lattice cryptography
play

Lattice Cryptography Lecture 24 Lattices Lattices A infinite set - PowerPoint PPT Presentation

Dec 28, 2023 •283 likes •1.48k views

Lattice Cryptography Lecture 24 Lattices Lattices A infinite set of points in R n obtained by tiling with a basis Lattices A infinite set of points in R n obtained by tiling with a basis Lattices A infinite set of points in R n

  1. Learning With Errors LWE: given noisy inner-products of random vectors with a hidden vector, find the hidden vector Given < a 1 , s >+ e 1 , ..., < a m , s >+ e m and a 1 ,...., a m find s . 
 a i uniform, e i Gaussian noise

  2. Learning With Errors LWE: given noisy inner-products of random vectors with a hidden vector, find the hidden vector Given < a 1 , s >+ e 1 , ..., < a m , s >+ e m and a 1 ,...., a m find s . 
 a i uniform, e i Gaussian noise LWE-Decision version: distinguish between such an input and a random input

  3. Learning With Errors LWE: given noisy inner-products of random vectors with a hidden vector, find the hidden vector Given < a 1 , s >+ e 1 , ..., < a m , s >+ e m and a 1 ,...., a m find s . 
 a i uniform, e i Gaussian noise LWE-Decision version: distinguish between such an input and a random input A ssumed to be hard (note: average-case hardness). Has been connected with worst-case hardness of GapSVP

  4. Learning With Errors LWE: given noisy inner-products of random vectors with a hidden vector, find the hidden vector Given < a 1 , s >+ e 1 , ..., < a m , s >+ e m and a 1 ,...., a m find s . 
 a i uniform, e i Gaussian noise LWE-Decision version: distinguish between such an input and a random input A ssumed to be hard (note: average-case hardness). Has been connected with worst-case hardness of GapSVP Turns out to be a very useful assumption

  5. Hash Functions and OWF

  6. Hash Functions and OWF CRHF: f( x ) = A x (mod q)

  7. Hash Functions and OWF CRHF: f( x ) = A x (mod q) x required to be a “short” vector (i.e., each co-ordinate in the range [0,d-1] for some small d)

  8. Hash Functions and OWF CRHF: f( x ) = A x (mod q) x required to be a “short” vector (i.e., each co-ordinate in the range [0,d-1] for some small d) A is an n x m matrix: maps m log d bits to n log q bits (for compression we require m > n log d q)

  9. Hash Functions and OWF CRHF: f( x ) = A x (mod q) x required to be a “short” vector (i.e., each co-ordinate in the range [0,d-1] for some small d) A is an n x m matrix: maps m log d bits to n log q bits (for compression we require m > n log d q) Collision yields a short vector (co-ordinates in [-(d-1),d-1]) 
 z s.t A z = 0: i.e., a short vector in the lattice L A ⊥

  10. Hash Functions and OWF CRHF: f( x ) = A x (mod q) x required to be a “short” vector (i.e., each co-ordinate in the range [0,d-1] for some small d) A is an n x m matrix: maps m log d bits to n log q bits (for compression we require m > n log d q) Collision yields a short vector (co-ordinates in [-(d-1),d-1]) 
 z s.t A z = 0: i.e., a short vector in the lattice L A ⊥ Simple to compute: if d small (say, d=2, i.e., x binary), f( x ) can be computed using O(n m) additions mod q

  11. Hash Functions and OWF CRHF: f( x ) = A x (mod q) x required to be a “short” vector (i.e., each co-ordinate in the range [0,d-1] for some small d) A is an n x m matrix: maps m log d bits to n log q bits (for compression we require m > n log d q) Collision yields a short vector (co-ordinates in [-(d-1),d-1]) 
 z s.t A z = 0: i.e., a short vector in the lattice L A ⊥ Simple to compute: if d small (say, d=2, i.e., x binary), f( x ) can be computed using O(n m) additions mod q If sufficiently compressing (say by half), a CRHF is also a OWF

  12. Average-Case/Worst-Case Connection

  13. Average-Case/Worst-Case Connection Collision yields a short vector (co-ordinates in [-(d-1),d-1]) 
 z s.t A z = 0: i.e., a short vector in the lattice L A ⊥

  14. Average-Case/Worst-Case Connection Collision yields a short vector (co-ordinates in [-(d-1),d-1]) 
 z s.t A z = 0: i.e., a short vector in the lattice L A ⊥ Considered hard when A is chosen uniformly at random

