lattice based cryptography short integer solution sis and
play

Lattice-Based Cryptography: Short Integer Solution (SIS) and - PowerPoint PPT Presentation

Feb 29, 2024 •31 likes •971 views

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 17 Recall: Lattices Full-rank additive subgroup in Z m . O 2 / 17 Recall:

  1. Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 17

  2. Recall: Lattices ◮ Full-rank additive subgroup in Z m . O 2 / 17

  3. Recall: Lattices ◮ Full-rank additive subgroup in Z m . ◮ Basis B = ( b 1 , . . . , b m ) : m � L ( B ) = B · Z m = b 2 ( Z · b i ) i =1 b 1 O 2 / 17

  4. Recall: Lattices ◮ Full-rank additive subgroup in Z m . ◮ Basis B = ( b 1 , . . . , b m ) : m � L ( B ) = B · Z m = b 1 ( Z · b i ) i =1 b 2 O 2 / 17

  5. Recall: Lattices ◮ Full-rank additive subgroup in Z m . ◮ Basis B = ( b 1 , . . . , b m ) : m � L ( B ) = B · Z m = b 1 ( Z · b i ) i =1 b 2 O (Other representations too . . . ) 2 / 17

  6. Recall: Lattices ◮ Full-rank additive subgroup in Z m . ◮ Basis B = ( b 1 , . . . , b m ) : m � L ( B ) = B · Z m = b 1 ( Z · b i ) i =1 b 2 O (Other representations too . . . ) Hard Problems ◮ Find/detect short nonzero lattice vector(s): SVP, GapSVP, SIVP ◮ Decode under small amount of error: BDD 2 / 17

  7. A Hard Problem: Short Integer Solution ◮ Z n (e.g., q ≈ n 3 ) q = n -dimensional vectors modulo q 3 / 17

  8. A Hard Problem: Short Integer Solution ◮ Z n (e.g., q ≈ n 3 ) q = n -dimensional vectors modulo q       | | | ∈ Z n · · · a 1 a 2 a m       q | | | 3 / 17

  9. A Hard Problem: Short Integer Solution ◮ Z n (e.g., q ≈ n 3 ) q = n -dimensional vectors modulo q ◮ Goal: find nontrivial small z 1 , . . . , z m ∈ Z such that:         | | | |  + z 2 ·  + · · · + z m ·  =  ∈ Z n z 1 · 0 a 1 a 2 a m     q | | | | 3 / 17

  10. A Hard Problem: Short Integer Solution ◮ Z n (e.g., q ≈ n 3 ) q = n -dimensional vectors modulo q ◮ Goal: find nontrivial short z ∈ Z m such that:          = 0 ∈ Z n  · · · · · · · · A  z    q � �� � m 3 / 17

  11. A Hard Problem: Short Integer Solution ◮ Z n (e.g., q ≈ n 3 ) q = n -dimensional vectors modulo q ◮ Goal: find nontrivial short z ∈ Z m such that:         = 0 ∈ Z n   · · · · · · · · A  z    q � �� � m One-Way & Collision-Resistant Hash Function ◮ Set m > n lg q . Define f A : { 0 , 1 } m → Z n q as f A ( x ) = Ax . 3 / 17

  12. A Hard Problem: Short Integer Solution ◮ Z n (e.g., q ≈ n 3 ) q = n -dimensional vectors modulo q ◮ Goal: find nontrivial short z ∈ Z m such that:         = 0 ∈ Z n   · · · · · · · · A  z    q � �� � m One-Way & Collision-Resistant Hash Function ◮ Set m > n lg q . Define f A : { 0 , 1 } m → Z n q as f A ( x ) = Ax . ◮ Collision x , x ′ ∈ { 0 , 1 } m where Ax = Ax ′ . . . 3 / 17

  13. A Hard Problem: Short Integer Solution ◮ Z n (e.g., q ≈ n 3 ) q = n -dimensional vectors modulo q ◮ Goal: find nontrivial short z ∈ Z m such that:         = 0 ∈ Z n   · · · · · · · · A  z    q � �� � m One-Way & Collision-Resistant Hash Function ◮ Set m > n lg q . Define f A : { 0 , 1 } m → Z n q as f A ( x ) = Ax . ◮ Collision x , x ′ ∈ { 0 , 1 } m where Ax = Ax ′ . . . . . . yields solution z = x − x ′ ∈ { 0 , ± 1 } m , of norm � z � ≤ √ m . 3 / 17

