pseudorandomness of ring lwe for any ring and modulus
play

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert - PowerPoint PPT Presentation

Oct 29, 2023 •246 likes •1.08k views

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

  1. Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC’17) 10 March 2017 1 / 14

  2. Lattice-Based Cryptography p d o m x g = y N = = ⇒ p m e mod N · q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 14

  3. Lattice-Based Cryptography = ⇒ (Images courtesy xkcd.org) 2 / 14

  4. Lattice-Based Cryptography = ⇒ Main Attractions ◮ Efficient: linear, embarrassingly parallel operations (Images courtesy xkcd.org) 2 / 14

  5. Lattice-Based Cryptography = ⇒ Main Attractions ◮ Efficient: linear, embarrassingly parallel operations ◮ Resists quantum attacks (so far) (Images courtesy xkcd.org) 2 / 14

  6. Lattice-Based Cryptography = ⇒ Main Attractions ◮ Efficient: linear, embarrassingly parallel operations ◮ Resists quantum attacks (so far) ◮ Security from worst-case assumptions (Images courtesy xkcd.org) 2 / 14

  7. Lattice-Based Cryptography = ⇒ Main Attractions ◮ Efficient: linear, embarrassingly parallel operations ◮ Resists quantum attacks (so far) ◮ Security from worst-case assumptions ◮ Solutions to ‘holy grail’ problems in crypto: FHE and related (Images courtesy xkcd.org) 2 / 14

  8. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α 3 / 14

  9. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 ≈ � a 1 , s � ∈ Z q q a 2 ← Z n , b 2 ≈ � a 2 , s � ∈ Z q q . . . 3 / 14

  10. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . width αq 3 / 14

  11. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . width αq ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) 3 / 14

  12. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . width αq ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Hard and Versatile worst case ( n/α ) -SIVP on ≤ search-LWE ≤ decision-LWE ≤ much crypto n -dim lattices (quantum [R’05]) [BFKL’93,R’05,. . . ] 3 / 14

  13. Learning With Errors [Regev’05] ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α ◮ Search: find secret s ∈ Z n q given many ‘noisy inner products’ a 1 ← Z n , b 1 = � a 1 , s � + e 1 ∈ Z q q a 2 ← Z n , b 2 = � a 2 , s � + e 2 ∈ Z q q . . . width αq ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) LWE is Hard and Versatile worst case ( n/α ) -SIVP on ≤ search-LWE ≤ decision-LWE ≤ much crypto n -dim lattices (quantum [R’05]) [BFKL’93,R’05,. . . ] ◮ Classically , GapSVP ≤ search-LWE (worse params) [P’09,BLPRS’13] 3 / 14

  14. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] 4 / 14

  15. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : 4 / 14

  16. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] 4 / 14

  17. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] 4 / 14

  18. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] 4 / 14

  19. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] ⋆ Any q = p e with uniform error mod p i [MM’11] 4 / 14

  20. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] ⋆ Any q = p e with uniform error mod p i [MM’11] ⋆ Any q = p e — but increases α [MP’12] 4 / 14

  21. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] ⋆ Any q = p e with uniform error mod p i [MM’11] ⋆ Any q = p e — but increases α [MP’12] ⋆ Any q via “mod-switching” — but increases α [P’09,BV’11,BLPRS’13] 4 / 14

  22. LWE Hardness and Parameters ◮ Parameters: dimension n , integer modulus q , error ‘rate’ α Worst case SIVP ≤ Search-LWE ◮ One reduction for best known parameters: any q ≥ √ n/α [R’05] Search-LWE ≤ Decision-LWE ◮ Messy. Many incomparable reductions for different forms of q : ⋆ Any prime q = poly ( n ) [R’05] ⋆ Any “somewhat smooth” q = p 1 · · · p t (large enough primes p i ) [P’09] ⋆ Any q = p e for large enough prime p [ACPS’09] ⋆ Any q = p e with uniform error mod p i [MM’11] ⋆ Any q = p e — but increases α [MP’12] ⋆ Any q via “mod-switching” — but increases α [P’09,BV’11,BLPRS’13] ◮ Increasing q, α yields a weaker ultimate hardness guarantee. 4 / 14

  23. LWE is Efficient (Sort Of) ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · · s  + e = b ∈ Z q    . . . 5 / 14

  24. LWE is Efficient (Sort Of) ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · · s  + e = b ∈ Z q   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ O ( n ) work . per scalar output. 5 / 14

  25. LWE is Efficient (Sort Of) ◮ Getting one pseudorandom scalar requires an n -dim inner   . . product mod q . � �   · · · a i · · · s  + e = b ∈ Z q   ◮ Can amortize each a i over many  . . secrets s j , but still ˜ O ( n ) work . per scalar output. ◮ Cryptosystems have rather large keys: Ω( n 2 log 2 q ) bits:      . . . .  . .       pk = , Ω( n ) A b         . .  . .   . . � �� � n 5 / 14

