Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
|
|
- Raymond Baker
- 5 years ago
- Views:
Transcription
1 1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010
2 2 / 14 Talk Outline 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP 3 Future Work
3 3 / 14 Shortest Vector Problem(s) A lattice L R n having basis B = {b 1,..., b n } is: b 2 L = n (Z b i ) i=1 λ b 1
4 3 / 14 Shortest Vector Problem(s) A lattice L R n having basis B = {b 1,..., b n } is: b 2 L = n (Z b i ) i=1 λ b 1 Shortest Vector Problem (γ-gapsvp) Given B, decide: λ 1 or λ > γ?
5 3 / 14 Shortest Vector Problem(s) A lattice L R n having basis B = {b 1,..., b n } is: L = n (Z b i ) λ i=1 b 1 b 2 Shortest Vector Problem (γ-gapsvp) Given B, decide: λ 1 or λ > γ?
6 3 / 14 Shortest Vector Problem(s) A lattice L R n having basis B = {b 1,..., b n } is: L = n (Z b i ) i=1 λ b 2 b 1 γ λ Shortest Vector Problem (γ-gapsvp) Given B, decide: λ 1 or λ > γ? Unique SVP (γ-usvp) Given B with γ-unique shortest vector, find it.
7 Worst-Case Complexity GapSVP γ = 2 (log n) 1 ɛ n n 2 n NP-hard [Ajt98,...,HR07] conp [GG98,AR05] (some) crypto [Ajt96,..., MR04,Reg05] P [LLL82,Sch87] 4 / 14
8 Worst-Case Complexity GapSVP γ = 2 (log n) 1 ɛ n n 2 n NP-hard [Ajt98,...,HR07] conp [GG98,AR05] (some) crypto [Ajt96,..., MR04,Reg05] P [LLL82,Sch87] For γ = poly(n), best algorithm is 2 n time & space [AKS01] 4 / 14
9 Worst-Case Complexity GapSVP γ = 2 (log n) 1 ɛ n n 2 n NP-hard [Ajt98,...,HR07] conp [GG98,AR05] (some) crypto [Ajt96,..., MR04,Reg05] P [LLL82,Sch87] For γ = poly(n), best algorithm is 2 n time & space [AKS01] usvp γ =?? NP-hard 4 n coam [Cai98] n 1.5 crypto [AD97/07,Reg03] 4 / 14
10 5 / 14 Taxonomy of Lattice-Based Crypto minicrypt OWF [Ajt96,... ] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10]
11 5 / 14 Taxonomy of Lattice-Based Crypto minicrypt OWF [Ajt96,... ] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10] GapSVP etc. hard
12 5 / 14 Taxonomy of Lattice-Based Crypto minicrypt CRYPTOMANIA OWF [Ajt96,... ] PKE [AD97,Reg03,Reg05] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10] CCA [PW08] ID-based [GPV08] GapSVP etc. hard
13 5 / 14 Taxonomy of Lattice-Based Crypto minicrypt CRYPTOMANIA OWF [Ajt96,... ] PKE [AD97,Reg03,Reg05] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10] CCA [PW08] ID-based [GPV08] (Obl. tran. [PVW08], leakage [AGV09], homom [G09,GHV10], KDM [ACPS09], HIBE [CHKP10], Deniable [OP10],... ) GapSVP etc. hard
14 Taxonomy of Lattice-Based Crypto minicrypt CRYPTOMANIA OWF [Ajt96,... ] PKE [AD97,Reg03,Reg05] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10] CCA [PW08] ID-based [GPV08] (Obl. tran. [PVW08], leakage [AGV09], homom [G09,GHV10], KDM [ACPS09], HIBE [CHKP10], Deniable [OP10],... ) GapSVP etc. hard usvp hard GapSVP etc. quantum-hard 5 / 14
15 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2
16 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2 Search: find s Z n q given noisy random inner products a 1, b 1 a 1, s mod q a 2, b 2 a 2, s mod q.
