An intro to lattices and learning with errors
|
|
- Chastity Gilmore
- 6 years ago
- Views:
Transcription
1 A way to keep your secrets secret in a post-quantum world
2 Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys on his personal website regev/ (as of Sept 29, 2012)
3 Introduction to LWE 1. Learning with Errors Let p = p(n) poly(n). Consider the noisy linear equations: a 1, s χ b 1 (mod p) a 2, s χ b 2 (mod p). for s Z n $ p, a i Z n p, b i Z p, and error χ : Z p R + on Z p.
4 Introduction to LWE 1. Learning with Errors Let p = p(n) poly(n). Consider the noisy linear equations: a 1, s χ b 1 (mod p) a 2, s χ b 2 (mod p). for s Z n p, a i $ Z n p, b i Z p, and error χ : Z p R + on Z p. Goal: Recover s.
5 Introduction to LWE 1. Learning with Errors Let p = p(n) poly(n). Consider the noisy linear equations: a 1, s χ b 1 (mod p) a 2, s χ b 2 (mod p). for s Z n p, a i $ Z n p, b i Z p, and error χ : Z p R + on Z p. Goal: Recover s. 2. Why we care: Believed hard for quantum algorithms Average-case = worst-case Many crypto applications!
6 Talk Overview. Up next: Intro to lattices 1. Intro to lattices 1.1 What s a lattice? 1.2 Hard lattice problems 2. Gaussians and lattices 3. From lattices to learning 4. From learning to crypto
7 What s a lattice? A lattice is a discrete additive subgroup of R n
8 What s a lattice? A lattice is a discrete additive subgroup of R n A lattice is a set of points in n-dimensional space with a periodic structure
9 What s a lattice? A lattice is a discrete additive subgroup of R n A lattice is a set of points in n-dimensional space with a periodic structure Given n linearly independent vectors v 1,..., v n R n, the lattice they generate is the set of vectors { n } L(v 1,..., v n ) def = α i v i αi Z. i=1
10 What s a lattice? A lattice is a discrete additive subgroup of R n A lattice is a set of points in n-dimensional space with a periodic structure Given n linearly independent vectors v 1,..., v n R n, the lattice they generate is the set of vectors { n } L(v 1,..., v n ) def = α i v i αi Z. The basis B = ( v 1 v 2 i=1 ) v n generates the lattice L(B).
11 More on lattice bases
12 More on lattice bases The gray-shaded region is the fundamental parallelepiped, given by P(B) = {Bx x [0, 1) n }.
13 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 ))
14 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 )) vol(p(b)) = det(b)
15 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 )) vol(p(b)) = det(b) det(b 1 ) = det(b 2 ) iff B 1 = B 2 U for a unimodular matrix U
16 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 )) vol(p(b)) = det(b) det(b 1 ) = det(b 2 ) iff B 1 = B 2 U for a unimodular matrix U A matrix U is unimodular if it is integral and det(u) = ±1.
17 More on the fundamental parallelepiped Useful facts: For bases B 1, B 2, L(B 1 ) = L(B 2 ) vol(p(b 1 )) = vol(p(b 2 )) vol(p(b)) = det(b) det(b 1 ) = det(b 2 ) iff B 1 = B 2 U for a unimodular matrix U A matrix U is unimodular if it is integral and det(u) = ±1. Moral of the story: All lattices have countably infinitely many bases, and given some fixed lattice, all of its possible bases are related by volume-preserving transformations.
18 The dual of a lattice Given a lattice L = L(B), the dual lattice L def = L(B ) is generated by the dual basis B ; the unique basis s.t. B T B = I.
19 The dual of a lattice Given a lattice L = L(B), the dual lattice L def = L(B ) is generated by the dual basis B ; the unique basis s.t. B T B = I. Equivalently, the dual of a lattice L R n is given by } L = {y R n x, y Z, for all x L.
