kuperberg s collimation sieve vs csidh chris peikert
play

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of - PowerPoint PPT Presentation

Jan 07, 2023 •736 likes •1.61k views

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

  1. Kuperberg’s Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16

  2. He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16

  3. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 / 16

  4. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 CSIDH-512 key recovery costs, e.g., only ≈ 2 16 evaluations using ≈ 2 40 bits of quantum-accessible RAM (+ small other resources). 2 / 16

  5. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 CSIDH-512 key recovery costs, e.g., only ≈ 2 16 evaluations using ≈ 2 40 bits of quantum-accessible RAM (+ small other resources). 3 Assuming evaluation costs not much more than for the ‘best case’: 2 / 16

  6. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 CSIDH-512 key recovery costs, e.g., only ≈ 2 16 evaluations using ≈ 2 40 bits of quantum-accessible RAM (+ small other resources). 3 Assuming evaluation costs not much more than for the ‘best case’: CSIDH-512 breakable with ≈ 2 60 T-gates 2 / 16

  7. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 CSIDH-512 key recovery costs, e.g., only ≈ 2 16 evaluations using ≈ 2 40 bits of quantum-accessible RAM (+ small other resources). 3 Assuming evaluation costs not much more than for the ‘best case’: CSIDH-512 breakable with ≈ 2 60 T-gates, so falls well short of its claimed NIST level 1 p-q security. ( ≥ 2 170 / MAXDEPTH) 2 / 16

  8. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 CSIDH-512 key recovery costs, e.g., only ≈ 2 16 evaluations using ≈ 2 40 bits of quantum-accessible RAM (+ small other resources). 3 Assuming evaluation costs not much more than for the ‘best case’: CSIDH-512 breakable with ≈ 2 60 T-gates, so falls well short of its claimed NIST level 1 p-q security. ( ≥ 2 170 / MAXDEPTH) CSIDH-1024 breakable with ≈ 2 72 T-gates and ≈ 2 44 bits QRACM 2 / 16

  9. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 CSIDH-512 key recovery costs, e.g., only ≈ 2 16 evaluations using ≈ 2 40 bits of quantum-accessible RAM (+ small other resources). 3 Assuming evaluation costs not much more than for the ‘best case’: CSIDH-512 breakable with ≈ 2 60 T-gates, so falls well short of its claimed NIST level 1 p-q security. ( ≥ 2 170 / MAXDEPTH) CSIDH-1024 breakable with ≈ 2 72 T-gates and ≈ 2 44 bits QRACM, so it also falls short of level 1. 2 / 16

  10. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 CSIDH-512 key recovery costs, e.g., only ≈ 2 16 evaluations using ≈ 2 40 bits of quantum-accessible RAM (+ small other resources). 3 Assuming evaluation costs not much more than for the ‘best case’: CSIDH-512 breakable with ≈ 2 60 T-gates, so falls well short of its claimed NIST level 1 p-q security. ( ≥ 2 170 / MAXDEPTH) CSIDH-1024 breakable with ≈ 2 72 T-gates and ≈ 2 44 bits QRACM, so it also falls short of level 1. CSIDH-1792 2 / 16

  11. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 CSIDH-512 key recovery costs, e.g., only ≈ 2 16 evaluations using ≈ 2 40 bits of quantum-accessible RAM (+ small other resources). 3 Assuming evaluation costs not much more than for the ‘best case’: CSIDH-512 breakable with ≈ 2 60 T-gates, so falls well short of its claimed NIST level 1 p-q security. ( ≥ 2 170 / MAXDEPTH) CSIDH-1024 breakable with ≈ 2 72 T-gates and ≈ 2 44 bits QRACM, so it also falls short of level 1. CSIDH-1792 breakable with ≈ 2 84 T-gates and ≈ 2 48 bits QRACM 2 / 16

  12. Conclusions 1 Proposed CSIDH parameters have relatively little quantum security beyond the cost of quantum evaluation (on a uniform superposition). 2 CSIDH-512 key recovery costs, e.g., only ≈ 2 16 evaluations using ≈ 2 40 bits of quantum-accessible RAM (+ small other resources). 3 Assuming evaluation costs not much more than for the ‘best case’: CSIDH-512 breakable with ≈ 2 60 T-gates, so falls well short of its claimed NIST level 1 p-q security. ( ≥ 2 170 / MAXDEPTH) CSIDH-1024 breakable with ≈ 2 72 T-gates and ≈ 2 44 bits QRACM, so it also falls short of level 1. CSIDH-1792 breakable with ≈ 2 84 T-gates and ≈ 2 48 bits QRACM, so it also doesn’t reach level 1 possibly except for high end of MAXDEPTH range. 2 / 16

