lattice based cryptography i
play

Lattice-based cryptography (I) Thijs Laarhoven ts - PowerPoint PPT Presentation

Aug 25, 2022 •337 likes •872 views

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

  1. Lattice-based cryptography (I) Thijs Laarhoven ♠❛✐❧❅t❤✐❥s✳❝♦♠ ❤tt♣✿✴✴✇✇✇✳t❤✐❥s✳❝♦♠✴ PQCrypto Summer School 2017 (June 20, 2017)

  2. Part 1: Lattices, cryptography, and lattice basis reduction Thijs Laarhoven ♠❛✐❧❅t❤✐❥s✳❝♦♠ ❤tt♣✿✴✴✇✇✇✳t❤✐❥s✳❝♦♠✴ PQCrypto Summer School 2017 (June 20, 2017)

  3. Lattices What is a lattice? O

  4. Lattices What is a lattice? b 2 b 1 O

  5. Lattices What is a lattice? b 2 b 1 O

  6. Lattices Shortest Vector Problem (SVP) b 2 b 1 s O

  7. Lattices Shortest Vector Problem (SVP) b 2 b 1 s O - s

  8. Lattices Closest Vector Problem (CVP) t b 2 b 1 O

  9. Lattices Closest Vector Problem (CVP) t b 2 v b 1 O

  10. Lattices Lattice basis reduction b 2 b 1 r 2 r 1 O

  11. Outline Motivation: GGH encryption Lattice basis reduction Gauss reduction LLL reduction BKZ reduction

  12. Outline Motivation: GGH encryption Lattice basis reduction Gauss reduction LLL reduction BKZ reduction

  13. GGH cryptosystem Overview � � r 1 Private key: R = r 2 � � b 1 Public key: B = b 2 Encrypt m : v = m B c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  14. GGH cryptosystem Private key � � r 1 Private key: R = r 2 � � b 1 Public key: B = b 2 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  15. GGH cryptosystem Private key � � r 1 Private key: R = r 2 � � b 1 Public key: B = r 2 b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  16. GGH cryptosystem Public key � � r 1 Private key: R = r 2 � � b 1 Public key: B = r 2 b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  17. GGH cryptosystem Public key � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  18. GGH cryptosystem Encryption � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  19. GGH cryptosystem Encryption � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 b 2 r 1 Encrypt m : v v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  20. GGH cryptosystem Encryption � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  21. GGH cryptosystem Decryption with good basis � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  22. GGH cryptosystem Decryption with good basis � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  23. GGH cryptosystem Decryption with good basis � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  24. GGH cryptosystem Decryption with good basis � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v' v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  25. GGH cryptosystem Decryption with bad basis � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  26. GGH cryptosystem Decryption with bad basis � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  27. GGH cryptosystem Decryption with bad basis � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  28. GGH cryptosystem Decryption with bad basis � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v = m B O v' c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  29. GGH cryptosystem Overview � � r 1 b 2 Private key: R = r 2 b 1 � � b 1 Public key: B = r 2 c b 2 r 1 Encrypt m : v v = m B O c = v + e Decrypt c : v ′ = ⌊ c R − 1 ⌉ R m ′ = v ′ B − 1

  30. Outline Motivation: GGH encryption Lattice basis reduction Gauss reduction LLL reduction BKZ reduction

  31. Gauss reduction b 2 b 1 O

  32. Gauss reduction b 2 b 1 O

  33. Gauss reduction b 1 b 2 O

  34. Gauss reduction b 1 b 2 O

  35. Gauss reduction b 1 b 2 O

  36. Gauss reduction b 1 b 2 O

  37. Gauss reduction b 1 b 2 O

  38. Gauss reduction Given B = { b 1 , b 2 } , repeat two steps: • Swap : If � b 1 � > � b 2 � , then swap b 1 and b 2 . • Reduce : While � b 2 ± b 1 � < � b 2 � , replace b 2 ← b 2 ± b 1 .

  39. Gauss reduction Given B = { b 1 , b 2 } , repeat two steps: • Swap : If � b 1 � > � b 2 � , then swap b 1 and b 2 . • Reduce : While � b 2 ± b 1 � < � b 2 � , replace b 2 ← b 2 ± b 1 . At the end, b 1 is a shortest (non-zero) lattice vector and b 2 a “second shortest” (non-zero) lattice vector.

