some recent progress in lattice based cryptography chris
play

Some Recent Progress in Lattice-Based Cryptography Chris Peikert - PowerPoint PPT Presentation

Aug 13, 2022 •179 likes •923 views

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

  1. Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

  2. Lattice-Based Cryptography p d o m x g = y N = = ⇒ p m e mod N · q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17

  3. Lattice-Based Cryptography = ⇒ (Images courtesy xkcd.org) 2 / 17

  4. Lattice-Based Cryptography = ⇒ Why? ◮ Simple & efficient: linear, parallelizable ◮ Resists subexp & quantum attacks (so far) ◮ Security from worst-case assumptions [Ajtai96,. . . ] (Images courtesy xkcd.org) 2 / 17

  5. If We Had 6 Hours. . . ◮ Worst-case / average-case reductions [Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ] ◮ Cryptanalysis & concrete parameters [LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ] ◮ Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ] ⋆ Efficiency — complements general techniques !! Functionality — uses ‘extra features’ of ideals ◮ Complexity of lattice problems ⋆ Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ] ⋆ Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ] 3 / 17

  6. If We Had 6 Hours. . . ◮ Worst-case / average-case reductions [Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ] ◮ Cryptanalysis & concrete parameters [LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ] ◮ Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ] ⋆ Efficiency — complements general techniques !! Functionality — uses ‘extra features’ of ideals ◮ Complexity of lattice problems ⋆ Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ] ⋆ Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ] 3 / 17

  7. If We Had 6 Hours. . . ◮ Worst-case / average-case reductions [Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ] ◮ Cryptanalysis & concrete parameters [LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ] ◮ Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ] ⋆ Efficiency — complements general techniques !! Functionality — uses ‘extra features’ of ideals ◮ Complexity of lattice problems ⋆ Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ] ⋆ Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ] 3 / 17

  8. If We Had 6 Hours. . . ◮ Worst-case / average-case reductions [Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ] ◮ Cryptanalysis & concrete parameters [LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ] ◮ Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ] ⋆ Efficiency — complements general techniques !! Functionality — uses ‘extra features’ of ideals ◮ Complexity of lattice problems ⋆ Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ] ⋆ Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ] 3 / 17

  9. If We Had 6 Hours. . . ◮ Worst-case / average-case reductions [Aj96,AD97,CN97,Mi03,Re03,MR04,Re05,Pe07,GPV08,Pe09,. . . ] ◮ Cryptanalysis & concrete parameters [LLL82,Sc87,BKW00,AKS01,NR06,GN08,NV08,MR08,. . . ] ◮ Cyclic / Ideal lattices [Mi02,PR06,LM06,PR07,LM08,Ge09,. . . ] ⋆ Efficiency — complements general techniques !! Functionality — uses ‘extra features’ of ideals ◮ Complexity of lattice problems ⋆ Hardness [vEB81,Aj98,CN99,Mi00,Kh05,RR06,HR07,. . . ] ⋆ Limits on hardness [LLS90,Ba93,GG97,Ca98,AR04,GMR05,LLM06,P07,. . . ] 3 / 17

  10. This Talk Hard Avg-Case Problems 4 / 17

  11. This Talk Abstract Crypto Properties Functions Hard Avg-Case Problems 4 / 17

  12. This Talk Applications Abstract Crypto Properties Functions Hard Avg-Case Problems 4 / 17

  13. This Talk Applications Abstract Crypto Properties Functions Hard Avg-Case Problems Goals 1 ‘De-mystify’ lattice-based crypto 4 / 17

  14. This Talk Applications Abstract Crypto Properties Functions Hard Avg-Case Problems Goals 1 ‘De-mystify’ lattice-based crypto 2 Advocate a geometric perspective 4 / 17

  15. This Talk Applications Abstract Crypto Properties Functions Hard Avg-Case Problems Goals 1 ‘De-mystify’ lattice-based crypto 2 Advocate a geometric perspective 3 Answer your questions 4 / 17

  16. Lattices ◮ Today: full-rank subgroup L of Z m ( x , y ∈ L ⇒ x ± y ∈ L ; dim span = m ) O 5 / 17

  17. Lattices ◮ Today: full-rank subgroup L of Z m ◮ Basis B = { b 1 , . . . , b m } : m � L = ( Z · b i ) b 2 i = 1 b 1 O 5 / 17

  18. Lattices ◮ Today: full-rank subgroup L of Z m ◮ Basis B = { b 1 , . . . , b m } : m � L = ( Z · b i ) b 1 i = 1 b 2 O 5 / 17

  19. Lattices ◮ Today: full-rank subgroup L of Z m ◮ Basis B = { b 1 , . . . , b m } : m � L = ( Z · b i ) b 1 i = 1 b 2 O (Other representations too . . . ) 5 / 17

  20. Lattices ◮ Today: full-rank subgroup L of Z m ◮ Basis B = { b 1 , . . . , b m } : m � L = ( Z · b i ) b 1 i = 1 b 2 O (Other representations too . . . ) Hard Computational Problems ◮ Find ‘relatively short’ (nonzero) vectors ◮ Estimate geometric quantities (minimum distance, covering radius, . . . ) 5 / 17

