on algebraic variants of the lwe problem
play

On algebraic variants of the LWE problem Damien Stehl e Based on - PowerPoint PPT Presentation

Mar 26, 2023 •394 likes •1.04k views

Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion On algebraic variants of the LWE problem Damien Stehl e Based on joint works with M. Rosca, A. Sakzad, R. Steinfeld and A. Wallet Figures borrowed from M. Rosca and A.

  1. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion On algebraic variants of the LWE problem Damien Stehl´ e Based on joint works with M. Rosca, A. Sakzad, R. Steinfeld and A. Wallet Figures borrowed from M. Rosca and A. Wallet ENS de Lyon , Bitdefender, U. Monash ICERM, April 2018 Damien Stehl´ e On algebraic variants of LWE 24/04/2018 1/32

  2. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion What is this talk about Signatures PKE FHE Hash SIS LWE IBE [Ajt96] [Reg05] ApproxSVP SIS and LWE are lattice problems that are convenient for cryptographic design. We’ll focus on “efficient” variants of LWE. Damien Stehl´ e On algebraic variants of LWE 24/04/2018 2/32

  3. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion LWE [Reg05] LWE parameters: m ≥ n ≥ 1, q ≥ 2 and α > 0. m s s find A A + , e n ֓ U ( Z m × n A ← ), q ֓ U ( Z n s ← q ), α q Gaussian error distribution D α q ֓ D m e ← α q . Typical parameters : n proportional to the bit-security, q = n Θ(1) , m = Θ( n log q ), α ≈ √ n / q . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 3/32

  4. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion LWE [Reg05] LWE parameters: m ≥ n ≥ 1, q ≥ 2 and α > 0. m s s find A A + , e n ֓ U ( Z m × n A ← ), q ֓ U ( Z n s ← q ), α q Gaussian error distribution D α q ֓ D m e ← α q . Typical parameters : n proportional to the bit-security, q = n Θ(1) , m = Θ( n log q ), α ≈ √ n / q . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 3/32

  5. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Search LWE as a Closest Vector Problem variant m s s find A A + , e n A defines the Construction-A lattice L q ( A ) = A Z n q + q Z m . As + e mod q is a point near that lattice. Finding s is finding the closest vector in L q ( A ). LWE is CVP for a uniformly sampled Construction-A lattice, a random lattice vector and a Gaussian lattice offset. Damien Stehl´ e On algebraic variants of LWE 24/04/2018 4/32

  6. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Decision LWE Decide whether a given ( A , b ) is uniformly sampled or of the form ( A , As + e ) with A and s uniform and e sampled from D m α q . This is a distribution distinguishing problem. More convenient for cryptographic design. There are poly-time reductions between search-LWE and decision-LWE [Re05,MiMo11] . [During the talk, I will focus on the search variant] Damien Stehl´ e On algebraic variants of LWE 24/04/2018 5/32

  7. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Decision LWE Decide whether a given ( A , b ) is uniformly sampled or of the form ( A , As + e ) with A and s uniform and e sampled from D m α q . This is a distribution distinguishing problem. More convenient for cryptographic design. There are poly-time reductions between search-LWE and decision-LWE [Re05,MiMo11] . [During the talk, I will focus on the search variant] Damien Stehl´ e On algebraic variants of LWE 24/04/2018 5/32

  8. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion (for α q ≥ 2 √ n ) Hardness results on LWE The Approximate Shortest Vector Problem ApproxSIVP γ : Given B ∈ Z n × n defining L , find ( b i ) i ≤ n in L lin. indep. such that max � b i � ≤ γ · λ n ( L ). Regev’s worst-case to average-case reduction For q prime and ≤ n O (1) , there is a quantum poly-time reduction from ApproxSIVP γ in dimension n to LWE n , m , q ,α , with γ ≈ n /α . Best known attack for most parameter ranges: lattice reduction. � � n log q log 2 α · log( n log q Time ≈ exp log 2 α ) Damien Stehl´ e On algebraic variants of LWE 24/04/2018 6/32

