 2 Shortest Vector Problem (SVP γ ) ◮ Given B , find (nonzero) v ∈ L within γ factor of shortest. Absolute Distance Decoding (ADD β ) ◮ Given B and target t ∈ R n , find some v ∈ L within distance β . 6 / 14

  28. Complexity of Lattice Problems SVP γ in the Worst Case γ = O ( 1 ) poly ( n ) 2 n 2 n time NP-hard poly ( n ) time [Ajt,Mic,Kho] [AKS] [LLL,Sch] 7 / 14

  29. Complexity of Lattice Problems SVP γ in the Worst Case γ = O ( 1 ) poly ( n ) 2 n 2 n time NP-hard poly ( n ) time [Ajt,Mic,Kho] [AKS] [LLL,Sch] Average-Case ◮ [Ajtai96,. . . ,MicciancioRegev04] : SVP γ · n SVP γ as hard as every lattice random lattice 7 / 14

  30. Complexity of Lattice Problems SVP γ in the Worst Case γ = O ( 1 ) poly ( n ) 2 n 2 n time NP-hard poly ( n ) time [Ajt,Mic,Kho] [AKS] [LLL,Sch] Average-Case ◮ [Ajtai96,. . . ,MicciancioRegev04] : SVP β · n ADD β as hard as every lattice random lattice ◮ Decoding hard on average, too 7 / 14

  31. Complexity of Lattice Problems SVP γ in the Worst Case γ = O ( 1 ) poly ( n ) 2 n 2 n time NP-hard poly ( n ) time [Ajt,Mic,Kho] [AKS] [LLL,Sch] Average-Case ◮ [Ajtai96,. . . ,MicciancioRegev04] : SVP β · n ADD β as hard as every lattice random lattice ◮ Decoding hard on average, too Bottom Line ◮ On random lattices, SVP γ and ADD β seem exponentially hard 7 / 14

  32. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S s 2 b 1 s 1 b 2 8 / 14

  33. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  34. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  35. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  36. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  37. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  38. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  39. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] s 2 s 1 8 / 14

  40. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] 8 / 14

  41. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness 8 / 14

  42. GGH Signatures [GoldreichGoldwasserHalevi96] ◮ “Hard” (public) verification basis B , short (secret) signing basis S ◮ Sign with “nearest-plane” algorithm [Babai] Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness 2 Secret key leakage • Total break after several signatures [NguyenRegev] 8 / 14

  43. Gaussians and Lattices 9 / 14

  44. Gaussians and Lattices 9 / 14

  45. Gaussians and Lattices 9 / 14

  46. Gaussians and Lattices “Uniform” in R n when std dev ≥ shortest basis [Regev,MicciancioRegev] 9 / 14

  47. Our Trapdoor Function ◮ “Hard” public basis B , s 2 short secret basis S [Ajtai99,AP08] b 1 s 1 b 2 10 / 14

  48. Our Trapdoor Function ◮ “Hard” public basis B , short secret basis S [Ajtai99,AP08] ◮ Input v ∈ L , error e 10 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons Institute, 29/04/2020 Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehl and Keita Xagawa, ePrint 2019/1456 1/17 A.

540 views • 28 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N

1.2k views • 82 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by

Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by

Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by tiling with a basis Lattices A infinite set of points in R n obtained by tiling with a basis Lattices A infinite set of points in R n

1.48k views • 118 slides
Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts ttts Tenerife PQCrypto Conference (January 31, 2018) Lattices What is a lattice? O Lattices What

1.59k views • 136 slides
Hard Core Exclusion Models on Lattices: Rods, Rectangles and Discs Joyjit Kundu ( Institute of

Hard Core Exclusion Models on Lattices: Rods, Rectangles and Discs Joyjit Kundu ( Institute of

Hard Core Exclusion Models on Lattices: Rods, Rectangles and Discs Joyjit Kundu ( Institute of Mathematical Sciences, Chennai ) ! Deepak Dhar ( Tata Institute of Fundamental Research, Mumbai ) ! Jrgen Stilck ( Universidade Federal Fluminense,

1.02k views • 91 slides
Short-Term Rentals (STRs) STRs provide transient accommodations on a short-term basis The

Short-Term Rentals (STRs) STRs provide transient accommodations on a short-term basis The

Short-Term Rentals (STRs) STRs provide transient accommodations on a short-term basis The property owner may or may not be What is a STR? present during the stay Technology improvements have helped improve STRs popularity Airbnb

406 views • 23 slides
Short Bases of Lattices over Number Fields Claus Fieker Damien Stehl e University of Sydney/

Short Bases of Lattices over Number Fields Claus Fieker Damien Stehl e University of Sydney/

Overview The Result The Technique Example Conclusion Short Bases of Lattices over Number Fields Claus Fieker Damien Stehl e University of Sydney/ Magma LIP CNRS/ENSL/U. Lyon/INRIA/UCBL ANTS-IX, July 2010 Overview The Result The

387 views • 19 slides
Lattices and spherical designs. Gabriele Nebe Lehrstuhl D f ur Mathematik , Lattice sphere

Lattices and spherical designs. Gabriele Nebe Lehrstuhl D f ur Mathematik , Lattice sphere

Lattices and spherical designs. Gabriele Nebe Lehrstuhl D f ur Mathematik , Lattice sphere packings. Lattices. B = ( B 1 , . . . , B n ) basis of Euclidean space ( R n , ( , )) . L = { n i =1 a i B i | a i Z } lattice.

