
Lattices: . . . to Cryptography. Chris Peikert, Georgia Institute of Technology. Visions of Cryptography, 10 December 2013. (PowerPoint PPT Presentation)


  1. Lattices: . . . to Cryptography. Chris Peikert, Georgia Institute of Technology. Visions of Cryptography, 10 December 2013. 1 / 12

  2. Agenda. 1 The ~~two~~ one main lattice-based OWF. 2 Two simple tricks that yield all∗ of lattice cryptography. 3 Lots of applications. 2 / 12

  3. A Hard Problem: Short Integer Solution
◮ Goal: given uniform $A \in \mathbb{Z}_q^{n \times m}$, find short nonzero $z \in \mathbb{Z}^m$ such that $A z = 0 \in \mathbb{Z}_q^n$ (drawn as the wide $n \times m$ block $A$ times the tall vector $z$). (When $m \ge n \log q$, short solutions are guaranteed to exist.)
◮ Just SVP on random 'q-ary' lattice $\mathcal{L}^{\perp}(A) = \{ z \in \mathbb{Z}^m : A z = 0 \}$. [Figure: a 2-dimensional q-ary lattice with the points $(0, q)$, $(q, 0)$ and the origin $O$ marked.]
◮ $x \mapsto A x$ reduces $x$ modulo $\mathcal{L}^{\perp}(A)$. [Figure: the same lattice with the point $x$ added.]
Worst-Case/Average-Case Connection [Ajtai'96, . . . , MR'04, GPV'08, MP'13]
Finding solution $z$ with $\|z\| \le \beta \ll q$ (for uniformly random $A$) $\Downarrow$ solving $\mathrm{GapSVP}_{\beta\sqrt{n}}$ and $\mathrm{SIVP}_{\beta\sqrt{n}}$ on any $n$-dim lattice.
One-Way & Collision-Resistant Hash Function
◮ Set $m > n \lg q$. Define $f_A : \{0,1\}^m \to \mathbb{Z}_q^n$ as $f_A(x) = A x$.
◮ Collision $x, x' \in \{0,1\}^m$ where $A x = A x'$ . . . . . . yields solution $z = x - x' \in \{0, \pm 1\}^m$, of norm $\|z\| \le \sqrt{m}$. 3 / 12
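The collision-to-SIS step of this slide, as an added example (constructed here, not code from the slides): with the toy parameters $n = 2$, $m = 8$, $q = 5$ (so $m > n \lg q$), a collision of $f_A$ on $\{0,1\}^m$ is found by exhaustive search and turned into a nonzero $z \in \{0, \pm 1\}^m$ with $A z = 0 \bmod q$ and $\|z\| \le \sqrt{m}$. The parameters and seed are this example's assumptions; exhaustive search is only possible because they are tiny.

```python
import itertools
import math
import random

def sis_hash(A, x, q):
    """f_A(x) = A x mod q, with A stored as a list of rows over Z_q."""
    return tuple(sum(a * b for a, b in zip(row, x)) % q for row in A)

def find_collision(A, m, q):
    """Brute-force a collision of f_A on {0,1}^m (feasible only for toy sizes).
    One must exist once 2^m > q^n, i.e. m > n lg q: pigeonhole on the q^n outputs."""
    seen = {}
    for x in itertools.product((0, 1), repeat=m):
        h = sis_hash(A, x, q)
        if h in seen:
            return seen[h], x
        seen[h] = x
    return None

def collision_to_sis(A, q, x, x2):
    """A collision x != x' gives z = x - x' in {0,+-1}^m with A z = 0 mod q."""
    z = [a - b for a, b in zip(x, x2)]
    assert any(z) and sis_hash(A, z, q) == (0,) * len(A)
    return z

def norm(z):
    return math.sqrt(sum(v * v for v in z))

def demo(n=2, m=8, q=5, seed=1):
    """Constructed toy instance: m = 8 > n lg q = 2 lg 5 ~ 4.64, so f_A cannot be injective."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    x, x2 = find_collision(A, m, q)
    z = collision_to_sis(A, q, x, x2)
    return A, z, norm(z)
```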

  4. Another (?) Hard (?) Problem: Learning With Errors
◮ Wlog, $A = [\bar{A} \mid I_n] \in \mathbb{Z}_q^{n \times (m+n)}$. For $m \ge n \log q$, function $x \mapsto A x$ is regular ($\Rightarrow$ many preimages).
◮ What about $m \ll n \log q$? E.g., $m = n$? $m = 100$? Map $x \mapsto A x = \bar{A} x_1 + x_2$ is highly injective (whp). Is it one-way? Pseudorandom?
◮ Lattice interpretation: BDD on $\mathcal{L}(\bar{A}) = \{ v \equiv \bar{A} x_1 \bmod q \}$. [Figure: the lattice with the target point $b$ marked.]
◮ Search $\Leftrightarrow$ decision: $A x$ is pseudorandom.
◮ As hard as worst-case problems on $m$-dim lattices [Regev'05, P'09]. 4 / 12

  5. The two amazingly simple tricks behind all of lattice cryptography... 5 / 12

  6. Trick #1: Generate Random Instance with Solution(s)
◮ Generate (pseudo)random $A'$ with a short solution:
 1 Choose $A \leftarrow \mathbb{Z}_q^{n \times m}$ and short $x$.
 2 Let $u = -[A \mid I_n] \cdot x$ and $A' = [u \mid A]$. Then $[A' \mid I_n] \cdot \binom{1}{x} = u + [A \mid I_n] \cdot x = 0$.
◮ For many solutions, let $U = -[A \mid I_n] \cdot X$ and $A' = [U \mid A]$. Then $[A' \mid I_n] \cdot \binom{I_k}{X} = 0$.
◮ Of course, we can also multiply on the left: Let $u^t = x^t \binom{A}{I_m}$ and $A' = \binom{u^t}{A}$. 6 / 12
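Trick #1 carried out as an added example (constructed here, not code from the slides): `plant` builds $A' = [U \mid A]$ from $k$ short columns $X$ exactly as on the slide, and `check_planted` evaluates $[A' \mid I_n] \cdot \binom{I_k}{X} \bmod q$, which comes out all-zero. The single-solution case is $k = 1$. The toy sizes, modulus $q = 97$ and $\{-1,0,1\}$ entries for $X$ are this example's assumptions.

```python
import random

def mat_times_cols(A, X, q):
    """Return [A | I_n] · X mod q for X given as a list of k column vectors of length m+n."""
    n, m = len(A), len(A[0])
    out = []
    for x in X:
        x1, x2 = x[:m], x[m:]
        out.append([(sum(A[i][j] * x1[j] for j in range(m)) + x2[i]) % q for i in range(n)])
    return out

def plant(A, X, q):
    """Trick #1: U = -[A | I_n]·X and A' = [U | A], so that [A' | I_n]·(I_k ; X) = 0 mod q.
    With a single column X = [x] this is the slide's u = -[A | I_n]·x and A' = [u | A]."""
    n = len(A)
    U = [[(-v) % q for v in col] for col in mat_times_cols(A, X, q)]
    # A' = [U | A]: the k planted columns first, then the original m columns
    return [[U[c][i] for c in range(len(X))] + A[i] for i in range(n)]

def check_planted(A_prime, X, q):
    """Evaluate [A' | I_n] · (I_k ; X) mod q and return the k result columns (all-zero = verified).
    Column c of (I_k ; X) is the unit vector e_c stacked on X[c]: it selects U[c] and adds [A | I_n]·X[c]."""
    k = len(X)
    cols = [[1 if i == c else 0 for i in range(k)] + X[c] for c in range(k)]
    return mat_times_cols(A_prime, cols, q)

def demo(n=3, m=5, k=2, q=97, seed=3):
    """Constructed toy instance: uniform A in Z_q^{n x m}, k short columns X in {-1,0,1}^{m+n}."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    X = [[rng.choice((-1, 0, 1)) for _ in range(m + n)] for _ in range(k)]
    A_prime = plant(A, X, q)
    return A_prime, check_planted(A_prime, X, q)
```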

  7. Key Agreement/Encryption
Public matrix $A \in \mathbb{Z}_q^{n \times m}$; the diagram has one party holding short $s$ (first block $s_1$) on the left and one holding short $r$ (first block $r_1$) on the right.
◮ Exchanged values: $u = [A \mid I_n]\, r$ from the $r$ side and $v^t = s^t \binom{A}{I_m}$ from the $s$ side.
◮ Keys: $k_b = v^t \cdot r_1 + \mathrm{err} \approx s_1^t A r_1$ on the $r$ side and $k_a = s_1^t \cdot u + \mathrm{err} \approx s_1^t A r_1$ on the $s$ side.
◮ View of an eavesdropper: $(A, u, v, k_a)$. The slide's later build steps erase $r$ and then $s$ from the diagram, leaving only $A$, $u$, $v^t$ beside the view $(A, u, v, k_a)$. 7 / 12
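The exchange on this slide as an added example (constructed here, not code from the slides): both sides compute $u$, $v$ and then $k_a$, $k_b$, and the gap $k_a - k_b = s_1^t r_2 - s_2^t r_1 + \mathrm{err}_a - \mathrm{err}_b$ stays far below $q/4$, so a bit encoded on top of $k_a$ is recovered from $k_b$. Calling the $s$ side Alice and the $r$ side Bob, the $\{-1,0,1\}$ secrets and errors, the encoding of the bit as $\mathrm{bit} \cdot \lfloor q/2 \rfloor$ added to $k_a$, and the sizes $q = 2^{15}$, $n = m = 16$ are this example's assumptions.

```python
import random

Q, N, M = 1 << 15, 16, 16   # constructed toy parameters; real schemes use far larger n, m

def small(rng, length):
    """Short vector with entries in {-1, 0, 1} (used for the secrets s, r and the errors)."""
    return [rng.choice((-1, 0, 1)) for _ in range(length)]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def alice_public(A, s):
    """v^t = s^t [A ; I_m] = s_1^t A + s_2^t, with s = (s_1 in Z^n, s_2 in Z^m)."""
    s1, s2 = s[:N], s[N:]
    return [(sum(s1[i] * A[i][j] for i in range(N)) + s2[j]) % Q for j in range(M)]

def bob_public(A, r):
    """u = [A | I_n] r = A r_1 + r_2, with r = (r_1 in Z^m, r_2 in Z^n)."""
    r1, r2 = r[:M], r[M:]
    return [(dot(A[i], r1) + r2[i]) % Q for i in range(N)]

def alice_key(s, u, err):
    return (dot(s[:N], u) + err) % Q          # k_a = s_1^t u + err

def bob_key(v, r, err):
    return (dot(v, r[:M]) + err) % Q          # k_b = v^t r_1 + err

def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def encrypt_bit(k_a, bit):
    """Assumed encoding: the bit rides on k_a as bit * floor(q/2); the public view is (A, u, v, c)."""
    return (k_a + bit * (Q // 2)) % Q

def decrypt_bit(c, k_b):
    return 1 if abs(centered(c - k_b)) > Q // 4 else 0

def run(seed=7, bit=1):
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    s, r = small(rng, N + M), small(rng, M + N)
    v, u = alice_public(A, s), bob_public(A, r)
    k_a = alice_key(s, u, rng.choice((-1, 0, 1)))
    k_b = bob_key(v, r, rng.choice((-1, 0, 1)))
    # k_a - k_b = s_1^t r_2 - s_2^t r_1 + err_a - err_b, so |gap| <= n + m + 2 << q/4
    gap = abs(centered(k_a - k_b))
    return gap, decrypt_bit(encrypt_bit(k_a, bit), k_b)
```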

  8. Trick #2: Inverting an Easy Function
◮ A special parity-check matrix: let $g^t = [1\ 2\ 4 \cdots 2^{k-1}]$ with $2^{k-1} \ge q/2$, and
$G = \begin{bmatrix} \cdots g^t \cdots & & & \\ & \cdots g^t \cdots & & \\ & & \ddots & \\ & & & \cdots g^t \cdots \end{bmatrix} \in \mathbb{Z}_q^{n \times nk}.$
◮ Invert SIS: given $u \in \mathbb{Z}_q^n$, can compute $x \in \{0,1\}^{nk}$ s.t. $G x = u$. More generally, can sample a Gaussian $x \leftarrow G^{-1}(u)$. Can generate $(x, u)$ in two equivalent ways: $u \leftarrow \mathbb{Z}_q^n$ followed by $x \leftarrow G^{-1}(u)$, or $x \leftarrow$ Gauss followed by $u = G x$.
◮ Invert LWE: given $v = x^t \binom{G}{I} \approx [x_1\ \ 2x_1\ \cdots\ 2^{k-1}x_1\ \cdots]$, find $x$. 8 / 12
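Both inversions on this slide as an added example (constructed here, not code from the slides): `invert_sis` returns the binary $x$ with $G x = u$ (the Gaussian sampler is not shown), and `invert_lwe` recovers $x_1$ from $v^t = x_1^t G + x_2^t$ one bit at a time, working from the row that holds $2^{k-1} x_1$ downward, then reads off $x_2$. The choice $q = 2^k$ with $k = 8$ (so $2^{k-1} = q/2$ exactly) and the error bound $|x_2| < q/4$ are this example's assumptions; for a general $q$ the bit-peeling step needs more care.

```python
K = 8                 # bit length k; q = 2^k is a constructed choice so that 2^(k-1) = q/2 exactly
Q = 1 << K

def gadget_matrix(n):
    """G = I_n (x) g^t in Z_q^{n x nk}: g^t = [1 2 4 ... 2^(k-1)] on each diagonal block."""
    return [[(1 << (j % K)) if j // K == i else 0 for j in range(n * K)] for i in range(n)]

def invert_sis(u):
    """Given u in Z_q^n, return x in {0,1}^{nk} with G x = u: the binary expansion of each u_i."""
    return [(ui >> i) & 1 for ui in u for i in range(K)]

def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def invert_g_lwe(b):
    """Recover s in Z_q from one block b_i = 2^i s + e_i mod q (i = 0..k-1) with |e_i| < q/4.
    Row k-1 holds 2^(k-1) s_0 + e, which is near 0 iff s_0 = 0; after subtracting the already
    known low bits from row k-1-i, that row holds 2^(k-1) s_i + e, so bits are peeled top-down."""
    s = 0
    for i in range(K):
        residual = centered(b[K - 1 - i] - (s << (K - 1 - i)))
        if abs(residual) > Q // 4:
            s |= 1 << i
    return s

def invert_lwe(v, n):
    """v^t = x_1^t G + x_2^t with x_1 in Z_q^n and x_2 short: recover x_1 per block, then x_2 = v - x_1^t G."""
    x1 = [invert_g_lwe(v[i * K:(i + 1) * K]) for i in range(n)]
    x2 = [centered(v[j] - (x1[j // K] << (j % K))) for j in range(n * K)]
    return x1, x2

def lwe_sample(x1, x2):
    """Constructed helper: form v^t = x_1^t G + x_2^t mod q for a given secret and error."""
    return [((x1[j // K] << (j % K)) + x2[j]) % Q for j in range(len(x2))]
```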