  13. CSIDH (‘sea-side’) [CastryckLangeMartindalePannyRenes’18] ◮ Isogeny-based ‘post-quantum commutative group action’ following [Couveignes’97,RostovtsevStolbunov’06] : abelian group G , set Z , action ⋆ : G × Z → Z 3 / 16

  14. CSIDH (‘sea-side’) [CastryckLangeMartindalePannyRenes’18] ◮ Isogeny-based ‘post-quantum commutative group action’ following [Couveignes’97,RostovtsevStolbunov’06] : abelian group G , set Z , action ⋆ : G × Z → Z (Other isogeny-based crypto like SIDH [JF’11,. . . ]: nonabelian, no group action.) 3 / 16

  15. CSIDH (‘sea-side’) [CastryckLangeMartindalePannyRenes’18] ◮ Isogeny-based ‘post-quantum commutative group action’ following [Couveignes’97,RostovtsevStolbunov’06] : abelian group G , set Z , action ⋆ : G × Z → Z (Other isogeny-based crypto like SIDH [JF’11,. . . ]: nonabelian, no group action.) DiffieHellman-style noninteractive key exchange with public param z ∈ Z : Alice: secret a ∈ G , public p A = a ⋆ z ∈ Z Bob: secret b ∈ G , public p B = b ⋆ z ∈ Z Shared key: a ⋆ p B = b ⋆ p A = ( a + b ) ⋆ z , by commutativity 3 / 16

  16. CSIDH (‘sea-side’) [CastryckLangeMartindalePannyRenes’18] ◮ Isogeny-based ‘post-quantum commutative group action’ following [Couveignes’97,RostovtsevStolbunov’06] : abelian group G , set Z , action ⋆ : G × Z → Z (Other isogeny-based crypto like SIDH [JF’11,. . . ]: nonabelian, no group action.) DiffieHellman-style noninteractive key exchange with public param z ∈ Z : Alice: secret a ∈ G , public p A = a ⋆ z ∈ Z Bob: secret b ∈ G , public p B = b ⋆ z ∈ Z Shared key: a ⋆ p B = b ⋆ p A = ( a + b ) ⋆ z , by commutativity ◮ Efficient! 64-byte keys, 80ms key exchange for claimed NIST level 1 quantum security: as hard as AES-128 key search 3 / 16

  17. CSIDH (‘sea-side’) [CastryckLangeMartindalePannyRenes’18] ◮ Isogeny-based ‘post-quantum commutative group action’ following [Couveignes’97,RostovtsevStolbunov’06] : abelian group G , set Z , action ⋆ : G × Z → Z (Other isogeny-based crypto like SIDH [JF’11,. . . ]: nonabelian, no group action.) DiffieHellman-style noninteractive key exchange with public param z ∈ Z : Alice: secret a ∈ G , public p A = a ⋆ z ∈ Z Bob: secret b ∈ G , public p B = b ⋆ z ∈ Z Shared key: a ⋆ p B = b ⋆ p A = ( a + b ) ⋆ z , by commutativity ◮ Efficient! 64-byte keys, 80ms key exchange for claimed NIST level 1 quantum security: as hard as AES-128 key search ◮ Signatures [Stolbunov’12,DeFeoGalbraith’19,BeullensKleinjungVercauteren’19] : pk + sig = 1468 bytes at same claimed security level 3 / 16

  18. Attacking the CSIDH, Quantumly ◮ Secret-key recovery: given z, a ⋆ z ∈ Z , find a ∈ G (or equivalent) 4 / 16

  19. Attacking the CSIDH, Quantumly ◮ Secret-key recovery: given z, a ⋆ z ∈ Z , find a ∈ G (or equivalent) Reduces to Hidden-Shift Problem (HShP) on G [ChildsJaoSoukharev’10] 4 / 16

