so how hard is solving lwe ntru anyway
play

So how hard is solving LWE/NTRU anyway? Martin R. Albrecht - PowerPoint PPT Presentation

Oct 05, 2022 •184 likes •651 views

So how hard is solving LWE/NTRU anyway? Martin R. Albrecht @martinralbrecht 10 January 2019, RWC Based on joint work with Alex Davidson, Amit Deo, Benjamin R. Curtis, Eamonn W. Postlethwaite, Elena Kirshanova, Fernando Virdia, Florian Gpfert,

  1. So how hard is solving LWE/NTRU anyway? Martin R. Albrecht @martinralbrecht 10 January 2019, RWC Based on joint work with Alex Davidson, Amit Deo, Benjamin R. Curtis, Eamonn W. Postlethwaite, Elena Kirshanova, Fernando Virdia, Florian Göpfert, Gottfried Herold, Léo Ducas, Marc Stevens, Rachel Player, Sam Scott and Thomas Wunderer as well as the work of many other authors.

  2. Introduction

  3. NIST Process: Selected Non-Quantum Security Estimates Scheme / Kyber Lima R EMBLEM NTRU HRSS SNTRU’ Cost Model Kyber 1 180 218 112 136 155 Lima 2 196 234 129 152 171 R EMBLEM 3 210 248 142 165 184 NTRU HRSS 4 456 587 242 313 370 SNTRU’ 5 535 722 270 350 410 Source: Martin R. Albrecht, Benjamin R. Curtis, Amit Deo, Alex Davidson, Rachel Player, Eamonn W. Postlethwaite, Fernando Virdia, and Thomas Wunderer. Estimate All the LWE, NTRU Schemes! In: SCN 18 . Ed. by Dario Catalano and Roberto De Prisco. Vol. 11035. LNCS. Springer, Heidelberg, Sept. 2018, pp. 351–367. doi: 10.1007/978-3-319-98113-0_19 , https://estimate-all-the-lwe-ntru-schemes.github.io/docs/ 1 0 . 292 β [Alk+16], this is an explicit underestimate 2 0 . 292 β + 16 . 4 [Sma+17], this is a somewhat explicit underestimate 3 0 . 292 β + log( 8 d ) + 16 . 4 [APS15] 4 0 . 18728 β log( β ) − 1 . 0192 β + 16 . 10 + 7 [APS15] 5 0 . 000784314 β 2 + 0 . 366078 β − 6 . 125 log( 8 d ) + 7 [Hof+15]

  4. Learning with Errors Given ( A , c ) , find s when    n    ← →                                c   A  s  e  ≡ · +                                             , and s ∈ Z n and e ∈ Z m having small coefficients. q , A ∈ Z m × n for c ∈ Z m q

  5. Primal Attack

  6. Unique SVP Approach We can reformulate c − A · s ≡ e mod q over the Integers as: � � � � � � � � q I − A c e ∗ · + = 0 I s 0 s Alternatively:  q I − A c     e  ∗ B = 0 I 0 B · s s  ,  =           0 0 1 1 1 In other words, there exists an integer-linear combination of the columns of B that produces a vector with “unusually” small coefficients → a unique shortest vector.

  7. Computational Problem Unique Shortest Vector Problem Find a unique shortest vector amongst the integer combinations of the columns of:   q I − A c B = 0 I 0     0 0 1 where B ∈ Z d × d .

  8. Lattice Reduction

  9. Length of Gram-Schmidt Vectors It will be useful to consider the lengths of the Gram-Schmidt vectors. The vector b ∗ i is the orthogonal projection of b i to the space spanned by the vectors b 0 , . . . , b i − 1 . b 1 Informally, this means taking out the contributions in the directions of b 0 previous vectors b 0 , . . . , b i − 1 .

  10. Length of Gram-Schmidt Vectors It will be useful to consider the lengths of the Gram-Schmidt vectors. The vector b ∗ i is the orthogonal projection of b i to the space spanned by the vectors b 0 , . . . , b i − 1 . b 1 Informally, this means taking out the b ∗ 1 contributions in the directions of b 0 previous vectors b 0 , . . . , b i − 1 .

