short generators without quantum computers the case of
play

Short generators without quantum computers: the case of - PowerPoint PPT Presentation

Dec 23, 2023 •142 likes •553 views

Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry de Valence & Tanja Lange &

  1. Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry de Valence & Tanja Lange & Christine van Vredendaal Followup to my SIAM AG15 talk “Computational algebraic number theory tackles lattice-based cryptography”: https://cr.yp.to/talks.html#2015.08.06 Daniel J. Bernstein 1 multiquad.cr.yp.to

  2. “ Lattice-based crypto is secure because lattice problems are hard. ” — Everyone who works on lattice-based crypto Daniel J. Bernstein 2 multiquad.cr.yp.to

  3. “ Lattice-based crypto is secure because lattice problems are hard. ” — Everyone who works on lattice-based crypto Really? How hard are they? Which problems are broken in time < 2 100 ? Which cryptosystems are broken in time < 2 100 ? Daniel J. Bernstein 2 multiquad.cr.yp.to

  4. “ Lattice-based crypto is secure because lattice problems are hard. ” — Everyone who works on lattice-based crypto Really? How hard are they? Which problems are broken in time < 2 100 ? Which cryptosystems are broken in time < 2 100 ? 2006 Silverman: “Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography.” Daniel J. Bernstein 2 multiquad.cr.yp.to

  5. “ Lattice-based crypto is secure because lattice problems are hard. ” — Everyone who works on lattice-based crypto Really? How hard are they? Which problems are broken in time < 2 100 ? Which cryptosystems are broken in time < 2 100 ? 2006 Silverman: “Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography.” 2014 Peikert: “Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds of years—even when one allows for the power of quantum algorithms (see, e.g., . . . )—we have solid and unique evidence that lattice-based cryptoschemes are secure.” Daniel J. Bernstein 2 multiquad.cr.yp.to

  6. “ Lattice-based crypto is secure because lattice problems are hard. ” — Everyone who works on lattice-based crypto Really? How hard are they? Which problems are broken in time < 2 100 ? Which cryptosystems are broken in time < 2 100 ? 2006 Silverman: “Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography.” 2014 Peikert: “Because finding short vectors in high-dimensional lattices has been a notoriously hard algorithmic question for hundreds of years—even when one allows for the power of quantum algorithms (see, e.g., . . . )—we have solid and unique evidence that lattice-based cryptoschemes are secure.” Sounds like SVP is claimed to be a hard problem. How hard is it? Daniel J. Bernstein 2 multiquad.cr.yp.to

  7. How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ( N log N ) for almost all dimension- N lattices. Daniel J. Bernstein 3 multiquad.cr.yp.to

  8. How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ( N log N ) for almost all dimension- N lattices. Best SVP algorithms known today: 2 Θ( N ) , asymptotically much faster. Some algorithms taking time 2 ( c + o (1)) N , under plausible assumptions: c ≈ 0 . 415: 2008 Nguyen–Vidick. c ≈ 0 . 415: 2010 Micciancio–Voulgaris. Daniel J. Bernstein 3 multiquad.cr.yp.to

  9. How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ( N log N ) for almost all dimension- N lattices. Best SVP algorithms known today: 2 Θ( N ) , asymptotically much faster. Some algorithms taking time 2 ( c + o (1)) N , under plausible assumptions: c ≈ 0 . 415: 2008 Nguyen–Vidick. c ≈ 0 . 415: 2010 Micciancio–Voulgaris. c ≈ 0 . 384: 2011 Wang–Liu–Tian–Bi. Daniel J. Bernstein 3 multiquad.cr.yp.to

  10. How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ( N log N ) for almost all dimension- N lattices. Best SVP algorithms known today: 2 Θ( N ) , asymptotically much faster. Some algorithms taking time 2 ( c + o (1)) N , under plausible assumptions: c ≈ 0 . 415: 2008 Nguyen–Vidick. c ≈ 0 . 415: 2010 Micciancio–Voulgaris. c ≈ 0 . 384: 2011 Wang–Liu–Tian–Bi. c ≈ 0 . 378: 2013 Zhang–Pan–Hu. Daniel J. Bernstein 3 multiquad.cr.yp.to

  11. How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ( N log N ) for almost all dimension- N lattices. Best SVP algorithms known today: 2 Θ( N ) , asymptotically much faster. Some algorithms taking time 2 ( c + o (1)) N , under plausible assumptions: c ≈ 0 . 415: 2008 Nguyen–Vidick. c ≈ 0 . 415: 2010 Micciancio–Voulgaris. c ≈ 0 . 384: 2011 Wang–Liu–Tian–Bi. c ≈ 0 . 378: 2013 Zhang–Pan–Hu. c ≈ 0 . 337: 2014 Laarhoven. Daniel J. Bernstein 3 multiquad.cr.yp.to