  20. Attacking the CSIDH, Quantumly ◮ Secret-key recovery: given z, a ⋆ z ∈ Z , find a ∈ G (or equivalent) Reduces to Hidden-Shift Problem (HShP) on G [ChildsJaoSoukharev’10] Quantum HShP Algorithm Ingredients [Kuperberg’03,. . . ] 1 Oracle outputs random ‘labeled’ quantum states, by evaluating ⋆ on a uniform superposition over G . 4 / 16

  21. Attacking the CSIDH, Quantumly ◮ Secret-key recovery: given z, a ⋆ z ∈ Z , find a ∈ G (or equivalent) Reduces to Hidden-Shift Problem (HShP) on G [ChildsJaoSoukharev’10] Quantum HShP Algorithm Ingredients [Kuperberg’03,. . . ] 1 Oracle outputs random ‘labeled’ quantum states, by evaluating ⋆ on a uniform superposition over G . 2 Sieve combines labeled states to generate ‘more favorable’ ones. 4 / 16

  22. Attacking the CSIDH, Quantumly ◮ Secret-key recovery: given z, a ⋆ z ∈ Z , find a ∈ G (or equivalent) Reduces to Hidden-Shift Problem (HShP) on G [ChildsJaoSoukharev’10] Quantum HShP Algorithm Ingredients [Kuperberg’03,. . . ] 1 Oracle outputs random ‘labeled’ quantum states, by evaluating ⋆ on a uniform superposition over G . 2 Sieve combines labeled states to generate ‘more favorable’ ones. 3 Measurement of ‘very favorable’ state recovers bit(s) of hidden shift. 4 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography Vadim

814 views • 70 slides
["si:saId] Why CSIDH? Drop-in post-quantum replacement for (EC)DH.

["si:saId] Why CSIDH? Drop-in post-quantum replacement for (EC)DH.

CSIDH : An Efficient Post-Quantum Commutative Group Action Wouter Castryck 1 Tanja Lange 2 Chloe Martindale 2 Lorenz Panny 2 Joost Renes 3 1 KU Leuven 2 TU Eindhoven 3 Radboud Universiteit Brisbane, 6 December 2018 ["si:saId] Why CSIDH?

934 views • 57 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of Michigan (Based on work with Sina Shiehian) 2nd Crypto Innovation School Shanghai, China 15 December 2019 1 / 16 Zero Knowledge

995 views • 95 slides
LHC Collimation Project Status Stefano Redaelli, CERN, BE-ABP for the Collimation Project and

LHC Collimation Project Status Stefano Redaelli, CERN, BE-ABP for the Collimation Project and

20 th US-LARP Collaboration Meeting - CM20 April 8 th -10 th , 2013 Embassy Suites - Napa Valley, CA, USA LHC Collimation Project Status Stefano Redaelli, CERN, BE-ABP for the Collimation Project and HL-LHC-WP5 teams The HiLumi LHC Design

602 views • 45 slides
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline Introduction 1 Construction, Parameters and Efficiency 2 Proof of Security

886 views • 47 slides
FCC-hh: Collimation system design M. Fiascaris with R. Bruce and S. Redaelli Acknowledgements

FCC-hh: Collimation system design M. Fiascaris with R. Bruce and S. Redaelli Acknowledgements

FCC-hh: Collimation system design M. Fiascaris with R. Bruce and S. Redaelli Acknowledgements to X. Buffat, R. De Maria, D. Mirarchi, D. Schulte, R. Tomas Outline Introduction FCC challenges for collimation The LHC collimation

830 views • 39 slides
Experience in Beam Collimation Dating back to my work as PL LHC Collimation, Machine Coordinator

Experience in Beam Collimation Dating back to my work as PL LHC Collimation, Machine Coordinator

Experience in Beam Collimation Dating back to my work as PL LHC Collimation, Machine Coordinator LHC and EIC for LEP2 SuperKEKB: Challenges for the High Luminosity Frontier 30 - 31 January 2020, KEK, Japan Ralph W. Amann Leading Scientist

680 views • 44 slides
On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory of Cryptography Conference 5 March 2006 Chris Peikert (MIT) On Error Correction in the Exponent TCC 2006 1 / 9 Error Correction (in the

1.04k views • 58 slides
New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13 Zero-Knowledge Proofs [GoldwasserMicaliRackoff85] A protocol allowing an unbounded Prover P to convince a skeptical,

960 views • 68 slides
Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC 2019 1 / 13 Algebraic Learning With Errors A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE,

