ideal lattices and ring lwe overview and open problems
play

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris - PowerPoint PPT Presentation

Oct 14, 2022 •40 likes •810 views

Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions Selected bibliography: LPR10 V.

  1. Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16

  2. Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions Selected bibliography: LPR’10 V. Lyubashevsky, C. Peikert, O. Regev. “On Ideal Lattices and Learning with Errors Over Rings,” Eurocrypt’10 and JACM’13. LPR’13 V. Lyubashevsky, C. Peikert, O. Regev. “A Toolkit for Ring-LWE Cryptography,” Eurocrypt’13. 2 / 16

  3. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 3 / 16

  4. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 3 / 16

  5. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption) 3 / 16

  6. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption) 2005 Regev’s LWE: encryption with worst-case hardness (inefficient) 3 / 16

  7. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption) 2005 Regev’s LWE: encryption with worst-case hardness (inefficient) 2008– Countless applications of LWE (still inefficient) 3 / 16

  8. A Brief, Selective History of Lattice Cryptography 1996 Ajtai’s worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient ring-based encryption (heuristic security) 2002 Micciancio’s ring-based one-way function with worst-case hardness (no encryption) 2005 Regev’s LWE: encryption with worst-case hardness (inefficient) 2008– Countless applications of LWE (still inefficient) 2010 Ring-LWE: efficient encryption, worst-case hardness () 3 / 16

  9. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . 4 / 16

  10. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 ≈ � a 1 , s � mod q q a 2 ← Z n , b 2 ≈ � a 2 , s � mod q q . . . 4 / 16

  11. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . √ n ≤ error ≪ q 4 / 16

  12. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’     . . . . . .     ,  = As + e A b        . . . . . . √ n ≤ error ≪ q 4 / 16

  13. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’     . . . . . .     ,  = As + e A b        . . . . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( A , b ) from uniform ( A , b ) 4 / 16

  14. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’     . . . . . .     ,  = As + e A b        . . . . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( A , b ) from uniform ( A , b ) LWE is Hard (. . . maybe even for quantum!) worst case decision-LWE ≤ crypto ≤ search-LWE ≤ lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] 4 / 16

  15. Learning With Errors [Regev’05] ◮ Parameters: dimension n , modulus q = poly ( n ) . ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’     . . . . . .     ,  = As + e A b        . . . . . . √ n ≤ error ≪ q ◮ Decision: distinguish ( A , b ) from uniform ( A , b ) LWE is Hard (. . . maybe even for quantum!) worst case decision-LWE ≤ crypto ≤ search-LWE ≤ lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] ◮ Also a classical reduction for search-LWE [P’09,BLPRS’13] 4 / 16

  16. LWE is Versatile What kinds of crypto can we do with LWE? 5 / 16

  17. LWE is Versatile What kinds of crypto can we do with LWE? Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12] 5 / 16

  18. LWE is Versatile What kinds of crypto can we do with LWE? Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12] Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10] 5 / 16

  19. LWE is Versatile What kinds of crypto can we do with LWE? Public Key Encryption and Oblivious Transfer [R’05,PVW’08] Actively Secure PKE (w/o RO) [PW’08,P’09,MP’12] Identity-Based Encryption (in RO model) [GPV’08] Hierarchical ID-Based Encryption (w/o RO) [CHKP’10,ABB’10] Leakage-Resilient Crypto [AGV’09,DGKPV’10,GKPV’10,ADNSWW’10,. . . ] Fully Homomorphic Encryption [BV’11,BGV’12,GSW’13,. . . ] Attribute-Based Encryption [AFV’11,GVW’13,BGG+’14,. . . ] Symmetric-Key Primitives [BPR’12,BMLR’13,BP’14,. . . ] Other Exotic Encryption [ACPS’09,BHHI’10,OP’10,. . . ] the list goes on. . . 5 / 16

  20. LWE is (Sort Of) Efficient ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · ·  + e = b ∈ Z q s    . . . 6 / 16

  21. LWE is (Sort Of) Efficient ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · ·  + e = b ∈ Z q s   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ . O ( n ) work per scalar output. 6 / 16

  22. LWE is (Sort Of) Efficient ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · ·  + e = b ∈ Z q s   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ . O ( n ) work per scalar output. ◮ Cryptosystems have rather large keys:      . . . .  . .       pk = , Ω( n ) A b         . .  . .   . . � �� � n 6 / 16