  12. How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ( N log N ) for almost all dimension- N lattices. Best SVP algorithms known today: 2 Θ( N ) , asymptotically much faster. Some algorithms taking time 2 ( c + o (1)) N , under plausible assumptions: c ≈ 0 . 415: 2008 Nguyen–Vidick. c ≈ 0 . 415: 2010 Micciancio–Voulgaris. c ≈ 0 . 384: 2011 Wang–Liu–Tian–Bi. c ≈ 0 . 378: 2013 Zhang–Pan–Hu. c ≈ 0 . 337: 2014 Laarhoven. c ≈ 0 . 298: 2015 Laarhoven–de Weger. Daniel J. Bernstein 3 multiquad.cr.yp.to

  13. How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ( N log N ) for almost all dimension- N lattices. Best SVP algorithms known today: 2 Θ( N ) , asymptotically much faster. Some algorithms taking time 2 ( c + o (1)) N , under plausible assumptions: c ≈ 0 . 415: 2008 Nguyen–Vidick. c ≈ 0 . 415: 2010 Micciancio–Voulgaris. c ≈ 0 . 384: 2011 Wang–Liu–Tian–Bi. c ≈ 0 . 378: 2013 Zhang–Pan–Hu. c ≈ 0 . 337: 2014 Laarhoven. c ≈ 0 . 298: 2015 Laarhoven–de Weger. c ≈ 0 . 292: 2015 Becker–Ducas–Gama–Laarhoven. Daniel J. Bernstein 3 multiquad.cr.yp.to

  14. How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ( N log N ) for almost all dimension- N lattices. Best SVP algorithms known today: 2 Θ( N ) , asymptotically much faster. Some algorithms taking time 2 ( c + o (1)) N , under plausible assumptions: c ≈ 0 . 415: 2008 Nguyen–Vidick. c ≈ 0 . 415: 2010 Micciancio–Voulgaris. c ≈ 0 . 384: 2011 Wang–Liu–Tian–Bi. c ≈ 0 . 378: 2013 Zhang–Pan–Hu. c ≈ 0 . 337: 2014 Laarhoven. c ≈ 0 . 298: 2015 Laarhoven–de Weger. c ≈ 0 . 292: 2015 Becker–Ducas–Gama–Laarhoven. c ≈ 0 . 268 quantum algorithm: 2014 Laarhoven–Mosca–van de Pol. Daniel J. Bernstein 3 multiquad.cr.yp.to

  15. How secure is SVP? Best SVP algorithms known at the end of the 20th century: time 2 Θ( N log N ) for almost all dimension- N lattices. Best SVP algorithms known today: 2 Θ( N ) , asymptotically much faster. Some algorithms taking time 2 ( c + o (1)) N , under plausible assumptions: c ≈ 0 . 415: 2008 Nguyen–Vidick. c ≈ 0 . 415: 2010 Micciancio–Voulgaris. c ≈ 0 . 384: 2011 Wang–Liu–Tian–Bi. c ≈ 0 . 378: 2013 Zhang–Pan–Hu. c ≈ 0 . 337: 2014 Laarhoven. c ≈ 0 . 298: 2015 Laarhoven–de Weger. c ≈ 0 . 292: 2015 Becker–Ducas–Gama–Laarhoven. c ≈ 0 . 268 quantum algorithm: 2014 Laarhoven–Mosca–van de Pol. Who thinks this is the end of the story? Is 2 (0 . 1+ o (1)) N possible? 2 Θ( N / log N ) ? 2 N 1 / 2+ o (1) ? Daniel J. Bernstein 3 multiquad.cr.yp.to

  16. How secure is approx SVP? Public-key lattice-based crypto allows approximation factors. How much does this damage security? Daniel J. Bernstein 4 multiquad.cr.yp.to

  17. How secure is approx SVP? Public-key lattice-based crypto allows approximation factors. How much does this damage security? 2002 Micciancio–Goldwasser (emphasis added): “To date, the best known polynomial time (possibly randomized) approximation algorithms for SVP and CVP achieve worst-case (over the choice of the input) approximation factors γ ( n ) that are essentially exponential in the rank n .” 2007 Regev: 2013 Micciancio: “Smooth trade-off between running time and approximation: γ ≈ 2 O ( n log log T / log T ) ” Daniel J. Bernstein 4 multiquad.cr.yp.to

