lattice based cryptography ii constructions and
play

Lattice-based cryptography II Constructions and implementation - PowerPoint PPT Presentation

Dec 29, 2022 •628 likes •1.44k views

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

  1. Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27

  2. Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and encryption schemes Reaction attacks and countermeasures Lattice-based signature schemes Side-channel attacks and countermeasures July 1st, 2019 2 / 27

  3. Lattice-based cryptography Some features of lattice-based cryptography: Key-exchange, encryption, digital signatures But also more exotic stuff, e.g. homomorphic encryption July 1st, 2019 3 / 27

  4. Lattice-based cryptography Some features of lattice-based cryptography: Key-exchange, encryption, digital signatures But also more exotic stuff, e.g. homomorphic encryption Pro’s: The algorithms are quite fast The keys, cipher-texts, signatures are *quite small* July 1st, 2019 3 / 27

  5. Lattice-based cryptography Some features of lattice-based cryptography: Key-exchange, encryption, digital signatures But also more exotic stuff, e.g. homomorphic encryption Pro’s: The algorithms are quite fast The keys, cipher-texts, signatures are *quite small* Con’s: Many design parameters to choose (and attacks to avoid) Asymptotic hardness results vs concrete security/cryptanalysis July 1st, 2019 3 / 27

  6. Lattice-based cryptography Some features of lattice-based cryptography: Key-exchange, encryption, digital signatures But also more exotic stuff, e.g. homomorphic encryption Pro’s: The algorithms are quite fast The keys, cipher-texts, signatures are *quite small* Con’s: Many design parameters to choose (and attacks to avoid) Asymptotic hardness results vs concrete security/cryptanalysis Largest category of NIST post-quantum submissions Some real-life experiments (e.g. Google) July 1st, 2019 3 / 27

  7. Learning With Errors July 1st, 2019 4 / 27

  8. Learning with Errors (LWE) - Noisy inner product Let q be a prime, n > 0 (usually a power of 2), χ some narrow error distribution in Z q , � x , y � = � n i =1 x i y i mod q usual inner-product Let s ← χ n be a secret Given pairs of ( a , b = � a , s � + e ) with a ∈ Z n q sampled uniform at random e sampled from χ (plain-) LWE: find s July 1st, 2019 5 / 27

  9. Learning with Errors (LWE) - Noisy inner product Let q be a prime, n > 0 (usually a power of 2), χ some narrow error distribution in Z q , � x , y � = � n i =1 x i y i mod q usual inner-product Let s ← χ n be a secret Given pairs of ( a , b = � a , s � + e ) with a ∈ Z n q sampled uniform at random e sampled from χ (plain-) LWE: find s a 0 a 1 a 2 “Random” = + “Small” a n − 1 s e A b n samples July 1st, 2019 5 / 27

  10. Learning with Errors (LWE) - Noisy inner product Let q be a prime, n > 0 (usually a power of 2), χ some narrow error distribution in Z q , � x , y � = � n i =1 x i y i mod q usual inner-product Let s ← χ n be a secret Given pairs of ( a , b = � a , s � + e ) with a ∈ Z n q sampled uniform at random e sampled from χ (plain-) LWE: find s Common choice for χ : the discrete Gaussian distribution D σ Regev showed that a hard lattice problem can be reduced to LWE D σ ( x ) 0.04 : σ = 10 : σ = 20 : σ = 30 0.03 0.02 0.01 x -40 -20 20 40 July 1st, 2019 5 / 27

  11. Learning with Errors (LWE) - Noisy inner product Let q be a prime, n > 0 (usually a power of 2), χ some narrow error distribution in Z q , � x , y � = � n i =1 x i y i mod q usual inner-product Let s ← χ n be a secret Given pairs of ( a , b = � a , s � + e ) with a ∈ Z n q sampled uniform at random e sampled from χ (plain-) LWE: find s Common choice for χ : the discrete Gaussian distribution D σ Regev showed that a hard lattice problem can be reduced to LWE First proposals for cryptosystems were quite big... July 1st, 2019 5 / 27

  12. Ring-LWE: noisy polynomials Let q be a prime, n > 0 (usually a power of 2), Now define R = Z q [ x ] / ( x n ± 1). Can add/subtract and multiply f = f 0 + f 1 x + ... + f n − 1 x n − 1 ∈ R f i ∈ [0 , q ) f + g ∈ R fg ∈ R July 1st, 2019 6 / 27

  13. Ring-LWE: noisy polynomials Let q be a prime, n > 0 (usually a power of 2), Now define R = Z q [ x ] / ( x n ± 1). Can add/subtract and multiply χ some narrow error distribution in R Let s ← χ be a secret Given pairs of ( a , b = as + e ) with a ∈ R sampled uniform at random e sampled from χ ring-LWE: find s July 1st, 2019 6 / 27

