lattice based cryptography constructing trapdoors and
play

Lattice-Based Cryptography: Constructing Trapdoors and More - PowerPoint PPT Presentation

Mar 16, 2024 •31 likes •871 views

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

  1. Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18

  2. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q 2 / 18

  3. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q f A ( x ) = Ax mod q ∈ Z n q (“short” x , surjective) CRHF if SIS hard [Ajtai’96,. . . ] 2 / 18

  4. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] 2 / 18

  5. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] ◮ Lattice interpretation: Λ ⊥ ( A ) = { x ∈ Z m : f A ( x ) = Ax = 0 mod q } (0 , q ) O ( q, 0) 2 / 18

  6. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] u ( A ) = { x ∈ Z m : f A ( x ) = Ax = u mod q } ◮ Lattice interpretation: Λ ⊥ (0 , q ) x O ( q, 0) 2 / 18

  7. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] ◮ f A , g A in forward direction yield CRHFs, CPA security (w/FHE!) . . . but not much else. 2 / 18

  8. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . 3 / 18

  9. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Invert g A ( s , e ) = s t A + e t : find the unique preimage s (equivalently, e ) 3 / 18

  10. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Invert u = f A ( x ′ ) = Ax ′ : Invert g A ( s , e ) = s t A + e t : sample random x ← f − 1 A ( u ) find the unique preimage s with prob ∝ exp( −� x � 2 /s 2 ) . (equivalently, e ) 3 / 18

  11. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Invert u = f A ( x ′ ) = Ax ′ : Invert g A ( s , e ) = s t A + e t : sample random x ← f − 1 A ( u ) find the unique preimage s with prob ∝ exp( −� x � 2 /s 2 ) . (equivalently, e ) ◮ How? Use a “strong trapdoor” for A : a short basis of Λ ⊥ ( A ) [Babai’86,GGH’97,Klein’01,GPV’08,P’10] O 3 / 18

  12. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . 4 / 18

  13. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( msg ): let u = H ( msg ) and output Gaussian x ← f − 1 A ( u ) . 4 / 18

  14. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( msg ): let u = H ( msg ) and output Gaussian x ← f − 1 A ( u ) . ◮ Verify( msg, x ): check f A ( x ) = Ax = H ( msg ) and x short enough. 4 / 18

  15. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( msg ): let u = H ( msg ) and output Gaussian x ← f − 1 A ( u ) . ◮ Verify( msg, x ): check f A ( x ) = Ax = H ( msg ) and x short enough. ◮ Security: finding short enough preimages in f A must be hard. 4 / 18

  16. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( msg ): let u = H ( msg ) and output Gaussian x ← f − 1 A ( u ) . ◮ Verify( msg, x ): check f A ( x ) = Ax = H ( msg ) and x short enough. ◮ Security: finding short enough preimages in f A must be hard. Other “Black-Box” Applications of f − 1 , g − 1 ◮ Standard Model (no RO) signatures [CHKP’10,R’10,B’10] ◮ SM CCA-secure encryption [PW’08,P’09] ◮ SM (Hierarchical) IBE [GPV’08,CHKP’10,ABB’10a,ABB’10b] ◮ Many more: OT, NISZK, homom enc/sigs, deniable enc, func enc, . . . [PVW’08,PV’08,GHV’10,GKV’10,BF’10a,BF’10b,OPW’11,AFV’11,ABVVW’11,. . . ] 4 / 18

  17. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( msg ): let u = H ( msg ) and output Gaussian x ← f − 1 A ( u ) . ◮ Verify( msg, x ): check f A ( x ) = Ax = H ( msg ) and x short enough. ◮ Security: finding short enough preimages in f A must be hard. Some Drawbacks. . . ✗ Generating A w/ short basis is complicated and slow [Ajtai’99,AP’09] 4 / 18

