visualizing size security tradeoffs for lattice based
play

Visualizing size-security tradeoffs for lattice-based encryption - PowerPoint PPT Presentation

May 08, 2023 •600 likes •835 views

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal axis: ciphertext size Why focus on size instead of CPU time? Fitting into existing frameworks and protocols. Data from Google. Long term:

  1. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  2. Horizontal axis: ciphertext size Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  3. Horizontal axis: ciphertext size Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Which size metric to use? e.g. ntrulpr beats sntrup in key size, but sntrup beats ntrulpr in ciphertext size. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  4. Horizontal axis: ciphertext size Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Which size metric to use? e.g. ntrulpr beats sntrup in key size, but sntrup beats ntrulpr in ciphertext size. — Google’s 2016 experiment used key+ciphertext. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  5. Horizontal axis: ciphertext size Why focus on size instead of CPU time? — Fitting into existing frameworks and protocols. Data from Google. Long term: Hardware trends. Which size metric to use? e.g. ntrulpr beats sntrup in key size, but sntrup beats ntrulpr in ciphertext size. — Google’s 2016 experiment used key+ciphertext. But long term: Use IND-CCA2 to multicast+cache public keys (2015 McGrew). Lattice traffic is then much closer to ciphertext than to key+ciphertext. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  6. Vertical axis: Core-SVP security estimate Beware (potential/actual) oversimplifications inside lattice security estimates. Can lead to: • Overstating security. • Understating security—damaging deployment. • Damaging comparisons: e.g. omitting “hybrid attacks”; e.g. overstating sntrup “rotations”. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  7. Vertical axis: Core-SVP security estimate Beware (potential/actual) oversimplifications inside lattice security estimates. Can lead to: • Overstating security. • Understating security—damaging deployment. • Damaging comparisons: e.g. omitting “hybrid attacks”; e.g. overstating sntrup “rotations”. Security estimate where (claimed) data points are easiest to find: “Core-SVP” pre-quantum estimate. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  8. Vertical axis: Core-SVP security estimate Beware (potential/actual) oversimplifications inside lattice security estimates. Can lead to: • Overstating security. • Understating security—damaging deployment. • Damaging comparisons: e.g. omitting “hybrid attacks”; e.g. overstating sntrup “rotations”. Security estimate where (claimed) data points are easiest to find: “Core-SVP” pre-quantum estimate. Some work on better estimates; should continue this work, re-estimate all the schemes, draw new graphs. Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

  9. 148 257 286 131 131 131 147 155 179 257 283 112 130 136 146 154 176 194 194 194 203 256 256 256 281 281 281 320 106 111 125 129 133 133 133 145 153 175 181 193 199 199 199 214 235 254 279 314 620 620 620 699 712 736 736 740 740 740 897 917 934 934 934 931 1025 1039 1088 1088 1103 1103 1103 1120 1138 1167 1188 1184 1230 1285 1285 1285 1312 1307 1424 1472 1509 1509 1509 1568 1697 2208 threebears round5nd sntrup 5788 ntru lac 9720 9716 round5n1 newhope ntrulpr frodo kyber saber 14708 15744 21632

  10. 148 257 286 131 131 131 147 155 179 257 283 112 130 136 146 154 176 194 194 194 203 256 256 256 281 281 281 320 106 111 125 129 133 133 133 145 153 175 181 193 199 199 199 214 235 254 279 314 620 620 620 699 712 736 736 740 740 740 897 917 934 934 934 931 1025 1039 1088 1088 1103 1103 1103 1120 1138 1167 1188 1184 1230 1285 1285 1285 1312 1307 1424 1472 1509 1509 1509 1568 1697 2208 threebears round5nd sntrup 5788 ntru lac 9720 9716 round5n1 newhope ntrulpr frodo kyber saber 14708 15744 21632

  11. 148 257 286 131 131 131 147 155 179 257 283 112 130 136 146 154 176 194 194 194 203 256 256 256 281 281 281 320 106 111 125 129 133 133 133 145 153 175 181 193 199 199 199 214 235 254 279 314 620 620 620 699 712 736 736 740 740 740 897 917 934 934 934 931 1025 1039 1088 1088 1103 1103 1103 1120 1138 1167 1188 1184 1230 1285 1285 1285 1312 1307 1424 1472 1509 1509 1509 1568 1697 2208 threebears round5nd sntrup 5788 ntru lac 9720 9716 round5n1 newhope ntrulpr frodo kyber saber 14708 15744 21632