20 The dual of a lattice Given a lattice L = L(B), the dual lattice L def = L(B ) is generated by the dual basis B ; the unique basis s.t. B T B = I. Equivalently, the dual of a lattice L R n is given by } L = {y R n x, y Z, for all x L. Fact. For any L = L(B), L = L(B ), vol(p(b)) = 1 vol(p(b )).
21 Lattice problems Defn: λ 1 (L) is the length of the shortest nonzero vector in L
22 Lattice problems Defn: λ 1 (L) is the length of the shortest nonzero vector in L 1. GapSVP γ Input: n-dimensional lattice L and a number d > 0 Output: YES if λ1 (L) d; NO if λ 1 (L) > γ(n) d
23 Lattice problems Defn: λ 1 (L) is the length of the shortest nonzero vector in L 1. GapSVP γ Input: n-dimensional lattice L and a number d > 0 Output: YES if λ1 (L) d; NO if λ 1 (L) > γ(n) d 2. CVP L,d Input: n-dimensional (dual) lattice L and a point x R n within distance d of L Output: the closest vector in L to x
24 Lattice problems Defn: λ 1 (L) is the length of the shortest nonzero vector in L 1. GapSVP γ Input: n-dimensional lattice L and a number d > 0 Output: YES if λ1 (L) d; NO if λ 1 (L) > γ(n) d 2. CVP L,d Input: n-dimensional (dual) lattice L and a point x R n within distance d of L Output: the closest vector in L to x 3. Other common lattice problems: Shortest Independent Vectors Problem (SIVP), Covering Radius Problem (CRP), Bounded Distance Decoding (BDD), Discrete Gaussian Sampling Problem (DGS), Generalized Independent Vectors Problem (GIVP)
25 Complexity of (Gap)SVP and (Gap)CVP (and SIVP) Moral of the story: We can get Õ(2 n )-approximate solutions in polynomial time. Constant-factor approximations are NP-hard. The best algorithms for anything in between require Ω(2 n ) time.
26 Talk Overview. Up next: Gaussians and lattices 1. Intro to lattices 2. Gaussians and lattices 2.1 Uniformly sampling space 2.2 D L,r : The discrete Gaussian of width r on a lattice L 3. From lattices to learning 4. From learning to crypto
27 Uniformly sampling space Question: How do you uniformly sample over an unbounded range? Eg, how do you uniformly sample x Z?
28 Uniformly sampling space Question: How do you uniformly sample over an unbounded range? Eg, how do you uniformly sample x Z? Answer: You can t!
29 Uniformly sampling space Question: How do you uniformly sample over an unbounded range? Eg, how do you uniformly sample x Z? Answer: You can t! The lattice answer : Sample uniformly from Z p ; view Z as being partitioned by copies of Z p
30 Uniformly sampling space Question: How do you uniformly sample from R n?
31 Uniformly sampling space Question: How do you uniformly sample from R n? Answer: You can t!
32 Uniformly sampling space Question: How do you uniformly sample from R n? Answer: You can t! The lattice answer : Sample uniformly from the fundamental parallelepiped of a lattice.
33 Lattices with Gaussian noise A related question: What does a lattice look like when you smudge the lattice points with Gaussian-distributed noise?
34 Lattices with Gaussian noise A related question: What does a lattice look like when you smudge the lattice points with Gaussian-distributed noise? Answer: R n Left-to-right: PDFs of Gaussians centered at lattice points with increasing standard deviation
35 The discrete Gaussian: D L,r Denote by D L,r the discrete Gaussian on a lattice L of width r
36 The discrete Gaussian: D L,r Denote by D L,r the discrete Gaussian on a lattice L of width r Define the smoothing parameter, η ɛ (L), as the least width s.t. D L,r is at most ɛ-far from the continuous Gaussian (over L).