  15. Average-Case/Worst-Case Connection Collision yields a short vector (co-ordinates in [-(d-1),d-1]) 
 z s.t A z = 0: i.e., a short vector in the lattice L A ⊥ Considered hard when A is chosen uniformly at random This is as hard as solving certain lattice problems in the worst case (i.e., with good success probability for every instance of the problem)

  16. Average-Case/Worst-Case Connection Collision yields a short vector (co-ordinates in [-(d-1),d-1]) 
 z s.t A z = 0: i.e., a short vector in the lattice L A ⊥ Considered hard when A is chosen uniformly at random This is as hard as solving certain lattice problems in the worst case (i.e., with good success probability for every instance of the problem) In general average case assumptions may be risky: there will be many easy instances

  17. Average-Case/Worst-Case Connection Collision yields a short vector (co-ordinates in [-(d-1),d-1]) 
 z s.t A z = 0: i.e., a short vector in the lattice L A ⊥ Considered hard when A is chosen uniformly at random This is as hard as solving certain lattice problems in the worst case (i.e., with good success probability for every instance of the problem) In general average case assumptions may be risky: there will be many easy instances Worst case assumptions are OK even if most instances are easy

  18. Average-Case/Worst-Case Connection Collision yields a short vector (co-ordinates in [-(d-1),d-1]) 
 z s.t A z = 0: i.e., a short vector in the lattice L A ⊥ Considered hard when A is chosen uniformly at random This is as hard as solving certain lattice problems in the worst case (i.e., with good success probability for every instance of the problem) In general average case assumptions may be risky: there will be many easy instances Worst case assumptions are OK even if most instances are easy Connection shows that if a few instances hard, most instances are

  19. Succinct Keys

  20. Succinct Keys The hash function is described by an n x m matrix over Z q , where n is the security parameter and m > n

  21. Succinct Keys The hash function is described by an n x m matrix over Z q , where n is the security parameter and m > n Large key and correspondingly large number of operations

  22. Succinct Keys The hash function is described by an n x m matrix over Z q , where n is the security parameter and m > n Large key and correspondingly large number of operations Using “ideal lattices”

  23. Succinct Keys The hash function is described by an n x m matrix over Z q , where n is the security parameter and m > n Large key and correspondingly large number of operations Using “ideal lattices” Have more structure: a random basis for such a lattice can be represented using just m elements of Z q (instead of mn)

  24. Succinct Keys The hash function is described by an n x m matrix over Z q , where n is the security parameter and m > n Large key and correspondingly large number of operations Using “ideal lattices” Have more structure: a random basis for such a lattice can be represented using just m elements of Z q (instead of mn) Matrix multiplication can be carried out faster (using FFT) with Õ(m) operations over Z q (instead of O(mn))

  25. Succinct Keys The hash function is described by an n x m matrix over Z q , where n is the security parameter and m > n Large key and correspondingly large number of operations Using “ideal lattices” Have more structure: a random basis for such a lattice can be represented using just m elements of Z q (instead of mn) Matrix multiplication can be carried out faster (using FFT) with Õ(m) operations over Z q (instead of O(mn)) Security depends on worst-case hardness of same problems as before, but when restricted to ideal lattices

  26. Public-Key Encryption

  27. Public-Key Encryption NTRU/GGH approach: Private key is a “good” basis, and the public key is a “bad basis”

  28. Public-Key Encryption NTRU/GGH approach: Private key is a “good” basis, and the public key is a “bad basis” Worst basis (one that can be efficiently computed from any basis): Hermite Normal Form (HNF) basis

  29. Public-Key Encryption NTRU/GGH approach: Private key is a “good” basis, and the public key is a “bad basis” Worst basis (one that can be efficiently computed from any basis): Hermite Normal Form (HNF) basis To encrypt a message, encode it (randomized) as a short “noise vector” u. Output c = v+u for a lattice point v that is chosen using the public basis

  30. Public-Key Encryption NTRU/GGH approach: Private key is a “good” basis, and the public key is a “bad basis” Worst basis (one that can be efficiently computed from any basis): Hermite Normal Form (HNF) basis To encrypt a message, encode it (randomized) as a short “noise vector” u. Output c = v+u for a lattice point v that is chosen using the public basis To decrypt, use the good basis to find v as the closest lattice vector to c, and recover u=c-v

