public key cryptosystems from the worst case shortest
play

Public-Key Cryptosystems from the Worst-Case Shortest Vector - PowerPoint PPT Presentation

Aug 24, 2022 •162 likes •908 views

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

  1. Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI → Georgia Tech Impagliazzo’s World Workshop 1 / 16

  2. This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP 3 Proof & Future Work 2 / 16

  3. Shortest Vector Problem(s) A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: b 2 n b 1 � L = ( Z · b i ) i = 1 λ 3 / 16

  4. Shortest Vector Problem(s) A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: b 2 n b 1 � L = ( Z · b i ) i = 1 λ Shortest Vector Problem ( γ - GapSVP ) ◮ Given B , decide: λ ≤ 1 or λ > γ ? 3 / 16

  5. Shortest Vector Problem(s) A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: n � L = ( Z · b i ) λ i = 1 b 1 b 2 Shortest Vector Problem ( γ - GapSVP ) ◮ Given B , decide: λ ≤ 1 or λ > γ ? 3 / 16

  6. Shortest Vector Problem(s) A lattice L ⊂ R n having basis B = { b 1 , . . . , b n } is: b 1 n b 2 � L = ( Z · b i ) i = 1 λ γ · λ Shortest Vector Problem ( γ - GapSVP ) ◮ Given B , decide: λ ≤ 1 or λ > γ ? Unique SVP ( γ - uSVP ) ◮ Given B with ‘ γ -unique’ shortest vector, find it. 3 / 16

  7. Worst-Case Complexity GapSVP √ n γ = 2 ( log n ) 1 − ǫ 2 ∼ n n NP-hard ∗ ∈ coNP ∈ P (some) crypto [Ajt96,. . . , [Ajt98,. . . ,HR07] [GG98,AR05] [LLL82,Sch87] MR04,Reg05] 4 / 16

  8. Worst-Case Complexity GapSVP √ n γ = 2 ( log n ) 1 − ǫ 2 ∼ n n NP-hard ∗ ∈ coNP ∈ P (some) crypto [Ajt96,. . . , [Ajt98,. . . ,HR07] [GG98,AR05] [LLL82,Sch87] MR04,Reg05] ◮ For γ = poly ( n ) , best algorithm is 2 n time & space [AKS01] 4 / 16

  9. Worst-Case Complexity GapSVP √ n γ = 2 ( log n ) 1 − ǫ 2 ∼ n n NP-hard ∗ ∈ coNP ∈ P (some) crypto [Ajt96,. . . , [Ajt98,. . . ,HR07] [GG98,AR05] [LLL82,Sch87] MR04,Reg05] ◮ For γ = poly ( n ) , best algorithm is 2 n time & space [AKS01] uSVP √ n γ = 4 n 1 . 5 ?? ∈ coAM crypto NP-hard [AD97/07,Reg03] [Cai98] 4 / 16

  10. Taxonomy of Lattice-Based Crypto ‘minicrypt’ OWF [Ajt96,. . . ] Sigs [LM08,GPV08] ID schemes [MV03,Lyu08] 5 / 16

  11. Taxonomy of Lattice-Based Crypto ‘minicrypt’ OWF [Ajt96,. . . ] Sigs [LM08,GPV08] ID schemes [MV03,Lyu08] ☞ GapSVP etc. hard 5 / 16

  12. Taxonomy of Lattice-Based Crypto ‘CRYPTOMANIA’ ‘minicrypt’ OWF [Ajt96,. . . ] PKE [AD97,Reg03,Reg05] Sigs CCA [PW08] [LM08,GPV08] ID schemes [MV03,Lyu08] ID-based [GPV08] ☞ GapSVP etc. hard 5 / 16

  13. Taxonomy of Lattice-Based Crypto ‘CRYPTOMANIA’ ‘minicrypt’ OWF [Ajt96,. . . ] PKE [AD97,Reg03,Reg05] Sigs CCA [PW08] [LM08,GPV08] ID schemes [MV03,Lyu08] ID-based [GPV08] (Obl. tran. [PVW08], leakage [AGV09], homom [G09], KDM [ACPS09], HIBE [P09]) ☞ GapSVP etc. hard 5 / 16

  14. Taxonomy of Lattice-Based Crypto ‘CRYPTOMANIA’ ‘minicrypt’ OWF [Ajt96,. . . ] PKE [AD97,Reg03,Reg05] Sigs CCA [PW08] [LM08,GPV08] ID schemes [MV03,Lyu08] ID-based [GPV08] (Obl. tran. [PVW08], leakage [AGV09], homom [G09], KDM [ACPS09], HIBE [P09]) ☞ GapSVP etc. hard ☞ uSVP hard ☞ GapSVP etc. quantum -hard 5 / 16

