new and old proof systems for lattice problems
play

New (and Old) Proof Systems for Lattice Problems Navid Alamati - PowerPoint PPT Presentation

Aug 16, 2022 •273 likes •960 views

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13 Zero-Knowledge Proofs [GoldwasserMicaliRackoff85] A protocol allowing an unbounded Prover P to convince a skeptical,

  1. New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13

  2. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . 2 / 13

  3. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . ◮ The (honest) verifier learns nothing more than the truth of statement: ∃ efficient simulator S such that ∀ x ∈ L : View V [ P ( x ) ↔ V ( x )] ≈ S ( x ) . 2 / 13

  4. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . ◮ The (honest) verifier learns nothing more than the truth of statement: ∃ efficient simulator S such that ∀ x ∈ L : View V [ P ( x ) ↔ V ( x )] ≈ S ( x ) . ◮ Statistical ZK (SZK): “ ≈ ” means statistically indistinguishable. 2 / 13

  5. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . ◮ The (honest) verifier learns nothing more than the truth of statement: ∃ efficient simulator S such that ∀ x ∈ L : View V [ P ( x ) ↔ V ( x )] ≈ S ( x ) . ◮ Statistical ZK (SZK): “ ≈ ” means statistically indistinguishable. ◮ Honest-verifier SZK ≡ general SZK [GSV’98] . 2 / 13

  6. Zero-Knowledge Proofs [GoldwasserMicaliRackoff’85] ◮ A protocol allowing an unbounded Prover P to convince a skeptical, bounded Verifier V that some x ∈ L . ◮ The (honest) verifier learns nothing more than the truth of statement: ∃ efficient simulator S such that ∀ x ∈ L : View V [ P ( x ) ↔ V ( x )] ≈ S ( x ) . ◮ Statistical ZK (SZK): “ ≈ ” means statistically indistinguishable. ◮ Honest-verifier SZK ≡ general SZK [GSV’98] . ◮ SZK proofs are powerful: secure against unbounded malicious P ∗ , V ∗ . 2 / 13

  7. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . 3 / 13

  8. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . ◮ Both P and V have access to a uniformly random string. 3 / 13

  9. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . ◮ Both P and V have access to a uniformly random string. SZK versus NISZK ⋆ Both SZK and NISZK have complete problems [SV’97, GSV’99] 3 / 13

  10. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . ◮ Both P and V have access to a uniformly random string. SZK versus NISZK ⋆ Both SZK and NISZK have complete problems [SV’97, GSV’99] ⋆ SZK is closed under complement [SV’97] , but NISZK is not known to be. 3 / 13

  11. Noninteractive SZK [GoldreichSahaiVadhan’99] ◮ Consists of only one message from P to V . ◮ Both P and V have access to a uniformly random string. SZK versus NISZK ⋆ Both SZK and NISZK have complete problems [SV’97, GSV’99] ⋆ SZK is closed under complement [SV’97] , but NISZK is not known to be. ⋆ NISZK is closed under complement ⇐ ⇒ NISZK = SKZ [GSV’99] 3 / 13

  12. Lattices ◮ An n -dimensional lattice L ⊂ R n is a discrete additive subgroup, generated by a (non-unique) basis B = { b 1 , . . . , b n } : n b 1 � L = ( Z · b i ) i =1 b 2 O 4 / 13

  13. Lattices ◮ An n -dimensional lattice L ⊂ R n is a discrete additive subgroup, generated by a (non-unique) basis B = { b 1 , . . . , b n } : n b 1 � L = ( Z · b i ) x i =1 b 2 O ◮ Represent coset x + L ∈ ( R n / L ) by unique ¯ x ∈ ( x + L ) ∩ P ( B ) . 4 / 13

  14. Lattices ◮ An n -dimensional lattice L ⊂ R n is a discrete additive subgroup, generated by a (non-unique) basis B = { b 1 , . . . , b n } : n b 1 � L = ( Z · b i ) i =1 b 2 O λ 1 ◮ Represent coset x + L ∈ ( R n / L ) by unique ¯ x ∈ ( x + L ) ∩ P ( B ) . ◮ Minimum distance: length of shortest nonzero lattice vector λ 1 ( L ) = min 0 � = v ∈L � v � . 4 / 13

  15. Lattices ◮ An n -dimensional lattice L ⊂ R n is a discrete additive subgroup, generated by a (non-unique) basis B = { b 1 , . . . , b n } : n � L = ( Z · b i ) i =1 ◮ Represent coset x + L ∈ ( R n / L ) by unique ¯ x ∈ ( x + L ) ∩ P ( B ) . ◮ Minimum distance: length of shortest nonzero lattice vector λ 1 ( L ) = min 0 � = v ∈L � v � . ◮ Covering radius: maximum distance from the lattice µ ( L ) = max x ∈ R n dist ( x , L ) . 4 / 13

  16. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) 5 / 13

  17. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) 5 / 13

  18. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) 5 / 13

  19. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) 5 / 13

  20. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) Applications ◮ Worst-case to average-case reductions [MR’04,Regev’05] 5 / 13