  18. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( msg ): let u = H ( msg ) and output Gaussian x ← f − 1 A ( u ) . ◮ Verify( msg, x ): check f A ( x ) = Ax = H ( msg ) and x short enough. ◮ Security: finding short enough preimages in f A must be hard. Some Drawbacks. . . ✗ Generating A w/ short basis is complicated and slow [Ajtai’99,AP’09] ✗ Known inversion algorithms trade quality for efficiency 4 / 18

  19. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( msg ): let u = H ( msg ) and output Gaussian x ← f − 1 A ( u ) . ◮ Verify( msg, x ): check f A ( x ) = Ax = H ( msg ) and x short enough. ◮ Security: finding short enough preimages in f A must be hard. Some Drawbacks. . . ✗ Generating A w/ short basis is complicated and slow [Ajtai’99,AP’09] ✗ Known inversion algorithms trade quality for efficiency tight, iterative, fp looser, parallel, offline g − 1 [Babai’86] [Babai’86] A f − 1 [Klein’01,GPV’08] [P’10] A 4 / 18

  20. Today “Strong” trapdoor generation and inversion algorithms: 5 / 18

  21. Today “Strong” trapdoor generation and inversion algorithms: ✔ Very simple & fast ⋆ Generation: one matrix mult. No HNF or inversion (cf. [A’99,AP’09] ) ⋆ Inversion of f A , g A : practical, parallel, & mostly offline ⋆ No more efficiency-vs-quality tradeoff 5 / 18

  22. Today “Strong” trapdoor generation and inversion algorithms: ✔ Very simple & fast ⋆ Generation: one matrix mult. No HNF or inversion (cf. [A’99,AP’09] ) ⋆ Inversion of f A , g A : practical, parallel, & mostly offline ⋆ No more efficiency-vs-quality tradeoff ✔ Tighter parameters m and s ⋆ Asymptotically optimal with small constant factors 5 / 18

  23. Today “Strong” trapdoor generation and inversion algorithms: ✔ Very simple & fast ⋆ Generation: one matrix mult. No HNF or inversion (cf. [A’99,AP’09] ) ⋆ Inversion of f A , g A : practical, parallel, & mostly offline ⋆ No more efficiency-vs-quality tradeoff ✔ Tighter parameters m and s ⋆ Asymptotically optimal with small constant factors ✔ New kind of trapdoor — not a basis! (But just as powerful.) 5 / 18

  24. Today “Strong” trapdoor generation and inversion algorithms: ✔ Very simple & fast ⋆ Generation: one matrix mult. No HNF or inversion (cf. [A’99,AP’09] ) ⋆ Inversion of f A , g A : practical, parallel, & mostly offline ⋆ No more efficiency-vs-quality tradeoff ✔ Tighter parameters m and s ⋆ Asymptotically optimal with small constant factors ✔ New kind of trapdoor — not a basis! (But just as powerful.) ✔ More efficient applications: CCA, (H)IBE in standard model 5 / 18

  25. Overview of Methods 1 Design a fixed, public lattice defined by “gadget” matrix G . Design fast, parallel, offline algorithms for f − 1 G , g − 1 G . 6 / 18

  26. Overview of Methods 1 Design a fixed, public lattice defined by “gadget” matrix G . Design fast, parallel, offline algorithms for f − 1 G , g − 1 G . 2 Randomize G ↔ A via a “nice” unimodular transformation. (The transformation is the trapdoor!) 6 / 18

  27. Overview of Methods 1 Design a fixed, public lattice defined by “gadget” matrix G . Design fast, parallel, offline algorithms for f − 1 G , g − 1 G . 2 Randomize G ↔ A via a “nice” unimodular transformation. (The transformation is the trapdoor!) 3 Reduce f − 1 A , g − 1 f − 1 G , g − 1 to plus pre-/post-processing. A G 6 / 18

  28. Step 1: Gadget G and Inversion Algorithms ◮ Let q = 2 k . Define 1 -by- k “parity check” vector � 2 k − 1 � ∈ Z 1 × k g := 1 2 4 · · · . q 7 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto &

1.2k views • 76 slides
Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto & Applications,

1.27k views • 94 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N

1.2k views • 82 slides
Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Constructing a Crystal Once you specify the lattice, you can then hang a

Constructing a Crystal Once you specify the lattice, you can then hang a

Constructing a Crystal Once you specify the lattice, you can then hang a collection of atoms off of each position in the lattice Important: every lattice point (point on the scaffold) must have the exact same environment.