  26. Wishful Thinking. . .         . . . . ◮ Get n pseudorandom scalars . . . . . . . . from just one cheap product          ∈ Z n a i  ⋆ s  + e i  = b i         q operation?     . . . . . . . . . . . . 6 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design: Ring Background : Randomized, double-blind, phase 3, placebo-controlled trial of a

341 views • 6 slides
lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

lattice element example in the Recycler Ring octupole 14 0.00000 0.33083E-01 0.0000E+00

Crystal Extraction from the Recycler Ring A.I. Drozhdin Fermi National Accelerator Laboratory P.O. Box 500, Batavia, Illinois 60510 May 31, 2012 1 Recycler Ring Lattice The choices to install the crystal in the Recycler Ring would be

427 views • 13 slides
New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of

New criteria for a ring to have a semisimple left quotient ring V. V. Bavula (University of Sheffield) V. V. Bavula, New criteria for a ring to have a semisim- ple left quotient ring. Arxiv:math.RA:1303.0859. talk-NewCrit-SS-lQuot.tex 1

359 views • 15 slides
A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic

A05: Quantum cr A05: Quantum crystal and ring e ystal and ring exchange change Novel magnetic stat No el magnetic states es induced b induced by ring e ring exchange change Members: Tsutomu Momoi (RIKEN) Kenn Kubo (Aoyama Gakuinn Univ.)

489 views • 31 slides
T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

T / U T proves we utter the phrase Let R be a ring.. A surprising observation is that the

The generic model Nongeometric properties A systematic source A topos-theoretic Nullstellensatz This talk in a nutshell: There is a certain ring, the generic ring , which is special in that it is conserva- tive : It has exactly

855 views • 26 slides
EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union:

EU -Russia/Ukraine: from Ring of Friends to Ring of Fire? The European Union: challenges and strategic responses Colloquium 27 October 2015 Dr. Graeme P. Herd , Professor of Transnational Security Studies, George C. Marshall

344 views • 9 slides
From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms

From ring epimorphisms to universal localisations joint with Jorge Vitoria I. Ring epimorphisms II. Universal localisations III. Recollements Throughout, A will denote a ring (with unit) and K a field. I. Ring epimorphisms Ring epimorphisms

418 views • 5 slides
Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res

Magnet neto-pl plasmonic asmonic Au/ u/Tb Tb 18 18 Co Co 82 82 nano nano-ring ring res esona onator tors s Initial patterning and update by Agn iuiulkait Uppsala University Motivation Fabricate magneto-plasmonic

321 views • 28 slides
Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB

Sicherheitsunterweisung fr Operateure fr den AEB Ring-HF im BG1.016 Sicherheitsbelehrung AEB Ring-HF 1 Elektrische Anlagen im AEB Ring HF BG1016 Sicherheitsbelehrung AEB Ring-HF 2 Elektr. Anlagen im BG1016 Netzgerte fr

290 views • 17 slides
thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released

thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released

A clitellum is a band of thickened, specialized segments. Secrete a mucus ring into which egg and sperm are released After eggs are fertilized in the ring, the ring slips off the worm's body and forms a protective cocoon.

218 views • 7 slides
in store stock case cOLLECTION Description Internal dimensions * SC001 12 on ring case each ring

in store stock case cOLLECTION Description Internal dimensions * SC001 12 on ring case each ring

in store stock case cOLLECTION Description Internal dimensions * SC001 12 on ring case each ring individually 227mmx170mmx38mm set in soft roll soft roll ring section 35mm x35mm * SC002 8 on earring pendant case each lift out inner pad set

605 views • 5 slides
Token Ring Developed by IBM, adopted by IEEE as 802.5 standard Token rings latter

Token Ring Developed by IBM, adopted by IEEE as 802.5 standard Token rings latter

Token Ring Developed by IBM, adopted by IEEE as 802.5 standard Token rings latter extended to FDDI (Fiber Distributed Data Interface) and 802.17 (Resilient Packet Ring) standards Nodes connected in a ring Data always flows in

809 views • 16 slides
Wo rk Sha ring : A la yo ff pre ve ntio n to o l fo r We st Virg inia Ju ly 2 8 , 2 0 1 2 Se a

Wo rk Sha ring : A la yo ff pre ve ntio n to o l fo r We st Virg inia Ju ly 2 8 , 2 0 1 2 Se a

Wo rk Sha ring : A la yo ff pre ve ntio n to o l fo r We st Virg inia Ju ly 2 8 , 2 0 1 2 Se a n OL e a ry, Polic y Ana lyst T he c a se fo r wo rk sha ring Une mployme nt Re ma ins Hig h Sinc e E nd of Re c e ssion 12% 10% Une mplo

549 views • 21 slides
Thoughts from the Shire Geoff Wright A standard for moving surveys between survey One Ring to

