measuring simulating and exploiting the head concavity
play

Measuring, simulating and exploiting the head concavity phenomenon - PowerPoint PPT Presentation

Apr 18, 2023 •280 likes •758 views

Measuring, simulating and exploiting the head concavity phenomenon in BKZ Shi Bai 1 e 2 Weiqiang Wen 3 Damien Stehl 1 Florida Atlantic University. USA. 2 Ecole Normale Sup erieure de Lyon. France. 3 IRISA, Universit e Rennes 1. France.

  1. Measuring, simulating and exploiting the head concavity phenomenon in BKZ Shi Bai 1 e 2 Weiqiang Wen 3 Damien Stehl´ 1 Florida Atlantic University. USA. 2 ´ Ecole Normale Sup´ erieure de Lyon. France. 3 IRISA, Universit´ e Rennes 1. France. Asiacrypt 2018, Brisbane, Australia. 1 / 21

  2. Outline The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography. 2 / 21

  3. Outline The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography. 1. Explain and quantify the shorter-than-expected phenomenon in the head region in BKZ. 2 / 21

  4. Outline The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography. 1. Explain and quantify the shorter-than-expected phenomenon in the head region in BKZ. 2. A more accurate simulator for BKZ. 2 / 21

  5. Outline The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography. 1. Explain and quantify the shorter-than-expected phenomenon in the head region in BKZ. 2. A more accurate simulator for BKZ. 3. A new BKZ variant that exploits the shorter-than-expected phenomenon. 2 / 21

  6. Lattice b 1 b 2 0 � � b 2 b 2 Definition Given a set of linearly independent vectors { b 1 , · · · , b n } ⊆ Q m , the lattice L spanned by the b i ’s is n � � � L ( { b 1 , · · · , b n } ) = z i b i | z i ∈ Z . i =1 Let B be the column matrix of { b 1 , · · · , b n } and denote the lattice by L ( B ). 3 / 21

  7. Lattice b 1 b 2 0 λ 1 � � b 2 b 2 Lattice minimum Given a lattice L , the minimum λ 1 ( L ) is the norm of a shortest non-zero vector in L . 3 / 21

  8. Lattice b 1 b 2 0 � b 1 � � b 2 b 2 Bases of a lattice Given B 1 , B 2 ∈ Q m × n , then L ( B 1 ) = L ( B 2 ) iff B 2 = B 1 U for some unimodular matrix U ∈ Z n × n . 3 / 21

  9. Lattice b 1 b 2 0 � b 1 � � b 2 b 2 The BKZ lattice reduction algorithm helps to find bases like ( b 1 , b 2 ). Bases of a lattice Given B 1 , B 2 ∈ Q m × n , then L ( B 1 ) = L ( B 2 ) iff B 2 = B 1 U for some unimodular matrix U ∈ Z n × n . 3 / 21

  10. Lattice b 1 ( b ∗ 1 ) b 2 b ∗ 2 0 ∗ � ∗ b 1 ( � � b 1 ) b 2 � � � b 2 b 2 b 2 Gram-Schmidt orthogonalization Let B ∗ = ( b ∗ 1 , · · · , b ∗ n ) denote the Gram–Schmidt orthogonalization of B . i � b ∗ The determinant of a lattice L is det( L ) = � i � . 3 / 21

  11. BKZ- β reduced Given B = ( b 1 , · · · , b n ), let b ( j ) denote the orthogonal projection of b i i onto the subspace ( b 1 , · · · , b j − 1 ) ⊥ . For i < j ≤ n , let B [ i , j ] denote the (matrix) local block ( b ( i ) i , · · · , b ( i ) j ) and L [ i , j ] denote the lattice generated by B [ i , j ] . Definition A basis B is BKZ- β reduced for block size β ≥ 2 if it is size-reduced ∗ and satisfies: � b ∗ i � = λ 1 ( L [ i , min( i + β − 1 , n )] ) , ∀ i ≤ n . � b i , b ∗ j � * A basis B is size-reduced, if it satisfies | µ i , j |≤ 1 / 2 for j < i ≤ n where µ i , j = j � 2 . � b ∗ 4 / 21