  23. LWE is (Sort Of) Efficient ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · ·  + e = b ∈ Z q s   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ . O ( n ) work per scalar output. ◮ Cryptosystems have rather large keys:      . . . .  . .       pk = , Ω( n ) A b         . .  . .   . . � �� � n ◮ Can fix A for all users, but still ≥ n 2 work to encrypt & decrypt an n -bit message 6 / 16

  24. Wishful Thinking. . .         . . . . ◮ Get n pseudorandom scalars . . . . . . . . from just one (cheap)          ∈ Z n a i  ⋆ s  + e i  = b i         q product operation?     . . . . . . . . . . . . 7 / 16

  25. Wishful Thinking. . .         . . . . ◮ Get n pseudorandom scalars . . . . . . . . from just one (cheap)          ∈ Z n a i  ⋆ s  + e i  = b i         q product operation?     . . . . . . . . . . . . Question ◮ How to define the product ‘ ⋆ ’ so that ( a i , b i ) is pseudorandom? 7 / 16

  26. Wishful Thinking. . .         . . . . ◮ Get n pseudorandom scalars . . . . . . . . from just one (cheap)          ∈ Z n a i  ⋆ s  + e i  = b i         q product operation?     . . . . . . . . . . . . Question ◮ How to define the product ‘ ⋆ ’ so that ( a i , b i ) is pseudorandom? ◮ Careful! With small error, coordinate-wise multiplication is insecure! 7 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos e VIAL PRADO December

How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos e VIAL PRADO December

How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos e VIAL PRADO December 10, 2014 Ph.D. advisor : Louis GOUBIN Introduction Gentrys IL scheme Other FHE schemes Open questions This talk Introduction Gentrys

718 views • 58 slides
Spectrum problems for structures arising from lattices and rings lattices and rings

Spectrum problems for structures arising from lattices and rings lattices and rings

Spectrum problems for structures arising from Spectrum problems for structures arising from lattices and rings lattices and rings Hochsters Theorem for commutative Friedrich Wehrung unital rings Stone duality for bounded

1.66k views • 125 slides
Open Problems GRASTA-MAC 2015 1 Exploration with Stop in Ring with limited visibility (Franck

Open Problems GRASTA-MAC 2015 1 Exploration with Stop in Ring with limited visibility (Franck

Open Problems GRASTA-MAC 2015 1 Exploration with Stop in Ring with limited visibility (Franck Petit) Consider autonomous, identical, oblivious robots, in the Look-Compute-Move model. They have only local visibility, that is the snapshot allows

454 views • 4 slides
More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School

Introduction GGH Construction GGHLite Conclusions More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School of IT Monash University, Australia (Based on joint work with A. Langlois and D. Stehl e, ENS

706 views • 39 slides
A subfield-logarithm attack against ideal lattices, part 1: the number-field sieve D. J.

A subfield-logarithm attack against ideal lattices, part 1: the number-field sieve D. J.

A subfield-logarithm attack against ideal lattices, part 1: the number-field sieve D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Sieving small integers 0 using primes 2 3 5 7: 1

646 views • 42 slides
Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont

Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont

Lattices Computational complexity Complexity of cyclic lattices Well-rounded cyclic lattices Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont McKenna College Undergraduate Summer Research Program

1.17k views • 65 slides
I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers

I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers

O N THE R ESOLUTIONS OF ( SOME ) S IMPLICIAL F ORESTS S ARA F ARIDI D ALHOUSIE U NIVERSITY I = ( M 1 , . . . , M q ) monomial ideal in polynomial ring. Question. What are the Betti numbers i,j ( I ) ? Eliahou-Kervaire Splittings: When I = J + K

289 views • 25 slides
Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1

Cryptography from Rings Chris Peikert University of Michigan HEAT Summer School 13 Oct 2015 1 / 13 Agenda 1 Polynomial rings, ideal lattices and Ring-LWE 2 Basic Ring-LWE encryption 3 Fully homomorphic encryption Selected bibliography:

840 views • 64 slides
Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and

Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and

Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and Bilinear Maps Shuichi Katsumata (The University of Tokyo) Shota Yamada (AIST) ASIACRYPT Born in 1991 (Japan) Me Born in 1991 (Japan) Background

850 views • 62 slides
On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 1 1 Tel Aviv University 2 Georgia Institute of Technology Eurocrypt 2010 1 / 12 The Learning With Errors Problem [Regev05]

819 views • 59 slides
Ring of Integers of Abelian Number Fields and Algebraic Lattices Robson Ricardo de Araujo

