Lattice-Based Cryptography
Chris Peikert, University of Michigan
QCrypt 2016 (slide 1/24)

Agenda
1 Foundations: lattice problems, SIS/LWE and their applications
2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices
3 Practical Implementations:


Slide 9/24: Another Hard Problem: Learning With Errors [Regev'05]
◮ Parameters: dimension $n$, modulus $q = \mathrm{poly}(n)$, error distribution
◮ Search: find secret $s \in \mathbb{Z}_q^n$ given many 'noisy inner products'
  $b^t = s^t A + e^t$ for uniform $A$, where $\sqrt{n} \le \text{error} \ll q$ ('rate' $\alpha$)
◮ Decision: distinguish $(A, b)$ from uniform $(A, b)$
LWE is Hard
  $(n/\alpha)$-approx worst-case lattice problems $\le$ search-LWE $\le$ decision-LWE $\le$ crypto
  (first step quantum [R'05]; search-to-decision [BFKL'93, R'05, ...])
◮ Also fully classical reductions, for worse params [Peikert'09, BLPRS'13]

Slide 10/24: LWE is Versatile
What kinds of crypto can we do with LWE?
✔ Key Exchange, Public Key Encryption
✔ Oblivious Transfer
✔ Actively Secure Encryption (w/o random oracles)
✔ Block Ciphers, PRFs
✔✔ Identity-Based Encryption (w/ RO)
✔✔ Hierarchical ID-Based Encryption (w/o RO)
!!! Fully Homomorphic Encryption
!!! Attribute-Based Encryption for arbitrary policies
and much, much more...

Slide 11/24: Key Exchange from LWE [Regev'05, LP'11]
Public: $A \leftarrow \mathbb{Z}_q^{n \times n}$ (uniform)
Alice: $r \leftarrow \mathbb{Z}^n$ (error)        Bob: $s \leftarrow \mathbb{Z}^n$ (error)
Alice sends $u^t \approx r^t \cdot A \in \mathbb{Z}_q^n$
Bob sends $v \approx A \cdot s \in \mathbb{Z}_q^n$
Alice computes $k \approx r^t \cdot v \approx r^t A s$;  Bob computes $k \approx u^t \cdot s \approx r^t A s$
Security: $(A, u, v, k)$ is indistinguishable from uniform, by decision-LWE.
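The exchange on this slide carried through end to end, as an added example that is not code from the talk: both parties compute an approximate shared value $r^t A s$, and because the two values differ by at most $2n$ (the size of $r^t e_2 - e_1^t s$ with $\{-1,0,1\}$ entries), the second party can pin down one exact shared bit by transmitting its value shifted by $\lfloor q/2 \rfloor$ when the bit is 1, which is how the LP'11 scheme encodes a message on top of the approximate key. The parameters $n = 128$, $q = 4093$ and the $\{-1, 0, 1\}$ 'error' distribution are toy assumptions for readability and are far too small to be secure.

```python
# Added example: toy plain-LWE key exchange in the shape of slide 11/24.
# Toy parameters (assumed for illustration only); real deployments use n in the
# hundreds to thousands, a Gaussian error distribution and a carefully chosen q.
import random

N, Q = 128, 4093


def small_vector(rng, n):
    """'Error-sized' vector with entries in {-1, 0, 1} (stand-in for a discrete Gaussian)."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def centered(x):
    """Representative of x mod Q in the range (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def lwe_key_exchange(seed, bit):
    """Run one exchange; returns (bit recovered by Alice, |k_Alice - k_Bob| centred mod Q)."""
    rng = random.Random(seed)
    # public matrix A <- Z_q^{n x n}, uniform
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    r, e1 = small_vector(rng, N), small_vector(rng, N)   # Alice's secret and error
    s, e2 = small_vector(rng, N), small_vector(rng, N)   # Bob's secret and error

    # Alice -> Bob:  u^t = r^t A + e1^t   (a row of LWE samples)
    u = [(sum(r[i] * A[i][j] for i in range(N)) + e1[j]) % Q for j in range(N)]
    # Bob -> Alice:  v = A s + e2         (a column of LWE samples)
    v = [(sum(A[i][j] * s[j] for j in range(N)) + e2[i]) % Q for i in range(N)]

    k_alice = sum(r[i] * v[i] for i in range(N)) % Q   # r^t v = r^t A s + r^t e2
    k_bob = sum(u[j] * s[j] for j in range(N)) % Q     # u^t s = r^t A s + e1^t s
    # The two keys differ by r^t e2 - e1^t s; with entries in {-1,0,1} that is at most 2N.
    gap = abs(centered(k_alice - k_bob))

    # Agreeing on an exact bit (LP'11 style): Bob sends his approximate key shifted by
    # bit * floor(Q/2). Alice subtracts her own key; the result is within 2N of 0 if the
    # bit was 0 and within 2N of Q/2 if it was 1, and 2N < Q/4 keeps the two cases apart.
    c = (k_bob + bit * (Q // 2)) % Q
    recovered = 0 if abs(centered(c - k_alice)) < Q // 4 else 1
    return recovered, gap
```

An observer of the channel sees $(A, u, v, c)$; the slide's security argument is that decision-LWE makes this transcript look uniform, so nothing about the bit leaks. Note that correctness here is a deterministic bound ($2n < q/4$) rather than a probabilistic one, which is why the toy error distribution is bounded rather than Gaussian.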

Slide 12/24: Efficiency from Rings

Slide 13/24: SIS/LWE are (Sort Of) Efficient
◮ Getting one pseudorandom scalar $b_i \in \mathbb{Z}_q$ requires an $n$-dimensional mod-$q$ inner product:
  $\langle a_i, s \rangle + e_i = b_i \in \mathbb{Z}_q$
◮ Can amortize each $a_i$ over many secrets $s_j$, but still $\tilde{O}(n)$ work per scalar output.
◮ Cryptosystems have rather large keys: $pk = (A, b)$, where $A$ has $\Omega(n)$ rows and $n$ columns.
◮ Inherently $\ge n^2$ time to encrypt & decrypt an $n$-bit message.

Slide 14/24: Wishful Thinking...
◮ Get $n$ pseudorandom scalars from just one (cheap) product operation?
  $a_i \star s + e_i = b_i \in \mathbb{Z}_q^n$
◮ Replace the $\mathbb{Z}_q^{n \times n}$-chunks by $\mathbb{Z}_q^n$.
Question
◮ How to define the product '$\star$' so that $(a_i, b_i)$ is pseudorandom?
◮ Careful! With small error, coordinate-wise multiplication is insecure!
Answer
◮ '$\star$' = multiplication in a polynomial ring: e.g., $\mathbb{Z}_q[X]/(X^n + 1)$. Fast and practical with FFT: $n \log n$ operations mod $q$.
◮ Same ring structures used in the NTRU cryptosystem [HPS'98], compact one-way / CR hash functions [Mic'02, PR'06, LM'06, ...]

Slide 15/24: LWE Over Rings, Over Simplified
◮ Let $R = \mathbb{Z}[X]/(X^n + 1)$ for $n$ a power of two, and $R_q = R/qR$
  ⋆ Elements of $R_q$ are polynomials of degree $< n$ with mod-$q$ coefficients
  ⋆ Operations in $R_q$ are very efficient using FFT-like algorithms
◮ Search: find secret ring element $s(X) \in R_q$, given:
  $a_1 \leftarrow R_q$, $b_1 = s \cdot a_1 + e_1 \in R_q$
  $a_2 \leftarrow R_q$, $b_2 = s \cdot a_2 + e_2 \in R_q$
  $a_3 \leftarrow R_q$, $b_3 = s \cdot a_3 + e_3 \in R_q$
  ... (the $e_i \in R$ are 'small')
◮ Decision: distinguish $(a_i, b_i)$ from uniform $(a_i, b_i) \in R_q \times R_q$ (with noticeable advantage)
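To make slides 14/24 and 15/24 concrete, here is an added example (not code from the talk) of arithmetic in $R_q = \mathbb{Z}_q[X]/(X^n + 1)$: a schoolbook negacyclic product, the same product computed in $n \log n$ time with a number-theoretic transform (the mod-$q$ analogue of the FFT, which requires $q \equiv 1 \pmod{2n}$ so that a primitive $2n$-th root of unity exists), and Ring-LWE samples $(a_i, b_i = s \cdot a_i + e_i)$ for one secret $s$. The NTT domain is exactly where multiplication becomes coordinate-wise, which is the 'cheap product' the slide asks for. The toy parameters $n = 8$, $q = 12289$ and the $\{-1, 0, 1\}$ error distribution are assumptions for illustration only, not secure choices.

```python
# Added example: arithmetic in R_q = Z_q[X]/(X^N + 1) and Ring-LWE samples.
# Toy parameters (assumed for illustration, not secure): N must be a power of two
# and Q a prime with 2N | Q - 1 so that a primitive 2N-th root of unity exists mod Q.
import random

N, Q = 8, 12289


def ring_mul_schoolbook(a, b):
    """Product of two coefficient vectors in Z_Q[X]/(X^N + 1), O(N^2).
    Because X^N = -1, a term landing on X^(N+k) wraps to X^k with its sign flipped."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] = (out[i + j] + ai * bj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - ai * bj) % Q
    return out


def primitive_2n_root():
    """A psi with psi^N = -1 mod Q, i.e. a primitive 2N-th root of unity."""
    for g in range(2, Q):
        psi = pow(g, (Q - 1) // (2 * N), Q)
        if pow(psi, N, Q) == Q - 1:
            return psi
    raise ValueError("Q - 1 must be divisible by 2N")


PSI = primitive_2n_root()
PSI_INV = pow(PSI, Q - 2, Q)
OMEGA = PSI * PSI % Q                 # primitive N-th root of unity
OMEGA_INV = pow(OMEGA, Q - 2, Q)
N_INV = pow(N, Q - 2, Q)


def ntt(a, root):
    """Evaluate a(X) at root^0, ..., root^(m-1) for m = len(a) by radix-2 recursion,
    O(m log m). root must be a primitive m-th root of unity mod Q."""
    m = len(a)
    if m == 1:
        return a[:]
    even, odd = ntt(a[0::2], root * root % Q), ntt(a[1::2], root * root % Q)
    out, w = [0] * m, 1
    for k in range(m // 2):
        t = w * odd[k] % Q
        out[k], out[k + m // 2] = (even[k] + t) % Q, (even[k] - t) % Q
        w = w * root % Q
    return out


def ring_mul_ntt(a, b):
    """Same product as ring_mul_schoolbook in O(N log N): twist coefficient i by psi^i
    so the negacyclic convolution becomes a cyclic one, multiply coordinate-wise in
    the NTT domain, transform back and untwist."""
    ta = [x * pow(PSI, i, Q) % Q for i, x in enumerate(a)]
    tb = [x * pow(PSI, i, Q) % Q for i, x in enumerate(b)]
    fc = [x * y % Q for x, y in zip(ntt(ta, OMEGA), ntt(tb, OMEGA))]
    tc = ntt(fc, OMEGA_INV)
    return [x * N_INV % Q * pow(PSI_INV, i, Q) % Q for i, x in enumerate(tc)]


def ntt_matches_schoolbook(seed, trials=5):
    """Cross-check the two multiplication routines on random ring elements."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randrange(Q) for _ in range(N)]
        b = [rng.randrange(Q) for _ in range(N)]
        if ring_mul_ntt(a, b) != ring_mul_schoolbook(a, b):
            return False
    return True


def rlwe_samples(seed, count):
    """Ring-LWE samples (a_i, b_i = s * a_i + e_i) for one secret s, as on slide 15/24.
    Returns the secret as well so a caller can verify the samples."""
    rng = random.Random(seed)

    def small():                      # 'small' element of R, coefficients in {-1, 0, 1}
        return [rng.choice((-1, 0, 1)) % Q for _ in range(N)]

    s, samples = small(), []
    for _ in range(count):
        a = [rng.randrange(Q) for _ in range(N)]          # a_i <- R_q uniform
        b = [(x + y) % Q for x, y in zip(ring_mul_ntt(s, a), small())]
        samples.append((a, b))
    return s, samples


def error_is_small(s, a, b, bound=1):
    """Holding the secret, b - s*a must be the small error: every centred coefficient <= bound."""
    diff = [(x - y) % Q for x, y in zip(b, ring_mul_schoolbook(s, a))]
    return all(min(d, Q - d) <= bound for d in diff)
```

The twist by $\psi^i$ is what turns the cyclic FFT into a negacyclic one; NewHope-style implementations fold those twiddles into the butterflies and keep all elements permanently in NTT form so that each ring product costs only $n$ coordinate-wise multiplications.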

Slide 16/24: Hardness of Ring-LWE [LyubashevskyPeikertRegev'10]
◮ Two main theorems (reductions):
  worst-case approx-SVP on ideal lattices in $R$ $\le$ search $R$-LWE $\le$ decision $R$-LWE
  (first step: quantum, any $R = \mathcal{O}_K$; second step: classical, any cyclotomic $R$)
  1 If you can find $s$ given $(a_i, b_i)$, then you can find approximately shortest vectors in any ideal lattice in $R$ (using a quantum algorithm).
  2 If you can distinguish $(a_i, b_i)$ from uniform $(a_i, b_i)$, then you can find $s$.
◮ Then: decision $R$-LWE $\le$ lots of crypto
  ⋆ If you can break the crypto, then you can distinguish $(a_i, b_i)$ from uniform $(a_i, b_i)$...

Slide 17/24: Ideal Lattices
◮ Say $R = \mathbb{Z}[X]/(X^n + 1)$ for power-of-two $n$. (Or $R = \mathcal{O}_K$.)
◮ An ideal $I \subseteq R$ is closed under $+$ and $-$, and under $\cdot$ with $R$.
To get ideal lattices, embed $R$ and its ideals into $\mathbb{R}^n$. How?
1 Obvious answer: 'coefficient embedding'
  $a_0 + a_1 X + \cdots + a_{n-1} X^{n-1} \in R \mapsto (a_0, \ldots, a_{n-1}) \in \mathbb{Z}^n$
  $+$ is coordinate-wise, but analyzing $\cdot$ is cumbersome.
2 Minkowski: 'canonical embedding.' Let $\omega = \exp(\pi i / n) \in \mathbb{C}$, so the roots of $X^n + 1$ are $\omega^1, \omega^3, \ldots, \omega^{2n-1}$. Embed:
  $a(X) \in R \mapsto (a(\omega^1), a(\omega^3), \ldots, a(\omega^{2n-1})) \in \mathbb{C}^n$
  Both $+$ and $\cdot$ are coordinate-wise.
  Error distribution is Gaussian in the canonical embedding.

Slide 18/24: Ideal Lattices
◮ Say $R = \mathbb{Z}[X]/(X^2 + 1)$. Embeddings map $X \mapsto \pm i$: $\sigma(1) = (1, 1)$, $\sigma(X) = (i, -i)$.
◮ $I = \langle X - 2, -3X + 1 \rangle$ is an ideal in $R$. (The slide's figure plots the lattice points, with $\sigma(X - 2)$ and $\sigma(-3X + 1)$ marked.)
(Approximate) Shortest Vector Problem
◮ Given (an arbitrary basis of) an arbitrary ideal $I \subseteq R$, find a nearly shortest nonzero $a \in I$.
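The two embeddings and the small ideal of slides 17/24 and 18/24, as an added example that is not code from the talk: the canonical embedding evaluates $a(X)$ at the odd powers of $\omega = \exp(\pi i / n)$, and the checks below confirm that $\sigma(a \cdot b) = \sigma(a) \cdot \sigma(b)$ coordinate-wise while the coordinate-wise product of coefficient vectors is not the ring product. For $R = \mathbb{Z}[X]/(X^2 + 1)$ and $I = \langle X - 2, -3X + 1 \rangle$ it also finds the shortest nonzero element of $I$ by brute force over small integer combinations of the generators times $X^i$; that search, and measuring length by the squared norm of the coefficient vector, are my own choices, and the search is only feasible because $n = 2$.

```python
# Added example: coefficient vs. canonical embedding of R = Z[X]/(X^n + 1), and
# the ideal lattice I = <X - 2, -3X + 1> in Z[X]/(X^2 + 1) from slide 18/24.
import cmath
import itertools


def ring_mul(a, b):
    """Product in Z[X]/(X^n + 1) over the integers (schoolbook; X^n = -1)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return out


def canonical_embedding(a):
    """sigma(a) = (a(w^1), a(w^3), ..., a(w^(2n-1))) with w = exp(pi*i/n);
    the odd powers of w are exactly the n complex roots of X^n + 1."""
    n = len(a)
    w = cmath.exp(1j * cmath.pi / n)
    return [sum(c * w ** (k * i) for i, c in enumerate(a)) for k in range(1, 2 * n, 2)]


def embedding_is_multiplicative(a, b, tol=1e-9):
    """sigma(a * b) == sigma(a) * sigma(b) coordinate-wise (slide 17/24, point 2)."""
    lhs = canonical_embedding(ring_mul(a, b))
    rhs = [x * y for x, y in zip(canonical_embedding(a), canonical_embedding(b))]
    return all(abs(x - y) < tol for x, y in zip(lhs, rhs))


def coefficient_product_is_ring_product(a, b):
    """The coefficient embedding is additive but NOT multiplicative: the coordinate-wise
    product of coefficient vectors generally differs from the true ring product."""
    return [x * y for x, y in zip(a, b)] == ring_mul(a, b)


def ideal_generating_set(generators):
    """The ideal <g_1, ..., g_k> is the Z-span of all g_j * X^i (i < n). In coefficient
    coordinates these vectors generate the ideal lattice (possibly redundantly)."""
    n = len(generators[0])
    vecs = []
    for g in generators:
        for i in range(n):
            x_pow_i = [0] * n
            x_pow_i[i] = 1
            vecs.append(ring_mul(g, x_pow_i))
    return vecs


def shortest_nonzero_in_ideal(generators, box=3):
    """Brute-force SVP on the ideal lattice: try every integer combination of the
    generating vectors with coefficients in [-box, box] and keep the shortest nonzero
    one (squared Euclidean norm of the coefficient vector). Exponential in the number
    of generators, so usable only for toy n; real instances need lattice reduction."""
    vecs = ideal_generating_set(generators)
    n = len(vecs[0])
    best, best_norm2 = None, None
    for coeffs in itertools.product(range(-box, box + 1), repeat=len(vecs)):
        v = [sum(c * g[i] for c, g in zip(coeffs, vecs)) for i in range(n)]
        norm2 = sum(x * x for x in v)
        if norm2 > 0 and (best_norm2 is None or norm2 < best_norm2):
            best, best_norm2 = v, norm2
    return best, best_norm2
```

For this particular ring $\mathbb{Z}[X]/(X^2 + 1)$ is the Gaussian integers, where $X - 2$ divides $-3X + 1$, so $I$ is in fact generated by $X - 2$ alone and its shortest nonzero elements have squared coefficient norm $5$; the brute-force search recovers exactly that, which is a useful sanity check before trusting the routine on any other small input.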

Slide 19/24: Complexity of Ideal Lattices
1 We know approx-$R$-SVP $\le$ $R$-LWE (quantumly). Other direction? Can we solve $R$-LWE using an oracle for approx-$R$-SVP?
  $R$-LWE samples $(a_i, b_i)$ don't readily translate to ideals in $R$.
2 How hard/easy is $\mathrm{poly}(n)$-$R$-SVP? (In cyclotomics etc.)
  ⋆ Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general $n$-dim lattices is known.
  ⋆ But $2^{O(\sqrt{n \log n})}$-SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR'16, BS'16, K'16, CDW'16]
  ⋆ There is a $2^{\Omega(\sqrt{n / \log n})}$ barrier for the main technique. Can it be circumvented?

Slide 20/24: Implementations

Slide 21/24: Key Exchange
◮ NewHope [ADPS'15]: Ring-LWE key exchange à la [LPR'10, P'14], with many optimizations and conjectured $\ge 200$-bit quantum security.
  Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security.
  Google has experimentally deployed NewHope+ECDH in Chrome Canary and its own web servers.
◮ Frodo [BCDMNNRS'16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured $\ge 128$-bit quantum security.
  About 10x slower than NewHope, but only $\approx$ 2x slower than ECDH.

Slide 22/24: Digital Signatures
◮ Most implementations follow the design from [Lyubashevsky'09/'12, ...].
◮ BLISS [DDLL'13]: optimized implementation in this framework.
◮ Compelling efficiency:

  System      Sig (Kb)  PK (Kb)  KSign/sec  KVer/sec
  RSA-4096    4.0       4.0      0.1        7.5
  ECDSA-256   0.5       0.25     9.5        2.5
  BLISS       5.6       7.0      8.0        33

  (Conjectured $\ge 128$ bits of security, openssl implementations.)

Slide 23/24: Other Implementations
◮ HElib [HaleviShoup]: an 'assembly language' for fully homomorphic encryption (FHE).
  Implements many advanced FHE features, holds most speed records.
◮ Λ∘λ (LOL) [CrockettPeikert'16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems.
  Focuses on modularity, safety, and consistency with best theory.

Slide 24/24: Conclusions
◮ Lattices are a very attractive foundation for 'post-quantum' crypto, both 'basic' and 'advanced.'
◮ Cryptanalysis/security estimates for concrete parameters are subtle and ongoing, but maturing.
◮ A big success story for rigorous theory and practical engineering alike!