  31. Public-Key Encryption NTRU/GGH approach: Private key is a “good” basis, and the public key is a “bad basis” Worst basis (one that can be efficiently computed from any basis): Hermite Normal Form (HNF) basis To encrypt a message, encode it (randomized) as a short “noise vector” u. Output c = v+u for a lattice point v that is chosen using the public basis To decrypt, use the good basis to find v as the closest lattice vector to c, and recover u=c-v NTRU Encryption: use lattices with succinct basis

  32. Public-Key Encryption NTRU/GGH approach: Private key is a “good” basis, and the public key is a “bad basis” Worst basis (one that can be efficiently computed from any basis): Hermite Normal Form (HNF) basis To encrypt a message, encode it (randomized) as a short “noise vector” u. Output c = v+u for a lattice point v that is chosen using the public basis To decrypt, use the good basis to find v as the closest lattice vector to c, and recover u=c-v NTRU Encryption: use lattices with succinct basis Conjectured to be CPA secure for appropriate lattices. No security reduction known to simple lattice problems

  33. Public-Key Encryption

  34. Public-Key Encryption A subset-sum approach:

  35. Public-Key Encryption A subset-sum approach: Encryption of bit 0 is a point from a uniform distribution (over an interval of integers); encryption of 1 comes from a “wavy” distribution of secret period

  36. Public-Key Encryption A subset-sum approach: Encryption of bit 0 is a point from a uniform distribution (over an interval of integers); encryption of 1 comes from a “wavy” distribution of secret period Public-key gives several points from the wavy distribution that can be combined (subset sum) to get more points from the wavy distribution

  37. Public-Key Encryption A subset-sum approach: Encryption of bit 0 is a point from a uniform distribution (over an interval of integers); encryption of 1 comes from a “wavy” distribution of secret period Public-key gives several points from the wavy distribution that can be combined (subset sum) to get more points from the wavy distribution Secret-key consists of the period: enough for a statistical test to distinguish the two distributions

  38. Public-Key Encryption A subset-sum approach: Encryption of bit 0 is a point from a uniform distribution (over an interval of integers); encryption of 1 comes from a “wavy” distribution of secret period Public-key gives several points from the wavy distribution that can be combined (subset sum) to get more points from the wavy distribution Secret-key consists of the period: enough for a statistical test to distinguish the two distributions CPA Security: distinguishing the uniform and wavy distributions can be used to distinguish between noise added to lattices obtained as duals of lattices either with no short vector or with a unique short vector

  39. Dual Lattice Given a lattice L, the dual lattice is L* = { x |or all y ∈ L, <x,y> ∈ Z } 1 / 5 L L* 5 0 0 Slide courtesy Oded Regev

  40. L* - the dual of L L* L √ n 1 / 0 n Case 1 0 n √ n Case 2 0 Slide courtesy Oded Regev

  41. Public-Key Encryption

  42. Public-Key Encryption An LWE based approach:

  43. Public-Key Encryption An LWE based approach: Public-key is (A,P) where P=AS+E, for random matrices (of appropriate dimensions) A and S, and a noise matrix E over Z q

  44. Public-Key Encryption An LWE based approach: Public-key is (A,P) where P=AS+E, for random matrices (of appropriate dimensions) A and S, and a noise matrix E over Z q To encrypt an n bit message, first map it to a vector v in (a sparse sub-lattice of) Z qn ; pick a random vector a with small coordinates; ciphertext is ( u , c ) where u = A T a and c = P T a + v

  45. Public-Key Encryption An LWE based approach: Public-key is (A,P) where P=AS+E, for random matrices (of appropriate dimensions) A and S, and a noise matrix E over Z q To encrypt an n bit message, first map it to a vector v in (a sparse sub-lattice of) Z qn ; pick a random vector a with small coordinates; ciphertext is ( u , c ) where u = A T a and c = P T a + v Decryption using S: recover message from c - S T u = v + E T a

  46. Public-Key Encryption An LWE based approach: Public-key is (A,P) where P=AS+E, for random matrices (of appropriate dimensions) A and S, and a noise matrix E over Z q To encrypt an n bit message, first map it to a vector v in (a sparse sub-lattice of) Z qn ; pick a random vector a with small coordinates; ciphertext is ( u , c ) where u = A T a and c = P T a + v Decryption using S: recover message from c - S T u = v + E T a Allows a small error probability; can be made negligible by first encoding the message using an error correcting code

