session 5 learning with errors chris peikert
play

Session #5: Learning With Errors Chris Peikert Georgia Institute - PowerPoint PPT Presentation

Jun 23, 2023 •33 likes •853 views

Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto & Applications,

  1. Session #5: Learning With Errors Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 – 22 Feb 2012 Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 1/15

  2. Last Time. . . ◮ SIS: find “small” nontrivial z 1 , . . . , z m ∈ Z such that:       | | | ∈ Z n a 1 a 2 · · · a m       q | | | Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/15

  3. Last Time. . . ◮ SIS: find “small” nontrivial z 1 , . . . , z m ∈ Z such that:         | | | |  + z 2 ·  + · · · + z m ·  =  ∈ Z n z 1 · a 1 a 2 a m 0     q | | | | Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/15

  4. Last Time. . . ◮ SIS: find “short” nonzero z ∈ Z m such that:        = 0 ∈ Z n    · · · · · · · · A  z    q � �� � m Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/15

  5. Last Time. . . ◮ SIS: find “short” nonzero z ∈ Z m such that:        = 0 ∈ Z n    · · · · · · · · A  z    q � �� � m ◮ This talk: a complementary problem, Learning With Errors Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 2/15

  6. Overview of LWE Hardness quantum [R’05] GapSVP, ≤ SIVP search-LWE ≤ decision-LWE ≤ crypto ≤ [BFKL’94,R’05, [R’05,PW’08, GapSVP P’09,. . . ] GPV’08,. . . ] classical (large q ) [P’09] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 3/15

  7. History of LWE Crypto papers with “something new” regarding LWE: Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 4/15

  8. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15

  9. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ a 1 ← Z n q , b 1 = � s , a 1 � + e 1 a 2 ← Z n q , b 2 = � s , a 2 � + e 2 . . . Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15

  10. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 , ‘error rate’ α ≪ 1 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ a 1 ← Z n q , b 1 = � s , a 1 � + e 1 a 2 ← Z n q , b 2 = � s , a 2 � + e 2 . . . Errors e i ← χ = Gaussian over Z , param αq α · q > √ n Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15

  11. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 , ‘error rate’ α ≪ 1 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ a 1 ← Z n q , b 1 = � s , a 1 � + e 1 a 2 ← Z n q , b 2 = � s , a 2 � + e 2 . . . Errors e i ← χ = Gaussian over Z , param αq α · q > √ n ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) pairs Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15

  12. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 , ‘error rate’ α ≪ 1 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’   | |  , b t = s t A + e t A = · · · a 1 a m  | | Errors e i ← χ = Gaussian over Z , param αq α · q > √ n ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) pairs Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15

  13. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 , ‘error rate’ α ≪ 1 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’   | |  , b t = s t A + e t A = · · · a 1 a m  | | Errors e i ← χ = Gaussian over Z , param αq α · q > √ n ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) pairs Generalizes LPN ( q = 2 , Bernoulli noise) [AL’88,BFKL’94,. . . ] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15

  14. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 , ‘error rate’ α ≪ 1 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’   | |  , b t = s t A + e t A = · · · a 1 a m  | | Errors e i ← χ = Gaussian over Z , param αq α · q > √ n ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) pairs Generalizes LPN ( q = 2 , Bernoulli noise) [AL’88,BFKL’94,. . . ] ◮ Why error αq > √ n ? ⋆ Required by worst-case hardness proofs [R’05,P’09] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15

  15. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 , ‘error rate’ α ≪ 1 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’   | |  , b t = s t A + e t A = · · · a 1 a m  | | Errors e i ← χ = Gaussian over Z , param αq α · q > √ n ◮ Decision: distinguish ( a i , b i ) from uniform ( a i , b i ) pairs Generalizes LPN ( q = 2 , Bernoulli noise) [AL’88,BFKL’94,. . . ] ◮ Why error αq > √ n ? ⋆ Required by worst-case hardness proofs [R’05,P’09] ⋆ There’s an exp(( αq ) 2 ) -time attack! [AG’11] Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 5/15

  16. SIS versus LWE SIS LWE ( A , b t = s t A + e t ) vs. ( A , b t ) Az = 0 , ‘short’ z � = 0 Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15

  17. SIS versus LWE SIS LWE ( A , b t = s t A + e t ) vs. ( A , b t ) Az = 0 , ‘short’ z � = 0 ◮ ‘Computational’ (search) problem a la factoring, CDH Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15

  18. SIS versus LWE SIS LWE ( A , b t = s t A + e t ) vs. ( A , b t ) Az = 0 , ‘short’ z � = 0 ◮ ‘Computational’ (search) ◮ ‘Decisional’ problem a la QR, problem a la factoring, CDH DCR, DDH Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15