  14. Cool! (but what does this have to do with lattices?) 4 / 17

  15. Cool! (but what does this have to do with lattices?) ◮ Parity-check matrix A = ( a 1 , . . . , a m ) ∈ Z n × m q defines the ‘ q -ary’ integer lattice L ⊥ ( A ) = { z ∈ Z m : Az = 0 } . O 4 / 17

  16. Cool! (but what does this have to do with lattices?) ◮ Parity-check matrix (0 , q ) A = ( a 1 , . . . , a m ) ∈ Z n × m q defines the ‘ q -ary’ integer lattice L ⊥ ( A ) = { z ∈ Z m : Az = 0 } . ( q, 0) O 4 / 17

  17. Cool! (but what does this have to do with lattices?) ◮ Parity-check matrix (0 , q ) A = ( a 1 , . . . , a m ) ∈ Z n × m q defines the ‘ q -ary’ integer lattice L ⊥ ( A ) = { z ∈ Z m : Az = 0 } . ◮ SIS is SVP on random lattices L ⊥ ( A ) ! ( q, 0) O 4 / 17

  18. Cool! (but what does this have to do with lattices?) ◮ Parity-check matrix (0 , q ) A = ( a 1 , . . . , a m ) ∈ Z n × m q defines the ‘ q -ary’ integer lattice L ⊥ ( A ) = { z ∈ Z m : Az = 0 } . ◮ SIS is SVP on random lattices L ⊥ ( A ) ! x ( q, 0) ◮ Syndrome u ∈ Z n q defines coset O L ⊥ u ( A ) = { x : Ax = u } , x �→ Ax reduces x modulo L ⊥ ( A ) . 4 / 17

  19. Cool! (but what does this have to do with lattices?) ◮ Parity-check matrix (0 , q ) A = ( a 1 , . . . , a m ) ∈ Z n × m q defines the ‘ q -ary’ integer lattice L ⊥ ( A ) = { z ∈ Z m : Az = 0 } . ◮ SIS is SVP on random lattices L ⊥ ( A ) ! ( q, 0) ◮ Syndrome u ∈ Z n q defines coset O L ⊥ u ( A ) = { x : Ax = u } , x �→ Ax reduces x modulo L ⊥ ( A ) . Worst-Case/Average-Case Connection [Ajtai’96,. . . ] Finding short ( � z � ≤ β ≪ q ) nonzero z ∈ L ⊥ ( A ) for uniformly random A ∈ Z n × m q ⇓ solving GapSVP β √ n and SIVP β √ n on any n -dim lattice. 4 / 17

  20. A “Key” Trick ◮ Generate uniform A with a short solution x (s.t. Ax = 0 ): 5 / 17

  21. A “Key” Trick ◮ Generate uniform A with a short solution x (s.t. Ax = 0 ): m for (say) ¯ 1 Choose ¯ x ← { 0 , 1 } ¯ A ← Z n × ¯ and ¯ m ≥ 2 n lg q . m q 5 / 17

  22. A “Key” Trick ◮ Generate uniform A with a short solution x (s.t. Ax = 0 ): m for (say) ¯ 1 Choose ¯ x ← { 0 , 1 } ¯ A ← Z n × ¯ and ¯ m ≥ 2 n lg q . m q 2 Let A = [ ¯ A | − ¯ x modulo L ⊥ ( ¯ A ¯ x ] and x = [ ¯ 1 ] . (We just reduced − ¯ x A ) .) 5 / 17

  23. A “Key” Trick ◮ Generate uniform A with a short solution x (s.t. Ax = 0 ): m for (say) ¯ 1 Choose ¯ x ← { 0 , 1 } ¯ A ← Z n × ¯ and ¯ m ≥ 2 n lg q . m q 2 Let A = [ ¯ A | − ¯ x modulo L ⊥ ( ¯ A ¯ x ] and x = [ ¯ 1 ] . (We just reduced − ¯ x A ) .) � ¯ � ◮ For many short solutions, let A = [ ¯ A | − ¯ A ¯ X X ] and X = . I 5 / 17