37 The discrete Gaussian: D L,r Denote by D L,r the discrete Gaussian on a lattice L of width r Define the smoothing parameter, η ɛ (L), as the least width s.t. D L,r is at most ɛ-far from the continuous Gaussian (over L). Important fact. η negl(n) (L) = ω( log n) Θ( n)
38 Talk Overview. Up next: From lattices to learning 1. Intro to lattices 2. Gaussians and lattices 3. From lattices to learning 3.1 Reduction sketch: GapSVP to LWE 4. From learning to crypto
39 Reduction from GapSVP to LWE Overview Reduction sketch 1. Our goal: Prove LWE is hard 2. Reduction outline 2.1 Why quantum? 3. Classical step: D L,r + LWE oracle CVP L,αp/r oracle 4. Quantum step: CVP L,αp/r oracle D L,r n/(αp) 4.1 Note: (η ɛ (L) ) αp > 2 n D L,r n/(αp) D L,<r/2 5. Conclude: Either LWE is hard, or the complexity landscape turns into a war zone 5.1 War zone: At least 4 or 5 good complexity classes had to give their lives to ensure stability that sort of thing.
40 Reduction outline: GapSVP to LWE LLL Basis Reduction algorithm: In polytime, given an arbitrary L(B) outputs a new basis B of length at most 2 n times the shortest basis. GOAL: Given an arbitrary lattice L, output a very short vector, or decide none exist.
41 Reduction outline: GapSVP to LWE LLL Basis Reduction algorithm: In polytime, given an arbitrary L(B) outputs a new basis B of length at most 2 n times the shortest basis. GOAL: Given an arbitrary lattice L, output a very short vector, or decide none exist. Let r i denote r (αp/ n) i for i = 3n, 3n 1,..., 1 and r O(n/α). (Imagine α 1/n 1.5, so r n 1.5 n.) Using LLL, generate B, and using B, draw n c samples from D L,r3n.
42 Reduction outline: GapSVP to LWE LLL Basis Reduction algorithm: In polytime, given an arbitrary L(B) outputs a new basis B of length at most 2 n times the shortest basis. GOAL: Given an arbitrary lattice L, output a very short vector, or decide none exist. Let r i denote r (αp/ n) i for i = 3n, 3n 1,..., 1 and r O(n/α). (Imagine α 1/n 1.5, so r n 1.5 n.) Using LLL, generate B, and using B, draw n c samples from D L,r3n. For i = 3n,...1, Call IterativeStep n c times, using the n c samples from D L,ri to produce 1 sample from D L,ri 1 each time. Output a sample from D L,r0 = D L,r.
43 The iterative step Two steps: (1) classical, (2) quantum
44 Why quantum? Let L be a lattice. Let d λ 1 (L). You are given an oracle O that, on input x R n within distance d from L, outputs the closest lattice vector to x. (Caveat: If x of distance > d from L, O s output is arbitrary.) How do you use O?
45 Why quantum? Let L be a lattice. Let d λ 1 (L). You are given an oracle O that, on input x R n within distance d from L, outputs the closest lattice vector to x. (Caveat: If x of distance > d from L, O s output is arbitrary.) How do you use O? One idea: Choose some lattice vector y L. Let x = y + z with z d. Give x to O.
46 Why quantum? Let L be a lattice. Let d λ 1 (L). You are given an oracle O that, on input x R n within distance d from L, outputs the closest lattice vector to x. (Caveat: If x of distance > d from L, O s output is arbitrary.) How do you use O? One idea: Choose some lattice vector y L. Let x = y + z with z d. Give x to O. But then O(x) = y!
47 Why quantum? Let L be a lattice. Let d λ 1 (L). You are given an oracle O that, on input x R n within distance d from L, outputs the closest lattice vector to x. (Caveat: If x of distance > d from L, O s output is arbitrary.) How do you use O? One idea: Choose some lattice vector y L. Let x = y + z with z d. Give x to O. But then O(x) = y! But quantumly, knowing how to compute y given only y + z is useful it allows us to uncompute a register containing y.
48 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Let D be a probability distribution on a lattice L. Consider the Fourier transform f : R n C, given by f (x) def = y L D(y)exp(2πi x, y ) = E y D [exp(2πi x, y )]
49 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Let D be a probability distribution on a lattice L. Consider the Fourier transform f : R n C, given by f (x) def = y L D(y)exp(2πi x, y ) = E y D [exp(2πi x, y )] Using Hoeffding s inequality, if y 1,..., y N are N = poly(n) independent samples from D, then w.h.p. f (x) 1 N N exp(2πi x, y j ) j=1
50 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Applying this idea to D L,r, we get a good approximation of its Fourier transform, denoted f 1/r. Note f 1/r is L -periodic.
51 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Applying this idea to D L,r, we get a good approximation of its Fourier transform, denoted f 1/r. Note f 1/r is L -periodic. It can be shown that 1/r λ 1 (L ), so we have f 1/r (x) exp( π(r dist(l, x)) 2 )
52 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Attempt #1: Using samples from D L,r, we repeatedly compute approximations to f 1/r and attempt to walk uphill to find the peak (a dual lattice point).
53 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Attempt #1: Using samples from D L,r, we repeatedly compute approximations to f 1/r and attempt to walk uphill to find the peak (a dual lattice point). The problem: This procedure only gives a method to solve CVP L,1/r. (Beyond that distance, the value of f 1/r becomes negligible.) Plugging this into our iterative step means we go from D L,r to D L,r n, which is the wrong direction!
54 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Attempt #1: Using samples from D L,r, we repeatedly compute approximations to f 1/r and attempt to walk uphill to find the peak (a dual lattice point). The problem: This procedure only gives a method to solve CVP L,1/r. (Beyond that distance, the value of f 1/r becomes negligible.) Plugging this into our iterative step means we go from D L,r to D L,r n, which is the wrong direction! Goal: We need a FATTER Fourier transform!
55 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Equivalently, we need tighter samples! Attempt #2: Take samples from D L,r and just divide every coordinate by p. This gives samples from D L/p,r/p, where L/p is L scaled down by a factor of p.
56 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Equivalently, we need tighter samples! Attempt #2: Take samples from D L,r and just divide every coordinate by p. This gives samples from D L/p,r/p, where L/p is L scaled down by a factor of p. That is, the lattice L/p consists of p n translates of L. Label these p n translates by vectors from Z n p.
57 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Equivalently, we need tighter samples! Attempt #2: Take samples from D L,r and just divide every coordinate by p. This gives samples from D L/p,r/p, where L/p is L scaled down by a factor of p. That is, the lattice L/p consists of p n translates of L. Label these p n translates by vectors from Z n p. It can be shown that r/p > η ɛ (L), which implies D L/p,r/p is uniform over the set of L + La/p, for a Z n p For any choice of a Z n p, L + La/p (modulo the parallelepiped) corresponds to a choice of translate
58 Classical step: D L,r + LWE oracle CVP L,αp/r oracle This motivates defining a new distribution, D with samples (a, y) obtained by: 1. y D L/p,r/p 2. a Z n p s.t. y L + La/p ( Complicated to analyze..?)
59 Classical step: D L,r + LWE oracle CVP L,αp/r oracle This motivates defining a new distribution, D with samples (a, y) obtained by: 1. y D L/p,r/p 2. a Z n p s.t. y L + La/p ( Complicated to analyze..?) From the previous slide, we know that we can obtain D from D L,r.
60 Classical step: D L,r + LWE oracle CVP L,αp/r oracle This motivates defining a new distribution, D with samples (a, y) obtained by: 1. y D L/p,r/p 2. a Z n p s.t. y L + La/p ( Complicated to analyze..?) From the previous slide, we know that we can obtain D from D L,r. Also, we know that D is equivalently obtained by: 1. First, a $ Z n p ( Ahh! Much nicer. :)) 2. Then, y D L+La/p,r/p
61 Classical step: D L,r + LWE oracle CVP L,αp/r oracle This motivates defining a new distribution, D with samples (a, y) obtained by: 1. y D L/p,r/p 2. a Z n p s.t. y L + La/p ( Complicated to analyze..?) From the previous slide, we know that we can obtain D from D L,r. Also, we know that D is equivalently obtained by: 1. First, a $ Z n p ( Ahh! Much nicer. :)) 2. Then, y D L+La/p,r/p The width of the discrete Gaussian samples y is tighter now!..
62 Classical step: D L,r + LWE oracle CVP L,αp/r oracle How about the Fourier transform of D? It s wider now! But...
63 Classical step: D L,r + LWE oracle CVP L,αp/r oracle How about the Fourier transform of D? It s wider now! But... The problem: Each hill of f p/r now has its own phase. Do we climb up or down? Two examples of the Fourier transform of D L+La/p,r/p with a=(0,0) (left) and a=(1,1) (right).
64 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Key observation #1: For x L, each sample (a, y) D gives a linear equation a, τ(x) = p x, y mod p for a $ Z n p. After about n equations, we can use Gaussian elimination to recover τ(x) Z n p. What if x L?
65 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Key observation #2: For x close to L, each sample (a, y) D gives a linear equation with error a, τ(x) p x, y mod p for a $ Z n p. After poly(n) equations, we use the LWE oracle to recover τ(x) Z n p. (NOTE: error = τ(x) 2 )
66 Classical step: D L,r + LWE oracle CVP L,αp/r oracle Key observation #2: For x close to L, each sample (a, y) D gives a linear equation with error a, τ(x) p x, y mod p for a $ Z n p. After poly(n) equations, we use the LWE oracle to recover τ(x) Z n p. (NOTE: error = τ(x) 2 ) This lets us compute the phase exp(2πi a, τ(x) /p), and hence recover the closest dual lattice vector to x. Classical step DONE.
67 Quantum step: CVP L,αp/r oracle D L,r n/(αp) Observe: CVP L,αp/r D L,r n/(αp) = CVP L, n/r D L,r
68 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r.
69 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r. GOAL: Get a quantum state corresponding to f 1/r (on the dual lattice) and use the quantum Fourier transform to get D L,r (on the primal lattice). We will use the promised CVP oracle to do so.
70 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r. GOAL: Get a quantum state corresponding to f 1/r (on the dual lattice) and use the quantum Fourier transform to get D L,r (on the primal lattice). We will use the promised CVP oracle to do so. 1. Create a uniform superposition on L : x L x.
71 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r. GOAL: Get a quantum state corresponding to f 1/r (on the dual lattice) and use the quantum Fourier transform to get D L,r (on the primal lattice). We will use the promised CVP oracle to do so. 1. Create a uniform superposition on L : x L x. 2. On a separate register, create a Gaussian state of width 1/r: z R n exp( π rz 2 ) z.
72 New quantum step: CVP L, n/roracle D L,r Ok, let s give a solution for CVP L, n/r D L,r. GOAL: Get a quantum state corresponding to f 1/r (on the dual lattice) and use the quantum Fourier transform to get D L,r (on the primal lattice). We will use the promised CVP oracle to do so. 1. Create a uniform superposition on L : x L x. 2. On a separate register, create a Gaussian state of width 1/r: z R n exp( π rz 2 ) z. 3. The combined system state is written: x L,z R n exp( π rz 2 ) x, z.
73 New quantum step: CVP L, n/roracle D L,r Key rule: All quantum computations must be reversible.
74 New quantum step: CVP L, n/roracle D L,r Key rule: All quantum computations must be reversible. 1. Add the first register to the second (reversible) to obtain: x L,z R n exp( π rz 2 ) x, x + z.
75 New quantum step: CVP L, n/roracle D L,r Key rule: All quantum computations must be reversible. 1. Add the first register to the second (reversible) to obtain: x L,z R n exp( π rz 2 ) x, x + z. 2. Since we have a CVP L, n/r oracle we can compute x from x + z. Therefore, we can uncompute the first register: exp( π rz 2 ) x + z f 1/r (z) z. x L,z R n z R n
76 New quantum step: CVP L, n/roracle D L,r Key rule: All quantum computations must be reversible. 1. Add the first register to the second (reversible) to obtain: x L,z R n exp( π rz 2 ) x, x + z. 2. Since we have a CVP L, n/r oracle we can compute x from x + z. Therefore, we can uncompute the first register: exp( π rz 2 ) x + z f 1/r (z) z. x L,z R n z R n 3. Finally, apply the quantum Fourier transform to obtain D L,r (y) y, y L and measure it to obtain a sample from D L,r.
77 Talk Overview. Up next: From learning to crypto 1. Intro to lattices 2. Gaussians and lattices 3. From lattices to learning 4. From learning to crypto 4.1 Regev s PKE scheme from LWE
78 Decisional Learning with Errors (DLWE) For positive integers n and q 2, a secret s Z n q, and a distribution χ on Z, define A s,χ as the distribution obtained by drawing a $ Z n q uniformly at random and a noise term e $ χ, and outputting (a, b) = (a, a, s + e (mod q)) Z n q Z q.
79 Decisional Learning with Errors (DLWE) For positive integers n and q 2, a secret s Z n q, and a distribution χ on Z, define A s,χ as the distribution obtained by drawing a $ Z n q uniformly at random and a noise term e $ χ, and outputting (a, b) = (a, a, s + e (mod q)) Z n q Z q. (DLWE n,q,χ ). An adversary gets oracle access to either A s,χ or U(Z n q Z q ) and aims to distinguish (with non-negligible advantage) which is the case.
80 Decisional Learning with Errors (DLWE) For positive integers n and q 2, a secret s Z n q, and a distribution χ on Z, define A s,χ as the distribution obtained by drawing a $ Z n q uniformly at random and a noise term e $ χ, and outputting (a, b) = (a, a, s + e (mod q)) Z n q Z q. (DLWE n,q,χ ). An adversary gets oracle access to either A s,χ or U(Z n q Z q ) and aims to distinguish (with non-negligible advantage) which is the case. Theorem. Let B ω(log n) n. There exists an efficiently sampleable distribution χ with χ < B (meaning, χ is supported only on [ B, B]) s.t. if an efficient algorithm solves the average-case DLWE n,q,χ problem, then there is an efficient quantum algorithm that solves GapSVPÕ(n q/b) on any n-dimensional lattice.
81 Regev s PKE scheme 1. SecretKeyGen(1 n ): Sample s $ Z n q. Output sk = s.
82 Regev s PKE scheme 1. SecretKeyGen(1 n ): Sample s $ Z n q. Output sk = s. 2. PublicKeyGen(s): Let N def = O(n log q). Sample A $ Z N n q and e $ χ N. Compute b = A s + e (mod q), and define Output pk = P. P def = [b A] Z N (n+1) q.
83 Regev s PKE scheme 1. SecretKeyGen(1 n ): Sample s $ Z n q. Output sk = s. 2. PublicKeyGen(s): Let N def = O(n log q). Sample A $ Z N n q and e $ χ N. Compute b = A s + e (mod q), and define P def = [b A] Z N (n+1) q. Output pk = P. 3. Enc pk (m): To encrypt a message m {0, 1} using pk = P, sample r {0, 1} N and output the ciphertext q c = P T r + m mod q Z n+1 q, 2 where m def = (m, 0,..., 0) {0, 1} n+1.
84 Regev s PKE scheme 1. SecretKeyGen(1 n ): Sample s $ Z n q. Output sk = s. 2. PublicKeyGen(s): Let N def = O(n log q). Sample A $ Z N n q and e $ χ N. Compute b = A s + e (mod q), and define P def = [b A] Z N (n+1) q. Output pk = P. 3. Enc pk (m): To encrypt a message m {0, 1} using pk = P, sample r {0, 1} N and output the ciphertext q c = P T r + m mod q Z n+1 q, 2 where m def = (m, 0,..., 0) {0, 1} n Dec sk (c): To decrypt c Z n+1 q using secret key sk = s, compute 2 m = ( c, (1, s) mod q) mod 2. q
85 Regev s PKE scheme: Correctness Encryption noise. Let all parameters be as before. Then for some e where e N B, c, (1, s) = q 2 m + e (mod q).
86 Regev s PKE scheme: Correctness Encryption noise. Let all parameters be as before. Then for some e where e N B, c, (1, s) = q 2 m + e (mod q). q Proof. c, (1, s) = P T r + m, (1, s) (mod q) 2 q = m + r T P (1, s) (mod q) 2 q = m + r T b r T As (mod q) 2 q = m + r, e (mod q), 2 and r, e r 1 e = N B.
87 Regev s PKE scheme: Correctness Encryption noise. Let all parameters be as before. Then for some e where e N B, c, (1, s) = q 2 m + e (mod q). q Proof. c, (1, s) = P T r + m, (1, s) (mod q) 2 q = m + r T P (1, s) (mod q) 2 q = m + r T b r T As (mod q) 2 q = m + r, e (mod q), 2 and r, e r 1 e = N B. Decryption noise. We re good to go as long as noise q/2 /2!
88 Regev s PKE scheme: Security Let n, q, χ be chosen so that DLWE n,q,χ holds. Then for any m {0, 1}, the joint distribution ( (P, c) is computationally Z N (n+1) q Z n+1 q indistinguishable from U from Regev s PKE scheme. ), where P and c come
89 That s all. :)
Proving Hardness of LWE
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 22/2/2012 Proving Hardness of LWE Bar-Ilan University Dept. of Computer Science (based on [R05, J. of the ACM])
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationMaster of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption
Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption Maximilian Fillinger August 18, 01 1 Preliminaries 1.1 Notation Vectors and matrices are denoted by bold lowercase
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationLattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption
Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption Boaz Barak May 12, 2008 The first two sections are based on Oded Regev s lecture notes, and the third one on
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationLecture 7 Limits on inapproximability
Tel Aviv University, Fall 004 Lattices in Computer Science Lecture 7 Limits on inapproximability Lecturer: Oded Regev Scribe: Michael Khanevsky Let us recall the promise problem GapCVP γ. DEFINITION 1
More informationHard Instances of Lattice Problems
Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas
More informationCOS 598D - Lattices. scribe: Srdjan Krstic
COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific
More informationUNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.
Department of Electrical and Computing Engineering UNIVERSITY OF CONNECTICUT CSE 5095-004 (15626) & ECE 6095-006 (15284) Secure Computation and Storage: Spring 2016 Oral Exam: Theory There are three problem
More informationDwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP
The unique-svp World 1. Ajtai-Dwork Dwork 97/07, Regev 03 PKE from worst-case usvp 2. Lyubashvsky-Micciancio Micciancio 09 Shai Halevi, IBM, July 2009 Relations between worst-case usvp,, BDD, GapSVP Many
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationADVERTISING AGGREGATIONARCHITECTURE
SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED
More informationOn the Leakage Resilience of Ideal-Lattice Based Public Key Encryption
On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni, and Aria Shahverdi University of Maryland, College Park, USA danadach@ece.umd.edu,
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky 1 and Daniele Micciancio 2 1 School of Computer Science, Tel Aviv University Tel Aviv 69978, Israel.
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationUpper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China
Λ A Huiwen Jia 1, Chunming Tang 1, Yanhua Zhang 2 hwjia@gzhu.edu.cn, ctang@gzhu.edu.cn, and yhzhang@zzuli.edu.cn 1 Key Laboratory of Information Security, School of Mathematics and Information Science,
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationFully Homomorphic Encryption without Modulus Switching from Classical GapSVP
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University zvika@stanford.edu Abstract. We present a new tensoring techniue for LWE-based fully homomorphic
More informationLizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR Jung Hee Cheon 1, Duhyeong Kim 1, Joohee Lee 1, and Yongsoo Song 1 1 Seoul National University (SNU), Republic of
More informationLattice Basis Reduction Part 1: Concepts
Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25, 2011, revised February 2012
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationLimits on the Hardness of Lattice Problems in l p Norms
Electronic Colloquium on Computational Complexity, Report No. 148 (2006) Limits on the Hardness of Lattice Problems in l p Norms Chris Peikert December 3, 2006 Abstract We show that for any p 2, lattice
More informationFaster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationProxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012
Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012 Manh Ha Nguyen Tokyo Institute of Technology Toshiyuki Isshiki 1,2 and Keisuke Tanaka 2 1 NEC Corporation 2 Tokyo Institute of
More informationCSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationEfficient Lattice (H)IBE in the Standard Model
Efficient Lattice (H)IBE in the Standard Model Shweta Agrawal University of Texas, Austin Dan Boneh Stanford University Xavier Boyen PARC Abstract We construct an efficient identity based encryption system
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert Alon Rosen November 26, 2006 Abstract We demonstrate an average-case problem which is as hard as finding γ(n)-approximate
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More information1: Introduction to Lattices
CSE 206A: Lattice Algorithms and Applications Winter 2012 Instructor: Daniele Micciancio 1: Introduction to Lattices UCSD CSE Lattices are regular arrangements of points in Euclidean space. The simplest
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More information1 Shortest Vector Problem
Lattices in Cryptography University of Michigan, Fall 25 Lecture 2 SVP, Gram-Schmidt, LLL Instructor: Chris Peikert Scribe: Hank Carter Shortest Vector Problem Last time we defined the minimum distance
More informationLimits on the Hardness of Lattice Problems in l p Norms
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 148 (2006) Limits on the Hardness of Lattice Problems in l p Norms Chris Peikert 15 February, 2007 Abstract We show that several
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationSolving LPN Using Covering Codes
Solving LPN Using Covering Codes Qian Guo 1,2 Thomas Johansson 1 Carl Löndahl 1 1 Dept of Electrical and Information Technology, Lund University 2 School of Computer Science, Fudan University ASIACRYPT
More informationNew Lattice Based Cryptographic Constructions
New Lattice Based Cryptographic Constructions Oded Regev August 7, 2004 Abstract We introduce the use of Fourier analysis on lattices as an integral part of a lattice based construction. The tools we develop
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationA Framework to Select Parameters for Lattice-Based Cryptography
A Framework to Select Parameters for Lattice-Based Cryptography Nabil Alkeilani Alkadri, Johannes Buchmann, Rachid El Bansarkhani, and Juliane Krämer Technische Universität Darmstadt Department of Computer
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky, Chris Peikert, and Oded Regev Abstract. The learning with errors (LWE) problem is to distinguish random linear equations, which
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationCSE 206A: Lattice Algorithms and Applications Spring Minkowski s theorem. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Minkowski s theorem Instructor: Daniele Micciancio UCSD CSE There are many important quantities associated to a lattice. Some of them, like the
More informationCSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Winter 2016 The dual lattice Instructor: Daniele Micciancio UCSD CSE 1 Dual Lattice and Dual Basis Definition 1 The dual of a lattice Λ is the set ˆΛ of all
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationCS259C, Final Paper: Discrete Log, CDH, and DDH
CS259C, Final Paper: Discrete Log, CDH, and DDH Deyan Simeonov 12/10/11 1 Introduction and Motivation In this paper we will present an overview of the relations between the Discrete Logarithm (DL), Computational
More informationLimits on the Hardness of Lattice Problems in l p Norms
Limits on the Hardness of Lattice Problems in l p Norms Chris Peikert Abstract Several recent papers have established limits on the computational difficulty of lattice problems, focusing primarily on the
More informationPost-Quantum Commitment Schemes
Darmstadt University of Technology Department of Computer Science Cryptography and Computeralgebra Master Thesis May 2015 Post-Quantum Commitment Schemes Nabil Alkeilani Alkadri Darmstadt University of
More informationQuantum FHE (Almost) As Secure as Classical
Quantum FHE (Almost) As Secure as Classical Zvika Brakerski Abstract Fully homomorphic encryption schemes (FHE) allow to apply arbitrary efficient computation to encrypted data without decrypting it first.
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationPost Quantum Cryptography
Malaysian Journal of Mathematical Sciences 11(S) August: 1-28 (2017) Special Issue: The 5th International Cryptology and Information Security Conference (New Ideas in Cryptology) MALAYSIAN JOURNAL OF MATHEMATICAL
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More information