954 views • 57 slides
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

1.08k views • 82 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of

Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD78,Gen09] FHE lets you do this:

1.36k views • 98 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography

How (Not) to Instantiate Ring-LWE Chris Peikert University of Michigan Security and Cryptography for Networks 1 September 2016 1 / 12 Conclusions 2 / 12 Conclusions 1 Prior insecure Ring-LWE instantiations turn out to use quite narrow error

861 views • 65 slides
CSC 411 Lecture 14: Probabilistic Models II Roger Grosse, Amir-massoud Farahmand, and Juan

CSC 411 Lecture 14: Probabilistic Models II Roger Grosse, Amir-massoud Farahmand, and Juan

CSC 411 Lecture 14: Probabilistic Models II Roger Grosse, Amir-massoud Farahmand, and Juan Carrasquilla University of Toronto UofT CSC 411: 14-Probabilistic Models II 1 / 42 Overview Bayesian parameter estimation MAP estimation Gaussian

799 views • 42 slides
The story of the film so far... X a c.r.v. with p.d.f. f and g : R R : then Y = g ( X ) is a

The story of the film so far... X a c.r.v. with p.d.f. f and g : R R : then Y = g ( X ) is a

The story of the film so far... X a c.r.v. with p.d.f. f and g : R R : then Y = g ( X ) is a Mathematics for Informatics 4a random variable and E ( Y ) = g ( x ) f ( x ) dx Jos e Figueroa-OFarrill variance : Var ( X ) =

530 views • 5 slides
CS70: Lecture 20. Review: Expectation Uniform Distribution Distributions; Independent RVs Roll a

CS70: Lecture 20. Review: Expectation Uniform Distribution Distributions; Independent RVs Roll a

CS70: Lecture 20. Review: Expectation Uniform Distribution Distributions; Independent RVs Roll a six-sided balanced die. Let X be the number of pips (dots). Then X is equally likely to take any of the values { 1 , 2 ,..., 6 } . We say 1. Review:

197 views • 6 slides
Acton-Boxborough Regional School District FY15 Budget Vote Transitional Regional School

Acton-Boxborough Regional School District FY15 Budget Vote Transitional Regional School

2/6/2014 Acton-Boxborough Regional School District FY15 Budget Vote Transitional Regional School Committee Meeting February 6, 2014 1 ABRSD FY15 Proposed Budget January 15, 2014 $77,068,121 Reduction of Case Assessment ($129,896)

136 views • 13 slides
Hyperuniformity on the Sphere Peter Grabner (joint work with J. Brauchart and W. Kusner)

Hyperuniformity on the Sphere Peter Grabner (joint work with J. Brauchart and W. Kusner)

Hyperuniformity on the Sphere Peter Grabner (joint work with J. Brauchart and W. Kusner) Institute for Analysis and Number Theory Graz University of Technology Workshop on Computation and Optimization of Energy, Packing, and Covering

595 views • 27 slides
Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation

Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation

Privacy Preserving Data Mining: Additive Data Perturbation Outline Input perturbation techniques Additive perturbation Multiplicative perturbation Privacy metrics Privacy metrics Summary Definition of dataset Column

280 views • 23 slides
Graph-based Nearest Neighbor Search: From Practice to Theory Liudmila Prokhorenkova, Aleksandr

Graph-based Nearest Neighbor Search: From Practice to Theory Liudmila Prokhorenkova, Aleksandr

Graph-based Nearest Neighbor Search: From Practice to Theory Liudmila Prokhorenkova, Aleksandr Shekhovtsov ICML 2020 Liudmila Prokhorenkova Graph-based Nearest Neighbor Search ICML 2020 1 / 16 Nearest neighbor search Dataset D = { x 1 , . .

578 views • 33 slides
Cost-Based Optimization Database Systems: The Complete Book Ch 2.3, 6.1-6.4,15, 16.4-16.5 1

Cost-Based Optimization Database Systems: The Complete Book Ch 2.3, 6.1-6.4,15, 16.4-16.5 1

Cost-Based Optimization Database Systems: The Complete Book Ch 2.3, 6.1-6.4,15, 16.4-16.5 1 Optimizing 2 Optimizing Some equivalence rules are always good Which? 2 Optimizing Some equivalence rules are always good

949 views • 58 slides

More recommend