Ring of Integers of Abelian Number Fields and Algebraic Lattices Robson Ricardo de Araujo

Ring of Integers of Abelian Number Fields and Algebraic Lattices Robson Ricardo de Araujo dearaujorobsonricardo@gmail.com Prof. Dr. Antonio Aparecido de Andrade (orientador) andrade@ibilce.unesp.br SP Coding and Information School January

367 views • 5 slides
Amalgamated algebras along an ideal: a class of ring extensions related to Nagatas

Amalgamated algebras along an ideal: a class of ring extensions related to Nagatas

1 2 3 4 5 6 7 8 Amalgamated algebras along an ideal: a class of ring extensions related to Nagatas idealization Marco Fontana Dipartimento di Matematica

1.67k views • 124 slides
For an (associative but not necessarily commutative) ring with identity A , there is a (not

For an (associative but not necessarily commutative) ring with identity A , there is a (not

B UCHBERGER T HEORY FOR E FFECTIVE A SSOCIATIVE R INGS T. M., Seven variations on standard bases , (1988) A solution if the ring is a vectorspace over a field A PEL J., Computational ideal theory in finitely generated extension rings , T.C.S. 224

815 views • 47 slides
Lattices from Maximal Quaternion Orders with Full Diversity Cintya Wink de Oliveira Benedito

Lattices from Maximal Quaternion Orders with Full Diversity Cintya Wink de Oliveira Benedito

Lattices from Maximal Quaternion Orders with Full Diversity Cintya Wink de Oliveira Benedito Postdoctoral Research Associate at University of Campinas - IMECC/UNICAMP Scholarship: CNPq Poster proposal: Construct ideal lattices on totally

152 views • 4 slides
Ideal lattices in multicubic fields Andrea LESAVOUREY Thomas PLANTARD Willy SUSILO School of

Ideal lattices in multicubic fields Andrea LESAVOUREY Thomas PLANTARD Willy SUSILO School of

Ideal lattices in multicubic fields Andrea LESAVOUREY Thomas PLANTARD Willy SUSILO School of Computing and Information Technology University of Wollongong Andrea LESAVOUREY Multicubic fields 1 / 39 Outline Motivation 1 Cryptography

911 views • 69 slides
The MySQL Ecosystem - understanding it, not running away from it! Colin Charles, Chief Evangelist,

The MySQL Ecosystem - understanding it, not running away from it! Colin Charles, Chief Evangelist,

The MySQL Ecosystem - understanding it, not running away from it! Colin Charles, Chief Evangelist, Percona Inc. colin.charles@percona.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter FOSDEM, Brussels, Belgium 4 February 2018

634 views • 35 slides
PGP web of trust Web of trust From:

PGP web of trust Web of trust From:

PGP web of trust Web of trust From: h2p://pgp.cs.uu.nl/plot/ The PGP web of trust can be viewed as a directed graph where the points are

558 views • 10 slides
Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

1 Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of Illinois at Chicago Crypto 1999 Nguyen: At Crypto 97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the

683 views • 32 slides
Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence Trondheim, June 22, 2015 Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering, Norwegian University of

2.51k views • 157 slides
Ring Signatures Monero Oct. 14, 2019 Overview Privacy Hierarchy Monero Secretly

Ring Signatures Monero Oct. 14, 2019 Overview Privacy Hierarchy Monero Secretly

Ring Signatures Monero Oct. 14, 2019 Overview Privacy Hierarchy Monero Secretly signing a transaction Secretly receiving a transaction Privacy Hierarchy Everything open Bitcoin Pseudonymous, amount open Privacy Hierarchy

911 views • 45 slides
CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1 2 Joint work with: C. Boura, N. Gama, D. Jetchev 1 / 30 Homomorphic encryption Given ( c 1 , c 2 , . . . , c k ) = ( E ( m 1 ) , E ( m 2 ) , . . .

497 views • 48 slides
OpenKeychain: An Architecture for Cryptography with Smart Cards and NFC Rings on Android Dominik

OpenKeychain: An Architecture for Cryptography with Smart Cards and NFC Rings on Android Dominik

Institute of Operating Systems and Computer Networks Operating System Email Crypto Provider binds to API key management secret key creation access control Security Token PIN/password caching per client operating system with IM NFC

704 views • 27 slides
12

12

12 Network Security, Principles and Practice,2nd Ed. :

575 views • 20 slides

More recommend