  19. SIS versus LWE SIS LWE ( A , b t = s t A + e t ) vs. ( A , b t ) Az = 0 , ‘short’ z � = 0 ◮ ‘Computational’ (search) ◮ ‘Decisional’ problem a la QR, problem a la factoring, CDH DCR, DDH ◮ Many valid solutions z Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15

  20. SIS versus LWE SIS LWE ( A , b t = s t A + e t ) vs. ( A , b t ) Az = 0 , ‘short’ z � = 0 ◮ ‘Computational’ (search) ◮ ‘Decisional’ problem a la QR, problem a la factoring, CDH DCR, DDH ◮ Many valid solutions z ◮ Unique solution s (w/short e ) Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15

  21. SIS versus LWE SIS LWE ( A , b t = s t A + e t ) vs. ( A , b t ) Az = 0 , ‘short’ z � = 0 ◮ ‘Computational’ (search) ◮ ‘Decisional’ problem a la QR, problem a la factoring, CDH DCR, DDH ◮ Many valid solutions z ◮ Unique solution s (w/short e ) ◮ LWE ≤ SIS: if Az = 0 , then b t z = e t z is small, but b t z is ‘well-spread’ Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15

  22. SIS versus LWE SIS LWE ( A , b t = s t A + e t ) vs. ( A , b t ) Az = 0 , ‘short’ z � = 0 ◮ ‘Computational’ (search) ◮ ‘Decisional’ problem a la QR, problem a la factoring, CDH DCR, DDH ◮ Many valid solutions z ◮ Unique solution s (w/short e ) ◮ LWE ≤ SIS: if Az = 0 , then ?? ◮ SIS ≤ LWE (stay till Wed...) b t z = e t z is small, but b t z is ‘well-spread’ Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15

  23. SIS versus LWE SIS LWE ( A , b t = s t A + e t ) vs. ( A , b t ) Az = 0 , ‘short’ z � = 0 ◮ ‘Computational’ (search) ◮ ‘Decisional’ problem a la QR, problem a la factoring, CDH DCR, DDH ◮ Many valid solutions z ◮ Unique solution s (w/short e ) ◮ LWE ≤ SIS: if Az = 0 , then ?? ◮ SIS ≤ LWE (stay till Wed...) b t z = e t z is small, but b t z is ‘well-spread’ ◮ Applications: OWF / CRHF, signatures, ID schemes Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15

  24. SIS versus LWE SIS LWE ( A , b t = s t A + e t ) vs. ( A , b t ) Az = 0 , ‘short’ z � = 0 ◮ ‘Computational’ (search) ◮ ‘Decisional’ problem a la QR, problem a la factoring, CDH DCR, DDH ◮ Many valid solutions z ◮ Unique solution s (w/short e ) ◮ LWE ≤ SIS: if Az = 0 , then ?? ◮ SIS ≤ LWE (stay till Wed...) b t z = e t z is small, but b t z is ‘well-spread’ ◮ Applications: OWF / CRHF, signatures, ID schemes ‘minicrypt’ Lattice-Based Crypto & Applications, Bar-Ilan University, Israel 2012 6/15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded

On Ideal Lattices and Learning With Errors Over Rings Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 1 1 Tel Aviv University 2 Georgia Institute of Technology Eurocrypt 2010 1 / 12 The Learning With Errors Problem [Regev05]

819 views • 59 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of Michigan (Based on work with Sina Shiehian) 2nd Crypto Innovation School Shanghai, China 15 December 2019 1 / 16 Zero Knowledge

995 views • 95 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+ 1 May 2019 1 / 15 Zero Knowledge [GoldwasserMicaliRackoff85] Zero-knowledge (interactive) proof for language L : allows a prover P to

1.21k views • 89 slides
Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC

Algebraically Structured LWE, Revisited Chris Peikert Zachary Pepin University of Michigan TCC 2019 1 / 13 Algebraic Learning With Errors A foundation of efficient lattice crypto: Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE,

954 views • 57 slides
Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 17 Recall: Lattices Full-rank additive subgroup in Z m . O 2 / 17 Recall:

971 views • 94 slides
Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based

853 views • 52 slides
Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto &

1.2k views • 76 slides
Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter

Session #9: Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto & Applications,

1.27k views • 94 slides
Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum

Kuperbergs Collimation Sieve vs. CSIDH Chris Peikert University of Michigan Quantum Cryptanalysis of Post-Quantum Cryptography Simons Institute 24 February 2020 1 / 16 He Gives C-Sieves on the CSIDH Chris Peikert University of Michigan