  15. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 6 / 16

  16. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ , b 1 ≈ � a 1 , s � mod q a 1 a 2 , b 2 ≈ � a 2 , s � mod q . . . 6 / 16

  17. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ , b 1 = � a 1 , s � + x 1 mod q a 1 a 2 , b 2 = � a 2 , s � + x 2 mod q . . . Uniform a i ∈ Z n q , Gaussian errors x i α · q ≥ √ n 6 / 16

  18. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ , b 1 = � a 1 , s � + x 1 mod q a 1 a 2 , b 2 = � a 2 , s � + x 2 mod q . . . Uniform a i ∈ Z n q , Gaussian errors x i α · q ≥ √ n ◮ Decision: distinguish from uniform ( a i , b i ) 6 / 16

  19. Learning With Errors ◮ Generalizes ‘learning parity with noise’: dim n , modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ , b 1 = � a 1 , s � + x 1 mod q a 1 a 2 , b 2 = � a 2 , s � + x 2 mod q . . . Uniform a i ∈ Z n q , Gaussian errors x i α · q ≥ √ n ◮ Decision: distinguish from uniform ( a i , b i ) State of the Art ( n /α ) -GapSVP etc. ≤ search-LWE ≤ decision-LWE ≤ crypto quantum prime q = poly ( n ) [R05,PW08,GPV08, PVW08,AGV09,ACPS09,. . . ] [Reg05] [BFKL94,R05] 6 / 16

  20. Our Results First public-key encryption based on classical GapSVP hardness 7 / 16

  21. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors 7 / 16

  22. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors ⋆ Standard ( n /α ) -GapSVP: large LWE modulus q ≥ 2 n 7 / 16

  23. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors ⋆ Standard ( n /α ) -GapSVP: large LWE modulus q ≥ 2 n ⋆ ‘Improve ζ to ( n /α ) ’-GapSVP: q ≈ ζ [ = poly ( n ) ] 7 / 16

  24. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors ⋆ Standard ( n /α ) -GapSVP: large LWE modulus q ≥ 2 n ⋆ ‘Improve ζ to ( n /α ) ’-GapSVP: q ≈ ζ [ = poly ( n ) ] 2 LWE search = decision for large q [ ≫ poly ( n ) ] ⇒ GapSVP-hardness of prior LWE-based crypto [Reg05,. . . ] 7 / 16

  25. Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP ≤ Learning With Errors ⋆ Standard ( n /α ) -GapSVP: large LWE modulus q ≥ 2 n ⋆ ‘Improve ζ to ( n /α ) ’-GapSVP: q ≈ ζ [ = poly ( n ) ] 2 LWE search = decision for large q [ ≫ poly ( n ) ] ⇒ GapSVP-hardness of prior LWE-based crypto [Reg05,. . . ] 3 New LWE-based chosen ciphertext-secure encryption ⋆ Much simpler, milder assumption than prior CCA [PW08] 7 / 16

  26. [Regev05] Reduction to LWE BDD on L : d ≪ λ/ 2 BDD L ∗ classical LWE 8 / 16

  27. [Regev05] Reduction to LWE BDD on L : d ≪ λ/ 2 q u a n t u m BDD BDD L ∗ L ∗ classical classical LWE LWE 8 / 16

  28. [Regev05] Reduction to LWE BDD on L : d ≪ λ/ 2 q q u u a a n n t t u u m m BDD BDD L ∗ L ∗ classical classical LWE LWE 8 / 16

  29. [Regev05] Reduction to LWE BDD on L : d ≪ λ/ 2 q q u u a a n n t t u u m m BDD BDD L ∗ L ∗ classical classical GapSVP SIVP LWE LWE 8 / 16

  30. Why Quantum? ◮ “Obvious” answer: iterative step L ∗ quantum FT BDD on L 9 / 16

  31. Why Quantum? ◮ “Obvious” answer: iterative step L ∗ quantum FT BDD on L ◮ Another answer: to make use of BDD/LWE oracle 1 Choose some x ∈ L 2 Perturb to y ≈ x x y y 3 Invoke oracle on y BDD ( LWE ) 9 / 16

  32. Why Quantum? ◮ “Obvious” answer: iterative step L ∗ quantum FT BDD on L ◮ Another answer: to make use of BDD/LWE oracle 1 Choose some x ∈ L 2 Perturb to y ≈ x x y y 3 Invoke oracle on y BDD ( LWE ) 4 Returns x — we already knew that! x 9 / 16

  33. Why Quantum? ◮ “Obvious” answer: iterative step L ∗ quantum FT BDD on L ◮ Another answer: to make use of BDD/LWE oracle 1 Choose some x ∈ L 2 Perturb to y ≈ x x y y 3 Invoke oracle on y BDD ( LWE ) 4 Returns x — we already knew that! ✔ Quantum can x “uncompute” x 9 / 16