  12. The BKZ algorithm The algorithm attempts to make all local blocks satisfy above the minimality condition simultaneously. Algorithm 1 BKZ algorithm (Schnorr and Euchner) Input: A basis B = ( b 1 , · · · , b n ), a block size β . Output: A BKZ- β reduced basis of L ( B ). 1: repeat 2: for i = 1 to n − 1 do find b such that � b ( i ) � = λ 1 ( L ( b ( i ) i , · · · , b ( i ) 3: min( n , i + β − 1) )) . SVP β : i � > λ 1 ( L ( b ( i ) i , · · · , b ( i ) if � b ∗ 4: min( n , i + β − 1) )) then 5: LLL-reduce( b 1 , · · · , b i − 1 , b , b i , · · · , b min( n , i + β ) ). 6: else 7: LLL-reduce( b 1 , · · · , b min( n , i + β ) ). 8: end if 9: end for 10: until no change occurs. C. P. Schnorr and M. Euchner. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. In FCT’91. 5 / 21

  13. The BKZ algorithm The algorithm attempts to make all local blocks satisfy above the minimality condition simultaneously. Algorithm 1 BKZ algorithm (Schnorr and Euchner) Input: A basis B = ( b 1 , · · · , b n ), a block size β . Output: A BKZ- β reduced basis of L ( B ). 1: repeat 2: for i = 1 to n − 1 do find b such that � b ( i ) � = λ 1 ( L ( b ( i ) i , · · · , b ( i ) 3: min( n , i + β − 1) )) . SVP β : i � > λ 1 ( L ( b ( i ) i , · · · , b ( i ) if � b ∗ 4: min( n , i + β − 1) )) then 5: LLL-reduce( b 1 , · · · , b i − 1 , b , b i , · · · , b min( n , i + β ) ). 6: else 7: LLL-reduce( b 1 , · · · , b min( n , i + β ) ). 8: end if 9: end for 10: until no change occurs. • [Line 3] In practice, SVP solver can be pruned enumeration or sieving. SVP Challenge. https://www.latticechallenge.org/svp-challenge/. 5 / 21

  14. Quality of BKZ- β reduced basis A concrete cryptanalysis relies on the BKZ simulator of Chen and Nguyen (ASIACRYPT’11). It uses the Gaussian heuristic on local blocks, with a modification for the tail blocks. Gaussian heuristic For any random n -dimensional lattice L , we have 1 · det ( L ) 1 / n λ 1 ( L ) ≈ GH ( L ) = v 1 / n n where v n is the volume of a unit n -ball. Y. Chen and P.Q. Nguyen. BKZ 2.0: Better lattice security estimates. In ASIACRYPT’11. 6 / 21

  15. (Simplified) Chen-Nguyen simulator Algorithm 2 (Simplified) Chen-Nguyen simulator. Input: G-S norms ( � b ∗ 1 � , · · · , � b ∗ n � ), a block size β . Output: Simulated G-S norms of BKZ β -reduced basis of L ( B ). 1: repeat 2: for i = 1 to n − 1 do find b such that � b ( i ) � = λ 1 ( L ( b ( i ) i , · · · , b ( i ) 3: min( n , i + β − 1) )) . SVP β : i � > GH ( L (( b ( i ) i , · · · , b ( i ) if � b ∗ 4: min( n , i + β ) ))) then i � = GH ( L (( b ( i ) i , · · · , b ( i ) Update � b ∗ 5: min( n , i + β ) ))) . 6: else Keep � b ∗ 7: i � unchanged. 8: end if 9: end for 10: until no change occurs. 7 / 21

  16. Practical behavior of Chen-Nguyen’s simulator Experimental log � b ∗ i � Experimental log � b ∗ i � 1 . 2 1 . 00 Chen–Nguyen simulator Chen–Nguyen simulator 0 . 50 1 . 1 i � i � log � b ∗ log � b ∗ 0 . 00 1 − 0 . 50 − 1 . 00 0 . 9 1 20 40 60 80 100 1 2 4 6 8 10 Index i Index i Gram–S. log-norms of BKZ 45 at tour 50. Same as left hand side, but zoomed in. Such “head concavity” phenomenon has been reported in 8 / 21

  17. Practical behavior of Chen-Nguyen’s simulator Experimental log � b ∗ i � Experimental log � b ∗ i � 1 . 2 1 . 00 Chen–Nguyen simulator Chen–Nguyen simulator 0 . 50 1 . 1 i � i � log � b ∗ log � b ∗ 0 . 00 1 − 0 . 50 − 1 . 00 0 . 9 1 20 40 60 80 100 1 2 4 6 8 10 Index i Index i Gram–S. log-norms of BKZ 45 at tour 50. Same as left hand side, but zoomed in. Such “head concavity” phenomenon has been reported in ◮ experiments of BKZ 2.0 (Chen and Nguyen, ASIACRYPT’11); 8 / 21

