
Short generators without quantum computers: the case of multiquadratics. Christine van Vredendaal, Technische Universiteit Eindhoven, 1 May 2017. Joint work with Jens Bauch, Daniel J. Bernstein, Henry de Valence and Tanja Lange.


  1. Short generators without quantum computers: the case of multiquadratics. Christine van Vredendaal, Technische Universiteit Eindhoven, 1 May 2017. Joint work with: Jens Bauch, Daniel J. Bernstein, Henry de Valence and Tanja Lange. (Slide footer on every slide: Christine van Vredendaal, slide number, multiquad.)

  2. Part I: Introduction

  3–4. “Lattice-based crypto is secure because lattice problems are hard.” — Everyone who works on lattice-based crypto. Really? How hard are they? Which cryptosystems are secure?

  5–7. How secure? Multiple attack avenues showing progress.
  Sieving asymptotics for dimension-N SVP:
  - 2008 Nguyen–Vidick: 2^((0.415+o(1))N)
  - 2015 Becker–Ducas–Gama–Laarhoven: 2^((0.292+o(1))N)
  - 2014 Laarhoven–Mosca–van de Pol: quantumly 2^((0.268+o(1))N)
  Pre-quantum attacks against cyclotomic ideal lattice problems:
  - 2017 Biasse–Espitau–Fouque–Gélin–Kirchner: L_|Δ|(1/2) (see next talk)
  Quantum attacks against cyclotomic ideal lattice problems:
  - 2015 Biasse–Song (using 2014 Campbell–Groves–Shepherd): poly-time quantum algorithm against short generators
  - 2016 Cramer–Ducas–Peikert–Regev: general analysis for arbitrary principal ideals (within an e^(Õ(n^(1/2))) approximation factor)
  - 2016 Cramer–Ducas–Wesolowski: generalize to any ideal

  8–10. Non-cyclotomic lattice-based cryptography. Cyclotomics are scary. Let’s explore alternatives:
  - Eliminate the ideal structure, e.g., use LWE instead of Ring-LWE. But this limits the security achievable for key size K.
  - 2016 Bernstein–Chuengsatiansup–Lange–van Vredendaal “NTRU Prime”: eliminate unnecessary ring morphisms. Use prime degree, large Galois group: e.g., x^p − x − 1.
  - This talk: switch from cyclotomics to other Galois number fields. Another popular example in algebraic-number-theory textbooks: multiquadratics; e.g., Q(√2, √3, √5, √7, √11, √13, √17, √19, √23).

  11–12. A reasonable multiquadratic cryptosystem. Case study of a lattice-based cryptosystem that was already defined in detail for arbitrary number fields: 2010 Smart–Vercauteren, optimized version of 2009 Gentry. Parameter: R = Z[α] for an algebraic integer α. Secret key: very short g ∈ R. Public key: gR. Like Smart–Vercauteren, we took N ∈ λ^(2+o(1)) for target security 2^λ. Checked security against standard lattice attacks: nothing better than exponential time.

  13. Part II: Some preliminaries

  14. Definition: A number field is a field L containing Q with finite dimension as a Q-vector space. Its degree is this dimension. Definition: The ring of integers O_L of a number field L is the set of algebraic integers in L. The invertible elements of this ring form the unit group O_L^×. Problem: Recover a “small” g ∈ O_L (modulo roots of unity) given gO_L. Definition (for this talk): A multiquadratic field is a number field that can be written in the form L = Q(√d_1, …, √d_n), where (d_1, …, d_n) are distinct primes. The degree of the multiquadratic field is N = 2^n.

  15–17. General strategy to recover g:
  Step 0: Compute the unit group O_L^×.
  Step 1: Find some generator ug of the principal ideal gO_L.
  - subexponential-time algorithm [1990 Buchmann, 2014 Biasse–Fieker, 2014 Biasse]
  - quantum poly-time algorithm [2016 Biasse–Song]
  Step 2: Solve BDD for Log ug in the log-unit lattice to find Log u.
  - 2014 Campbell–Groves–Shepherd pointed out this was easy for cyclotomic fields with h^+ small
  - 2015 Schanck confirmed experimentally
  - 2015 Cramer–Ducas–Peikert–Regev proved pre-quantum polynomial time for these fields
  (BDD: bounded-distance decoding; i.e., finding a lattice vector close to an input point.)

  18–20. Definition: Fix a number field L of degree N and fix distinct complex embeddings σ_1, …, σ_N of L. The Dirichlet logarithm map is defined as Log : L^× → R^N, x ↦ (log|σ_1(x)|, …, log|σ_N(x)|).
  Theorem (Dirichlet Unit Theorem): The kernel of Log restricted to O_L − {0} is the cyclic group of roots of unity in O_L. Let Λ = Log O_L^× ⊂ R^N. Λ is a lattice of rank r + c − 1, where r is the number of real embeddings and c is the number of complex-conjugate pairs of non-real embeddings of L.
  Fact: If hO_L = gO_L and g ≠ 0 then h = ug for some u ∈ O_L^×, and Log g ∈ Log h + Λ.
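The strategy of slides 15–17 and the Fact of slide 20, worked through in the smallest possible setting as an added example (this is not code from the talk or from the multiquad paper): a real quadratic field L = Q(√d) with d ≡ 2, 3 (mod 4) prime, so that O_L = Z[√d] and the log-unit lattice has rank r + c − 1 = 1. Given any generator h = u·g of the ideal gO_L, Log h = Log g + k·Log ε for the fundamental unit ε, and because Log g is small when g is short, the BDD step is just rounding the projection of Log h onto Log ε. The fundamental unit is found by a brute-force search on Pell's equation, which is adequate for the small d used here; the sample secret g = 7 + √2 and the exponent k = 5 are constructed values.

```python
import math
from typing import Tuple

# Elements of Z[sqrt(d)] are pairs (a, b) meaning a + b*sqrt(d).
# Assumption (stated in the lead-in): d is a prime with d = 2 or 3 (mod 4), so
# Z[sqrt(d)] is the full ring of integers O_L and its unit group is the one the
# Dirichlet Unit Theorem describes: {+-1} x <eps>, rank 1.
Elem = Tuple[int, int]


def mul(x: Elem, y: Elem, d: int) -> Elem:
    """(a + b*sqrt(d)) * (c + e*sqrt(d)) in Z[sqrt(d)]."""
    a, b = x
    c, e = y
    return (a * c + d * b * e, a * e + b * c)


def norm(x: Elem, d: int) -> int:
    """Field norm N(a + b*sqrt(d)) = a^2 - d*b^2, the product of both embeddings."""
    return x[0] ** 2 - d * x[1] ** 2


def fundamental_unit(d: int, bound: int = 10_000) -> Elem:
    """Smallest unit a + b*sqrt(d) > 1 with b > 0, by brute force on the Pell
    equation a^2 - d*b^2 = +-1 (units > 1 are ordered by b, so the first hit wins)."""
    if d % 4 not in (2, 3):
        raise ValueError("example assumes d = 2 or 3 (mod 4) so that O_L = Z[sqrt(d)]")
    for b in range(1, bound):
        for sign in (1, -1):
            a2 = d * b * b + sign
            a = math.isqrt(a2)
            if a * a == a2:
                return (a, b)
    raise ValueError("no unit found below bound")


def log_embed(x: Elem, d: int) -> Tuple[float, float]:
    """Dirichlet logarithm Log x = (log|sigma_1(x)|, log|sigma_2(x)|) for the two
    real embeddings sqrt(d) -> +sqrt(d) and sqrt(d) -> -sqrt(d)."""
    s = math.sqrt(d)
    return (math.log(abs(x[0] + x[1] * s)), math.log(abs(x[0] - x[1] * s)))


def unit_power(eps: Elem, k: int, d: int) -> Elem:
    """eps^k for any integer k.  Since N(eps) = +-1, eps^-1 = N(eps) * conj(eps)."""
    if k < 0:
        n = norm(eps, d)
        eps, k = (n * eps[0], -n * eps[1]), -k
    result: Elem = (1, 0)
    for _ in range(k):
        result = mul(result, eps, d)
    return result


def recover_short_generator(h: Elem, d: int) -> Tuple[Elem, int]:
    """Given any generator h = u*g of g*O_L, return (g, k) with u = eps^k.

    Log h = Log g + k*Log eps.  With Log g small, the closest lattice point of
    Z*Log(eps) to Log h is found by rounding the projection coefficient (BDD in
    rank 1).  g is recovered exactly, not just modulo roots of unity, because the
    unit power is divided out in exact integer arithmetic.
    """
    eps = fundamental_unit(d)
    lam = log_embed(eps, d)          # generator of the log-unit lattice Lambda
    lh = log_embed(h, d)
    k = round((lh[0] * lam[0] + lh[1] * lam[1]) / (lam[0] ** 2 + lam[1] ** 2))
    g = mul(h, unit_power(eps, -k, d), d)   # strip the unit: g = h * eps^-k
    return g, k


if __name__ == "__main__":
    d = 2
    g = (7, 1)                                   # constructed short secret 7 + sqrt(2)
    eps = fundamental_unit(d)                    # 1 + sqrt(2)
    h = mul(g, unit_power(eps, 5, d), d)         # a long generator of the same ideal
    print("public generator h =", h, "with norm", norm(h, d))
    print("recovered (g, k)  =", recover_short_generator(h, d))
```

The projection coefficient before rounding is about 0.23 for g = 7 + √2, so rounding is robust; a secret whose two conjugates are very unbalanced (e.g. 3 + √2) pushes that coefficient past 0.5 and the rounding returns g·ε instead, which is exactly the "g must be short relative to Λ" condition the cyclotomic attacks also rely on.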

  21. Part III: The algorithm. https://starecat.com/algorithm-word-used-by-programmers-when-they-do-not-want-to-explain-what-they-did/

  22–24. Algorithm idea 1: subfields. Multiquadratic fields have a huge number of subfields. Example lattice of subfields for K = Q(√5, √13, √17):
  - degree 4: Q(√5, √13), Q(√5, √17), Q(√13, √17), Q(√5, √221), Q(√13, √85), Q(√17, √65), Q(√65, √85)
  - degree 2: Q(√5), Q(√13), Q(√17), Q(√65), Q(√85), Q(√221), Q(√1105)
  - degree 1: Q
  We use 3 specific ones (plus recursion): Q(√5, √13), Q(√5, √17), Q(√5, √221), shown on slide 24 above the row of quadratic subfields Q(√5), Q(√13), Q(√17), Q(√65), Q(√85), Q(√221), Q(√1105) and Q.
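An added example, not from the talk or the multiquad paper, that reproduces the subfield diagram of slides 23–24 and generalises it: the subfields of Q(√d_1, …, √d_n) for distinct primes d_i correspond to subspaces of F_2^n (Galois group (Z/2)^n), a degree-2^k subfield being the span of k independent bit vectors, each nonzero vector of the span naming the radicand D = ∏ d_i over its set bits. The radicands 5, 13, 17 are the slide's; the function and variable names are this example's own.

```python
from itertools import combinations, product
from math import prod
from typing import FrozenSet, List, Sequence, Tuple

# A bit vector in F_2^n, one bit per d_i; it names the radicand prod(d_i : bit set).
Mask = Tuple[int, ...]


def radicand(ds: Sequence[int], mask: Mask) -> int:
    """The D with sqrt(D) = product of the sqrt(d_i) selected by mask."""
    return prod(d for d, bit in zip(ds, mask) if bit)


def span(gens: Sequence[Mask], n: int) -> FrozenSet[Mask]:
    """F_2-span of gens (component-wise XOR), zero vector included."""
    vectors = {tuple([0] * n)}
    for g in gens:
        vectors |= {tuple(a ^ b for a, b in zip(v, g)) for v in vectors}
    return frozenset(vectors)


def subfields_of_degree(ds: Sequence[int], k: int) -> List[Tuple[int, ...]]:
    """All subfields of degree 2^k of Q(sqrt(d_1), ..., sqrt(d_n)).

    Each subfield is returned as the sorted tuple of its 2^k - 1 radicands D,
    i.e. the subfield is Q(sqrt(D) : D in tuple).  Degree 1 gives the empty
    tuple, which stands for Q itself.
    """
    n = len(ds)
    nonzero = [m for m in product((0, 1), repeat=n) if any(m)]
    found = set()
    for gens in combinations(nonzero, k):
        s = span(gens, n)
        if len(s) == 2 ** k:                  # gens independent -> k-dim subspace
            found.add(tuple(sorted(radicand(ds, m) for m in s if any(m))))
    return sorted(found)


def quadratic_subfields(ds: Sequence[int]) -> List[int]:
    """The 2^n - 1 quadratic subfields Q(sqrt(D)), as the list of D."""
    return [t[0] for t in subfields_of_degree(ds, 1)]


def count_subfields(ds: Sequence[int]) -> int:
    """Total number of subfields, Q and the field itself included (the number of
    subspaces of F_2^n, which grows far faster than n)."""
    return sum(len(subfields_of_degree(ds, k)) for k in range(len(ds) + 1))


if __name__ == "__main__":
    K = [5, 13, 17]                                   # radicands from slide 23
    for k in range(len(K), -1, -1):
        for sub in subfields_of_degree(K, k):
            print(f"degree {2 ** k}: Q(" + ", ".join(f"sqrt({D})" for D in sub) + ")")
    print("total subfields:", count_subfields(K))
```

For K = Q(√5, √13, √17) this prints the 1 + 7 + 7 + 1 = 16 subfields of the diagram; the three fields the algorithm recurses into, Q(√5, √13), Q(√5, √17) and Q(√5, √221), appear as the radicand triples (5, 13, 65), (5, 17, 85) and (5, 221, 1105).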