  34. Our Approach New way of solving GapSVP in a reduction 10 / 16

  35. Our Approach New way of solving GapSVP in a reduction “The Usual” x y y BDD ( LWE ) x 10 / 16

  36. Our Approach New way of solving GapSVP in a reduction IMAGINE “The Usual” x y x y y y BDD BDD ( LWE ) ( LWE ) x ?? 10 / 16

  37. Our Approach New way of solving GapSVP in a reduction IMAGINE “The Usual” Illegal BDD instance ⇓ x y Incorrect (& unknown!) LWE distribution x y y y BDD BDD ( LWE ) ( LWE ) x ?? 10 / 16

  38. Our Approach New way of solving GapSVP in a reduction IMAGINE “The Usual” Illegal BDD instance ⇓ x y Incorrect (& unknown!) LWE distribution x y SO WHAT! y y When λ ≪ d , oracle cannot guess x BDD BDD ⇓ ( LWE ) ( LWE ) Distinguishes large λ from small x ?? 10 / 16

  39. Our Approach New way of solving GapSVP in a reduction IMAGINE “The Usual” Illegal BDD instance ⇓ x y Incorrect (& unknown!) LWE distribution x y SO WHAT! y y When λ ≪ d , oracle cannot guess x BDD BDD ⇓ ( LWE ) ( LWE ) Distinguishes large λ from small x ?? ◮ View as [GoldGold98] AM proof between reduction and oracle 10 / 16

  40. Technical Obstacles 1 What about in BDD → LWE reduction? (No quantum allowed!) 11 / 16

  41. Technical Obstacles 1 What about in BDD → LWE reduction? (No quantum allowed!) ⋆ Use [GPV08] sampling algorithm with ‘best available’ basis for L ∗ . 11 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fully dynamic all-pairs shortest paths with worst-case update-time revisited Ittai Abraham 1 Shiri

Fully dynamic all-pairs shortest paths with worst-case update-time revisited Ittai Abraham 1 Shiri

Fully dynamic all-pairs shortest paths with worst-case update-time revisited Ittai Abraham 1 Shiri Chechik 2 Sebastian Krinninger 3 1 Hebrew University of Jerusalem 2 Tel-Aviv University 3 Max Planck Institute for Informatics Saarland Informatics

918 views • 65 slides
Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of

Lattices: From Worst-Case, to Average-Case, to Cryptography Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 6 May 2010 1 / 16 Talk Agenda 1 Smoothing and discrete Gaussians 2 From worst-case

1.43k views • 74 slides
The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case)

Comparison of Efficiency Binary Binomial Procedure (worst- (worst- (amortized) case) case) Make - Heap (1) (1) (1) (lg n ) O (lg n ) (1) Insert (1) O (lg n ) (1) Minimum Extract - Min (lg n ) (lg n ) O (lg n ) ( n

376 views • 16 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 1 / 15 Worst-case versus average-case complexity Lattices are an

851 views • 58 slides
Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC)

Worst-case Ethernet Network Latency for Shaped Sources Max Azarov, Standard Microsystems (SMSC) Background Deterministic QoS guarantees dictate a need for an analytical evaluation of QoS parameters: worst-case latency, worst- case

211 views • 6 slides
Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen

Typical versus Worst Case Design in Networking Nandita Dukkipati Yashar Ganjali, Rui Zhang-Shen High Performance Networking Group Stanford University HotNets-IV, November 2005 Introduction: Worst-case design Preference for worst-case

1.24k views • 14 slides
Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Modern Block Ciphers DES Games with Block Ciphers Modern Block Ciphers DES Games with Block Ciphers Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and their applications are the primary focus

521 views • 5 slides
Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal

Worst-Case Ef fi cient External-Memory Priority Queues Gerth Stlting Brodal MaxPlanckInstitut f ur Informatik Saarbr ucken Germany Jyrki Katajainen Datalogisk Institut Kbenhavns Universitet Denmark July 1998 Worst-Case Ef

161 views • 12 slides
Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris

Worst-Case to Average-Case Reduction for SIS Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University Israel 2012 Session Outline Average-Case Problems The Small Integer Solution (SIS)

909 views • 63 slides
Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and

Values in Worst-Case Scenarios Per Wikman-Svahn, Ph.D. Researcher, Department of Philosophy and History Royal InsAtute of Technology KTH, Stockholm Background IniAal phase of a 2-year research project on values in worst case scenarios.

631 views • 41 slides
quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place?

quiz insertion sort: worst-case time complexity? best-case time complexity? in-place? recursive version? data structures and algorithms merge sort: 2020 09 10 worst-case time complexity? lecture 4 best-case time complexity? in-place?