  14. Ring-LWE: noisy polynomials Let q be a prime, n > 0 (usually a power of 2), Now define R = Z q [ x ] / ( x n ± 1). Can add/subtract and multiply χ some narrow error distribution in R Let s ← χ be a secret Given pairs of ( a , b = as + e ) with a ∈ R sampled uniform at random e sampled from χ ring-LWE: find s a a x a x 2 “Random” = + “Small” a x n − 1 s e A b 1 sample July 1st, 2019 6 / 27

  15. Ring-LWE: noisy polynomials Let q be a prime, n > 0 (usually a power of 2), Now define R = Z q [ x ] / ( x n ± 1). Can add/subtract and multiply χ some narrow error distribution in R Let s ← χ be a secret Given pairs of ( a , b = as + e ) with a ∈ R sampled uniform at random e sampled from χ ring-LWE: find s Common choice for χ : the discrete Gaussian distribution D n σ Related to problems in ideal (or “cyclic”) lattices D σ ( x ) 0.04 : σ = 10 : σ = 20 : σ = 30 0.03 0.02 0.01 x -40 -20 20 40 July 1st, 2019 6 / 27

  16. Ring-LWE: noisy polynomials Let q be a prime, n > 0 (usually a power of 2), Now define R = Z q [ x ] / ( x n ± 1). Can add/subtract and multiply χ some narrow error distribution in R Let s ← χ be a secret Given pairs of ( a , b = as + e ) with a ∈ R sampled uniform at random e sampled from χ ring-LWE: find s Common choice for χ : the discrete Gaussian distribution D n σ Related to problems in ideal (or “cyclic”) lattices Many design choices (e.g. NTRU: q = 2 ℓ ; n prime; χ sparse) July 1st, 2019 6 / 27

  17. Lattice-based Key-Exchange July 1st, 2019 7 / 27

  18. Mimic Diffie-Hellman key-exchange Recall Diffie-Hellman key-exchange Alice Public: G = � g � , | G | = n Bob a ← $ [1 , n ) b ← $ [1 , n ) pub A pub A = g a pub B = g b pub B K A = ( pub B ) a = g ab K B = ( pub A ) b = g ab July 1st, 2019 8 / 27

  19. Mimic Diffie-Hellman key-exchange Recall Diffie-Hellman key-exchange Alice Public: G = � g � , | G | = n Bob a ← $ [1 , n ) b ← $ [1 , n ) pub A pub A = g a pub B = g b pub B K A = ( pub B ) a = g ab K B = ( pub A ) b = g ab Both parties end up with shared key K = g ab July 1st, 2019 8 / 27

  20. LWE key-exchange: noisy Diffie-Hellman ring-LWE key-exchange Public: g ∈ R , distribution χ = D n Alice Bob σ b , e ′ ← $ χ a , e ← $ χ pub A pub A = ga + e pub B = gb + e ′ pub B S A = ( pub B ) a S B = ( pub A ) b = gab + e ′ a = gab + eb July 1st, 2019 9 / 27

  21. LWE key-exchange: noisy Diffie-Hellman ring-LWE key-exchange Public: g ∈ R , distribution χ = D n Alice Bob σ b , e ′ ← $ χ a , e ← $ χ pub A pub A = ga + e pub B = gb + e ′ pub B S A = ( pub B ) a S B = ( pub A ) b = gab + e ′ a = gab + eb a , b , e , e ′ ← D n σ , so small! Keys are approximately equal: gab + e ′ a ≈ gab + eb July 1st, 2019 9 / 27

  22. LWE key-exchange: noisy Diffie-Hellman ring-LWE key-exchange Public: g ∈ R , distribution χ = D n Alice Bob σ b , e ′ ← $ χ a , e ← $ χ pub A pub A = ga + e pub B = gb + e ′ pub B S A = ( pub B ) a S B = ( pub A ) b = gab + e ′ a = gab + eb a , b , e , e ′ ← D n σ , so small! Keys are approximately equal: gab + e ′ a ≈ gab + eb Need a way to get shared secret bits July 1st, 2019 9 / 27

  23. LWE key-exchange: mapping coefficients How to map coefficients to bits Alice and Bob obtained close vectors S A , S B ∈ Z n q July 1st, 2019 10 / 27

  24. LWE key-exchange: mapping coefficients How to map coefficients to bits Alice and Bob obtained close vectors S A , S B ∈ Z n q “the edge” 0 ≡ q 1 0 3 q/ 4 q/ 4 q/ 2 July 1st, 2019 10 / 27

  25. LWE key-exchange: mapping coefficients How to map coefficients to bits Alice and Bob obtained close vectors S A , S B ∈ Z n q “the edge” 0 ≡ q 1 0 3 q/ 4 q/ 4 Alice : 0 Bob : 0 q/ 2 July 1st, 2019 10 / 27