  21. A Combinatorial Problem ◮ Security param n , modulus q : group Z n (e.g., q = poly ( n ) ) q 6 / 17

  22. A Combinatorial Problem ◮ Security param n , modulus q : group Z n (e.g., q = poly ( n ) ) q       | | | ∈ Z n a 1 a 2 · · · a m       q | | | 6 / 17

  23. A Combinatorial Problem ◮ Security param n , modulus q : group Z n (e.g., q = poly ( n ) ) q ◮ Goal: find nontrivial z 1 , . . . , z m ∈ { 0 , ± 1 } such that:         | | | |  + z 2 ·  + · · · + z m ·  =  ∈ Z n z 1 · a 1 a 2 a m 0     q | | | | 6 / 17

  24. A Combinatorial Problem ◮ Security param n , modulus q : group Z n (e.g., q = poly ( n ) ) q ◮ Goal: find nontrivial z ∈ { 0 , ± 1 } m such that:          = 0 ∈ Z n  · · · · A · · · ·  z    q � �� � m 6 / 17

  25. A Combinatorial Problem ◮ Security param n , modulus q : group Z n (e.g., q = poly ( n ) ) q ◮ Goal: find nontrivial z ∈ { 0 , ± 1 } m such that:         = 0 ∈ Z n   · · · · A · · · ·  z    q � �� � m Hash Function [Ajtai96,GGH97] ◮ Set m > n lg q . Define f A : { 0 , 1 } m → Z n q f A ( x ) = Ax 6 / 17

  26. A Combinatorial Problem ◮ Security param n , modulus q : group Z n (e.g., q = poly ( n ) ) q ◮ Goal: find nontrivial z ∈ { 0 , ± 1 } m such that:         = 0 ∈ Z n   · · · · A · · · ·  z    q � �� � m Hash Function [Ajtai96,GGH97] ◮ Set m > n lg q . Define f A : { 0 , 1 } m → Z n q f A ( x ) = Ax ◮ Collision x , x ′ ∈ { 0 , 1 } m where Ax = Ax ′ . . . 6 / 17

  27. A Combinatorial Problem ◮ Security param n , modulus q : group Z n (e.g., q = poly ( n ) ) q ◮ Goal: find nontrivial z ∈ { 0 , ± 1 } m such that:          = 0 ∈ Z n  · · · · A · · · ·  z    q � �� � m Hash Function [Ajtai96,GGH97] ◮ Set m > n lg q . Define f A : { 0 , 1 } m → Z n q f A ( x ) = Ax ◮ Collision x , x ′ ∈ { 0 , 1 } m where Ax = Ax ′ . . . . . . yields solution z = x − x ′ ∈ { 0 , ± 1 } m . 6 / 17

  28. Geometric Perspective ◮ ‘Parity check’ matrix A ∈ Z n × m q L ⊥ ( A ) = { z ∈ Z m : Az = 0 } O 7 / 17

  29. Geometric Perspective ◮ ‘Parity check’ matrix A ∈ Z n × m ( 0 , q ) q L ⊥ ( A ) = { z ∈ Z m : Az = 0 } ( q , 0 ) O 7 / 17

  30. Geometric Perspective ◮ ‘Parity check’ matrix A ∈ Z n × m ( 0 , q ) q L ⊥ ( A ) = { z ∈ Z m : Az = 0 } ( q , 0 ) O 7 / 17

  31. Geometric Perspective ◮ ‘Parity check’ matrix A ∈ Z n × m ( 0 , q ) q L ⊥ ( A ) = { z ∈ Z m : Az = 0 } ( q , 0 ) O Average / Worst-Case Connection [Ajtai96,. . . ] Finding ‘short’ nonzero z ∈ L ⊥ ( A ) ⇓ approx lattice problems in worst case 7 / 17

  32. Geometric Perspective ◮ ‘Parity check’ matrix A ∈ Z n × m ( 0 , q ) q L ⊥ ( A ) = { z ∈ Z m : Az = 0 } ( q , 0 ) O Average / Worst-Case Connection [Ajtai96,. . . ] Finding ‘short’ nonzero z ∈ L ⊥ ( A ) ⇓ approx lattice problems in worst case 7 / 17

  33. Geometric Perspective ◮ ‘Parity check’ matrix A ∈ Z n × m ( 0 , q ) q L ⊥ ( A ) = { z ∈ Z m : Az = 0 } ◮ Each x ∈ Z m has syndrome x u = Ax ∈ Z n q ( q , 0 ) O Average / Worst-Case Connection [Ajtai96,. . . ] Finding ‘short’ x with (uniform) syndrome u ⇓ approx lattice problems in worst case 7 / 17