  9. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion (for α q ≥ 2 √ n ) Hardness results on LWE The Approximate Shortest Vector Problem ApproxSIVP γ : Given B ∈ Z n × n defining L , find ( b i ) i ≤ n in L lin. indep. such that max � b i � ≤ γ · λ n ( L ). Regev’s worst-case to average-case reduction For q prime and ≤ n O (1) , there is a quantum poly-time reduction from ApproxSIVP γ in dimension n to LWE n , m , q ,α , with γ ≈ n /α . Best known attack for most parameter ranges: lattice reduction. � � n log q log 2 α · log( n log q Time ≈ exp log 2 α ) Damien Stehl´ e On algebraic variants of LWE 24/04/2018 6/32

  10. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion LWE is “inefficient” Best known attack for most parameter ranges: lattice reduction. � � n log q log 2 α log( n log q Time ≈ exp log 2 α ) Representing an LWE instance is quadratic in the bit-security. One then performs (at least) matrix-vector multiplications... Frodo: submission to the NIST post-quantum standardization process public-key and ciphertexts ≈ 10 kB encryption and decryption ≈ 2 million cycles. Damien Stehl´ e On algebraic variants of LWE 24/04/2018 7/32

  11. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion LWE is “inefficient” Best known attack for most parameter ranges: lattice reduction. � � n log q log 2 α log( n log q Time ≈ exp log 2 α ) Representing an LWE instance is quadratic in the bit-security. One then performs (at least) matrix-vector multiplications... Frodo: submission to the NIST post-quantum standardization process public-key and ciphertexts ≈ 10 kB encryption and decryption ≈ 2 million cycles. Damien Stehl´ e On algebraic variants of LWE 24/04/2018 7/32

  12. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Road-map The Learning With Errors problem Algebraic variants of the LWE problem On Polynomial-LWE and Ring-LWE The Middle-Product-LWE problem Damien Stehl´ e On algebraic variants of LWE 24/04/2018 8/32

  13. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Take structured matrices! Damien Stehl´ e On algebraic variants of LWE 24/04/2018 9/32

  14. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Polynomial-LWE [SSTX09] Let q ≥ 2, α > 0, f ∈ Z [ x ] monic irreducible of degree n . Search P-LWE f Given ( a 1 , . . . , a m ) and ( a 1 · s + e 1 , . . . , a m · s + e m ), find s . s uniform in Z q [ x ] / f All a i ’s uniform in Z q [ x ] / f The coefficients of the e i ’s are sampled from D α q This is LWE, with matrix A made of stacked blocks Rot f ( a i ). The j -th row of Rot f ( a i ) is made of the coefficients of x j − 1 · a i mod f . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 10/32

  15. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Polynomial-LWE [SSTX09] Let q ≥ 2, α > 0, f ∈ Z [ x ] monic irreducible of degree n . Search P-LWE f Given ( a 1 , . . . , a m ) and ( a 1 · s + e 1 , . . . , a m · s + e m ), find s . s uniform in Z q [ x ] / f All a i ’s uniform in Z q [ x ] / f The coefficients of the e i ’s are sampled from D α q This is LWE, with matrix A made of stacked blocks Rot f ( a i ). The j -th row of Rot f ( a i ) is made of the coefficients of x j − 1 · a i mod f . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 10/32

  16. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Polynomial-LWE [SSTX09] Let q ≥ 2, α > 0, f ∈ Z [ x ] monic irreducible of degree n . Search P-LWE f Given ( a 1 , . . . , a m ) and ( a 1 · s + e 1 , . . . , a m · s + e m ), find s . s uniform in Z q [ x ] / f All a i ’s uniform in Z q [ x ] / f The coefficients of the e i ’s are sampled from D α q This is LWE, with matrix A made of stacked blocks Rot f ( a i ). The j -th row of Rot f ( a i ) is made of the coefficients of x j − 1 · a i mod f . Damien Stehl´ e On algebraic variants of LWE 24/04/2018 10/32