  11. Example sage : A = IntegerMatrix.random(120, "qary", k=60, bits=20)[::-1] sage : M = GSO.Mat(A); M.update_gso() sage : lg = [(i,log(r_, 2)/2) for i, r_ in enumerate (M.r())] sage : line(lg, **plot_kwds)

  12. Example - LLL sage : A = LLL.reduction(A) sage : M = GSO.Mat(A); M.update_gso() sage : lg = [(i,log(r_, 2)/2) for i, r_ in enumerate (M.r())] sage : line(lg, **plot_kwds) Geometric Series Assumption: The shape after lattice reduction is a line with a flatter slope as lattice reduction gets stronger.

  13. Success Condition for uSVP GSA for � b ∗ � � i � 8 length of projection of ( e , s , 1 ) log 2 ( ∥·∥ ) 6 4 2 d − β + 1 20 40 60 80 100 120 140 160 180 Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum Key Exchange - A New Hope. In: 25th USENIX Security Symposium, USENIX Security 16 . Ed. by Thorsten Holz and Stefan Savage. USENIX Association, 2016, pp. 327–343. url: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/alkim Martin R. Albrecht, Florian Göpfert, Fernando Virdia, and Thomas Wunderer. Revisiting the Expected Cost of Solving uSVP and Applications to LWE. In: ASIACRYPT 2017, Part I . ed. by Tsuyoshi Takagi and Thomas Peyrin. Vol. 10624. LNCS. Springer, Heidelberg, Dec. 2017, pp. 297–322. doi: 10.1007/978-3-319-70694-8_11

  14. Slope The slope depends on the root Hermite factor δ which depends on the “block size” β . 1 . 012 1 2 π e · ( π β ) 1 /β ) ( β 2 ( β − 1 ) 1 . 01 δ 1 . 008 1 . 006 40 60 80 100 120 140 160 180 200 220 240 260 β Yuanmi Chen. Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. PhD thesis. Paris 7, 2013

  15. Strong Lattice Reduction: BKZ Algorithm β = 5            b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7  . . .             Picture credit: Eamonn Postlethwaite

  16. Strong Lattice Reduction: BKZ Algorithm β = 5            b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7  . . .             Picture credit: Eamonn Postlethwaite

  17. Strong Lattice Reduction: BKZ Algorithm β = 5            b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7  . . .             Picture credit: Eamonn Postlethwaite

  18. Strong Lattice Reduction: BKZ Algorithm β = 5            b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7  . . .             Picture credit: Eamonn Postlethwaite

  19. Strong Lattice Reduction: BKZ Algorithm β = 5            b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7  . . .             Picture credit: Eamonn Postlethwaite

  20. Strong Lattice Reduction: BKZ Algorithm β = 5            b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7  . . .             Picture credit: Eamonn Postlethwaite

  21. Strong Lattice Reduction: BKZ Algorithm β = 5            b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7  . . .             Picture credit: Eamonn Postlethwaite

  22. Strong Lattice Reduction: BKZ Algorithm β = 5            b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7  . . .             Picture credit: Eamonn Postlethwaite

  23. Strong Lattice Reduction: BKZ Algorithm β = 5            b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7  . . .             Picture credit: Eamonn Postlethwaite

  24. BKZ Algorithm Data: LLL-reduced lattice basis B Data: block size β repeat until no more change for κ ← 0 to d − 1 do LLL on local projected block [ κ, . . . , κ + β − 1 ] ; v ← find shortest vector in local projected block [ κ, . . . , κ + β − 1 ] ; insert v into B ; end Jargon An outer loop iteration is called a “tour”.

