
Worst-Case to Average-Case Reduction for SIS (Vadim Lyubashevsky), PowerPoint presentation



  1. Worst-Case to Average-Case Reduction for SIS. Vadim Lyubashevsky, INRIA / ENS, Paris. Lattice-Based Crypto & Applications, Bar-Ilan University, Israel, 2012.

  2. Session Outline
     • Average-Case Problems: the Small Integer Solution (SIS) problem
     • Gaussian Distributions and Lattices
     • Reducing a Worst-Case Lattice Problem to SIS

  3. THE AVERAGE-CASE PROBLEMS

  4. Lattice Problems [diagram]
     Worst-Case (left column, still empty on this slide) → Average-Case (middle column): Learning With Errors Problem (LWE), Small Integer Solution Problem (SIS) → what is built from them (right column): One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes (Minicrypt); Public Key Encryption, … (Cryptomania).

  5. Lattice Problems [diagram of slide 4 with the worst-case column filled in]
     Worst-Case: SIVP and BDD, with arrows to the average-case problems SIS and LWE; the arrow into LWE is labelled "quantum".

  6. Small Integer Solution Problem
     Given: random vectors a_1, …, a_m in Z_q^n.
     Find: a non-trivial solution z_1, …, z_m in {-1, 0, 1} such that a_1 z_1 + a_2 z_2 + … + a_m z_m = 0 in Z_q^n.
     Observations:
      • If the size of the z_i is not restricted, then the problem is trivial (Gaussian elimination mod q finds a non-zero solution once m > n).
      • It immediately implies a collision-resistant hash function.
      • A relationship to lattices emerges …

  7. Relationship of SIS to Lattice Problems
     Find: a non-trivial solution z_1, …, z_m in {-1, 0, 1} such that a_1 z_1 + a_2 z_2 + … + a_m z_m = 0 in Z_q^n.
     Let S be the set of all integer vectors z = (z_1, …, z_m) such that a_1 z_1 + … + a_m z_m = 0 mod q.
     S is a lattice! The SIS problem asks to find a short vector in S.

  8. Representing Lattices
     L^⊥(A) = { z in Z^m : A z = 0 mod q }, where A is the n×m matrix with columns a_1, …, a_m (this is the lattice S of slide 7).
     L(B) = { z : z = B x for x in Z^n }, the lattice generated by the columns of the basis matrix B.
     [figure: z = B x on the left; A z = 0 mod q on the right]
     Worst-Case to Average-Case Reduction: approximately solving SIVP in all lattices reduces to finding short vectors in the lattices L^⊥(A) for random A (with m ≈ n log n).

  9. [Diagram of slide 5 repeated: SIVP and BDD on the worst-case side, SIS and LWE in the middle, the Minicrypt and Cryptomania applications on the right.]

  10. Collision-Resistant Hash Functions
     For a random h in the family H, with h : D → R, it is hard to find x_1 ≠ x_2 in D such that h(x_1) = h(x_2).

  11. Collision-Resistant Hash Function
     Given: random vectors a_1, …, a_m in Z_q^n; write A = (a_1, …, a_m).
     Define h_A : {0,1}^m → Z_q^n by h_A(z_1, …, z_m) = a_1 z_1 + … + a_m z_m (that is, A z mod q).
     Domain of h_A = {0,1}^m (size 2^m). Range of h_A = Z_q^n (size q^n).
     Set m > n log q to get compression.
     Collision: a_1 z_1 + … + a_m z_m = a_1 y_1 + … + a_m y_m with z ≠ y.
     So a_1 (z_1 - y_1) + … + a_m (z_m - y_m) = 0, and the z_i - y_i are in {-1, 0, 1}: the difference z - y is exactly a solution of the SIS instance on slide 6.
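The hash h_A(z) = A z mod q of slide 11, its kernel lattice L^⊥(A) from slide 8, and the collision-to-SIS step, as an added Python example (not code from the slides). The toy parameters n = 2, q = 5, m = 7 and the seed are assumptions of this example: they satisfy m > n log2 q, so the domain {0,1}^7 (128 inputs) is larger than the range Z_5^2 (25 outputs) and a brute-force search over the whole domain must hit a collision; at real sizes no such search is possible, which is the whole point of the hash.

```python
import itertools
import math
import random


def sis_hash(A, z, q):
    """h_A(z) = a_1 z_1 + ... + a_m z_m mod q, i.e. A z mod q (slide 11).

    A is an n x m matrix given as a list of rows; its columns are the a_i."""
    n, m = len(A), len(A[0])
    return tuple(sum(A[i][j] * z[j] for j in range(m)) % q for i in range(n))


def random_sis_matrix(n, m, q, rng):
    """Uniformly random a_1, ..., a_m in Z_q^n, stored as an n x m matrix."""
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def in_kernel_lattice(A, z, q):
    """Membership test for L^perp(A) = { z in Z^m : A z = 0 mod q } (slide 8)."""
    return all(c == 0 for c in sis_hash(A, z, q))


def is_sis_solution(A, z, q):
    """z solves SIS for A: non-zero, entries in {-1, 0, 1}, and A z = 0 mod q."""
    return any(z) and all(zi in (-1, 0, 1) for zi in z) and in_kernel_lattice(A, z, q)


def find_collision(A, q):
    """Brute-force collision search for h_A over {0,1}^m.

    Only feasible for toy sizes. When 2^m > q^n the pigeonhole principle
    guarantees a collision, so the search always returns one."""
    seen = {}
    m = len(A[0])
    for z in itertools.product((0, 1), repeat=m):
        h = sis_hash(A, z, q)
        if h in seen:
            return seen[h], z
        seen[h] = z
    return None


def collision_to_sis(z, y):
    """Slide 11: a collision (z, y) of h_A gives the short kernel vector z - y."""
    return tuple(zi - yi for zi, yi in zip(z, y))


def demo(n=2, m=7, q=5, seed=1):
    """Toy instance (parameters are an assumption of this example). Returns the
    matrix, the colliding inputs and the SIS solution derived from them."""
    assert m > n * math.log2(q), "no compression, a collision need not exist"
    rng = random.Random(seed)            # fixed seed so the run is reproducible
    A = random_sis_matrix(n, m, q, rng)
    z, y = find_collision(A, q)
    return A, z, y, collision_to_sis(z, y)


if __name__ == "__main__":
    A, z, y, d = demo()
    print("A =", A)
    print("collision:", z, y, "both hash to", sis_hash(A, z, 5))
    print("SIS solution z - y =", d, "valid:", is_sis_solution(A, d, 5))
```

The check `is_sis_solution` is the one a reviewer would apply to any claimed SIS solution: it must be non-zero, lie in {-1, 0, 1}^m, and satisfy A z = 0 mod q; dropping the first two conditions makes the "solution" trivial, which is the first observation on slide 6.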

  12. [Diagram of slide 5 repeated: SIVP and BDD on the worst-case side, SIS and LWE in the middle, the Minicrypt and Cryptomania applications on the right.]

  13. THE GAUSSIAN (NORMAL) DISTRIBUTION

  14. Definition
     1-dimensional Gaussian distribution: ρ_s(x) = (1/s) e^{-π x²/s²}.
     It is a Normal distribution, centered at 0, with standard deviation s/√(2π).

  15. Example (s = 1) [plot of ρ_s]

  16. Example (s = 1 and 5) [plot of ρ_s for both values]

  17. 2-Dimensional Gaussian
     1-dim Gaussian on the x_1 axis: ρ_s(x_1) = (1/s) e^{-π x_1²/s²}
     1-dim Gaussian on the x_2 axis: ρ_s(x_2) = (1/s) e^{-π x_2²/s²}
     ρ_s(x_1, x_2) = ρ_s(x_1) · ρ_s(x_2)
                   = (1/s) e^{-π x_1²/s²} · (1/s) e^{-π x_2²/s²}
                   = (1/s)² e^{-π (x_1² + x_2²)/s²}
     i.e. ρ_s(x) = (1/s)² e^{-π ||x||²/s²}

  18. 2-Dimensional Example [surface plot of ρ_s(x_1, x_2)]

  19. n-Dimensional Gaussian
     n-dimensional Gaussian distribution: ρ_s(x) = (1/s)^n e^{-π ||x||²/s²}.
     It is an n-dimensional Normal distribution, centered at 0, with standard deviation s/√(2π) in every coordinate.

  20. Useful Properties of the Gaussian Distribution
     1. It is a product distribution
     2. It is spherically symmetric
     3. It is "uniform" modulo parallelepipeds

  21. Product Distribution
     ρ_s(x) = ρ_s(x_1) · … · ρ_s(x_n)

  22. Spherically Symmetric
     ρ_s(x) = (1/s)^n e^{-π ||x||²/s²}
     The probability of x only depends on its length ||x||; the distribution is "axis-independent".

  23. Generating Uniform Elements on a Line Segment
     ρ_s(x) = (1/s) e^{-π x²/s²} with s = 5M, for some positive M.
     If X ~ ρ_s, then for all m < M, Δ(X mod m, Uniform[0, m)) < 2^{-110}   (Δ = statistical distance).

  24. Example (s = 1, m = 1) [plot of the density of X mod m against the uniform density]

  25. Example (s = 1, m = 1, .9, .8) [plot]

  26. Example (s = 2) [plot]

  27. Example (s = 5, m = 1) [plot: the density of X mod m is visually flat]

  28. Generating Uniform Elements in an n-dimensional Parallelepiped
     Reducing modulo a parallelepiped [figure]

  29. Generating Uniform Elements in an n-Dimensional Box
     Box B with dimensions (m_1, …, m_n), all m_i < M.
     Generate X_1, …, X_n ~ ρ_s(x) = (1/s) e^{-π x²/s²}, where s = 5M.
     For each j, Δ(X_j mod m_j, Uniform[0, m_j)) < 2^{-110}.
     Thus Δ((X_1 mod m_1, …, X_n mod m_n), Uniform(B)) < n·2^{-110}.
     So, if X ~ ρ_s(x) = (1/s)^n e^{-π ||x||²/s²} for s = 5M, then Δ(X mod B, Uniform(B)) < n·2^{-110} ≈ 0.
     [figure: box B with sides m_1, m_2]
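The claims of slides 23 and 29, as an added Python example (not code from the slides): it computes Δ(X mod m, Uniform[0, m)) for X ~ ρ_s numerically by folding the Gaussian density onto [0, m) and integrating |f(t) - 1/m|, then applies the product-distribution (union) bound of slide 29 to a box. The grid size and the cut-off of the folding sum are assumptions of this example; the values s = 0.5, 1, 5 and the box (1, .9, .8) are chosen to match the slides' plots, with s = 5 playing the role of s = 5M for M = 1. The 2^{-110} of the slides is far below double precision, so the s = 5 result shows up as roughly 10^{-16}, i.e. rounding noise.

```python
import math
import random


def rho(s, x):
    """Slide 14: rho_s(x) = (1/s) exp(-pi x^2 / s^2); a density with std. dev. s / sqrt(2 pi)."""
    return math.exp(-math.pi * x * x / (s * s)) / s


def sample_rho(s, rng):
    """Draw X ~ rho_s, using the standard deviation from slide 14."""
    return rng.gauss(0.0, s / math.sqrt(2 * math.pi))


def wrapped_density(s, m, t, shifts):
    """Density of (X mod m) at t in [0, m): fold every shift t + k*m of the Gaussian."""
    return sum(rho(s, t + k * m) for k in range(-shifts, shifts + 1))


def stat_distance_mod(s, m, grid=4000):
    """Delta(X mod m, Uniform[0, m)) = 1/2 * integral_0^m |f(t) - 1/m| dt,
    approximated with the midpoint rule on `grid` cells (grid size is an assumption)."""
    shifts = int(math.ceil(10 * s / m)) + 1   # terms beyond 10 s are below exp(-100 pi)
    h = m / grid
    total = 0.0
    for i in range(grid):
        t = (i + 0.5) * h
        total += abs(wrapped_density(s, m, t, shifts) - 1.0 / m) * h
    return total / 2


def box_distance_bound(s, sides):
    """Slide 29: the coordinates are independent (product distribution), so the
    distance of X mod B from Uniform(B) is at most the sum of the 1-D distances."""
    return sum(stat_distance_mod(s, mj) for mj in sides)


def sample_mod_box(s, sides, seed=0):
    """One (near-)uniform point of the box with the given sides, by slide 29's recipe:
    n independent 1-D Gaussians, each reduced modulo its side length."""
    rng = random.Random(seed)
    return tuple(sample_rho(s, rng) % mj for mj in sides)


if __name__ == "__main__":
    for s in (0.5, 1.0, 5.0):
        print(f"s = {s}: Delta(X mod 1, Uniform[0,1)) ~ {stat_distance_mod(s, 1.0):.3e}")
    print("box (1, .9, .8), s = 5M = 5:", box_distance_bound(5.0, (1.0, 0.9, 0.8)))
    print("sample:", sample_mod_box(5.0, (1.0, 0.9, 0.8)))
```

With s = m = 1 the folded density is 1 + 2e^{-π} cos(2πt) up to negligible terms, so the distance is 2e^{-π}/π ≈ 0.0275: visibly non-uniform, which is what the s = 1 plots show. At s = 5 the same computation returns rounding noise. A practitioner should note that the bound is one-sided: taking s too small relative to m leaks the Gaussian's shape through the reduction, and nothing in the reduction step itself warns about it.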

  30. Generating Uniform Elements in a Rotated n-Dimensional Box
     ρ_s(x) = (1/s)^n e^{-π ||x||²/s²} is a spherical distribution, so rotating the axes doesn't affect it.

  31. Generating Uniform Elements in a Rotated n-Dimensional Box (continued)
     ρ_s(x) = (1/s)^n e^{-π ||x||²/s²} is a spherical distribution, so rotating the axes doesn't affect it.
     Thus, for a rotated box B', Δ(X mod B', Uniform(B')) ≈ 0.

  32. Generating Uniform Elements in Parallelepipeds
     Suppose we have X ~ ρ_s(x) = (1/s)^n e^{-π ||x||²/s²} and X mod A is uniform.
     Is X uniform modulo B?

  33. Generating Uniform Elements in Parallelepipeds
     If B is much bigger than A (i.e. has a bigger determinant), then probably NO.

  34. Generating Uniform Elements in Parallelepipeds
     If B is much bigger than A (i.e. has a bigger determinant), then probably NO.
     But what if B = AU with det(U) = 1? Still … not necessarily. [figure: parallelepipeds A and B]

  35. Generating Uniform Elements in Parallelepipeds
     If B = AU and det(U) = 1, then X mod A is uniform ⇒ X mod B is uniform if:
     1.) U is an integer matrix, or
     2.) U is an upper-triangular matrix with 1's on the diagonal.

  36. Some Simplifying Assumptions
     Pretend that the space R^n is divided into a very, very fine grid.
     Any two parallelepipeds that have the same determinant have the same number of grid points inside them.
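Slides 32 to 36 in code, as an added Python example (not code from the slides): it runs the fine-grid argument of slide 36 in two dimensions with exact rational arithmetic. The N² grid points of P(A) = { A y : y in [0,1)² } stand in for a uniform sample mod A; each is reduced mod B = AU exactly as on slide 28 (x mod B = B · frac(B^{-1} x)), and the test is whether the images are precisely the grid points of P(B), each hit once, which is what "X mod B is uniform" means on the grid. The box A = diag(2, 3), the three matrices U, the grid resolution N and the search window are assumptions of this example. It covers case 1 of slide 35 (integer U) and the two negative cases of slides 33 and 34; the shear case 2 of slide 35 moves grid points off the grid, so a point-counting check does not apply to it.

```python
import math
from fractions import Fraction as F


def mat_vec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def mat_mul(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(len(N))) for j in range(len(N[0]))]
            for i in range(len(M))]


def inverse2(M):
    """Exact inverse of a 2x2 matrix over the rationals."""
    (a, b), (c, d) = M
    det = F(a * d - b * c)
    if det == 0:
        raise ValueError("singular basis")
    return [[d / det, -b / det], [-c / det, a / det]]


def reduce_mod(B, Binv, x):
    """x mod B (slide 28): write x = B y and keep only the fractional part of y,
    which lands the point in the fundamental parallelepiped P(B) = { B y : y in [0,1)^2 }."""
    y = mat_vec(Binv, x)
    y = [yi - math.floor(yi) for yi in y]
    return tuple(mat_vec(B, y))


def grid_in(A, B, N, window=4):
    """Points of the fine grid A * (Z/N)^2 (slide 36) that lie inside P(B).
    The search window is an assumption; it covers every P(B) used below."""
    Binv = inverse2(B)
    pts = set()
    for i in range(-window * N, window * N):
        for j in range(-window * N, window * N):
            x = mat_vec(A, [F(i, N), F(j, N)])
            if all(0 <= yi < 1 for yi in mat_vec(Binv, x)):
                pts.add(tuple(x))
    return pts


def uniform_mod_A_gives_uniform_mod_B(A, U, N=6):
    """Slide 36's argument on the grid: reduce the N^2 grid points of P(A) modulo
    B = A U and check that the images are exactly the grid points of P(B), each
    hit once. True means a uniform X mod A yields a uniform X mod B."""
    B = mat_mul(A, U)
    Binv = inverse2(B)
    images = [reduce_mod(B, Binv, list(x)) for x in grid_in(A, A, N)]
    return len(set(images)) == len(images) and set(images) == grid_in(A, B, N)


# Constructed inputs for this example (assumptions, not from the slides).
BOX_A = [[2, 0], [0, 3]]              # a 2 x 3 box, given as a column basis
U_INT = [[1, 1], [0, 1]]              # integer, det 1: slide 35, case 1
U_DET1 = [[2, 0], [0, F(1, 2)]]       # det 1 but not integer: slide 34
U_BIG = [[2, 0], [0, 1]]              # det 2, P(B) twice as large: slide 33


if __name__ == "__main__":
    for name, U in (("integer, det 1", U_INT), ("non-integer, det 1", U_DET1), ("det 2", U_BIG)):
        print(f"{name}: uniform mod A => uniform mod B? {uniform_mod_A_gives_uniform_mod_B(BOX_A, U)}")
```

For U_INT the lattices L(A) and L(B) coincide, so reduction mod B just re-tiles P(A) into P(B) and every grid point of P(B) is hit exactly once. For U_DET1 the two parallelepipeds have the same area (and, as slide 36 promises, the same number of grid points) but the images only cover the x_1 range [0, 2) of the [0, 4)-wide P(B); for U_BIG the N² images cannot cover the 2N² grid points of the larger P(B) at all.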