250 views • 24 slides
What is a Short T erm Rental (STR) ? A short - term rental , or vacation rental , is the renting

What is a Short T erm Rental (STR) ? A short - term rental , or vacation rental , is the renting

What is a Short T erm Rental (STR) ? A short - term rental , or vacation rental , is the renting out of a furnished home, apartment or condominium for a short - term stay. The owner of the property usually will rent out on a weekly basis, but some

487 views • 20 slides
Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems

Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems

Recall Cycle-Free Codes and Lattices Lattices from Codes Codes from Lattices Lattices from Codes or Codes from Lattices Amin Sakzad Dept of Electrical and Computer Systems Engineering Monash University amin.sakzad@monash.edu Oct. 2013

851 views • 55 slides
Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an

Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an

Lecture 9: Theta functions and lattices May 12, 2020 1 / 7 Lattices in R n A lattice is an additive subgroup R n such that Z n ( is free on n generators) b Z R R n ( spans the whole real vector space) # n +

246 views • 7 slides
Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toni Pitassi, Hao

Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toni Pitassi, Hao

Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toni Pitassi, Hao Wei IAS, December 5, 2017 Ian Mertz (U. of Toronto) Short Proofs are Hard to Find IAS, December 5, 2017 1 / 35 Introduction Proof complexity

1.13k views • 100 slides
Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toniann Pitassi, Hao

Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toniann Pitassi, Hao

Short Proofs are Hard to Find Ian Mertz University of Toronto Joint work w/ Toniann Pitassi, Hao Wei ICALP, July 10, 2019 Ian Mertz (U. of Toronto) Short Proofs are Hard to Find ICALP, July 10, 2019 1 / 20 Introduction Proof complexity

915 views • 53 slides
Transcendental lattices and supersingular reduction lattices of a singular K3 surface Keio, 2007

Transcendental lattices and supersingular reduction lattices of a singular K3 surface Keio, 2007

Transcendental lattices and supersingular reduction lattices of a singular K3 surface Keio, 2007 September Ichiro Shimada (Hokkaido University, Sapporo, JAPAN) By a lattice, we mean a finitely generated free Z -module equipped with a

611 views • 31 slides
Randomness in Computing L ECTURE 22 Last time Probabilistic method The Second Moment

Randomness in Computing L ECTURE 22 Last time Probabilistic method The Second Moment

Randomness in Computing L ECTURE 22 Last time Probabilistic method The Second Moment Method Conditional expectation inequality Lovasz Local Lemma Today Probabilistic method Lovasz Local Lemma (LLL) Algorithmic LLL

580 views • 18 slides
Randomness in Computing L ECTURE 23 Last time Probabilistic method Lovasz Local Lemma

Randomness in Computing L ECTURE 23 Last time Probabilistic method Lovasz Local Lemma

Randomness in Computing L ECTURE 23 Last time Probabilistic method Lovasz Local Lemma (LLL) Algorithmic LLL Today Probabilistic method Algorithmic LLL Applications of LLL 4/16/2020 Sofya Raskhodnikova;Randomness in

449 views • 15 slides
New Constructive Aspects of the Lov asz Local Lemma, and their Applications Aravind Srinivasan

New Constructive Aspects of the Lov asz Local Lemma, and their Applications Aravind Srinivasan

New Constructive Aspects of the Lov asz Local Lemma, and their Applications Aravind Srinivasan University of Maryland, College Park June 15, 2011 Collaborators: Bernhard Haeupler (MIT) & Barna Saha (UMD) Aravind Srinivasan University of

485 views • 32 slides
The LLL Algorithm Phong Nguy n http://www.di.ens.fr/~pnguyen May 2010, Luminy 1982 L.

The LLL Algorithm Phong Nguy n http://www.di.ens.fr/~pnguyen May 2010, Luminy 1982 L.

The LLL Algorithm Phong Nguy n http://www.di.ens.fr/~pnguyen May 2010, Luminy 1982 L. Lovsz A. Lenstra H. Lenstra 3 What is LLL or L ? The LLL Algorithm A popular algorithm presented in a legendary article published in 1982:

1.29k views • 118 slides
LatticeHacks Daniel J. Bernstein, Nadia Heninger, Tanja Lange https://latticehacks.cr.yp.to

LatticeHacks Daniel J. Bernstein, Nadia Heninger, Tanja Lange https://latticehacks.cr.yp.to

LatticeHacks Daniel J. Bernstein, Nadia Heninger, Tanja Lange https://latticehacks.cr.yp.to https://latticehacks.cr.yp.to 1 What do all these headlines have in common? Lattices. https://latticehacks.cr.yp.to 3 We can do two important things

1.75k views • 137 slides
Max Vladymyrov and Miguel A. Carreira-Perpi n an Electrical Engineering and Computer

Max Vladymyrov and Miguel A. Carreira-Perpi n an Electrical Engineering and Computer

Locally Linear Landmarks for large-scale manifold learning Max Vladymyrov and Miguel A. Carreira-Perpi n an Electrical Engineering and Computer Science University of California, Merced http://eecs.ucmerced.edu Spectral

493 views • 18 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
Constraint Programming with Decision Diagrams Willem-Jan van Hoeve Tepper School of Business

Constraint Programming with Decision Diagrams Willem-Jan van Hoeve Tepper School of Business

Constraint Programming with Decision Diagrams Willem-Jan van Hoeve Tepper School of Business Carnegie Mellon University Acknowledgments: David Bergman, Andre A. Cire, Sam Hoda, and John N. Hooker NSF, Google Summary What can MDDs do for

1.39k views • 109 slides

More recommend