lattices from worst case to average case to cryptography
play

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris - PowerPoint PPT Presentation

Oct 11, 2023 •681 likes •1.43k views

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 6 May 2010 1 / 16 Talk Agenda 1 Smoothing and discrete Gaussians 2 From worst-case

  1. Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 6 May 2010 1 / 16

  2. Talk Agenda 1 Smoothing and discrete Gaussians 2 From worst-case to average-case 3 Basic crypto applications 2 / 16

  3. Part 1: The Smoothing Parameter and Discrete Gaussians ◮ D. Micciancio, O. Regev (FOCS 2004) “Worst-Case to Average-Case Reductions Based on Gaussian Measures” ◮ C. Gentry, C. Peikert, V. Vaikuntanathan (STOC 2008) “Trapdoors for Hard Lattices and New Cryptographic Constructions” 3 / 16

  4. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) 4 / 16

  5. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) 4 / 16

  6. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) 4 / 16

  7. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) 4 / 16

  8. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) Definition: Smoothing Parameter smooth ( L ) = min s > 0 such that ρ ( s L ∗ \ { 0 } ) ≤ negl ( n ) 4 / 16

  9. The Smoothing Parameter [AR’04,MR’04] ◮ Gaussian function ρ ( x ) = e − π � x � 2 . Scaled: ρ s ( x ) = ρ ( x / s ) . Dual L ∗ Primal L ˆ f ( w ) ∝ ρ 1 / s ( w ) for w ∈ L ∗ f s ( x ) ∝ ρ s ( L + x ) Key Fact For s ≥ smooth ( L ) , every coset has equal ∗ mass: ρ s ( L + x ) ≈ ρ s ( L ) . 4 / 16

  10. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) 5 / 16

  11. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) Need to show: ρ ( s Z n \ { 0 } ) ≤ negl when s = ω ( √ log n ) . s O 5 / 16

  12. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) Need to show: ρ ( s Z n \ { 0 } ) ≤ negl when s = ω ( √ log n ) . Lemma: Tail Bound [Banaszczyk’95] For any lattice L , ) ≤ 2 exp ( − π s 2 ) · ρ ( L ) ρ ( L \ s O 5 / 16

  13. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) Need to show: ρ ( s Z n \ { 0 } ) ≤ negl when s = ω ( √ log n ) . Lemma: Tail Bound [Banaszczyk’95] For any lattice L , ) ≤ 2 exp ( − π s 2 ) · ρ ( L ) ρ ( L \ s O 5 / 16

  14. Smoothing Parameter of Z n Theorem smooth ( Z n ) ≤ ω ( √ log n ) Need to show: ρ ( s Z n \ { 0 } ) ≤ negl when s = ω ( √ log n ) . Lemma: Tail Bound [Banaszczyk’95] For any lattice L , ) ≤ 2 exp ( − π s 2 ) · ρ ( L ) ρ ( L \ s O By union bound, p := ρ ( s Z n \ { 0 } ) = ρ ( s Z n \ ) ≤ n · negl · ρ ( s Z n ) = negl · ( 1 + p ) . � 5 / 16

  15. Smoothing Parameter of Any Lattice [MR’04,GPV’08] ◮ Gram-Schmidt orthogonalization � B . (Note: � � B � := max i � � b i � ≤ max i � b i � ) Dual L ∗ Primal L b 2 � b 2 � b 1 = b 1 6 / 16

  16. Smoothing Parameter of Any Lattice [MR’04,GPV’08] ◮ Gram-Schmidt orthogonalization � B . (Note: � � B � := max i � � b i � ≤ max i � b i � ) Theorem B � · ω ( √ log n ) . Let B be any basis of L . Then smooth ( L ) ≤ � � Dual L ∗ Primal L b 2 � b 2 � b 1 = b 1 6 / 16

  17. Smoothing Parameter of Any Lattice [MR’04,GPV’08] ◮ Gram-Schmidt orthogonalization � B . (Note: � � B � := max i � � b i � ≤ max i � b i � ) Theorem B � · ω ( √ log n ) . Let B be any basis of L . Then smooth ( L ) ≤ � � ◮ Dual basis: � b ∗ i , b j � = δ ij . (GSO in reverse.) Dual L ∗ Primal L � b ∗ 2 = b ∗ 2 b 2 � b 2 � b 1 = b 1 � b ∗ 1 b ∗ 1 6 / 16

  18. Smoothing Parameter of Any Lattice [MR’04,GPV’08] ◮ Gram-Schmidt orthogonalization � B . (Note: � � B � := max i � � b i � ≤ max i � b i � ) Theorem B � · ω ( √ log n ) . Let B be any basis of L . Then smooth ( L ) ≤ � � ◮ Dual basis: � b ∗ Fact: � � i � = 1 / � � b ∗ i , b j � = δ ij . (GSO in reverse.) b i � Dual L ∗ Primal L � b ∗ 2 = b ∗ 2 b 2 � b 2 � b 1 = b 1 � b ∗ 1 b ∗ 1 6 / 16

