on bounded distance decoding unique shortest vectors and
play

On Bounded Distance Decoding, Unique Shortest Vectors, and the - PowerPoint PPT Presentation

Apr 06, 2024 •945 likes •1.33k views

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set of linearly independent

  1. On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio

  2. Lattices Lattice: A discrete additive subgroup of R n

  3. Lattices Basis: A set of linearly independent vectors that generate the lattice.

  4. Lattices Basis: A set of linearly independent vectors that generate the lattice.

  5. Why are Lattices Interesting? (In Cryptography) � � Ajtai ('96) showed that solving “average” instances of some lattice problem implies solving all instances of a lattice problem � Possible to base cryptography on worst-case instances of lattice problems

  6. [Ajt '96,...] Minicrypt SIVP primitives

  7. Shortest Independent Vector Problem (SIVP) � Find n short linearly independent vectors

  8. Shortest Independent Vector Problem (SIVP) � Find n short linearly independent vectors

  9. Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors

  10. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n GapSVP

  11. Minimum Distance Problem (GapSVP) � Find the minimum distance between the vectors in the lattice

  12. Minimum Distance Problem (GapSVP) � d Find the minimum distance between the vectors in the lattice

  13. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n GapSVP

  14. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n GapSVP Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  15. Unique Shortest Vector Problem (uSVP) � Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

  16. Unique Shortest Vector Problem (uSVP) � Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

  17. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n GapSVP ≈ 1 [Reg '03] Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  18. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n (quantum reduction) � GapSVP Cryptosystem Regev '05 ≈ 1 [Reg '03] Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  19. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n (quantum reduction) � GapSVP Cryptosystems Regev '05 Peikert '09 ≈ 1 [Reg '03] Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  20. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n n (quantum reduction) � [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] ≈ 1 [Reg '03] Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  21. Bounded Distance Decoding (BDD) � Given a target vector that's close to the lattice, find the nearest lattice vector

  22. [Ajt '96,...] Minicrypt SIVP primitives [Ban '93] n n (quantum reduction) � [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] 1 1 2 Cryptosystems uSVP Ajtai-Dwork '97 Regev '03

  23. Minicrypt SIVP primitives (quantum reduction) � GapSVP Crypto- BDD systems uSVP

  24. Cryptosystem Hardness Assumptions uSVP BDD GapSVP SIVP (quantum) O(n 2 ) O(n 2 ) O(n 2.5 ) O(n 3 ) Ajtai-Dwork '97 Regev '03 O(n 1.5 ) O(n 1.5 ) O(n 2 ) O(n 2.5 ) Regev '05 - - - O(n 1.5 ) Peikert '09 O(n 1.5 ) O(n 1.5 ) O(n 2 ) O(n 2.5 ) Implications of our results

  25. Lattice-Based Primitives Minicrypt Public-Key Cryptosystems [AD '97] (uSVP) � One-way functions [Ajt '96] � � [Reg '03] (uSVP) � Collision-resistant hash � � functions [Ajt '96,MR '07] [Reg '05] (SIVP and GapSVP under � quantum reductions) � Identification schemes � [MV '03,Lyu '08, KTX '08] [Pei '09] (GapSVP) � � Signature schemes [LM '08, � GPV '08] All Based on All Based on GapSVP and GapSVP quantum SIVP and SIVP Major Open Problem: Construct cryptosystems based on SIVP

  26. Reductions GapSVP BDD 1 1 2 uSVP

  27. Proof Sketch (BDD < uSVP) �

  28. Proof Sketch (BDD < uSVP) �

  29. Proof Sketch (BDD < uSVP) �

  30. Proof Sketch (BDD < uSVP) �

  31. Proof Sketch (BDD < uSVP) �

  32. Proof Sketch (BDD < uSVP) � New basis vector used exactly once in constructing the unique shortest vector

  33. Proof Sketch (BDD < uSVP) � New basis vector used exactly once in constructing the unique shortest vector

  34. Proof Sketch (BDD < uSVP) � New basis vector used exactly once in constructing the unique shortest vector Subtracting unique shortest vector from new basis vector gives the closest point to the target.

  35. Open Problems � Can we construct cryptosystems based on SIVP − (SVP would be even better!) � � Can the reduction GapSVP < BDD be tightened? � Can the reduction BDD < uSVP be tightened?