17 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2 Search: find s Z n q given noisy random inner products a 1, b 1 = a 1, s + x 1 mod q a 2, b 2 = a 2, s + x 2 mod q. Uniform a i Z n q, Gaussian errors x i α q n
18 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2 Search: find s Z n q given noisy random inner products a 1, b 1 = a 1, s + x 1 mod q a 2, b 2 = a 2, s + x 2 mod q. Uniform a i Z n q, Gaussian errors x i Decision: distinguish from uniform (a i, b i ) α q n
19 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2 Search: find s Z n q given noisy random inner products a 1, b 1 = a 1, s + x 1 mod q a 2, b 2 = a 2, s + x 2 mod q. Uniform a i Z n q, Gaussian errors x i Decision: distinguish from uniform (a i, b i ) α q n State of the Art (n/α)-gapsvp etc. search-lwe decision-lwe crypto quantum [Reg05] prime q = poly(n) [BFKL94,R05] [R05,PW08,GPV08, PVW08,AGV09,ACPS09,... ]
20 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness
21 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors
22 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors Standard (n/α)-gapsvp: large LWE modulus q 2 n
23 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors Standard (n/α)-gapsvp: large LWE modulus q 2 n New ζ-to-(n/α) -GapSVP: q ζ [ = poly(n) ]
24 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors Standard (n/α)-gapsvp: large LWE modulus q 2 n New ζ-to-(n/α) -GapSVP: q ζ [ = poly(n) ] 2 LWE search decision for large q [ poly(n) ] GapSVP-hardness of prior LWE-based crypto [Reg05,... ]
25 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors Standard (n/α)-gapsvp: large LWE modulus q 2 n New ζ-to-(n/α) -GapSVP: q ζ [ = poly(n) ] 2 LWE search decision for large q [ poly(n) ] GapSVP-hardness of prior LWE-based crypto [Reg05,... ] 3 New LWE-based chosen ciphertext-secure encryption Simpler construction, milder assumption than prior CCA [PW08]
26 8 / 14 [Regev05] Hardness of LWE BDD on L: d λ/2 L BDD classical LWE
27 8 / 14 [Regev05] Hardness of LWE BDD on L: d λ/2 quantum L BDD L BDD classical classical LWE LWE
28 8 / 14 [Regev05] Hardness of LWE BDD on L: d λ/2 quantum quantum L BDD L BDD classical classical LWE LWE
29 8 / 14 [Regev05] Hardness of LWE BDD on L: d λ/2 quantum quantum L BDD L BDD classical LWE classical LWE GapSVP SIVP
30 9 / 14 Why Quantum? Obvious answer: iterative step BDD on L quantum FT L
31 9 / 14 Why Quantum? Obvious answer: iterative step BDD on L quantum FT L A better answer: to make use of BDD/LWE oracle 1 Choose some x L 2 Perturb to y x 3 Invoke oracle on y x y y BDD (LWE)
32 9 / 14 Why Quantum? Obvious answer: iterative step BDD on L quantum FT L A better answer: to make use of BDD/LWE oracle 1 Choose some x L 2 Perturb to y x 3 Invoke oracle on y 4 Returns x we already knew that! x y y BDD (LWE) x
33 9 / 14 Why Quantum? Obvious answer: iterative step BDD on L quantum FT L A better answer: to make use of BDD/LWE oracle 1 Choose some x L 2 Perturb to y x 3 Invoke oracle on y 4 Returns x we already knew that! Quantum can uncompute x x y y BDD (LWE) x
34 10 / 14 Our Approach New way of solving GapSVP in a reduction
35 10 / 14 Our Approach The Usual New way of solving GapSVP in a reduction x y y BDD (LWE) x
36 10 / 14 Our Approach New way of solving GapSVP in a reduction The Usual IMAGINE x y x y y BDD (LWE) x y BDD (LWE)??
37 10 / 14 Our Approach New way of solving GapSVP in a reduction The Usual x y y BDD (LWE) IMAGINE x y y BDD (LWE) Illegal BDD instance Incorrect (& unknown!) LWE distribution x??
38 10 / 14 Our Approach New way of solving GapSVP in a reduction The Usual x y y BDD (LWE) x IMAGINE x y y BDD (LWE)?? Illegal BDD instance Incorrect (& unknown!) LWE distribution SO WHAT! When λ d, oracle cannot guess x Distinguishes large λ from small
39 10 / 14 Our Approach The Usual x y y BDD (LWE) x New way of solving GapSVP in a reduction IMAGINE x y y BDD (LWE)?? Illegal BDD instance Incorrect (& unknown!) LWE distribution SO WHAT! When λ d, oracle cannot guess x Distinguishes large λ from small View as [GoldGold98] AM proof between reduction and oracle
40 11 / 14 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!)
41 11 / 14 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L.
42 11 / 14 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L. ζ-good basis LWE modulus q ζ. (LLL-reduced basis is 2 n -good.)