  18. Quantum attacks against cyclotomic lattice problems STOC 2014 Eisentr¨ ager–Hallgren–Kitaev–Song: poly-time quantum algorithm for K �→ O × K . K : number field. O K : ring of algebraic integers in K . O × K : group of units in O K . Daniel J. Bernstein 5 multiquad.cr.yp.to

  19. Quantum attacks against cyclotomic lattice problems STOC 2014 Eisentr¨ ager–Hallgren–Kitaev–Song: poly-time quantum algorithm for K �→ O × K . K : number field. O K : ring of algebraic integers in K . O × K : group of units in O K . 2015 (and SODA 2016) Biasse–Song, also using an idea from 2014 Campbell–Groves–Shepherd: poly-time quantum algorithm for K , g O K �→ ζ j m g for some j , assuming cyclotomic K = Q ( ζ m ), small h + m , very short g . Daniel J. Bernstein 5 multiquad.cr.yp.to

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal

Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal

Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch &amp; Daniel J. Bernstein &amp; Henry de Valence &amp; Tanja Lange

461 views • 44 slides
Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Summary: * Why quantum for computers? * Logic gates and algorithms * Manipulating quantum

Elements of quantum information processing and quantum computers (with trapped ion examples) D. J. Wineland, Dept. of Physics, U Oregon, Eugene, OR; &amp; Research Associate, NIST, Boulder, CO Summary: * Why quantum for computers? *

742 views • 42 slides
Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

1 Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein, Henry de Valence, Tanja Lange, Christine van Vredendaal. Short generators without quantum computers: the case of multiquadratics. Eurocrypt

1.13k views • 97 slides
COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules

COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules

COMPUTING COMPUTERS TAKING A QUANTUM LEAP Quantum computers will harness the power of atoms and molecules to perform calculations billions of times faster than todays silicon-based computers. They will also enable new revolutionary

299 views • 6 slides
Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do?

Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do?

Qu Quantum co computers, ho how do do the hey work and nd wha hat can n the hey do do? Outline Quantum technology Quantum computing What is the advantage? The qubits Operating the quantum computer Quantum computing initiatives

475 views • 31 slides
Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum

Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum

Quantum Mechanics; a Blessing and a Curse By Elias Marcopoulos Quantum Computers Quantum Computers are just like regular computers, they crunch numbers Quantum Computers Quantum Computers are just like regular computers, they crunch

926 views • 74 slides
Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz

Cryptography for the quantum internet Elements of a quantum TLS Christian Majenz Colloquium Informatics Institute, University of Amsterdam Quantum computers Quantum computers Accelerating effort to build a quantum computer Quantum

1.74k views • 115 slides
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, L eo Ducas,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, L eo Ducas,

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, L eo Ducas, Chris Peikert , Oded Regev 9 July 2015 Simons Institute Workshop on Math of Modern Crypto 1 / 15 Short Generators of Ideals in Cryptography A

688 views • 43 slides
An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security Prepared by: Nima Bayan, P.Eng. Fall 2003 Contents ! Introduction &quot; Cryptography and Relativity &quot; Quantum Algorithms &quot; Quantum Computers !

227 views • 11 slides
Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos

Quantum cryptanalysis: How to break some classical cryptosystems with quantum computers? Miklos Santha CNRS, IRIF, Universit Paris Diderot, France and Centre for Quantum Technologies, NUS, Singapore 1/36 Plan of the talk 1 Crash course on

543 views • 36 slides
Generators of quantum Markov Semigroups Matt Ziemke University of South Carolina Virginia

Generators of quantum Markov Semigroups Matt Ziemke University of South Carolina Virginia

Generators of quantum Markov Semigroups Matt Ziemke University of South Carolina Virginia Operator Theory and Complex Analysis Meeting (VOTCAM) November 7th, 2015 Matt Ziemke Generators of QMS Paper (with G. Androulakis), Generators of

372 views • 22 slides
Show Case I: free fall at short distances Julio Gea-Banacloche, Am. J. Phys.1999 Quantum

Show Case I: free fall at short distances Julio Gea-Banacloche, Am. J. Phys.1999 Quantum

q B OUNCE A quantum bouncing ball gravity spectrometer Hartmut Abele Schloss Waldthausen 13. April 2016 Hartmut Abele, TU Wien Show Case I: free fall at short distances Julio Gea-Banacloche, Am. J. Phys.1999 Quantum interference: sensitivity

635 views • 42 slides
Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor p q

Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor p q

Recovering Short Generators of Principal Ideals in Cyclotomic Fields of Conductor p q Patrick Holzer, Thomas Wunderer, Johannes Buchmann Recovering Short Generators | Thomas Wunderer | 1 Contents Introduction Preliminaries Algorithmic

488 views • 30 slides
Quantum Information Theory Renato Renner ETH Zurich Do quantum computers exist?