  21. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) Applications ◮ Worst-case to average-case reductions [MR’04,Regev’05] ◮ Constructions of cryptographic primitives [GPV’08,. . . ] 5 / 13

  22. The Smoothing Parameter [MicciancioRegev’04] ◮ η ε ( L ) = minimal Gaussian ‘blur’ that ‘smooths out’ L (up to error ε : think 2 − n ≤ ε ≤ 1 / 2) Applications ◮ Worst-case to average-case reductions [MR’04,Regev’05] ◮ Constructions of cryptographic primitives [GPV’08,. . . ] ◮ Algorithms for SVP and CVP [ADRS’15,ADS’15] 5 / 13

  23. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? 6 / 13

  24. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. 6 / 13

  25. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. 6 / 13

  26. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. GapSPP is Central 6 / 13

  27. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. GapSPP is Central ◮ Replacing ‘classic’ problems w/GapSPP in proof systems [GG’98] and worst-case to average-case reductions [MR’04,R’05] subsumes the original results, and yields seemingly stronger ones. 6 / 13

  28. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. GapSPP is Central ◮ Replacing ‘classic’ problems w/GapSPP in proof systems [GG’98] and worst-case to average-case reductions [MR’04,R’05] subsumes the original results, and yields seemingly stronger ones. ◮ GapSPP ∈ SZK ⊆ AM ∩ coAM [CDLP’13] , but classic problems ∈ NISZK, coNP [AR’04,PV’08] . 6 / 13

  29. The Smoothing Parameter Problem [ChungDadushLiuPeikert’13] Definition: γ -GapSPP ε ◮ Given a lattice L , is η ε ( L ) ≤ 1 OR η ε ( L ) > γ ? ◮ Equivalent to ‘classical’ problems like GapSVP, up to ≈ √ n factors. We’re interested in non-trivial factors, where equivalence doesn’t help. GapSPP is Central ◮ Replacing ‘classic’ problems w/GapSPP in proof systems [GG’98] and worst-case to average-case reductions [MR’04,R’05] subsumes the original results, and yields seemingly stronger ones. ◮ GapSPP ∈ SZK ⊆ AM ∩ coAM [CDLP’13] , but classic problems ∈ NISZK, coNP [AR’04,PV’08] . Motivating Question Are there noninteractive proof systems for GapSPP? 6 / 13

  30. Our Results ◮ Noninteractive (NISZK/coNP) proof systems for GapSPP, improving prior ‘trivial’ factors by ≈ √ n . 7 / 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X ,

Proofs for Satisfiability Problems Marijn J.H. Heule Joint work with Armin Biere X . X , July 18, 2014 1/32 Outline Introduction Proof Systems Proof Search Proof Formats Proof Production Proof Consumption Applications Conclusions

574 views • 36 slides
Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International Complexity 2007 1 / 12 Lattices and Their Problems Let B = { b 1 , . . . , b n } R n be linearly independent. The n -dim lattice L having basis B is:

902 views • 58 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan

Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan

Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan Lattice QCD and Nuclei Nuclear theory predictions are needed to extract or constrain new physics from intensity frontier experiments Lattice QCD can

359 views • 20 slides
Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts ttts Tenerife PQCrypto Conference (January 31, 2018) Lattices What is a lattice? O Lattices What

1.59k views • 136 slides
Synthesis of Geometry Proof Problems Chris Alvin, Louisiana State University In Collaboration

Synthesis of Geometry Proof Problems Chris Alvin, Louisiana State University In Collaboration

Synthesis of Geometry Proof Problems Chris Alvin, Louisiana State University In Collaboration with Supratik Mukhopadhyay, LSU Sumit Gulwani, Microsoft Research, Redmond Rupak Majumdar, Max Planck Institute for Software Systems AAAI 14

639 views • 35 slides
a ; 90 o c -face centered lattice, having the

a ; 90 o c -face centered lattice, having the

PH-409 (2015) Tutorial Sheet No. 2 * Problems shall be discussed in tutorial class 20*. A two dimensional lattice has basis vectors 2 ; 2 . Find the a i b i j basis vectors of the reciprocal lattice. 21. (a) Show

214 views • 5 slides
Lattice Coding I: From Theory To Application Amin Sakzad Dept of Electrical and Computer Systems

Lattice Coding I: From Theory To Application Amin Sakzad Dept of Electrical and Computer Systems

Motivation Preliminaries Problems Relation Lattice Coding I: From Theory To Application Amin Sakzad Dept of Electrical and Computer Systems Engineering Monash University amin.sakzad@monash.edu Oct. 2013 Lattice Coding I: From Theory To

709 views • 58 slides
Modular proof theory for axiomatic extension and expansions of lattice logic Giuseppe Greco

Modular proof theory for axiomatic extension and expansions of lattice logic Giuseppe Greco

Modular proof theory for axiomatic extension and expansions of lattice logic Giuseppe Greco (joint work with P . Jipsen, F. Liang, A. Palmigiano) Prague, 28 June TACL 2017 Multi-type methodology Syntax meets semantics: the wider picture

