lattice cryptography introduction and open problems
play

Lattice Cryptography: Introduction and Open Problems Daniele - PowerPoint PPT Presentation

Jul 21, 2023 •285 likes •1.21k views

Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 2015 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open

  1. Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 2015 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 1 / 32

  2. Point Lattices The simplest example of lattice is Z n = { ( x 1 , . . . , x n ): x i ∈ Z } Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 2 / 32

  3. Point Lattices The simplest example of lattice is Z n = { ( x 1 , . . . , x n ): x i ∈ Z } Other lattices are obtained by applying a linear transformation B : x = ( x 1 , . . . , x n ) �→ Bx = x 1 · b 1 + · · · + x n · b n (0 , 1) b 2 B b 1 (1 , 0) Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 2 / 32

  4. Lattice Cryptography cryptanalysis crypto design today 1982 1996 Lenstra, Lenstra, Lovasz (1982) : The “LLL” paper “Factoring Polynomials with Rational Coefficients” Algorithmic breakthrough Efficient approximate solution of lattice problems Exponential approximation factor, but very good in practice Killer App: Cryptanalysis Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 3 / 32

  5. Lattice Cryptography cryptanalysis crypto design today 1982 1996 Lenstra, Lenstra, Lovasz (1982) : The “LLL” paper “Factoring Polynomials with Rational Coefficients” Algorithmic breakthrough Efficient approximate solution of lattice problems Exponential approximation factor, but very good in practice Killer App: Cryptanalysis Ajtai (1996) : “Generating Hard Instances of Lattice Problems” Marks the beginning of the modern use of lattices in the design of cryptographic functions Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 3 / 32

  6. Ajtai’s paper (quotes) “cryptography . . . generation of a specific instance of a problem in NP which is thought to be difficult”. “NP-hard problems” “very famous question (e.g., prime factorization).” “Unfortunately ‘difficult to solve’ means . . . in the worst case” “no guidance about how to create [a hard instance]” “possible solution” “find a set of randomly generated problems”, and 1 “show that if there is an algorithm which [works] with a positive 2 probability, then there is also an algorithm which solves the famous problem in the worst case.” “In this paper we give such a class of random problems.” Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 4 / 32

  7. Example: Discrete Logrithm (DLOG) p : a prime Z ∗ p : multiplicative group p : generator of (prime order sub-)group G = { g i : i ∈ Z } ⊆ Z ∗ g ∈ Z ∗ p Input: h = g i mod p DLOG Problem Given p , g , h , recover i (modulo q = o ( g )) Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 5 / 32

  8. Example: Discrete Logrithm (DLOG) p : a prime Z ∗ p : multiplicative group p : generator of (prime order sub-)group G = { g i : i ∈ Z } ⊆ Z ∗ g ∈ Z ∗ p Input: h = g i mod p DLOG Problem Given p , g , h , recover i (modulo q = o ( g )) Random Self Reducibility If you can solve DLOG for random g and h (with some probability), then you can solve it for any g , h in the worst-case. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 5 / 32

  9. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  10. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  11. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . 3 Notice: g ′ , h ′ ∈ G are (almost) uniformly random h ′ = h ab = g iab = ( g ′ ) ib Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  12. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . 3 Notice: g ′ , h ′ ∈ G are (almost) uniformly random h ′ = h ab = g iab = ( g ′ ) ib 4 Find j = DLOG ( g ′ , h ′ ) = ib Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  13. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . 3 Notice: g ′ , h ′ ∈ G are (almost) uniformly random h ′ = h ab = g iab = ( g ′ ) ib 4 Find j = DLOG ( g ′ , h ′ ) = ib 5 Output j / b (mod q ). Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  14. DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g , h 2 Compute g ′ = g a and h ′ = h ab for random a , b ∈ Z ∗ q . 3 Notice: g ′ , h ′ ∈ G are (almost) uniformly random h ′ = h ab = g iab = ( g ′ ) ib 4 Find j = DLOG ( g ′ , h ′ ) = ib 5 Output j / b (mod q ). Conclusion We know how to choose g , h ∈ G . But, how do we choose G ? Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32

  15. DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n -dimensional lattices grows superpolynomially (or exponentially) in n . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32

  16. DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n -dimensional lattices grows superpolynomially (or exponentially) in n . Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in n = log p or n = log | G | . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32