  19. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 7 / 16

  20. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 7 / 16

  21. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . 7 / 16

  22. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . Gaussian-like Properties 1 High probability tail bounds: for x ∼ D L + c , s , s · √ n � x � ≤ � for unit u , |� x , u �| ≤ s · ω ( log n ) 7 / 16

  23. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . Gaussian-like Properties 1 High probability tail bounds: for x ∼ D L + c , s , s · √ n � x � ≤ � for unit u , |� x , u �| ≤ s · ω ( log n ) 2 Additive: if x ∼ D L + c , s and y ∼ D L + d , t , then x + y ∼ D L + c + d , √ s 2 + t 2 7 / 16

  24. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . Gaussian-like Properties 1 High probability tail bounds: for x ∼ D L + c , s , s · √ n � x � ≤ � for unit u , |� x , u �| ≤ s · ω ( log n ) 2 Additive: if x ∼ D L + c , s and y ∼ D L + d , t , then x + y ∼ D L + c + d , √ s 2 + t 2 3 Unpredictable: min-entropy ≥ n 7 / 16

  25. Discrete Gaussians over Lattices Suppose x ∼ Gauss ( s ) for s ≥ smooth ( L ) . 1 x belongs to uniform ∗ coset L + c [ ∀ c , ρ s ( L + c ) ≈ ρ s ( L ) ] 2 Given c , conditional distrib of x ∈ L + c is: D L + c , s ( x ) ∝ ρ s ( x ) . Gaussian-like Properties 1 High probability tail bounds: for x ∼ D L + c , s , s · √ n � x � ≤ � for unit u , |� x , u �| ≤ s · ω ( log n ) 2 Additive: if x ∼ D L + c , s and y ∼ D L + d , t , then x + y ∼ D L + c + d , √ s 2 + t 2 3 Unpredictable: min-entropy ≥ n 4 Many more . . . 7 / 16

  26. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B 8 / 16

  27. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 8 / 16

  28. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 8 / 16

  29. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 8 / 16

  30. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 8 / 16

  31. Sampling a Discrete Gaussian [GPV’08,P’10] ◮ Given basis B and c ∈ R n , efficiently sample D L− c , s for s ≥ � � B � ⋆ Output distribution is ‘oblivious’ to input basis B ◮ “Nearest-plane” algorithm w/ randomized rounding [Babai’86,Klein’00] b 2 c b 1 ◮ Proof: by smoothing, D L− c , s ( plane ) depends only on dist ( c , plane ) 8 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 1 / 15 Worst-case versus average-case complexity Lattices are an

851 views • 58 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University Israel 2012 Session Outline Average-Case Problems The Small Integer Solution (SIS)

909 views • 63 slides
Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and

Worst-case to average case reductions for the distance to a code CCC 2018 Eli Ben-Sasson and Swastik Kopparty and Shubhangi Saraf June 2018 Overview motivation main results applications one proof Motivation Arithmetization

283 views • 15 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Algorithm : Design & Analysis [6] Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds for Sorting by Comparison of Keys Worst Case Average Behavior Heapsort Heap Structure and Patial

658 views • 31 slides
Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort

Lower Bounds Best-, Average-, and Worst-Case Time Complexity Ex. Insertion sort of x 1 , x 2 , , x n . For i = 2, 3, , n , insert x i into x 1 , x 2 , , x i 1 such that these i data items are sorted.

509 views • 31 slides
Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case) Make - Heap (1) (1) (1) (lg n ) O (lg n ) (1) Insert (1) O (lg n ) (1) Minimum Extract - Min (lg n ) (lg n ) O (lg n ) ( n

376 views • 16 slides
Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research)

Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research)

Average-case Acceleration Through Spectral Density Estimation Fabian Pedregosa (Google Research) Damien Scieur (Samsung SAIT AI Lab, Montral) International Conference on Machine Learning 2020 Complexity Analysis in Optimization Worst-case

271 views • 12 slides
Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC) Background Deterministic QoS guarantees dictate a need for an analytical evaluation of QoS parameters: worst-case latency, worst- case

211 views • 6 slides
Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if...

Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if...

Oblivious randomized rounding Neal E. Young April 28, 2008 What would the world be like if... SAT is hard in the worst case, BUT... generating hard random instances of SAT is hard? Lipton, 1993 worst-case versus average-case complexity 1.

481 views • 22 slides
Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen High Performance Networking Group Stanford University HotNets-IV, November 2005 Introduction: Worst-case design Preference for worst-case

1.24k views • 14 slides
quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place? recursive version? data structures and algorithms merge sort: 2020 09 10 worst-case time complexity? lecture 4 best-case time complexity? in-place?