  47. Public-Key Encryption An LWE based approach: Public-key is (A,P) where P=AS+E, for random matrices (of appropriate dimensions) A and S, and a noise matrix E over Z q To encrypt an n bit message, first map it to a vector v in (a sparse sub-lattice of) Z qn ; pick a random vector a with small coordinates; ciphertext is ( u , c ) where u = A T a and c = P T a + v Decryption using S: recover message from c - S T u = v + E T a Allows a small error probability; can be made negligible by first encoding the message using an error correcting code CPA security: By LWE assumption, the public-key is indistinguishable from random; and, encryption under random (A,P) loses essentially all information about the message

  48. Public-Key Encryption An LWE based approach: Public-key is (A,P) where P=AS+E, for random matrices (of appropriate dimensions) A and S, and a noise matrix E over Z q To encrypt an n bit message, first map it to a vector v in (a sparse sub-lattice of) Z qn ; pick a random vector a with small coordinates; ciphertext is ( u , c ) where u = A T a and c = P T a + v Decryption using S: recover message from c - S T u = v + E T a Allows a small error probability; can be made negligible by first encoding the message using an error correcting code CPA security: By LWE assumption, the public-key is indistinguishable from random; and, encryption under random (A,P) loses essentially all information about the message LWE also used for CCA secure PKE

  49. Signatures

  50. Signatures GGH/NTRU approach: Secret key is a good basis, and the public key is a bad (i.e., HNF) basis

  51. Signatures GGH/NTRU approach: Secret key is a good basis, and the public key is a bad (i.e., HNF) basis To sign a message, hash it (using an RO) to a random point m in R n and use the good basis to find a lattice point close to it

  52. Signatures GGH/NTRU approach: Secret key is a good basis, and the public key is a bad (i.e., HNF) basis To sign a message, hash it (using an RO) to a random point m in R n and use the good basis to find a lattice point close to it e.g. with s = B � B -1 m � , we have s - m = B z for z ∈ [ ½ ,- ½ ] n

  53. Signatures GGH/NTRU approach: Secret key is a good basis, and the public key is a bad (i.e., HNF) basis To sign a message, hash it (using an RO) to a random point m in R n and use the good basis to find a lattice point close to it e.g. with s = B � B -1 m � , we have s - m = B z for z ∈ [ ½ ,- ½ ] n Intuitively, it is hard to find such a point using the HNF basis

  54. Signatures GGH/NTRU approach: Secret key is a good basis, and the public key is a bad (i.e., HNF) basis To sign a message, hash it (using an RO) to a random point m in R n and use the good basis to find a lattice point close to it e.g. with s = B � B -1 m � , we have s - m = B z for z ∈ [ ½ ,- ½ ] n Intuitively, it is hard to find such a point using the HNF basis However, multiple signatures can leak B

  55. Signatures GGH/NTRU approach: Secret key is a good basis, and the public key is a bad (i.e., HNF) basis To sign a message, hash it (using an RO) to a random point m in R n and use the good basis to find a lattice point close to it e.g. with s = B � B -1 m � , we have s - m = B z for z ∈ [ ½ ,- ½ ] n Intuitively, it is hard to find such a point using the HNF basis However, multiple signatures can leak B Fix (heuristic): Perturbation, to make it harder to recover B

  56. Signatures GGH/NTRU approach: Secret key is a good basis, and the public key is a bad (i.e., HNF) basis To sign a message, hash it (using an RO) to a random point m in R n and use the good basis to find a lattice point close to it e.g. with s = B � B -1 m � , we have s - m = B z for z ∈ [ ½ ,- ½ ] n Intuitively, it is hard to find such a point using the HNF basis However, multiple signatures can leak B Fix (heuristic): Perturbation, to make it harder to recover B Fix [GPV’08]: instead of rounding off to B � B -1 m � , sample from a distribution that does not leak B. Security (in ROM) reduces to worst-case hardness assumptions.