  36. Thanks!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fast Shortest Path Distance Estimation in Large Networks Michalis Potamias Francesco

Fast Shortest Path Distance Estimation in Large Networks Michalis Potamias Francesco

Fast Shortest Path Distance Estimation in Large Networks Michalis Potamias Francesco Bonchi Carlos Castillo Aristides Gionis Context-aware Search use shortest-path distance in wikipedia links-graph! S h o r t e s t

685 views • 19 slides
Three Graph Algorithms Shortest Distance Paths Distance/Cost of a path in weighted graph sum of

Three Graph Algorithms Shortest Distance Paths Distance/Cost of a path in weighted graph sum of

Three Graph Algorithms Shortest Distance Paths Distance/Cost of a path in weighted graph sum of weights of all edges on the path path A, B, E, cost is 2+3=5 path A, B, C, E, cost is 2+1+4=7 How to find shortest distance path from a node

335 views • 6 slides
Truly Subcubic Algorithms for Language Edit Distance and RNA Folding via Fast Bounded-Difference

Truly Subcubic Algorithms for Language Edit Distance and RNA Folding via Fast Bounded-Difference

Truly Subcubic Algorithms for Language Edit Distance and RNA Folding via Fast Bounded-Difference Min-Plus Product Karl Bringmann , Fabrizio Grandoni, Barna Saha, Virginia Vassilevska Williams June 11, 2017 Bounded Differences (BD) Matrices

639 views • 22 slides
Computing Shortest Non-Trivial Cycles on Orientable Surfaces of Bounded Genus in Almost Linear

Computing Shortest Non-Trivial Cycles on Orientable Surfaces of Bounded Genus in Almost Linear

Computing Shortest Non-Trivial Cycles on Orientable Surfaces of Bounded Genus in Almost Linear Time Martin Kutz Max-Planck Institut fr Informatik Saarbrcken, Germany max planck institut Martin Kutz: Shortest non-trivial cycles on surfaces

946 views • 78 slides
STRUCTS IN C THE SHORTEST DISTANCE BETWEEN TWO POINTS IS UNDER CON STRUCT ION -- NOELIE ALTITO

STRUCTS IN C THE SHORTEST DISTANCE BETWEEN TWO POINTS IS UNDER CON STRUCT ION -- NOELIE ALTITO

STRUCTS IN C THE SHORTEST DISTANCE BETWEEN TWO POINTS IS UNDER CON STRUCT ION -- NOELIE ALTITO THERE ONCE WAS A YOUNG MAN FROM LYME WHO COULDN'T GET HIS LIMERICKS TO RHYME WHEN ASKED &quot;WHY NOT?&quot; IT WAS SAID THAT HE THOUGHT THEY WERE

256 views • 13 slides
Shortest Paths A priority queue will turn out to be useful for efficiency An example of

Shortest Paths A priority queue will turn out to be useful for efficiency An example of

2/21/2016 Dijkstras Algorithm The idea: reminiscent of BFS, but adapted to handle weights Grow the set of nodes whose shortest distance has been computed CSE373: Data Structures and Algorithms Nodes not in the set will have a

208 views • 8 slides
23. Shortest Paths Motivation, Dijkstras algorithm on distance graphs, Bellman-Ford Algorithm,

23. Shortest Paths Motivation, Dijkstras algorithm on distance graphs, Bellman-Ford Algorithm,

23. Shortest Paths Motivation, Dijkstras algorithm on distance graphs, Bellman-Ford Algorithm, Floyd-Warshall Algorithm [Ottman/Widmayer, Kap. 9.5 Cormen et al, Kap. 24.1-24.3, 25.2-25.3] 644 River Crossing (Missionaries and Cannibals)

533 views • 38 slides
Hardness of exact distance queries in sparse graphs through hub labeling Adrian Kosowski,

Hardness of exact distance queries in sparse graphs through hub labeling Adrian Kosowski,

Hardness of exact distance queries in sparse graphs through hub labeling Adrian Kosowski, Przemysaw Uznaski and Laurent Viennot Inria University of Wrocaw Irif (Paris Univ.) Shortest-path oracle What is the shortest path from A to

440 views • 20 slides
Non-unique factorizations in bounded hereditary noetherian prime rings Daniel Smertnig

Non-unique factorizations in bounded hereditary noetherian prime rings Daniel Smertnig

Non-unique factorizations in bounded hereditary noetherian prime rings Daniel Smertnig University of Waterloo Conference on Rings and Factorizations Graz, Feb 21, 2018 Outline Factorizations in noncommutative rings Non-unique factorizations

589 views • 34 slides
Optimal arrangements of unit vectors in Hilbert spaces I: New constructions of few-distance sets

Optimal arrangements of unit vectors in Hilbert spaces I: New constructions of few-distance sets

Optimal arrangements of unit vectors in Hilbert spaces I: New constructions of few-distance sets and biangular lines Ferenc Szll osi szoferi@gmail.com This research has been carried out while the speaker was with the Department of

689 views • 34 slides
Clustering In this example distance matrix: and have the most similar vectors 0 0.265 0.799

Clustering In this example distance matrix: and have the most similar vectors 0 0.265 0.799

30 Mar 15 A distance matrix allows us to create clusters Clustering In this example distance matrix: and have the most similar vectors 0 0.265 0.799 and are the second most similar 0.265 0 0.534 and are the third most

315 views • 3 slides
1 Dynamic Programming Dynamic Programming is a technique for solving problems

1 Dynamic Programming Dynamic Programming is a technique for solving problems

All Shortest Paths Questions from exercises and exams The Problem: G = (V, E, w) is a weighted directed graph. We want to find the shortest path between any pair of vertices in G. Example: find the distance between cities on a

