session 10 more trapdoors and applications chris peikert
play

Session #10: (More) Trapdoors and Applications Chris Peikert - PowerPoint PPT Presentation

Jul 22, 2023 •430 likes •1.2k views

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto &

  1. Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 – 22 Feb 2012 Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/16

  2. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/16

  3. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q f A ( x ) = Ax mod q ∈ Z n q (“short” x , surjective) CRHF if SIS hard [Ajtai’96,. . . ] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/16

  4. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/16

  5. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] ◮ Lattice interpretation: Λ ⊥ ( A ) = { x ∈ Z m : f A ( x ) = Ax = 0 mod q } (0 , q ) O ( q, 0) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/16

  6. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] u ( A ) = { x ∈ Z m : f A ( x ) = Ax = u mod q } ◮ Lattice interpretation: Λ ⊥ (0 , q ) x O ( q, 0) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/16

  7. Lattice-Based One-Way Functions � � ◮ Public key ∈ Z n × m · · · A · · · for q = poly ( n ) , m = Ω( n log q ) . q g A ( s , e ) = s t A + e t mod q ∈ Z m f A ( x ) = Ax mod q ∈ Z n q q (“short” x , surjective) (“short” e , injective) CRHF if SIS hard [Ajtai’96,. . . ] OWF if LWE hard [Regev’05,P’09] ◮ f A , g A in forward direction yield CRHFs, CPA security (w/FHE!) . . . but not much else. Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/16

  8. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/16

  9. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Invert g A ( s , e ) = s t A + e t : find the unique preimage s (equivalently, e ) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/16

  10. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Invert u = f A ( x ′ ) = Ax ′ : Invert g A ( s , e ) = s t A + e t : sample random x ← f − 1 A ( u ) find the unique preimage s with prob ∝ exp( −� x � 2 /s 2 ) . (equivalently, e ) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/16

  11. Trapdoor Inversion ◮ Many cryptographic applications need to invert f A and/or g A . Invert u = f A ( x ′ ) = Ax ′ : Invert g A ( s , e ) = s t A + e t : sample random x ← f − 1 A ( u ) find the unique preimage s with prob ∝ exp( −� x � 2 /s 2 ) . (equivalently, e ) ◮ How? Use a “strong trapdoor” for A : a short basis of Λ ⊥ ( A ) [Babai’86,GGH’97,Klein’01,GPV’08,P’10] O Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/16

  12. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/16

  13. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/16

  14. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m, x ): check f A ( x ) = Ax = H ( m ) and x “short enough” Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/16

  15. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m, x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/16

  16. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m, x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard Other “Black-Box” Applications of f − 1 , g − 1 ◮ Standard Model (no RO) signatures [CHKP’10,R’10,B’10] ◮ SM CCA-secure encryption [PW’08,P’09] ◮ SM (Hierarchical) IBE [GPV’08,CHKP’10,ABB’10a,ABB’10b] ◮ Many more: OT, NISZK, homom enc/sigs, deniable enc, func enc, . . . [PVW’08,PV’08,GHV’10,GKV’10,BF’10a,BF’10b,OPW’11,AFV’11,ABVVW’11,. . . ] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/16

  17. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m, x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard Some Drawbacks. . . ✗ Generating A w/ short basis is complicated and slow [Ajtai’99,AP’09] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/16

  18. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m, x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard Some Drawbacks. . . ✗ Generating A w/ short basis is complicated and slow [Ajtai’99,AP’09] ✗ Known inversion algorithms trade quality for efficiency Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/16

  19. Applications of Strong Trapdoors Canonical App: [GPV’08] Signatures ◮ pk = A , sk = short basis for A , random oracle H : { 0 , 1 } ∗ → Z n q . ◮ Sign( m ): let u = H ( m ) and output Gaussian x ← f − 1 A ( u ) ◮ Verify( m, x ): check f A ( x ) = Ax = H ( m ) and x “short enough” ◮ Security: finding “short enough” preimages in f A must be hard Some Drawbacks. . . ✗ Generating A w/ short basis is complicated and slow [Ajtai’99,AP’09] ✗ Known inversion algorithms trade quality for efficiency tight, iterative, fp looser, parallel, offline g − 1 [Babai’86] [Babai’86] A f − 1 [Klein’01,GPV’08] [P’10] A Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/16

  20. Taming the Parameters �� � n · · · · · · A � �� � m O f A ( x ) = Ax Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/16

  21. Taming the Parameters �� � n · · · · · · A � �� � m O f A ( x ) = Ax 1 Trapdoor generator yields some lattice dim m ≥ Cn log q . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/16

  22. Taming the Parameters �� � n · · · · · · A � �� � m O f A ( x ) = Ax 1 Trapdoor generator yields some lattice dim m ≥ Cn log q . 2 Basis “quality” ≈ lengths of basis vectors ≈ Gaussian std dev s . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/16