304 views • 18 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Logistics Assignments Crossover and Mutation Checkpoint 1 -- Problem Graded --

Logistics Assignments Crossover and Mutation Checkpoint 1 -- Problem Graded --

Logistics Assignments Crossover and Mutation Checkpoint 1 -- Problem Graded -- comments on mycourses Checkpoint 2 --Framework Mostly all graded -- comments on mycourses Checkpoint 3 -- Genotype / Phenotype Due last

422 views • 9 slides
Embeddings of Metrics on Strings and Permutations Graham Cormode joint work with S.

Embeddings of Metrics on Strings and Permutations Graham Cormode joint work with S.

Embeddings of Metrics on Strings and Permutations Graham Cormode joint work with S. Muthukrishnan, Cenk Sahinalp Miss Hepburn runs the gamut of emotions from A to B Dorothy Parker, 1933 Permutations and Strings Strings Web pages,

922 views • 42 slides
VLSI Placement Sadiq M. Sait & Habib Youssef December 1995 Placement Placement is the

VLSI Placement Sadiq M. Sait & Habib Youssef December 1995 Placement Placement is the

King Fahd University of Petroleum & Minerals College of Computer Sciences & Engineering Department of Computer Engineering VLSI Placement Sadiq M. Sait & Habib Youssef December 1995 Placement Placement is the process of

1.15k views • 52 slides
Beamline Optimization Laura Fields Northwestern University 22 January 2015 1 Introduction

Beamline Optimization Laura Fields Northwestern University 22 January 2015 1 Introduction

Beamline Optimization Laura Fields Northwestern University 22 January 2015 1 Introduction Neutrino beamlines have a lot of configurable parameters: Primary beam energy, target size/shape, horn shapes/current/

563 views • 39 slides
Inverse Kinematics (part 2) CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Spring

Inverse Kinematics (part 2) CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Spring

Inverse Kinematics (part 2) CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Spring 2016 Forward Kinematics We will use the vector: ... 1 2 M to represent the array of M joint DOF values

930 views • 75 slides
Parallel Shift-Invert Spectrum Slicing on Distributed Architectures with GPU Accelerators

Parallel Shift-Invert Spectrum Slicing on Distributed Architectures with GPU Accelerators

Parallel Shift-Invert Spectrum Slicing on Distributed Architectures with GPU Accelerators (pap167s1) Da David Williams-You Young, Chao o Ya Yang Sc Scalable e So Solver ers s Group up Co Computational Research Di Division La

367 views • 17 slides
Inverse kinematics Forward kinematics Given a joint configuration, what is the position of an end

Inverse kinematics Forward kinematics Given a joint configuration, what is the position of an end

Kinematics The study of motion without regard to the forces that cause it Inverse kinematics Forward kinematics Given a joint configuration, what is the position of an end point on the structure? Inverse kinematics Given the position for an

321 views • 7 slides
Matrix Calculations: Inverse and Basis Transformation A. Kissinger (and H. Geuvers) Institute

Matrix Calculations: Inverse and Basis Transformation A. Kissinger (and H. Geuvers) Institute

Existence and uniqueness of inverse Determinants Radboud University Nijmegen Basis transformations Matrix Calculations: Inverse and Basis Transformation A. Kissinger (and H. Geuvers) Institute for Computing and Information Sciences

944 views • 39 slides

More recommend