On the Ring-LWE and Polynomial-LWE problems
1 On the Ring-LWE and Polynomial-LWE problems
Miruna Rosca, Damien Stehlé, Alexandre Wallet
EUROCRYPT 2018
Miruna Rosca EUROCRYPT / 14
2 Lattices and hard problems

Lattice. Let $b_1, b_2, \ldots, b_n \in \mathbb{R}^n$ be some linearly independent vectors. The set $L(B) = \{x_1 b_1 + x_2 b_2 + \cdots + x_n b_n : x_i \in \mathbb{Z}\}$ is called the lattice generated by them.

Approx-SVP$_\gamma$. Find a nonzero $x \in \mathbb{Z}^n$ s.t. $\|Bx\| < \gamma \cdot \min(\|By\| : y \in \mathbb{Z}^n \setminus \{0\})$.

* Some of the figures are borrowed from A. Wallet.
3-5 How to use lattices for crypto?

(Figure: a picture of LWE samples, shown again on the next builds with the question "efficiency?".)

Learning with Errors:
- Search: Find $s$.
- Decision: Distinguish this distribution from the uniform one.

Efficiency?
6-8 More structure: PLWE, RLWE, RLWE$^\vee$ [SSTX09], [LPR10]

$f$ monic, of degree $n$, irreducible. $K := \mathbb{Q}[x]/f$, $R := \mathbb{Z}[x]/f$.

$n$ field embeddings $\sigma_j$; canonical embedding $\sigma(a) = (\sigma_1(a), \ldots, \sigma_n(a))$.

$H = \{(v_1, \ldots, v_n) \in \mathbb{R}^{s_1} \times \mathbb{C}^{2 s_2} : v_{i+s_1+s_2} = \overline{v_{i+s_1}}\}$, $H = \mathrm{Span}\{h_i\}_i$.

$D^H_\Sigma$: sample $x \leftarrow D_\Sigma$, output $\sum_i x_i h_i$.

$O_K$ the ring of integers of $K$; $O_K^\vee$ the dual of $O_K$.

PLWE: $s \in R_q := R/qR$. $B_{s,\sigma}$ distribution: $a \leftarrow U(R_q)$, $e \leftarrow D_\Sigma$, output $(a, b = a \cdot s + e \bmod qR)$.

RLWE: $s \in O_{K,q} := O_K/qO_K$. $A_{s,\sigma}$ distribution: $a \leftarrow U(O_{K,q})$, $e \leftarrow D^H_\Sigma$, output $(a, b = a \cdot s + e \bmod qO_K)$.

RLWE$^\vee$: $s \in O^\vee_{K,q} := O^\vee_K/qO^\vee_K$. $A^\vee_{s,\sigma}$ distribution: $a \leftarrow U(O_{K,q})$, $e \leftarrow D^H_\Sigma$, output $(a, b = a \cdot s + e \bmod qO^\vee_K)$.
9-10 State of the art and Contributions

(Reduction diagram; the arrows are not recoverable from the transcription. Nodes: ApproxSIVP ($O_K$-modules), ApproxSVP ($O_K$-ideals), decision Module-LWE, decision RLWE$^\vee$, search RLWE$^\vee$, decision RLWE, search RLWE, decision PLWE, search PLWE, decision MPLWE, search MPLWE. Labels on the reductions: [LS15], [AD17], [PRS17], [RSSS17].)
11-14 From RLWE$^\vee$ to RLWE

Assume $t \in (O_K^\vee)^{-1}$ such that $[\cdot t] : O^\vee_{K,q} \to O_{K,q}$.

$\theta_t : O_{K,q} \times O^\vee_{K,q} \to O_{K,q} \times O_{K,q}$, $(a, b) \mapsto (a, t b \bmod q)$.

$A^\vee_{s,\sigma}$ to $A_{s,\sigma}$: if $(a, b) \leftarrow A^\vee_{s,\sigma}$, then $t b = a (t s) + t e$, with $t e \leftarrow D^H_{\Sigma'}$ and $\Sigma' = \mathrm{diag}[\sigma_i(t)] \cdot \Sigma \cdot \mathrm{diag}[\sigma_i(t)]$.

Uniform to uniform: if $(a, b)$ is uniform, then $(a, t b)$ is uniform.

Does such a $t$ exist? How large is $t e$?
15-16 Control the size of $t$

[LPR10]: Compute $t$ in poly($n$)-time using CRT. (Existence, Size)

New result: By Gaussian sampling on $(O_K^\vee)^{-1}$, we can find $t$ with small $\sigma(t)$.¹ (Existence, Size)

Idea: show that short vectors are not all trapped in $(O_K^\vee)^{-1} J$ for $J$ a divisor of $(q)$.

¹ It requires advice on the number field.
17-18 From RLWE to PLWE

New result: We can find $t$ in the conductor ideal $C_R := \{t \in K : t O_K \subseteq R\}$ s.t. $[\cdot t] : O_{K,q} \to R_q$ and $\sigma(t)$ is small.

(Figure: the inclusions between $R$, $O_K$ and $C_R$.)

If $C_R$ is coprime to $qO_K$ then $O_{K,q} \simeq C_R/qC_R \simeq R_q$.

$\theta_t : O_{K,q} \times O_{K,q} \to R_q \times R_q$, $(a, b) \mapsto (t a, t^2 b \bmod q)$.

$A_{s,\sigma}$ to $B_{s,\sigma}$: if $(a, b) \leftarrow A_{s,\sigma}$, then $t^2 b = (t a)(t s) + t^2 e$.

Uniform to uniform: if $(a, b)$ is uniform, then $(t a, t^2 b)$ is uniform.
19-20 Is this really PLWE?

Not yet. $e' = t^2 e \leftarrow D^H_{\Sigma_t}$, where $\Sigma_t = \mathrm{diag}[\sigma_i(t)^2] \cdot \Sigma \cdot \mathrm{diag}[\sigma_i(t)^2]$. The embedding of the error is small in $H$!

Minkowski vs. coefficient embeddings:
$$\sigma(a) = V_f \cdot a, \quad \text{with } V_f = \begin{pmatrix} 1 & \alpha_1 & \alpha_1^2 & \cdots & \alpha_1^{n-1} \\ 1 & \alpha_2 & \alpha_2^2 & \cdots & \alpha_2^{n-1} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha_n & \alpha_n^2 & \cdots & \alpha_n^{n-1} \end{pmatrix}.$$
The $\alpha_i$'s are the roots of the polynomial $f$.
21 How small is the coefficient embedding?

New noise: $V_f^{-1} \sigma(e') \leftarrow D_{\Sigma'}$, with $\Sigma' = V_f^{-1} \Sigma_t V_f^{-1}$.

The distortion introduced by $V_f^{-1}$ could be: too large / reasonable / too skew.
22-24 How to get a small distortion?

$\|V_f^{-1}\|$ is small for $f := X^n - c \in \mathbb{Z}[X]$.

Can we find more polynomials? $V_f^{-1} = \left( \frac{S_{i,j}}{\Delta_j} \right)_{i,j}$, where $\Delta_j = \prod_{k \neq j} (\alpha_k - \alpha_j)$.

Idea: Try to apply a small perturbation on the roots of $f$ and keep the norm small.
25 Lots of polynomials

$f = X^n - c \in \mathbb{Z}[X]$. Take $P = \sum_{i=1}^{n/2} p_i x^i \in \mathbb{Z}[X]$. Perturbation: $g := f + P$.

Technique: Rouché's theorem.

New result: For every such $g \in \mathbb{Z}[X]$, we have that $\|V_g^{-1}\| \le \mathrm{poly}(n)$.
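Added worked example for slides 20-25 (it is not code from the slides or the paper): it builds the Vandermonde matrix $V_f$ for $f = X^n - c$ and for a perturbed $g = f + P$ with $\deg P \le n/2$, measures the distortion $\|V^{-1}\|_\infty$, and maps a constructed error from the canonical embedding $H$ back to coefficients. The parameters $n = 8$, $c = 50$, $P = 2X^3 - X^2 + X$ are constructed, and the roots of $g$ are obtained by numerically refining the roots of $f$ (Durand-Kerner), which is this example's choice, not the paper's method.

```python
import cmath
import math
import random

# Added example, not the paper's code. Constructed parameters: n = 8, c = 50,
# P = 2X^3 - X^2 + X, so g = f + P with deg P <= n/2 as on slide 25.

def poly_eval(coeffs, x):
    """Evaluate a polynomial (coefficients low-to-high) at x by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc

def roots_of_x_n_minus_c(n, c):
    """Closed-form roots of f = X^n - c: c^(1/n) times the n-th roots of unity."""
    r = c ** (1.0 / n)
    return [r * cmath.exp(2j * math.pi * k / n) for k in range(n)]

def refine_roots(coeffs, start, iters=200):
    """Durand-Kerner iteration started at the roots of f: each root of the
    perturbed g is found near a root of f (the picture behind slide 24)."""
    z = list(start)
    n = len(z)
    for _ in range(iters):
        z = [z[i] - poly_eval(coeffs, z[i])
             / math.prod(z[i] - z[j] for j in range(n) if j != i)
             for i in range(n)]
    return z

def vandermonde(roots):
    """V_f of slide 20: row i is (1, alpha_i, ..., alpha_i^(n-1)), so sigma(a) = V_f a."""
    n = len(roots)
    return [[a ** j for j in range(n)] for a in roots]

def solve(matrix, rhs):
    """Gauss-Jordan elimination with partial pivoting over C; returns matrix^-1 rhs."""
    n = len(matrix)
    m = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                factor = m[r][col] / m[col][col]
                m[r] = [x - factor * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def inverse_inf_norm(roots):
    """Max row sum of |V_f^-1|: the distortion factor discussed on slide 21."""
    n = len(roots)
    V = vandermonde(roots)
    cols = [solve(V, [1 if i == k else 0 for i in range(n)]) for k in range(n)]
    return max(sum(abs(cols[k][i]) for k in range(n)) for i in range(n))

def conjugate_partner(roots):
    """Index of each root's complex conjugate (itself for a real root)."""
    return [min(range(len(roots)), key=lambda j: abs(roots[j] - a.conjugate()))
            for a in roots]

def sample_error_in_H(roots, rng, sigma=1.0):
    """Constructed Gaussian error in H (slide 7): real coordinates at real roots,
    conjugate coordinates at conjugate root pairs."""
    v = [None] * len(roots)
    for i, j in enumerate(conjugate_partner(roots)):
        if v[i] is not None:
            continue
        if i == j:
            v[i] = complex(rng.gauss(0, sigma), 0.0)
        else:
            v[i] = complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
            v[j] = v[i].conjugate()
    return v

def distortion_demo(n=8, c=50, perturbation=(0, 1, -1, 2), seed=1):
    """For f = X^n - c and g = f + P: root residuals, ||V^-1||_inf, and the size of
    V^-1 sigma(e) (coefficient embedding) relative to sigma(e) (canonical embedding)."""
    f = [-c] + [0] * (n - 1) + [1]
    g = f[:]
    for i, p in enumerate(perturbation):  # P = sum_i p_i X^i, deg P <= n/2
        g[i] += p
    f_roots = roots_of_x_n_minus_c(n, c)
    g_roots = refine_roots(g, f_roots)
    rng = random.Random(seed)
    out = {}
    for name, coeffs, roots in (("f", f, f_roots), ("g", g, g_roots)):
        v = sample_error_in_H(roots, rng)
        e = solve(vandermonde(roots), v)  # V^-1 sigma(e): the "new noise" of slide 21
        out[name] = {
            "max_residual": max(abs(poly_eval(coeffs, a)) for a in roots),
            "inv_inf_norm": inverse_inf_norm(roots),
            "max_imag_coeff": max(abs(x.imag) for x in e),  # ~0 because v lies in H
            "ratio": math.sqrt(sum(abs(x) ** 2 for x in e))
                     / math.sqrt(sum(abs(x) ** 2 for x in v)),
        }
    return out
```

`distortion_demo()` returns, for both polynomials, the largest $|f(\alpha)|$ over the computed roots, $\|V^{-1}\|_\infty$, the imaginary residue of the recovered coefficients, and the norm ratio between the coefficient and canonical embeddings of the same error; for $f = X^n - c$ with $c \ge 1$ the row sums of $V_f^{-1}$ are $c^{-j/n}$, so $\|V_f^{-1}\|_\infty = 1$ exactly.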
26-28 Search to decision

New result: There is a probabilistic poly. time reduction from search RLWE/RLWE$^\vee$ to decision RLWE/RLWE$^\vee$.

Technique:
- prove a LHL variant over rings and use it to create new samples;
- find a good approximation of the error by using the OHCP technique from [PRS17];
- find the secret.
29 (The reduction diagram of slides 9-10 again: ApproxSIVP ($O_K$-modules), ApproxSVP ($O_K$-ideals), decision Module-LWE, decision/search RLWE$^\vee$, decision/search RLWE, decision/search PLWE, decision/search MPLWE; labels [LS15], [AD17], [PRS17], [RSSS17].)

Thank you.