548 views • 7 slides
1 Expectimax Pseudocode Expectimax Example 10 1/2 1/6 1/3 5 8 24 7 -12 def

1 Expectimax Pseudocode Expectimax Example 10 1/2 1/6 1/3 5 8 24 7 -12 def

Worst-Case vs. Average Case CSE 473: Artificial Intelligence Expectimax, Uncertainty, Utilities max min 10 10 9 100 Dieter Fox [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188

394 views • 8 slides
Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal MaxPlanckInstitut f ur Informatik Saarbr ucken Germany Jyrki Katajainen Datalogisk Institut Kbenhavns Universitet Denmark July 1998 Worst-Case Ef

161 views • 12 slides
Average Connectivity and Average Edge-connectivity in Graphs Suil O joint work with Jaehoon Kim

Average Connectivity and Average Edge-connectivity in Graphs Suil O joint work with Jaehoon Kim

Average Connectivity and Average Edge-connectivity Average Connectivity and Matching Average Edge-connectivity in Regular Graphs Average Connectivity and Average Edge-connectivity in Graphs Suil O joint work with Jaehoon Kim University of

869 views • 68 slides
VTA 03.12.2019 | TU Darmstadt | ESA | F. Stock | 1 TaPaSCo Framework Builds complete

VTA 03.12.2019 | TU Darmstadt | ESA | F. Stock | 1 TaPaSCo Framework Builds complete

TaPaSCo: Task-Parallel System Composer for FPGAs Deploy VTA on More Platforms Samuel Gro, Florian Stock, Carsten Heinz, Jaco A. Hofmann, Lukas Sommer, Lukas Weber, Andreas Koch Embedded Systems and Applications Group, TU Darmstadt VTA

467 views • 18 slides
WiP Abstract: A Framework on Profiling Cross- Domain Noise Propagation in Control CPS Feng Tan 1 ,

WiP Abstract: A Framework on Profiling Cross- Domain Noise Propagation in Control CPS Feng Tan 1 ,

WiP Abstract: A Framework on Profiling Cross- Domain Noise Propagation in Control CPS Feng Tan 1 , Liansheng Liu 2 , Stefan Winter 3 , Qixin Wang 1 , Neeraj Suri 3 , Lei Bu 4 , Yu Peng 2 , Xue Liu 5 , Xiyuan Peng 2 1 The Hong Kong Polytechnic

48 views • 3 slides
Software Engineering I (02161) Week 8 Assoc. Prof. Hubert Baumeister DTU Compute Technical

Software Engineering I (02161) Week 8 Assoc. Prof. Hubert Baumeister DTU Compute Technical

Software Engineering I (02161) Week 8 Assoc. Prof. Hubert Baumeister DTU Compute Technical University of Denmark Spring 2013 Contents Software Development Process (cont.) From Requirements to Design: CRC Cards Version control Resource

615 views • 58 slides
International Centre for Tax and Development www.ictd.ac 1. Tax after the Pandemic: Can Africa

International Centre for Tax and Development www.ictd.ac 1. Tax after the Pandemic: Can Africa

International Centre for Tax and Development www.ictd.ac 1. Tax after the Pandemic: Can Africa Raise the Revenue It Needs? Mick Moore 15 th June 2020 International Centre for Tax and Development International Centre for Tax and Development

205 views • 18 slides
Supersymmetry Without Prejudice James Gainer May 12, 2009 James Gainer Supersymmetry Without

Supersymmetry Without Prejudice James Gainer May 12, 2009 James Gainer Supersymmetry Without

Supersymmetry Without Prejudice James Gainer May 12, 2009 James Gainer Supersymmetry Without Prejudice SUSY Without Prejudice This talk is based on JHEP 0902:023,2009/ arXiv:0812.0980 [hep-ph] arXiv:0903.4409 [hep-ph] Works in

377 views • 22 slides
SUSY Without Prejudice : I Background & Experimental Constraints We will restore

SUSY Without Prejudice : I Background & Experimental Constraints We will restore

SUSY Without Prejudice : I Background & Experimental Constraints We will restore science to its rightful place C. F. Berger, J. S. Gainer, J. L. Hewett & TGR 1 arXiv: 0812.0980 02/11/2009 The MSSM has many nice

680 views • 25 slides
LArSoft Work Plan for 2017 by: Erica Snider and Katherine Lato Last updated 8/29/17 Background

LArSoft Work Plan for 2017 by: Erica Snider and Katherine Lato Last updated 8/29/17 Background

LArSoft Work Plan for 2017 by: Erica Snider and Katherine Lato Last updated 8/29/17 Background .................................................................................................................................................. 1

827 views • 7 slides

More recommend