  18. Practical behavior of Chen-Nguyen’s simulator Experimental log � b ∗ i � Experimental log � b ∗ i � 1 . 2 1 . 00 Chen–Nguyen simulator Chen–Nguyen simulator 0 . 50 1 . 1 i � i � log � b ∗ log � b ∗ 0 . 00 1 − 0 . 50 − 1 . 00 0 . 9 1 20 40 60 80 100 1 2 4 6 8 10 Index i Index i Gram–S. log-norms of BKZ 45 at tour 50. Same as left hand side, but zoomed in. Such “head concavity” phenomenon has been reported in ◮ experiments of BKZ 2.0 (Chen and Nguyen, ASIACRYPT’11); ◮ and modeled by Yu and Ducas (SAC’17). Y. Yu and L. Ducas. Second Order Statistical Behavior of LLL and BKZ. In SAC’17. 8 / 21

  19. A better simulator using the distribution of λ 1 in random lattices. 9 / 21

  20. Tools Let Γ n = {L ∈ R n | vol ( L ) = 1 } be the set of all full rank- n lattices with unit volume. Chen [Cor. 3.1.4] and S¨ odergren [Thm. 1]: Distribution of minimum in random lattices Sample L uniformly in Γ n . The distribution of v n · λ 1 ( L ) n converges in distribution to Expo (1 / 2) as n → ∞ . Take λ 1 ( L ) as a random variable Y , then Y = X 1 / n · GH ( L ) for X sampled from Expo (1 / 2). Y. Chen. R´ eduction de r´ eseau et s´ ecurit´ e concr` ete du chiffrement compl` etement homomorphe. PhD thesis, Universit´ e Paris Diderot, 2013. A. S¨ odergren. On the poisson distribution of lengths of lattice vectors in a random lattice. Mathematische Zeitschrift, 2011. 10 / 21

  21. A probabilistic BKZ simulator Algorithm 3 The new BKZ simulator (simplified) Input: G-S norms ( � b ∗ 1 � , · · · , � b ∗ n � ), a block size β . Output: Simulated G-S norms of BKZ- β -reduced basis of L ( B ). 1: repeat 2: for i = 1 to n − 1 do 3: Sample X from Expo[1/2]. i � > X 1 /β · GH ( L ( b ( i ) i , · · · , b ( i ) if � b ∗ 4: min( n , i + β − 1) )) then i � = X 1 /β · GH ( L ( b ( i ) i , · · · , b ( i ) Update � b ∗ 5: min( n , i + β ) )) . 6: else Keep � b ∗ 7: i � unchanged. 8: end if 9: end for 10: until no change occurs. 11 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

d i E Concavity and Curve Sketching a l l u d Dr. Abdulla Eid b A College of Science .

d i E Concavity and Curve Sketching a l l u d Dr. Abdulla Eid b A College of Science .

Section 13.3 d i E Concavity and Curve Sketching a l l u d Dr. Abdulla Eid b A College of Science . r D MATHS 104: Mathematics for Business II Dr. Abdulla Eid (University of Bahrain) Concavity 1 / 18 Concavity Increasing

299 views • 18 slides
Concavity MCV4U: Calculus &amp; Vectors Consider the graph of y = x 3 below. Concavity and Points

Concavity MCV4U: Calculus &amp; Vectors Consider the graph of y = x 3 below. Concavity and Points

c u r v e s k e t c h i n g c u r v e s k e t c h i n g Concavity MCV4U: Calculus &amp; Vectors Consider the graph of y = x 3 below. Concavity and Points of Inflection J. Garvin J. Garvin Concavity and Points of Inflection Slide 1/21

332 views • 4 slides
Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick

Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor,

1.88k views • 85 slides
National Seminar The Gambias tourism sector: Measuring its value chain and exploiting its

National Seminar The Gambias tourism sector: Measuring its value chain and exploiting its

National Seminar The Gambias tourism sector: Measuring its value chain and exploiting its potential Coco Ocean Resort 23 rd May, 2019 Presenter: Ya Awa Nyassi Senior Planner Ministry of Tourism &amp; Culture of The Gambia

758 views • 9 slides
MATH 12002 - CALCULUS I 3.3: Concavity &amp; Inflection Points Professor Donald L. White