461 views • 32 slides
KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems Safety-critical Verification Proof assistance Proof assistants Proof experience 2/10 Proof Experience Issues High iteration cost

339 views • 10 slides
Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik

Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik

Proof Systems that Take Advice Olaf Beyersdorff Institut fr Theoretische Informatik Leibniz-Universitt Hannover, Germany joint work with Johannes Kbler and Sebastian Mller Olaf Beyersdorff Proof Systems that Take Advice Proof Systems

854 views • 69 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The SNARG Definitions Construction END Background Option for SNARGs Security s Proof Systems Roadmap and Tools Framework Conclusions Motivation

1.03k views • 66 slides
Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/ Automated Reasoning and Satisfiability, September 24, 2019 Certificates What makes a problem hard? Certificate angle: can one efficiently check an

1.11k views • 107 slides
Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Background on lattice reduction Our results Our technical ideas and argument Conclusion and open problems Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL, UK London-ish Lattice Coding &

1.91k views • 167 slides
Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer

Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer

Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 2015 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open

1.21k views • 91 slides
Lectures 6 & 7: Optimization and Optimization and Lectures 6 & 7: Uncertainty of Supply

Lectures 6 & 7: Optimization and Optimization and Lectures 6 & 7: Uncertainty of Supply

Lectures 6 & 7: Optimization and Optimization and Lectures 6 & 7: Uncertainty of Supply Chain Uncertainty of Supply Chain Network (2) Network (2) Quality Assurance in Supply Chain Management (INSE 6300/4-UU) Winter 2011

438 views • 25 slides
Historical and Future Changes of Tropical Rain Belts: Cloud and Aerosol Processes Hui Su

Historical and Future Changes of Tropical Rain Belts: Cloud and Aerosol Processes Hui Su

Historical and Future Changes of Tropical Rain Belts: Cloud and Aerosol Processes Hui Su Chengxing Zhai 1 , Jonathan H. Jiang 1 , Longtao Wu 1 , J. David Neelin 2 , Yuk L. Yung 3 1 Jet Propulsion Laboratory, California Institute of Technology 2

518 views • 23 slides
1 Overview Of DCF Timing Diagram for DCF Both RTS and CTS packets specify the time for which the

1 Overview Of DCF Timing Diagram for DCF Both RTS and CTS packets specify the time for which the

Capacity of Ad Hoc Networks Physical Layer Issues Quality of Wireless links Quality of Wireless links Bandwidth of 802.11 Bandwidth of 802.11 b/g b/g Physical Layer Issues Physical Layer Issues upto upto 30 MHz, centered at

381 views • 6 slides
Strengthening Early Childhood in Kansas in 2019 WEBINAR December 11, 2019 Whats Next?

Strengthening Early Childhood in Kansas in 2019 WEBINAR December 11, 2019 Whats Next?

Strengthening Early Childhood in Kansas in 2019 WEBINAR December 11, 2019 Whats Next? Finalizing Needs Assessment Report Strategic Plan Development Online Share Form - https://kschildrenscabinet.org/share/ PDG B-5 Grant

543 views • 41 slides
4K Initiative in Poland: 4K Initiative in Poland: 4K Node in PSNC 4K Node in PSNC TF-Media

4K Initiative in Poland: 4K Initiative in Poland: 4K Node in PSNC 4K Node in PSNC TF-Media

4K Initiative in Poland: 4K Initiative in Poland: 4K Node in PSNC 4K Node in PSNC TF-Media Meeting 5 Nov 2009, Prague Maciej Glowiak - mac@man.poznan.pl What is 4K? The technology of displaying and processing high resolution video

289 views • 16 slides
SIMCI Combined Project FY08 Accomplishments FY08 Demonstration FY09 Plan Dr. Stanley H. Levine

SIMCI Combined Project FY08 Accomplishments FY08 Demonstration FY09 Plan Dr. Stanley H. Levine

Simulation-to-C4I Interoperability OIPT SIMCI Combined Project FY08 Accomplishments FY08 Demonstration FY09 Plan Dr. Stanley H. Levine for the BML Conference 2/4/2009 Simulation C4I Interoperability (SIMCI) FY08 Project Briefing

443 views • 15 slides
Foundations of Chemical Kinetics Lecture 27: Further developments of diffusion theory Marc R.

Foundations of Chemical Kinetics Lecture 27: Further developments of diffusion theory Marc R.

Foundations of Chemical Kinetics Lecture 27: Further developments of diffusion theory Marc R. Roussel Department of Chemistry and Biochemistry Stokes-Einstein theory In the last lecture, we obtained the equation D i = k B T / f i where f i

393 views • 11 slides
ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires & CONICET In

ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires & CONICET In

ON ABJM BDS EXPONENTIATION Matias Leoni Universidad de Buenos Aires & CONICET In collaboration with Marco S. Bianchi arXiv:1403.3398 N=4 SYM Exponentiation Consider color ordered MHV 4p amplitude in We define the ratio

415 views • 29 slides

More recommend