  40. Gauss reduction

  41. Gauss reduction

  42. LLL algorithm Lenstra-Lenstra-Lovasz (LLL) algorithm [ LLL82 ] • Blockwise generalization of Gauss reduction • Do reductions / swaps on ( b i , b i + 1 ) for i = 1,..., n − 1

  43. LLL algorithm

  44. LLL algorithm

  45. LLL algorithm

  46. BKZ algorithm Lenstra-Lenstra-Lovasz (LLL) algorithm [ LLL82 ] • Blockwise generalization of Gauss reduction • Do reductions / swaps on ( b i , b i + 1 ) for i = 1,..., n − 1

  47. BKZ algorithm Lenstra-Lenstra-Lovasz (LLL) algorithm [ LLL82 ] • Blockwise generalization of Gauss reduction • Do reductions / swaps on ( b i , b i + 1 ) for i = 1,..., n − 1 • Basis quality deteriorates with the dimension n ◮ Theoretically: � b 1 � ≤ 1.075 n · det ( � ) ◮ Experimentally: � b 1 � ≈ 1.022 n · det ( � )

  48. BKZ algorithm Lenstra-Lenstra-Lovasz (LLL) algorithm [ LLL82 ] • Blockwise generalization of Gauss reduction • Do reductions / swaps on ( b i , b i + 1 ) for i = 1,..., n − 1 • Basis quality deteriorates with the dimension n ◮ Theoretically: � b 1 � ≤ 1.075 n · det ( � ) ◮ Experimentally: � b 1 � ≈ 1.022 n · det ( � ) Blockwise Korkine-Zolotarev (BKZ) reduction [ Sch87, SE94 ] • Blockwise generalization of Korkine-Zolotarev reduction • Do reductions / swaps on ( b i ,..., b i + k − 1 ) for i = 1,..., n − k + 1 • Blocksize k offers time-quality tradeoff

  49. LLL algorithm

  50. BKZ algorithm

  51. BKZ algorithm Lenstra-Lenstra-Lovasz (LLL) algorithm [ LLL82 ] • Blockwise generalization of Gauss reduction • Do reductions / swaps on ( b i , b i + 1 ) for i = 1,..., n − 1 • Basis quality deteriorates with the dimension n ◮ Theoretically: � b 1 � ≤ 1.075 n · det ( � ) ◮ Experimentally: � b 1 � ≈ 1.022 n · det ( � ) Blockwise Korkine-Zolotarev (BKZ) reduction [ Sch87, SE94 ] • Blockwise generalization of Korkine-Zolotarev reduction • Do reductions / swaps on ( b i ,..., b i + k − 1 ) for i = 1,..., n − k + 1 • Blocksize k offers time-quality tradeoff

  52. BKZ algorithm Lenstra-Lenstra-Lovasz (LLL) algorithm [ LLL82 ] • Blockwise generalization of Gauss reduction • Do reductions / swaps on ( b i , b i + 1 ) for i = 1,..., n − 1 • Basis quality deteriorates with the dimension n ◮ Theoretically: � b 1 � ≤ 1.075 n · det ( � ) ◮ Experimentally: � b 1 � ≈ 1.022 n · det ( � ) Blockwise Korkine-Zolotarev (BKZ) reduction [ Sch87, SE94 ] • Blockwise generalization of Korkine-Zolotarev reduction • Do reductions / swaps on ( b i ,..., b i + k − 1 ) for i = 1,..., n − k + 1 • Blocksize k offers time-quality tradeoff BKZ uses exact SVP algorithm in dimension k as subroutine

  53. BKZ algorithm Lenstra-Lenstra-Lovasz (LLL) algorithm [ LLL82 ] • Blockwise generalization of Gauss reduction • Do reductions / swaps on ( b i , b i + 1 ) for i = 1,..., n − 1 • Basis quality deteriorates with the dimension n ◮ Theoretically: � b 1 � ≤ 1.075 n · det ( � ) ◮ Experimentally: � b 1 � ≈ 1.022 n · det ( � ) Blockwise Korkine-Zolotarev (BKZ) reduction [ Sch87, SE94 ] • Blockwise generalization of Korkine-Zolotarev reduction • Do reductions / swaps on ( b i ,..., b i + k − 1 ) for i = 1,..., n − k + 1 • Blocksize k offers time-quality tradeoff BKZ uses exact SVP algorithm in dimension k as subroutine Next hour: How to solve exact SVP in high dimensions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, PSL Research University, INRIA (Internship at CryptoExperts, Paris) ECRYPT-NET School on Correct and Secure Implementation Crete, Greece 8