  34. Geometric Perspective ◮ ‘Parity check’ matrix A ∈ Z n × m ( 0 , q ) q L ⊥ ( A ) = { z ∈ Z m : Az = 0 } ◮ Each x ∈ Z m has syndrome x u = Ax ∈ Z n q ( q , 0 ) O ◮ Enlarge domain of f A to . . . . . . still O-W & C-R! Average / Worst-Case Connection [Ajtai96,. . . ] Finding ‘short’ x with (uniform) syndrome u ⇓ approx lattice problems in worst case 7 / 17

  35. Gaussians and Lattices 8 / 17

  36. Gaussians and Lattices 8 / 17

  37. Gaussians and Lattices 8 / 17

  38. Gaussians and Lattices “Uniform” over R m when std dev ≥ min basis length (Used in worst/average-case reductions [Re03,MR04,. . . ]) 8 / 17

  39. Discrete Gaussians ◮ Fix uniform A . Choose Gaussian input x ∈ Z m : x 9 / 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris

Lattice-Based Cryptography: Short Integer Solution (SIS) and Learning With Errors (LWE) Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 17 Recall: Lattices Full-rank additive subgroup in Z m . O 2 / 17 Recall:

971 views • 94 slides
Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert

Lattice-Based Cryptography: Trapdoors, Discrete Gaussians, and Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 21 Agenda 1 Strong trapdoors for lattices 2 Discrete Gaussians, sampling, and preimage

2.02k views • 113 slides
Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work

Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work

Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work with Oded Regev and Noah Stephens-Davidowitz to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N =

1.01k views • 84 slides
Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute

Session #6: Another Application of LWE: Pseudorandom Functions Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based

853 views • 52 slides
Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology

Session #10: (More) Trapdoors and Applications Chris Peikert Georgia Institute of Technology Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19 Feb 2012 22 Feb 2012 Lattice-Based Crypto &

1.2k views • 76 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology

Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology

Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 1 / 19 Talk Agenda Encryption schemes with special features: 2 / 19 Talk Agenda

876 views • 71 slides
INTRODUCTION TO RIVANNA 20 March 2019 Rivanna in More Detail Compute Nodes Head Nodes ssh

INTRODUCTION TO RIVANNA 20 March 2019 Rivanna in More Detail Compute Nodes Head Nodes ssh

INTRODUCTION TO RIVANNA 20 March 2019 Rivanna in More Detail Compute Nodes Head Nodes ssh client Ethernet Infiniband Home Other Scratch Directory Storage (Lustre) Allocations Rivanna is allocated: At the most basic level, an

1.17k views • 104 slides
INF5470 Fall 2012 Lecture 10: Analog Storage Content Overview Volatile Short Term Storage

INF5470 Fall 2012 Lecture 10: Analog Storage Content Overview Volatile Short Term Storage

INF5470 Fall 2012 Lecture 10: Analog Storage Content Overview Volatile Short Term Storage Indirect Multi-Level (AD/DA Digital) Storage Direct Multi-Level Storage Non-Volatile Storage Weekly Questions Lecture 10: Analog Storage 2

326 views • 18 slides
Connectomics! Neurons in the brain illustration Image credit: Benedict Campbell. Welcome

Connectomics! Neurons in the brain illustration Image credit: Benedict Campbell. Welcome

Connectomics! Neurons in the brain illustration Image credit: Benedict Campbell. Welcome Images Neural Structure Reconstruction from Fluorescence Imaging of Neural Activity Karan Singh Pankaj Gupta Objectives Communicate research

887 views • 25 slides
Introduction to Artificial Intelligence Neural Networks - Deep Learning for NLP Janyl Jumadinova

Introduction to Artificial Intelligence Neural Networks - Deep Learning for NLP Janyl Jumadinova

Introduction to Artificial Intelligence Neural Networks - Deep Learning for NLP Janyl Jumadinova November 21, 2016 Neural Networks 2/20 Neural Networks 3/20 Neural Networks Neural computing requires a number of neurons , to be connected

813 views • 21 slides
Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto Alexander May Horst Grtz Institute for IT-Security Faculty of Mathematics Ruhr-University of Bochum L ATTICE C ODING AND C RYPTO M EETING M AY 2017,

793 views • 32 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
Teaching probability and statistics from a purely Bayesian point of view Sanjoy Mahajan Olin

Teaching probability and statistics from a purely Bayesian point of view Sanjoy Mahajan Olin

Teaching probability and statistics from a purely Bayesian point of view Sanjoy Mahajan Olin College of Engineering sanjoy@olin.edu streetfightingmath.com MIT ESME, Cambridge, MA, 05 Mar 2019 Philosophy of mathematics from the start Pr(10 13

824 views • 66 slides
7/1/2013 ABIM Certification Exam: Nephrology Division of Nephrology Department of Medicine

7/1/2013 ABIM Certification Exam: Nephrology Division of Nephrology Department of Medicine

7/1/2013 ABIM Certification Exam: Nephrology Division of Nephrology Department of Medicine July 2013 UCSF CME Kathleen D. Liu, MD, PhD Associate Professor NEPHROLOGY Roadmap for today Department of Medicine AKI (beyond ATN) Division

643 views • 51 slides

More recommend