  17. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Hardness of P-LWE [SSTX09] - oversimplified For any f monic irreducible, there is a quantum reduction from ApproxSVP γ for ideals of Z [ x ] / f to search P-LWE f . The error rate α is proportional to γ and EF( f ) := max i < 2 n � x i mod f � . This is an adaptation of Regev’s ac-wc reduction Vacuous if ApproxSVP for ideals of Z [ x ] / f is easy Damien Stehl´ e On algebraic variants of LWE 24/04/2018 11/32

  18. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Hardness of P-LWE [SSTX09] - oversimplified For any f monic irreducible, there is a quantum reduction from ApproxSVP γ for ideals of Z [ x ] / f to search P-LWE f . The error rate α is proportional to γ and EF( f ) := max i < 2 n � x i mod f � . This is an adaptation of Regev’s ac-wc reduction Vacuous if ApproxSVP for ideals of Z [ x ] / f is easy Damien Stehl´ e On algebraic variants of LWE 24/04/2018 11/32

  19. Introduction LWE Algebraic variants P-LWE and R-LWE MP-LWE Conclusion Ideal-SVP [SSTX09] - oversimplified For any f monic irreducible, there is a quantum reduction from ApproxSVP for ideals of Z [ x ] / f to search P-LWE f . The reduction may be vacuous if ApproxSVP for ideals of Z [ x ] / f is easy For large approx. factors and some f ’s, faster algorithms are known for such lattices [see L´ eo’s talk] This wouldn’t necessarily impact the P-LWE f hardness The situation is not necessarily uniform across all f ’s Damien Stehl´ e On algebraic variants of LWE 24/04/2018 12/32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Algebraic Eigenvalue Problem Algebraic Eigenvalue Problem Computers are useless. They can only

Algebraic Eigenvalue Problem Algebraic Eigenvalue Problem Computers are useless. They can only

Algebraic Eigenvalue Problem Algebraic Eigenvalue Problem Computers are useless. They can only give answers. Pablo Picasso 1 Fall 2010 Topics to Be Discussed Topics to Be Discussed This unit requires the knowledge of eigenvalues This

786 views • 76 slides
Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger

Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger

Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger University of Basel April 29, 2020 Other Halting Problem Variants Rices Theorem Summary Other Halting Problem Variants Other Halting

675 views • 45 slides
Variants of zero forcing and their applications to the minimum rank problem Jephian C.-H. Lin

Variants of zero forcing and their applications to the minimum rank problem Jephian C.-H. Lin

Variants of zero forcing and their applications to the minimum rank problem Jephian C.-H. Lin Department of Mathematics, Iowa State University Feb 9, 2017 Final Defense Zero forcing and their applns to the min rank problem 1/47 Department

1.24k views • 92 slides
Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we

Consensus Variants Usman Mazhar Mirza 6/17/2013 1 Consensus Variants In the variants we consider here, just like in consensus, the processes need to make consistent decisions, such as agreeing on one common value. Most of the

590 views • 35 slides
A branch-and-cut algorithm for the Minimum Labeling Hamiltonian Cycle Problem and two variants

A branch-and-cut algorithm for the Minimum Labeling Hamiltonian Cycle Problem and two variants

A branch-and-cut algorithm for the Minimum Labeling Hamiltonian Cycle Problem and two variants Nicolas Jozefowiez 1 , Gilbert Laporte 2 , Fr eric Semet 3 ed 1. LAAS-CNRS, INSA, Universit e de Toulouse, Toulouse, France,

345 views • 21 slides
Goal Goal: Illustrate how a problem from algebraic geometry can be approached using combinatorics

Goal Goal: Illustrate how a problem from algebraic geometry can be approached using combinatorics

The combinatorial Problem The cones U and L for the space of phylogenetic trees The algebraic geometry story A combinatorial approach to the study of divisors on M 0 , n Laura Escobar Encuentro Colombiano de Combinatoria 2012 June 14, 2012

533 views • 26 slides
Pairwise, Rigid Registration The ICP Algorithm and Its Variants 1 1 Correspondence Problem

Pairwise, Rigid Registration The ICP Algorithm and Its Variants 1 1 Correspondence Problem

Pairwise, Rigid Registration The ICP Algorithm and Its Variants 1 1 Correspondence Problem Classification How many meshes? Two: Pairwise registration More than two: multi-view registration Initial registration available? Yes: Local

1.1k views • 50 slides
Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness

Variants of Turing Machines Variants of Turing Machines p.1/49 Robustness Robustness of a mathematical object (such as proof, definition, algorithm, method, etc.) is measured by its invariance to certain changes To prove that a

944 views • 49 slides
A Symbolic Approach for Solving Algebraic Riccati Equations G. Rance, Y. Bouzidi, Al. Quadrat, Ar.

