Lattice-Based Cryptography

Size: px

Start display at page:

Download "Lattice-Based Cryptography"

Joanna Virginia Grant
5 years ago
Views:

1 Liljana Babinkostova Department of Mathematics Computing Colloquium Series

2 Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute

3 Quantum Computing

4 Are Quantum Computers Moving Closer to Reality? March 17, 2017 IBM Q Quantum computing service that runs alongside IBM s other cloud products. September 25, 2017 Topological Qubit New programming language, integrated with Visual Studio and designed to work on both a quantum simulator and a quantum computer.

5 QUANTUM COMPUTERS PUT ALL ENCRYPTED INTERNET COMMUNICATION AT RISK!

6 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected.

7 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected. Small fraction of traffic is protected end-to-end with a high security level and without a backdoor ( /voice).

8 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected. Small fraction of traffic is protected end-to-end with a high security level and without a backdoor ( /voice). Need authenticated encryption/secure channels reordering, replay, deletion of packets.

9 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected. Small fraction of traffic is protected end-to-end with a high security level and without a backdoor ( /voice). Need authenticated encryption/secure channels reordering, replay, deletion of packets. Protection of meta-data is very hard.

10 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected. Small fraction of traffic is protected end-to-end with a high security level and without a backdoor ( /voice). Need authenticated encryption/secure channels reordering, replay, deletion of packets. Protection of meta-data is very hard. Key management problem.

11 Factoring and Discrete Log Problem All widely used public-key systems rely on three problems from algebraic number theory: Integer factorization: RSA, n = pq Discrete LOGarithm : Diffie-Hellman, DSA: y = g x Elliptic Curve Discrete Logarithm, ECDSA: Q = xp

12 Factoring and Discrete Log Problem All widely used public-key systems rely on three problems from algebraic number theory: Integer factorization: RSA, n = pq Discrete LOGarithm : Diffie-Hellman, DSA: y = g x Elliptic Curve Discrete Logarithm, ECDSA: Q = xp RSA-1024 DLOG-1024 ECC-146 RSA-2048 DLOG-2048 ECC-206 RSA-4096 DLOG-4096 ECC-282

13 Factoring and Discrete Log Problem All widely used public-key systems rely on three problems from algebraic number theory: Integer factorization: RSA, n = pq Discrete LOGarithm : Diffie-Hellman, DSA: y = g x Elliptic Curve Discrete Logarithm, ECDSA: Q = xp RSA-1024 DLOG-1024 ECC-146 RSA-2048 DLOG-2048 ECC-206 RSA-4096 DLOG-4096 ECC-282 Are these problems hard?

14 The Sky is Falling? When will a quantum computer be built?

15 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni)

16 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact?

17 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure!

18 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure! Symmetric key cryptosystems

19 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure! Symmetric key cryptosystems AES Need larger keys Triple DES Need larger keys

20 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure! Symmetric key cryptosystems AES Need larger keys Triple DES Need larger keys Hash functions

21 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure! Symmetric key cryptosystems AES Need larger keys Triple DES Need larger keys Hash functions SHA-1, SHA-2 and SHA-3 Use longer output

22 Key Exchange Protocols NewHope [ADPS 15]:

23 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security.

24 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security.

25 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome Canary and its own web servers.

26 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome Canary and its own web servers. Frodo [BCDMNNRS 16]: Plain-LWE key exchange, with many tricks and optimizations.

27 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome Canary and its own web servers. Frodo [BCDMNNRS 16]: Plain-LWE key exchange, with many tricks and optimizations. Conjectured 200-bit quantum security.

28 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome Canary and its own web servers. Frodo [BCDMNNRS 16]: Plain-LWE key exchange, with many tricks and optimizations. Conjectured 200-bit quantum security. About 10 slower than NewHope, but only 2 slower than ECDH.

29 Lattices and Cryptography Lattice problems

30 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time)

31 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... )

32 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions.

33 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions.

34 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions. Lattice related constructions and cryptographic functions

35 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions. Lattice related constructions and cryptographic functions Have many useful features (linearity, trapdoors,...)

36 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions. Lattice related constructions and cryptographic functions Have many useful features (linearity, trapdoors,...) Are efficient and easy to implement (simple arithmetic operations on small numbers).

37 Lattices Definition Given n linearly independent vectors v 1,..., v n R m, the lattice generated by them is defined as { n } L( v 1,..., v n ) = x i v i x i Z i=1

38 Lattices Definition Given n linearly independent vectors v 1,..., v n R m, the lattice generated by them is defined as { n } L( v 1,..., v n ) = x i v i x i Z i=1 We call v 1,..., v n a basis of the lattice.