  17. DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n -dimensional lattices grows superpolynomially (or exponentially) in n . Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in n = log p or n = log | G | . This is not the same: For any n , there are (exponentially) many primes p . Typically, p is chosen at random among all n -bit primes Assumption is still average-case: DLOG is hard for random p . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32

  18. DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n -dimensional lattices grows superpolynomially (or exponentially) in n . Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in n = log p or n = log | G | . This is not the same: For any n , there are (exponentially) many primes p . Typically, p is chosen at random among all n -bit primes Assumption is still average-case: DLOG is hard for random p . We do not know how to reduce DLOG ( Z ∗ p ) to DLOG ( Z ∗ q ). RSR provides no guidance on how to choose p . Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32

  19. DLOG vs Lattices (2) Alternative assumption DLOG( p n ) is hard when p n is the smallest prime > 2 n . Equivalent to worst-case family of problems (indexed by n ) Ad-hoc: problem definition seems rather arbitrary Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 8 / 32

  20. DLOG vs Lattices (2) Alternative assumption DLOG( p n ) is hard when p n is the smallest prime > 2 n . Equivalent to worst-case family of problems (indexed by n ) Ad-hoc: problem definition seems rather arbitrary There is more: Lattice problems in dimension n reduce to lattice problems in dimension m > n : ⇒ B O B = O ∞ No such reduction for DLOG: ? DLOG ( p n ) = ⇒ DLOG ( p n +1 ) Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 8 / 32

  21. DLOG vs Lattices (3) Other (natural) representations: G = ( Z ∗ p , · ) ≡ ( Z p − 1 , +) but “DLOG” in ( Z p − 1 , +) is easy. Other (still natural) groups: G = Z ∗ pq Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 9 / 32

  22. DLOG vs Lattices (3) Other (natural) representations: G = ( Z ∗ p , · ) ≡ ( Z p − 1 , +) but “DLOG” in ( Z p − 1 , +) is easy. Other (still natural) groups: G = Z ∗ pq Question Assume one of DLOG ( Z p ) and DLOG ( Z p · q ) is polynomial time solvable, and one is not. Which group family would you choose? Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 9 / 32

  23. DLOG vs Lattices (3) Other (natural) representations: G = ( Z ∗ p , · ) ≡ ( Z p − 1 , +) but “DLOG” in ( Z p − 1 , +) is easy. Other (still natural) groups: G = Z ∗ pq Question Assume one of DLOG ( Z p ) and DLOG ( Z p · q ) is polynomial time solvable, and one is not. Which group family would you choose? Chinese Reminder Theorem (CRT): Z pq ≈ Z p × Z q DLOG ( Z ∗ ⇒ DLOG ( Z ∗ p ) = pq ) . Reduction in the other direction requires factoring. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 9 / 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Lattice Based Cryptography Eduardo Morais advisor: Ricardo Dahab Unicamp

Introduction to Lattice Based Cryptography Eduardo Morais advisor: Ricardo Dahab Unicamp

Introduction to Lattice Based Cryptography Eduardo Morais advisor: Ricardo Dahab Unicamp ASCrypto 2013 October 18, 2013 Agenda Introduction Definitions Dual Lattices q-ary Lattices Hard Problems Schemes Goldreich,

1.66k views • 119 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois

Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois

Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois Ncourtois@ slb.com SchlumbergerSema Louveciennes France Bruges - 26/11/2002 STORK Cryptography Workshop 1 Design of Block Ciphers and Hash

429 views • 4 slides
and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

Standardizing Lattice Cryptography and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the oldest and most (the most?) efficient quantum-resilient alternatives for basic primitives Public key

844 views • 62 slides
Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
Foundations of Lattice Cryptography Daniele Micciancio Department of Computer Science and

Foundations of Lattice Cryptography Daniele Micciancio Department of Computer Science and

Foundations of Lattice Cryptography Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 12-16, 2013, (UCI) Daniele Micciancio Foundations of Lattice Cryptography This Talk Introduction

799 views • 32 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Open problems in coding and cryptography Grard Cohen May 2, 2012 1 / 1 Outline 1 Packings 2

Open problems in coding and cryptography Grard Cohen May 2, 2012 1 / 1 Outline 1 Packings 2

Open problems in coding and cryptography Grard Cohen May 2, 2012 1 / 1 Outline 1 Packings 2 W*M 3 Cloud encoding: packing by coverings 4 Group coverings 5 Identification 6 Frequency allocation: covering by packings 7 Witness 8 Non malleable

542 views • 41 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Background on lattice reduction Our results Our technical ideas and argument Conclusion and open problems Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL, UK London-ish Lattice Coding &

1.91k views • 167 slides
Centaur Verification Approach Jared Davis, Warren Hunt, Jr., Anna Slobodova, Sol Swords Bob

Centaur Verification Approach Jared Davis, Warren Hunt, Jr., Anna Slobodova, Sol Swords Bob

Centaur Verification Approach Jared Davis, Warren Hunt, Jr., Anna Slobodova, Sol Swords Bob Boyer, Gary Byers, Matt Kaufmann, Robert Krug November, 2010 Computer Sciences Department Centaur Technology, Inc. University of Texas 7600-C N.

576 views • 32 slides
Publishing date: 19/ 01/ 2015 Document title: 4b - Oil and gas UK slides ACER meeting 5 Dec 2014

Publishing date: 19/ 01/ 2015 Document title: 4b - Oil and gas UK slides ACER meeting 5 Dec 2014

Publishing date: 19/ 01/ 2015 Document title: 4b - Oil and gas UK slides ACER meeting 5 Dec 2014 We appreciate your feedback Please click on the icon to take a 5 online survey and provide your feedback about this document UK gas industry

348 views • 15 slides
Ordering Metro Lines by Block Crossings Martin Fink Lehrstuhl f ur Informatik I Universit

Ordering Metro Lines by Block Crossings Martin Fink Lehrstuhl f ur Informatik I Universit

Ordering Metro Lines by Block Crossings Martin Fink Lehrstuhl f ur Informatik I Universit at W urzburg Joint work with Sergey Pupyrev 1 /18 Metro Maps Vienna 2 /18 Metro Maps Paris 3 /18 Metro Maps Metro Lines 4

1.2k views • 119 slides
Evaluating the Impact of Interconnections in Quantum-dot Cellular Automata (QCA) Frank Sill Torres

Evaluating the Impact of Interconnections in Quantum-dot Cellular Automata (QCA) Frank Sill Torres

Evaluating the Impact of Interconnections in Quantum-dot Cellular Automata (QCA) Frank Sill Torres 1,2 , Robert Wille 1,3 , Marcel Walter 2 , Philipp Niemann 1,2 , Daniel Groe 1,2 , Rolf Drechsler 1,2 1 DFKI GmbH (Germany), 2 University of Bremen

379 views • 18 slides
video to text task Jia Chen 1 , Shizhe Chen 2 , Qin Jin 2 , Alexander Hauptmann 1 1 Carnegie Mellon

video to text task Jia Chen 1 , Shizhe Chen 2 , Qin Jin 2 , Alexander Hauptmann 1 1 Carnegie Mellon

INF entrance to TRECVID2018 video to text task Jia Chen 1 , Shizhe Chen 2 , Qin Jin 2 , Alexander Hauptmann 1 1 Carnegie Mellon University 2 Renmin University of China Content Recap and what's new Network architecture Limitation of

363 views • 14 slides
Model Checking as A Reachability Problem Moshe Y. Vardi Rice University Engines of Progress:

Model Checking as A Reachability Problem Moshe Y. Vardi Rice University Engines of Progress:

Model Checking as A Reachability Problem Moshe Y. Vardi Rice University Engines of Progress: Semiconductor Technology Gordon Moore (co-founder of Intel) predicted in 1965 that the transistor density of semiconductor chips would double

486 views • 38 slides
Dominance as a New Trusted Computing Primitive for the IoT Meng Xu (Georgia Tech) Manuel Huber

Dominance as a New Trusted Computing Primitive for the IoT Meng Xu (Georgia Tech) Manuel Huber

1 Dominance as a New Trusted Computing Primitive for the IoT Meng Xu (Georgia Tech) Manuel Huber (Fraunhofer AISEC) Zhichuang Sun (Northeastern University) Paul England (Microsoft Research) Marcus Peinado (Microsoft Research) Sangho Lee

4.28k views • 49 slides
Basics of Complexity Complexity = resources time space ink gates energy

Basics of Complexity Complexity = resources time space ink gates energy

Basics of Complexity Complexity = resources time space ink gates energy Complexity is a function Complexity = f (input size) Value depends on: problem encoding adj. list vs. adj matrix model of

326 views • 17 slides

More recommend