43 11 / 14 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L. ζ-good basis LWE modulus q ζ. One shot (non-iterative) reduction (LLL-reduced basis is 2 n -good.)
44 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L. ζ-good basis LWE modulus q ζ. (LLL-reduced basis is 2 n -good.) One shot (non-iterative) reduction 2 LWE search / decision equivalence? (Normally requires prime q = poly(n)... ) 11 / 14
45 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L. ζ-good basis LWE modulus q ζ. (LLL-reduced basis is 2 n -good.) One shot (non-iterative) reduction 2 LWE search / decision equivalence? (Normally requires prime q = poly(n)... ) Option 1: crypto directly based on search-lwe Option 2: search = decision for smooth q and Gaussian error 11 / 14
46 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform.
47 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n).
48 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n). Find s: Chinese remaindering & smoothing To test if s 1 = 0 mod q i : (a, b) (a + r e 1, b) for r (q/q i ) Z qi
49 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n). Find s: Chinese remaindering & smoothing To test if s 1 = 0 mod q i : (a, b) (a + r e 1, b) for r (q/q i ) Z qi If yes, maps A s,α to itself. If not, maps A s,α to uniform?
50 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n). Find s: Chinese remaindering & smoothing To test if s 1 = 0 mod q i : (a, b) (a + r e 1, b) for r (q/q i ) Z qi If yes, maps A s,α to itself. If not, maps A s,α to uniform! Gaussians of width αq (q/q i ) separated by (q/q i ) uniform by smoothing bounds [MicReg04]
51 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n). Find s: Chinese remaindering & smoothing To test if s 1 = 0 mod q i : (a, b) (a + r e 1, b) for r (q/q i ) Z qi If yes, maps A s,α to itself. If not, maps A s,α to uniform! Gaussians of width αq (q/q i ) separated by (q/q i ) uniform by smoothing bounds [MicReg04] (NB: for general error dists, hybrid argument over q i s fails.)
52 13 / 14 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle
53 13 / 14 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle Elementary Construction Follows witness-recovering decryption approach [PW08].
54 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle Elementary Construction Follows witness-recovering decryption approach [PW08]. Define g A (s, x) = A t s + x. Can generate A with trapdoor for g 1 A [GGH97,Ajt99,AP09] 13 / 14
55 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle Elementary Construction Follows witness-recovering decryption approach [PW08]. Define g A (s, x) = A t s + x. Can generate A with trapdoor for g 1 A [GGH97,Ajt99,AP09] Distinguish g A1 (s, x 1 ),..., g Ak (s, x k ) [same s!] solve LWE So g A1,..., g Ak pseudorandom under correlated inputs [RS09] 13 / 14
56 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle Elementary Construction Follows witness-recovering decryption approach [PW08]. Define g A (s, x) = A t s + x. Can generate A with trapdoor for g 1 A [GGH97,Ajt99,AP09] Distinguish g A1 (s, x 1 ),..., g Ak (s, x k ) [same s!] solve LWE So g A1,..., g Ak pseudorandom under correlated inputs [RS09] Correlation-secure injective TDF CCA-secure encryption But care needed to make g A chosen-output secure. 13 / 14
57 14 / 14 Epilogue 1 Building off of our approach, [LyuMic09] showed (γ n)-gapsvp γ-usvp crypto [AjtDwo97,Reg03]
58 14 / 14 Epilogue 1 Building off of our approach, [LyuMic09] showed (γ n)-gapsvp γ-usvp crypto [AjtDwo97,Reg03] Unifies two styles of cryptosystems [AD97,Reg03] and [Reg05,... ] under (almost) same assumption.
59 14 / 14 Epilogue 1 Building off of our approach, [LyuMic09] showed (γ n)-gapsvp γ-usvp crypto [AjtDwo97,Reg03] Unifies two styles of cryptosystems [AD97,Reg03] and [Reg05,... ] under (almost) same assumption. 2 Open: classical, iterative reduction from lattices to LWE I d expect it to work for GapSVP, SIVP, etc. with q = poly(n)
60 14 / 14 Epilogue 1 Building off of our approach, [LyuMic09] showed (γ n)-gapsvp γ-usvp crypto [AjtDwo97,Reg03] Unifies two styles of cryptosystems [AD97,Reg03] and [Reg05,... ] under (almost) same assumption. 2 Open: classical, iterative reduction from lattices to LWE I d expect it to work for GapSVP, SIVP, etc. with q = poly(n) 3 Open: complexity of new ζ-to-γ -GapSVP problem? NP-hard for nontrivial ζ? Better algorithms?
Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationProving Hardness of LWE
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 22/2/2012 Proving Hardness of LWE Bar-Ilan University Dept. of Computer Science (based on [R05, J. of the ACM])
More informationAn intro to lattices and learning with errors
A way to keep your secrets secret in a post-quantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky and Daniele Micciancio May 9, 009 Abstract We prove the equivalence, up to a small polynomial
More informationOded Regev Courant Institute, NYU
Fast er algorithm for the Shortest Vector Problem Oded Regev Courant Institute, NYU (joint with Aggarwal, Dadush, and Stephens-Davidowitz) A lattice is a set of points Lattices L={a 1 v 1 + +a n v n a
More informationVadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3
A Tooλκit for Riνγ-ΛΩE κρyπτ oγραφ Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky 1 and Daniele Micciancio 2 1 School of Computer Science, Tel Aviv University Tel Aviv 69978, Israel.
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationGauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1
Gauss Sieve on GPUs Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1 1 Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan {ilway25,kbj,doug}@crypto.tw 2
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky, Chris Peikert, and Oded Regev Abstract. The learning with errors (LWE) problem is to distinguish random linear equations, which
More informationFast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international,
More informationAugmented Learning with Errors: The Untapped Potential of the Error Term
Augmented Learning with Errors: The Untapped Potential of the Error Term Rachid El Bansarkhani, Özgür Dagdelen, and Johannes Buchmann Technische Universität Darmstadt Fachbereich Informatik Kryptographie
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/2017 1 / 24 Preview We define an LWE variant
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationDwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP
The unique-svp World 1. Ajtai-Dwork Dwork 97/07, Regev 03 PKE from worst-case usvp 2. Lyubashvsky-Micciancio Micciancio 09 Shai Halevi, IBM, July 2009 Relations between worst-case usvp,, BDD, GapSVP Many
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationUNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.
Department of Electrical and Computing Engineering UNIVERSITY OF CONNECTICUT CSE 5095-004 (15626) & ECE 6095-006 (15284) Secure Computation and Storage: Spring 2016 Oral Exam: Theory There are three problem
More informationSolving LWE problem with bounded errors in polynomial time
Solving LWE problem with bounded errors in polynomial time Jintai Ding, Southern Chinese University of Technology, University of Cincinnati, ding@mathucedu Abstract In this paper, we present a new algorithm,
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationLeakage of Signal function with reused keys in RLWE key exchange
Leakage of Signal function with reused keys in RLWE key exchange Jintai Ding 1, Saed Alsayigh 1, Saraswathy RV 1, Scott Fluhrer 2, and Xiaodong Lin 3 1 University of Cincinnati 2 Cisco Systems 3 Rutgers
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationEfficient Lattice (H)IBE in the Standard Model
Efficient Lattice (H)IBE in the Standard Model Shweta Agrawal University of Texas, Austin Dan Boneh Stanford University Xavier Boyen PARC Abstract We construct an efficient identity based encryption system
More informationEfficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption
Appl. Math. Inf. Sci. 8, No. 2, 633-638 (2014) 633 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/080221 Efficient Chosen-Ciphtertext Secure Public
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationA Decade of Lattice Cryptography
A Decade of Lattice Cryptography Chris Peikert 1 September 26, 2015 1 Department of Computer Science and Engineering, University of Michigan. Much of this work was done while at the School of Computer
More informationLizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR Jung Hee Cheon 1, Duhyeong Kim 1, Joohee Lee 1, and Yongsoo Song 1 1 Seoul National University (SNU), Republic of
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationTrapdoor functions from the Computational Diffie-Hellman Assumption
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1,2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key
More informationLattice Basis Delegation in Fixed Dimension and Shorter-Ciphertext Hierarchical IBE
Lattice Basis Delegation in Fixed Dimension and Shorter-Ciphertext Hierarchical IBE Shweta Agrawal 1, Dan Boneh 2, and Xavier Boyen 3 1 University of Texas, Austin 2 Stanford University 3 Université de
More informationMaster of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption
Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption Maximilian Fillinger August 18, 01 1 Preliminaries 1.1 Notation Vectors and matrices are denoted by bold lowercase
More informationProxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012
Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012 Manh Ha Nguyen Tokyo Institute of Technology Toshiyuki Isshiki 1,2 and Keisuke Tanaka 2 1 NEC Corporation 2 Tokyo Institute of
More informationPublic-Key Cryptographic Primitives Provably as Secure as Subset Sum
Public-Key Cryptographic Primitives Provably as Secure as Subset Sum Vadim Lyubashevsky 1, Adriana Palacio 2, and Gil Segev 3 1 Tel-Aviv University, Tel-Aviv, Israel vlyubash@cs.ucsd.edu 2 Bowdoin College,
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationUpper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China
Λ A Huiwen Jia 1, Chunming Tang 1, Yanhua Zhang 2 hwjia@gzhu.edu.cn, ctang@gzhu.edu.cn, and yhzhang@zzuli.edu.cn 1 Key Laboratory of Information Security, School of Mathematics and Information Science,
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More information1 / 10. An Efficient and Parallel Gaussian Sampler for Lattices. Chris Peikert Georgia Tech
1 / 10 An Effiient and Parallel Gaussian Sampler for Latties Chris Peikert Georgia Teh CRYPTO 2010 2 / 10 Lattie-Based Crypto L R n 2 / 10 Lattie-Based Crypto L R n p 1 p 2 Lattie-Based Crypto L R n p
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationLARA A Design Concept for Lattice-based Encryption
LARA A Design Concept for Lattice-based Encryption Rachid El Bansarkhani Technische Universität Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra, Hochschulstraÿe 10, 64289 Darmstadt,
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationClassical Hardness of Learning with Errors
Classical Hardness of Learning with Errors Zvika Brakerski Adeline Langlois Chris Peikert Oded Regev Damien Stehlé Abstract We show that the Learning with Errors (LWE) problem is classically at least as
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationOn the Leakage Resilience of Ideal-Lattice Based Public Key Encryption
On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni, and Aria Shahverdi University of Maryland, College Park, USA danadach@ece.umd.edu,
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationNew Lattice Based Cryptographic Constructions
New Lattice Based Cryptographic Constructions Oded Regev August 7, 2004 Abstract We introduce the use of Fourier analysis on lattices as an integral part of a lattice based construction. The tools we develop
More informationSecure Signatures and Chosen Ciphertext Security in a Quantum Computing World. Dan Boneh and Mark Zhandry Stanford University
Secure Signatures and Chosen Ciphertext Security in a Quantu Coputing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack (CMA) σ = S(sk, ) signing key sk Classical CMA
More informationA Lattice-Based Universal Thresholdizer for Cryptographic Systems
A Lattice-Based Universal Thresholdizer for Cryptographic Systems Dan Boneh Rosario Gennaro Steven Goldfeder Sam Kim Abstract We develop a general approach to thresholdizing a large class of (non-threshold)
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationA Framework to Select Parameters for Lattice-Based Cryptography
A Framework to Select Parameters for Lattice-Based Cryptography Nabil Alkeilani Alkadri, Johannes Buchmann, Rachid El Bansarkhani, and Juliane Krämer Technische Universität Darmstadt Department of Computer
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky Chris Peikert Oded Regev June 25, 2013 Abstract The learning with errors (LWE) problem is to distinguish random linear equations,
More informationOn the concrete hardness of Learning with Errors
On the concrete hardness of Learning with Errors Martin R. Albrecht 1, Rachel Player 1, and Sam Scott 1 Information Security Group, Royal Holloway, University of London Abstract. The Learning with Errors
More informationA New Trapdoor in Modular Knapsack Public-Key Cryptosystem
A New Trapdoor in Modular Knapsack Public-Key Cryptosystem Takeshi Nasako Yasuyuki Murakami Abstract. Merkle and Hellman proposed a first knapsack cryptosystem. However, it was broken because the density
More informationFunctional Encryption for Inner Product Predicates from Learning with Errors
Functional Encryption for Inner Product Predicates from Learning with Errors Shweta Agrawal University of California, Los Angeles shweta@cs.ucla.edu Vinod Vaikuntanathan University of Toronto vinodv@cs.toronto.edu
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More information1 Introduction An old folklore rooted in Brassard's paper [7] states that \cryptography" cannot be based on NPhard problems. However, what Brassard ha
On the possibility of basing Cryptography on the assumption that P 6= N P Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Sha Goldwasser
More informationImproved Zero-knowledge Protocol for the ISIS Problem, and Applications
Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,
More informationCryptography. Most of slides in today s lecture courtesy of Stephen Rudich and Martin Tompa
Cryptography Five or six weeks later, she asked me if I had deciphered the manuscript I told her that I had. Without the key, sir, excuse me if I believe the thing impossible. Do you wish me to name your
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More information