39 Lattices Definition Given n linearly independent vectors v 1,..., v n R m, the lattice generated by them is defined as { n } L( v 1,..., v n ) = x i v i x i Z We call v 1,..., v n a basis of the lattice.note that the definition requires v 1,..., v n to be linearly independent over R (and not over Z). i=1

40 Lattices We will use a notational short-hand when dealing with bases, denoting them by a matrix B whose columns are the basis vectors v 1,..., v n.

41 Lattices We will use a notational short-hand when dealing with bases, denoting them by a matrix B whose columns are the basis vectors v 1,..., v n. That is, we will write B = v 1... v n

42 Lattices We will use a notational short-hand when dealing with bases, denoting them by a matrix B whose columns are the basis vectors v 1,..., v n. That is, we will write B = v 1... v n and thus, in this notation, L(B) = {B v v Z n }

43 Lattices We will use a notational short-hand when dealing with bases, denoting them by a matrix B whose columns are the basis vectors v 1,..., v n. That is, we will write B = v 1... v n and thus, in this notation, L(B) = {B v v Z n } The determinant of a lattice is the absolute value of the determinant of the basis matrix det(l(b)) = det(b).

44 Lattices - Example The lattice Z 2 with basis vectors (0, 1) and (1, 0). b 2 b 1

45 Lattices - Example The lattice Z 2 with a different basis consisting of vectors (1, 2) and (2, 3). In fact, any lattice has infinitely many bases. b 2 b 1

46 q-ary Lattices Of particular importance in lattice-based cryptography are q-ary lattices.

47 q-ary Lattices Of particular importance in lattice-based cryptography are q-ary lattices. These are lattices L satisfying Z n q L Z for some (possibly prime) integer q. In other words, the membership of a vector x L is determined by x (mod q).

48 Lattice Problems The most well known computational problems on lattices are the following: Shortest Vector Problem (SVP): Given a lattice basis B, find nonzero vector x in L(B) of length (at most) x = λ.

49 Lattice Problems The most well known computational problems on lattices are the following: Shortest Vector Problem (SVP): Given a lattice basis B, find nonzero vector x in L(B) of length (at most) x = λ. Closest Vector Problem (CVP): Given a lattice basis B and a target vector t (not necessarily in the lattice), find the lattice point x L(B) closest to t.

50 Lattice Problems The most well known computational problems on lattices are the following: Shortest Vector Problem (SVP): Given a lattice basis B, find nonzero vector x in L(B) of length (at most) x = λ. Closest Vector Problem (CVP): Given a lattice basis B and a target vector t (not necessarily in the lattice), find the lattice point x L(B) closest to t. Shortest Independent Vectors Problem (SIVP): Given a lattice basis B, find n linearly independent lattice vectors S = [s 1,, s n ], where s i L(B) and max s i < λ i.

51 Complexity of SVP, SIVP,... Best algorithm for exact solution takes time 2 n. [M. Ajtai, R. Kumar, and D. Sivakumar (2001)]

52 Complexity of SVP, SIVP,... Best algorithm for exact solution takes time 2 n. [M. Ajtai, R. Kumar, and D. Sivakumar (2001)] (Almost) NP-hard for factors up to γ = n 1/ log log n. [Ajtai, Haviv and Regev (2006)]

53 Complexity of SVP, SIVP,... Best algorithm for exact solution takes time 2 n. [M. Ajtai, R. Kumar, and D. Sivakumar (2001)] (Almost) NP-hard for factors up to γ = n 1/ log log n. [Ajtai, Haviv and Regev (2006)] Polynomial time for slightly subexponential γ. [LLL, Schnorr, AKS]

54 Complexity of SVP, SIVP,... Best algorithm for exact solution takes time 2 n. [M. Ajtai, R. Kumar, and D. Sivakumar (2001)] (Almost) NP-hard for factors up to γ = n 1/ log log n. [Ajtai, Haviv and Regev (2006)] Polynomial time for slightly subexponential γ. [LLL, Schnorr, AKS] Unlikely to be NP-hard for γ (n/ log n) 1/2. [GG, AR]

55 Short Integer Solution 1 Let (a 1,, a n ) = norm. a a2 n be the standard Euclidean 1 M. Ajtai, Generating hard instances of lattice problems, Quaderni di Matematica, Vol. 13:1 32 (2004)