  24. A “Key” Trick ◮ Generate uniform A with a short solution x (s.t. Ax = 0 ): m for (say) ¯ 1 Choose ¯ x ← { 0 , 1 } ¯ A ← Z n × ¯ and ¯ m ≥ 2 n lg q . m q 2 Let A = [ ¯ A | − ¯ x modulo L ⊥ ( ¯ A ¯ x ] and x = [ ¯ 1 ] . (We just reduced − ¯ x A ) .) � ¯ � ◮ For many short solutions, let A = [ ¯ A | − ¯ A ¯ X X ] and X = . I ◮ Nothing special about { 0 , 1 } ¯ m : enough entropy suffices (essentially). 5 / 17

  25. A “Key” Trick ◮ Generate uniform A with a short solution x (s.t. Ax = 0 ): m for (say) ¯ 1 Choose ¯ x ← { 0 , 1 } ¯ A ← Z n × ¯ and ¯ m ≥ 2 n lg q . m q 2 Let A = [ ¯ A | − ¯ x modulo L ⊥ ( ¯ A ¯ x ] and x = [ ¯ 1 ] . (We just reduced − ¯ x A ) .) � ¯ � ◮ For many short solutions, let A = [ ¯ A | − ¯ A ¯ X X ] and X = . I ◮ Nothing special about { 0 , 1 } ¯ m : enough entropy suffices (essentially). ‘Leftover Hash’ Lemma s ◮ Over choice of ¯ x , matrix A = [ ¯ A | − ¯ A and ¯ A ¯ x ] ≈ uniform. m → Z n � � A : { 0 , 1 } ¯ ◮ Proof: family f ¯ is pairwise independent; q ¯ x has sufficient (min-)entropy. 5 / 17

  26. A “Key” Trick ◮ Generate uniform A with a short solution x (s.t. Ax = 0 ): m for (say) ¯ 1 Choose ¯ x ← { 0 , 1 } ¯ A ← Z n × ¯ and ¯ m ≥ 2 n lg q . m q 2 Let A = [ ¯ A | − ¯ x modulo L ⊥ ( ¯ A ¯ x ] and x = [ ¯ 1 ] . (We just reduced − ¯ x A ) .) � ¯ � ◮ For many short solutions, let A = [ ¯ A | − ¯ A ¯ X X ] and X = . I ◮ Nothing special about { 0 , 1 } ¯ m : enough entropy suffices (essentially). ‘Leftover Hash’ Lemma s ◮ Over choice of ¯ x , matrix A = [ ¯ A | − ¯ A and ¯ A ¯ x ] ≈ uniform. m → Z n � � A : { 0 , 1 } ¯ ◮ Proof: family f ¯ is pairwise independent; q ¯ x has sufficient (min-)entropy. Dirty Little Secret ◮ This trick — reducing a short vector modulo a lattice — is the only one-way function used in all of lattice crypto! 5 / 17

  27. Another Hard Problem: Learning With Errors [Regev’05] ◮ As before, dimension n and modulus q ≥ 2 6 / 17

  28. Another Hard Problem: Learning With Errors [Regev’05] ◮ As before, dimension n and modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ a 1 ← Z n q , b 1 = � s , a 1 � + e 1 a 2 ← Z n q , b 2 = � s , a 2 � + e 2 . . . 6 / 17

  29. Another Hard Problem: Learning With Errors [Regev’05] ◮ As before, dimension n and modulus q ≥ 2 , error rate α ≪ 1 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ a 1 ← Z n q , b 1 = � s , a 1 � + e 1 a 2 ← Z n q , b 2 = � s , a 2 � + e 2 . . . Errors e i ← χ = Gaussian over Z , width αq . αq > √ n 6 / 17

  30. Another Hard Problem: Learning With Errors [Regev’05] ◮ As before, dimension n and modulus q ≥ 2 , error rate α ≪ 1 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’   | |  , b t = s t A + e t A = · · · a 1 a m  | | Errors e i ← χ = Gaussian over Z , width αq . αq > √ n 6 / 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, PSL Research University, INRIA (Internship at CryptoExperts, Paris) ECRYPT-NET School on Correct and Secure Implementation Crete, Greece 8

850 views • 67 slides
Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 September 14, 2020

711 views • 69 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

Standardizing Lattice Cryptography and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the oldest and most (the most?) efficient quantum-resilient alternatives for basic primitives Public key