548 views • 7 slides
Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds

Algorithm : Design & Analysis [6] Heapsort In the last class Mergesort Worst Case Analysis of Mergesort Lower Bounds for Sorting by Comparison of Keys Worst Case Average Behavior Heapsort Heap Structure and Patial

658 views • 31 slides
Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B:

Review of insertionSort and mergeSort insertionSort I worst-case running time: ( n 2 ) Inf 2B: Heapsort and Quicksort I sorts in place , is stable Kyriakos Kalorkoti mergeSort I worst-case running time: ( n lg ( n )) School of Informatics

334 views • 4 slides
Unitary friezes and frieze vectors Emily Gunawan and Ralf Schiffler University of Connecticut

Unitary friezes and frieze vectors Emily Gunawan and Ralf Schiffler University of Connecticut

Unitary friezes and frieze vectors Emily Gunawan and Ralf Schiffler University of Connecticut The 31st International Conference on Formal Power Series and Algebraic Combinatorics (FPSAC) University of Ljubljana, Slovenia 5 July 2019 Emily

428 views • 23 slides
Maximal Vector Computation in Large Data Sets Parke Godfrey 1 Ryan Shipley 2 Jarek Gryz 1 1 York

Maximal Vector Computation in Large Data Sets Parke Godfrey 1 Ryan Shipley 2 Jarek Gryz 1 1 York

Maximal Vector Computation in Large Data Sets Parke Godfrey 1 Ryan Shipley 2 Jarek Gryz 1 1 York University 2 College of William and Mary Toronto, C ANADA Williamsburg, USA 30 August 2005 VLDB Trondheim, Norway Maximal VectorGodfrey,

1.07k views • 73 slides
Introduction to Information Retrieval http://informationretrieval.org IIR 6&7: Vector Space

Introduction to Information Retrieval http://informationretrieval.org IIR 6&7: Vector Space

tf-idf weighting Vector space model Pivot length normalization Introduction to Information Retrieval http://informationretrieval.org IIR 6&7: Vector Space Model Hinrich Sch utze Institute for Natural Language Processing, University of

1.76k views • 136 slides
Word, Sense and Contextualized Embeddings: Vector Representations of Meaning in NLP Jose

Word, Sense and Contextualized Embeddings: Vector Representations of Meaning in NLP Jose

Word, Sense and Contextualized Embeddings: Vector Representations of Meaning in NLP Jose Camacho-Collados Cardiff University, 18 March 2019 1 Outline Background Vector Space Models (word embeddings) Lexical resources Sense

1.33k views • 98 slides
BOILING ASSEMBLAGES IN THE KUPEL OCCURRENCE, KRUMOVGRAD GOLDFIELD, SE BULGARIA IRINA

BOILING ASSEMBLAGES IN THE KUPEL OCCURRENCE, KRUMOVGRAD GOLDFIELD, SE BULGARIA IRINA

BOILING ASSEMBLAGES IN THE KUPEL OCCURRENCE, KRUMOVGRAD GOLDFIELD, SE BULGARIA IRINA MARINOVA, ELENA TACHEVA Institute of Mineralogy and Crystallography, Bulgarian Academy of Sciences, Sofia, Bulgaria e-mail: irimari@gmail.com 1.

339 views • 30 slides
Automated identification of tsetse fly wing vein intersections Shane Josias: 18642365 Supervisor:

Automated identification of tsetse fly wing vein intersections Shane Josias: 18642365 Supervisor:

Automated identification of tsetse fly wing vein intersections Shane Josias: 18642365 Supervisor: Prof. B.M. Herbst October 26, 2017 Stellenbosch University, Applied Mathematics Division Goals Fly wing morphometry provides insight in tsetse

248 views • 6 slides
T odays webinar will begin in a few minutes. Please press *6 to mute your line or use the

T odays webinar will begin in a few minutes. Please press *6 to mute your line or use the

T odays webinar will begin in a few minutes. Please press *6 to mute your line or use the mute button on your phone. If you have questions for the presenter or need to contact TCPS staff, type your comments into the chat box. Lines

743 views • 33 slides
Viral vectors for neural circuit analysis Andy Murray a.murray@ucl.ac.uk Gaining experimental

Viral vectors for neural circuit analysis Andy Murray a.murray@ucl.ac.uk Gaining experimental

Viral vectors for neural circuit analysis Andy Murray a.murray@ucl.ac.uk Gaining experimental access to neural circuits Adeno-associated virus (AAV) Adeno-associated virus (AAV) Adeno-associated virus (AAV) Recombinant AAV (rAAV) 4.9 Kb

766 views • 40 slides

More recommend