850 views • 67 slides
Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 September 14, 2020

711 views • 69 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

Standardizing Lattice Cryptography and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the oldest and most (the most?) efficient quantum-resilient alternatives for basic primitives Public key

844 views • 62 slides
RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

22nd IEEE Symposium on Computer Arithmetic RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core Procedure Jean-Claude Bajard , Julien Eynard Nabil Merkiche , Thomas Plantard Sorbonne

383 views • 25 slides
Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago;

Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago;

1 Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago; Ruhr University Bochum 2 2000 Cohen cryptosystem Public key: vector of integers K = ( K 1 ; : : : ; K N ) { X; : : : ; X } N .

1.84k views • 164 slides
Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

1 Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of Illinois at Chicago Crypto 1999 Nguyen: At Crypto 97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the

683 views • 32 slides
Todays Agenda Wrap up of Number Theory (Sec. 3.7) Fermats Little Theorem Public

Todays Agenda Wrap up of Number Theory (Sec. 3.7) Fermats Little Theorem Public

Todays Agenda Wrap up of Number Theory (Sec. 3.7) Fermats Little Theorem Public Key Cryptography (RSA) Strings and Languages (Chap. 12) Based on Rosen and slides by K. Busch 1 Fermats little theorem: For any prime and

357 views • 14 slides
IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and

IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and

IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and Christina Ppper 25.02.2020 NDSS Symposium, San Diego, USA Motivation: Internet Passes 2 LTE Security Aims Mutual Authentication Traffic

766 views • 15 slides
Mix-Nets Lecture 19 Some tools for electronic-voting (and other things) Mix-Nets Mix-Nets

Mix-Nets Lecture 19 Some tools for electronic-voting (and other things) Mix-Nets Mix-Nets

Mix-Nets Lecture 19 Some tools for electronic-voting (and other things) Mix-Nets Mix-Nets Originally proposed by Chaum (1981) for anonymous communication Mix-Nets Originally proposed by Chaum (1981) for anonymous communication Input: a

1.65k views • 120 slides
Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are

Cryptography Hard Problems encryption message encryption key algorithm Some problems are hard to solve. No polynomial time algorithm is known. Transmission E.g., NP-hard problems such as machine scheduling, Channel bin packing,

516 views • 8 slides
Cryptography: RSA Encryption and Decryption Greg Plaxton Theory in Programming Practice, Spring

Cryptography: RSA Encryption and Decryption Greg Plaxton Theory in Programming Practice, Spring

Cryptography: RSA Encryption and Decryption Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Joining the RSA Cryptosystem: Quick Review First, Bob randomly chooses two

293 views • 14 slides
Content-Base Confidentiality lessons learned in the past year Yingdi Yu UCLA 9/29/15

Content-Base Confidentiality lessons learned in the past year Yingdi Yu UCLA 9/29/15

Content-Base Confidentiality lessons learned in the past year Yingdi Yu UCLA 9/29/15 ndncomm2015 1 What is content-based confidentiality? Confidentiality stays with content independent from where the content is

456 views • 11 slides
How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20

How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20

How Dangerous are Decryp- tion Failures in Lattice-based Encryption? Jan-Pieter DAnvers 20 november 2019 1 Outline 1 Introduction 2 How to find 1st failure 3 How to find next failure 4 Recovering the secret 5 Conclusion 1 1 LWE hard

1.07k views • 81 slides
Controlled Sharing of Sensitive Content NDN Case Study Yingdi Yu UCLA 10/3/15 1

Controlled Sharing of Sensitive Content NDN Case Study Yingdi Yu UCLA 10/3/15 1

Controlled Sharing of Sensitive Content NDN Case Study Yingdi Yu UCLA 10/3/15 1 Content-based confidentiality Confidentiality stays with content independent from where the content is independent from how it is

647 views • 10 slides

More recommend