Quantum Information Theory Renato Renner ETH Zurich Do quantum computers exist?

Quantum Information Theory Renato Renner ETH Zurich Do quantum computers exist? Geordie Rose and his D-Wave quantum computer Commercial devices Quantum cryptography device by id

1.29k views • 112 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
What do quantum computers do? Daniel J. Bernstein Quantum algorithm means an algorithm

What do quantum computers do? Daniel J. Bernstein Quantum algorithm means an algorithm

1 What do quantum computers do? Daniel J. Bernstein Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction is in a quantum computers supported instruction set.

1.5k views • 132 slides
Broad PCORI Funding Announcement Applicant Town Hall Cycle 3 2016 November 2, 2016 Agenda

Broad PCORI Funding Announcement Applicant Town Hall Cycle 3 2016 November 2, 2016 Agenda

Broad PCORI Funding Announcement Applicant Town Hall Cycle 3 2016 November 2, 2016 Agenda Research Strategy Patient Engagement and Engagement Plan Additional sections required for your application The Merit Review Process Questions Submit

1.24k views • 57 slides
Investing in Transport Infrastructure in East Asia: Lessons from the Philippines and Korea 22

Investing in Transport Infrastructure in East Asia: Lessons from the Philippines and Korea 22

Investing in Transport Infrastructure in East Asia: Lessons from the Philippines and Korea 22 February 2005 1. Introduction 2. Case study 1 : Manila North Tollway Project (the Philippines) 3. Case study 2 : Daejon Riverside Expressway (South

300 views • 18 slides
Comit de programme du 1 ocobre 2014 Outline StG 2014 step 1 results General Overview

Comit de programme du 1 ocobre 2014 Outline StG 2014 step 1 results General Overview

Comit de programme du 1 ocobre 2014 Outline StG 2014 step 1 results General Overview Gender Years past PhD Resubmissions HI country 2 2 StG2014 Outcome Step1 evaluation Submitted Proposals proposals retained

1.58k views • 90 slides
1 2 3 This is the flowchart for stating/reporting the budget starting from the proposal phase

1 2 3 This is the flowchart for stating/reporting the budget starting from the proposal phase

1 2 3 This is the flowchart for stating/reporting the budget starting from the proposal phase tup till diurng control by an auditor. The key message is that funding is not based on the estimated budget, but on actual costs, and proof of proper

1.23k views • 70 slides
CS 378: Autonomous Intelligent Robotics FRI-II Instructor: Jivko Sinapov

CS 378: Autonomous Intelligent Robotics FRI-II Instructor: Jivko Sinapov

CS 378: Autonomous Intelligent Robotics FRI-II Instructor: Jivko Sinapov http://www.cs.utexas.edu/~jsinapov/teaching/cs378_fall2016/ Reinforcement Learning (Part 2) Announcements Volunteers needed for robot study Sign up sheet here:

790 views • 46 slides
Turning Down the Lights: Darknet Deployment Lessons Learned

Turning Down the Lights: Darknet Deployment Lessons Learned

Turning Down the Lights: Darknet Deployment Lessons Learned Casey Deccio DUST 2012 - 1st International Workshop on Darkspace and UnSolicited Traffic Analysis May 14, 2012 SDSC, UCSD, San Diego, CA

447 views • 24 slides
The Homestake Deep Underground Science and Engineering Laboratory Kevin T. Lesko UC Berkeley

The Homestake Deep Underground Science and Engineering Laboratory Kevin T. Lesko UC Berkeley

The Homestake Deep Underground Science and Engineering Laboratory Kevin T. Lesko UC Berkeley May 2008 1 Homestake DUSEL Proposal NSFs Major Research Equipment and Facility Construction Effort Facility Initial Suite of

427 views • 19 slides
Preliminary Earnings Results Summary August 1, 2019 SAFE HARBOR STATEMENT This presentation may

Preliminary Earnings Results Summary August 1, 2019 SAFE HARBOR STATEMENT This presentation may

Q2 2019 Preliminary Earnings Results Summary August 1, 2019 SAFE HARBOR STATEMENT This presentation may contain projections or other forward-looking statements within the meaning Section 27A of the Private Securities Litigation Reform Act.

393 views • 13 slides

More recommend