  26. LWE key-exchange: mapping coefficients How to map coefficients to bits Alice and Bob obtained close vectors S A , S B ∈ Z n q “the edge” 0 ≡ q 1 0 3 q/ 4 q/ 4 Alice : 1 Bob : 1 q/ 2 July 1st, 2019 10 / 27

  27. LWE key-exchange: mapping coefficients How to map coefficients to bits Alice and Bob obtained close vectors S A , S B ∈ Z n q “the edge” 0 ≡ q 1 0 3 q/ 4 q/ 4 Alice : 0 Bob : 1 q/ 2 July 1st, 2019 10 / 27

  28. LWE key-exchange: mapping coefficients How to map coefficients to bits Alice and Bob obtained close vectors S A , S B ∈ Z n q “the edge” 0 ≡ q 1 0 3 q/ 4 q/ 4 Error! Alice : 0 Bob : 1 q/ 2 July 1st, 2019 10 / 27

  29. LWE key-exchange: reconciliation Mapping coefficients by fixed map induces many errors Better idea: use two mappings and let Bob decide on which map Choose map where S B is far from edge Map 0 0 ≡ q Map 1 0 ≡ q 0 1 0 3 q/ 4 q/ 4 3 q/ 4 q/ 4 1 q/ 2 q/ 2 July 1st, 2019 11 / 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Position-Based Quantum Cryptography: Impossibility and Constructions Harry Buhrman, Christian

Position-Based Quantum Cryptography: Impossibility and Constructions Harry Buhrman, Christian

Position-Based Quantum Cryptography: Impossibility and Constructions Harry Buhrman, Christian Schaffner Serge Fehr Nishanth Chandran, Ran Gelles Rafail Ostrovsky Vipul Goyal CRYPTO 2011 http://arxiv.org/abs/1009.2490 Wednesday, August 17,

461 views • 18 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, PSL Research University, INRIA (Internship at CryptoExperts, Paris) ECRYPT-NET School on Correct and Secure Implementation Crete, Greece 8

850 views • 67 slides
Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 September 14, 2020

711 views • 69 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

Standardizing Lattice Cryptography and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the oldest and most (the most?) efficient quantum-resilient alternatives for basic primitives Public key

844 views • 62 slides
Gausss law and Hilbert space constructions for U(1) lattice gauge theories David B. Kaplan

Gausss law and Hilbert space constructions for U(1) lattice gauge theories David B. Kaplan

Gausss law and Hilbert space constructions for U(1) lattice gauge theories David B. Kaplan & Jesse R. Stryker Institute for Nuclear Theory University of Washington Next steps in Quantum Science for HEP Work based on arXiv:1806.08797

594 views • 38 slides
Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire

Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire

Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire dInformatique de l Ecole polytechnique (LIX) Summer school on real-world crypto and privacy Sibenik, Croatia, June 9 2016 Smith

512 views • 29 slides
Cryptography & Network Security Introduction Introduction Chester Rebeiro IIT Madras CR

Cryptography & Network Security Introduction Introduction Chester Rebeiro IIT Madras CR

Cryptography & Network Security Introduction Introduction Chester Rebeiro IIT Madras CR The Connected World CR 2 Information Storage CR 3 Increased Security Breaches 81% more in 2015 CR

1.46k views • 29 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
Enc Encryp ypted Sear ed Search h Seny Kamara Brown University 2 3 4 Q: Why is this

Enc Encryp ypted Sear ed Search h Seny Kamara Brown University 2 3 4 Q: Why is this

Enc Encryp ypted Sear ed Search h Seny Kamara Brown University 2 3 4 Q: Why is this happening? 5 Big Data Industry and Governments want more data NaDonal security Machine learning Business analyDcs NLP

431 views • 30 slides
Cryptography Seny Kamara Cryptography Group Microsoft Research Outline Cloud Architecture

Cryptography Seny Kamara Cryptography Group Microsoft Research Outline Cloud Architecture

Cloud Cryptography Seny Kamara Cryptography Group Microsoft Research Outline Cloud Architecture What is cloud computing? o Cloud Ecosystem Who provides and who consumes cloud services? o Cloud Cryptography What are the security

637 views • 34 slides
Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

T-79.159 Cryptography and Data Security Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 24.03.2004 Lecture 9: Secret Sharing,

1.45k views • 33 slides
On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 24, 2018 2 2

On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 24, 2018 2 2

On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 24, 2018 2 2 2 So, how do we know all of this is secure? 2 The sad truth is: We dont! Not really. So, how do we know all of this is secure? 2 The

1.56k views • 70 slides
S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of

S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of

S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of Research: Symmetric Cryptography From Russia With Love Cryptanalysis of a Theorem Conclusion Curriculum Currently : post-doc at SECRET in Inria Paris

1.39k views • 99 slides
IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF Security Tutorial? Security is important in all protocols; not just protocols in the security area IETF specs mandated to have a security

1.29k views • 95 slides

More recommend