Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

  1. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. Daniele Micciancio (UC San Diego) and Chris Peikert (Georgia Tech). IBM Research, 8 September 2011.

  2. Lattice-Based Cryptography: $N = p \cdot q$, $y = g^x \bmod p$, $m^e \bmod N$, $e(g^a, g^b)$ $\Longrightarrow$ [image] (Images courtesy xkcd.org)

  4. Lattice-Based Cryptography $\Longrightarrow$ [image] (Images courtesy xkcd.org). Why?
     - Simple & efficient: linear, highly parallel operations
     - Resist quantum attacks (so far)
     - Secure under worst-case hardness assumptions [Ajtai'96, ...]
     - Solve 'holy grail' problems like FHE [Gentry'09, ...]

  9. Lattice-Based One-Way Functions
     - Public key $A \in \mathbb{Z}_q^{n \times m}$ for $q = \mathrm{poly}(n)$, $m = \Omega(n \log q)$.
     - $f_A(x) = Ax \bmod q \in \mathbb{Z}_q^n$ ("short" $x$, surjective): CRHF if SIS hard [Ajtai'96, ...]
     - $g_A(s, e) = s^t A + e^t \bmod q \in \mathbb{Z}_q^m$ ("short" $e$, injective): OWF if LWE hard [Regev'05, P'09]
     - Lattice interpretation: $\Lambda^\perp(A) = \{ x \in \mathbb{Z}^m : f_A(x) = Ax = 0 \bmod q \}$
     (Figure: lattice with origin $O$, the points $(0, q)$ and $(q, 0)$, and a point $x$ marked.)

  10. Lattice-Based One-Way Functions
     - Public key $A \in \mathbb{Z}_q^{n \times m}$ for $q = \mathrm{poly}(n)$, $m = \Omega(n \log q)$.
     - $f_A(x) = Ax \bmod q \in \mathbb{Z}_q^n$ ("short" $x$, surjective): CRHF if SIS hard [Ajtai'96, ...]
     - $g_A(s, e) = s^t A + e^t \bmod q \in \mathbb{Z}_q^m$ ("short" $e$, injective): OWF if LWE hard [Regev'05, P'09]
     - $f_A$, $g_A$ in forward direction yield CRHFs, CPA-secure encryption ... and not much else.

  14. Trapdoor Inversion
     - Many cryptographic applications need to invert $f_A$ and/or $g_A$.
       - Invert $u = f_A(x') = Ax' \bmod q$: sample random $x \leftarrow f_A^{-1}(u)$ with prob $\propto \exp(-\|x\|^2 / s^2)$.
       - Invert $g_A(s, e) = s^t A + e^t \bmod q$: find the unique preimage $s$ (equivalently, $e$).
     - How? Use a "strong trapdoor" for $A$: a short basis of $\Lambda^\perp(A)$ [Babai'86, GGH'97, Klein'01, GPV'08, P'10]
     (Figure: lattice with origin $O$.)

  19. Applications of Strong Trapdoors
     Canonical App: [GPV'08] Signatures
     - pk = $A$, sk = short basis for $A$, random oracle $H : \{0,1\}^* \to \mathbb{Z}_q^n$.
     - Sign($m$): let $u = H(m)$ and output Gaussian $x \leftarrow f_A^{-1}(u)$
     - Verify($m$, $x$): check $f_A(x) = Ax = H(m)$ and $x$ "short enough"
     - Security: finding "short enough" preimages in $f_A$ must be hard
     Other "Black-Box" Applications of $f^{-1}$, $g^{-1}$
     - Standard model signatures [CHKP'10, R'10, B'10]
     - CCA-secure encryption [PW'08, P'09]
     - (Hierarchical) ID-based encryption [GPV'08, CHKP'10, ABB'10a, ABB'10b]
     - Much more: [PVW'08, PV'08, GHV'10, GKV'10, BF'10a, BF'10b, OPW'11, AFV'11, ABVVW'11, ...]

  22. Applications of Strong Trapdoors
     Canonical App: [GPV'08] Signatures
     - pk = $A$, sk = short basis for $A$, random oracle $H : \{0,1\}^* \to \mathbb{Z}_q^n$.
     - Sign($m$): let $u = H(m)$ and output Gaussian $x \leftarrow f_A^{-1}(u)$
     - Verify($m$, $x$): check $f_A(x) = Ax = H(m)$ and $x$ "short enough"
     - Security: finding "short enough" preimages in $f_A$ must be hard
     Some Drawbacks...
     - ✗ Generating $A$ w/ short basis is complicated and slow [Ajtai'99, AP'09]
     - ✗ Known algorithms trade quality for efficiency
       - $g_A^{-1}$: [Babai'86] (tight, iterative, fp) vs [Babai'86] (looser, parallel, offline)
       - $f_A^{-1}$: [Klein'01, GPV'08] (ditto) vs [P'10] (ditto)

  28. Taming the Parameters
     (Figure: $A$ drawn as a matrix with $n$ rows and $m$ columns; lattice with origin $O$; $f_A(x) = Ax$.)
     1. Trapdoor construction yields some lattice dim $m = \Omega(n \log q)$.
     2. Basis "quality" ≈ lengths of basis vectors ≈ Gaussian std dev $s$.
     3. Dimension $m$, std dev $s$ $\Longrightarrow$ preimage length $\beta = \|x\| \approx s\sqrt{m}$.
     4. Choose $n$, $q$ so that finding $\beta$-bounded preimages is hard.
     ✔ Better dimension $m$ & quality $s$ $\Longrightarrow$ "win-win-win" in security-keysize-runtime

  30. Our Contributions
     New "strong" trapdoor generation and inversion algorithms:
     ✔ Very simple & fast
       - Generation: one matrix mult. No HNF or inverses (cf. [A'99, AP'09])
       - Inversion: practical, parallel, & mostly offline
       - No more efficiency-vs-quality tradeoff
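
An added example, not taken from the slides: the Verify step of the [GPV'08] signature slide at toy scale, showing that both checks are needed. A preimage shifted by the lattice vector $(q, 0, \dots, 0) \in \Lambda^\perp(A)$ still satisfies $Ax = H(m) \bmod q$ and is rejected only by the "short enough" test. The parameters, the matrix `A`, the SHA-256-based `H`, the bound `BETA`, and the exhaustive-search `toy_sign` (standing in for the trapdoor sampler) are all assumptions constructed for this illustration.

```python
import hashlib
import itertools
import math

# Toy parameters (constructed for illustration; far too small to be secure).
N, M, Q = 2, 8, 7
BETA = math.sqrt(M)  # assumed bound for "short enough" in this toy
# Constructed public matrix A in Z_q^{n x m}; hard-coded so the run is reproducible.
A = [[1, 2, 4, 0, 0, 0, 3, 5],
     [0, 0, 0, 1, 2, 4, 6, 1]]

def f_A(x):
    """f_A(x) = A x mod q, a vector in Z_q^n."""
    return [sum(a * v for a, v in zip(row, x)) % Q for row in A]

def H(msg: bytes):
    """Random-oracle stand-in {0,1}* -> Z_q^n built from SHA-256 (assumption)."""
    digest = hashlib.sha256(msg).digest()
    return [digest[i] % Q for i in range(N)]

def norm(x):
    return math.sqrt(sum(v * v for v in x))

def in_lattice(v):
    """Membership in Lambda^perp(A) = {x in Z^m : A x = 0 mod q}."""
    return f_A(v) == [0] * N

def verify(msg: bytes, x) -> bool:
    """GPV-style check: A x = H(m) mod q AND x is short. Both are required."""
    return len(x) == M and f_A(x) == H(msg) and norm(x) <= BETA

def toy_sign(msg: bytes):
    """Exhaustive search over {-1,0,1}^m. Stands in for the trapdoor sampler
    x <- f_A^{-1}(u); it is NOT Gaussian and only works at toy sizes."""
    u = H(msg)
    for x in itertools.product((-1, 0, 1), repeat=M):
        if f_A(x) == u:
            return list(x)
    raise ValueError("no preimage in search space")

def long_preimage(msg: bytes):
    """Same image under f_A, but shifted by the lattice vector (q, 0, ..., 0)."""
    x = toy_sign(msg)
    x[0] += Q
    return x

if __name__ == "__main__":
    m = b"constructed sample message"
    print(verify(m, toy_sign(m)), f_A(long_preimage(m)) == H(m), verify(m, long_preimage(m)))
```

A verifier that omits the norm bound accepts any solution of the linear system $Ax = H(m) \bmod q$, which requires no trapdoor to find; the hardness the scheme relies on is only in finding a short one.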