  57. Signatures GGH/NTRU approach: Secret key is a good basis, and the public key is a bad (i.e., HNF) basis To sign a message, hash it (using an RO) to a random point m in R n and use the good basis to find a lattice point close to it e.g. with s = B � B -1 m � , we have s - m = B z for z ∈ [ ½ ,- ½ ] n Intuitively, it is hard to find such a point using the HNF basis However, multiple signatures can leak B Fix (heuristic): Perturbation, to make it harder to recover B Fix [GPV’08]: instead of rounding off to B � B -1 m � , sample from a distribution that does not leak B. Security (in ROM) reduces to worst-case hardness assumptions. Quadratic key size/signing complexity (unlike NTRUSign)

  58. Signatures

  59. Signatures Using CRHF (not in ROM)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

Standardizing Lattice Cryptography and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the oldest and most (the most?) efficient quantum-resilient alternatives for basic primitives Public key

844 views • 62 slides
Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Foundations of Lattice Cryptography Daniele Micciancio Department of Computer Science and

Foundations of Lattice Cryptography Daniele Micciancio Department of Computer Science and

Foundations of Lattice Cryptography Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 12-16, 2013, (UCI) Daniele Micciancio Foundations of Lattice Cryptography This Talk Introduction

799 views • 32 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer

Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer

Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 2015 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open

1.21k views • 91 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, PSL Research University, INRIA (Internship at CryptoExperts, Paris) ECRYPT-NET School on Correct and Secure Implementation Crete, Greece 8

850 views • 67 slides
Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 September 14, 2020

711 views • 69 slides
RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

22nd IEEE Symposium on Computer Arithmetic RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core Procedure Jean-Claude Bajard , Julien Eynard Nabil Merkiche , Thomas Plantard Sorbonne

383 views • 25 slides
BoAT: Future Entry of AIoT Leo Lin PlatON Chief Innovation Officer BoAT-Blockchain of AI Things

BoAT: Future Entry of AIoT Leo Lin PlatON Chief Innovation Officer BoAT-Blockchain of AI Things

BoAT: Future Entry of AIoT Leo Lin PlatON Chief Innovation Officer BoAT-Blockchain of AI Things IoT Device Wallet Protect valuable data from the source Blockchain By 2025, thea global data volume will reach 175ZB , among which IoT device data

102 views • 7 slides
White-box Cryptomania Pascal Paillier CryptoExperts ECRYPT NET Workshop on Crypto for the Cloud

White-box Cryptomania Pascal Paillier CryptoExperts ECRYPT NET Workshop on Crypto for the Cloud

White-box Cryptomania Pascal Paillier CryptoExperts ECRYPT NET Workshop on Crypto for the Cloud &amp; Implementation Paris, June 27-28 2017 Overview 1 What is white-box crypto? 2 White-box compilers for signatures 3 White-box

543 views • 29 slides
Arrangements Cryptography Lecture Course in Autumn Term 2013 Will have two lectures (Tue 2pm,

Arrangements Cryptography Lecture Course in Autumn Term 2013 Will have two lectures (Tue 2pm,

Organisation Organisation Overview Overview Historic Ciphers Historic Ciphers Symmetric Ciphers Symmetric Ciphers Arrangements Cryptography Lecture Course in Autumn Term 2013 Will have two lectures (Tue 2pm, Fri 11am and one exercise

239 views • 12 slides
White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to

White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to

White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to protect a cryptographic key? Well, put it in a smartcard of course! ... or any piece of secure hardware But... Secure hardware is expensive

1.6k views • 98 slides
C u s t o m c r y p t o p o l i c i e s b y e x a m p l e s T o m

C u s t o m c r y p t o p o l i c i e s b y e x a m p l e s T o m

C u s t o m c r y p t o p o l i c i e s b y e x a m p l e s T o m M r z P r i n c i p a l S W E n g i n e e r , R e d H a t 1 A G E N D A W h a t w e l l b

963 views • 41 slides
Midterm Recap Misuse of Crypto and Future Work Clipper chip A lesson in poorly

Midterm Recap Misuse of Crypto and Future Work Clipper chip A lesson in poorly

Midterm Recap Misuse of Crypto and Future Work Clipper chip A lesson in poorly designed protocols Clipper Clipper Goal: Support encrypted communication Confidentiality between devices Goal: Permit law enforcement

639 views • 59 slides
PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange

PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange

PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit Eindhoven 2 University of Illinois at Chicago 27 December 2015 D-Wave quantum computer isnt universal . . .

789 views • 65 slides
Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock

Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock

Cryptography : how to talk in a secret language in public You broke ! my heart Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock box Only Alice Bob slams knows the the door combination

81 views • 7 slides

More recommend