431 views • 12 slides
6.02 Fall 2012 Lecture #7 Viterbi decoding of convolutional codes Path and branch metrics

6.02 Fall 2012 Lecture #7 Viterbi decoding of convolutional codes Path and branch metrics

6.02 Fall 2012 Lecture #7 Viterbi decoding of convolutional codes Path and branch metrics Hard-decision &amp; soft-decision decoding Performance issues: decoder complexity, post- decoding BER, free distance concept 6.02 Fall 2012

488 views • 20 slides
Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html

Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html

Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html #simplelist D. J. Bernstein University of Illinois at Chicago Thanks to: Cisco University Research Program And thanks to: NIST grant 60NANB10D263

580 views • 20 slides
Vectors Vectors and Scalars Properties of Vectors Components of a Vector and Unit

Vectors Vectors and Scalars Properties of Vectors Components of a Vector and Unit

Vectors Vectors and Scalars Properties of Vectors Components of a Vector and Unit Vectors Homework 1 Vectors and Scalars Vector - quantity that has magnitude and direction e.g. displacement, velocity, acceleration, force

560 views • 16 slides
Graphs II - Shortest paths Single Source Shortest Paths All Sources Shortest Paths some drawings

Graphs II - Shortest paths Single Source Shortest Paths All Sources Shortest Paths some drawings

Graphs II - Shortest paths Single Source Shortest Paths All Sources Shortest Paths some drawings and notes from prof. Tom Cormen Single Source SP Context: directed graph G=(V ,E,w), weighted edges The shortest path (SP) between

881 views • 69 slides
Strategic Prototyping for Developing Big Data Systems Hong-Mei Chen, University of Hawaii Serhiy

Strategic Prototyping for Developing Big Data Systems Hong-Mei Chen, University of Hawaii Serhiy

SATURN 2016 May 2-5, San Diego Strategic Prototyping for Developing Big Data Systems Hong-Mei Chen, University of Hawaii Serhiy Haziyev , SoftServe Inc. Olha Hrytsay, SoftServe Inc. Rick Kazman , University of Hawaii and SEI/CMU Agenda Small

216 views • 19 slides
Example Mapping: The New Three Amigos Presented by:

Example Mapping: The New Three Amigos Presented by:

AW11 Product Ownership Practices Wednesday, November 6th, 2019 11:45 AM Example Mapping: The New Three Amigos Presented by:

463 views • 25 slides
Use BDD and Product Analytics to Change Your Vision of

Use BDD and Product Analytics to Change Your Vision of

W10 AI and Data Analytics Wednesday, October 17th, 2018 1:30 PM Use BDD and Product Analytics to Change Your Vision of

804 views • 34 slides
Practical BDD with Behat and Mink Jeremy Mikola (@jmikola) In order to verify application

Practical BDD with Behat and Mink Jeremy Mikola (@jmikola) In order to verify application

Practical BDD with Behat and Mink Jeremy Mikola (@jmikola) In order to verify application behavior As a software developer I need tests In order to verify application behavior As a software developer I need tests Preferably automated tests

482 views • 44 slides
Effect of BDD Optim ization Effect of BDD Optim ization on Synthesis of Reversible and Quantum

Effect of BDD Optim ization Effect of BDD Optim ization on Synthesis of Reversible and Quantum

Effect of BDD Optim ization Effect of BDD Optim ization on Synthesis of Reversible and Quantum Logic d Q L i Robert Wille, Rolf Drechsler , Institute of Computer Science University of Bremen, Germany University of Bremen, Germany {

391 views • 22 slides
HOW BDD CAN SAVE AGILE @mattwynne | QCon 2015 | London Does agile really need saving? Scrum !=

HOW BDD CAN SAVE AGILE @mattwynne | QCon 2015 | London Does agile really need saving? Scrum !=

HOW BDD CAN SAVE AGILE @mattwynne | QCon 2015 | London Does agile really need saving? Scrum != Agile Predictability Communication Quality Small pieces Collaboration Technical discipline How does BDD help? Individuals and Interactions

843 views • 37 slides
{Behat &amp; BDD} Luis Ribeiro Systems Architect ciandt.com Presenter Luis Ribeiro &gt;

{Behat &amp; BDD} Luis Ribeiro Systems Architect ciandt.com Presenter Luis Ribeiro &gt;

{Behat &amp; BDD} Luis Ribeiro Systems Architect ciandt.com Presenter Luis Ribeiro &gt; Systems Architect at CI&amp;T &gt; +5Years Drupal experience &gt; Large Open Source experience &gt; Working with ~150 Drupallers ciandt.com Why

447 views • 40 slides
Childline Whats Behind Body Image? Eleni Kypridemos and Igor Vidovic Housekeeping Self Care

Childline Whats Behind Body Image? Eleni Kypridemos and Igor Vidovic Housekeeping Self Care

Childline Whats Behind Body Image? Eleni Kypridemos and Igor Vidovic Housekeeping Self Care Talking eating disorders and body image can: Challenge our assumptions and ideas Remind us of past experiences, good and bad Trigger

320 views • 18 slides

More recommend