  25. Behaviour in Practice: BKZ-60 in Dimension 120 GSA 13 simulator lll tour 0 12 tour 1 tour 2 tour 3 11 i k log 2 k b ∗ 10 9 8 7 0 20 40 60 80 100 120 i

  26. Number of Tours Scheme / Kyber Lima R EMBLEM NTRU HRSS SNTRU’ Cost Model 0 . 292 β 180 218 112 136 155 0 . 292 β + 16 . 4 196 234 129 152 171 0 . 292 β + log( 8 d ) + 16 . 4 210 248 142 165 184 0 . 18728 β log( β ) − 1 . 0192 β + 16 . 10 + 7 456 587 242 313 370 0 . 000784314 β 2 + 0 . 366078 β − 6 . 125 + log( 8 d ) + 7 535 722 270 350 410 After 4 to 8 tours the output does not change much. Thus, some authors write 8 d · t SVP . Others argue that we need to call the SVP oracle at least once and write t SVP . Open Question 8 d is too large 6 but it is not clear how far this factor can be reduced in practice. 6 Mingjie Liu and Phong Q. Nguyen. Solving BDD by Enumeration: An Update. In: CT-RSA 2013 . Ed. by Ed Dawson. Vol. 7779. LNCS. Springer, Heidelberg, 2013, pp. 293–309. doi: 10.1007/978-3-642-36095-4_19 .

  27. Solving SVP

  28. Solving SVP Scheme / Kyber Lima R EMBLEM NTRU HRSS SNTRU’ Cost Model 0 . 292 β 180 218 112 136 155 0 . 292 β + 16 . 4 196 234 129 152 171 0 . 292 β + log( 8 d ) + 16 . 4 210 248 142 165 184 0 . 18728 β log( β ) − 1 . 0192 β + 16 . 10 + 7 456 587 242 313 370 0 . 000784314 β 2 + 0 . 366078 β − 6 . 125 + log( 8 d ) + 7 535 722 270 350 410 Sieving Enumeration • Produce new, shorter vectors by • Search through vectors smaller than a considering sums and differences of given bound: project down to 1-dim existing vectors problem, lift to 2-dim problem . . . • Time: 2 O ( β log β ) or 2 O ( β 2 ) • Time: 2 O ( β ) • Memory: 2 O ( β ) • Memory: poly ( β )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Solving Very Hard Problems: Cube-and-Conquer, a Hybrid SAT Solving Method Marijn J.H. Heule

Solving Very Hard Problems: Cube-and-Conquer, a Hybrid SAT Solving Method Marijn J.H. Heule

Solving Very Hard Problems: Cube-and-Conquer, a Hybrid SAT Solving Method Marijn J.H. Heule Joint work with Armin Biere, Oliver Kullmann, and Victor W. Marek Parallel Constraint Reasoning August 6, 2017 1/19 Satisfiability (SAT) Solving Has

463 views • 31 slides
NTRU Cryptosystem: Recent Developments Ron Steinfeld School of IT Monash University, Australia

NTRU Cryptosystem: Recent Developments Ron Steinfeld School of IT Monash University, Australia

Introduction NTRU Cryptosystem: Review NTRU Security: Recent Developments NTRU Applications: Recent Developments NTRU Cryptosystem: Recent Developments Ron Steinfeld School of IT Monash University, Australia (partly based on joint work with

1.29k views • 76 slides
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque

Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque

Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Universit de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring Attack 3.

697 views • 40 slides
Solving the Routing Scalability Problem -- The Hard Parts Jari Arkko APRICOT 2007, Bali,

Solving the Routing Scalability Problem -- The Hard Parts Jari Arkko APRICOT 2007, Bali,

Solving the Routing Scalability Problem -- The Hard Parts Jari Arkko APRICOT 2007, Bali, Indonesia Outline Where are we on this? Some hard bits Proposed plan of action Where Are We on This? There is a lot of interest People

273 views • 15 slides
Solving very hard SAT problems: a form of partial KC Oliver Kullmann Computer Science Department

Solving very hard SAT problems: a form of partial KC Oliver Kullmann Computer Science Department

Solving very hard SAT problems: a form of partial KC Oliver Kullmann Computer Science Department Swansea University Recent Trends in Knowledge Compilation Dagstuhl Seminar 17381 Dagstuhl, September 22, 2017 O Kullmann (Swansea) Solving very

782 views • 52 slides
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nu nez , Isaac Agudo,

NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nu nez , Isaac Agudo,

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nu nez , Isaac Agudo, and Javier Lopez Network, Information and