Thoughts from the Shire Geoff Wright A standard for moving surveys between survey One Ring to

Thoughts from the Shire Geoff Wright A standard for moving surveys between survey One Ring to rule them all, One Ring to find them, packages on various hardware and software platforms One Ring to bring them all and in the darkness bind them

229 views • 10 slides
Design Design process of FFAG-ERIT ring rocess of FFAG-ERIT ring FFAG09J(2009/11/13) Kota Okabe

Design Design process of FFAG-ERIT ring rocess of FFAG-ERIT ring FFAG09J(2009/11/13) Kota Okabe

Design Design process of FFAG-ERIT ring rocess of FFAG-ERIT ring FFAG09J(2009/11/13) Kota Okabe Conte tents ts Back ground Requirements for FFAG storage ring Magnet design method 2D & 3D magnetic field calculation and

413 views • 25 slides
Ed Education & Community Em Empower ermen ent t in a ti time e of f Crisis Vi Virtu

Ed Education & Community Em Empower ermen ent t in a ti time e of f Crisis Vi Virtu

Ed Education & Community Em Empower ermen ent t in a ti time e of f Crisis Vi Virtu tual Town wn Ha Hall Mee eeti ting Ju June 4, 2020 Recording is available on YouTube Here: https://youtu.be/s3WDVICDlsM?t=432 Ag Agenda

182 views • 6 slides
Updating XML with XQuery Web Data Management and Distribution Serge Abiteboul Ioana Manolescu

Updating XML with XQuery Web Data Management and Distribution Serge Abiteboul Ioana Manolescu

Updating XML with XQuery Web Data Management and Distribution Serge Abiteboul Ioana Manolescu Philippe Rigaux Marie-Christine Rousset Pierre Senellart Web Data Management and Distribution http://webdam.inria.fr/textbook September 29, 2011

428 views • 21 slides
W HO IS A S TAKEHOLDER ? Technical Definition: Someone that sends or receives

W HO IS A S TAKEHOLDER ? Technical Definition: Someone that sends or receives

9/10/2015 K AUAI ITS A RCHITECTURE O PERATIONAL C ONCEPT W ORKSHOP 1 September 9, 2015 A GENDA Introductions and Welcome Stakeholders Review Operational Concepts Elements Projects / Future Efforts Agreements Customized

501 views • 18 slides
CS 4518 Mobile and Ubiquitous Computing Lecture 6: Databases, Camera, Face Detection Emmanuel

CS 4518 Mobile and Ubiquitous Computing Lecture 6: Databases, Camera, Face Detection Emmanuel

CS 4518 Mobile and Ubiquitous Computing Lecture 6: Databases, Camera, Face Detection Emmanuel Agu Administrivia Project 2 Emailed out last week Should be done in groups of 5 or 6 Due this Thursday, 11.59PM Can be done on

653 views • 62 slides
Testing for projectivity and transfinite extensions of simple artinian rings Jan Trlifaj, Charles

Testing for projectivity and transfinite extensions of simple artinian rings Jan Trlifaj, Charles

Testing for projectivity and transfinite extensions of simple artinian rings Jan Trlifaj, Charles University Functor Categories, Model Theory, and Constructive Category Theory University of Tartu, P arnu College Jan Trlifaj (MFF UK)

755 views • 24 slides
Takahiro Nishinaka ( Ritsumeikan U. ) 1. Review of [ Beem, Lemos, Liendo, Peelaers, Rastelli,

Takahiro Nishinaka ( Ritsumeikan U. ) 1. Review of [ Beem, Lemos, Liendo, Peelaers, Rastelli,

Chiral algebras for 4d superconformal field theories N 2 Takahiro Nishinaka ( Ritsumeikan U. ) 1. Review of [ Beem, Lemos, Liendo, Peelaers, Rastelli, van Rees ] arXiv: 1312.5344 thanks to : Matt Buican, Jaewang Choi, Kazuki

584 views • 41 slides
NODES 2019 Modeling a Tournament in Neo4j Michael McKenzie 6th Degree UFAF Black Belt October

NODES 2019 Modeling a Tournament in Neo4j Michael McKenzie 6th Degree UFAF Black Belt October

NODES 2019 Modeling a Tournament in Neo4j Michael McKenzie 6th Degree UFAF Black Belt October 10, 2019 Problem United Fighting Arts Federation (UFAF) Martial arts organization founded by Chuck Norris International Training

478 views • 13 slides
NLNOG RING from a user perspective Bartek Gajda gajda@man.poznan.pl Source: Job Snijders

NLNOG RING from a user perspective Bartek Gajda gajda@man.poznan.pl Source: Job Snijders

NLNOG RING from a user perspective Bartek Gajda gajda@man.poznan.pl Source: Job Snijders https://ripe65.ripe.net/presentations/105-RIPE65_NLNOG_RING_Job_Snijders.pdf 2 Source: Job Snijders

221 views • 21 slides

More recommend