A Symbolic Approach for Solving Algebraic Riccati Equations G. Rance, Y. Bouzidi, Al. Quadrat, Ar.

Algebraic Riccati Equations for the optimal control problem A new algebraic description The case of 3 order systems A practical example Conclusion and persp A Symbolic Approach for Solving Algebraic Riccati Equations G. Rance, Y. Bouzidi, Al.

554 views • 31 slides
Character Polynomials Problem From Stanleys Positivity Problems in Algebraic

Character Polynomials Problem From Stanleys Positivity Problems in Algebraic

Character Polynomials Problem From Stanleys Positivity Problems in Algebraic Combinatorics Problem 12: Give a combinatorial interpretation of the row sums of the character table for S n (combinatorial proof of non-negativity)

735 views • 28 slides
A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, Wonhee Cho, Minki Hhan, Minsik

A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, Wonhee Cho, Minki Hhan, Minsik

A NEW ALGORITHM FOR THE VARIANTS OF ACD PROBLEM Jung Hee Cheon, Wonhee Cho, Minki Hhan, Minsik Kang, Jiseung Kim, Changmin Lee ENS de Lyon June 27, 2019 Changmin Lee Analysis of CRT-ACD June 27, 2019 1 / 23 Approximate Common-Divisor

459 views • 29 slides
Problem Formulation for Truth-Table Invariant Cylindrical Algebraic Decomposition by Incremental

Problem Formulation for Truth-Table Invariant Cylindrical Algebraic Decomposition by Incremental

Background material Problem formulation Problem Formulation for Truth-Table Invariant Cylindrical Algebraic Decomposition by Incremental Triangular Decomposition Matthew England (The University of Bath) Joint work with: R. Bradford, J.H.

1.07k views • 68 slides
A deterministic solution to Smales 17th problem Algorithms and complexity in algebraic

A deterministic solution to Smales 17th problem Algorithms and complexity in algebraic

A deterministic solution to Smales 17th problem Algorithms and complexity in algebraic geometry Simons Institute, Berkeley, December 16, 2015 Pierre Lairez TU Berlin Introduction The homotopy method Un algorithme dterministe Smale 17th

549 views • 26 slides
Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) =

Algebraic Properties of ln( x ) We can derive algebraic properties of our new function f ( x ) = ln( x ) by comparing derivatives. We can in turn use these algebraic rules to simplify the natural logarithm of products and quotients. If a and b are

182 views • 5 slides
The Proof-Search Problem (between bdd-width resolution and bdd-degree semi-algebraic proofs)

The Proof-Search Problem (between bdd-width resolution and bdd-degree semi-algebraic proofs)

The Proof-Search Problem (between bdd-width resolution and bdd-degree semi-algebraic proofs) Albert Atserias Universitat Polit` ecnica de Catalunya Barcelona, Spain Satisfiability Example : 15 variables and 40 clauses x 1 x 2 x 6 x 1

1.16k views • 88 slides
On the variants of treewidth and minor-closedness property O-joung Kwon KAIST in Daejeon, Korea

On the variants of treewidth and minor-closedness property O-joung Kwon KAIST in Daejeon, Korea

On the variants of treewidth On the variants of treewidth and minor-closedness property O-joung Kwon KAIST in Daejeon, Korea GRASTA 2014 Joint work with Hans Bodlaender, Vincent Kreuzen, Stefan Kratsch and Seongmin Ok 1 / 22 On the variants

756 views • 31 slides
Tokenization and Word Segmentation Daniel Zeman, Rudolf Rosa March 6, 2020 NPFL120 Multilingual