929 views • 38 slides
Power Analysis on NTRU Prime Wei-Lun Huang, Jiun-Peng Chen, Bo-Yin Yang Academia Sinica, Taiwan

Power Analysis on NTRU Prime Wei-Lun Huang, Jiun-Peng Chen, Bo-Yin Yang Academia Sinica, Taiwan

Power Analysis on NTRU Prime Wei-Lun Huang, Jiun-Peng Chen, Bo-Yin Yang Academia Sinica, Taiwan CHES 2020 1 Topics NTRU Prime A Brief Preview Correlation Power Analysis: vertical vs. horizontal in-depth Online Template

1.38k views • 50 slides
Solving Hard Instances of Floorplacement Aaron Ng, Igor Markov University of Michigan Rajat

Solving Hard Instances of Floorplacement Aaron Ng, Igor Markov University of Michigan Rajat

Solving Hard Instances of Floorplacement Aaron Ng, Igor Markov University of Michigan Rajat Aggarwal Xilinx, Inc. Venky Ramachandran Calypto Design Systems, Inc. 1 Outline Motivation and previous work Design trends and placement

722 views • 27 slides
Solving a Dirichlet problem for Poissons Equation on a disc is as hard as integration.

Solving a Dirichlet problem for Poissons Equation on a disc is as hard as integration.

Definitions and examples Complexity of integration Poissons problem on a disc Solving a Dirichlet problem for Poissons Equation on a disc is as hard as integration. Akitoshi Kawamura, Florian Steinberg, Martin Ziegler Technische

725 views • 17 slides
Automating the Configuration of Algorithms for Solving Hard Computational Problems Ph.D. Thesis

Automating the Configuration of Algorithms for Solving Hard Computational Problems Ph.D. Thesis

Automating the Configuration of Algorithms for Solving Hard Computational Problems Ph.D. Thesis Defence Frank Hutter Supervisory committee: Prof. Holger Hoos (supervisor) Prof. Kevin Leyton-Brown (co-supervisor) Prof. Kevin Murphy

1.24k views • 108 slides
Optimally Solving Hard Combinatorial Problems in Computational Biology Falk Hffner Institut

Optimally Solving Hard Combinatorial Problems in Computational Biology Falk Hffner Institut

Colorful Components Graph Orientation Optimally Solving Hard Combinatorial Problems in Computational Biology Falk Hffner Institut fr Softwaretechnik und Theoretische Informatik, TU Berlin 7 October 2013 Falk Hffner (TU Berlin)

901 views • 46 slides
Cryptanalysis of GGH and NTRU Signatures Oded Regev (Tel Aviv University and CNRS, ENS-Paris)

Cryptanalysis of GGH and NTRU Signatures Oded Regev (Tel Aviv University and CNRS, ENS-Paris)

Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 20/2/2012 Learning a Parallelepiped: Bar-Ilan University Dept. of Computer Science Cryptanalysis of GGH and NTRU Signatures Oded Regev (Tel Aviv

422 views • 29 slides
A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded

A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded

A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded Encoding Schemes Martin R. Albrecht , Shi Bai and Lo Ducas London-ish Lattice Coding and Cryptography Meeting, Star Wars Day, 2016 Outline

1.35k views • 66 slides
Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons Institute, 29/04/2020 Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehl and Keita Xagawa, ePrint 2019/1456 1/17 A.

540 views • 28 slides
Logical Agents Chapter 7 Why Do We Need Logic? Problem-solving agents were very inflexible:

Logical Agents Chapter 7 Why Do We Need Logic? Problem-solving agents were very inflexible:

Logical Agents Chapter 7 Why Do We Need Logic? Problem-solving agents were very inflexible: hard code every possible state. Search is almost always exponential in the number of states. Problem solving agents cannot infer unobserved

779 views • 77 slides
Logical Agents Chapter 7 Why Do We Need Logic? Problem-solving agents were very inflexible:

Logical Agents Chapter 7 Why Do We Need Logic? Problem-solving agents were very inflexible:

Logical Agents Chapter 7 Why Do We Need Logic? Problem-solving agents were very inflexible: hard code every possible state. Search is almost always exponential in the number of states. Problem solving agents cannot infer unobserved