MATH 12002 - CALCULUS I 3.3: Concavity &amp; Inflection Points Professor Donald L. White

MATH 12002 - CALCULUS I 3.3: Concavity &amp; Inflection Points Professor Donald L. White Department of Mathematical Sciences Kent State University D.L. White (Kent State University) 1 / 5 Concavity Definition A function f is concave up on

71 views • 5 slides
Logarithmic concavity of weight multiplicities for irreducible sl n ( C ) -representations

Logarithmic concavity of weight multiplicities for irreducible sl n ( C ) -representations

Logarithmic concavity of weight multiplicities for irreducible sl n ( C ) -representations arXiv:1906.09633 June Huh, Jacob P. Matherne, Karola M esz aros, Avery St. Dizier Institute for Advanced Study, University of Oregon, Cornell

745 views • 41 slides
Simulating Chromosome Segregation Qi Zheng Simulating Chromosome Segregation Qi Zheng

Simulating Chromosome Segregation Qi Zheng Simulating Chromosome Segregation Qi Zheng

High Performance Research Computing Simulating Chromosome Segregation Qi Zheng Simulating Chromosome Segregation Qi Zheng Department of Epidemiology &amp; Biostatistics, Texas A&amp;M University What motivated this study? The

211 views • 10 slides
Simulating Syst Simulating Systems in Gr ems in Ground V ound Vehicle hicle Design Design

Simulating Syst Simulating Systems in Gr ems in Ground V ound Vehicle hicle Design Design

Simulating Syst Simulating Systems in Gr ems in Ground V ound Vehicle hicle Design Design Frederic ederick J. k J. Ross ss Direct Director or, Gr , Ground T ound Transpor ansportation tation Agenda Ag Simulating Syst Simulat ng

306 views • 29 slides
Log-Concavity of Characteristic Polynomials and Toric Intersection Theory Eric Katz (University

Log-Concavity of Characteristic Polynomials and Toric Intersection Theory Eric Katz (University

Log-Concavity of Characteristic Polynomials and Toric Intersection Theory Eric Katz (University of Waterloo) joint with June Huh (University of Michigan) February 18, 2013 Eric Katz (Waterloo) Log-concavity February 18, 2013 1 / 30

485 views • 30 slides
Measuring Location: z-scores Example 1 Distribution of head circumference for male soldiers is

Measuring Location: z-scores Example 1 Distribution of head circumference for male soldiers is

Measuring Location: z-scores Example 1 Distribution of head circumference for male soldiers is approximately normal with mean = 22.8 inches and std. dev. 1.1 inches. a) What percent of soldier have head circumference greater than 23.9

610 views • 21 slides
Longest increasing subsequences and log concavity Mikl os B ona University of Florida

Longest increasing subsequences and log concavity Mikl os B ona University of Florida

Longest increasing subsequences and log concavity Mikl os B ona University of Florida Marie-Louise Bruner Technische Universit at Wien Bruce Sagan Michigan State University www.math.msu.edu/sagan October 5, 2015 The basic

211 views • 10 slides
Measuring Wellbeing and embedding evidence Richard Thurston Head of Research for Children,

Measuring Wellbeing and embedding evidence Richard Thurston Head of Research for Children,

Rights, Indicators &amp; Outcomes , Children in Wales Annual Conference, Newport, 24 th -25 th Nov 2009 Measuring Wellbeing and embedding evidence Richard Thurston Head of Research for Children, Education, Lifelong-learning &amp; Skills,

620 views • 15 slides
Simulating Search Strategies Simulating Search Strategies for Gnutella for Gnutella Chun Wai

Simulating Search Strategies Simulating Search Strategies for Gnutella for Gnutella Chun Wai

ENSC 835: HIGH-PERFORMANCE NETWORKS FINAL PROJECT PRESENTATIONS Fall 2003 Simulating Search Strategies Simulating Search Strategies for Gnutella for Gnutella Chun Wai Wai Chan Chan Chun http://www.sfu.ca/~cchany/ENSC835

463 views • 20 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Risk minimisation activities measuring effectiveness Dr Jane Cook Branch Head

Risk minimisation activities measuring effectiveness Dr Jane Cook Branch Head

Risk minimisation activities measuring effectiveness Dr Jane Cook Branch Head Pharmacovigilance and Special Access Branch 11 November 2015 Risk Minimisation Programme You have identified the risks to be mitigated. You have