Tokenization and Word Segmentation Daniel Zeman, Rudolf Rosa March 6, 2020 NPFL120 Multilingual

Tokenization and Word Segmentation Daniel Zeman, Rudolf Rosa March 6, 2020 NPFL120 Multilingual Natural Language Processing Charles University Faculty of Mathematics and Physics Institute of Formal and Applied Linguistics unless otherwise

974 views • 50 slides
Reachability in Networks of Register Protocols under Stochastic Schedulers Patricia Bouyer 1

Reachability in Networks of Register Protocols under Stochastic Schedulers Patricia Bouyer 1

Reachability in Networks of Register Protocols under Stochastic Schedulers Patricia Bouyer 1 Nicolas Markey 1 Mickael Randour 2 Arnaud Sangnier 3 Daniel Stan 1 1 LSV - CNRS &amp; ENS Cachan, France 2 ULB, Belgium 3 IRIF - CNRS &amp; Universit e

1.08k views • 56 slides
IXA pipes: Efficient and Ready to Use Multilingual NLP tools Rodrigo Agerri IXA NLP Group,

IXA pipes: Efficient and Ready to Use Multilingual NLP tools Rodrigo Agerri IXA NLP Group,

IXA pipes: Efficient and Ready to Use Multilingual NLP tools Rodrigo Agerri IXA NLP Group, UPV/EHU OpenNLP project, Apache Software Foundation Rodrigo Agerri (IXA NLP Group, UPV/EHU OpenNLP project, Apache Software Foundation) IXA pipes:

584 views • 21 slides
ArchJava: Java extension architectural features components, ports and connections

ArchJava: Java extension architectural features components, ports and connections

ArchJava: Java extension architectural features components, ports and connections Benefits Better program understanding Reliable architectural reasoning about code Keeping architecture and code consistent as they

440 views • 16 slides
dnsprobe for probing anycast DNS -- Analysis &amp; Future Work -- Yuji Sekiya WIDE Project

dnsprobe for probing anycast DNS -- Analysis &amp; Future Work -- Yuji Sekiya WIDE Project

dnsprobe for probing anycast DNS -- Analysis &amp; Future Work -- Yuji Sekiya WIDE Project &lt;sekiya@wide.ad.jp&gt; What is dnsprobe ? dnsprobe is a tool for probing RTT hostname.bind To DNS Server Set Root DNS Servers

489 views • 31 slides
George Tzagkarakis FORTH-ICS, SPL SPL at a glance 2006 3 Researchers/Academics (permanent) 2

George Tzagkarakis FORTH-ICS, SPL SPL at a glance 2006 3 Researchers/Academics (permanent) 2

George Tzagkarakis FORTH-ICS, SPL SPL at a glance 2006 3 Researchers/Academics (permanent) 2 Postdoctoral Researchers 12 Postgraduate Students FORTH 2 Research Engineers ICS + 7 Institutes &gt; 5M (PI/co-PI in EC &amp; national

316 views • 12 slides
Outline 0) Course Info 1) Introduction 2) Data Preparation and Cleaning 3) Schema matching and

Outline 0) Course Info 1) Introduction 2) Data Preparation and Cleaning 3) Schema matching and

Outline 0) Course Info 1) Introduction 2) Data Preparation and Cleaning 3) Schema matching and mapping 4) Virtual Data Integration 5) Data Exchange 6) Data Warehousing 7) Big Data Analytics 8) Data Provenance 1 CS520 - 1) Introduction 2.

1.02k views • 87 slides
Literary Data: Some Approaches Andrew Goldstone http://www.rci.rutgers.edu/~ag978/litdata April

Literary Data: Some Approaches Andrew Goldstone http://www.rci.rutgers.edu/~ag978/litdata April

Literary Data: Some Approaches Andrew Goldstone http://www.rci.rutgers.edu/~ag978/litdata April 30, 2015. Named entity recognition. one tool does not do it all NLP and openNLP packages let you interface with the Apache OpenNLP Java software

673 views • 23 slides

More recommend