844 views • 62 slides
Applications of Lattices in Telecommunications Amin Sakzad Dept of Electrical and Computer

Applications of Lattices in Telecommunications Amin Sakzad Dept of Electrical and Computer

Sphere Decoder Algorithm Lattice Reduction Algorithms Integer-Forcing Linear Receiver Lattice-based Cryptography Applications of Lattices in Telecommunications Amin Sakzad Dept of Electrical and Computer Systems Engineering Monash University

772 views • 76 slides
Cultivating Powerful Collaborations & Relationships CULTIVATING POWERFUL COLLABORATIONS &

Cultivating Powerful Collaborations & Relationships CULTIVATING POWERFUL COLLABORATIONS &

Part 4 of Moving from Service to Solutions Modeled from Solutions U Cultivating Powerful Collaborations & Relationships CULTIVATING POWERFUL COLLABORATIONS & RELATIONSHIPS WORKSHOP GOALS 1. Understand the value of cultivating

228 views • 12 slides
Math21b Final Review Spring 2015 selected slides Oliver Knill, May 4, 2015 n x m matrix

Math21b Final Review Spring 2015 selected slides Oliver Knill, May 4, 2015 n x m matrix

Math21b Final Review Spring 2015 selected slides Oliver Knill, May 4, 2015 n x m matrix Columns: n rows and m image of basis columns vectors -1 -1 -1 =B A (AB) Matrices T T T =B A (AB) -1 A B = B A B = S A S similarity in

495 views • 38 slides
Lecture 2.3: Inhomogeneous differential equations and affine spaces Matthew Macauley Department

Lecture 2.3: Inhomogeneous differential equations and affine spaces Matthew Macauley Department

Lecture 2.3: Inhomogeneous differential equations and affine spaces Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4340, Advanced Engineering Mathematics M. Macauley (Clemson)

442 views • 12 slides
ONSAGERS SOLUTION OF THE ISING MODEL COULD HAVE BEEN GUESSED Manuel Kauers Institute for

ONSAGERS SOLUTION OF THE ISING MODEL COULD HAVE BEEN GUESSED Manuel Kauers Institute for

ONSAGERS SOLUTION OF THE ISING MODEL COULD HAVE BEEN GUESSED Manuel Kauers Institute for Algebra JKU Joint work with Doron Zeilberger 1 2 3 Let A be the number of edges joining sites of the same color 4 Let A be the number of

1.98k views • 129 slides
ASICs and Front-End Motherboards ASIC schedule and ProtoDUNE Run 2 Marco Verzocchi Fermilab 6

ASICs and Front-End Motherboards ASIC schedule and ProtoDUNE Run 2 Marco Verzocchi Fermilab 6

DUNE Preliminary Design Review of ASICs and Front-End Motherboards ASIC schedule and ProtoDUNE Run 2 Marco Verzocchi Fermilab 6 February 2020 The question . Is the ASIC development schedule compatible with the desire of using final

244 views • 6 slides
A simple solution for static backgrounds in cubic superstring field theory Ruggero Noris

A simple solution for static backgrounds in cubic superstring field theory Ruggero Noris

A simple solution for static backgrounds in cubic superstring field theory A simple solution for static backgrounds in cubic superstring field theory Ruggero Noris Politecnico di Torino, INFN Workshop on Fundamental Aspects of String Theory

312 views • 20 slides
Input Products for Weighted Extended Top-down Tree Transducers Andreas Maletti Universitat

Input Products for Weighted Extended Top-down Tree Transducers Andreas Maletti Universitat

Input Products for Weighted Extended Top-down Tree Transducers Andreas Maletti Universitat Rovira i Virgili Tarragona, Spain andreas.maletti@urv.cat London, ON August 17, 2010 Input Products for WXTT A. Maletti 1 Machine

828 views • 44 slides
Preservation of Recognizability for Weighted Extended Top-down Tree Transducers Andreas Maletti

Preservation of Recognizability for Weighted Extended Top-down Tree Transducers Andreas Maletti

Preservation of Recognizability for Weighted Extended Top-down Tree Transducers Andreas Maletti Institute for Natural Language Processing University of Stuttgart andreas.maletti@ims.uni-stuttgart.de Nara, Japan September 7, 2011

1.46k views • 105 slides

More recommend