  23. Taming the Parameters �� � n · · · · · · A � �� � m O f A ( x ) = Ax 1 Trapdoor generator yields some lattice dim m ≥ Cn log q . 2 Basis “quality” ≈ lengths of basis vectors ≈ Gaussian std dev s . ⇒ preimage length β = � x � ≈ s √ m . 3 Dimension m , std dev s = Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto & Applications,

1.27k views • 94 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N

1.2k views • 82 slides
How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris

How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris

How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions Chris Peikert SRI Work with Craig Gentry and Vinod Vaikuntanathan 1 / 14 Digital Signatures 2 / 14 Digital Signatures (public) (secret) 2 / 14

1.48k views • 78 slides
Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on

Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on

Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto & Applications,

853 views • 82 slides
Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based

853 views • 52 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

1.61k views • 85 slides
A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography Vadim

814 views • 70 slides
Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons Institute, 29/04/2020 Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehl and Keita Xagawa, ePrint 2019/1456 1/17 A.

540 views • 28 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of Michigan (Based on work with Sina Shiehian) 2nd Crypto Innovation School Shanghai, China 15 December 2019 1 / 16 Zero Knowledge

995 views • 95 slides
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline Introduction 1 Construction, Parameters and Efficiency 2 Proof of Security

886 views • 47 slides
Logistics Assignments Crossover and Mutation Checkpoint 1 -- Problem Graded --

Logistics Assignments Crossover and Mutation Checkpoint 1 -- Problem Graded --

Logistics Assignments Crossover and Mutation Checkpoint 1 -- Problem Graded -- comments on mycourses Checkpoint 2 --Framework Mostly all graded -- comments on mycourses Checkpoint 3 -- Genotype / Phenotype Due last

422 views • 9 slides
Embeddings of Metrics on Strings and Permutations Graham Cormode joint work with S.

Embeddings of Metrics on Strings and Permutations Graham Cormode joint work with S.

Embeddings of Metrics on Strings and Permutations Graham Cormode joint work with S. Muthukrishnan, Cenk Sahinalp Miss Hepburn runs the gamut of emotions from A to B Dorothy Parker, 1933 Permutations and Strings Strings Web pages,

922 views • 42 slides
VLSI Placement Sadiq M. Sait & Habib Youssef December 1995 Placement Placement is the

VLSI Placement Sadiq M. Sait & Habib Youssef December 1995 Placement Placement is the

King Fahd University of Petroleum & Minerals College of Computer Sciences & Engineering Department of Computer Engineering VLSI Placement Sadiq M. Sait & Habib Youssef December 1995 Placement Placement is the process of

1.15k views • 52 slides
Inverse Kinematics (part 2) CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Spring

Inverse Kinematics (part 2) CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Spring

Inverse Kinematics (part 2) CSE169: Computer Animation Instructor: Steve Rotenberg UCSD, Spring 2016 Forward Kinematics We will use the vector: ... 1 2 M to represent the array of M joint DOF values

930 views • 75 slides
Parallel Shift-Invert Spectrum Slicing on Distributed Architectures with GPU Accelerators

Parallel Shift-Invert Spectrum Slicing on Distributed Architectures with GPU Accelerators

Parallel Shift-Invert Spectrum Slicing on Distributed Architectures with GPU Accelerators (pap167s1) Da David Williams-You Young, Chao o Ya Yang Sc Scalable e So Solver ers s Group up Co Computational Research Di Division La

367 views • 17 slides
Inverse kinematics Forward kinematics Given a joint configuration, what is the position of an end

Inverse kinematics Forward kinematics Given a joint configuration, what is the position of an end

Kinematics The study of motion without regard to the forces that cause it Inverse kinematics Forward kinematics Given a joint configuration, what is the position of an end point on the structure? Inverse kinematics Given the position for an

321 views • 7 slides
Matrix Calculations: Inverse and Basis Transformation A. Kissinger (and H. Geuvers) Institute

Matrix Calculations: Inverse and Basis Transformation A. Kissinger (and H. Geuvers) Institute

Existence and uniqueness of inverse Determinants Radboud University Nijmegen Basis transformations Matrix Calculations: Inverse and Basis Transformation A. Kissinger (and H. Geuvers) Institute for Computing and Information Sciences

944 views • 39 slides
High-speed key encapsulation from NTRU Andreas Hlsing 1 , Joost Rijneveld 2 , John Schanck 3,4 ,

High-speed key encapsulation from NTRU Andreas Hlsing 1 , Joost Rijneveld 2 , John Schanck 3,4 ,

High-speed key encapsulation from NTRU Andreas Hlsing 1 , Joost Rijneveld 2 , John Schanck 3,4 , Peter Schwabe 2 1 Eindhoven University of Technology, The Netherlands 2 Radboud University, Nijmegen, The Netherlands 3 Institute for Quantum

1.25k views • 96 slides

More recommend