  12. 320 314 286 283 281 281 281 257 256 256 256 254 235 203 199 199 199 194 194 194 181 179 176 175 155 154 153 147 145 136 133 133 133 131 131 131 130 129 round5nd 125 lac sntrup 112 111 threebears 106 ntru 620 620 620 699 712 736 736 740 740 740 897 917 931 934 934 934 1025 1039 1088 1088 1103 1103 1103 1120 1138 1167 1184 1188 1230 1285 1285 1285 1307 1312 1424 1472 1509 1509 1509 1568 1697 2208 ntrulpr saber kyber newhope round5n1 frodo

  13. 254 How the first graph misleads readers kyber is above and to the left of sntrup . Better Core-SVP sec level at each size. Better size at each sec level. 181 175 175 153 153 129 129 111 736 897 897 1039 1039 1088 1184 1184 1568

  14. 254 How the first graph misleads readers kyber is above and to the left of sntrup . Better Core-SVP sec level at each size. Better size at each sec level. 181 175 175 But this is not true . 153 153 129 129 111 736 897 897 1039 1039 1088 1184 1184 1568

  15. 254 How the first graph misleads readers kyber is above and to the left of sntrup . Better Core-SVP sec level at each size. Better size at each sec level. 181 175 175 But this is not true . 153 153 User requires sec 111 for kyber . size ≤ 1024: sec 129 for sntrup . 129 129 111 736 897 897 1039 1039 1088 1184 1184 1568

  16. 254 How the first graph misleads readers kyber is above and to the left of sntrup . Better Core-SVP sec level at each size. Better size at each sec level. 181 175 175 But this is not true . 153 153 User requires sec 111 for kyber . size ≤ 1024: sec 129 for sntrup . 129 129 User requires size 1088 for kyber . sec ≥ 128: size 897 for sntrup . 111 736 897 897 1039 1039 1088 1184 1184 1568

  17. Ciphertext-size comparison examples Core-SVP for sntrup options: 129, 153, 175. User picks λ ≥ 100, requires Core-SVP ≥ λ . size( sntrup ) < size( X ) for λ in X { 100 , . . . , 175 } frodo { 112 , . . . , 153 } kyber { 148 , . . . , 175 } lac { 100 , . . . , 175 } newhope � { 146 , . . . , 175 } { 107 , . . . , 129 } ntru { 100 , . . . , 175 } round5n1 {} round5nd { 126 , . . . , 153 } saber � { 155 , . . . , 175 } { 100 , . . . , 129 } threebears Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection Jeffrey Bickford *, H.

Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection Jeffrey Bickford *, H.

Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection Jeffrey Bickford *, H. Andrs Lagar-Cavilla #, Alexander Varshavsky #, Vinod Ganapathy *, and Liviu Iftode * * Rutgers University # AT&amp;T Labs Research Smart Phone

709 views • 28 slides
Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline Langlois 2 Benot Libert 3 Damien Stehl 2 1 LIP, Universit Lyon 1 2 LIP, ENS de Lyon 3 Technicolor December 4, 2013 Laguillaumie et al. LB Group

239 views • 20 slides
FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton School of IT Monash University March 2016 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 4: Lattice-Based Crypto. IV Mar 2014 1/33 Plan

932 views • 39 slides
Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

1 2 Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide deployment, IND-CCA2): 640 , 976 , 1344 . frodo Daniel J. Bernstein 512 , 768 , 1024 . kyber 128 , 192 , 256 . lac Primary objective of

1.2k views • 104 slides
FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton

Introduction FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton School of IT Monash University March 2016 Acknowledgements: Some figures sourced from Oded Regevs Lecture Notes on Lattices in

460 views • 30 slides
Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Grtz Institute for

Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Grtz Institute for

Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Grtz Institute for IT Security Ruhr University Bochum Outline 1 Definition of PRE and Security Model 2 Previous constructions and our contribution 3 One-way functions

971 views • 60 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto &amp; Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
Size-Noise Tradeoffs in Generative Networks Bolton Bailey Matus Telgarsky Univ. of Illinois

Size-Noise Tradeoffs in Generative Networks Bolton Bailey Matus Telgarsky Univ. of Illinois

Size-Noise Tradeoffs in Generative Networks Bolton Bailey Matus Telgarsky Univ. of Illinois Urbana-Champaign November 29, 2018 Generative networks Easy distribution X R n . What can Y be? Hard distribution Y R d . Generator Network g :

263 views • 5 slides
UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR ANDREA SCARFO (SECURITY RESEARCHER)

UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR ANDREA SCARFO (SECURITY RESEARCHER)

UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR ANDREA SCARFO (SECURITY RESEARCHER) Security Research Analyst @ Cisco Umbrella (formerly OpenDNS) in San Francisco since 2015 Previously a System Administrator for 12 years JOSH

1.51k views • 114 slides
The lattice model (continued) This satisfies the definition of lattice. There is a single

The lattice model (continued) This satisfies the definition of lattice. There is a single

The lattice model (continued) This satisfies the definition of lattice. There is a single source and sink. The least upper bound of the security classes {x} and {z} is {x,z} and the greatest lower bound of the security classes {x,y} and

698 views • 31 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The SNARG Definitions Construction END Background Option for SNARGs Security s Proof Systems Roadmap and Tools Framework Conclusions Motivation

1.03k views • 66 slides
Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data - Visualizing trajectories - Visualizing time Tasks Locations (0D, Points) Areas (2D) Distribution Comparison Sensity Max/min values

961 views • 48 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Initial objectives Employ plasmonic and geometrical resonances to enhance magneto-optical effects

Initial objectives Employ plasmonic and geometrical resonances to enhance magneto-optical effects

Initial objectives Employ plasmonic and geometrical resonances to enhance magneto-optical effects Investigate layouts for efficient rotation of polarization Magnetically tunable lens based on a gradient metasurface 1 Vitaliy Goryashko

233 views • 5 slides
Microcell Urban Propagation Channel Analysis Using Measurement Data Mir Ghoraishi Jun-ichi

Microcell Urban Propagation Channel Analysis Using Measurement Data Mir Ghoraishi Jun-ichi

Microcell Urban Propagation Channel Analysis Using Measurement Data Mir Ghoraishi Jun-ichi Takada Tetsuro Imai Tokyo Institute of Technology NTT DoCoMo Inc. Takada Lab - TokyoTech 1 Urban Channel Models Usually considers wall

521 views • 28 slides
Microphone Array Processing : A Quick Update Iain McCowan Guillaume Lathoud, Darren Moore,

Microphone Array Processing : A Quick Update Iain McCowan Guillaume Lathoud, Darren Moore,

Microphone Array Processing : A Quick Update Iain McCowan Guillaume Lathoud, Darren Moore, Olivier Masson TAM May 2003 p. 1/6 Outline Speech enhancement Speaker segmentation Files available online TAM May 2003 p. 2/6

329 views • 6 slides
For Wednesday Read chapter 5, sections 1-4 Homework: Chapter 3, exercise 23. Then do

For Wednesday Read chapter 5, sections 1-4 Homework: Chapter 3, exercise 23. Then do

For Wednesday Read chapter 5, sections 1-4 Homework: Chapter 3, exercise 23. Then do the exercise again, but use greedy heuristic search instead of A* Program 1 Any questions? Problem Formulation States Initial state

739 views • 20 slides
MPII at the NTCIR-14 WWW-2 Task Andrew Yates Max Planck Institute for Informatics Motivation

MPII at the NTCIR-14 WWW-2 Task Andrew Yates Max Planck Institute for Informatics Motivation

MPII at the NTCIR-14 WWW-2 Task Andrew Yates Max Planck Institute for Informatics Motivation Opportunity to evaluate NIR model (participatingin pool) Previously evaluated on TREC Web Track 09-14 (WSDM '18, EMNLP '17) With long queries

369 views • 21 slides
Inductive general game playing Andrew Cropper, Richard Evans, and Mark Law General game playing

Inductive general game playing Andrew Cropper, Richard Evans, and Mark Law General game playing

Inductive general game playing Andrew Cropper, Richard Evans, and Mark Law General game playing competition Game description language initial game state legal moves how moves update the game state how the game terminates Game

610 views • 33 slides
Beyond Spectrum Music game project Team member: Class

Beyond Spectrum Music game project Team member: Class

Project Presentation Beyond Spectrum Music game project Team member: Class F1603020 Date 2017.06.01 01 Introduction 02 View CONTENTS Controller 03 Model

256 views • 23 slides
Outline Morning program Preliminaries Semantic matching Learning to rank Entities Afternoon

Outline Morning program Preliminaries Semantic matching Learning to rank Entities Afternoon

Outline Morning program Preliminaries Semantic matching Learning to rank Entities Afternoon program Modeling user behavior Generating responses Recommender systems Industry insights Q &amp; A 148 Modeling user behavior Understanding

576 views • 35 slides

More recommend