219 views • 17 slides
Simulating What is Measured Closing the Loop between Experiment and Simulation Michael

Simulating What is Measured Closing the Loop between Experiment and Simulation Michael

Simulating What is Measured Closing the Loop between Experiment and Simulation Michael Bussmann, Axel Huebl Computational Radiation Physics Helmholtz-Center Dresden Rossendorf Xrays &amp; Lasers Simulating Matter when it is only

476 views • 22 slides
Information Retrieval Introduction 1 Hamid Beigy Sharif university of technology October 6, 2018

Information Retrieval Introduction 1 Hamid Beigy Sharif university of technology October 6, 2018

Information Retrieval Information Retrieval Introduction 1 Hamid Beigy Sharif university of technology October 6, 2018 1 Some slides have been adapted from slides of Manning, Yannakoudakis, and Sch utze. Hamid Beigy | Sharif university of

248 views • 21 slides
Dermoscopy Image? Catarina Barata and Carlos Santiago Computer and Robot Vision Lab Motivation

Dermoscopy Image? Catarina Barata and Carlos Santiago Computer and Robot Vision Lab Motivation

How Important Is Each Dermoscopy Image? Catarina Barata and Carlos Santiago Computer and Robot Vision Lab Motivation Dermoscopy Datasets 100000 10000 1000 100 2013 2014 2015 2016 2017 2018 2019 Computer and Robot Vision Lab 2

1.06k views • 29 slides
Lecture 1: Introduction and the Boolean Model Information Retrieval Computer Science Tripos Part

Lecture 1: Introduction and the Boolean Model Information Retrieval Computer Science Tripos Part

Lecture 1: Introduction and the Boolean Model Information Retrieval Computer Science Tripos Part II Helen Yannakoudakis 1 Natural Language and Information Processing (NLIP) Group helen.yannakoudakis@cl.cam.ac.uk 2018 1 Based on slides from

663 views • 45 slides
Rby : An Embedding of Alloy in Ruby Aleksandar Milicevic , Ido Efrati, and Daniel Jackson

Rby : An Embedding of Alloy in Ruby Aleksandar Milicevic , Ido Efrati, and Daniel Jackson

Rby : An Embedding of Alloy in Ruby Aleksandar Milicevic , Ido Efrati, and Daniel Jackson {aleks,idoe,dnj}@csail.mit.edu 1 What exactly is this embedding? 2 What exactly is this embedding? alloy API for ruby? 2 What exactly is this

990 views • 83 slides
Integrity Constraints In the electrical domain, what if we predict that a light should be on, but

Integrity Constraints In the electrical domain, what if we predict that a light should be on, but

Integrity Constraints In the electrical domain, what if we predict that a light should be on, but observe that it isnt? What can we conclude? We will expand the definite clause language to include integrity constraints which are rules that

410 views • 16 slides
UI-ASSIST WORKSHOP THEME 8 INDIA UPDATES UI-ASSIST MINIWORKSHOP Presentation 3.1 By

UI-ASSIST WORKSHOP THEME 8 INDIA UPDATES UI-ASSIST MINIWORKSHOP Presentation 3.1 By

UI-ASSIST WORKSHOP THEME 8 INDIA UPDATES UI-ASSIST MINIWORKSHOP Presentation 3.1 By Santanu Mishra, IIT Kanpur N P Padhy, IIT Roorkee Theme-8: Lab Pilots &amp; Validation 2 Theme 8: Objectives Reconfigurable Distribution Development

351 views • 18 slides
for hash-based signatures Andreas Hlsing Eindhoven University of Technology The quantum threat

for hash-based signatures Andreas Hlsing Eindhoven University of Technology The quantum threat

Simplified security arguments for hash-based signatures Andreas Hlsing Eindhoven University of Technology The quantum threat Shors algorithm breaks RSA, (EC)DSA, (EC)DH, Grovers algorithm asymptotically reduces complexity of

694 views • 48 slides
Triality in Little String Theories Stefan Hohenegger GGI Workshop: String Theory from a

Triality in Little String Theories Stefan Hohenegger GGI Workshop: String Theory from a

Triality in Little String Theories Stefan Hohenegger GGI Workshop: String Theory from a Worldsheet Perspective Galileo Galilei Institute, 29 Apr. 2019 based on work in collaboration with: Brice Bastian, Amer Iqbal and Soo-Jong Rey hep-th

2.08k views • 184 slides

More recommend