566 views • 27 slides
IDO Public Process Training Office of Neighborhood Coordination, Planning Department, Alternative

IDO Public Process Training Office of Neighborhood Coordination, Planning Department, Alternative

IDO Public Process Training Office of Neighborhood Coordination, Planning Department, Alternative Dispute Resolution Office November 2018 The Neighborhood Association Recognition Ordinance (NARO Ord. 14-1987) A standardized recognition

379 views • 26 slides
http://www.neutrino2008.co.nz NEUTRINOS: Ghosts of the Universe Stephen Parke Theoretical

http://www.neutrino2008.co.nz NEUTRINOS: Ghosts of the Universe Stephen Parke Theoretical

http://www.neutrino2008.co.nz NEUTRINOS: Ghosts of the Universe Stephen Parke Theoretical Physicist Fermilab Websters Online Dictionary Main Entry: neutrino Pronunciation: n-'trE-(")nO, ny- Etymology: Italian, from neutro

1.44k views • 88 slides
Comparison between difgerent online storage systems WA105 Technical Board Meeting, June 15th,

Comparison between difgerent online storage systems WA105 Technical Board Meeting, June 15th,

PUGNRE Denis CNRS / IN2P3 / IPNL D.Autjero, D.Caiulo, S.Galymov, J.Marteau, E.Pennacchio E.Bechetoille, B.Carlus, C.Girerd, H.Mathez Comparison between difgerent online storage systems WA105 Technical Board Meeting, June 15th, 2016 2 WA105

408 views • 28 slides
Gov 2000: 13. Panel Data and Clustering Matthew Blackwell Fall 2016 1 / 55 1. Panel Data 2.

Gov 2000: 13. Panel Data and Clustering Matthew Blackwell Fall 2016 1 / 55 1. Panel Data 2.

Gov 2000: 13. Panel Data and Clustering Matthew Blackwell Fall 2016 1 / 55 1. Panel Data 2. First Difgerencing Methods 3. Fixed Efgects Methods 4. Clustering 5. Whats next for you? 2 / 55 Where are we? Where are we going? and

557 views • 55 slides
and some of his Indo- European colleagues Katsiaryna Ackermann SLS 15, 4 - 6 September 2020

and some of his Indo- European colleagues Katsiaryna Ackermann SLS 15, 4 - 6 September 2020

The Slavic guest and some of his Indo- European colleagues Katsiaryna Ackermann SLS 15, 4 - 6 September 2020 RUSSIAN ACADEMY OF SCIENCES PSl. * gost- - (m.) OCS, ORuss. gost, Bulg. gost, B/C/S gst , Gen. gsta , Slov. gst ,

520 views • 36 slides
On the cohomology of pseudoeffective line bundles Jean-Pierre Demailly Institut Fourier,

On the cohomology of pseudoeffective line bundles Jean-Pierre Demailly Institut Fourier,

On the cohomology of pseudoeffective line bundles Jean-Pierre Demailly Institut Fourier, Universit e de Grenoble I, France & Acad emie des Sciences de Paris in honor of Professor Yum-Tong Siu on the occasion of his 70th birthday

958 views • 77 slides
GEE PE p is even en 2K for some KEK By definition P 4k2 Then p2 2K 2q2_ Rbi q2 q2 is even

GEE PE p is even en 2K for some KEK By definition P 4k2 Then p2 2K 2q2_ Rbi q2 q2 is even

Q Suppose there're 25 students in your discussion Whichone is more likely LOO there're two students with the same birthday everyone has different birthdays A proof is a finite list of logical deductions which establishes the truth of a statement 1

243 views • 8 slides
Strugglers: This Centurys New Development Challenge Keynote Australasian Aid Society

Strugglers: This Centurys New Development Challenge Keynote Australasian Aid Society

Strugglers: This Centurys New Development Challenge Keynote Australasian Aid Society Conference Canberra, February 13, 2018 (modified for posting March 1, 2018) Nanc ancy B Birdsal all Sen enior F Fellow a and Pr Pres esiden ent

544 views • 30 slides

More recommend