1.61k views • 85 slides
A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded

A Too it for Ri - E y o Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography Vadim

814 views • 70 slides
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert

Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices Chris Peikert 1 Alon Rosen 2 1 MIT CSAIL 2 Harvard DEAS Theory of Cryptography Conference 5 March 2006 Chris Peikert, Alon Rosen (MIT, Harvard) Efficient

897 views • 61 slides
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline Introduction 1 Construction, Parameters and Efficiency 2 Proof of Security

886 views • 47 slides
On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory

On Error Correction in the Exponent Chris Peikert MIT Computer Science and AI Laboratory Theory of Cryptography Conference 5 March 2006 Chris Peikert (MIT) On Error Correction in the Exponent TCC 2006 1 / 9 Error Correction (in the

1.04k views • 58 slides
New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah

New (and Old) Proof Systems for Lattice Problems Navid Alamati Chris Peikert Noah Stephens-Davidowitz PKC 2018 1 / 13 Zero-Knowledge Proofs [GoldwasserMicaliRackoff85] A protocol allowing an unbounded Prover P to convince a skeptical,

960 views • 68 slides
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded

Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N = = p m

1.08k views • 82 slides
Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Large Graph Limits of Learning Algorithms Andrew M Stuart Computing and Mathematical Sciences,

Large Graph Limits of Learning Algorithms Andrew M Stuart Computing and Mathematical Sciences,

Large Graph Limits of Learning Algorithms Andrew M Stuart Computing and Mathematical Sciences, Caltech Andrea Bertozzi, Michael Luo (UCLA) and Kostas Zygalakis (Edinburgh) Matt Dunlop (Caltech), Dejan Slep cev (CMU) and Matt Thorpe

763 views • 40 slides
Lecture 3: Perceptron Princeton University COS 495 Instructor: Yingyu Liang Perceptron Overview

Lecture 3: Perceptron Princeton University COS 495 Instructor: Yingyu Liang Perceptron Overview

Machine Learning Basics Lecture 3: Perceptron Princeton University COS 495 Instructor: Yingyu Liang Perceptron Overview Previous lectures: (Principle for loss function) MLE to derive loss Example: linear regression; some linear

769 views • 33 slides
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes,

Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes,

Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 1/ 23 Introduction

429 views • 26 slides
Approximate Dynamic Programming A. LAZARIC ( SequeL Team @INRIA-Lille ) ENS Cachan - Master 2 MVA

Approximate Dynamic Programming A. LAZARIC ( SequeL Team @INRIA-Lille ) ENS Cachan - Master 2 MVA

Approximate Dynamic Programming A. LAZARIC ( SequeL Team @INRIA-Lille ) ENS Cachan - Master 2 MVA SequeL INRIA Lille MVA-RL Course Approximate Dynamic Programming (a.k.a. Batch Reinforcement Learning) A. LAZARIC Reinforcement Learning

1.74k views • 140 slides
Probabilistic Knowledge Bases Guy Van den Broeck First Conference on Automated Knowledge Base

Probabilistic Knowledge Bases Guy Van den Broeck First Conference on Automated Knowledge Base

Towards Querying Probabilistic Knowledge Bases Guy Van den Broeck First Conference on Automated Knowledge Base Construction May 20, 2019 Cartoon Motivation Cartoon Motivation: Relational Embedding Models x Coauthor(Einstein,x)

508 views • 47 slides
Day 1: Introduction to Statistical Learning Lucas Leemann Essex Summer School Introduction to

Day 1: Introduction to Statistical Learning Lucas Leemann Essex Summer School Introduction to

LL Day 1: Introduction to Statistical Learning Lucas Leemann Essex Summer School Introduction to Statistical Learning L. Leemann (Essex Summer School) Day 1 Introduction to SL 1 / 29 LL 1 What is Statistical Learning? 2 Statistical Learning

486 views • 29 slides
MACHINE LEARNING Liviu Ciortuz Department of CS, University of Ia si, Rom ania 1. What is

MACHINE LEARNING Liviu Ciortuz Department of CS, University of Ia si, Rom ania 1. What is

0. MACHINE LEARNING Liviu Ciortuz Department of CS, University of Ia si, Rom ania 1. What is Machine Learning? ML studies algorithms that improve with experience. learn from Tom Mitchells Definition of the [

358 views • 25 slides
Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin

Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin

Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin Ozman, and Katherine Stange UC Irvine, August 31, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork: public-key crypto based

500 views • 27 slides

More recommend