56 Short Integer Solution 1 Let (a 1,, a n ) = norm. a a2 n be the standard Euclidean SIS problem Given q N, elements g 1,, g m of Z n q, and real number β > 0, find z Z m such that 1 M. Ajtai, Generating hard instances of lattice problems, Quaderni di Matematica, Vol. 13:1 32 (2004)

57 Short Integer Solution 1 Let (a 1,, a n ) = norm. a a2 n be the standard Euclidean SIS problem Given q N, elements g 1,, g m of Z n q, and real number β > 0, find z Z m such that and z 1 g 1 + z 2 g z m g m = 0 (mod q) 1 M. Ajtai, Generating hard instances of lattice problems, Quaderni di Matematica, Vol. 13:1 32 (2004)

58 Short Integer Solution 1 Let (a 1,, a n ) = norm. a a2 n be the standard Euclidean SIS problem Given q N, elements g 1,, g m of Z n q, and real number β > 0, find z Z m such that and z < β. z 1 g 1 + z 2 g z m g m = 0 (mod q) 1 M. Ajtai, Generating hard instances of lattice problems, Quaderni di Matematica, Vol. 13:1 32 (2004)

59 Learning With Errors (LWE) LWE Simplified:

60 Learning With Errors (LWE) LWE Simplified: Given a system of approximate random linear equations, find s Z 4 17 that satisfies the equations with some (negligible) error χ.

61 Learning With Errors (LWE) LWE Simplified: Given a system of approximate random linear equations, find s Z 4 17 that satisfies the equations with some (negligible) error χ. 14s s 2 + 5s 3 + 2s 4 8 (mod 17) 13s s s 3 + 6s 4 16 (mod 17) 6s s s 3 + s 4 3 (mod 17) 10s 1 + 4s s s 4 12 (mod 17) 9s 1 + 5s 2 + 9s 3 + 6s 4 9 (mod 17) 3s 1 + 6s 2 + 4s 3 + 5s 4 16 (mod 17)

62 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n.

63 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing

64 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random,

65 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random, choosing e Z q n according to the probability distribution χ and

66 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random, choosing e Z q n according to the probability distribution χ and returning the pair

67 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random, choosing e Z q n according to the probability distribution χ and returning the pair ( a, c) = ( a, a, s + e (mod q)) (Z q ) n Z q.

68 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random, choosing e Z q n according to the probability distribution χ and returning the pair ( a, c) = ( a, a, s + e (mod q)) (Z q ) n Z q. LWE Problem Find s Z n q given pairs ( a, c) (Z q ) n Z q sampled according to L s,χ.

69 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2).

70 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation:

71 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n.

72 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and

73 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and m error values e i Z q according to the probability distribution χ.

74 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and m error values e i Z q according to the probability distribution χ. We set

75 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and m error values e i Z q according to the probability distribution χ. We set b i = a i, s + 2e i (mod q) and output

76 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and m error values e i Z q according to the probability distribution χ. We set b i = a i, s + 2e i (mod q) and output the public key (( a 1, b 1 ), ( a i, b 2 ),, ( a m, b m )).

77 Public-Key Cryptosystem Based on LWE Encryption:

78 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M.

79 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values

80 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values m c = t i a i n=1 and

81 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1

82 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values Decryption: c = m t i a i and d = M n=1 m t i b i n=1

83 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2)

84 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2) = (( m n=1 t i a i, s m n=1 t i b i ) + M (mod q)) (mod 2)

85 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2) = (( m n=1 t i a i, s m n=1 t i b i ) + M (mod q)) (mod 2) = (( m n=1 2 t i e i ) + M (mod q)) (mod 2)

86 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2) = (( m n=1 t i a i, s m n=1 t i b i ) + M (mod q)) (mod 2) = (( m n=1 2 t i e i ) + M (mod q)) (mod 2) = (2 small + M) (mod 2)

87 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2) = (( m n=1 t i a i, s m n=1 t i b i ) + M (mod q)) (mod 2) = (( m n=1 2 t i e i ) + M (mod q)) (mod 2) = (2 small + M) (mod 2) = M

88 Confidence-Inspiring Cryptography Takes Time to Build

89 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view:

90 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems.

91 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems.

92 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware.

93 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware. Study side-channel attacks, fault attacks, etc.

94 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware. Study side-channel attacks, fault attacks, etc. Focus on secure implementations and performance requirements.

95 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware. Study side-channel attacks, fault attacks, etc. Focus on secure implementations and performance requirements. Integrate securely into real-world applications.

96 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware. Study side-channel attacks, fault attacks, etc. Focus on secure implementations and performance requirements. Integrate securely into real-world applications. THANK YOU!

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016 Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal