Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus
Chris Peikert (University of Michigan), Oded Regev, Noah Stephens-Davidowitz
(to appear, STOC 17), 10 March

Lattice-Based Cryptography
(Figure: the classical assumptions $y = g^x \bmod p$, $m^e \bmod N$, $e(g^a, g^b)$, $N = p \cdot q$ next to a lattice; images courtesy xkcd.org.)
Main Attractions
- Efficient: linear, embarrassingly parallel operations
- Resists quantum attacks (so far)
- Security from worst-case assumptions
- Solutions to holy grail problems in crypto: FHE and related

Learning With Errors [Regev 05]
Parameters: dimension n, integer modulus q, error rate α.
Search: find the secret $s \in \mathbb{Z}_q^n$ given many noisy inner products
  $a_1 \leftarrow \mathbb{Z}_q^n,\quad b_1 = \langle a_1, s\rangle + e_1 \in \mathbb{Z}_q$
  $a_2 \leftarrow \mathbb{Z}_q^n,\quad b_2 = \langle a_2, s\rangle + e_2 \in \mathbb{Z}_q$
  ...
where each $e_i$ is Gaussian error of width $\alpha q$.
Decision: distinguish $(a_i, b_i)$ from uniform $(a_i, b_i)$.
LWE is Hard and Versatile
  worst-case $(n/\alpha)$-SIVP on n-dim lattices → (quantum [R 05]) search-LWE → ([BFKL 93, R 05, ...]) decision-LWE → much crypto
  Classically, GapSVP → search-LWE (worse params) [P 09, BLPRS 13]

LWE Hardness and Parameters
Parameters: dimension n, integer modulus q, error rate α.
Worst-case SIVP → Search-LWE: one reduction for the best known parameters, any $q \geq \sqrt{n}/\alpha$ [R 05].
Search-LWE → Decision-LWE: messy. Many incomparable reductions for different forms of q:
- Any prime q = poly(n) [R 05]
- Any somewhat smooth $q = p_1 \cdots p_t$ (large enough primes $p_i$) [P 09]
- Any $q = p^e$ for large enough prime p [ACPS 09]
- Any $q = \prod_i p_i^{e_i}$ with uniform error mod each $p_i$ [MM 11]
- Any $q = p^e$, but increases α [MP 12]
- Any q via mod-switching, but increases α [P 09, BV 11, BLPRS 13]
Increasing q, α yields a weaker ultimate hardness guarantee.
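The last item of the list, modulus switching, is the one trick a practitioner meets in real parameter sets, so here is an added worked example (my own code, not from the talk or its authors) showing why it "increases α": scaling a sample from modulus q down to q' and rounding leaves a valid sample mod q', but the rounding offsets, weighted by the secret, land in the error term. The example assumes a small (ternary) secret, as in the normal-form / small-secret LWE variants those reductions use; the parameter values (n = 16, q = 4093, q' = 257, width 3) are toy choices, and all function names are mine.

```python
"""Added example, not from the talk: modulus switching of LWE samples from q
to a smaller q', and the error growth that makes the reductions "increase
alpha".  Assumes a small (ternary) secret, as in the normal-form / small-secret
LWE variants these reductions use; all parameter values are my own toy choices."""
import random


def center(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def make_samples(s, q, sigma, m, rng):
    """m LWE samples (a_i, b_i = <a_i, s> + e_i mod q); e_i is returned so it can be measured."""
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in s]
        e = round(rng.gauss(0, sigma))          # rounded Gaussian, stand-in for D_{alpha q}
        b = (sum(x * y for x, y in zip(a, s)) + e) % q
        out.append((a, b, e))
    return out


def mod_switch(a, b, q, q2):
    """Scale every entry by q2/q and round: (a, b) mod q  ->  (a', b') mod q2."""
    def scale(x):
        return round(x * q2 / q) % q2
    return [scale(x) for x in a], scale(b)


def residual(a, b, s, q):
    """Centered b - <a, s> mod q, i.e. the error term hidden in the sample."""
    return center(b - sum(x * y for x, y in zip(a, s)), q)


def switch_and_measure(seed=7, n=16, q=4093, q2=257, sigma=3.0, m=20):
    """Switch m samples and compare each new error e' against the bound
       |e'| <= |e| * q2/q + (||s||_1 + 1) / 2,
    which follows from b' - <a', s> = e*q2/q + delta_b - <delta_a, s>  (mod q2)
    with every rounding offset delta in [-1/2, 1/2]."""
    rng = random.Random(seed)
    s = [rng.choice((-1, 0, 1)) for _ in range(n)]   # small secret (assumption)
    l1 = sum(abs(x) for x in s)
    rows = []
    for a, b, e in make_samples(s, q, sigma, m, rng):
        a2, b2 = mod_switch(a, b, q, q2)
        e2 = residual(a2, b2, s, q2)
        rows.append((e, e2, abs(e) * q2 / q + (l1 + 1) / 2))
    rate_before = max(abs(e) for e, _, _ in rows) / q      # alpha before switching
    rate_after = max(abs(e2) for _, e2, _ in rows) / q2     # alpha after switching
    return rows, rate_before, rate_after


if __name__ == "__main__":
    rows, before, after = switch_and_measure()
    for e, e2, bound in rows[:5]:
        print(f"e = {e:3d}  ->  e' = {e2:3d}   (bound {bound:.1f})")
    print(f"error rate alpha: {before:.4f} before, {after:.4f} after switching")
```

The absolute error shrinks by the factor q'/q, but the rounding term of size about $\|s\|_1/2$ does not, so the error rate $|e'|/q'$ ends up larger than $|e|/q$; that is the "increases α" in the slide. With a uniform secret in $\mathbb{Z}_q^n$ the rounding term would be of order q' and the switched sample would carry no information at all, which is why the trick needs a small secret.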

LWE is Efficient (Sort Of)
$\langle a_i, s\rangle + e = b \in \mathbb{Z}_q$: getting one pseudorandom scalar requires an n-dimensional inner product mod q.
- Can amortize each $a_i$ over many secrets $s_j$, but still $\tilde{O}(n)$ work per scalar output.
- Cryptosystems have rather large keys, $\Omega(n^2 \log^2 q)$ bits: pk = (A, b), where A has n columns and $\Omega(n)$ rows.

Wishful Thinking
(Figure: vectors $a_i \cdot s + e_i = b_i \in \mathbb{Z}_q^n$.)
Get n pseudorandom scalars from just one cheap product operation?
Question: how to define the product $\cdot$ so that $(a_i, b_i)$ is pseudorandom?
Careful! With small error, coordinate-wise multiplication is insecure! (Each coordinate $b_i[j] = a_i[j] \cdot s[j] + e_i[j]$ is then an independent one-dimensional LWE instance, and $s[j]$ is found by trying all q values.)
Answer: $\cdot$ = multiplication in a polynomial ring, e.g., $\mathbb{Z}_q[X]/(X^n + 1)$. Fast and practical with FFT: $n \log n$ operations mod q.
Same ring structures are used in the NTRU cryptosystem [HPS 98], and in compact one-way / collision-resistant hash functions [Mic 02, PR 06, LM 06, ...].
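An added worked example (my own code, not from the talk or its authors) for the LWE definition above and for this slide's warning: it generates samples under the insecure coordinate-wise product and under multiplication in $\mathbb{Z}_q[X]/(X^n + 1)$, then runs the obvious per-coordinate brute-force attack against both. The toy parameters (n = 8, q = 257, error width about 2, 12 samples), the rounded continuous Gaussian used as the error, and every function name are my own choices; the ring product is schoolbook rather than an NTT so the example stays short.

```python
"""Added example, not from the talk: LWE samples, the insecure "coordinate-wise"
product from the Wishful Thinking slide, and the ring product Z_q[X]/(X^n + 1)
that replaces it.  Toy parameters (n = 8, q = 257, error width ~2) are my own
choices; the error is a rounded continuous Gaussian, a stand-in for D_{alpha q}."""
import random


def center(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def negacyclic_mul(f, g, q):
    """Product in Z_q[X]/(X^n + 1): schoolbook convolution with X^n = -1.
    (A negacyclic NTT does this in O(n log n); schoolbook keeps the demo short.)"""
    n = len(f)
    h = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < n:
                h[k] = (h[k] + fi * gj) % q
            else:                               # X^(i+j) = -X^(i+j-n)
                h[k - n] = (h[k - n] - fi * gj) % q
    return h


def coordwise(a, s, q):
    """The insecure product: b[j] = a[j] * s[j]."""
    return [(x * y) % q for x, y in zip(a, s)]


def make_samples(s, q, sigma, m, rng, product):
    """m samples (a_i, b_i = product(a_i, s) + e_i mod q) with a_i uniform in Z_q^n."""
    n = len(s)
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        e = [round(rng.gauss(0, sigma)) for _ in range(n)]
        b = [(x + y) % q for x, y in zip(product(a, s, q), e)]
        out.append((a, b))
    return out


def per_coordinate_attack(sm, q):
    """For each j, choose the v in Z_q making the residues b_i[j] - a_i[j] * v
    small (least squares over all q candidates).  Under the coordinate-wise
    product each coordinate is an independent 1-dim LWE instance, so this
    recovers s[j] with q guesses per coordinate, n * q guesses in total."""
    n = len(sm[0][0])
    return [
        min(range(q), key=lambda v: sum(center(b[j] - a[j] * v, q) ** 2 for a, b in sm))
        for j in range(n)
    ]


def residual(a, b, s, q, product):
    """Centered b - product(a, s) mod q: equals the error e if (a, b) is a sample under s."""
    return [center(x - y, q) for x, y in zip(b, product(a, s, q))]


def max_residual(seed=5, n=8, q=257, sigma=2.0, m=5):
    """Largest |b_i - a_i * s| over fresh ring samples: small, since it is just the error."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    return max(abs(x) for a, b in make_samples(s, q, sigma, m, rng, negacyclic_mul)
               for x in residual(a, b, s, q, negacyclic_mul))


def demo(seed=1, n=8, q=257, sigma=2.0, m=12):
    """Run the per-coordinate attack against both products with the same secret."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    guess_cw = per_coordinate_attack(make_samples(s, q, sigma, m, rng, coordwise), q)
    guess_ring = per_coordinate_attack(make_samples(s, q, sigma, m, rng, negacyclic_mul), q)
    return s, guess_cw, guess_ring


if __name__ == "__main__":
    s, cw, ring = demo()
    print("secret              ", s)
    print("coordinate-wise     ", cw, "recovered" if cw == s else "failed")
    print("ring Z_q[X]/(X^n+1) ", ring, "recovered" if ring == s else "failed")
```

Against the coordinate-wise product the attack costs n·q guesses and recovers the secret exactly; against the ring product every coordinate of $b_i$ depends on every coordinate of s, the residues for a wrong guess look uniform, and the same attack returns noise. The residual function is the "decryption" check: subtracting $a_i \cdot s$ from a genuine sample leaves only the small error.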

Learning With Errors over Rings (Ring-LWE) [LPR 10]
- Ring R, often $R = \mathbb{Z}[X]/(f(X))$ for irreducible f of degree n (or $R = \mathcal{O}_K$)
- Has a dual ideal $R^\vee$ (w.r.t. the canonical geometry)
- Integer modulus q defining $R_q := R/qR$ and $R_q^\vee := R^\vee/qR^\vee$
- Gaussian error of width $\alpha q$ over $R^\vee$
Search: find the secret ring element $s \in R_q^\vee$, given independent samples
  $a_1 \leftarrow R_q,\quad b_1 = a_1 \cdot s + e_1 \in R_q^\vee$
  $a_2 \leftarrow R_q,\quad b_2 = a_2 \cdot s + e_2 \in R_q^\vee$
  ...
Decision: distinguish $(a_i, b_i)$ from uniform $(a_i, b_i) \in R_q \times R_q^\vee$.

Hardness of Ring-LWE [LPR 10]
worst-case $(n^c/\alpha)$-SIVP on ideal lattices in R → (quantum, any $R = \mathcal{O}_K$) search R-LWE$_{q,\alpha}$ → (classical, any Galois R) decision R-LWE$_{q,\alpha}$
(Ideal $I \subseteq R$: an additive subgroup with $x \cdot r \in I$ for all $x \in I$, $r \in R$. Figure: $R = \mathbb{Z}[X]/(1 + X + X^2)$ with the ideal $I = 3R + (1 - X)R \subset R$.)
Large disparity in known hardness of search versus decision:
- Search: any number ring, any $q \geq n^c/\alpha$.
- Decision: any Galois number ring (e.g., cyclotomic), any highly splitting prime q = poly(n). Can then get any q by mod-switching, but this increases α [LS 15].
- Decision has no known worst-case hardness in non-Galois rings.
- But there are no examples of easy(er) decision when search is worst-case hard!

Our Results
Main Theorem: Ring-LWE is Pseudorandom in Any Ring
  worst-case $(n^c/\alpha)$-SIVP on ideal lattices in R → decision R-LWE$_{q,\alpha}$ (quantum, any $R = \mathcal{O}_K$, any $q \geq n^{c - 1/2}/\alpha$)
Bonus Theorem: LWE is Pseudorandom for Any Modulus
  worst-case $(n/\alpha)$-SIVP on n-dim lattices → decision-LWE$_{q,\alpha}$ (quantum, any $q \geq \sqrt{n}/\alpha$)
Both theorems match or improve the previous best params: one reduction to rule them all.
Seems to adapt to module lattices / Module-LWE with techniques from [LS 15].

Which Rings To Use?
Our results don't give any guidance: they work within a single ring R, lower-bounding the hardness of R-LWE by R-Ideal-SIVP.
We have no nontrivial relations between lattice problems over different rings. (Great open question!)
Progress on Ideal-SIVP
- Quantum poly-time $\exp(\tilde{O}(\sqrt{n}))$-Ideal-SIVP in prime-power cyclotomics (modulo heuristics) [CGS 14, BS 16, CDPR 16, CDW 17]
- Quite far from the (quasi-)poly(n) factors typically used for crypto
- Doesn't apply to R-LWE or NTRU (unknown whether R-LWE reduces to Ideal-SIVP)
Options
- Keep using R-LWE over cyclotomics
- Use R-LWE over (slower) rings like $\mathbb{Z}[X]/(X^p - X - 1)$ [BCLvV 16]
- Use the higher-rank problem Module-LWE over cyclotomics / other rings

Overview of LWE Reduction
Theorem: quantumly, $(n/\alpha)$-SIVP → decision-LWE$_{q,\alpha}$ for $q \geq \sqrt{n}/\alpha$.
Reduction strategy: play with α, detect when it decreases.
Suppose O solves decision-LWE$_{q,\alpha}$ with non-negligible advantage. Define
  $p(\beta) = \Pr[\,O \text{ accepts on LWE}_{q, \exp(\beta)} \text{ samples}\,]$.
(Figure: plot of $p(\beta)$.)
Key Properties
1. $p(\beta)$ is smooth (Lipschitz), because $D_\sigma$ and $D_\tau$ are $(\tau/\sigma - 1)$-close.
2. For all $\beta \geq \log n$, $p(\beta) \approx p(\infty) = \Pr[\,O \text{ accepts on uniform samples}\,]$, because huge Gaussian error is near-uniform mod $q\mathbb{Z}$.
3. $p(\log \alpha) - p(\infty)$ is noticeable, so there is a noticeable change in p somewhere between $\log \alpha$ and $\log n$.
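Key properties 1 and 2 are statements about Gaussians that can be checked numerically, so here is an added example (my own code, not from the talk or its authors) that computes the statistical distance between discrete Gaussians of neighbouring widths, and between a discrete Gaussian reduced mod q and the uniform distribution on $\mathbb{Z}_q$, for one-dimensional $D_{\mathbb{Z}, s}$. The width convention $\rho_s(x) = \exp(-\pi x^2/s^2)$ follows Regev's reduction; the modulus and widths are my own toy choices, and every function name is mine.

```python
"""Added example, not from the talk: numerical check of the two "Key Properties"
of the acceptance probability p(beta), on one-dimensional Gaussians over Z.
Convention (as in Regev's reduction): rho_s(x) = exp(-pi x^2 / s^2), so s is the
"width".  The modulus and widths below are my own toy choices."""
import math


def discrete_gaussian(s, tail=12.0):
    """Normalized D_{Z,s} truncated to |x| <= tail*s (the mass beyond is negligible)."""
    bound = int(math.ceil(tail * s))
    weights = {x: math.exp(-math.pi * x * x / (s * s)) for x in range(-bound, bound + 1)}
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}


def tv_distance(p, r):
    """Statistical (total variation) distance between two finite distributions."""
    keys = set(p) | set(r)
    return 0.5 * sum(abs(p.get(k, 0.0) - r.get(k, 0.0)) for k in keys)


def tv_between_widths(s, t):
    """Property 1: D_s and D_t are (t/s - 1)-close, so p is Lipschitz in beta = log(width)."""
    return tv_distance(discrete_gaussian(s), discrete_gaussian(t))


def tv_to_uniform_mod_q(s, q):
    """Property 2: D_{Z,s} reduced mod q versus uniform on Z_q; tiny once s >> q."""
    buckets = [0.0] * q
    for x, px in discrete_gaussian(s).items():
        buckets[x % q] += px
    return 0.5 * sum(abs(b - 1.0 / q) for b in buckets)


def sweep(q=257, ratios=(0.25, 0.5, 1.0, 2.0)):
    """Distance from uniform mod q as the width grows from q/4 to 2q."""
    return {k: tv_to_uniform_mod_q(k * q, q) for k in ratios}


if __name__ == "__main__":
    for k, d in sweep().items():
        print(f"width = {k:4.2f} q : distance from uniform mod q = {d:.2e}")
    s, t = 100.0, 110.0
    print(f"TV(D_{s}, D_{t}) = {tv_between_widths(s, t):.3f}  (bound t/s - 1 = {t / s - 1:.3f})")
```

By Poisson summation the deviation from uniform mod q is governed by $\exp(-\pi s^2/q^2)$, so it collapses as soon as the width passes q: that is the "huge Gaussian error is near-uniform mod $q\mathbb{Z}$" of property 2, and with the oracle's acceptance probability it means $p(\beta)$ has flattened out to $p(\infty)$ once the error rate $\exp(\beta)$ exceeds a small constant. The width comparison stays inside the $(t/s - 1)$ bound of property 1, which is what makes $p$ continuous enough to locate the noticeable change between $\log \alpha$ and $\log n$.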

Exploiting the Oracle
Theorem: quantumly, $(n/\alpha)$-SIVP → decision-LWE$_{q,\alpha}$ for $q \geq \sqrt{n}/\alpha$.
Classical part of the [Regev 05] reduction:
  BDD on L (target t at distance d) + $D_{L,r}$ samples ⟹ LWE$_{q,\alpha}$ samples with $\alpha = dr/q$.
($D_{L,r}$ samples come from the previous iteration, quantumly. They're eventually narrow enough to solve SIVP on L.)
Idea: perturb t, and use O to check whether we're closer to L by how $\alpha = dr/q$ changes. We get a suffix of $p(\cdot)$. (Figure: plot of $p$.)

Extending to the Ring Setting
The LWE proof relies on a 1-parameter correspondence: BDD distance d ↔ error rate α.
The R-LWE proof has an n-parameter correspondence: BDD offset e ↔ params $\alpha = (\alpha_i)$, with Gaussian error rate $\alpha_i$ in the ith dimension.
Classical part of the [LPR 10] reduction:
  BDD on I (target t with offset e) + $D_{I,r}$ samples ⟹ R-LWE$_{q,\alpha}$ samples with $\alpha_i = e_i r_i / q$.
Now the oracle's acceptance probability is $p(\beta)$, mapping $(\mathbb{R}^+)^n \to [0, 1]$.
$\lim_{\beta_i \to \infty} p(\beta) = p(\infty)$: huge error in one dimension is smooth mod $R^\vee$.
Problem: the reduction never produces spherical error (all $\alpha_i$ equal), so it's hard to get anything useful from O.
Solution from [LPR 10]: randomize the $\alpha_i$; this increases them by an $n^{1/4}$ factor.
Improvement: our randomization increases the $\alpha_i$ by only an $\omega(1)$ factor.

Final Thoughts and Open Problems
- decision-R-LWE$_{q,\alpha}$ is worst-case hard for any ring $R = \mathcal{O}_K$ and any modulus q
- decision-LWE$_{q,\alpha}$ is hard for any q; the approximation factor is independent of q
Open Questions
1. Hardness for spherical error: avoid the $n^{1/4}$ degradation in $\alpha_i$? Support unbounded samples?
2. Nontrivially relate Ideal-SIVP or Ring-LWE for different rings?
3. Classical reduction matching the parameters of the quantum reductions?
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR Jung Hee Cheon 1, Duhyeong Kim 1, Joohee Lee 1, and Yongsoo Song 1 1 Seoul National University (SNU), Republic of
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationShort Stickelberger Class Relations and application to Ideal-SVP
Short Stickelberger Class Relations and application to Ideal-SVP Ronald Cramer Léo Ducas Benjamin Wesolowski Leiden University, The Netherlands CWI, Amsterdam, The Netherlands EPFL, Lausanne, Switzerland
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de
More informationWeak Instances of PLWE
Weak Instances of PLWE Kirsten Eisenträger 1, Sean Hallgren 2, and Kristin Lauter 3 1 Department of Mathematics, The Pennsylvania State University, University Park, PA 16802, USA, and Harvard University.
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky Chris Peikert Oded Regev June 25, 2013 Abstract The learning with errors (LWE) problem is to distinguish random linear equations,
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring
More informationPart 2 LWE-based cryptography
Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, 2017 https://www.douglas.stebila.ca/research/presentations Funding acknowledgements: SAC Summer School 2017-08-14
More informationUNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.
Department of Electrical and Computing Engineering UNIVERSITY OF CONNECTICUT CSE 5095-004 (15626) & ECE 6095-006 (15284) Secure Computation and Storage: Spring 2016 Oral Exam: Theory There are three problem
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationIn Praise of Twisted Canonical Embedding
In Praise of Twisted Canonical Embedding Jheyne N. Ortiz 1, Robson R. de Araujo 2, Ricardo Dahab 1, Diego F. Aranha 1, and Sueli I. R. Costa 2 1 Institute of Computing, University of Campinas, Brazil jheyne.ortiz@ic.unicamp.br
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationDwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP
The unique-svp World 1. Ajtai-Dwork Dwork 97/07, Regev 03 PKE from worst-case usvp 2. Lyubashvsky-Micciancio Micciancio 09 Shai Halevi, IBM, July 2009 Relations between worst-case usvp,, BDD, GapSVP Many
More informationTitanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality
Titanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality Ron Steinfeld, Amin Sakzad, Raymond K. Zhao Monash University ron.steinfeld@monash.edu Ron Steinfeld
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationCentrum Wiskunde & Informatica, Amsterdam, The Netherlands
Logarithmic Lattices Léo Ducas Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Workshop: Computational Challenges in the Theory of Lattices ICERM, Brown University, Providence, RI, USA, April
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationAlgorithms for ray class groups and Hilbert class fields
(Quantum) Algorithms for ray class groups and Hilbert class fields Sean Hallgren joint with Kirsten Eisentraeger Penn State 1 Quantum Algorithms Quantum algorithms for number theoretic problems: Factoring
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationPROVABLY WEAK INSTANCES OF RING-LWE
PROVABLY WEAK INSTANCES OF RING-LWE YARA ELIAS, KRISTIN E. LAUTER, EKIN OZMAN, AND KATHERINE E. STANGE Abstract. The ring and polynomial learning with errors problems (Ring-LWE and Poly-LWE) have been
More informationA Framework to Select Parameters for Lattice-Based Cryptography
A Framework to Select Parameters for Lattice-Based Cryptography Nabil Alkeilani Alkadri, Johannes Buchmann, Rachid El Bansarkhani, and Juliane Krämer Technische Universität Darmstadt Department of Computer
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationMore Efficient Lattice PRFs from Keyed Pseudorandom Synthesizers
More Efficient Lattice PRFs from Keyed Pseudorandom Synthesizers Hart Montgomery hmontgomery@us.fujitsu.com Fujitsu Laboratories of America November 5, 2018 Abstract We develop new constructions of lattice-based
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationProvably Weak Instances of Ring-LWE
Provably Weak Instances of Ring-LWE Yara Elias 1, Kristin E. Lauter 2, Ekin Ozman 3, and Katherine E. Stange 4 1 Department of Mathematics And Statistics, McGill University, Montreal, Quebec, Canada, yara.elias@mail.mcgill.ca
More informationMaster of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption
Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption Maximilian Fillinger August 18, 01 1 Preliminaries 1.1 Notation Vectors and matrices are denoted by bold lowercase
More informationCOS 598D - Lattices. scribe: Srdjan Krstic
COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationOn Error Distributions in Ring-based LWE
Submitted exclusively to the London Mathematical Society doi:10.111/0000/000000 On Error Distributions in Ring-based LWE W. Castryck, I. Iliashenko and F. Vercauteren Abstract Since its introduction in
More informationMaking NTRU as Secure as Worst-Case Problems over Ideal Lattices
Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé 1 and Ron Steinfeld 2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d Italie, 69364 Lyon Cedex
More informationFast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international,
More informationFaster Bootstrapping with Polynomial Error
Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert June 13, 2014 Abstract Bootstrapping is a technique, originally due to Gentry (STOC 2009), for refreshing ciphertexts of a
More informationSolving LWE problem with bounded errors in polynomial time
Solving LWE problem with bounded errors in polynomial time Jintai Ding, Southern Chinese University of Technology, University of Cincinnati, ding@mathucedu Abstract In this paper, we present a new algorithm,
More informationA Decade of Lattice Cryptography
A Decade of Lattice Cryptography Chris Peikert 1 September 26, 2015 1 Department of Computer Science and Engineering, University of Michigan. Much of this work was done while at the School of Computer
More informationOn the Leakage Resilience of Ideal-Lattice Based Public Key Encryption
On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni, and Aria Shahverdi University of Maryland, College Park, USA danadach@ece.umd.edu,
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationNoise Distributions in Homomorphic Ring-LWE
Noise Distributions in Homomorphic Ring-LWE Sean Murphy and Rachel Player Royal Holloway, University of London, U.K. s.murphy@rhul.ac.uk Rachel.Player.2013@live.rhul.ac.uk 12 June 2017 Abstract. We develop
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca 1,2, Amin Sakzad 3, Damien Stehlé 1, and Ron Steinfeld 3 1 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), France 2 Bitdefender, Romania
More informationUpper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China
Λ A Huiwen Jia 1, Chunming Tang 1, Yanhua Zhang 2 hwjia@gzhu.edu.cn, ctang@gzhu.edu.cn, and yhzhang@zzuli.edu.cn 1 Key Laboratory of Information Security, School of Mathematics and Information Science,
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee Chris Peikert June 13, 2014 Abstract A key-homomorphic pseudorandom function (PRF) family {F s : D R} allows one to efficiently
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationLarge Modulus Ring-LWE Module-LWE
Large Modulus Ring-LWE Module-LWE Martin R. Albrecht and Amit Deo Information Security Group Royal Holloway, University of London martin.albrecht@royalholloway.ac.uk, amit.deo.205@rhul.ac.uk Abstract.
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationIncreased efficiency and functionality through lattice-based cryptography
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, INRIA, PSL Research University RESEARCH UNIVERSITY PARIS ECRYPT-NET Cloud Summer School Leuven, Belgium
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert October 9, 2013 Abstract Gentry s bootstrapping technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme
More informationA provably secure variant of NTRU cryptosystem
A provably secure variant of NTRU cryptosystem Danilo Ciaffi Advised by Guilhem Castagnos a Università di Padova Université de Bordeaux Academic year 2016-2017 Cheesy catchphrase Contents 1 Preliminaries
More informationFixed-Point Arithmetic in SHE Schemes
Fixed-Point Arithmetic in SHE Schemes Anamaria Costache 1, Nigel P. Smart 1, Srinivas Vivek 1, Adrian Waller 2 1 University of Bristol 2 Thales UK Research & Technology July 6, 2016 Outline Motivation
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationA key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme
A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme Eduardo Morais Ricardo Dahab October 2014 Abstract In this paper we present a key recovery attack to the scale-invariant
More informationManipulating Data while It Is Encrypted
Manipulating Data while It Is Encrypted Craig Gentry IBM Watson ACISP 2010 The Goal A way to delegate processing of my data, without giving away access to it. Application: Private Google Search I want
More information